Commit message | Author | Age | Files | Lines
...
* ipv4: keep skb->dst around in presence of IP options | Eric Dumazet | 2017-04-16 | 1 | -1/+8
  Andrey Konovalov got crashes in __ip_options_echo() when a NULL skb->dst is accessed.

  ipv4_pktinfo_prepare() should not drop the dst if (evil) IP options are present.

  We could refine the test to the presence of ts_needtime or srr, but IP options are not often used, so let's be conservative.

  Thanks to syzkaller team for finding this bug.

  Upstream commit: 34b2cef20f19c87999fff3da4071e66937db9644
  Fixes: d826eb14ecef ("ipv4: PKTINFO doesnt need dst reference")
  Signed-off-by: Eric Dumazet <edumazet@google.com>
  Reported-by: Andrey Konovalov <andreyknvl@google.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* ANDROID: sdcardfs: Directly pass lower file for mmap | Daniel Rosenberg | 2017-04-16 | 2 | -35/+25
  Instead of relying on a copy hack, pass the lower file as private data. This lets the kernel find the vma mapping for pages used by the file, allowing pages used by mapping to be reclaimed.

  This is adapted from following esdfs patches
  commit 0647e638d: ("esdfs: store lower file in vm_file for mmap")
  commit 064850866: ("esdfs: keep a counter for mmaped file")

  Change-Id: I75b74d1e5061db1b8c13be38d184e118c0851a1a
  Signed-off-by: Daniel Rosenberg <drosen@google.com>
* BACKPORT: ion:synchronize debugfs callback and ion_client_destroy | Neil Zhang | 2017-04-16 | 1 | -0/+43
  (cherry picked from commit 948c4db4ee10d85fe78ed3755dcaeb85cd37a148)

  There are race condition B/T ion_client_destroy and debugfs callbacks. Let's use a mutex to synchronize them.

  Change-Id: I4d73b258ac1fb67604b62f237da0e004275fd3da
  Signed-off-by: Neil Zhang <neilzhang1123@hotmail.com>
  Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* sdcardfs: indentation | Mister Oyster | 2017-04-16 | 4 | -8/+16
* ANDROID: ion: Protect kref from userspace manipulation | Nick Desaulniers | 2017-04-16 | 2 | -7/+75
  This separates the kref for ion handles into two components. Userspace requests through the ioctl will hold at most one reference to the internally used kref. All additional requests will increment a separate counter, and the original reference is only put once that counter hits 0. This protects the kernel from a poorly behaving userspace.

  Bug: 34276203
  Change-Id: Ibc36bc4405788ed0fea7337b541cad3be2b934c0
  Signed-off-by: Daniel Rosenberg <drosen@google.com>
* ANDROID: ion: check for kref overflow | Daniel Rosenberg | 2017-04-16 | 1 | -3/+14
  Userspace can cause the kref to handles to increment arbitrarily high. Ensure it does not overflow.

  Signed-off-by: Daniel Rosenberg <drosen@google.com>
  Bug: 31992382
  Test: See bug for poc
  Change-Id: I6bff1df385742b1d836d43180dc87fadcea80782
  Git-repo: https://android.googlesource.com/kernel/msm
  Git-commit: 0c702db4d90de88df11057bcf0d8fb2dfe741605
  Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
  Signed-off-by: c_vkeert <vkeert@codeaurora.org>
* Security patches | fire855 | 2017-04-16 | 15 | -94/+121
  Signed-off-by: Mister Oyster <oysterized@gmail.com>
* ion: ind | Mister Oyster | 2017-04-16 | 1 | -117/+115
* ashmem: missing braces & indent | Mister Oyster | 2017-04-16 | 1 | -17/+15
* lmk: indent & sym perm -> octal | Mister Oyster | 2017-04-16 | 1 | -14/+15
* alarmtimer: fix log and indent | Mister Oyster | 2017-04-16 | 1 | -3/+6
* defconfig: remove mtk_nfc | Mister Oyster | 2017-04-16 | 1 | -1/+0
* mtk: nfc: remove nfc driver | Mister Oyster | 2017-04-16 | 5 | -902/+0
* zram: sym permissions -> octal perm (checkpath warnings) | Mister Oyster | 2017-04-16 | 1 | -8/+8
* zram: fix indents/warnings from checkpath | Mister Oyster | 2017-04-16 | 4 | -15/+25
* alarm-dev/timerfd: cleanup | Mister Oyster | 2017-04-16 | 2 | -14/+18
* checkpatch: update from 4.7 kernel | Mister Oyster | 2017-04-16 | 3 | -377/+3537
* staging: android: ashmem: lseek failed due to no FMODE_LSEEK. | zhangshuxiao | 2017-04-16 | 1 | -0/+1
  vfs_llseek will check whether the file mode has FMODE_LSEEK, no return failure. But ashmem can be lseek, so add FMODE_LSEEK to ashmem file.

  Change-Id: Ia78ef4c7c96adb89d52e70b63f7c00636fe60d01
  Signed-off-by: zhangshuxiao <zhangshuxiao@xiaomi.com>
  (cherry picked from commit 6c8d409129bbebe36cde9f8e511011756216163a)
  Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
* netlink: Queue the kernel socket after setting the flag. | Vinay Krishna Eranna | 2017-04-16 | 1 | -7/+7
  Queueing the socket after setting the NETLINK_KERNEL_SOCKET on the kernel socket. This change is required in-order to avoid the BUG check which is caused due to race condition between setting this flag and a message from the app space for this kernel netlink sock.

  Change-Id: I19a8edf2fe009a3020b194684a6172654f8f257a
  CRs-Fixed: 681815
  Signed-off-by: Vinay Krishna Eranna <veran@codeaurora.org>
* net: unix: suppress initialization warnings | Srinivasarao P | 2017-04-13 | 1 | -18/+4
  compilation failed for ARCH=um due to uninitialized variable 'path' so fixing it by initializing 'path' variable.

  Change-Id: I3d745793876ffe4c518eff97f9d4acf79cc86cf7
  Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
* netlink: Fix dump skb leak/double free | Herbert Xu | 2017-04-13 | 1 | -2/+5
  When we free cb->skb after a dump, we do it after releasing the lock. This means that a new dump could have started in the time being and we'll end up freeing their skb instead of ours.

  This patch saves the skb and module before we unlock so we free the right memory.

  Change-Id: Icdf8adc86b334c32d2f820b5b203989b294fb19f
  Fixes: 16b304f3404f ("netlink: Eliminate kmalloc in netlink dump operation.")
  Reported-by: Baozeng Ding <sploving1@gmail.com>
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* netlink: Eliminate kmalloc in netlink dump operation. | Pravin B Shelar | 2017-04-13 | 2 | -56/+44
  Following patch stores struct netlink_callback in netlink_sock to avoid allocating and freeing it on every netlink dump msg. Only one dump operation is allowed for a given socket at a time therefore we can safely convert cb pointer to cb struct inside netlink_sock.

  Change-Id: I376b6feef396010e3ebd98673a30518b62af9425
  Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* defconfig: make sure it's in device defconfig as well | Moyster | 2017-04-13 | 1 | -0/+1
* random32: include missing header file | Patrick Tjin | 2017-04-13 | 1 | -0/+1
  Add missing include for timer.h.

  Bug: 29621447
  Signed-off-by: Patrick Tjin <pattjin@google.com>
  Change-Id: I20f0369871c522d66af7e15a3b04efbb4fbf10e9
* ANDROID: android-base.cfg: add CONFIG_MODULES option | Greg Kroah-Hartman | 2017-04-13 | 1 | -0/+3
  This adds CONFIG_MODULES, CONFIG_MODULE_UNLOAD, and CONFIG_MODVERSIONS which are required by the O release.

  Bug: 35803310
  Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
* ANDROID: android-base.cfg: add CONFIG_IKCONFIG option | Greg Kroah-Hartman | 2017-04-13 | 1 | -0/+2
  This adds CONFIG_IKCONFIG and CONFIG_IKCONFIG_PROC options, which are a requirement for the O release.

  Bug: 35803310
  Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
* ANDROID: android-base.cfg: properly sort the file | Greg Kroah-Hartman | 2017-04-13 | 1 | -1/+1
  It somehow got out of alphabetical order, fix it to make merges and testing easier.

  Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
* conn_soc: Security Vulnerability in Mediatek driver : arbitrary kernel write | Eddie Chen | 2017-04-13 | 1 | -9/+19
  google security issue fix

  Bug num:25873324
  Change-Id: I2eb8e03dc67209d9a709fc4a27976f986f0b7606
  Signed-off-by: Eddie Chen <eddie.chen@mediatek.com>
  Signed-off-by: Mister Oyster <oysterized@gmail.com>
* mtk: alarmtimer: get rid of xlog and debug | Mister Oyster | 2017-04-13 | 1 | -29/+4
* Set the device to wake up 1 1/2 minutes before | Marcos Marado | 2017-04-13 | 1 | -1/+2
  Setting RTC_PWRON_SEC to -90, so it will wake up 1 and 1/2 minutes before the requested time, giving time for the system to boot up and AlarmManager to be ready for when the time comes.

  Note: Original commit was for 120 seconds, reduced because of faster hardware.

  Change-Id: Ie579529f417ad2f6044e347a55e88d1b72503731
  Ticket: PORRIDGE-12
  Signed-off-by: Mister Oyster <oysterized@gmail.com>
* Fix ANDROID_ALARM_POWER_ON on stop/start sequence | Marcos Marado | 2017-04-13 | 1 | -1/+4
  The POWER_ON alarm structures must be initialized as ALARM_REALTIME timers, not hrtimers.

  Change-Id: Ib3a7e8cb8fe4f5dfabb6af47eddadac92ebadbc1
  Ticket: PORRIDGE-12
* ANDROID_ALARM_POWER_ON is now 6 (mathing fw/base) | Marcos Marado | 2017-04-13 | 1 | -2/+1
  Change-Id: Idaf4238a0280d47fcf83d5335a46b04b44fc92a3
  Ticket: PORRIDGE-12
* staging: alarm-dev: Set the license to GPL | Pramod Gurav | 2017-04-13 | 1 | -1/+1
  Adding "GPL" license to fix a warning while compiling as module.

  CC: Brian Swetland <swetland@google.com>
  Signed-off-by: Pramod Gurav <pramod.gurav.etc@gmail.com>
  Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* staging: alarm-dev: Seperate functions with one blank line | SeongJae Park | 2017-04-13 | 1 | -0/+1
  Signed-off-by: SeongJae Park <sj38.park@gmail.com>
  Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* staging: alarm-dev: Remove unnecessary blank lines | SeongJae Park | 2017-04-13 | 1 | -3/+0
  Signed-off-by: SeongJae Park <sj38.park@gmail.com>
  Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* staging: alarm-dev: Remove unnecessary parenthesis | SeongJae Park | 2017-04-13 | 1 | -2/+2
  Signed-off-by: SeongJae Park <sj38.park@gmail.com>
  Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* staging/android: Add kerneldoc to one function in alarm-dev.c | Cruz Julian Bishop | 2017-04-13 | 1 | -1/+6
  Sorry. I thought that this would be a nice easy class to document fully.

  Turns out I was very wrong - I will have to research the Linux alarm and timer subsystem one day next week and try again.

  Here is what I started out with, anyway. It's not much, but it's better than nothing!

  Signed-off-by: Cruz Julian Bishop <cruzjbishop@gmail.com>
  Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* PowerOffAlarms: Clean a bit ... | Cesar Matias | 2017-04-13 | 1 | -4/+0
* PowerOffAlarms: Fixs for 3.10 kernel | Cesar Matias | 2017-04-13 | 1 | -51/+11
* PowerOffAlarms: add ANDROID_INTF_ALARM_DEV and activate it | DerTeufel | 2017-04-13 | 4 | -0/+678
  Provides non-wakeup and rtc backed wakeup alarms based on rtc or elapsed realtime, and a non-wakeup alarm on the monotonic clock. Especially for wake up alarm ioctl. Also exports the alarm interface to user-space.
* UPSTREAM: arm64: Allow hw watchpoint of length 3,5,6 and 7 | Pratyush Anand | 2017-04-13 | 2 | -0/+40
  (cherry picked from commit 0ddb8e0b784ba034f3096d5a54684d0d73155e2a)

  Since, arm64 can support all offset within a double word limit. Therefore, now support other lengths within that range as well.

  Signed-off-by: Pratyush Anand <panand@redhat.com>
  Signed-off-by: Will Deacon <will.deacon@arm.com>
  Signed-off-by: Pavel Labath <labath@google.com>
  Change-Id: Ibcb263a3903572336ccbf96e0180d3990326545a
  Bug: 30919905
* BACKPORT: arm64: hw_breakpoint: Handle inexact watchpoint addresses | Pavel Labath | 2017-04-13 | 1 | -27/+69
  (cherry picked from commit fdfeff0f9e3d9be2b68fa02566017ffc581ae17b)

  Arm64 hardware does not always report a watchpoint hit address that matches one of the watchpoints set. It can also report an address "near" the watchpoint if a single instruction access both watched and unwatched addresses. There is no straight-forward way, short of disassembling the offending instruction, to map that address back to the watchpoint.

  Previously, when the hardware reported a watchpoint hit on an address that did not match our watchpoint (this happens in case of instructions which access large chunks of memory such as "stp") the process would enter a loop where we would be continually resuming it (because we did not recognise that watchpoint hit) and it would keep hitting the watchpoint again and again. The tracing process would never get notified of the watchpoint hit.

  This commit fixes the problem by looking at the watchpoints near the address reported by the hardware. If the address does not exactly match one of the watchpoints we have set, it attributes the hit to the nearest watchpoint we have. This heuristic is a bit dodgy, but I don't think we can do much more, given the hardware limitations.

  Signed-off-by: Pavel Labath <labath@google.com>
  [panand: reworked to rebase on his patches]
  Signed-off-by: Pratyush Anand <panand@redhat.com>
  [will: use __ffs instead of ffs - 1]
  Signed-off-by: Will Deacon <will.deacon@arm.com>
  Signed-off-by: Pavel Labath <labath@google.com>
  [pavel: trivial fixup in hw_breakpoint.c:watchpoint_handler]
  Change-Id: I714dfaa3947d89d89a9e9a1ea84914d44ba0faa3
  Bug: 30919905
* UPSTREAM: arm64: Allow hw watchpoint at varied offset from base address | Pratyush Anand | 2017-04-13 | 3 | -28/+28
  ARM64 hardware supports watchpoint at any double word aligned address. However, it can select any consecutive bytes from offset 0 to 7 from that base address. For example, if base address is programmed as 0x420030 and byte select is 0x1C, then access of 0x420032,0x420033 and 0x420034 will generate a watchpoint exception.

  Currently, we do not have such modularity. We can only program byte, halfword, word and double word access exception from any base address.

  This patch adds support to overcome above limitations.

  Signed-off-by: Pratyush Anand <panand@redhat.com>
  Signed-off-by: Will Deacon <will.deacon@arm.com>
  Signed-off-by: Pavel Labath <labath@google.com>
  Change-Id: I28b1ca63f63182c10c3d6b6b3bacf6c56887ddbe
  Bug: 30919905
* BACKPORT: hw_breakpoint: Allow watchpoint of length 3,5,6 and 7 | Pratyush Anand | 2017-04-13 | 1 | -0/+4
  (cherry picked from commit 651be3cb085341a21847e47c694c249c3e1e4e5b)

  We only support breakpoint/watchpoint of length 1, 2, 4 and 8. If we can support other length as well, then user may watch more data with less number of watchpoints (provided hardware supports it). For example: if we have to watch only 4th, 5th and 6th byte from a 64 bit aligned address, we will have to use two slots to implement it currently. One slot will watch a half word at offset 4 and other a byte at offset 6. If we can have a watchpoint of length 3 then we can watch it with single slot as well.

  ARM64 hardware does support such functionality, therefore adding these new definitions in generic layer.

  Signed-off-by: Pratyush Anand <panand@redhat.com>
  Signed-off-by: Will Deacon <will.deacon@arm.com>
  Signed-off-by: Pavel Labath <labath@google.com>
  [pavel: tools/include/uapi/linux/hw_breakpoint.h is not present in this branch]
  Change-Id: Ie17ed89ca526e4fddf591bb4e556fdfb55fc2eac
  Bug: 30919905
* scsi: sg: check length passed to SG_NEXT_CMD_LEN | peter chang | 2017-04-13 | 1 | -0/+2
  The user can control the size of the next command passed along, but the value passed to the ioctl isn't checked against the usable max command size.

  Change-Id: I9e8eb8ca058c0103a22f5d99d77919432893aa4c
  Cc: <stable@vger.kernel.org>
  Signed-off-by: Peter Chang <dpf@google.com>
  Acked-by: Douglas Gilbert <dgilbert@interlog.com>
  Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
* BACKPORT: sg: relax 16 byte cdb restriction | Douglas Gilbert | 2017-04-13 | 1 | -17/+29
  - remove the 16 byte CDB (SCSI command) length limit from the sg driver by handling longer CDBs the same way as the bsg driver. Remove comment from sg.h public interface about the cmd_len field being limited to 16 bytes.
  - remove some dead code caused by this change
  - cleanup comment block at the top of sg.h, fix urls

  Change-Id: Ie8150e5375b3316d5d5206f079c4a50f1c50b755
  Signed-off-by: Douglas Gilbert <dgilbert@interlog.com>
  Reviewed-by: Mike Christie <michaelc@cs.wisc.edu>
  Reviewed-by: Hannes Reinecke <hare@suse.de>
  Signed-off-by: Christoph Hellwig <hch@lst.de>
* BACKPORT: block: add blk_rq_set_block_pc() | Jens Axboe | 2017-04-13 | 17 | -20/+41
  With the optimizations around not clearing the full request at alloc time, we are leaving some of the needed init for REQ_TYPE_BLOCK_PC up to the user allocating the request.

  Add a blk_rq_set_block_pc() that sets the command type to REQ_TYPE_BLOCK_PC, and properly initializes the members associated with this type of request. Update callers to use this function instead of manipulating rq->cmd_type directly.

  Includes fixes from Christoph Hellwig <hch@lst.de> for my half-assed attempt.

  Change-Id: Ifc386dfb951c5d6adebf48ff38135dda28e4b1ce
  Signed-off-by: Jens Axboe <axboe@fb.com>
* irda: Fix lockdep annotations in hashbin_delete(). | David S. Miller | 2017-04-13 | 1 | -18/+16
  A nested lock depth was added to the hasbin_delete() code but it doesn't actually work some well and results in tons of lockdep splats.

  Fix the code instead to properly drop the lock around the operation and just keep peeking the head of the hashbin queue.

  Change-Id: I0cb630739aa44b9e7c4a5b775e906713775f13ef
  Reported-by: Dmitry Vyukov <dvyukov@google.com>
  Tested-by: Dmitry Vyukov <dvyukov@google.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* GPIO: Remove unused gpio debug cmd arrary | David Chu | 2017-04-13 | 1 | -20/+2
  [Detail] Remove unused gpio debug cmd arrary which will cause secure problem

  Bug: ALPS02943506
  Change-Id: If5f63928fd5788f853e5e956d7117775e58e32a2
* Security Vulnerability in Mediatek driver : arbitrary kernel write | Eddie Chen | 2017-04-13 | 1 | -17/+19
  google security issue fix

  Bug num:25873324
  Change-Id: I2eb8e03dc67209d9a709fc4a27976f986f0b7606
  Signed-off-by: Eddie Chen <eddie.chen@mediatek.com>