Commit Graph

1727 Commits

Author SHA1 Message Date
David Herrmann e494faf513 shm: add sealing API
If two processes share a common memory region, they usually want some
guarantees to allow safe access. This often includes:
  - one side cannot overwrite data while the other reads it
  - one side cannot shrink the buffer while the other accesses it
  - one side cannot grow the buffer beyond previously set boundaries

If there is a trust-relationship between both parties, there is no need
for policy enforcement.  However, if there's no trust relationship (eg.,
for general-purpose IPC) sharing memory-regions is highly fragile and
often not possible without local copies.  Look at the following two
use-cases:

  1) A graphics client wants to share its rendering-buffer with a
     graphics-server. The memory-region is allocated by the client for
     read/write access and a second FD is passed to the server. While
     scanning out from the memory region, the server has no guarantee that
     the client doesn't shrink the buffer at any time, requiring rather
     cumbersome SIGBUS handling.
  2) A process wants to perform an RPC on another process. To avoid huge
     bandwidth consumption, zero-copy is preferred. After a message is
     assembled in-memory and a FD is passed to the remote side, both sides
     want to be sure that neither modifies this shared copy, anymore. The
     source may have put sensible data into the message without a separate
     copy and the target may want to parse the message inline, to avoid a
     local copy.

While SIGBUS handling, POSIX mandatory locking and MAP_DENYWRITE provide
ways to achieve most of this, the first one is unproportionally ugly to
use in libraries and the latter two are broken/racy or even disabled due
to denial of service attacks.

This patch introduces the concept of SEALING.  If you seal a file, a
specific set of operations is blocked on that file forever.  Unlike locks,
seals can only be set, never removed.  Hence, once you verified a specific
set of seals is set, you're guaranteed that no-one can perform the blocked
operations on this file, anymore.

An initial set of SEALS is introduced by this patch:
  - SHRINK: If SEAL_SHRINK is set, the file in question cannot be reduced
            in size. This affects ftruncate() and open(O_TRUNC).
  - GROW: If SEAL_GROW is set, the file in question cannot be increased
          in size. This affects ftruncate(), fallocate() and write().
  - WRITE: If SEAL_WRITE is set, no write operations (besides resizing)
           are possible. This affects fallocate(PUNCH_HOLE), mmap() and
           write().
  - SEAL: If SEAL_SEAL is set, no further seals can be added to a file.
          This basically prevents the F_ADD_SEAL operation on a file and
          can be set to prevent others from adding further seals that you
          don't want.

The described use-cases can easily use these seals to provide safe use
without any trust-relationship:

  1) The graphics server can verify that a passed file-descriptor has
     SEAL_SHRINK set. This allows safe scanout, while the client is
     allowed to increase buffer size for window-resizing on-the-fly.
     Concurrent writes are explicitly allowed.
  2) For general-purpose IPC, both processes can verify that SEAL_SHRINK,
     SEAL_GROW and SEAL_WRITE are set. This guarantees that neither
     process can modify the data while the other side parses it.
     Furthermore, it guarantees that even with writable FDs passed to the
     peer, it cannot increase the size to hit memory-limits of the source
     process (in case the file-storage is accounted to the source).

The new API is an extension to fcntl(), adding two new commands:
  F_GET_SEALS: Return a bitset describing the seals on the file. This
               can be called on any FD if the underlying file supports
               sealing.
  F_ADD_SEALS: Change the seals of a given file. This requires WRITE
               access to the file and F_SEAL_SEAL may not already be set.
               Furthermore, the underlying file must support sealing and
               there may not be any existing shared mapping of that file.
               Otherwise, EBADF/EPERM is returned.
               The given seals are _added_ to the existing set of seals
               on the file. You cannot remove seals again.

The fcntl() handler is currently specific to shmem and disabled on all
files. A file needs to explicitly support sealing for this interface to
work. A separate syscall is added in a follow-up, which creates files that
support sealing. There is no intention to support this on other
file-systems. Semantics are unclear for non-volatile files and we lack any
use-case right now. Therefore, the implementation is specific to shmem.

Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Acked-by: Hugh Dickins <hughd@google.com>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Ryan Lortie <desrt@desrt.ca>
Cc: Lennart Poettering <lennart@poettering.net>
Cc: Daniel Mack <zonque@gmail.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Angelo G. Del Regno <kholk11@gmail.com>
Change-Id: I9c9c75bfad0aa07c2ce855a79d92b493369bfa74
2019-11-01 14:14:29 +01:00
Will Deacon 5cbcc46ada asm-generic: add memfd_create system call to unistd.h
Commit 9183df25fe7b ("shm: add memfd_create() syscall") added a new
system call (memfd_create) but didn't update the asm-generic unistd
header.

This patch adds the new system call to the asm-generic version of
unistd.h so that it can be used by architectures such as arm64.

Cc: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Change-Id: Iad3d0fb7df6c8062424ec1a8d5e9ee78c8d897dc
2019-11-01 14:14:18 +01:00
David Herrmann d63722d11e shm: add memfd_create() syscall
memfd_create() is similar to mmap(MAP_ANON), but returns a file-descriptor
that you can pass to mmap().  It can support sealing and avoids any
connection to user-visible mount-points.  Thus, it's not subject to quotas
on mounted file-systems, but can be used like malloc()'ed memory, but with
a file-descriptor to it.

memfd_create() returns the raw shmem file, so calls like ftruncate() can
be used to modify the underlying inode.  Also calls like fstat() will
return proper information and mark the file as regular file.  If you want
sealing, you can specify MFD_ALLOW_SEALING.  Otherwise, sealing is not
supported (like on all other regular files).

Compared to O_TMPFILE, it does not require a tmpfs mount-point and is not
subject to a filesystem size limit.  It is still properly accounted to
memcg limits, though, and to the same overcommit or no-overcommit
accounting as all user memory.

Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Acked-by: Hugh Dickins <hughd@google.com>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Ryan Lortie <desrt@desrt.ca>
Cc: Lennart Poettering <lennart@poettering.net>
Cc: Daniel Mack <zonque@gmail.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Angelo G. Del Regno <kholk11@gmail.com>
Change-Id: Ic31cd7825081779919492d82d44486a598c0bf22
2019-11-01 14:14:08 +01:00
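The workflow the two commit messages above describe (memfd_create() with MFD_ALLOW_SEALING, then F_ADD_SEALS on the sender and F_GET_SEALS on the receiver), as an added C example that is not part of these commits or the kernel tree. The helper names (memfd_new, make_sealed_message, verify_seals, map_verified, count_blocked_ops) and the "ipc-msg" name are hypothetical; the fallback constants are the Linux UAPI values, used only when the libc headers lack them, and the raw syscall is used so the example also builds against an older libc.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Fallbacks (Linux UAPI values) for libc headers that predate sealing. */
#ifndef F_ADD_SEALS
#define F_ADD_SEALS   1033
#define F_GET_SEALS   1034
#define F_SEAL_SEAL   0x0001
#define F_SEAL_SHRINK 0x0002
#define F_SEAL_GROW   0x0004
#define F_SEAL_WRITE  0x0008
#endif
#ifndef MFD_ALLOW_SEALING
#define MFD_CLOEXEC       0x0001U
#define MFD_ALLOW_SEALING 0x0002U
#endif

/* Seals a receiver needs before parsing a message in place (use-case 2). */
#define IPC_SEALS (F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)

/* Hypothetical wrapper around the memfd_create system call. */
static int memfd_new(const char *name, unsigned int flags)
{
    return (int)syscall(SYS_memfd_create, name, flags);
}

/* Sender: assemble the message, then freeze size and content.
 * F_SEAL_SEAL is added so nobody can add further seals afterwards. */
int make_sealed_message(const void *buf, size_t len)
{
    int fd = memfd_new("ipc-msg", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0)
        return -1;
    if (write(fd, buf, len) != (ssize_t)len ||
        fcntl(fd, F_ADD_SEALS, IPC_SEALS | F_SEAL_SEAL) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Receiver: 0 only if every required seal is set on the file. */
int verify_seals(int fd, int required)
{
    int seals = fcntl(fd, F_GET_SEALS);
    if (seals < 0)              /* file does not support sealing */
        return -1;
    return (seals & required) == required ? 0 : -1;
}

/* Receiver: map the message read-only, but only after the seal check. */
const char *map_verified(int fd, size_t *len)
{
    struct stat st;
    if (verify_seals(fd, IPC_SEALS) < 0 || fstat(fd, &st) < 0 || st.st_size <= 0)
        return NULL;
    void *p = mmap(NULL, (size_t)st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
    if (p == MAP_FAILED)
        return NULL;
    *len = (size_t)st.st_size;
    return p;
}

/* Count how many of the sealed operations the kernel refuses with EPERM. */
int count_blocked_ops(int fd, size_t len)
{
    int blocked = 0;
    if (write(fd, "x", 1) < 0 && errno == EPERM)                   /* WRITE  */
        blocked++;
    if (ftruncate(fd, 0) < 0 && errno == EPERM)                    /* SHRINK */
        blocked++;
    if (ftruncate(fd, (off_t)len + 4096) < 0 && errno == EPERM)    /* GROW   */
        blocked++;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED && errno == EPERM)                         /* WRITE  */
        blocked++;
    else if (p != MAP_FAILED)
        munmap(p, len);
    return blocked;
}

int main(void)
{
    const char msg[] = "constructed sample message";
    size_t n = 0;
    int fd = make_sealed_message(msg, sizeof(msg) - 1);
    if (fd < 0) {
        perror("make_sealed_message");
        return 1;
    }
    const char *view = map_verified(fd, &n);
    printf("verified: %s, %zu bytes, blocked ops: %d\n",
           view ? "yes" : "no", n, count_blocked_ops(fd, n));
    return 0;
}
```

The receiver checks the seal set with a mask rather than for equality, so extra seals on the file do not cause a rejection; a descriptor that is missing any required seal is refused before it is mapped.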
Alexy Joseph 9ae1933370 ALSA: compress: Add support to send codec specific data
Codec specific metadata is sent only for first stream in gapless
playback. This causes incorrect configuration to be set for second
stream and distortions are observed due to framedrops in adsp.
Add support to send codec specific format during start of
next stream in gapless using set_next_track_param.

Change-Id: Ieec6b2afedec156e47873efcad9b3571160b0a29
Signed-off-by: Chaithanya Krishna Bacharaju <chaithan@codeaurora.org>
Signed-off-by: Alexy Joseph <alexyj@codeaurora.org>

Conflicts:
	include/sound/compress_driver.h
2019-11-01 14:12:36 +01:00
Joe Maples 6026ea5782 random: Backport from 4.1.39
Signed-off-by: Joe Maples <joe@frap129.org>
2019-08-26 16:40:58 +02:00
voidanix b771f33460 Merge remote-tracking branch 'android-linux-stable/android-msm-bullhead-3.10' into lineage-16.0
2019-07-11 15:28:52 +02:00
Al Viro 5a648ea467 allow O_TMPFILE to work with O_WRONLY
Change-Id: If75a4f1b8f1ba485f6073be4058b59126cef034b
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2018-11-11 23:36:51 +01:00
Al Viro 9b62f8b195 Safer ABI for O_TMPFILE
[suggested by Rasmus Villemoes] make O_DIRECTORY | O_RDWR part of O_TMPFILE;
that will fail on old kernels in a lot more cases than what I came up with.
And make sure O_CREAT doesn't get there...

Change-Id: I4818563d79ca1abf9ea99f5ccea9317eb2f3b678
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2018-11-11 23:36:44 +01:00
Al Viro be839c41d4 [O_TMPFILE] it's still short a few helpers, but infrastructure should be OK now...
Change-Id: I9e003fabb858fd901fd922cd891ca29966ccdf3a
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2018-11-11 23:36:28 +01:00
Nathan Chancellor 2505872e8e Android 8.1.0 Release 0.36 (OPM5.171019.017,angler)

Merge tag 'android-8.1.0_r0.37' into android-msm-bullhead-3.10-oreo-m5

Android 8.1.0 Release 0.36 (OPM5.171019.017,angler)

* tag 'android-8.1.0_r0.37':
  qcacld-2.0: Add sanity check to limit mgmt frames data len
  qcacld-2.0: Set length of challenge text sent by SAP to 128
  BACKPORT: packet: in packet_do_bind, test fanout with bind_lock held
  qcacld-2.0: Avoid OEM message overread
  msm: sensor: flash: add conditional check for ioctl
  msm:ipa: Fix to incorrect structure access
  ASoC: msm: qdsp6v2: Set freed pointers to NULL
  UPSTREAM: packet: fix tp_reserve race in packet_set_ring
  diag: Add protection while de-initializing clients
  qcacld-2.0: Fix out-of-bounds access in limProcessActionFrameNoSession
  qcacld-2.0: Check for upper bound in P2P NOA event
  qcacld-2.0: Check for the max number of P2P NOA descriptors
  qcacld-2.0: Check for valid vdev ID in wma_nlo_match_evt_handler
  qcacld-2.0: Avoid possible buffer overwrite in wma_process_utf_event
  UPSTREAM: USB: serial: console: fix use-after-free after failed setup
  UPSTREAM: ALSA: usb-audio: Kill stray URB at exiting
  UPSTREAM: ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor
  UPSTREAM: USB: fix out-of-bounds in usb_set_configuration
  UPSTREAM: HID: usbhid: fix out-of-bounds bug
  UPSTREAM: USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()
  UPSTREAM: packet: hold bind lock when rebinding to fanout hook
  power: qcom: msm-core: Add mutex lock for ioctl
  qcacld-2.0: Fix int overflow in wma_unified_link_peer_stats_event_handler
  qcacld-2.0: Check vdev_id against wma->max_bssid
  FROMLIST: power: Fix user ptr in EA_LEAKAGE ioctl
  diag: Add mutex protection while reading dci debug statistics
  qcacld-2.0: Fix Integer overflow with latest framesc_linux tool
  qcacld-2.0: Avoid integer overflow in lim_update_ibss_prop_add_ies
  qcacld-2.0: Fix the size of array ch_list in sme_set_plm_request
  ANDROID: sdcardfs: Add default_normal option
  ANDROID: sdcardfs: notify lower file of opens

Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
2018-03-05 16:22:23 -07:00
Nathan Chancellor 8eef28437c This is the 3.10.107 stable release

Merge 3.10.107 into android-msm-bullhead-3.10-oreo-m5

Changes in 3.10.107: (270 commits)
        Revert "Btrfs: don't delay inode ref updates during log, replay"
        Btrfs: fix memory leak in reading btree blocks
        ext4: use more strict checks for inodes_per_block on mount
        ext4: fix in-superblock mount options processing
        ext4: add sanity checking to count_overhead()
        ext4: validate s_first_meta_bg at mount time
        jbd2: don't leak modified metadata buffers on an aborted journal
        ext4: fix fencepost in s_first_meta_bg validation
        ext4: trim allocation requests to group size
        ext4: preserve the needs_recovery flag when the journal is aborted
        ext4: return EROFS if device is r/o and journal replay is needed
        ext4: fix inode checksum calculation problem if i_extra_size is small
        block: fix use-after-free in sys_ioprio_get()
        block: allow WRITE_SAME commands with the SG_IO ioctl
        block: fix del_gendisk() vs blkdev_ioctl crash
        dm crypt: mark key as invalid until properly loaded
        dm space map metadata: fix 'struct sm_metadata' leak on failed create
        md/raid5: limit request size according to implementation limits
        md:raid1: fix a dead loop when read from a WriteMostly disk
        md linear: fix a race between linear_add() and linear_congested()
        CIFS: Fix a possible memory corruption during reconnect
        CIFS: Fix missing nls unload in smb2_reconnect()
        CIFS: Fix a possible memory corruption in push locks
        CIFS: remove bad_network_name flag
        fs/cifs: make share unaccessible at root level mountable
        cifs: Do not send echoes before Negotiate is complete
        ocfs2: fix crash caused by stale lvb with fsdlm plugin
        ocfs2: fix BUG_ON() in ocfs2_ci_checkpointed()
        can: raw: raw_setsockopt: limit number of can_filter that can be set
        can: peak: fix bad memory access and free sequence
        can: c_can_pci: fix null-pointer-deref in c_can_start() - set device pointer
        can: ti_hecc: add missing prepare and unprepare of the clock
        can: bcm: fix hrtimer/tasklet termination in bcm op removal
        can: usb_8dev: Fix memory leak of priv->cmd_msg_buffer
        ALSA: hda - Fix up GPIO for ASUS ROG Ranger
        ALSA: seq: Fix race at creating a queue
        ALSA: seq: Don't handle loop timeout at snd_seq_pool_done()
        ALSA: timer: Reject user params with too small ticks
        ALSA: seq: Fix link corruption by event error handling
        ALSA: seq: Fix racy cell insertions during snd_seq_pool_done()
        ALSA: seq: Fix race during FIFO resize
        ALSA: seq: Don't break snd_use_lock_sync() loop by timeout
        ALSA: usb-audio: Add QuickCam Communicate Deluxe/S7500 to volume_control_quirks
        usb: gadgetfs: restrict upper bound on device configuration size
        USB: gadgetfs: fix unbounded memory allocation bug
        USB: gadgetfs: fix use-after-free bug
        USB: gadgetfs: fix checks of wTotalLength in config descriptors
        xhci: free xhci virtual devices with leaf nodes first
        USB: serial: io_ti: bind to interface after fw download
        usb: gadget: composite: always set ep->mult to a sensible value
        USB: cdc-acm: fix double usb_autopm_put_interface() in acm_port_activate()
        USB: cdc-acm: fix open and suspend race
        USB: cdc-acm: fix failed open not being detected
        usb: dwc3: gadget: make Set Endpoint Configuration macros safe
        usb: host: xhci-plat: Fix timeout on removal of hot pluggable xhci controllers
        usb: dwc3: gadget: delay unmap of bounced requests
        usb: hub: Wait for connection to be reestablished after port reset
        usb: gadget: composite: correctly initialize ep->maxpacket
        USB: UHCI: report non-PME wakeup signalling for Intel hardware
        arm/xen: Use alloc_percpu rather than __alloc_percpu
        xfs: set AGI buffer type in xlog_recover_clear_agi_bucket
        xfs: clear _XBF_PAGES from buffers when readahead page
        ssb: Fix error routine when fallback SPROM fails
        drivers/gpu/drm/ast: Fix infinite loop if read fails
        scsi: avoid a permanent stop of the scsi device's request queue
        scsi: move the nr_phys_segments assert into scsi_init_io
        scsi: don't BUG_ON() empty DMA transfers
        scsi: storvsc: properly handle SRB_ERROR when sense message is present
        scsi: storvsc: properly set residual data length on errors
        target/pscsi: Fix TYPE_TAPE + TYPE_MEDIMUM_CHANGER export
        scsi: lpfc: Add shutdown method for kexec
        scsi: sr: Sanity check returned mode data
        scsi: sd: Fix capacity calculation with 32-bit sector_t
        s390/vmlogrdr: fix IUCV buffer allocation
        libceph: verify authorize reply on connect
        nfs_write_end(): fix handling of short copies
        powerpc/ps3: Fix system hang with GCC 5 builds
        sg_write()/bsg_write() is not fit to be called under KERNEL_DS
        ftrace/x86: Set ftrace_stub to weak to prevent gcc from using short jumps to it
        cred/userns: define current_user_ns() as a function
        net: ti: cpmac: Fix compiler warning due to type confusion
        tick/broadcast: Prevent NULL pointer dereference
        netvsc: reduce maximum GSO size
        drop_monitor: add missing call to genlmsg_end
        drop_monitor: consider inserted data in genlmsg_end
        igmp: Make igmp group member RFC 3376 compliant
        HID: hid-cypress: validate length of report
        Input: xpad - use correct product id for x360w controllers
        Input: i8042 - add noloop quirk for Dell Embedded Box PC 3000
        Input: iforce - validate number of endpoints before using them
        Input: kbtab - validate number of endpoints before using them
        Input: joydev - do not report stale values on first open
        Input: tca8418 - use the interrupt trigger from the device tree
        Input: mpr121 - handle multiple bits change of status register
        Input: mpr121 - set missing event capability
        Input: i8042 - add Clevo P650RS to the i8042 reset list
        i2c: fix kernel memory disclosure in dev interface
        vme: Fix wrong pointer utilization in ca91cx42_slave_get
        sysrq: attach sysrq handler correctly for 32-bit kernel
        pinctrl: sh-pfc: Do not unconditionally support PIN_CONFIG_BIAS_DISABLE
        x86/PCI: Ignore _CRS on Supermicro X8DTH-i/6/iF/6F
        qla2xxx: Fix crash due to null pointer access
        ARM: 8634/1: hw_breakpoint: blacklist Scorpion CPUs
        ARM: dts: da850-evm: fix read access to SPI flash
        NFSv4: Ensure nfs_atomic_open set the dentry verifier on ENOENT
        vmxnet3: Wake queue from reset work
        Fix memory leaks in cifs_do_mount()
        Compare prepaths when comparing superblocks
        Move check for prefix path to within cifs_get_root()
        Fix regression which breaks DFS mounting
        apparmor: fix uninitialized lsm_audit member
        apparmor: exec should not be returning ENOENT when it denies
        apparmor: fix disconnected bind mnts reconnection
        apparmor: internal paths should be treated as disconnected
        apparmor: check that xindex is in trans_table bounds
        apparmor: add missing id bounds check on dfa verification
        apparmor: don't check for vmalloc_addr if kvzalloc() failed
        apparmor: fix oops in profile_unpack() when policy_db is not present
        apparmor: fix module parameters can be changed after policy is locked
        apparmor: do not expose kernel stack
        vfio/pci: Fix integer overflows, bitmask check
        bna: Add synchronization for tx ring.
        sg: Fix double-free when drives detach during SG_IO
        move the call of __d_drop(anon) into __d_materialise_unique(dentry, anon)
        serial: 8250_pci: Detach low-level driver during PCI error recovery
        bnx2x: Correct ringparam estimate when DOWN
        tile/ptrace: Preserve previous registers for short regset write
        sysctl: fix proc_doulongvec_ms_jiffies_minmax()
        ISDN: eicon: silence misleading array-bounds warning
        ARC: [arcompact] handle unaligned access delay slot corner case
        parisc: Don't use BITS_PER_LONG in userspace-exported swab.h header
        nfs: Don't increment lock sequence ID after NFS4ERR_MOVED
        ipv6: addrconf: Avoid addrconf_disable_change() using RCU read-side lock
        af_unix: move unix_mknod() out of bindlock
        drm/nouveau/nv1a,nv1f/disp: fix memory clock rate retrieval
        crypto: api - Clear CRYPTO_ALG_DEAD bit before registering an alg
        ata: sata_mv:- Handle return value of devm_ioremap.
        mm/memory_hotplug.c: check start_pfn in test_pages_in_a_zone()
        mm, fs: check for fatal signals in do_generic_file_read()
        ARC: [arcompact] brown paper bag bug in unaligned access delay slot fixup
        sched/debug: Don't dump sched debug info in SysRq-W
        tcp: fix 0 divide in __tcp_select_window()
        macvtap: read vnet_hdr_size once
        packet: round up linear to header len
        vfs: fix uninitialized flags in splice_to_pipe()
        siano: make it work again with CONFIG_VMAP_STACK
        futex: Move futex_init() to core_initcall
        rtc: interface: ignore expired timers when enqueuing new timers
        irda: Fix lockdep annotations in hashbin_delete().
        tty: serial: msm: Fix module autoload
        rtlwifi: rtl_usb: Fix for URB leaking when doing ifconfig up/down
        af_packet: remove a stray tab in packet_set_ring()
        MIPS: Fix special case in 64 bit IP checksumming.
        mm: vmpressure: fix sending wrong events on underflow
        ipc/shm: Fix shmat mmap nil-page protection
        sd: get disk reference in sd_check_events()
        samples/seccomp: fix 64-bit comparison macros
        ath5k: drop bogus warning on drv_set_key with unsupported cipher
        rdma_cm: fail iwarp accepts w/o connection params
        NFSv4: fix getacl ERANGE for some ACL buffer sizes
        bcma: use (get|put)_device when probing/removing device driver
        powerpc/xmon: Fix data-breakpoint
        KVM: VMX: use correct vmcs_read/write for guest segment selector/base
        KVM: PPC: Book3S PR: Fix illegal opcode emulation
        KVM: s390: fix task size check
        s390: TASK_SIZE for kernel threads
        xtensa: move parse_tag_fdt out of #ifdef CONFIG_BLK_DEV_INITRD
        mac80211: flush delayed work when entering suspend
        drm/ast: Fix test for VGA enabled
        drm/ttm: Make sure BOs being swapped out are cacheable
        fat: fix using uninitialized fields of fat_inode/fsinfo_inode
        drivers: hv: Turn off write permission on the hypercall page
        xhci: fix 10 second timeout on removal of PCI hotpluggable xhci controllers
        crypto: improve gcc optimization flags for serpent and wp512
        mtd: pmcmsp: use kstrndup instead of kmalloc+strncpy
        cpmac: remove hopeless #warning
        mvsas: fix misleading indentation
        l2tp: avoid use-after-free caused by l2tp_ip_backlog_recv
        net: don't call strlen() on the user buffer in packet_bind_spkt()
        dccp: Unlock sock before calling sk_free()
        tcp: fix various issues for sockets morphing to listen state
        uapi: fix linux/packet_diag.h userspace compilation error
        ipv6: avoid write to a possibly cloned skb
        dccp: fix memory leak during tear-down of unsuccessful connection request
        futex: Fix potential use-after-free in FUTEX_REQUEUE_PI
        futex: Add missing error handling to FUTEX_REQUEUE_PI
        give up on gcc ilog2() constant optimizations
        cancel the setfilesize transation when io error happen
        crypto: ghash-clmulni - Fix load failure
        crypto: cryptd - Assign statesize properly
        ACPI / video: skip evaluating _DOD when it does not exist
        Drivers: hv: balloon: don't crash when memory is added in non-sorted order
        s390/pci: fix use after free in dma_init
        cpufreq: Fix and clean up show_cpuinfo_cur_freq()
        igb: Workaround for igb i210 firmware issue
        igb: add i211 to i210 PHY workaround
        ipv4: provide stronger user input validation in nl_fib_input()
        tcp: initialize icsk_ack.lrcvtime at session start time
        ACM gadget: fix endianness in notifications
        mmc: sdhci: Do not disable interrupts while waiting for clock
        uvcvideo: uvc_scan_fallback() for webcams with broken chain
        fbcon: Fix vc attr at deinit
        crypto: algif_hash - avoid zero-sized array
        virtio_balloon: init 1st buffer in stats vq
        c6x/ptrace: Remove useless PTRACE_SETREGSET implementation
        sparc/ptrace: Preserve previous registers for short regset write
        metag/ptrace: Preserve previous registers for short regset write
        metag/ptrace: Provide default TXSTATUS for short NT_PRSTATUS
        metag/ptrace: Reject partial NT_METAG_RPIPE writes
        libceph: force GFP_NOIO for socket allocations
        ACPI: Fix incompatibility with mcount-based function graph tracing
        ACPI / power: Avoid maybe-uninitialized warning
        rtc: s35390a: make sure all members in the output are set
        rtc: s35390a: implement reset routine as suggested by the reference
        rtc: s35390a: improve irq handling
        padata: avoid race in reordering
        HID: hid-lg: Fix immediate disconnection of Logitech Rumblepad 2
        HID: i2c-hid: Add sleep between POWER ON and RESET
        drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl()
        drm/vmwgfx: avoid calling vzalloc with a 0 size in vmw_get_cap_3d_ioctl()
        drm/vmwgfx: Remove getparam error message
        drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()
        Reset TreeId to zero on SMB2 TREE_CONNECT
        metag/usercopy: Drop unused macros
        metag/usercopy: Zero rest of buffer from copy_from_user
        powerpc: Don't try to fix up misaligned load-with-reservation instructions
        mm/mempolicy.c: fix error handling in set_mempolicy and mbind.
        mtd: bcm47xxpart: fix parsing first block after aligned TRX
        net/packet: fix overflow in check for priv area size
        x86/vdso: Plug race between mapping and ELF header setup
        iscsi-target: Fix TMR reference leak during session shutdown
        iscsi-target: Drop work-around for legacy GlobalSAN initiator
        xen, fbfront: fix connecting to backend
        char: lack of bool string made CONFIG_DEVPORT always on
        platform/x86: acer-wmi: setup accelerometer when machine has appropriate notify event
        platform/x86: acer-wmi: setup accelerometer when ACPI device was found
        mm: Tighten x86 /dev/mem with zeroing reads
        virtio-console: avoid DMA from stack
        catc: Combine failure cleanup code in catc_probe()
        catc: Use heap buffer for memory size test
        net: ipv6: check route protocol when deleting routes
        Drivers: hv: don't leak memory in vmbus_establish_gpadl()
        Drivers: hv: get rid of timeout in vmbus_open()
        ubi/upd: Always flush after prepared for an update
        x86/mce/AMD: Give a name to MCA bank 3 when accessed with legacy MSRs
        powerpc: Reject binutils 2.24 when building little endian
        net/packet: fix overflow in check for tp_frame_nr
        net/packet: fix overflow in check for tp_reserve
        tty: nozomi: avoid a harmless gcc warning
        hostap: avoid uninitialized variable use in hfa384x_get_rid
        gfs2: avoid uninitialized variable warning
        net: neigh: guard against NULL solicit() method
        sctp: listen on the sock only when it's state is listening or closed
        ip6mr: fix notification device destruction
        MIPS: Fix crash registers on non-crashing CPUs
        RDS: Fix the atomicity for congestion map update
        xen/x86: don't lose event interrupts
        p9_client_readdir() fix
        nfsd: check for oversized NFSv2/v3 arguments
        ftrace/x86: Fix triple fault with graph tracing and suspend-to-ram
        kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF)
        tun: read vnet_hdr_sz once
        printk: use rcuidle console tracepoint
        ipv6: check raw payload size correctly in ioctl
        x86: standardize mmap_rnd() usage
        x86/mm/32: Enable full randomization on i386 and X86_32
        mm: larger stack guard gap, between vmas
        mm: fix new crash in unmapped_area_topdown()
        Allow stack to grow up to address space limit
        Linux 3.10.107

Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>

Conflicts:
	arch/x86/mm/mmap.c
	drivers/mmc/host/sdhci.c
	drivers/usb/host/xhci-plat.c
	fs/ext4/super.c
	kernel/sched/core.c
2018-01-25 17:57:41 -07:00
Nathan Chancellor 459f05e480 This is the 3.10.102 stable release

Merge 3.10.102 into android-msm-bullhead-3.10-oreo-m5

Changes in 3.10.102: (144 commits)
        pipe: Fix buffer offset after partially failed read
        x86/iopl/64: Properly context-switch IOPL on Xen PV
        ext4: fix NULL pointer dereference in ext4_mark_inode_dirty()
        compiler-gcc: integrate the various compiler-gcc[345].h files
        x86: LLVMLinux: Fix "incomplete type const struct x86cpu_device_id"
        KVM: i8254: change PIT discard tick policy
        KVM: fix spin_lock_init order on x86
        EDAC, amd64_edac: Shift wrapping issue in f1x_get_norm_dct_addr()
        PCI: Disable IO/MEM decoding for devices with non-compliant BARs
        linux/const.h: Add _BITUL() and _BITULL()
        x86: Rename X86_CR4_RDWRGSFS to X86_CR4_FSGSBASE
        x86, processor-flags: Fix the datatypes and add bit number defines
        x86/iopl: Fix iopl capability check on Xen PV
        sg: fix dxferp in from_to case
        aacraid: Fix memory leak in aac_fib_map_free
        be2iscsi: set the boot_kset pointer to NULL in case of failure
        usb: retry reset if a device times out
        USB: cdc-acm: more sanity checking
        USB: iowarrior: fix oops with malicious USB descriptors
        USB: usb_driver_claim_interface: add sanity checking
        USB: mct_u232: add sanity checking in probe
        USB: digi_acceleport: do sanity checking for the number of ports
        USB: cypress_m8: add endpoint sanity check
        USB: serial: cp210x: Adding GE Healthcare Device ID
        USB: option: add "D-Link DWM-221 B1" device id
        pwc: Add USB id for Philips Spc880nc webcam
        Input: powermate - fix oops with malicious USB descriptors
        net: irda: Fix use-after-free in irtty_open()
        8250: use callbacks to access UART_DLL/UART_DLM
        bttv: Width must be a multiple of 16 when capturing planar formats
        media: v4l2-compat-ioctl32: fix missing length copy in put_v4l2_buffer32
        ALSA: intel8x0: Add clock quirk entry for AD1981B on IBM ThinkPad X41.
        jbd2: fix FS corruption possibility in jbd2_journal_destroy() on umount path
        bcache: fix cache_set_flush() NULL pointer dereference on OOM
        watchdog: rc32434_wdt: fix ioctl error handling
        splice: handle zero nr_pages in splice_to_pipe()
        xtensa: ISS: don't hang if stdin EOF is reached
        xtensa: clear all DBREAKC registers on start
        md/raid5: Compare apples to apples (or sectors to sectors)
        rapidio/rionet: fix deadlock on SMP
        ipr: Fix out-of-bounds null overwrite
        ipr: Fix regression when loading firmware
        drm/radeon: Don't drop DP 2.7 Ghz link setup on some cards.
        tracing: Have preempt(irqs)off trace preempt disabled functions
        tracing: Fix crash from reading trace_pipe with sendfile
        tracing: Fix trace_printk() to print when not using bprintk()
        scripts/coccinelle: modernize &
        Input: ims-pcu - sanity check against missing interfaces
        Input: ati_remote2 - fix crashes on detecting device with invalid descriptor
        ocfs2/dlm: fix race between convert and recovery
        ocfs2/dlm: fix BUG in dlm_move_lockres_to_recovery_list
        mtd: onenand: fix deadlock in onenand_block_markbad
        sched/cputime: Fix steal time accounting vs. CPU hotplug
        perf/x86/intel: Fix PEBS data source interpretation on Nehalem/Westmere
        hwmon: (max1111) Return -ENODEV from max1111_read_channel if not instantiated
        parisc: Avoid function pointers for kernel exception routines
        parisc: Fix kernel crash with reversed copy_from_user()
        ALSA: timer: Use mod_timer() for rearming the system timer
        net: jme: fix suspend/resume on JMC260
        sctp: lack the check for ports in sctp_v6_cmp_addr
        ipv6: re-enable fragment header matching in ipv6_find_hdr
        cdc_ncm: toggle altsetting to force reset before setup
        usbnet: cleanup after bind() in probe()
        udp6: fix UDP/IPv6 encap resubmit path
        sh_eth: fix NULL pointer dereference in sh_eth_ring_format()
        net: Fix use after free in the recvmmsg exit path
        farsync: fix off-by-one bug in fst_add_one
        ath9k: fix buffer overrun for ar9287
        qlge: Fix receive packets drop.
        ppp: take reference on channels netns
        qmi_wwan: add "D-Link DWM-221 B1" device id
        ipv4: l2tp: fix a potential issue in l2tp_ip_recv
        ipv6: l2tp: fix a potential issue in l2tp_ip6_recv
        ip6_tunnel: set rtnl_link_ops before calling register_netdevice
        usb: renesas_usbhs: avoid NULL pointer derefernce in usbhsf_pkt_handler()
        usb: renesas_usbhs: disable TX IRQ before starting TX DMAC transfer
        ext4: add lockdep annotations for i_data_sem
        HID: usbhid: fix inconsistent reset/resume/reset-resume behavior
        drm/radeon: hold reference to fences in radeon_sa_bo_new (3.17 and older)
        usbvision-video: fix memory leak of alt_max_pkt_size
        usbvision: fix leak of usb_dev on failure paths in usbvision_probe()
        usbvision: fix crash on detecting device with invalid configuration
        usb: xhci: fix wild pointers in xhci_mem_cleanup
        usb: hcd: out of bounds access in for_each_companion
        crypto: gcm - Fix rfc4543 decryption crash
        nl80211: check netlink protocol in socket release notification
        Input: gtco - fix crash on detecting device without endpoints
        i2c: cpm: Fix build break due to incompatible pointer types
        EDAC: i7core, sb_edac: Don't return NOTIFY_BAD from mce_decoder callback
        ASoC: s3c24xx: use const snd_soc_component_driver pointer
        efi: Fix out-of-bounds read in variable_matches()
        workqueue: fix ghost PENDING flag while doing MQ IO
        USB: usbip: fix potential out-of-bounds write
        paride: make 'verbose' parameter an 'int' again
        fbdev: da8xx-fb: fix videomodes of lcd panels
        misc/bmp085: Enable building as a module
        rtc: vr41xx: Wire up alarm_irq_enable
        drivers/misc/ad525x_dpot: AD5274 fix RDAC read back errors
        include/linux/poison.h: fix LIST_POISON{1,2} offset
        Drivers: hv: vmbus: prevent cpu offlining on newer hypervisors
        perf stat: Document --detailed option
        ARM: OMAP3: Add cpuidle parameters table for omap3430
        compiler-gcc: disable -ftracer for __noclone functions
        ipvs: correct initial offset of Call-ID header search in SIP persistence engine
        nbd: ratelimit error msgs after socket close
        clk: versatile: sp810: support reentrance
        lpfc: fix misleading indentation
        ARM: SoCFPGA: Fix secondary CPU startup in thumb2 kernel
        proc: prevent accessing /proc/<PID>/environ until it's ready
        batman-adv: Fix broadcast/ogm queue limit on a removed interface
        MAINTAINERS: Remove asterisk from EFI directory names
        ACPICA: Dispatcher: Update thread ID for recursive method calls
        USB: serial: cp210x: add ID for Link ECU
        USB: serial: cp210x: add Straizona Focusers device ids
        Input: ads7846 - correct the value got from SPI
        powerpc: scan_features() updates incorrect bits for REAL_LE
        crypto: hash - Fix page length clamping in hash walk
        get_rock_ridge_filename(): handle malformed NM entries
        Input: max8997-haptic - fix NULL pointer dereference
        asmlinkage, pnp: Make variables used from assembler code visible
        ARM: OMAP3: Fix booting with thumb2 kernel
        decnet: Do not build routes to devices without decnet private data.
        route: do not cache fib route info on local routes with oif
        packet: fix heap info leak in PACKET_DIAG_MCLIST sock_diag interface
        atl2: Disable unimplemented scatter/gather feature
        net: fix infoleak in llc
        net: fix infoleak in rtnetlink
        VSOCK: do not disconnect socket when peer has shutdown SEND only
        net: bridge: fix old ioctl unlocked net device walk
        net: fix a kernel infoleak in x25 module
        fs/cifs: correctly to anonymous authentication via NTLMSSP
        ring-buffer: Use long for nr_pages to avoid overflow failures
        ring-buffer: Prevent overflow of size in ring_buffer_resize()
        mfd: omap-usb-tll: Fix scheduling while atomic BUG
        mmc: mmc: Fix partition switch timeout for some eMMCs
        mmc: longer timeout for long read time quirk
        Bluetooth: vhci: purge unhandled skbs
        USB: serial: keyspan: fix use-after-free in probe error path
        USB: serial: quatech2: fix use-after-free in probe error path
        USB: serial: io_edgeport: fix memory leaks in probe error path
        USB: serial: option: add support for Cinterion PH8 and AHxx
        tty: vt, return error when con_startup fails
        serial: samsung: Reorder the sequence of clock control when call s3c24xx_serial_set_termios()
        Linux 3.10.102

Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>

Conflicts:
	drivers/media/v4l2-core/v4l2-compat-ioctl32.c
	fs/pipe.c
	kernel/trace/trace_printk.c
	net/core/rtnetlink.c
	net/socket.c
2018-01-25 17:24:10 -07:00
Nathan Chancellor f55d0eed2e This is the 3.10.85 stable release

Merge 3.10.85 into android-msm-bullhead-3.10-oreo-m5

Changes in 3.10.85: (90 commits)
        ipr: Increase default adapter init stage change timeout
        Disable write buffering on Toshiba ToPIC95
        ALSA: hda - Add headset support to Acer Aspire V5
        ALSA: hda - Fix the dock headphone output on Fujitsu Lifebook E780
        ARC: add compiler barrier to LLSC based cmpxchg
        arm64: Do not attempt to use init_mm in reset_context()
        arm64: mm: Fix freeing of the wrong memmap entries with !SPARSEMEM_VMEMMAP
        arm64: vdso: work-around broken ELF toolchains in Makefile
        cpuidle / menu: Return (-1) if there are no suitable states
        regmap: Fix regmap_bulk_read in BE mode
        regulator: core: fix constraints output buffer
        spi: pl022: Specify 'num-cs' property as required in devicetree binding
        mtd: fix: avoid race condition when accessing mtd->usecount
        mtd: dc21285: use raw spinlock functions for nw_gpio_lock
        pinctrl: mvebu: armada-370: fix spi0 pin description
        pinctrl: mvebu: armada-xp: remove non-existing NAND pins
        pinctrl: mvebu: armada-xp: remove non-existing VDD cpu_pd functions
        pinctrl: mvebu: armada-xp: fix functions of MPP48
        Bluetooth: btusb: Fix memory leak in Intel setup routine
        ath9k: fix DMA stop sequence for AR9003+
        staging: rtl8712: prevent buffer overrun in recvbuf2recvframe
        ext4: fix race between truncate and __ext4_journalled_writepage()
        ext4: call sync_blockdev() before invalidate_bdev() in put_super()
        ext4: don't retry file block mapping on bigalloc fs with non-extent file
        ext4: fix reservation release on invalidatepage for delalloc fs
        ext4: be more strict when migrating to non-extent based file
        ext4: correctly migrate a file with a hole at the beginning
        ext4: replace open coded nofail allocation in ext4_free_blocks()
        jbd2: use GFP_NOFS in jbd2_cleanup_journal_tail()
        jbd2: fix ocfs2 corrupt when updating journal superblock fails
        i2c: at91: fix a race condition when using the DMA controller
        iio: DAC: ad5624r_spi: fix bit shift of output data value
        af9013: Don't accept invalid bandwidth
        s5h1420: fix a buffer overflow when checking userspace params
        cx24116: fix a buffer overflow when checking userspace params
        ASoC: wm8737: Fixup setting VMID Impedance control register
        ASoC: wm8955: Fix setting wrong register for WM8955_K_8_0_MASK bits
        ASoC: wm8903: Fix define for WM8903_VMID_RES_250K
        ASoC: wm8960: the enum of "DAC Polarity" should be wm8960_enum[1]
        libata: add ATA_HORKAGE_BROKEN_FPDMA_AA quirk for HP 250GB SATA disk VB0250EAVER
        libata: increase the timeout when setting transfer mode
        usb: dwc3: gadget: return error if command sent to DGCMD register fails
        usb: dwc3: gadget: return error if command sent to DEPCMD register fails
        usb: dwc3: Reset the transfer resource index on SET_INTERFACE
        USB: devio: fix a condition in async_completed()
        USB: cp210x: add ID for Aruba Networks controllers
        USB: option: add 2020:4000 ID
        usb: xhci: Bugfix for NULL pointer deference in xhci_endpoint_init() function
        dm btree remove: fix bug in redistribute3
        dm btree: silence lockdep lock inversion in dm_btree_del()
        mmc: block: Add missing mmc_blk_put() in power_ro_lock_show()
        drm/qxl: Do not cause spice-server to clean our objects
        drm/radeon: take the mode_config mutex when dealing with hpds (v2)
        drm/radeon: Don't flush the GART TLB if rdev->gart.ptr == NULL
        drm: add a check for x/y in drm_mode_setcrtc
        xfs: fix remote symlinks on V5/CRC filesystems
        vTPM: set virtual device before passing to ibmvtpm_reset_crq
        libata: add ATA_HORKAGE_NOTRIM
        libata: force disable trim for SuperSSpeed S238
        tracing/filter: Do not WARN on operand count going below zero
        tracing/filter: Do not allow infix to exceed end of string
        tracing: Have branch tracer use recursive field of task struct
        dmaengine: mv_xor: bug fix for racing condition in descriptors cleanup
        hwmon: (mcp3021) Fix broken output scaling
        md: fix a build warning
        Btrfs: use kmem_cache_free when freeing entry in inode cache
        fuse: initialize fc->release before calling it
        crush: fix a bug in tree bucket decode
        ACPICA: Tables: Fix an issue that FACS initialization is performed twice
        iscsi-target: Convert iscsi_thread_set usage to kthread.h
        iser-target: Fix possible deadlock in RDMA_CM connection error
        iser-target: release stale iser connections
        mmc: card: Fixup request missing in mmc_blk_issue_rw_rq
        __bitmap_parselist: fix bug in empty string handling
        mac80211: prevent possible crypto tx tailroom corruption
        USB: usbfs: allow URBs to be reaped after disconnection
        watchdog: omap: assert the counter being stopped before reprogramming
        NFS: Fix size of NFSACL SETACL operations
        fixing infinite OPEN loop in 4.0 stateid recovery
        nfs: increase size of EXCHANGE_ID name string buffer
        SUNRPC: Fix a memory leak in the backchannel code
        9p: forgetting to cancel request on interrupted zero-copy RPC
        9p: don't leave a half-initialized inode sitting around
        rbd: use GFP_NOIO in rbd_obj_request_create()
        agp/intel: Fix typo in needs_ilk_vtd_wa()
        hpfs: hpfs_error: Remove static buffer, use vsprintf extension %pV instead
        Fix firmware loader uevent buffer NULL pointer dereference
        qla2xxx: Mark port lost when we receive an RSCN for it.
        MIPS: KVM: Do not sign extend on unsigned MMIO load
        Linux 3.10.85

Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>

Conflicts:
	drivers/usb/dwc3/gadget.c
2018-01-25 16:57:12 -07:00
Greg Kroah-Hartman 1a21d8e3f1 UPSTREAM: USB: fix out-of-bounds in usb_set_configuration
commit bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb

Andrey Konovalov reported a possible out-of-bounds problem for a USB interface
association descriptor.  He writes:
	It seems there's no proper size check of a USB_DT_INTERFACE_ASSOCIATION
	descriptor. It's only checked that the size is >= 2 in
	usb_parse_configuration(), so find_iad() might do out-of-bounds access
	to intf_assoc->bInterfaceCount.

And he's right, we don't check for crazy descriptors of this type very well, so
resolve this problem.  Yet another issue found by syzkaller...

Bug: 69052055
Change-Id: I2cc3b5a66d16abd0fc567d69457fc90a45eb12d8
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-01-11 19:35:34 +00:00
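
The length check the commit message above says was missing, shown as an added user-space sketch (not the kernel's code and not part of the original commit): a descriptor walker that rejects any USB_DT_INTERFACE_ASSOCIATION descriptor shorter than the 8 bytes its fields occupy before reading bInterfaceCount. The function name, result struct and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define USB_DT_INTERFACE_ASSOCIATION      0x0b
#define USB_DT_INTERFACE_ASSOCIATION_SIZE 8   /* full size of the IAD */
#define IAD_OFF_INTERFACE_COUNT           3   /* offset of bInterfaceCount */

/* Hypothetical result type for this example. */
struct iad_scan {
    int accepted;    /* IADs that passed the size check */
    int rejected;    /* IADs whose bLength is too small to hold the fields */
    int interfaces;  /* sum of bInterfaceCount over accepted IADs */
};

/*
 * Walk a configuration descriptor blob. Every descriptor starts with
 * bLength, bDescriptorType. A bLength >= 2 check alone (the old behaviour
 * described in the report) lets a 3-byte "IAD" through, and reading
 * bInterfaceCount at offset 3 would then touch bytes that do not belong
 * to that descriptor. Returns 0 if the blob is well framed, -1 otherwise.
 */
int scan_iads(const uint8_t *buf, size_t len, struct iad_scan *out)
{
    size_t off = 0;

    out->accepted = out->rejected = out->interfaces = 0;
    while (len - off >= 2) {
        uint8_t blen = buf[off];
        uint8_t type = buf[off + 1];

        /* Framing: header must fit and descriptor must not overrun. */
        if (blen < 2 || blen > len - off)
            return -1;

        if (type == USB_DT_INTERFACE_ASSOCIATION) {
            if (blen < USB_DT_INTERFACE_ASSOCIATION_SIZE)
                out->rejected++;          /* skip it, never dereference */
            else {
                out->accepted++;
                out->interfaces += buf[off + IAD_OFF_INTERFACE_COUNT];
            }
        }
        off += blen;
    }
    return off == len ? 0 : -1;
}

/* Constructed sample: config header, valid IAD, 3-byte IAD, interface. */
static const uint8_t SAMPLE_CONFIG[] = {
    0x09, 0x02, 0x1d, 0x00, 0x02, 0x01, 0x00, 0x80, 0x32,  /* configuration */
    0x08, 0x0b, 0x00, 0x02, 0xff, 0x00, 0x00, 0x00,        /* IAD, count=2  */
    0x03, 0x0b, 0x00,                                      /* undersized IAD */
    0x09, 0x04, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x00,  /* interface     */
};

/* Constructed sample: last descriptor claims 9 bytes, only 4 are present. */
static const uint8_t SAMPLE_TRUNCATED[] = {
    0x08, 0x0b, 0x00, 0x01, 0xff, 0x00, 0x00, 0x00,
    0x09, 0x04, 0x00, 0x00,
};

int main(void)
{
    struct iad_scan r;
    int rc = scan_iads(SAMPLE_CONFIG, sizeof SAMPLE_CONFIG, &r);

    printf("rc=%d accepted=%d rejected=%d interfaces=%d\n",
           rc, r.accepted, r.rejected, r.interfaces);
    return 0;
}
```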
Dmitry V. Levin ce01649fc5 uapi: fix linux/packet_diag.h userspace compilation error
commit 745cb7f8a5de0805cade3de3991b7a95317c7c73 upstream.

Replace MAX_ADDR_LEN with its numeric value to fix the following
linux/packet_diag.h userspace compilation error:

/usr/include/linux/packet_diag.h:67:17: error: 'MAX_ADDR_LEN' undeclared here (not in a function)
  __u8 pdmc_addr[MAX_ADDR_LEN];

This is not the first case in the UAPI where the numeric value
of MAX_ADDR_LEN is used instead of symbolic one, uapi/linux/if_link.h
already does the same:

$ grep MAX_ADDR_LEN include/uapi/linux/if_link.h
	__u8 mac[32]; /* MAX_ADDR_LEN */

There are no UAPI headers besides these two that use MAX_ADDR_LEN.

Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Acked-by: Pavel Emelyanov <xemul@virtuozzo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2017-06-20 14:04:30 +02:00
Marc Kleine-Budde cf79690020 can: raw: raw_setsockopt: limit number of can_filter that can be set
commit 332b05ca7a438f857c61a3c21a88489a21532364 upstream.

This patch adds a check to limit the number of can_filters that can be
set via setsockopt on CAN_RAW sockets. Otherwise allocations > MAX_ORDER
are not prevented resulting in a warning.

Reference: https://lkml.org/lkml/2016/12/2/230

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2017-06-20 08:03:01 +02:00
Andrew Chant 69ff3a22bb Merge July 2017 security patches
Merge 'android-msm-bullhead-3.10-nyc-mr2' into
'android-msm-bullhead-3.10'

July 2017.1

Bug: 38137577
Change-Id: Id2935b141bbaa52d6ec63648551ac5dec3e21487
2017-05-17 23:07:26 -07:00
Dennis Cagle 2c2206a977 ashmem: remove cache maintenance support
The cache maintenance routines in ashmem were causing
several security issues. Since they are not being used
anymore by any drivers, it's well to remove them entirely.

Bug: 34126808
Bug: 34173755
Bug: 34203176
CRs-Fixed: 1107034, 2001129, 2007786
Change-Id: I955e33d90b888d58db5cf6bb490905283374425b
Signed-off-by: Sudarshan Rajagopalan <sudaraja@codeaurora.org>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
2017-05-17 17:24:19 +00:00
Hareesh Gundu 6ddd277a82 msm: kgsl: Allow draw context to perform only replay on recovery
Robust context attempts to perform a rendering that takes too long,
whether due to an infinite loop in a shader or even just a rendering
operation that takes too long on the given hardware. These types of
attempts can result in GPU faults. A robust context expects the driver
to replay the IB instead of skipping the IB, and if it fails on replay
the context has to be invalidated.

KGSL_CONTEXT_INVALIDATE_ON_FAULT flag allows draw context to execute
only replay policy on GPU fault recovery instead of going to default
recovery policy. User space has to set this flag during the context
creation.

Bug: 34887800
Change-Id: If42dc5afc7d5ed1226b73ae5abfa2648d7acf2c3
Signed-off-by: Hareesh Gundu <hareeshg@codeaurora.org>
2017-04-21 16:30:08 +00:00
Maciej Żenczykowski dad64933db BACKPORT: ipv6 addrconf: implement RFC7559 router solicitation backoff
This implements:
  https://tools.ietf.org/html/rfc7559

Backoff is performed according to RFC3315 section 14:
  https://tools.ietf.org/html/rfc3315#section-14

We allow setting /proc/sys/net/ipv6/conf/*/router_solicitations
to a negative value meaning an unlimited number of retransmits,
and we make this the new default (inline with the RFC).

We also add a new setting:
  /proc/sys/net/ipv6/conf/*/router_solicitation_max_interval
defaulting to 1 hour (per RFC recommendation).

Signed-off-by: Maciej Żenczykowski <maze@google.com>
Acked-by: Erik Kline <ek@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit bd11f0741fa5a2c296629898ad07759dd12b35bb in
DaveM's net-next/master, should make Linus' tree in 4.9-rc1)
Change-Id: Ia32cdc5c61481893ef8040734e014bf2229fc39e
2017-04-11 16:47:07 +09:00
Joel Scherpelz e29230a913 net: ipv6: Add sysctl for minimum prefix len acceptable in RIOs.
This commit adds a new sysctl accept_ra_rt_info_min_plen that
defines the minimum acceptable prefix length of Route Information
Options. The new sysctl is intended to be used together with
accept_ra_rt_info_max_plen to configure a range of acceptable
prefix lengths. It is useful to prevent misconfigurations from
unintentionally blackholing too much of the IPv6 address space
(e.g., home routers announcing RIOs for fc00::/7, which is
incorrect).

Backport of net-next commit bbea124bc99d ("net: ipv6: Add sysctl for minimum prefix len acceptable in RIOs.")

[lorenzo@google.com: fixed conflicts in include/uapi/linux/ipv6.h]
Bug: 33333670
Test: net_test passes

Signed-off-by: Joel Scherpelz <jscherpelz@google.com>
Acked-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-07 06:22:09 +00:00
Srinivas Girigowda 823815f02f cfg80211: allow drivers to support random MAC addresses for scan
Add the necessary feature flags and a scan flag to support using
random MAC addresses for scan while unassociated.

The configuration for this supports an arbitrary MAC address
value and mask, so that any kind of configuration (e.g. fixed
OUI or full 46-bit random) can be requested. Full 46-bit random
is the default when no other configuration is passed.

Also add a small helper function to use the addr/mask correctly.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-commit: ad2b26abc157460ca6fac1a53a2bfeade283adfa
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next.git
[dasaris@codeaurora.org: backport to 3.18 excluding the changes in
 nl80211_parse_wowlan_nd]
Change-Id: Id30d201358654c77a99f46500178ebf975d609d5
CRs-Fixed: 1082480
Bug: 35436707
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
2017-02-16 14:25:11 -08:00
Pratyush Anand f7f849f70b BACKPORT: hw_breakpoint: Allow watchpoint of length 3,5,6 and 7
(cherry picked from commit 651be3cb085341a21847e47c694c249c3e1e4e5b)

We only support breakpoint/watchpoint of length 1, 2, 4 and 8. If we can
support other length as well, then user may watch more data with less
number of watchpoints (provided hardware supports it). For example: if we
have to watch only 4th, 5th and 6th byte from a 64 bit aligned address, we
will have to use two slots to implement it currently. One slot will watch a
half word at offset 4 and other a byte at offset 6. If we can have a
watchpoint of length 3 then we can watch it with single slot as well.

ARM64 hardware does support such functionality, therefore adding these new
definitions in generic layer.

Signed-off-by: Pratyush Anand <panand@redhat.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Pavel Labath <labath@google.com>
[pavel: tools/include/uapi/linux/hw_breakpoint.h is not present in this branch]
Change-Id: Ie17ed89ca526e4fddf591bb4e556fdfb55fc2eac
Bug: 30919905
2017-02-14 15:29:33 +00:00
Jerry Zhang 60ac2b4a37 usb: gadget: f_fs: Increase EP_ALLOC ioctl number
Prevent conflict with possible new upstream ioctls
before it itself is upstreamed.

Test: None
Change-Id: I10cbc01c25f920a626ea7559e8ca80ee08865333
Signed-off-by: Jerry Zhang <zhangjerry@google.com>
2017-02-08 16:19:40 -08:00
Patrick Tjin a848c65fb7 Merge branch android-msm-bullhead-3.10-nyc-mr2 into android-msm-bullhead-3.10 2017-01-26 12:02:30 -08:00
Theodore Ts'o f4387cc432 BACKPORT: random: introduce getrandom(2) system call
Almost clean cherry pick of c6e9d6f38894798696f23c8084ca7edbf16ee895,
includes change made by merge 0891ad829d2a0501053703df66029e843e3b8365.

The getrandom(2) system call was requested by the LibreSSL Portable
developers.  It is analogous to the getentropy(2) system call in
OpenBSD.

The rationale of this system call is to provide resilience against
file descriptor exhaustion attacks, where the attacker consumes all
available file descriptors, forcing the use of the fallback code where
/dev/[u]random is not available.  Since the fallback code is often not
well-tested, it is better to eliminate this potential failure mode
entirely.

The other feature provided by this new system call is the ability to
request randomness from the /dev/urandom entropy pool, but to block
until at least 128 bits of entropy has been accumulated in the
/dev/urandom entropy pool.  Historically, the emphasis in the
/dev/urandom development has been to ensure that urandom pool is
initialized as quickly as possible after system boot, and preferably
before the init scripts start execution.

This is because changing /dev/urandom reads to block represents an
interface change that could potentially break userspace which is not
acceptable.  In practice, on most x86 desktop and server systems, in
general the entropy pool can be initialized before it is needed (and
in modern kernels, we will printk a warning message if not).  However,
on an embedded system, this may not be the case.  And so with this new
interface, we can provide the functionality of blocking until the
urandom pool has been initialized.  Any userspace program which uses
this new functionality must take care to assure that if it is used
during the boot process, that it will not cause the init scripts or
other portions of the system startup to hang indefinitely.

SYNOPSIS
	#include <linux/random.h>

	int getrandom(void *buf, size_t buflen, unsigned int flags);

DESCRIPTION
	The system call getrandom() fills the buffer pointed to by buf
	with up to buflen random bytes which can be used to seed user
	space random number generators (i.e., DRBG's) or for other
	cryptographic uses.  It should not be used for Monte Carlo
	simulations or other programs/algorithms which are doing
	probabilistic sampling.

	If the GRND_RANDOM flags bit is set, then draw from the
	/dev/random pool instead of the /dev/urandom pool.  The
	/dev/random pool is limited based on the entropy that can be
	obtained from environmental noise, so if there is insufficient
	entropy, the requested number of bytes may not be returned.
	If there is no entropy available at all, getrandom(2) will
	either block, or return an error with errno set to EAGAIN if
	the GRND_NONBLOCK bit is set in flags.

	If the GRND_RANDOM bit is not set, then the /dev/urandom pool
	will be used.  Unlike using read(2) to fetch data from
	/dev/urandom, if the urandom pool has not been sufficiently
	initialized, getrandom(2) will block (or return -1 with the
	errno set to EAGAIN if the GRND_NONBLOCK bit is set in flags).

	The getentropy(2) system call in OpenBSD can be emulated using
	the following function:

            int getentropy(void *buf, size_t buflen)
            {
                    int     ret;

                    if (buflen > 256)
                            goto failure;
                    ret = getrandom(buf, buflen, 0);
                    if (ret < 0)
                            return ret;
                    if (ret == buflen)
                            return 0;
            failure:
                    errno = EIO;
                    return -1;
            }

RETURN VALUE
       On success, the number of bytes that was filled in the buf is
       returned.  This may not be all the bytes requested by the
       caller via buflen if insufficient entropy was present in the
       /dev/random pool, or if the system call was interrupted by a
       signal.

       On error, -1 is returned, and errno is set appropriately.

ERRORS
	EINVAL		An invalid flag was passed to getrandom(2)

	EFAULT		buf is outside the accessible address space.

	EAGAIN		The requested entropy was not available, and
			getentropy(2) would have blocked if the
			GRND_NONBLOCK flag was not set.

	EINTR		While blocked waiting for entropy, the call was
			interrupted by a signal handler; see the description
			of how interrupted read(2) calls on "slow" devices
			are handled with and without the SA_RESTART flag
			in the signal(7) man page.

NOTES
	For small requests (buflen <= 256) getrandom(2) will not
	return EINTR when reading from the urandom pool once the
	entropy pool has been initialized, and it will return all of
	the bytes that have been requested.  This is the recommended
	way to use getrandom(2), and is designed for compatibility
	with OpenBSD's getentropy() system call.

	However, if you are using GRND_RANDOM, then getrandom(2) may
	block until the entropy accounting determines that sufficient
	environmental noise has been gathered such that getrandom(2)
	will be operating as a NRBG instead of a DRBG for those people
	who are working in the NIST SP 800-90 regime.  Since it may
	block for a long time, these guarantees do *not* apply.  The
	user may want to interrupt a hanging process using a signal,
	so blocking until all of the requested bytes are returned
	would be unfriendly.

	For this reason, the user of getrandom(2) MUST always check
	the return value, in case it returns some error, or if fewer
	bytes than requested was returned.  In the case of
	!GRND_RANDOM and small request, the latter should never
	happen, but the careful userspace code (and all crypto code
	should be careful) should check for this anyway!

	Finally, unless you are doing long-term key generation (and
	perhaps not even then), you probably shouldn't be using
	GRND_RANDOM.  The cryptographic algorithms used for
	/dev/urandom are quite conservative, and so should be
	sufficient for all purposes.  The disadvantage of GRND_RANDOM
	is that it can block, and the increased complexity required to
	deal with partially fulfilled getrandom(2) requests.

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Zach Brown <zab@zabbo.net>

Bug: http://b/29621447
Change-Id: I189ba74070dd6d918b0fdf83ff30bb74ec0f7556
(cherry picked from commit 4af712e8df998475736f3e2727701bd31e3751a9)
2017-01-25 19:06:23 -08:00
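The NOTES in the getrandom(2) commit message above require callers to check the return value for both errors and short returns. The following is an added example, not code from that commit: a fill loop that continues after short returns, retries EINTR, and reports EAGAIN. The names fill_random_from, fake_source and fake_partial_then_eagain are hypothetical, and the two fake sources are constructed stand-ins for the kernel so the loop can be exercised deterministically.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/random.h>

/* Same signature as getrandom(2), so a constructed source can stand in. */
typedef ssize_t (*rand_src_fn)(void *buf, size_t buflen, unsigned int flags);

/*
 * Fill buf with exactly len bytes from src. Returns 0 on success, or -1
 * with errno set. Short returns are continued, EINTR is retried, and any
 * other error (EAGAIN under GRND_NONBLOCK, EINVAL, EFAULT) is reported.
 * On failure the buffer is zeroed so a half-filled key is never used.
 */
static int fill_random_from(rand_src_fn src, void *buf, size_t len,
			    unsigned int flags)
{
	unsigned char *p = buf;
	size_t done = 0;

	while (done < len) {
		ssize_t n = src(p + done, len - done, flags);

		if (n < 0 && errno == EINTR)
			continue;		/* interrupted: try again */
		if (n <= 0) {
			int saved = (n == 0) ? EIO : errno;

			memset(buf, 0, len);
			errno = saved;
			return -1;
		}
		done += (size_t)n;		/* short return: keep going */
	}
	return 0;
}

/* The real thing: flags = 0 reads the urandom pool. */
static int fill_random(void *buf, size_t len, unsigned int flags)
{
	return fill_random_from(getrandom, buf, len, flags);
}

/* Constructed source: at most 5 bytes per call, EINTR on every third call. */
static unsigned int fake_calls;
static ssize_t fake_source(void *buf, size_t buflen, unsigned int flags)
{
	size_t n = buflen < 5 ? buflen : 5;

	(void)flags;
	if (++fake_calls % 3 == 0) {
		errno = EINTR;
		return -1;
	}
	memset(buf, 0xA5, n);
	return (ssize_t)n;
}

/* Constructed source: 4 bytes once, then EAGAIN (pool not ready). */
static unsigned int partial_calls;
static ssize_t fake_partial_then_eagain(void *buf, size_t buflen,
					unsigned int flags)
{
	(void)flags;
	if (partial_calls++ == 0 && buflen >= 4) {
		memset(buf, 0x5A, 4);
		return 4;
	}
	errno = EAGAIN;
	return -1;
}

int main(void)
{
	unsigned char key[32];

	if (fill_random(key, sizeof(key), 0) != 0) {
		perror("getrandom");
		return 1;
	}
	printf("got %zu random bytes\n", sizeof(key));
	return 0;
}
```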
Daniel Rosenberg c3797a00b6 sdcardfs: Change magic value
Sdcardfs uses the same magic value as wrapfs.
This should not be the case. As it is entirely
in memory, the value can be changed without any
loss of compatibility.

Change-Id: I24200b805d5e6d32702638be99e47d50d7f2f746
Signed-off-by: Daniel Rosenberg <drosen@google.com>
2017-01-09 20:42:32 +00:00
Lorenzo Colitti a66ad98d08 net: core: add UID to flows, rules, and routes
- Define a new FIB rule attribute, FRA_UID_RANGE, to describe a
  range of UIDs.
- Define a RTA_UID attribute for per-UID route lookups and dumps.
- Support passing these attributes to and from userspace via
  rtnetlink. The value INVALID_UID indicates no UID was
  specified.
- Add a UID field to the flow structures.

[Backport of net-next 622ec2c9d52405973c9f1ca5116eb1c393adfc7d]

Bug: 16355602
Change-Id: I7e3ab388ed862c4b7e39dc8b0209d977cb1129ac
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-12-20 15:27:17 +09:00
Lorenzo Colitti e813633eff Revert "net: core: Support UID-based routing."
This reverts commit f6f535d3e0.

Bug: 16355602
Change-Id: I5987e276f5ddbe425ea3bd86861cee0ae22212d9
2016-12-20 15:27:17 +09:00
Jerry Zhang ab4be692ff usb: gadget: f_fs: Add ioctl for allocating endpoint buffers.
This creates an ioctl named FUNCTIONFS_ENDPOINT_ALLOC which will
preallocate buffers for a given size. Any reads/writes on that
endpoint below that size will use those buffers instead of allocating
their own. If the endpoint is not active, the buffer will not be
allocated until it becomes active.

Change-Id: I4da517620ed913161ea9e21a31f6b92c9a012b44
Signed-off-by: Jerry Zhang <zhangjerry@google.com>
2016-12-14 18:24:42 -08:00
Robert Baldyga 2f6156c390 usb: gadget: f_fs: add ioctl returning ep descriptor
This patch introduces ioctl named FUNCTIONFS_ENDPOINT_DESC, which
returns endpoint descriptor to userspace. It works only if function
is active.

Signed-off-by: Robert Baldyga <r.baldyga@samsung.com>
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Jerry Zhang <zhangjerry@google.com>
Change-Id: I55987bf0c6744327f7763b567b5a2b39c50d18e6
2016-12-14 13:49:46 -08:00
Andy Lutomirski a756dc0830 UPSTREAM: capabilities: ambient capabilities
Credit where credit is due: this idea comes from Christoph Lameter with
a lot of valuable input from Serge Hallyn.  This patch is heavily based
on Christoph's patch.

===== The status quo =====

On Linux, there are a number of capabilities defined by the kernel.  To
perform various privileged tasks, processes can wield capabilities that
they hold.

Each task has four capability masks: effective (pE), permitted (pP),
inheritable (pI), and a bounding set (X).  When the kernel checks for a
capability, it checks pE.  The other capability masks serve to modify
what capabilities can be in pE.

Any task can remove capabilities from pE, pP, or pI at any time.  If a
task has a capability in pP, it can add that capability to pE and/or pI.
If a task has CAP_SETPCAP, then it can add any capability to pI, and it
can remove capabilities from X.

Tasks are not the only things that can have capabilities; files can also
have capabilities.  A file can have no capability information at all [1].
If a file has capability information, then it has a permitted mask (fP)
and an inheritable mask (fI) as well as a single effective bit (fE) [2].
File capabilities modify the capabilities of tasks that execve(2) them.

A task that successfully calls execve has its capabilities modified for
the file ultimately being executed (i.e.  the binary itself if that
binary is ELF or for the interpreter if the binary is a script.) [3] In
the capability evolution rules, for each mask Z, pZ represents the old
value and pZ' represents the new value.  The rules are:

  pP' = (X & fP) | (pI & fI)
  pI' = pI
  pE' = (fE ? pP' : 0)
  X is unchanged

For setuid binaries, fP, fI, and fE are modified by a moderately
complicated set of rules that emulate POSIX behavior.  Similarly, if
euid == 0 or ruid == 0, then fP, fI, and fE are modified differently
(primarily, fP and fI usually end up being the full set).  For nonroot
users executing binaries with neither setuid nor file caps, fI and fP
are empty and fE is false.

As an extra complication, if you execute a process as nonroot and fE is
set, then the "secure exec" rules are in effect: AT_SECURE gets set,
LD_PRELOAD doesn't work, etc.

This is rather messy.  We've learned that making any changes is
dangerous, though: if a new kernel version allows an unprivileged
program to change its security state in a way that persists across
execution of a setuid program or a program with file caps, this
persistent state is surprisingly likely to allow setuid or file-capped
programs to be exploited for privilege escalation.

===== The problem =====

Capability inheritance is basically useless.

If you aren't root and you execute an ordinary binary, fI is zero, so
your capabilities have no effect whatsoever on pP'.  This means that you
can't usefully execute a helper process or a shell command with elevated
capabilities if you aren't root.

On current kernels, you can sort of work around this by setting fI to
the full set for most or all non-setuid executable files.  This causes
pP' = pI for nonroot, and inheritance works.  No one does this because
it's a PITA and it isn't even supported on most filesystems.

If you try this, you'll discover that every nonroot program ends up with
secure exec rules, breaking many things.

This is a problem that has bitten many people who have tried to use
capabilities for anything useful.

===== The proposed change =====

This patch adds a fifth capability mask called the ambient mask (pA).
pA does what most people expect pI to do.

pA obeys the invariant that no bit can ever be set in pA if it is not
set in both pP and pI.  Dropping a bit from pP or pI drops that bit from
pA.  This ensures that existing programs that try to drop capabilities
still do so, with a complication.  Because capability inheritance is so
broken, setting KEEPCAPS, using setresuid to switch to nonroot uids, and
then calling execve effectively drops capabilities.  Therefore,
setresuid from root to nonroot conditionally clears pA unless
SECBIT_NO_SETUID_FIXUP is set.  Processes that don't like this can
re-add bits to pA afterwards.

The capability evolution rules are changed:

  pA' = (file caps or setuid or setgid ? 0 : pA)
  pP' = (X & fP) | (pI & fI) | pA'
  pI' = pI
  pE' = (fE ? pP' : pA')
  X is unchanged

If you are nonroot but you have a capability, you can add it to pA.  If
you do so, your children get that capability in pA, pP, and pE.  For
example, you can set pA = CAP_NET_BIND_SERVICE, and your children can
automatically bind low-numbered ports.  Hallelujah!

Unprivileged users can create user namespaces, map themselves to a
nonzero uid, and create both privileged (relative to their namespace)
and unprivileged process trees.  This is currently more or less
impossible.  Hallelujah!

You cannot use pA to try to subvert a setuid, setgid, or file-capped
program: if you execute any such program, pA gets cleared and the
resulting evolution rules are unchanged by this patch.

Users with nonzero pA are unlikely to unintentionally leak that
capability.  If they run programs that try to drop privileges, dropping
privileges will still work.

It's worth noting that the degree of paranoia in this patch could
possibly be reduced without causing serious problems.  Specifically, if
we allowed pA to persist across executing non-pA-aware setuid binaries
and across setresuid, then, naively, the only capabilities that could
leak as a result would be the capabilities in pA, and any attacker
*already* has those capabilities.  This would make me nervous, though --
setuid binaries that tried to privilege-separate might fail to do so,
and putting CAP_DAC_READ_SEARCH or CAP_DAC_OVERRIDE into pA could have
unexpected side effects.  (Whether these unexpected side effects would
be exploitable is an open question.) I've therefore taken the more
paranoid route.  We can revisit this later.

An alternative would be to require PR_SET_NO_NEW_PRIVS before setting
ambient capabilities.  I think that this would be annoying and would
make granting otherwise unprivileged users minor ambient capabilities
(CAP_NET_BIND_SERVICE or CAP_NET_RAW for example) much less useful than
it is with this patch.

===== Footnotes =====

[1] Files that are missing the "security.capability" xattr or that have
unrecognized values for that xattr end up with has_cap set to false.
The code that does that appears to be complicated for no good reason.

[2] The libcap capability mask parsers and formatters are dangerously
misleading and the documentation is flat-out wrong.  fE is *not* a mask;
it's a single bit.  This has probably confused every single person who
has tried to use file capabilities.

[3] Linux very confusingly processes both the script and the interpreter
if applicable, for reasons that elude me.  The results from thinking
about a script's file capabilities and/or setuid bits are mostly
discarded.

Preliminary userspace code is here, but it needs updating:
https://git.kernel.org/cgit/linux/kernel/git/luto/util-linux-playground.git/commit/?h=cap_ambient&id=7f5afbd175d2

Here is a test program that can be used to verify the functionality
(from Christoph):

/*
 * Test program for the ambient capabilities. This program spawns a shell
 * that allows running processes with a defined set of capabilities.
 *
 * (C) 2015 Christoph Lameter <cl@linux.com>
 * Released under: GPL v3 or later.
 *
 *
 * Compile using:
 *
 *	gcc -o ambient_test ambient_test.o -lcap-ng
 *
 * This program must have the following capabilities to run properly:
 * Permissions for CAP_NET_RAW, CAP_NET_ADMIN, CAP_SYS_NICE
 *
 * A command to equip the binary with the right caps is:
 *
 *	setcap cap_net_raw,cap_net_admin,cap_sys_nice+p ambient_test
 *
 *
 * To get a shell with additional caps that can be inherited by other processes:
 *
 *	./ambient_test /bin/bash
 *
 *
 * Verifying that it works:
 *
 * From the bash spawned by ambient_test run
 *
 *	cat /proc/$$/status
 *
 * and have a look at the capabilities.
 */

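#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <linux/capability.h>
#include <cap-ng.h>

/*
 * Definitions from the kernel header files. These are going to be removed
 * when the /usr/include files have these defined.
 */
#ifndef PR_CAP_AMBIENT
#define PR_CAP_AMBIENT 47
#define PR_CAP_AMBIENT_RAISE 2
#endif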
static void set_ambient_cap(int cap)
{
	int rc;

	capng_get_caps_process();
	rc = capng_update(CAPNG_ADD, CAPNG_INHERITABLE, cap);
	if (rc) {
		printf("Cannot add inheritable cap\n");
		exit(2);
	}
	capng_apply(CAPNG_SELECT_CAPS);

	/* Note the two 0s at the end. Kernel checks for these */
	if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0)) {
		perror("Cannot set cap");
		exit(1);
	}
}

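int main(int argc, char **argv)
{
	/* argv[1] is the program to exec; refuse to run without it */
	if (argc < 2) {
		fprintf(stderr, "Usage: %s <program> [args...]\n", argv[0]);
		return 1;
	}

	set_ambient_cap(CAP_NET_RAW);
	set_ambient_cap(CAP_NET_ADMIN);
	set_ambient_cap(CAP_SYS_NICE);

	printf("Ambient_test forking shell\n");
	if (execv(argv[1], argv + 1))
		perror("Cannot exec");

	return 0;
}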

Signed-off-by: Christoph Lameter <cl@linux.com> # Original author
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Aaron Jones <aaronmdjones@gmail.com>
Cc: Ted Ts'o <tytso@mit.edu>
Cc: Andrew G. Morgan <morgan@kernel.org>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Austin S Hemmelgarn <ahferroin7@gmail.com>
Cc: Markku Savela <msa@moth.iki.fi>
Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: James Morris <james.l.morris@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 58319057b7847667f0c9585b9de0e8932b0fdb08)

Bug: 31038224
Test: Builds.
Change-Id: Ib4ebe89343b032765b3b1dc79dd3817192ad3788
Signed-off-by: Jorge Lucangeli Obes <jorgelo@google.com>
2016-12-05 12:10:41 -05:00
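The capability evolution rules from the ambient capabilities commit message above, as an added example that is not part of the commit: a small model of execve(2) with the pA mask, showing that an ordinary binary inherits pA while a file-capped binary clears it. The struct and function names are hypothetical, and the setuid/root rewriting of fP, fI and fE is assumed to have been applied by the caller rather than modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit numbers as in linux/capability.h. */
#define CAP_BIT(n)        (UINT64_C(1) << (n))
#define NET_BIND_SERVICE  CAP_BIT(10)
#define NET_RAW           CAP_BIT(13)

/* Task masks, named as in the commit message. */
struct task_caps { uint64_t pP, pI, pE, pA, X; };

/*
 * Capability view of the file passed to execve(2). Assumption: callers
 * supply fP, fI and fE as the setuid/root emulation would have left them.
 */
struct file_caps {
	bool has_file_caps, setuid_or_setgid, fE;
	uint64_t fP, fI;
};

/* Post-patch rules; with pA == 0 they reduce to the pre-patch rules. */
static struct task_caps exec_evolve(struct task_caps t, struct file_caps f)
{
	struct task_caps n;

	n.pA = (f.has_file_caps || f.setuid_or_setgid) ? 0 : t.pA;
	n.pP = (t.X & f.fP) | (t.pI & f.fI) | n.pA;
	n.pI = t.pI;
	n.pE = f.fE ? n.pP : n.pA;
	n.X  = t.X;
	return n;
}

/* Invariant: a bit may enter pA only if it is set in both pP and pI. */
static int ambient_raise(struct task_caps *t, uint64_t cap)
{
	if ((t->pP & t->pI & cap) != cap)
		return -1;
	t->pA |= cap;
	return 0;
}

/* Dropping a bit from pI drops it from pA too, so old drop code still works. */
static void drop_inheritable(struct task_caps *t, uint64_t cap)
{
	t->pI &= ~cap;
	t->pA &= ~cap;
}

int main(void)
{
	/* Constructed nonroot task holding only CAP_NET_BIND_SERVICE. */
	struct task_caps t = { .pP = NET_BIND_SERVICE, .pI = NET_BIND_SERVICE,
			       .pE = NET_BIND_SERVICE, .pA = 0, .X = ~UINT64_C(0) };
	struct file_caps plain = { 0 };
	struct file_caps capped = { .has_file_caps = true, .fE = true,
				    .fP = NET_RAW };
	struct task_caps c;

	c = exec_evolve(t, plain);
	printf("no pA, plain binary:   pP'=%#llx\n", (unsigned long long)c.pP);
	ambient_raise(&t, NET_BIND_SERVICE);
	c = exec_evolve(t, plain);
	printf("pA set, plain binary:  pP'=%#llx pE'=%#llx\n",
	       (unsigned long long)c.pP, (unsigned long long)c.pE);
	c = exec_evolve(t, capped);
	printf("pA set, file-capped:   pP'=%#llx pA'=%#llx\n",
	       (unsigned long long)c.pP, (unsigned long long)c.pA);
	return 0;
}
```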
Jerry Zhang e54305df68 Revert "Backport ioctl for getting descriptors."
This reverts commit c57495e6fc.
2016-10-31 17:46:03 -07:00
Jerry Zhang c57495e6fc Backport ioctl for getting descriptors.
This is needed for MTP to know if writes are aligned to packet size.

Change-Id: If504511e649d46eb8d52f1fafeda071dddeec263
Signed-off-by: Jerry Zhang <zhangjerry@google.com>
2016-10-31 17:20:13 -07:00
Robb Glasser 5120222996 Add padding field to fuse_open_out
Bug: 30222859
Change-Id: Iefc66a02a7692a6286dab9b30d4bad7d92afdd77
2016-09-26 17:29:54 -07:00
Lorenzo Colitti 2aae505375 net: inet: diag: expose the socket mark to privileged processes.
This adds the capability for a process that has CAP_NET_ADMIN on
a socket to see the socket mark in socket dumps.

Commit a52e95abf772 ("net: diag: allow socket bytecode filters to
match socket marks") recently gave privileged processes the
ability to filter socket dumps based on mark. This patch is
complementary: it ensures that the mark is also passed to
userspace in the socket's netlink attributes.  It is useful for
tools like ss which display information about sockets.

[backport of net-next d545caca827b65aab557a9e9dcdcf1e5a3823c2d]

Change-Id: I0c9708aae5ab8dfa296b8a1e6aecceb2a382415a
Tested: https://android-review.googlesource.com/270210
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-09-20 17:45:03 +09:00
Lorenzo Colitti c3636b6ef1 net: diag: allow socket bytecode filters to match socket marks
This allows a privileged process to filter by socket mark when
dumping sockets via INET_DIAG_BY_FAMILY. This is useful on
systems that use mark-based routing such as Android.

The ability to filter socket marks requires CAP_NET_ADMIN, which
is consistent with other privileged operations allowed by the
SOCK_DIAG interface such as the ability to destroy sockets and
the ability to inspect BPF filters attached to packet sockets.

[backport of net-next a52e95abf772b43c9226e9a72d3c1353903ba96f]

Change-Id: Ic02caf628a71007cc7c48c9da220b4088f5aa4f4
Tested: https://android-review.googlesource.com/261350
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Acked-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-09-20 17:44:59 +09:00
David Ahern 2b8a6a453a net: diag: Add support to filter on device index
Add support to inet_diag facility to filter sockets based on device
index. If an interface index is in the filter only sockets bound
to that index (sk_bound_dev_if) are returned.

[backport of net-next 637c841dd7a5f9bd97b75cbe90b526fa1a52e530]

Change-Id: Ib430cfb44f1b3b1a771a561247ee9140737e52fd
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-09-20 17:44:56 +09:00
Nikhilesh Reddy 702bb6170a fuse: Add support for shortcircuited read/write for files
Add support for shortcircuited read/write for files
when enabled through a userspace init option of
FUSE_SHORTCIRCUIT.

When FUSE_SHORTCIRCUIT is enabled all the reads and writes
to the fuse mount point go directly to the native filesystem
rather than through the fuse daemon. All requests that aren't
read/write still go through the userspace code.

This allows for significantly better performance on read and writes
and the difference between fuse and the native lower filesystem is
negligible.

Bug: 30222859
Change-Id: I49e21b77813595c2faec6fcba38a74e8f686d020
Signed-off-by: Nikhilesh Reddy <reddyn@codeaurora.org>
2016-09-13 08:53:29 -07:00
Thierry Strudel 2f33172175 Revert "fuse: Add support for fuse stacked I/O"
This reverts commit e24429f34d.

Bug: 30222859
Change-Id: I3bef9796686f356b125576760e1222b97731ff7c
2016-09-13 08:53:29 -07:00
H. Peter Anvin bb37dac1d9 linux/const.h: Add _BITUL() and _BITULL()
commit 2fc016c5bd8aad2e201cdf71b9fb4573f94775bd upstream.

Add macros for single bit definitions of a specific type.  These are
similar to the BIT() macro that already exists, but with a few
exceptions:

1. The namespace is such that they can be used in uapi definitions.
2. The type is set with the _AC() macro to allow it to be used in
   assembly.
3. The type is explicitly specified to be UL or ULL.

Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Link: http://lkml.kernel.org/n/tip-nbca8p7cg6jyjoit7klh3o91@git.kernel.org
[wt: backported to 3.10 only to keep next patch clean]

Signed-off-by: Willy Tarreau <w@1wt.eu>
2016-06-07 10:42:44 +02:00
Daniel Rosenberg 477dcf86b1 fuse: Add support for d_canonical_path
Allows FUSE to report to inotify that it is acting
as a layered filesystem. The userspace component
returns a string representing the location of the
underlying file. If the string cannot be resolved
into a path, the top level path is returned instead.

bug: 23904372
Change-Id: Iabdca0bbedfbff59e9c820c58636a68ef9683d9f
Signed-off-by: Daniel Rosenberg <drosen@google.com>
2016-04-26 14:04:36 -07:00
Daniel Campello 096dc0ac2c Initial port of sdcardfs
Change-Id: I5b5772a2bbff9f3a7dda641644630a7b8afacec0
(cherry picked from commit 725af4e5e73147c79c7788ab80eec1faf1a53477)
2016-03-29 17:59:49 -07:00
Srinivas Girigowda 94cf50d464 cfg80211: Add attributes describing prohibited channel bandwidth.
Since there are frequency bands (e.g. 5.9GHz) allowing channels
with only 10 or 5 MHz bandwidth, this patch adds attributes that
allow keeping track of this information.

When channel attributes are reported to user-space, make sure to
not break old tools, i.e. if the 'split wiphy dump' is enabled,
report the extra attributes (if present) describing the bandwidth
restrictions.  If the 'split wiphy dump' is not enabled,
completely omit those channels that have flags set to either
IEEE80211_CHAN_NO_10MHZ or IEEE80211_CHAN_NO_20MHZ.

Add the check for new bandwidth restriction flags in
cfg80211_chandef_usable() to comply with the restrictions.

Signed-off-by: Rostislav Lisovy <rostislav.lisovy@fel.cvut.cz>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-commit: ea077c1cea36a6b5ded1256dcd56c72ff2a22c62
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Change-Id: I8610e5a7594099a99a28b699c42c40a2a62ab397
CRs-Fixed: 754373
Signed-off-by: Samuel Ahn <sahn@codeaurora.org>
Signed-off-by: Sunil Dutt <usdutt@codeaurora.org>
Signed-off-by: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
2016-02-19 21:56:10 +00:00
Srinivas Girigowda 951e222cd8 nl80211/cfg80211: add 5 and 10 MHz defines and wiphy flag.
Add defines for 5 and 10 MHz channel width and fix channel
handling functions accordingly.

Also check for and report the WIPHY_FLAG_SUPPORTS_5_10_MHZ
capability.

Signed-off-by: Simon Wunderlich <siwu@hrz.tu-chemnitz.de>
Signed-off-by: Mathias Kretschmer <mathias.kretschmer@fokus.fraunhofer.de>
[fix spelling in comment]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-commit: 2f301ab29e4656af824592363039d8f6bd5a9f68
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
CRs-Fixed: 754373
Change-Id: Id0795fb95200f532589edfd8d0701c42fa27ebce
[sahn@codeaurora.org: resolve merge conflict by redefining
 WIPHY_FLAG_DFS_OFFLOAD to BIT(24) instead of BIT(22).
 WIPHY_FLAG_DFS_OFFLOAD is used internally only.]
Signed-off-by: Samuel Ahn <sahn@codeaurora.org>
Signed-off-by: Sunil Dutt <usdutt@codeaurora.org>
Signed-off-by: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
2016-02-19 21:56:03 +00:00
Srinivas Girigowda 9cfb426e7d msm: ipa: Support for wlan init before uC is loaded
uC is not loaded during wlan auto bootup. Provide
APIs to register callback for uC ready.

CRs-Fixed: 786658

Change-Id: Ia7c7c10108b7da697da4d97ece359c583355f0c7
Acked-by: Sunil Kumar Paidimarri <hisunil@qti.qualcomm.com>
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
Signed-off-by: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
2016-02-19 21:55:55 +00:00
Vineeta Srivastava e793ac05ce Revert "Revert "ASoC: msm: fix integer overflow for long duration offload playback""
This reverts commit 96cc7c3532999084f8a25f8d42b91e3e8e8c32b4.
2016-02-02 06:08:19 +00:00
Lorenzo Colitti 423a24852d net: diag: Add the ability to destroy a socket.
This patch adds a SOCK_DESTROY operation, a destroy function
pointer to sock_diag_handler, and a diag_destroy function
pointer.  It does not include any implementation code.

[Backport of net-next 64be0aed59ad519d6f2160868734f7e278290ac1]

Change-Id: I3db262a7e41f1f8452ff0968d4001234598190d8
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-01-27 16:38:34 +09:00
Nikhilesh Reddy e24429f34d fuse: Add support for fuse stacked I/O
Add support for filesystem stacked read/write of files
when enabled through a userspace init option of FUSE_STACKED_IO.

When FUSE_STACKED_IO is enabled all the reads and writes
to the fuse mount point go directly to the native filesystem
rather than through the fuse daemon. All requests that aren't
read/write still go through the userspace code.

Mmaped I/O is still not supported through stacking and can be
added in.

This allows for significantly better performance on read and writes.
The difference in performance between fuse and the native lower
filesystem is negligible.

There is also a significant cpu/power savings that is achieved which
is really important on embedded systems that use fuse for I/O

Change-Id: Ic2e6b69df5acd92844999a0b7dd9c1c1db185d50
Signed-off-by: Nikhilesh Reddy <reddyn@codeaurora.org>
2016-01-14 11:43:28 -08:00
Ranjith Kagathi Ananda 4f1c4b5b3e msm:camera: Add "flags" to generic memory manager structure
Add flags to generic memory manager structure to communicate
v4l2 flags

BUG=24134544

Change-Id: I4b4c1cba050a0e2cb1c7036d94e2746289d80c55
Signed-off-by: Ranjith Kagathi Ananda <ranjith@codeaurora.org>
2015-10-15 00:04:29 +00:00