OSDN Git Service

android-x86/kernel.git
7 years ago ANDROID: fs: Export free_fs_struct and set_fs_pwd
Guenter Roeck [Mon, 30 Jan 2017 20:26:08 +0000 (12:26 -0800)]
ANDROID: fs: Export free_fs_struct and set_fs_pwd

allmodconfig builds fail with:

ERROR: "free_fs_struct" undefined!
ERROR: "set_fs_pwd" undefined!

Export the missing symbols.

Change-Id: I4877ead19d7e7f0c93d4c4cad5681364284323aa
Fixes: 0ec03f845799 ("ANDROID: sdcardfs: override umask on mkdir and create")
Signed-off-by: Guenter Roeck <groeck@chromium.org>
7 years ago BACKPORT: Input: xpad - validate USB endpoint count during probe
Cameron Gutman [Wed, 29 Jun 2016 16:51:35 +0000 (09:51 -0700)]
BACKPORT: Input: xpad - validate USB endpoint count during probe

This prevents a malicious USB device from causing an oops.

Change-Id: I47c27541a4c2f0cec354eb83b3013bb825ed6e90
Signed-off-by: Cameron Gutman <aicommander@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
7 years ago BACKPORT: Input: xpad - fix oops when attaching an unknown Xbox One gamepad
Cameron Gutman [Thu, 23 Jun 2016 17:24:42 +0000 (10:24 -0700)]
BACKPORT: Input: xpad - fix oops when attaching an unknown Xbox One gamepad

Xbox One controllers have multiple interfaces which all have the
same class, subclass, and protocol. One of these interfaces
has only a single endpoint. When Xpad attempts to bind to this
interface, it causes an oops when trying to initialize the output URB
by trying to access the second endpoint's descriptor.

This situation was avoided for known Xbox One devices by checking
the XTYPE constant associated with the VID and PID tuple. However,
this breaks when new or previously unknown Xbox One controllers
are attached to the system.

This change addresses the problem by deriving the XTYPE for Xbox
One controllers based on the interface protocol before checking
the interface number.

Change-Id: If15a19cde514ffdeddb506da9c4d34479408005a
Fixes: 1a48ff81b391 ("Input: xpad - add support for Xbox One controllers")
Signed-off-by: Cameron Gutman <aicommander@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
7 years ago ANDROID: mnt: remount should propagate to slaves of slaves
Daniel Rosenberg [Thu, 5 Jan 2017 22:37:11 +0000 (14:37 -0800)]
ANDROID: mnt: remount should propagate to slaves of slaves

propagate_remount was not accounting for the slave mounts
of other slave mounts, leading to some namespaces not
receiving the remount information.

bug:33731928
Change-Id: Idc9e8c2ed126a4143229fc23f10a959c2d0a3854
Signed-off-by: Daniel Rosenberg <drosen@google.com>
7 years ago ANDROID: sdcardfs: Switch ->d_inode to d_inode()
Daniel Rosenberg [Thu, 5 Jan 2017 22:37:11 +0000 (14:37 -0800)]
ANDROID: sdcardfs: Switch ->d_inode to d_inode()

Change-Id: I12375cc2d6e82fb8adf0319be971f335f8d7a312
Signed-off-by: Daniel Rosenberg <drosen@google.com>
7 years ago ANDROID: sdcardfs: Fix locking issue with permision fix up
Daniel Rosenberg [Tue, 27 Dec 2016 20:36:29 +0000 (12:36 -0800)]
ANDROID: sdcardfs: Fix locking issue with permision fix up

Don't use lookup_one_len so we can grab the spinlock that
protects d_subdirs.

Bug: 30954918
Change-Id: I0c6a393252db7beb467e0d563739a3a14e1b5115
Signed-off-by: Daniel Rosenberg <drosen@google.com>
7 years ago ANDROID: sdcardfs: Change magic value
Daniel Rosenberg [Tue, 15 Nov 2016 21:35:18 +0000 (13:35 -0800)]
ANDROID: sdcardfs: Change magic value

Sdcardfs uses the same magic value as wrapfs.
This should not be the case. As it is entirely
in memory, the value can be changed without any
loss of compatibility.

Change-Id: I24200b805d5e6d32702638be99e47d50d7f2f746
Signed-off-by: Daniel Rosenberg <drosen@google.com>
7 years ago ANDROID: sdcardfs: Use per mount permissions
Daniel Rosenberg [Thu, 27 Oct 2016 03:27:20 +0000 (20:27 -0700)]
ANDROID: sdcardfs: Use per mount permissions

This switches sdcardfs over to using permission2.
Instead of mounting several sdcardfs instances onto
the same underlying directory, you bind mount a
single mount several times, and remount with the
options you want. These are stored in the private
mount data, allowing you to maintain the same tree,
but have different permissions for different mount
points.

Warning functions have been added for permission,
as it should never be called, and the correct
behavior is unclear.

Change-Id: I841b1d70ec60cf2b866fa48edeb74a0b0f8334f5
Signed-off-by: Daniel Rosenberg <drosen@google.com>
7 years ago ANDROID: sdcardfs: Add gid and mask to private mount data
Daniel Rosenberg [Thu, 27 Oct 2016 00:36:05 +0000 (17:36 -0700)]
ANDROID: sdcardfs: Add gid and mask to private mount data

Adds support for mount2, remount2, and the functions
to allocate/clone/copy the private data.

The next patch will switch over to actually using it.

Change-Id: I8a43da26021d33401f655f0b2784ead161c575e3
Signed-off-by: Daniel Rosenberg <drosen@google.com>
7 years ago ANDROID: sdcardfs: User new permission2 functions
Daniel Rosenberg [Wed, 26 Oct 2016 23:48:45 +0000 (16:48 -0700)]
ANDROID: sdcardfs: User new permission2 functions

Change-Id: Ic7e0fb8fdcebb31e657b079fe02ac834c4a50db9
Signed-off-by: Daniel Rosenberg <drosen@google.com>
7 years ago ANDROID: vfs: Add setattr2 for filesystems with per mount permissions
Daniel Rosenberg [Wed, 26 Oct 2016 23:33:11 +0000 (16:33 -0700)]
ANDROID: vfs: Add setattr2 for filesystems with per mount permissions

This allows filesystems to use their mount private data to
influence the permissions they use in setattr2. It has
been separated into a new call to avoid disrupting current
setattr users.

Change-Id: I19959038309284448f1b7f232d579674ef546385
Signed-off-by: Daniel Rosenberg <drosen@google.com>
7 years ago ANDROID: vfs: Add permission2 for filesystems with per mount permissions
Daniel Rosenberg [Wed, 26 Oct 2016 23:27:45 +0000 (16:27 -0700)]
ANDROID: vfs: Add permission2 for filesystems with per mount permissions

This allows filesystems to use their mount private data to
influence the permissions they return in permission2. It has
been separated into a new call to avoid disrupting current
permission users.

Change-Id: I9d416e3b8b6eca84ef3e336bd2af89ddd51df6ca
Signed-off-by: Daniel Rosenberg <drosen@google.com>
7 years ago ANDROID: vfs: Allow filesystems to access their private mount data
Daniel Rosenberg [Wed, 26 Oct 2016 22:58:22 +0000 (15:58 -0700)]
ANDROID: vfs: Allow filesystems to access their private mount data

Now we pass the vfsmount when mounting and remounting.
This allows the filesystem to actually set up the mount
specific data, although we can't quite do anything with
it yet. show_options is expanded to include data that
lives with the mount.

To avoid changing existing filesystems, these have
been added as new vfs functions.

Change-Id: If80670bfad9f287abb8ac22457e1b034c9697097
Signed-off-by: Daniel Rosenberg <drosen@google.com>
7 years ago ANDROID: mnt: Add filesystem private data to mount points
Daniel Rosenberg [Wed, 26 Oct 2016 22:29:51 +0000 (15:29 -0700)]
ANDROID: mnt: Add filesystem private data to mount points

This starts to add private data associated directly
to mount points. The intent is to give filesystems
a sense of where they have come from, as a means of
letting a filesystem take different actions based on
this information.

Change-Id: Ie769d7b3bb2f5972afe05c1bf16cf88c91647ab2
Signed-off-by: Daniel Rosenberg <drosen@google.com>
7 years ago ANDROID: sdcardfs: Move directory unlock before touch
Daniel Rosenberg [Mon, 26 Sep 2016 21:48:22 +0000 (14:48 -0700)]
ANDROID: sdcardfs: Move directory unlock before touch

This removes a deadlock under low memory conditions.
filp_open can call lookup_slow, which will attempt to
lock the parent.

Change-Id: I940643d0793f5051d1e79a56f4da2fa8ca3d8ff7
Signed-off-by: Daniel Rosenberg <drosen@google.com>
7 years ago ANDROID: sdcardfs: fix external storage exporting incorrect uid
alvin_liang [Mon, 19 Sep 2016 08:59:12 +0000 (16:59 +0800)]
ANDROID: sdcardfs: fix external storage exporting incorrect uid

Symptom: App cannot write into per-app folder
Root Cause: sdcardfs exports incorrect uid
Solution: fix uid
Project: All
Note:
Test done by RD: passed

Change-Id: Iff64f6f40ba4c679f07f4426d3db6e6d0db7e3ca

7 years ago ANDROID: sdcardfs: Added top to sdcardfs_inode_info
Daniel Rosenberg [Wed, 18 May 2016 23:57:10 +0000 (16:57 -0700)]
ANDROID: sdcardfs: Added top to sdcardfs_inode_info

Adding packages to the package list and moving files
takes a large amount of locks, and is currently a
heavy operation. This adds a 'top' field to the
inode_info, which points to the inode for the top
most directory whose owner you would like to match.

On permission checks and get_attr, we look up the
owner based on the information at top. When we change
a package mapping, we need only modify the information
in the corresponding top inode_info's. When renaming,
we must ensure top is set correctly in all children.
This happens when an app specific folder gets moved
outside of the folder for that app.

Change-Id: Ib749c60b568e9a45a46f8ceed985c1338246ec6c
Signed-off-by: Daniel Rosenberg <drosen@google.com>
7 years ago ANDROID: sdcardfs: Switch package list to RCU
Daniel Rosenberg [Tue, 10 May 2016 20:42:43 +0000 (13:42 -0700)]
ANDROID: sdcardfs: Switch package list to RCU

Switched the package id hashmap to use RCU.

Change-Id: I9fdcab279009005bf28536247d11e13babab0b93
Signed-off-by: Daniel Rosenberg <drosen@google.com>
7 years ago ANDROID: sdcardfs: Fix locking for permission fix up
Daniel Rosenberg [Tue, 16 Aug 2016 22:19:26 +0000 (15:19 -0700)]
ANDROID: sdcardfs: Fix locking for permission fix up

Iterating over d_subdirs requires taking d_lock.
Removed several unneeded locks.

Change-Id: I5b1588e54c7e6ee19b756d6705171c7f829e2650
Signed-off-by: Daniel Rosenberg <drosen@google.com>
7 years ago ANDROID: sdcardfs: Check for other cases on path lookup
Daniel Rosenberg [Wed, 27 Apr 2016 22:31:29 +0000 (15:31 -0700)]
ANDROID: sdcardfs: Check for other cases on path lookup

This fixes a bug where the first lookup of a
file or folder created under a different view
would not be case insensitive. It will now
search through for a case insensitive match
if the initial lookup fails.

Bug:28024488
Change-Id: I4ff9ce297b9f2f9864b47540e740fd491c545229
Signed-off-by: Daniel Rosenberg <drosen@google.com>
7 years ago ANDROID: sdcardfs: override umask on mkdir and create
Daniel Rosenberg [Wed, 13 Apr 2016 23:38:34 +0000 (16:38 -0700)]
ANDROID: sdcardfs: override umask on mkdir and create

The mode on files created on the lower fs should
not be affected by the umask of the calling
task's fs_struct. Instead, we create a copy
and modify it as needed. This also lets us avoid
the string shenanigans around .nomedia files.

Bug: 27992761
Change-Id: Ia3a6e56c24c6e19b3b01c1827e46403bb71c2f4c
Signed-off-by: Daniel Rosenberg <drosen@google.com>
7 years ago DEBUG: sched/fair: Fix sched_load_avg_cpu events for task_groups
Brendan Jackman [Tue, 10 Jan 2017 11:31:01 +0000 (11:31 +0000)]
DEBUG: sched/fair: Fix sched_load_avg_cpu events for task_groups

The current sched_load_avg_cpu event traces the load for any cfs_rq that is
updated. This is not representative of the CPU load - instead we should only
trace this event when the cfs_rq being updated is in the root_task_group.

Change-Id: I345c2f13f6b5718cb4a89beb247f7887ce97ed6b
Signed-off-by: Brendan Jackman <brendan.jackman@arm.com>
7 years ago DEBUG: sched/fair: Fix missing sched_load_avg_cpu events
Brendan Jackman [Mon, 9 Jan 2017 17:20:11 +0000 (17:20 +0000)]
DEBUG: sched/fair: Fix missing sched_load_avg_cpu events

update_cfs_rq_load_avg is called from update_blocked_averages without triggering
the sched_load_avg_cpu event. Move the event trigger to inside
update_cfs_rq_load_avg to avoid this missing event.

Change-Id: I6c4f66f687a644e4e7f798db122d28a8f5919b7b
Signed-off-by: Brendan Jackman <brendan.jackman@arm.com>
7 years ago UPSTREAM: l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind()
Guillaume Nault [Fri, 18 Nov 2016 21:13:00 +0000 (22:13 +0100)]
UPSTREAM: l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind()

(cherry picked from commit 32c231164b762dddefa13af5a0101032c70b50ef)

Lock socket before checking the SOCK_ZAPPED flag in l2tp_ip6_bind().
Without lock, a concurrent call could modify the socket flags between
the sock_flag(sk, SOCK_ZAPPED) test and the lock_sock() call. This way,
a socket could be inserted twice in l2tp_ip6_bind_table. Releasing it
would then leave a stale pointer there, generating use-after-free
errors when walking through the list or modifying adjacent entries.

BUG: KASAN: use-after-free in l2tp_ip6_close+0x22e/0x290 at addr ffff8800081b0ed8
Write of size 8 by task syz-executor/10987
CPU: 0 PID: 10987 Comm: syz-executor Not tainted 4.8.0+ #39
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
 ffff880031d97838 ffffffff829f835b ffff88001b5a1640 ffff8800081b0ec0
 ffff8800081b15a0 ffff8800081b6d20 ffff880031d97860 ffffffff8174d3cc
 ffff880031d978f0 ffff8800081b0e80 ffff88001b5a1640 ffff880031d978e0
Call Trace:
 [<ffffffff829f835b>] dump_stack+0xb3/0x118 lib/dump_stack.c:15
 [<ffffffff8174d3cc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [<     inline     >] print_address_description mm/kasan/report.c:194
 [<ffffffff8174d666>] kasan_report_error+0x1f6/0x4d0 mm/kasan/report.c:283
 [<     inline     >] kasan_report mm/kasan/report.c:303
 [<ffffffff8174db7e>] __asan_report_store8_noabort+0x3e/0x40 mm/kasan/report.c:329
 [<     inline     >] __write_once_size ./include/linux/compiler.h:249
 [<     inline     >] __hlist_del ./include/linux/list.h:622
 [<     inline     >] hlist_del_init ./include/linux/list.h:637
 [<ffffffff8579047e>] l2tp_ip6_close+0x22e/0x290 net/l2tp/l2tp_ip6.c:239
 [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
 [<ffffffff851dc5a0>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
 [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 net/socket.c:570
 [<ffffffff84c45976>] sock_close+0x16/0x20 net/socket.c:1017
 [<ffffffff817a108c>] __fput+0x28c/0x780 fs/file_table.c:208
 [<ffffffff817a1605>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff813774f9>] task_work_run+0xf9/0x170
 [<ffffffff81324aae>] do_exit+0x85e/0x2a00
 [<ffffffff81326dc8>] do_group_exit+0x108/0x330
 [<ffffffff81348cf7>] get_signal+0x617/0x17a0 kernel/signal.c:2307
 [<ffffffff811b49af>] do_signal+0x7f/0x18f0
 [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156
 [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:190
 [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff85e4d726>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8800081b0ec0, in cache L2TP/IPv6 size: 1448
Allocated:
PID = 10987
 [ 1116.897025] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
 [ 1116.897025] [<ffffffff8174c736>] save_stack+0x46/0xd0
 [ 1116.897025] [<ffffffff8174c9ad>] kasan_kmalloc+0xad/0xe0
 [ 1116.897025] [<ffffffff8174cee2>] kasan_slab_alloc+0x12/0x20
 [ 1116.897025] [<     inline     >] slab_post_alloc_hook mm/slab.h:417
 [ 1116.897025] [<     inline     >] slab_alloc_node mm/slub.c:2708
 [ 1116.897025] [<     inline     >] slab_alloc mm/slub.c:2716
 [ 1116.897025] [<ffffffff817476a8>] kmem_cache_alloc+0xc8/0x2b0 mm/slub.c:2721
 [ 1116.897025] [<ffffffff84c4f6a9>] sk_prot_alloc+0x69/0x2b0 net/core/sock.c:1326
 [ 1116.897025] [<ffffffff84c58ac8>] sk_alloc+0x38/0xae0 net/core/sock.c:1388
 [ 1116.897025] [<ffffffff851ddf67>] inet6_create+0x2d7/0x1000 net/ipv6/af_inet6.c:182
 [ 1116.897025] [<ffffffff84c4af7b>] __sock_create+0x37b/0x640 net/socket.c:1153
 [ 1116.897025] [<     inline     >] sock_create net/socket.c:1193
 [ 1116.897025] [<     inline     >] SYSC_socket net/socket.c:1223
 [ 1116.897025] [<ffffffff84c4b46f>] SyS_socket+0xef/0x1b0 net/socket.c:1203
 [ 1116.897025] [<ffffffff85e4d685>] entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 10987
 [ 1116.897025] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
 [ 1116.897025] [<ffffffff8174c736>] save_stack+0x46/0xd0
 [ 1116.897025] [<ffffffff8174cf61>] kasan_slab_free+0x71/0xb0
 [ 1116.897025] [<     inline     >] slab_free_hook mm/slub.c:1352
 [ 1116.897025] [<     inline     >] slab_free_freelist_hook mm/slub.c:1374
 [ 1116.897025] [<     inline     >] slab_free mm/slub.c:2951
 [ 1116.897025] [<ffffffff81748b28>] kmem_cache_free+0xc8/0x330 mm/slub.c:2973
 [ 1116.897025] [<     inline     >] sk_prot_free net/core/sock.c:1369
 [ 1116.897025] [<ffffffff84c541eb>] __sk_destruct+0x32b/0x4f0 net/core/sock.c:1444
 [ 1116.897025] [<ffffffff84c5aca4>] sk_destruct+0x44/0x80 net/core/sock.c:1452
 [ 1116.897025] [<ffffffff84c5ad33>] __sk_free+0x53/0x220 net/core/sock.c:1460
 [ 1116.897025] [<ffffffff84c5af23>] sk_free+0x23/0x30 net/core/sock.c:1471
 [ 1116.897025] [<ffffffff84c5cb6c>] sk_common_release+0x28c/0x3e0 ./include/net/sock.h:1589
 [ 1116.897025] [<ffffffff8579044e>] l2tp_ip6_close+0x1fe/0x290 net/l2tp/l2tp_ip6.c:243
 [ 1116.897025] [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
 [ 1116.897025] [<ffffffff851dc5a0>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
 [ 1116.897025] [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 net/socket.c:570
 [ 1116.897025] [<ffffffff84c45976>] sock_close+0x16/0x20 net/socket.c:1017
 [ 1116.897025] [<ffffffff817a108c>] __fput+0x28c/0x780 fs/file_table.c:208
 [ 1116.897025] [<ffffffff817a1605>] ____fput+0x15/0x20 fs/file_table.c:244
 [ 1116.897025] [<ffffffff813774f9>] task_work_run+0xf9/0x170
 [ 1116.897025] [<ffffffff81324aae>] do_exit+0x85e/0x2a00
 [ 1116.897025] [<ffffffff81326dc8>] do_group_exit+0x108/0x330
 [ 1116.897025] [<ffffffff81348cf7>] get_signal+0x617/0x17a0 kernel/signal.c:2307
 [ 1116.897025] [<ffffffff811b49af>] do_signal+0x7f/0x18f0
 [ 1116.897025] [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156
 [ 1116.897025] [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:190
 [ 1116.897025] [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [ 1116.897025] [<ffffffff85e4d726>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8800081b0d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800081b0e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8800081b0e80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                    ^
 ffff8800081b0f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8800081b0f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

==================================================================

The same issue exists with l2tp_ip_bind() and l2tp_ip_bind_table.

Fixes: c51ce49735c1 ("l2tp: fix oops in L2TP IP sockets for connect() AF_UNSPEC case")
Reported-by: Baozeng Ding <sploving1@gmail.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Change-Id: I74b0e6bf0d0a5e0e2f4d8a3c6e52ea75a572b114
Bug: 33753815
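
Added example (not part of the commit or of the kernel tree): a user-space C model of the double insertion the l2tp commit message above describes, showing why one close leaves the bind table pointing at the socket. The `hnode`/`hhead` helpers, `struct msock` and the fixed two-caller interleaving are constructed for illustration and assume the bind table is an hlist, as the `hlist_del_init` frame in the trace indicates.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model of an hlist node and head (constructed for this example). */
struct hnode { struct hnode *next, **pprev; };
struct hhead { struct hnode *first; };

/* Model socket: 'zapped' stands in for SOCK_ZAPPED (set = not bound yet). */
struct msock { bool zapped; struct hnode bind_node; };

enum order { CHECK_BEFORE_LOCK, CHECK_UNDER_LOCK };

static void hlist_add_head_m(struct hnode *n, struct hhead *h)
{
	struct hnode *first = h->first;

	n->next = first;
	if (first)
		first->pprev = &n->next;
	h->first = n;
	n->pprev = &h->first;
}

static void hlist_del_init_m(struct hnode *n)
{
	struct hnode *next = n->next;
	struct hnode **pprev = n->pprev;

	if (!pprev)		/* node is not on any list */
		return;
	*pprev = next;
	if (next)
		next->pprev = pprev;
	n->next = NULL;
	n->pprev = NULL;
}

/* The part of bind() that runs with the socket lock held. */
static void bind_commit(struct msock *sk, struct hhead *table)
{
	hlist_add_head_m(&sk->bind_node, table);
	sk->zapped = false;
}

/*
 * Two bind() calls on one socket, in the worst interleaving each ordering
 * allows. Returns how many times the socket was inserted into the table.
 */
static int two_binders(struct msock *sk, struct hhead *table, enum order o)
{
	int inserts = 0;

	if (o == CHECK_BEFORE_LOCK) {
		/* Both callers test the flag before either takes the lock. */
		bool a_ok = sk->zapped;
		bool b_ok = sk->zapped;

		if (a_ok) { bind_commit(sk, table); inserts++; }	/* caller A */
		if (b_ok) { bind_commit(sk, table); inserts++; }	/* caller B */
	} else {
		/* The lock covers test and insert, so B tests after A is done. */
		if (sk->zapped) { bind_commit(sk, table); inserts++; }	/* caller A */
		if (sk->zapped) { bind_commit(sk, table); inserts++; }	/* caller B */
	}
	return inserts;
}

/* Bind twice, close once; report whether the table still points at the socket. */
static bool stale_after_close(enum order o, int *inserts)
{
	struct hhead table = { NULL };
	struct msock sk = { true, { NULL, NULL } };

	*inserts = two_binders(&sk, &table, o);
	hlist_del_init_m(&sk.bind_node);	/* close() unhashes, then frees */
	return table.first == &sk.bind_node;
}

int main(void)
{
	int n;
	bool stale;

	stale = stale_after_close(CHECK_BEFORE_LOCK, &n);
	printf("check before lock: inserts=%d stale=%d\n", n, (int)stale);
	stale = stale_after_close(CHECK_UNDER_LOCK, &n);
	printf("check under lock:  inserts=%d stale=%d\n", n, (int)stale);
	return 0;
}
```

After the second insertion the node's `next` points at itself, so the single unhash on close writes the node's own address back into the table head.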

7 years ago UPSTREAM: packet: fix race condition in packet_set_ring
Philip Pettersson [Wed, 30 Nov 2016 22:55:36 +0000 (14:55 -0800)]
UPSTREAM: packet: fix race condition in packet_set_ring

(cherry picked from commit 84ac7260236a49c79eede91617700174c2c19b0c)

When packet_set_ring creates a ring buffer it will initialize a
struct timer_list if the packet version is TPACKET_V3. This value
can then be raced by a different thread calling setsockopt to
set the version to TPACKET_V1 before packet_set_ring has finished.

This leads to a use-after-free on a function pointer in the
struct timer_list when the socket is closed as the previously
initialized timer will not be deleted.

The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
changing the packet version while also taking the lock at the start
of packet_set_ring.

Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Signed-off-by: Philip Pettersson <philip.pettersson@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Change-Id: Ice451620ecf2c2a5ba3709f45fbb5f3f5c5bb389
Bug: 33358926

7 years ago UPSTREAM: netlink: Fix dump skb leak/double free
Herbert Xu [Mon, 16 May 2016 09:28:16 +0000 (17:28 +0800)]
UPSTREAM: netlink: Fix dump skb leak/double free

(cherry picked from commit 92964c79b357efd980812c4de5c1fd2ec8bb5520)

When we free cb->skb after a dump, we do it after releasing the
lock.  This means that a new dump could have started in the time
being and we'll end up freeing their skb instead of ours.

This patch saves the skb and module before we unlock so we free
the right memory.

Fixes: 16b304f3404f ("netlink: Eliminate kmalloc in netlink dump operation.")
Reported-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Change-Id: Ie2db6a32a49686c6d22c4a88c251b288343c7813
Bug: 33393474

7 years ago UPSTREAM: net: avoid signed overflows for SO_{SND|RCV}BUFFORCE
Eric Dumazet [Fri, 2 Dec 2016 17:44:53 +0000 (09:44 -0800)]
UPSTREAM: net: avoid signed overflows for SO_{SND|RCV}BUFFORCE

(cherry picked from commit b98b0bc8c431e3ceb4b26b0dfc8db509518fb290)

CAP_NET_ADMIN users should not be allowed to set negative
sk_sndbuf or sk_rcvbuf values, as it can lead to various memory
corruptions, crashes, OOM...

Note that before commit 82981930125a ("net: cleanups in
sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF
and SO_RCVBUF were vulnerable.

This needs to be backported to all known linux kernels.

Again, many thanks to syzkaller team for discovering this gem.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Change-Id: I2b621c28c02267af5b34a379b2970fe5fb61a4f6
Bug: 33363517

7 years ago MIPS: Prevent "restoration" of MSA context in non-MSA kernels
Paul Burton [Thu, 21 Apr 2016 17:04:53 +0000 (18:04 +0100)]
MIPS: Prevent "restoration" of MSA context in non-MSA kernels

commit 6533af4d4831c421cd9aa4dce7cfc19a3514cc09 upstream.

If a kernel doesn't support MSA context (ie. CONFIG_CPU_HAS_MSA=n) then
it will only keep 64 bits per FP register in thread context, and the
calls to set_fpr64 in restore_msa_extcontext will overrun the end of the
FP register context into the FCSR & MSACSR values. GCC 6.x has become
smart enough to detect this & complain like so:

    arch/mips/kernel/signal.c: In function 'protected_restore_fp_context':
    ./arch/mips/include/asm/processor.h:114:17: error: array subscript is above array bounds [-Werror=array-bounds]
      fpr->val##width[FPR_IDX(width, idx)] = val;   \
      ~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~
    ./arch/mips/include/asm/processor.h:118:1: note: in expansion of macro 'BUILD_FPR_ACCESS'
     BUILD_FPR_ACCESS(64)

The only way to trigger this code to run would be for a program to set
up an artificial extended MSA context structure following a sigframe &
execute sigreturn. Whilst this doesn't allow a program to write to any
state that it couldn't already, it makes little sense to allow this
"restoration" of MSA context in a system that doesn't support MSA.

Fix this by killing a program with SIGSYS if it tries something as crazy
as "restoring" fake MSA context in this way, also fixing the build error
& allowing for most of restore_msa_extcontext to be optimised out of
kernels without support for MSA.

Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Reported-by: Michal Toman <michal.toman@imgtec.com>
Fixes: bf82cb30c7e5 ("MIPS: Save MSA extended context around signals")
Tested-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: Michal Toman <michal.toman@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/13164/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years ago net: socket: don't set sk_uid to garbage value in ->setattr()
Eric Biggers [Fri, 30 Dec 2016 23:42:32 +0000 (17:42 -0600)]
net: socket: don't set sk_uid to garbage value in ->setattr()

->setattr() was recently implemented for socket files to sync the socket
inode's uid to the new 'sk_uid' member of struct sock.  It does this by
copying over the ia_uid member of struct iattr.  However, ia_uid is
actually only valid when ATTR_UID is set in ia_valid, indicating that
the uid is being changed, e.g. by chown.  Other metadata operations such
as chmod or utimes leave ia_uid uninitialized.  Therefore, sk_uid could
be set to a "garbage" value from the stack.

Fix this by only copying the uid over when ATTR_UID is set.

[cherry-pick of net e1a3a60a2ebe991605acb14cd58e39c0545e174e]

Bug: 16355602
Change-Id: I20e53848e54282b72a388ce12bfa88da5e3e9efe
Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Tested-by: Lorenzo Colitti <lorenzo@google.com>
Acked-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
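
Added example (not part of the commit or of the kernel tree): a user-space C model of the rule stated in the sk_uid commit message above, that `ia_uid` is meaningful only when the UID bit is set in `ia_valid`, with the unchecked copy beside the checked one. The `M_ATTR_*` bits, `struct miattr`, `struct model_sock` and the `STACK_GARBAGE` sentinel are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Model validity bits: names and values are local to this example. */
#define M_ATTR_MODE (1u << 0)
#define M_ATTR_UID  (1u << 1)

/* Constructed stand-in for whatever an unfilled stack slot happens to hold. */
#define STACK_GARBAGE 0xdeadbeefu

struct miattr {
	unsigned int ia_valid;	/* which of the fields below the caller filled in */
	unsigned int ia_mode;
	uint32_t ia_uid;
};

struct model_sock { uint32_t sk_uid; };

typedef void (*setattr_fn)(struct model_sock *, const struct miattr *);

/* Before the fix: copies ia_uid no matter what ia_valid says. */
static void setattr_unchecked(struct model_sock *sk, const struct miattr *ia)
{
	sk->sk_uid = ia->ia_uid;
}

/* After the fix: copies ia_uid only when the caller marked it valid. */
static void setattr_checked(struct model_sock *sk, const struct miattr *ia)
{
	if (ia->ia_valid & M_ATTR_UID)
		sk->sk_uid = ia->ia_uid;
}

/* chmod-style request: only the mode is filled in, ia_uid is left as found. */
static struct miattr chmod_attr(unsigned int mode)
{
	struct miattr ia = { M_ATTR_MODE, mode, STACK_GARBAGE };
	return ia;
}

/* chown-style request: the uid is filled in and flagged as valid. */
static struct miattr chown_attr(uint32_t uid)
{
	struct miattr ia = { M_ATTR_UID, 0, uid };
	return ia;
}

/* Apply one request to a socket owned by uid 1000 and return the new sk_uid. */
static uint32_t uid_after(setattr_fn setattr, struct miattr ia)
{
	struct model_sock sk = { 1000 };

	setattr(&sk, &ia);
	return sk.sk_uid;
}

int main(void)
{
	printf("unchecked, chmod: sk_uid=%#x\n",
	       (unsigned int)uid_after(setattr_unchecked, chmod_attr(0600)));
	printf("checked,   chmod: sk_uid=%u\n",
	       (unsigned int)uid_after(setattr_checked, chmod_attr(0600)));
	printf("checked,   chown: sk_uid=%u\n",
	       (unsigned int)uid_after(setattr_checked, chown_attr(2000)));
	return 0;
}
```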
7 years ago ANDROID: configs: CONFIG_ARM64_SW_TTBR0_PAN=y
Sami Tolvanen [Wed, 4 Jan 2017 17:11:04 +0000 (09:11 -0800)]
ANDROID: configs: CONFIG_ARM64_SW_TTBR0_PAN=y

Bug: 31432001
Change-Id: Ia72c3aa70a463d3a7f52b76e5082520aa328d29b
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
7 years ago UPSTREAM: arm64: Disable PAN on uaccess_enable()
Marc Zyngier [Mon, 12 Dec 2016 13:50:26 +0000 (13:50 +0000)]
UPSTREAM: arm64: Disable PAN on uaccess_enable()

Commit 4b65a5db3627 ("arm64: Introduce uaccess_{disable,enable}
functionality based on TTBR0_EL1") added conditional user access
enable/disable. Unfortunately, a typo prevents the PAN bit from being
cleared for user access functions.

Restore the PAN functionality by adding the missing '!'.

Fixes: b65a5db3627 ("arm64: Introduce uaccess_{disable,enable} functionality based on TTBR0_EL1")
Reported-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Bug: 31432001
Change-Id: If61cb6cc756affc7df7fa06213723a8b96eb1e80
(cherry picked from commit 75037120e62b58c536999eb23d70cfcb6d6c0bcc)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
7 years ago UPSTREAM: arm64: Enable CONFIG_ARM64_SW_TTBR0_PAN
Catalin Marinas [Fri, 1 Jul 2016 17:25:31 +0000 (18:25 +0100)]
UPSTREAM: arm64: Enable CONFIG_ARM64_SW_TTBR0_PAN

This patch adds the Kconfig option to enable support for TTBR0 PAN
emulation. The option is default off because of a slight performance hit
when enabled, caused by the additional TTBR0_EL1 switching during user
access operations or exception entry/exit code.

Cc: Will Deacon <will.deacon@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Bug: 31432001
Change-Id: I2f0b5f332e3c56ea0453ff69826525dec49f034b
(cherry picked from commit ba42822af1c287f038aa550f3578c61c212a892e)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
7 years ago UPSTREAM: arm64: xen: Enable user access before a privcmd hvc call
Catalin Marinas [Tue, 5 Jul 2016 11:25:15 +0000 (12:25 +0100)]
UPSTREAM: arm64: xen: Enable user access before a privcmd hvc call

Privcmd calls are issued by the userspace. The kernel needs to enable
access to TTBR0_EL1 as the hypervisor would issue stage 1 translations
to user memory via AT instructions. Since AT instructions are not
affected by the PAN bit (ARMv8.1), we only need the explicit
uaccess_enable/disable if the TTBR0 PAN option is enabled.

Reviewed-by: Julien Grall <julien.grall@arm.com>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
Cc: Will Deacon <will.deacon@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Bug: 31432001
Change-Id: I64d827923d869c1868702c8a18efa99ea91d3151
(cherry picked from commit 9cf09d68b89ae5fe0261dcc69464bcc676900af6)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
7 years ago UPSTREAM: arm64: Handle faults caused by inadvertent user access with PAN enabled
Catalin Marinas [Fri, 1 Jul 2016 17:22:39 +0000 (18:22 +0100)]
UPSTREAM: arm64: Handle faults caused by inadvertent user access with PAN enabled

When TTBR0_EL1 is set to the reserved page, an erroneous kernel access
to user space would generate a translation fault. This patch adds the
checks for the software-set PSR_PAN_BIT to emulate a permission fault
and report it accordingly.

Cc: Will Deacon <will.deacon@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Bug: 31432001
Change-Id: I87e48f6075f84878e4d26d4fadf6eaac49d2cb4e
(cherry picked from commit 786889636ad75296c213547d1ca656af4c59f390)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
7 years ago BACKPORT: arm64: Disable TTBR0_EL1 during normal kernel execution
Catalin Marinas [Fri, 2 Sep 2016 13:54:03 +0000 (14:54 +0100)]
BACKPORT: arm64: Disable TTBR0_EL1 during normal kernel execution

When the TTBR0 PAN feature is enabled, the kernel entry points need to
disable access to TTBR0_EL1. The PAN status of the interrupted context
is stored as part of the saved pstate, reusing the PSR_PAN_BIT (22).
Restoring access to TTBR0_EL1 is done on exception return if returning
to user or returning to a context where PAN was disabled.

Context switching via switch_mm() must defer the update of TTBR0_EL1
until a return to user or an explicit uaccess_enable() call.

Special care needs to be taken for two cases where TTBR0_EL1 is set
outside the normal kernel context switch operation: EFI run-time
services (via efi_set_pgd) and CPU suspend (via cpu_(un)install_idmap).
Code has been added to avoid deferred TTBR0_EL1 switching as in
switch_mm() and restore the reserved TTBR0_EL1 when uninstalling the
special TTBR0_EL1.

User cache maintenance (user_cache_maint_handler and
__flush_cache_user_range) needs the TTBR0_EL1 re-instated since the
operations are performed by user virtual address.

This patch also removes a stale comment on the switch_mm() function.

Cc: Will Deacon <will.deacon@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Bug: 31432001
Change-Id: I85a49f70e13b153b9903851edf56f6531c14e6de
(cherry picked from commit 39bc88e5e38e9b213bd7d833ce0df6ec029761ad)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
7 years ago BACKPORT: arm64: Introduce uaccess_{disable,enable} functionality based on TTBR0_EL1
Catalin Marinas [Fri, 1 Jul 2016 15:53:00 +0000 (16:53 +0100)]
BACKPORT: arm64: Introduce uaccess_{disable,enable} functionality based on TTBR0_EL1

This patch adds the uaccess macros/functions to disable access to user
space by setting TTBR0_EL1 to a reserved zeroed page. Since the value
written to TTBR0_EL1 must be a physical address, for simplicity this
patch introduces a reserved_ttbr0 page at a constant offset from
swapper_pg_dir. The uaccess_disable code uses the ttbr1_el1 value
adjusted by the reserved_ttbr0 offset.

Enabling access to user is done by restoring TTBR0_EL1 with the value
from the struct thread_info ttbr0 variable. Interrupts must be disabled
during the uaccess_ttbr0_enable code to ensure the atomicity of the
thread_info.ttbr0 read and TTBR0_EL1 write. This patch also moves the
get_thread_info asm macro from entry.S to assembler.h for reuse in the
uaccess_ttbr0_* macros.

Cc: Will Deacon <will.deacon@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Bug: 31432001
Change-Id: I54ada623160cb47f5762e0e39a5e84a75252dbfd
(cherry picked from commit 4b65a5db362783ab4b04ca1c1d2ad70ed9b0ba2a)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
7 years ago BACKPORT: arm64: Factor out TTBR0_EL1 post-update workaround into a specific asm...
Catalin Marinas [Fri, 1 Jul 2016 14:48:55 +0000 (15:48 +0100)]
BACKPORT: arm64: Factor out TTBR0_EL1 post-update workaround into a specific asm macro

This patch takes the errata workaround code out of cpu_do_switch_mm into
a dedicated post_ttbr0_update_workaround macro which will be reused in a
subsequent patch.

Cc: Will Deacon <will.deacon@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Kees Cook <keescook@chromium.org>
Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Bug: 31432001
Change-Id: I2b45b11ab7390c3545b9e162532109c1526bef14
(cherry picked from commit f33bcf03e6079668da6bf4eec4a7dcf9289131d0)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
7 years ago BACKPORT: arm64: Factor out PAN enabling/disabling into separate uaccess_* macros
Catalin Marinas [Fri, 1 Jul 2016 13:58:21 +0000 (14:58 +0100)]
BACKPORT: arm64: Factor out PAN enabling/disabling into separate uaccess_* macros

This patch moves the directly coded alternatives for turning PAN on/off
into separate uaccess_{enable,disable} macros or functions. The asm
macros take a few arguments which will be used in subsequent patches.

Note that any (unlikely) access that the compiler might generate between
uaccess_enable() and uaccess_disable(), other than those explicitly
specified by the user access code, will not be protected by PAN.

Cc: Will Deacon <will.deacon@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Kees Cook <keescook@chromium.org>
Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Bug: 31432001
Change-Id: I75a410139d0756edab3210ee091fa5d047a22e04
(cherry picked from commit bd38967d406fb4f9fca67d612db71b5d74cfb0f5)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
7 years ago UPSTREAM: arm64: alternative: add auto-nop infrastructure
Mark Rutland [Wed, 7 Sep 2016 10:07:08 +0000 (11:07 +0100)]
UPSTREAM: arm64: alternative: add auto-nop infrastructure

In some cases, one side of an alternative sequence is simply a number of
NOPs used to balance the other side. Keeping track of this manually is
tedious, and the presence of large chains of NOPs makes the code more
painful to read than necessary.

To ameliorate matters, this patch adds a new alternative_else_nop_endif,
which automatically balances an alternative sequence with a trivial NOP
sled.

In many cases, we would like a NOP-sled in the default case, and
instructions patched in in the presence of a feature. To enable the NOPs
to be generated automatically for this case, this patch also adds a new
alternative_if, and updates alternative_else and alternative_endif to
work with either alternative_if or alternative_endif.

Cc: Andre Przywara <andre.przywara@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Dave Martin <dave.martin@arm.com>
Cc: James Morse <james.morse@arm.com>
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
[will: use new nops macro to generate nop sequences]
Signed-off-by: Will Deacon <will.deacon@arm.com>
Bug: 31432001
Change-Id: I28d8aae073e113048577c41cfe27c91215fb4cf3
(cherry picked from commit 792d47379f4d4c76692f1795f33d38582f8907fa)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
7 years ago UPSTREAM: arm64: barriers: introduce nops and __nops macros for NOP sequences
Will Deacon [Tue, 6 Sep 2016 15:40:23 +0000 (16:40 +0100)]
UPSTREAM: arm64: barriers: introduce nops and __nops macros for NOP sequences

NOP sequences tend to get used for padding out alternative sections
and uarch-specific pipeline flushes in errata workarounds.

This patch adds macros for generating these sequences as both inline
asm blocks, but also as strings suitable for embedding in other asm
blocks directly.

Signed-off-by: Will Deacon <will.deacon@arm.com>
Bug: 31432001
Change-Id: I7f82b677a065ede302a763d39ffcc3fef83f8fbe
(cherry picked from commit f99a250cb6a3b301b101b4c0f5fcb80593bba6dc)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
7 years ago Revert "FROMLIST: arm64: Factor out PAN enabling/disabling into separate uaccess_...
Sami Tolvanen [Wed, 14 Dec 2016 20:32:56 +0000 (12:32 -0800)]
Revert "FROMLIST: arm64: Factor out PAN enabling/disabling into separate uaccess_* macros"

This reverts commit 23368b642deb01ac6ce668ec1dedfcc0cab25c71.

Bug: 31432001
Change-Id: Ia59e5fc75ef905b89d5f9194f1e762c1e5eff5bf
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
7 years ago Revert "FROMLIST: arm64: Factor out TTBR0_EL1 post-update workaround into a specific...
Sami Tolvanen [Wed, 14 Dec 2016 20:32:46 +0000 (12:32 -0800)]
Revert "FROMLIST: arm64: Factor out TTBR0_EL1 post-update workaround into a specific asm macro"

This reverts commit 3b66929169de053042d47e482dd5748794756153.

Bug: 31432001
Change-Id: Ib38fcf553ca2077531cbf550fbaa75378a8723c5
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
7 years ago Revert "FROMLIST: arm64: Introduce uaccess_{disable,enable} functionality based on...
Sami Tolvanen [Wed, 14 Dec 2016 20:32:37 +0000 (12:32 -0800)]
Revert "FROMLIST: arm64: Introduce uaccess_{disable,enable} functionality based on TTBR0_EL1"

This reverts commit 1911d36b27ba58ee18592df25b7ee636d4d4c41d.

Bug: 31432001
Change-Id: Iee77eed8454f379b948dbbaf65c105952ea30bef
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
7 years ago Revert "FROMLIST: arm64: Disable TTBR0_EL1 during normal kernel execution"
Sami Tolvanen [Wed, 14 Dec 2016 20:32:25 +0000 (12:32 -0800)]
Revert "FROMLIST: arm64: Disable TTBR0_EL1 during normal kernel execution"

This reverts commit 5775ca34829caf0664c8ccc02fd0e93cb6022e0f.

Bug: 31432001
Change-Id: I9b07c2f01bc2bcfed51f60ab487034639f5e1960
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
7 years ago Revert "FROMLIST: arm64: Handle faults caused by inadvertent user access with PAN...
Sami Tolvanen [Wed, 14 Dec 2016 20:32:16 +0000 (12:32 -0800)]
Revert "FROMLIST: arm64: Handle faults caused by inadvertent user access with PAN enabled"

This reverts commit 5dc2b7c7bb33138270ff9494be6cf334bd3d20e1.

Bug: 31432001
Change-Id: I384a9af199f502f8fa3ae3733db67a4c547dbd55
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
7 years ago Revert "FROMLIST: arm64: xen: Enable user access before a privcmd hvc call"
Sami Tolvanen [Wed, 14 Dec 2016 20:32:07 +0000 (12:32 -0800)]
Revert "FROMLIST: arm64: xen: Enable user access before a privcmd hvc call"

This reverts commit 4dbc88bd2b6a74fd33483ee2593dcf2bd858eabe.

Bug: 31432001
Change-Id: I2c3d591a2c631e7ff02c0bcb91624735e8c12f0a
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
7 years ago Revert "FROMLIST: arm64: Enable CONFIG_ARM64_SW_TTBR0_PAN"
Sami Tolvanen [Wed, 14 Dec 2016 20:31:55 +0000 (12:31 -0800)]
Revert "FROMLIST: arm64: Enable CONFIG_ARM64_SW_TTBR0_PAN"

This reverts commit 67cd3bda54dadba4f8892105adf9c2f3982bfa0a.

Bug: 31432001
Change-Id: I1e5836ce0b41b2262d95c5c4c49ace3b96ae0b1f
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
7 years ago ANDROID: sched/walt: fix build failure if FAIR_GROUP_SCHED=n
Amit Pundir [Mon, 2 Jan 2017 14:48:05 +0000 (20:18 +0530)]
ANDROID: sched/walt: fix build failure if FAIR_GROUP_SCHED=n

Fix SCHED_WALT dependency on FAIR_GROUP_SCHED; otherwise we run
into the following build failure:

  CC      kernel/sched/walt.o
kernel/sched/walt.c: In function 'walt_inc_cfs_cumulative_runnable_avg':
kernel/sched/walt.c:148:8: error: 'struct cfs_rq' has no member named 'cumulative_runnable_avg'
  cfs_rq->cumulative_runnable_avg += p->ravg.demand;
        ^
kernel/sched/walt.c: In function 'walt_dec_cfs_cumulative_runnable_avg':
kernel/sched/walt.c:154:8: error: 'struct cfs_rq' has no member named 'cumulative_runnable_avg'
  cfs_rq->cumulative_runnable_avg -= p->ravg.demand;
        ^

Reported-at: https://bugs.linaro.org/show_bug.cgi?id=2793
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
7 years ago ANDROID: trace: net: use %pK for kernel pointers
mukesh agrawal [Tue, 12 Jul 2016 18:28:05 +0000 (11:28 -0700)]
ANDROID: trace: net: use %pK for kernel pointers

We want to use network trace events in production
builds, to help diagnose Wifi problems. However, we
don't want to expose raw kernel pointers in such
builds.

Change the format specifier for the skbaddr field,
so that, if kptr_restrict is enabled, the pointers
will be reported as 0.

Bug: 30090733
Change-Id: Ic4bd583d37af6637343601feca875ee24479ddff
Signed-off-by: mukesh agrawal <quiche@google.com>
7 years ago ANDROID: android-base: Enable QUOTA related configs
Jin Qian [Tue, 20 Dec 2016 19:08:34 +0000 (11:08 -0800)]
ANDROID: android-base: Enable QUOTA related configs

Bug: 33757366
Change-Id: Iec4f55c3ca4a16dbc8695054f481d9261c56d0f6

7 years ago net: ipv4: Don't crash if passing a null sk to ip_rt_update_pmtu.
Lorenzo Colitti [Tue, 29 Nov 2016 17:56:47 +0000 (02:56 +0900)]
net: ipv4: Don't crash if passing a null sk to ip_rt_update_pmtu.

Commit e2d118a1cb5e ("net: inet: Support UID-based routing in IP
protocols.") made __build_flow_key call sock_net(sk) to determine
the network namespace of the passed-in socket. This crashes if sk
is NULL.

Fix this by getting the network namespace from the skb instead.

Bug: 16355602
Change-Id: I27161b70f448bb95adce3994a97920d54987ce4e
Fixes: e2d118a1cb5e ("net: inet: Support UID-based routing in IP protocols.")
Reported-by: Erez Shitrit <erezsh@dev.mellanox.co.il>
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago net: inet: Support UID-based routing in IP protocols.
Lorenzo Colitti [Thu, 3 Nov 2016 17:23:43 +0000 (02:23 +0900)]
net: inet: Support UID-based routing in IP protocols.

- Use the UID in routing lookups made by protocol connect() and
  sendmsg() functions.
- Make sure that routing lookups triggered by incoming packets
  (e.g., Path MTU discovery) take the UID of the socket into
  account.
- For packets not associated with a userspace socket, (e.g., ping
  replies) use UID 0 inside the user namespace corresponding to
  the network namespace the socket belongs to. This allows
  all namespaces to apply routing and iptables rules to
  kernel-originated traffic in that namespace by matching UID 0.
  This is better than using the UID of the kernel socket that is
  sending the traffic, because the UID of kernel sockets created
  at namespace creation time (e.g., the per-processor ICMP and
  TCP sockets) is the UID of the user that created the socket,
  which might not be mapped in the namespace.

Bug: 16355602
Change-Id: I910504b508948057912bc188fd1e8aca28294de3
Tested: compiles allnoconfig, allyesconfig, allmodconfig
Tested: https://android-review.googlesource.com/253302
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago net: core: add UID to flows, rules, and routes
Lorenzo Colitti [Thu, 3 Nov 2016 17:23:42 +0000 (02:23 +0900)]
net: core: add UID to flows, rules, and routes

- Define a new FIB rule attribute, FRA_UID_RANGE, to describe a
  range of UIDs.
- Define a RTA_UID attribute for per-UID route lookups and dumps.
- Support passing these attributes to and from userspace via
  rtnetlink. The value INVALID_UID indicates no UID was
  specified.
- Add a UID field to the flow structures.

Bug: 16355602
Change-Id: Iea98e6fedd0fd4435a1f4efa3deb3629505619ab
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago net: core: Add a UID field to struct sock.
Lorenzo Colitti [Thu, 3 Nov 2016 17:23:41 +0000 (02:23 +0900)]
net: core: Add a UID field to struct sock.

Protocol sockets (struct sock) don't have UIDs, but most of the
time, they map 1:1 to userspace sockets (struct socket) which do.

Various operations such as the iptables xt_owner match need
access to the "UID of a socket", and do so by following the
backpointer to the struct socket. This involves taking
sk_callback_lock and doesn't work when there is no socket
because userspace has already called close().

Simplify this by adding a sk_uid field to struct sock whose value
matches the UID of the corresponding struct socket. The semantics
are as follows:

1. Whenever sk_socket is non-null: sk_uid is the same as the UID
   in sk_socket, i.e., matches the return value of sock_i_uid.
   Specifically, the UID is set when userspace calls socket(),
   fchown(), or accept().
2. When sk_socket is NULL, sk_uid is defined as follows:
   - For a socket that no longer has a sk_socket because
     userspace has called close(): the previous UID.
   - For a cloned socket (e.g., an incoming connection that is
     established but on which userspace has not yet called
     accept): the UID of the socket it was cloned from.
   - For a socket that has never had an sk_socket: UID 0 inside
     the user namespace corresponding to the network namespace
     the socket belongs to.

Kernel sockets created by sock_create_kern are a special case
of #1 and sk_uid is the user that created them. For kernel
sockets created at network namespace creation time, such as the
per-processor ICMP and TCP sockets, this is the user that created
the network namespace.

Bug: 16355602
Change-Id: Idbc3e9a0cec91c4c6e01916b967b6237645ebe59
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago Revert "net: core: Support UID-based routing."
Lorenzo Colitti [Mon, 12 Dec 2016 02:41:11 +0000 (11:41 +0900)]
Revert "net: core: Support UID-based routing."

This reverts commit fd2cf795f3ab193752781be7372949ac1780d0ed.

Bug: 16355602
Change-Id: I1ec2d1eb3d53f4186b60c6ca5d6a20fcca46d442

7 years ago UPSTREAM: efi/arm64: Don't apply MEMBLOCK_NOMAP to UEFI memory map mapping
Ard Biesheuvel [Wed, 30 Mar 2016 07:46:23 +0000 (09:46 +0200)]
UPSTREAM: efi/arm64: Don't apply MEMBLOCK_NOMAP to UEFI memory map mapping

(Cherry picked from commit 7cc8cbcf82d165dd658d89a7a287140948e76413)

Commit 4dffbfc48d65 ("arm64/efi: mark UEFI reserved regions as
MEMBLOCK_NOMAP") updated the mapping logic of both the RuntimeServices
regions as well as the kernel's copy of the UEFI memory map to set the
MEMBLOCK_NOMAP flag, which causes these regions to be omitted from the
kernel direct mapping, and from being covered by a struct page.
For the RuntimeServices regions, this is an obvious win, since the contents
of these regions have significance to the firmware executable code itself,
and are mapped in the EFI page tables using attributes that are described in
the UEFI memory map, and which may differ from the attributes we use for
mapping system RAM. It also prevents the contents from being modified
inadvertently, since the EFI page tables are only live during runtime
service invocations.

None of these concerns apply to the allocation that covers the UEFI memory
map, since it is entirely owned by the kernel. Setting the MEMBLOCK_NOMAP on
the region did allow us to use ioremap_cache() to map it both on arm64 and
on ARM, since the latter does not allow ioremap_cache() to be used on
regions that are covered by a struct page.

The ioremap_cache() on ARM restriction will be lifted in the v4.7 timeframe,
but in the meantime, it has been reported that commit 4dffbfc48d65 causes
a regression on 64k granule kernels. This is due to the fact that, given
the 64 KB page size, the region that we end up removing from the kernel
direct mapping is rounded up to 64 KB, and this 64 KB page frame may be
shared with the initrd when booting via GRUB (which does not align its
EFI_LOADER_DATA allocations to 64 KB like the stub does). This will crash
the kernel as soon as it tries to access the initrd.

Since the issue is specific to arm64, revert back to memblock_reserve()'ing
the UEFI memory map when running on arm64. This is a temporary fix for v4.5
and v4.6, and will be superseded in the v4.7 timeframe when we will be able
to move back to memblock_reserve() unconditionally.

Fixes: 4dffbfc48d65 ("arm64/efi: mark UEFI reserved regions as MEMBLOCK_NOMAP")
Reported-by: Mark Salter <msalter@redhat.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Will Deacon <will.deacon@arm.com>
Cc: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Jeremy Linton <jeremy.linton@arm.com>
Cc: Mark Langsdorf <mlangsdo@redhat.com>
Cc: <stable@vger.kernel.org> # v4.5
Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
Fixes: Change-Id: Ia3ce78f40f8d41a9afdd42238fe9cbfd81bbff08
       ("UPSTREAM: arm64/efi: mark UEFI reserved regions as MEMBLOCK_NOMAP")
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
7 years ago UPSTREAM: arm64: mm: always take dirty state from new pte in ptep_set_access_flags
Will Deacon [Tue, 7 Jun 2016 16:55:15 +0000 (17:55 +0100)]
UPSTREAM: arm64: mm: always take dirty state from new pte in ptep_set_access_flags

(Cherry picked from commit 0106d456c4cb1770253fefc0ab23c9ca760b43f7)

Commit 66dbd6e61a52 ("arm64: Implement ptep_set_access_flags() for
hardware AF/DBM") ensured that pte flags are updated atomically in the
face of potential concurrent, hardware-assisted updates. However, Alex
reports that:

 | This patch breaks swapping for me.
 | In the broken case, you'll see either systemd cpu time spike (because
 | it's stuck in a page fault loop) or the system hang (because the
 | application owning the screen is stuck in a page fault loop).

It turns out that this is because the 'dirty' argument to
ptep_set_access_flags is always 0 for read faults, and so we can't use
it to set PTE_RDONLY. The failing sequence is:

  1. We put down a PTE_WRITE | PTE_DIRTY | PTE_AF pte
  2. Memory pressure -> pte_mkold(pte) -> clear PTE_AF
  3. A read faults due to the missing access flag
  4. ptep_set_access_flags is called with dirty = 0, due to the read fault
  5. pte is then made PTE_WRITE | PTE_DIRTY | PTE_AF | PTE_RDONLY (!)
  6. A write faults, but pte_write is true so we get stuck

The solution is to check the new page table entry (as would be done by
the generic, non-atomic definition of ptep_set_access_flags that just
calls set_pte_at) to establish the dirty state.

Cc: <stable@vger.kernel.org> # 4.3+
Fixes: 66dbd6e61a52 ("arm64: Implement ptep_set_access_flags() for hardware AF/DBM")
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Reported-by: Alexander Graf <agraf@suse.de>
Tested-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Fixes: Change-Id: Id2a0b0d8eb6e7df6325ecb48b88b8401a5dd09e5
       ("UPSTREAM: arm64: Implement ptep_set_access_flags() for hardware AF/DBM")
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
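The six-step failing sequence in the commit message above can be replayed with a small user-space model. This is an added example, not the kernel's code: the flag bit positions, the function names, and the rule that the MMU rejects writes while PTE_RDONLY is set (no hardware dirty-bit management) are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint64_t pteval_t;

/* Flag bits for this model; positions are assumptions, not taken from the page. */
#define PTE_RDONLY (1ULL << 7)
#define PTE_AF     (1ULL << 10)
#define PTE_WRITE  (1ULL << 51)
#define PTE_DIRTY  (1ULL << 55)

/* Software view: the fault handler treats the page as writable. */
static int pte_write(pteval_t pte)
{
    return (pte & PTE_WRITE) != 0;
}

/* Model assumption: the MMU refuses a write while PTE_RDONLY is set. */
static int hw_write_allowed(pteval_t pte)
{
    return pte_write(pte) && !(pte & PTE_RDONLY);
}

/* Shared update: keep AF/WRITE/DIRTY from the new entry, then decide RDONLY. */
static pteval_t apply_flags(pteval_t old, pteval_t entry, int rdonly)
{
    entry &= PTE_AF | PTE_WRITE | PTE_DIRTY;
    if (rdonly)
        entry |= PTE_RDONLY;
    return (old & ~PTE_RDONLY) | entry;
}

/* Behaviour the commit message reports as broken: RDONLY follows the
 * 'dirty' argument, which is 0 for every read fault. */
static pteval_t set_access_flags_dirty_arg(pteval_t old, pteval_t entry, int dirty)
{
    return apply_flags(old, entry, !pte_write(entry) || !dirty);
}

/* Fix described in the commit message: take the dirty state from the new pte. */
static pteval_t set_access_flags_new_pte(pteval_t old, pteval_t entry, int dirty)
{
    (void)dirty; /* no longer consulted */
    return apply_flags(old, entry, !pte_write(entry) || !(entry & PTE_DIRTY));
}

typedef pteval_t (*set_flags_fn)(pteval_t, pteval_t, int);

/* Replays steps 1-6. Returns 1 when a later write can never make progress:
 * hardware faults on the write, yet software sees pte_write() as true. */
static int write_fault_stuck(set_flags_fn set_flags, pteval_t *final_pte)
{
    pteval_t pte = PTE_WRITE | PTE_DIRTY | PTE_AF;  /* step 1 */
    pte &= ~PTE_AF;                                 /* step 2: pte_mkold() */
    pteval_t entry = pte | PTE_AF;                  /* step 3: read fault, mark young */
    pte = set_flags(pte, entry, 0);                 /* steps 4-5: dirty = 0 */
    if (final_pte)
        *final_pte = pte;
    return pte_write(pte) && !hw_write_allowed(pte); /* step 6 */
}

int main(void)
{
    pteval_t before, after;
    int stuck_before = write_fault_stuck(set_access_flags_dirty_arg, &before);
    int stuck_after = write_fault_stuck(set_access_flags_new_pte, &after);

    printf("dirty argument: pte=%#llx stuck=%d\n",
           (unsigned long long)before, stuck_before);
    printf("new pte state : pte=%#llx stuck=%d\n",
           (unsigned long long)after, stuck_after);
    return 0;
}
```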
7 years ago UPSTREAM: arm64: Implement pmdp_set_access_flags() for hardware AF/DBM
Catalin Marinas [Thu, 5 May 2016 09:44:00 +0000 (10:44 +0100)]
UPSTREAM: arm64: Implement pmdp_set_access_flags() for hardware AF/DBM

(Cherry picked from commit 282aa7051b0169991b34716f0f22d9c2f59c46c4)

The update to the accessed or dirty states for block mappings must be
done atomically on hardware with support for automatic AF/DBM. The
ptep_set_access_flags() function has been fixed as part of commit
66dbd6e61a52 ("arm64: Implement ptep_set_access_flags() for hardware
AF/DBM"). This patch brings pmdp_set_access_flags() in line with the pte
counterpart.

Fixes: 2f4b829c625e ("arm64: Add support for hardware updates of the access and dirty pte bits")
Cc: <stable@vger.kernel.org> # 4.4.x: 66dbd6e61a52: arm64: Implement ptep_set_access_flags() for hardware AF/DBM
Cc: <stable@vger.kernel.org> # 4.3+
Reviewed-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
7 years ago UPSTREAM: arm64: Fix typo in the pmdp_huge_get_and_clear() definition
Catalin Marinas [Thu, 5 May 2016 09:43:59 +0000 (10:43 +0100)]
UPSTREAM: arm64: Fix typo in the pmdp_huge_get_and_clear() definition

(Cherry picked from commit 911f56eeb87ee378f5e215469268a7a2f68a5a8a)

With hardware AF/DBM support, pmd modifications (transparent huge pages)
should be performed atomically using load/store exclusive. The initial
patches defined the get-and-clear function and __HAVE_ARCH_* macro
without the "huge" word, leaving the pmdp_huge_get_and_clear() to the
default, non-atomic implementation.

Fixes: 2f4b829c625e ("arm64: Add support for hardware updates of the access and dirty pte bits")
Cc: <stable@vger.kernel.org> # 4.3+
Reviewed-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
7 years ago UPSTREAM: arm64: enable CONFIG_DEBUG_RODATA by default
Ard Biesheuvel [Thu, 3 Mar 2016 14:10:59 +0000 (15:10 +0100)]
UPSTREAM: arm64: enable CONFIG_DEBUG_RODATA by default

(Cherry picked from commit 57efac2f7108e3255d0dfe512290c9896f4ed55f)

In spite of its name, CONFIG_DEBUG_RODATA is an important hardening feature
for production kernels, and distros all enable it by default in their
kernel configs. However, since enabling it used to result in more granular,
and thus less efficient kernel mappings, it is not enabled by default for
performance reasons.

However, since commit 2f39b5f91eb4 ("arm64: mm: Mark .rodata as RO"), the
various kernel segments (.text, .rodata, .init and .data) are already
mapped individually, and the only effect of setting CONFIG_DEBUG_RODATA is
that the existing .text and .rodata mappings are updated late in the boot
sequence to have their read-only attributes set, which means that any
performance concerns related to enabling CONFIG_DEBUG_RODATA are no longer
valid.

So from now on, make CONFIG_DEBUG_RODATA default to 'y'

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
7 years ago goldfish: enable CONFIG_INET_DIAG_DESTROY
Jin Qian [Fri, 9 Dec 2016 01:06:03 +0000 (17:06 -0800)]
goldfish: enable CONFIG_INET_DIAG_DESTROY

Bug: 31648368
Change-Id: I3715cc6474129ba2176be62ed2c0a7d09a6f2ac7

7 years ago sched/walt: kill {min,max}_capacity
Juri Lelli [Tue, 6 Dec 2016 11:50:53 +0000 (11:50 +0000)]
sched/walt: kill {min,max}_capacity

{min,max}_capacity are static variables that are only updated from
__update_min_max_capacity(), but not used anywhere else.

Remove them together with the function updating them. This has also
the nice side effect of fixing a LOCKDEP warning related to locking
all CPUs in update_min_max_capacity(), as reported by Ke Wang:

[    2.853595] c0 =============================================
[    2.859219] c0 [ INFO: possible recursive locking detected ]
[    2.864852] c0 4.4.6+ #5 Tainted: G        W
[    2.869604] c0 ---------------------------------------------
[    2.875230] c0 swapper/0/1 is trying to acquire lock:
[    2.880248]  (&rq->lock){-.-.-.}, at: [<ffffff80081241cc>] cpufreq_notifier_policy+0x2e8/0x37c
[    2.888815] c0
[    2.888815] c0 but task is already holding lock:
[    2.895132]  (&rq->lock){-.-.-.}, at: [<ffffff80081241cc>] cpufreq_notifier_policy+0x2e8/0x37c
[    2.903700] c0
[    2.903700] c0 other info that might help us debug this:
[    2.910710] c0  Possible unsafe locking scenario:
[    2.910710] c0
[    2.917112] c0        CPU0
[    2.919795] c0        ----
[    2.922478]   lock(&rq->lock);
[    2.925507]   lock(&rq->lock);
[    2.928536] c0
[    2.928536] c0  *** DEADLOCK ***
[    2.928536] c0
[    2.935200] c0  May be due to missing lock nesting notation
[    2.935200] c0
[    2.942471] c0 7 locks held by swapper/0/1:
[    2.946623]  #0:  (&dev->mutex){......}, at: [<ffffff800850e118>] __driver_attach+0x64/0xb8
[    2.954931]  #1:  (&dev->mutex){......}, at: [<ffffff800850e128>] __driver_attach+0x74/0xb8
[    2.963239]  #2:  (cpu_hotplug.lock){++++++}, at: [<ffffff80080cb218>] get_online_cpus+0x48/0xa8
[    2.971979]  #3:  (subsys mutex#6){+.+.+.}, at: [<ffffff800850bed4>] subsys_interface_register+0x44/0xc0
[    2.981411]  #4:  (&policy->rwsem){+.+.+.}, at: [<ffffff8008720338>] cpufreq_online+0x330/0x76c
[    2.990065]  #5:  ((cpufreq_policy_notifier_list).rwsem){.+.+..}, at: [<ffffff80080f3418>] blocking_notifier_call_chain+0x38/0xc4
[    3.001661]  #6:  (&rq->lock){-.-.-.}, at: [<ffffff80081241cc>] cpufreq_notifier_policy+0x2e8/0x37c
[    3.010661] c0
[    3.010661] c0 stack backtrace:
[    3.015514] c0 CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W 4.4.6+ #5
[    3.022864] c0 Hardware name: Spreadtrum SP9860g Board (DT)
[    3.028402] c0 Call trace:
[    3.031092] c0 [<ffffff800808b50c>] dump_backtrace+0x0/0x210
[    3.036716] c0 [<ffffff800808b73c>] show_stack+0x20/0x28
[    3.041994] c0 [<ffffff8008433310>] dump_stack+0xa8/0xe0
[    3.047273] c0 [<ffffff80081349e0>] __lock_acquire+0x1e0c/0x2218
[    3.053243] c0 [<ffffff80081353c0>] lock_acquire+0xe0/0x280
[    3.058784] c0 [<ffffff8008abfdfc>] _raw_spin_lock+0x44/0x58
[    3.064407] c0 [<ffffff80081241cc>] cpufreq_notifier_policy+0x2e8/0x37c
[    3.070983] c0 [<ffffff80080f3458>] blocking_notifier_call_chain+0x78/0xc4
[    3.077820] c0 [<ffffff8008720294>] cpufreq_online+0x28c/0x76c
[    3.083618] c0 [<ffffff80087208a4>] cpufreq_add_dev+0x98/0xdc
[    3.089331] c0 [<ffffff800850bf14>] subsys_interface_register+0x84/0xc0
[    3.095907] c0 [<ffffff800871fa0c>] cpufreq_register_driver+0x168/0x28c
[    3.102486] c0 [<ffffff80087272f8>] sprd_cpufreq_probe+0x134/0x19c
[    3.108629] c0 [<ffffff8008510768>] platform_drv_probe+0x58/0xd0
[    3.114599] c0 [<ffffff800850de2c>] driver_probe_device+0x1e8/0x470
[    3.120830] c0 [<ffffff800850e168>] __driver_attach+0xb4/0xb8
[    3.126541] c0 [<ffffff800850b750>] bus_for_each_dev+0x6c/0xac
[    3.132339] c0 [<ffffff800850d6c0>] driver_attach+0x2c/0x34
[    3.137877] c0 [<ffffff800850d234>] bus_add_driver+0x210/0x298
[    3.143676] c0 [<ffffff800850f1f4>] driver_register+0x7c/0x114
[    3.149476] c0 [<ffffff8008510654>] __platform_driver_register+0x60/0x6c
[    3.156139] c0 [<ffffff8008f49f40>] sprd_cpufreq_platdrv_init+0x18/0x20
[    3.162714] c0 [<ffffff8008082a64>] do_one_initcall+0xd0/0x1d8
[    3.168514] c0 [<ffffff8008f0bc58>] kernel_init_freeable+0x1fc/0x29c
[    3.174834] c0 [<ffffff8008ab554c>] kernel_init+0x20/0x12c
[    3.180281] c0 [<ffffff8008086290>] ret_from_fork+0x10/0x40

Reported-by: Ke Wang <ke.wang@spreadtrum.com>
Signed-off-by: Juri Lelli <juri.lelli@arm.com>
7 years ago sched: fix wrong truncation of walt_avg
Ke Wang [Thu, 8 Dec 2016 06:02:10 +0000 (14:02 +0800)]
sched: fix wrong truncation of walt_avg

The result of "__entry->walt_avg = (__entry->demand << 10)" will exceed
the range of "unsigned int", which will be truncated and make the trace
look as follows:

UnityMain-4588  [004]  6029.645672: walt_update_history:  4588(UnityMain): runtime 9928307 samples 1 event 4
demand 9928307 walt 157 pelt 870 (hist: 9928307 9604307 8440077 87392 34144328) cpu 4
UnityMain-4588  [004]  6029.653658: walt_update_history:  4588(UnityMain): runtime 10000000 samples 1 event 4
demand 10000000 walt 165 pelt 886 (hist: 10000000 9955691 6549308 64000 34144328) cpu 4

Fix this by using a u64 type instead of unsigned int type and make the
trace as below:

UnityMain-4617  [004]   117.613558: walt_update_history:  4617(UnityMain): runtime 5770597 samples 1 event 4
demand 7038739 walt 720 pelt 680 (hist: 5770597 7680001 8904509 65596 156) cpu 4
UnityMain-4617  [004]   117.633560: walt_update_history:  4617(UnityMain): runtime 9911238 samples 1 event 4
demand 9911238 walt 1014 pelt 769 (hist: 9911238 5770597 7680001 0 1664188058) cpu 4

Signed-off-by: Ke Wang <ke.wang@spreadtrum.com>
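The truncation described in the commit message above can be reproduced outside the kernel. The following C program is an added example, not code from the commit: the function names are hypothetical, and the 10,000,000 ns window used as the divisor is an assumption, chosen because it reproduces the walt figures in the traces above.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: WALT window length in ns. Not stated on the page; this value
 * reproduces the "walt" column of the traces in the commit message. */
#define WINDOW_NS 10000000u

/* Before the fix: the shifted demand is held in a 32-bit unsigned int,
 * so (demand << 10) wraps modulo 2^32 before the division. */
static unsigned int walt_avg_u32(unsigned int demand)
{
    unsigned int walt_avg = demand << 10;
    return walt_avg / WINDOW_NS;
}

/* After the fix: widen to 64 bits before shifting, so no bits are lost. */
static uint64_t walt_avg_u64(unsigned int demand)
{
    uint64_t walt_avg = (uint64_t)demand << 10;
    return walt_avg / WINDOW_NS;
}

/* Returns 1 when demand << 10 no longer fits in 32 bits. */
static int shift_overflows_u32(unsigned int demand)
{
    return demand > (UINT32_MAX >> 10);
}

int main(void)
{
    /* Demand values copied from the traces in the commit message. */
    static const unsigned int demands[] = {
        9928307u, 10000000u, 7038739u, 9911238u
    };
    size_t i;

    printf("%10s %9s %9s %9s\n", "demand", "overflow", "u32 walt", "u64 walt");
    for (i = 0; i < sizeof(demands) / sizeof(demands[0]); i++) {
        unsigned int d = demands[i];
        printf("%10u %9d %9u %9llu\n", d, shift_overflows_u32(d),
               walt_avg_u32(d), (unsigned long long)walt_avg_u64(d));
    }
    return 0;
}
```

Any demand above 4194303 ns (about 4.2 ms) overflows the 32-bit intermediate, so the pre-fix trace under-reports exactly the busiest tasks.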
7 years ago build: fix build config kernel_dir
Jin Qian [Thu, 8 Dec 2016 02:11:48 +0000 (18:11 -0800)]
build: fix build config kernel_dir

Change-Id: I88b87a9c85990b12dc8174349cfc14eddfb379d2

7 years ago ANDROID: dm verity: add minimum prefetch size
Keun-young Park [Tue, 15 Nov 2016 02:25:15 +0000 (18:25 -0800)]
ANDROID: dm verity: add minimum prefetch size

- For devices like eMMC, it gives better performance to read more hash
  blocks at a time.
- For android, set it to default 128.
  For other devices, set it to 1 which is the same as now.
- saved boot-up time by 300ms in tested device

bug: 32246564

Cc: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Keun-young Park <keunyoung@google.com>
7 years ago build: add build server configs for goldfish
Jin Qian [Mon, 12 Sep 2016 22:51:35 +0000 (15:51 -0700)]
build: add build server configs for goldfish

Change-Id: Icd7a8d44df2b09394be5c6230c64ecb374cae236

7 years ago sched: tune: Fix lacking spinlock initialization
Ke Wang [Fri, 25 Nov 2016 05:38:45 +0000 (13:38 +0800)]
sched: tune: Fix lacking spinlock initialization

The spinlock used by boost_groups in sched tune must be initialized.
This commit fixes this lack and the following errors:

[    0.384739] c2 BUG: spinlock bad magic on CPU#2, swapper/2/0
[    0.390313] c2  lock: 0xffffffc15fe1fc80, .magic:00000000, .owner: <none>/-1, .owner_cpu: 0
[    0.398739] c2 CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.4.6+ #4
[    0.404816] c2 Hardware name: Spreadtrum SP9860gBoard (DT)
[    0.410462] c2 Call trace:
[    0.413159] c2 [<ffffff800808b50c>] dump_backtrace+0x0/0x210
[    0.418803] c2 [<ffffff800808b73c>] show_stack+0x20/0x28
[    0.424100] c2 [<ffffff8008433310>] dump_stack+0xa8/0xe0
[    0.429398] c2 [<ffffff8008139398>] spin_dump+0x78/0x9c
[    0.434608] c2 [<ffffff80081393ec>] spin_bug+0x30/0x3c
[    0.439644] c2 [<ffffff80081394e4>] do_raw_spin_lock+0xac/0x1b4
[    0.445639] c2 [<ffffff8008abffe4>] _raw_spin_lock_irqsave+0x58/0x68
[    0.451977] c2 [<ffffff800812a560>] schedtune_enqueue_task+0x84/0x3bc
[    0.458320] c2 [<ffffff8008111678>] enqueue_task_fair+0x438/0x208c
[    0.464487] c2 [<ffffff80080feeec>] activate_task+0x70/0xd0
[    0.470130] c2 [<ffffff80080ff4a4>] ttwu_do_activate.constprop.131+0x4c/0x98
[    0.477079] c2 [<ffffff80081005d0>] try_to_wake_up+0x254/0x54c
[    0.482899] c2 [<ffffff80081009d4>] default_wake_function+0x30/0x3c
[    0.489154] c2 [<ffffff8008122464>] autoremove_wake_function+0x3c/0x6c
[    0.495754] c2 [<ffffff8008121b70>] __wake_up_common+0x64/0xa4
[    0.501574] c2 [<ffffff8008121e9c>] __wake_up+0x48/0x60
[    0.506788] c2 [<ffffff8008150fac>] rcu_gp_kthread_wake+0x50/0x5c
[    0.512866] c2 [<ffffff8008151fec>] note_gp_changes+0xac/0xd4
[    0.518597] c2 [<ffffff8008153044>] rcu_process_callbacks+0xe8/0x93c
[    0.524940] c2 [<ffffff80080d0b84>] __do_softirq+0x24c/0x5b8
[    0.530584] c2 [<ffffff80080d1284>] irq_exit+0xc0/0xec
[    0.535623] c2 [<ffffff8008144208>] __handle_domain_irq+0x94/0xf8
[    0.541789] c2 [<ffffff8008082554>] gic_handle_irq+0x64/0xc0

Signed-off-by: Ke Wang <ke.wang@spreadtrum.com>
7 years ago UPSTREAM: trace: Update documentation for mono, mono_raw and boot clock
Joel Fernandes [Mon, 28 Nov 2016 22:35:24 +0000 (14:35 -0800)]
UPSTREAM: trace: Update documentation for mono, mono_raw and boot clock

Documentation was missing for mono and mono_raw, add them and also for
the boot clock introduced in this series.

Bug: b/33184060

Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Richard Cochran <richardcochran@gmail.com>
Cc: Prarit Bhargava <prarit@redhat.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Joel Fernandes <joelaf@google.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Acked-by: Steven Rostedt <rostedt@goodmis.org>
7 years ago UPSTREAM: trace: Add an option for boot clock as trace clock
Joel Fernandes [Mon, 28 Nov 2016 22:35:23 +0000 (14:35 -0800)]
UPSTREAM: trace: Add an option for boot clock as trace clock

Unlike monotonic clock, boot clock as a trace clock will account for
time spent in suspend, useful for tracing suspend/resume. This uses
earlier introduced infrastructure for using the fast boot clock.

Bug: b/33184060

Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Richard Cochran <richardcochran@gmail.com>
Cc: Prarit Bhargava <prarit@redhat.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Joel Fernandes <joelaf@google.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Acked-by: Steven Rostedt <rostedt@goodmis.org>
7 years ago UPSTREAM: timekeeping: Add a fast and NMI safe boot clock
Joel Fernandes [Mon, 28 Nov 2016 22:35:22 +0000 (14:35 -0800)]
UPSTREAM: timekeeping: Add a fast and NMI safe boot clock

This boot clock can be used as a tracing clock and will account for
suspend time.

To keep it NMI safe since we're accessing from tracing, we're not using a
separate timekeeper with updates to monotonic clock and boot offset
protected with seqlocks. This has the following minor side effects:

(1) It's possible that a timestamp be taken after the boot offset is updated
but before the timekeeper is updated. If this happens, the new boot offset
is added to the old timekeeping making the clock appear to update slightly
earlier:
   CPU 0                                        CPU 1
   timekeeping_inject_sleeptime64()
   __timekeeping_inject_sleeptime(tk, delta);
                                                timestamp();
   timekeeping_update(tk, TK_CLEAR_NTP...);

(2) On 32-bit systems, the 64-bit boot offset (tk->offs_boot) may be
partially updated.  Since the tk->offs_boot update is a rare event, this
should be a rare occurrence which postprocessing should be able to handle.

Bug: b/33184060

Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Richard Cochran <richardcochran@gmail.com>
Cc: Prarit Bhargava <prarit@redhat.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Joel Fernandes <joelaf@google.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
7 years ago ANDROID: goldfish_pipe: fix allmodconfig build
Jin Qian [Fri, 18 Nov 2016 19:40:40 +0000 (11:40 -0800)]
ANDROID: goldfish_pipe: fix allmodconfig build

tree:   https://android.googlesource.com/kernel/common android-4.4
head:   6297c6ba0d217d5b0998738fbfaff2f04cad77e6
commit: bc43565e1ac5ba3f204886a2275726bb4c3d44e6 [18/20] ANDROID:
goldfish_pipe: An implementation of more parallel pipe
config: i386-randconfig-s1-201646 (attached as .config)
compiler: gcc-6 (Debian 6.2.0-3) 6.2.0 20160901
reproduce:
        git checkout bc43565e1ac5ba3f204886a2275726bb4c3d44e6
        # save the attached .config to linux build tree
        make ARCH=i386

All errors (new ones prefixed by >>):

>> ERROR: "goldfish_pipe_device_deinit_v1" [drivers/platform/goldfish/goldfish_pipe_v2.ko] undefined!
>> ERROR: "goldfish_pipe_device_init_v1" [drivers/platform/goldfish/goldfish_pipe_v2.ko] undefined!
>> ERROR: "pipe_dev" [drivers/platform/goldfish/goldfish_pipe.ko] undefined!

Change-Id: Ibd51441edf82e6bb6824acc05ea795570cc374e8

7 years ago ANDROID: goldfish: goldfish_pipe: fix locking errors
Greg Hackmann [Fri, 18 Nov 2016 19:09:02 +0000 (11:09 -0800)]
ANDROID: goldfish: goldfish_pipe: fix locking errors

If the get_user_pages_fast() call in goldfish_pipe_read_write() failed,
it would return while still holding pipe->lock.

goldfish_pipe_read_write() later releases and tries to re-acquire
pipe->lock.  If the re-acquire call failed, goldfish_pipe_read_write()
would try to unlock pipe->lock on exit anyway.

This fixes the smatch messages:

drivers/platform/goldfish/goldfish_pipe.c:392 goldfish_pipe_read_write() error: double unlock 'mutex:&pipe->lock'
drivers/platform/goldfish/goldfish_pipe.c:397 goldfish_pipe_read_write() warn: inconsistent returns 'mutex:&pipe->lock'.

Change-Id: Ifd06a76b32027ca451a001704ade0c5440ed69c4
Signed-off-by: Greg Hackmann <ghackmann@google.com>
7 years ago ANDROID: video: goldfishfb: fix platform_no_drv_owner.cocci warnings
kbuild test robot [Fri, 18 Nov 2016 05:16:07 +0000 (13:16 +0800)]
ANDROID: video: goldfishfb: fix platform_no_drv_owner.cocci warnings

drivers/video/fbdev/goldfishfb.c:318:3-8: No need to set .owner here. The core will do it.

 Remove .owner field if calls are used which set it automatically

Generated by: scripts/coccinelle/api/platform_no_drv_owner.cocci

CC: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
7 years ago ANDROID: goldfish_pipe: fix call_kern.cocci warnings
Julia Lawall [Fri, 18 Nov 2016 06:26:19 +0000 (07:26 +0100)]
ANDROID: goldfish_pipe: fix call_kern.cocci warnings

Function get_free_pipe_id_locked called on line 671 inside lock on line
669 but uses GFP_KERNEL.  Replace with GFP_ATOMIC.

Generated by: scripts/coccinelle/locks/call_kern.cocci

CC: Yurii Zubrytskyi <zyy@google.com>
Signed-off-by: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
7 years ago arm64: rename ranchu defconfig to ranchu64
Jin Qian [Fri, 18 Nov 2016 01:01:43 +0000 (17:01 -0800)]
arm64: rename ranchu defconfig to ranchu64

Change-Id: Ib7cd1ef722167905957623f65c3cc064e9d5c357

7 years ago ANDROID: arch: x86: disable pic for Android toolchain
Greg Hackmann [Thu, 23 Jul 2015 17:40:57 +0000 (10:40 -0700)]
ANDROID: arch: x86: disable pic for Android toolchain

Android toolchains enable PIC, so explicitly disable it with
-fno-pic (this is the upstream gcc default)

Signed-off-by: Greg Hackmann <ghackmann@google.com>
(cherry picked from commit 892606ece2bebfa5a1ed62e9552cc973707ae9d3)

Change-Id: I1e600363e5d18e459479fe4eb23d76855e16868d

7 years ago ANDROID: goldfish_pipe: An implementation of more parallel pipe
Yurii Zubrytskyi [Fri, 29 Jul 2016 17:51:46 +0000 (10:51 -0700)]
ANDROID: goldfish_pipe: An implementation of more parallel pipe

This is a driver code for a redesigned android pipe.
Currently it works for x86 and x64 emulators with the following
performance results:
  ADB push to /dev/null,
  Ubuntu,
  400 MB file,
  times are for 1/10/100 parallel adb commands
x86 adb push: (4.4s / 11.5s / 2m10s) -> (2.8s / 6s / 51s)
x64 adb push: (7s / 15s / (too long, 6m+) -> (2.7s / 6.2s / 52s)

ADB pull and push to /data/ have the same %% of speedup
More importantly, I don't see any signs of slowdowns when
run in parallel with Antutu benchmark, so it is definitely
doing a much better job at multithreading.

The code features dynamic host detection: old emulator gets
the previous version of the pipe driver code.

Combine following patch from android-goldfish-3.10

b543285 [pipe] Increase the default pipe buffers size, make it configurable

Signed-off-by: "Yurii Zubrytskyi" <zyy@google.com>
Change-Id: I140d506204cab6e78dd503e5a43abc8886e4ffff

7 years ago ANDROID: goldfish_pipe: bugfixes and performance improvements.
Yurii Zubrytskyi [Wed, 4 May 2016 20:05:38 +0000 (13:05 -0700)]
ANDROID: goldfish_pipe: bugfixes and performance improvements.

Combine following patches from android-goldfish-3.18 branch:

c0f015a [pipe] Fix the pipe driver for x64 platform + correct pages count
48e6bf5 [pipe] Use get_use_pages_fast() which is possibly faster
fb20f13 [goldfish] More pages in goldfish pipe
f180e6d goldfish_pipe: Return from read_write on signal and EIO
3dec3b7 [pipe] Fix a minor leak in setup_access_params_addr()

Change-Id: I1041fd65d7faaec123e6cedd3dbbc5a2fbb86c4d

7 years ago ANDROID: goldfish: Add goldfish sync driver
Lingfeng Yang [Mon, 13 Jun 2016 16:24:07 +0000 (09:24 -0700)]
ANDROID: goldfish: Add goldfish sync driver

This is a kernel driver for controlling the Goldfish sync
device on the host. It is used to maintain ordering
in critical OpenGL state changes while using
GPU emulation.

The guest open()'s the Goldfish sync device to create
a context for possibly maintaining sync timeline and fences.
There is a 1:1 correspondence between such sync contexts
and OpenGL contexts in the guest that need synchronization
(which in turn, is anything involving swapping buffers,
SurfaceFlinger, or Hardware Composer).

The ioctl QUEUE_WORK takes a handle to a sync object
and attempts to tell the host GPU to wait on the sync object
and deal with signaling it. It possibly outputs
a fence FD on which the Android systems that use them
(GLConsumer, SurfaceFlinger, anything employing
EGL_ANDROID_native_fence_sync) can use to wait.

Design decisions and work log:

- New approach is to have the guest issue ioctls that
  trigger host wait, and then host increments timeline.
- We need the host's sync object handle and sync thread handle
  as the necessary information for that.
- ioctl() from guest can work simultaneously with the
  interrupt handling for commands from host.
- optimization: don't write back on timeline inc
- Change spin lock design to be much more lightweight;
  do not call sw_sync functions or loop too long
  anywhere.
- Send read/write commands in batches to minimize guest/host
  transitions.
- robustness: BUG if we will overrun the cmd buffer.
- robustness: return fd -1 if we cannot get an unused fd.
- correctness: remove global mutex
- cleanup pass done, incl. but not limited to:
    - removal of clear_upto and
    - switching to devm_***

This is part of a sequential, multi-CL change:

external/qemu:

https://android-review.googlesource.com/239442 <- host-side device's
host interface

https://android-review.googlesource.com/221593
https://android-review.googlesource.com/248563
https://android-review.googlesource.com/248564
https://android-review.googlesource.com/223032

external/qemu-android:

https://android-review.googlesource.com/238790 <- host-side device
implementation

kernel/goldfish:

https://android-review.googlesource.com/232631 <- needed
https://android-review.googlesource.com/238399 <- this CL

Also squash following bug fixes from android-goldfish-3.18 branch.

b44d486 goldfish_sync: provide a signal to detect reboot
ad1f597 goldfish_sync: fix stalls by avoiding early kfree()
de208e8 [goldfish-sync] Fix possible race between kernel and user space

Change-Id: I22f8a0e824717a7e751b1b0e1b461455501502b6

7 years ago ANDROID: goldfish: add ranchu defconfigs
Jin Qian [Fri, 7 Oct 2016 23:20:47 +0000 (16:20 -0700)]
ANDROID: goldfish: add ranchu defconfigs

Change-Id: I73ef1b132b6203ae921a1e1d4850eaadf58f8926

7 years ago ANDROID: goldfish_audio: Clear audio read buffer status after each read
Joshua Lang [Sat, 18 Jun 2016 00:30:55 +0000 (17:30 -0700)]
ANDROID: goldfish_audio: Clear audio read buffer status after each read

The buffer_status field is interrupt updated. After every read request,
the buffer_status read field should be reset so that on the next loop
iteration we don't read a stale value and read data before the
device is ready.

Signed-off-by: “Joshua Lang” <joshualang@google.com>
Change-Id: I4943d5aaada1cad9c7e59a94a87c387578dabe86

7 years ago ANDROID: goldfish_events: no extra EV_SYN; register goldfish
Lingfeng Yang [Fri, 18 Dec 2015 20:04:43 +0000 (12:04 -0800)]
ANDROID: goldfish_events: no extra EV_SYN; register goldfish

If we send SYN_REPORT on every single
multitouch event, it breaks the multitouch.

The multitouch becomes janky and
having to click 2-3 times to
do stuff (plus randomly activating notification
bars when not clicking)

If we suppress these SYN_REPORTS,
multitouch will work fine, plus the events
will have a protocol that looks nice.

In addition, we need to register Goldfish Events
as a multitouch device by issuing
input_mt_init_slots, otherwise
input_handle_abs_event in drivers/input/input.c
will silently drop all ABS_MT_SLOT events,
making it so that touches with more than 1 finger
do not work properly.

Signed-off-by: "Lingfeng Yang" <lfy@google.com>
Change-Id: Ib2350f7d1732449d246f6f0d9b7b08f02cc7c2dd
(cherry picked from commit 6cf40d0a16330e1ef42bdf07d9aba6c16ee11fbc)

7 years ago ANDROID: goldfish_fb: Set pixclock = 0
Christoffer Dall [Thu, 19 Jun 2014 14:24:04 +0000 (16:24 +0200)]
ANDROID: goldfish_fb: Set pixclock = 0

User space Android code identifies pixclock == 0 as a sign for emulation
and will set the frame rate to 60 fps when reading this value, which is
the desired outcome.

Change-Id: I759bf518bf6683446bc786bf1be3cafa02dd8d42
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
7 years ago ANDROID: goldfish: Enable ACPI-based enumeration for goldfish audio
Yu Ning [Tue, 31 Mar 2015 06:41:48 +0000 (14:41 +0800)]
ANDROID: goldfish: Enable ACPI-based enumeration for goldfish audio

Follow the same way in which ACPI was enabled for goldfish battery. See
commit d3be10e for details.

Change-Id: I6ffe38ebc80fb8af8322152370b9d1fd227eaf50
Signed-off-by: Yu Ning <yu.ning@intel.com>
7 years ago ANDROID: goldfish: Enable ACPI-based enumeration for goldfish framebuffer
Yu Ning [Thu, 12 Feb 2015 03:44:40 +0000 (11:44 +0800)]
ANDROID: goldfish: Enable ACPI-based enumeration for goldfish framebuffer

Follow the same way in which ACPI was enabled for goldfish battery. See
commit d3be10e for details.

Note that this patch also depends on commit af33cac.

Change-Id: Ic63b6e7e0a4b9896ef9a9d0ed135a7796a4c1fdb
Signed-off-by: Yu Ning <yu.ning@intel.com>
7 years ago ANDROID: video: goldfishfb: add devicetree bindings
Greg Hackmann [Mon, 28 Oct 2013 22:33:33 +0000 (15:33 -0700)]
ANDROID: video: goldfishfb: add devicetree bindings

Change-Id: I5f4ba861b981edf39af537001f8ac72202927031
Signed-off-by: Greg Hackmann <ghackmann@google.com>
7 years ago BACKPORT: staging: goldfish: audio: fix compiliation on arm
Greg Hackmann [Fri, 26 Feb 2016 19:00:18 +0000 (19:00 +0000)]
BACKPORT: staging: goldfish: audio: fix compiliation on arm

We do actually need slab.h, by luck we get it on other platforms but not
always on ARM. Include it properly.

Signed-off-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Jin Qian <jinqian@android.com>
Signed-off-by: Alan <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 4532150762ceb0d6fd765ebcb3ba6966fbb8faab)

Change-Id: I93a0c35da40f26aaa7c253e3c0cefaa883ea3391

7 years ago BACKPORT: Input: goldfish_events - enable ACPI-based enumeration for goldfish events
Jason Hu [Fri, 26 Feb 2016 20:06:47 +0000 (12:06 -0800)]
BACKPORT: Input: goldfish_events - enable ACPI-based enumeration for goldfish events

Add ACPI binding to the goldfish events driver.

Signed-off-by: Jason Hu <jia-cheng.hu@intel.com>
Signed-off-by: Jin Qian <jinqian@android.com>
Signed-off-by: Alan <alan@linux.intel.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
(cherry picked from commit 0581ce09fd2c976125a20791268d7206db156d2f)

Change-Id: Ic3e4f1cffb111ea6c69977e63dd598e3fcb55f19

7 years ago BACKPORT: goldfish: Enable ACPI-based enumeration for goldfish battery
Yu Ning [Tue, 1 Mar 2016 23:46:10 +0000 (23:46 +0000)]
BACKPORT: goldfish: Enable ACPI-based enumeration for goldfish battery

Add the ACPI bindings to the goldfish battery driver.

Signed-off-by: Yu Ning <yu.ning@intel.com>
Signed-off-by: Jin Qian <jinqian@android.com>
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Sebastian Reichel <sre@kernel.org>
(cherry picked from commit fdb2f37a54470473c6b7c9d680c4c114dd9bc434)

Change-Id: I3b53481b5868b0b26848397420c9ba16a747819f

7 years ago BACKPORT: drivers: tty: goldfish: Add device tree bindings
Miodrag Dinic [Fri, 26 Feb 2016 19:00:44 +0000 (19:00 +0000)]
BACKPORT: drivers: tty: goldfish: Add device tree bindings

Enable support for registering this device using the device tree.
Device tree node example for registering Goldfish TTY device :

goldfish_tty@1f004000 {
    interrupts = <0xc>;
    reg = <0x1f004000 0x1000>;
    compatible = "google,goldfish-tty";
};

Signed-off-by: Miodrag Dinic <miodrag.dinic@imgtec.com>
Signed-off-by: Jin Qian <jinqian@android.com>
Signed-off-by: Alan <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 9b883eea26ccf043b608e398cf6a26231d44f5fb)

Change-Id: Idbe1bbac4f371e2feb6730712b08b66be1188ea7

7 years ago BACKPORT: tty: goldfish: support platform_device with id -1
Greg Hackmann [Fri, 26 Feb 2016 19:01:05 +0000 (19:01 +0000)]
BACKPORT: tty: goldfish: support platform_device with id -1

When the platform bus sets the platform_device id to -1 (PLATFORM_DEVID_NONE),
use an incrementing counter for the TTY index instead

Signed-off-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Jin Qian <jinqian@android.com>
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 465893e18878e119d8d0255439fad8debbd646fd)

Change-Id: Ifec5ee9d71c7c076e59bb7af77c0184d1b1383cb

7 years ago BACKPORT: Input: goldfish_events - add devicetree bindings
Greg Hackmann [Fri, 26 Feb 2016 20:05:02 +0000 (12:05 -0800)]
BACKPORT: Input: goldfish_events - add devicetree bindings

Add device tree bindings to the Goldfish virtual platform event driver.

Signed-off-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Jin Qian <jinqian@android.com>
Signed-off-by: Alan <alan@linux.intel.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
(cherry picked from commit 8c5dc5a1ada2b79259e55a4bd150135d23529c6a)

Change-Id: I677d8e0d92294f53f7cc5a79300b6462b65e8aad

7 years ago BACKPORT: power: goldfish_battery: add devicetree bindings
Greg Hackmann [Fri, 26 Feb 2016 18:45:30 +0000 (18:45 +0000)]
BACKPORT: power: goldfish_battery: add devicetree bindings

Add device tree bindings to the Goldfish virtual platform battery drivers.

Signed-off-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Jin Qian <jinqian@android.com>
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Sebastian Reichel <sre@kernel.org>
(cherry picked from commit 65d687a7b7d6f27e4306fe8cc8a1ca66a1a760f6)

Change-Id: If947ea3341ff0cb713c56e14d18d51a3f5912b64

7 years ago BACKPORT: staging: goldfish: audio: add devicetree bindings
Greg Hackmann [Fri, 26 Feb 2016 19:00:03 +0000 (19:00 +0000)]
BACKPORT: staging: goldfish: audio: add devicetree bindings

Introduce devicetree bindings to the Goldfish staging audio driver.

Signed-off-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Jin Qian <jinqian@android.com>
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 283ded10312a3b75e384313f6f529ec2c636cf2c)

Change-Id: Ib75d3a4cac7353084a8da18a96fb298a759bacc0

7 years ago ANDROID: usb: gadget: function: cleanup: Add blank line after declaration
Anson Jacob [Fri, 11 Nov 2016 06:10:04 +0000 (01:10 -0500)]
ANDROID: usb: gadget: function: cleanup: Add blank line after declaration

Fix warning generated by checkpatch.pl:
Missing a blank line after declarations

Change-Id: Id129bb8cc8fa37c67a647e2e5996bb2817020e65
Signed-off-by: Anson Jacob <ansonjacob.aj@gmail.com>
7 years ago cpufreq: sched: Fix kernel crash on accessing sysfs file
Viresh Kumar [Tue, 15 Nov 2016 06:28:52 +0000 (11:58 +0530)]
cpufreq: sched: Fix kernel crash on accessing sysfs file

If the cpufreq driver hasn't set the CPUFREQ_HAVE_GOVERNOR_PER_POLICY
flag, then the kernel will crash on accessing sysfs files for the sched
governor.

For CPUFreq governors, we can have the governor-specific sysfs files in two
places:

A. /sys/devices/system/cpu/cpuX/cpufreq/<governor>
B. /sys/devices/system/cpu/cpufreq/<governor>

The case A. is for governor per policy case, where we can control the
governor tunables for each policy separately. The case B. is for system
wide tunable values.

The schedfreq governor only implements the case A. and not B.  The sysfs
files in case B will still be present in
/sys/devices/system/cpu/cpufreq/<governor>, but accessing them will
crash the kernel as the governor doesn't support that.

Moreover the sched governor is pretty new and will be used only for the
ARM platforms and there is no need to support the case B at all.

Hence use policy->kobj instead of get_governor_parent_kobj(), so that we
always create the sysfs files in path A.

Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
7 years ago UPSTREAM: ring-buffer: Prevent overflow of size in ring_buffer_resize()
Steven Rostedt (Red Hat) [Fri, 13 May 2016 13:34:12 +0000 (09:34 -0400)]
UPSTREAM: ring-buffer: Prevent overflow of size in ring_buffer_resize()

(Cherry picked from commit 59643d1535eb220668692a5359de22545af579f6)

If the size passed to ring_buffer_resize() is greater than MAX_LONG - BUF_PAGE_SIZE
then the DIV_ROUND_UP() will return zero.

Here's the details:

  # echo 18014398509481980 > /sys/kernel/debug/tracing/buffer_size_kb

tracing_entries_write() processes this and converts kb to bytes.

 18014398509481980 << 10 = 18446744073709547520

and this is passed to ring_buffer_resize() as unsigned long size.

 size = DIV_ROUND_UP(size, BUF_PAGE_SIZE);

Where DIV_ROUND_UP(a, b) is (a + b - 1)/b

BUF_PAGE_SIZE is 4080 and here

 18446744073709547520 + 4080 - 1 = 18446744073709551599

where 18446744073709551599 is still smaller than 2^64

 2^64 - 18446744073709551599 = 17

But now 18446744073709551599 / 4080 = 4521260802379792

and size = size * 4080 = 18446744073709551360

This is checked to make sure it's still greater than 2 * 4080,
which it is.

Then we convert to the number of buffer pages needed.

 nr_page = DIV_ROUND_UP(size, BUF_PAGE_SIZE)

but this time size is 18446744073709551360 and

 2^64 - (18446744073709551360 + 4080 - 1) = -3823

Thus it overflows and the resulting number is less than 4080, which makes

  3823 / 4080 = 0

and nr_pages is set to this. As we already checked against the minimum that
nr_pages may be, this causes the logic to fail as well, and we crash the
kernel.

There's no reason to have the two DIV_ROUND_UP() (that's just result of
historical code changes), clean up the code and fix this bug.

Cc: stable@vger.kernel.org # 3.5+
Fixes: 83f40318dab00 ("ring-buffer: Make removal of ring buffer pages atomic")
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Change-Id: I1147672317a3ad0fc995b1f32baaa050a7976ac4
Bug: 32659848
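
The arithmetic walked through in the ring_buffer_resize() message above, as an added example that is not part of the commit or the kernel source: a user-space C model of the double-rounding flow beside a single-rounding form that cannot wrap. The function names are hypothetical, and the overflow-free rounding in `nr_pages_single_round()` is an assumption about one safe form, not a copy of the upstream fix.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Values and macro exactly as quoted in the commit message. */
#define BUF_PAGE_SIZE 4080ULL
#define DIV_ROUND_UP(a, b) (((a) + (b) - 1) / (b))

/* tracing_entries_write() converts kilobytes to bytes before resizing. */
uint64_t kb_to_bytes(uint64_t kb)
{
	return kb << 10;
}

/*
 * Model of the flow the message describes (hypothetical name):
 * round up to pages, scale back to bytes, check the two-page minimum,
 * then round up a second time. The second "+ BUF_PAGE_SIZE - 1" wraps
 * past 2^64 when size is already within one page of the maximum.
 */
uint64_t nr_pages_double_round(uint64_t size)
{
	size = DIV_ROUND_UP(size, BUF_PAGE_SIZE);
	size *= BUF_PAGE_SIZE;

	/* minimum check happens on bytes, before the second rounding */
	if (size < 2 * BUF_PAGE_SIZE)
		size = 2 * BUF_PAGE_SIZE;

	return DIV_ROUND_UP(size, BUF_PAGE_SIZE);
}

/*
 * Single rounding step (hypothetical name, assumed safe form):
 * divide first and add one page for any remainder, so no intermediate
 * sum can exceed 2^64 - 1, and enforce the minimum on the page count.
 */
uint64_t nr_pages_single_round(uint64_t size)
{
	uint64_t nr_pages = size / BUF_PAGE_SIZE + (size % BUF_PAGE_SIZE != 0);

	if (nr_pages < 2)
		nr_pages = 2;

	return nr_pages;
}

int main(void)
{
	/* The buffer_size_kb value written in the commit message. */
	uint64_t size = kb_to_bytes(18014398509481980ULL);

	printf("bytes requested      : %" PRIu64 "\n", size);
	printf("double rounding pages: %" PRIu64 "\n",
	       nr_pages_double_round(size));
	printf("single rounding pages: %" PRIu64 "\n",
	       nr_pages_single_round(size));
	return 0;
}
```

The zero page count from the double-rounding path is the value that slips past the earlier minimum check, which was applied to the byte size rather than to the final page count.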

7 years ago usb: gadget: f_mtp: simplify ptp NULL pointer check
Amit Pundir [Tue, 11 Aug 2015 07:04:45 +0000 (12:34 +0530)]
usb: gadget: f_mtp: simplify ptp NULL pointer check

Simplify MTP/PTP dev NULL pointer check introduced in
Change-Id: Ic44a699d96df2e13467fc081bff88b97dcc5afb2
and restrict it to MTP/PTP function level only.

Return ERR_PTR() instead of NULL from mtp_ptp function
to skip doing NULL pointer checks all the way up to
configfs.c

Fixes: Change-Id: Ic44a699d96df2e13467fc081bff88b97dcc5afb2
       ("usb: gadget: fix NULL ptr derefer while symlinking PTP func")
Change-Id: Iab7c55089c115550c3506f6cca960a07ae52713d
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
7 years ago ANDROID: video: adf: Avoid directly referencing user pointers
Jonathan Hamilton [Wed, 21 Sep 2016 19:40:51 +0000 (12:40 -0700)]
ANDROID: video: adf: Avoid directly referencing user pointers

Enabling KASAN on a kernel using ADF causes a number of places where
user-supplied pointers to ioctls are directly dereferenced
without copy_from_user or access_ok.

Bug: 31806036

Signed-off-by: Jonathan Hamilton <jonathan.hamilton@imgtec.com>
Change-Id: I6e86237aaa6cec0f6e1c385336aefcc5332080ae

7 years ago ANDROID: usb: gadget: audio_source: fix comparison of distinct pointer types
Amit Pundir [Thu, 15 Sep 2016 10:35:40 +0000 (16:05 +0530)]
ANDROID: usb: gadget: audio_source: fix comparison of distinct pointer types

Use div_s64() instead of do_div() to fix following "comparison of
distinct pointer types lacks a cast" warning in do_div() call in
audio_send() for ARCH=arm in Linux 4.8-rc6:

  CC      drivers/usb/gadget/function/f_audio_source.o
In file included from ./arch/arm/include/asm/div64.h:126:0,
                 from ./include/linux/kernel.h:142,
                 from ./include/linux/list.h:8,
                 from ./include/linux/kobject.h:20,
                 from ./include/linux/device.h:17,
                 from drivers/usb/gadget/function/f_audio_source.c:17:
drivers/usb/gadget/function/f_audio_source.c: In function ‘audio_send’:
./include/asm-generic/div64.h:207:28: warning: comparison of distinct pointer types lacks a cast
  (void)(((typeof((n)) *)0) == ((uint64_t *)0)); \
                            ^
drivers/usb/gadget/function/f_audio_source.c:381:2: note: in expansion of macro ‘do_div’
  do_div(msecs, 1000000);
  ^
./include/asm-generic/div64.h:207:28: warning: comparison of distinct pointer types lacks a cast
  (void)(((typeof((n)) *)0) == ((uint64_t *)0)); \
                            ^
drivers/usb/gadget/function/f_audio_source.c:383:2: note: in expansion of macro ‘do_div’
  do_div(frames, 1000);
  ^
  LD      drivers/usb/gadget/function/usb_f_audio_source.o

Change-Id: Ie1a920c8948f3fc3f1263add25a402ded132fd66
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>