git.stricted.de - GitHub/mt8127/android_kernel_alcatel

net: core: add UID to flows, rules, and routes

- Define a new FIB rule attributes, FRA_UID_RANGE, to describe a
  range of UIDs.
- Define a RTA_UID attribute for per-UID route lookups and dumps.
- Support passing these attributes to and from userspace via
  rtnetlink. The value INVALID_UID indicates no UID was
  specified.
- Add a UID field to the flow structures.

[Backport of net-next 622ec2c9d52405973c9f1ca5116eb1c393adfc7d]

Bug: 16355602
Change-Id: I7e3ab388ed862c4b7e39dc8b0209d977cb1129ac
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Revert "net: core: Support UID-based routing."

This reverts commit 99a6ea48b591877d1cd6a51732c40a1d5321d961.

Change-Id: If71f34f71c84d2256f0d21c234e7c30276c07b08

Revert "Handle 'sk' being NULL in UID-based routing."

This reverts commit 455b09d66a9ccfc572497ae88375ae343ff9ae66.

Change-Id: I1d95864d8b48ae3ca418cfd790cfd62c07f54f66

ipv4, fib: pass LOOPBACK_IFINDEX instead of 0 to flowi4_iif

As suggested by Julian:

Simply, flowi4_iif must not contain 0, it does not
look logical to ignore all ip rules with specified iif.

because in fib_rule_match() we do:

        if (rule->iifindex && (rule->iifindex != fl->flowi_iif))
                goto out;

flowi4_iif should be LOOPBACK_IFINDEX by default.

We need to move LOOPBACK_IFINDEX to include/net/flow.h:

1) It is mostly used by flowi_iif

2) Fix the following compile error if we use it in flow.h
by the patches latter:

In file included from include/linux/netfilter.h:277:0,
                 from include/net/netns/netfilter.h:5,
                 from include/net/net_namespace.h:21,
                 from include/linux/netdevice.h:43,
                 from include/linux/icmpv6.h:12,
                 from include/linux/ipv6.h:61,
                 from include/net/ipv6.h:16,
                 from include/linux/sunrpc/clnt.h:27,
                 from include/linux/nfs_fs.h:30,
                 from init/do_mounts.c:32:
include/net/flow.h: In function ‘flowi4_init_output’:
include/net/flow.h:84:32: error: ‘LOOPBACK_IFINDEX’ undeclared (first use in this function)

[Backport of net-next 6a662719c9868b3d6c7d26b3a085f0cd3cc15e64]

Change-Id: Ib7a0a08d78c03800488afa1b2c170cb70e34cfd9
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: Julian Anastasov <ja@ssi.bg>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Cong Wang <cwang@twopensource.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>

minimal port of grsecurity's DENYUSB feature

Change-Id: Ic5ac1b115ab3d6332be9329ddb0d611643da6fd6

mtkfb: remove useless debug spam

Change-Id: If06ac4ce57e51534aab078bbe729d3ed6a259c48

fix mali API_VERSION grep

fix mali for ttab

import OT_8063_20170412 mali driver

Revert "usb: gadget: Enable HID function for charging mode"

This reverts commit 2a397b60665d5e1b8d1ecb044eb77ff79a65c52f.

Revert "usb: gadget: Add file for USB HID function"

This reverts commit 2aa1159f573e0d5dee4f8a9a3411acc56baa27d4.

* No longer needed in M

Change-Id: If6f95e9fff14268f3e47efc96bf26452ba6a306d

usb: gadget: FunctionFS and SuperSpeed updates

usb: gadget: f_fs: HACK: Round reads up to 512 bytes to work with dwc3

Signed-off-by: Arve Hjønnevåg <arve@android.com>
USB: f_fs: Fix epfile crash during composition switch

epfile's ep pointer may be NULL during adb transfer
and composition switch happening in parallel. As part
of composition switch, first it is set to NONE. Setting
sys.usb.config to NONE stops adb and disables the composition.
stop adb is not blocking call and adb still might be doing
epfile read/write for some time when function unbind is
ongoing making the data structures NULL.

To fix this crash, call usb_ep_dequeue only if ep->ep is
valid. Similarly in success case, return ep->status only
if ep->ep is valid otherwise return -ENODEV.

CRs-Fixed: 643663
Change-Id: Ic152fc1db31cad6f97b8d16d91350dad857a4bf9
Signed-off-by: Sujeet Kumar <ksujeet@codeaurora.org>
USB: gadget: f_fs: Release endpoint upon disable

Endpoints are claimed using usb_ep_autoconfig function,
It will choose an unclaimed usb_ep and prevent the endpoint
from being returned by a later autoconfig calls. We can mark
the driver_data pointer once ep_enable is done in bind.

If we cannot mark to null upon function disable the corresponding
endpoint is not allocated by a later autoconfig call. The current
code does not make the ep->driver_data to null upon function disable.
This is leading to unclaimed endpoints for later autoconfig calls.
Claim the endpoints by assigning ep->driver_data to NULL.

CRs-Fixed: 633673
Change-Id: I221b98ef36cc2a60d27507a2442061a30ed410f4
Signed-off-by: ChandanaKishori Chiluveru <cchilu@codeaurora.org>
USB: gagget: f_fs: Return error if TX req is queued during device offline

when USB cable is disconnected during TX data transfers, endpoints will
be disabled during function disable. If userspace client tries to queue
requests on disabled endpoints, driver will wait till endpoints are
enabled and then queues previous session requests. This results in kernel
driver and userspace driver out of sync and due to this, stall will be
seen. Hence fix this issue by returning error value if client tries to
queue requests on TX endpoint during device offline.

CRs-Fixed: 633497
Change-Id: I3e43b8a704367aff7fe8dd88159315aef811c51c
Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>
USB: f_fs: Fail stale read IOs after disconnect

After a USB disconnect, endpoints for adb are disabled.
After this no IO is allowed on the endpoints.
Since, adbd is not aware of this disconnect, it may
still perform read/writes IO. For adb writes, IOs are
failed, but for adb reads kernel waits untill endpoints
are enabled.

When a USB disconnect and adb read still queued
a buffer to kernel, ffs_epfile_io simply waits for
endpoint to be enabled. A next connect happens
and endpoints are enabled after set_alt, the adb
read stale buffer from previous session continues
and queues to endpoint.

All this time, adb did not close the epfile because
it did not get return status on the IOs which it
queued. This is an issue, because a new session
is not established and both userspace and kernel
goes out of sync.

To fix this issue, when endpoints are disbled
set epfile error. This epfile error is only cleared
in epfile open. This will ensure that after a USB
disconnect and connect, new session is established.

Also, return ENODEV if endpoints not enabled rather
than EINTR as EINTR case, and simply retries the
request. Incase usb_ep_queue failed, return -EIO
inspite of depend on return status from usb_ep_queue.

CRs-Fixed: 633497
Change-Id: I6e677e98ec28e5462b372ed290acdde251286f48
Signed-off-by: Sujeet Kumar <ksujeet@codeaurora.org>
USB: f_fs: Cutoff epfile IO before epfile could get freed

epfile may get freed and accessing epfile's error flag to
cut off IOs may lead to use after free.

Move the epfile error flag setting above in the order
so that it guaranteed to be valid.

CRs-Fixed: 668046
Change-Id: I0017513393ddb4fd288cd4e1c2adf9d5ee3bc660
Signed-off-by: Sujeet Kumar <ksujeet@codeaurora.org>
USB: f_fs: Check error status before doing epfile I/O

Set error status before disabling endpoint during function
disable and also check error status before handling I/O. If error
status is set, return error status to read/write calls made by
userspace. Also set file's private data to NULL during epfile
release.

CRs-Fixed: 671880
Change-Id: I14b5ee541dfc18a7802ef4a8033878a7729d9adb
Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>
USB: f_fs: Fix disconnect check during ongoing IO

F_FS function driver allocated ffs_eps and updates ffs_ep->ep
to corresponding usb_ep during func->bind and never clears it.
On bind it also saves ffs_ep context in epfile->ep.
During func->disable, it clears only ffs_ep context in epfile->ep
and on func->unbind it frees ffs_eps memory.
ffs_epfile_io routine currently relies on ffs_ep->ep (which is
never cleared and ffs_ep could be freed on unbind) to detect any
disconnect during active IO. This can result in various issues e.g.
use after free use of ffs_ep if unbind finished before epfile_io
could resume or "stop adbd" trying to dequeue a freed USB request
when epfile_io could execute only after F_FS got disabled as
'if (ep->ep)' check would be TRUE.
Fix this by checking stored ffs_ep context against latest epfile->ep
to figure out if endpoint got disabled or changed before acquiring
spin_lock.

Change-Id: I6bdcdf0dff0813ed7b2af8c24f544a22796b0369
Signed-off-by: Manu Gautam <mgautam@codeaurora.org>
USB: f_fs: Move ep completion out of stack

Allocating completion on the stack may lead to
invalid access when udc irq tries to complete
the request but interrupted completion returns
immediately. This happens because request is not
held to be dequeued anymore making the completion
invalid.

Move the completions in ffs data like it is for ep0.

CRs-Fixed: 653761
Change-Id: I15102538d1b5bee14dfa3c7b3fa1f8e3f767cf71
Signed-off-by: Sujeet Kumar <ksujeet@codeaurora.org>
usb: dwc3: gadget: Release gadget lock when handling suspend/resume

gadget_driver suspend/resume operations might require some
dwc3-gadget operations, such as enabling and disabling
endpoints. If the lock is not released, this can cause a
deadlock scenario.

Change-Id: I1e12de65e40492b115ab35de78c2352730649db5
Signed-off-by: Bar Weiner <bweiner@codeaurora.org>
usb: dwc3: gadget: Iterate only over valid endpoints

Make dwc3_gadget_resize_tx_fifos() iterate only over IN
endpoints that are actually present, based on the
num_in_eps parameter. This terminates the loop so as to
prevent dereferencing a potential NULL dwc->eps[i] where
i >= (num_in_eps + num_out_eps).

Change-Id: I07f711bfd380dce212e86b59cf417f84ca7eb006
Signed-off-by: Jack Pham <jackp@codeaurora.org>
usb: dwc3: gadget: Protect against ep disabling during completion

In dwc3_cleanup_done_reqs(), a potential race condition
could arise when dwc3_gadget_giveback() temporarily
releases the main spinlock.  If during this window the
very endpoint being handled becomes disabled, it would
lead to a NULL pointer dereference in the code that
follows.  Guard against this by making sure the endpoint
is still enabled after returning from the giveback call.

CRs-fixed: 628972
Change-Id: Ifdb823fff12747f699217d871a5959c85b5340f7
Signed-off-by: Jack Pham <jackp@codeaurora.org>
usb: dwc3: calculate the number of endpoints

hwparams2 holds the number of endpoints which
were selected during RTL generation, we can
use that on our driver.

Signed-off-by: Felipe Balbi <balbi@ti.com>
usb: dwc3: gadget: use num_(in|out)_eps from HW params

that way we will only tell gadget framework about
the endpoints we actually have.

Change-Id: Iabc6a5712b640a9f5b0310984650a4ac44e5f579
Signed-off-by: Felipe Balbi <balbi@ti.com>
usb: gadget: always update HS/SS descriptors and create a copy of them

HS and SS descriptors are staticaly created. They are updated during the
bind process with the endpoint address, string id or interface numbers.

After that, the descriptor chain is linked to struct usb_function which
is used by composite in order to serve the GET_DESCRIPTOR requests,
number of available configs and so on.

There is no need to assign the HS descriptor only if the UDC supports
HS speed because composite won't report those to the host if HS support
has not been reached. The same reasoning is valid for SS.

This patch makes sure each function updates HS/SS descriptors
unconditionally and uses the newly introduced helper function to create a
copy the descriptors for the speed which is supported by the UDC.

While at that, also rename f->descriptors to f->fs_descriptors in order
to make it more explicit what that means.

Change-Id: Id670fcc25b0a1cb3020722cfc6eda2e1b08441f1
Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Felipe Balbi <balbi@ti.com>
USB: Add super speed descriptors for android functions

Update android function drivers like diag, adb, modem, rmnet, mtp
and accessory to operate in super speed.  The burst capability is
not enabled for now.

Change-Id: Ie95cbfc9444c56c8268b70e2916713190699c71a
Signed-off-by: Pavankumar Kondeti <pkondeti@codeaurora.org>
usb: gadget: Finish conversion to fs_descriptor change

Change-Id: Iaf72d66bb5cd6b84f14c5aaeb01ffb286568c97b

usb: gadget: f_fs: Add support for SuperSpeed Mode

Allow userspace to pass SuperSpeed descriptors and
handle them in the driver accordingly.
This change doesn't modify existing desc_header and thereby
keeps the ABI changes backward compatible i.e. existing
userspace drivers compiled with old header (functionfs.h)
would continue to work with the updated kernel.

Change-Id: Ic27035fdef2a83828024348d75be1518e9f8c5c6
Signed-off-by: Manu Gautam <mgautam@codeaurora.org>
USB: f_fs: Set ffs->func to NULL after disabling endpoint in set_alt()

When adb root is performed, userspace will close and open ffs_epsfile.
Closing this file will call ffs_functionfs_callback() which does call
remove_config(). This will call ffs_function_eps_disable to disable
endpoints and then calls ffs_func_unbind(). Unbind() will also call
endpoint disable which might lead to disabling endpoint which is already
disabled. Hence set ffs->func to NULL after disabling endpoints in
set_alt().

CRs-Fixed: 557532
Change-Id: I3052bdee74a1793d4e003de4b991d353e5d699b0
Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>
usb: gadget: throttle IRQ rate for SuperSpeed

There was a merge error from commit 6e0c86d12 "USB: gadget:
u_ether: Fix data stall issue in RNDIS tethering mode"
that resulted in the accidental removal of checking if
the gadget is connected at SuperSpeed. Re-introduce this
check so that IRQs on the downlink path are throttled,
decreasing the load on the CPU.

Change-Id: Ic2aa1d433e0fded95c6e825a760e89f726360522
Signed-off-by: Jack Pham <jackp@codeaurora.org>
USB: mbim: Add super speed descriptors for MBIM function

This change adds super speed descriptors which is required to
get MBIM function to work with SSUSB mode. The burst
capability is not enabled for now.

CRs-Fixed: 626744
Change-Id: I2a492182c94265ab58014cac470448f61782625c
Signed-off-by: Mayank Rana <mrana@codeaurora.org>
usb: gadget: ECM: Add super speed descriptors for qc_ecm function

This change adds super speed descriptors which is required to get
ECM function to work with SSUSB mode.

CRs-Fixed: 627063
Change-Id: I275a32f6cb957b59bfdf1c5b5377ba6e189efb6d
Signed-off-by: Mayank Rana <mrana@codeaurora.org>
usb: gadget: Add file for USB HID function

This file the same as f_hid.c.

Change-Id: I951b3067f477c3cb502c8320693ab11df90150d2
Signed-off-by: muluhe <muluhe@codeaurora.org>
Signed-off-by: Aravind Asam <aasam@codeaurora.org>
Signed-off-by: Ameya Thakur <ameyat@codeaurora.org>
usb: gadget: Enable HID function for charging mode

Provide HID function for only charging mode, in this mode device
enumerated as one input device.

Change-Id: I769adf76807b8a28adcc298de0536fa779176016
Signed-off-by: Mulu He <muluhe@codeaurora.org>
usb: gadget: composite: Fix USB version number for L1

When usb version number is greater than 2.01 USB-CV expects to find a
Super Speed USB Device Capability descriptor. When we want to enable BOS
descriptor capabilities for a high-speed device the USB version number
should be 2.01.

CRs-Fixed: 521752
Change-Id: Ic75b5e570b3c2df8e67370389dfddc8de6fb72d4
Signed-off-by: Shimrit Malichi <smalichi@codeaurora.org>
usb: gadget: Fix compilation of f_mbim driver after SS updates

Change-Id: I72e7dfa5c8f3905bbe57e227ebb7e7035d8b671c

USB: android: Fix a NULL pointer dereference

Fix a possible NULL pointer dereference of dev pointer in
android_disable() called from adb_closed_callback(). It happens
when adb device file is opened/closed and adb is not in the
current composition.

CRs-Fixed: 492464
Change-Id: I80f646658ce56c6883eb79773705e01967f9234e
Signed-off-by: Pavankumar Kondeti <pkondeti@codeaurora.org>
usb: gadget: Fix a race condition in dynamic composition switching

This fix solves a race condition that causes a crash when switching
composition with USB cable disconnected.
The following race condition is fixed by protecting data->opened
with a mutex:

1. enable_store(0) is called.
2. While in enable_store(), adb_closed_callback() is invoked and
data->opened is set to false.
3. The execution is blocked on a mutex in closed_callback().
4. From adb_android_function_disable(), android_enable is invoked,
where we didn't call android_disable() just yet.

CRs-fixed: 482312
Change-Id: I7e37850a594e2e1c6d2cabbdb39760b00827afbd
Signed-off-by: Amit Blay <ablay@codeaurora.org>
USB: android: Fail ffs_ready (i.e. start adbd) if ADB not enabled

F_FS function notifies android composite driver of userspace client's
open and close (start/stop adbd) using android.c's ready and closed
callbacks. Typically userspace starts adbd only in ADB composition as
functionfs_bind from ready_callback happens only if ADB is enabled.
Current design has couple of issues:
1) If adbd is started before enabling ADB then USB composition gets
enabled without functionfs_bind resulting a crash in ffs_func->set_alt.
2) Additionally, even if userspace script for composition switch performs
"stop adbd" before enabling new composition, there is a possibility that
closed_callback runs in parallel with ffs_enable/disable as adb daemon
is stopped asynchronously. Even though these functions use android_dev
mutex but closed callback may not use this mutex if ready_callback
gets called before ADB/FFS is enabled, resulting in different crashes.
This is possible mainly due to above 1st issue or during quick
composition switches from ADB to non-ADB to ADB and by the time adb got
started, userspace enabled non-ADB composition.

To fix both of the above issues only option is to fail ffs_ready
callback (start adbd) if ADB is not enabled. This restriction clearly
avoid 1st issue, and for 2nd: closed callback would always use mutex
to avoid any potential synchronization issues. While we are at this,
also fix config->opened getting cleared twice from disabled_callback.

Change-Id: I9fe80d09b9eefaa87e396ff451a71026b798175b
Signed-off-by: Manu Gautam <mgautam@codeaurora.org>

arm: configs: regenerate ttab_defconfig

ipv6: add option to drop unicast encapsulated in L2 multicast

In order to solve a problem with 802.11, the so-called hole-196 attack,
add an option (sysctl) called "drop_unicast_in_l2_multicast" which, if
enabled, causes the stack to drop IPv6 unicast packets encapsulated in
link-layer multi- or broadcast frames. Such frames can (as an attack)
be created by any member of the same wireless network and transmitted
as valid encrypted frames since the symmetric key for broadcast frames
is shared between all stations.

Reviewed-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

ipv4: add option to drop unicast encapsulated in L2 multicast

In order to solve a problem with 802.11, the so-called hole-196 attack,
add an option (sysctl) called "drop_unicast_in_l2_multicast" which, if
enabled, causes the stack to drop IPv4 unicast packets encapsulated in
link-layer multi- or broadcast frames. Such frames can (as an attack)
be created by any member of the same wireless network and transmitted
as valid encrypted frames since the symmetric key for broadcast frames
is shared between all stations.

Additionally, enabling this option provides compliance with a SHOULD
clause of RFC 1122.

Reviewed-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

UPSTREAM: capabilities: ambient capabilities

Credit where credit is due: this idea comes from Christoph Lameter with
a lot of valuable input from Serge Hallyn.  This patch is heavily based
on Christoph's patch.

===== The status quo =====

On Linux, there are a number of capabilities defined by the kernel.  To
perform various privileged tasks, processes can wield capabilities that
they hold.

Each task has four capability masks: effective (pE), permitted (pP),
inheritable (pI), and a bounding set (X).  When the kernel checks for a
capability, it checks pE.  The other capability masks serve to modify
what capabilities can be in pE.

Any task can remove capabilities from pE, pP, or pI at any time.  If a
task has a capability in pP, it can add that capability to pE and/or pI.
If a task has CAP_SETPCAP, then it can add any capability to pI, and it
can remove capabilities from X.

Tasks are not the only things that can have capabilities; files can also
have capabilities.  A file can have no capabilty information at all [1].
If a file has capability information, then it has a permitted mask (fP)
and an inheritable mask (fI) as well as a single effective bit (fE) [2].
File capabilities modify the capabilities of tasks that execve(2) them.

A task that successfully calls execve has its capabilities modified for
the file ultimately being excecuted (i.e.  the binary itself if that
binary is ELF or for the interpreter if the binary is a script.) [3] In
the capability evolution rules, for each mask Z, pZ represents the old
value and pZ' represents the new value.  The rules are:

  pP' = (X & fP) | (pI & fI)
  pI' = pI
  pE' = (fE ? pP' : 0)
  X is unchanged

For setuid binaries, fP, fI, and fE are modified by a moderately
complicated set of rules that emulate POSIX behavior.  Similarly, if
euid == 0 or ruid == 0, then fP, fI, and fE are modified differently
(primary, fP and fI usually end up being the full set).  For nonroot
users executing binaries with neither setuid nor file caps, fI and fP
are empty and fE is false.

As an extra complication, if you execute a process as nonroot and fE is
set, then the "secure exec" rules are in effect: AT_SECURE gets set,
LD_PRELOAD doesn't work, etc.

This is rather messy.  We've learned that making any changes is
dangerous, though: if a new kernel version allows an unprivileged
program to change its security state in a way that persists cross
execution of a setuid program or a program with file caps, this
persistent state is surprisingly likely to allow setuid or file-capped
programs to be exploited for privilege escalation.

===== The problem =====

Capability inheritance is basically useless.

If you aren't root and you execute an ordinary binary, fI is zero, so
your capabilities have no effect whatsoever on pP'.  This means that you
can't usefully execute a helper process or a shell command with elevated
capabilities if you aren't root.

On current kernels, you can sort of work around this by setting fI to
the full set for most or all non-setuid executable files.  This causes
pP' = pI for nonroot, and inheritance works.  No one does this because
it's a PITA and it isn't even supported on most filesystems.

If you try this, you'll discover that every nonroot program ends up with
secure exec rules, breaking many things.

This is a problem that has bitten many people who have tried to use
capabilities for anything useful.

===== The proposed change =====

This patch adds a fifth capability mask called the ambient mask (pA).
pA does what most people expect pI to do.

pA obeys the invariant that no bit can ever be set in pA if it is not
set in both pP and pI.  Dropping a bit from pP or pI drops that bit from
pA.  This ensures that existing programs that try to drop capabilities
still do so, with a complication.  Because capability inheritance is so
broken, setting KEEPCAPS, using setresuid to switch to nonroot uids, and
then calling execve effectively drops capabilities.  Therefore,
setresuid from root to nonroot conditionally clears pA unless
SECBIT_NO_SETUID_FIXUP is set.  Processes that don't like this can
re-add bits to pA afterwards.

The capability evolution rules are changed:

  pA' = (file caps or setuid or setgid ? 0 : pA)
  pP' = (X & fP) | (pI & fI) | pA'
  pI' = pI
  pE' = (fE ? pP' : pA')
  X is unchanged

If you are nonroot but you have a capability, you can add it to pA.  If
you do so, your children get that capability in pA, pP, and pE.  For
example, you can set pA = CAP_NET_BIND_SERVICE, and your children can
automatically bind low-numbered ports.  Hallelujah!

Unprivileged users can create user namespaces, map themselves to a
nonzero uid, and create both privileged (relative to their namespace)
and unprivileged process trees.  This is currently more or less
impossible.  Hallelujah!

You cannot use pA to try to subvert a setuid, setgid, or file-capped
program: if you execute any such program, pA gets cleared and the
resulting evolution rules are unchanged by this patch.

Users with nonzero pA are unlikely to unintentionally leak that
capability.  If they run programs that try to drop privileges, dropping
privileges will still work.

It's worth noting that the degree of paranoia in this patch could
possibly be reduced without causing serious problems.  Specifically, if
we allowed pA to persist across executing non-pA-aware setuid binaries
and across setresuid, then, naively, the only capabilities that could
leak as a result would be the capabilities in pA, and any attacker
*already* has those capabilities.  This would make me nervous, though --
setuid binaries that tried to privilege-separate might fail to do so,
and putting CAP_DAC_READ_SEARCH or CAP_DAC_OVERRIDE into pA could have
unexpected side effects.  (Whether these unexpected side effects would
be exploitable is an open question.) I've therefore taken the more
paranoid route.  We can revisit this later.

An alternative would be to require PR_SET_NO_NEW_PRIVS before setting
ambient capabilities.  I think that this would be annoying and would
make granting otherwise unprivileged users minor ambient capabilities
(CAP_NET_BIND_SERVICE or CAP_NET_RAW for example) much less useful than
it is with this patch.

===== Footnotes =====

[1] Files that are missing the "security.capability" xattr or that have
unrecognized values for that xattr end up with has_cap set to false.
The code that does that appears to be complicated for no good reason.

[2] The libcap capability mask parsers and formatters are dangerously
misleading and the documentation is flat-out wrong.  fE is *not* a mask;
it's a single bit.  This has probably confused every single person who
has tried to use file capabilities.

[3] Linux very confusingly processes both the script and the interpreter
if applicable, for reasons that elude me.  The results from thinking
about a script's file capabilities and/or setuid bits are mostly
discarded.

Preliminary userspace code is here, but it needs updating:
https://git.kernel.org/cgit/linux/kernel/git/luto/util-linux-playground.git/commit/?h=cap_ambient&id=7f5afbd175d2

Here is a test program that can be used to verify the functionality
(from Christoph):

/*
* Test program for the ambient capabilities. This program spawns a shell
* that allows running processes with a defined set of capabilities.
*
* (C) 2015 Christoph Lameter <cl@linux.com>
* Released under: GPL v3 or later.
*
*
* Compile using:
*
* gcc -o ambient_test ambient_test.o -lcap-ng
*
* This program must have the following capabilities to run properly:
* Permissions for CAP_NET_RAW, CAP_NET_ADMIN, CAP_SYS_NICE
*
* A command to equip the binary with the right caps is:
*
* setcap cap_net_raw,cap_net_admin,cap_sys_nice+p ambient_test
*
*
* To get a shell with additional caps that can be inherited by other processes:
*
* ./ambient_test /bin/bash
*
*
* Verifying that it works:
*
* From the bash spawed by ambient_test run
*
* cat /proc/$$/status
*
* and have a look at the capabilities.
*/

/*
* Definitions from the kernel header files. These are going to be removed
* when the /usr/include files have these defined.
*/

static void set_ambient_cap(int cap)
{
int rc;

capng_get_caps_process();
rc = capng_update(CAPNG_ADD, CAPNG_INHERITABLE, cap);
if (rc) {
printf("Cannot add inheritable cap\n");
exit(2);
}
capng_apply(CAPNG_SELECT_CAPS);

/* Note the two 0s at the end. Kernel checks for these */
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0)) {
perror("Cannot set cap");
exit(1);
}
}

int main(int argc, char **argv)
{
int rc;

set_ambient_cap(CAP_NET_RAW);
set_ambient_cap(CAP_NET_ADMIN);
set_ambient_cap(CAP_SYS_NICE);

printf("Ambient_test forking shell\n");
if (execv(argv[1], argv + 1))
perror("Cannot exec");

return 0;
}

Signed-off-by: Christoph Lameter <cl@linux.com> # Original author
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Aaron Jones <aaronmdjones@gmail.com>
Cc: Ted Ts'o <tytso@mit.edu>
Cc: Andrew G. Morgan <morgan@kernel.org>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Austin S Hemmelgarn <ahferroin7@gmail.com>
Cc: Markku Savela <msa@moth.iki.fi>
Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: James Morris <james.l.morris@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 58319057b7847667f0c9585b9de0e8932b0fdb08)

Bug: 31038224
Change-Id: I88bc5caa782dc6be23dc7e839ff8e11b9a903f8c
Signed-off-by: Jorge Lucangeli Obes <jorgelo@google.com>

FROMLIST: arm: mm: support ARCH_MMAP_RND_BITS.

(cherry picked from commit https://lkml.org/lkml/2015/12/21/341)

arm: arch_mmap_rnd() uses a hard-code value of 8 to generate the
random offset for the mmap base address. This value represents a
compromise between increased ASLR effectiveness and avoiding
address-space fragmentation. Replace it with a Kconfig option, which
is sensibly bounded, so that platform developers may choose where to
place this compromise. Keep 8 as the minimum acceptable value.

Bug: 24047224
Signed-off-by: Daniel Cashman <dcashman@android.com>
Signed-off-by: Daniel Cashman <dcashman@google.com>
Change-Id: I2f6c18a0060e1c21b53200ecdcfde9a8c2e3db98

FROMLIST: mm: mmap: Add new /proc tunable for mmap_base ASLR.

(cherry picked from commit https://lkml.org/lkml/2015/12/21/337)

ASLR only uses as few as 8 bits to generate the random offset for the
mmap base address on 32 bit architectures. This value was chosen to
prevent a poorly chosen value from dividing the address space in such
a way as to prevent large allocations. This may not be an issue on all
platforms. Allow the specification of a minimum number of bits so that
platforms desiring greater ASLR protection may determine where to place
the trade-off.

Bug: 24047224
Signed-off-by: Daniel Cashman <dcashman@android.com>
Signed-off-by: Daniel Cashman <dcashman@google.com>
Change-Id: Ic74424e07710cd9ccb4a02871a829d14ef0cc4bc

BACKPORT: ARM: 8091/2: add get_user() support for 8 byte types

Recent contributions, including to DRM and binder, introduce 64-bit
values in their interfaces. A common motivation for this is to allow
the same ABI for 32- and 64-bit userspaces (and therefore also a shared
ABI for 32/64 hybrid userspaces). Anyhow, the developers would like to
avoid gotchas like having to use copy_from_user().

This feature is already implemented on x86-32 and the majority of other
32-bit architectures. The current list of get_user_8 hold out
architectures are: arm, avr32, blackfin, m32r, metag, microblaze,
mn10300, sh.

Credit:

    My name sits rather uneasily at the top of this patch. The v1 and
    v2 versions of the patch were written by Rob Clark and to produce v4
    I mostly copied code from Russell King and H. Peter Anvin. However I
    have mangled the patch sufficiently that *blame* is rightfully mine
    even if credit should more widely shared.

Changelog:

v5: updated to use the ret macro (requested by Russell King)
v4: remove an inlined add on big endian systems (spotted by Russell King),
    used __ARMEB__ rather than BIG_ENDIAN (to match rest of file),
    cleared r3 on EFAULT during __get_user_8.
v3: fix a couple of checkpatch issues
v2: pass correct size to check_uaccess, and better handling of narrowing
    double word read with __get_user_xb() (Russell King's suggestion)
v1: original

Change-Id: I41787d73f0844c15b6bd0424a5f83cafaba8b508
Signed-off-by: Rob Clark <robdclark@gmail.com>
Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
[flex1911: backport to 3.4: use "mov pc" instruction instead of
           nonexistent here "ret" macro]
Signed-off-by: Artem Borisov <dedsa2002@gmail.com>

binder: Sync with Android Binder from android-4.9-o

Change-Id: I5327d1d9d3a98d5c9ca6c1c07164d1889fc4f941

drivers: power: report battery voltage in AOSP compatible format

fs/exec: fix use after free in execve

"file" can be already freed if bprm->file is NULL after
search_binary_handler() return. binfmt_script will do exactly that for
example. If the VM reuses the file after fput run(), this will result in
a use ater free.

So obtain d_is_su before search_binary_handler() runs.

This should explain this crash:

[25333.009554] Unable to handle kernel NULL pointer dereference at virtual address 00000185
[..]
[25333.009918] [2: am:21861] PC is at do_execve+0x354/0x474

Change-Id: I2a8a814d1c0aa75625be83cb30432cf13f1a0681
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>

fs: readdir: Fix su hide patch for non-iterate filesystems

* 3.10 doesn't normally use iterate for filesystems,
  but it was backported in hopes of removing vfs_readdir()
* Because the romnt variable was only set for filesystems
  using iterate, the su hide patches were broken for many
  filesytems like ext4, which still use vfs_readdir()
  instead of iterate_dir() like their mainline counterparts
* Remove the iterate check around setting romnt to fix this

Change-Id: I26426683df0fd199a80f053294f352e31754bec5

kernel: Fix potential refcount leak in su check

Change-Id: I7e1ecb78bfc951bf645a1462988dcd93c4247a9b

kernel: Only expose su when daemon is running

It has been claimed that the PG implementation of 'su' has security
vulnerabilities even when disabled. Unfortunately, the people that
find these vulnerabilities often like to keep them private so they
can profit from exploits while leaving users exposed to malicious
hackers.

In order to reduce the attack surface for vulnerabilites, it is
therefore necessary to make 'su' completely inaccessible when it
is not in use (except by the root and system users).

Change-Id: I79716c72f74d0b7af34ec3a8054896c6559a181d

introduce ->iterate(), ctx->pos, dir_emit()

New method - ->iterate(file, ctx). That's the replacement for ->readdir();
it takes callback from ctx->actor, uses ctx->pos instead of file->f_pos and
calls dir_emit(ctx, ...) instead of filldir(data, ...). It does *not*
update file->f_pos (or look at it, for that matter); iterate_dir() does the
update.

Note that dir_emit() takes the offset from ctx->pos (and eventually
filldir_t will lose that argument).

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

introduce iterate_dir() and dir_context

iterate_dir(): new helper, replacing vfs_readdir().

struct dir_context: contains the readdir callback (and will get more stuff
in it), embedded into whatever data that callback wants to deal with;
eventually, we'll be passing it to ->readdir() replacement instead of
(data,filldir) pair.

Change-Id: Idb3843e77b97d52490b297b1f9e7d7efab18eaef
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

security: update selinux

security: add ioctl specific auditing to lsm_audit

(cherry pick from commit 671a2781ff01abf4fdc8904881fc3abd3a8279af)

Add information about ioctl calls to the LSM audit data. Log the
file path and command number.

Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Nick Kralevich <nnk@google.com>
[PM: subject line tweak]
Signed-off-by: Paul Moore <pmoore@redhat.com>
Bug: 22846070
Change-Id: I88a6ecdd59297a315a6fb9c82c0a798bdb6bafaa

set CONFIG_LOCALVERSION_AUTO

remove is_data_mounted crap entirely

store gtp_ref.bin and gtp_clk.bin on /cache

this is safe as the files are getting generated when they dont exist

work around silly sysfs node requirement for working touch

fix mali API_VERSION grep

fix section mismatch warnings

Update tpd_debug.c

change include statement to prevent compiler-error because header file not found

get rid of drvgen

fix compilation after merge

Merge tag 'v3.10.108' into update

This is the 3.10.108 stable release

Merge tag 'v3.10.107' into update

This is the 3.10.107 stable release

Merge tag 'v3.10.106' into update

This is the 3.10.106 stable release

Merge tag 'v3.10.105' into update

This is the 3.10.105 stable release

Merge tag 'v3.10.104' into update

This is the 3.10.104 stable release

Merge tag 'v3.10.103' into update

This is the 3.10.103 stable release

Merge tag 'v3.10.102' into update

This is the 3.10.102 stable release

Merge tag 'v3.10.101' into update

This is the 3.10.101 stable release

Merge tag 'v3.10.100' into update

This is the 3.10.100 stable release

Merge tag 'v3.10.99' into update

This is the 3.10.99 stable release

Merge tag 'v3.10.98' into update

This is the 3.10.98 stable release

Merge tag 'v3.10.97' into update

This is the 3.10.97 stable release

Merge tag 'v3.10.96' into update

This is the 3.10.96 stable release

Merge tag 'v3.10.95' into update

This is the 3.10.95 stable release

Merge tag 'v3.10.94' into update

This is the 3.10.94 stable release

Merge tag 'v3.10.93' into update

This is the 3.10.93 stable release

Merge tag 'v3.10.92' into update

This is the 3.10.92 stable release

Merge tag 'v3.10.91' into update

This is the 3.10.91 stable release

Merge tag 'v3.10.90' into update

This is the 3.10.90 stable release

Merge tag 'v3.10.89' into update

This is the 3.10.89 stable release

Merge tag 'v3.10.88' into update

This is the 3.10.88 stable release

Merge tag 'v3.10.87' into update

This is the 3.10.87 stable release

Merge tag 'v3.10.86' into update

This is the 3.10.86 stable release

Merge tag 'v3.10.85' into update

This is the 3.10.85 stable release

Merge tag 'v3.10.84' into update

This is the 3.10.84 stable release

Merge tag 'v3.10.83' into update

This is the 3.10.83 stable release

Merge tag 'v3.10.82' into update

This is the 3.10.82 stable release

Merge tag 'v3.10.81' into update

This is the 3.10.81 stable release

Merge tag 'v3.10.80' into update

This is the 3.10.80 stable release

Merge tag 'v3.10.79' into update

This is the 3.10.79 stable release

Merge tag 'v3.10.78' into update

This is the 3.10.78 stable release

Merge tag 'v3.10.77' into update

This is the 3.10.77 stable release

Merge tag 'v3.10.76' into update

This is the 3.10.76 stable release

Merge tag 'v3.10.75' into update

This is the 3.10.75 stable release

Merge tag 'v3.10.74' into update

This is the 3.10.74 stable release

Merge tag 'v3.10.73' into update

This is the 3.10.73 stable release

Merge tag 'v3.10.72' into update

This is the 3.10.72 stable release

Merge tag 'v3.10.71' into update

This is the 3.10.71 stable release

Merge tag 'v3.10.70' into update

This is the 3.10.70 stable release

Merge tag 'v3.10.69' into update

This is the 3.10.69 stable release

Merge tag 'v3.10.68' into update

This is the 3.10.68 stable release

Merge tag 'v3.10.67' into update

This is the 3.10.67 stable release

Merge tag 'v3.10.66' into update

This is the 3.10.66 stable release

Merge tag 'v3.10.65' into update

This is the 3.10.65 stable release

Merge tag 'v3.10.64' into update

This is the 3.10.64 stable release

Merge tag 'v3.10.63' into update

This is the 3.10.63 stable release

Merge tag 'v3.10.62' into update

This is the 3.10.62 stable release

Merge tag 'v3.10.61' into update

This is the 3.10.61 stable release

Merge tag 'v3.10.60' into update

This is the 3.10.60 stable release

Merge tag 'v3.10.59' into update

This is the 3.10.59 stable release

Merge tag 'v3.10.58' into update

This is the 3.10.58 stable release

Merge tag 'v3.10.57' into update

This is the 3.10.57 stable release

Merge tag 'v3.10.56' into update

This is the 3.10.56 stable release

Merge tag 'v3.10.55' into update

This is the 3.10.55 stable release

disable some mediatekl custom warnings

scripts: kconfig: fix jump initialization

scripts: sortextable: fix relocs_size initialization

cleanup Makefile

remove useless makefiles and build script

Add an option to multiplex AP and STA on wlan0

This adds CONFIG_MTK_COMBO_AOSP_TETHERING_SUPPORT which, when enabled,
allows ap and wlan to co-exist in the same interface, as Android
expects.

Most of this functionality is also available (albeit not compilable broken)
under CFG_TC1_FEATURE but that has larger implications around the radio
and usb stack that we do not want to adopt.

Change-Id: Ib1d1be40566f1bb9ccc7be45b49ec8d1f3b3ba58
Ticket: PORRIDGE-30

ignore all warning

i dont really want fix this mess that mediatek did here to get a clean build log
so lets disable the warning for now instead

ARM: add seccomp syscall

Wires up the new seccomp syscall.

Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Change-Id: I31a2d38b892e2cd81bf3998a916c7bb539a37767