profile/mobile/platform/kernel/linux-3.10-sc7730.git
7 years ago packaging: install license for rpm package instead of license package 69/121069/1 accepted/tizen_mobile accepted/tizen/mobile/20170328.055419 accepted/tizen/unified/20170328.055444 submit/tizen/20170327.093232
Seung-Woo Kim [Mon, 27 Mar 2017 06:21:34 +0000 (15:21 +0900)]
packaging: install license for rpm package instead of license package

This patch replaces the license rpm package with a license file in the
rpm package.

Change-Id: If3038ca2fad6f62027c2caaa5f35f961f17b2e6d
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
7 years ago dma-buf: Add ioctls to allow userspace to flush 34/115834/2 accepted/tizen/mobile/20170316.101739 accepted/tizen/unified/20170316.101857 submit/tizen/20170316.045621
Marek Szyprowski [Tue, 21 Feb 2017 11:20:25 +0000 (12:20 +0100)]
dma-buf: Add ioctls to allow userspace to flush

The userspace might need some sort of cache coherency management e.g. when CPU
and GPU domains are being accessed through dma-buf at the same time. To
circumvent this problem there are begin/end coherency markers, that forward
directly to existing dma-buf device drivers vfunc hooks. Userspace can make use
of those markers through the DMA_BUF_IOCTL_SYNC ioctl. The sequence would be
used like following:
     - mmap dma-buf fd
     - for each drawing/upload cycle in CPU 1. SYNC_START ioctl, 2. read/write
       to mmap area 3. SYNC_END ioctl. This can be repeated as often as you
       want (with the new data being consumed by the GPU or say scanout device)
     - munmap once you don't need the buffer any more

v2 (Tiago): Fix header file type names (u64 -> __u64)
v3 (Tiago): Add documentation. Use enum dma_buf_sync_flags to the begin/end
dma-buf functions. Check for overflows in start/length.
v4 (Tiago): use 2d regions for sync.
v5 (Tiago): forget about 2d regions (v4); use _IOW in DMA_BUF_IOCTL_SYNC and
remove range information from struct dma_buf_sync.
v6 (Tiago): use __u64 structured padded flags instead enum. Adjust
documentation about the recommendation on using sync ioctls.
v7 (Tiago): Alex' nit on flags definition and being even more wording in the
doc about sync usage.
v9 (Tiago): remove useless is_dma_buf_file check. Fix sync.flags conditionals
and its mask order check. Add <linux/types.h> include in dma-buf.h.

Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
Cc: David Herrmann <dh.herrmann@gmail.com>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Reviewed-by: Stéphane Marchesin <marcheu@chromium.org>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Signed-off-by: Tiago Vignatti <tiago.vignatti@intel.com>
Reviewed-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
[mszyprow: backport of mainline commit c11e391da2a8fe973c3c2398452000bed505851e]
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Change-Id: I74eabf0faafebadabce17cb91e9962a44b5af544
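
Added example, not part of the commit above or of the kernel tree: a C rendering of the mmap / SYNC_START / access / SYNC_END / munmap sequence the message describes, using `DMA_BUF_IOCTL_SYNC`. The helper names, the bounds check and the command-line handling are this example's own; the fallback definitions mirror `<linux/dma-buf.h>` for build hosts that lack the header.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>

#if defined(__has_include)
# if __has_include(<linux/dma-buf.h>)
#  include <linux/dma-buf.h>
# endif
#endif
#ifndef DMA_BUF_IOCTL_SYNC
/* Fallback for build hosts without the header; mirrors <linux/dma-buf.h>. */
struct dma_buf_sync { uint64_t flags; };
#define DMA_BUF_SYNC_READ   (1 << 0)
#define DMA_BUF_SYNC_WRITE  (2 << 0)
#define DMA_BUF_SYNC_START  (0 << 2)
#define DMA_BUF_SYNC_END    (1 << 2)
#define DMA_BUF_IOCTL_SYNC  _IOW('b', 0, struct dma_buf_sync)
#endif

/* Issue one coherency marker; returns 0 or a negative errno. */
static int dmabuf_sync(int fd, uint64_t flags)
{
    struct dma_buf_sync sync = { .flags = flags };
    int ret;

    do {
        ret = ioctl(fd, DMA_BUF_IOCTL_SYNC, &sync);
    } while (ret == -1 && errno == EINTR);
    return ret == -1 ? -errno : 0;
}

/* One CPU write cycle: SYNC_START, write into the mapping, SYNC_END. */
static int dmabuf_cpu_write(int fd, void *map, size_t map_len,
                            size_t off, const void *src, size_t len)
{
    int ret;

    /* Overflow-safe bounds check: never compute off + len. */
    if (off > map_len || len > map_len - off)
        return -EINVAL;

    ret = dmabuf_sync(fd, DMA_BUF_SYNC_START | DMA_BUF_SYNC_WRITE);
    if (ret)
        return ret;
    memcpy((char *)map + off, src, len);
    /* END carries the same direction flag as the matching START. */
    return dmabuf_sync(fd, DMA_BUF_SYNC_END | DMA_BUF_SYNC_WRITE);
}

/* Full sequence from the commit message: mmap, N cycles, munmap. */
static int dmabuf_upload(int fd, size_t size, const void *src, size_t len,
                         int cycles)
{
    void *map = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    int ret = 0;

    if (map == MAP_FAILED)
        return -errno;
    for (int i = 0; i < cycles && ret == 0; i++)
        ret = dmabuf_cpu_write(fd, map, size, 0, src, len);
    munmap(map, size);
    return ret;
}

int main(int argc, char **argv)
{
    /* Constructed sample payload written on every cycle. */
    static const char frame[64] = "constructed sample payload";
    int ret;

    if (argc != 3) {
        fprintf(stderr, "usage: %s <inherited dma-buf fd> <buffer size>\n",
                argv[0]);
        return 2;
    }
    ret = dmabuf_upload(atoi(argv[1]), strtoul(argv[2], NULL, 0),
                        frame, sizeof(frame), 3);
    printf("upload: %s\n", ret ? strerror(-ret) : "ok");
    return ret ? 1 : 0;
}
```

A file descriptor that is not a dma-buf makes the START ioctl fail, so the write into the mapping is never attempted without a successful marker.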

7 years ago staging/ion: free ION buffer after gem object unreference 92/116892/2 accepted/tizen/mobile/20170306.222524 accepted/tizen/unified/20170309.075125 submit/tizen/20170306.071857 submit/tizen_unified/20170308.100420 submit/tizen_unified/20170309.100419
Vishnu Pratap Singh [Thu, 2 Mar 2017 01:15:14 +0000 (10:15 +0900)]
staging/ion: free ION buffer after gem object unreference

It's a bug that the ION buffer is accessed to unreference the gem object
after the ION buffer is freed. It can cause memory corruption.

Change-Id: Idbfb5f66e8223b408d529d88b5af5079daac7018
Fixes: 03a9b03a2ab2 ("staging/ion: decrease gem reference count in release of dma-buf")
Signed-off-by: Vishnu Pratap Singh <vishnu.ps@samsung.com>
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
7 years ago ARM: tizen_tm1_defconfig: enable CONFIG_NF_NAT_IPV6 77/114777/2 accepted/tizen/mobile/20170220.222941 submit/tizen/20170220.031929
Jaehoon Chung [Wed, 15 Feb 2017 05:06:32 +0000 (14:06 +0900)]
ARM: tizen_tm1_defconfig: enable CONFIG_NF_NAT_IPV6

Enable CONFIG_NF_NAT_IPV6 for supporting IPv6 tethering.

Change-Id: I62399e8b15d8af8e0a34879a75ca0e91cdeffb84
Signed-off-by: Jaehoon Chung <jh80.chung@samsung.com>
7 years ago power: battery: sec-battery: Support force disabling battery charge 67/113967/11
Dongwoo Lee [Thu, 9 Feb 2017 10:53:03 +0000 (19:53 +0900)]
power: battery: sec-battery: Support force disabling battery charge

The new attribute "disable_charge" will be added. If this attribute is
set to 1, battery charging is completely stopped within "discharging"
state.

Until the attribute is set to 0 or the target is rebooted, charging
cannot be resumed.

Change-Id: Ib57d3dbcc1e0925940d818c9bc5eced94b7bfddc
Signed-off-by: Dongwoo Lee <dwoo08.lee@samsung.com>
7 years ago mpi: Fix NULL ptr dereference in mpi_powm() [ver #3] 09/114309/1
Andrey Ryabinin [Thu, 24 Nov 2016 13:23:10 +0000 (13:23 +0000)]
mpi: Fix NULL ptr dereference in mpi_powm() [ver #3]

commit f5527fffff3f002b0a6b376163613b82f69de073 upstream.

This fixes CVE-2016-8650.

If mpi_powm() is given a zero exponent, it wants to immediately return
either 1 or 0, depending on the modulus.  However, if the result was
initialised with zero limb space, no limb space is allocated and a
NULL-pointer exception ensues.

Fix this by allocating a minimal amount of limb space for the result in
the 0-exponent case when the result is 1 and not touching the limb space
when the result is 0.

This affects the use of RSA keys and X.509 certificates that carry them.

BUG: unable to handle kernel NULL pointer dereference at           (null)
IP: [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
PGD 0
Oops: 0002 [#1] SMP
Modules linked in:
CPU: 3 PID: 3014 Comm: keyctl Not tainted 4.9.0-rc6-fscache+ #278
Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014
task: ffff8804011944c0 task.stack: ffff880401294000
RIP: 0010:[<ffffffff8138ce5d>]  [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
RSP: 0018:ffff880401297ad8  EFLAGS: 00010212
RAX: 0000000000000000 RBX: ffff88040868bec0 RCX: ffff88040868bba0
RDX: ffff88040868b260 RSI: ffff88040868bec0 RDI: ffff88040868bee0
RBP: ffff880401297ba8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000047 R11: ffffffff8183b210 R12: 0000000000000000
R13: ffff8804087c7600 R14: 000000000000001f R15: ffff880401297c50
FS:  00007f7a7918c700(0000) GS:ffff88041fb80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000401250000 CR4: 00000000001406e0
Stack:
 ffff88040868bec0 0000000000000020 ffff880401297b00 ffffffff81376cd4
 0000000000000100 ffff880401297b10 ffffffff81376d12 ffff880401297b30
 ffffffff81376f37 0000000000000100 0000000000000000 ffff880401297ba8
Call Trace:
 [<ffffffff81376cd4>] ? __sg_page_iter_next+0x43/0x66
 [<ffffffff81376d12>] ? sg_miter_get_next_page+0x1b/0x5d
 [<ffffffff81376f37>] ? sg_miter_next+0x17/0xbd
 [<ffffffff8138ba3a>] ? mpi_read_raw_from_sgl+0xf2/0x146
 [<ffffffff8132a95c>] rsa_verify+0x9d/0xee
 [<ffffffff8132acca>] ? pkcs1pad_sg_set_buf+0x2e/0xbb
 [<ffffffff8132af40>] pkcs1pad_verify+0xc0/0xe1
 [<ffffffff8133cb5e>] public_key_verify_signature+0x1b0/0x228
 [<ffffffff8133d974>] x509_check_for_self_signed+0xa1/0xc4
 [<ffffffff8133cdde>] x509_cert_parse+0x167/0x1a1
 [<ffffffff8133d609>] x509_key_preparse+0x21/0x1a1
 [<ffffffff8133c3d7>] asymmetric_key_preparse+0x34/0x61
 [<ffffffff812fc9f3>] key_create_or_update+0x145/0x399
 [<ffffffff812fe227>] SyS_add_key+0x154/0x19e
 [<ffffffff81001c2b>] do_syscall_64+0x80/0x191
 [<ffffffff816825e4>] entry_SYSCALL64_slow_path+0x25/0x25
Code: 56 41 55 41 54 53 48 81 ec a8 00 00 00 44 8b 71 04 8b 42 04 4c 8b 67 18 45 85 f6 89 45 80 0f 84 b4 06 00 00 85 c0 75 2f 41 ff ce <49> c7 04 24 01 00 00 00 b0 01 75 0b 48 8b 41 18 48 83 38 01 0f
RIP  [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
 RSP <ffff880401297ad8>
CR2: 0000000000000000
---[ end trace d82015255d4a5d8d ]---

Basically, this is a backport of a libgcrypt patch:

http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=6e1adb05d290aeeb1c230c763970695f4a538526

Fixes: cdec9cb5167a ("crypto: GnuPG based MPI lib - source files (part 1)")
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
cc: linux-ima-devel@lists.sourceforge.net
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
[Apply from v3.10.105 to fix CVE security issue]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I0f600412772c8975f31c98360f7febb96c3afcc2
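
Added example, not part of the commit above or of the kernel's MPI library: a simplified C model of the zero-exponent branch the message describes, where a result created with zero limb space must get one limb before 1 is stored and must be left untouched when the answer is 0. `struct toy_mpi` and every `toy_*` / `exp0_*` name are hypothetical, and rejecting a zero modulus is an assumption of this model.

```c
#include <stdio.h>
#include <stdlib.h>

typedef unsigned long limb_t;

/* Hypothetical, simplified stand-in for a multi-precision integer. */
struct toy_mpi {
    limb_t *d;      /* limb array; NULL while alloced == 0 */
    int alloced;    /* limbs allocated */
    int nlimbs;     /* limbs in use; 0 encodes the value 0 */
};

/* Grow the limb array to at least nlimbs entries; 0 on success. */
static int toy_resize(struct toy_mpi *a, int nlimbs)
{
    limb_t *p;

    if (nlimbs <= a->alloced)
        return 0;
    p = realloc(a->d, (size_t)nlimbs * sizeof(*p));
    if (!p)
        return -1;
    for (int i = a->alloced; i < nlimbs; i++)
        p[i] = 0;
    a->d = p;
    a->alloced = nlimbs;
    return 0;
}

static void toy_free(struct toy_mpi *a)
{
    free(a->d);
    a->d = NULL;
    a->alloced = a->nlimbs = 0;
}

/*
 * Zero-exponent case: base^0 mod m is 1, except that it is 0 when m == 1.
 * The unsafe pattern is storing 1 through res->d without checking that any
 * limb space exists; here space is allocated first, and the 0 result is
 * expressed through nlimbs alone.
 */
static int toy_powm_exp0(struct toy_mpi *res, const struct toy_mpi *mod)
{
    if (mod->nlimbs == 0)
        return -1;              /* modulus 0 rejected (model assumption) */
    if (mod->nlimbs == 1 && mod->d[0] == 1) {
        res->nlimbs = 0;        /* result 0: res->d may be NULL, leave it */
        return 0;
    }
    if (toy_resize(res, 1) < 0) /* result 1: make sure one limb exists */
        return -1;
    res->d[0] = 1;
    res->nlimbs = 1;
    return 0;
}

/* Run the branch with a result that starts with zero limb space.
 * Returns the computed value (0 or 1), or -1 on error. */
static long exp0_with_empty_result(limb_t modulus)
{
    struct toy_mpi res = { NULL, 0, 0 }, mod = { NULL, 0, 0 };
    long value = -1;

    if (modulus != 0) {
        if (toy_resize(&mod, 1) < 0)
            return -1;
        mod.d[0] = modulus;
        mod.nlimbs = 1;
    }
    if (toy_powm_exp0(&res, &mod) == 0)
        value = res.nlimbs ? (long)res.d[0] : 0;
    toy_free(&res);
    toy_free(&mod);
    return value;
}

/* 1 if the result-is-0 path allocated nothing for the result. */
static int exp0_zero_result_allocates_nothing(void)
{
    struct toy_mpi res = { NULL, 0, 0 }, mod = { NULL, 0, 0 };
    int ok;

    if (toy_resize(&mod, 1) < 0)
        return 0;
    mod.d[0] = 1;
    mod.nlimbs = 1;
    ok = toy_powm_exp0(&res, &mod) == 0 && res.d == NULL && res.nlimbs == 0;
    toy_free(&res);
    toy_free(&mod);
    return ok;
}

int main(void)
{
    printf("x^0 mod 7 = %ld\n", exp0_with_empty_result(7));
    printf("x^0 mod 1 = %ld\n", exp0_with_empty_result(1));
    return 0;
}
```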

7 years ago KEYS: Fix short sprintf buffer in /proc/keys show function 08/114308/1
David Howells [Wed, 26 Oct 2016 14:01:54 +0000 (15:01 +0100)]
KEYS: Fix short sprintf buffer in /proc/keys show function

commit 03dab869b7b239c4e013ec82aea22e181e441cfc upstream.

This fixes CVE-2016-7042.

Fix a short sprintf buffer in proc_keys_show().  If the gcc stack protector
is turned on, this can cause a panic due to stack corruption.

The problem is that xbuf[] is not big enough to hold a 64-bit timeout
rendered as weeks:

(gdb) p 0xffffffffffffffffULL/(60*60*24*7)
$2 = 30500568904943

That's 14 chars plus NUL, not 11 chars plus NUL.

Expand the buffer to 16 chars.

I think the unpatched code apparently works if the stack-protector is not
enabled because on a 32-bit machine the buffer won't be overflowed and on a
64-bit machine there's a 64-bit aligned pointer at one side and an int that
isn't checked again on the other side.

The panic incurred looks something like:

Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81352ebe
CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
 0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f
 ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6
 ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679
Call Trace:
 [<ffffffff813d941f>] dump_stack+0x63/0x84
 [<ffffffff811b2cb6>] panic+0xde/0x22a
 [<ffffffff81352ebe>] ? proc_keys_show+0x3ce/0x3d0
 [<ffffffff8109f7f9>] __stack_chk_fail+0x19/0x30
 [<ffffffff81352ebe>] proc_keys_show+0x3ce/0x3d0
 [<ffffffff81350410>] ? key_validate+0x50/0x50
 [<ffffffff8134db30>] ? key_default_cmp+0x20/0x20
 [<ffffffff8126b31c>] seq_read+0x2cc/0x390
 [<ffffffff812b6b12>] proc_reg_read+0x42/0x70
 [<ffffffff81244fc7>] __vfs_read+0x37/0x150
 [<ffffffff81357020>] ? security_file_permission+0xa0/0xc0
 [<ffffffff81246156>] vfs_read+0x96/0x130
 [<ffffffff81247635>] SyS_read+0x55/0xc0
 [<ffffffff817eb872>] entry_SYSCALL_64_fastpath+0x1a/0xa4

Reported-by: Ondrej Kozina <okozina@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Ondrej Kozina <okozina@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
[Apply from v3.10.105 to fix CVE security issue]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I791f4ca1ec351cc7dba684bb2216a797ce945633
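
Added example, not part of the commit above or of the kernel source: a C program that renders a timeout with `snprintf`, measures how many bytes each value needs, and shows why 12 bytes are enough for a 32-bit timeout but not for a 64-bit one. The unit ladder, the one-character suffix and all function and macro names are assumptions of this example; only the weeks case and the buffer sizes come from the message.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XBUF_OLD 12  /* "11 chars plus NUL", per the commit message */
#define XBUF_NEW 16  /* "Expand the buffer to 16 chars" */

#define MINUTE 60u
#define HOUR   (60u * MINUTE)
#define DAY    (24u * HOUR)
#define WEEK   (7u * DAY)

/*
 * Render a timeout with a unit suffix (assumed ladder: s, m, h, d, w).
 * snprintf never writes more than size bytes and returns the length the
 * full string needs, so the caller can detect truncation.
 */
static int render_timeout(char *buf, size_t size, uint64_t timo)
{
    if (timo < MINUTE)
        return snprintf(buf, size, "%" PRIu64 "s", timo);
    if (timo < HOUR)
        return snprintf(buf, size, "%" PRIu64 "m", timo / MINUTE);
    if (timo < DAY)
        return snprintf(buf, size, "%" PRIu64 "h", timo / HOUR);
    if (timo < WEEK)
        return snprintf(buf, size, "%" PRIu64 "d", timo / DAY);
    return snprintf(buf, size, "%" PRIu64 "w", timo / WEEK);
}

/* Bytes needed for the rendered value including the NUL; 0 on error. */
static size_t bytes_needed(uint64_t timo)
{
    int n = render_timeout(NULL, 0, timo);

    return n < 0 ? 0 : (size_t)n + 1;
}

/* Checked render: 0 if the whole string fit, -1 if it was truncated. */
static int render_timeout_checked(char *buf, size_t size, uint64_t timo)
{
    int n = render_timeout(buf, size, timo);

    return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

int main(void)
{
    const uint64_t samples[] = { 59, WEEK, UINT32_MAX, UINT64_MAX };
    char xbuf[XBUF_NEW];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        size_t need = bytes_needed(samples[i]);

        render_timeout_checked(xbuf, sizeof(xbuf), samples[i]);
        printf("%-16s needs %2zu bytes: old buffer %s, new buffer %s\n",
               xbuf, need,
               need <= XBUF_OLD ? "ok" : "TOO SMALL",
               need <= XBUF_NEW ? "ok" : "TOO SMALL");
    }
    return 0;
}
```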

7 years ago packaging: add provided name for kernel image package 39/112139/1 accepted/tizen/mobile/20170203.090657 submit/tizen/20170203.054341
Seung-Woo Kim [Thu, 26 Jan 2017 06:26:37 +0000 (15:26 +0900)]
packaging: add provided name for kernel image package

This patch adds default provided name for kernel image package as
linux-kernel.

Change-Id: I294b76f6b28e7682949568f74b253ee16856e626
Suggested-by: MyungJoo Ham <myungjoo.ham@samsung.com>
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
7 years ago power: fuel_gauge: sprd2713: fix division by zero during initialization 52/103352/3
Seung-Woo Kim [Thu, 8 Dec 2016 06:14:16 +0000 (15:14 +0900)]
power: fuel_gauge: sprd2713: fix division by zero during initialization

This patch fixes the following division by zero during initialization.

  Division by zero in kernel.
  CPU: 1 PID: 1 Comm: swapper/0 Not tainted 3.10.65 #1-Tizen
  [<c00153bc>] (unwind_backtrace+0x0/0x118) from [<c0013010>] (show_stack+0x10/0x14)
  [<c0013010>] (show_stack+0x10/0x14) from [<c021487c>] (Ldiv0+0x8/0x10)
  [<c021487c>] (Ldiv0+0x8/0x10) from [<c043b184>] (:+0x38c/0xb70)
  [<c043b184>] (sprdfgu_init+0x38c/0xb70) from [<c0438b00>] (sec_hal_fg_init+0x1b0/0x22c)
  [<c0438b00>] (sec_hal_fg_init+0x1b0/0x22c) from [<c043965c>] (sec_fuelgauge_probe+0x154/0x2fc)
  [<c043965c>] (sec_fuelgauge_probe+0x154/0x2fc) from [<c02c1b14>] (driver_probe_device+0x124/0x32c)
  [<c02c1b14>] (driver_probe_device+0x124/0x32c) from [<c02c1dc8>] (__driver_attach+0x68/0x8c)
  [<c02c1dc8>] (__driver_attach+0x68/0x8c) from [<c02bfffc>] (bus_for_each_dev+0x68/0x8c)
  [<c02bfffc>] (bus_for_each_dev+0x68/0x8c) from [<c02c1120>] (bus_add_driver+0x104/0x240)
  [<c02c1120>] (bus_add_driver+0x104/0x240) from [<c02c2340>] (driver_register+0x9c/0x120)
  [<c02c2340>] (driver_register+0x9c/0x120) from [<c0009550>] (do_one_initcall+0xb8/0x160)
  [<c0009550>] (do_one_initcall+0xb8/0x160) from [<c09c6be4>] (kernel_init_freeable+0x158/0x220)
  [<c09c6be4>] (kernel_init_freeable+0x158/0x220) from [<c06c2efc>] (kernel_init+0x8/0xe8)
  [<c06c2efc>] (kernel_init+0x8/0xe8) from [<c000f258>] (ret_from_fork+0x14/0x3c)

Change-Id: Iba009b1eab23c34456c8d2b0283efda4b003498b
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
7 years ago packaging: remove To-Be-Unsupported macro 35/110135/1 accepted/tizen/mobile/20170116.090340 submit/tizen/20170116.061641
Seung-Woo Kim [Fri, 13 Jan 2017 05:19:37 +0000 (14:19 +0900)]
packaging: remove To-Be-Unsupported macro

The tizen_target_name macro will be removed, so this patch removes
it.

Change-Id: I58a8fbe2a9005c307f8b3c621958860b06086861
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
7 years ago input: ist3xx: replace misused strncat with s(n)printf 65/103665/3 accepted/tizen/mobile/20161226.131349 submit/tizen/20161226.020800
Andi Shyti [Wed, 7 Dec 2016 07:52:25 +0000 (16:52 +0900)]
input: ist3xx: replace misused strncat with s(n)printf

strncat is used improperly exposing the driver to a buffer
overflow risk.

Use s(n)printf instead.

An implicit result of this patch is some code simplification.

Change-Id: I7dfb61addf015362fed1a4ebd595ac533a012a48
Signed-off-by: Andi Shyti <andi.shyti@samsung.com>
7 years ago ARM: tizen_tm1_defconfig: enable SECURITY_SMACK_APPEND_SIGNALS 49/104549/2
Rafal Krypa [Tue, 13 Dec 2016 12:46:54 +0000 (13:46 +0100)]
ARM: tizen_tm1_defconfig: enable SECURITY_SMACK_APPEND_SIGNALS

Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Change-Id: Iba70704a166d50ef295acd3166bf5d738adb9295

7 years ago Smack: Signal delivery as an append operation 48/104548/2
Casey Schaufler [Tue, 30 Aug 2016 17:31:39 +0000 (10:31 -0700)]
Smack: Signal delivery as an append operation

Under a strict subject/object security policy delivering a
signal or delivering network IPC could be considered either
a write or an append operation. The original choice to make
both write operations leads to an issue where IPC delivery
is desired under policy, but delivery of signals is not.
This patch provides the option of making signal delivery
an append operation, allowing Smack rules that deny signal
delivery while allowing IPC. This was requested for Tizen.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
[mainline backport of commit c60b906673eebb4f65840fa9dc204401caf276ea]
Change-Id: I969f0f9eefc076d81a95f3d36e695cd07507bfd4

7 years ago Smack: fix d_instantiate logic for sockfs and pipefs 50/104250/1
jooseong lee [Tue, 13 Dec 2016 01:12:48 +0000 (10:12 +0900)]
Smack: fix d_instantiate logic for sockfs and pipefs

Since 4b936885a (v2.6.32) all inodes on sockfs and pipefs are disconnected.
It caused filesystem specific code in smack_d_instantiate to be skipped,
because all inodes on those pseudo filesystems were treated as root inodes.
As a result all sockfs inodes had the Smack label set to floor.

In most cases access checks for sockets use socket_smack data so the inode
label is not important. But there are special cases that were broken.
One example would be calling fcntl with F_SETOWN command on a socket fd.

Now smack_d_instantiate expects all pipefs and sockfs inodes to be
disconnected and has the logic in appropriate place.

Change-Id: I06e1977d30afe39f6758ea18245046d413fa46a4
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
[jooseong.lee: Backported from mainline]
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
7 years ago netfilter: ctnetlink: refactor ctnetlink_create_expect 94/103594/1
Pablo Neira Ayuso [Wed, 7 Aug 2013 17:12:34 +0000 (19:12 +0200)]
netfilter: ctnetlink: refactor ctnetlink_create_expect

This patch refactors ctnetlink_create_expect by splitting it in two
chunks. As a result, we have a new function ctnetlink_alloc_expect
to allocate and to setup the expectation from ctnetlink.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[Applied from mainline v3.11 for the other backported commit 930a2d023b07 ("netfilter: nfnetlink_queue: allow to attach expectations to conntracks")]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I97e8ac912bab81a4668cbaa602c5ba7bc52fb2e8

7 years ago core, nfqueue, openvswitch: fix compilation warning 93/103593/1
Jiri Slaby [Mon, 13 Apr 2015 14:41:28 +0000 (16:41 +0200)]
core, nfqueue, openvswitch: fix compilation warning

Stable commit "core, nfqueue, openvswitch: Orphan frags in
skb_zerocopy and handle errors", upstream commit
36d5fe6a000790f56039afe26834265db0a3ad4c, was not correctly backported
and missed to change a const 'from' parameter to non-const.  This
results in a new batch of warnings:

net/netfilter/nfnetlink_queue_core.c: In function ‘nfqnl_zcopy’:
net/netfilter/nfnetlink_queue_core.c:272:2: warning: passing argument 1 of ‘skb_orphan_frags’ discards ‘const’ qualifier from pointer target type [enabled by default]
  if (unlikely(skb_orphan_frags(from, GFP_ATOMIC))) {
  ^
In file included from net/netfilter/nfnetlink_queue_core.c:18:0:
include/linux/skbuff.h:1822:19: note: expected ‘struct sk_buff *’ but argument is of type ‘const struct sk_buff *’
 static inline int skb_orphan_frags(struct sk_buff *skb, gfp_t gfp_mask)
                   ^
net/netfilter/nfnetlink_queue_core.c:273:3: warning: passing argument 1 of ‘skb_tx_error’ discards ‘const’ qualifier from pointer target type [enabled by default]
   skb_tx_error(from);
   ^
In file included from net/netfilter/nfnetlink_queue_core.c:18:0:
include/linux/skbuff.h:630:13: note: expected ‘struct sk_buff *’ but argument is of type ‘const struct sk_buff *’
 extern void skb_tx_error(struct sk_buff *skb);

Remove const from the 'from' parameter, the same as in the upstream
commit.

As far as I can see, this leaked into 3.10, 3.12, and 3.13 already.

Cc: Zoltan Kiss <zoltan.kiss@citrix.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Ben Hutchings <ben@decadent.org.uk>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Kamal Mostafa <kamal.mostafa@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[applied from linux-3.10.y to fix build warning]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I8ea0f40716ad40c79d5b076546ba2ac567eda0ee

7 years ago packet: fix race condition in packet_set_ring 72/103572/3 accepted/tizen/mobile/20161209.060720 submit/tizen/20161209.020350
Philip Pettersson [Thu, 8 Dec 2016 08:18:53 +0000 (17:18 +0900)]
packet: fix race condition in packet_set_ring

When packet_set_ring creates a ring buffer it will initialize a
struct timer_list if the packet version is TPACKET_V3. This value
can then be raced by a different thread calling setsockopt to
set the version to TPACKET_V1 before packet_set_ring has finished.

This leads to a use-after-free on a function pointer in the
struct timer_list when the socket is closed as the previously
initialized timer will not be deleted.

The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
changing the packet version while also taking the lock at the start
of packet_set_ring.

Ps. This is CVE-2016-8655 patch,
http://seclists.org/oss-sec/2016/q4/607

Change-Id: I3396f1bfe60b03082a981ae9d8a787b41cb5a529
Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Signed-off-by: Philip Pettersson <philip.pettersson@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
7 years ago video/sprdfb: dispc: fix clipping problem for yuv buffer. 25/103325/2
Jin-young Jeon [Thu, 10 Nov 2016 08:18:58 +0000 (17:18 +0900)]
video/sprdfb: dispc: fix clipping problem for yuv buffer.

Aligned width(pitch) instead of width of buffer should be used to
calculate base address of UV and V of YUV image format, then this will
solve clipping problem for YUV image.

This commit comes from product kernel.

Change-Id: Idafe5d0231888693a41450fe65b1af85d35f6911
Signed-off-by: Jin-young Jeon <jy0.jeon@samsung.com>
[jy0922.shim: rewrite commit messages]
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
7 years ago video/sprdfb: add dispc_is_yuv_format() on dispc. 24/103324/2
Jin-young Jeon [Mon, 28 Mar 2016 04:29:36 +0000 (13:29 +0900)]
video/sprdfb: add dispc_is_yuv_format() on dispc.

This adds dispc_is_yuv_format() function to be easy to check whether
image format is YUV or not, and can cleanup related codes.

This commit comes from product kernel.

Change-Id: I934756c355b533bdbadbeb10b5555ab597a43fce
Signed-off-by: Jin-young Jeon <jy0.jeon@samsung.com>
[jy0922.shim: remove unfit changes and write commit messages]
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
7 years ago mmc: sdhost: fix scheduling while atomic 57/93657/3
Sergei Rogachev [Fri, 21 Oct 2016 13:24:15 +0000 (16:24 +0300)]
mmc: sdhost: fix scheduling while atomic

The function mmc_regulator_set_ocr() cannot be called under the spinlock,
because internally it calls regulator_disable() which uses a sleeping primitive:
regulator_dev->mutex.

The patch unlocks the spinlock sdhost_host->lock to avoid scheduling in atomic
context and prevent possible consequent live-locks.

It is done totally the same way as it is done in drivers/mmc/host/sdhci.c and
many other places.

Change-Id: I2a7b893124efb2a515a3d55706d9a292a3d27edd
Signed-off-by: Sergei Rogachev <s.rogachev@samsung.com>
7 years ago netfilter: Fix wrong backporting 84/103284/2 accepted/tizen/mobile/20161209.005214 submit/tizen/20161208.044439
jooseong lee [Thu, 8 Dec 2016 02:46:33 +0000 (11:46 +0900)]
netfilter: Fix wrong backporting

Regarding:
the commit 930a2d023b07 ("netfilter: nfnetlink_queue: allow to attach expectations to conntracks")

lock() was missed.

Change-Id: I8d5b4bec6dcee0ac43e9207180bb949b9cb1a49f
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
7 years ago Bluetooth: Fix Set IRK Mgmt opcode to match product codeline. 35/101135/2 accepted/tizen/mobile/20161205.232636 submit/tizen/20161205.013353
Sudha Bheemanna [Wed, 30 Nov 2016 09:59:46 +0000 (15:29 +0530)]
Bluetooth: Fix Set IRK Mgmt opcode to match product codeline.

Modified the Mgmt opcode value to match the header in product code.

Change-Id: Ifcfbe313540527238950f1afbe2c33378bd4de29
Signed-off-by: Sudha Bheemanna <b.sudha@samsung.com>
7 years ago ARM: tizen_tm1_defconfig: enable CONFIG_NETFILTER_XT_TARGET_SECMARK 13/100413/1
jooseong lee [Mon, 28 Nov 2016 05:52:17 +0000 (14:52 +0900)]
ARM: tizen_tm1_defconfig: enable CONFIG_NETFILTER_XT_TARGET_SECMARK

The config allows security marking of network packets.
iptables needs to set the packet's secmark to the 'System' label to avoid
a Smack deny issue only for the multicast address range.

* Refer to : https://review.tizen.org/gerrit/#/c/100096/

Change-Id: Ia2902525a76d31a9db6d4665b4b488f4a4c45b22
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
7 years ago Revert "ARM: tizen_tm1_defconfig: disable smack_netfilter temporarily" 12/100412/1
jooseong lee [Mon, 28 Nov 2016 05:51:26 +0000 (14:51 +0900)]
Revert "ARM: tizen_tm1_defconfig: disable smack_netfilter temporarily"

This reverts commit 9807397c2e1c82653b1df12f5022f138b298d6f4.

Change-Id: Ie5a993dfcb58130cbb1d5bb3a278a337d01eab2e
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
7 years ago config: tizen_tm1_defconfig: sync defconfig file 98/100398/1 accepted/tizen/mobile/20161129.000649 submit/tizen/20161128.055731
Inki Dae [Mon, 28 Nov 2016 05:17:24 +0000 (14:17 +0900)]
config: tizen_tm1_defconfig: sync defconfig file

This patch makes the defconfig file sync with menuconfig.

Change-Id: Ied39f624f82fb800d2fabc5bf0825065b309202c
Signed-off-by: Inki Dae <inki.dae@samsung.com>
7 years ago misc: remove SLP Global lock module 05/100105/2
Inki Dae [Fri, 25 Nov 2016 05:46:35 +0000 (14:46 +0900)]
misc: remove SLP Global lock module

This patch removes the SLP Global lock module, which is no longer necessary.

Change-Id: I200c6bfb701b124c531e5da0fa793c434808d122
Signed-off-by: Inki Dae <inki.dae@samsung.com>
7 years ago arm: config: tizen_tm1_defconfig: enable Tizen global lock 04/100104/2
Inki Dae [Fri, 25 Nov 2016 05:45:16 +0000 (14:45 +0900)]
arm: config: tizen_tm1_defconfig: enable Tizen global lock

This patch enables Tizen global lock instead of SGL module.

Change-Id: Ida728764728980b6484e6e2b178aefc7590b460c
Signed-off-by: Inki Dae <inki.dae@samsung.com>
7 years ago misc: add Tizen global lock module 03/100103/2
Inki Dae [Fri, 25 Nov 2016 05:41:49 +0000 (14:41 +0900)]
misc: add Tizen global lock module

This module is an enhanced version - including some refactoring
and bug fixups - of the SGL module which resolves the rendering order
issue of Utgard DDK.

Change-Id: I94a59232e31fb7bba1be22c463b8c9c469667a8b
Signed-off-by: Inki Dae <inki.dae@samsung.com>
7 years ago Bluetooth: Fix IRK dstribution issue when Privacy is disabled 92/98992/4 accepted/tizen/mobile/20161123.000107 submit/tizen/20161122.062721
h.sandeep [Mon, 21 Nov 2016 10:23:26 +0000 (15:53 +0530)]
Bluetooth: Fix IRK dstribution issue when Privacy is disabled

The devices, like Android 6.x, which don't support privacy 1.2
couldn't make BLE connection to the device which doesn't distribute
IRK when pairing because they use the wrong address type.
For compatibility, it needs to distribute IRK even though Privacy
feature is disabled. So setting IRK interface is added and BlueZ
will set IRK if privacy feature is disabled. And when BLE pairing,
IRK will be always distributed.

Change-Id: I196b6e726bff3a396ba040201c760f74ddfba946
Signed-off-by: h.sandeep <h.sandeep@samsung.com>
7 years ago Bluetooth: Add MGMT interface for setting IRK 08/97908/8
h.sandeep [Tue, 15 Nov 2016 09:12:18 +0000 (14:42 +0530)]
Bluetooth: Add MGMT interface for setting IRK

It is required to set IRK from BlueZ if privacy feature is disabled,
so this patch adds setting IRK interface to MGMT.

Change-Id: I2343ce34c894ad24557218ed41b61151caa8a1a5
Signed-off-by: h.sandeep <h.sandeep@samsung.com>
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
7 years ago Bluetooth: add to support LE privacy 1.2 & MGMT to load device RPA resolution 07/97907/4
h.sandeep [Tue, 15 Nov 2016 09:04:01 +0000 (14:34 +0530)]
Bluetooth: add to support LE privacy 1.2 & MGMT to load device RPA resolution

RPA resolution support of peer device to be checked before starting
directed advertising. This patch loads the resolution support info of
the device and checks it before starting directed advertising.

Change-Id: I9c982e72e83024bcb493488e29c33aba7ffbf485
Signed-off-by: h.sandeep <h.sandeep@samsung.com>
[Fix coding style and adjust commit-msg]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
7 years ago Bluetooth: distinguish the interface about LE scan set state 87/98787/3
Hyuk Lee [Mon, 21 Nov 2016 00:49:40 +0000 (09:49 +0900)]
Bluetooth: distinguish the interface about LE scan set state

Actually, it has the function both "BR/EDR" discovery set state function and
"LE" discovery set state function. So, it is better to distinguish the "LE"
discovery set state function for "LE" scenario.

Change-Id: I7694a58a793b7ecef5c57a85563c99ca0cefd1cf
Signed-off-by: Hyuk Lee <hyuk0512.lee@samsung.com>
7 years ago packaging: switch find calls from -exec to xargs 54/91954/5 accepted/tizen/mobile/20161114.073913 submit/tizen/20161114.022710
Slava Barinov [Wed, 12 Oct 2016 09:06:23 +0000 (12:06 +0300)]
packaging: switch find calls from -exec to xargs

The -delete and xargs approach is faster than -exec and in Tizen 3.0
cross-builds it grants huge build acceleration due to tool acceleration
system peculiarities.

Change-Id: Ibbbb82962235cd098cd6952c288e9f120bb63ed3
Signed-off-by: Slava Barinov <v.barinov@samsung.com>
7 years ago mm: remove gup_flags FOLL_WRITE games from __get_user_pages() 30/94330/1 accepted/tizen/3.0/mobile/20161102.075051 accepted/tizen/mobile/20161101.005054 submit/tizen/20161031.063338 submit/tizen_3.0/20161102.035825
Linus Torvalds [Thu, 13 Oct 2016 20:07:36 +0000 (13:07 -0700)]
mm: remove gup_flags FOLL_WRITE games from __get_user_pages()

commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 upstream.

This is an ancient bug that was actually attempted to be fixed once
(badly) by me eleven years ago in commit 4ceb5db9757a ("Fix
get_user_pages() race for write access") but that was then undone due to
problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug").

In the meantime, the s390 situation has long been fixed, and we can now
fix it by checking the pte_dirty() bit properly (and do it better).  The
s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement
software dirty bits") which made it into v3.9.  Earlier kernels will
have to look at the page state itself.

Also, the VM has become more scalable, and what used to be a purely
theoretical race back then has become easier to trigger.

To fix it, we introduce a new internal FOLL_COW flag to mark the "yes,
we already did a COW" rather than play racy games with FOLL_WRITE that
is very fundamental, and then use the pte dirty flag to validate that
the FOLL_COW flag is still valid.

Reported-and-tested-by: Phil "not Paul" Oester <kernel@linuxace.com>
Acked-by: Hugh Dickins <hughd@google.com>
Reviewed-by: Michal Hocko <mhocko@suse.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Nick Piggin <npiggin@gmail.com>
Cc: Greg Thelen <gthelen@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[wt: s/gup.c/memory.c; s/follow_page_pte/follow_page_mask;
     s/faultin_page/__get_user_page]
Signed-off-by: Willy Tarreau <w@1wt.eu>
[Apply from linux-3.10.104 to fix CVE-2016-5195]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I5a99df42c34af2b109a8f9e1647b606324e981e7

7 years ago compiler-gcc: integrate the various compiler-gcc[345].h files 98/94098/1
Joe Perches [Thu, 25 Jun 2015 22:01:02 +0000 (15:01 -0700)]
compiler-gcc: integrate the various compiler-gcc[345].h files

commit cb984d101b30eb7478d32df56a0023e4603cba7f upstream.

As gcc major version numbers are going to advance rather rapidly in the
future, there's no real value in separate files for each compiler
version.

Deduplicate some of the macros #defined in each file too.

Neaten comments using normal kernel commenting style.

Signed-off-by: Joe Perches <joe@perches.com>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: Michal Marek <mmarek@suse.cz>
Cc: Segher Boessenkool <segher@kernel.crashing.org>
Cc: Sasha Levin <levinsasha928@gmail.com>
Cc: Anton Blanchard <anton@samba.org>
Cc: Alan Modra <amodra@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[ philm: backport to 3.10-stable ]
Signed-off-by: Philip Müller <philm@manjaro.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
[Apply from linux-3.10.102 for supporting build with gcc6]
Reported-by: Sung-jae Park <nicesj@nicesj.com>
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: Ideba2a089dba420a5d8fda0b56942ad949e93e71

7 years ago cpufreq: sprd: move unused prototypes to blocked area 97/94097/1
Seung-Woo Kim [Thu, 27 Oct 2016 05:26:15 +0000 (14:26 +0900)]
cpufreq: sprd: move unused prototypes to blocked area

This patch blocks unused prototypes which cause the following build
error on specific toolchains.

   In file included from include/asm-generic/percpu.h:6:0,
                    from /home/sw0312.kim/linux-3.10-sc7730/arch/arm/include/asm/percpu.h:50,
                    from include/linux/percpu.h:10,
                    from include/linux/kernel_stat.h:6,
                    from drivers/cpufreq/cpufreq_sprdemand.c:18:
   drivers/cpufreq/cpufreq_sprdemand.c: At top level:
   drivers/cpufreq/cpufreq_sprdemand.c:101:48: error: storage size of 'uwi' isn't known
    static DEFINE_PER_CPU(struct unplug_work_info, uwi);
                                                ^

Change-Id: Ida47ea5e16a2f3f8883afe37adf9fcb9975c9ef1
Reported-by: Sung-jae Park <nicesj@nicesj.com>
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
7 years ago ARM: 8158/1: LLVMLinux: use static inline in ARM ftrace.h 27/94027/1
Behan Webster [Wed, 24 Sep 2014 00:06:46 +0000 (01:06 +0100)]
ARM: 8158/1: LLVMLinux: use static inline in ARM ftrace.h

With compilers which follow the C99 standard (like modern versions of gcc and
clang), "extern inline" does the wrong thing (emits code for an externally
linkable version of the inline function). In this case using static inline
and removing the NULL version of return_address in return_address.c does
the right thing.

Signed-off-by: Behan Webster <behanw@converseincode.com>
Reviewed-by: Mark Charlebois <charlebm@gmail.com>
Acked-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
[Backport from mainline to fix build error with gcc 5.x or later]
Reported-by: Sung-jae Park <nicesj@nicesj.com>
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I8a1cbff2ce69a9d9d021b434ae062fdf0bbc67c0

7 years ago staging/ion: enable debugfs for pool 01/91501/1 accepted/tizen/3.0/mobile/20161028.150540 accepted/tizen/mobile/20161010.082950 submit/tizen/20161010.024928 submit/tizen_3.0/20161028.062323 submit/tizen_3.0/20161028.092323
Joonyoung Shim [Mon, 10 Oct 2016 01:31:24 +0000 (10:31 +0900)]
staging/ion: enable debugfs for pool

Define DEBUG_HEAP_SHRINKER to enable debugfs to shrink pool and read
pool size.

Change-Id: Ic3d5ef7a68eb8b3a08d4d6e98872f895aa7f7de4
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
7 years ago packaging: devel package name unification 71/90671/6
Dmitry Kovalenko [Mon, 3 Oct 2016 14:27:23 +0000 (17:27 +0300)]
packaging: devel package name unification

All kernels provide a unified kernel-devel-tizen package located at
/boot/kernel/devel/tizen-devel (solved using symlink).

Change-Id: Ie0fd3d6572d78d3eeaa3df0bca83cafa5700caa2
Signed-off-by: Dmitry Kovalenko <d.kovalenko@samsung.com>
[Update commit-msg and just add Provided name for devel package instead of replacing]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
7 years ago Bluetooth: add missing 6lowpan connect in mgmt handler 05/90905/1
Seung-Woo Kim [Wed, 5 Oct 2016 02:08:31 +0000 (11:08 +0900)]
Bluetooth: add missing 6lowpan connect in mgmt handler

The 6lowpan connect api is added, but it is missing from the mgmt handler,
so this patch adds it.

Change-Id: Ib2ac9c227cec0ce8b7c1c6a9d01329788810511a
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
7 years ago Bluetooth: Fix IPSP connection callback event issue. 54/90654/2
Sudha Bheemanna [Mon, 3 Oct 2016 11:52:52 +0000 (17:22 +0530)]
Bluetooth: Fix IPSP connection callback event issue.

This patch fixes the IPSP connection callback event issue
between kernel and bluez layer.

Change-Id: I3c0308873a1acd270696af300cacd3e0aead0346
Signed-off-by: Sudha Bheemanna <b.sudha@samsung.com>
7 years ago Bluetooth: Set le data length command and event 53/90653/2
Sudha Bheemanna [Mon, 3 Oct 2016 11:41:16 +0000 (17:11 +0530)]
Bluetooth: Set le data length command and event

Sets the data length for the le data packet within the
advised limits. MGMT command and event are added to handle
the setting of data length.

Change-Id: Icc7db1a7361764fcb3d5a990357408942effe25d
Signed-off-by: Sudha Bheemanna <b.sudha@samsung.com>
7 years ago Bluetooth: Read host suggested default le data length 49/90649/1
Sudha Bheemanna [Mon, 3 Oct 2016 11:10:04 +0000 (16:40 +0530)]
Bluetooth: Read host suggested default le data length

This patch adds MGMT command and code for supporting reading
default le data length value set at the controller.

Change-Id: I96d33e17259e847df443d63536a92930e46b02a1
Signed-off-by: Sudha Bheemanna <b.sudha@samsung.com>
7 years ago Bluetooth: Write host suggested default le data length 46/90646/1
Sudha Bheemanna [Mon, 3 Oct 2016 10:56:38 +0000 (16:26 +0530)]
Bluetooth: Write host suggested default le data length

This patch adds MGMT command and code for supporting write
default le data length command to the controller.

Change-Id: Icc3509186261831cad7be98708a13bfa49730d93
Signed-off-by: Sudha Bheemanna <b.sudha@samsung.com>
7 years ago Bluetooth: Read LE Max data length command 45/90645/1
Sudha Bheemanna [Mon, 3 Oct 2016 10:30:53 +0000 (16:00 +0530)]
Bluetooth: Read LE Max data length command

This patch adds the MGMT command and code to support reading
the maximum data length supported command for LE.

Change-Id: I3fd266b3a2fe0be755d2f00a38a603a2f887a938
Signed-off-by: Sudha Bheemanna <b.sudha@samsung.com>
7 years ago Bluetooth: IPSP Connect/Disconnect apis 33/90633/1
Sudha Bheemanna [Mon, 3 Oct 2016 09:16:09 +0000 (14:46 +0530)]
Bluetooth: IPSP Connect/Disconnect apis

This patch adds MGMT code to support IPSP connect and
disconnect apis and handle connection state changed event.

Change-Id: I372ea923acd06c25cfa4c50094bf946e55dc30c8
Signed-off-by: Sudha Bheemanna <b.sudha@samsung.com>
7 years ago Bluetooth: Add support to enable/disable IPSP 11/90611/1
Sudha Bheemanna [Mon, 3 Oct 2016 06:06:17 +0000 (11:36 +0530)]
Bluetooth: Add support to enable/disable IPSP

This patch supports MGMT commands and code to enable or disable
IPSP 6LowPan features.

Change-Id: I4fa404d01493562251b821a68a400a5e05d48078
Signed-off-by: Sudha Bheemanna <b.sudha@samsung.com>
7 years ago kmsg: format back to previous for /dev/kmsg 16/88816/4 accepted/tizen/3.0/mobile/20161015.033718 accepted/tizen/mobile/20160927.021034 submit/tizen/20160926.022655 submit/tizen_3.0_mobile/20161015.000004
Michal Bloch [Tue, 20 Sep 2016 15:21:25 +0000 (17:21 +0200)]
kmsg: format back to previous for /dev/kmsg

 * no binary characters and no \0 at the end
 * done because the new format breaks various tools (such as sd-journal)
 * only affects prime /dev/kmsg, the additional /dev/kmsg12 etc unaffected

Signed-off-by: Michal Bloch <m.bloch@samsung.com>
Change-Id: Icafebabe08f960fa7a2766b91ab2a72e8d2891b6

7 years ago ARM: tizen_tm1_defconfig: disable smack_netfilter temporarily 34/88734/4 accepted/tizen/mobile/20160921.081224 submit/tizen/20160921.021059
jooseong lee [Tue, 20 Sep 2016 10:36:24 +0000 (19:36 +0900)]
ARM: tizen_tm1_defconfig: disable smack_netfilter temporarily

smack_netfilter was enabled to check network permission in Nether.
But it makes unintended Smack denial issue. For stability, we disable
smack_netfilter temporarily until fixing the problem.

Change-Id: I63636e6bda95c35976c0fed5c49ff6bf359aa657
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
7 years ago usb: gadget: g_ffs: Allow to set bmAttributes of configuration 36/88036/3 submit/tizen/20160920.104315
Krzysztof Opasiak [Mon, 12 Sep 2016 20:19:31 +0000 (22:19 +0200)]
usb: gadget: g_ffs: Allow to set bmAttributes of configuration

usb host tests expect configuration bmAttributes to have
a predefined value. As on 3.10 kernel we cannot use
ConfigFS to achieve this let's add a module parameter
which allows us to set it.

Change-Id: Iecf773d98c398ce1d3c529e7202155fb1e5e9ba6
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
7 years ago usb: gadget: g_ffs: Allow to set configuration string 35/88035/3
Krzysztof Opasiak [Mon, 12 Sep 2016 20:23:26 +0000 (22:23 +0200)]
usb: gadget: g_ffs: Allow to set configuration string

usb host tests expect configuration string to have
a predefined value. As on 3.10 kernel we cannot use
ConfigFS to achieve this let's add a module parameter
which allows us to set it.

Change-Id: I7556ef87fb4da7ae1f86fa4f110f78ffd5d2b854
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
7 years ago usb: gadget: fix: Call usb_gadget_connect() for dummy_udc 34/88034/1
Krzysztof Opasiak [Mon, 12 Sep 2016 18:54:59 +0000 (20:54 +0200)]
usb: gadget: fix: Call usb_gadget_connect() for dummy_udc

Ugly hack which comes from Android removes a call
to usb_gadget_connect() in udc_bind_to_driver() to
prevent android/slp gadget from communication before
userspace explicitly enables it.

Mainline gadgets (like g_ffs) expect this function
to be called as they don't have any sysfs interface
to enable them later.

As for usb-host API tests we need to use dummy_hcd
and g_ffs let's call usb_gadget_connect() for all
dummy_udc's.

Change-Id: I782bbb51c54e0b87ff6ef976070b6d8870a1a745
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
7 years ago usb: gadget: f_fs: add poll for endpoint 0 66/87866/2 accepted/tizen/mobile/20160912.093254 submit/tizen/20160912.020407
Paweł Szewczyk [Wed, 7 Sep 2016 19:24:12 +0000 (21:24 +0200)]
usb: gadget: f_fs: add poll for endpoint 0

This patch adds poll function for file representing ep0.

Ability of read from or write to ep0 file is related with actual state of ffs:
- When descriptors or strings are not written yet, POLLOUT flag is set.
- If there is any event to read, POLLIN flag is set.
- If setup request was read, POLLIN and POLLOUT flag is set, to allow
  send response (by performing I/O operation consistent with setup request
  direction) or set stall (by performing I/O operation opposite setup
  request direction).

Signed-off-by: Robert Baldyga <r.baldyga@samsung.com>
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
[Backported from mainline commit 23de91e]
Signed-off-by: Paweł Szewczyk <p.szewczyk@samsung.com>
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: I4286847252357b4796cc3794ce71d5a4ec2af9f5

7 years ago Input: tc305k: remove event log 35/87235/2
Seung-Woo Kim [Wed, 7 Sep 2016 06:12:48 +0000 (15:12 +0900)]
Input: tc305k: remove event log

This patch removes key event log.

Change-Id: I86f1967e54be571ab41d6025a1443e3aa2a25fda
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Signed-off-by: Andi Shyti <andi.shyti@samsung.com>
7 years ago Input: sc_keypad: remove event log 31/87231/2
Seung-Woo Kim [Wed, 7 Sep 2016 06:07:44 +0000 (15:07 +0900)]
Input: sc_keypad: remove event log

This patch removes key event log.

Change-Id: I3cbe04efcd4e16b30616c59f96a30cafa72b6827
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Signed-off-by: Andi Shyti <andi.shyti@samsung.com>
7 years ago Input: sprd_eic_keys: remove event log 27/87227/2
Seung-Woo Kim [Wed, 7 Sep 2016 05:56:10 +0000 (14:56 +0900)]
Input: sprd_eic_keys: remove event log

This patch removes event log.

Change-Id: Iaeeaab3c71d3513edd3af51df5dbb870099fecd2
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Signed-off-by: Andi Shyti <andi.shyti@samsung.com>
7 years ago Input: ist30xxc: remove touch event log 24/87224/3
Seung-Woo Kim [Wed, 7 Sep 2016 05:53:43 +0000 (14:53 +0900)]
Input: ist30xxc: remove touch event log

This patch removes touch event log.

Change-Id: I4a3ec5ccaf8455a48a8f67769c2056162a97c4de
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Signed-off-by: Andi Shyti <andi.shyti@samsung.com>
7 years ago usb: gadget: f_fs: remove build warnings from ffs_epfile_io 87/86787/1 accepted/tizen/mobile/20160905.065816 submit/tizen/20160905.022605
Seung-Woo Kim [Mon, 5 Sep 2016 01:52:21 +0000 (10:52 +0900)]
usb: gadget: f_fs: remove build warnings from ffs_epfile_io

This patch removes build warnings to convert unsigned int pointer
to char pointer from ffs_epfile_io().

Change-Id: I2b46093add10c647f3488220b123e3920a1cfeb4
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
7 years ago Build dummy_hcd and g_ffs as a modules 33/86533/3
Krzysztof Opasiak [Fri, 2 Sep 2016 10:52:40 +0000 (12:52 +0200)]
Build dummy_hcd and g_ffs as a modules

Change-Id: Ic505dd282eaf2740848fddbb98678d8fb147be1e
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
7 years ago Update config for TM1 board due to changes in Kconfig 32/86532/2
Krzysztof Opasiak [Thu, 1 Sep 2016 16:49:43 +0000 (18:49 +0200)]
Update config for TM1 board due to changes in Kconfig

Just a simple update due to changes in Kconfig of usb
gadget subsystem.

Change-Id: I21f96fd9ac826efe8bb056a67f0bba62643f13c8
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
7 years ago usb: gadget: Allow to build multiple legacy gadgets 31/86531/2
Krzysztof Opasiak [Thu, 1 Sep 2016 16:37:59 +0000 (18:37 +0200)]
usb: gadget: Allow to build multiple legacy gadgets

Currently it is possible to build in only one legacy gadget *OR*
compile multiple of them as modules. It's not possible to mix
those 2 ways of building them. This is limited only by Kconfig not
any functionality.

This patch removes this limitation. With this patch it is possible
to set up all build combinations:
1) Multiple gadgets built in
2) Some gadgets built in and some built as modules
etc.

As this patch makes Kconfig quite complicated let me clarify how it works:

USB_F_<func name> - used in makefile for compilation
USB_G_<gadget name>_REQ_F_<func name> - set up by gadget to mark
      that this particular gadget requires this func to work
USB_F_<func name>_SELECTOR - helper config which is used to determine
      if function should be built in or compiled as a module

Change-Id: I43b764ff27d08484df140835a6f2dee35d621248
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
7 years ago Smack: Fix wrong backporting for Smack 67/86667/2
jooseong lee [Fri, 2 Sep 2016 08:09:30 +0000 (17:09 +0900)]
Smack: Fix wrong backporting for Smack

Regarding:
Smack: secmark support for netfilter (d587ffac0e6b0849334d575bca4e9e1caa48f891)

Smack used to use a mix of smack_known struct and char* throughout its
APIs and implementation. I confused it. It should be char*, not smack_known struct.

(The latest kernel has a unified format, smack_known struct.)

Change-Id: Ifd93e8b3d85c867c8d7a903470abc45e589a1a37
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
7 years ago build: scripts: add input parameters to sprd_mkdzimage.sh 10/86310/1
Seung-Woo Kim [Wed, 31 Aug 2016 11:21:04 +0000 (20:21 +0900)]
build: scripts: add input parameters to sprd_mkdzimage.sh

Instead of fixed kernel and dtb files, this patch adds input
parameters to get proper kernel and dtb files.

Change-Id: Icd253cff63e7bccf12ddead4360417da05a7c7ef
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
7 years ago build: scripts: add input parameters to sprd_dtbtool.sh 28/86228/1
Seung-Woo Kim [Wed, 31 Aug 2016 04:33:11 +0000 (13:33 +0900)]
build: scripts: add input parameters to sprd_dtbtool.sh

Instead of fixed dtb file list and its hw platform information,
this patch adds input parameters to get proper dtb files and to
consider reversed dtc hw platform information.

Change-Id: I29b8da3c3520ac6619777d1b4e4456a32d28ba44
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
7 years ago packaging: remove not used release type build parameter 80/85880/2
Seung-Woo Kim [Mon, 29 Aug 2016 10:15:29 +0000 (19:15 +0900)]
packaging: remove not used release type build parameter

There is no build parameter about release type, and it does not
really fix anything. So this patch removes not used release type
build parameter from packaging spec file.

Change-Id: I930e9beff52ce884f5676da93dbfe847f0fff576
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
7 years ago tcp: make challenge acks less predictable 65/85865/1
Charles (Chas) Williams [Tue, 16 Aug 2016 20:50:11 +0000 (16:50 -0400)]
tcp: make challenge acks less predictable

commit 75ff39ccc1bd5d3c455b6822ab09e533c551f758 upstream.

From: Eric Dumazet <edumazet@google.com>

Yue Cao claims that current host rate limiting of challenge ACKS
(RFC 5961) could leak enough information to allow a patient attacker
to hijack TCP sessions. He will soon provide details in an academic
paper.

This patch increases the default limit from 100 to 1000, and adds
some randomization so that the attacker can no longer hijack
sessions without spending a considerable amount of probes.

Based on initial analysis and patch from Linus.

Note that we also have per socket rate limiting, so it is tempting
to remove the host limit in the future.

v2: randomize the count of challenge acks per second, not the period.

Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2")
Reported-by: Yue Cao <ycao009@ucr.edu>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[ ciwillia: backport to 3.10-stable ]
Signed-off-by: Chas Williams <ciwillia@brocade.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
[Apply from linux-3.10.y to fix CVE-2016-5696]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: Ida4b2baa58464341147f2ef082c6c6002f9c799a
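
A userspace model of the host-wide challenge ACK limiter described in the commit message above, added here as an illustration and not taken from the patch. It contrasts a fixed per-second budget with a randomized one ("randomize the count ... not the period"). The struct and function names, the xorshift PRNG and the exact budget range are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

#define OLD_LIMIT 100u   /* default host-wide limit before the patch (commit message) */
#define NEW_LIMIT 1000u  /* default host-wide limit after the patch (commit message) */

/* xorshift32: stand-in for the kernel's random source (assumption of this example). */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *s = x;
}

struct ack_limiter {
    uint32_t limit;      /* configured challenge ACKs per second, must be > 0 */
    int      randomize;  /* 0 = fixed budget, 1 = randomized budget */
    uint64_t second;     /* second the current budget was drawn for */
    uint32_t budget;     /* challenge ACKs still allowed in that second */
    uint32_t rng;        /* PRNG state */
};

static void limiter_init(struct ack_limiter *l, uint32_t limit,
                         int randomize, uint32_t seed)
{
    l->limit = limit;
    l->randomize = randomize;
    l->second = UINT64_MAX;     /* forces a refill on first use */
    l->budget = 0;
    l->rng = seed ? seed : 1;   /* xorshift state must be non-zero */
}

/* Returns 1 if a challenge ACK may be sent at now_sec, 0 if rate limited. */
static int limiter_allow(struct ack_limiter *l, uint64_t now_sec)
{
    if (now_sec != l->second) {
        l->second = now_sec;    /* the period stays exactly one second */
        if (l->randomize) {
            /* Budget drawn from [half, half + limit); this range is the
             * example's choice, the commit message only says "randomize
             * the count". The modulo bias is irrelevant for the model. */
            uint32_t half = (l->limit + 1) / 2;
            l->budget = half + xorshift32(&l->rng) % l->limit;
        } else {
            l->budget = l->limit;
        }
    }
    if (l->budget == 0)
        return 0;
    l->budget--;
    return 1;
}

/* Challenge ACKs actually sent when `segments` qualifying segments
 * arrive within the single second `sec`. */
static uint32_t acks_sent(struct ack_limiter *l, uint64_t sec, uint32_t segments)
{
    uint32_t sent = 0;
    for (uint32_t i = 0; i < segments; i++)
        sent += (uint32_t)limiter_allow(l, sec);
    return sent;
}

/* Difference between the largest and smallest per-second total over
 * `seconds` saturated seconds. 0 means the total is a constant. */
static uint32_t total_spread(struct ack_limiter *l, uint32_t seconds,
                             uint32_t segments)
{
    uint32_t lo = UINT32_MAX, hi = 0;
    for (uint32_t s = 0; s < seconds; s++) {
        uint32_t n = acks_sent(l, s, segments);
        if (n < lo) lo = n;
        if (n > hi) hi = n;
    }
    return hi - lo;
}

int main(void)
{
    struct ack_limiter fixed, rnd;
    limiter_init(&fixed, OLD_LIMIT, 0, 1);
    limiter_init(&rnd, NEW_LIMIT, 1, 2463534242u);  /* constructed seed */

    printf("sec  fixed(%u)  randomized(%u)\n", OLD_LIMIT, NEW_LIMIT);
    for (uint64_t s = 0; s < 5; s++)
        printf("%3llu  %9u  %14u\n", (unsigned long long)s,
               acks_sent(&fixed, s, 5000), acks_sent(&rnd, s, 5000));
    return 0;
}
```

With the fixed budget every saturated second yields the same total, which is the predictability the commit title refers to; with the randomized budget the total changes from second to second.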

7 years ago ARM: tizen_tm1_defconfig: enable netfilter_audit and smack_netfilter 17/68317/3 accepted/tizen/mobile/20160829.085202 submit/tizen/20160829.013616
jooseong lee [Tue, 3 May 2016 10:40:36 +0000 (19:40 +0900)]
ARM: tizen_tm1_defconfig: enable netfilter_audit and smack_netfilter

This patch enables smack netfilter to support nether service.
Nether is for network access control in Tizen3.0.

Change-Id: I011f5b2a51583d493d4d5bbc6f7165782b468913
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
7 years ago netfilter: nfnetlink_queue: add security context information 16/68316/2
Roman Kubiak [Tue, 12 Apr 2016 05:41:30 +0000 (14:41 +0900)]
netfilter: nfnetlink_queue: add security context information

This patch adds an additional attribute when sending
packet information via netlink in netfilter_queue module.
It will send additional security context data, so that
userspace applications can verify this context against
their own security databases.

Change-Id: I1f8e8bea84e05abfc78808f6fccc513aa5bb0a9f
Signed-off-by: Roman Kubiak <r.kubiak@samsung.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
7 years ago netfilter: Fix build failure in nfnetlink_queue_core.c. 15/68315/2
David S. Miller [Tue, 12 Apr 2016 05:17:16 +0000 (14:17 +0900)]
netfilter: Fix build failure in nfnetlink_queue_core.c.

net/netfilter/nfnetlink_queue_core.c: In function 'nfqnl_put_sk_uidgid':
net/netfilter/nfnetlink_queue_core.c:304:35: error: 'TCP_TIME_WAIT' undeclared (first use in this function)
net/netfilter/nfnetlink_queue_core.c:304:35: note: each undeclared identifier is reported only once for each function it appears in
make[3]: *** [net/netfilter/nfnetlink_queue_core.o] Error 1

Just a missing include of net/tcp_states.h

Change-Id: Ie82a35d53e3b73c5838b2b4a6c539a6d4251d4af
Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
7 years ago netfilter: nfnetlink_queue: enable UID/GID socket info retrieval 14/68314/2
Valentina Giusti [Tue, 12 Apr 2016 05:13:52 +0000 (14:13 +0900)]
netfilter: nfnetlink_queue: enable UID/GID socket info retrieval

Thanks to commits 41063e9 (ipv4: Early TCP socket demux) and 421b388
(udp: ipv4: Add udp early demux) it is now possible to parse UID and
GID socket info also for incoming TCP and UDP connections. Having
this info available, it is convenient to let NFQUEUE parse it in
order to improve and refine the traffic analysis in userspace.

Change-Id: Ie38c073a3543534497ef0cc6080642c808690b85
Signed-off-by: Valentina Giusti <valentina.giusti@bmw-carit.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
7 years ago netfilter: nfnetlink_queue: allow to attach expectations to conntracks 13/68313/2
Pablo Neira Ayuso [Wed, 7 Aug 2013 16:13:20 +0000 (18:13 +0200)]
netfilter: nfnetlink_queue: allow to attach expectations to conntracks

This patch adds the capability to attach expectations via nfnetlink_queue.
This is required by conntrack helpers that trigger expectations based on
the first packet seen like the TFTP and the DHCPv6 user-space helpers.

Change-Id: I1944cc4c4660b41d4eeafd44e3038bd2749ae655
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
7 years ago Smack: secmark connections 12/68312/2
Casey Schaufler [Tue, 26 Apr 2016 07:40:01 +0000 (16:40 +0900)]
Smack: secmark connections

If the secmark is available use it on connection as
well as packet delivery.

Change-Id: I570e750dc3753908f361b894c470784ec00a468e
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
7 years ago Smack: Repair netfilter dependency 11/68311/2
Casey Schaufler [Tue, 26 Apr 2016 07:36:31 +0000 (16:36 +0900)]
Smack: Repair netfilter dependency

On 1/23/2015 8:20 AM, Jim Davis wrote:
> Building with the attached random configuration file,
>
> security/smack/smack_netfilter.c: In function ‘smack_ipv4_output’:
> security/smack/smack_netfilter.c:55:6: error: ‘struct sk_buff’ has no
> member named ‘secmark’
>    skb->secmark = skp->smk_secid;
>       ^
> make[2]: *** [security/smack/smack_netfilter.o] Error 1

The existing Makefile used the wrong configuration option to
determine if smack_netfilter should be built. This sets it right.

Change-Id: Iba5ff1e171a49d9750884503d9a20d06463b5a2c
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
7 years ago Smack: secmark support for netfilter 10/68310/2
Casey Schaufler [Tue, 26 Apr 2016 07:28:27 +0000 (16:28 +0900)]
Smack: secmark support for netfilter

Smack uses CIPSO to label internet packets and thus provide
for access control on delivery of packets. The netfilter facility
was not used to allow for Smack to work properly without netfilter
configuration. Smack does not need netfilter, however there are
cases where it would be handy.

As a side effect, the labeling of local IPv4 packets can be optimized
and the handling of local IPv6 packets is just all out better.

The best part is that the netfilter tools use "contexts" that
are just strings, and they work just as well for Smack as they
do for SELinux.

All of the conditional compilation for IPv6 was implemented
by Rafal Krypa <r.krypa@samsung.com>

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
[jooseong.lee: Backported from mainline]
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
Change-Id: Ia4cf70850795c50ab9f2d58f4d1b42cca7411c21

7 years ago bluetooth: Increase the manufacturer data type size 74/85374/3
Nagaraj D R [Thu, 5 May 2016 08:53:06 +0000 (14:23 +0530)]
bluetooth: Increase the manufacturer data type size

To support tizen specific manufacturer data, data length needs to be increased.

Change-Id: I2c7d5d01348074d09684b52fac4b106609327ab0
Signed-off-by: DoHyun Pyun <dh79.pyun@samsung.com>
7 years ago packaging: remove BuildRequires for system-tools 56/84956/1
Joonyoung Shim [Mon, 22 Aug 2016 07:13:17 +0000 (16:13 +0900)]
packaging: remove BuildRequires for system-tools

TM1 kernel doesn't need system-tools package anymore, so remove
BuildRequires for system-tools.

Change-Id: I906a32f81f0b3c28518d7a1b610c01ddbc48c407
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
7 years ago build: use scripts to make kernel binary 55/84955/1
Joonyoung Shim [Mon, 22 Aug 2016 07:13:08 +0000 (16:13 +0900)]
build: use scripts to make kernel binary

Use our scripts to make kernel binary instead of binaries of
system-tools package, then we can remove dependency with system-tools
package.

Change-Id: I86a2de0af8743eaa22d1de5fa7dc68debadfc43c
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
7 years ago scripts: add sprd_mkdzimage.sh 54/84954/1
Joonyoung Shim [Mon, 22 Aug 2016 02:24:57 +0000 (11:24 +0900)]
scripts: add sprd_mkdzimage.sh

sprd_mkdzimage.sh is a script file to make dzImage binary that is TM1
specific kernel binary from zImage and merged-dtb binary. This will
substitute mkdzimage binary of system-tools.

Change-Id: Idb78c73eb5b195b7122c9cc5a033ae136769cf79
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
7 years ago scripts: add sprd_dtbtool.sh 53/84953/1
Joonyoung Shim [Thu, 18 Aug 2016 08:52:44 +0000 (17:52 +0900)]
scripts: add sprd_dtbtool.sh

sprd_dtbtool.sh is a script file to make one merged-dtb binary from
multiple dtb binaries for TM1. This will substitute dtbtool binary of
system-tools.

Change-Id: I69b73426ee43e0a5de3d6b4f5a28ec8965da5c6d
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
7 years ago packaging: fix not to provide kernel-headers 66/83466/1 accepted/tizen/mobile/20160816.233604 submit/tizen/20160816.052346
Seung-Woo Kim [Thu, 11 Aug 2016 06:02:52 +0000 (15:02 +0900)]
packaging: fix not to provide kernel-headers

The kernel-headers package is provided for common kernel headers
from linux-glibc-devel package but currently, it is also provided
from tm1 kernel. So this patch fixes not to provide kernel-headers.

Change-Id: Idcf7b8c6f605eea0bc7f8a0f70d9443f9dfe2c39
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
7 years ago wlan_cfg80211: Add SOFTAP WPS type to support WPS in tethering 59/82259/9 accepted/tizen/mobile/20160809.232534 submit/tizen/20160809.043430 submit/tizen/20160809.063303
Seonah Moon [Tue, 2 Aug 2016 09:00:56 +0000 (18:00 +0900)]
wlan_cfg80211: Add SOFTAP WPS type to support WPS in tethering

The tethering and soft AP should offer features of general APs.
The WPS is one of security types and standard to create a secure wireless home network.

This patch makes 80211 packets (beacon, probe response and associate response) include WPS IEs.

Change-Id: I89f60d5ee7a797c48b80b9f3dbfa2eca6825b5f2
Signed-off-by: Seonah Moon <seonah1.moon@samsung.com>
7 years ago Merge "wlan_cfg80211: Set the hidden ssid scan properly." into tizen
Joonyoung Shim [Tue, 9 Aug 2016 00:40:05 +0000 (17:40 -0700)]
Merge "wlan_cfg80211: Set the hidden ssid scan properly." into tizen

7 years ago wlan_cfg80211: Set the hidden ssid scan properly. 66/81866/4
hyunuktak [Fri, 29 Jul 2016 01:42:41 +0000 (10:42 +0900)]
wlan_cfg80211: Set the hidden ssid scan properly.

"vif->cfg80211.hidden_ssid_scan" value is always set to true although "ssid[i].ssid_len" value is zero.
If there are no ssids passed from caller, then unable to do ssid scan.
So it is needed to properly set it.

Change-Id: Id4064ab1b65b29a375c276c16c095309ca4a92b1
Signed-off-by: hyunuktak <hyunuk.tak@samsung.com>
7 years ago packaging: exclude build except target TM1 36/82536/2
Seung-Woo Kim [Thu, 4 Aug 2016 00:35:23 +0000 (09:35 +0900)]
packaging: exclude build except target TM1

This patch excludes build except target TM1.

Change-Id: I21fd72c705af10bb61b7b99a4bb8b3d60babaee3
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
7 years ago ppp, slip: Validate VJ compression slot parameters completely 42/76542/2 accepted/tizen/mobile/20160804.080948 submit/tizen/20160803.053117
Ben Hutchings [Sun, 1 Nov 2015 16:22:53 +0000 (16:22 +0000)]
ppp, slip: Validate VJ compression slot parameters completely

[ Upstream commit 4ab42d78e37a294ac7bc56901d563c642e03c4ae ]

Currently slhc_init() treats out-of-range values of rslots and tslots
as equivalent to 0, except that if tslots is too large it will
dereference a null pointer (CVE-2015-7799).

Add a range-check at the top of the function and make it return an
ERR_PTR() on error instead of NULL.  Change the callers accordingly.

Compile-tested only.

Change-Id: I4bd504aa497919117fec9d5ba97365fcca266b4c
Reported-by: 郭永刚 <guoyonggang@360.cn>
References: http://article.gmane.org/gmane.comp.security.oss.general/17908
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Junghoon Kim <jhoon20.kim@samsung.com>
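
The pattern the commit message above describes (range-check at the top of the init function, return an ERR_PTR()-encoded errno instead of NULL, callers test the result), as an added userspace example that is not the kernel's slhc code. The names vj_init and set_max_slots, the re-implemented ERR_PTR helpers and the 255 upper bound are assumptions of this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace stand-ins for the kernel's ERR_PTR helpers: a small negative
 * errno is carried in the top 4095 values of the pointer range. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err)      { return (void *)err; }
static inline long  PTR_ERR(const void *p) { return (long)p; }
static inline int   IS_ERR(const void *p)
{
    return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO;
}

#define VJ_MAX_SLOTS 255   /* assumption: a slot id must fit in one byte */

struct cstate {
    unsigned char  id;
    struct cstate *next;
};

struct vj_comp {                 /* hypothetical model of a VJ compressor */
    int rslots, tslots;
    struct cstate *rstate, *tstate;
};

/* Hardened init: every out-of-range combination is rejected before any
 * allocation, and failures are distinguishable through the errno. */
struct vj_comp *vj_init(int rslots, int tslots)
{
    struct vj_comp *c;

    if (rslots < 0 || rslots > VJ_MAX_SLOTS ||
        tslots < 0 || tslots > VJ_MAX_SLOTS)
        return ERR_PTR(-EINVAL);

    c = calloc(1, sizeof(*c));
    if (!c)
        return ERR_PTR(-ENOMEM);

    if (rslots > 0) {
        c->rstate = calloc((size_t)rslots, sizeof(*c->rstate));
        if (!c->rstate)
            goto free_comp;
        c->rslots = rslots;
    }
    if (tslots > 0) {
        c->tstate = calloc((size_t)tslots, sizeof(*c->tstate));
        if (!c->tstate)
            goto free_rstate;
        c->tslots = tslots;
        /* Link the transmit states into a ring; indexing here is only
         * safe because tslots was validated above. */
        for (int i = 0; i < tslots; i++) {
            c->tstate[i].id = (unsigned char)i;
            c->tstate[i].next = &c->tstate[(i + 1) % tslots];
        }
    }
    return c;

free_rstate:
    free(c->rstate);
free_comp:
    free(c);
    return ERR_PTR(-ENOMEM);
}

void vj_free(struct vj_comp *c)
{
    if (!c || IS_ERR(c))
        return;
    free(c->tstate);
    free(c->rstate);
    free(c);
}

/* Caller in the style of an ioctl handler taking a user-supplied value:
 * the old state is replaced only after the new one was built. */
int set_max_slots(struct vj_comp **cur, int user_val)
{
    struct vj_comp *fresh = vj_init(16, user_val + 1);

    if (IS_ERR(fresh))
        return (int)PTR_ERR(fresh);   /* propagate -EINVAL / -ENOMEM */
    vj_free(*cur);
    *cur = fresh;
    return 0;
}

int main(void)
{
    struct vj_comp *comp = NULL;
    int vals[] = { 15, 4096, -7 };    /* constructed sample inputs */

    for (size_t i = 0; i < sizeof(vals) / sizeof(vals[0]); i++)
        printf("set_max_slots(%d) -> %d\n", vals[i],
               set_max_slots(&comp, vals[i]));
    vj_free(comp);
    return 0;
}
```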
7 years ago isdn_ppp: Add checks for allocation failure in isdn_ppp_open() 41/76541/2
Ben Hutchings [Sun, 1 Nov 2015 16:21:24 +0000 (16:21 +0000)]
isdn_ppp: Add checks for allocation failure in isdn_ppp_open()

[ Upstream commit 0baa57d8dc32db78369d8b5176ef56c5e2e18ab3 ]

Compile-tested only.

Change-Id: I32e9c951314f1ce66338c560aaa299b4536e4b93
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Junghoon Kim <jhoon20.kim@samsung.com>
7 years ago USB: whiteheat: fix potential null-deref at probe 40/76540/2
Johan Hovold [Wed, 23 Sep 2015 18:41:42 +0000 (11:41 -0700)]
USB: whiteheat: fix potential null-deref at probe

commit cbb4be652d374f64661137756b8f357a1827d6a4 upstream.

Fix potential null-pointer dereference at probe by making sure that the
required endpoints are present.

The whiteheat driver assumes there are at least five pairs of bulk
endpoints, of which the final pair is used for the "command port". An
attempt to bind to an interface with fewer bulk endpoints would
currently lead to an oops.

Fixes CVE-2015-5257.

Reported-by: Moein Ghasemzadeh <moein@istuary.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Ib2b005674463119d8f6ebcaa1184cba668b1400e
Signed-off-by: Junghoon Kim <jhoon20.kim@samsung.com>
7 years ago USB: mct_u232: add sanity checking in probe 39/76539/2
Oliver Neukum [Thu, 31 Mar 2016 16:04:24 +0000 (12:04 -0400)]
USB: mct_u232: add sanity checking in probe

commit 4e9a0b05257f29cf4b75f3209243ed71614d062e upstream.

An attack using the lack of sanity checking in probe is known. This
patch checks for the existence of a second port.

CVE-2016-3136

Signed-off-by: Oliver Neukum <ONeukum@suse.com>
CC: stable@vger.kernel.org
[johan: add error message ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Change-Id: Icd1c5482b10f647177c7793c93fc7b592df4e79e
Signed-off-by: Junghoon Kim <jhoon20.kim@samsung.com>
7 years ago USB: cypress_m8: add endpoint sanity check 38/76538/2
Oliver Neukum [Thu, 31 Mar 2016 16:04:25 +0000 (12:04 -0400)]
USB: cypress_m8: add endpoint sanity check

commit c55aee1bf0e6b6feec8b2927b43f7a09a6d5f754 upstream.

An attack using missing endpoints exists.

CVE-2016-3137

Change-Id: I58a2e1025bf8f3f0ba3ce9e949c1fa80f78636ce
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
CC: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Junghoon Kim <jhoon20.kim@samsung.com>
7 years ago unix: properly account for FDs passed over unix sockets 37/76537/2
willy tarreau [Sun, 10 Jan 2016 06:54:56 +0000 (07:54 +0100)]
unix: properly account for FDs passed over unix sockets

[ Upstream commit 712f4aad406bb1ed67f3f98d04c044191f0ff593 ]

It is possible for a process to allocate and accumulate far more FDs than
the process' limit by sending them over a unix socket then closing them
to keep the process' fd count low.

This change addresses this problem by keeping track of the number of FDs
in flight per user and preventing non-privileged processes from having
more FDs in flight than their configured FD limit.

Change-Id: I5e4f12dada69f3c253ead12f893ccf5f88053765
Reported-by: socketpair@gmail.com
Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Mitigates: CVE-2013-4312 (Linux 2.0+)
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Junghoon Kim <jhoon20.kim@samsung.com>
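
A user-space model of the per-user in-flight accounting this commit message describes, added here as an illustration and not taken from the patch. All model_* names, the field layout and the error code are assumptions of the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model: one counter per user, shared by all of that user's
 * processes, as the commit message describes. */
struct model_user { unsigned long unix_inflight; };

struct model_task {
    struct model_user *user;
    unsigned long rlimit_nofile;  /* the process' configured FD limit */
    bool privileged;              /* privileged senders are exempt */
};

static bool model_too_many_fds(const struct model_task *t)
{
    return !t->privileged && t->user->unix_inflight > t->rlimit_nofile;
}

/* Queue n descriptors on a unix socket. The sender may close its own copies
 * afterwards, so its FD table stays small while the in-flight count grows. */
static int model_send_fds(struct model_task *t, unsigned long n)
{
    if (model_too_many_fds(t))
        return -ETOOMANYREFS;  /* assumption: error code chosen for the model */
    t->user->unix_inflight += n;
    return 0;
}

/* The receiver picked the descriptors up: they are no longer in flight. */
static void model_recv_fds(struct model_task *t, unsigned long n)
{
    t->user->unix_inflight -= n;
}

/* Send one FD per attempt and never receive; return how many were queued. */
static unsigned long model_accumulate(struct model_task *t, unsigned long tries)
{
    unsigned long queued = 0;
    while (queued < tries && model_send_fds(t, 1) == 0)
        queued++;
    return queued;
}

int main(void)
{
    struct model_user u = { 0 };
    struct model_task t = { &u, 4, false };
    printf("queued before refusal: %lu\n", model_accumulate(&t, 100));
    model_recv_fds(&t, u.unix_inflight);
    printf("after receive, send rc: %d\n", model_send_fds(&t, 1));
    return 0;
}
```

Because the counter belongs to the user and not to the process, a second process of the same user is refused as soon as the first one has exhausted the budget.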
7 years ago splice: Apply generic position and size checks to each write 36/76536/2
Ben Hutchings [Thu, 29 Jan 2015 02:50:33 +0000 (02:50 +0000)]
splice: Apply generic position and size checks to each write

commit 894c6350eaad7e613ae267504014a456e00a3e2a from the 3.2-stable branch.

We need to check the position and size of file writes against various
limits, using generic_write_check().  This was not being done for
the splice write path.  It was fixed upstream by commit 8d0207652cbe
("->splice_write() via ->write_iter()") but we can't apply that.

CVE-2014-7822

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
[Ben fixed it in 3.2 stable, I ported it to 3.10 stable]
Signed-off-by: Zhang Zhen <zhenzhang.zhang@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I10f6cd44e0223d515d905ee5f3043b5d22c31057
Signed-off-by: Junghoon Kim <jhoon20.kim@samsung.com>
7 years ago RDS: fix race condition when sending a message on unbound socket 35/76535/2
Quentin Casasnovas [Tue, 24 Nov 2015 22:13:21 +0000 (17:13 -0500)]
RDS: fix race condition when sending a message on unbound socket

Sasha's found a NULL pointer dereference in the RDS connection code when
sending a message to an apparently unbound socket.  The problem is caused
by the code checking if the socket is bound in rds_sendmsg(), which checks
the rs_bound_addr field without taking a lock on the socket.  This opens a
race where rs_bound_addr is temporarily set but where the transport is not
in rds_bind(), leading to a NULL pointer dereference when trying to
dereference 'trans' in __rds_conn_create().

Vegard wrote a reproducer for this issue, so kindly ask him to share if
you're interested.

I cannot reproduce the NULL pointer dereference using Vegard's reproducer
with this patch, whereas I could without.

Complete earlier incomplete fix to CVE-2015-6937:

  74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection")

Cc: David S. Miller <davem@davemloft.net>
Cc: stable@vger.kernel.org
Change-Id: I697622374cf9a4b8d805fb5a58987cfe8646afed
Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Junghoon Kim <jhoon20.kim@samsung.com>
7 years ago pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic 34/76534/2
Ben Hutchings [Tue, 16 Jun 2015 21:11:06 +0000 (22:11 +0100)]
pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic

pipe_iov_copy_{from,to}_user() may be tried twice with the same iovec,
the first time atomically and the second time not.  The second attempt
needs to continue from the iovec position, pipe buffer offset and
remaining length where the first attempt failed, but currently the
pipe buffer offset and remaining length are reset.  This will corrupt
the piped data (possibly also leading to an information leak between
processes) and may also corrupt kernel memory.

This was fixed upstream by commits f0d1bec9d58d ("new helper:
copy_page_from_iter()") and 637b58c2887e ("switch pipe_read() to
copy_page_to_iter()"), but those aren't suitable for stable.  This fix
for older kernel versions was made by Seth Jennings for RHEL and I
have extracted it from their update.

CVE-2015-1805

Change-Id: Iedade4714500e63ad26599fe7aaa91d886df84a9
References: https://bugzilla.redhat.com/show_bug.cgi?id=1202855
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Junghoon Kim <jhoon20.kim@samsung.com>
7 years ago netfilter: conntrack: disable generic tracking for known protocols 33/76533/2
Florian Westphal [Fri, 26 Sep 2014 09:35:42 +0000 (11:35 +0200)]
netfilter: conntrack: disable generic tracking for known protocols

commit db29a9508a9246e77087c5531e45b2c88ec6988b upstream.

Given the following iptables ruleset:

-P FORWARD DROP
-A FORWARD -m sctp --dport 9 -j ACCEPT
-A FORWARD -p tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m conntrack -m state ESTABLISHED,RELATED -j ACCEPT

One would assume that this allows SCTP on port 9 and TCP on port 80.
Unfortunately, if the SCTP conntrack module is not loaded, this allows
*all* SCTP communication to pass through, i.e. -p sctp -j ACCEPT,
which we think is a security issue.

This is because on the first SCTP packet on port 9, we create a dummy
"generic l4" conntrack entry without any port information (since
conntrack doesn't know how to extract this information).

All subsequent packets that are unknown will then be in established
state since they will fallback to proto_generic and will match the
'generic' entry.

Our originally proposed version [1] completely disabled generic protocol
tracking, but Jozsef suggests to not track protocols for which a more
suitable helper is available, hence we now mitigate the issue for in
tree known ct protocol helpers only, so that at least NAT and direction
information will still be preserved for others.

 [1] http://www.spinics.net/lists/netfilter-devel/msg33430.html

Joint work with Daniel Borkmann.

Fixes CVE-2014-8160.

Change-Id: I8dbb1b870c0724acba5f20d353c856f16ec00ae0
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Zhiqiang Zhang <zhangzhiqiang.zhang@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Junghoon Kim <jhoon20.kim@samsung.com>
7 years ago net: add validation for the socket syscall protocol argument 32/76532/2
Hannes Frederic Sowa [Mon, 14 Dec 2015 21:03:39 +0000 (22:03 +0100)]
net: add validation for the socket syscall protocol argument

[ Upstream commit 79462ad02e861803b3840cc782248c7359451cd9 ]

郭永刚 reported that one could simply crash the kernel as root by
using a simple program:

int socket_fd;
struct sockaddr_in addr;
addr.sin_port = 0;
addr.sin_addr.s_addr = INADDR_ANY;
addr.sin_family = 10;

socket_fd = socket(10,3,0x40000000);
connect(socket_fd , &addr,16);

AF_INET, AF_INET6 sockets actually only support 8-bit protocol
identifiers. inet_sock's skc_protocol field thus is sized accordingly,
thus larger protocol identifiers simply cut off the higher bits and
store a zero in the protocol fields.

This could lead to e.g. NULL function pointer because as a result of
the cut off inet_num is zero and we call down to inet_autobind, which
is NULL for raw sockets.

kernel: Call Trace:
kernel:  [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70
kernel:  [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80
kernel:  [<ffffffff81645069>] SYSC_connect+0xd9/0x110
kernel:  [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80
kernel:  [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200
kernel:  [<ffffffff81645e0e>] SyS_connect+0xe/0x10
kernel:  [<ffffffff81779515>] tracesys_phase2+0x84/0x89

I found no particular commit which introduced this problem.

Change-Id: I30cd09ffb9705304bcda7247fe28ac14c8bb20a9
CVE: CVE-2015-8543
Cc: Cong Wang <cwang@twopensource.com>
Reported-by: 郭永刚 <guoyonggang@360.cn>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Junghoon Kim <jhoon20.kim@samsung.com>
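
The truncation described above and a range check of the kind the commit title names, modelled in user space as an added example (not code from this commit or the kernel tree). struct model_sock, the model_create_* functions and MODEL_IPPROTO_MAX are hypothetical names; the bound of 256 is an assumption.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 256 was the value of IPPROTO_MAX in kernels of this era. */
#define MODEL_IPPROTO_MAX 256

/* Constructed stand-in for the socket fields the commit message names. */
struct model_sock {
    uint8_t  protocol;  /* 8-bit, like skc_protocol */
    uint16_t num;       /* like inet_num, set from protocol for raw sockets */
};

/* Pre-fix behaviour: the int from socket(2) is stored with no range check,
 * so the high bits are silently dropped. */
static int model_create_unchecked(struct model_sock *sk, int protocol)
{
    sk->protocol = (uint8_t)protocol;
    sk->num = (uint16_t)protocol;
    return 0;
}

/* Post-fix behaviour: out-of-range identifiers never reach the socket. */
static int model_create_checked(struct model_sock *sk, int protocol)
{
    if (protocol < 0 || protocol >= MODEL_IPPROTO_MAX)
        return -EINVAL;
    return model_create_unchecked(sk, protocol);
}

int main(void)
{
    struct model_sock sk = { 0xff, 0xffff };
    int rc = model_create_unchecked(&sk, 0x40000000);
    printf("unchecked: rc=%d protocol=%u num=%u\n", rc, sk.protocol, sk.num);

    sk = (struct model_sock){ 0xff, 0xffff };
    rc = model_create_checked(&sk, 0x40000000);
    printf("checked:   rc=%d protocol=%u num=%u\n", rc, sk.protocol, sk.num);
    return 0;
}
```

With the check in place the socket fields keep their previous values, so no later code path sees a zeroed protocol number.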
7 years ago KEYS: close race between key lookup and freeing 31/76531/2
Sasha Levin [Mon, 29 Dec 2014 14:39:01 +0000 (09:39 -0500)]
KEYS: close race between key lookup and freeing

commit a3a8784454692dd72e5d5d34dcdab17b4420e74c upstream.

When a key is being garbage collected, its key->user would get put before
the ->destroy() callback is called, where the key is removed from its
respective tracking structures.

This leaves a key hanging in a semi-invalid state which leaves a window open
for a different task to try to access key->user. An example is
find_keyring_by_name() which would dereference key->user for a key that is
in the process of being garbage collected (where key->user was freed but
->destroy() wasn't called yet - so it's still present in the linked list).

This would cause either a panic, or corrupt memory.

Fixes CVE-2014-9529.

Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Iab7bb60ba1db5931cd8911ed04452cdb55358eda
Signed-off-by: Junghoon Kim <jhoon20.kim@samsung.com>
7 years ago KEYS: Fix race between read and revoke 30/76530/2
David Howells [Fri, 18 Dec 2015 01:34:26 +0000 (01:34 +0000)]
KEYS: Fix race between read and revoke

commit b4a1b4f5047e4f54e194681125c74c0aa64d637d upstream.

This fixes CVE-2015-7550.

There's a race between keyctl_read() and keyctl_revoke().  If the revoke
happens between keyctl_read() checking the validity of a key and the key's
semaphore being taken, then the key type read method will see a revoked key.

This causes a problem for the user-defined key type because it assumes in
its read method that there will always be a payload in a non-revoked key
and doesn't check for a NULL pointer.

Fix this by making keyctl_read() check the validity of a key after taking
semaphore instead of before.

I think the bug was introduced with the original keyrings code.

This was discovered by a multithreaded test program generated by syzkaller
(http://github.com/google/syzkaller).  Here's a cleaned up version:

	#include <sys/types.h>
	#include <keyutils.h>
	#include <pthread.h>
	void *thr0(void *arg)
	{
		key_serial_t key = (unsigned long)arg;
		keyctl_revoke(key);
		return 0;
	}
	void *thr1(void *arg)
	{
		key_serial_t key = (unsigned long)arg;
		char buffer[16];
		keyctl_read(key, buffer, 16);
		return 0;
	}
	int main()
	{
		key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING);
		pthread_t th[5];
		pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key);
		pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key);
		pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key);
		pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key);
		pthread_join(th[0], 0);
		pthread_join(th[1], 0);
		pthread_join(th[2], 0);
		pthread_join(th[3], 0);
		return 0;
	}

Build as:

cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread

Run as:

while keyctl-race; do :; done

as it may need several iterations to crash the kernel.  The crash can be
summarised as:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
IP: [<ffffffff81279b08>] user_read+0x56/0xa3
...
Call Trace:
 [<ffffffff81276aa9>] keyctl_read_key+0xb6/0xd7
 [<ffffffff81277815>] SyS_keyctl+0x83/0xe0
 [<ffffffff815dbb97>] entry_SYSCALL_64_fastpath+0x12/0x6f

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Ie59035bed50d4e1aa2248a0bd5128a0f997ab29a
Signed-off-by: Junghoon Kim <jhoon20.kim@samsung.com>
7 years ago Btrfs: make xattr replace operations atomic 29/76529/2
Filipe Manana [Sun, 9 Nov 2014 08:38:39 +0000 (08:38 +0000)]
Btrfs: make xattr replace operations atomic

commit 5f5bc6b1e2d5a6f827bc860ef2dc5b6f365d1339 upstream.

Replacing an xattr consists of doing a lookup for its existing value, deleting
the current value from the respective leaf, releasing the search path and then
finally inserting the new value. This leaves a time window where readers (getxattr,
listxattrs) won't see any value for the xattr. Xattrs are used to store ACLs,
so this has security implications.

This change also fixes 2 other existing issues which were:

*) Deleting the old xattr value without verifying first if the new xattr will
   fit in the existing leaf item (in case multiple xattrs are packed in the
   same item due to name hash collision);

*) Returning -EEXIST when the flag XATTR_CREATE is given and the xattr doesn't
   exist but we have an existing item that packs multiple xattrs with
   the same name hash as the input xattr. In this case we should return ENOSPC.

A test case for xfstests follows soon.

Thanks to Alexandre Oliva for reporting the non-atomicity of the xattr replace
implementation.

Change-Id: I286d47858be086bb974cb4fa8eee5d32e8bee61d
Reported-by: Alexandre Oliva <oliva@gnu.org>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Chris Mason <clm@fb.com>
[shengyong: backport to 3.10
 - FIX: CVE-2014-9710
 - adjust context
 - ASSERT() was added v3.12, so we do check with if statement
 - set the first parameter of btrfs_item_nr() as NULL, because it is not
   used, and is removed in v3.13
]
Signed-off-by: Sheng Yong <shengyong1@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Junghoon Kim <jhoon20.kim@samsung.com>
7 years ago kmsg: allow binary characters 22/80722/3
Michal Bloch [Thu, 21 Jul 2016 11:41:02 +0000 (13:41 +0200)]
kmsg: allow binary characters

* do not touch unprintable characters. This is so that logs can have formatting
  such as newlines, tabulation, or colours.
* the textual part is now delimited by \0. This is because \n which used to be
  the delimiter is now available for logs.

Signed-off-by: Michal Bloch <m.bloch@samsung.com>
Change-Id: I030a4eab791f4468897d3dcdc5bb04549f30b2f7
Signed-off-by: Kichan Kwon <k_c.kwon@samsung.com>
7 years ago Smack: Assign smack_known_web label for kernel thread's socket in the sk_alloc_securi... 17/80717/4 accepted/tizen/mobile/20160720.055300 submit/tizen/20160720.020843
jooseong lee [Wed, 20 Jul 2016 01:07:11 +0000 (10:07 +0900)]
Smack: Assign smack_known_web label for kernel thread's socket in the sk_alloc_security hook

Creating a struct sock with the sk_alloc function in various kernel subsystems
like bluetooth doesn't call smack_socket_post_create(). In such a case, the
received sock label is the floor('_') label, which causes access to be denied.

Refers to:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7412301b76bd53ee53b860f611fc3b5b1c2245b5

Change-Id: I614c5f0e6d59be5ca6b49f0581edfef79fc334cf
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>