-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAABCAAGBQJW2MPMAAoJEDjbvchgkmk+xlkP/3pLYC8OxOPz11sBFOWDB6Jn
+/La3kW252TMcY7K8Z6R2UJC93HxXaCySAZTrLrwUL6mqpSStiHhX/1HQMI6If4c
jMtsbgWpU+HZzprPzY8IK6rdrZJKz+Nxu3LMuV0pYTAFKLnCa4d9bSYZ52UArVnC
w13KGpk/gnWTO7A6ZNx4dcRpMqYHWcG+eJsT9zdExmyk65qBCxhhUxXh+DijmSn7
QXrFJ4zjWr1kIdsk6Moat/HCTt/zvwMiWuHdnqYIzUSmvWZWbaQsqGw0cFvKM2hL
pOJ3zf3fgUY6fsV0vG+SFdrMmL6RtL/v0c2EGM5ZlYCIPbUZcK+XMlaEqOe6UAHz
hITIE+r03l2zqagWVb/2HOen8liHIxnfqUPYgHd6vmXz2qWXg9sWTsOhr3ZAQQLA
tf0JDjmx/KCyBmiA7ZyhRLeyhx0jD/csxxo14YME8N3tJCyw5gEIOgXlOLNxhWRu
uCqSN27FDnnf6ppbX1euMeWxzqi4DCZFMDJQT743V5sJIz10BsVR9HJS6mwyUioN
ia4qVc99JfSEsXuawlZhC44Ht+Z/tTSxQPcZjWMHvftGVfxS9AZVf85BM5zNa91t
52mtJivT25N7JxHE41iEQA9t4V1shCjGmEUKD4cVMKgC18cpXD/awDlJ1Or1YuAO
ro6ElZeHj+O3YETFp31/
=GlVi
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEJDfLduVEy2qz2d/TmXOSYMtstxYFAlpqdM8ACgkQmXOSYMts
txacfQ//SS35oIq6UFvp2viMaloy++Ec9fBNUqMI8GLbdJ25Fwt2lA0kuhOCR+dH
bHjwCsb/lo4uf0g+gYuQU4M9XqusWbmsQouTObILBidMt1K2MavKXLqzZsQ+bVD5
pDHLK9ZJwGqTpGgPLlRo1KLIPq+Byf2T+mWiAdoR873gJAJSDPns4PhjJIRvsv52
lnqnIDcjJ//7RzZkBv1hqlA294ttEKRfDqRk+WhLHAJVtnxwpbaiMyRjZgcXvxec
rvPgnppkkhIi/EyrJPU3GkZEce8bj3WQBVDLEw+4NxXNQGANwUEo14jgbBVZaQTg
/Wrx5QR8S+qqxCeKBN825oHcsgfRdLzmX28J13m6R3hW3RMTH0cTjjLTIW/Ms/LI
wiwBW8rYIwkSFUY6r2HYzi9goC9wm1bP/rAJ5n9OdcFkyHc7sVtqkejQEdfmHRfT
UQmIzxe8nH21j88xXXmZ2OiVv0AJqZDcc6rBwvhFdxXRqySdZDKzbl6l7tNXVDBM
amOzbk6pbv245Mbr9i6BvkhUsoWkAmNpX6ZZeo98RAiGsQs9cvUPllgzNZmW0+KW
uDRHreI1ZGBdr7tFYmUCP0JeJYNXv0K3I8bsKIbC97q9xGa/T73M9PFFpQ8r0Cot
hd+rsq+fGC6CuXsYg6xAcuVDwM4ljuHwKbAnQTYSEiXvGEd0dDM=
=iIAf
-----END PGP SIGNATURE-----
Merge 3.10.99 into android-msm-bullhead-3.10-oreo-m5
Changes in 3.10.99: (80 commits)
tracepoints: Do not trace when cpu is offline
drm/ast: Initialized data needed to map fbdev memory
netfilter: nf_conntrack: fix RCU race in nf_conntrack_find_get
bcache: unregister reboot notifier if bcache fails to unregister device
tools: Add a "make all" rule
drm/radeon: fix hotplug race at startup
efi: Disable interrupts around EFI calls, not in the epilog/prolog calls
dm thin metadata: fix bug when taking a metadata snapshot
dm thin: fix race condition when destroying thin pool workqueue
can: ems_usb: Fix possible tx overflow
USB: cp210x: add IDs for GE B650V3 and B850V3 boards
USB: option: add support for SIM7100E
USB: option: add "4G LTE usb-modem U901"
proc: Fix ptrace-based permission checks for accessing task maps
iw_cxgb3: Fix incorrectly returning error on success
MIPS: KVM: Fix ASID restoration logic
MIPS: KVM: Fix CACHE immediate offset sign extension
MIPS: KVM: Uninit VCPU in vcpu_create error path
splice: sendfile() at once fails for big files
Failing to send a CLOSE if file is opened WRONLY and server reboots on a 4.x mount
unix: correctly track in-flight fds in sending process user_struct
genirq: Prevent chip buslock deadlock
clocksource/drivers/vt8500: Increase the minimum delta
lockd: create NSM handles per net namespace
devres: fix a for loop bounds check
wm831x_power: Use IRQF_ONESHOT to request threaded IRQs
megaraid_sas: Do not use PAGE_SIZE for max_sectors
megaraid_sas : SMAP restriction--do not access user memory from IOCTL code
mmc: remove bondage between REQ_META and reliable write
mac: validate mac_partition is within sector
ARC: dw2 unwind: Remove falllback linear search thru FDE entries
vfs: Avoid softlockups with sendfile(2)
ring-buffer: Update read stamp with first real commit on page
virtio: fix memory leak of virtio ida cache layers
mac80211: mesh: fix call_rcu() usage
RDS: fix race condition when sending a message on unbound socket
can: sja1000: clear interrupts on start
sched/core: Remove false-positive warning from wake_up_process()
sata_sil: disable trim
dm btree: fix bufio buffer leaks in dm_btree_del() error path
vgaarb: fix signal handling in vga_get()
rfkill: copy the name into the rfkill struct
ses: Fix problems with simple enclosures
ses: fix additional element traversal bug
scripts: recordmcount: break hardlinks
Btrfs: add missing brelse when superblock checksum fails
Btrfs: igrab inode in writepage
Btrfs: send, don't BUG_ON() when an empty symlink is found
Btrfs: fix number of transaction units required to create symlink
s390: fix normalization bug in exception table sorting
s390/dasd: prevent incorrect length error under z/VM after PAV changes
s390/dasd: fix refcount for PAV reassignment
uml: flush stdout before forking
uml: fix hostfs mknod()
media: dvb-core: Don't force CAN_INVERSION_AUTO in oneshot mode
gspca: ov534/topro: prevent a division by 0
tda1004x: only update the frontend properties if locked
dm snapshot: fix hung bios when copy error occurs
posix-clock: Fix return code on the poll method's error path
mmc: mmci: fix an ages old detection error
sparc64: fix incorrect sign extension in sys_sparc64_personality
drm/vmwgfx: respect 'nomodeset'
drm/radeon: clean up fujitsu quirks
drm/radeon: hold reference to fences in radeon_sa_bo_new
drm/radeon: use post-decrement in error handling
IB/qib: fix mcast detach when qp not attached
libceph: don't bail early from try_read() when skipping a message
cdc-acm:exclude Samsung phone 04e8:685d
rfkill: fix rfkill_fop_read wait_event usage
Revert "workqueue: make sure delayed work run in local cpu"
libata: fix sff host state machine locking while polling
PCI/AER: Flush workqueue on device remove to avoid use-after-free
nfs: fix nfs_size_to_loff_t
KVM: async_pf: do not warn on page allocation failures
tracing: Fix showing function event in available_events
sunrpc/cache: fix off-by-one in qword_get()
kernel/resource.c: fix muxed resource handling in __request_region()
do_last(): don't let a bogus return value from ->open() et.al. to confuse us
xen/pcifront: Fix mysterious crashes when NUMA locality information was extracted.
Linux 3.10.99
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAABCAAGBQJWz1zgAAoJEDjbvchgkmk+yU8P/10DITNzrhCfz5wbhvvn9Uvo
7H1DziOora3u9h8/rz6xqgFEz2/9cZ03KoLcpGha7kEFBsvgVhN3uSI0YFpVV2mT
8/oh1ADdkky3Pld0f7gDGydDvrmgqx83/69SQ8hDQ8Mr2QTaKNvK05QGC2/EO9kI
OcUAXjdAGglmf5rfhNhXodG/F2DtsA55uCzeyuBhcPE3bM7d4/48pwr1b2tW2CR8
hsprRvSz+kGgHXQy8jYdxKEI66OC/i22xVnxEc8PZmPZ0fFfmszzc9nzhcseWfpe
0JGgfwAtM8Va+bX4kfvqPpc2qR0r8Z2iEKNnAHnGutOvSWvow0l1OEedsb/+s1J6
/AYlPIkgTxwLDAwBIymPgowkEMOPVZzPL0tkoZI8wjB+eqUxxLlIa2dNByCyUs/U
1xTy+0UDMMDXG911mJl+yZFvd4R7lQUavIEStmMQ+A/Go2KrATaqIM8WETBlm7oH
s3hZ3E+RBWmfD/6JQwsJNkwv6yWeaRXNE+bj8C1r/uBdPyGqX9T22OaIOlio+I71
XBNEM5mrTlNeNVIUIKW29qmLBxBrH2LLwpv/dRyfOfzfhi1B+dl9+3sJauvrSmWi
jrR1khGmmaZcfOT2DVmpwlDQCQcyMcy8S8RTTAHhhuNmWtSjdc3TcfRlHXvP0sOu
ruXBufxernb94E7sqsvF
=LW9r
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEJDfLduVEy2qz2d/TmXOSYMtstxYFAlpqdMoACgkQmXOSYMts
txYJKxAAkVgmXLjjtJbCUkYLzohjXabtfF9ekfy7UPRdBU+PPRC2c8tHcR6LCqXd
v+hEiI80h72BqEVE4y3ztFZlhbpSonIcmRrG+/gWsWcWmY9S0owilHwhmrl3uvmC
Fvso6+5oWVvVXuM8I4Ul/3bXmScVhv/rh22iN2hhOS7WgEVdqlhmYHC/KIpRK+rD
dyUQ2eONgr14FyGswgK0zLaFKXvKhQfEjvAu4KXJek0sIPIUEVdZ5xgS2v4eLigN
W0+ewi4DCTESCU8GCnZwwU1OIbe2De09sPIVwBM644bOIJRxOJxnL0a11IjwOaye
P9ne98G3M1vTruiM+/dA40eGh7kFiKKlIqCO1mf1IqrQSYq+sNEuDSmD9XY+huRZ
ktDue8NcUmFgJzJxeRYfdatCNF/esfdIzuzbFnw+Jr+EPACn6FiOXFgkJkUpo204
wvv+nOhiYlSJQT81jqmVTn3iGyvZIJd15uCEryguNt8LmLafGlztYBZ5dSUkejcu
nAipexnYGyrufD5XhshZlcBt1S1FCQZd3lUBETmqLzP+hiZG76ti96i2ro2hnyM5
TWva2zmC1Cp89l0dWJjtNSohD4S6226Jc6ebHTDO/67gpsj3dlbH3IR7rDqKXgof
AFltzPMYnfMPYuDmANTu7vqlJGI5974xrDA1hRAUN49YVxD5YKk=
=fJ2P
-----END PGP SIGNATURE-----
Merge 3.10.98 into android-msm-bullhead-3.10-oreo-m5
Changes in 3.10.98: (55 commits)
ALSA: seq: Fix double port list deletion
wan/x25: Fix use-after-free in x25_asy_open_tty()
staging/speakup: Use tty_ldisc_ref() for paste kworker
pty: fix possible use after free of tty->driver_data
pty: make sure super_block is still valid in final /dev/tty close
AIO: properly check iovec sizes
ext4: fix potential integer overflow
Btrfs: fix hang on extent buffer lock caused by the inode_paths ioctl
perf: Fix inherited events vs. tracepoint filters
ptrace: use fsuid, fsgid, effective creds for fs access checks
tools lib traceevent: Fix output of %llu for 64 bit values read on 32 bit machines
tracing: Fix freak link error caused by branch tracer
klist: fix starting point removed bug in klist iterators
scsi: restart list search after unlock in scsi_remove_target
scsi_sysfs: Fix queue_ramp_up_period return code
iscsi-target: Fix rx_login_comp hang after login failure
Fix a memory leak in scsi_host_dev_release()
SCSI: Fix NULL pointer dereference in runtime PM
iscsi-target: Fix potential dead-lock during node acl delete
SCSI: fix crashes in sd and sr runtime PM
drivers/scsi/sg.c: mark VMA as VM_IO to prevent migration
scsi_dh_rdac: always retry MODE SELECT on command lock violation
scsi: fix soft lockup in scsi_remove_target() on module removal
iio:ad7793: Fix ad7785 product ID
iio: lpc32xx_adc: fix warnings caused by enabling unprepared clock
iio:ad5064: Make sure ad5064_i2c_write() returns 0 on success
iio: adis_buffer: Fix out-of-bounds memory access
iio: dac: mcp4725: set iio name property in sysfs
cifs: fix erroneous return value
nfs: Fix race in __update_open_stateid()
udf: limit the maximum number of indirect extents in a row
udf: Prevent buffer overrun with multi-byte characters
udf: Check output buffer length when converting name to CS0
ARM: 8519/1: ICST: try other dividends than 1
ARM: 8517/1: ICST: avoid arithmetic overflow in icst_hz()
fuse: break infinite loop in fuse_fill_write_pages()
mm: soft-offline: check return value in second __get_any_page() call
Input: elantech - add Fujitsu Lifebook U745 to force crc_enabled
Input: elantech - mark protocols v2 and v3 as semi-mt
Input: i8042 - add Fujitsu Lifebook U745 to the nomux list
iommu/vt-d: Fix 64-bit accesses to 32-bit DMAR_GSTS_REG
mm/memory_hotplug.c: check for missing sections in test_pages_in_a_zone()
xhci: Fix list corruption in urb dequeue at host removal
m32r: fix m32104ut_defconfig build fail
dma-debug: switch check from _text to _stext
scripts/bloat-o-meter: fix python3 syntax error
memcg: only free spare array when readers are done
radix-tree: fix race in gang lookup
radix-tree: fix oops after radix_tree_iter_retry
intel_scu_ipcutil: underflow in scu_reg_access()
x86/asm/irq: Stop relying on magic JMP behavior for early_idt_handlers
futex: Drop refcount if requeue_pi() acquired the rtmutex
ip6mr: call del_timer_sync() in ip6mr_free_table()
module: wrapper for symbol name.
Linux 3.10.98
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAABCAAGBQJWqv2IAAoJEDjbvchgkmk+180QAKqYrypT3cyClNOHGRFRaxID
Sxo8S9tr8apxaIeP/nfZH3fYXyoadKBwxet15PNYwGVex3jBIVO0M0kspNPu9guG
ogM0hf558EiWpdN5kydwCyN2ukJkhPP9r1ZQ5T84UcqflIboLDYXksqW1w8JX7wm
dumt8kbbnN42e9S1bXD79CRaBB+dkNBTg0fdfpCi7pOQvUQD9DAs/j6XM1ZkOouX
P+/vnIWbRwzbVqlJSaWNfBotlNsydosazJD9lg8iFIRDpVGJPKYbDMP2MPpyrmyA
mesNRIy0wD9cixXW6jMS3fkSOY27N5hZIYYVPWQ8vfCcooTej4GHw37C7Inlh8z6
iWf/sy1Hu+vniJKAr0BD86ocZxnaMv//BQtwCJZv3TfuQ93QkaRmEznEnCHYGN4M
thoaS7oYGfrJnsHKkh913Kr3K7QuvyFttOE058PloYzJbCPV+YVRa/UGyuR6qOCl
SbuSMXDdUDcf/Wznr6S6p6T2GIfM8GYvfm7hzIYwHpClCQpDR3lRdonDAg82mdMh
YCNbEZQ32+l8idBX/YG97MskMD869237yh4MLUUWoxLTbevAblkYSt81WuDO4Gya
PcWcB+zH4t2Y25W9yVoTKmaJSJPhT4ngNFSy7V8zKgVG2Vmz4YIuLRhd6N2/fGcd
FVSXw7uHZhrn+SEl+L6W
=tiwo
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEJDfLduVEy2qz2d/TmXOSYMtstxYFAlpqcPkACgkQmXOSYMts
txZ4uw/9Hej/LcL0HWcjPVYvTS/aESazHijvR4eX/nQwC5d01JjVprP63xk58W5W
qv/6hobuEiS/L3nlvTEleQ+NXmEFnt0SXme5bBYHl/BeWwHSd5fPQpOcPm/Wul39
L1SuaNcLkf/+dW8asr5X6R0zUrPRaUhAmIwaRy79u/vr/tdJoTygAt5xRWxYZYLT
etUYPpZPKNm5UVZ0Zb0ppJlTrQWJPRpuhsM9hXoL37fPOk7yDbXXzmfo4VkHrFVm
8RM7PZIa4rVkN6rH2cZyH3aPj11CRB2VHe09Zj/by86rgXFEbccO70MwPoE66w4Z
Q7rdAo6rx0MErcTAp/zx27IcFiQD9xfeDqbWG8By5CwaEACu2PwW2jl4FTy4UY2B
sFX05SKFnJE/tWuQCictvlJ2QMIoJCb5VLv3bjmaco2/hnrn2aPvfMReXVthWXlx
WkUNw9LoP8f4OC2v6I+SnliN9QM1JBQ3u2cEEF2ul8wksPFsRTBUqQhXtdoUFexO
TThtRmSkpbXe8ZHIaIFVnQWiUO28Z50lkZo+axLH+soxNVWUJD2MgzjKMLj70a9k
2PR9gZIC9UBLGtnQm3hWommFFWCCUhfGtnWY77SRrE5CuyI00c4qmWAQRfFpa+nM
1DWw8fIv9w7t+RJ+xxs3umwXcwBKQ8EMUMsyZhnvoFgFqy93ZYg=
=QpjP
-----END PGP SIGNATURE-----
Merge 3.10.96 into android-msm-bullhead-3.10-oreo-m5
Changes in 3.10.96: (54 commits)
af_unix: fix incorrect revert of 'lock_interruptible' in stream receive code
x86/signal: Fix restart_syscall number for x32 tasks
xen/gntdev: Grant maps should not be subject to NUMA balancing
x86/xen: don't reset vcpu_info on a cancelled suspend
KVM: PPC: Book3S HV: Prohibit setting illegal transaction state in MSR
x86/reboot/quirks: Add iMac10,1 to pci_reboot_dmi_table[]
x86/boot: Double BOOT_HEAP_SIZE to 64KB
ipmi: move timer init to before irq is setup
ALSA: hda - Add Intel Lewisburg device IDs Audio
ALSA: hda - Apply pin fixup for HP ProBook 6550b
ALSA: rme96: Fix unexpected volume reset after rate changes
ALSA: hda - Add inverted dmic for Packard Bell DOTS
ALSA: hda - Set SKL+ hda controller power at freeze() and thaw()
ALSA: hda/realtek - Fix silent headphone output on MacPro 4,1 (v2)
ALSA: seq: Fix missing NULL check at remove_events ioctl
ALSA: seq: Fix race at timer setup and close
ALSA: timer: Harden slave timer list handling
ALSA: timer: Fix race among timer ioctls
ALSA: timer: Fix double unlink of active_list
ALSA: seq: Fix snd_seq_call_port_info_ioctl in compat mode
ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode
ALSA: hrtimer: Fix stall by hrtimer_cancel()
ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0
ASoC: wm8962: correct addresses for HPF_C_0/1
ASoC: arizona: Fix bclk for sample rates that are multiple of 4kHz
ASoC: compress: Fix compress device direction check
usb: xhci: fix config fail of FS hub behind a HS hub with MTT
USB: ipaq.c: fix a timeout loop
USB: cp210x: add ID for ELV Marble Sound Board 1
xhci: refuse loading if nousb is used
veth: don’t modify ip_summed; doing so treats packets with bad checksums as good.
ipv6/addrlabel: fix ip6addrlbl_get()
sctp: sctp should release assoc when sctp_make_abort_user return NULL in sctp_close
connector: bump skb->users before callback invocation
unix: properly account for FDs passed over unix sockets
bridge: Only call /sbin/bridge-stp for the initial network namespace
net: possible use after free in dst_release
tcp_yeah: don't set ssthresh below 2
phonet: properly unshare skbs in phonet_rcv()
isdn_ppp: Add checks for allocation failure in isdn_ppp_open()
ppp, slip: Validate VJ compression slot parameters completely
team: Replace rcu_read_lock with a mutex in team_vlan_rx_kill_vid
powerpc/tm: Block signal return setting invalid MSR state
powerpc: Make value-returning atomics fully ordered
powerpc: Make {cmp}xchg* and their atomic_ versions fully ordered
scripts/recordmcount.pl: support data in text section on powerpc
arm64: fix building without CONFIG_UID16
arm64: Clear out any singlestep state on a ptrace detach operation
arm64: mm: ensure that the zero page is visible to the page table walker
parisc iommu: fix panic due to trying to allocate too large region
HID: core: Avoid uninitialized buffer access
openrisc: fix CONFIG_UID16 setting
mn10300: Select CONFIG_HAVE_UID16 to fix build failure
Linux 3.10.96
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Conflicts:
arch/mn10300/Kconfig
sound/core/timer.c
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAABCAAGBQJWowK8AAoJEDjbvchgkmk+sFIP/3HvyY47jKTX7ykzRa78wJZK
0ihPIOzV1OjgjvfRQZ4d6olGDMDuP5YbSAc0gHlIy71FO/cP7uPYSKZI9IrJAwSB
ZEovaAS05nhbA1UuJFZo9V7JVYSc4IXNH/QoMvzJS+Zrpr0v0tlnxQSvP3kaeQpL
Z5dbSd27XyzPp7gYM87Bn+OMkI1tPl+addyhqe7YwJ3MM7OUluLsZYxf30exoPjH
bdckbaXVi1U+WUzA1OI7XboOuKQZh6NT+ZixheB7EQPvbN5kxZRDQKtNJWjnk24d
ycU0KfGC1VntMULWhwJnn+elTxrQf0aVWkJcZM6xBri+g0BmGIli1DAD1WyYj3c7
NSPDlTiNFcm95SUgDpB2PvT7Bue6T/0kRadpZJNgpjZgLtVMXo0r62Lo9Y11Y9Oa
jRqSf7f7BsUJ+X3SDylcXXL60uiz5DOLpAyMp8TmI9JBh1hTymUhiHcEHR9iSUz+
0QOw6P/XKfIXVe0qhzSeWXaRCKIFZIwWrNMztfj2U/SZtAmsoQ76Lpx2jCf/nqGz
3IFAQ/dVhcfLRvOrcYPKFsMDWiLKMJNVTeKe2a9ywh8WCWajROfZvozm856dY42F
gUTUn2MsAnm2T+wNnYcFZo0y2i8EaA4FfjEYfoUeEgyIDqc3w8+YjvgCFwDldLr4
oMm63KBsozCC09L5rRpU
=8AjQ
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEJDfLduVEy2qz2d/TmXOSYMtstxYFAlpqcIwACgkQmXOSYMts
txZYsA//V8o4K4DIOIKDba1XSfocbydB4MyS8+rfavpSyRlrRdSdsR4p29mCY97H
R3fem9CXUaRbW0gvQszYvZ7QgE/GgBeqAhuqIZzpX45F/o573XaPTFW7lSK1e4F/
zn+kn7sww21AlQVoc6EMHyTWXqNtrKwwAaItUD7M4j5ZSYZ6b6FCPABSnJWLoNdl
mkl2VmxcuOc48jgN3TV/K0igy4JxJlj94Uz3fomHcYdzCE2knHpkI2mP4ThOrmmn
VWVr3F+IuX11J5Y9iR5DEzMq8KL9K+0P7P/k8xzuriYXi58+LYtiLZ0KgPU6vkLD
1TvOlO/Katv2GOr2nHW4xo/NNtabkL0OaovuSHisbnqk1HXZHUMMvePDm45LY0Wl
h/AdFlCJbt/8lF4I9VrYHCLKMa7kRnKl15vJLiMic5IWm3GSprtg7bOWYx0koUff
ic5y/VduP6lJ6xfMDMKAO5yPFssCjxU+VBpVHF1zFe2ipeHnlCpG+q457Ic/PhRc
iMXicZtGDVQ+l3T0RvJqpB03bx9vVV5M+EOOVY/esMUXIN2zE5jBVW3D1LSdcNq3
cHeK0lILycbF0SfC3J72ASusbhu+tut4XIYXZEYWcbhxANTRhEudRqa+MwHQXBr/
VTbkaYoCXRJBVMOG7lVZPveMMzTrDhqzOklmHn3VdCcPkY+yrfE=
=SyC6
-----END PGP SIGNATURE-----
Merge 3.10.95 into android-msm-bullhead-3.10-oreo-m5
Changes in 3.10.95: (36 commits)
unix: avoid use-after-free in ep_remove_wait_queue
sctp: translate host order to network order when setting a hmacid
snmp: Remove duplicate OUTMCAST stat increment
net: qmi_wwan: add XS Stick W100-2 from 4G Systems
tcp: md5: fix lockdep annotation
tcp: initialize tp->copied_seq in case of cross SYN connection
net, scm: fix PaX detected msg_controllen overflow in scm_detach_fds
net: ipmr: fix static mfc/dev leaks on table destruction
net: ip6mr: fix static mfc/dev leaks on table destruction
broadcom: fix PHY_ID_BCM5481 entry in the id table
ipv6: distinguish frag queues by device for multicast and link-local packets
ipv6: sctp: implement sctp_v6_destroy_sock()
Btrfs: fix race leading to BUG_ON when running delalloc for nodatacow
ext4, jbd2: ensure entering into panic after recording an error in superblock
firewire: ohci: fix JMicron JMB38x IT context discovery
nfs4: start callback_ident at idr 1
nfs: if we have no valid attrs, then don't declare the attribute cache valid
USB: cdc_acm: Ignore Infineon Flash Loader utility
USB: cp210x: Remove CP2110 ID from compatibility list
USB: add quirk for devices with broken LPM
USB: whci-hcd: add check for dma mapping error
usb: Use the USB_SS_MULT() macro to decode burst multiplier for log message
gre6: allow to update all parameters via rtnl
atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation
sctp: update the netstamp_needed counter when copying sockets
ipv6: sctp: clone options to avoid use after free
net: add validation for the socket syscall protocol argument
sh_eth: fix kernel oops in skb_put()
pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
bluetooth: Validate socket address length in sco_sock_bind().
af_unix: Revert 'lock_interruptible' in stream receive code
KEYS: Fix race between key destruction and finding a keyring by name
KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring
KEYS: Fix race between read and revoke
KEYS: Fix keyring ref leak in join_session_keyring()
Linux 3.10.95
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Conflicts:
net/bluetooth/sco.c
net/unix/af_unix.c
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAABCAAGBQJWLskYAAoJEDjbvchgkmk+SuwP/151KbisBhxbvKfGEjdpp/CJ
4SVg8zEgRPhnlUoJKEpnWBf67I7SSz9FOpdG7x6CpA3sKbv3hiR3QYsD+L9HUIIN
MNHJyGaHkKkMoLWYj+WJXixy4gE1JLESgpxZ2JE979vdpFNzgIL+8W3DqxNO9deF
HzWv+VVX4SUeyd4O9uuVHsq7+NKgKzR2gAniRfeiYqw4Co/IMXNwV91nlS/Tt7E1
sqUw17UGLP0Jx5avI4o2P6e3nZhEAkzcPt8YIwBVN4PheNuUK5AHu5seGArUObiP
DfzFCsSgh6OJUSLawZ6Qw/zoJqDgWF8fBfDRbm+5vUJA49pF7xYG0dZFXkqHrCa1
SSYOi0H0OPnz/a5/qyW3jN8e3TEmoz6d58NetDUs6ogAoxpoCtR3m+OgfjXlRuvU
hIpA4GFa+duvatpAvYN+XFVJ1gUke1JGjBU+CKrZZFtE7M/hOWIw1FLcVkNzGun5
i/o9R05cW8muNcovFpipyW/vCpvBuG4qIiuHgn1H7iL0IxYvLxAI4RTPiLtN73Pi
MJ5E4CRpMJOvNZq01v5FD/VV6L9tgVGrdTg8PYkWGxE+e85E0ZMnqqfJ05jgxw4W
iOthNYpoIu0BFogljKXwMUjR8EzSLoe6tJoPzXWTndnCbSVii2Zigj6nFtUdZBqw
JK05rEMDE6+QVYABlhUu
=gSSH
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEJDfLduVEy2qz2d/TmXOSYMtstxYFAlpqcFMACgkQmXOSYMts
txb2+hAAsUnK2xFlpIhAXoy9PdEfCmbcUDc6rfToTv7e4JehC81IEEDiAE3+vwJh
mMwCkI1DkBEm9ECqvZLo4YiT2RZ0mkiuKn4mHdqbOZgVrJX+CMAlunwuVfBpZIab
fKjI2sJ7xf29s+TJfFgYw53iydnOgnhrOHrRXmGOWsPQMNPqvs+Vsk3ICaXQwtlx
TzWAZBonrKME2zpBgFK89JK9oaw8pzMF6hkFDcL65ZIWfE5M9xfxqW9DZ3mDRkeD
oo/qM7W38Sp9CN5PVgeXL2s+YnwIOhV/QzN8W2DuoMkGLPzmn5HmN/iIxjVpKSqR
bGVgwToxXYMXbjLrVn7SnwnpqZGkGcnkRPDH+Zc/OOdSrJqgf4VlkwFvwx3CSyXX
nW6OGWyw2Nt6zGJxRuXZtPdCO2tg0SPliU1bMVv9S+cHLcFbV0AlZONqKAweWMIS
5HXirtajV/SwciqWoSPFyuKa60Insusq4AvG5kQ6GnD1WN2IWIhslfkfAn4nmqEi
zn891Q8HlHPVOwH8WskvZ6mzlgUZo02Ve4AnQF0dmGzW9B7vI6sivJj9MQd536P1
aTuRNwZh/epY7K10DpcY3wnj7+0RAMQGdrcYGUxu0fzN1O7m67F9h8kElOuB81U6
ZVz75nDl8cQuLsuyHS28gza/2qQZwrP8bEpdAgVI5q67wHr7ATE=
=wnEo
-----END PGP SIGNATURE-----
Merge 3.10.92 into android-msm-bullhead-3.10-oreo-m5
Changes in 3.10.92: (18 commits)
l2tp: protect tunnel->del_work by ref_count
af_unix: Convert the unix_sk macro to an inline function for type safety
af_unix: return data from multiple SKBs on recv() with MSG_PEEK flag
skbuff: Fix skb checksum flag on skb pull
skbuff: Fix skb checksum partial check.
net: add pfmemalloc check in sk_add_backlog()
ppp: don't override sk->sk_state in pppoe_flush_dev()
ethtool: Use kcalloc instead of kmalloc for ethtool_get_strings
asix: Don't reset PHY on if_up for ASIX 88772
asix: Do full reset during ax88772_bind
m68k/uaccess: Fix asm constraints for userspace access
crypto: sparc - initialize blkcipher.ivsize
crypto: ahash - ensure statesize is non-zero
i2c: rcar: enable RuntimePM before registering to the core
workqueue: make sure delayed work run in local cpu
dm thin: fix missing pool reference count decrement in pool_ctr error path
rbd: fix double free on rbd_dev->header_name
Linux 3.10.92
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAABCAAGBQJWKVdBAAoJEDjbvchgkmk+wnQP/0DzHATjkB3+8HRtYAbsKGCi
9dCZQKYpsBpySWF17aF+PV5sVRFE57K6wmVz39d2j4XkFN2JWXRf6xL9Y1kaJ6kN
D/jn5zsCoIgq5laUpaJaCbeIKsDb3GNx5QUNy55cqceRYekfPkrjj1ayGQ92rqQw
F0fwppAzNeX+dZFtRIN9+OcQ03VE4+vfF/NPqnVaCXKD13rB+967b/rWU6vTladT
jHlrWdR88MaPXbep1RS4wJk4d+YjTwlYMb1SfMXfE2QnjVkqpWVEOTO2uaVoSgC/
Ihu8C0+EHq8+tVnXU3XQlG+jsOwviYPf7m0y2uq5RNnOU3nlQMta20S10yGQhJNR
ccGYN0ZphTdgDRsFD89qaiGphQK0QsxTp/BqB/7+Vnekq4K2AzhW4I0CT3qWJnPl
44P7R4aQp14uSrrAG1VgCHpu8ZnFYlpdpD49oyvR/KAiRlPyMGrtKM4fas5193Mf
Yx0D9JkFtLXHMks4k6g408N+qtdB6+K/KhZTYU69rfUqFtChFOBwMYafYIGj3O+R
gypvTypjhmPq8+wcrBxLAIzTQcvfT+7/w1IYzA4ewhx3aQvsIwX55chu1rIES6W7
fp3z+3vzY2nEPfryDC5GfxaiZDUjO9TG5CMdO/+P0/1LPpK4E1xRx5Tvc3+D0gUw
UXjt6P13kTwiCE2rZBBf
=fw+q
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEJDfLduVEy2qz2d/TmXOSYMtstxYFAlpqcEoACgkQmXOSYMts
txa7kg/+PmSiTnE01uoWAdd2h3ejiUPmxKoNPAMWNI1dO45Ow5D5hdqW90usKkYW
17jGCQlIIuILe0ctm1ZeiIGUZtMlFsFxt1H+fbsNWVaiS3MctyjZeusWj9BpiQ+Y
MmeFsM+yDtvk1ODbiydPiRKa+bIolUE6B0f/EtDppmDylTQQvtMYCXC7Qlhpy2X0
JZqtF6X58laCvbyTb7n441+aorKoyIlFsR/+Lzg1GwC/xGs4wWWNhJ0ExcGNLWb+
Ngbmwg7RBrzo4MAmkQM+fo0jQSRYwRvL7gpjbxQyaxlY638uhEezb9vydqQ36R9w
DpwrWKzmzP2EgbtTHmNf7/5LxoGAM1Buqyqk2wYqru6aD04rBdJDKKP5S3LM9dC4
ThCBzddhRKh9hze7Vf/2yzye/Lm/pHfmWnXQJbHyEjdhb43ve6NbhZ235zsr8cSp
GS0y3bPvR4WcFf5ddfHlpUfiLEB0CJF1tJEN5i+u9roYjao27FNg2W++/8iwkOTr
nfQTXz8pgRoqr5XNIgr3L5bwd+3d78hN9IyZYj/yDwBu523iDTZa9SCWR4LUhh/3
UlmukWRLepyBU681xnGzUC25/qVQxsiiF6za3/fQS5CxvxM4++pjz4Z8eu4ei0SV
U1aGwpnI2M4tgUaJjIRGP6TFJmFFHSnV1xhkIr2sTlzTayk6HHE=
=ITb8
-----END PGP SIGNATURE-----
Merge 3.10.91 into android-msm-bullhead-3.10-oreo-m5
Changes in 3.10.91: (55 commits)
scsi: fix scsi_error_handler vs. scsi_host_dev_release race
perf header: Fixup reading of HEADER_NRCPUS feature
ARM: 8429/1: disable GCC SRA optimization
windfarm: decrement client count when unregistering
x86/apic: Serialize LVTT and TSC_DEADLINE writes
x86/platform: Fix Geode LX timekeeping in the generic x86 build
Use WARN_ON_ONCE for missing X86_FEATURE_NRIPS
x86/mm: Set NX on gap between __ex_table and rodata
x86/xen: Support kexec/kdump in HVM guests by doing a soft reset
spi: Fix documentation of spi_alloc_master()
spi: spi-pxa2xx: Check status register to determine if SSSR_TINT is disabled
mm: hugetlbfs: skip shared VMAs when unmapping private pages to satisfy a fault
ALSA: synth: Fix conflicting OSS device registration on AWE32
ASoC: fix broken pxa SoC support
ASoC: dwc: correct irq clear method
btrfs: skip waiting on ordered range for special files
staging: comedi: adl_pci7x3x: fix digital output on PCI-7230
dm btree: add ref counting ops for the leaves of top level btrees
USB: option: add ZTE PIDs
dm raid: fix round up of default region size
netfilter: nf_conntrack: Support expectations in different zones
disabling oplocks/leases via module parm enable_oplocks broken for SMB3
drm: Reject DRI1 hw lock ioctl functions for kms drivers
USB: whiteheat: fix potential null-deref at probe
usb: xhci: Clear XHCI_STATE_DYING on start
xhci: change xhci 1.0 only restrictions to support xhci 1.1
usb: xhci: Add support for URB_ZERO_PACKET to bulk/sg transfers
Initialize msg/shm IPC objects before doing ipc_addid()
ipvs: do not use random local source address for tunnels
ipvs: fix crash with sync protocol v0 and FTP
udf: Check length of extended attributes and allocation descriptors
regmap: debugfs: Ensure we don't underflow when printing access masks
regmap: debugfs: Don't bother actually printing when calculating max length
security: fix typo in security_task_prctl
usb: Use the USB_SS_MULT() macro to get the burst multiplier.
usb: Add device quirk for Logitech PTZ cameras
USB: Add reset-resume quirk for two Plantronics usb headphones.
MIPS: dma-default: Fix 32-bit fall back to GFP_DMA
md: flush ->event_work before stopping array.
powerpc/MSI: Fix race condition in tearing down MSI interrupts
UBI: Validate data_size
UBI: return ENOSPC if no enough space available
IB/qib: Change lkey table allocation to support more MRs
dcache: Handle escaped paths in prepend_path
vfs: Test for and handle paths that are unreachable from their mnt_root
arm64: readahead: fault retry breaks mmap file read random detection
m68k: Define asmlinkage_protect
bonding: correct the MAC address for "follow" fail_over_mac policy
fib_rules: Fix dump_rules() not to exit early
genirq: Fix race in register_irq_proc()
x86: Add 1/2/4/8 byte optimization to 64bit __copy_{from,to}_user_inatomic
dm cache: fix NULL pointer when switching from cleaner policy
staging: speakup: fix speakup-r regression
3w-9xxx: don't unmap bounce buffered commands
Linux 3.10.91
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Conflicts:
kernel/irq/proc.c
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAABCAAGBQJWDQYBAAoJEDjbvchgkmk+PrcQAICXm5q6InTIv16/Q2PKdny6
iydBdhM8sBUYt2fFv0hOJgEXgzQ1HeNQ4JLNrfUHocoSw6gTq4e7pFN4AsyhoZzy
DB2ZQ6cpxK6C3QPUa0C+zevoY/LsJac5TkNKT5RCxGRRolPgtTgtFw9RIXZdGPYo
3Fpt8xrwBp+SS6cXUH7j7hJEeSCpcDN3P8xq1DcAmLX1fm8At9MLOujyaILQis4U
oSaAinjg7rfTYbIpZFYix6B9F8PGqWe6/+bKLljhQhH7V7oR7aAyGKfKM53Gr1/h
Y0j+FbLxa9GNeYlR/Kw79fiX8fMpW88qGQ26rSAVIN7JtMReu7CBRHY7/hvTsyrR
wYywcHs9+zDUDlDMbp/v5ecTBkXVNRecEJpKtd7wQ7P4M79K3lR3Ar8sNxRvnP77
IHLBBNQTzOagZLQXWAYfTdmsWXjf1J4Ij673Ae1DZf2/mkSp/3wXslDYwHbrLIP4
WIYDlqc8B4+TxyJWNPXflfI6c2/nWU0ASYP/bMGGA9Kg+hReMW2DrGY0MTYCsfPg
uhu9hq8AW9JIEwA5t8sj4iebq2U1Nl1QgdpuwmgolmROwmie7zf6+yuK6e7XKpwe
A5vC7fDNTNmZOOo2tcNIH5QdHjrF/S19Re3dd1J44eBtkYiR4KM7vuBTMCrYf7r8
cknJgSXzT1VMvcpM84Zq
=w0iE
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEJDfLduVEy2qz2d/TmXOSYMtstxYFAlpqcAwACgkQmXOSYMts
txZtmA/+IzGuQW8ZtcxJgkca+QNgod6AW32WiH5btVRwRe0SiifT1vFSqIouKSWI
rwIG0E2qDpYMitydli5zooSF5pUGW+zzyKiNElBQhbBQvZuS2VxUBlaqRvWXIk6e
heDueAC/0OfXTuDRNf4Omj9BcI78881LTz/VUd3NKkOrf4qA6Xjjj8HGIlGgYO0h
UtkbsGP2QzWo51X1Ad2TqZbs0rFP0kO2dOHIohVd4QQKIxNctLOj2+5oYpgxyNnA
uxGOGQp5JnBOolclT2yVTuKLSHLRIzdqX+fB/swxoUjmeFMEsj8KEEtfZEIP+vP3
b0rhNReA/v0j5Z6r/0oKtwqWm4p2aBjjhmmloMNu8xmpyxCnS5o9zits3HEzJ8EL
MJ/NbRIhIGi2eLtGHn54+yS9MeX5AWurzLI+iNw8SBnDRKdbAMy0iki+puLtNP1f
OaNmH67mHXNTt5juowHAMmbqb7UAHSIpHR1AthpahRZ+nSob9Z1I8b7aTvjB96n0
sYBoe2eDIIFS6hqvkFh5pfv4uH9Ut171yu0G5fI7J9mfRsPuPhwmk0ZhBTby2a2n
u8XuJe5oOwMphYCAZELdkfU6Y8ZpNWGySV7nIxKIc7bnYsDP/PukzbGqoITgtxU8
W6CDDk8TVH0aCtnodpgiIvihYoPUc2FpodRD2aQRgcPVomO//wc=
=qmSH
-----END PGP SIGNATURE-----
Merge 3.10.90 into android-msm-bullhead-3.10-oreo-m5
Changes in 3.10.90: (55 commits)
unshare: Unsharing a thread does not require unsharing a vm
rtlwifi: rtl8192cu: Add new device ID
tg3: Fix temperature reporting
mac80211: enable assoc check for mesh interfaces
arm64: kconfig: Move LIST_POISON to a safe value
arm64: compat: fix vfp save/restore across signal handlers in big-endian
arm64: head.S: initialise mdcr_el2 in el2_setup
ALSA: hda - Enable headphone jack detect on old Fujitsu laptops
ALSA: hda - Use ALC880_FIXUP_FUJITSU for FSC Amilo M1437
powerpc/mm: Fix pte_pagesize_index() crash on 4K w/64K hash
powerpc/rtas: Introduce rtas_get_sensor_fast() for IRQ handlers
Add radeon suspend/resume quirk for HP Compaq dc5750.
x86/mm: Initialize pmd_idx in page_table_range_init_count()
rc-core: fix remove uevent generation
NFSv4: don't set SETATTR for O_RDONLY|O_EXCL
NFS: nfs_set_pgio_error sometimes misses errors
parisc: Filter out spurious interrupts in PA-RISC irq handler
vmscan: fix increasing nr_isolated incurred by putback unevictable pages
fs: if a coredump already exists, unlink and recreate with O_EXCL
mmc: core: fix race condition in mmc_wait_data_done
md/raid10: always set reshape_safe when initializing reshape_position.
xen/gntdev: convert priv->lock to a mutex
hfs: fix B-tree corruption after insertion at position 0
IB/uverbs: reject invalid or unknown opcodes
IB/uverbs: Fix race between ib_uverbs_open and remove_one
IB/mlx4: Forbid using sysfs to change RoCE pkeys
IB/mlx4: Use correct SL on AH query under RoCE
hfs,hfsplus: cache pages correctly between bnode_create and bnode_free
sctp: fix ASCONF list handling
vhost/scsi: potential memory corruption
x86: bpf_jit: fix compilation of large bpf programs
ipv6: Make MLD packets to only be processed locally
net/tipc: initialize security state for new connection socket
bridge: mdb: zero out the local br_ip variable before use
net: pktgen: fix race between pktgen_thread_worker() and kthread_stop()
net: call rcu_read_lock early in process_backlog
net: Clone skb before setting peeked flag
net: Fix skb csum races when peeking
net: Fix skb_set_peeked use-after-free bug
bridge: mdb: fix double add notification
isdn/gigaset: reset tty->receive_room when attaching ser_gigaset
ipv6: lock socket in ip6_datagram_connect()
bonding: fix destruction of bond with devices different from arphrd_ether
inet: frags: fix defragmented packet's IP header for af_packet
netlink: don't hold mutex in rcu callback when releasing mmapd ring
rds: fix an integer overflow test in rds_info_getsockopt()
ip6_gre: release cached dst on tunnel removal
usbnet: Get EVENT_NO_RUNTIME_PM bit before it is cleared
ipv6: fix exthdrs offload registration in out_rt path
net/ipv6: Correct PIM6 mrt_lock handling
sctp: fix race on protocol/netns initialization
fib_rules: fix fib rule dumps across multiple skbs
vfs: Remove incorrect debugging WARN in prepend_path
Revert "iio: bmg160: IIO_BUFFER and IIO_TRIGGERED_BUFFER are required"
Linux 3.10.90
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAABCAAGBQJVv5fSAAoJEDjbvchgkmk+cCEP/08rxgFQc0/T4NHeojs8WJHm
lJKa+EqW9zEPiuCQ9b+MpXHHnvvwCLQ/aSW0f4kg6795jXW9xmea0iUDiGHV8sck
3M6Mg4rnrpOxfDUQYf6n1ajOGCtyCunjbekSD+qt5+gyjmj7Zn1xU+1iuyvaFouY
mnEH5VdBpOLkYLLH5mz996yFi95cSUrXUDNWEybUG0ce+T5rAPmwrzoqs6VAQ+8f
sPHYtWCY1Rdnww203L02Ske57GXk/yikEbEqTruVjg4i43XANfMUOYPZ6gfQV12J
Rzfb54XhXkMfgH5BYirKcAy3h/CMqw0AlxRWazyrJGshSIlw4Ftznrr1q9ba2720
4haXDmc5apJ0FG1Xl63+zhpQvJgKPAJ/BrFUqM7nQC4+IkcWNGfslygJCUcnoizT
SlmohUSYyeFZtqKtr5uO7FIVP6M73g7ZBDGOgWjWXTuFlqVCEM+14Tn/2acIBuBU
R5/c+ZNEjm/XQXHdHJIPNztG+hDxhHTrCtG8MwVabC+/2IjMyzJZFctEErKC7jI4
+n4TG2SfU06ypVHFRmhCc7xRrC29W0GYQ2nMgWVslL2E2cT3ttZeQA0osOT7vvtO
CgNZFub/bWXvhh9yeKeWr2tRijCcnjH4tK0Tf9SuY+JYz3lIkQb9MdaScuZKxl2g
mwDqJkXxXNwaNI6KeL09
=OvlT
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEJDfLduVEy2qz2d/TmXOSYMtstxYFAlpqbtgACgkQmXOSYMts
txZsgQ/6AsdHDYDrjM4MPw0EGej1oLq3QlYuCfRSFhtPYVPimDZJ7uc+8s5Cx143
M1ifgn9ZFXhteg0sMnwbV410CXaqc/4WZWnj0yMpTsP/SoMWPs/3gJhc+9wYnFvD
nP95ykDsH/vXlMyLjreQTZaRRhUWhMjJ8zTkzC+HaPw71B6k+KKBDEwdkxgu8u7p
TihWxAjqKULv41on088TdzX33lBsFD57z9JASjC27gxtlxBdYZsU3ZR1LiYHrXSb
Mc9CiETcj7reBQZzLo+IkLQK5S3WxMo/wMAUGh+20i4iEn07HGymsSgg1YsjtJ/a
aSmnqwPnGdcipM+RY0G4pGV4bit6OUp5La32rXnFGpp7JTYebp3C5f2NJGs/I7HY
KVwhmbS9lfHA8fpS6IG/WF/by9DsR/VTenBkCX3sQ3fggnkmIDceVv+TdnaITik0
/edZYK3vhENXfzeP1ZzpxE5husF9s63RwoStMvrEJot406KN72EBkrXcr0r2Jx/t
gzq+HSua929RjwE6MNMRMXPgGZA0if7JoWMXnBVHfWDFzvjgq68nI406imPN4ENM
kPJhclaHI+sgedO3PXlmnVSa44re37PQlUlQkmGGJjIRjWeI/GOC78+StDvRiJnn
4rj30RgwOJPvYTCpFPCjwNlkBlBPw79XiHaqIR5uU7uMCqhZ4E4=
=xdrR
-----END PGP SIGNATURE-----
Merge 3.10.85 into android-msm-bullhead-3.10-oreo-m5
Changes in 3.10.85: (90 commits)
ipr: Increase default adapter init stage change timeout
Disable write buffering on Toshiba ToPIC95
ALSA: hda - Add headset support to Acer Aspire V5
ALSA: hda - Fix the dock headphone output on Fujitsu Lifebook E780
ARC: add compiler barrier to LLSC based cmpxchg
arm64: Do not attempt to use init_mm in reset_context()
arm64: mm: Fix freeing of the wrong memmap entries with !SPARSEMEM_VMEMMAP
arm64: vdso: work-around broken ELF toolchains in Makefile
cpuidle / menu: Return (-1) if there are no suitable states
regmap: Fix regmap_bulk_read in BE mode
regulator: core: fix constraints output buffer
spi: pl022: Specify 'num-cs' property as required in devicetree binding
mtd: fix: avoid race condition when accessing mtd->usecount
mtd: dc21285: use raw spinlock functions for nw_gpio_lock
pinctrl: mvebu: armada-370: fix spi0 pin description
pinctrl: mvebu: armada-xp: remove non-existing NAND pins
pinctrl: mvebu: armada-xp: remove non-existing VDD cpu_pd functions
pinctrl: mvebu: armada-xp: fix functions of MPP48
Bluetooth: btusb: Fix memory leak in Intel setup routine
ath9k: fix DMA stop sequence for AR9003+
staging: rtl8712: prevent buffer overrun in recvbuf2recvframe
ext4: fix race between truncate and __ext4_journalled_writepage()
ext4: call sync_blockdev() before invalidate_bdev() in put_super()
ext4: don't retry file block mapping on bigalloc fs with non-extent file
ext4: fix reservation release on invalidatepage for delalloc fs
ext4: be more strict when migrating to non-extent based file
ext4: correctly migrate a file with a hole at the beginning
ext4: replace open coded nofail allocation in ext4_free_blocks()
jbd2: use GFP_NOFS in jbd2_cleanup_journal_tail()
jbd2: fix ocfs2 corrupt when updating journal superblock fails
i2c: at91: fix a race condition when using the DMA controller
iio: DAC: ad5624r_spi: fix bit shift of output data value
af9013: Don't accept invalid bandwidth
s5h1420: fix a buffer overflow when checking userspace params
cx24116: fix a buffer overflow when checking userspace params
ASoC: wm8737: Fixup setting VMID Impedance control register
ASoC: wm8955: Fix setting wrong register for WM8955_K_8_0_MASK bits
ASoC: wm8903: Fix define for WM8903_VMID_RES_250K
ASoC: wm8960: the enum of "DAC Polarity" should be wm8960_enum[1]
libata: add ATA_HORKAGE_BROKEN_FPDMA_AA quirk for HP 250GB SATA disk VB0250EAVER
libata: increase the timeout when setting transfer mode
usb: dwc3: gadget: return error if command sent to DGCMD register fails
usb: dwc3: gadget: return error if command sent to DEPCMD register fails
usb: dwc3: Reset the transfer resource index on SET_INTERFACE
USB: devio: fix a condition in async_completed()
USB: cp210x: add ID for Aruba Networks controllers
USB: option: add 2020:4000 ID
usb: xhci: Bugfix for NULL pointer deference in xhci_endpoint_init() function
dm btree remove: fix bug in redistribute3
dm btree: silence lockdep lock inversion in dm_btree_del()
mmc: block: Add missing mmc_blk_put() in power_ro_lock_show()
drm/qxl: Do not cause spice-server to clean our objects
drm/radeon: take the mode_config mutex when dealing with hpds (v2)
drm/radeon: Don't flush the GART TLB if rdev->gart.ptr == NULL
drm: add a check for x/y in drm_mode_setcrtc
xfs: fix remote symlinks on V5/CRC filesystems
vTPM: set virtual device before passing to ibmvtpm_reset_crq
libata: add ATA_HORKAGE_NOTRIM
libata: force disable trim for SuperSSpeed S238
tracing/filter: Do not WARN on operand count going below zero
tracing/filter: Do not allow infix to exceed end of string
tracing: Have branch tracer use recursive field of task struct
dmaengine: mv_xor: bug fix for racing condition in descriptors cleanup
hwmon: (mcp3021) Fix broken output scaling
md: fix a build warning
Btrfs: use kmem_cache_free when freeing entry in inode cache
fuse: initialize fc->release before calling it
crush: fix a bug in tree bucket decode
ACPICA: Tables: Fix an issue that FACS initialization is performed twice
iscsi-target: Convert iscsi_thread_set usage to kthread.h
iser-target: Fix possible deadlock in RDMA_CM connection error
iser-target: release stale iser connections
mmc: card: Fixup request missing in mmc_blk_issue_rw_rq
__bitmap_parselist: fix bug in empty string handling
mac80211: prevent possible crypto tx tailroom corruption
USB: usbfs: allow URBs to be reaped after disconnection
watchdog: omap: assert the counter being stopped before reprogramming
NFS: Fix size of NFSACL SETACL operations
fixing infinite OPEN loop in 4.0 stateid recovery
nfs: increase size of EXCHANGE_ID name string buffer
SUNRPC: Fix a memory leak in the backchannel code
9p: forgetting to cancel request on interrupted zero-copy RPC
9p: don't leave a half-initialized inode sitting around
rbd: use GFP_NOIO in rbd_obj_request_create()
agp/intel: Fix typo in needs_ilk_vtd_wa()
hpfs: hpfs_error: Remove static buffer, use vsprintf extension %pV instead
Fix firmware loader uevent buffer NULL pointer dereference
qla2xxx: Mark port lost when we receive an RSCN for it.
MIPS: KVM: Do not sign extend on unsigned MMIO load
Linux 3.10.85
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Conflicts:
drivers/usb/dwc3/gadget.c
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAABCAAGBQJVl0l6AAoJEDjbvchgkmk+zxsP/inK1pJeQd3q7k8/e8vg60yi
vtyuLZwcgZ5LqBeMBRYwXM5TRVgMsKYltIzLmZj/foK5cH+SrpANrFXZrjl6T32x
k1UMd/xY5yoylGmNdIUnLjgxMCQ0XCBVhASA7Xvh6OEdMinVmcgsoB8OJSrcQZy+
5HL30uBDO2QtBWLaioZikLie77JoDLQmCM83otlSsWd6f0A0eCRRJzJ7zS9UUxR1
wA1eNmhwvbGVQE1FNmBMhAdh7kSRkaR6wrOcn2qDoNXiZ87wVnKUSrKXxrXo1E3z
fFtui6dJUYlyjskfkFM+KJ8FaGkjShVWh9VJGQs3x3WGlQMZTrDhoOsKbwl8iFyl
58cJ/vojCe76pbxcL1g+koPRAe917C6yV7nR+yRi7Epsv5NwWwQfsR7OmMwIAulj
QIxqPos1a33DdNdesPYrZfUG1vcZ1JhNko4G8CIr5OmrPcZPe6QI1X3qwaM52ML0
nTDwjHxZGiruNl4OkDHfwX+aOXWKqJivqzWA239XDePz/peNL0DZJFCFc9Ado1h5
2bt1gNxn1Oiy0TPlDr3wLwjBjcYXIwICxGj0Hqh9hUv+IRL4JkfBUhG68koCgc2i
KbKZZioPamF7MvMukahF87f/SMOXYPhqs7pSKR9zzkzwLFBNpZ6h+rYvii8xB4LX
LztDlieyin8YFXI9MbM2
=YwGL
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEJDfLduVEy2qz2d/TmXOSYMtstxYFAlpqbKIACgkQmXOSYMts
txZZPg//fMdsCYndbngE1i784SkIo80ilvQkEfIvIXA6YlT+BSW0DedZ4yE1nMED
cf3NIaIYxtId6MyTqA7HUBZnq/j2Xoa4f3Nq9cY0S3X0NJjLRD8fd9LxGy0iUWkn
BiODFt/lXB8OiMCpAsV8u7/71oTeRC3RyKOHGjkyMT1+sGzWDzdq688R4/ZmajoF
nKjL6tBwSFmWY7yyCoJB+5me4UTHmM5hh0dq8JoOUTYdhoJtN8nBK79yOd5VJazZ
B2MmSPNgnGD0ieFY6yTa0WbpbM2vZGzJSAnRFdb9WpOh5LGcQ2Tbz/+kD5uRzQNQ
lykb+jhPaNYo3v60ufVK3Jhfy1si2O36V2GibZgDiJFcN3tgi5666Ho6PnB6dFs2
V9NxBChAdeRHd5eLfDvO5mZxZtnnO45zvoVT4BVjqBFXA66RIVENw2bYvS7NFSUw
K1e6YyUjV3WAd7Rmo4/tYPVfvwecEmC/vqMyXIugl5rOZ/5i8mol9qCU8tR6+JOQ
cWKWsJIPZebSUGZ6ByTR7v22UxwRwL8vAir5UwX5Qxa6HnfcefXjrcxgn854ORr8
nVSjRsJ8Q4cdC73Uja3gXmzcQkk67INWHfGqJBfS4nKSJrxD1WE1iPXTev9wlG7a
h7m3j0XudE2dNN/8EFat8GBuedekIu0K1AYx6ESTAWMvXIzOSX4=
=8vm4
-----END PGP SIGNATURE-----
Merge 3.10.83 into android-msm-bullhead-3.10-oreo-m5
Changes in 3.10.83: (23 commits)
fput: turn "list_head delayed_fput_list" into llist_head
get rid of s_files and files_lock
config: Enable NEED_DMA_MAP_STATE by default when SWIOTLB is selected
netfilter: nfnetlink_cthelper: Remove 'const' and '&' to avoid warnings
netfilter: Zero the tuple in nfnl_cthelper_parse_tuple()
include/linux/sched.h: don't use task->pid/tgid in same_thread_group/has_group_leader_pid
__ptrace_may_access() should not deny sub-threads
ACPICA: Utilities: Cleanup to convert physical address printing formats.
ACPICA: Utilities: Cleanup to remove useless ACPI_PRINTF/FORMAT_xxx helpers.
sb_edac: Fix erroneous bytes->gigabytes conversion
hpsa: refine the pci enable/disable handling
hpsa: add missing pci_set_master in kdump path
fs: take i_mutex during prepare_binprm for set[ug]id executables
x86/microcode/intel: Guard against stack overflow in the loader
Btrfs: make xattr replace operations atomic
xfrm: Increase the garbage collector threshold
ipv6: prevent fib6_run_gc() contention
ipv6: update ip6_rt_last_gc every time GC is run
d_walk() might skip too much
ARM: clk-imx6q: refine sata's parent
KVM: nSVM: Check for NRIPS support before updating control field
bus: mvebu: pass the coherency availability information at init time
Linux 3.10.83
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Conflicts:
fs/exec.c
fs/super.c
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAABCAAGBQJVcpElAAoJEDjbvchgkmk+19UP/AyyYNDVLsjpZUvoK+In6n8u
O65FZ0nCoA/pGs+tvXzLlXAv/0wdMTOcFD4OqQy0OS+DmgyMR/QxJHf7OVlaerUn
9Nb6aqTp4y6b82mi9qbr/sEGvR9gE9mZqE5pFNojR7fSW4KDEPm5V5FEk4qgEG4d
8MWXuX5GsTyIzDNjTUGsg/DyDoxuqFhUlv5CP4I8JFExCqea2o/HSH3AZCfVyWla
bloovnFBknjCgIEZPX5S///BRdktZ35tnz/K3JEsgPf0v9eFYlRDmqKT1MKxbp6X
pjScyuR1VtrGzUTrQU6nzXM4AbfqbPAFSKn98aLTPA8YOEgdLzpoxrW3hM4OrURu
2yVnfNZiou6qzHXMphCFnHnm5igCwh89os40I9jBxNfVPc3DBqH2jM4juFw4EGYO
4q1VHSN7gYOEQiqjG/NEruc4JPKHHqvmWyYwWiLLmEqGegTmOUqZDxJRnpXhyvuj
o2cSsepoMSWjQh1RLt8q0mzJ99Va6FN1DjyCC/5J5xASij2mfsSHMbAa5e/PrzhN
MGuuBdNvUfUfTozeBL38kkUizG6jovyo/CyjPayO65dVCxHLPbyL/kQv29OpV7L1
uZXL/UsHbLweDn6XCceiEARj36eFOW5mL3UbdgAtGHze4kB4fE0OtA00BqPqZsPP
hpE6S9BsLSxsbkNqMqXg
=dmNW
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEJDfLduVEy2qz2d/TmXOSYMtstxYFAlpqbBUACgkQmXOSYMts
txYKrQ/+NJ8kUv5i25sy6Tvj+fXrCEJIXUU8CO+2uif7MrNTMsm/z4sjGMAG4E1C
ZeJNVIV9ydhuLb1suErwChaFvEAMP+pI+6kg+5mdLZZx4JSok7hBwtUtBQ8vIJfr
9oLWN0ceaHbtxuSv/T93H5c35LVlsX6v6IV16ffF6dF/2kYd8Dwsm/g993zPZ6aO
x2+uj/+knf7xH5hmPaWaXwfp2fQtGGNK7T46s1th7WMuEIr+Fp0LHLIdWzOafQuu
dFIqCDKIbyNdpH6NBa8ZrbKvwcWqfVbw1YZiz7WULvw9LH8wUPdz3I9HPJf1uoWh
JR/rTVARWKOhYWitOaJOhsbTcMeYbj1cl910Zl/PjTDvGN9MKsbMQQnBMmeFbJcI
01EOeZR4Yxv/LBgLx1kVVbjlec5wG7fGd4DeBDlvBsT9NFJKUnek2ugbTI6ZUmt/
g+q5/MHaZaMdT3H3I7LC56FMDTzcMIFwH8yFtfN4HREeIMFTNeFgwqaKRCdBV5pX
zCrpVIG3MNte41MMfFdWmSfbteD/i3s2exOGdOi62IV1bu6Z+JGOzjNnqqSHvPIb
+jbU4ILOsG4zbn2a+zRZ03zb5D2TjaaEK+td0cZI4fptsB1NsBlfUsvdxAHGENIN
3/57Ghh8hUXgsvmmPx6C8I79vYNean8up+FkYOX5/gyxLP0+9a4=
=xlgy
-----END PGP SIGNATURE-----
Merge 3.10.80 into android-msm-bullhead-3.10-oreo-m5
Changes in 3.10.80: (46 commits)
staging: wlags49_h2: fix extern inline functions
drm/i915: Fix declaration of intel_gmbus_{is_forced_bit/is_port_falid}
staging, rtl8192e, LLVMLinux: Change extern inline to static inline
staging: rtl8712, rtl8712: avoid lots of build warnings
staging, rtl8192e, LLVMLinux: Remove unused inline prototype
kernel: use the gnu89 standard explicitly
net: socket: Fix the wrong returns for recvmsg and sendmsg
KVM: MMU: fix CR4.SMEP=1, CR0.WP=0 with shadow pages
fs, omfs: add NULL terminator in the end up the token list
lguest: fix out-by-one error in address checking.
libceph: request a new osdmap if lingering request maps to no osd
hwmon: (ntc_thermistor) Ensure iio channel is of type IIO_VOLTAGE
lib: Fix strnlen_user() to not touch memory after specified maximum
d_walk() might skip too much
ALSA: hda - Add Conexant codecs CX20721, CX20722, CX20723 and CX20724
ALSA: hda - Add headphone quirk for Lifebook E752
ASoC: mc13783: Fix wrong mask value used in mc13xxx_reg_rmw() calls
ASoC: wm8960: fix "RINPUT3" audio route error
ASoC: wm8994: correct BCLK DIV 348 to 384
target/pscsi: Don't leak scsi_host if hba is VIRTUAL_HOST
xhci: fix isoc endpoint dequeue from advancing too far on transaction error
xhci: Solve full event ring by increasing TRBS_PER_SEGMENT to 256
xhci: gracefully handle xhci_irq dead device
USB: visor: Match I330 phone more precisely
USB: pl2303: Remove support for Samsung I330
USB: cp210x: add ID for KCF Technologies PRN device
usb-storage: Add NO_WP_DETECT quirk for Lacie 059f:0651 devices
usb: gadget: configfs: Fix interfaces array NULL-termination
powerpc: Align TOC to 256 bytes
mmc: atmel-mci: fix bad variable type for clkdiv
ext4: convert write_begin methods to stable_page_writes semantics
ext4: check for zero length extent explicitly
libata: Add helper to determine when PHY events should be ignored
libata: Ignore spurious PHY event on LPM policy change
rt2x00: add new rt2800usb device DWA 130
crypto: s390/ghash - Fix incorrect ghash icv buffer handling.
ARM: dts: imx27: only map 4 Kbyte for fec registers
ARM: fix missing syscall trace exit
svcrpc: fix potential GSSX_ACCEPT_SEC_CONTEXT decoding failures
md/raid5: don't record new size if resize_stripes fails.
rtlwifi: rtl8192cu: Fix kernel deadlock
Input: elantech - fix semi-mt protocol for v3 HW
ACPI / init: Fix the ordering of acpi_reserve_resources()
vfs: read file_handle only once in handle_to_path
fs/binfmt_elf.c:load_elf_binary(): return -EINVAL on zero-length mappings
Linux 3.10.80
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAABCAAGBQJVSnIfAAoJEDjbvchgkmk+oZYQAMVn7/47hP0u6+24fUyyUM1i
3X58qPhPQJU+BHVTY67JXjBbc5RqXA45JXLXeZSL1oExD7mWmj6CTndqB4dogegE
OB+6D4eQpQwtURfNpEuFYBqKp5vQkHf8e5BMi1JKxX7dMgf6rQbUkI4Di93PfL0M
4kqyW2R6ZJICdvKgiLiRrHE1NINjt0eEWL+v2NF4S6U68/8pT29GyZKi1y+lX9rN
Qt7Gs8XBBIznfX3rb+L56Qk4SbCRnKw+5PyPoeg9r738Kh4977BmZG8C1IJBhZ5+
uBwDTjbrcBvnu3fjjav0OioFD0HmOqaQMPZ+xgGgo7GX339dQDgzY+THpiLKxxcj
qei4sZQB4mHrufiHpVnr6gZa9Sk6OptASqAlPfLOgLoUxNDb50IzRjW9Zwt9fXrd
thsDXXzh06RBLP89mgR95P92MC9+SuURAhCHD0iSgcjjkCV/rcrQKB1msT1uo+1f
Crf2uZa0g4ir7rUqUxrcsIoQL+3gCIY0DuFghyQEB655M6ANSJ/gbX4Q+x1NroDr
JSZkahuB6L1zxABUurbaeFpUzVbaWe+B3ZllKmF47U/fXA9wsRSv6mKOjg+eW39J
xGNfnoCtIfQSUtz/NszH7yrV1TE19jQs52A110cBcjOHBTTJtzmvXFm8QGSCLQKC
avMvZ84NgBOeaX73Rqzz
=wnEX
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEJDfLduVEy2qz2d/TmXOSYMtstxYFAlpqa+8ACgkQmXOSYMts
txZfIw//VQ0vu6wCHmmGgw2Cul8SOz9pO7udVa8zLcGFJqrcnWMkkks2sxun+3p8
91Zij1fMjGCjOEaw5NG0AOWi5rBFdMnM1egXJ7oEMgQcm5uxbGejh0dmUSI02kqn
5v9WLWXDLEjYUyeZnPCMG9C7NR30XNf+9ZfeLKc8qzGtUX4V2D5br6TK1YTxs0Tc
Jqtl6jWwmHVu9RMFKsrxnEtaBM3ZqhudUc9f1oaDLm5WuXO1QHoEWlb0KVxQy5/z
nbNX7vj3Bz1yPS0IsSYsGssf5/DUpR+XEcU1gAD+qkdY1Y2jmeFhhOjY1M281txU
1dLYDzqaTKPtU4z9X4WDpQgDrUGMx4kcrTgOAUN6ejmB9dNW0+2XvE8pF0WdghCv
UpVaoLXVTAT/9wLhqUEH4Q7bnTjEqceTNx6McpGPt2i1FY3D5VUU9DgXKcPA5IkI
vc/uFWx/EYKUGQxDWVAlSB0Tcpb/OWba5QQxFsZWNCAo5JSrhmnTthnAe7cqeqex
0xFWhGzE3NWGZQ68Lt/pucPH6TiISIsw6i173IreGijQdFEkHAiGteRhfvYIhDpo
s5Tr3V4hEVhzUwJjwTfigzkT01Vg4LLm+BcCJAtV8hySFIaJbuBq+gIK7UcsNon4
wlAgLhjWi/YNpnCDULJOwQlkBwgMvYLeur0PfT5dhMJWHxT8T5s=
=SSUg
-----END PGP SIGNATURE-----
Merge 3.10.77 into android-msm-bullhead-3.10-oreo-m5
Changes in 3.10.77: (65 commits)
ip_forward: Drop frames with attached skb->sk
tcp: fix possible deadlock in tcp_send_fin()
tcp: avoid looping in tcp_send_fin()
Btrfs: fix log tree corruption when fs mounted with -o discard
Btrfs: fix inode eviction infinite loop after cloning into it
usb: gadget: composite: enable BESL support
KVM: s390: Zero out current VMDB of STSI before including level3 data.
s390/hibernate: fix save and restore of kernel text section
KVM: use slowpath for cross page cached accesses
MIPS: Hibernate: flush TLB entries earlier
cdc-wdm: fix endianness bug in debug statements
spi: spidev: fix possible arithmetic overflow for multi-transfer message
ring-buffer: Replace this_cpu_*() with __this_cpu_*()
power_supply: lp8788-charger: Fix leaked power supply on probe fail
ARM: 8320/1: fix integer overflow in ELF_ET_DYN_BASE
ARM: S3C64XX: Use fixed IRQ bases to avoid conflicts on Cragganmore
usb: phy: Find the right match in devm_usb_phy_match
usb: define a generic USB_RESUME_TIMEOUT macro
usb: host: r8a66597: use new USB_RESUME_TIMEOUT
usb: host: isp116x: use new USB_RESUME_TIMEOUT
usb: host: xhci: use new USB_RESUME_TIMEOUT
usb: host: sl811: use new USB_RESUME_TIMEOUT
usb: core: hub: use new USB_RESUME_TIMEOUT
ALSA: emu10k1: don't deadlock in proc-functions
Input: elantech - fix absolute mode setting on some ASUS laptops
fs/binfmt_elf.c: fix bug in loading of PIE binaries
ptrace: fix race between ptrace_resume() and wait_task_stopped()
rtlwifi: rtl8192cu: Add new USB ID
rtlwifi: rtl8192cu: Add new device ID
parport: disable PC-style parallel port support on cris
drivers: parport: Kconfig: exclude h8300 for PARPORT_PC
console: Disable VGA text console support on cris
video: vgacon: Don't build on arm64
arm64: kernel: compiling issue, need delete read_current_timer()
ext4: make fsync to sync parent dir in no-journal for real this time
powerpc/perf: Cap 64bit userspace backtraces to PERF_MAX_STACK_DEPTH
tools/power turbostat: Use $(CURDIR) instead of $(PWD) and add support for O= option in Makefile
UBI: account for bitflips in both the VID header and data
UBI: fix out of bounds write
UBI: initialize LEB number variable
UBI: fix check for "too many bytes"
scsi: storvsc: Fix a bug in copy_from_bounce_buffer()
drivers: parport: Kconfig: exclude arm64 for PARPORT_PC
ACPICA: Utilities: split IO address types from data type models.
xtensa: xtfpga: fix hardware lockup caused by LCD driver
xtensa: provide __NR_sync_file_range2 instead of __NR_sync_file_range
Drivers: hv: vmbus: Fix a bug in the error path in vmbus_open()
mvsas: fix panic on expander attached SATA devices
stk1160: Make sure current buffer is released
IB/core: disallow registering 0-sized memory region
IB/core: don't disallow registering region starting at 0x0
IB/mlx4: Fix WQE LSO segment calculation
i2c: core: Export bus recovery functions
drm/radeon: fix doublescan modes (v2)
drm/i915: cope with large i2c transfers
RCU pathwalk breakage when running into a symlink overmounting something
ksoftirqd: Enable IRQs and call cond_resched() before poking RCU
e1000: add dummy allocator to fix race condition between mtu change and netpoll
lib: memzero_explicit: use barrier instead of OPTIMIZER_HIDE_VAR
wl18xx: show rx_frames_per_rates as an array as it really is
C6x: time: Ensure consistency in __init
memstick: mspro_block: add missing curly braces
nosave: consolidate __nosave_{begin,end} in <asm/sections.h>
s390: Fix build error
Linux 3.10.77
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Conflicts:
arch/arm64/kernel/time.c
fs/ext4/namei.c
This will come back as commit 1ad9a25dd0 ("mm: larger stack guard gap,
between vmas") in 3.10.107 and it causes a conflict with 3.10.76.
This reverts commit 25cd784141.
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAABCAAGBQJVM2NqAAoJEDjbvchgkmk+YtIQAKHNWU09GUrIxzg2va+9cVYI
pCyiUHd1JF/DLmWQG4TeBn4OowIqvwOuljPDg/0RoVrfX2cx33oAyo+R6Cgyay5c
1s7hPgTIsrV5QHTTWODXsV48fWE/AsqFqw01XvMnhMgFPRc3859Thh9zy29fwxjR
2xlzf5GBtWfmmuSLO8TtC1FOnvi7BuNKvhMR/5pJZ40kS1vpw6qpJvMPMSR2hEVT
fFfO87c9XPUhh94kRhMIaDoMk7OeZFbr0R7IJCW1WcUJVqFP8YQOK/YYLQmJERjG
OnGOF5W2VKGV0lWdMJ+NiNKZ3eLAjMHHqvzqbhl8ANU7AkRsw8bvwZeXjJJGFcqS
L9Ik94MakuuZDypyejZCC3QmlCGQUjR0PjmNGhuXZlPn63y0/dlxCEHlBxUdvdHh
OkfNDPMXqbRFzQ6ASjOPW0O41KiTOIw2oGezFkQRxq65KkGmBiCrHaEqmUtBLoP6
s5xPf7quMOvINn5GTEBTpZjGz4mH2UadCoRVXJ27Wn+KAxZqJgwpGodoyk+lHMc/
Xo3ndTVJGPnwKgAixkOINusEY2ne/TWyjPlGQBju/NoVTXsotdCf8HDtbRCY0mj4
EkxytoSnoI7/S2jGSFoUB8uDQuoQgveOSfe1IxUmWvBaIuUKHtM8h4n6f+Os7BzG
S+lI/rnXJHBkB8Oz1AGv
=vntV
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEJDfLduVEy2qz2d/TmXOSYMtstxYFAlpqaNgACgkQmXOSYMts
txaJrQ/+OLQnIVrcr0DdA1ZElDmt186GuGE4sNRorp8F+zNEmRKOwz0qXG8YmXq0
UzM9CvwYWdKtBVZFkFqOEEivgtrgmtcB8BEtki+MmOcQS0iMJD4XyZdwbgG1UUn/
JyQQcSLa4Bde2xkUEn/VUcxYjYYbwmhywYDIS0ApxMotFHu7NSVvtyYYUhnZXYmv
u3110UKu1va2R8gnxv9jN0PIe3yfFb5DaSQHrPcGkjeLhRM2W1ae2KYG1oBG7Yo/
7OCdRjGJTz+Hxzt1zGl1g6ROWZesy9/hnC+kWOif2QSkSEckWbM32dcCpQUh6Cmw
8GUs9yV7c8nMvNB8GWMGn8z8Mur5opt1r/FbVifgzlDZ8irFeVa5qkIVbdgCI4P1
cPui1+2Rgsocn5HbEoGNjGONtsn20YzC4EI2vWPkZVJirMB6J1HRLT8WGOLXoFB5
SnnDzLPnk7qAb5xIiAg1TaogrRk+2vwyHEf65OpAFGlYYL7Ng5019Zj4eetWO9OW
zZ7+kLSw8AWK5MTpZbLWVn6571oKenstNQM6nfOLkDH/YIXN4Q1JWIJSLG/Fcg+/
AY1hCKiJ0S3NipuHDQjCPA8es+AoIeHSLTKJPQ0I3AH36thEGIIFMiPAC1BRq+eX
ebmtn0N+ZErt3RTx/SBS80qfBJzakoU0dmdZOrT6+nQdZjhtqEU=
=uI+2
-----END PGP SIGNATURE-----
Merge 3.10.75 into android-msm-bullhead-3.10-oreo-m5
Changes in 3.10.75: (35 commits)
ALSA: hda - Add one more node in the EAPD supporting candidate list
ALSA: usb - Creative USB X-Fi Pro SB1095 volume knob support
ALSA: hda - Fix headphone pin config for Lifebook T731
selinux: fix sel_write_enforce broken return value
tcp: Fix crash in TCP Fast Open
IB/core: Avoid leakage from kernel to user space
IB/uverbs: Prevent integer overflow in ib_umem_get address arithmetic
iwlwifi: dvm: run INIT firmware again upon .start()
nbd: fix possible memory leak
mm/memory hotplug: postpone the reset of obsolete pgdat
writeback: add missing INITIAL_JIFFIES init in global_update_bandwidth()
writeback: fix possible underflow in write bandwidth calculation
radeon: Do not directly dereference pointers to BIOS area.
USB: ftdi_sio: Added custom PID for Synapse Wireless product
USB: ftdi_sio: Use jtag quirk for SNAP Connect E10
Defer processing of REQ_PREEMPT requests for blocked devices
iio: inv_mpu6050: Clear timestamps fifo while resetting hardware fifo
iio: imu: Use iio_trigger_get for indio_dev->trig assignment
dmaengine: omap-dma: Fix memory leak when terminating running transfer
cpuidle: ACPI: do not overwrite name and description of C0
usb: xhci: apply XHCI_AVOID_BEI quirk to all Intel xHCI controllers
cifs: fix use-after-free bug in find_writable_file
be2iscsi: Fix kernel panic when device initialization fails
ocfs2: _really_ sync the right range
iscsi target: fix oops when adding reject pdu
media: s5p-mfc: fix mmap support for 64bit arch
core, nfqueue, openvswitch: fix compilation warning
ipc: fix compat msgrcv with negative msgtyp
net: rds: use correct size for max unacked packets and bytes
net: llc: use correct size for sysctl timeout entries
kernel.h: define u8, s8, u32, etc. limits
IB/mlx4: Saturate RoCE port PMA counters in case of overflow
console: Fix console name size mismatch
pagemap: do not leak physical addresses to non-privileged userspace
Linux 3.10.75
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Conflicts:
fs/proc/task_mmu.c
include/linux/kernel.h
commit bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb
Andrey Konovalov reported a possible out-of-bounds problem for a USB interface
association descriptor. He writes:
It seems there's no proper size check of a USB_DT_INTERFACE_ASSOCIATION
descriptor. It's only checked that the size is >= 2 in
usb_parse_configuration(), so find_iad() might do out-of-bounds access
to intf_assoc->bInterfaceCount.
And he's right, we don't check for crazy descriptors of this type very well, so
resolve this problem. Yet another issue found by syzkaller...
Bug: 69052055
Change-Id: I2cc3b5a66d16abd0fc567d69457fc90a45eb12d8
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
It has been claimed that the PG implementation of 'su' has security
vulnerabilities even when disabled. Unfortunately, the people that
find these vulnerabilities often like to keep them private so they
can profit from exploits while leaving users exposed to malicious
hackers.
In order to reduce the attack surface for vulnerabilites, it is
therefore necessary to make 'su' completely inaccessible when it
is not in use (except by the root and system users).
Change-Id: I79716c72f74d0b7af34ec3a8054896c6559a181d
(cherry picked from commit 853e06c28f8655040d8c00f0ee2f1d72a1d8dc14)
The SNDRV_RAWMIDI_STREAM_{OUTPUT,INPUT} ioctls may reallocate
runtime->buffer while other kernel threads are accessing it. If the
underlying krealloc() call frees the original buffer, then this can turn
into a use-after-free.
Most of these accesses happen while the thread is holding runtime->lock,
and can be fixed by just holding the same lock while replacing
runtime->buffer, however we can't hold this spinlock while
snd_rawmidi_kernel_{read1,write1} are copying to/from userspace. We
need to add and acquire a new mutex to prevent this from happening
concurrently with reallocation. We hold this mutex during the entire
reallocation process, to also prevent multiple concurrent reallocations
leading to a double-free.
Signed-off-by: Daniel Rosenberg <drosen@google.com>
bug: 64315347
Change-Id: I05764d4f1a38f373eb7c0ac1c98607ee5ff0eded
commit 0a94efb5acbb6980d7c9ab604372d93cd507e4d8 upstream.
5c0338c68706 ("workqueue: restore WQ_UNBOUND/max_active==1 to be
ordered") automatically enabled ordered attribute for unbound
workqueues w/ max_active == 1. Because ordered workqueues reject
max_active and some attribute changes, this implicit ordered mode
broke cases where the user creates an unbound workqueue w/ max_active
== 1 and later explicitly changes the related attributes.
This patch distinguishes explicit and implicit ordered setting and
overrides from attribute changes if implict.
Signed-off-by: Tejun Heo <tj@kernel.org>
Fixes: 5c0338c68706 ("workqueue: restore WQ_UNBOUND/max_active==1 to be ordered")
Cc: Holger Hoffstätte <holger@applied-asynchrony.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 77d4b1d36926a9b8387c6b53eeba42bcaaffcea3 upstream.
Alexander reported various KASAN messages triggered in recent kernels
The problem is that ping sockets should not use udp_poll() in the first
place, and recent changes in UDP stack finally exposed this old bug.
Fixes: c319b4d76b ("net: ipv4: add IPPROTO_ICMP socket kind")
Fixes: 6d0bfe226116 ("net: ipv6: Add IPv6 support to the ping socket.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Sasha Levin <alexander.levin@verizon.com>
Cc: Solar Designer <solar@openwall.com>
Cc: Vasiliy Kulikov <segoon@openwall.com>
Cc: Lorenzo Colitti <lorenzo@google.com>
Acked-By: Lorenzo Colitti <lorenzo@google.com>
Tested-By: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[wt: removed the parts related to ping6 as 6d0bfe226116 is not in 3.10]
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit fa5f7b51fc3080c2b195fa87c7eca7c05e56f673 upstream.
This code causes a static checker warning because Smatch doesn't trust
anything that comes from skb->data. I've reviewed this code and I do
think skb->data can be controlled by the user here.
The sctp_event_subscribe struct has 13 __u8 fields and we want to see
if ours is non-zero. sn_type can be any value in the 0-USHRT_MAX range.
We're subtracting SCTP_SN_TYPE_BASE which is 1 << 15 so we could read
either before the start of the struct or after the end.
This is a very old bug and it's surprising that it would go undetected
for so long but my theory is that it just doesn't have a big impact so
it would be hard to notice.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 6b84202c946cd3da3a8daa92c682510e9ed80321 upstream.
Commit b1f5bfc27a19 ("sctp: don't dereference ptr before leaving
_sctp_walk_{params, errors}()") tried to fix the issue that it
may overstep the chunk end for _sctp_walk_{params, errors} with
'chunk_end > offset(length) + sizeof(length)'.
But it introduced a side effect: When processing INIT, it verifies
the chunks with 'param.v == chunk_end' after iterating all params
by sctp_walk_params(). With the check 'chunk_end > offset(length)
+ sizeof(length)', it would return when the last param is not yet
accessed. Because the last param usually is fwdtsn supported param
whose size is 4 and 'chunk_end == offset(length) + sizeof(length)'
This is a badly issue even causing sctp couldn't process 4-shakes.
Client would always get abort when connecting to server, due to
the failure of INIT chunk verification on server.
The patch is to use 'chunk_end <= offset(length) + sizeof(length)'
instead of 'chunk_end < offset(length) + sizeof(length)' for both
_sctp_walk_params and _sctp_walk_errors.
Fixes: b1f5bfc27a19 ("sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}()")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 93be2b74279c15c2844684b1a027fdc71dd5d9bf upstream.
gcc-7 complains that wl3501_cs passes NULL into a function that
then uses the argument as the input for memcpy:
drivers/net/wireless/wl3501_cs.c: In function 'wl3501_get_scan':
include/net/iw_handler.h:559:3: error: argument 2 null where non-null expected [-Werror=nonnull]
memcpy(stream + point_len, extra, iwe->u.data.length);
This works fine here because iwe->u.data.length is guaranteed to be 0
and the memcpy doesn't actually have an effect.
Making the length check explicit avoids the warning and should have
no other effect here.
Also check the pointer itself, since otherwise we get warnings
elsewhere in the code.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 237bbd29f7a049d310d907f4b2716a7feef9abf3 upstream.
It was possible for an unprivileged user to create the user and user
session keyrings for another user. For example:
sudo -u '#3000' sh -c 'keyctl add keyring _uid.4000 "" @u
keyctl add keyring _uid_ses.4000 "" @u
sleep 15' &
sleep 1
sudo -u '#4000' keyctl describe @u
sudo -u '#4000' keyctl describe @us
This is problematic because these "fake" keyrings won't have the right
permissions. In particular, the user who created them first will own
them and will have full access to them via the possessor permissions,
which can be used to compromise the security of a user's keys:
-4: alswrv-----v------------ 3000 0 keyring: _uid.4000
-5: alswrv-----v------------ 3000 0 keyring: _uid_ses.4000
Fix it by marking user and user session keyrings with a flag
KEY_FLAG_UID_KEYRING. Then, when searching for a user or user session
keyring by name, skip all keyrings that don't have the flag set.
Fixes: 69664cf16a ("keys: don't generate user and user session keyrings unless they're accessed")
Cc: <stable@vger.kernel.org> [v2.6.26+]
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
[wt: adjust context]
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 49cb77e297dc611a1b795cfeb79452b3002bd331 upstream.
This patch closes a race between se_lun deletion during configfs
unlink in target_fabric_port_unlink() -> core_dev_del_lun()
-> core_tpg_remove_lun(), when transport_clear_lun_ref() blocks
waiting for percpu_ref RCU grace period to finish, but a new
NodeACL mappedlun is added before the RCU grace period has
completed.
This can happen in target_fabric_mappedlun_link() because it
only checks for se_lun->lun_se_dev, which is not cleared until
after transport_clear_lun_ref() percpu_ref RCU grace period
finishes.
This bug originally manifested as NULL pointer dereference
OOPsen in target_stat_scsi_att_intr_port_show_attr_dev() on
v4.1.y code, because it dereferences lun->lun_se_dev without
a explicit NULL pointer check.
In post v4.1 code with target-core RCU conversion, the code
in target_stat_scsi_att_intr_port_show_attr_dev() no longer
uses se_lun->lun_se_dev, but the same race still exists.
To address the bug, go ahead and set se_lun>lun_shutdown as
early as possible in core_tpg_remove_lun(), and ensure new
NodeACL mappedlun creation in target_fabric_mappedlun_link()
fails during se_lun shutdown.
Reported-by: James Shen <jcs@datera.io>
Cc: James Shen <jcs@datera.io>
Tested-by: James Shen <jcs@datera.io>
Cc: stable@vger.kernel.org # 3.10+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit e1a10ef7fa876f8510aaec36ea5c0cf34baba410 upstream.
Pure refactor. This helper will be required in the xmit timer fix
later in the patch series. (Because the TLP logic will want to make
this calculation.)
[This version of the commit was compiled and briefly tested
based on top of v3.10.107.]
Change-Id: I1ccfba0b00465454bf5ce22e6fef5f7b5dd94d15
Fixes: 6ba8a3b19e ("tcp: Tail loss probe (TLP)")
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Nandita Dukkipati <nanditad@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 49d31c2f389acfe83417083e1208422b4091cd9e upstream.
take_dentry_name_snapshot() takes a safe snapshot of dentry name;
if the name is a short one, it gets copied into caller-supplied
structure, otherwise an extra reference to external name is grabbed
(those are never modified). In either case the pointer to stable
string is stored into the same structure.
dentry must be held by the caller of take_dentry_name_snapshot(),
but may be freely dropped afterwards - the snapshot will stay
until destroyed by release_dentry_name_snapshot().
Intended use:
struct name_snapshot s;
take_dentry_name_snapshot(&s, dentry);
...
access s.name
...
release_dentry_name_snapshot(&s);
Replaces fsnotify_oldname_...(), gets used in fsnotify to obtain the name
to pass down with event.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[carnil: backport 4.9: adjust context]
[bwh: Backported to 3.16:
- External names are not ref-counted, so copy them
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
[ghackmann@google.com: backported to 3.10: adjust context]
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Change-Id: I612e687cbffa1a03107331a6b3f00911ffbebd8e
Bug: 63689921
To test whether an address is aligned to PAGE_SIZE.
Cc: HATAYAMA Daisuke <d.hatayama@jp.fujitsu.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 0fa73b86ef0797ca4fde5334117ca0b330f08030)
Bug: 36007193
Change-Id: I7e912bb0dbd8c9737fb13c5b48acb54ee39dd5fc
This was reported many times, and this was even mentioned in commit
52ee2dfdd4 "pids: refactor vnr/nr_ns helpers to make them safe" but
somehow nobody bothered to fix the obvious problem: task_tgid_nr_ns()
is not safe because task->group_leader points to nowhere after the
exiting task passes exit_notify(), rcu_read_lock() can not help.
We really need to change __unhash_process() to nullify group_leader,
parent, and real_parent, but this needs some cleanups. Until then we
can turn task_tgid_nr_ns() into another user of __task_pid_nr_ns() and
fix the problem.
Reported-by: Troy Kensinger <tkensinger@google.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
(url: https://patchwork.kernel.org/patch/9913055/)
Bug: 31495866
Change-Id: I5e67b02a77e805f71fa3a787249f13c1310f02e2
commit 1be7107fbe18eed3e319a6c3e83c78254b693acb upstream.
Stack guard page is a useful feature to reduce a risk of stack smashing
into a different mapping. We have been using a single page gap which
is sufficient to prevent having stack adjacent to a different mapping.
But this seems to be insufficient in the light of the stack usage in
userspace. E.g. glibc uses as large as 64kB alloca() in many commonly
used functions. Others use constructs liks gid_t buffer[NGROUPS_MAX]
which is 256kB or stack strings with MAX_ARG_STRLEN.
This will become especially dangerous for suid binaries and the default
no limit for the stack size limit because those applications can be
tricked to consume a large portion of the stack and a single glibc call
could jump over the guard page. These attacks are not theoretical,
unfortunatelly.
Make those attacks less probable by increasing the stack guard gap
to 1MB (on systems with 4k pages; but make it depend on the page size
because systems with larger base pages might cap stack allocations in
the PAGE_SIZE units) which should cover larger alloca() and VLA stack
allocations. It is obviously not a full fix because the problem is
somehow inherent, but it should reduce attack space a lot.
One could argue that the gap size should be configurable from userspace,
but that can be done later when somebody finds that the new 1MB is wrong
for some special case applications. For now, add a kernel command line
option (stack_guard_gap) to specify the stack gap size (in page units).
Implementation wise, first delete all the old code for stack guard page:
because although we could get away with accounting one extra page in a
stack vma, accounting a larger gap can break userspace - case in point,
a program run with "ulimit -S -v 20000" failed when the 1MB gap was
counted for RLIMIT_AS; similar problems could come with RLIMIT_MLOCK
and strict non-overcommit mode.
Instead of keeping gap inside the stack vma, maintain the stack guard
gap as a gap between vmas: using vm_start_gap() in place of vm_start
(or vm_end_gap() in place of vm_end if VM_GROWSUP) in just those few
places which need to respect the gap - mainly arch_get_unmapped_area(),
and and the vma tree's subtree_gap support for that.
Original-patch-by: Oleg Nesterov <oleg@redhat.com>
Original-patch-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Hugh Dickins <hughd@google.com>
[wt: backport to 4.11: adjust context]
[wt: backport to 4.9: adjust context ; kernel doc was not in
admin-guide]
[wt: backport to 4.4: adjust context ; drop ppc hugetlb_radix changes]
[wt: backport to 3.18: adjust context ; no FOLL_POPULATE ;
s390 uses generic arch_get_unmapped_area()]
[wt: backport to 3.16: adjust context]
[wt: backport to 3.10: adjust context ; code logic in PARISC's
arch_get_unmapped_area() wasn't found ; code inserted into
expand_upwards() and expand_downwards() runs under anon_vma lock;
changes for gup.c:faultin_page go to memory.c:__get_user_pages();
included Hugh Dickins' fixes]
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 1ad9a25dd0)
Bug: 38413813
Change-Id: I07f79cec09c9e98fc3d82458f9a5f3f2e21e6ab4
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
This was found during userspace fuzzing test when a large size
allocation is made from ion
[<ffffffc00008a098>] show_stack+0x10/0x1c
[<ffffffc00119c390>] dump_stack+0x74/0xc8
[<ffffffc00020d9a0>] kasan_report_error+0x2b0/0x408
[<ffffffc00020dbd4>] kasan_report+0x34/0x40
[<ffffffc00020cfec>] __asan_storeN+0x15c/0x168
[<ffffffc00020d228>] memset+0x20/0x44
[<ffffffc00009b730>] __dma_alloc_coherent+0x114/0x18c
[<ffffffc00009c6e8>] __dma_alloc_noncoherent+0xbc/0x19c
[<ffffffc000c2b3e0>] ion_cma_allocate+0x178/0x2f0
[<ffffffc000c2b750>] ion_secure_cma_allocate+0xdc/0x190
[<ffffffc000c250dc>] ion_alloc+0x264/0xb88
[<ffffffc000c25e94>] ion_ioctl+0x1f4/0x480
[<ffffffc00022f650>] do_vfs_ioctl+0x67c/0x764
[<ffffffc00022f790>] SyS_ioctl+0x58/0x8c
Bug: 38195738
Signed-off-by: Rohit Vaswani <rvaswani@codeaurora.org>
Signed-off-by: Maggie White <maggiewhite@google.com>
Change-Id: I6b1a0a3eaec10500cd4e73290efad4023bc83da5
commit 1be7107fbe18eed3e319a6c3e83c78254b693acb upstream.
Stack guard page is a useful feature to reduce a risk of stack smashing
into a different mapping. We have been using a single page gap which
is sufficient to prevent having stack adjacent to a different mapping.
But this seems to be insufficient in the light of the stack usage in
userspace. E.g. glibc uses as large as 64kB alloca() in many commonly
used functions. Others use constructs liks gid_t buffer[NGROUPS_MAX]
which is 256kB or stack strings with MAX_ARG_STRLEN.
This will become especially dangerous for suid binaries and the default
no limit for the stack size limit because those applications can be
tricked to consume a large portion of the stack and a single glibc call
could jump over the guard page. These attacks are not theoretical,
unfortunatelly.
Make those attacks less probable by increasing the stack guard gap
to 1MB (on systems with 4k pages; but make it depend on the page size
because systems with larger base pages might cap stack allocations in
the PAGE_SIZE units) which should cover larger alloca() and VLA stack
allocations. It is obviously not a full fix because the problem is
somehow inherent, but it should reduce attack space a lot.
One could argue that the gap size should be configurable from userspace,
but that can be done later when somebody finds that the new 1MB is wrong
for some special case applications. For now, add a kernel command line
option (stack_guard_gap) to specify the stack gap size (in page units).
Implementation wise, first delete all the old code for stack guard page:
because although we could get away with accounting one extra page in a
stack vma, accounting a larger gap can break userspace - case in point,
a program run with "ulimit -S -v 20000" failed when the 1MB gap was
counted for RLIMIT_AS; similar problems could come with RLIMIT_MLOCK
and strict non-overcommit mode.
Instead of keeping gap inside the stack vma, maintain the stack guard
gap as a gap between vmas: using vm_start_gap() in place of vm_start
(or vm_end_gap() in place of vm_end if VM_GROWSUP) in just those few
places which need to respect the gap - mainly arch_get_unmapped_area(),
and and the vma tree's subtree_gap support for that.
Original-patch-by: Oleg Nesterov <oleg@redhat.com>
Original-patch-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Hugh Dickins <hughd@google.com>
[wt: backport to 4.11: adjust context]
[wt: backport to 4.9: adjust context ; kernel doc was not in admin-guide]
[wt: backport to 4.4: adjust context ; drop ppc hugetlb_radix changes]
[wt: backport to 3.18: adjust context ; no FOLL_POPULATE ;
s390 uses generic arch_get_unmapped_area()]
[wt: backport to 3.16: adjust context]
[wt: backport to 3.10: adjust context ; code logic in PARISC's
arch_get_unmapped_area() wasn't found ; code inserted into
expand_upwards() and expand_downwards() runs under anon_vma lock;
changes for gup.c:faultin_page go to memory.c:__get_user_pages();
included Hugh Dickins' fixes]
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 474c90156c8dcc2fa815e6716cc9394d7930cb9c upstream.
gcc-7 has an "optimization" pass that completely screws up, and
generates the code expansion for the (impossible) case of calling
ilog2() with a zero constant, even when the code gcc compiles does not
actually have a zero constant.
And we try to generate a compile-time error for anybody doing ilog2() on
a constant where that doesn't make sense (be it zero or negative). So
now gcc7 will fail the build due to our sanity checking, because it
created that constant-zero case that didn't actually exist in the source
code.
There's a whole long discussion on the kernel mailing about how to work
around this gcc bug. The gcc people themselevs have discussed their
"feature" in
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=72785
but it's all water under the bridge, because while it looked at one
point like it would be solved by the time gcc7 was released, that was
not to be.
So now we have to deal with this compiler braindamage.
And the only simple approach seems to be to just delete the code that
tries to warn about bad uses of ilog2().
So now "ilog2()" will just return 0 not just for the value 1, but for
any non-positive value too.
It's not like I can recall anybody having ever actually tried to use
this function on any invalid value, but maybe the sanity check just
meant that such code never made it out in public.
[js] no tools/include/linux/log2.h copy of that yet
Reported-by: Laura Abbott <labbott@redhat.com>
Cc: John Stultz <john.stultz@linaro.org>,
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 745cb7f8a5de0805cade3de3991b7a95317c7c73 upstream.
Replace MAX_ADDR_LEN with its numeric value to fix the following
linux/packet_diag.h userspace compilation error:
/usr/include/linux/packet_diag.h:67:17: error: 'MAX_ADDR_LEN' undeclared here (not in a function)
__u8 pdmc_addr[MAX_ADDR_LEN];
This is not the first case in the UAPI where the numeric value
of MAX_ADDR_LEN is used instead of symbolic one, uapi/linux/if_link.h
already does the same:
$ grep MAX_ADDR_LEN include/uapi/linux/if_link.h
__u8 mac[32]; /* MAX_ADDR_LEN */
There are no UAPI headers besides these two that use MAX_ADDR_LEN.
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Acked-by: Pavel Emelyanov <xemul@virtuozzo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 059aa734824165507c65fd30a55ff000afd14983 upstream.
Xuan Qi reports that the Linux NFSv4 client failed to lock a file
that was migrated. The steps he observed on the wire:
1. The client sent a LOCK request to the source server
2. The source server replied NFS4ERR_MOVED
3. The client switched to the destination server
4. The client sent the same LOCK request to the destination
server with a bumped lock sequence ID
5. The destination server rejected the LOCK request with
NFS4ERR_BAD_SEQID
RFC 3530 section 8.1.5 provides a list of NFS errors which do not
bump a lock sequence ID.
However, RFC 3530 is now obsoleted by RFC 7530. In RFC 7530 section
9.1.7, this list has been updated by the addition of NFS4ERR_MOVED.
Reported-by: Xuan Qi <xuan.qi@oracle.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 0335695dfa4df01edff5bb102b9a82a0668ee51e upstream.
The current_user_ns() macro currently returns &init_user_ns when user
namespaces are disabled, and that causes several warnings when building
with gcc-6.0 in code that compares the result of the macro to
&init_user_ns itself:
fs/xfs/xfs_ioctl.c: In function 'xfs_ioctl_setattr_check_projid':
fs/xfs/xfs_ioctl.c:1249:22: error: self-comparison always evaluates to true [-Werror=tautological-compare]
if (current_user_ns() == &init_user_ns)
This is a legitimate warning in principle, but here it isn't really
helpful, so I'm reprasing the definition in a way that shuts up the
warning. Apparently gcc only warns when comparing identical literals,
but it can figure out that the result of an inline function can be
identical to a constant expression in order to optimize a condition yet
not warn about the fact that the condition is known at compile time.
This is exactly what we want here, and it looks reasonable because we
generally prefer inline functions over macros anyway.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Yaowei Bai <baiyaowei@cmss.chinamobile.com>
Cc: James Morris <james.l.morris@oracle.com>
Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 332b05ca7a438f857c61a3c21a88489a21532364 upstream.
This patch adds a check to limit the number of can_filters that can be
set via setsockopt on CAN_RAW sockets. Otherwise allocations > MAX_ORDER
are not prevented resulting in a warning.
Reference: https://lkml.org/lkml/2016/12/2/230
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 90db10434b163e46da413d34db8d0e77404cc645 upstream.
No caller currently checks the return value of
kvm_io_bus_unregister_dev(). This is evil, as all callers silently go on
freeing their device. A stale reference will remain in the io_bus,
getting at least used again, when the iobus gets teared down on
kvm_destroy_vm() - leading to use after free errors.
There is nothing the callers could do, except retrying over and over
again.
So let's simply remove the bus altogether, print an error and make
sure no one can access this broken bus again (returning -ENOMEM on any
attempt to access it).
Fixes: e93f8a0f82 ("KVM: convert io_bus to SRCU")
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[wt: no kvm_io_bus_read_cookie in 3.10, slightly different constructs]
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 6ea34c9b78c10289846db0abeebd6b84d5aca084 upstream.
We can easily reach the 1000 limit by start VM with a couple
hundred I/O devices (multifunction=on). The hardcode limit
already been adjusted 3 times (6 ~ 200 ~ 300 ~ 1000).
In userspace, we already have maximum file descriptor to
limit ioeventfd count. But kvm_io_bus devices also are used
for pit, pic, ioapic, coalesced_mmio. They couldn't be limited
by maximum file descriptor.
Currently only ioeventfds take too much kvm_io_bus devices,
so just exclude it from counting kvm_io_range limit.
Also fixed one indent issue in kvm_host.h
Signed-off-by: Amos Kong <akong@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Gleb Natapov <gleb@redhat.com>
[wt: next patch depends on this one]
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit f1712c73714088a7252d276a57126d56c7d37e64 upstream.
Zhang Yanmin reported crashes [1] and provided a patch adding a
synchronize_rcu() call in can_rx_unregister()
The main problem seems that the sockets themselves are not RCU
protected.
If CAN uses RCU for delivery, then sockets should be freed only after
one RCU grace period.
Recent kernels could use sock_set_flag(sk, SOCK_RCU_FREE), but let's
ease stable backports with the following fix instead.
[1]
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<ffffffff81495e25>] selinux_socket_sock_rcv_skb+0x65/0x2a0
Call Trace:
<IRQ>
[<ffffffff81485d8c>] security_sock_rcv_skb+0x4c/0x60
[<ffffffff81d55771>] sk_filter+0x41/0x210
[<ffffffff81d12913>] sock_queue_rcv_skb+0x53/0x3a0
[<ffffffff81f0a2b3>] raw_rcv+0x2a3/0x3c0
[<ffffffff81f06eab>] can_rcv_filter+0x12b/0x370
[<ffffffff81f07af9>] can_receive+0xd9/0x120
[<ffffffff81f07beb>] can_rcv+0xab/0x100
[<ffffffff81d362ac>] __netif_receive_skb_core+0xd8c/0x11f0
[<ffffffff81d36734>] __netif_receive_skb+0x24/0xb0
[<ffffffff81d37f67>] process_backlog+0x127/0x280
[<ffffffff81d36f7b>] net_rx_action+0x33b/0x4f0
[<ffffffff810c88d4>] __do_softirq+0x184/0x440
[<ffffffff81f9e86c>] do_softirq_own_stack+0x1c/0x30
<EOI>
[<ffffffff810c76fb>] do_softirq.part.18+0x3b/0x40
[<ffffffff810c8bed>] do_softirq+0x1d/0x20
[<ffffffff81d30085>] netif_rx_ni+0xe5/0x110
[<ffffffff8199cc87>] slcan_receive_buf+0x507/0x520
[<ffffffff8167ef7c>] flush_to_ldisc+0x21c/0x230
[<ffffffff810e3baf>] process_one_work+0x24f/0x670
[<ffffffff810e44ed>] worker_thread+0x9d/0x6f0
[<ffffffff810e4450>] ? rescuer_thread+0x480/0x480
[<ffffffff810ebafc>] kthread+0x12c/0x150
[<ffffffff81f9ccef>] ret_from_fork+0x3f/0x70
Reported-by: Zhang Yanmin <yanmin.zhang@intel.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 0294112ee3135fbd15eaa70015af8283642dd970 upstream.
This effectively reverts the following three commits:
7bc10388ccdd ACPI / resources: free memory on error in add_region_before()
0f1b414d1907 ACPI / PNP: Avoid conflicting resource reservations
b9a5e5e18fbf ACPI / init: Fix the ordering of acpi_reserve_resources()
(commit b9a5e5e18fbf introduced regressions some of which, but not
all, were addressed by commit 0f1b414d1907 and commit 7bc10388ccdd
was a fixup on top of the latter) and causes ACPI fixed hardware
resources to be reserved at the fs_initcall_sync stage of system
initialization.
The story is as follows. First, a boot regression was reported due
to an apparent resource reservation ordering change after a commit
that shouldn't lead to such changes. Investigation led to the
conclusion that the problem happened because acpi_reserve_resources()
was executed at the device_initcall() stage of system initialization
which wasn't strictly ordered with respect to driver initialization
(and with respect to the initialization of the pcieport driver in
particular), so a random change causing the device initcalls to be
run in a different order might break things.
The response to that was to attempt to run acpi_reserve_resources()
as soon as we knew that ACPI would be in use (commit b9a5e5e18fbf).
However, that turned out to be too early, because it caused resource
reservations made by the PNP system driver to fail on at least one
system and that failure was addressed by commit 0f1b414d1907.
That fix still turned out to be insufficient, though, because
calling acpi_reserve_resources() before the fs_initcall stage of
system initialization caused a boot regression to happen on the
eCAFE EC-800-H20G/S netbook. That meant that we only could call
acpi_reserve_resources() at the fs_initcall initialization stage
or later, but then we might just as well call it after the PNP
initalization in which case commit 0f1b414d1907 wouldn't be
necessary any more.
For this reason, the changes made by commit 0f1b414d1907 are reverted
(along with a memory leak fixup on top of that commit), the changes
made by commit b9a5e5e18fbf that went too far are reverted too and
acpi_reserve_resources() is changed into fs_initcall_sync, which
will cause it to be executed after the PNP subsystem initialization
(which is an fs_initcall) and before device initcalls (including
the pcieport driver initialization) which should avoid the initial
issue.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=100581
Link: http://marc.info/?t=143092384600002&r=1&w=2
Link: https://bugzilla.kernel.org/show_bug.cgi?id=99831
Link: http://marc.info/?t=143389402600001&r=1&w=2
Fixes: b9a5e5e18fbf "ACPI / init: Fix the ordering of acpi_reserve_resources()"
Reported-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 0f1b414d190724617eb1cdd615592fa8cd9d0b50 upstream.
Commit b9a5e5e18fbf "ACPI / init: Fix the ordering of
acpi_reserve_resources()" overlooked the fact that the memory
and/or I/O regions reserved by acpi_reserve_resources() may
conflict with those reserved by the PNP "system" driver.
If that conflict actually takes place, it causes the reservations
made by the "system" driver to fail while before commit b9a5e5e18fbf
all reservations made by it and by acpi_reserve_resources() would be
successful. In turn, that allows the resources that haven't been
reserved by the "system" driver to be used by others (e.g. PCI) which
sometimes leads to functional problems (up to and including boot
failures).
To fix that issue, introduce a common resource reservation routine,
acpi_reserve_region(), to be used by both acpi_reserve_resources()
and the "system" driver, that will track all resources reserved by
it and avoid making conflicting requests.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=99831
Link: http://marc.info/?t=143389402600001&r=1&w=2
Fixes: b9a5e5e18fbf "ACPI / init: Fix the ordering of acpi_reserve_resources()"
Reported-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit e33886b38cc82a9fc3b2d655dfc7f50467594138 upstream.
Add two helpers to make it easier to treat the refcount as boolean.
[js] do not involve WARN_ON_ONCE as it causes build failures
Suggested-by: Jason Baron <jasonbaron0@gmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
[wt: only backported for use in next fix ;
s/static_key_count(key)/atomic_read(&key->enabled)/]
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit bf7165cfa23695c51998231c4efa080fe1d3548d upstream.
There are several trace include files that define TRACE_INCLUDE_FILE.
Include several of them in the same .c file (as I currently have in
some code I am working on), and the compile will blow up with a
"warning: "TRACE_INCLUDE_FILE" redefined #define TRACE_INCLUDE_FILE syscalls"
Every other include file in include/trace/events/ avoids that issue
by having a #undef TRACE_INCLUDE_FILE before the #define; syscalls.h
should have one, too.
Link: http://lkml.kernel.org/r/20160928225554.13bd7ac6@annuminas.surriel.com
Fixes: b8007ef742 ("tracing: Separate raw syscall from syscall tracer")
Signed-off-by: Rik van Riel <riel@redhat.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 251af29c320d86071664f02c76f0d063a19fefdf upstream.
It is not sufficient to just check that the lock pids match when
granting a callback, we also need to ensure that we're granting
the callback on the right file.
Reported-by: Pankaj Singh <psingh.ait@gmail.com>
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 55efcfcd7776165b294f8b5cd6e05ca00ec89b7c upstream.
The RDMA core uses ib_pack() to convert from unpacked CPU structs
to on-the-wire bitpacked structs.
This process requires that 1 bit fields are declared as u8 in the
unpacked struct, otherwise the packing process does not read the
value properly and the packed result is wired to 0. Several
places wrongly used int.
Crucially this means the kernel has never, set reversible
correctly in the path record request. It has always asked for
irreversible paths even if the ULP requests otherwise.
When the kernel is used with a SM that supports this feature, it
completely breaks communication management if reversible paths are
not properly requested.
The only reason this ever worked is because opensm ignores the
reversible bit.
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit d71b7896886345c53ef1d84bda2bc758554f5d61 upstream.
syzkaller found another out of bound access in ip_options_compile(),
or more exactly in cipso_v4_validate()
Fixes: 20e2a86485 ("cipso: handle CIPSO options correctly when NetLabel is disabled")
Fixes: 446fda4f26 ("[NetLabel]: CIPSOv4 engine")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Paul Moore <paul@paul-moore.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 57ea52a865144aedbcd619ee0081155e658b6f7d upstream.
The GRO fast path caches the frag0 address. This address becomes
invalid if frag0 is modified by pskb_may_pull or its variants.
So whenever that happens we must disable the frag0 optimization.
This is usually done through the combination of gro_header_hard
and gro_header_slow, however, the IPv6 extension header path did
the pulling directly and would continue to use the GRO fast path
incorrectly.
This patch fixes it by disabling the fast path when we enter the
IPv6 extension header path.
Fixes: 78a478d0ef ("gro: Inline skb_gro_header and cache frag0 virtual address")
Reported-by: Slava Shwartsman <slavash@mellanox.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 777c6e0daebb3fcefbbd6f620410a946b07ef6d0 upstream.
Yu Zhao has noticed that __unregister_cpu_notifier only unregisters its
notifiers when HOTPLUG_CPU=y while the registration might succeed even
when HOTPLUG_CPU=n if MODULE is enabled. This means that e.g. zswap
might keep a stale notifier on the list on the manual clean up during
the pool tear down and thus corrupt the list. Resulting in the following
[ 144.964346] BUG: unable to handle kernel paging request at ffff880658a2be78
[ 144.971337] IP: [<ffffffffa290b00b>] raw_notifier_chain_register+0x1b/0x40
<snipped>
[ 145.122628] Call Trace:
[ 145.125086] [<ffffffffa28e5cf8>] __register_cpu_notifier+0x18/0x20
[ 145.131350] [<ffffffffa2a5dd73>] zswap_pool_create+0x273/0x400
[ 145.137268] [<ffffffffa2a5e0fc>] __zswap_param_set+0x1fc/0x300
[ 145.143188] [<ffffffffa2944c1d>] ? trace_hardirqs_on+0xd/0x10
[ 145.149018] [<ffffffffa2908798>] ? kernel_param_lock+0x28/0x30
[ 145.154940] [<ffffffffa2a3e8cf>] ? __might_fault+0x4f/0xa0
[ 145.160511] [<ffffffffa2a5e237>] zswap_compressor_param_set+0x17/0x20
[ 145.167035] [<ffffffffa2908d3c>] param_attr_store+0x5c/0xb0
[ 145.172694] [<ffffffffa290848d>] module_attr_store+0x1d/0x30
[ 145.178443] [<ffffffffa2b2b41f>] sysfs_kf_write+0x4f/0x70
[ 145.183925] [<ffffffffa2b2a5b9>] kernfs_fop_write+0x149/0x180
[ 145.189761] [<ffffffffa2a99248>] __vfs_write+0x18/0x40
[ 145.194982] [<ffffffffa2a9a412>] vfs_write+0xb2/0x1a0
[ 145.200122] [<ffffffffa2a9a732>] SyS_write+0x52/0xa0
[ 145.205177] [<ffffffffa2ff4d97>] entry_SYSCALL_64_fastpath+0x12/0x17
This can be even triggered manually by changing
/sys/module/zswap/parameters/compressor multiple times.
Fix this issue by making unregister APIs symmetric to the register so
there are no surprises.
[js] backport to 3.12
Fixes: 47e627bc8c ("[PATCH] hotplug: Allow modules to use the cpu hotplug notifiers even if !CONFIG_HOTPLUG_CPU")
Reported-and-tested-by: Yu Zhao <yuzhao@google.com>
Signed-off-by: Michal Hocko <mhocko@suse.com>
Cc: linux-mm@kvack.org
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Dan Streetman <ddstreet@ieee.org>
Link: http://lkml.kernel.org/r/20161207135438.4310-1-mhocko@kernel.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 073931017b49d9458aa351605b43a7e34598caef upstream.
When file permissions are modified via chmod(2) and the user is not in
the owning group or capable of CAP_FSETID, the setgid bit is cleared in
inode_change_ok(). Setting a POSIX ACL via setxattr(2) sets the file
permissions as well as the new ACL, but doesn't clear the setgid bit in
a similar way; this allows to bypass the check in chmod(2). Fix that.
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
[wt: dropped hfsplus changes : no xattr in 3.10]
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 6bf37e5aa90f18baf5acf4874bca505dd667c37f upstream.
When comparing MAC hashes, AEAD authentication tags, or other hash
values in the context of authentication or integrity checking, it
is important not to leak timing information to a potential attacker,
i.e. when communication happens over a network.
Bytewise memory comparisons (such as memcmp) are usually optimized so
that they return a nonzero value as soon as a mismatch is found. E.g,
on x86_64/i5 for 512 bytes this can be ~50 cyc for a full mismatch
and up to ~850 cyc for a full match (cold). This early-return behavior
can leak timing information as a side channel, allowing an attacker to
iteratively guess the correct result.
This patch adds a new method crypto_memneq ("memory not equal to each
other") to the crypto API that compares memory areas of the same length
in roughly "constant time" (cache misses could change the timing, but
since they don't reveal information about the content of the strings
being compared, they are effectively benign). Iow, best and worst case
behaviour take the same amount of time to complete (in contrast to
memcmp).
Note that crypto_memneq (unlike memcmp) can only be used to test for
equality or inequality, NOT for lexicographical order. This, however,
is not an issue for its use-cases within the crypto API.
We tried to locate all of the places in the crypto API where memcmp was
being used for authentication or integrity checking, and convert them
over to crypto_memneq.
crypto_memneq is declared noinline, placed in its own source file,
and compiled with optimizations that might increase code size disabled
("Os") because a smart compiler (or LTO) might notice that the return
value is always compared against zero/nonzero, and might then
reintroduce the same early-return optimization that we are trying to
avoid.
Using #pragma or __attribute__ optimization annotations of the code
for disabling optimization was avoided as it seems to be considered
broken or unmaintained for long time in GCC [1]. Therefore, we work
around that by specifying the compile flag for memneq.o directly in
the Makefile. We found that this seems to be most appropriate.
As we use ("Os"), this patch also provides a loop-free "fast-path" for
frequently used 16 byte digests. Similarly to kernel library string
functions, leave an option for future even further optimized architecture
specific assembler implementations.
This was a joint work of James Yonan and Daniel Borkmann. Also thanks
for feedback from Florian Weimer on this and earlier proposals [2].
[1] http://gcc.gnu.org/ml/gcc/2012-07/msg00211.html
[2] https://lkml.org/lkml/2013/2/10/131
Signed-off-by: James Yonan <james@openvpn.net>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Florian Weimer <fw@deneb.enyo.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit b9dd46188edc2f0d1f37328637860bb65a771124 upstream.
F2FS uses 4 bytes to represent block address. As a result, supported
size of disk is 16 TB and it equals to 16 * 1024 * 1024 / 2 segments.
Signed-off-by: Jin Qian <jinqian@google.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 36815012
Change-Id: I30ea36df066bc07e32e767336b7cae12063fe415
Merge 'android-msm-bullhead-3.10-nyc-mr2' into
'android-msm-bullhead-3.10'
July 2017.1
Bug: 38137577
Change-Id: Id2935b141bbaa52d6ec63648551ac5dec3e21487
The cache maintenance routines in ashmem were causing
several security issues. Since they are not being used
anymore by any drivers, its well to remove them entirely.
Bug: 34126808
Bug: 34173755
Bug: 34203176
CRs-Fixed: 1107034, 2001129, 2007786
Change-Id: I955e33d90b888d58db5cf6bb490905283374425b
Signed-off-by: Sudarshan Rajagopalan <sudaraja@codeaurora.org>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
To prevent protential risk of memory leak caused by closing socket with
out untag it from qtaguid module, the qtaguid module now do not hold any
socket file reference count. Instead, it will increase the sk_refcnt of
the sk struct to prevent a reuse of the socket pointer. And when a socket
is released. It will delete the tag if the socket is previously tagged so
no more resources is held by xt_qtaguid moudle. A flag is added to the untag
process to prevent possible kernel crash caused by fail to delete
corresponding socket_tag_entry list.
Bug: 36374484
Test: compile and run test under system/extra/test/iptables,
run cts -m CtsNetTestCases -t android.net.cts.SocketRefCntTest
Signed-off-by: Chenbo Feng <fengc@google.com>
Change-Id: Iea7c3bf0c59b9774a5114af905b2405f6bc9ee52
Robust context attempts to perform a rendering that takes too long
whether due to an infinite loop in a shader or even just a rendering
operation that takes too long on the given hardware. This type of
attempts can result into GPU faults. Robust context expect driver
to replay IB instead skip IB and if it fails on replay context has
to be invalidated.
KGSL_CONTEXT_INVALIDATE_ON_FAULT flag allows draw context to execute
only replay policy on GPU fault recovery instead of going to default
recovery policy. User space has to set this flag during the context
creation.
Bug: 34887800
Change-Id: If42dc5afc7d5ed1226b73ae5abfa2648d7acf2c3
Signed-off-by: Hareesh Gundu <hareeshg@codeaurora.org>
This implements:
https://tools.ietf.org/html/rfc7559
Backoff is performed according to RFC3315 section 14:
https://tools.ietf.org/html/rfc3315#section-14
We allow setting /proc/sys/net/ipv6/conf/*/router_solicitations
to a negative value meaning an unlimited number of retransmits,
and we make this the new default (inline with the RFC).
We also add a new setting:
/proc/sys/net/ipv6/conf/*/router_solicitation_max_interval
defaulting to 1 hour (per RFC recommendation).
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Acked-by: Erik Kline <ek@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit bd11f0741fa5a2c296629898ad07759dd12b35bb in
DaveM's net-next/master, should make Linus' tree in 4.9-rc1)
Change-Id: Ia32cdc5c61481893ef8040734e014bf2229fc39e
Issue:
Missing bound check when writing into the output array
buffer, which can lead to out-of-bound heap write.
Fix:
Addding hardcoded constant 8 in the MSM_OUTPUT_BUF_CNT
macro and size check to the place where the array is
accessed. Returning '0' if exceeds MSM_OUTPUT_BUF_CNT.
Caller will return -EINVAL for '0'.
Bug: 34621613
Change-Id: Ic03f86e3e47ece9ca7069527e741a75ad9a0f83f
CRs-Fixed: 2004036
Signed-off-by: Pratap Nirujogi <pratapn@codeaurora.org>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
This commit adds a new sysctl accept_ra_rt_info_min_plen that
defines the minimum acceptable prefix length of Route Information
Options. The new sysctl is intended to be used together with
accept_ra_rt_info_max_plen to configure a range of acceptable
prefix lengths. It is useful to prevent misconfigurations from
unintentionally blackholing too much of the IPv6 address space
(e.g., home routers announcing RIOs for fc00::/7, which is
incorrect).
Backport of net-next commit bbea124bc99d ("net: ipv6: Add sysctl for minimum prefix len acceptable in RIOs.")
[lorenzo@google.com: fixed conflicts in include/uapi/linux/ipv6.h]
Bug: 33333670
Test: net_test passes
Signed-off-by: Joel Scherpelz <jscherpelz@google.com>
Acked-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The trace_printk() code will allocate extra buffers if the compile detects
that a trace_printk() is used. To do this, the format of the trace_printk()
is saved to the __trace_printk_fmt section, and if that section is bigger
than zero, the buffers are allocated (along with a message that this has
happened).
If trace_printk() uses a format that is not a constant, and thus something
not guaranteed to be around when the print happens, the compiler optimizes
the fmt out, as it is not used, and the __trace_printk_fmt section is not
filled. This means the kernel will not allocate the special buffers needed
for the trace_printk() and the trace_printk() will not write anything to the
tracing buffer.
Adding a "__used" to the variable in the __trace_printk_fmt section will
keep it around, even though it is set to NULL. This will keep the string
from being printed in the debugfs/tracing/printk_formats section as it is
not needed.
Reported-by: Vlastimil Babka <vbabka@suse.cz>
Fixes: 07d777fe8c "tracing: Add percpu buffers for trace_printk()"
Cc: stable@vger.kernel.org # v3.5+
Bug: 34277115
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Change-Id: I10ce56caa41c7644d9d290d9ed272a6d156c938c
commit c3c87e770458aa004bd7ed3f29945ff436fd6511 upstream.
The fix from 9fc81d87420d ("perf: Fix events installation during
moving group") was incomplete in that it failed to recognise that
creating a group with events for different CPUs is semantically
broken -- they cannot be co-scheduled.
Furthermore, it leads to real breakage where, when we create an event
for CPU Y and then migrate it to form a group on CPU X, the code gets
confused where the counter is programmed -- triggered in practice
as well by me via the perf fuzzer.
Fix this by tightening the rules for creating groups. Only allow
grouping of counters that can be co-scheduled in the same context.
This means for the same task and/or the same cpu.
Fixes: 9fc81d87420d ("perf: Fix events installation during moving group")
Bug: 34515362
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: http://lkml.kernel.org/r/20150123125834.090683288@infradead.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Change-Id: I72247f51388177f172845ccd4621debcd3158940
Create cnss_genl driver to create a netlink family cld80211
and make it available to cld driver and applications when
they query for it.
This driver creates multicast groups to facilitate communication
from cld driver to userspace and allows cld driver to register
for different commands from user space.
Resolve compilation errors and tweak netlink family creation
Change-Id: I0795dd08b6429fad60187fee724b3fd3ccfa5603
CRs-Fixed: 1100401
Bug: 32775496
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Define macro to indicate backport support for using random MAC
addresses for scan while unassociated.
Change-Id: I2b7318ca8f6af29a9eb13d14e8c1e55bd41ae654
CRs-Fixed: 1082480
Bug: 35436707
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Add the necessary feature flags and a scan flag to support using
random MAC addresses for scan while unassociated.
The configuration for this supports an arbitrary MAC address
value and mask, so that any kind of configuration (e.g. fixed
OUI or full 46-bit random) can be requested. Full 46-bit random
is the default when no other configuration is passed.
Also add a small helper function to use the addr/mask correctly.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-commit: ad2b26abc157460ca6fac1a53a2bfeade283adfa
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next.git
[dasaris@codeaurora.org: backport to 3.18 excluding the changes in
nl80211_parse_wowlan_nd]
Change-Id: Id30d201358654c77a99f46500178ebf975d609d5
CRs-Fixed: 1082480
Bug: 35436707
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
(cherry pick from commit 073931017b49d9458aa351605b43a7e34598caef)
When file permissions are modified via chmod(2) and the user is not in
the owning group or capable of CAP_FSETID, the setgid bit is cleared in
inode_change_ok(). Setting a POSIX ACL via setxattr(2) sets the file
permissions as well as the new ACL, but doesn't clear the setgid bit in
a similar way; this allows to bypass the check in chmod(2). Fix that.
NB: conflicts resolution included extending the change to all visible
users of the near deprecated function posix_acl_equiv_mode
replaced with posix_acl_update_mode. We did not resolve the ACL
leak in this CL, require additional upstream fixes.
References: CVE-2016-7097
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Bug: 32458736
Change-Id: I19591ad452cc825ac282b3cfd2daaa72aa9a1ac1
Add a simple read-only counter to super_block that indicates how deep this
is in the stack of filesystems. Previously ecryptfs was the only stackable
filesystem and it explicitly disallowed multiple layers of itself.
Overlayfs, however, can be stacked recursively and also may be stacked
on top of ecryptfs or vice versa.
To limit the kernel stack usage we must limit the depth of the
filesystem stack. Initially the limit is set to 2.
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
(cherry picked from commit 69c433ed2ecd2d3264efd7afec4439524b319121)
Bug: 32761463
Change-Id: I69b2fba2112db2ece09a1bf61a44f8fc4db00820
(cherry picked from commit 651be3cb085341a21847e47c694c249c3e1e4e5b)
We only support breakpoint/watchpoint of length 1, 2, 4 and 8. If we can
support other length as well, then user may watch more data with less
number of watchpoints (provided hardware supports it). For example: if we
have to watch only 4th, 5th and 6th byte from a 64 bit aligned address, we
will have to use two slots to implement it currently. One slot will watch a
half word at offset 4 and other a byte at offset 6. If we can have a
watchpoint of length 3 then we can watch it with single slot as well.
ARM64 hardware does support such functionality, therefore adding these new
definitions in generic layer.
Signed-off-by: Pratyush Anand <panand@redhat.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Pavel Labath <labath@google.com>
[pavel: tools/include/uapi/linux/hw_breakpoint.h is not present in this branch]
Change-Id: Ie17ed89ca526e4fddf591bb4e556fdfb55fc2eac
Bug: 30919905
Add whitelist support for listener to send modified resp to TZ;
also add whitelist support for kernel client; and change the method
to check whitelist feature.
Bug: 31268796
CRs-Fixed: 1021945
Change-Id: I0030b0008d6224cda3fdc1f80308a7e9bcfe4405
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Signed-off-by: Biswajit Paul <biswajitpaul@codeaurora.org>
qseecom_send_modfd_cmd converts ION buffer's virtual address to
scatter gather(SG) list and then sends them to TA by populating
SG list into message buffer. As the physical memory address in
SG list is used directly by TA, this allows a malicious TA to
access/corrupt arbitrary physical memory and may lead to the
process gaining kernel/root privileges. Thus, make changes to
have the QSEEComm driver passing a list of whitelist buffers
that is allowed to be mapped by TA, and the QSEE kernel, in turn,
should add checks to the register_shared_buffer syscall to make
sure the shared buffers an application is mapping falls within
one of these whitelist buffers.
Bug: 31268796
CRs-fixed: 1021945
Change-Id: I776ead0030cad167afcf41ab985db7151a42d126
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Signed-off-by: Biswajit Paul <biswajitpaul@codeaurora.org>
commit 9a6dc644512fd083400a96ac4a035ac154fe6b8d upstream.
set_bit() and clear_bit() take the bit number so this code is really
doing "1 << (1 << irq)" which is a double shift bug. It's done
consistently so it won't cause a problem unless "irq" is more than 4.
Fixes: 70c6cce040 ('mfd: Support 88pm80x in 80x driver')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 9abefcb1aaa58b9d5aa40a8bb12c87d02415e4c8 upstream.
A timer was used to restart after the bus-off state, leading to a
relatively large can_restart() executed in an interrupt context,
which in turn sets up pinctrl. When this happens during system boot,
there is a high probability of grabbing the pinctrl_list_mutex,
which is locked already by the probe() of other device, making the
kernel suspect a deadlock condition [1].
To resolve this issue, the restart_timer is replaced by a delayed
work.
[1] https://github.com/victronenergy/venus/issues/24
Signed-off-by: Sergei Miroshnichenko <sergeimir@emcraft.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 20c64d5cd5a2bdcdc8982a06cb05e5e1bd851a3d upstream.
A malicious TCP receiver, sending SACK, can force the sender to split
skbs in write queue and increase its memory usage.
Then, when socket is closed and its write queue purged, we might
overflow sk_forward_alloc (It becomes negative)
sk_mem_reclaim() does nothing in this case, and more than 2GB
are leaked from TCP perspective (tcp_memory_allocated is not changed)
Then warnings trigger from inet_sock_destruct() and
sk_stream_kill_queues() seeing a not zero sk_forward_alloc
All TCP stack can be stuck because TCP is under memory pressure.
A simple fix is to preemptively reclaim from sk_mem_uncharge().
This makes sure a socket wont have more than 2 MB forward allocated,
after burst and idle period.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 1a24e04e4b50939daa3041682b38b82c896ca438 upstream.
sk_mem_reclaim_partial() goal is to ensure each socket has
one SK_MEM_QUANTUM forward allocation. This is needed both for
performance and better handling of memory pressure situations in
follow up patches.
SK_MEM_QUANTUM is currently a page, but might be reduced to 4096 bytes
as some arches have 64KB pages.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 24b27fc4cdf9e10c5e79e5923b6b7c2c5c95096c upstream.
Following few steps will crash kernel -
(a) Create bonding master
> modprobe bonding miimon=50
(b) Create macvlan bridge on eth2
> ip link add link eth2 dev mvl0 address aa:0:0:0:0:01 \
type macvlan
(c) Now try adding eth2 into the bond
> echo +eth2 > /sys/class/net/bond0/bonding/slaves
<crash>
Bonding does lots of things before checking if the device enslaved is
busy or not.
In this case when the notifier call-chain sends notifications, the
bond_netdev_event() assumes that the rx_handler /rx_handler_data is
registered while the bond_enslave() hasn't progressed far enough to
register rx_handler for the new slave.
This patch adds a rx_handler check that can be performed right at the
beginning of the enslave code to avoid getting into this situation.
Signed-off-by: Mahesh Bandewar <maheshb@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit ac6e780070e30e4c35bd395acfe9191e6268bdd3 upstream.
With syzkaller help, Marco Grassi found a bug in TCP stack,
crashing in tcp_collapse()
Root cause is that sk_filter() can truncate the incoming skb,
but TCP stack was not really expecting this to happen.
It probably was expecting a simple DROP or ACCEPT behavior.
We first need to make sure no part of TCP header could be removed.
Then we need to adjust TCP_SKB_CB(skb)->end_seq
Many thanks to syzkaller team and Marco for giving us a reproducer.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Marco Grassi <marco.gra@gmail.com>
Reported-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit bb1fceca22492109be12640d49f5ea5a544c6bb4 upstream.
When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
tail of the write queue using tcp_add_write_queue_tail()
Then it attempts to copy user data into this fresh skb.
If the copy fails, we undo the work and remove the fresh skb.
Unfortunately, this undo lacks the change done to tp->highest_sack and
we can leave a dangling pointer (to a freed skb)
Later, tcp_xmit_retransmit_queue() can dereference this pointer and
access freed memory. For regular kernels where memory is not unmapped,
this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
returning garbage instead of tp->snd_nxt, but with various debug
features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.
This bug was found by Marco Grassi thanks to syzkaller.
Fixes: 6859d49475 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb")
Reported-by: Marco Grassi <marco.gra@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 23f4ffedb7d751c7e298732ba91ca75d224bc1a6 upstream.
skb->cb may contain data from previous layers. In the observed scenario,
the garbage data were misinterpreted as IP6CB(skb)->frag_max_size, so
that small packets sent through the tunnel are mistakenly fragmented.
This patch unconditionally clears the control buffer in ip6tunnel_xmit(),
which affects ip6_tunnel, ip6_udp_tunnel and ip6_gre. Currently none of
these tunnels set IP6CB(skb)->flags, otherwise it needs to be done earlier.
Cc: stable@vger.kernel.org
Signed-off-by: Eli Cooper <elicooper@gmx.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit c15b1ccadb323ea50023e8f1cca2954129a62b51 upstream.
addrconf_join_solict and addrconf_join_anycast may cause actions which
need rtnl locked, especially on first address creation.
A new DAD state is introduced which defers processing of the initial
DAD processing into a workqueue.
To get rtnl lock we need to push the code paths which depend on those
calls up to workqueues, specifically addrconf_verify and the DAD
processing.
(v2)
addrconf_dad_failure needs to be queued up to the workqueue, too. This
patch introduces a new DAD state and stop the DAD processing in the
workqueue (this is because of the possible ipv6_del_addr processing
which removes the solicited multicast address from the device).
addrconf_verify_lock is removed, too. After the transition it is not
needed any more.
As we are not processing in bottom half anymore we need to be a bit more
careful about disabling bottom half out when we lock spin_locks which are also
used in bh.
Relevant backtrace:
[ 541.030090] RTNL: assertion failed at net/core/dev.c (4496)
[ 541.031143] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O 3.10.33-1-amd64-vyatta #1
[ 541.031145] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
[ 541.031146] ffffffff8148a9f0 000000000000002f ffffffff813c98c1 ffff88007c4451f8
[ 541.031148] 0000000000000000 0000000000000000 ffffffff813d3540 ffff88007fc03d18
[ 541.031150] 0000880000000006 ffff88007c445000 ffffffffa0194160 0000000000000000
[ 541.031152] Call Trace:
[ 541.031153] <IRQ> [<ffffffff8148a9f0>] ? dump_stack+0xd/0x17
[ 541.031180] [<ffffffff813c98c1>] ? __dev_set_promiscuity+0x101/0x180
[ 541.031183] [<ffffffff813d3540>] ? __hw_addr_create_ex+0x60/0xc0
[ 541.031185] [<ffffffff813cfe1a>] ? __dev_set_rx_mode+0xaa/0xc0
[ 541.031189] [<ffffffff813d3a81>] ? __dev_mc_add+0x61/0x90
[ 541.031198] [<ffffffffa01dcf9c>] ? igmp6_group_added+0xfc/0x1a0 [ipv6]
[ 541.031208] [<ffffffff8111237b>] ? kmem_cache_alloc+0xcb/0xd0
[ 541.031212] [<ffffffffa01ddcd7>] ? ipv6_dev_mc_inc+0x267/0x300 [ipv6]
[ 541.031216] [<ffffffffa01c2fae>] ? addrconf_join_solict+0x2e/0x40 [ipv6]
[ 541.031219] [<ffffffffa01ba2e9>] ? ipv6_dev_ac_inc+0x159/0x1f0 [ipv6]
[ 541.031223] [<ffffffffa01c0772>] ? addrconf_join_anycast+0x92/0xa0 [ipv6]
[ 541.031226] [<ffffffffa01c311e>] ? __ipv6_ifa_notify+0x11e/0x1e0 [ipv6]
[ 541.031229] [<ffffffffa01c3213>] ? ipv6_ifa_notify+0x33/0x50 [ipv6]
[ 541.031233] [<ffffffffa01c36c8>] ? addrconf_dad_completed+0x28/0x100 [ipv6]
[ 541.031241] [<ffffffff81075c1d>] ? task_cputime+0x2d/0x50
[ 541.031244] [<ffffffffa01c38d6>] ? addrconf_dad_timer+0x136/0x150 [ipv6]
[ 541.031247] [<ffffffffa01c37a0>] ? addrconf_dad_completed+0x100/0x100 [ipv6]
[ 541.031255] [<ffffffff8105313a>] ? call_timer_fn.isra.22+0x2a/0x90
[ 541.031258] [<ffffffffa01c37a0>] ? addrconf_dad_completed+0x100/0x100 [ipv6]
Hunks and backtrace stolen from a patch by Stephen Hemminger.
Reported-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: <stable@vger.kernel.org> # 3.10.y: b7b1bfce: ipv6: split dad and rs timers
Cc: <stable@vger.kernel.org> # 3.10.y
[Mike Manning <mmanning@brocade.com>: resolved minor conflicts in addrconf.c]
Signed-off-by: Mike Manning <mmanning@brocade.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit b7b1bfce0bb68bd8f6e62a28295922785cc63781 upstream.
This patch splits the timers for duplicate address detection and router
solicitations apart. The router solicitations timer goes into inet6_dev
and the dad timer stays in inet6_ifaddr.
The reason behind this patch is to reduce the number of unneeded router
solicitations send out by the host if additional link-local addresses
are created. Currently we send out RS for every link-local address on
an interface.
If the RS timer fires we pick a source address with ipv6_get_lladdr. This
change could hurt people adding additional link-local addresses and
specifying these addresses in the radvd clients section because we
no longer guarantee that we use every ll address as source address in
router solicitations.
Cc: Flavio Leitner <fleitner@redhat.com>
Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
Cc: David Stevens <dlstevens@us.ibm.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Reviewed-by: Flavio Leitner <fbl@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: <stable@vger.kernel.org> # 3.10.y
[Mike Manning <mmanning@brocade.com>: resolved conflicts with 36bddb]
Signed-off-by: Mike Manning <mmanning@brocade.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 2c861cc65ef4604011a0082e4dcdba2819aa191a upstream.
When loading the ipv6 module, ndisc_init() is called before
ip6_route_init(). As the former registers a handler calling
fib6_run_gc(), this opens a window to run the garbage collector
before necessary data structures are initialized. If a network
device is initialized in this window, adding MAC address to it
triggers a NETDEV_CHANGEADDR event, leading to a crash in
fib6_clean_all().
Take the event handler registration out of ndisc_init() into a
separate function ndisc_late_init() and move it after
ip6_route_init().
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: <stable@vger.kernel.org> # 3.10.y
Signed-off-by: Mike Manning <mmanning@brocade.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 8c7fbe5795a016259445a61e072eb0118aaf6a61 upstream.
Commit 3876488444e7 ("include/stddef.h: Move offsetofend() from vfio.h
to a generic kernel header") added offsetofend outside the normal
include #ifndef/#endif guard. Move it inside.
Miscellanea:
o remove unnecessary blank line
o standardize offsetof macros whitespace style
Signed-off-by: Joe Perches <joe@perches.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[wt: backported only for ipv6 out-of-bounds fix]
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit b13460b92093b29347e99d6c3242e350052b62cd upstream.
The macro offsetofend() introduces unnecessary temporary variable
"tmp". The patch avoids that and saves a bit memory in stack.
Signed-off-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
[wt: backported only for ipv6 out-of-bounds fix]
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit c3c87e770458aa004bd7ed3f29945ff436fd6511 upstream.
The fix from 9fc81d87420d ("perf: Fix events installation during
moving group") was incomplete in that it failed to recognise that
creating a group with events for different CPUs is semantically
broken -- they cannot be co-scheduled.
Furthermore, it leads to real breakage where, when we create an event
for CPU Y and then migrate it to form a group on CPU X, the code gets
confused where the counter is programmed -- triggered in practice
as well by me via the perf fuzzer.
Fix this by tightening the rules for creating groups. Only allow
grouping of counters that can be co-scheduled in the same context.
This means for the same task and/or the same cpu.
Fixes: 9fc81d87420d ("perf: Fix events installation during moving group")
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: http://lkml.kernel.org/r/20150123125834.090683288@infradead.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 4097461897df91041382ff6fcd2bfa7ee6b2448c upstream.
As explained in 1407814240-4275-1-git-send-email-decui@microsoft.com we
have a hard load dependency between i8042 and atkbd which prevents
keyboard from working on Gen2 Hyper-V VMs.
> hyperv_keyboard invokes serio_interrupt(), which needs a valid serio
> driver like atkbd.c. atkbd.c depends on libps2.c because it invokes
> ps2_command(). libps2.c depends on i8042.c because it invokes
> i8042_check_port_owner(). As a result, hyperv_keyboard actually
> depends on i8042.c.
>
> For a Generation 2 Hyper-V VM (meaning no i8042 device emulated), if a
> Linux VM (like Arch Linux) happens to configure CONFIG_SERIO_I8042=m
> rather than =y, atkbd.ko can't load because i8042.ko can't load(due to
> no i8042 device emulated) and finally hyperv_keyboard can't work and
> the user can't input: https://bugs.archlinux.org/task/39820
> (Ubuntu/RHEL/SUSE aren't affected since they use CONFIG_SERIO_I8042=y)
To break the dependency we move away from using i8042_check_port_owner()
and instead allow serio port owner specify a mutex that clients should use
to serialize PS/2 command stream.
Reported-by: Mark Laws <mdl@60hz.org>
Tested-by: Mark Laws <mdl@60hz.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Prevent conflict with possible new upstream ioctls
before it itself is upstreamed.
Test: None
Change-Id: I10cbc01c25f920a626ea7559e8ca80ee08865333
Signed-off-by: Jerry Zhang <zhangjerry@google.com>
commit e23d4159b109167126e5bcd7f3775c95de7fee47 upstream.
Switching iov_iter fault-in to multipages variants has exposed an old
bug in underlying fault_in_multipages_...(); they break if the range
passed to them wraps around. Normally access_ok() done by callers will
prevent such (and it's a guaranteed EFAULT - ERR_PTR() values fall into
such a range and they should not point to any valid objects).
However, on architectures where userland and kernel live in different
MMU contexts (e.g. s390) access_ok() is a no-op and on those a range
with a wraparound can reach fault_in_multipages_...().
Since any wraparound means EFAULT there, the fix is trivial - turn
those
while (uaddr <= end)
...
into
if (unlikely(uaddr > end))
return -EFAULT;
do
...
while (uaddr <= end);
Reported-by: Jan Stancek <jstancek@redhat.com>
Tested-by: Jan Stancek <jstancek@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 2545e5da080b4839dd859e3b09343a884f6ab0e3 upstream.
... in all cases, including the failing access_ok()
Note that some architectures using asm-generic/uaccess.h have
__copy_from_user() not zeroing the tail on failure halfway
through. This variant works either way.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[wt: s/might_fault/might_sleep]
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 9ad18b75c2f6e4a78ce204e79f37781f8815c0fa upstream.
both for access_ok() failures and for faults halfway through
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 454d5d882c7e412b840e3c99010fe81a9862f6fb upstream.
Using RING_GET_REQUEST() on a shared ring is easy to use incorrectly
(i.e., by not considering that the other end may alter the data in the
shared ring while it is being inspected). Safe usage of a request
generally requires taking a local copy.
Provide a RING_COPY_REQUEST() macro to use instead of
RING_GET_REQUEST() and an open-coded memcpy(). This takes care of
ensuring that the copy is done correctly regardless of any possible
compiler optimizations.
Use a volatile source to prevent the compiler from reordering or
omitting the copy.
This is part of XSA155.
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 6a935170a980024dd29199e9dbb5c4da4767a1b9 upstream.
This patch allows af_alg_release_parent to be called even for
nokey sockets.
Cc: stable@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit a1383cd86a062fc798899ab20f0ec2116cce39cb upstream.
This patch adds a way for skcipher users to determine whether a key
is required by a transform.
Cc: stable@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit a5596d6332787fd383b3b5427b41f94254430827 upstream.
This patch adds a way for ahash users to determine whether a key
is required by a crypto_ahash transform.
Cc: stable@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 37766586c965d63758ad542325a96d5384f4a8c9 upstream.
This patch adds a compatibility path to support old applications
that do acept(2) before setkey.
Cc: stable@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit c840ac6af3f8713a71b4d2363419145760bd6044 upstream.
Each af_alg parent socket obtained by socket(2) corresponds to a
tfm object once bind(2) has succeeded. An accept(2) call on that
parent socket creates a context which then uses the tfm object.
Therefore as long as any child sockets created by accept(2) exist
the parent socket must not be modified or freed.
This patch guarantees this by using locks and a reference count
on the parent socket. Any attempt to modify the parent socket will
fail with EBUSY.
Cc: stable@vger.kernel.org
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Almost clean cherry pick of c6e9d6f38894798696f23c8084ca7edbf16ee895,
includes change made by merge 0891ad829d2a0501053703df66029e843e3b8365.
The getrandom(2) system call was requested by the LibreSSL Portable
developers. It is analoguous to the getentropy(2) system call in
OpenBSD.
The rationale of this system call is to provide resiliance against
file descriptor exhaustion attacks, where the attacker consumes all
available file descriptors, forcing the use of the fallback code where
/dev/[u]random is not available. Since the fallback code is often not
well-tested, it is better to eliminate this potential failure mode
entirely.
The other feature provided by this new system call is the ability to
request randomness from the /dev/urandom entropy pool, but to block
until at least 128 bits of entropy has been accumulated in the
/dev/urandom entropy pool. Historically, the emphasis in the
/dev/urandom development has been to ensure that urandom pool is
initialized as quickly as possible after system boot, and preferably
before the init scripts start execution.
This is because changing /dev/urandom reads to block represents an
interface change that could potentially break userspace which is not
acceptable. In practice, on most x86 desktop and server systems, in
general the entropy pool can be initialized before it is needed (and
in modern kernels, we will printk a warning message if not). However,
on an embedded system, this may not be the case. And so with this new
interface, we can provide the functionality of blocking until the
urandom pool has been initialized. Any userspace program which uses
this new functionality must take care to assure that if it is used
during the boot process, that it will not cause the init scripts or
other portions of the system startup to hang indefinitely.
SYNOPSIS
#include <linux/random.h>
int getrandom(void *buf, size_t buflen, unsigned int flags);
DESCRIPTION
The system call getrandom() fills the buffer pointed to by buf
with up to buflen random bytes which can be used to seed user
space random number generators (i.e., DRBG's) or for other
cryptographic uses. It should not be used for Monte Carlo
simulations or other programs/algorithms which are doing
probabilistic sampling.
If the GRND_RANDOM flags bit is set, then draw from the
/dev/random pool instead of the /dev/urandom pool. The
/dev/random pool is limited based on the entropy that can be
obtained from environmental noise, so if there is insufficient
entropy, the requested number of bytes may not be returned.
If there is no entropy available at all, getrandom(2) will
either block, or return an error with errno set to EAGAIN if
the GRND_NONBLOCK bit is set in flags.
If the GRND_RANDOM bit is not set, then the /dev/urandom pool
will be used. Unlike using read(2) to fetch data from
/dev/urandom, if the urandom pool has not been sufficiently
initialized, getrandom(2) will block (or return -1 with the
errno set to EAGAIN if the GRND_NONBLOCK bit is set in flags).
The getentropy(2) system call in OpenBSD can be emulated using
the following function:
int getentropy(void *buf, size_t buflen)
{
int ret;
if (buflen > 256)
goto failure;
ret = getrandom(buf, buflen, 0);
if (ret < 0)
return ret;
if (ret == buflen)
return 0;
failure:
errno = EIO;
return -1;
}
RETURN VALUE
On success, the number of bytes that was filled in the buf is
returned. This may not be all the bytes requested by the
caller via buflen if insufficient entropy was present in the
/dev/random pool, or if the system call was interrupted by a
signal.
On error, -1 is returned, and errno is set appropriately.
ERRORS
EINVAL An invalid flag was passed to getrandom(2)
EFAULT buf is outside the accessible address space.
EAGAIN The requested entropy was not available, and
getentropy(2) would have blocked if the
GRND_NONBLOCK flag was not set.
EINTR While blocked waiting for entropy, the call was
interrupted by a signal handler; see the description
of how interrupted read(2) calls on "slow" devices
are handled with and without the SA_RESTART flag
in the signal(7) man page.
NOTES
For small requests (buflen <= 256) getrandom(2) will not
return EINTR when reading from the urandom pool once the
entropy pool has been initialized, and it will return all of
the bytes that have been requested. This is the recommended
way to use getrandom(2), and is designed for compatibility
with OpenBSD's getentropy() system call.
However, if you are using GRND_RANDOM, then getrandom(2) may
block until the entropy accounting determines that sufficient
environmental noise has been gathered such that getrandom(2)
will be operating as a NRBG instead of a DRBG for those people
who are working in the NIST SP 800-90 regime. Since it may
block for a long time, these guarantees do *not* apply. The
user may want to interrupt a hanging process using a signal,
so blocking until all of the requested bytes are returned
would be unfriendly.
For this reason, the user of getrandom(2) MUST always check
the return value, in case it returns some error, or if fewer
bytes than requested was returned. In the case of
!GRND_RANDOM and small request, the latter should never
happen, but the careful userspace code (and all crypto code
should be careful) should check for this anyway!
Finally, unless you are doing long-term key generation (and
perhaps not even then), you probably shouldn't be using
GRND_RANDOM. The cryptographic algorithms used for
/dev/urandom are quite conservative, and so should be
sufficient for all purposes. The disadvantage of GRND_RANDOM
is that it can block, and the increased complexity required to
deal with partially fulfilled getrandom(2) requests.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Zach Brown <zab@zabbo.net>
Bug: http://b/29621447
Change-Id: I189ba74070dd6d918b0fdf83ff30bb74ec0f7556
(cherry picked from commit 4af712e8df998475736f3e2727701bd31e3751a9)
Clean cherry pick of commit 4af712e8df998475736f3e2727701bd31e3751a9.
The Tausworthe PRNG is initialized at late_initcall time. At that time the
entropy pool serving get_random_bytes is not filled sufficiently. This
patch adds an additional reseeding step as soon as the nonblocking pool
gets marked as initialized.
On some machines it might be possible that late_initcall gets called after
the pool has been initialized. In this situation we won't reseed again.
(A call to prandom_seed_late blocks later invocations of early reseed
attempts.)
Joint work with Daniel Borkmann.
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bug: http://b/29621447
Change-Id: I4d20e60b5df16228f3a3699d16ed2b1dddcceb2b
(cherry picked from commit 4af712e8df998475736f3e2727701bd31e3751a9)
Use the %pP functionality to explicitly allow kernel
pointers to be logged for stack traces
BUG: 30368199
Change-Id: I495915465565293e9e4da5aa28fbd1d14538d99b
Signed-off-by: Dave Weinstein <olorin@google.com>
Validate eeprom_name string length before copying into
the userspace buffer.
If more data than required is copied, userspace has the access to
some of kernel data which is not intended.
CRs-Fixed: 1090007
Bug: 32720522
Change-Id: Id40a287e0b1a93cc15d9b02c757fe9f347e285f2
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
Signed-off-by: Yang Guang <guyang@codeaurora.org>
The current mainline has copies propagated to *all* nodes, then
tears down the copies we made for nodes that do not contain
counterparts of the desired mountpoint. That sets the right
propagation graph for the copies (at teardown time we move
the slaves of removed node to a surviving peer or directly
to master), but we end up paying a fairly steep price in
useless allocations. It's fairly easy to create a situation
where N calls of mount(2) create exactly N bindings, with
O(N^2) vfsmounts allocated and freed in process.
Fortunately, it is possible to avoid those allocations/freeings.
The trick is to create copies in the right order and find which
one would've eventually become a master with the current algorithm.
It turns out to be possible in O(nodes getting propagation) time
and with no extra allocations at all.
One part is that we need to make sure that eventual master will be
created before its slaves, so we need to walk the propagation
tree in a different order - by peer groups. And iterate through
the peers before dealing with the next group.
Another thing is finding the (earlier) copy that will be a master
of one we are about to create; to do that we are (temporary) marking
the masters of mountpoints we are attaching the copies to.
Either we are in a peer of the last mountpoint we'd dealt with,
or we have the following situation: we are attaching to mountpoint M,
the last copy S_0 had been attached to M_0 and there are sequences
S_0...S_n, M_0...M_n such that S_{i+1} is a master of S_{i},
S_{i} mounted on M{i} and we need to create a slave of the first S_{k}
such that M is getting propagation from M_{k}. It means that the master
of M_{k} will be among the sequence of masters of M. On the
other hand, the nearest marked node in that sequence will either
be the master of M_{k} or the master of M_{k-1} (the latter -
in the case if M_{k-1} is a slave of something M gets propagation
from, but in a wrong peer group).
So we go through the sequence of masters of M until we find
a marked one (P). Let N be the one before it. Then we go through
the sequence of masters of S_0 until we find one (say, S) mounted
on a node D that has P as master and check if D is a peer of N.
If it is, S will be the master of new copy, if not - the master of S
will be.
That's it for the hard part; the rest is fairly simple. Iterator
is in next_group(), handling of one prospective mountpoint is
propagate_one().
It seems to survive all tests and gives a noticably better performance
than the current mainline for setups that are seriously using shared
subtrees.
Change-Id: I45648e8a405544f768c5956711bdbdf509e2705a
Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Sdcardfs uses the same magic value as wrapfs.
This should not be the case. As it is entirely
in memory, the value can be changed without any
loss of compatibility.
Change-Id: I24200b805d5e6d32702638be99e47d50d7f2f746
Signed-off-by: Daniel Rosenberg <drosen@google.com>
This allows filesystems to use their mount private data to
influence the permssions they use in setattr2. It has
been separated into a new call to avoid disrupting current
setattr users.
Change-Id: I19959038309284448f1b7f232d579674ef546385
Signed-off-by: Daniel Rosenberg <drosen@google.com>
This allows filesystems to use their mount private data to
influence the permssions they return in permission2. It has
been separated into a new call to avoid disrupting current
permission users.
Change-Id: I9d416e3b8b6eca84ef3e336bd2af89ddd51df6ca
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Now we pass the vfsmount when mounting and remounting.
This allows the filesystem to actually set up the mount
specific data, although we can't quite do anything with
it yet. show_options is expanded to include data that
lives with the mount.
To avoid changing existing filesystems, these have
been added as new vfs functions.
Change-Id: If80670bfad9f287abb8ac22457e1b034c9697097
Signed-off-by: Daniel Rosenberg <drosen@google.com>
This starts to add private data associated directly
to mount points. The intent is to give filesystems
a sense of where they have come from, as a means of
letting a filesystem take different actions based on
this information.
Change-Id: Ie769d7b3bb2f5972afe05c1bf16cf88c91647ab2
Signed-off-by: Daniel Rosenberg <drosen@google.com>
- Use the UID in routing lookups made by protocol connect() and
sendmsg() functions.
- Make sure that routing lookups triggered by incoming packets
(e.g., Path MTU discovery) take the UID of the socket into
account.
- For packets not associated with a userspace socket, (e.g., ping
replies) use UID 0 inside the user namespace corresponding to
the network namespace the socket belongs to. This allows
all namespaces to apply routing and iptables rules to
kernel-originated traffic in that namespaces by matching UID 0.
This is better than using the UID of the kernel socket that is
sending the traffic, because the UID of kernel sockets created
at namespace creation time (e.g., the per-processor ICMP and
TCP sockets) is the UID of the user that created the socket,
which might not be mapped in the namespace.
[Backport of net-next e2d118a1cb5e60d077131a09db1d81b90a5295fe]
Bug: 16355602
Change-Id: I126f8359887b5b5bbac68daf0ded89e899cb7cb0
Tested: compiles allnoconfig, allyesconfig, allmodconfig
Tested: https://android-review.googlesource.com/253302
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
- Define a new FIB rule attributes, FRA_UID_RANGE, to describe a
range of UIDs.
- Define a RTA_UID attribute for per-UID route lookups and dumps.
- Support passing these attributes to and from userspace via
rtnetlink. The value INVALID_UID indicates no UID was
specified.
- Add a UID field to the flow structures.
[Backport of net-next 622ec2c9d52405973c9f1ca5116eb1c393adfc7d]
Bug: 16355602
Change-Id: I7e3ab388ed862c4b7e39dc8b0209d977cb1129ac
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Protocol sockets (struct sock) don't have UIDs, but most of the
time, they map 1:1 to userspace sockets (struct socket) which do.
Various operations such as the iptables xt_owner match need
access to the "UID of a socket", and do so by following the
backpointer to the struct socket. This involves taking
sk_callback_lock and doesn't work when there is no socket
because userspace has already called close().
Simplify this by adding a sk_uid field to struct sock whose value
matches the UID of the corresponding struct socket. The semantics
are as follows:
1. Whenever sk_socket is non-null: sk_uid is the same as the UID
in sk_socket, i.e., matches the return value of sock_i_uid.
Specifically, the UID is set when userspace calls socket(),
fchown(), or accept().
2. When sk_socket is NULL, sk_uid is defined as follows:
- For a socket that no longer has a sk_socket because
userspace has called close(): the previous UID.
- For a cloned socket (e.g., an incoming connection that is
established but on which userspace has not yet called
accept): the UID of the socket it was cloned from.
- For a socket that has never had an sk_socket: UID 0 inside
the user namespace corresponding to the network namespace
the socket belongs to.
Kernel sockets created by sock_create_kern are a special case
of #1 and sk_uid is the user that created them. For kernel
sockets created at network namespace creation time, such as the
per-processor ICMP and TCP sockets, this is the user that created
the network namespace.
[Backport of net-next 86741ec25462e4c8cdce6df2f41ead05568c7d5e]
Bug: 16355602
Change-Id: I73e1a57dfeedf672f4c2dfc9ce6867838b55974b
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This creates an ioctl named FUNCTIONFS_ENDPOINT_ALLOC which will
preallocate buffers for a given size. Any reads/writes on that
endpoint below that size will use those buffers instead of allocating
their own. If the endpoint is not active, the buffer will not be
allocated until it becomes active.
Change-Id: I4da517620ed913161ea9e21a31f6b92c9a012b44
Signed-off-by: Jerry Zhang <zhangjerry@google.com>
This patch introduces ioctl named FUNCTIONFS_ENDPOINT_DESC, which
returns endpoint descriptor to userspace. It works only if function
is active.
Signed-off-by: Robert Baldyga <r.baldyga@samsung.com>
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Jerry Zhang <zhangjerry@google.com>
Change-Id: I55987bf0c6744327f7763b567b5a2b39c50d18e6
Credit where credit is due: this idea comes from Christoph Lameter with
a lot of valuable input from Serge Hallyn. This patch is heavily based
on Christoph's patch.
===== The status quo =====
On Linux, there are a number of capabilities defined by the kernel. To
perform various privileged tasks, processes can wield capabilities that
they hold.
Each task has four capability masks: effective (pE), permitted (pP),
inheritable (pI), and a bounding set (X). When the kernel checks for a
capability, it checks pE. The other capability masks serve to modify
what capabilities can be in pE.
Any task can remove capabilities from pE, pP, or pI at any time. If a
task has a capability in pP, it can add that capability to pE and/or pI.
If a task has CAP_SETPCAP, then it can add any capability to pI, and it
can remove capabilities from X.
Tasks are not the only things that can have capabilities; files can also
have capabilities. A file can have no capabilty information at all [1].
If a file has capability information, then it has a permitted mask (fP)
and an inheritable mask (fI) as well as a single effective bit (fE) [2].
File capabilities modify the capabilities of tasks that execve(2) them.
A task that successfully calls execve has its capabilities modified for
the file ultimately being excecuted (i.e. the binary itself if that
binary is ELF or for the interpreter if the binary is a script.) [3] In
the capability evolution rules, for each mask Z, pZ represents the old
value and pZ' represents the new value. The rules are:
pP' = (X & fP) | (pI & fI)
pI' = pI
pE' = (fE ? pP' : 0)
X is unchanged
For setuid binaries, fP, fI, and fE are modified by a moderately
complicated set of rules that emulate POSIX behavior. Similarly, if
euid == 0 or ruid == 0, then fP, fI, and fE are modified differently
(primary, fP and fI usually end up being the full set). For nonroot
users executing binaries with neither setuid nor file caps, fI and fP
are empty and fE is false.
As an extra complication, if you execute a process as nonroot and fE is
set, then the "secure exec" rules are in effect: AT_SECURE gets set,
LD_PRELOAD doesn't work, etc.
This is rather messy. We've learned that making any changes is
dangerous, though: if a new kernel version allows an unprivileged
program to change its security state in a way that persists cross
execution of a setuid program or a program with file caps, this
persistent state is surprisingly likely to allow setuid or file-capped
programs to be exploited for privilege escalation.
===== The problem =====
Capability inheritance is basically useless.
If you aren't root and you execute an ordinary binary, fI is zero, so
your capabilities have no effect whatsoever on pP'. This means that you
can't usefully execute a helper process or a shell command with elevated
capabilities if you aren't root.
On current kernels, you can sort of work around this by setting fI to
the full set for most or all non-setuid executable files. This causes
pP' = pI for nonroot, and inheritance works. No one does this because
it's a PITA and it isn't even supported on most filesystems.
If you try this, you'll discover that every nonroot program ends up with
secure exec rules, breaking many things.
This is a problem that has bitten many people who have tried to use
capabilities for anything useful.
===== The proposed change =====
This patch adds a fifth capability mask called the ambient mask (pA).
pA does what most people expect pI to do.
pA obeys the invariant that no bit can ever be set in pA if it is not
set in both pP and pI. Dropping a bit from pP or pI drops that bit from
pA. This ensures that existing programs that try to drop capabilities
still do so, with a complication. Because capability inheritance is so
broken, setting KEEPCAPS, using setresuid to switch to nonroot uids, and
then calling execve effectively drops capabilities. Therefore,
setresuid from root to nonroot conditionally clears pA unless
SECBIT_NO_SETUID_FIXUP is set. Processes that don't like this can
re-add bits to pA afterwards.
The capability evolution rules are changed:
pA' = (file caps or setuid or setgid ? 0 : pA)
pP' = (X & fP) | (pI & fI) | pA'
pI' = pI
pE' = (fE ? pP' : pA')
X is unchanged
If you are nonroot but you have a capability, you can add it to pA. If
you do so, your children get that capability in pA, pP, and pE. For
example, you can set pA = CAP_NET_BIND_SERVICE, and your children can
automatically bind low-numbered ports. Hallelujah!
Unprivileged users can create user namespaces, map themselves to a
nonzero uid, and create both privileged (relative to their namespace)
and unprivileged process trees. This is currently more or less
impossible. Hallelujah!
You cannot use pA to try to subvert a setuid, setgid, or file-capped
program: if you execute any such program, pA gets cleared and the
resulting evolution rules are unchanged by this patch.
Users with nonzero pA are unlikely to unintentionally leak that
capability. If they run programs that try to drop privileges, dropping
privileges will still work.
It's worth noting that the degree of paranoia in this patch could
possibly be reduced without causing serious problems. Specifically, if
we allowed pA to persist across executing non-pA-aware setuid binaries
and across setresuid, then, naively, the only capabilities that could
leak as a result would be the capabilities in pA, and any attacker
*already* has those capabilities. This would make me nervous, though --
setuid binaries that tried to privilege-separate might fail to do so,
and putting CAP_DAC_READ_SEARCH or CAP_DAC_OVERRIDE into pA could have
unexpected side effects. (Whether these unexpected side effects would
be exploitable is an open question.) I've therefore taken the more
paranoid route. We can revisit this later.
An alternative would be to require PR_SET_NO_NEW_PRIVS before setting
ambient capabilities. I think that this would be annoying and would
make granting otherwise unprivileged users minor ambient capabilities
(CAP_NET_BIND_SERVICE or CAP_NET_RAW for example) much less useful than
it is with this patch.
===== Footnotes =====
[1] Files that are missing the "security.capability" xattr or that have
unrecognized values for that xattr end up with has_cap set to false.
The code that does that appears to be complicated for no good reason.
[2] The libcap capability mask parsers and formatters are dangerously
misleading and the documentation is flat-out wrong. fE is *not* a mask;
it's a single bit. This has probably confused every single person who
has tried to use file capabilities.
[3] Linux very confusingly processes both the script and the interpreter
if applicable, for reasons that elude me. The results from thinking
about a script's file capabilities and/or setuid bits are mostly
discarded.
Preliminary userspace code is here, but it needs updating:
https://git.kernel.org/cgit/linux/kernel/git/luto/util-linux-playground.git/commit/?h=cap_ambient&id=7f5afbd175d2
Here is a test program that can be used to verify the functionality
(from Christoph):
/*
* Test program for the ambient capabilities. This program spawns a shell
* that allows running processes with a defined set of capabilities.
*
* (C) 2015 Christoph Lameter <cl@linux.com>
* Released under: GPL v3 or later.
*
*
* Compile using:
*
* gcc -o ambient_test ambient_test.o -lcap-ng
*
* This program must have the following capabilities to run properly:
* Permissions for CAP_NET_RAW, CAP_NET_ADMIN, CAP_SYS_NICE
*
* A command to equip the binary with the right caps is:
*
* setcap cap_net_raw,cap_net_admin,cap_sys_nice+p ambient_test
*
*
* To get a shell with additional caps that can be inherited by other processes:
*
* ./ambient_test /bin/bash
*
*
* Verifying that it works:
*
* From the bash spawed by ambient_test run
*
* cat /proc/$$/status
*
* and have a look at the capabilities.
*/
/*
* Definitions from the kernel header files. These are going to be removed
* when the /usr/include files have these defined.
*/
static void set_ambient_cap(int cap)
{
int rc;
capng_get_caps_process();
rc = capng_update(CAPNG_ADD, CAPNG_INHERITABLE, cap);
if (rc) {
printf("Cannot add inheritable cap\n");
exit(2);
}
capng_apply(CAPNG_SELECT_CAPS);
/* Note the two 0s at the end. Kernel checks for these */
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0)) {
perror("Cannot set cap");
exit(1);
}
}
int main(int argc, char **argv)
{
int rc;
set_ambient_cap(CAP_NET_RAW);
set_ambient_cap(CAP_NET_ADMIN);
set_ambient_cap(CAP_SYS_NICE);
printf("Ambient_test forking shell\n");
if (execv(argv[1], argv + 1))
perror("Cannot exec");
return 0;
}
Signed-off-by: Christoph Lameter <cl@linux.com> # Original author
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Aaron Jones <aaronmdjones@gmail.com>
Cc: Ted Ts'o <tytso@mit.edu>
Cc: Andrew G. Morgan <morgan@kernel.org>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Austin S Hemmelgarn <ahferroin7@gmail.com>
Cc: Markku Savela <msa@moth.iki.fi>
Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: James Morris <james.l.morris@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 58319057b7847667f0c9585b9de0e8932b0fdb08)
Bug: 31038224
Test: Builds.
Change-Id: Ib4ebe89343b032765b3b1dc79dd3817192ad3788
Signed-off-by: Jorge Lucangeli Obes <jorgelo@google.com>
This is needed for MTP to know if writes are aligned to packet size.
Change-Id: If504511e649d46eb8d52f1fafeda071dddeec263
Signed-off-by: Jerry Zhang <zhangjerry@google.com>
(cherry-picked from 9691eac559)
commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 upstream.
This is an ancient bug that was actually attempted to be fixed once
(badly) by me eleven years ago in commit 4ceb5db975 ("Fix
get_user_pages() race for write access") but that was then undone due to
problems on s390 by commit f33ea7f404 ("fix get_user_pages bug").
In the meantime, the s390 situation has long been fixed, and we can now
fix it by checking the pte_dirty() bit properly (and do it better). The
s390 dirty bit was implemented in abf09bed3c ("s390/mm: implement
software dirty bits") which made it into v3.9. Earlier kernels will
have to look at the page state itself.
Also, the VM has become more scalable, and what used a purely
theoretical race back then has become easier to trigger.
To fix it, we introduce a new internal FOLL_COW flag to mark the "yes,
we already did a COW" rather than play racy games with FOLL_WRITE that
is very fundamental, and then use the pte dirty flag to validate that
the FOLL_COW flag is still valid.
Reported-and-tested-by: Phil "not Paul" Oester <kernel@linuxace.com>
Acked-by: Hugh Dickins <hughd@google.com>
Reviewed-by: Michal Hocko <mhocko@suse.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Nick Piggin <npiggin@gmail.com>
Cc: Greg Thelen <gthelen@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[wt: s/gup.c/memory.c; s/follow_page_pte/follow_page_mask;
s/faultin_page/__get_user_page]
Signed-off-by: Willy Tarreau <w@1wt.eu>
Change-Id: I42e448ecacad4781b460c4c989026307169ba1b5
Bug: 32141528
commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 upstream.
This is an ancient bug that was actually attempted to be fixed once
(badly) by me eleven years ago in commit 4ceb5db975 ("Fix
get_user_pages() race for write access") but that was then undone due to
problems on s390 by commit f33ea7f404 ("fix get_user_pages bug").
In the meantime, the s390 situation has long been fixed, and we can now
fix it by checking the pte_dirty() bit properly (and do it better). The
s390 dirty bit was implemented in abf09bed3c ("s390/mm: implement
software dirty bits") which made it into v3.9. Earlier kernels will
have to look at the page state itself.
Also, the VM has become more scalable, and what used a purely
theoretical race back then has become easier to trigger.
To fix it, we introduce a new internal FOLL_COW flag to mark the "yes,
we already did a COW" rather than play racy games with FOLL_WRITE that
is very fundamental, and then use the pte dirty flag to validate that
the FOLL_COW flag is still valid.
Reported-and-tested-by: Phil "not Paul" Oester <kernel@linuxace.com>
Acked-by: Hugh Dickins <hughd@google.com>
Reviewed-by: Michal Hocko <mhocko@suse.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Nick Piggin <npiggin@gmail.com>
Cc: Greg Thelen <gthelen@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[wt: s/gup.c/memory.c; s/follow_page_pte/follow_page_mask;
s/faultin_page/__get_user_page]
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 69874ec233871a62e1bc8c89e643993af93a8630 upstream.
Add the device ID for the PF of the NFP4000. The device ID for the VF,
0x6003, is already present as PCI_DEVICE_ID_NETRONOME_NFP6000_VF.
Signed-off-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
When moving a group_leader perf event from a software-context
to a hardware-context, there's a race in checking and
updating that context. The existing locking solution
doesn't work; note that it tries to grab a lock inside
the group_leader's context object, which you can only
get at by going through a pointer that should be protected
from these races. To avoid that problem, and to produce
a simple solution, we can just use a lock per group_leader
to protect all checks on the group_leader's context.
The new lock is grabbed and released when no context locks
are held.
Bug: 30955111
Bug: 31095224
Change-Id: If37124c100ca6f4aa962559fba3bd5dbbec8e052
This makes sure that sections generated with -fPIC remain part of the
.rodata section so that the kernel marks it correctly read-only.
Signed-off-by: Kees Cook <keescook@google.com>
Bug: 31703084
Change-Id: I66485b52ba9a801bae614e802a301119f04e507c
This adds the capability for a process that has CAP_NET_ADMIN on
a socket to see the socket mark in socket dumps.
Commit a52e95abf772 ("net: diag: allow socket bytecode filters to
match socket marks") recently gave privileged processes the
ability to filter socket dumps based on mark. This patch is
complementary: it ensures that the mark is also passed to
userspace in the socket's netlink attributes. It is useful for
tools like ss which display information about sockets.
[backport of net-next d545caca827b65aab557a9e9dcdcf1e5a3823c2d]
Change-Id: I0c9708aae5ab8dfa296b8a1e6aecceb2a382415a
Tested: https://android-review.googlesource.com/270210
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This implements SOCK_DESTROY for UDP sockets similar to what was done
for TCP with commit c1e64e298b8ca ("net: diag: Support destroying TCP
sockets.") A process with a UDP socket targeted for destroy is awakened
and recvmsg fails with ECONNABORTED.
[backport of net-next 5d77dca82839ef016a93ad7acd7058b14d967752]
Change-Id: I84e71e774c859002f98dcdb5e0ca01f35227a44c
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This allows a privileged process to filter by socket mark when
dumping sockets via INET_DIAG_BY_FAMILY. This is useful on
systems that use mark-based routing such as Android.
The ability to filter socket marks requires CAP_NET_ADMIN, which
is consistent with other privileged operations allowed by the
SOCK_DIAG interface such as the ability to destroy sockets and
the ability to inspect BPF filters attached to packet sockets.
[backport of net-next a52e95abf772b43c9226e9a72d3c1353903ba96f]
Change-Id: Ic02caf628a71007cc7c48c9da220b4088f5aa4f4
Tested: https://android-review.googlesource.com/261350
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Acked-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Add support to inet_diag facility to filter sockets based on device
index. If an interface index is in the filter only sockets bound
to that index (sk_bound_dev_if) are returned.
[backport of net-next 637c841dd7a5f9bd97b75cbe90b526fa1a52e530]
Change-Id: Ib430cfb44f1b3b1a771a561247ee9140737e52fd
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Removing a bounce buffer copy operation in the pmsg driver path is
always better. We also gain in overall performance by not requesting
a vmalloc on every write as this can cause precious RT tasks, such
as user facing media operation, to stall while memory is being
reclaimed. Added a write_buf_user to the pstore functions, a backup
platform write_buf_user that uses the small buffer that is part of
the instance, and implemented a ramoops write_buf_user that only
supports PSTORE_TYPE_PMSG.
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 31057326
Change-Id: I4cdee1cd31467aa3e6c605bce2fbd4de5b0f8caa
The overflow check is required to ensure that user space data
in kernel may not go beyond buffer boundary.
Bug: 28751152
CRs-Fixed: 1064411
Change-Id: I54c28a8942cf1a6a47a4e8272f3159b35d753ead
Signed-off-by: Karthik Reddy Katta <a_katta@codeaurora.org>
Signed-off-by: Biswajit Paul <biswajitpaul@codeaurora.org>