profile/mobile/platform/kernel/linux-3.10-sc7730.git
7 years ago | Input: ist30xxc: remove touch event log | 24/87224/3
Seung-Woo Kim [Wed, 7 Sep 2016 05:53:43 +0000 (14:53 +0900)]
Input: ist30xxc: remove touch event log

This patch removes touch event log.

Change-Id: I4a3ec5ccaf8455a48a8f67769c2056162a97c4de
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Signed-off-by: Andi Shyti <andi.shyti@samsung.com>
7 years ago | usb: gadget: f_fs: remove build warnings from ffs_epfile_io | 87/86787/1 accepted/tizen/mobile/20160905.065816 submit/tizen/20160905.022605
Seung-Woo Kim [Mon, 5 Sep 2016 01:52:21 +0000 (10:52 +0900)]
usb: gadget: f_fs: remove build warnings from ffs_epfile_io

This patch removes build warnings about converting an unsigned int pointer
to a char pointer in ffs_epfile_io().

Change-Id: I2b46093add10c647f3488220b123e3920a1cfeb4
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
7 years ago | Build dummy_hcd and g_ffs as modules | 33/86533/3
Krzysztof Opasiak [Fri, 2 Sep 2016 10:52:40 +0000 (12:52 +0200)]
Build dummy_hcd and g_ffs as modules

Change-Id: Ic505dd282eaf2740848fddbb98678d8fb147be1e
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
7 years ago | Update config for TM1 board due to changes in Kconfig | 32/86532/2
Krzysztof Opasiak [Thu, 1 Sep 2016 16:49:43 +0000 (18:49 +0200)]
Update config for TM1 board due to changes in Kconfig

Just a simple update due to changes in Kconfig of usb
gadget subsystem.

Change-Id: I21f96fd9ac826efe8bb056a67f0bba62643f13c8
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
7 years ago | usb: gadget: Allow to build multiple legacy gadgets | 31/86531/2
Krzysztof Opasiak [Thu, 1 Sep 2016 16:37:59 +0000 (18:37 +0200)]
usb: gadget: Allow to build multiple legacy gadgets

Currently it is possible to build in only one legacy gadget *OR*
compile multiple of them as modules. It is not possible to mix
those two ways of building them. This is limited only by Kconfig, not
by any functionality.

This patch removes this limitation. With this patch it is possible
to set up all build combinations:
1) Multiple gadgets built in
2) Some gadgets built in and some built as modules
etc.

As this patch makes Kconfig quite complicated let me clarify how it works:

USB_F_<func name> - used in the makefile for compilation
USB_G_<gadget name>_REQ_F_<func name> - set by a gadget to mark
      that this particular gadget requires this function to work
USB_F_<func name>_SELECTOR - helper config which is used to determine
      whether the function should be built in or compiled as a module

Change-Id: I43b764ff27d08484df140835a6f2dee35d621248
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
7 years ago | Smack: Fix wrong backporting for Smack | 67/86667/2
jooseong lee [Fri, 2 Sep 2016 08:09:30 +0000 (17:09 +0900)]
Smack: Fix wrong backporting for Smack

Regarding:
Smack: secmark support for netfilter (d587ffac0e6b0849334d575bca4e9e1caa48f891)

Smack used to use a mix of the smack_known struct and char* throughout its
APIs and implementation. I confused them. It should be char*, not the smack_known struct.

(The latest kernel has a unified format, smack_known struct.)

Change-Id: Ifd93e8b3d85c867c8d7a903470abc45e589a1a37
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
7 years ago | build: scripts: add input parameters to sprd_mkdzimage.sh | 10/86310/1
Seung-Woo Kim [Wed, 31 Aug 2016 11:21:04 +0000 (20:21 +0900)]
build: scripts: add input parameters to sprd_mkdzimage.sh

Instead of fixed kernel and dtb files, this patch adds input
parameters to get proper kernel and dtb files.

Change-Id: Icd253cff63e7bccf12ddead4360417da05a7c7ef
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
7 years ago | build: scripts: add input parameters to sprd_dtbtool.sh | 28/86228/1
Seung-Woo Kim [Wed, 31 Aug 2016 04:33:11 +0000 (13:33 +0900)]
build: scripts: add input parameters to sprd_dtbtool.sh

Instead of a fixed dtb file list and its hw platform information,
this patch adds input parameters to get the proper dtb files and to
consider reversed dtc hw platform information.

Change-Id: I29b8da3c3520ac6619777d1b4e4456a32d28ba44
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
7 years ago | packaging: remove not used release type build parameter | 80/85880/2
Seung-Woo Kim [Mon, 29 Aug 2016 10:15:29 +0000 (19:15 +0900)]
packaging: remove not used release type build parameter

There is no build parameter for release type, and it does not
really fix anything. So this patch removes the unused release type
build parameter from the packaging spec file.

Change-Id: I930e9beff52ce884f5676da93dbfe847f0fff576
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
7 years ago | tcp: make challenge acks less predictable | 65/85865/1
Charles (Chas) Williams [Tue, 16 Aug 2016 20:50:11 +0000 (16:50 -0400)]
tcp: make challenge acks less predictable

commit 75ff39ccc1bd5d3c455b6822ab09e533c551f758 upstream.

From: Eric Dumazet <edumazet@google.com>

Yue Cao claims that current host rate limiting of challenge ACKs
(RFC 5961) could leak enough information to allow a patient attacker
to hijack TCP sessions. He will soon provide details in an academic
paper.

This patch increases the default limit from 100 to 1000, and adds
some randomization so that the attacker can no longer hijack
sessions without spending a considerable amount of probes.

Based on initial analysis and patch from Linus.

Note that we also have per socket rate limiting, so it is tempting
to remove the host limit in the future.

v2: randomize the count of challenge acks per second, not the period.

Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2")
Reported-by: Yue Cao <ycao009@ucr.edu>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[ ciwillia: backport to 3.10-stable ]
Signed-off-by: Chas Williams <ciwillia@brocade.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
[Apply from linux-3.10.y to fix CVE-2016-5696]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: Ida4b2baa58464341147f2ef082c6c6002f9c799a
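The rate limit this patch changes, modelled in userland as an added example (this is not the kernel's code and is not part of the commit): the original 3.10 logic allows exactly sysctl_tcp_challenge_ack_limit challenge ACKs per second, while the patched logic refills a per-second budget with limit/2 plus a random amount below limit, as the upstream change does. The xorshift PRNG standing in for prandom_u32_max(), the challenge_state structure and the count_answered() probe loop are assumptions made for the illustration.

```c
/*
 * Userland model of the host-wide challenge-ACK rate limit in
 * tcp_send_challenge_ack(), before and after the CVE-2016-5696 change.
 * Added illustration, not kernel code: the kernel's prandom_u32_max()
 * is replaced by a seedable xorshift PRNG so that runs are reproducible.
 */
#include <stdint.h>
#include <stdio.h>

struct challenge_state {
	unsigned int limit;     /* sysctl_tcp_challenge_ack_limit */
	unsigned int count;     /* challenge ACKs still allowed this second */
	uint32_t timestamp;     /* the second the budget was last refilled */
	uint32_t rng;           /* PRNG state (assumption: stand-in for the kernel PRNG) */
	int randomized;         /* 0 = original 3.10 logic, 1 = patched logic */
};

static uint32_t xorshift32(uint32_t *s)
{
	uint32_t x = *s;
	x ^= x << 13;
	x ^= x >> 17;
	x ^= x << 5;
	return *s = x;
}

/* Same contract as prandom_u32_max(n): a value in [0, n). */
static uint32_t rand_below(uint32_t *s, uint32_t n)
{
	return (uint32_t)(((uint64_t)xorshift32(s) * n) >> 32);
}

void challenge_init(struct challenge_state *st, unsigned int limit,
		    int randomized, uint32_t seed)
{
	st->limit = limit;
	st->count = 0;
	st->timestamp = (uint32_t)-1;   /* force a refill on first use */
	st->rng = seed ? seed : 1;      /* xorshift must not start at 0 */
	st->randomized = randomized;
}

/*
 * Called once per out-of-window segment arriving at second `now`.
 * Returns 1 if a challenge ACK is sent, 0 if the limit suppresses it.
 */
int challenge_ack_allowed(struct challenge_state *st, uint32_t now)
{
	if (now != st->timestamp) {
		st->timestamp = now;
		if (st->randomized) {
			/* patched: between limit/2 and 1.5*limit ACKs this second */
			unsigned int half = (st->limit + 1) >> 1;
			st->count = half + rand_below(&st->rng, st->limit);
		} else {
			/* original: always exactly `limit` ACKs per second */
			st->count = st->limit;
		}
	}
	if (st->count > 0) {
		st->count--;
		return 1;
	}
	return 0;
}

/*
 * What an off-path attacker measures: fire `probes` spoofed segments within
 * one second and count how many challenge ACKs the host emits.
 */
unsigned int count_answered(struct challenge_state *st, uint32_t now,
			    unsigned int probes)
{
	unsigned int answered = 0;
	while (probes--)
		answered += challenge_ack_allowed(st, now);
	return answered;
}

int main(void)
{
	struct challenge_state orig, fixed;
	uint32_t seed;

	challenge_init(&orig, 100, 0, 1);
	printf("original, limit 100: %u of 200 probes answered\n",
	       count_answered(&orig, 0, 200));

	for (seed = 1; seed <= 3; seed++) {
		challenge_init(&fixed, 1000, 1, seed);
		printf("patched, seed %u: %u of 2000 probes answered\n", seed,
		       count_answered(&fixed, 0, 2000));
	}
	return 0;
}
```

The thing to watch is the original run: an attacker who sends 200 spoofed probes in one second and sees 99 rather than 100 challenge ACKs on its own connection learns that the real peer consumed one, which is the inference the randomized budget is meant to deny.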

7 years ago | ARM: tizen_tm1_defconfig: enable netfilter_audit and smack_netfilter | 17/68317/3 accepted/tizen/mobile/20160829.085202 submit/tizen/20160829.013616
jooseong lee [Tue, 3 May 2016 10:40:36 +0000 (19:40 +0900)]
ARM: tizen_tm1_defconfig: enable netfilter_audit and smack_netfilter

This patch enables Smack netfilter to support the nether service.
Nether is for network access control in Tizen 3.0.

Change-Id: I011f5b2a51583d493d4d5bbc6f7165782b468913
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
7 years ago | netfilter: nfnetlink_queue: add security context information | 16/68316/2
Roman Kubiak [Tue, 12 Apr 2016 05:41:30 +0000 (14:41 +0900)]
netfilter: nfnetlink_queue: add security context information

This patch adds an additional attribute when sending
packet information via netlink in netfilter_queue module.
It will send additional security context data, so that
userspace applications can verify this context against
their own security databases.

Change-Id: I1f8e8bea84e05abfc78808f6fccc513aa5bb0a9f
Signed-off-by: Roman Kubiak <r.kubiak@samsung.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
7 years ago | netfilter: Fix build failure in nfnetlink_queue_core.c. | 15/68315/2
David S. Miller [Tue, 12 Apr 2016 05:17:16 +0000 (14:17 +0900)]
netfilter: Fix build failure in nfnetlink_queue_core.c.

net/netfilter/nfnetlink_queue_core.c: In function 'nfqnl_put_sk_uidgid':
net/netfilter/nfnetlink_queue_core.c:304:35: error: 'TCP_TIME_WAIT' undeclared (first use in this function)
net/netfilter/nfnetlink_queue_core.c:304:35: note: each undeclared identifier is reported only once for each function it appears in
make[3]: *** [net/netfilter/nfnetlink_queue_core.o] Error 1

Just a missing include of net/tcp_states.h

Change-Id: Ie82a35d53e3b73c5838b2b4a6c539a6d4251d4af
Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
7 years ago | netfilter: nfnetlink_queue: enable UID/GID socket info retrieval | 14/68314/2
Valentina Giusti [Tue, 12 Apr 2016 05:13:52 +0000 (14:13 +0900)]
netfilter: nfnetlink_queue: enable UID/GID socket info retrieval

Thanks to commits 41063e9 (ipv4: Early TCP socket demux) and 421b388
(udp: ipv4: Add udp early demux) it is now possible to parse UID and
GID socket info also for incoming TCP and UDP connections. Having
this info available, it is convenient to let NFQUEUE parse it in
order to improve and refine the traffic analysis in userspace.

Change-Id: Ie38c073a3543534497ef0cc6080642c808690b85
Signed-off-by: Valentina Giusti <valentina.giusti@bmw-carit.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
7 years ago | netfilter: nfnetlink_queue: allow to attach expectations to conntracks | 13/68313/2
Pablo Neira Ayuso [Wed, 7 Aug 2013 16:13:20 +0000 (18:13 +0200)]
netfilter: nfnetlink_queue: allow to attach expectations to conntracks

This patch adds the capability to attach expectations via nfnetlink_queue.
This is required by conntrack helpers that trigger expectations based on
the first packet seen like the TFTP and the DHCPv6 user-space helpers.

Change-Id: I1944cc4c4660b41d4eeafd44e3038bd2749ae655
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
7 years ago | Smack: secmark connections | 12/68312/2
Casey Schaufler [Tue, 26 Apr 2016 07:40:01 +0000 (16:40 +0900)]
Smack: secmark connections

If the secmark is available use it on connection as
well as on packet delivery.

Change-Id: I570e750dc3753908f361b894c470784ec00a468e
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
7 years ago | Smack: Repair netfilter dependency | 11/68311/2
Casey Schaufler [Tue, 26 Apr 2016 07:36:31 +0000 (16:36 +0900)]
Smack: Repair netfilter dependency

On 1/23/2015 8:20 AM, Jim Davis wrote:
> Building with the attached random configuration file,
>
> security/smack/smack_netfilter.c: In function ‘smack_ipv4_output’:
> security/smack/smack_netfilter.c:55:6: error: ‘struct sk_buff’ has no
> member named ‘secmark’
>    skb->secmark = skp->smk_secid;
>       ^
> make[2]: *** [security/smack/smack_netfilter.o] Error 1

The existing Makefile used the wrong configuration option to
determine if smack_netfilter should be built. This sets it right.

Change-Id: Iba5ff1e171a49d9750884503d9a20d06463b5a2c
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
7 years ago | Smack: secmark support for netfilter | 10/68310/2
Casey Schaufler [Tue, 26 Apr 2016 07:28:27 +0000 (16:28 +0900)]
Smack: secmark support for netfilter

Smack uses CIPSO to label internet packets and thus provide
for access control on delivery of packets. The netfilter facility
was not used to allow for Smack to work properly without netfilter
configuration. Smack does not need netfilter, however there are
cases where it would be handy.

As a side effect, the labeling of local IPv4 packets can be optimized
and the handling of local IPv6 packets is just all out better.

The best part is that the netfilter tools use "contexts" that
are just strings, and they work just as well for Smack as they
do for SELinux.

All of the conditional compilation for IPv6 was implemented
by Rafal Krypa <r.krypa@samsung.com>

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
[jooseong.lee: Backported from mainline]
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
Change-Id: Ia4cf70850795c50ab9f2d58f4d1b42cca7411c21

7 years ago | bluetooth: Increase the manufacturer data type size | 74/85374/3
Nagaraj D R [Thu, 5 May 2016 08:53:06 +0000 (14:23 +0530)]
bluetooth: Increase the manufacturer data type size

To support Tizen-specific manufacturer data, the data length needs to be increased.

Change-Id: I2c7d5d01348074d09684b52fac4b106609327ab0
Signed-off-by: DoHyun Pyun <dh79.pyun@samsung.com>
7 years ago | packaging: remove BuildRequires for system-tools | 56/84956/1
Joonyoung Shim [Mon, 22 Aug 2016 07:13:17 +0000 (16:13 +0900)]
packaging: remove BuildRequires for system-tools

The TM1 kernel doesn't need the system-tools package anymore, so remove
the BuildRequires for system-tools.

Change-Id: I906a32f81f0b3c28518d7a1b610c01ddbc48c407
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
7 years ago | build: use scripts to make kernel binary | 55/84955/1
Joonyoung Shim [Mon, 22 Aug 2016 07:13:08 +0000 (16:13 +0900)]
build: use scripts to make kernel binary

Use our scripts to make the kernel binary instead of the binaries of the
system-tools package, so that we can remove the dependency on the
system-tools package.

Change-Id: I86a2de0af8743eaa22d1de5fa7dc68debadfc43c
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
7 years ago | scripts: add sprd_mkdzimage.sh | 54/84954/1
Joonyoung Shim [Mon, 22 Aug 2016 02:24:57 +0000 (11:24 +0900)]
scripts: add sprd_mkdzimage.sh

sprd_mkdzimage.sh is a script to make the dzImage binary, the TM1-specific
kernel binary, from the zImage and merged-dtb binaries. This will
substitute for the mkdzimage binary of system-tools.

Change-Id: Idb78c73eb5b195b7122c9cc5a033ae136769cf79
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
7 years ago | scripts: add sprd_dtbtool.sh | 53/84953/1
Joonyoung Shim [Thu, 18 Aug 2016 08:52:44 +0000 (17:52 +0900)]
scripts: add sprd_dtbtool.sh

sprd_dtbtool.sh is a script to make one merged-dtb binary from
multiple dtb binaries for TM1. This will substitute for the dtbtool binary
of system-tools.

Change-Id: I69b73426ee43e0a5de3d6b4f5a28ec8965da5c6d
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
7 years ago | packaging: fix not to provide kernel-headers | 66/83466/1 accepted/tizen/mobile/20160816.233604 submit/tizen/20160816.052346
Seung-Woo Kim [Thu, 11 Aug 2016 06:02:52 +0000 (15:02 +0900)]
packaging: fix not to provide kernel-headers

The kernel-headers package is provided for common kernel headers
from the linux-glibc-devel package, but currently it is also provided
from the tm1 kernel. So this patch fixes it not to provide kernel-headers.

Change-Id: Idcf7b8c6f605eea0bc7f8a0f70d9443f9dfe2c39
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
7 years ago | wlan_cfg80211: Add SOFTAP WPS type to support WPS in tethering | 59/82259/9 accepted/tizen/mobile/20160809.232534 submit/tizen/20160809.043430 submit/tizen/20160809.063303
Seonah Moon [Tue, 2 Aug 2016 09:00:56 +0000 (18:00 +0900)]
wlan_cfg80211: Add SOFTAP WPS type to support WPS in tethering

The tethering and soft AP should offer the features of general APs.
WPS is one of the security types and a standard to create a secure wireless home network.

This patch makes 802.11 packets (beacon, probe response and association response) include WPS IEs.

Change-Id: I89f60d5ee7a797c48b80b9f3dbfa2eca6825b5f2
Signed-off-by: Seonah Moon <seonah1.moon@samsung.com>
7 years ago | Merge "wlan_cfg80211: Set the hidden ssid scan properly." into tizen
Joonyoung Shim [Tue, 9 Aug 2016 00:40:05 +0000 (17:40 -0700)]
Merge "wlan_cfg80211: Set the hidden ssid scan properly." into tizen

7 years ago | wlan_cfg80211: Set the hidden ssid scan properly. | 66/81866/4
hyunuktak [Fri, 29 Jul 2016 01:42:41 +0000 (10:42 +0900)]
wlan_cfg80211: Set the hidden ssid scan properly.

The "vif->cfg80211.hidden_ssid_scan" value is always set to true even though the "ssid[i].ssid_len" value is zero.
If there are no ssids passed from the caller, then it is unable to do an ssid scan.
So it needs to be set properly.

Change-Id: Id4064ab1b65b29a375c276c16c095309ca4a92b1
Signed-off-by: hyunuktak <hyunuk.tak@samsung.com>
7 years ago | packaging: exclude build except target TM1 | 36/82536/2
Seung-Woo Kim [Thu, 4 Aug 2016 00:35:23 +0000 (09:35 +0900)]
packaging: exclude build except target TM1

This patch excludes the build for all targets except TM1.

Change-Id: I21fd72c705af10bb61b7b99a4bb8b3d60babaee3
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
7 years ago | ppp, slip: Validate VJ compression slot parameters completely | 42/76542/2 accepted/tizen/mobile/20160804.080948 submit/tizen/20160803.053117
Ben Hutchings [Sun, 1 Nov 2015 16:22:53 +0000 (16:22 +0000)]
ppp, slip: Validate VJ compression slot parameters completely

[ Upstream commit 4ab42d78e37a294ac7bc56901d563c642e03c4ae ]

Currently slhc_init() treats out-of-range values of rslots and tslots
as equivalent to 0, except that if tslots is too large it will
dereference a null pointer (CVE-2015-7799).

Add a range-check at the top of the function and make it return an
ERR_PTR() on error instead of NULL.  Change the callers accordingly.

Compile-tested only.

Change-Id: I4bd504aa497919117fec9d5ba97365fcca266b4c
Reported-by: 郭永刚 <guoyonggang@360.cn>
References: http://article.gmane.org/gmane.comp.security.oss.general/17908
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Junghoon Kim <jhoon20.kim@samsung.com>
7 years ago | isdn_ppp: Add checks for allocation failure in isdn_ppp_open() | 41/76541/2
Ben Hutchings [Sun, 1 Nov 2015 16:21:24 +0000 (16:21 +0000)]
isdn_ppp: Add checks for allocation failure in isdn_ppp_open()

[ Upstream commit 0baa57d8dc32db78369d8b5176ef56c5e2e18ab3 ]

Compile-tested only.

Change-Id: I32e9c951314f1ce66338c560aaa299b4536e4b93
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Junghoon Kim <jhoon20.kim@samsung.com>
7 years ago | USB: whiteheat: fix potential null-deref at probe | 40/76540/2
Johan Hovold [Wed, 23 Sep 2015 18:41:42 +0000 (11:41 -0700)]
USB: whiteheat: fix potential null-deref at probe

commit cbb4be652d374f64661137756b8f357a1827d6a4 upstream.

Fix potential null-pointer dereference at probe by making sure that the
required endpoints are present.

The whiteheat driver assumes there are at least five pairs of bulk
endpoints, of which the final pair is used for the "command port". An
attempt to bind to an interface with fewer bulk endpoints would
currently lead to an oops.

Fixes CVE-2015-5257.

Reported-by: Moein Ghasemzadeh <moein@istuary.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Ib2b005674463119d8f6ebcaa1184cba668b1400e
Signed-off-by: Junghoon Kim <jhoon20.kim@samsung.com>
7 years ago | USB: mct_u232: add sanity checking in probe | 39/76539/2
Oliver Neukum [Thu, 31 Mar 2016 16:04:24 +0000 (12:04 -0400)]
USB: mct_u232: add sanity checking in probe

commit 4e9a0b05257f29cf4b75f3209243ed71614d062e upstream.

An attack using the lack of sanity checking in probe is known. This
patch checks for the existence of a second port.

CVE-2016-3136

Signed-off-by: Oliver Neukum <ONeukum@suse.com>
CC: stable@vger.kernel.org
[johan: add error message ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Change-Id: Icd1c5482b10f647177c7793c93fc7b592df4e79e
Signed-off-by: Junghoon Kim <jhoon20.kim@samsung.com>
7 years ago | USB: cypress_m8: add endpoint sanity check | 38/76538/2
Oliver Neukum [Thu, 31 Mar 2016 16:04:25 +0000 (12:04 -0400)]
USB: cypress_m8: add endpoint sanity check

commit c55aee1bf0e6b6feec8b2927b43f7a09a6d5f754 upstream.

An attack using missing endpoints exists.

CVE-2016-3137

Change-Id: I58a2e1025bf8f3f0ba3ce9e949c1fa80f78636ce
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
CC: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Junghoon Kim <jhoon20.kim@samsung.com>
7 years ago | unix: properly account for FDs passed over unix sockets | 37/76537/2
willy tarreau [Sun, 10 Jan 2016 06:54:56 +0000 (07:54 +0100)]
unix: properly account for FDs passed over unix sockets

[ Upstream commit 712f4aad406bb1ed67f3f98d04c044191f0ff593 ]

It is possible for a process to allocate and accumulate far more FDs than
the process' limit by sending them over a unix socket then closing them
to keep the process' fd count low.

This change addresses this problem by keeping track of the number of FDs
in flight per user and preventing non-privileged processes from having
more FDs in flight than their configured FD limit.

Change-Id: I5e4f12dada69f3c253ead12f893ccf5f88053765
Reported-by: socketpair@gmail.com
Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Mitigates: CVE-2013-4312 (Linux 2.0+)
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Junghoon Kim <jhoon20.kim@samsung.com>
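The per-user in-flight accounting this commit describes, modelled as an added example (not the kernel's code and not part of the commit): a user-wide unix_inflight counter, the too_many_unix_fds() check that compares it with RLIMIT_NOFILE before a SCM_RIGHTS message is attached, and the hoarding loop from the description run against both the unlimited and the limited behaviour. The kernel charges fp->f_cred->user of each passed file; this model charges the sending task's user everywhere, and the task and user structures, the hoard_fds() loop and the privileged flag are simplifications assumed for the illustration.

```c
/*
 * Model of the per-user in-flight fd accounting added for CVE-2013-4312.
 * Added illustration, not kernel code. Only the bookkeeping is modelled:
 * a user_struct with its unix_inflight counter, the too_many_unix_fds()
 * check from the patch, and the attach/detach paths that move the counter.
 * Assumption: the sending task's user is charged in both places, where the
 * kernel charges fp->f_cred->user of each file being passed.
 */
#include <stdio.h>

#define ETOOMANYREFS 109

struct user_struct {
	unsigned long unix_inflight;   /* fds this user has in flight, across all its processes */
};

struct task {
	struct user_struct *user;
	unsigned long rlimit_nofile;   /* RLIMIT_NOFILE */
	int privileged;                /* CAP_SYS_RESOURCE or CAP_SYS_ADMIN */
	unsigned int open_fds;         /* what the fd table shows; the attacker keeps this low */
};

/* too_many_unix_fds() from the patch: the *user-wide* count is compared */
static int too_many_unix_fds(const struct task *p)
{
	if (p->user->unix_inflight > p->rlimit_nofile)
		return !p->privileged;
	return 0;
}

/*
 * unix_attach_fds(): called when a SCM_RIGHTS message carrying nfds
 * descriptors is queued. Returns 0, or -ETOOMANYREFS when the patched check
 * rejects it. With fixed == 0 this is the pre-patch behaviour: no limit.
 */
int unix_attach_fds(struct task *sender, unsigned int nfds, int fixed)
{
	if (fixed && too_many_unix_fds(sender))
		return -ETOOMANYREFS;
	sender->user->unix_inflight += nfds;   /* unix_inflight() once per fd */
	return 0;
}

/* unix_detach_fds()/unix_notinflight(): the receiver took the fds or the skb was freed */
void unix_detach_fds(struct task *t, unsigned int nfds)
{
	t->user->unix_inflight -= nfds;
}

/*
 * The hoarding loop from the commit message: open `per_round` fds, send
 * them to yourself over a unix socket, close them so the fd table stays
 * small, repeat. Returns how many descriptors end up pinned in flight.
 */
unsigned long hoard_fds(struct task *t, unsigned int rounds,
			unsigned int per_round, int fixed)
{
	unsigned int i;

	for (i = 0; i < rounds; i++) {
		t->open_fds += per_round;                 /* open() */
		if (unix_attach_fds(t, per_round, fixed) < 0)
			break;                            /* sendmsg() failed */
		t->open_fds -= per_round;                 /* close() */
	}
	return t->user->unix_inflight;
}

int main(void)
{
	struct user_struct u = { 0 };
	struct task t = { &u, 1024, 0, 0 };

	printf("unfixed: %lu fds in flight, %u open\n",
	       hoard_fds(&t, 100, 100, 0), t.open_fds);
	u.unix_inflight = 0;
	printf("fixed:   %lu fds in flight, %u open\n",
	       hoard_fds(&t, 100, 100, 1), t.open_fds);
	return 0;
}
```

Note that the check runs before the message is charged, so one message can still push the user past the limit by its own fd count; the limit bounds the hoard rather than enforcing it exactly, and because the counter lives in the user_struct, a second process of the same user is refused as soon as the first has exhausted the budget.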
7 years ago | splice: Apply generic position and size checks to each write | 36/76536/2
Ben Hutchings [Thu, 29 Jan 2015 02:50:33 +0000 (02:50 +0000)]
splice: Apply generic position and size checks to each write

commit 894c6350eaad7e613ae267504014a456e00a3e2a from the 3.2-stable branch.

We need to check the position and size of file writes against various
limits, using generic_write_check().  This was not being done for
the splice write path.  It was fixed upstream by commit 8d0207652cbe
("->splice_write() via ->write_iter()") but we can't apply that.

CVE-2014-7822

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
[Ben fixed it in 3.2 stable, i ported it to 3.10 stable]
Signed-off-by: Zhang Zhen <zhenzhang.zhang@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I10f6cd44e0223d515d905ee5f3043b5d22c31057
Signed-off-by: Junghoon Kim <jhoon20.kim@samsung.com>
7 years ago | RDS: fix race condition when sending a message on unbound socket | 35/76535/2
Quentin Casasnovas [Tue, 24 Nov 2015 22:13:21 +0000 (17:13 -0500)]
RDS: fix race condition when sending a message on unbound socket

Sasha's found a NULL pointer dereference in the RDS connection code when
sending a message to an apparently unbound socket.  The problem is caused
by the code checking if the socket is bound in rds_sendmsg(), which checks
the rs_bound_addr field without taking a lock on the socket.  This opens a
race where rs_bound_addr is temporarily set but where the transport is not
in rds_bind(), leading to a NULL pointer dereference when trying to
dereference 'trans' in __rds_conn_create().

Vegard wrote a reproducer for this issue, so kindly ask him to share if
you're interested.

I cannot reproduce the NULL pointer dereference using Vegard's reproducer
with this patch, whereas I could without.

Complete earlier incomplete fix to CVE-2015-6937:

  74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection")

Cc: David S. Miller <davem@davemloft.net>
Cc: stable@vger.kernel.org
Change-Id: I697622374cf9a4b8d805fb5a58987cfe8646afed
Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Junghoon Kim <jhoon20.kim@samsung.com>
7 years ago | pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic | 34/76534/2
Ben Hutchings [Tue, 16 Jun 2015 21:11:06 +0000 (22:11 +0100)]
pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic

pipe_iov_copy_{from,to}_user() may be tried twice with the same iovec,
the first time atomically and the second time not.  The second attempt
needs to continue from the iovec position, pipe buffer offset and
remaining length where the first attempt failed, but currently the
pipe buffer offset and remaining length are reset.  This will corrupt
the piped data (possibly also leading to an information leak between
processes) and may also corrupt kernel memory.

This was fixed upstream by commits f0d1bec9d58d ("new helper:
copy_page_from_iter()") and 637b58c2887e ("switch pipe_read() to
copy_page_to_iter()"), but those aren't suitable for stable.  This fix
for older kernel versions was made by Seth Jennings for RHEL and I
have extracted it from their update.

CVE-2015-1805

Change-Id: Iedade4714500e63ad26599fe7aaa91d886df84a9
References: https://bugzilla.redhat.com/show_bug.cgi?id=1202855
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Junghoon Kim <jhoon20.kim@samsung.com>
7 years ago | netfilter: conntrack: disable generic tracking for known protocols | 33/76533/2
Florian Westphal [Fri, 26 Sep 2014 09:35:42 +0000 (11:35 +0200)]
netfilter: conntrack: disable generic tracking for known protocols

commit db29a9508a9246e77087c5531e45b2c88ec6988b upstream.

Given following iptables ruleset:

-P FORWARD DROP
-A FORWARD -m sctp --dport 9 -j ACCEPT
-A FORWARD -p tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m conntrack -m state ESTABLISHED,RELATED -j ACCEPT

One would assume that this allows SCTP on port 9 and TCP on port 80.
Unfortunately, if the SCTP conntrack module is not loaded, this allows
*all* SCTP communication to pass through, i.e. -p sctp -j ACCEPT,
which we think is a security issue.

This is because on the first SCTP packet on port 9, we create a dummy
"generic l4" conntrack entry without any port information (since
conntrack doesn't know how to extract this information).

All subsequent packets that are unknown will then be in established
state since they will fallback to proto_generic and will match the
'generic' entry.

Our originally proposed version [1] completely disabled generic protocol
tracking, but Jozsef suggests to not track protocols for which a more
suitable helper is available, hence we now mitigate the issue for in
tree known ct protocol helpers only, so that at least NAT and direction
information will still be preserved for others.

 [1] http://www.spinics.net/lists/netfilter-devel/msg33430.html

Joint work with Daniel Borkmann.

Fixes CVE-2014-8160.

Change-Id: I8dbb1b870c0724acba5f20d353c856f16ec00ae0
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Zhiqiang Zhang <zhangzhiqiang.zhang@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Junghoon Kim <jhoon20.kim@samsung.com>
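The lookup that produces the "generic l4" entry described above, reduced to a userland model as an added example (not the kernel's code and not part of the commit): real trackers record ports in the conntrack tuple, the generic tracker cannot, so a second SCTP flow between the same hosts hits the entry created by the first and is reported as established; with the fix, the generic tracker refuses a protocol that has an in-tree tracker, so the packet goes untracked instead. The ct_table structure, the sctp_loaded flag standing in for "module not loaded", and the decision to report any lookup hit as ESTABLISHED without modelling the reply direction are simplifications assumed for the illustration.

```c
/*
 * Toy model of the conntrack lookup behind the CVE-2014-8160 fix. Added
 * illustration, not kernel code: it keeps only a flow table keyed by the
 * conntrack tuple, a TCP tracker that records ports, a "loaded" flag for
 * the SCTP tracker, and the generic fallback that records no ports.
 * Reply-direction handling is left out: any lookup hit is reported as
 * ESTABLISHED, as it would be once the reply has passed the router.
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PROTO_TCP  6
#define PROTO_SCTP 132
#define MAX_CT     16

enum ctstate { CT_NEW, CT_ESTABLISHED, CT_INVALID };

struct pkt {
	uint32_t src, dst;
	uint8_t proto;
	uint16_t sport, dport;
};

struct ct_table {
	struct pkt entry[MAX_CT];   /* stored tuples; ports are zero for generic entries */
	int n;
	int sctp_loaded;            /* is nf_conntrack_proto_sctp loaded? */
	int fixed;                  /* apply the generic_new() refusal from the patch? */
};

/* Protocols that have an in-tree tracker; the fix only refuses these. */
static int has_intree_tracker(uint8_t proto)
{
	return proto == PROTO_TCP || proto == PROTO_SCTP;
}

static int tracker_loaded(const struct ct_table *tb, uint8_t proto)
{
	if (proto == PROTO_TCP)
		return 1;                 /* TCP tracking is built in */
	if (proto == PROTO_SCTP)
		return tb->sctp_loaded;
	return 0;
}

/* pkt_to_tuple(): a real tracker keeps the ports, the generic one cannot */
static struct pkt make_tuple(const struct pkt *p, int generic)
{
	struct pkt t = *p;
	if (generic)
		t.sport = t.dport = 0;
	return t;
}

static int tuple_eq(const struct pkt *a, const struct pkt *b)
{
	return a->src == b->src && a->dst == b->dst && a->proto == b->proto &&
	       a->sport == b->sport && a->dport == b->dport;
}

void ct_init(struct ct_table *tb, int sctp_loaded, int fixed)
{
	memset(tb, 0, sizeof *tb);
	tb->sctp_loaded = sctp_loaded;
	tb->fixed = fixed;
}

/* nf_conntrack_in(): classify a packet, creating an entry for a new flow */
enum ctstate ct_in(struct ct_table *tb, const struct pkt *p)
{
	int generic = !tracker_loaded(tb, p->proto);
	struct pkt t = make_tuple(p, generic);
	int i;

	for (i = 0; i < tb->n; i++)
		if (tuple_eq(&tb->entry[i], &t))
			return CT_ESTABLISHED;

	/* the fix: generic_new() refuses protocols that have a real tracker */
	if (generic && tb->fixed && has_intree_tracker(p->proto))
		return CT_INVALID;

	if (tb->n == MAX_CT)
		return CT_INVALID;
	tb->entry[tb->n++] = t;
	return CT_NEW;
}

int main(void)
{
	/* constructed sample traffic: two SCTP flows between the same hosts */
	struct pkt sctp9  = { 0x0a000001, 0x0a000002, PROTO_SCTP, 40000, 9 };
	struct pkt sctp22 = { 0x0a000001, 0x0a000002, PROTO_SCTP, 40001, 22 };
	struct ct_table tb;
	enum ctstate first, second;

	ct_init(&tb, 0, 0);   /* sctp module not loaded, unfixed kernel */
	first = ct_in(&tb, &sctp9);
	second = ct_in(&tb, &sctp22);
	printf("unfixed: port 9 -> %d, port 22 -> %d (1 = ESTABLISHED)\n", first, second);

	ct_init(&tb, 0, 1);   /* sctp module not loaded, fixed kernel */
	first = ct_in(&tb, &sctp9);
	second = ct_in(&tb, &sctp22);
	printf("fixed:   port 9 -> %d, port 22 -> %d (2 = INVALID)\n", first, second);
	return 0;
}
```

With the fix, an SCTP packet on a kernel without the SCTP tracker loaded no longer gets a conntrack entry at all, so an ESTABLISHED,RELATED accept rule cannot match it; protocols with no in-tree tracker are still handled by the generic tracker, which is the narrowing Jozsef suggested.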
7 years ago | net: add validation for the socket syscall protocol argument | 32/76532/2
Hannes Frederic Sowa [Mon, 14 Dec 2015 21:03:39 +0000 (22:03 +0100)]
net: add validation for the socket syscall protocol argument

[ Upstream commit 79462ad02e861803b3840cc782248c7359451cd9 ]

郭永刚 reported that one could simply crash the kernel as root by
using a simple program:

#include <sys/socket.h>
#include <netinet/in.h>

int main(void)
{
	int socket_fd;
	struct sockaddr_in addr;
	addr.sin_port = 0;
	addr.sin_addr.s_addr = INADDR_ANY;
	addr.sin_family = 10;		/* AF_INET6 */

	/* protocol 0x40000000 does not fit the 8-bit protocol field, so 0 is stored */
	socket_fd = socket(10, 3, 0x40000000);
	connect(socket_fd, (struct sockaddr *)&addr, 16);
	return 0;
}

AF_INET, AF_INET6 sockets actually only support 8-bit protocol
identifiers. inet_sock's skc_protocol field thus is sized accordingly,
thus larger protocol identifiers simply cut off the higher bits and
store a zero in the protocol fields.

This could lead to e.g. NULL function pointer because as a result of
the cut off inet_num is zero and we call down to inet_autobind, which
is NULL for raw sockets.

kernel: Call Trace:
kernel:  [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70
kernel:  [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80
kernel:  [<ffffffff81645069>] SYSC_connect+0xd9/0x110
kernel:  [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80
kernel:  [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200
kernel:  [<ffffffff81645e0e>] SyS_connect+0xe/0x10
kernel:  [<ffffffff81779515>] tracesys_phase2+0x84/0x89

I found no particular commit which introduced this problem.

Change-Id: I30cd09ffb9705304bcda7247fe28ac14c8bb20a9
CVE: CVE-2015-8543
Cc: Cong Wang <cwang@twopensource.com>
Reported-by: 郭永刚 <guoyonggang@360.cn>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Junghoon Kim <jhoon20.kim@samsung.com>
7 years ago | KEYS: close race between key lookup and freeing | 31/76531/2
Sasha Levin [Mon, 29 Dec 2014 14:39:01 +0000 (09:39 -0500)]
KEYS: close race between key lookup and freeing

commit a3a8784454692dd72e5d5d34dcdab17b4420e74c upstream.

When a key is being garbage collected, its key->user would get put before
the ->destroy() callback is called, where the key is removed from its
respective tracking structures.

This leaves a key hanging in a semi-invalid state which leaves a window open
for a different task to try and access key->user. An example is
find_keyring_by_name() which would dereference key->user for a key that is
in the process of being garbage collected (where key->user was freed but
->destroy() wasn't called yet - so it's still present in the linked list).

This would cause either a panic, or corrupt memory.

Fixes CVE-2014-9529.

Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Iab7bb60ba1db5931cd8911ed04452cdb55358eda
Signed-off-by: Junghoon Kim <jhoon20.kim@samsung.com>
7 years ago | KEYS: Fix race between read and revoke | 30/76530/2
David Howells [Fri, 18 Dec 2015 01:34:26 +0000 (01:34 +0000)]
KEYS: Fix race between read and revoke

commit b4a1b4f5047e4f54e194681125c74c0aa64d637d upstream.

This fixes CVE-2015-7550.

There's a race between keyctl_read() and keyctl_revoke().  If the revoke
happens between keyctl_read() checking the validity of a key and the key's
semaphore being taken, then the key type read method will see a revoked key.

This causes a problem for the user-defined key type because it assumes in
its read method that there will always be a payload in a non-revoked key
and doesn't check for a NULL pointer.

Fix this by making keyctl_read() check the validity of a key after taking
semaphore instead of before.

I think the bug was introduced with the original keyrings code.

This was discovered by a multithreaded test program generated by syzkaller
(http://github.com/google/syzkaller).  Here's a cleaned up version:

#include <sys/types.h>
#include <keyutils.h>
#include <pthread.h>

void *thr0(void *arg)
{
	key_serial_t key = (unsigned long)arg;
	keyctl_revoke(key);
	return 0;
}

void *thr1(void *arg)
{
	key_serial_t key = (unsigned long)arg;
	char buffer[16];
	keyctl_read(key, buffer, 16);
	return 0;
}

int main()
{
	key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING);
	pthread_t th[5];
	pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key);
	pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key);
	pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key);
	pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key);
	pthread_join(th[0], 0);
	pthread_join(th[1], 0);
	pthread_join(th[2], 0);
	pthread_join(th[3], 0);
	return 0;
}

Build as:

cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread

Run as:

while keyctl-race; do :; done

as it may need several iterations to crash the kernel.  The crash can be
summarised as:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
IP: [<ffffffff81279b08>] user_read+0x56/0xa3
...
Call Trace:
 [<ffffffff81276aa9>] keyctl_read_key+0xb6/0xd7
 [<ffffffff81277815>] SyS_keyctl+0x83/0xe0
 [<ffffffff815dbb97>] entry_SYSCALL_64_fastpath+0x12/0x6f

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Ie59035bed50d4e1aa2248a0bd5128a0f997ab29a
Signed-off-by: Junghoon Kim <jhoon20.kim@samsung.com>
7 years ago  Btrfs: make xattr replace operations atomic 29/76529/2
Filipe Manana [Sun, 9 Nov 2014 08:38:39 +0000 (08:38 +0000)]
Btrfs: make xattr replace operations atomic

commit 5f5bc6b1e2d5a6f827bc860ef2dc5b6f365d1339 upstream.

Replacing a xattr consists of doing a lookup for its existing value, delete
the current value from the respective leaf, release the search path and then
finally insert the new value. This leaves a time window where readers (getxattr,
listxattrs) won't see any value for the xattr. Xattrs are used to store ACLs,
so this has security implications.

This change also fixes 2 other existing issues which were:

*) Deleting the old xattr value without verifying first if the new xattr will
   fit in the existing leaf item (in case multiple xattrs are packed in the
   same item due to name hash collision);

*) Returning -EEXIST when the flag XATTR_CREATE is given and the xattr doesn't
   exist but we have an existing item that packs multiple xattrs with
   the same name hash as the input xattr. In this case we should return ENOSPC.

A test case for xfstests follows soon.

Thanks to Alexandre Oliva for reporting the non-atomicity of the xattr replace
implementation.

Change-Id: I286d47858be086bb974cb4fa8eee5d32e8bee61d
Reported-by: Alexandre Oliva <oliva@gnu.org>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Chris Mason <clm@fb.com>
[shengyong: backport to 3.10
 - FIX: CVE-2014-9710
 - adjust context
 - ASSERT() was added in v3.12, so we check with an if statement instead
 - set the first parameter of btrfs_item_nr() to NULL, because it is not
   used, and is removed in v3.13
]
Signed-off-by: Sheng Yong <shengyong1@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Junghoon Kim <jhoon20.kim@samsung.com>
7 years ago  kmsg: allow binary characters 22/80722/3
Michal Bloch [Thu, 21 Jul 2016 11:41:02 +0000 (13:41 +0200)]
kmsg: allow binary characters

* do not touch unprintable characters. This is so that logs can have formatting
  such as newlines, tabulation, or colours.
* the textual part is now delimited by \0. This is because \n which used to be
  the delimiter is now available for logs.

Signed-off-by: Michal Bloch <m.bloch@samsung.com>
Change-Id: I030a4eab791f4468897d3dcdc5bb04549f30b2f7
Signed-off-by: Kichan Kwon <k_c.kwon@samsung.com>
7 years ago  Smack: Assign smack_known_web label for kernel thread's socket in the sk_alloc_securi... 17/80717/4 accepted/tizen/mobile/20160720.055300 submit/tizen/20160720.020843
jooseong lee [Wed, 20 Jul 2016 01:07:11 +0000 (10:07 +0900)]
Smack: Assign smack_known_web label for kernel thread's socket in the sk_alloc_security hook

Creating a struct sock with the sk_alloc function in various kernel subsystems
like bluetooth doesn't call smack_socket_post_create(). In such a case, the
received sock label is the floor ('_') label and causes access to be denied.

Refers to:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7412301b76bd53ee53b860f611fc3b5b1c2245b5

Change-Id: I614c5f0e6d59be5ca6b49f0581edfef79fc334cf
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
7 years ago  sensors/ims1911: use deferred probe for i2c fail case from probe 68/78668/1
Seung-Woo Kim [Wed, 6 Jul 2016 10:59:19 +0000 (19:59 +0900)]
sensors/ims1911: use deferred probe for i2c fail case from probe

This patch fixes the driver to return a deferred probe error for an i2c
read failure from probe.

Change-Id: Ic4bc12fef0c9dee69d98bbdfb1ed1d5f2c2f62de
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
7 years ago  input: touchkey: add resume function 09/75709/1 accepted/tizen/mobile/20160622.021317 submit/tizen/20160621.063915
Joonyoung Shim [Mon, 20 Jun 2016 09:42:18 +0000 (18:42 +0900)]
input: touchkey: add resume function

Currently there is only a suspend function, which causes a problem that the
touchkey does not work after sleep, so add a resume function.

It is enough for the resume function to call tc300k_input_open(), because
the suspend function just calls tc300k_input_close().

Change-Id: I2b96fe797a94fbd20cd3082c9460130dd6b848eb
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
7 years ago  ARM: tizen_tm1_defconfig: Enable mali400 r5p2_rel0 94/72694/1 accepted/tizen/mobile/20160602.230807 submit/tizen/20160602.064313
Joonyoung Shim [Tue, 10 May 2016 06:27:25 +0000 (15:27 +0900)]
ARM: tizen_tm1_defconfig: Enable mali400 r5p2_rel0

Enable mali400 r5p2_rel0 instead of r5p0_rel0.

Change-Id: I4f7f01788d91b6d4e9c102029cbfa5a1b5c3f300
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
8 years ago  ARM: mali400: r5p2_rel0: replace CONFIG_PM_RUNTIME to CONFIG_PM 34/71034/1 accepted/tizen/mobile/20160602.021755 submit/tizen/20160530.004744
Seung-Woo Kim [Mon, 23 May 2016 08:23:22 +0000 (17:23 +0900)]
ARM: mali400: r5p2_rel0: replace CONFIG_PM_RUNTIME to CONFIG_PM

After commit 464ed18ebdb6 ("PM: Eliminate CONFIG_PM_RUNTIME"), which
was applied in kernel version 3.19, PM_RUNTIME is eliminated. So this
patch replaces CONFIG_PM_RUNTIME with CONFIG_PM for kernel versions
larger than 3.19.

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
[jy0922.shim: apply to mali400 r5p2_rel0 with some modification]
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
Change-Id: Iab2e17c07b397fe164623e1ecec58c54296c83a7

8 years ago  ARM: mali400: r5p2_rel0: fix build error 80/70880/1 submit/tizen/20160525.020535
Joonyoung Shim [Mon, 23 May 2016 06:35:41 +0000 (15:35 +0900)]
ARM: mali400: r5p2_rel0: fix build error

Include pm_runtime.h to fix below build error when CONFIG_PM_RUNTIME is
disabled.

drivers/gpu/arm/mali400/r5p2_rel0/linux/mali_kernel_linux.c: In function ‘mali_driver_suspend_scheduler’:
drivers/gpu/arm/mali400/r5p2_rel0/linux/mali_kernel_linux.c:595:2: error: implicit declaration of function ‘pm_runtime_active’ [-Werror=implicit-function-declaration]
  if (pm_runtime_active(dev))
  ^

Change-Id: Ic613dd9785a9d563e50361328944bd23d33fd70c
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
8 years ago  ARM: mali400: fix building out of tree 53/69853/2
Joonyoung Shim [Tue, 17 May 2016 04:58:08 +0000 (13:58 +0900)]
ARM: mali400: fix building out of tree

s/$(src)/$(srctree)\/$(src)/

$(srctree) holds the absolute path of the kernel root directory, so with this
commit the build problem caused by the relative path goes away when building
from outside the kernel tree.

Change-Id: Ib6e4a23a5858b029c75b7e760082846a2247f21a
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
8 years ago  ARM: mali400: r5p2_rel0: add GLES mem profiler feature 56/69356/2
YoungJun Cho [Tue, 21 Jul 2015 04:19:27 +0000 (13:19 +0900)]
ARM: mali400: r5p2_rel0: add GLES mem profiler feature

This patch adds GLES mem profiler feature.

You can use it with "cat /sys/kernel/debug/mali/gles_mem/<PID>".
Without the user-DDK's MALI_IOC_MEM_PROFILE_GLES_MEM, it only shows the layout.

With this ioctl, you can check the current GLES-relevant memory status
of an opened session and also check for memory leaks in the trash subdirectory.

The mechanism for detecting memory leaks is to check the information when
the session is closed. So if the user fails to free (GLES) memory during the
session, it (the PID) can be found in trash.

Caution! When an app is killed and the session is forcibly shut down, then
it (the PID) can be found in trash, but we cannot guarantee there is a
real memory leak. That is because in such a case it is impossible
to call MALI_IOC_MEM_PROFILE_GLES_MEM to remove the allocated memory.

Change-Id: I78a08f7b53594dc20f8cc6f4c892250fdc9e8208
Signed-off-by: YoungJun Cho <yj44.cho@samsung.com>
[jy0922.shim: applied to r5p2_rel0 from r5p0_rel0]
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
8 years ago  ARM: mali400: r5p2_rel0: delete proprietary word in Kbuild 55/69355/2
YoungJun Cho [Thu, 2 Jul 2015 10:44:49 +0000 (19:44 +0900)]
ARM: mali400: r5p2_rel0: delete proprietary word in Kbuild

This is a guide for the non-GPL case and not related to the license,
but Tango detects it because it simply compares strings.

Change-Id: Iad42e139fd5d040b3242f1e7358720ef24343570
Signed-off-by: YoungJun Cho <yj44.cho@samsung.com>
[jy0922.shim: applied to r5p2_rel0 from r5p0_rel0]
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
8 years ago  ARM: mali400: r5p2_rel0: add sc8830 platform codes 54/69354/2
Joonyoung Shim [Tue, 10 May 2016 06:49:03 +0000 (15:49 +0900)]
ARM: mali400: r5p2_rel0: add sc8830 platform codes

This comes from r5p0_rel0.

Change-Id: I673ca4624c96f7aaedc15a5caa3ec72aeadb6656
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
8 years ago  ARM: mali400: r5p2_rel0: sync codes for TM1 from r5p0_rel0 53/69353/2
Joonyoung Shim [Tue, 10 May 2016 07:18:10 +0000 (16:18 +0900)]
ARM: mali400: r5p2_rel0: sync codes for TM1 from r5p0_rel0

Spectrum added some code to the public r5p0_rel0, so do the same on r5p2_rel0,
except for some code related to the defines below:

SPRD_MEM_OPT_PAGE_TABLE_SHRINK
MALI_IOC_MEM_INIT
MALI_IOC_MEM_TERM

because we cannot add them on top of the changed code in r5p2_rel0.

Change-Id: I1423e7ce5181d4f1a08f3fbd01f9d426290eff29
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
8 years ago  ARM: mali400: r5p2_rel0: fix Makefile & Kconfig 52/69352/2
Joonyoung Shim [Tue, 10 May 2016 05:59:10 +0000 (14:59 +0900)]
ARM: mali400: r5p2_rel0: fix Makefile & Kconfig

For building of r5p2_rel0.

Change-Id: I23c3144d886b9cbfe6061650ab16d180eb74e94c
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
8 years ago  Smack: limited capability for changing process label 78/67278/2
Zbigniew Jasinski [Tue, 26 Apr 2016 06:54:45 +0000 (15:54 +0900)]
Smack: limited capability for changing process label

This feature introduces new kernel interface:

- <smack_fs>/relabel-self - for setting transition labels list

This list is used to control the smack label transition mechanism.
The list is set by, and per, process. A process can transition to a new label
only if the label is on the list. Only a process with the CAP_MAC_ADMIN
capability can add labels to this list. With this list, a process can change
its label without CAP_MAC_ADMIN, but only once. After the label change, the
list is unset.

Changes in v2:
* use list_for_each_entry instead of _rcu during label write
* added missing description in security/Smack.txt

Changes in v3:
* squashed into one commit

Changes in v4:
* switch from global list to per-task list
* since the per-task list is accessed only by the task itself
  there is no need to use synchronization mechanisms on it

Changes in v5:
* change smackfs interface of relabel-self to the one used for onlycap
  multiple labels are accepted, separated by space, which
  replace the previous list upon write

Signed-off-by: Zbigniew Jasinski <z.jasinski@samsung.com>
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
[jooseong.lee: Backported from mainline]
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
Change-Id: Id16abb77e09f89fd6c9d950e6be76eab220b801f

8 years ago  Smack: allow multiple labels in onlycap 45/66545/3
Rafal Krypa [Tue, 12 Apr 2016 01:48:51 +0000 (10:48 +0900)]
Smack: allow multiple labels in onlycap

Smack onlycap allows limiting CAP_MAC_ADMIN and CAP_MAC_OVERRIDE to
processes running with the configured label. But having a single privileged
label is not enough in some real use cases. On a complex system like Tizen,
there may be a few programs that need to configure Smack policy at run-time,
and running them all with a single label is not always practical.
This patch extends the onlycap feature to multiple labels. They are configured
in the same smackfs "onlycap" interface, separated by spaces.

Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
[jooseong.lee: We applied this patch before but some code was missed]
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
Change-Id: I4a312874be5b88d43f8af146ecde9552731dc454

8 years ago  ARM: mali400: r5p2_rel0: add public codes from ARM 51/69351/1
Joonyoung Shim [Tue, 10 May 2016 05:57:26 +0000 (14:57 +0900)]
ARM: mali400: r5p2_rel0: add public codes from ARM

This comes from DX910-SW-99002-r5p2-00rel0.tgz from the ARM web site.

Change-Id: I8d556f4abba5497679068eec6540a1d7716f6ebb
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
8 years ago  ARM: tizen_tm1_defconfig: enable xts blk cipher config 46/69146/1 accepted/tizen/mobile/20160513.004416 submit/tizen/20160512.055745
Seung-Woo Kim [Thu, 12 May 2016 02:49:07 +0000 (11:49 +0900)]
ARM: tizen_tm1_defconfig: enable xts blk cipher config

For luks support on cryptsetup in system, xts blk cipher is
required. So this patch enables xts blk cipher config option.

Change-Id: I2b7495a3d9cee974542f817c6821577b8b57acf9
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
8 years ago  drm/sprd: save pid/tgid in private file data 01/66501/1 accepted/tizen/mobile/20160421.011022 submit/tizen/20160420.073210
Joonyoung Shim [Tue, 22 Mar 2016 07:39:19 +0000 (16:39 +0900)]
drm/sprd: save pid/tgid in private file data

Let's save pid/tgid in the private file data only once, when the gem object is
created or a prime_fd is imported, and use them in gem_info. This solves the
wrong pid/tgid information of the gem_info node for imported gem objects
found on the tizen_3.0 platform.

Change-Id: Icfefe0d140ff2955144d509c862875d2d48241eb
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
8 years ago  [Multiple Kmsg] avoid not-allowable mutex lock condition 49/64149/4 accepted/tizen/mobile/20160401.023658 submit/tizen/20160331.234726
Kunhoon Baik [Wed, 30 Mar 2016 08:59:31 +0000 (17:59 +0900)]
[Multiple Kmsg] avoid not-allowable mutex lock condition

Change-Id: Icd2c90535687558aa3f294471edb865ef178a5b4

8 years ago  build: change model name as tm1 75/63375/1 accepted/tizen/mobile/20160323.140035 submit/tizen/20160323.110241
Seung-Woo Kim [Wed, 23 Mar 2016 10:55:03 +0000 (19:55 +0900)]
build: change model name as tm1

The model name tm1 should be used for the build and the module build. So
this patch changes the model name.

Change-Id: I0bf1aeacc54ca1bb88d684161c2ff531d160f1e5
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
8 years ago  packaging: remove unnecessary dzImage-recovery 36/63136/1 submit/tizen/20160323.063948
Seung-Woo Kim [Tue, 22 Mar 2016 07:29:50 +0000 (16:29 +0900)]
packaging: remove unnecessary dzImage-recovery

This patch removes unnecessary dzImage-recovery from the package.

Change-Id: I5be95182a69566948930d5821bc7b5ffb8319f81
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
8 years ago  drm/sprd: fix always gem creation of imported dma-buf 45/61145/4
Joonyoung Shim [Thu, 11 Feb 2016 02:01:03 +0000 (11:01 +0900)]
drm/sprd: fix always gem creation of imported dma-buf

sprd_prime_import() always creates a gem object, even when an existing gem
object already refers to the memory of the imported dma-buf. This patch
makes it reuse the existing gem object in that case.

Change-Id: I4aa31bd2a41a511774b9e1aaf150ddbf45728c22
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
8 years ago  kmsg: set config to use multiple kmsg at TM1 32/61832/1 accepted/tizen/mobile/20160311.061543 submit/tizen/20160311.022307 submit/tizen/20160330.015433 submit/tizen/20160330.024311
Kichan Kwon [Fri, 11 Mar 2016 01:51:32 +0000 (10:51 +0900)]
kmsg: set config to use multiple kmsg at TM1

Change-Id: I4eeaaf17b35ecae108d52f67e880e1e374b05955
Signed-off-by: Kichan Kwon <k_c.kwon@samsung.com>
8 years ago  kmsg: selftests 84/60884/3
Paul Osmialowski [Fri, 12 Feb 2016 15:01:23 +0000 (16:01 +0100)]
kmsg: selftests

This patch adds a selftests framework and four test scenarios for kmsg. The
framework's shape and code were inspired by the similar selftests framework
for kdbus.

Signed-off-by: Paul Osmialowski <p.osmialowsk@samsung.com>
[Fixed multithreaded test bug: buffer size > LOG_LINE_MAX]
Signed-off-by: Kazimierz Krosman <k.krosman@samsung.com>
Change-Id: Icedc0fee86c90430dcdb59d592392fbac05b42f5

8 years ago  kmsg: add ioctl for kmsg* devices operating on buffers 83/60883/3
Marcin Niesluchowski [Thu, 21 May 2015 14:24:30 +0000 (16:24 +0200)]
kmsg: add ioctl for kmsg* devices operating on buffers

There is no way to clear the additional kmsg buffers, get their size,
or know what size should be passed to the read file operation (too
small a size causes it to return -EINVAL).

Add following ioctls which solve those issues:
* KMSG_CMD_GET_BUF_SIZE
* KMSG_CMD_GET_READ_SIZE_MAX
* KMSG_CMD_CLEAR

Signed-off-by: Marcin Niesluchowski <m.niesluchow@samsung.com>
Change-Id: Ideade7e0b5c66bde3415f3190059742bac79333b

8 years ago  kmsg: add ioctl for adding and deleting kmsg* devices 82/60882/3
Marcin Niesluchowski [Thu, 18 Jun 2015 09:31:00 +0000 (11:31 +0200)]
kmsg: add ioctl for adding and deleting kmsg* devices

There is no way to add/delete kmsg* buffers from userspace.

Adds the following ioctls to the main kmsg device for adding and deleting
additional kmsg devices:
* KMSG_CMD_BUFFER_ADD
* KMSG_CMD_BUFFER_DEL

Signed-off-by: Marcin Niesluchowski <m.niesluchow@samsung.com>
Change-Id: Idead7a787892706249f50f1a19ca7a568753845a

8 years ago  kmsg: add predefined _PID, _TID, _COMM keywords to kmsg* log dict 81/60881/3
Marcin Niesluchowski [Mon, 27 Apr 2015 09:20:34 +0000 (11:20 +0200)]
kmsg: add predefined _PID, _TID, _COMM keywords to kmsg* log dict

The kmsg* devices' write operation wrote no dict along with the message.
Due to the usage of kmsg devices in userspace, a dict has been added
identifying the pid, tid and comm of the writing process.

Signed-off-by: Marcin Niesluchowski <m.niesluchow@samsung.com>
Change-Id: Idead2fa29607785031e37542c2f48481b04f9949

8 years ago  kmsg: add function for adding and deleting additional buffers 80/60880/3
Marcin Niesluchowski [Mon, 20 Apr 2015 11:03:10 +0000 (13:03 +0200)]
kmsg: add function for adding and deleting additional buffers

Additional kmsg buffers should be created and deleted dynamically.

Adding two functions
* kmsg_sys_buffer_add() creates additional kmsg buffer returning minor
* kmsg_sys_buffer_del() deletes one based on provided minor

Signed-off-by: Marcin Niesluchowski <m.niesluchow@samsung.com>
Change-Id: Idead13dfef110bc05fee3fcf91ce7d44b6e5a46c

8 years ago  kmsg: add additional buffers support to memory class 79/60879/3
Marcin Niesluchowski [Mon, 20 Jul 2015 12:52:06 +0000 (14:52 +0200)]
kmsg: add additional buffers support to memory class

Memory class does not support additional kmsg buffers.

Add additional kmsg buffers support to:
* devnode() callback of "mem" class
* file operations of major "mem" character device

Signed-off-by: Marcin Niesluchowski <m.niesluchow@samsung.com>
Change-Id: Ideadca14d2f2e8abd653ab8677e04132b7d9757e

8 years ago  kmsg: introduce additional kmsg devices support 78/60878/3
Marcin Niesluchowski [Wed, 29 Apr 2015 17:37:05 +0000 (19:37 +0200)]
kmsg: introduce additional kmsg devices support

kmsg device provides operations on cyclic logging buffer used mainly
by kernel but also in userspace by privileged processes.

Additional kmsg devices keep the same log format but may be added
dynamically with custom size.

Signed-off-by: Marcin Niesluchowski <m.niesluchow@samsung.com>
Change-Id: Ideada11d07e2a9c9b8c342a1027a350c9531d6f1

8 years ago  printk: add one function for storing log in proper format 77/60877/2
Marcin Niesluchowski [Thu, 2 Jul 2015 14:54:51 +0000 (16:54 +0200)]
printk: add one function for storing log in proper format

Preparation commit for future changes purpose.

Separate code responsible for storing log message in proper format
from operations on consoles by putting it in another function.

Change-Id: Idead21785b8e8a57cd504471d0537a399b4d9cd9
Signed-off-by: Marcin Niesluchowski <m.niesluchow@samsung.com>
8 years ago  printk: move code regarding log message storing format 76/60876/2
Marcin Niesluchowski [Thu, 2 Jul 2015 14:32:28 +0000 (16:32 +0200)]
printk: move code regarding log message storing format

Preparation commit for future changes purpose.

Moves some code responsible for storing log messages in proper format.

Change-Id: Idead14e73d498e1e9ecba2da0e897a99ee15c583
Signed-off-by: Marcin Niesluchowski <m.niesluchow@samsung.com>
8 years ago  printk: guard the amount written per line by devkmsg_read() 75/60875/2
Tejun Heo [Thu, 14 May 2015 15:36:36 +0000 (11:36 -0400)]
printk: guard the amount written per line by devkmsg_read()

This patchset updates netconsole so that it can emit messages with the
same header as used in /dev/kmsg, which gives the netconsole receiver full log
information and enables things like structured logging and detection
of lost messages.

This patch:

devkmsg_read() uses an 8k buffer and assumes that the formatted output
message won't overrun, which seems safe given LOG_LINE_MAX, the current use
of dict and the escaping method being used; however, we're planning to use
devkmsg formatting more widely, and accounting for the buffer size properly isn't
that complicated.

This patch defines CONSOLE_EXT_LOG_MAX as 8192 and updates devkmsg_read()
so that it limits output accordingly.

Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: David Miller <davem@davemloft.net>
Cc: Kay Sievers <kay@vrfy.org>
Reviewed-by: Petr Mladek <pmladek@suse.cz>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Change-Id: Idead54c1fb93161aebd0e00be0b66f96b907233b

8 years ago  Preparation patch for KMSG. 74/60874/2
Michal Bloch [Thu, 11 Feb 2016 16:52:58 +0000 (17:52 +0100)]
Preparation patch for KMSG.

This is the first of a series of patches which implement KMSG, which is
a replacement for old android log devices, serving as a fast dlog backend.

The patches are not applied onto the original printk file, but to a copy.
This is to keep the codebase maintainable. Any future backports will be
able to merge without conflicts, and preprocessor macros are prevented from
piling up excessively in the original file.

This patch adds a MULTIPLE_KMSG config flag and creates the copy of the
printk file which will serve as the target of subsequent KMSG patches.

Change-Id: Idead56234820ff9d024da88310dc2e505cf051d0
Signed-off-by: Michal Bloch <m.bloch@samsung.com>
8 years ago  Enable the Joystick(JOYDEV) 15/60915/1 accepted/tizen/mobile/20160305.092149 submit/tizen/20160304.021031
Hyuk Lee [Thu, 3 Mar 2016 02:35:41 +0000 (11:35 +0900)]
Enable the Joystick(JOYDEV)

Change-Id: Ieedec7196065b8b620b004180b30a9a4cfd4a6ab
Signed-off-by: Hyuk Lee <hyuk0512.lee@samsung.com>
8 years ago  video: sprdfd: disable ESD feature 02/60302/1 accepted/tizen/mobile/20160225.082924 submit/tizen/20160225.045551
Joonyoung Shim [Wed, 17 Feb 2016 00:53:58 +0000 (09:53 +0900)]
video: sprdfd: disable ESD feature

The problem that the screen had changed to black was reported on
some targets. I'm not sure, but it might be related to the ESD feature of the
sprdfd driver, so as a workaround, disable the ESD feature.

And add some #ifdef to avoid below build errors.

drivers/built-in.o: In function `sprd_enable_vblank':
/home/pub/git/public/tm1_tizen_3.0/linux-3.10-sc7730/drivers/gpu/drm/sprd/sprd_drm_irq.c:265: undefined reference to `panel_esd_enable'
drivers/built-in.o: In function `sprd_disable_vblank':
/home/pub/git/public/tm1_tizen_3.0/linux-3.10-sc7730/drivers/gpu/drm/sprd/sprd_drm_irq.c:284: undefined reference to `panel_esd_enable'

Change-Id: I9228d883b0aa874e45b14b8f07cec9810634ab47
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
8 years ago  KEYS: Fix keyring ref leak in join_session_keyring() 24/58424/1
Yevgeny Pats [Tue, 19 Jan 2016 22:09:04 +0000 (22:09 +0000)]
KEYS: Fix keyring ref leak in join_session_keyring()

This fixes CVE-2016-0728.

If a thread is asked to join as a session keyring the keyring that's already
set as its session, we leak a keyring reference.

This can be tested with the following program:

#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <keyutils.h>

int main(int argc, const char *argv[])
{
	int i = 0;
	key_serial_t serial;

	serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
			"leaked-keyring");
	if (serial < 0) {
		perror("keyctl");
		return -1;
	}

	if (keyctl(KEYCTL_SETPERM, serial,
		   KEY_POS_ALL | KEY_USR_ALL) < 0) {
		perror("keyctl");
		return -1;
	}

	for (i = 0; i < 100; i++) {
		serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
				"leaked-keyring");
		if (serial < 0) {
			perror("keyctl");
			return -1;
		}
	}

	return 0;
}

If, after the program has run, there is something like the following line in
/proc/keys:

3f3d898f I--Q---   100 perm 3f3f0000     0     0 keyring   leaked-keyring: empty

with a usage count of 100 * the number of times the program has been run,
then the kernel is malfunctioning.  If leaked-keyring has zero usages or
has been garbage collected, then the problem is fixed.

Change-Id: I08e8b8e929575583a94b6c84826c8f05e4dca075
Reported-by: Yevgeny Pats <yevgeny@perception-point.io>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Don Zickus <dzickus@redhat.com>
Acked-by: Prarit Bhargava <prarit@redhat.com>
Acked-by: Jarod Wilson <jarod@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
[Backport from mainline commit 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2 to resolve CVE-2016-0728]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
8 years ago  Tizen: drm/sprd: change pid information on gem_info. 16/57816/1 accepted/tizen/mobile/20160125.224821 submit/tizen/20160125.073527
Jin-young Jeon [Fri, 22 Jan 2016 03:01:22 +0000 (12:01 +0900)]
Tizen: drm/sprd: change pid information on gem_info.

Change-Id: If04b48e0fb9f24f0d2939d5ab7b1f6a62418e188
Signed-off-by: Jin-young Jeon <jy0.jeon@samsung.com>
8 years ago  gator: Merge gator version 5.23.1 86/57086/3
Hyeongsik Min [Fri, 15 Jan 2016 00:51:03 +0000 (09:51 +0900)]
gator: Merge gator version 5.23.1

Updated the gator driver/daemon version from 5.20 to 5.23.1.
The newer version supports ttrace annotation.

Change-Id: If863ab4ccfd429cb8735635ed812823da8915f8d
Signed-off-by: Hyeongsik Min <hyeongsik.min@samsung.com>
8 years ago  staging/ion: fix build warnings accepted/tizen/mobile/20160113.050904 submit/tizen/20160113.015730
Joonyoung Shim [Wed, 13 Jan 2016 00:44:54 +0000 (09:44 +0900)]
staging/ion: fix build warnings

This fixes the warnings below.

include/video/ion_sprd.h:128:7: warning: ‘struct ion_handle’ declared inside parameter list
include/video/ion_sprd.h:128:7: warning: its scope is only this definition or declaration, which is probably not what you want
include/video/ion_sprd.h:129:29: warning: ‘struct ion_handle’ declared inside parameter list

drivers/staging/android/ion/ion.h:126:13: warning: ‘struct drm_gem_object’ declared inside parameter list
drivers/staging/android/ion/ion.h:126:13: warning: its scope is only this definition or declaration, which is probably not what you want

Change-Id: If51462fad12a1f7d20777835b39b1a276149cef1
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
8 years ago  staging/ion: decrease gem reference count in release of dma-buf
Joonyoung Shim [Tue, 12 Jan 2016 02:03:42 +0000 (11:03 +0900)]
staging/ion: decrease gem reference count in release of dma-buf

The gem reference count is increased when a dma-buf is exported, so the release
of the dma-buf should decrease the gem reference count.

Change-Id: Id298ea79aa14908860e5d87527813994dfdb790d
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
Signed-off-by: Rohit kumar <rohit.kr@samsung.com>
8 years ago  drm/sprd: include correct ion.h header file in sprd_drm
Rohit kumar [Wed, 6 Jan 2016 09:24:11 +0000 (14:54 +0530)]
drm/sprd: include correct ion.h header file in sprd_drm

This patch updates sprd_drm to include staging/ion header
file instead of include/linux/ion.h as we are now using
staging ion driver.

Change-Id: I799c8553aa43278ecab85bc55d518b572b5ef9ea
Signed-off-by: Rohit kumar <rohit.kr@samsung.com>
8 years ago  staging/ion: sync ion.h with include/linux/ion.h
Rohit kumar [Tue, 12 Jan 2016 09:34:07 +0000 (15:04 +0530)]
staging/ion: sync ion.h with include/linux/ion.h

Change-Id: I7961603a6f9615cf7768841edf0168461b477007
Signed-off-by: Rohit kumar <rohit.kr@samsung.com>
8 years ago  Revert "TizenYoung23gdtv: drm: add ion.h."
Rohit kumar [Tue, 12 Jan 2016 09:32:31 +0000 (15:02 +0530)]
Revert "TizenYoung23gdtv: drm: add ion.h."

This reverts commit 4748300326836a2f632b60f8ec8d8cf01f2b4f85.

8 years ago  drm/sprd: use prime dma-buf to convert fd and gem handle
Joonyoung Shim [Thu, 10 Dec 2015 10:10:52 +0000 (19:10 +0900)]
drm/sprd: use prime dma-buf to convert fd and gem handle

The sprd drm driver used its own functions to convert between fd and gem handle,
but they don't support some mechanisms of the prime dma-buf functions, like
reusing a handle that was already exported, so use the prime dma-buf functions.

Change-Id: Ieb591944015bfab0cb15cc21d714f70bffe4b18c
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
8 years ago  Tizen: ion: Fix dma_buf refcount issue in get_ion_handle_from_dmabuf
Rohit kumar [Mon, 11 Jan 2016 09:50:13 +0000 (15:20 +0530)]
Tizen: ion: Fix dma_buf refcount issue in get_ion_handle_from_dmabuf

Change-Id: If9eef4cc5dcdf89e89af062a56607b01e3640c25
Signed-off-by: Rohit kumar <rohit.kr@samsung.com>
8 years ago  staging/ion: Add support to get ion handle from dma buf
Rohit kumar [Tue, 22 Dec 2015 04:14:51 +0000 (09:44 +0530)]
staging/ion: Add support to get ion handle from dma buf

Currently we can only import dma buf fd's to get ion_handle.
Adding support to import dma buf handles to support kernel
use cases.

Change-Id: I85b6027b6b142e3f91bce51b717e408530d5523c
Signed-off-by: Rohit kumar <rohit.kr@samsung.com>
8 years ago  drm/sprd: fix locking usage
Joonyoung Shim [Mon, 11 Jan 2016 03:08:13 +0000 (12:08 +0900)]
drm/sprd: fix locking usage

This fixes the locking usage introduced by backporting patches to solve the
dma-buf issue.

Change-Id: I99c3792cecc5e9974b1fb7c321d8c963de411ea4
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
8 years ago  drm/sprd: fix build errors
Joonyoung Shim [Mon, 11 Jan 2016 02:57:17 +0000 (11:57 +0900)]
drm/sprd: fix build errors

This fixes build errors introduced by backporting patches to solve the
dma-buf issue.

Change-Id: I855c8a98a8b6d1ea9119a51c5249ee470052d076
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
8 years ago  drm/prime: Always add exported buffers to the handle cache
Daniel Vetter [Wed, 14 Aug 2013 22:02:49 +0000 (00:02 +0200)]
drm/prime: Always add exported buffers to the handle cache

... not only when the dma-buf is freshly created. In contrived
examples someone else could have exported/imported the dma-buf already
and handed us the gem object with a flink name. If such an object gets
reexported as a dma_buf we won't have it in the handle cache already,
which breaks the guarantee that for dma-buf imports we always hand
back an existing handle if there is one.

This is exercised by igt/prime_self_import/with_one_bo_two_files

Now if we extend the locked sections just a notch more we can also
plug the racy buf/handle cache setup in handle_to_fd:

If evil userspace races a concurrent gem close against a prime export
operation we can end up tearing down the gem handle before the dma buf
handle cache is set up. When handle_to_fd gets around to adding the
handle to the cache there will be no one left to clean it up,
effectively leaking the bo (and the dma-buf, since the handle cache
holds a ref on the dma-buf):

Thread A                                   Thread B

handle_to_fd:

  lookup gem object from handle
  creates new dma_buf
                                           gem_close on the same handle
                                           obj->dma_buf is set, but file priv buf
                                           handle cache has no entry

                                           obj->handle_count drops to 0

  drm_prime_add_buf_handle sets up the handle cache

-> We have a dma-buf reference in the handle cache, but since the
handle_count of the gem object already dropped to 0 no one will clean
it up. When closing the drm device fd we'll hit the WARN_ON in
drm_prime_destroy_file_private.

The important change is to extend the critical section of the
filp->prime.lock to cover the gem handle lookup. This serializes with
a concurrent gem handle close.

This leak is exercised by igt/prime_self_import/export-vs-gem_close-race

Change-Id: I19ceb9107a318dc299eb103df4042684f0a4252e
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Dave Airlie <airlied@redhat.com>
8 years ago  drm/prime: make drm_prime_lookup_buf_handle static
Daniel Vetter [Wed, 14 Aug 2013 22:02:48 +0000 (00:02 +0200)]
drm/prime: make drm_prime_lookup_buf_handle static

... and move it to the top of the function to avoid a forward
declaration.

Change-Id: I1e8ce7ca0bd845ff10d72da56a6a992f3eca75ac
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Dave Airlie <airlied@redhat.com>
8 years ago  drm/prime: Simplify drm_gem_remove_prime_handles
Daniel Vetter [Wed, 14 Aug 2013 22:02:47 +0000 (00:02 +0200)]
drm/prime: Simplify drm_gem_remove_prime_handles

With the reworked semantics and locking of the obj->dma_buf pointer
this pointer is always set as long as there's still a gem handle
around and a dma_buf associated with this gem object.

Also, the per file-priv lookup-cache for dma-buf importing is
unified between foreign and native objects.

Hence we don't need to special case the cleanup any more and can simply
drop the clause which only runs for foreign objects, i.e. with
obj->import_attach set.

Note that with this change (actually with the previous one to always
set up obj->dma_buf even for foreign objects) it is no longer required
to set obj->import_attach when importing a foreign object. So update
comments accordingly, too.

Change-Id: If153ff3c09c4380b86497d7cb26b5b02b40ec020
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Dave Airlie <airlied@redhat.com>
8 years ago  drm/prime: proper locking+refcounting for obj->dma_buf link
Daniel Vetter [Wed, 14 Aug 2013 22:02:46 +0000 (00:02 +0200)]
drm/prime: proper locking+refcounting for obj->dma_buf link

The export dma-buf cache is semantically similar to an flink name. So
semantically it makes sense to treat it the same and remove the name
(i.e. the dma_buf pointer) and its references when the last gem handle
disappears.

Again we need to be careful, but doubly so: Not just could someone
race an export with a gem close ioctl (so we need to recheck
obj->handle_count again when assigning the new name), but multiple
exports can also race against each other. This is prevented by
holding the dev->object_name_lock across the entire section which
touches obj->dma_buf.

With the new scheme we also need to reinstate the obj->dma_buf link at
import time (in case the only reference userspace has held in-between
was through the dma-buf fd and not through any native gem handle). For
simplicity we don't check whether it's a native object but
unconditionally set up that link - with the new scheme of removing the
obj->dma_buf reference when the last handle disappears we can do that.

To make it clear that this is not just for exported buffers anymore
also rename it from export_dma_buf to dma_buf.

To make sure that no one can race a fd_to_handle or handle_to_fd with
gem_close we use the same tricks as in flink of extending the
dev->object_name_lock critical section. With this change we finally
have a guaranteed 1:1 relationship (at least for native objects)
between gem objects and dma-bufs, even accounting for races (which can
happen since the dma-buf itself holds a reference while in-flight).

This prevents igt/prime_self_import/export-vs-gem_close-race from
Oopsing the kernel. There is still a leak though since the per-file
priv dma-buf/handle cache handling is racy. That will be fixed in a
later patch.

v2: Remove the bogus dma_buf_put from the export_and_register_object
failure path if we've raced with the handle count dropping to 0.

Change-Id: I89173f8802ccc12fbf48f053a7701c114e92692b
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Dave Airlie <airlied@redhat.com>
8 years ago  drm/gem: completely close gem_open vs. gem_close races
Daniel Vetter [Wed, 14 Aug 2013 22:02:45 +0000 (00:02 +0200)]
drm/gem: completely close gem_open vs. gem_close races

The gem flink name holds a reference onto the object itself, and this
self-reference would prevent an flink'ed object from ever being
freed. To break that loop we remove the flink name when the last
userspace handle disappears, i.e. when obj->handle_count reaches 0.

Now in gem_open we drop the dev->object_name_lock between the flink
name lookup and actually adding the handle. This means a concurrent
gem_close of the last handle could result in the flink name getting
reaped right in between, i.e.

Thread 1                       Thread 2
gem_open                       gem_close

  flink -> obj lookup
                                 handle_count drops to 0
                                 remove flink name
  create_handle
  handle_count++

If someone now flinks this object again, we'll get a new flink name.

We can close this race by removing the lock dropping and making the
entire lookup+handle_create sequence atomic. Unfortunately to still be
able to share the handle_create logic this requires a
handle_create_tail function which drops the lock - we can't hold the
object_name_lock while calling into a driver's ->gem_open callback.

Note that for flink fixing this race isn't really important, since
racing gem_open against gem_close is clearly a userspace bug. And no
matter how the race ends, we won't leak any references.

But with dma-buf where the userspace dma-buf fd itself is refcounted
this is a valid sequence and hence we should fix it. Therefore this
patch here is just a warm-up exercise (and for consistency between
flink buffer sharing and dma-buf buffer sharing with self-imports).

Also note that this extension of the critical section in gem_open
protected by dev->object_name_lock only works because it's now a
mutex: A spinlock would conflict with the potential memory allocation
in idr_preload().

This is exercised by igt/gem_flink_race/flink_name.

Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Dave Airlie <airlied@redhat.com>
[jy0922.shim: fix up fuzz to apply]
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
Change-Id: I7fc3ffb1a77b2b5ca7e04a38c26ccd3a73b67f62
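The two races above (the handle_to_fd cache setup vs. gem_close in "drm/prime: Always add exported buffers to the handle cache", and the flink lookup vs. gem_close here) share one shape: a lookup, a lock drop, and a second step that assumes the lookup result is still alive. The userspace model below is an added illustration, not code from the kernel or from these patches; `gem_obj`, `file_priv`, `export_lookup`, `export_cache`, `export_locked` and `leaked` are hypothetical stand-ins with the real structures boiled down to a handle count, a dma_buf link and a one-entry per-file cache. Interleavings are spelled out as sequential calls instead of real threads so the result is deterministic: the old two-step export with a close in the gap ends with a cache reference nobody will reap, while the single-critical-section version either fails the lookup or gets cleaned up by the later close.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical userspace model of the export vs. gem_close race; not kernel code. */
struct dma_buf { int refs; };

struct gem_obj {
    int handle_count;          /* live userspace handles */
    struct dma_buf *dma_buf;   /* export link, dropped when the last handle goes */
};

struct file_priv {
    struct gem_obj *handle;    /* one-slot handle table; NULL = handle closed */
    struct dma_buf *cache;     /* per-file prime buf/handle cache entry */
};

static struct dma_buf the_buf;  /* one buffer is enough: each scenario is fresh */

static struct dma_buf *dma_buf_new(void)
{
    the_buf.refs = 1;          /* this reference is owned by obj->dma_buf */
    return &the_buf;
}

/* gem_close: drop the handle; on the last one reap the cache entry and the link. */
static void gem_close(struct file_priv *f)
{
    struct gem_obj *obj = f->handle;

    if (!obj)
        return;
    f->handle = NULL;
    if (--obj->handle_count == 0) {
        if (f->cache) {        /* what drm_gem_remove_prime_handles would do */
            f->cache->refs--;
            f->cache = NULL;
        }
        if (obj->dma_buf) {
            obj->dma_buf->refs--;
            obj->dma_buf = NULL;
        }
    }
}

/* Export, step 1: handle lookup plus dma_buf creation; returns the fd's ref. */
static struct dma_buf *export_lookup(struct file_priv *f)
{
    struct gem_obj *obj = f->handle;

    if (!obj)
        return NULL;           /* handle already closed: the -ENOENT path */
    if (!obj->dma_buf)
        obj->dma_buf = dma_buf_new();
    obj->dma_buf->refs++;
    return obj->dma_buf;
}

/* Export, step 2: the per-file cache takes its own reference. */
static void export_cache(struct file_priv *f, struct dma_buf *buf)
{
    buf->refs++;
    f->cache = buf;
}

/* Fixed export: both steps in one critical section, so nothing interleaves. */
static struct dma_buf *export_locked(struct file_priv *f)
{
    struct dma_buf *buf = export_lookup(f);

    if (buf)
        export_cache(f, buf);
    return buf;
}

/* A cache entry with no handle left to reap it is exactly the leak. */
static bool leaked(const struct file_priv *f, const struct gem_obj *obj)
{
    return obj->handle_count == 0 && f->cache != NULL;
}

/* Old ordering: gem_close slips in between the two export steps. */
static bool race_old(void)
{
    struct gem_obj obj = { .handle_count = 1, .dma_buf = NULL };
    struct file_priv f = { .handle = &obj, .cache = NULL };
    struct dma_buf *buf = export_lookup(&f);   /* thread A, lock then dropped */

    gem_close(&f);                             /* thread B: last handle gone */
    export_cache(&f, buf);                     /* thread A: orphaned cache ref */
    return leaked(&f, &obj);
}

/* Fixed ordering, close wins the lock: the lookup fails, nothing to clean up. */
static bool race_fixed_close_first(void)
{
    struct gem_obj obj = { .handle_count = 1, .dma_buf = NULL };
    struct file_priv f = { .handle = &obj, .cache = NULL };

    gem_close(&f);
    return export_locked(&f) == NULL && !leaked(&f, &obj);
}

/* Fixed ordering, export wins the lock: the later close reaps cache and link. */
static bool race_fixed_export_first(void)
{
    struct gem_obj obj = { .handle_count = 1, .dma_buf = NULL };
    struct file_priv f = { .handle = &obj, .cache = NULL };
    struct dma_buf *buf = export_locked(&f);

    gem_close(&f);
    return !leaked(&f, &obj) && buf->refs == 1;   /* only the fd's ref remains */
}

int main(void)
{
    printf("old ordering leaks: %s\n", race_old() ? "yes" : "no");
    printf("locked, close first, clean: %s\n", race_fixed_close_first() ? "yes" : "no");
    printf("locked, export first, clean: %s\n", race_fixed_export_first() ? "yes" : "no");
    return 0;
}
```

The model deliberately has no mutex: the point of both patches is where the critical section begins and ends, and a sequential interleaving shows that more plainly than pthreads would. In `race_old` the surviving `refs` count on the buffer is 2 (the fd's and the cache's) after the handle is gone; once the fd is closed it stays at 1 forever, which is the state the kernel catches with the WARN_ON in drm_prime_destroy_file_private.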

8 years ago  drm/gem: switch dev->object_name_lock to a mutex
Daniel Vetter [Wed, 14 Aug 2013 22:02:44 +0000 (00:02 +0200)]
drm/gem: switch dev->object_name_lock to a mutex

I want to wrap the creation of a dma-buf from a gem object in it,
so that the obj->export_dma_buf cache can be atomically filled in.

Instead of creating a new mutex just for that variable I've figured
I can reuse the existing dev->object_name_lock, especially since
the new semantics will exactly mirror the flink obj->name already
protected by that lock.

v2: idr_preload/idr_preload_end is now an atomic section, so need to
move the mutex locking outside.

[airlied: fix up conflict with patch to make debugfs use lock]

Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Dave Airlie <airlied@redhat.com>
[jy0922.shim: fix up fuzz to apply]
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
Change-Id: Iffcd6e849d13b7c79bbd6571c92bcdd4f45f3a69

8 years ago  drm/prime: clarify logic a bit in drm_gem_prime_fd_to_handle
Daniel Vetter [Wed, 14 Aug 2013 22:02:43 +0000 (00:02 +0200)]
drm/prime: clarify logic a bit in drm_gem_prime_fd_to_handle

if (!ret) implies that ret == 0, so no need to clear it again. And
explicitly check for ret == 0 to indicate that we're checking an errno
integer.

Change-Id: Ica8aaed3a759dd0c8f7cfa87977e7b74aaddda85
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Dave Airlie <airlied@redhat.com>
8 years ago  drm/prime: shrink critical section protected by prime lock
Daniel Vetter [Wed, 14 Aug 2013 22:02:42 +0000 (00:02 +0200)]
drm/prime: shrink critical section protected by prime lock

When exporting a gem object as a dma-buf the critical section for the
per-fd prime lock is just the adding (and in case of errors, removing)
of the handle to the per-fd lookup cache.

So restrict the critical section to just that part of the function.

This simplifies later reordering.

Change-Id: I6e571c0ae6d1aa5840781cc38a7637d01ed8849a
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Dave Airlie <airlied@redhat.com>
8 years ago  drm/prime: use proper pointer in drm_gem_prime_handle_to_fd
Daniel Vetter [Wed, 14 Aug 2013 22:02:41 +0000 (00:02 +0200)]
drm/prime: use proper pointer in drm_gem_prime_handle_to_fd

Part of the function uses the properly-typed dmabuf variable, the
other an untyped void *buf. Kill the latter.

Change-Id: I93a9d67a8106b9fa9933c78967c445f0c1709817
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Dave Airlie <airlied@redhat.com>