platform/kernel/kernel-mfld-blackbay.git
10 years ago Update changelog tizen_2.1 accepted/tizen/20130530.164154 accepted/tizen/20130607.152003 accepted/tizen_2.1/20130520.093138 submit/tizen/20130529.222955 submit/tizen/20130605.220023 submit/tizen/20130606.194648 submit/tizen_2.1/20130516.045451
Markus Lehtonen [Fri, 10 May 2013 13:47:30 +0000 (16:47 +0300)]
Update changelog

Change-Id: I5b058e5abaf7b01f44bb553fa2c37afa0e034615
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
10 years ago Merge changes I5fe041a6,I0200a1c0 into tizen_2.1
Arron Wang [Mon, 6 May 2013 08:34:37 +0000 (17:34 +0900)]
Merge changes I5fe041a6,I0200a1c0 into tizen_2.1

* changes:
  NFC: pn544: Remove Felica and Jewel device presence check
  NFC: pn544: Identify NFC-F device through NFCID2

11 years ago Merge "Enable long press to answer incoming call, fix TZSP-5507." into tizen_2.1
Li Peng [Fri, 3 May 2013 02:06:05 +0000 (11:06 +0900)]
Merge "Enable long press to answer incoming call, fix TZSP-5507." into tizen_2.1

11 years ago Enable long press to answer incoming call, fix TZSP-5507.
Jie Yang [Sat, 27 Apr 2013 07:45:32 +0000 (15:45 +0800)]
Enable long press to answer incoming call, fix TZSP-5507.

Call mfld_jack_status_set to set "earkey_online" node:
1. SND_JACK_BTN_0 means long press detected, will set the node to non-zero ((SND_JACK_HEADSET | SND_JACK_BTN_0) here);
2. SND_JACK_BTN_1 means long press released (either short press or long press to release), will set the node to zero, and enable another long press later.

11 years ago NFC: pn544: Remove Felica and Jewel device presence check
Arron Wang [Mon, 22 Apr 2013 08:08:05 +0000 (16:08 +0800)]
NFC: pn544: Remove Felica and Jewel device presence check

There is no builtin command for driver to check the presence of
Felica and Jewel device, it is more reasonable for the userspace
daemon neard to build separate commands to check the presence of
the card

Change-Id: I5fe041a66a6f09ea88e2fd88949390f8aa1acc9c
Signed-off-by: Arron Wang <arron.wang@intel.com>
11 years ago NFC: pn544: Identify NFC-F device through NFCID2
Arron Wang [Mon, 15 Apr 2013 03:16:09 +0000 (11:16 +0800)]
NFC: pn544: Identify NFC-F device through NFCID2

NFCID2 is defined under the name of manufacture ID(IDm)
in Felica card

Change-Id: I0200a1c0efa3c5d21686fb822d26bab1b113d674
Signed-off-by: Arron Wang <arron.wang@intel.com>
11 years ago Enable pn544 new kernel option
Arron Wang [Fri, 5 Apr 2013 03:47:07 +0000 (11:47 +0800)]
Enable pn544 new kernel option

Change-Id: I66c30dc7822c82237923ea57cb22cc4cd9f052ad

11 years ago NFC: Add node parameter for the new patches fix building error
Arron Wang [Fri, 5 Apr 2013 05:11:13 +0000 (13:11 +0800)]
NFC: Add node parameter for the new patches fix building error

Due to commit b67bfe0d42cac56c512dd5da4b1b347a23f4b70a
      hlist: drop the node parameter from iterators
We need to add this parameter to the new code

Change-Id: I68d6842d2b67552c9037d0d2fefff493a05ddbca

11 years ago NFC: Upgrade to latest nfc-next tree
Waldemar Rymarkiewicz [Thu, 11 Oct 2012 12:03:58 +0000 (14:03 +0200)]
NFC: Upgrade to latest nfc-next tree

NFC: pn533: Fix in/out frame buffer allocation

Max frame size should be 264 bytes as per spec and not limited to
endpoint MaxPacketSize which is 64 in my case (acr122 reader).

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Remove unused arg parameter

Get rid of unused arg param in pn533_init_target_complete and
in pn533_start_poll_complete.

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Use IDR library to assign NFC devices IDs

As a consequence the NFC device IDs won't be increasing all the time,
as IDR provides the first available ID.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Fix some code style and whitespace issues

Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Remove CONFIG_EXPERIMENTAL

This config item has not carried much meaning for a while now and is
almost always enabled by default. As agreed during the Linux kernel
summit, remove it.

Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Remove CONFIG_EXPERIMENTAL from the LLCP Makefile

This config item has not carried much meaning for a while now and is
almost always enabled by default. As agreed during the Linux kernel
summit, remove it.

Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Remove CONFIG_EXPERIMENTAL from the NCI Makefile

This config item has not carried much meaning for a while now and is
almost always enabled by default. As agreed during the Linux kernel
summit, remove it.

Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Purge LLCP socket Tx queues when being disconnected

The Tx queues are no longer valid when we receive a disconnection or when
the LLCP link goes down. In the latter case we also purge the entire local
Tx queue.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Extend netlink interface for LTO, RW, and MIUX parameters support

NFC_CMD_LLC_GET_PARAMS: request LTO, RW, and MIUX parameters for a device

NFC_CMD_LLC_SET_PARAMS: set one or more of LTO, RW, and MIUX parameters for
a device. LTO must be set before the link is up otherwise -EINPROGRESS is
returned. RW and MIUX can be set at anytime and will be passed in subsequent
CONNECT and CC messages. If one of the passed parameters is wrong none is
set and -EINVAL is returned.

Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Fix hci_connect_gate() when a pre-opened pipe is passed

In some cases, pre-opened pipes don't stay open when a clear all pipes
command is sent. They stay created however. Therefore, one can never
assume that such a pipe is already open. As re-opening a pipe seems not
to be a problem, we do that now.

Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Ignore err when chip doesn't implement HW/SW info registers

NFC_HCI_ID_MGMT_VERSION_SW and NFC_HCI_ID_MGMT_VERSION_HW are optional
registers for gate NFC_HCI_ID_MGMT_GATE in standard HCI. When chip
doesn't implement, just leave all the information as zeros.

Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Do not dispatch HCI event received on unopened pipe

A chip with pre-opened gates may send events on a gate that nobody
has opened in the handset host. Discard those events.

Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Export nfc_hci_result_to_errno as it can be needed by HCI drivers

Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Export nfc_hci_sak_to_protocol()

Some HCI drivers will need it.

Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Remove unused details from pn544.h header file

The majority of the defines and structures from pn544.h are no
longer in use. So just remove them.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Move pn544.h to linux/platform_data/

The pn544.h just provides the platform data struct and defines and
nothing else. So move it to linux/platform_data/ now.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Copy user space buffer when sending UI frames

Using the userspace IO vector directly is wrong, we should copy it from
user space first.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Stop sending LLCP frames when tx queues are getting too deep

When the tx pending queues and/or the socket tx queue is getting too deep,
we have to let userspace know. We won't be queueing any more frames until
the congestion is fixed.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Queue a copy of the transmitted LLCP skb

Drivers are allowed to modify the sent skb and thus we need to make a copy
of it before passing it to the driver. Without this fix, LLCP Tx skbs were
not queued properly as the ptype check was failing due to e.g. the pn533
driver skb_pushing the Tx skb.

Reported-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Fix nfc_llcp_local chained list insertion

list_add was called with swapped parameters

Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Fix missing lock while operating on commands list

In pn533_wq_cmd command was removed from list without cmd_lock held
(race with pn533_send_cmd_frame_async) which could lead to list
corruption. Delete command from list before releasing lock.

Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Fix use after free

cmd was freed in pn533_dep_link_up regardless of
pn533_send_cmd_frame_async return code. Cmd is passed as argument to
pn533_in_dep_link_up_complete callback and should be freed there.

Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Fix mem leak in pn533_in_dep_link_up

cmd is allocated in pn533_dep_link_up and passed as an arg to
pn533_send_cmd_frame_async together with a complete cb.

arg is passed to the cb and must be kfreed there.

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Fix pn533 target mode memory leak

In target mode, sent sk_buff were not freed in pn533_tm_send_complete

Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Fix incorrect llcp pointer dereference

nfc_llcp_ns(s) dereferences the s pointer which is freed a line
above. As a result, it can produce a crash or you will read
incorrect value.

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Add support for SO_TIMESTAMP LLCP socket option

Set timestamp in sent and received sk_buffs. timestamp is then put in
msghdr structure in llcp_sock_recvmsg().

Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Remove in/out_maxlen as it is not used

in_maxlen and out_maxlen were replaced with PN533_NORMAL_FRAME_MAX_LEN

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Remove unused definitions

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Add frame header length define

PN533_CMD_DATAEXCH_HEAD_LEN includes a frame header length which is not
seen at a glance. It can be misleading, so split it and define the
frame header length explicitly.

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Remove pointless flags param

__pn533_send_cmd_frame_async() is called when lock is held so GFP_KERNEL
flag will be always used. Thus, having extra param does not optimise the
code.

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Add a new pn533_send_cmd_async iface

This is intended to replace pn533_send_cmd_frame_async() which
requires from the caller to create a complete frame.

The new function constructs a frame and sends it out which hides the
frame logic and avoids code duplication.

The caller has to allocate skb and put its payload there, and finally
provide the skb together with a complete cb to pn533_send_cmd_async().

Response skb is allocated by the core part and passed to the caller cb.
Next, the caller has to free it when it is not needed anymore or pass it
up to the stack.

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Add a new pn533_send_data_async iface

This iface is intended to be used with DEP transfers. It differs
from pn533_send_cmd_async() in the way the response skb is allocated.

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Add a new pn533_send_sync iface

It is intended to replace pn533_send_cmd_frame_sync() iface which
requires from the caller to create complete frame.

The new function constructs a complete frame itself and sends it out
in sync manner. This way frame logic is hidden from the caller.

pn533_send_cmd_sync() returns ERR_PTR in case of an error or a pointer
to valid response sk_buff otherwise. The pointer must be freed by the
caller when it's been consumed.

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Add pn533_alloc_skb for req allocation

Allocate sk_buff for the request.

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Remove pn533_send_cmd_frame_sync

Remove obsolete pn533_send_cmd_frame_sync() and use
previously added new iface for sync send.

The new interface requires the use of individual skb for each
cmd which removes some memcpy calls and hides frame logic.

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: llcp: Remove the tx backlog queue

Not only was it improperly used to queue backlogged RX skbuffs, but it was
also not processed at all.
If the socket receive queue is full we simply drop the incoming packets.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
workqueue: avoid using deprecated functions

The network merge brought in a few users of functions that got
deprecated by the workqueue cleanups: the 'system_nrt_wq' is now the
same as the regular system_wq, since all workqueues are now non-
reentrant.

Similarly, remove one use of flush_work_sync() - the regular
flush_work() has become synchronous, and the "_sync()" version is thus
deprecated as being superfluous.

Change-Id: I6189414648e447f81053b03669ce23e528b441a9
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
NFC: llcp: Fix Rx memory leak

The reference count bump on the llcp Rx path is leading to a memory leak
whenever we're not receiving an I frame.
We fix that by removing the refcount bump (drivers must not free their
received skb) and using it only in the I frame path, when the frame is
actually queued. In that case, the skb will only be freed when someone
fetches it from userspace. In all other cases, LLCP received frames will
be freed when leaving the Rx work queue.

Reported-by: Eric Lapuyade <eric.lapuyade@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Del frame logic from TgGet/SetData cmd

Remove frame logic from TgSetData and TgGetData commands
using the new iface for async send.

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Del frame logic from InJumForDep cmd

Remove frame logic from InJumpForDEP command using
the new iface for async send.

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Del frame logic from Data Exchange cmd

Remove frame logic from transceive cb using new iface
for async send.

For pn533_wq_mi_recv() use pn533_send_cmd_direct_async which
sends the cmd directly to the hardware, skipping cmd queue.

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Dump tx and rx data in debug mode

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Remove frame logic from poll cmds

Remove frame logic from start_poll cb using the new iface
for async send.

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Fix quoted strings split across lines

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Fix spacing issues

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Fix open parenthesis alignment

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Fix minor style issues

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Remove unused pn533_send_cmd_frame_asy

Remove obsolete send async api as it's no longer used. Remove
global dev->in_frame as well, as each packet is kept in a
separate skb struct now, so that's not used anymore.

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Fix urb->status handling

Fix text message to be more suitable for the error code and treat
ESHUTDOWN as an error not debug msg.

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Cleanup debug messages

Remove debug messages which do not include valuable information
in debug mode. Add some new ones for better tracking or reword
if necessary.

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Don't use out_frame in pn533_send_ack

dev->out_frame buffer is much bigger for ACK frame needs. Use
local buffer instead.

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Use skb in __pn533_send_cmd_frame_asyn

__pn533_send_cmd_frame_async() should be frame type independent. So, don't
use pn533_frame type params and instead use skb for req and resp pointers.

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Remove deprecated dev->out_frame buff

As it's not used anymore get rid of that buffer.

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Cleanup pn533_cmd_complete_t

'params' arg in pn533_cmd_complete_t definition has been deprecated and
currently is not in use (resp skb is passed in arg ptr), so remove it.

Also 'params_len' arg is used as a transfer status indicator, so simply
reword it appropriately.

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Remove unused dev->wq_in_frame

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Introduce ops for frame logic

Encapsulate whole frame logic (tx/rx frame structure and size) inside
the ops structure to make the core driver generic for devices which
handle frames in non-standard manner (different than pn533 spec says).

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: nfcwilink: Use devm_kzalloc

devm_kzalloc allocates memory that is released when a driver detaches.
This patch uses devm_kzalloc for data that is allocated in the probe
function of a platform device and is only freed in the remove function.

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Fixed nfc core and hci unregistration and cleanup

When an adapter is removed, it will unregister itself from hci and/or
nfc core. In order to do that safely, work tasks must first be canceled
and prevented from being scheduled again, before the hci or nfc device can be
destroyed.

Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Added error handling in event_received hci ops

There is no use to return an error if the caller doesn't get it.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Changed event_received hci ops result semantic

Some chips use a standard HCI event code, destined to a proprietary
gate, with a different meaning. Therefore, the HCI driver must always
have a chance to intercept the event before standard processing is
attempted.
The new semantic specifies that the result value "1" means that the
driver doesn't especially handle the event. result <= 0 means it was
handled.

Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Fixed skb leak in tm_send() nfc and hci ops implementations

Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Add HCI quirks to support driver (non)standard implementations

Some chips diverge from the HCI spec in their implementation of standard
features. This adds a new quirks parameter to
nfc_hci_allocate_device() to let the driver indicate its divergence.

Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn544: Separate the core code and the i2c one into different modules

As we may need to support other physical layers, we can avoid linking the
core part into each and every pn544 module.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn544: Use module_i2c_driver

The pn544 init routine does nothing but adding the driver to the i2c bus.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn544: Use devm_kzalloc API

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: update HCI documentation

Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Initial Secure Element API

Each NFC adapter can have several links to different secure elements and
that property needs to be exported by the drivers.
A secure element link can be enabled and disabled, and card emulation will
be handled by the currently active one. Otherwise card emulation will be
host implemented.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Fix missing parenthesis

This is a quite critical patch as it fixes potential reference to
undefined general_bytes which were never set correctly on target
activation due to missing parenthesis.

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Update pn544 documentation

The pn544 driver no longer has a /dev/pn544 interface nor a sysfs one.

Reported-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Avoid memcpy on LLCP connection less Rx path

We can cast msg_name to a sockaddr_nfc_llcp pointer directly.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Use skb_copy_datagram_iovec

Safer and more robust than memcpy_toiovec.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Fix bad allocation size

Use dereferenced pointer in sizeof instead of pointer itself.

Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Change nfc.h license

nfc.h being GPL makes it quite controversial for non GPL applications to
include it.
Moreover, nfc.h only includes structures and API definitions that are hardly
copyrightable.

Signed-off-by: Lauro Ramos Venancio <lauro.venancio@openbossa.org>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Initial support for Inside Secure microread

Inside Secure microread is an HCI based NFC chipset.
This initial support includes reader and p2p (Target and initiator) modes.

Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: microread: Add i2c physical layer

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: microread: Add MEI physical layer

On some peculiar worlds, microreads are found hidden behind MEIs and need
to be accessed through the ME bus.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Fix target polling mode

Remove unneeded bitwise OR operator on uninitialized sk_buff data

Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: llcp: integer underflow in nfc_llcp_set_remote_gb()

If gb_len is less than 3 it would cause an integer underflow and
possibly memory corruption in nfc_llcp_parse_gb_tlv().

I removed the old test for gb_len == 0.  I also removed the test for
->remote_gb == NULL.  It's not possible for ->remote_gb to be NULL and
we have already dereferenced ->remote_gb_len so it's too late to test.

The old test returned -ENODEV but my test returns -EINVAL.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
NFC: microread: Fix mei physical layer

The MEI bus API changed according to the latest comments from the char-misc
maintainers, and this patch fixes the microread mei physical layer code
according to those changes:
We pass the MEI id back to the probe routine, and the mei_driver takes a
table of MEI ids instead of one static id.
Also, mei_bus_driver got renamed to mei_driver, mei_bus_client to
mei_device, and mei_bus_set/get_clientdata to mei_set/get_clientdata.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: llcp: Decrease socket ack log when accepting a connection

This is really difficult to test with real NFC devices, but without
this fix an LLCP server will eventually refuse new connections.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: llcp: Clean local timers and works when removing a device

Whenever an adapter is removed we must clean all the local structures,
especially the timers and scheduled work. Otherwise those asynchronous
threads will eventually try to access the freed nfc_dev pointer if an LLCP
link is up.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: llcp: Clean raw sockets from nfc_llcp_socket_release

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: llcp: Report error to pending sockets when a device is removed

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: microread: Fix MEI build failure

The mei_device field should be called device, not mei_device.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: llcp: Rename socket rw and miu fields

They really are remote peer parameters, and we need to distinguish them
from the local ones as we'll modify the latter with socket options.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: llcp: Implement socket options

Some LLCP services (e.g. the validation ones) require some control over
the LLCP link parameters like the receive window (RW) or the MIU extension
(MIUX). This can only be done through socket options.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: llcp: Use socket specific link parameters before the local ones

If the socket link options are set, use them before the local one.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: llcp: Remove redundant printk

We already have a pr_debug for that.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Add missing type policies for netlink attributes

Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: llcp: Service Name Lookup SDRES aggregation

This modifies the way SDRES PDUs are sent back. If multiple SDREQs are
received within a single SNL PDU, all SDRES replies are sent packed in
one SNL PDU too.

Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: llcp: Service Name Lookup netlink interface

This adds a netlink interface for service name lookup support.
Multiple URIs can be passed nested into the NFC_ATTR_LLC_SDP attribute
using the NFC_CMD_LLC_SDREQ netlink command.
When the SNL reply is received, a NFC_EVENT_LLC_SDRES event is sent to
the user space. URI and SAP tuples are passed back, nested into
NFC_ATTR_LLC_SDP attribute.

Change-Id: If36fbcb0660f246fcd7f9696e7ce6d1e790f99cb
Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: llcp: Add cleanup support for unreplied SNL requests

If the remote LLC doesn't reply in time to our SNL requests we remove
them from the list of pending requests. The timeout is fixed to an
arbitrary value of 3 times remote_lto.

When not replied, the local LLC broadcasts NFC_EVENT_LLC_SDRES nl events for
the concerned uris with sap values set to LLCP_SDP_UNBOUND (which is 65).

Change-Id: If6c89a1d3b18942d9a9f45b95c6486d214561c84
Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: llcp: Detach socket from process context only when releasing the socket

Calling sock_orphan when e.g. the NFC adapter is removed can lead to
kernel crashes when e.g. a connection less client is sleeping on the
Rx workqueue, waiting for data to show up.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: llcp: Remove possible double call to kfree_skb

kfree_skb was called twice when the socket receive queue is full

Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Revert "NFC: microread: Fix MEI build failure"

This reverts commit 63cd353c34a08af2d1935f8d0c2b6b091714ff79.

We no longer need this fix as the MEI bus API is now merged into
char-misc-next.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: microread: Fix build failure due to a new MEI bus API

uuid device_id field is removed and mei_device is renamed mei_cl_device.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: pn533: Use dynamic debug for pn533 hex dumps

Those can be very verbose and we only want them when debugging pn533.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: llcp: Socket miux is a big endian field

The MIUX must be transmitted in big endian and as such we have to convert
it properly.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: llcp: Fall back to local values when getting socket options

If a socket option has not been set by the user, fall back to the LLCP
local ones.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: llcp: Fix zero octets length SDU handling

LLCP Validation test #2 (Connection-less information transfer) sends a
service data unit of zero octets length. This is now handled correctly.

Signed-off-by: Olivier Guiter <olivier.guiter@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: llcp: Aggregated frames support

This adds support for AGF PDUs. For each PDU contained in the AGF, a new sk_buff
is allocated and dispatched to its corresponding handler.

Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: llcp: Use locally stored remote_miu value if not set at socket level

If remote_miu value is not set in the socket (i.e. connection-less socket) the
value stored in the local is used.

Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: llcp: Reset RW, LTO, and MIU remote parameters when link goes down

This resets remote parameters in both local and socket llcp structures when the
link goes down. That way, nfc_llcp_getsockopt won't return values corresponding
to the previous link parameters.

Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: llcp: Add support in getsockopt for RW, LTO, and MIU remote parameters

Useful for LLCP validation tests.

Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: llcp: Keep the connected socket parent pointer alive

And avoid decreasing the ack log twice when dequeueing connected LLCP
sockets.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: llcp: Only keep raw sockets alive when the LLCP local leaves

When the MAC goes down, connected and connection less sockets should be
notified, but raw sockets should be kept alive.
They will get notified only when the physical device goes away.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: llcp: Remove local_cleanup last argument

local_cleanup is always called with device set to false as it means the
local LLCP is going away. So no need to pass this switch as an argument.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: llcp: Terminate connection when receiving a DISC on (0,0)

According to the LLCP specs, we must terminate the LLCP link when receiving
a DISC with both ssap and dsap set to 0.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Prevent polling when device is down

Some devices turn radio on whenever they're asked to start a poll.
To prevent that from happening, we just don't call into the driver
start_poll hook when the NFC device is down.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
ida: simplified functions for id allocation

The current hyper-optimized functions are overkill if you simply want to
allocate an id for a device.  Create versions which use an internal
lock.

In followup patches, numerous drivers are converted to use this
interface.

Thanks to Tejun for feedback.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Acked-by: Tejun Heo <tj@kernel.org>
Acked-by: Jonathan Cameron <jic23@cam.ac.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
ida: make ida_simple_get/put() IRQ safe

It's often convenient to be able to release resource from IRQ context.
Make ida_simple_*() use irqsave/restore spin ops so that they are IRQ
safe.

Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
drivercore: Generalize module_platform_driver

This patch generalizes the module_platform_driver macro and introduces a new
module_driver macro. The module_driver macro takes a driver name, a register
and a unregister function for this driver type. Using these it constructs the
module init and exit sections which register and unregister the driver. Since
such init/exit sections are commonly found in drivers this macro can be used
to eliminate a lot of boilerplate code.

The macro is not intended to be used by driver modules directly, instead it
should be used to generate bus specific macros for registering drivers like
the module_platform_driver macro.

Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Acked-by: Grant Likely <grant.likely@secretlab.ca>
Acked-by: Jonathan Cameron <jic23@kernel.org>
Acked-by: Wolfram Sang <w.sang@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
I2C: Add helper macro for i2c_driver boilerplate

This patch introduces the module_i2c_driver macro which is a convenience macro
for I2C driver modules similar to module_platform_driver. It is intended to be
used by drivers whose init/exit section does nothing but register/unregister
the I2C driver. By using this macro it is possible to eliminate a few lines of
boilerplate code per I2C driver.

Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Acked-by: Grant Likely <grant.likely@secretlab.ca>
Acked-by: Jonathan Cameron <jic23@cam.ac.uk>
Acked-by: Wolfram Sang <w.sang@pengutronix.de>
Acked-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Remove deprecated file

Change-Id: I59c1dc402c556eebc7b5161057258f50f67a25ee

Signed-off-by: Arron Wang <arron.wang@intel.com>
11 years ago Update changelog 2.1b_release
Li Peng [Wed, 24 Apr 2013 07:04:40 +0000 (15:04 +0800)]
Update changelog

Change-Id: Ia40e754b988fac8bcc3c3946ff006d7cf67155d7
Signed-off-by: Li Peng <peng.li@intel.com>
11 years ago gfx: call ospm_power_resume at gfx_resume
Li Peng [Tue, 23 Apr 2013 15:12:12 +0000 (23:12 +0800)]
gfx: call ospm_power_resume at gfx_resume

We should restore gfx device state as early as possible,
because registers like MRST_PERF_MODE should be restored at
device power on to keep gfx/video performance the same as before,
otherwise it may cause gfx resume failure in random cases.

Change-Id: Ibac56ee512a182fafb4a6a4ce2cf928c9bae4108
Signed-off-by: Li Peng <peng.li@intel.com>
11 years ago Update changelog
Li Peng [Tue, 23 Apr 2013 07:09:20 +0000 (15:09 +0800)]
Update changelog

Change-Id: Idf15167e986c14bc578dd9a6595a2397906ceba0
Signed-off-by: Li Peng <peng.li@intel.com>
11 years ago call ospm_power_suspend() in case gfx device isn't suspended
Li Peng [Mon, 22 Apr 2013 09:22:18 +0000 (17:22 +0800)]
call ospm_power_suspend() in case gfx device isn't suspended

We see cases where the gfx device isn't suspended when the system suspend
process comes into gfx_suspend(), so it needs to check the gfx suspend
state and call ospm_power_suspend() to suspend the device properly.
Otherwise we would see a performance downgrade in video decoding/encoding
if the system is suspended once.

Change-Id: Id2cda9e9abeceda46429f8c1267bcf3f81967911
Signed-off-by: Li Peng <peng.li@intel.com>
11 years ago Update changelog
Markus Lehtonen [Thu, 7 Feb 2013 10:35:02 +0000 (12:35 +0200)]
Update changelog

Change-Id: I32d4ffc5b4de7e20dbbf8362a89b6439a3f71f11
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
11 years ago udf: Fortify loading of sparing table
Jan Kara [Wed, 27 Jun 2012 19:23:07 +0000 (21:23 +0200)]
udf: Fortify loading of sparing table

commit 1df2ae31c724e57be9d7ac00d78db8a5dabdd050 upstream.

Add sanity checks when loading sparing table from disk to avoid accessing
unallocated memory or writing to it.

Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago udf: Avoid run away loop when partition table length is corrupted
Jan Kara [Wed, 27 Jun 2012 18:20:22 +0000 (20:20 +0200)]
udf: Avoid run away loop when partition table length is corrupted

commit adee11b2085bee90bd8f4f52123ffb07882d6256 upstream.

Check provided length of partition table so that (possibly maliciously)
corrupted partition table cannot cause accessing data beyond current buffer.

Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago udf: Use 'ret' instead of abusing 'i' in udf_load_logicalvol()
Jan Kara [Wed, 27 Jun 2012 18:08:44 +0000 (20:08 +0200)]
udf: Use 'ret' instead of abusing 'i' in udf_load_logicalvol()

commit cb14d340ef1737c24125dd663eff77734a482d47 upstream.

Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago proc: clean up and fix /proc/<pid>/mem handling
Linus Torvalds [Tue, 17 Jan 2012 23:21:19 +0000 (15:21 -0800)]
proc: clean up and fix /proc/<pid>/mem handling

commit e268337dfe26dfc7efd422a804dbb27977a3cccc upstream.

Jüri Aedla reported that the /proc/<pid>/mem handling really isn't very
robust, and it also doesn't match the permission checking of any of the
other related files.

This changes it to do the permission checks at open time, and instead of
tracking the process, it tracks the VM at the time of the open.  That
simplifies the code a lot, but does mean that if you hold the file
descriptor open over an execve(), you'll continue to read from the _old_
VM.

That is different from our previous behavior, but much simpler.  If
somebody actually finds a load where this matters, we'll need to revert
this commit.

I suspect that nobody will ever notice - because the process mapping
addresses will also have changed as part of the execve.  So you cannot
actually usefully access the fd across a VM change simply because all
the offsets for IO would have changed too.

Reported-by: Jüri Aedla <asd@ut.ee>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
11 years ago dm: do not forward ioctls from logical volumes to the underlying device
Paolo Bonzini [Thu, 12 Jan 2012 15:01:29 +0000 (16:01 +0100)]
dm: do not forward ioctls from logical volumes to the underlying device

commit ec8013beddd717d1740cfefb1a9b900deef85462 upstream.

A logical volume can map to just part of underlying physical volume.
In this case, it must be treated like a partition.

Based on a patch from Alasdair G Kergon.

Cc: Alasdair G Kergon <agk@redhat.com>
Cc: dm-devel@redhat.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
11 years ago block: fail SCSI passthrough ioctls on partition devices
Paolo Bonzini [Thu, 12 Jan 2012 15:01:28 +0000 (16:01 +0100)]
block: fail SCSI passthrough ioctls on partition devices

commit 0bfc96cb77224736dfa35c3c555d37b3646ef35e upstream.

[ Changes with respect to 3.3: return -ENOTTY from scsi_verify_blk_ioctl
  and -ENOIOCTLCMD from sd_compat_ioctl. ]

Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
will pass the command to the underlying block device.  This is
well-known, but it is also a large security problem when (via Unix
permissions, ACLs, SELinux or a combination thereof) a program or user
needs to be granted access only to part of the disk.

This patch lets partitions forward a small set of harmless ioctls;
others are logged with printk so that we can see which ioctls are
actually sent.  In my tests only CDROM_GET_CAPABILITY actually occurred.
Of course it was being sent to a (partition on a) hard disk, so it would
have failed with ENOTTY and the patch isn't changing anything in
practice.  Still, I'm treating it specially to avoid spamming the logs.

In principle, this restriction should include programs running with
CAP_SYS_RAWIO.  If for example I let a program access /dev/sda2 and
/dev/sdb, it still should not be able to read/write outside the
boundaries of /dev/sda2 independent of the capabilities.  However, for
now programs with CAP_SYS_RAWIO will still be allowed to send the
ioctls.  Their actions will still be logged.

This patch does not affect the non-libata IDE driver.  That driver
however already tests for bd != bd->bd_contains before issuing some
ioctl; it could be restricted further to forbid these ioctls even for
programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.

Cc: linux-scsi@vger.kernel.org
Cc: Jens Axboe <axboe@kernel.dk>
Cc: James Bottomley <JBottomley@parallels.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[ Make it also print the command name when warning - Linus ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
11 years ago block: add and use scsi_blk_cmd_ioctl
Paolo Bonzini [Thu, 12 Jan 2012 15:01:27 +0000 (16:01 +0100)]
block: add and use scsi_blk_cmd_ioctl

commit 577ebb374c78314ac4617242f509e2f5e7156649 upstream.

Introduce a wrapper around scsi_cmd_ioctl that takes a block device.

The function will then be enhanced to detect partition block devices
and, in that case, subject the ioctls to whitelisting.

Cc: linux-scsi@vger.kernel.org
Cc: Jens Axboe <axboe@kernel.dk>
Cc: James Bottomley <JBottomley@parallels.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
11 years ago mm: Hold a file reference in madvise_remove
Andy Lutomirski [Thu, 5 Jul 2012 23:00:11 +0000 (16:00 -0700)]
mm: Hold a file reference in madvise_remove

commit 9ab4233dd08036fe34a89c7dc6f47a8bf2eb29eb upstream.

Otherwise the code races with munmap (causing a use-after-free
of the vma) or with close (causing a use-after-free of the struct
file).

The bug was introduced by commit 90ed52ebe481 ("[PATCH] holepunch: fix
mmap_sem i_mutex deadlock")

[bwh: Backported to 3.2:
 - Adjust context
 - madvise_remove() calls vmtruncate_range(), not do_fallocate()]
[luto: Backported to 3.0: Adjust context]

Cc: Hugh Dickins <hugh@veritas.com>
Cc: Miklos Szeredi <mszeredi@suse.cz>
Cc: Badari Pulavarty <pbadari@us.ibm.com>
Cc: Nick Piggin <npiggin@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago mm: pmd_read_atomic: fix 32bit PAE pmd walk vs pmd_populate SMP race condition
Andrea Arcangeli [Tue, 29 May 2012 22:06:49 +0000 (15:06 -0700)]
mm: pmd_read_atomic: fix 32bit PAE pmd walk vs pmd_populate SMP race condition

commit 26c191788f18129af0eb32a358cdaea0c7479626 upstream.

When holding the mmap_sem for reading, pmd_offset_map_lock should only
run on a pmd_t that has been read atomically from the pmdp pointer,
otherwise we may read only half of it leading to this crash.

PID: 11679  TASK: f06e8000  CPU: 3   COMMAND: "do_race_2_panic"
 #0 [f06a9dd8] crash_kexec at c049b5ec
 #1 [f06a9e2c] oops_end at c083d1c2
 #2 [f06a9e40] no_context at c0433ded
 #3 [f06a9e64] bad_area_nosemaphore at c043401a
 #4 [f06a9e6c] __do_page_fault at c0434493
 #5 [f06a9eec] do_page_fault at c083eb45
 #6 [f06a9f04] error_code (via page_fault) at c083c5d5
    EAX: 01fb470c EBX: fff35000 ECX: 00000003 EDX: 00000100 EBP:
    00000000
    DS:  007b     ESI: 9e201000 ES:  007b     EDI: 01fb4700 GS:  00e0
    CS:  0060     EIP: c083bc14 ERR: ffffffff EFLAGS: 00010246
 #7 [f06a9f38] _spin_lock at c083bc14
 #8 [f06a9f44] sys_mincore at c0507b7d
 #9 [f06a9fb0] system_call at c083becd
                         start           len
    EAX: ffffffda  EBX: 9e200000  ECX: 00001000  EDX: 6228537f
    DS:  007b      ESI: 00000000  ES:  007b      EDI: 003d0f00
    SS:  007b      ESP: 62285354  EBP: 62285388  GS:  0033
    CS:  0073      EIP: 00291416  ERR: 000000da  EFLAGS: 00000286

This should be a longstanding bug affecting x86 32bit PAE without THP.
Only archs with 64bit large pmd_t and 32bit unsigned long should be
affected.

With THP enabled the barrier() in pmd_none_or_trans_huge_or_clear_bad()
would partly hide the bug when the pmd transition from none to stable,
by forcing a re-read of the *pmd in pmd_offset_map_lock, but when THP is
enabled a new set of problems arises by the fact could then transition
freely in any of the none, pmd_trans_huge or pmd_trans_stable states.
So making the barrier in pmd_none_or_trans_huge_or_clear_bad()
unconditional isn't a good idea and it would be a flakey solution.

This should be fully fixed by introducing a pmd_read_atomic that reads
the pmd in order with THP disabled, or by reading the pmd atomically
with cmpxchg8b with THP enabled.

Luckily this new race condition only triggers in the places that must
already be covered by pmd_none_or_trans_huge_or_clear_bad() so the fix
is localized there but this bug is not related to THP.

NOTE: this can trigger on x86 32bit systems with PAE enabled with more
than 4G of ram, otherwise the high part of the pmd will never risk to be
truncated because it would be zero at all times, in turn so hiding the
SMP race.

This bug was discovered and fully debugged by Ulrich, quote:

----
[..]
pmd_none_or_trans_huge_or_clear_bad() loads the content of edx and
eax.

    496 static inline int pmd_none_or_trans_huge_or_clear_bad(pmd_t
    *pmd)
    497 {
    498         /* depend on compiler for an atomic pmd read */
    499         pmd_t pmdval = *pmd;

                                // edi = pmd pointer
0xc0507a74 <sys_mincore+548>:   mov    0x8(%esp),%edi
...
                                // edx = PTE page table high address
0xc0507a84 <sys_mincore+564>:   mov    0x4(%edi),%edx
...
                                // eax = PTE page table low address
0xc0507a8e <sys_mincore+574>:   mov    (%edi),%eax

[..]

Please note that the PMD is not read atomically. These are two "mov"
instructions where the high order bits of the PMD entry are fetched
first. Hence, the above machine code is prone to the following race.

-  The PMD entry {high|low} is 0x0000000000000000.
   The "mov" at 0xc0507a84 loads 0x00000000 into edx.

-  A page fault (on another CPU) sneaks in between the two "mov"
   instructions and instantiates the PMD.

-  The PMD entry {high|low} is now 0x00000003fda38067.
   The "mov" at 0xc0507a8e loads 0xfda38067 into eax.
----

Reported-by: Ulrich Obergfell <uobergfe@redhat.com>
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Hugh Dickins <hughd@google.com>
Cc: Larry Woodman <lwoodman@redhat.com>
Cc: Petr Matousek <pmatouse@redhat.com>
Cc: Rik van Riel <riel@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
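
The torn read quoted in the commit above, replayed deterministically in user space as an added example (not code from the commit or the kernel tree). `struct pmd_slot`, the `race_hook` callback and all function names are hypothetical; the hook stands in for the page fault on another CPU, and the populated value is the one quoted in the commit message.

```c
#include <stdint.h>
#include <stdio.h>

/* A PAE pmd entry is 64 bits wide, but a 32-bit CPU loads it as two words. */
struct pmd_slot {
    volatile uint32_t low;   /* present bit and low address bits */
    volatile uint32_t high;  /* address bits above 4G */
};

/* Hypothetical hook: what "another CPU" does between the two loads. */
typedef void (*race_hook)(struct pmd_slot *);

/* Populated entry {high|low} as quoted in the commit message. */
#define POPULATED_PMD 0x00000003fda38067ULL

/* Models the page fault instantiating the pmd (none -> populated). */
static void populate(struct pmd_slot *p)
{
    p->high = (uint32_t)(POPULATED_PMD >> 32);
    p->low = (uint32_t)POPULATED_PMD;
}

static void no_race(struct pmd_slot *p)
{
    (void)p;
}

/* Load order seen in the quoted disassembly: high word first, then low. */
static uint64_t read_high_then_low(struct pmd_slot *p, race_hook between)
{
    uint32_t high = p->high;
    between(p);
    uint32_t low = p->low;
    return ((uint64_t)high << 32) | low;
}

/*
 * Ordered read: low word first, and the high word only when the low word
 * is non-zero. Valid under the condition the commit names (THP disabled):
 * a pmd only goes from none to populated while the walker runs. A real
 * SMP reader also needs a read barrier between the two loads; this
 * single-threaded model does not.
 */
static uint64_t read_low_then_high(struct pmd_slot *p, race_hook between)
{
    uint64_t val = p->low;
    between(p);
    if (val)
        val |= (uint64_t)p->high << 32;
    return val;
}

/* A snapshot is consistent if it equals a value the entry really held. */
static int pmd_is_consistent(uint64_t val)
{
    return val == 0 || val == POPULATED_PMD;
}

/* Race hits the pre-fix read: old high half, new low half. */
static uint64_t torn_read_demo(void)
{
    struct pmd_slot p = { 0, 0 };
    return read_high_then_low(&p, populate);
}

/* Same race against the ordered read: it reports the earlier "none" state. */
static uint64_t ordered_read_demo(void)
{
    struct pmd_slot p = { 0, 0 };
    return read_low_then_high(&p, populate);
}

/* Entry already populated before the walk: the full value comes back. */
static uint64_t ordered_read_populated(void)
{
    struct pmd_slot p = { 0, 0 };
    populate(&p);
    return read_low_then_high(&p, no_race);
}

int main(void)
{
    uint64_t torn = torn_read_demo();
    uint64_t ordered = ordered_read_demo();

    printf("high-then-low under race: %#018llx consistent=%d\n",
           (unsigned long long)torn, pmd_is_consistent(torn));
    printf("low-then-high under race: %#018llx consistent=%d\n",
           (unsigned long long)ordered, pmd_is_consistent(ordered));
    printf("low-then-high, populated: %#018llx\n",
           (unsigned long long)ordered_read_populated());
    return 0;
}
```

The torn value keeps the present bit from the new low word but drops the 0x3 in the high word, which is why the race only shows on PAE systems with more than 4G of RAM.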
11 years ago rds: set correct msg_namelen
Weiping Pan [Mon, 23 Jul 2012 02:37:48 +0000 (10:37 +0800)]
rds: set correct msg_namelen

commit 06b6a1cf6e776426766298d055bb3991957d90a7 upstream.

Jay Fenlason (fenlason@redhat.com) found a bug,
that recvfrom() on an RDS socket can return the contents of random kernel
memory to userspace if it was called with an address length larger than
sizeof(struct sockaddr_in).
rds_recvmsg() also fails to set the addr_len parameter properly before
returning, but that's just a bug.
There are also a number of cases where recvfrom() can return an entirely bogus
address. Anything in rds_recvmsg() that returns a non-negative value but does
not go through the "sin = (struct sockaddr_in *)msg->msg_name;" code path
at the end of the while(1) loop will return up to 128 bytes of kernel memory
to userspace.

And I write two test programs to reproduce this bug, you will see that in
rds_server, fromAddr will be overwritten and the following sock_fd will be
destroyed.
Yes, it is the programmer's fault to set msg_namelen incorrectly, but it is
better to make the kernel copy the real length of address to user space in
such case.

How to run the test programs?
I test them on 32bit x86 system, 3.5.0-rc7.

1 compile
gcc -o rds_client rds_client.c
gcc -o rds_server rds_server.c

2 run ./rds_server on one console

3 run ./rds_client on another console

4 you will see something like:
server is waiting to receive data...
old socket fd=3
server received data from client:data from client
msg.msg_namelen=32
new socket fd=-1067277685
sendmsg()
: Bad file descriptor

/***************** rds_client.c ********************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(void)
{
    int sock_fd;
    struct sockaddr_in serverAddr;
    struct sockaddr_in toAddr;
    char recvBuffer[128] = "data from client";
    struct msghdr msg;
    struct iovec iov;

    sock_fd = socket(AF_RDS, SOCK_SEQPACKET, 0);
    if (sock_fd < 0) {
        perror("create socket error\n");
        exit(1);
    }

    memset(&serverAddr, 0, sizeof(serverAddr));
    serverAddr.sin_family = AF_INET;
    serverAddr.sin_addr.s_addr = inet_addr("127.0.0.1");
    serverAddr.sin_port = htons(4001);

    if (bind(sock_fd, (struct sockaddr*)&serverAddr, sizeof(serverAddr)) < 0) {
        perror("bind() error\n");
        close(sock_fd);
        exit(1);
    }

    memset(&toAddr, 0, sizeof(toAddr));
    toAddr.sin_family = AF_INET;
    toAddr.sin_addr.s_addr = inet_addr("127.0.0.1");
    toAddr.sin_port = htons(4000);
    msg.msg_name = &toAddr;
    msg.msg_namelen = sizeof(toAddr);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_iov->iov_base = recvBuffer;
    msg.msg_iov->iov_len = strlen(recvBuffer) + 1;
    msg.msg_control = 0;
    msg.msg_controllen = 0;
    msg.msg_flags = 0;

    if (sendmsg(sock_fd, &msg, 0) == -1) {
        perror("sendto() error\n");
        close(sock_fd);
        exit(1);
    }

    printf("client send data:%s\n", recvBuffer);

    memset(recvBuffer, '\0', 128);

    msg.msg_name = &toAddr;
    msg.msg_namelen = sizeof(toAddr);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_iov->iov_base = recvBuffer;
    msg.msg_iov->iov_len = 128;
    msg.msg_control = 0;
    msg.msg_controllen = 0;
    msg.msg_flags = 0;
    if (recvmsg(sock_fd, &msg, 0) == -1) {
        perror("recvmsg() error\n");
        close(sock_fd);
        exit(1);
    }

    printf("receive data from server:%s\n", recvBuffer);

    close(sock_fd);

    return 0;
}

/***************** rds_server.c ********************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(void)
{
    struct sockaddr_in fromAddr;
    int sock_fd;
    struct sockaddr_in serverAddr;
    unsigned int addrLen;
    char recvBuffer[128];
    struct msghdr msg;
    struct iovec iov;

    sock_fd = socket(AF_RDS, SOCK_SEQPACKET, 0);
    if(sock_fd < 0) {
        perror("create socket error\n");
        exit(0);
    }

    memset(&serverAddr, 0, sizeof(serverAddr));
    serverAddr.sin_family = AF_INET;
    serverAddr.sin_addr.s_addr = inet_addr("127.0.0.1");
    serverAddr.sin_port = htons(4000);
    if (bind(sock_fd, (struct sockaddr*)&serverAddr, sizeof(serverAddr)) < 0) {
        perror("bind error\n");
        close(sock_fd);
        exit(1);
    }

    printf("server is waiting to receive data...\n");
    msg.msg_name = &fromAddr;

    /*
     * I add 16 to sizeof(fromAddr), ie 32,
     * and pay attention to the definition of fromAddr,
     * recvmsg() will overwrite sock_fd,
     * since kernel will copy 32 bytes to userspace.
     *
     * If you just use sizeof(fromAddr), it works fine.
     * */
    msg.msg_namelen = sizeof(fromAddr) + 16;
    /* msg.msg_namelen = sizeof(fromAddr); */
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_iov->iov_base = recvBuffer;
    msg.msg_iov->iov_len = 128;
    msg.msg_control = 0;
    msg.msg_controllen = 0;
    msg.msg_flags = 0;

    while (1) {
        printf("old socket fd=%d\n", sock_fd);
        if (recvmsg(sock_fd, &msg, 0) == -1) {
            perror("recvmsg() error\n");
            close(sock_fd);
            exit(1);
        }
        printf("server received data from client:%s\n", recvBuffer);
        printf("msg.msg_namelen=%d\n", msg.msg_namelen);
        printf("new socket fd=%d\n", sock_fd);
        strcat(recvBuffer, "--data from server");
        if (sendmsg(sock_fd, &msg, 0) == -1) {
            perror("sendmsg()\n");
            close(sock_fd);
            exit(1);
        }
    }

    close(sock_fd);
    return 0;
}

Signed-off-by: Weiping Pan <wpan@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
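
A user-space model of the address copy-out described in the commit above, added here as an example (it is not the commit's reproducer and not kernel code). `model_recvmsg`, `server_frame`, `run_server_recv` and the 0xAA filler are constructed; the assumption is that the receive path copies `msg_namelen` bytes from a 128-byte kernel address buffer to `msg_name`, and that the patched path reports the real address length instead of the caller's.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

#define KADDR_SIZE 128   /* kernel-side address buffer (the commit's "up to 128 bytes") */
#define STALE_BYTE 0xAA  /* constructed marker for leftover kernel stack contents */

/* Models rds_server's stack as the commit describes it: sock_fd sits
 * directly behind fromAddr, so a 32-byte copy-out runs over it. */
struct server_frame {
    struct sockaddr_in from_addr;
    int sock_fd;
    unsigned char pad[12];
};

struct outcome {
    int sock_fd;       /* value of sock_fd after the receive */
    int stale_bytes;   /* marker bytes that reached user memory */
    int reported_len;  /* msg_namelen handed back to the caller */
};

/* Simplified receive path: fill the kernel address buffer, then copy
 * klen bytes of it to the caller's msg_name. */
static int model_recvmsg(void *msg_name, int *msg_namelen, int fixed)
{
    unsigned char kaddr[KADDR_SIZE];
    struct sockaddr_in sin;
    int klen = *msg_namelen;   /* unpatched: the caller's length is kept */

    memset(kaddr, STALE_BYTE, sizeof(kaddr));

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(4001);
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    memcpy(kaddr, &sin, sizeof(sin));

    if (fixed)
        klen = (int)sizeof(sin);   /* patched: report the real address length */
    if (klen < 0 || klen > KADDR_SIZE)
        return -1;

    memcpy(msg_name, kaddr, (size_t)klen);
    *msg_namelen = klen;
    return 0;
}

/* Runs one receive against the modelled server frame and reports what
 * happened to the memory behind from_addr. */
static struct outcome run_server_recv(int requested_namelen, int fixed)
{
    struct server_frame frame;
    struct outcome out = { -1, -1, -1 };
    const unsigned char *bytes = (const unsigned char *)&frame;
    int namelen = requested_namelen;
    size_t i;

    if (requested_namelen < 0 || (size_t)requested_namelen > sizeof(frame))
        return out;   /* keep the model's own copy inside the frame */

    memset(&frame, 0, sizeof(frame));
    frame.sock_fd = 3;   /* "old socket fd=3" in the commit's output */

    if (model_recvmsg(&frame, &namelen, fixed) != 0)
        return out;

    out.sock_fd = frame.sock_fd;
    out.reported_len = namelen;
    out.stale_bytes = 0;
    for (i = sizeof(frame.from_addr); i < sizeof(frame); i++)
        if (bytes[i] == STALE_BYTE)
            out.stale_bytes++;
    return out;
}

int main(void)
{
    int want = (int)sizeof(struct sockaddr_in) + 16;
    struct outcome before = run_server_recv(want, 0);
    struct outcome after = run_server_recv(want, 1);

    printf("unpatched: fd=%d stale=%d namelen=%d\n",
           before.sock_fd, before.stale_bytes, before.reported_len);
    printf("patched:   fd=%d stale=%d namelen=%d\n",
           after.sock_fd, after.stale_bytes, after.reported_len);
    return 0;
}
```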
11 years ago tcp: Apply device TSO segment limit earlier
Ben Hutchings [Mon, 30 Jul 2012 16:11:42 +0000 (16:11 +0000)]
tcp: Apply device TSO segment limit earlier

[ Upstream commit 1485348d2424e1131ea42efc033cbd9366462b01 ]

Cache the device gso_max_segs in sock::sk_gso_max_segs and use it to
limit the size of TSO skbs.  This avoids the need to fall back to
software GSO for local TCP senders.

Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago sfc: Fix maximum number of TSO segments and minimum TX queue size
Ben Hutchings [Mon, 30 Jul 2012 15:57:44 +0000 (15:57 +0000)]
sfc: Fix maximum number of TSO segments and minimum TX queue size

[ Upstream commit 7e6d06f0de3f74ca929441add094518ae332257c ]

Currently an skb requiring TSO may not fit within a minimum-size TX
queue.  The TX queue selected for the skb may stall and trigger the TX
watchdog repeatedly (since the problem skb will be retried after the
TX reset).  This issue is designated as CVE-2012-3412.

Set the maximum number of TSO segments for our devices to 100.  This
should make no difference to behaviour unless the actual MSS is less
than about 700.  Increase the minimum TX queue size accordingly to
allow for 2 worst-case skbs, so that there will definitely be space
to add an skb after we wake a queue.

To avoid invalidating existing configurations, change
efx_ethtool_set_ringparam() to fix up values that are too small rather
than returning -EINVAL.

Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago net: Allow driver to limit number of GSO segments per skb
Ben Hutchings [Mon, 30 Jul 2012 15:57:00 +0000 (15:57 +0000)]
net: Allow driver to limit number of GSO segments per skb

[ Upstream commit 30b678d844af3305cda5953467005cebb5d7b687 ]

A peer (or local user) may cause TCP to use a nominal MSS of as little
as 88 (actual MSS of 76 with timestamps).  Given that we have a
sufficiently prodigious local sender and the peer ACKs quickly enough,
it is nevertheless possible to grow the window for such a connection
to the point that we will try to send just under 64K at once.  This
results in a single skb that expands to 861 segments.

In some drivers with TSO support, such an skb will require hundreds of
DMA descriptors; a substantial fraction of a TX ring or even more than
a full ring.  The TX queue selected for the skb may stall and trigger
the TX watchdog repeatedly (since the problem skb will be retried
after the TX reset).  This particularly affects sfc, for which the
issue is designated as CVE-2012-3412.

Therefore:
1. Add the field net_device::gso_max_segs holding the device-specific
   limit.
2. In netif_skb_features(), if the number of segments is too high then
   mask out GSO features to force fall back to software GSO.

Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago cred: copy_process() should clear child->replacement_session_keyring
Oleg Nesterov [Mon, 9 Apr 2012 19:03:50 +0000 (21:03 +0200)]
cred: copy_process() should clear child->replacement_session_keyring

commit 79549c6dfda0603dba9a70a53467ce62d9335c33 upstream.

keyctl_session_to_parent(task) sets ->replacement_session_keyring,
it should be processed and cleared by key_replace_session_keyring().

However, this task can fork before it notices TIF_NOTIFY_RESUME and
the new child gets the bogus ->replacement_session_keyring copied by
dup_task_struct(). This is obviously wrong and, if nothing else, this
leads to put_cred(already_freed_cred).

Change copy_creds() to clear this member. If copy_process() fails
before this point the wrong ->replacement_session_keyring doesn't
matter, exit_creds() won't be called.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago hfsplus: Fix potential buffer overflows
Greg Kroah-Hartman [Fri, 4 May 2012 19:09:39 +0000 (12:09 -0700)]
hfsplus: Fix potential buffer overflows

commit 6f24f892871acc47b40dd594c63606a17c714f77 upstream.

Commit ec81aecb2966 ("hfs: fix a potential buffer overflow") fixed a few
potential buffer overflows in the hfs filesystem.  But as Timo Warns
pointed out, these changes also need to be made on the hfsplus
filesystem as well.

Reported-by: Timo Warns <warns@pre-sense.de>
Acked-by: WANG Cong <amwang@redhat.com>
Cc: Alexey Khoroshilov <khoroshilov@ispras.ru>
Cc: Miklos Szeredi <mszeredi@suse.cz>
Cc: Sage Weil <sage@newdream.net>
Cc: Eugene Teo <eteo@redhat.com>
Cc: Roman Zippel <zippel@linux-m68k.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Dave Anderson <anderson@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
11 years ago net: sock: validate data_len before allocating skb in sock_alloc_send_pskb()
Jason Wang [Wed, 30 May 2012 21:18:10 +0000 (21:18 +0000)]
net: sock: validate data_len before allocating skb in sock_alloc_send_pskb()

[ Upstream commit cc9b17ad29ecaa20bfe426a8d4dbfb94b13ff1cc ]

We need to validate the number of pages consumed by data_len, otherwise frags
array could be overflowed by userspace. So this patch validates data_len and
returns -EMSGSIZE when data_len may occupy more frags than MAX_SKB_FRAGS.

Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago mm: thp: fix pmd_bad() triggering in code paths holding mmap_sem read mode
Andrea Arcangeli [Wed, 21 Mar 2012 23:33:42 +0000 (16:33 -0700)]
mm: thp: fix pmd_bad() triggering in code paths holding mmap_sem read mode

commit 1a5a9906d4e8d1976b701f889d8f35d54b928f25 upstream.

In some cases it may happen that pmd_none_or_clear_bad() is called with
the mmap_sem held in read mode.  In those cases the huge page faults can
allocate hugepmds under pmd_none_or_clear_bad() and that can trigger a
false positive from pmd_bad() that will not like to see a pmd
materializing as trans huge.

It's not khugepaged causing the problem, khugepaged holds the mmap_sem
in write mode (and all those sites must hold the mmap_sem in read mode
to prevent pagetables to go away from under them, during code review it
seems vm86 mode on 32bit kernels requires that too unless it's
restricted to 1 thread per process or UP builds).  The race is only with
the huge pagefaults that can convert a pmd_none() into a
pmd_trans_huge().

Effectively all these pmd_none_or_clear_bad() sites running with
mmap_sem in read mode are somewhat speculative with the page faults, and
the result is always undefined when they run simultaneously.  This is
probably why it wasn't common to run into this.  For example if the
madvise(MADV_DONTNEED) runs zap_page_range() shortly before the page
fault, the hugepage will not be zapped, if the page fault runs first it
will be zapped.

Altering pmd_bad() not to error out if it finds hugepmds won't be enough
to fix this, because zap_pmd_range would then proceed to call
zap_pte_range (which would be incorrect if the pmd becomes a
pmd_trans_huge()).

The simplest way to fix this is to read the pmd in the local stack
(regardless of what we read, no need of actual CPU barriers, only
compiler barrier needed), and be sure it is not changing under the code
that computes its value.  Even if the real pmd is changing under the
value we hold on the stack, we don't care.  If we actually end up in
zap_pte_range it means the pmd was not none already and it was not huge,
and it can't become huge from under us (khugepaged locking explained
above).

All we need is to enforce that there is no way anymore that in a code
path like below, pmd_trans_huge can be false, but pmd_none_or_clear_bad
can run into a hugepmd.  The overhead of a barrier() is just a compiler
tweak and should not be measurable (I only added it for THP builds).  I
don't exclude different compiler versions may have prevented the race
too by caching the value of *pmd on the stack (that hasn't been
verified, but it wouldn't be impossible considering
pmd_none_or_clear_bad, pmd_bad, pmd_trans_huge, pmd_none are all inlines
and there's no external function called in between pmd_trans_huge and
pmd_none_or_clear_bad).

    if (pmd_trans_huge(*pmd)) {
        if (next-addr != HPAGE_PMD_SIZE) {
            VM_BUG_ON(!rwsem_is_locked(&tlb->mm->mmap_sem));
            split_huge_page_pmd(vma->vm_mm, pmd);
        } else if (zap_huge_pmd(tlb, vma, pmd, addr))
            continue;
        /* fall through */
    }
    if (pmd_none_or_clear_bad(pmd))

Because this race condition could be exercised without special
privileges this was reported in CVE-2012-1179.

The race was identified and fully explained by Ulrich who debugged it.
I'm quoting his accurate explanation below, for reference.

====== start quote =======
      mapcount 0 page_mapcount 1
      kernel BUG at mm/huge_memory.c:1384!

    At some point prior to the panic, a "bad pmd ..." message similar to the
    following is logged on the console:

      mm/memory.c:145: bad pmd ffff8800376e1f98(80000000314000e7).

    The "bad pmd ..." message is logged by pmd_clear_bad() before it clears
    the page's PMD table entry.

        143 void pmd_clear_bad(pmd_t *pmd)
        144 {
    ->  145         pmd_ERROR(*pmd);
        146         pmd_clear(pmd);
        147 }

    After the PMD table entry has been cleared, there is an inconsistency
    between the actual number of PMD table entries that are mapping the page
    and the page's map count (_mapcount field in struct page). When the page
    is subsequently reclaimed, __split_huge_page() detects this inconsistency.

       1381         if (mapcount != page_mapcount(page))
       1382                 printk(KERN_ERR "mapcount %d page_mapcount %d\n",
       1383                        mapcount, page_mapcount(page));
    -> 1384         BUG_ON(mapcount != page_mapcount(page));

    The root cause of the problem is a race of two threads in a multithreaded
    process. Thread B incurs a page fault on a virtual address that has never
    been accessed (PMD entry is zero) while Thread A is executing an madvise()
    system call on a virtual address within the same 2 MB (huge page) range.

               virtual address space
              .---------------------.
              |                     |
              |                     |
            .-|---------------------|
            | |                     |
            | |                     |<-- B(fault)
            | |                     |
      2 MB  | |/////////////////////|-.
      huge <  |/////////////////////|  > A(range)
      page  | |/////////////////////|-'
            | |                     |
            | |                     |
            '-|---------------------|
              |                     |
              |                     |
              '---------------------'

    - Thread A is executing an madvise(..., MADV_DONTNEED) system call
      on the virtual address range "A(range)" shown in the picture.

    sys_madvise
      // Acquire the semaphore in shared mode.
      down_read(&current->mm->mmap_sem)
      ...
      madvise_vma
        switch (behavior)
        case MADV_DONTNEED:
             madvise_dontneed
               zap_page_range
                 unmap_vmas
                   unmap_page_range
                     zap_pud_range
                       zap_pmd_range
                         //
                         // Assume that this huge page has never been accessed.
                         // I.e. content of the PMD entry is zero (not mapped).
                         //
                         if (pmd_trans_huge(*pmd)) {
                             // We don't get here due to the above assumption.
                         }
                         //
                         // Assume that Thread B incurred a page fault and
             .---------> // sneaks in here as shown below.
             |           //
             |           if (pmd_none_or_clear_bad(pmd))
             |               {
             |                 if (unlikely(pmd_bad(*pmd)))
             |                     pmd_clear_bad
             |                     {
             |                       pmd_ERROR
             |                         // Log "bad pmd ..." message here.
             |                       pmd_clear
             |                         // Clear the page's PMD entry.
             |                         // Thread B incremented the map count
             |                         // in page_add_new_anon_rmap(), but
             |                         // now the page is no longer mapped
             |                         // by a PMD entry (-> inconsistency).
             |                     }
             |               }
             |
             v
    - Thread B is handling a page fault on virtual address "B(fault)" shown
      in the picture.

    ...
    do_page_fault
      __do_page_fault
        // Acquire the semaphore in shared mode.
        down_read_trylock(&mm->mmap_sem)
        ...
        handle_mm_fault
          if (pmd_none(*pmd) && transparent_hugepage_enabled(vma))
              // We get here due to the above assumption (PMD entry is zero).
              do_huge_pmd_anonymous_page
                alloc_hugepage_vma
                  // Allocate a new transparent huge page here.
                ...
                __do_huge_pmd_anonymous_page
                  ...
                  spin_lock(&mm->page_table_lock)
                  ...
                  page_add_new_anon_rmap
                    // Here we increment the page's map count (starts at -1).
                    atomic_set(&page->_mapcount, 0)
                  set_pmd_at
                    // Here we set the page's PMD entry which will be cleared
                    // when Thread A calls pmd_clear_bad().
                  ...
                  spin_unlock(&mm->page_table_lock)

    The mmap_sem does not prevent the race because both threads are acquiring
    it in shared mode (down_read).  Thread B holds the page_table_lock while
    the page's map count and PMD table entry are updated.  However, Thread A
    does not synchronize on that lock.

====== end quote =======

[akpm@linux-foundation.org: checkpatch fixes]
Reported-by: Ulrich Obergfell <uobergfe@redhat.com>
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Hugh Dickins <hughd@google.com>
Cc: Dave Jones <davej@redhat.com>
Acked-by: Larry Woodman <lwoodman@redhat.com>
Acked-by: Rik van Riel <riel@redhat.com>
Cc: Mark Salter <msalter@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
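
The interleaving described in the commit message above, as a deterministic userspace model. This is an added example, not code from the commit or the kernel: the enum states, pmd_cell, pmd_load() and the zap_* functions are hypothetical names, and skipping a huge value seen in the snapshot is this model's assumption.

```c
#include <stdio.h>

/* Simplified pmd states for this model (not kernel types). */
enum pmd_state { PMD_NONE, PMD_TABLE, PMD_HUGE };

/* What the zap path ended up doing with the entry. */
enum zap_action {
    ZAP_SKIP,                  /* nothing to zap, move to the next pmd */
    ZAP_HUGE,                  /* took the huge-pmd branch */
    ZAP_PTES,                  /* walked the pte table */
    ZAP_CLEARED_LIVE_HUGE_PMD  /* the bug: "bad pmd" logged, entry cleared */
};

/*
 * Scripted memory cell. Every load returns the next scripted value, which
 * stands in for Thread B (the page fault) changing *pmd between two loads
 * made by Thread A (madvise). The last value repeats once the script ends.
 */
struct pmd_cell {
    const enum pmd_state *script;
    int len;
    int loads;
};

static enum pmd_state pmd_load(struct pmd_cell *c)
{
    int i = c->loads < c->len ? c->loads : c->len - 1;

    c->loads++;
    return c->script[i];
}

/* Pre-fix shape: every predicate dereferences the pmd again. */
static enum zap_action zap_racy(struct pmd_cell *pmd)
{
    if (pmd_load(pmd) == PMD_HUGE)          /* pmd_trans_huge(*pmd) */
        return ZAP_HUGE;
    if (pmd_load(pmd) == PMD_NONE)          /* pmd_none(*pmd) */
        return ZAP_SKIP;
    if (pmd_load(pmd) == PMD_HUGE)          /* pmd_bad(*pmd) trips on a hugepmd */
        return ZAP_CLEARED_LIVE_HUGE_PMD;   /* pmd_clear_bad(pmd) */
    return ZAP_PTES;
}

/* Post-fix shape: one load into a local, every decision made on that copy. */
static enum zap_action zap_snapshot(struct pmd_cell *pmd)
{
    enum pmd_state val;

    if (pmd_load(pmd) == PMD_HUGE)
        return ZAP_HUGE;
    /* In the kernel a barrier() follows this load so the compiler cannot
     * re-read *pmd; here the scripted cell makes each load explicit. */
    val = pmd_load(pmd);
    if (val == PMD_NONE || val == PMD_HUGE) /* assumption: leave a hugepmd alone */
        return ZAP_SKIP;
    return ZAP_PTES;
}

/* Run one zap variant against a fresh cell that replays the script. */
static enum zap_action run(enum zap_action (*fn)(struct pmd_cell *),
                           const enum pmd_state *script, int len)
{
    struct pmd_cell cell = { script, len, 0 };

    return fn(&cell);
}

int main(void)
{
    /* Constructed script: the entry is none, then the fault installs a hugepmd. */
    static const enum pmd_state race[] = { PMD_NONE, PMD_HUGE };

    printf("racy=%d snapshot=%d\n",
           (int)run(zap_racy, race, 2), (int)run(zap_snapshot, race, 2));
    return 0;
}
```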
11 years ago fcaps: clear the same personality flags as suid when fcaps are used
Eric Paris [Tue, 17 Apr 2012 20:26:54 +0000 (16:26 -0400)]
fcaps: clear the same personality flags as suid when fcaps are used

commit d52fc5dde171f030170a6cb78034d166b13c9445 upstream.

If a process increases permissions using fcaps all of the dangerous
personality flags which are cleared for suid apps should also be cleared.
Thus programs given privilege with fcaps will continue to have address space
randomization enabled even if the parent tried to disable it to make it
easier to attack.

Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago cifs: fix dentry refcount leak when opening a FIFO on lookup
Jeff Layton [Thu, 23 Feb 2012 14:37:45 +0000 (09:37 -0500)]
cifs: fix dentry refcount leak when opening a FIFO on lookup

commit 5bccda0ebc7c0331b81ac47d39e4b920b198b2cd upstream.

The cifs code will attempt to open files on lookup under certain
circumstances. What happens though if we find that the file we opened
was actually a FIFO or other special file?

Currently, the open filehandle just ends up being leaked leading to
a dentry refcount mismatch and oops on umount. Fix this by having the
code close the filehandle on the server if it turns out not to be a
regular file. While we're at it, change this spaghetti if statement
into a switch too.

Reported-by: CAI Qian <caiqian@redhat.com>
Tested-by: CAI Qian <caiqian@redhat.com>
Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago regset: Return -EFAULT, not -EIO, on host-side memory fault
H. Peter Anvin [Fri, 2 Mar 2012 18:43:49 +0000 (10:43 -0800)]
regset: Return -EFAULT, not -EIO, on host-side memory fault

commit 5189fa19a4b2b4c3bec37c3a019d446148827717 upstream.

There is only one error code to return for a bad user-space buffer
pointer passed to a system call in the same address space as the
system call is executed, and that is EFAULT.  Furthermore, the
low-level access routines, which catch most of the faults, return
EFAULT already.

Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Roland McGrath <roland@hack.frob.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago regset: Prevent null pointer reference on readonly regsets
H. Peter Anvin [Fri, 2 Mar 2012 18:43:48 +0000 (10:43 -0800)]
regset: Prevent null pointer reference on readonly regsets

commit c8e252586f8d5de906385d8cf6385fee289a825e upstream.

The regset common infrastructure assumed that regsets would always
have .get and .set methods, but not necessarily .active methods.
Unfortunately people have since written regsets without .set methods.

Rather than putting in stub functions everywhere, handle regsets with
null .get or .set methods explicitly.

Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Roland McGrath <roland@hack.frob.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago igmp: Avoid zero delay when receiving odd mixture of IGMP queries
Ben Hutchings [Mon, 9 Jan 2012 22:06:46 +0000 (14:06 -0800)]
igmp: Avoid zero delay when receiving odd mixture of IGMP queries

commit a8c1f65c79cbbb2f7da782d4c9d15639a9b94b27 upstream.

Commit 5b7c84066733c5dfb0e4016d939757b38de189e4 ('ipv4: correct IGMP
behavior on v3 query during v2-compatibility mode') added yet another
case for query parsing, which can result in max_delay = 0.  Substitute
a value of 1, as in the usual v3 case.

Reported-by: Simon McVittie <smcv@debian.org>
References: http://bugs.debian.org/654876
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
11 years ago mm: memcg: Correct unregistring of events attached to the same eventfd
Anton Vorontsov [Fri, 24 Feb 2012 01:14:46 +0000 (05:14 +0400)]
mm: memcg: Correct unregistring of events attached to the same eventfd

commit 371528caec553785c37f73fa3926ea0de84f986f upstream.

There is an issue when memcg unregisters events that were attached to
the same eventfd:

- On the first call mem_cgroup_usage_unregister_event() removes all
  events attached to a given eventfd, and if there were no events left,
  thresholds->primary would become NULL;

- Since there were several events registered, cgroups core will call
  mem_cgroup_usage_unregister_event() again, but now kernel will oops,
  as the function doesn't expect that threshold->primary may be NULL.

That's a good question whether mem_cgroup_usage_unregister_event()
should actually remove all events in one go, but nowadays it can't
do any better as cftype->unregister_event callback doesn't pass
any private event-associated cookie. So, let's fix the issue by
simply checking for threshold->primary.

FWIW, w/o the patch the following oops may be observed:

 BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
 IP: [<ffffffff810be32c>] mem_cgroup_usage_unregister_event+0x9c/0x1f0
 Pid: 574, comm: kworker/0:2 Not tainted 3.3.0-rc4+ #9 Bochs Bochs
 RIP: 0010:[<ffffffff810be32c>]  [<ffffffff810be32c>] mem_cgroup_usage_unregister_event+0x9c/0x1f0
 RSP: 0018:ffff88001d0b9d60  EFLAGS: 00010246
 Process kworker/0:2 (pid: 574, threadinfo ffff88001d0b8000, task ffff88001de91cc0)
 Call Trace:
  [<ffffffff8107092b>] cgroup_event_remove+0x2b/0x60
  [<ffffffff8103db94>] process_one_work+0x174/0x450
  [<ffffffff8103e413>] worker_thread+0x123/0x2d0

Signed-off-by: Anton Vorontsov <anton.vorontsov@linaro.org>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Kirill A. Shutemov <kirill@shutemov.name>
Cc: Michal Hocko <mhocko@suse.cz>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago jbd2: clear BH_Delay & BH_Unwritten in journal_unmap_buffer
Eric Sandeen [Mon, 20 Feb 2012 22:53:01 +0000 (17:53 -0500)]
jbd2: clear BH_Delay & BH_Unwritten in journal_unmap_buffer

commit 15291164b22a357cb211b618adfef4fa82fc0de3 upstream.

journal_unmap_buffer()'s zap_buffer: code clears a lot of buffer head
state ala discard_buffer(), but does not touch _Delay or _Unwritten as
discard_buffer() does.

This can be problematic in some areas of the ext4 code which assume
that if they have found a buffer marked unwritten or delay, then it's
a live one.  Perhaps those spots should check whether it is mapped
as well, but if jbd2 is going to tear down a buffer, let's really
tear it down completely.

Without this I get some fsx failures on sub-page-block filesystems
up until v3.2, at which point 4e96b2dbbf1d7e81f22047a50f862555a6cb87cb
and 189e868fa8fdca702eb9db9d8afc46b5cb9144c9 make the failures go
away, because buried within that large change is some more flag
clearing.  I still think it's worth doing in jbd2, since
->invalidatepage leads here directly, and it's the right place
to clear away these flags.

Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago drm: integer overflow in drm_mode_dirtyfb_ioctl()
Xi Wang [Wed, 23 Nov 2011 06:12:01 +0000 (01:12 -0500)]
drm: integer overflow in drm_mode_dirtyfb_ioctl()

commit a5cd335165e31db9dbab636fd29895d41da55dd2 upstream.

There is a potential integer overflow in drm_mode_dirtyfb_ioctl()
if userspace passes in a large num_clips.  The call to kmalloc would
allocate a small buffer, and the call to fb->funcs->dirty may result
in a memory corruption.

Reported-by: Haogang Chen <haogangchen@gmail.com>
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
11 years ago drm/i915: fix integer overflow in i915_gem_do_execbuffer()
Xi Wang [Mon, 23 Apr 2012 08:06:42 +0000 (04:06 -0400)]
drm/i915: fix integer overflow in i915_gem_do_execbuffer()

commit 44afb3a04391a74309d16180d1e4f8386fdfa745 upstream.

On 32-bit systems, a large args->num_cliprects from userspace via ioctl
may overflow the allocation size, leading to out-of-bounds access.

This vulnerability was introduced in commit 432e58ed ("drm/i915: Avoid
allocation for execbuffer object list").

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago drm/i915: fix integer overflow in i915_gem_execbuffer2()
Xi Wang [Mon, 23 Apr 2012 08:06:41 +0000 (04:06 -0400)]
drm/i915: fix integer overflow in i915_gem_execbuffer2()

commit ed8cd3b2cd61004cab85380c52b1817aca1ca49b upstream.

On 32-bit systems, a large args->buffer_count from userspace via ioctl
may overflow the allocation size, leading to out-of-bounds access.

This vulnerability was introduced in commit 8408c282 ("drm/i915:
First try a normal large kmalloc for the temporary exec buffers").

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
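
The allocation-size overflow behind the drm_mode_dirtyfb_ioctl() fix and the two i915 fixes above, modelled with explicit 32-bit arithmetic. This is an added example, not code from those commits: struct clip_rect, MAX_CLIPS and all function names are hypothetical, and the sample values are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for one array element: 8 bytes. */
struct clip_rect { uint16_t x1, y1, x2, y2; };

/* Hypothetical policy limit on elements per request (assumption). */
#define MAX_CLIPS 256u

/* Size as a 32-bit kernel computes it: the product wraps modulo 2^32. */
static uint32_t alloc_size_unchecked(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* How many elements a buffer of `bytes` bytes really holds. */
static uint32_t elems_backed(uint32_t bytes, uint32_t elem_size)
{
    return bytes / elem_size;
}

/*
 * Overflow-safe size computation. Returns 0 and stores the size in *out,
 * -EINVAL if count is zero or above the policy limit, or -EOVERFLOW if
 * the product does not fit in 32 bits.
 */
static int alloc_size_checked(uint32_t count, uint32_t elem_size,
                              uint32_t max_count, uint32_t *out)
{
    if (count == 0 || count > max_count)
        return -EINVAL;
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return -EOVERFLOW;
    *out = count * elem_size;
    return 0;
}

/*
 * Model of a handler that copies `count` caller-supplied elements.
 * The count is validated before any allocation or copy takes place.
 */
static int clips_dup(const struct clip_rect *src, uint32_t count,
                     struct clip_rect **out)
{
    uint32_t bytes;
    int ret = alloc_size_checked(count, sizeof(*src), MAX_CLIPS, &bytes);

    if (ret)
        return ret;
    *out = malloc(bytes);
    if (!*out)
        return -ENOMEM;
    memcpy(*out, src, bytes);
    return 0;
}

int main(void)
{
    uint32_t count = 0x20000001u;   /* constructed oversized element count */
    uint32_t bytes = alloc_size_unchecked(count, sizeof(struct clip_rect));

    printf("claimed elements: %u, bytes allocated: %u, elements backed: %u\n",
           (unsigned)count, (unsigned)bytes,
           (unsigned)elems_backed(bytes, sizeof(struct clip_rect)));
    return 0;
}
```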
11 years ago KVM: Ensure all vcpus are consistent with in-kernel irqchip settings
Avi Kivity [Mon, 5 Mar 2012 12:23:29 +0000 (14:23 +0200)]
KVM: Ensure all vcpus are consistent with in-kernel irqchip settings

(cherry picked from commit 3e515705a1f46beb1c942bb8043c16f8ac7b1e9e)

If some vcpus are created before KVM_CREATE_IRQCHIP, then
irqchip_in_kernel() and vcpu->arch.apic will be inconsistent, leading
to potential NULL pointer dereferences.

Fix by:
- ensuring that no vcpus are installed when KVM_CREATE_IRQCHIP is called
- ensuring that a vcpu has an apic if it is installed after KVM_CREATE_IRQCHIP

This is somewhat long winded because vcpu->arch.apic is created without
kvm->lock held.

Based on earlier patch by Michael Ellerman.

Signed-off-by: Michael Ellerman <michael@ellerman.id.au>
Signed-off-by: Avi Kivity <avi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
11 years ago KVM: unmap pages from the iommu when slots are removed
Alex Williamson [Fri, 27 Apr 2012 21:54:08 +0000 (16:54 -0500)]
KVM: unmap pages from the iommu when slots are removed

commit 32f6daad4651a748a58a3ab6da0611862175722f upstream.

We've been adding new mappings, but not destroying old mappings.
This can lead to a page leak as pages are pinned using
get_user_pages, but only unpinned with put_page if they still
exist in the memslots list on vm shutdown.  A memslot that is
destroyed while an iommu domain is enabled for the guest will
therefore result in an elevated page reference count that is
never cleared.

Additionally, without this fix, the iommu is only programmed
with the first translation for a gpa.  This can result in
peer-to-peer errors if a mapping is destroyed and replaced by a
new mapping at the same gpa as the iommu will still be pointing
to the original, pinned memory address.

Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago hugepages: fix use after free bug in "quota" handling
David Gibson [Wed, 21 Mar 2012 23:34:12 +0000 (16:34 -0700)]
hugepages: fix use after free bug in "quota" handling

commit 90481622d75715bfcb68501280a917dbfe516029 upstream.

hugetlbfs_{get,put}_quota() are badly named.  They don't interact with the
general quota handling code, and they don't much resemble its behaviour.
Rather than being about maintaining limits on on-disk block usage by
particular users, they are instead about maintaining limits on in-memory
page usage (including anonymous MAP_PRIVATE copied-on-write pages)
associated with a particular hugetlbfs filesystem instance.

Worse, they work by having callbacks to the hugetlbfs filesystem code from
the low-level page handling code, in particular from free_huge_page().
This is a layering violation of itself, but more importantly, if the
kernel does a get_user_pages() on hugepages (which can happen from KVM
amongst others), then the free_huge_page() can be delayed until after the
associated inode has already been freed.  If an unmount occurs at the
wrong time, even the hugetlbfs superblock where the "quota" limits are
stored may have been freed.

Andrew Barry proposed a patch to fix this by having hugepages, instead of
storing a pointer to their address_space and reaching the superblock from
there, store pointers directly to the superblock,
bumping the reference count as appropriate to avoid it being freed.
Andrew Morton rejected that version, however, on the grounds that it made
the existing layering violation worse.

This is a reworked version of Andrew's patch, which removes the extra, and
some of the existing, layering violation.  It works by introducing the
concept of a hugepage "subpool" at the lower hugepage mm layer - that is a
finite logical pool of hugepages to allocate from.  hugetlbfs now creates
a subpool for each filesystem instance with a page limit set, and a
pointer to the subpool gets added to each allocated hugepage, instead of
the address_space pointer used now.  The subpool has its own lifetime and
is only freed once all pages in it _and_ all other references to it (i.e.
superblocks) are gone.

subpools are optional - a NULL subpool pointer is taken by the code to
mean that no subpool limits are in effect.

Previous discussion of this bug found in:  "Fix refcounting in hugetlbfs
quota handling.". See:  https://lkml.org/lkml/2011/8/11/28 or
http://marc.info/?l=linux-mm&m=126928970510627&w=1

v2: Fixed a bug spotted by Hillf Danton, and removed the extra parameter to
alloc_huge_page() - since it already takes the vma, it is not necessary.

Signed-off-by: Andrew Barry <abarry@cray.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Cc: Hugh Dickins <hughd@google.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Minchan Kim <minchan.kim@gmail.com>
Cc: Hillf Danton <dhillf@gmail.com>
Cc: Paul Mackerras <paulus@samba.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.2: adjust context to apply after commit
 c50ac050811d6485616a193eb0f37bfbd191cc89 'hugetlb: fix resv_map leak in
 error path', backported in 3.2.20]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
11 years ago hugetlb: fix resv_map leak in error path
Dave Hansen [Tue, 29 May 2012 22:06:46 +0000 (15:06 -0700)]
hugetlb: fix resv_map leak in error path

commit c50ac050811d6485616a193eb0f37bfbd191cc89 and
4523e1458566a0e8ecfaff90f380dd23acc44d27 upstream.

When called for anonymous (non-shared) mappings, hugetlb_reserve_pages()
does a resv_map_alloc().  It depends on code in hugetlbfs's
vm_ops->close() to release that allocation.

However, in the mmap() failure path, we do a plain unmap_region() without
the remove_vma() which actually calls vm_ops->close().

This is a decent fix.  This leak could get reintroduced if new code (say,
after hugetlb_reserve_pages() in hugetlbfs_file_mmap()) decides to return
an error.  But, I think it would have to unroll the reservation anyway.

Christoph's test case:

http://marc.info/?l=linux-mm&m=133728900729735

This patch applies to 3.4 and later.  A version for earlier kernels is at
https://lkml.org/lkml/2012/5/22/418.

Signed-off-by: Dave Hansen <dave@linux.vnet.ibm.com>
Acked-by: Mel Gorman <mel@csn.ul.ie>
Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Reported-by: Christoph Lameter <cl@linux.com>
Tested-by: Christoph Lameter <cl@linux.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago ext4: fix undefined behavior in ext4_fill_flex_info()
Xi Wang [Tue, 10 Jan 2012 16:51:10 +0000 (11:51 -0500)]
ext4: fix undefined behavior in ext4_fill_flex_info()

commit d50f2ab6f050311dbf7b8f5501b25f0bf64a439b upstream.

Commit 503358ae01b70ce6909d19dd01287093f6b6271c ("ext4: avoid divide by
zero when trying to mount a corrupted file system") fixes CVE-2009-4307
by performing a sanity check on s_log_groups_per_flex, since it can be
set to a bogus value by an attacker.

	sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex;
	groups_per_flex = 1 << sbi->s_log_groups_per_flex;

	if (groups_per_flex < 2) { ... }

This patch fixes two potential issues in the previous commit.

1) The sanity check might only work on architectures like PowerPC.
On x86, 5 bits are used for the shifting amount.  That means, given a
large s_log_groups_per_flex value like 36, groups_per_flex = 1 << 36
is essentially 1 << 4 = 16, rather than 0.  This will bypass the check,
leaving s_log_groups_per_flex and groups_per_flex inconsistent.

2) The sanity check relies on undefined behavior, i.e., oversized shift.
A standard-conforming C compiler could rewrite the check in unexpected
ways.  Consider the following equivalent form, assuming groups_per_flex
is unsigned for simplicity.

	groups_per_flex = 1 << sbi->s_log_groups_per_flex;
	if (groups_per_flex == 0 || groups_per_flex == 1) {

We compile the code snippet using Clang 3.0 and GCC 4.6.  Clang will
completely optimize away the check groups_per_flex == 0, leaving the
patched code as vulnerable as the original.  GCC keeps the check, but
there is no guarantee that future versions will do the same.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
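
The shift-then-check pattern from the commit message above, next to a check on the shift count itself. This is an added example, not the ext4 patch: all names are hypothetical, the field is taken as an 8-bit value, the 1..31 range is an assumption for a 32-bit unsigned result, and the oversized shift is modelled with the 5-bit x86 rule the message describes so the demo contains no undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>

/* Result of validating the on-disk log2 value. */
struct flex_info {
    int      enabled;          /* 1 if the value is usable */
    unsigned log_groups;       /* validated shift count */
    unsigned groups_per_flex;  /* 1u << log_groups, or 0 when disabled */
};

/*
 * Model of "1 << count" on x86 as described in the commit message: only
 * the low 5 bits of the count are used. Written with an explicit mask so
 * this program never performs an oversized shift.
 */
static unsigned shift_as_x86(unsigned count)
{
    return 1u << (count & 31u);
}

/*
 * Weak check, same shape as the quoted snippet: shift first, then look
 * at the result. Returns 1 when the value is accepted.
 */
static int weak_check_accepts(uint8_t log_groups)
{
    unsigned groups_per_flex = shift_as_x86(log_groups);

    return groups_per_flex >= 2;
}

/*
 * Hardened check: validate the shift count before shifting, so the
 * stored count and the derived group size can never disagree.
 */
static struct flex_info flex_info_from_disk(uint8_t log_groups)
{
    struct flex_info fi = { 0, 0, 0 };

    if (log_groups < 1 || log_groups > 31)
        return fi;             /* out of range: feature disabled */
    fi.enabled = 1;
    fi.log_groups = log_groups;
    fi.groups_per_flex = 1u << log_groups;
    return fi;
}

int main(void)
{
    /* Constructed sample values for the on-disk field. */
    static const uint8_t samples[] = { 0, 1, 4, 31, 32, 36, 255 };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct flex_info fi = flex_info_from_disk(samples[i]);

        printf("log=%3u weak_accepts=%d weak_groups=%u hardened_enabled=%d groups=%u\n",
               (unsigned)samples[i], weak_check_accepts(samples[i]),
               shift_as_x86(samples[i]), fi.enabled, fi.groups_per_flex);
    }
    return 0;
}
```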
11 years ago procfs: fix a vfsmount longterm reference leak
Al Viro [Fri, 9 Dec 2011 04:20:45 +0000 (23:20 -0500)]
procfs: fix a vfsmount longterm reference leak

kern_mount() doesn't pair with plain mntput()...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago VFS : mount lock scalability for internal mounts
Tim Chen [Tue, 19 Jul 2011 16:32:38 +0000 (09:32 -0700)]
VFS : mount lock scalability for internal mounts

For a number of file systems that don't have a mount point (e.g. sockfs
and pipefs), they are not marked as long term. Therefore in
mntput_no_expire, all locks in vfs_mount lock are taken instead of just
local cpu's lock to aggregate reference counts when we release
reference to file objects.  In fact, only the local lock needs to be
taken to update ref counts as these file systems are in no danger of
going away until we are ready to unregister them.

The attached patch marks file systems using kern_mount without
mount point as long term.  The contention on the vfs_mount lock
is now eliminated.  Before un-registering such file system,
kern_unmount should be called to remove the long term flag and
make the mount point ready to be freed.

Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago KVM: x86: fix missing checks in syscall emulation
Stephan Bärwolf [Thu, 12 Jan 2012 15:43:04 +0000 (16:43 +0100)]
KVM: x86: fix missing checks in syscall emulation

commit c2226fc9e87ba3da060e47333657cd6616652b84 upstream.

On hosts without this patch, 32bit guests will crash (and 64bit guests
may behave in a wrong way) for example by simply executing the following
nasm-demo-application:

    [bits 32]
    global _start
    SECTION .text
    _start: syscall

(I tested it with winxp and linux - both always crashed)

    Disassembly of section .text:

    00000000 <_start>:
       0:   0f 05                   syscall

The reason seems to be a missing "invalid opcode"-trap (int6) for the
syscall opcode "0f05", which is not available on Intel CPUs
within non-longmodes, as well as on some AMD CPUs within legacy-mode.
(depending on CPU vendor, MSR_EFER and cpuid)

Because the previously mentioned OSs may not engage the corresponding
syscall target-registers (STAR, LSTAR, CSTAR), they remain
NULL and (non trapping) syscalls are leading to multiple
faults and finally crashes.

Depending on the architecture (AMD or Intel) pretended by
guests, various checks according to vendor's documentation
are implemented to overcome the current issue and behave
like the CPUs physical counterparts.

[mtosatti: cleanup/beautify code]

Signed-off-by: Stephan Baerwolf <stephan.baerwolf@tu-ilmenau.de>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
11 years ago xfs: fix acl count validation in xfs_acl_from_disk()
Xi Wang [Mon, 12 Dec 2011 21:55:52 +0000 (21:55 +0000)]
xfs: fix acl count validation in xfs_acl_from_disk()

commit 093019cf1b18dd31b2c3b77acce4e000e2cbc9ce upstream.

Commit fa8b18ed didn't prevent the integer overflow and possible
memory corruption.  "count" can go negative and bypass the check.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Ben Myers <bpm@sgi.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
11 years ago xfs: validate acl count
Christoph Hellwig [Tue, 6 Dec 2011 21:21:05 +0000 (16:21 -0500)]
xfs: validate acl count

commit fa8b18edd752a8b4e9d1ee2cd615b82c93cf8bba upstream.

This prevents in-memory corruption and possible panics if the on-disk
ACL is badly corrupted.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Ben Myers <bpm@sgi.com>
Acked-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
11 years ago Fix net/Makefile
Markus Lehtonen [Thu, 7 Feb 2013 10:29:59 +0000 (12:29 +0200)]
Fix net/Makefile

Remove nonexistent entries, to allow 'make mrproper'.

Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
11 years ago Update changelog
Markus Lehtonen [Wed, 3 Apr 2013 11:18:02 +0000 (14:18 +0300)]
Update changelog

Change-Id: Iff435b688caa6cc80ef02a2caaaf7497a9c23cf9
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
11 years ago Enable 'perf' tool for performance tunning.
Austin Zhang [Tue, 5 Mar 2013 09:35:04 +0000 (17:35 +0800)]
Enable 'perf' tool for performance tunning.

Change-Id: I2ebe9b101b71926c1ed36ef5890bb4b2efc22cdb
Signed-off-by: Austin Zhang <austin.zhang@intel.com>
11 years ago Enable security hardening options in kernel
Elena Reshetova [Tue, 5 Feb 2013 13:25:59 +0000 (15:25 +0200)]
Enable security hardening options in kernel

Change-Id: Id10b561335ad8f01519a621001059fc817dc4ef6

11 years ago Update changelog
Markus Lehtonen [Mon, 4 Mar 2013 14:16:20 +0000 (16:16 +0200)]
Update changelog

Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
11 years ago camera: keep exposure from previous frame in still image mode change.
Marko Ollonen [Wed, 23 Jan 2013 15:00:55 +0000 (17:00 +0200)]
camera: keep exposure from previous frame in still image mode change.

11 years ago camera: exposure value query to mt9e013
Marko Ollonen [Wed, 23 Jan 2013 07:39:35 +0000 (09:39 +0200)]
camera: exposure value query to mt9e013

11 years ago n_gsm: Remove unused include
Nicolas Bertrand [Thu, 7 Feb 2013 16:57:12 +0000 (17:57 +0100)]
n_gsm: Remove unused include

11 years ago pvr: enable bc_video driver
Li Peng [Tue, 29 Jan 2013 06:49:28 +0000 (14:49 +0800)]
pvr: enable bc_video driver

Change-Id: I62216f7310c6c457593ce8a5b5e4110e124f6644
Signed-off-by: Li Peng <peng.li@intel.com>
11 years ago wl12xx: build two wireless tools calibrate and wlan_prov
Arron Wang [Wed, 23 Jan 2013 06:46:22 +0000 (14:46 +0800)]
wl12xx: build two wireless tools calibrate and wlan_prov

Change-Id: Ieb6082039cd31798d78962ab292175cd89e56ef0

11 years ago Merge "Support usb mode framework in Tizen"
Markus Lehtonen [Wed, 5 Dec 2012 14:34:46 +0000 (23:34 +0900)]
Merge "Support usb mode framework in Tizen"

11 years ago Support usb mode framework in Tizen
Chengwei Yang [Wed, 5 Dec 2012 09:34:23 +0000 (17:34 +0800)]
Support usb mode framework in Tizen

So far, we have a forked usb-server for PR3 to make sure the usb mode
framework works on PR3. However, we'd like to patch the kernel now rather
than maintain another forked package.

This is the correct way because there may be no way to work this out without
patching the kernel in future. So it's better to patch one rather than two.

Change-Id: I3ac4052c288b2a647fe560f42308872d1de2741f
Signed-off-by: Chengwei Yang <chengwei.yang@intel.com>
11 years ago config: Enable NFC p2p support
Arron Wang [Thu, 22 Nov 2012 07:08:50 +0000 (15:08 +0800)]
config: Enable NFC p2p support

Change-Id: Icef6b4de2a9d6c735bc7186cbb621192fdd96637
Signed-off-by: Arron Wang <arron.wang@intel.com>
11 years ago NFC: Backport upstream latest NFC code
Arron Wang [Thu, 22 Nov 2012 07:07:52 +0000 (15:07 +0800)]
NFC: Backport upstream latest NFC code

Change-Id: Icdf455992d8fb88596038a6b6ac1823436480a06
Signed-off-by: Arron Wang <arron.wang@intel.com>
11 years ago Disable console output on screen
Chengwei Yang [Mon, 29 Oct 2012 06:25:16 +0000 (14:25 +0800)]
Disable console output on screen

Change-Id: I9c559abc6b2270611c9ded3ef6ba338f4bdeaf93
Signed-off-by: Chengwei Yang <chengwei.yang@intel.com>
11 years ago Update changelog
Markus Lehtonen [Thu, 25 Oct 2012 11:35:39 +0000 (14:35 +0300)]
Update changelog

Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
11 years ago Merge branch 'devel'
Markus Lehtonen [Thu, 25 Oct 2012 11:27:22 +0000 (14:27 +0300)]
Merge branch 'devel'

11 years ago Merge "gfx: delay gfx h/w resume if early_suspend flag is true" into devel
Wang, Yong [Thu, 25 Oct 2012 08:43:15 +0000 (01:43 -0700)]
Merge "gfx: delay gfx h/w resume if early_suspend flag is true" into devel

11 years ago gfx: delay gfx h/w resume if early_suspend flag is true
Li Peng [Thu, 25 Oct 2012 02:31:18 +0000 (10:31 +0800)]
gfx: delay gfx h/w resume if early_suspend flag is true

Here early_suspend means we trigger gfx suspend at screen off,
which is gfx_runtime_suspend, and there are two points that we
can resume gfx back: gfx_resume() and gfx_runtime_resume().

The two functions look the same, but in reality delaying gfx resume to
gfx_runtime_resume() works better than gfx_resume(), because we
see some cases where the screen can't resume back from gfx_resume().

Change-Id: I133a035cae0202f913ba918f798859fff0b920c0

Signed-off-by: Li Peng <peng.li@intel.com>
11 years ago atomisp: do not do full release if more video pipes are on use
Yong Wang [Wed, 24 Oct 2012 00:42:00 +0000 (08:42 +0800)]
atomisp: do not do full release if more video pipes are on use

The bug (TZSP-3288) is more or less easily reproducible on systems with
udev-like software. The helper (v4l_id) is run in parallel for all /dev/videoX
nodes twice with the only purpose of checking capabilities:

 ->open("/dev/videoX")
 ->ioctl(VIDIOC_QUERYCAP)
 ->release("/dev/videoX")

The atomisp_open() call does a two-stage init of the internal structures. In
the case of the 1st opened node it does a full (stage 1 + stage 2) init. Otherwise it is
a fast path (stage 1 only).

However, atomisp_release() does a fast path for non-main pipes as well. This
triggers the unbalanced power management calls:

 ->open
   -> stage 1
     -> stage 2
       -> pm_runtime_get_sync
 ->release
   -> stage 1
     -> is_main? -> (no) -> fast path

The patch is a rough approach to fix this. Any better solution is welcome.

Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Tested-by: Yong Wang <yong.y.wang@intel.com>
11 years ago packaging: rename spec and changelog files
Markus Lehtonen [Tue, 23 Oct 2012 14:52:01 +0000 (17:52 +0300)]
packaging: rename spec and changelog files

To reflect the new RPM package name

Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
11 years ago Rename package to kernel-mfld-blackbay
Markus Lehtonen [Mon, 22 Oct 2012 12:00:46 +0000 (15:00 +0300)]
Rename package to kernel-mfld-blackbay

Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
11 years ago Update changelog
Markus Lehtonen [Mon, 22 Oct 2012 11:36:51 +0000 (14:36 +0300)]
Update changelog

Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
11 years ago Merge changes I24aa0ada,I1ea490fa,Icd2c967a,I141a80e4,I31cad4f6,Ib1e59c1f,I6153487e...
Lehtonen, Markus [Mon, 22 Oct 2012 11:10:47 +0000 (04:10 -0700)]
Merge changes I24aa0ada,I1ea490fa,Icd2c967a,I141a80e4,I31cad4f6,Ib1e59c1f,I6153487e,I30dc58a5,I674745c3,I93f8da0c,Ic54db980,I9ca287ac,I153caac1,I9b40a8f1 into devel

* changes:
  Smack: setprocattr memory leak fix
  Smack: implement revoking all rules for a subject label
  Smack: remove task_wait() hook.
  smack: off by one error
  Smack: don't show empty rules when /smack/load or /smack/load2 is read
  Smack: user access check bounds
  Smack: onlycap limits on CAP_MAC_ADMIN
  Smack: fix smack_new_inode bogosities
  split ->file_mmap() into ->mmap_addr()/->mmap_file()
  split cap_mmap_addr() out of cap_file_mmap()
  SELinux: rename dentry_open to file_open
  Smack: allow for significantly longer Smack labels v4
  gfp flags for security_inode_alloc()?
  Smack: recursive tramsmute

11 years ago Enable TOPAZ power management; Remove useless files(lnc_*) for mrst
Yan Zhang [Mon, 22 Oct 2012 06:55:43 +0000 (14:55 +0800)]
Enable TOPAZ power management; Remove useless files(lnc_*) for mrst

11 years ago Smack: setprocattr memory leak fix
Casey Schaufler [Wed, 22 Aug 2012 18:44:03 +0000 (11:44 -0700)]
Smack: setprocattr memory leak fix

The data structure allocations being done in prepare_creds
are duplicated in smack_setprocattr. This results in the
structure allocated in prepare_creds being orphaned and
never freed. The duplicate code is removed from
smack_setprocattr.

Targeted for git://git.gitorious.org/smack-next/kernel.git

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
11 years ago Smack: implement revoking all rules for a subject label
Rafal Krypa [Wed, 11 Jul 2012 15:49:30 +0000 (17:49 +0200)]
Smack: implement revoking all rules for a subject label

Add /smack/revoke-subject special file. Writing a SMACK label to this file will
set the access to '-' for all access rules with that subject label.

Targeted for git://git.gitorious.org/smack-next/kernel.git

Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
11 years ago Smack: remove task_wait() hook.
Casey Schaufler [Fri, 10 Aug 2012 00:46:38 +0000 (17:46 -0700)]
Smack: remove task_wait() hook.

On 12/20/2011 11:20 PM, Jarkko Sakkinen wrote:
> Allow SIGCHLD to be passed to child process without
> explicit policy. This will help to keep the access
> control policy simple and easily maintainable with
> complex applications that require use of multiple
> security contexts. It will also help to keep them
> as isolated as possible.
>
> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@intel.com>

I have a slightly different version that applies to the
current smack-next tree.

Allow SIGCHLD to be passed to child process without
explicit policy. This will help to keep the access
control policy simple and easily maintainable with
complex applications that require use of multiple
security contexts. It will also help to keep them
as isolated as possible.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
 security/smack/smack_lsm.c |   37 ++++++++-----------------------------
 1 files changed, 8 insertions(+), 29 deletions(-)

11 years ago smack: off by one error
Alan Cox [Thu, 26 Jul 2012 21:47:11 +0000 (14:47 -0700)]
smack: off by one error

Consider the input case of a rule that consists entirely of non space
symbols followed by a \0. Say 64 + \0

In this case strlen(data) = 64
kzalloc of subject and object are 64 byte objects
sscanf(data, "%s %s %s", subject, ...)

will put 65 bytes into subject.

Signed-off-by: Alan Cox <alan@linux.intel.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: stable@vger.kernel.org
Signed-off-by: James Morris <james.l.morris@oracle.com>
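
The sizing mistake described in the commit message above, as an added user-space illustration that is not the commit's or the kernel's own code: a field buffer of strlen(data) bytes cannot hold a token that spans the whole input plus its terminator, while strlen(data) + 1 can. The helper names, `struct rule` and the use of calloc() in place of kzalloc() are assumptions made for this sketch; the 64-byte input is constructed to match the case in the message.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WS " \t\n\v\f\r"

/* Bytes "%s" stores for the first token of data (token + NUL), or 0 if none. */
static size_t first_token_store_size(const char *data)
{
    size_t len = strcspn(data + strspn(data, WS), WS);
    return len ? len + 1 : 0;
}

/* 1 if a strlen(data)-byte buffer holds the first token as "%s" stores it. */
static int fits_in_strlen_buffer(const char *data)
{
    return first_token_store_size(data) <= strlen(data);
}

struct rule { char *subject, *object, *access; }; /* hypothetical layout */

static void free_rule(struct rule *r)
{
    free(r->subject); free(r->object); free(r->access);
    memset(r, 0, sizeof(*r));
}

/* Size every field as strlen(data) + 1 so a token spanning the whole input
 * still has room for its terminator. Returns 0 on success, -1 on error. */
static int parse_rule(const char *data, struct rule *r)
{
    size_t n = strlen(data) + 1;

    r->subject = calloc(1, n);
    r->object = calloc(1, n);
    r->access = calloc(1, n);
    if (!r->subject || !r->object || !r->access ||
        sscanf(data, "%s %s %s", r->subject, r->object, r->access) != 3) {
        free_rule(r);
        return -1;
    }
    return 0;
}

/* Constructed input from the commit message: 64 non-space bytes + \0. */
static const char *sample_64(void)
{
    static char buf[65]; /* zero-initialised, so buf[64] stays '\0' */
    memset(buf, 'A', 64);
    return buf;
}

int main(void)
{
    struct rule r;
    printf("fits in strlen() buffer: %d\n", fits_in_strlen_buffer(sample_64()));
    printf("parse with +1 sizing: %d\n", parse_rule(sample_64(), &r));
    return 0;
}
```

The 64-byte token is rejected as a malformed rule (only one of three fields present), but it is rejected after being stored safely rather than after writing one byte past the allocation.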
11 years ago Smack: don't show empty rules when /smack/load or /smack/load2 is read
Rafal Krypa [Mon, 9 Jul 2012 17:36:34 +0000 (19:36 +0200)]
Smack: don't show empty rules when /smack/load or /smack/load2 is read

This patch removes empty rules (i.e. with access set to '-') from the
rule list presented to user space.

Smack by design never removes labels nor rules from its lists. Access
for a rule may be set to '-' to effectively disable it. Such rules would
show up in the listing generated when /smack/load or /smack/load2 is
read. This may cause clutter if many rules were disabled.

As a rule with access set to '-' is equivalent to no rule at all, they
may be safely hidden from the listing.

Targeted for git://git.gitorious.org/smack-next/kernel.git

Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
11 years ago Smack: user access check bounds
Casey Schaufler [Tue, 19 Jun 2012 02:01:36 +0000 (19:01 -0700)]
Smack: user access check bounds

Some of the bounds checking used on the /smack/access
interface was lost when support for long labels was
added. No kernel access checks are affected, however
this is a case where /smack/access could be used
incorrectly and fail to detect the error. This patch
reintroduces the original checks.

Targeted for git://git.gitorious.org/smack-next/kernel.git

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
11 years ago Smack: onlycap limits on CAP_MAC_ADMIN
Casey Schaufler [Tue, 5 Jun 2012 22:28:30 +0000 (15:28 -0700)]
Smack: onlycap limits on CAP_MAC_ADMIN

Smack is integrated with the POSIX capabilities scheme,
using the capabilities CAP_MAC_OVERRIDE and CAP_MAC_ADMIN to
determine if a process is allowed to ignore Smack checks or
change Smack related data respectively. Smack provides an
additional restriction that if an onlycap value is set
by writing to /smack/onlycap only tasks with that Smack
label are allowed to use CAP_MAC_OVERRIDE.

This change adds CAP_MAC_ADMIN as a capability that is affected
by the onlycap mechanism.

Targeted for git://git.gitorious.org/smack-next/kernel.git

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
11 years ago Smack: fix smack_new_inode bogosities
Casey Schaufler [Thu, 24 May 2012 00:46:58 +0000 (17:46 -0700)]
Smack: fix smack_new_inode bogosities

In January of 2012 Al Viro pointed out three bits of code that
he titled "new_inode_smack bogosities". This patch repairs these
errors.

1. smack_sb_kern_mount() included a NULL check that is impossible.
   The check and NULL case are removed.
2. smack_kb_kern_mount() included pointless locking. The locking is
   removed. Since this is the only place that lock was used the lock
   is removed from the superblock_smack structure.
3. smk_fill_super() incorrectly and unnecessarily set the Smack label
   for the smackfs root inode. The assignment has been removed.

Targeted for git://gitorious.org/smack-next/kernel.git

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
11 years ago split ->file_mmap() into ->mmap_addr()/->mmap_file()
Al Viro [Wed, 30 May 2012 17:30:51 +0000 (13:30 -0400)]
split ->file_mmap() into ->mmap_addr()/->mmap_file()

... i.e. file-dependent and address-dependent checks.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago split cap_mmap_addr() out of cap_file_mmap()
Al Viro [Wed, 30 May 2012 17:11:37 +0000 (13:11 -0400)]
split cap_mmap_addr() out of cap_file_mmap()

... switch callers.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
11 years ago SELinux: rename dentry_open to file_open
Eric Paris [Wed, 4 Apr 2012 17:45:40 +0000 (13:45 -0400)]
SELinux: rename dentry_open to file_open

dentry_open takes a file, rename it to file_open

Signed-off-by: Eric Paris <eparis@redhat.com>
Conflicts:

security/tomoyo/tomoyo.c

11 years ago Smack: allow for significantly longer Smack labels v4
Casey Schaufler [Sun, 6 May 2012 22:22:02 +0000 (15:22 -0700)]
Smack: allow for significantly longer Smack labels v4

V4 updated to current linux-security#next
Targeted for git://gitorious.org/smack-next/kernel.git

Modern application runtime environments like to use
naming schemes that are structured and generated without
human intervention. Even though the Smack limit of 23
characters for a label name is perfectly rational for
human use there have been complaints that the limit is
a problem in environments where names are composed from
a set of sources, including vendor, author, distribution
channel and application name. Names like

softwarehouse-pgwodehouse-coolappstore-mellowmuskrats

are becoming harder to avoid. This patch introduces long
label support in Smack. Labels are now limited to 255
characters instead of the old 23.

The primary reason for limiting the labels to 23 characters
was so they could be directly contained in CIPSO category sets.
This is still done where possible, but for labels that are too
large a mapping is required. This is perfectly safe for communication
that stays "on the box" and doesn't require much coordination
between boxes beyond what would have been required to keep label
names consistent.

The bulk of this patch is in smackfs, adding and updating
administrative interfaces. Because existing APIs can't be
changed new ones that do much the same things as old ones
have been introduced.

The Smack specific CIPSO data representation has been removed
and replaced with the data format used by netlabel. The CIPSO
header is now computed when a label is imported rather than
on use. This results in improved IP performance. The smack
label is now allocated separately from the containing structure,
allowing for larger strings.

Four new /smack interfaces have been introduced as four
of the old interfaces strictly required labels be specified
in fixed length arrays.

The access interface is supplemented with the check interface:
access  "Subject                 Object                  rwxat"
access2 "Subject Object rwaxt"

The load interface is supplemented with the rules interface:
load   "Subject                 Object                  rwxat"
load2  "Subject Object rwaxt"

The load-self interface is supplemented with the self-rules interface:
load-self   "Subject                 Object                  rwxat"
load-self2  "Subject Object rwaxt"

The cipso interface is supplemented with the wire interface:
cipso  "Subject                  lvl cnt  c1  c2 ..."
cipso2 "Subject lvl cnt  c1  c2 ..."

The old interfaces are maintained for compatibility.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
11 years ago gfp flags for security_inode_alloc()?
Tetsuo Handa [Thu, 29 Mar 2012 07:19:05 +0000 (16:19 +0900)]
gfp flags for security_inode_alloc()?

Dave Chinner wrote:
> Yes, because you have no idea what the calling context is except
> for the fact that is from somewhere inside filesystem code and the
> filesystem could be holding locks. Therefore, GFP_NOFS is really the
> only really safe way to allocate memory here.

I see. Thank you.

I'm not sure, but can a call trace happen where somewhere inside network
filesystem or stackable filesystem code with locks held invokes operations that
involve GFP_KERNEL memory allocation outside that filesystem?
----------
[PATCH] SMACK: Fix incorrect GFP_KERNEL usage.

new_inode_smack() which can be called from smack_inode_alloc_security() needs
to use GFP_NOFS like SELinux's inode_alloc_security() does, for
security_inode_alloc() is called from inode_init_always() and
inode_init_always() is called from xfs_inode_alloc() which is using GFP_NOFS.

smack_inode_init_security() needs to use GFP_NOFS like
selinux_inode_init_security() does, for initxattrs() callback function (e.g.
btrfs_initxattrs()) which is called from security_inode_init_security() is
using GFP_NOFS.

smack_audit_rule_match() needs to use GFP_ATOMIC, for
security_audit_rule_match() can be called from audit_filter_user_rules() and
audit_filter_user_rules() is called from audit_filter_user() with RCU read lock
held.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Casey Schaufler <cschaufler@cschaufler-intel.(none)>
11 years ago Smack: recursive tramsmute
Casey Schaufler [Wed, 14 Mar 2012 02:14:19 +0000 (19:14 -0700)]
Smack: recursive tramsmute

The transmuting directory feature of Smack requires that
the transmuting attribute be explicitly set in all cases.
It seems the users of this facility would expect that the
transmuting attribute be inherited by subdirectories that
are created in a transmuting directory. This does not seem
to add any additional complexity to the understanding of
how the system works.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
11 years ago Update changelog
Markus Lehtonen [Wed, 17 Oct 2012 10:14:42 +0000 (13:14 +0300)]
Update changelog

Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
11 years ago gfx: enable runtime power management
Li Peng [Mon, 15 Oct 2012 15:16:08 +0000 (23:16 +0800)]
gfx: enable runtime power management

In DPMS off, the current implementation simply turns off the panel and calls PMU
to cut the power supply of gfx h/w, but an app in userspace may still want to access
gfx h/w after screen off, which will cause a system hang.

Enabling gfx runtime PM will make sure the gfx device can be suspended or resumed
based on device access demand, so that the above hang case will not happen.

Change-Id: I492aaac7313908165377fd539467b479af44baa0

Signed-off-by: Li Peng <peng.li@intel.com>
11 years ago Change adb protocol to sdb protocol
Chengwei Yang [Wed, 17 Oct 2012 03:06:38 +0000 (11:06 +0800)]
Change adb protocol to sdb protocol

Currently, we have a forked sdbd for our kernel so there was no need to
patch our kernel.

However, the forked sdbd will be merged to upstream sdbd, and making it
compatible with adb in userspace costs a large effort.

So the better way is to patch our kernel to adopt the sdb protocol; on the
other hand, no patch is needed to the sdbd user space server and client.

Change-Id: I4b3f426d33b2c8fdb5042f9cd60a7b1226c92eb1
Signed-off-by: Chengwei Yang <chengwei.yang@intel.com>
11 years ago Merge branch 'bb-2.0_beta' into bb-devel
Markus Lehtonen [Wed, 10 Oct 2012 08:10:28 +0000 (11:10 +0300)]
Merge branch 'bb-2.0_beta' into bb-devel

11 years ago remove mac802154 and openvswitch from net/Makefile
Li Peng [Thu, 27 Sep 2012 07:26:08 +0000 (15:26 +0800)]
remove mac802154 and openvswitch from net/Makefile

They don't exist in kernel tree and it fixes error in "make mrproper"

Signed-off-by: Li Peng <peng.li@intel.com>
11 years ago Update changelog
Markus Lehtonen [Thu, 27 Sep 2012 05:21:19 +0000 (08:21 +0300)]
Update changelog

Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
11 years ago Export usb connection status
Chengwei Yang [Wed, 26 Sep 2012 04:28:00 +0000 (12:28 +0800)]
Export usb connection status

Several components depend on the kernel exporting usb connection
status correctly. First, system-server checks usb status by calling the OEM
interface to launch usb-server; second, usb-server does the usb mode
setting work and launches syspopup. In addition, setting usb mode from UI
depends on usb-server too.

This also fixes TZSP-3142.

Change-Id: I430e588069a807b195cb364846d1a6421cafff14
Signed-off-by: Chengwei Yang <chengwei.yang@intel.com>
11 years ago Merge remote-tracking branch 'tzg/2.0_beta' into bb-devel
Markus Lehtonen [Wed, 26 Sep 2012 06:45:59 +0000 (09:45 +0300)]
Merge remote-tracking branch 'tzg/2.0_beta' into bb-devel

11 years ago Update changelog
Yong Wang [Wed, 19 Sep 2012 07:58:13 +0000 (15:58 +0800)]
Update changelog

Signed-off-by: Yong Wang <yong.y.wang@intel.com>
11 years ago hwmon/lis3dh: add screen on/off notifier callback
Yong Wang [Wed, 19 Sep 2012 07:55:01 +0000 (15:55 +0800)]
hwmon/lis3dh: add screen on/off notifier callback

Add screen on/off notifier callback so that accelerometer
sensor can be enabled/disabled upon screen on/off operations
as it behaves on Android.

Signed-off-by: Yong Wang <yong.y.wang@intel.com>