Philip Pettersson [Wed, 30 Nov 2016 22:55:36 +0000 (14:55 -0800)]
UPSTREAM: packet: fix race condition in packet_set_ring
(cherry picked from commit
84ac7260236a49c79eede91617700174c2c19b0c)
When packet_set_ring creates a ring buffer it will initialize a
struct timer_list if the packet version is TPACKET_V3. This value
can then be raced by a different thread calling setsockopt to
set the version to TPACKET_V1 before packet_set_ring has finished.
This leads to a use-after-free on a function pointer in the
struct timer_list when the socket is closed as the previously
initialized timer will not be deleted.
The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
changing the packet version while also taking the lock at the start
of packet_set_ring.
Fixes:
f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Signed-off-by: Philip Pettersson <philip.pettersson@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Change-Id: Ice451620ecf2c2a5ba3709f45fbb5f3f5c5bb389
Bug:
33358926
Herbert Xu [Mon, 16 May 2016 09:28:16 +0000 (17:28 +0800)]
UPSTREAM: netlink: Fix dump skb leak/double free
(cherry picked from commit
92964c79b357efd980812c4de5c1fd2ec8bb5520)
When we free cb->skb after a dump, we do it after releasing the
lock. This means that a new dump could have started in the time
being and we'll end up freeing their skb instead of ours.
This patch saves the skb and module before we unlock so we free
the right memory.
Fixes:
16b304f3404f ("netlink: Eliminate kmalloc in netlink dump operation.")
Reported-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Change-Id: Ie2db6a32a49686c6d22c4a88c251b288343c7813
Bug:
33393474
Eric Dumazet [Fri, 2 Dec 2016 17:44:53 +0000 (09:44 -0800)]
UPSTREAM: net: avoid signed overflows for SO_{SND|RCV}BUFFORCE
(cherry picked from commit
b98b0bc8c431e3ceb4b26b0dfc8db509518fb290)
CAP_NET_ADMIN users should not be allowed to set negative
sk_sndbuf or sk_rcvbuf values, as it can lead to various memory
corruptions, crashes, OOM...
Note that before commit
82981930125a ("net: cleanups in
sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF
and SO_RCVBUF were vulnerable.
This needs to be backported to all known linux kernels.
Again, many thanks to syzkaller team for discovering this gem.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Change-Id: I2b621c28c02267af5b34a379b2970fe5fb61a4f6
Bug:
33363517
Paul Burton [Thu, 21 Apr 2016 17:04:53 +0000 (18:04 +0100)]
MIPS: Prevent "restoration" of MSA context in non-MSA kernels
commit
6533af4d4831c421cd9aa4dce7cfc19a3514cc09 upstream.
If a kernel doesn't support MSA context (ie. CONFIG_CPU_HAS_MSA=n) then
it will only keep 64 bits per FP register in thread context, and the
calls to set_fpr64 in restore_msa_extcontext will overrun the end of the
FP register context into the FCSR & MSACSR values. GCC 6.x has become
smart enough to detect this & complain like so:
arch/mips/kernel/signal.c: In function 'protected_restore_fp_context':
./arch/mips/include/asm/processor.h:114:17: error: array subscript is above array bounds [-Werror=array-bounds]
fpr->val##width[FPR_IDX(width, idx)] = val; \
~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~
./arch/mips/include/asm/processor.h:118:1: note: in expansion of macro 'BUILD_FPR_ACCESS'
BUILD_FPR_ACCESS(64)
The only way to trigger this code to run would be for a program to set
up an artificial extended MSA context structure following a sigframe &
execute sigreturn. Whilst this doesn't allow a program to write to any
state that it couldn't already, it makes little sense to allow this
"restoration" of MSA context in a system that doesn't support MSA.
Fix this by killing a program with SIGSYS if it tries something as crazy
as "restoring" fake MSA context in this way, also fixing the build error
& allowing for most of restore_msa_extcontext to be optimised out of
kernels without support for MSA.
Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Reported-by: Michal Toman <michal.toman@imgtec.com>
Fixes:
bf82cb30c7e5 ("MIPS: Save MSA extended context around signals")
Tested-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: Michal Toman <michal.toman@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/13164/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Biggers [Fri, 30 Dec 2016 23:42:32 +0000 (17:42 -0600)]
net: socket: don't set sk_uid to garbage value in ->setattr()
->setattr() was recently implemented for socket files to sync the socket
inode's uid to the new 'sk_uid' member of struct sock. It does this by
copying over the ia_uid member of struct iattr. However, ia_uid is
actually only valid when ATTR_UID is set in ia_valid, indicating that
the uid is being changed, e.g. by chown. Other metadata operations such
as chmod or utimes leave ia_uid uninitialized. Therefore, sk_uid could
be set to a "garbage" value from the stack.
Fix this by only copying the uid over when ATTR_UID is set.
[cherry-pick of net
e1a3a60a2ebe991605acb14cd58e39c0545e174e]
Bug:
16355602
Change-Id: I20e53848e54282b72a388ce12bfa88da5e3e9efe
Fixes:
86741ec25462 ("net: core: Add a UID field to struct sock.")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Tested-by: Lorenzo Colitti <lorenzo@google.com>
Acked-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Sami Tolvanen [Wed, 4 Jan 2017 17:11:04 +0000 (09:11 -0800)]
ANDROID: configs: CONFIG_ARM64_SW_TTBR0_PAN=y
Bug:
31432001
Change-Id: Ia72c3aa70a463d3a7f52b76e5082520aa328d29b
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Marc Zyngier [Mon, 12 Dec 2016 13:50:26 +0000 (13:50 +0000)]
UPSTREAM: arm64: Disable PAN on uaccess_enable()
Commit
4b65a5db3627 ("arm64: Introduce uaccess_{disable,enable}
functionality based on TTBR0_EL1") added conditional user access
enable/disable. Unfortunately, a typo prevents the PAN bit from being
cleared for user access functions.
Restore the PAN functionality by adding the missing '!'.
Fixes:
b65a5db3627 ("arm64: Introduce uaccess_{disable,enable} functionality based on TTBR0_EL1")
Reported-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Bug:
31432001
Change-Id: If61cb6cc756affc7df7fa06213723a8b96eb1e80
(cherry picked from commit
75037120e62b58c536999eb23d70cfcb6d6c0bcc)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Catalin Marinas [Fri, 1 Jul 2016 17:25:31 +0000 (18:25 +0100)]
UPSTREAM: arm64: Enable CONFIG_ARM64_SW_TTBR0_PAN
This patch adds the Kconfig option to enable support for TTBR0 PAN
emulation. The option is default off because of a slight performance hit
when enabled, caused by the additional TTBR0_EL1 switching during user
access operations or exception entry/exit code.
Cc: Will Deacon <will.deacon@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Bug:
31432001
Change-Id: I2f0b5f332e3c56ea0453ff69826525dec49f034b
(cherry picked from commit
ba42822af1c287f038aa550f3578c61c212a892e)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Catalin Marinas [Tue, 5 Jul 2016 11:25:15 +0000 (12:25 +0100)]
UPSTREAM: arm64: xen: Enable user access before a privcmd hvc call
Privcmd calls are issued by the userspace. The kernel needs to enable
access to TTBR0_EL1 as the hypervisor would issue stage 1 translations
to user memory via AT instructions. Since AT instructions are not
affected by the PAN bit (ARMv8.1), we only need the explicit
uaccess_enable/disable if the TTBR0 PAN option is enabled.
Reviewed-by: Julien Grall <julien.grall@arm.com>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
Cc: Will Deacon <will.deacon@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Bug:
31432001
Change-Id: I64d827923d869c1868702c8a18efa99ea91d3151
(cherry picked from commit
9cf09d68b89ae5fe0261dcc69464bcc676900af6)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Catalin Marinas [Fri, 1 Jul 2016 17:22:39 +0000 (18:22 +0100)]
UPSTREAM: arm64: Handle faults caused by inadvertent user access with PAN enabled
When TTBR0_EL1 is set to the reserved page, an erroneous kernel access
to user space would generate a translation fault. This patch adds the
checks for the software-set PSR_PAN_BIT to emulate a permission fault
and report it accordingly.
Cc: Will Deacon <will.deacon@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Bug:
31432001
Change-Id: I87e48f6075f84878e4d26d4fadf6eaac49d2cb4e
(cherry picked from commit
786889636ad75296c213547d1ca656af4c59f390)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Catalin Marinas [Fri, 2 Sep 2016 13:54:03 +0000 (14:54 +0100)]
BACKPORT: arm64: Disable TTBR0_EL1 during normal kernel execution
When the TTBR0 PAN feature is enabled, the kernel entry points need to
disable access to TTBR0_EL1. The PAN status of the interrupted context
is stored as part of the saved pstate, reusing the PSR_PAN_BIT (22).
Restoring access to TTBR0_EL1 is done on exception return if returning
to user or returning to a context where PAN was disabled.
Context switching via switch_mm() must defer the update of TTBR0_EL1
until a return to user or an explicit uaccess_enable() call.
Special care needs to be taken for two cases where TTBR0_EL1 is set
outside the normal kernel context switch operation: EFI run-time
services (via efi_set_pgd) and CPU suspend (via cpu_(un)install_idmap).
Code has been added to avoid deferred TTBR0_EL1 switching as in
switch_mm() and restore the reserved TTBR0_EL1 when uninstalling the
special TTBR0_EL1.
User cache maintenance (user_cache_maint_handler and
__flush_cache_user_range) needs the TTBR0_EL1 re-instated since the
operations are performed by user virtual address.
This patch also removes a stale comment on the switch_mm() function.
Cc: Will Deacon <will.deacon@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Bug:
31432001
Change-Id: I85a49f70e13b153b9903851edf56f6531c14e6de
(cherry picked from commit
39bc88e5e38e9b213bd7d833ce0df6ec029761ad)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Catalin Marinas [Fri, 1 Jul 2016 15:53:00 +0000 (16:53 +0100)]
BACKPORT: arm64: Introduce uaccess_{disable,enable} functionality based on TTBR0_EL1
This patch adds the uaccess macros/functions to disable access to user
space by setting TTBR0_EL1 to a reserved zeroed page. Since the value
written to TTBR0_EL1 must be a physical address, for simplicity this
patch introduces a reserved_ttbr0 page at a constant offset from
swapper_pg_dir. The uaccess_disable code uses the ttbr1_el1 value
adjusted by the reserved_ttbr0 offset.
Enabling access to user is done by restoring TTBR0_EL1 with the value
from the struct thread_info ttbr0 variable. Interrupts must be disabled
during the uaccess_ttbr0_enable code to ensure the atomicity of the
thread_info.ttbr0 read and TTBR0_EL1 write. This patch also moves the
get_thread_info asm macro from entry.S to assembler.h for reuse in the
uaccess_ttbr0_* macros.
Cc: Will Deacon <will.deacon@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Bug:
31432001
Change-Id: I54ada623160cb47f5762e0e39a5e84a75252dbfd
(cherry picked from commit
4b65a5db362783ab4b04ca1c1d2ad70ed9b0ba2a)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Catalin Marinas [Fri, 1 Jul 2016 14:48:55 +0000 (15:48 +0100)]
BACKPORT: arm64: Factor out TTBR0_EL1 post-update workaround into a specific asm macro
This patch takes the errata workaround code out of cpu_do_switch_mm into
a dedicated post_ttbr0_update_workaround macro which will be reused in a
subsequent patch.
Cc: Will Deacon <will.deacon@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Kees Cook <keescook@chromium.org>
Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Bug:
31432001
Change-Id: I2b45b11ab7390c3545b9e162532109c1526bef14
(cherry picked from commit
f33bcf03e6079668da6bf4eec4a7dcf9289131d0)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Catalin Marinas [Fri, 1 Jul 2016 13:58:21 +0000 (14:58 +0100)]
BACKPORT: arm64: Factor out PAN enabling/disabling into separate uaccess_* macros
This patch moves the directly coded alternatives for turning PAN on/off
into separate uaccess_{enable,disable} macros or functions. The asm
macros take a few arguments which will be used in subsequent patches.
Note that any (unlikely) access that the compiler might generate between
uaccess_enable() and uaccess_disable(), other than those explicitly
specified by the user access code, will not be protected by PAN.
Cc: Will Deacon <will.deacon@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Kees Cook <keescook@chromium.org>
Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Bug:
31432001
Change-Id: I75a410139d0756edab3210ee091fa5d047a22e04
(cherry picked from commit
bd38967d406fb4f9fca67d612db71b5d74cfb0f5)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Mark Rutland [Wed, 7 Sep 2016 10:07:08 +0000 (11:07 +0100)]
UPSTREAM: arm64: alternative: add auto-nop infrastructure
In some cases, one side of an alternative sequence is simply a number of
NOPs used to balance the other side. Keeping track of this manually is
tedious, and the presence of large chains of NOPs makes the code more
painful to read than necessary.
To ameliorate matters, this patch adds a new alternative_else_nop_endif,
which automatically balances an alternative sequence with a trivial NOP
sled.
In many cases, we would like a NOP-sled in the default case, and
instructions patched in in the presence of a feature. To enable the NOPs
to be generated automatically for this case, this patch also adds a new
alternative_if, and updates alternative_else and alternative_endif to
work with either alternative_if or alternative_endif.
Cc: Andre Przywara <andre.przywara@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Dave Martin <dave.martin@arm.com>
Cc: James Morse <james.morse@arm.com>
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
[will: use new nops macro to generate nop sequences]
Signed-off-by: Will Deacon <will.deacon@arm.com>
Bug:
31432001
Change-Id: I28d8aae073e113048577c41cfe27c91215fb4cf3
(cherry picked from commit
792d47379f4d4c76692f1795f33d38582f8907fa)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Will Deacon [Tue, 6 Sep 2016 15:40:23 +0000 (16:40 +0100)]
UPSTREAM: arm64: barriers: introduce nops and __nops macros for NOP sequences
NOP sequences tend to get used for padding out alternative sections
and uarch-specific pipeline flushes in errata workarounds.
This patch adds macros for generating these sequences as both inline
asm blocks, but also as strings suitable for embedding in other asm
blocks directly.
Signed-off-by: Will Deacon <will.deacon@arm.com>
Bug:
31432001
Change-Id: I7f82b677a065ede302a763d39ffcc3fef83f8fbe
(cherry picked from commit
f99a250cb6a3b301b101b4c0f5fcb80593bba6dc)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Sami Tolvanen [Wed, 14 Dec 2016 20:32:56 +0000 (12:32 -0800)]
Revert "FROMLIST: arm64: Factor out PAN enabling/disabling into separate uaccess_* macros"
This reverts commit
23368b642deb01ac6ce668ec1dedfcc0cab25c71.
Bug:
31432001
Change-Id: Ia59e5fc75ef905b89d5f9194f1e762c1e5eff5bf
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Sami Tolvanen [Wed, 14 Dec 2016 20:32:46 +0000 (12:32 -0800)]
Revert "FROMLIST: arm64: Factor out TTBR0_EL1 post-update workaround into a specific asm macro"
This reverts commit
3b66929169de053042d47e482dd5748794756153.
Bug:
31432001
Change-Id: Ib38fcf553ca2077531cbf550fbaa75378a8723c5
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Sami Tolvanen [Wed, 14 Dec 2016 20:32:37 +0000 (12:32 -0800)]
Revert "FROMLIST: arm64: Introduce uaccess_{disable,enable} functionality based on TTBR0_EL1"
This reverts commit
1911d36b27ba58ee18592df25b7ee636d4d4c41d.
Bug:
31432001
Change-Id: Iee77eed8454f379b948dbbaf65c105952ea30bef
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Sami Tolvanen [Wed, 14 Dec 2016 20:32:25 +0000 (12:32 -0800)]
Revert "FROMLIST: arm64: Disable TTBR0_EL1 during normal kernel execution"
This reverts commit
5775ca34829caf0664c8ccc02fd0e93cb6022e0f.
Bug:
31432001
Change-Id: I9b07c2f01bc2bcfed51f60ab487034639f5e1960
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Sami Tolvanen [Wed, 14 Dec 2016 20:32:16 +0000 (12:32 -0800)]
Revert "FROMLIST: arm64: Handle faults caused by inadvertent user access with PAN enabled"
This reverts commit
5dc2b7c7bb33138270ff9494be6cf334bd3d20e1.
Bug:
31432001
Change-Id: I384a9af199f502f8fa3ae3733db67a4c547dbd55
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Sami Tolvanen [Wed, 14 Dec 2016 20:32:07 +0000 (12:32 -0800)]
Revert "FROMLIST: arm64: xen: Enable user access before a privcmd hvc call"
This reverts commit
4dbc88bd2b6a74fd33483ee2593dcf2bd858eabe.
Bug:
31432001
Change-Id: I2c3d591a2c631e7ff02c0bcb91624735e8c12f0a
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Sami Tolvanen [Wed, 14 Dec 2016 20:31:55 +0000 (12:31 -0800)]
Revert "FROMLIST: arm64: Enable CONFIG_ARM64_SW_TTBR0_PAN"
This reverts commit
67cd3bda54dadba4f8892105adf9c2f3982bfa0a.
Bug:
31432001
Change-Id: I1e5836ce0b41b2262d95c5c4c49ace3b96ae0b1f
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Amit Pundir [Mon, 2 Jan 2017 14:48:05 +0000 (20:18 +0530)]
ANDROID: sched/walt: fix build failure if FAIR_GROUP_SCHED=n
Fix SCHED_WALT dependency on FAIR_GROUP_SCHED otherwise we run
into following build failure:
CC kernel/sched/walt.o
kernel/sched/walt.c: In function 'walt_inc_cfs_cumulative_runnable_avg':
kernel/sched/walt.c:148:8: error: 'struct cfs_rq' has no member named 'cumulative_runnable_avg'
cfs_rq->cumulative_runnable_avg += p->ravg.demand;
^
kernel/sched/walt.c: In function 'walt_dec_cfs_cumulative_runnable_avg':
kernel/sched/walt.c:154:8: error: 'struct cfs_rq' has no member named 'cumulative_runnable_avg'
cfs_rq->cumulative_runnable_avg -= p->ravg.demand;
^
Reported-at: https://bugs.linaro.org/show_bug.cgi?id=2793
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
mukesh agrawal [Tue, 12 Jul 2016 18:28:05 +0000 (11:28 -0700)]
ANDROID: trace: net: use %pK for kernel pointers
We want to use network trace events in production
builds, to help diagnose Wifi problems. However, we
don't want to expose raw kernel pointers in such
builds.
Change the format specifier for the skbaddr field,
so that, if kptr_restrict is enabled, the pointers
will be reported as 0.
Bug:
30090733
Change-Id: Ic4bd583d37af6637343601feca875ee24479ddff
Signed-off-by: mukesh agrawal <quiche@google.com>
Jin Qian [Tue, 20 Dec 2016 19:08:34 +0000 (11:08 -0800)]
ANDROID: android-base: Enable QUOTA related configs
Bug:
33757366
Change-Id: Iec4f55c3ca4a16dbc8695054f481d9261c56d0f6
Lorenzo Colitti [Tue, 29 Nov 2016 17:56:47 +0000 (02:56 +0900)]
net: ipv4: Don't crash if passing a null sk to ip_rt_update_pmtu.
Commit
e2d118a1cb5e ("net: inet: Support UID-based routing in IP
protocols.") made __build_flow_key call sock_net(sk) to determine
the network namespace of the passed-in socket. This crashes if sk
is NULL.
Fix this by getting the network namespace from the skb instead.
Bug:
16355602
Change-Id: I27161b70f448bb95adce3994a97920d54987ce4e
Fixes:
e2d118a1cb5e ("net: inet: Support UID-based routing in IP protocols.")
Reported-by: Erez Shitrit <erezsh@dev.mellanox.co.il>
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Lorenzo Colitti [Thu, 3 Nov 2016 17:23:43 +0000 (02:23 +0900)]
net: inet: Support UID-based routing in IP protocols.
- Use the UID in routing lookups made by protocol connect() and
sendmsg() functions.
- Make sure that routing lookups triggered by incoming packets
(e.g., Path MTU discovery) take the UID of the socket into
account.
- For packets not associated with a userspace socket, (e.g., ping
replies) use UID 0 inside the user namespace corresponding to
the network namespace the socket belongs to. This allows
all namespaces to apply routing and iptables rules to
kernel-originated traffic in that namespaces by matching UID 0.
This is better than using the UID of the kernel socket that is
sending the traffic, because the UID of kernel sockets created
at namespace creation time (e.g., the per-processor ICMP and
TCP sockets) is the UID of the user that created the socket,
which might not be mapped in the namespace.
Bug:
16355602
Change-Id: I910504b508948057912bc188fd1e8aca28294de3
Tested: compiles allnoconfig, allyesconfig, allmodconfig
Tested: https://android-review.googlesource.com/253302
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Lorenzo Colitti [Thu, 3 Nov 2016 17:23:42 +0000 (02:23 +0900)]
net: core: add UID to flows, rules, and routes
- Define a new FIB rule attributes, FRA_UID_RANGE, to describe a
range of UIDs.
- Define a RTA_UID attribute for per-UID route lookups and dumps.
- Support passing these attributes to and from userspace via
rtnetlink. The value INVALID_UID indicates no UID was
specified.
- Add a UID field to the flow structures.
Bug:
16355602
Change-Id: Iea98e6fedd0fd4435a1f4efa3deb3629505619ab
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Lorenzo Colitti [Thu, 3 Nov 2016 17:23:41 +0000 (02:23 +0900)]
net: core: Add a UID field to struct sock.
Protocol sockets (struct sock) don't have UIDs, but most of the
time, they map 1:1 to userspace sockets (struct socket) which do.
Various operations such as the iptables xt_owner match need
access to the "UID of a socket", and do so by following the
backpointer to the struct socket. This involves taking
sk_callback_lock and doesn't work when there is no socket
because userspace has already called close().
Simplify this by adding a sk_uid field to struct sock whose value
matches the UID of the corresponding struct socket. The semantics
are as follows:
1. Whenever sk_socket is non-null: sk_uid is the same as the UID
in sk_socket, i.e., matches the return value of sock_i_uid.
Specifically, the UID is set when userspace calls socket(),
fchown(), or accept().
2. When sk_socket is NULL, sk_uid is defined as follows:
- For a socket that no longer has a sk_socket because
userspace has called close(): the previous UID.
- For a cloned socket (e.g., an incoming connection that is
established but on which userspace has not yet called
accept): the UID of the socket it was cloned from.
- For a socket that has never had an sk_socket: UID 0 inside
the user namespace corresponding to the network namespace
the socket belongs to.
Kernel sockets created by sock_create_kern are a special case
of #1 and sk_uid is the user that created them. For kernel
sockets created at network namespace creation time, such as the
per-processor ICMP and TCP sockets, this is the user that created
the network namespace.
Bug:
16355602
Change-Id: Idbc3e9a0cec91c4c6e01916b967b6237645ebe59
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Lorenzo Colitti [Mon, 12 Dec 2016 02:41:11 +0000 (11:41 +0900)]
Revert "net: core: Support UID-based routing."
This reverts commit
fd2cf795f3ab193752781be7372949ac1780d0ed.
Bug:
16355602
Change-Id: I1ec2d1eb3d53f4186b60c6ca5d6a20fcca46d442
Ard Biesheuvel [Wed, 30 Mar 2016 07:46:23 +0000 (09:46 +0200)]
UPSTREAM: efi/arm64: Don't apply MEMBLOCK_NOMAP to UEFI memory map mapping
(Cherry picked from commit
7cc8cbcf82d165dd658d89a7a287140948e76413)
Commit
4dffbfc48d65 ("arm64/efi: mark UEFI reserved regions as
MEMBLOCK_NOMAP") updated the mapping logic of both the RuntimeServices
regions as well as the kernel's copy of the UEFI memory map to set the
MEMBLOCK_NOMAP flag, which causes these regions to be omitted from the
kernel direct mapping, and from being covered by a struct page.
For the RuntimeServices regions, this is an obvious win, since the contents
of these regions have significance to the firmware executable code itself,
and are mapped in the EFI page tables using attributes that are described in
the UEFI memory map, and which may differ from the attributes we use for
mapping system RAM. It also prevents the contents from being modified
inadvertently, since the EFI page tables are only live during runtime
service invocations.
None of these concerns apply to the allocation that covers the UEFI memory
map, since it is entirely owned by the kernel. Setting the MEMBLOCK_NOMAP on
the region did allow us to use ioremap_cache() to map it both on arm64 and
on ARM, since the latter does not allow ioremap_cache() to be used on
regions that are covered by a struct page.
The ioremap_cache() on ARM restriction will be lifted in the v4.7 timeframe,
but in the mean time, it has been reported that commit
4dffbfc48d65 causes
a regression on 64k granule kernels. This is due to the fact that, given
the 64 KB page size, the region that we end up removing from the kernel
direct mapping is rounded up to 64 KB, and this 64 KB page frame may be
shared with the initrd when booting via GRUB (which does not align its
EFI_LOADER_DATA allocations to 64 KB like the stub does). This will crash
the kernel as soon as it tries to access the initrd.
Since the issue is specific to arm64, revert back to memblock_reserve()'ing
the UEFI memory map when running on arm64. This is a temporary fix for v4.5
and v4.6, and will be superseded in the v4.7 timeframe when we will be able
to move back to memblock_reserve() unconditionally.
Fixes:
4dffbfc48d65 ("arm64/efi: mark UEFI reserved regions as MEMBLOCK_NOMAP")
Reported-by: Mark Salter <msalter@redhat.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Will Deacon <will.deacon@arm.com>
Cc: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Jeremy Linton <jeremy.linton@arm.com>
Cc: Mark Langsdorf <mlangsdo@redhat.com>
Cc: <stable@vger.kernel.org> # v4.5
Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
Fixes: Change-Id: Ia3ce78f40f8d41a9afdd42238fe9cbfd81bbff08
("UPSTREAM: arm64/efi: mark UEFI reserved regions as MEMBLOCK_NOMAP")
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Will Deacon [Tue, 7 Jun 2016 16:55:15 +0000 (17:55 +0100)]
UPSTREAM: arm64: mm: always take dirty state from new pte in ptep_set_access_flags
(Cherry picked from commit
0106d456c4cb1770253fefc0ab23c9ca760b43f7)
Commit
66dbd6e61a52 ("arm64: Implement ptep_set_access_flags() for
hardware AF/DBM") ensured that pte flags are updated atomically in the
face of potential concurrent, hardware-assisted updates. However, Alex
reports that:
| This patch breaks swapping for me.
| In the broken case, you'll see either systemd cpu time spike (because
| it's stuck in a page fault loop) or the system hang (because the
| application owning the screen is stuck in a page fault loop).
It turns out that this is because the 'dirty' argument to
ptep_set_access_flags is always 0 for read faults, and so we can't use
it to set PTE_RDONLY. The failing sequence is:
1. We put down a PTE_WRITE | PTE_DIRTY | PTE_AF pte
2. Memory pressure -> pte_mkold(pte) -> clear PTE_AF
3. A read faults due to the missing access flag
4. ptep_set_access_flags is called with dirty = 0, due to the read fault
5. pte is then made PTE_WRITE | PTE_DIRTY | PTE_AF | PTE_RDONLY (!)
6. A write faults, but pte_write is true so we get stuck
The solution is to check the new page table entry (as would be done by
the generic, non-atomic definition of ptep_set_access_flags that just
calls set_pte_at) to establish the dirty state.
Cc: <stable@vger.kernel.org> # 4.3+
Fixes:
66dbd6e61a52 ("arm64: Implement ptep_set_access_flags() for hardware AF/DBM")
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Reported-by: Alexander Graf <agraf@suse.de>
Tested-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Fixes: Change-Id: Id2a0b0d8eb6e7df6325ecb48b88b8401a5dd09e5
("UPSTREAM: arm64: Implement ptep_set_access_flags() for hardware AF/DBM")
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Catalin Marinas [Thu, 5 May 2016 09:44:00 +0000 (10:44 +0100)]
UPSTREAM: arm64: Implement pmdp_set_access_flags() for hardware AF/DBM
(Cherry picked from commit
282aa7051b0169991b34716f0f22d9c2f59c46c4)
The update to the accessed or dirty states for block mappings must be
done atomically on hardware with support for automatic AF/DBM. The
ptep_set_access_flags() function has been fixed as part of commit
66dbd6e61a52 ("arm64: Implement ptep_set_access_flags() for hardware
AF/DBM"). This patch brings pmdp_set_access_flags() in line with the pte
counterpart.
Fixes:
2f4b829c625e ("arm64: Add support for hardware updates of the access and dirty pte bits")
Cc: <stable@vger.kernel.org> # 4.4.x: 66dbd6e61a52: arm64: Implement ptep_set_access_flags() for hardware AF/DBM
Cc: <stable@vger.kernel.org> # 4.3+
Reviewed-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Catalin Marinas [Thu, 5 May 2016 09:43:59 +0000 (10:43 +0100)]
UPSTREAM: arm64: Fix typo in the pmdp_huge_get_and_clear() definition
(Cherry picked from commit
911f56eeb87ee378f5e215469268a7a2f68a5a8a)
With hardware AF/DBM support, pmd modifications (transparent huge pages)
should be performed atomically using load/store exclusive. The initial
patches defined the get-and-clear function and __HAVE_ARCH_* macro
without the "huge" word, leaving the pmdp_huge_get_and_clear() to the
default, non-atomic implementation.
Fixes:
2f4b829c625e ("arm64: Add support for hardware updates of the access and dirty pte bits")
Cc: <stable@vger.kernel.org> # 4.3+
Reviewed-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Ard Biesheuvel [Thu, 3 Mar 2016 14:10:59 +0000 (15:10 +0100)]
UPSTREAM: arm64: enable CONFIG_DEBUG_RODATA by default
(Cherry picked from commit
57efac2f7108e3255d0dfe512290c9896f4ed55f)
In spite of its name, CONFIG_DEBUG_RODATA is an important hardening feature
for production kernels, and distros all enable it by default in their
kernel configs. However, since enabling it used to result in more granular,
and thus less efficient kernel mappings, it is not enabled by default for
performance reasons.
However, since commit
2f39b5f91eb4 ("arm64: mm: Mark .rodata as RO"), the
various kernel segments (.text, .rodata, .init and .data) are already
mapped individually, and the only effect of setting CONFIG_DEBUG_RODATA is
that the existing .text and .rodata mappings are updated late in the boot
sequence to have their read-only attributes set, which means that any
performance concerns related to enabling CONFIG_DEBUG_RODATA are no longer
valid.
So from now on, make CONFIG_DEBUG_RODATA default to 'y'
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Jin Qian [Fri, 9 Dec 2016 01:06:03 +0000 (17:06 -0800)]
goldfish: enable CONFIG_INET_DIAG_DESTROY
Bug:
31648368
Change-Id: I3715cc6474129ba2176be62ed2c0a7d09a6f2ac7
Juri Lelli [Tue, 6 Dec 2016 11:50:53 +0000 (11:50 +0000)]
sched/walt: kill {min,max}_capacity
{min,max}_capacity are static variables that are only updated from
__update_min_max_capacity(), but not used anywhere else.
Remove them together with the function updating them. This has also
the nice side effect of fixing a LOCKDEP warning related to locking
all CPUs in update_min_max_capacity(), as reported by Ke Wang:
[ 2.853595] c0 =============================================
[ 2.859219] c0 [ INFO: possible recursive locking detected ]
[ 2.864852] c0 4.4.6+ #5 Tainted: G W
[ 2.869604] c0 ---------------------------------------------
[ 2.875230] c0 swapper/0/1 is trying to acquire lock:
[ 2.880248] (&rq->lock){-.-.-.}, at: [<
ffffff80081241cc>] cpufreq_notifier_policy+0x2e8/0x37c
[ 2.888815] c0
[ 2.888815] c0 but task is already holding lock:
[ 2.895132] (&rq->lock){-.-.-.}, at: [<
ffffff80081241cc>] cpufreq_notifier_policy+0x2e8/0x37c
[ 2.903700] c0
[ 2.903700] c0 other info that might help us debug this:
[ 2.910710] c0 Possible unsafe locking scenario:
[ 2.910710] c0
[ 2.917112] c0 CPU0
[ 2.919795] c0 ----
[ 2.922478] lock(&rq->lock);
[ 2.925507] lock(&rq->lock);
[ 2.928536] c0
[ 2.928536] c0 *** DEADLOCK ***
[ 2.928536] c0
[ 2.935200] c0 May be due to missing lock nesting notation
[ 2.935200] c0
[ 2.942471] c0 7 locks held by swapper/0/1:
[ 2.946623] #0: (&dev->mutex){......}, at: [<
ffffff800850e118>] __driver_attach+0x64/0xb8
[ 2.954931] #1: (&dev->mutex){......}, at: [<
ffffff800850e128>] __driver_attach+0x74/0xb8
[ 2.963239] #2: (cpu_hotplug.lock){++++++}, at: [<
ffffff80080cb218>] get_online_cpus+0x48/0xa8
[ 2.971979] #3: (subsys mutex#6){+.+.+.}, at: [<
ffffff800850bed4>] subsys_interface_register+0x44/0xc0
[ 2.981411] #4: (&policy->rwsem){+.+.+.}, at: [<
ffffff8008720338>] cpufreq_online+0x330/0x76c
[ 2.990065] #5: ((cpufreq_policy_notifier_list).rwsem){.+.+..}, at: [<
ffffff80080f3418>] blocking_notifier_call_chain+0x38/0xc4
[ 3.001661] #6: (&rq->lock){-.-.-.}, at: [<
ffffff80081241cc>] cpufreq_notifier_policy+0x2e8/0x37c
[ 3.010661] c0
[ 3.010661] c0 stack backtrace:
[ 3.015514] c0 CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 4.4.6+ #5
[ 3.022864] c0 Hardware name: Spreadtrum SP9860g Board (DT)
[ 3.028402] c0 Call trace:
[ 3.031092] c0 [<
ffffff800808b50c>] dump_backtrace+0x0/0x210
[ 3.036716] c0 [<
ffffff800808b73c>] show_stack+0x20/0x28
[ 3.041994] c0 [<
ffffff8008433310>] dump_stack+0xa8/0xe0
[ 3.047273] c0 [<
ffffff80081349e0>] __lock_acquire+0x1e0c/0x2218
[ 3.053243] c0 [<
ffffff80081353c0>] lock_acquire+0xe0/0x280
[ 3.058784] c0 [<
ffffff8008abfdfc>] _raw_spin_lock+0x44/0x58
[ 3.064407] c0 [<
ffffff80081241cc>] cpufreq_notifier_policy+0x2e8/0x37c
[ 3.070983] c0 [<
ffffff80080f3458>] blocking_notifier_call_chain+0x78/0xc4
[ 3.077820] c0 [<
ffffff8008720294>] cpufreq_online+0x28c/0x76c
[ 3.083618] c0 [<
ffffff80087208a4>] cpufreq_add_dev+0x98/0xdc
[ 3.089331] c0 [<
ffffff800850bf14>] subsys_interface_register+0x84/0xc0
[ 3.095907] c0 [<
ffffff800871fa0c>] cpufreq_register_driver+0x168/0x28c
[ 3.102486] c0 [<
ffffff80087272f8>] sprd_cpufreq_probe+0x134/0x19c
[ 3.108629] c0 [<
ffffff8008510768>] platform_drv_probe+0x58/0xd0
[ 3.114599] c0 [<
ffffff800850de2c>] driver_probe_device+0x1e8/0x470
[ 3.120830] c0 [<
ffffff800850e168>] __driver_attach+0xb4/0xb8
[ 3.126541] c0 [<
ffffff800850b750>] bus_for_each_dev+0x6c/0xac
[ 3.132339] c0 [<
ffffff800850d6c0>] driver_attach+0x2c/0x34
[ 3.137877] c0 [<
ffffff800850d234>] bus_add_driver+0x210/0x298
[ 3.143676] c0 [<
ffffff800850f1f4>] driver_register+0x7c/0x114
[ 3.149476] c0 [<
ffffff8008510654>] __platform_driver_register+0x60/0x6c
[ 3.156139] c0 [<
ffffff8008f49f40>] sprd_cpufreq_platdrv_init+0x18/0x20
[ 3.162714] c0 [<
ffffff8008082a64>] do_one_initcall+0xd0/0x1d8
[ 3.168514] c0 [<
ffffff8008f0bc58>] kernel_init_freeable+0x1fc/0x29c
[ 3.174834] c0 [<
ffffff8008ab554c>] kernel_init+0x20/0x12c
[ 3.180281] c0 [<
ffffff8008086290>] ret_from_fork+0x10/0x40
Reported-by: Ke Wang <ke.wang@spreadtrum.com>
Signed-off-by: Juri Lelli <juri.lelli@arm.com>
Ke Wang [Thu, 8 Dec 2016 06:02:10 +0000 (14:02 +0800)]
sched: fix wrong truncation of walt_avg
The result of "__entry->walt_avg = (__entry->demand << 10)" will exceed
the range of "unsigned int", which will be truncated and make the trace
looks like as follows:
UnityMain-4588 [004] 6029.645672: walt_update_history: 4588(UnityMain): runtime
9928307 samples 1 event 4
demand
9928307 walt 157 pelt 870 (hist:
9928307 9604307 8440077 87392
34144328) cpu 4
UnityMain-4588 [004] 6029.653658: walt_update_history: 4588(UnityMain): runtime
10000000 samples 1 event 4
demand
10000000 walt 165 pelt 886 (hist:
10000000 9955691 6549308 64000
34144328) cpu 4
Fix this by using a u64 type instead of unsgined int type and make the
trace as below:
UnityMain-4617 [004] 117.613558: walt_update_history: 4617(UnityMain): runtime
5770597 samples 1 event 4
demand
7038739 walt 720 pelt 680 (hist:
5770597 7680001 8904509 65596 156) cpu 4
UnityMain-4617 [004] 117.633560: walt_update_history: 4617(UnityMain): runtime
9911238 samples 1 event 4
demand
9911238 walt 1014 pelt 769 (hist:
9911238 5770597 7680001 0
1664188058) cpu 4
Signed-off-by: Ke Wang <ke.wang@spreadtrum.com>
Jin Qian [Thu, 8 Dec 2016 02:11:48 +0000 (18:11 -0800)]
build: fix build config kernel_dir
Change-Id: I88b87a9c85990b12dc8174349cfc14eddfb379d2
Keun-young Park [Tue, 15 Nov 2016 02:25:15 +0000 (18:25 -0800)]
ANDROID: dm verity: add minimum prefetch size
- For device like eMMC, it gives better performance to read more hash
blocks at a time.
- For android, set it to default 128.
For other devices, set it to 1 which is the same as now.
- saved boot-up time by 300ms in tested device
bug:
32246564
Cc: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Keun-young Park <keunyoung@google.com>
Jin Qian [Mon, 12 Sep 2016 22:51:35 +0000 (15:51 -0700)]
build: add build server configs for goldfish
Change-Id: Icd7a8d44df2b09394be5c6230c64ecb374cae236
Ke Wang [Fri, 25 Nov 2016 05:38:45 +0000 (13:38 +0800)]
sched: tune: Fix lacking spinlock initialization
The spinlock used by boost_groups in sched tune must be initialized.
This commit fixes this lack and the following errors:
[ 0.384739] c2 BUG: spinlock bad magic on CPU#2, swapper/2/0
[ 0.390313] c2 lock: 0xffffffc15fe1fc80, .magic:
00000000, .owner: <none>/-1, .owner_cpu: 0
[ 0.398739] c2 CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.4.6+ #4
[ 0.404816] c2 Hardware name: Spreadtrum SP9860gBoard (DT)
[ 0.410462] c2 Call trace:
[ 0.413159] c2 [<
ffffff800808b50c>] dump_backtrace+0x0/0x210
[ 0.418803] c2 [<
ffffff800808b73c>] show_stack+0x20/0x28
[ 0.424100] c2 [<
ffffff8008433310>] dump_stack+0xa8/0xe0
[ 0.429398] c2 [<
ffffff8008139398>] spin_dump+0x78/0x9c
[ 0.434608] c2 [<
ffffff80081393ec>] spin_bug+0x30/0x3c
[ 0.439644] c2 [<
ffffff80081394e4>] do_raw_spin_lock+0xac/0x1b4
[ 0.445639] c2 [<
ffffff8008abffe4>] _raw_spin_lock_irqsave+0x58/0x68
[ 0.451977] c2 [<
ffffff800812a560>] schedtune_enqueue_task+0x84/0x3bc
[ 0.458320] c2 [<
ffffff8008111678>] enqueue_task_fair+0x438/0x208c
[ 0.464487] c2 [<
ffffff80080feeec>] activate_task+0x70/0xd0
[ 0.470130] c2 [<
ffffff80080ff4a4>] ttwu_do_activate.constprop.131+0x4c/0x98
[ 0.477079] c2 [<
ffffff80081005d0>] try_to_wake_up+0x254/0x54c
[ 0.482899] c2 [<
ffffff80081009d4>] default_wake_function+0x30/0x3c
[ 0.489154] c2 [<
ffffff8008122464>] autoremove_wake_function+0x3c/0x6c
[ 0.495754] c2 [<
ffffff8008121b70>] __wake_up_common+0x64/0xa4
[ 0.501574] c2 [<
ffffff8008121e9c>] __wake_up+0x48/0x60
[ 0.506788] c2 [<
ffffff8008150fac>] rcu_gp_kthread_wake+0x50/0x5c
[ 0.512866] c2 [<
ffffff8008151fec>] note_gp_changes+0xac/0xd4
[ 0.518597] c2 [<
ffffff8008153044>] rcu_process_callbacks+0xe8/0x93c
[ 0.524940] c2 [<
ffffff80080d0b84>] __do_softirq+0x24c/0x5b8
[ 0.530584] c2 [<
ffffff80080d1284>] irq_exit+0xc0/0xec
[ 0.535623] c2 [<
ffffff8008144208>] __handle_domain_irq+0x94/0xf8
[ 0.541789] c2 [<
ffffff8008082554>] gic_handle_irq+0x64/0xc0
Signed-off-by: Ke Wang <ke.wang@spreadtrum.com>
Joel Fernandes [Mon, 28 Nov 2016 22:35:24 +0000 (14:35 -0800)]
UPSTREAM: trace: Update documentation for mono, mono_raw and boot clock
Documentation was missing for mono and mono_raw, add them and also for
the boot clock introduced in this series.
Bug: b/
33184060
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Richard Cochran <richardcochran@gmail.com>
Cc: Prarit Bhargava <prarit@redhat.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Joel Fernandes <joelaf@google.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Acked-by: Steven Rostedt <rostedt@goodmis.org>
Joel Fernandes [Mon, 28 Nov 2016 22:35:23 +0000 (14:35 -0800)]
UPSTREAM: trace: Add an option for boot clock as trace clock
Unlike monotonic clock, boot clock as a trace clock will account for
time spent in suspend useful for tracing suspend/resume. This uses
earlier introduced infrastructure for using the fast boot clock.
Bug: b/
33184060
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Richard Cochran <richardcochran@gmail.com>
Cc: Prarit Bhargava <prarit@redhat.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Joel Fernandes <joelaf@google.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Acked-by: Steven Rostedt <rostedt@goodmis.org>
Joel Fernandes [Mon, 28 Nov 2016 22:35:22 +0000 (14:35 -0800)]
UPSTREAM: timekeeping: Add a fast and NMI safe boot clock
This boot clock can be used as a tracing clock and will account for
suspend time.
To keep it NMI safe since we're accessing from tracing, we're not using a
separate timekeeper with updates to monotonic clock and boot offset
protected with seqlocks. This has the following minor side effects:
(1) Its possible that a timestamp be taken after the boot offset is updated
but before the timekeeper is updated. If this happens, the new boot offset
is added to the old timekeeping making the clock appear to update slightly
earlier:
CPU 0 CPU 1
timekeeping_inject_sleeptime64()
__timekeeping_inject_sleeptime(tk, delta);
timestamp();
timekeeping_update(tk, TK_CLEAR_NTP...);
(2) On 32-bit systems, the 64-bit boot offset (tk->offs_boot) may be
partially updated. Since the tk->offs_boot update is a rare event, this
should be a rare occurrence which postprocessing should be able to handle.
Bug: b/
33184060
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Richard Cochran <richardcochran@gmail.com>
Cc: Prarit Bhargava <prarit@redhat.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Joel Fernandes <joelaf@google.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Jin Qian [Fri, 18 Nov 2016 19:40:40 +0000 (11:40 -0800)]
ANDROID: goldfish_pipe: fix allmodconfig build
tree: https://android.googlesource.com/kernel/common android-4.4
head:
6297c6ba0d217d5b0998738fbfaff2f04cad77e6
commit:
bc43565e1ac5ba3f204886a2275726bb4c3d44e6 [18/20] ANDROID:
goldfish_pipe: An implementation of more parallel pipe
config: i386-randconfig-s1-201646 (attached as .config)
compiler: gcc-6 (Debian 6.2.0-3) 6.2.0
20160901
reproduce:
git checkout
bc43565e1ac5ba3f204886a2275726bb4c3d44e6
# save the attached .config to linux build tree
make ARCH=i386
All errors (new ones prefixed by >>):
>> ERROR: "goldfish_pipe_device_deinit_v1" [drivers/platform/goldfish/goldfish_pipe_v2.ko] undefined!
>> ERROR: "goldfish_pipe_device_init_v1" [drivers/platform/goldfish/goldfish_pipe_v2.ko] undefined!
>> ERROR: "pipe_dev" [drivers/platform/goldfish/goldfish_pipe.ko] undefined!
Change-Id: Ibd51441edf82e6bb6824acc05ea795570cc374e8
Greg Hackmann [Fri, 18 Nov 2016 19:09:02 +0000 (11:09 -0800)]
ANDROID: goldfish: goldfish_pipe: fix locking errors
If the get_user_pages_fast() call in goldfish_pipe_read_write() failed,
it would return while still holding pipe->lock.
goldfish_pipe_read_write() later releases and tries to re-acquire
pipe->lock. If the re-acquire call failed, goldfish_pipe_read_write()
would try unlock pipe->lock on exit anyway.
This fixes the smatch messages:
drivers/platform/goldfish/goldfish_pipe.c:392 goldfish_pipe_read_write() error: double unlock 'mutex:&pipe->lock'
drivers/platform/goldfish/goldfish_pipe.c:397 goldfish_pipe_read_write() warn: inconsistent returns 'mutex:&pipe->lock'.
Change-Id: Ifd06a76b32027ca451a001704ade0c5440ed69c4
Signed-off-by: Greg Hackmann <ghackmann@google.com>
kbuild test robot [Fri, 18 Nov 2016 05:16:07 +0000 (13:16 +0800)]
ANDROID: video: goldfishfb: fix platform_no_drv_owner.cocci warnings
drivers/video/fbdev/goldfishfb.c:318:3-8: No need to set .owner here. The core will do it.
Remove .owner field if calls are used which set it automatically
Generated by: scripts/coccinelle/api/platform_no_drv_owner.cocci
CC: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Julia Lawall [Fri, 18 Nov 2016 06:26:19 +0000 (07:26 +0100)]
ANDROID: goldfish_pipe: fix call_kern.cocci warnings
Function get_free_pipe_id_locked called on line 671 inside lock on line
669 but uses GFP_KERNEL. Replace with GFP_ATOMIC.
Generated by: scripts/coccinelle/locks/call_kern.cocci
CC: Yurii Zubrytskyi <zyy@google.com>
Signed-off-by: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Jin Qian [Fri, 18 Nov 2016 01:01:43 +0000 (17:01 -0800)]
arm64: rename ranchu defconfig to ranchu64
Change-Id: Ib7cd1ef722167905957623f65c3cc064e9d5c357
Greg Hackmann [Thu, 23 Jul 2015 17:40:57 +0000 (10:40 -0700)]
ANDROID: arch: x86: disable pic for Android toolchain
Android toolchains enable PIC, so explicitly disable it with
-fno-pic (this is the upstream gcc default)
Signed-off-by: Greg Hackmann <ghackmann@google.com>
(cherry picked from commit
892606ece2bebfa5a1ed62e9552cc973707ae9d3)
Change-Id: I1e600363e5d18e459479fe4eb23d76855e16868d
Yurii Zubrytskyi [Fri, 29 Jul 2016 17:51:46 +0000 (10:51 -0700)]
ANDROID: goldfish_pipe: An implementation of more parallel pipe
This is a driver code for a redesigned android pipe.
Currently it works for x86 and x64 emulators with the following
performance results:
ADB push to /dev/null,
Ubuntu,
400 MB file,
times are for 1/10/100 parallel adb commands
x86 adb push: (4.4s / 11.5s / 2m10s) -> (2.8s / 6s / 51s)
x64 adb push: (7s / 15s / (too long, 6m+) -> (2.7s / 6.2s / 52s)
ADB pull and push to /data/ have the same %% of speedup
More importantly, I don't see any signs of slowdowns when
run in parallel with Antutu benchmark, so it is definitely
making much better job at multithreading.
The code features dynamic host detection: old emulator gets
the previous version of the pipe driver code.
Combine follow patch from android-goldfish-3.10
b543285 [pipe] Increase the default pipe buffers size, make it configurable
Signed-off-by: "Yurii Zubrytskyi" <zyy@google.com>
Change-Id: I140d506204cab6e78dd503e5a43abc8886e4ffff
Yurii Zubrytskyi [Wed, 4 May 2016 20:05:38 +0000 (13:05 -0700)]
ANDROID: goldfish_pipe: bugfixes and performance improvements.
Combine following patches from android-goldfish-3.18 branch:
c0f015a [pipe] Fix the pipe driver for x64 platform + correct pages count
48e6bf5 [pipe] Use get_use_pages_fast() which is possibly faster
fb20f13 [goldfish] More pages in goldfish pipe
f180e6d goldfish_pipe: Return from read_write on signal and EIO
3dec3b7 [pipe] Fix a minor leak in setup_access_params_addr()
Change-Id: I1041fd65d7faaec123e6cedd3dbbc5a2fbb86c4d
Lingfeng Yang [Mon, 13 Jun 2016 16:24:07 +0000 (09:24 -0700)]
ANDROID: goldfish: Add goldfish sync driver
This is kernel driver for controlling the Goldfish sync
device on the host. It is used to maintain ordering
in critical OpenGL state changes while using
GPU emulation.
The guest open()'s the Goldfish sync device to create
a context for possibly maintaining sync timeline and fences.
There is a 1:1 correspondence between such sync contexts
and OpenGL contexts in the guest that need synchronization
(which in turn, is anything involving swapping buffers,
SurfaceFlinger, or Hardware Composer).
The ioctl QUEUE_WORK takes a handle to a sync object
and attempts to tell the host GPU to wait on the sync object
and deal with signaling it. It possibly outputs
a fence FD on which the Android systems that use them
(GLConsumer, SurfaceFlinger, anything employing
EGL_ANDROID_native_fence_sync) can use to wait.
Design decisions and work log:
- New approach is to have the guest issue ioctls that
trigger host wait, and then host increments timeline.
- We need the host's sync object handle and sync thread handle
as the necessary information for that.
- ioctl() from guest can work simultaneously with the
interrupt handling for commands from host.
- optimization: don't write back on timeline inc
- Change spin lock design to be much more lightweight;
do not call sw_sync functions or loop too long
anywhere.
- Send read/write commands in batches to minimize guest/host
transitions.
- robustness: BUG if we will overrun the cmd buffer.
- robustness: return fd -1 if we cannot get an unused fd.
- correctness: remove global mutex
- cleanup pass done, incl. but not limited to:
- removal of clear_upto and
- switching to devm_***
This is part of a sequential, multi-CL change:
external/qemu:
https://android-review.googlesource.com/239442 <- host-side device's
host interface
https://android-review.googlesource.com/221593
https://android-review.googlesource.com/248563
https://android-review.googlesource.com/248564
https://android-review.googlesource.com/223032
external/qemu-android:
https://android-review.googlesource.com/238790 <- host-side device
implementation
kernel/goldfish:
https://android-review.googlesource.com/232631 <- needed
https://android-review.googlesource.com/238399 <- this CL
Also squash following bug fixes from android-goldfish-3.18 branch.
b44d486 goldfish_sync: provide a signal to detect reboot
ad1f597 goldfish_sync: fix stalls by avoiding early kfree()
de208e8 [goldfish-sync] Fix possible race between kernel and user space
Change-Id: I22f8a0e824717a7e751b1b0e1b461455501502b6
Jin Qian [Fri, 7 Oct 2016 23:20:47 +0000 (16:20 -0700)]
ANDROID: goldfish: add ranchu defconfigs
Change-Id: I73ef1b132b6203ae921a1e1d4850eaadf58f8926
Joshua Lang [Sat, 18 Jun 2016 00:30:55 +0000 (17:30 -0700)]
ANDROID: goldfish_audio: Clear audio read buffer status after each read
The buffer_status field is interrupt updated. After every read request,
the buffer_status read field should be reset so that on the next loop
iteration we don't read a stale value and read data before the
device is ready.
Signed-off-by: “Joshua Lang” <joshualang@google.com>
Change-Id: I4943d5aaada1cad9c7e59a94a87c387578dabe86
Lingfeng Yang [Fri, 18 Dec 2015 20:04:43 +0000 (12:04 -0800)]
ANDROID: goldfish_events: no extra EV_SYN; register goldfish
If we send SYN_REPORT on every single
multitouch event, it breaks the multitouch.
The multitouch becomes janky and
having to click 2-3 times to
do stuff (plus randomly activating notification
bars when not clicking)
If we suppress these SYN_REPORTS,
multitouch will work fine, plus the events
will have a protocol that looks nice.
In addition, we need to register Goldfish Events
as a multitouch device by issuing
input_mt_init_slots, otherwise
input_handle_abs_event in drivers/input/input.c
will silently drop all ABS_MT_SLOT events,
making it so that touches with more than 1 finger
do not work properly.
Signed-off-by: "Lingfeng Yang" <lfy@google.com>
Change-Id: Ib2350f7d1732449d246f6f0d9b7b08f02cc7c2dd
(cherry picked from commit
6cf40d0a16330e1ef42bdf07d9aba6c16ee11fbc)
Christoffer Dall [Thu, 19 Jun 2014 14:24:04 +0000 (16:24 +0200)]
ANDROID: goldfish_fb: Set pixclock = 0
User space Android code identifies pixclock == 0 as a sign for emulation
and will set the frame rate to 60 fps when reading this value, which is
the desired outcome.
Change-Id: I759bf518bf6683446bc786bf1be3cafa02dd8d42
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Yu Ning [Tue, 31 Mar 2015 06:41:48 +0000 (14:41 +0800)]
ANDROID: goldfish: Enable ACPI-based enumeration for goldfish audio
Follow the same way in which ACPI was enabled for goldfish battery. See
commit
d3be10e for details.
Change-Id: I6ffe38ebc80fb8af8322152370b9d1fd227eaf50
Signed-off-by: Yu Ning <yu.ning@intel.com>
Yu Ning [Thu, 12 Feb 2015 03:44:40 +0000 (11:44 +0800)]
ANDROID: goldfish: Enable ACPI-based enumeration for goldfish framebuffer
Follow the same way in which ACPI was enabled for goldfish battery. See
commit
d3be10e for details.
Note that this patch also depends on commit
af33cac.
Change-Id: Ic63b6e7e0a4b9896ef9a9d0ed135a7796a4c1fdb
Signed-off-by: Yu Ning <yu.ning@intel.com>
Greg Hackmann [Mon, 28 Oct 2013 22:33:33 +0000 (15:33 -0700)]
ANDROID: video: goldfishfb: add devicetree bindings
Change-Id: I5f4ba861b981edf39af537001f8ac72202927031
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Greg Hackmann [Fri, 26 Feb 2016 19:00:18 +0000 (19:00 +0000)]
BACKPORT: staging: goldfish: audio: fix compiliation on arm
We do actually need slab.h, by luck we get it on other platforms but not
always on ARM. Include it properly.
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Jin Qian <jinqian@android.com>
Signed-off-by: Alan <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit
4532150762ceb0d6fd765ebcb3ba6966fbb8faab)
Change-Id: I93a0c35da40f26aaa7c253e3c0cefaa883ea3391
Jason Hu [Fri, 26 Feb 2016 20:06:47 +0000 (12:06 -0800)]
BACKPORT: Input: goldfish_events - enable ACPI-based enumeration for goldfish events
Add ACPI binding to the goldfish events driver.
Signed-off-by: Jason Hu <jia-cheng.hu@intel.com>
Signed-off-by: Jin Qian <jinqian@android.com>
Signed-off-by: Alan <alan@linux.intel.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
(cherry picked from commit
0581ce09fd2c976125a20791268d7206db156d2f)
Change-Id: Ic3e4f1cffb111ea6c69977e63dd598e3fcb55f19
Yu Ning [Tue, 1 Mar 2016 23:46:10 +0000 (23:46 +0000)]
BACKPORT: goldfish: Enable ACPI-based enumeration for goldfish battery
Add the ACPI bindings to the goldfish battery driver.
Signed-off-by: Yu Ning <yu.ning@intel.com>
Signed-off-by: Jin Qian <jinqian@android.com>
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Sebastian Reichel <sre@kernel.org>
(cherry picked from commit
fdb2f37a54470473c6b7c9d680c4c114dd9bc434)
Change-Id: I3b53481b5868b0b26848397420c9ba16a747819f
Miodrag Dinic [Fri, 26 Feb 2016 19:00:44 +0000 (19:00 +0000)]
BACKPORT: drivers: tty: goldfish: Add device tree bindings
Enable support for registering this device using the device tree.
Device tree node example for registering Goldfish TTY device :
goldfish_tty@
1f004000 {
interrupts = <0xc>;
reg = <0x1f004000 0x1000>;
compatible = "google,goldfish-tty";
};
Signed-off-by: Miodrag Dinic <miodrag.dinic@imgtec.com>
Signed-off-by: Jin Qian <jinqian@android.com>
Signed-off-by: Alan <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit
9b883eea26ccf043b608e398cf6a26231d44f5fb)
Change-Id: Idbe1bbac4f371e2feb6730712b08b66be1188ea7
Greg Hackmann [Fri, 26 Feb 2016 19:01:05 +0000 (19:01 +0000)]
BACKPORT: tty: goldfish: support platform_device with id -1
When the platform bus sets the platform_device id to -1 (PLATFORM_DEVID_NONE),
use an incrementing counter for the TTY index instead
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Jin Qian <jinqian@android.com>
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit
465893e18878e119d8d0255439fad8debbd646fd)
Change-Id: Ifec5ee9d71c7c076e59bb7af77c0184d1b1383cb
Greg Hackmann [Fri, 26 Feb 2016 20:05:02 +0000 (12:05 -0800)]
BACKPORT: Input: goldfish_events - add devicetree bindings
Add device tree bindings to the Goldfish virtual platform event driver.
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Jin Qian <jinqian@android.com>
Signed-off-by: Alan <alan@linux.intel.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
(cherry picked from commit
8c5dc5a1ada2b79259e55a4bd150135d23529c6a)
Change-Id: I677d8e0d92294f53f7cc5a79300b6462b65e8aad
Greg Hackmann [Fri, 26 Feb 2016 18:45:30 +0000 (18:45 +0000)]
BACKPORT: power: goldfish_battery: add devicetree bindings
Add device tree bindings to the Goldfish virtual platform battery drivers.
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Jin Qian <jinqian@android.com>
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Sebastian Reichel <sre@kernel.org>
(cherry picked from commit
65d687a7b7d6f27e4306fe8cc8a1ca66a1a760f6)
Change-Id: If947ea3341ff0cb713c56e14d18d51a3f5912b64
Greg Hackmann [Fri, 26 Feb 2016 19:00:03 +0000 (19:00 +0000)]
BACKPORT: staging: goldfish: audio: add devicetree bindings
Introduce devicetree bindings to the Goldfish staging audio driver.
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Jin Qian <jinqian@android.com>
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit
283ded10312a3b75e384313f6f529ec2c636cf2c)
Change-Id: Ib75d3a4cac7353084a8da18a96fb298a759bacc0
Anson Jacob [Fri, 11 Nov 2016 06:10:04 +0000 (01:10 -0500)]
ANDROID: usb: gadget: function: cleanup: Add blank line after declaration
Fix warning generated by checkpatch.pl:
Missing a blank line after declarations
Change-Id: Id129bb8cc8fa37c67a647e2e5996bb2817020e65
Signed-off-by: Anson Jacob <ansonjacob.aj@gmail.com>
Viresh Kumar [Tue, 15 Nov 2016 06:28:52 +0000 (11:58 +0530)]
cpufreq: sched: Fix kernel crash on accessing sysfs file
If the cpufreq driver hasn't set the CPUFREQ_HAVE_GOVERNOR_PER_POLICY
flag, then the kernel will crash on accessing sysfs files for the sched
governor.
CPUFreq governors we can have the governor specific sysfs files in two
places:
A. /sys/devices/system/cpu/cpuX/cpufreq/<governor>
B. /sys/devices/system/cpu/cpufreq/<governor>
The case A. is for governor per policy case, where we can control the
governor tunables for each policy separately. The case B. is for system
wide tunable values.
The schedfreq governor only implements the case A. and not B. The sysfs
files in case B will still be present in
/sys/devices/system/cpu/cpufreq/<governor>, but accessing them will
crash kernel as the governor doesn't support that.
Moreover the sched governor is pretty new and will be used only for the
ARM platforms and there is no need to support the case B at all.
Hence use policy->kobj instead of get_governor_parent_kobj(), so that we
always create the sysfs files in path A.
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Steven Rostedt (Red Hat) [Fri, 13 May 2016 13:34:12 +0000 (09:34 -0400)]
UPSTREAM: ring-buffer: Prevent overflow of size in ring_buffer_resize()
(Cherry picked from commit
59643d1535eb220668692a5359de22545af579f6)
If the size passed to ring_buffer_resize() is greater than MAX_LONG - BUF_PAGE_SIZE
then the DIV_ROUND_UP() will return zero.
Here's the details:
# echo
18014398509481980 > /sys/kernel/debug/tracing/buffer_size_kb
tracing_entries_write() processes this and converts kb to bytes.
18014398509481980 << 10 =
18446744073709547520
and this is passed to ring_buffer_resize() as unsigned long size.
size = DIV_ROUND_UP(size, BUF_PAGE_SIZE);
Where DIV_ROUND_UP(a, b) is (a + b - 1)/b
BUF_PAGE_SIZE is 4080 and here
18446744073709547520 + 4080 - 1 =
18446744073709551599
where
18446744073709551599 is still smaller than 2^64
2^64 -
18446744073709551599 = 17
But now
18446744073709551599 / 4080 =
4521260802379792
and size = size * 4080 =
18446744073709551360
This is checked to make sure its still greater than 2 * 4080,
which it is.
Then we convert to the number of buffer pages needed.
nr_page = DIV_ROUND_UP(size, BUF_PAGE_SIZE)
but this time size is
18446744073709551360 and
2^64 - (
18446744073709551360 + 4080 - 1) = -3823
Thus it overflows and the resulting number is less than 4080, which makes
3823 / 4080 = 0
an nr_pages is set to this. As we already checked against the minimum that
nr_pages may be, this causes the logic to fail as well, and we crash the
kernel.
There's no reason to have the two DIV_ROUND_UP() (that's just result of
historical code changes), clean up the code and fix this bug.
Cc: stable@vger.kernel.org # 3.5+
Fixes:
83f40318dab00 ("ring-buffer: Make removal of ring buffer pages atomic")
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Change-Id: I1147672317a3ad0fc995b1f32baaa050a7976ac4
Bug:
32659848
Amit Pundir [Tue, 11 Aug 2015 07:04:45 +0000 (12:34 +0530)]
usb: gadget: f_mtp: simplify ptp NULL pointer check
Simplify MTP/PTP dev NULL pointer check introduced in
Change-Id: Ic44a699d96df2e13467fc081bff88b97dcc5afb2
and restrict it to MTP/PTP function level only.
Return ERR_PTR() instead of NULL from mtp_ptp function
to skip doing NULL pointer checks all the way up to
configfs.c
Fixes: Change-Id: Ic44a699d96df2e13467fc081bff88b97dcc5afb2
("usb: gadget: fix NULL ptr derefer while symlinking PTP func")
Change-Id: Iab7c55089c115550c3506f6cca960a07ae52713d
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Jonathan Hamilton [Wed, 21 Sep 2016 19:40:51 +0000 (12:40 -0700)]
ANDROID: video: adf: Avoid directly referencing user pointers
Enabling KASAN on a kernel using ADF causes a number of places where
user-supplied pointers to ioctls pointers are directly dereferenced
without copy_from_user or access_ok.
Bug:
31806036
Signed-off-by: Jonathan Hamilton <jonathan.hamilton@imgtec.com>
Change-Id: I6e86237aaa6cec0f6e1c385336aefcc5332080ae
Amit Pundir [Thu, 15 Sep 2016 10:35:40 +0000 (16:05 +0530)]
ANDROID: usb: gadget: audio_source: fix comparison of distinct pointer types
Use div_s64() instead of do_div() to fix following "comparison of
distinct pointer types lacks a cast" warning in do_div() call in
audio_send() for ARCH=arm in Linux 4.8-rc6:
CC drivers/usb/gadget/function/f_audio_source.o
In file included from ./arch/arm/include/asm/div64.h:126:0,
from ./include/linux/kernel.h:142,
from ./include/linux/list.h:8,
from ./include/linux/kobject.h:20,
from ./include/linux/device.h:17,
from drivers/usb/gadget/function/f_audio_source.c:17:
drivers/usb/gadget/function/f_audio_source.c: In function ‘audio_send’:
./include/asm-generic/div64.h:207:28: warning: comparison of distinct pointer types lacks a cast
(void)(((typeof((n)) *)0) == ((uint64_t *)0)); \
^
drivers/usb/gadget/function/f_audio_source.c:381:2: note: in expansion of macro ‘do_div’
do_div(msecs,
1000000);
^
./include/asm-generic/div64.h:207:28: warning: comparison of distinct pointer types lacks a cast
(void)(((typeof((n)) *)0) == ((uint64_t *)0)); \
^
drivers/usb/gadget/function/f_audio_source.c:383:2: note: in expansion of macro ‘do_div’
do_div(frames, 1000);
^
LD drivers/usb/gadget/function/usb_f_audio_source.o
Change-Id: Ie1a920c8948f3fc3f1263add25a402ded132fd66
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Martijn Coenen [Tue, 18 Oct 2016 11:58:55 +0000 (13:58 +0200)]
android: binder: support for file-descriptor arrays.
This patch introduces a new binder_fd_array object,
that allows us to support one or more file descriptors
embedded in a buffer that is scatter-gathered.
Change-Id: I647a53cf0d905c7be0dfd9333806982def68dd74
Signed-off-by: Martijn Coenen <maco@google.com>
Martijn Coenen [Fri, 30 Sep 2016 12:10:07 +0000 (14:10 +0200)]
android: binder: support for scatter-gather.
Previously all data passed over binder needed
to be serialized, with the exception of Binder
objects and file descriptors.
This patchs adds support for scatter-gathering raw
memory buffers into a binder transaction, avoiding
the need to first serialize them into a Parcel.
To remain backwards compatibile with existing
binder clients, it introduces two new command
ioctls for this purpose - BC_TRANSACTION_SG and
BC_REPLY_SG. These commands may only be used with
the new binder_transaction_data_sg structure,
which adds a field for the total size of the
buffers we are scatter-gathering.
Because memory buffers may contain pointers to
other buffers, we allow callers to specify
a parent buffer and an offset into it, to indicate
this is a location pointing to the buffer that
we are fixing up. The kernel will then take care
of fixing up the pointer to that buffer as well.
Change-Id: I02417f28cff14688f2e1d6fcb959438fd96566cc
Signed-off-by: Martijn Coenen <maco@google.com>
Martijn Coenen [Fri, 30 Sep 2016 12:05:40 +0000 (14:05 +0200)]
android: binder: add extra size to allocator.
The binder_buffer allocator currently only allocates
space for the data and offsets buffers of a Parcel.
This change allows for requesting an additional chunk
of data in the buffer, which can for example be used
to hold additional meta-data about the transaction
(eg a security context).
Change-Id: I58ab9c383a2e1a3057aae6adaa596ce867f1b157
Signed-off-by: Martijn Coenen <maco@google.com>
Martijn Coenen [Thu, 29 Sep 2016 13:38:14 +0000 (15:38 +0200)]
android: binder: refactor binder_transact()
Moved handling of fixup for binder objects,
handles and file descriptors into separate
functions.
Change-Id: If6849f1caee3834aa87d0ab08950bb1e21ec6e38
Signed-off-by: Martijn Coenen <maco@google.com>
Martijn Coenen [Fri, 30 Sep 2016 14:08:09 +0000 (16:08 +0200)]
android: binder: support multiple /dev instances.
Add a new module parameter 'devices', that can be
used to specify the names of the binder device
nodes we want to populate in /dev.
Each device node has its own context manager, and
is therefore logically separated from all the other
device nodes.
The config option CONFIG_ANDROID_BINDER_DEVICES can
be used to set the default value of the parameter.
This approach was favored over using IPC namespaces,
mostly because we require a single process to be a
part of multiple binder contexts, which seemed harder
to achieve with namespaces.
Change-Id: I3df72b2a19b5ad5a0360e6322482db7b00a12b24
Signed-off-by: Martijn Coenen <maco@google.com>
Martijn Coenen [Mon, 17 Oct 2016 13:17:31 +0000 (15:17 +0200)]
android: binder: deal with contexts in debugfs.
Properly print the context in debugfs entries.
Change-Id: If10c2129536d9f39bae542afd7318ca79af60e3a
Signed-off-by: Martijn Coenen <maco@google.com>
Martijn Coenen [Fri, 30 Sep 2016 13:51:48 +0000 (15:51 +0200)]
android: binder: support multiple context managers.
Move the context manager state into a separate
struct context, and allow for each process to have
its own context associated with it.
Change-Id: Ifa934370241a2d447dd519eac3fd0682c6d00ab4
Signed-off-by: Martijn Coenen <maco@google.com>
Martijn Coenen [Wed, 13 Jul 2016 10:06:49 +0000 (12:06 +0200)]
android: binder: split flat_binder_object.
flat_binder_object is used for both handling
binder objects and file descriptors, even though
the two are mostly independent. Since we'll
have more fixup objects in binder in the future,
instead of extending flat_binder_object again,
split out file descriptors to their own object
while retaining backwards compatibility to
existing user-space clients. All binder objects
just share a header.
Change-Id: If3c55f27a2aa8f21815383e0e807be47895e4786
Signed-off-by: Martijn Coenen <maco@google.com>
Daniel Micay [Thu, 20 Oct 2016 19:45:01 +0000 (15:45 -0400)]
disable aio support in recommended configuration
The aio interface adds substantial attack surface for a feature that's
not being exposed by Android at all. It's unlikely that anyone is using
the kernel feature directly either. This feature is rarely used even on
servers. The glibc POSIX aio calls really use thread pools. The lack of
widespread usage also means this is relatively poorly audited/tested.
The kernel's aio rarely provides performance benefits over using a
thread pool and is quite incomplete in terms of system call coverage
along with having edge cases where blocking can occur. Part of the
performance issue is the fact that it only supports direct io, not
buffered io. The existing API is considered fundamentally flawed
and it's unlikely it will be expanded, but rather replaced:
https://marc.info/?l=linux-aio&m=
145255815216051&w=2
Since ext4 encryption means no direct io support, kernel aio isn't even
going to work properly on Android devices using file-based encryption.
Change-Id: Iccc7cab4437791240817e6275a23e1d3f4a47f2d
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
John Stultz [Tue, 18 Oct 2016 23:20:23 +0000 (16:20 -0700)]
[RFC]cgroup: Change from CAP_SYS_NICE to CAP_SYS_RESOURCE for cgroup migration permissions
Try to better match what we're pushing upstream, use CAP_SYS_RESOURCE
instead of CAP_SYS_NICE, which shoudln't affect Android as Zygote and
system_server already use CAP_SYS_RESOURCE.
Signed-off-by: John Stultz <john.stultz@linaro.org>
Lianwei Wang [Fri, 10 Jun 2016 06:43:28 +0000 (23:43 -0700)]
UPSTREAM: cpu/hotplug: Handle unbalanced hotplug enable/disable
(cherry picked from commit
01b41159066531cc8d664362ff0cd89dd137bbfa)
When cpu_hotplug_enable() is called unbalanced w/o a preceeding
cpu_hotplug_disable() the code emits a warning, but happily decrements the
disabled counter. This causes the next operations to malfunction.
Prevent the decrement and just emit a warning.
Signed-off-by: Lianwei Wang <lianwei.wang@gmail.com>
Cc: peterz@infradead.org
Cc: linux-pm@vger.kernel.org
Cc: oleg@redhat.com
Link: http://lkml.kernel.org/r/1465541008-12476-1-git-send-email-lianwei.wang@gmail.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Ard Biesheuvel [Thu, 13 Oct 2016 16:42:09 +0000 (17:42 +0100)]
UPSTREAM: arm64: kaslr: fix breakage with CONFIG_MODVERSIONS=y
As it turns out, the KASLR code breaks CONFIG_MODVERSIONS, since the
kcrctab has an absolute address field that is relocated at runtime
when the kernel offset is randomized.
This has been fixed already for PowerPC in the past, so simply wire up
the existing code dealing with this issue.
Cc: <stable@vger.kernel.org>
Fixes:
f80fb3a3d508 ("arm64: add support for kernel ASLR")
Tested-by: Timur Tabi <timur@codeaurora.org>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Bug:
30369029
(cherry picked from commit
8fe88a4145cdeee486af60e61f5d5a14f804fa45)
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Change-Id: Ia40bb68eb5ba7df14214243657948d469f1d5717
Ard Biesheuvel [Mon, 17 Oct 2016 15:18:39 +0000 (16:18 +0100)]
UPSTREAM: arm64: kaslr: keep modules close to the kernel when DYNAMIC_FTRACE=y
The RANDOMIZE_MODULE_REGION_FULL Kconfig option allows KASLR to be
configured in such a way that kernel modules and the core kernel are
allocated completely independently, which implies that modules are likely
to require branches via PLT entries to reach the core kernel. The dynamic
ftrace code does not expect that, and assumes that it can patch module
code to perform a relative branch to anywhere in the core kernel. This
may result in errors such as
branch_imm_common: offset out of range
------------[ cut here ]------------
WARNING: CPU: 3 PID: 196 at kernel/trace/ftrace.c:1995 ftrace_bug+0x220/0x2e8
Modules linked in:
CPU: 3 PID: 196 Comm: systemd-udevd Not tainted 4.8.0-22-generic #24
Hardware name: AMD Seattle/Seattle, BIOS 10:34:40 Oct 6 2016
task:
ffff8d1bef7dde80 task.stack:
ffff8d1bef6b0000
PC is at ftrace_bug+0x220/0x2e8
LR is at ftrace_process_locs+0x330/0x430
So make RANDOMIZE_MODULE_REGION_FULL mutually exclusive with DYNAMIC_FTRACE
at the Kconfig level.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Bug:
30369029
(cherry picked from commit
8fe88a4145cdeee486af60e61f5d5a14f804fa45)
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Change-Id: Ifb2474dcbb7a3066fe5724ee53a2048d61e80ccc
Guenter Roeck [Tue, 18 Oct 2016 19:35:03 +0000 (12:35 -0700)]
cgroup: Remove leftover instances of allow_attach
Fix:
kernel/sched/tune.c:718:2: error:
unknown field ‘allow_attach’ specified in initializer
kernel/cpuset.c:2087:2: error:
unknown field 'allow_attach' specified in initializer
Change-Id: Ie524350ffc6158f3182d90095cca502e58b6f197
Fixes:
e78f134a78a0 ("CHROMIUM: remove Android's cgroup generic permissions checks")
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Mark Rutland [Tue, 11 Oct 2016 20:51:27 +0000 (13:51 -0700)]
BACKPORT: lib: harden strncpy_from_user
The strncpy_from_user() accessor is effectively a copy_from_user()
specialised to copy strings, terminating early at a NUL byte if possible.
In other respects it is identical, and can be used to copy an arbitrarily
large buffer from userspace into the kernel. Conceptually, it exposes a
similar attack surface.
As with copy_from_user(), we check the destination range when the kernel
is built with KASAN, but unlike copy_from_user() we do not check the
destination buffer when using HARDENED_USERCOPY. As strncpy_from_user()
calls get_user() in a loop, we must call check_object_size() explicitly.
This patch adds this instrumentation to strncpy_from_user(), per the same
rationale as with the regular copy_from_user(). In the absence of
hardened usercopy this will have no impact as the instrumentation expands
to an empty static inline function.
Link: http://lkml.kernel.org/r/1472221903-31181-1-git-send-email-mark.rutland@arm.com
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Bug:
31374226
Change-Id: I898e4e9f19307e37a9be497cb1a0d7f1e3911661
(cherry picked from commit
bf90e56e467ed5766722972d483e6711889ed1b0)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Dmitry Torokhov [Thu, 6 Oct 2016 23:14:16 +0000 (16:14 -0700)]
CHROMIUM: cgroups: relax permissions on moving tasks between cgroups
Android expects system_server to be able to move tasks between different
cgroups/cpusets, but does not want to be running as root. Let's relax
permission check so that processes can move other tasks if they have
CAP_SYS_NICE in the affected task's user namespace.
BUG=b:
31790445,chromium:647994
TEST=Boot android container, examine logcat
Change-Id: Ia919c66ab6ed6a6daf7c4cf67feb38b13b1ad09b
Signed-off-by: Dmitry Torokhov <dtor@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/394927
Reviewed-by: Ricky Zhou <rickyz@chromium.org>
Dmitry Torokhov [Thu, 6 Oct 2016 22:53:38 +0000 (15:53 -0700)]
CHROMIUM: remove Android's cgroup generic permissions checks
The implementation is utterly broken, resulting in all processes being
allows to move tasks between sets (as long as they have access to the
"tasks" attribute), and upstream is heading towards checking only
capability anyway, so let's get rid of this code.
BUG=b:
31790445,chromium:647994
TEST=Boot android container, examine logcat
Change-Id: I2f780a5992c34e52a8f2d0b3557fc9d490da2779
Signed-off-by: Dmitry Torokhov <dtor@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/394967
Reviewed-by: Ricky Zhou <rickyz@chromium.org>
Reviewed-by: John Stultz <john.stultz@linaro.org>
Ard Biesheuvel [Mon, 18 Apr 2016 15:09:47 +0000 (17:09 +0200)]
UPSTREAM: arm64: relocatable: deal with physically misaligned kernel images
When booting a relocatable kernel image, there is no practical reason
to refuse an image whose load address is not exactly TEXT_OFFSET bytes
above a 2 MB aligned base address, as long as the physical and virtual
misalignment with respect to the swapper block size are equal, and are
both aligned to THREAD_SIZE.
Since the virtual misalignment is under our control when we first enter
the kernel proper, we can simply choose its value to be equal to the
physical misalignment.
So treat the misalignment of the physical load address as the initial
KASLR offset, and fix up the remaining code to deal with that.
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Bug:
30369029
Bug:
32122850
(cherry picked from commit
08cdac619c81b3fa8cd73aeed2330ffe0a0b73ca)
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Change-Id: I658cb3467ba9a4f5b1f5a1cbb972fdc5a3562bf0
Ard Biesheuvel [Tue, 8 Mar 2016 14:09:29 +0000 (21:09 +0700)]
UPSTREAM: arm64: account for sparsemem section alignment when choosing vmemmap offset
Commit
dfd55ad85e4a ("arm64: vmemmap: use virtual projection of linear
region") fixed an issue where the struct page array would overflow into the
adjacent virtual memory region if system RAM was placed so high up in
physical memory that its addresses were not representable in the build time
configured virtual address size.
However, the fix failed to take into account that the vmemmap region needs
to be relatively aligned with respect to the sparsemem section size, so that
a sequence of page structs corresponding with a sparsemem section in the
linear region appears naturally aligned in the vmemmap region.
So round up vmemmap to sparsemem section size. Since this essentially moves
the projection of the linear region up in memory, also revert the reduction
of the size of the vmemmap region.
Cc: <stable@vger.kernel.org>
Fixes:
dfd55ad85e4a ("arm64: vmemmap: use virtual projection of linear region")
Tested-by: Mark Langsdorf <mlangsdo@redhat.com>
Tested-by: David Daney <david.daney@cavium.com>
Tested-by: Robert Richter <rrichter@cavium.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Bug:
30369029
(cherry picked from commit
36e5cd6b897e17d03008f81e075625d8e43e52d0)
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Change-Id: I77bad8c6a7c1a7c3dda92a37ceef5ddfb196ec70
Tejun Heo [Wed, 25 May 2016 15:48:25 +0000 (11:48 -0400)]
UPSTREAM: percpu: fix synchronization between synchronous map extension and chunk destruction
(cherry picked from commit
6710e594f71ccaad8101bc64321152af7cd9ea28)
For non-atomic allocations, pcpu_alloc() can try to extend the area
map synchronously after dropping pcpu_lock; however, the extension
wasn't synchronized against chunk destruction and the chunk might get
freed while extension is in progress.
This patch fixes the bug by putting most of non-atomic allocations
under pcpu_alloc_mutex to synchronize against pcpu_balance_work which
is responsible for async chunk management including destruction.
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-and-tested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Reported-by: Vlastimil Babka <vbabka@suse.cz>
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Cc: stable@vger.kernel.org # v3.18+
Fixes:
1a4d76076cda ("percpu: implement asynchronous chunk population")
Change-Id: I8800962e658e78eac866fff4a4e00294c58a3dec
Bug:
31596597
Tejun Heo [Wed, 25 May 2016 15:48:25 +0000 (11:48 -0400)]
UPSTREAM: percpu: fix synchronization between chunk->map_extend_work and chunk destruction
(cherry picked from commit
4f996e234dad488e5d9ba0858bc1bae12eff82c3)
Atomic allocations can trigger async map extensions which is serviced
by chunk->map_extend_work. pcpu_balance_work which is responsible for
destroying idle chunks wasn't synchronizing properly against
chunk->map_extend_work and may end up freeing the chunk while the work
item is still in flight.
This patch fixes the bug by rolling async map extension operations
into pcpu_balance_work.
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-and-tested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Reported-by: Vlastimil Babka <vbabka@suse.cz>
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Cc: stable@vger.kernel.org # v3.18+
Fixes:
9c824b6a172c ("percpu: make sure chunk->map array has available space")
Change-Id: I8f4aaf7fe0bc0e9f353d41e0a7840c40d6a32117
Bug:
31596597
Arve Hjønnevåg [Fri, 12 Aug 2016 23:04:28 +0000 (16:04 -0700)]
ANDROID: binder: Clear binder and cookie when setting handle in flat binder struct
Prevents leaking pointers between processes
BUG:
30768347
Change-Id: Id898076926f658a1b8b27a3ccb848756b36de4ca
Signed-off-by: Arve Hjønnevåg <arve@android.com>
Arve Hjønnevåg [Tue, 2 Aug 2016 22:40:39 +0000 (15:40 -0700)]
ANDROID: binder: Add strong ref checks
Prevent using a binder_ref with only weak references where a strong
reference is required.
BUG:
30445380
Change-Id: I66c15b066808f28bd27bfe50fd0e03ff45a09fca
Signed-off-by: Arve Hjønnevåg <arve@android.com>
EunTaik Lee [Wed, 24 Feb 2016 04:38:06 +0000 (04:38 +0000)]
UPSTREAM: staging/android/ion : fix a race condition in the ion driver
There is a use-after-free problem in the ion driver.
This is caused by a race condition in the ion_ioctl()
function.
A handle has ref count of 1 and two tasks on different
cpus calls ION_IOC_FREE simultaneously.
cpu 0 cpu 1
-------------------------------------------------------
ion_handle_get_by_id()
(ref == 2)
ion_handle_get_by_id()
(ref == 3)
ion_free()
(ref == 2)
ion_handle_put()
(ref == 1)
ion_free()
(ref == 0 so ion_handle_destroy() is
called
and the handle is freed.)
ion_handle_put() is called and it
decreases the slub's next free pointer
The problem is detected as an unaligned access in the
spin lock functions since it uses load exclusive
instruction. In some cases it corrupts the slub's
free pointer which causes a mis-aligned access to the
next free pointer.(kmalloc returns a pointer like
ffffc0745b4580aa). And it causes lots of other
hard-to-debug problems.
This symptom is caused since the first member in the
ion_handle structure is the reference count and the
ion driver decrements the reference after it has been
freed.
To fix this problem client->lock mutex is extended
to protect all the codes that uses the handle.
Signed-off-by: Eun Taik Lee <eun.taik.lee@samsung.com>
Reviewed-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit
9590232bb4f4cc824f3425a6e1349afbe6d6d2b7)
bug:
31568617
Change-Id: I4ea2be0cad3305c4e196126a02e2ab7108ef0976
projects / GitHub / exynos8895 / android_kernel_samsung_universal8895.git / log