| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[ Upstream commit 3d4bf93ac12003f9b8e1e2de37fe27983deebdcf ]
In case an attacker feeds tiny packets completely out of order,
tcp_collapse_ofo_queue() might scan the whole rb-tree, performing
expensive copies, but not changing socket memory usage at all.
1) Do not attempt to collapse tiny skbs.
2) Add logic to exit early when too many tiny skbs are detected.
We prefer not doing aggressive collapsing (which copies packets)
for pathological flows, and revert to tcp_prune_ofo_queue() which
will be less expensive.
In the future, we might add the possibility of terminating flows
that are proven to be malicious.
Change-Id: I635a058ea387b224d1d0ac7653cc4dfc0aadab3a
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Signed-off-by: Chenbo Feng <fengc@google.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[ Upstream commit f4a3313d8e2ca9fd8d8f45e40a2903ba782607e7 ]
Right after a TCP flow is created, receiving tiny out of order
packets allways hit the condition :
if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
tcp_clamp_window(sk);
tcp_clamp_window() increases sk_rcvbuf to match sk_rmem_alloc
(guarded by tcp_rmem[2])
Calling tcp_collapse_ofo_queue() in this case is not useful,
and offers a O(N^2) surface attack to malicious peers.
Better not attempt anything before full queue capacity is reached,
forcing attacker to spend lots of resource and allow us to more
easily detect the abuse.
Change-Id: Ib4fabbd6f22b51fd6eea66a0f3b210543d3ebe01
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Signed-off-by: Chenbo Feng <fengc@google.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Annoyingly, modify_user_hw_breakpoint() unnecessarily complicates the
modification of a breakpoint - simplify it and remove the pointless
local variables.
Also update the stale Docbook while at it.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Cc: <stable@vger.kernel.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Bug: 110918800
Change-Id: Ifbfc57ae4a1aa708d673aff91206a278201b130d
(cherry picked from commit f67b15037a7a50c57f72e69a6d59941ad90a0f0f)
Signed-off-by: Steve Muckle <smuckle@google.com>
|
| |
|
|
|
|
|
|
|
| |
We forgot to remov memory footprint accounting of per-cpu type
variables, fix it.
Fixes: 35782b233f37 ("f2fs: remove percpu_count due to performance regression")
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
|
| |
|
|
|
|
|
|
| |
No need to read nat block if nat_block_bitmap is set.
Signed-off-by: Yunlei He <heyunlei@huawei.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
|
| |
|
|
|
|
|
| |
Handle this asynchronously to avoid wake-up delay.
Use system_power_efficient_wq since this is not CPU intensive.
Signed-off-by: Park Ju Hyung <qkrwngud825@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
Wait until invalid blocks to reach 3% of utilization before triggering rapid GC
to avoid unnecessarily aggressive GC.
We use 3% from (total - written) to avoid GC not doing its job
when the storage gets nearly full.
Signed-off-by: Park Ju Hyung <qkrwngud825@gmail.com>
|
| |
|
|
|
|
|
| |
With the previous patch, we now have plenty of chances to GC properly
even with a very long interval between looped GC runs.
Signed-off-by: Park Ju Hyung <qkrwngud825@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rapidly GC'ing all invalid blocks only takes a few minute,
even under extreme scenario.
Wait until the screen goes off and detect if the power source is plugged in.
If it is, GC thread runs repeatedly with 1ms interval.
Since the device can go to sleep even with power source plugged in,
catch an additional wakelock.
When no more GC victim block is found, GC thread sleeps for
gc_no_gc_sleep_time(5m).
With the previous ioprio patch, the impact to system responsiveness
(e.g. waking up the screen) is minimal, if not zero.
This patch is intended to optimize background GC behavior specific to Android.
So, disable background_gc by default as well.
Signed-off-by: Park Ju Hyung <qkrwngud825@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
GC should run conservatively as possible to reduce latency spikes to the user.
Setting ioprio to idle class will allow the kernel to schedule GC thread's I/O
to not affect any other processes' I/O requests.
Signed-off-by: Park Ju Hyung <qkrwngud825@gmail.com>
|
| |
|
|
|
|
| |
modified to match meizu m2 note
Signed-off-by: Moyster <oysterized@gmail.com>
|
| |
|
|
| |
This reverts commit 4383cfbb3fe503cff5d7384986eb1b1b34133c01.
|
| |
|
|
| |
Signed-off-by: Moyster <oysterized@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Fix warning by checkpatch.pl:
Prefer 'unsigned int' to bare use of 'unsigned'
Patch applied by running fix inplace capability of checkpatch:
checkpatch.pl -f *.[ch] --types UNSPECIFIED_INT --fix-inplace
Change-Id: I2ba09a70e3a748ea8440f77d5c8e0349db248d49
Signed-off-by: Anson Jacob <ansonjacob.aj@gmail.com>
|
| |
|
|
|
|
|
|
| |
Fix checkpatch.pl warning:
Block comments use * on subsequent lines
Change-Id: I9c92f128fdb3aeeb6ab9c7039e11f857bebb9539
Signed-off-by: Anson Jacob <ansonjacob.aj@gmail.com>
|
| |
|
|
|
|
|
|
| |
Fix warning generated by checkpatch.pl:
Missing a blank line after declarations
Change-Id: I8c1b069a57f90027edfdb3cd8fa011dfe87e44b7
Signed-off-by: Anson Jacob <ansonjacob.aj@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
Removing duplicate allocation of usb accessory's bulk out endpoint
Issue: 67180
Change-Id: Icfb8111cdafa487e54b66f9450d49e52a02ae7a6
Signed-off-by: Anson Jacob <ansonkuzhumbil@gmail.com>
|
| |
|
|
|
|
|
|
| |
Since the Android gadget is a superset of the audio and MIDI gadgets, it
needs to take on their dependencies too
Change-Id: Ib7444962dcdb197e8b7ad66f7a41f7bc40879d2c
Signed-off-by: Greg Hackmann <ghackmann@google.com>
|
| |
|
|
|
|
|
|
|
| |
free_ep_req and alloc_ep_req are static open coded and conflicting
in f_midi.c. The exported versions are present in f_sourcesink.c.
Changed names to protect the innocent.
Change-Id: I4aee40054b5715d0532d433d23dea2bccff7ec30
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
|
| |
|
|
|
| |
Change-Id: I4c4b99f9d54314fc31445cf42b825527ca483af9
Signed-off-by: Mike Lockwood <lockwood@google.com>
|
| |
|
|
|
| |
Change-Id: I424b942d64c9f818351e49ee2150f466b9cc7f84
Signed-off-by: Mike Lockwood <lockwood@google.com>
|
| |
|
|
|
|
|
|
|
| |
Using snd_card_free_when_closed rather than snd_card_free in f_midi_unbind
makes it safe to disable the driver while a userspace client has the
ALSA device open.
Change-Id: Ibc40c01e7b1ce90fc61d3ea654b4816fadfc7ffd
Signed-off-by: Mike Lockwood <lockwood@google.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While disabling ConfigFS Android gadget, android_disconnect() calls
kill_all_hid_devices(), if CONFIG_USB_CONFIGFS_F_ACC is enabled, to free
the registered HIDs without checking whether the USB accessory device
really exist or not. If USB accessory device doesn't exist then we run into
following kernel panic:
----8<----
[ 136.724761] Unable to handle kernel NULL pointer dereference at virtual address 00000064
[ 136.724809] pgd = c0204000
[ 136.731924] [00000064] *pgd=00000000
[ 136.737830] Internal error: Oops: 5 [#1] SMP ARM
[ 136.738108] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 3.18.0-rc4-00400-gf75300e-dirty #76
[ 136.742788] task: c0fb19d8 ti: c0fa4000 task.ti: c0fa4000
[ 136.750890] PC is at _raw_spin_lock_irqsave+0x24/0x60
[ 136.756246] LR is at kill_all_hid_devices+0x24/0x114
---->8----
This patch adds a test to check if USB Accessory device exists before freeing HIDs.
Change-Id: Ie229feaf0de3f4f7a151fcaa9a994e34e15ff73b
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
(cherry picked from commit 32a71bce154cb89a549b9b7d28e8cf03b889d849)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The android_setup() function currently gives the f_accessory
setup function first opportunity to handle control requests
in order to support Android Open Accessory (AOA) hosts. That
function makes use of cdev->req and overrides its completion
function, but not in all cases. Thus, if a later request uses
the same request pointer but doesn't (re)set req->complete it
could result in the wrong completion function being called and
causing invalid memory access.
One way to fix this would be to explicitly set req->complete in
all cases but that might require auditing all function drivers
that have ep0 handling. Instead, note that the composite device
had already initially set cdev->req->complete and simply cache
and restore that pointer at the start of android_setup().
Change-Id: I33bcd17bd20687a349d537d1013b52a2afef6996
Signed-off-by: Jack Pham <jackp@codeaurora.org>
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
sync_file_range(2) is documented to issue writeback only for pages that
are not currently being written. After all the system call has been
created for userspace to be able to issue background writeout and so
waiting for in-flight IO is undesirable there. However commit
ee53a891f474 ("mm: do_sync_mapping_range integrity fix") switched
do_sync_mapping_range() and thus sync_file_range() to issue writeback in
WB_SYNC_ALL mode since do_sync_mapping_range() was used by other code
relying on WB_SYNC_ALL semantics.
These days do_sync_mapping_range() went away and we can switch
sync_file_range(2) back to issuing WB_SYNC_NONE writeback. That should
help PostgreSQL avoid large latency spikes when flushing data in the
background.
Andres measured a 20% increase in transactions per second on an SSD disk.
Change-Id: Ib3e8a5e27501165fdd10486792d2a1989a841c9e
Signed-off-by: Jan Kara <jack@suse.com>
Reported-by: Andres Freund <andres@anarazel.de>
Tested-By: Andres Freund <andres@anarazel.de>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: engstk <eng.stk@sapo.pt>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
commit 65d8fc777f6dcfee12785c057a6b57f679641c90 upstream.
When dealing with key handling for shared futexes, we can drastically reduce
the usage/need of the page lock. 1) For anonymous pages, the associated futex
object is the mm_struct which does not require the page lock. 2) For inode
based, keys, we can check under RCU read lock if the page mapping is still
valid and take reference to the inode. This just leaves one rare race that
requires the page lock in the slow path when examining the swapcache.
Additionally realtime users currently have a problem with the page lock being
contended for unbounded periods of time during futex operations.
Task A
get_futex_key()
lock_page()
---> preempted
Now any other task trying to lock that page will have to wait until
task A gets scheduled back in, which is an unbound time.
With this patch, we pretty much have a lockless futex_get_key().
Experiments show that this patch can boost/speedup the hashing of shared
futexes with the perf futex benchmarks (which is good for measuring such
change) by up to 45% when there are high (> 100) thread counts on a 60 core
Westmere. Lower counts are pretty much in the noise range or less than 10%,
but mid range can be seen at over 30% overall throughput (hash ops/sec).
This makes anon-mem shared futexes much closer to its private counterpart.
Signed-off-by: Mel Gorman <mgorman@suse.de>
[ Ported on top of thp refcount rework, changelog, comments, fixes. ]
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Chris Mason <clm@fb.com>
Cc: Darren Hart <dvhart@linux.intel.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: dave@stgolabs.net
Link: http://lkml.kernel.org/r/1455045314-8305-3-git-send-email-dave@stgolabs.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Chenbo Feng <fengc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 74250718
Change-Id: I80e300aa740a553fbbbf84143d6a4165f31c8a90
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the list search in sg_get_rq_mark() fails to find a valid request, we
return a bogus element. This then can later lead to a GPF in
sg_remove_scat().
So don't return bogus Sg_requests in sg_get_rq_mark() but NULL in case
the list search doesn't find a valid request.
Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Hannes Reinecke <hare@suse.de>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Doug Gilbert <dgilbert@interlog.com>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Acked-by: Doug Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Chenbo Feng <fengc@google.com>
(cherry picked from commit 48ae8484e9fc324b4968d33c585e54bc98e44d61)
Change-Id: If95d1a8eef3748c9937201e524184b89a5eaaf2e
Bug: 75300370
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a USB-audio device is disconnected while PCM is still running, we
still see some race: the disconnect callback calls
snd_usb_endpoint_free() that calls release_urbs() and then kfree()
while a PCM stream would be closed at the same time and calls
stop_endpoints() that leads to wait_clear_urbs(). That is, the EP
object might be deallocated while a PCM stream is syncing with
wait_clear_urbs() with the same EP.
Basically calling multiple wait_clear_urbs() would work fine, also
calling wait_clear_urbs() and release_urbs() would work, too, as
wait_clear_urbs() just reads some fields in ep. The problem is the
succeeding kfree() in snd_pcm_endpoint_free().
This patch moves out the EP deallocation into the later point, the
destructor callback. At this stage, all PCMs must have been already
closed, so it's safe to free the objects.
Reported-by: Alan Stern <stern@rowland.harvard.edu>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Change-Id: Ia550e71981fcf7cb36312ca458029f34471c1d1e
Git-commit: 92a586bdc06de6629dae1b357dac221253f55ff8
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
[jackp@codeaurora.org: fixed minor conflict in sound/usb/endpoint.h]
Signed-off-by: Jack Pham <jackp@codeaurora.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
kzalloc() and usb_ifnum_to_if() both APIs can return NULL. Current
code is not checking return value and derefencing which may crash
device if it is set to NULL. Fix this by checking return value
against NULL and handling the same.
CRs-Fixed: 562273
Change-Id: I0d2c910f43321e94fc447b19ae3e3207727e24f3
Signed-off-by: Mayank Rana <mrana@codeaurora.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The SNDRV_RAWMIDI_STREAM_{OUTPUT,INPUT} ioctls may reallocate
runtime->buffer while other kernel threads are accessing it. If the
underlying krealloc() call frees the original buffer, then this can turn
into a use-after-free.
Most of these accesses happen while the thread is holding runtime->lock,
and can be fixed by just holding the same lock while replacing
runtime->buffer, however we can't hold this spinlock while
snd_rawmidi_kernel_{read1,write1} are copying to/from userspace. We
need to add and acquire a new mutex to prevent this from happening
concurrently with reallocation. We hold this mutex during the entire
reallocation process, to also prevent multiple concurrent reallocations
leading to a double-free.
Signed-off-by: Daniel Rosenberg <drosen@google.com>
bug: 64315347
Change-Id: I05764d4f1a38f373eb7c0ac1c98607ee5ff0eded
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When multiple threads is trying to tag/delete the same socket at the
same time, there is a chance the tag_ref_entry of the target socket to
be null before the uid_tag_data entry is freed. It is caused by the
ctrl_cmd_tag function where it doesn't correctly grab the spinlocks
when tagging a socket.
Signed-off-by: Chenbo Feng <fengc@google.com>
Bug: 65853158
Change-Id: I5d89885918054cf835370a52bff2d693362ac5f0
|
| |
|
|
|
|
|
|
|
|
|
| |
Based on upstream change 06ebb06d49486676272a3c030bfeef4bd969a8e6
One more instance when the caller requests 0 bytes instead of running
off and dereferencing potentially invalid iovecs.
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Bug: 36279469
Change-Id: Ib8d529e17c07c77357ab70bd6a2d7e305d6b27f0
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
commit 443064cb0b1fb4569fe0a71209da7625129fb760 upstream.
A lock-unlock is missing in ASHMEM_SET_SIZE ioctl which can result in a
race condition when mmap is called. After the !asma->file check, before
setting asma->size, asma->file can be set in mmap. That would result in
having different asma->size than the mapped memory size. Combined with
ASHMEM_UNPIN ioctl and shrinker invocation, this can result in memory
corruption.
Signed-off-by: Viktor Slavkovic <viktors@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
This was extracted from the PaX RANDUSTACK feature in grsecurity, where
all of the lower bits are randomized. PaX keeps 16-byte alignment.
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
|
| |
|
|
| |
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Stack mapping entropy is currently hard-wired to 11 bits of entropy on
32-bit and 18 bits of entropy on 64-bit. The stack itself gains an extra
8 bits of entropy from lower bit randomization within 16 byte alignment
constraints. The argument block could have all lower bits randomized but
it currently only gets the mapping randomization.
Rather than hard-wiring values this switches to using the mmap entropy
configuration like the mmap base and executable base, resulting in a
range of 8 to 16 bits on 32-bit and 18 to 24 bits on 64-bit (with 4k
pages) depending on kernel configuration and overridable via the sysctl
entries.
It's worth noting that since these kernel configuration options default
to the minimum supported entropy value, the entropy on 32-bit will drop
from 11 to 8 bits for builds using the defaults. However, following the
configuration seems like the right thing to do regardless. At the very
least, changing the defaults for COMPAT (32-bit processes on 64-bit)
should be considered due to the larger address space compared to real
32-bit.
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
The stack ASLR base was not included in the gap size for rlimit values
larger than MIN_GAP, resulting in insufficient space being reserved.
PaX uses an alternate approach where the mmap base is instead offset
from the actual random stack base, but this works for the time being.
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Taken from PaX.
|
| |
|
|
| |
Based on the grsecurity feature, but with a per-cache random value.
|
| | |
|
| | |
|
