firefly-linux-kernel-4.4.55.git
8 years agoandroid: base-cfg: Add CONFIG_INET_DIAG_DESTROY
Dmitry Shmidt [Thu, 31 Mar 2016 20:21:09 +0000 (13:21 -0700)]
android: base-cfg: Add CONFIG_INET_DIAG_DESTROY

Change-Id: I67430b05eca8fd520d2795d3db60faf2ec0fab9e
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
8 years agocpufreq: interactive: only apply interactive boost when enabled
Daniel Kurtz [Thu, 28 May 2015 04:08:11 +0000 (12:08 +0800)]
cpufreq: interactive: only apply interactive boost when enabled

Only apply the interactive boost when the interactive governor is
enabled.  This seems like the right thing to do.

This was originally reviewed on
https://chromium-review.googlesource.com/273501

Change-Id: I5f4a7320683eada099f9a4253e3d6b0f03057fe8
Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Dmitry Torokhov <dtor@google.com>
8 years agocpufreq: interactive: fix policy locking
Dmitry Torokhov [Wed, 4 Feb 2015 21:54:48 +0000 (13:54 -0800)]
cpufreq: interactive: fix policy locking

cpufreq_interactive_speedchange_task() is running as a separate kernel
thread and is calling __cpufreq_driver_target(), which requires callers
to hold policy->rwsem for writing to prevent racing with other parts of
the kernel trying to adjust the frequency, for example kernel thermal
throttling. Let's change the code to take policy->rwsem and while at it
refactor the code a bit.

This was originally 2 changes reviewed at:
https://chromium-review.googlesource.com/246273
https://chromium-review.googlesource.com/256120

Change-Id: Icc2d97c6c1b929acd2ee32e8c81d81fd2af778ab
Signed-off-by: Dmitry Torokhov <dtor@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Dmitry Torokhov <dtor@google.com>
8 years agoANDROID: dm verity fec: add sysfs attribute fec/corrected
Sami Tolvanen [Wed, 30 Mar 2016 21:10:13 +0000 (14:10 -0700)]
ANDROID: dm verity fec: add sysfs attribute fec/corrected

Add a sysfs entry that allows user space to determine whether dm-verity
has come across correctable errors on the underlying block device.

Bug: 22655252
Bug: 27928374
Change-Id: I80547a2aa944af2fb9ffde002650482877ade31b
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
(cherry picked from commit 7911fad5f0a2cf5afc2215657219a21e6630e001)

8 years agoANDROID: android: base-cfg: enable CONFIG_DM_VERITY_FEC
Sami Tolvanen [Wed, 16 Dec 2015 16:23:49 +0000 (16:23 +0000)]
ANDROID: android: base-cfg: enable CONFIG_DM_VERITY_FEC

Bug: 21893453
Change-Id: Idd0dfe4e3e527df2eff2f0d734effc40dce294c7
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
(cherry picked from commit 9408350ed80005174918ce5147490035b2cf451b)

8 years agoUPSTREAM: dm verity: add ignore_zero_blocks feature
Sami Tolvanen [Thu, 3 Dec 2015 14:26:31 +0000 (14:26 +0000)]
UPSTREAM: dm verity: add ignore_zero_blocks feature

If ignore_zero_blocks is enabled dm-verity will return zeroes for blocks
matching a zero hash without validating the content.

Change-Id: I728fa4b2586b29f2793ea5cb014289892819d249
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
(cherry picked from commit 0cc37c2df4fa0aa702f9662edce4b7ce12c86b7a)

8 years agoUPSTREAM: dm verity: add support for forward error correction
Sami Tolvanen [Thu, 3 Dec 2015 14:26:30 +0000 (14:26 +0000)]
UPSTREAM: dm verity: add support for forward error correction

Add support for correcting corrupted blocks using Reed-Solomon.

This code uses RS(255, N) interleaved across data and hash
blocks. Each error-correcting block covers N bytes evenly
distributed across the combined total data, so that each byte is a
maximum distance away from the others. This makes it possible to
recover from several consecutive corrupted blocks with relatively
small space overhead.

In addition, using verity hashes to locate erasures nearly doubles
the effectiveness of error correction. Being able to detect
corrupted blocks also improves performance, because only corrupted
blocks need to corrected.

For a 2 GiB partition, RS(255, 253) (two parity bytes for each
253-byte block) can correct up to 16 MiB of consecutive corrupted
blocks if erasures can be located, and 8 MiB if they cannot, with
16 MiB space overhead.

Change-Id: Ife4f8889f7fbf0974bf3ed4be6d3322ae9b4cb0e
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
(cherry picked from commit a739ff3f543afbb4a041c16cd0182c8e8d366e70)

8 years agoUPSTREAM: dm verity: factor out verity_for_bv_block()
Sami Tolvanen [Thu, 3 Dec 2015 21:30:36 +0000 (16:30 -0500)]
UPSTREAM: dm verity: factor out verity_for_bv_block()

verity_for_bv_block() will be re-used by optional dm-verity object.

Change-Id: I80e0f8e7c9f234fce3fbdf21cb05aba3041d7f98
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
(cherry picked from commit bb4d73ac5e4f0a6c4853f35824f6cb2d396a2f9c)

8 years agoUPSTREAM: dm verity: factor out structures and functions useful to separate object
Sami Tolvanen [Thu, 3 Dec 2015 21:01:51 +0000 (16:01 -0500)]
UPSTREAM: dm verity: factor out structures and functions useful to separate object

Prepare for an optional verity object to make use of existing dm-verity
structures and functions.

Change-Id: Ib14c3834bfed222b33e068908fb5f71a53e1187b
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
(cherry picked from commit ffa393807cd69656d5b6bc9d9622e205071cbab8)

8 years agoUPSTREAM: dm verity: move dm-verity.c to dm-verity-target.c
Sami Tolvanen [Thu, 3 Dec 2015 20:36:00 +0000 (15:36 -0500)]
UPSTREAM: dm verity: move dm-verity.c to dm-verity-target.c

Prepare for extending dm-verity with an optional object.  Follows the
naming convention used by other DM targets (e.g. dm-cache and dm-era).

Change-Id: If6d2f27b290adf14fa77f3745fdc13aaa417c8dc
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
(cherry picked from commit 03045cbafa2d663ad8d0a583ac219d202d824344)

8 years agoUPSTREAM: dm verity: separate function for parsing opt args
Sami Tolvanen [Thu, 5 Nov 2015 02:02:32 +0000 (02:02 +0000)]
UPSTREAM: dm verity: separate function for parsing opt args

Move optional argument parsing into a separate function to make it
easier to add more of them without making verity_ctr even longer.

Change-Id: I9cd9df41c3326824f8cca5764075501987e78a52
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
(cherry picked from commit 753c1fd02807cb43a1c5d01d75d454054d46bdad)

8 years agoUPSTREAM: dm verity: clean up duplicate hashing code
Sami Tolvanen [Thu, 5 Nov 2015 02:02:31 +0000 (02:02 +0000)]
UPSTREAM: dm verity: clean up duplicate hashing code

Handle dm-verity salting in one place to simplify the code.

Change-Id: If923a01dc63ae5123af13ba1b0863b73e33ddf46
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
(cherry picked from commit 6dbeda3469ced777bc3138ed5918f7ae79670b7b)

8 years agoUPSTREAM: dm: don't save and restore bi_private
Mikulas Patocka [Wed, 25 Nov 2015 21:03:31 +0000 (16:03 -0500)]
UPSTREAM: dm: don't save and restore bi_private

Device mapper used the field bi_private to point to dm_target_io. However,
since kernel 3.15, the bi_private field is unused, and so the targets do
not need to save and restore this field.

This patch removes code that saves and restores bi_private from dm-cache,
dm-snapshot and dm-verity.

Change-Id: Ic72905ccb6d58ff94eafaa47ba54b2688d92d3d1
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
(cherry picked from commit fe3265b180d6282648f03bc6ac3958c733df01c2)

8 years agomm: Export do_munmap
Guenter Roeck [Thu, 24 Mar 2016 17:39:14 +0000 (10:39 -0700)]
mm: Export do_munmap

The 0-day build bot reports the following build error, seen if SDCARD_FS
is built as module.

ERROR: "do_munmap" undefined!

Fixes: 84a1b7d3d312 ("Included sdcardfs source code for kernel 3.0")
Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
8 years agosdcardfs: remove unneeded __init and __exit
Daniel Rosenberg [Mon, 28 Mar 2016 23:00:34 +0000 (16:00 -0700)]
sdcardfs: remove unneeded __init and __exit

Change-Id: I2a2d45d52f891332174c3000e8681c5167c1564f

8 years agosdcardfs: Remove unused code
Daniel Rosenberg [Mon, 28 Mar 2016 22:00:20 +0000 (15:00 -0700)]
sdcardfs: Remove unused code

Change-Id: Ie97cba27ce44818ac56cfe40954f164ad44eccf6

8 years agofs: Export d_absolute_path
Guenter Roeck [Thu, 24 Mar 2016 17:32:35 +0000 (10:32 -0700)]
fs: Export d_absolute_path

The 0-day build bot reports the following build error, seen if SDCARD_FS
is built as module.

ERROR: "d_absolute_path" undefined!

Fixes: 84a1b7d3d312 ("Included sdcardfs source code for kernel 3.0")
Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
8 years agosdcardfs: remove effectless config option
Daniel Rosenberg [Wed, 23 Mar 2016 23:39:30 +0000 (16:39 -0700)]
sdcardfs: remove effectless config option

CONFIG_SDCARD_FS_CI_SEARCH only guards a define for
LOOKUP_CASE_INSENSITIVE, which is never used in the
kernel. Remove both, along with the option matching
that supports it.

Change-Id: I363a8f31de8ee7a7a934d75300cc9ba8176e2edf
Signed-off-by: Daniel Rosenberg <drosen@google.com>
8 years agoinotify: Fix erroneous update of bit count
Daniel Rosenberg [Wed, 23 Mar 2016 19:09:25 +0000 (12:09 -0700)]
inotify: Fix erroneous update of bit count

Patch "vfs: add d_canonical_path for stacked filesystem support"
erroneously updated the ALL_INOTIFY_BITS count. This changes it back

Change-Id: Idb04edc736da276159d30f04c40cff9d6b1e070f

8 years agofs: sdcardfs: Declare LOOKUP_CASE_INSENSITIVE unconditionally
Guenter Roeck [Wed, 23 Mar 2016 15:32:23 +0000 (08:32 -0700)]
fs: sdcardfs: Declare LOOKUP_CASE_INSENSITIVE unconditionally

Attempts to build sdcardfs as module fail with

fs/sdcardfs/lookup.c: In function '__sdcardfs_lookup':
fs/sdcardfs/lookup.c:243:5: error: 'LOOKUP_CASE_INSENSITIVE' undeclared

This occurs because the define is enclosed with #ifdef
CONFIG_SDCARD_FS_CI_SEARCH. If SDCARD_FS_CI_SEARCH is configured to be
built as module, this does not work. Alternatives would be to use #if
IS_ENABLED(CONFIG_SDCARD_FS_CI_SEARCH), or to declare SDCARD_FS_CI_SEARCH
as bool, but that does not work because the define is used unconditionally
in the source.

Note that LOOKUP_CASE_INSENSITIVE is only set but not evaluated in the
current source code, so setting the flag has no real effect.

Fixes: 84a1b7d3d312 ("Included sdcardfs source code for kernel 3.0")
Cc: Daniel Rosenberg <drosen@google.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
8 years agotrace: cpufreq: fix typo in min/max cpufreq
Thierry Strudel [Wed, 23 Mar 2016 17:02:15 +0000 (10:02 -0700)]
trace: cpufreq: fix typo in min/max cpufreq

Change-Id: Ieed402d3a912b7a318826e101efe2c24b07ebfe4
Signed-off-by: Thierry Strudel <tstrudel@google.com>
8 years agosdcardfs: Add support for d_canonical_path
Daniel Rosenberg [Fri, 12 Feb 2016 00:53:36 +0000 (16:53 -0800)]
sdcardfs: Add support for d_canonical_path

Change-Id: I5d6f0e71b8ca99aec4b0894412f1dfd1cfe12add
Signed-off-by: Daniel Rosenberg <drosen@google.com>
8 years agovfs: add d_canonical_path for stacked filesystem support
Daniel Rosenberg [Fri, 12 Feb 2016 00:44:15 +0000 (16:44 -0800)]
vfs: add d_canonical_path for stacked filesystem support

Inotify does not currently know when a filesystem
is acting as a wrapper around another fs. This means
that inotify watchers will miss any modifications to
the base file, as well as any made in a separate
stacked fs that points to the same file.
d_canonical_path solves this problem by allowing the fs
to map a dentry to a path in the lower fs. Inotify
can use it to find the appropriate place to watch to
be informed of all changes to a file.

Change-Id: I09563baffad1711a045e45c1bd0bd8713c2cc0b6
Signed-off-by: Daniel Rosenberg <drosen@google.com>
8 years agosdcardfs: Bring up to date with Android M permissions:
Daniel Rosenberg [Thu, 4 Feb 2016 05:08:21 +0000 (21:08 -0800)]
sdcardfs: Bring up to date with Android M permissions:

In M, the workings of sdcardfs were changed significantly.
This brings sdcardfs into line with the changes.

Change-Id: I10e91a84a884c838feef7aa26c0a2b21f02e052e

8 years agoChanged type-casting in packagelist management
Daniel Campello [Mon, 20 Jul 2015 23:33:46 +0000 (16:33 -0700)]
Changed type-casting in packagelist management

Fixed existing type-casting in packagelist management code. All
warnings at compile time were taken care of.

Change-Id: I1ea97786d1d1325f31b9f09ae966af1f896a2af5
Signed-off-by: Daniel Campello <campello@google.com>
8 years agoPort of sdcardfs to 4.4
Daniel Campello [Mon, 20 Jul 2015 23:27:37 +0000 (16:27 -0700)]
Port of sdcardfs to 4.4

Change-Id: I25b99ecf214e72ebf6a57ec3085972542a8d7951
Signed-off-by: Daniel Rosenberg <drosen@google.com>
8 years agoIncluded sdcardfs source code for kernel 3.0
Daniel Campello [Mon, 20 Jul 2015 23:23:50 +0000 (16:23 -0700)]
Included sdcardfs source code for kernel 3.0

Only included the source code as is for kernel 3.0. Following patches
take care of porting this file system to version 3.10.

Change-Id: I09e76db77cd98a059053ba5b6fd88572a4b75b5b
Signed-off-by: Daniel Campello <campello@google.com>
8 years agoANDROID: usb: gadget: Add support for MTP OS desc
Badhri Jagan Sridharan [Wed, 7 Oct 2015 03:32:01 +0000 (20:32 -0700)]
ANDROID: usb: gadget: Add support for MTP OS desc

Windows requires OS specific descriptors for automatic
install of drivers for MTP devices.

https://msdn.microsoft.com/en-us/library/windows/
hardware/gg463179.aspx

BUG=24583401
BUG=chrome-os-partner:43409

Change-Id: I9397072ca3d183efbc9571c6cde3790f10d8851e
Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
Reviewed-on: https://chromium-review.googlesource.com/304346
Commit-Ready: Andrew Bresticker <abrestic@chromium.org>
Tested-by: Andrew Bresticker <abrestic@chromium.org>
Reviewed-by: Andrew Bresticker <abrestic@chromium.org>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
8 years agoCHROMIUM: usb: gadget: f_accessory: add .raw_request callback
Mark Kuo [Mon, 11 Jan 2016 11:07:12 +0000 (19:07 +0800)]
CHROMIUM: usb: gadget: f_accessory: add .raw_request callback

After this upstream commit: 3c86726cfe38952f0366f86acfbbb025813ec1c2,
.raw_request is mandatory in hid_ll_driver structure, hence add an empty
raw_request() function.

BUG=chrome-os-partner:49140
TEST=none

Change-Id: Idd0bbe6960aad2c557376e4a24827d7e1df8e023
Signed-off-by: Mark Kuo <mkuo@nvidia.com>
Reviewed-on: https://chromium-review.googlesource.com/321038
Commit-Ready: Andrew Bresticker <abrestic@chromium.org>
Tested-by: Andrew Bresticker <abrestic@chromium.org>
Reviewed-by: Andrew Bresticker <abrestic@chromium.org>
8 years agoCHROMIUM: usb: gadget: audio_source: add .free_func callback
Mark Kuo [Mon, 11 Jan 2016 09:49:16 +0000 (17:49 +0800)]
CHROMIUM: usb: gadget: audio_source: add .free_func callback

When userspace unbinds gadget functions through configfs, the
.free_func() callback is always invoked. (in config_usb_cfg_unlink())
Implement it as a no-op to avoid the following crash:

[ 68.125679] configfs-gadget gadget: unbind function 'accessory'/ffffffc0720bf000
[ 68.133202] configfs-gadget gadget: unbind function 'audio_source'/ffffffc0012ca3c0
[ 68.142668] tegra-xudc 700d0000.usb-device: ep 0 disabled
[ 68.148186] Bad mode in Synchronous Abort handler detected, code 0x86000006
[ 68.155144] CPU: 2 PID: 1 Comm: init Tainted: G    U W 3.18.0-09419-g87296c3-dirty #561
[ 68.163743] Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
[ 68.169566] task: ffffffc0bc8d0000 ti: ffffffc0bc8bc000 task.ti: ffffffc0bc8bc000
[ 68.177039] PC is at 0x0
[ 68.179577] LR is at usb_put_function+0x14/0x1c
....

BUG=chrome-os-partner:49140
TEST="setprop sys.usb.config accessory,audio_source" on A44 and then
switch back to default: "setprop sys.usb.config mtp,adb", no crash will
be seen.

Change-Id: I5b6141964aab861e86e3afb139ded02d4d122dab
Signed-off-by: Mark Kuo <mkuo@nvidia.com>
Reviewed-on: https://chromium-review.googlesource.com/321013
Commit-Ready: Andrew Bresticker <abrestic@chromium.org>
Tested-by: Andrew Bresticker <abrestic@chromium.org>
Reviewed-by: Andrew Bresticker <abrestic@chromium.org>
8 years agoCHROMIUM: usb: gadget: f_mtp: fix usb_ss_ep_comp_descriptor
Mark Kuo [Fri, 11 Sep 2015 08:12:59 +0000 (16:12 +0800)]
CHROMIUM: usb: gadget: f_mtp: fix usb_ss_ep_comp_descriptor

wBytesPerInterval in SuperSpeed Endpoint Companion Descriptor needs
to be set large enough to reserve enough bus time for associated
periodic endpoint.

Originally, wBytesPerInterval for mtp's interrupt IN endpoint is set
to 2 and its single interrupt transfer will be split into many 2 bytes
interrupt transfers. So, we change wBytesPerInterval to INTR_BUFFER_SIZE
to ensure interrupt transfer will not be split.

BUG=none
TEST=Smaug works as a MTP device

Change-Id: I49c0df892b2d9e0193a684eef23f73664ced9f91
Signed-off-by: Henry Lin <henryl@nvidia.com>
Signed-off-by: Mark Kuo <mkuo@nvidia.com>
Reviewed-on: https://chromium-review.googlesource.com/299091
Reviewed-by: Andrew Bresticker <abrestic@chromium.org>
8 years agoCHROMIUM: usb: gadget: f_mtp: Add SuperSpeed support
Mark Kuo [Thu, 20 Aug 2015 05:01:46 +0000 (13:01 +0800)]
CHROMIUM: usb: gadget: f_mtp: Add SuperSpeed support

Add SuperSpeed endpoint and companion descriptors.

BUG=chrome-os-partner:43682
TEST=Smaug enumerates as a SuperSpeed device.

Change-Id: I2bf3125d180fcb07222a5740fa67f3526cf3e95c
Signed-off-by: Hui Fu <hfu@nvidia.com>
Signed-off-by: Henry Lin <henryl@nvidia.com>
Signed-off-by: Mark Kuo <mkuo@nvidia.com>
Signed-off-by: Andrew Bresticker <abrestic@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/294950

8 years agoFROMLIST: mmc: block: fix ABI regression of mmc_blk_ioctl
Shawn Lin [Wed, 16 Mar 2016 10:15:47 +0000 (18:15 +0800)]
FROMLIST: mmc: block: fix ABI regression of mmc_blk_ioctl

If mmc_blk_ioctl returns -EINVAL, blkdev_ioctl continues to
work without returning err to user-space. But now we check
CAP_SYS_RAWIO firstly, so we return -EPERM to blkdev_ioctl,
which make blkdev_ioctl return -EPERM to user-space directly.
So this will break all the ioctl with BLKROSET. Now we find
Android-adb suffer it for the following log:

remount of /system failed;
couldn't make block device writable: Operation not permitted
openat(AT_FDCWD, "/dev/block/platform/ff420000.dwmmc/by-name/system", O_RDONLY) = 3
ioctl(3, BLKROSET, 0)  = -1 EPERM (Operation not permitted)

Fixes: a5f5774c55a2 ("mmc: block: Add new ioctl to send multi commands")
Change-Id: Ie9ba728e366abf4ab73fd6102d2a2aa0d4ee5c66
Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
8 years agoFROMLIST: mm: ASLR: use get_random_long()
dcashman [Wed, 24 Feb 2016 21:31:22 +0000 (13:31 -0800)]
FROMLIST: mm: ASLR: use get_random_long()

(cherry picked from commit https://lkml.org/lkml/2016/2/4/833)

Replace calls to get_random_int() followed by a cast to (unsigned long)
with calls to get_random_long().  Also address shifting bug which, in case
of x86 removed entropy mask for mmap_rnd_bits values > 31 bits.

Bug: 26963541
Signed-off-by: Daniel Cashman <dcashman@android.com>
Signed-off-by: Daniel Cashman <dcashman@google.com>
Change-Id: I36c156c9b8d7d157134895fddd4cd6efddcbee86

8 years agoFROMLIST: drivers: char: random: add get_random_long()
dcashman [Wed, 24 Feb 2016 21:27:06 +0000 (13:27 -0800)]
FROMLIST: drivers: char: random: add get_random_long()

(cherry picked from commit https://lkml.org/lkml/2016/2/4/831)

d07e22597d1d355 ("mm: mmap: add new /proc tunable for mmap_base ASLR")
added the ability to choose from a range of values to use for entropy
count in generating the random offset to the mmap_base address.  The
maximum value on this range was set to 32 bits for 64-bit x86 systems, but
this value could be increased further, requiring more than the 32 bits of
randomness provided by get_random_int(), as is already possible for arm64.
Add a new function: get_random_long() which more naturally fits with the
mmap usage of get_random_int() but operates exactly the same as
get_random_int().

Also, fix the shifting constant in mmap_rnd() to be an unsigned long so
that values greater than 31 bits generate an appropriate mask without
overflow.  This is especially important on x86, as its shift instruction
uses a 5-bit mask for the shift operand, which meant that any value for
mmap_rnd_bits over 31 acts as a no-op and effectively disables mmap_base
randomization.

Finally, replace calls to get_random_int() with get_random_long() where
appropriate.

Bug: 26963541
Signed-off-by: Daniel Cashman <dcashman@android.com>
Signed-off-by: Daniel Cashman <dcashman@google.com>
Change-Id: I5b45621088666d5d1dfbf43952f25ea0798b10ba

8 years agoFROMLIST: pstore-ram: fix NULL reference when used with pdata
Brian Norris [Mon, 14 Mar 2016 20:34:44 +0000 (13:34 -0700)]
FROMLIST: pstore-ram: fix NULL reference when used with pdata

When using platform-data (not DT), we get an OOPS, because drvdata is
only initialized after we try to use it.

This addresses my comments made on the upstream submission here:

https://patchwork.kernel.org/patch/7980651/

Fixes boot on Chrome OS systems, including the Pixel 2.

Change-Id: I97360edf2ce61c83dc543cb6c169f3287e2dae4b
Fixes: b1d1b7187c11 ("FROMLIST: pstore-ram: add Device Tree bindings")
Signed-off-by: Brian Norris <briannorris@google.com>
8 years agousb: u_ether: Add missing rx_work init
Matthew Moeller [Thu, 10 Mar 2016 02:19:25 +0000 (20:19 -0600)]
usb: u_ether: Add missing rx_work init

commit 398a708ed5f3ef771d96dfb9b95b5d5170d17eb7
usb: u_ether: Add workqueue as bottom half handler for rx data path

set up a worker for the rx data path but missed a case where the
work_struct needed to be initialized.

This patch adds the missing 'INIT_WORK'

Change-Id: I2daabd39d35b3e17a3054837282d649d9c78a0aa
Signed-off-by: Matthew Moeller <moeller.matt@gmail.com>
8 years agoANDROID: dm-crypt: run in a WQ_HIGHPRI workqueue
Tim Murray [Wed, 20 Jan 2016 00:33:27 +0000 (16:33 -0800)]
ANDROID: dm-crypt: run in a WQ_HIGHPRI workqueue

(cherry pick from commit ad3ac5180979e5dd1f84e4a807f76fb9fb19f814)

Running dm-crypt in a standard workqueue results in IO competing for CPU
time with standard user apps, which can lead to pipeline bubbles and
seriously degraded performance. Move to a WQ_HIGHPRI workqueue to
protect against that.

Signed-off-by: Tim Murray <timmurray@google.com>
Bug: 25392275
Change-Id: I2828587c754a7c2cafdd78b3323b9896cb8cd4e7

8 years agomisc: uid_stat: Include linux/atomic.h instead of asm/atomic.h
Guenter Roeck [Fri, 4 Mar 2016 20:44:33 +0000 (12:44 -0800)]
misc: uid_stat: Include linux/atomic.h instead of asm/atomic.h

Building the uid_stat driver on sparc32 fails with the following errors.

include/linux/atomic.h: In function 'atomic_add_unless':
include/linux/atomic.h:437:2: error:
implicit declaration of function '__atomic_add_unless'
include/linux/atomic.h: In function 'atomic_andnot':
include/linux/atomic.h:454:2: error:
implicit declaration of function 'atomic_and'
include/linux/atomic.h: In function 'atomic_set_mask':
include/linux/atomic.h:465:2: error:
implicit declaration of function 'atomic_or'
include/linux/atomic.h: In function 'atomic_inc_not_zero_hint':
include/linux/atomic.h:490:3: error:
implicit declaration of function 'atomic_cmpxchg'
include/linux/atomic.h: In function 'atomic_dec_if_positive':
include/linux/atomic.h:537:2: error:
implicit declaration of function 'atomic_read'

Fixes: 6b6d5fbf9ae5 ("misc: uidstat: Adding uid stat driver to collect network statistics.")
Signed-off-by: Guenter Roeck <groeck@chromium.org>
8 years agohid-sensor-hub.c: fix wrong do_div() usage
Nicolas Pitre [Tue, 3 Nov 2015 22:01:46 +0000 (17:01 -0500)]
hid-sensor-hub.c: fix wrong do_div() usage

do_div() must only be used with a u64 dividend.

Signed-off-by: Nicolas Pitre <nico@linaro.org>
(cherry picked from commit 8d43b49e7e0070f96ac46d30659a336c0224fa0b)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
8 years agopower: Provide dummy log_suspend_abort_reason() if SUSPEND is disabled
Guenter Roeck [Fri, 4 Mar 2016 15:22:27 +0000 (07:22 -0800)]
power: Provide dummy log_suspend_abort_reason() if SUSPEND is disabled

The API to log the suspend reason was introduced with commit 57caa2ad5ce3
("power: Adds functionality to log the last suspend abort reason.").
It is called from functions enabled with PM_SLEEP and from functions
enabled with SUSPEND, but only available if SUSPEND is enabled.
This can result in build failures such as the following if PM_SLEEP
is enabled, but SUSPEND is not.

kernel/built-in.o: In function `try_to_freeze_tasks':
process.c:(.text+0x30928): undefined reference to `log_suspend_abort_reason'
drivers/built-in.o: In function `syscore_suspend':
(.text+0x6e250): undefined reference to `log_suspend_abort_reason'
drivers/built-in.o: In function `__device_suspend':
main.c:(.text+0x7a528): undefined reference to `log_suspend_abort_reason'

Fixes: 57caa2ad5ce3 ("power: Adds functionality to log the last suspend abort reason.")
Signed-off-by: Guenter Roeck <groeck@chromium.org>
8 years agoPM / suspend: Add dependency on RTC_LIB
Guenter Roeck [Thu, 3 Mar 2016 18:33:40 +0000 (10:33 -0800)]
PM / suspend: Add dependency on RTC_LIB

Commit 1eff8f99f9f9 ("PM / Suspend: Print wall time at suspend entry and
exit") calls rtc_time_to_tm(), which in turn calls rtc_time64_to_tm().
Since RTC_LIB is not mandatory for all architetures, this can result in
the following build error.

suspend.c:(.text+0x2f36c): undefined reference to `rtc_time64_to_tm'

rtc_time64_to_tm() is implemented in rtc-lib, so SUSPEND now needs to
select RTC_LIB.

Fixes: 1eff8f99f9f9 ("PM / Suspend: Print wall time at suspend entry and exit")
Signed-off-by: Guenter Roeck <groeck@chromium.org>
8 years agodrivers: power: use 'current' instead of 'get_current()'
Guenter Roeck [Thu, 3 Mar 2016 17:44:44 +0000 (09:44 -0800)]
drivers: power: use 'current' instead of 'get_current()'

get_current() to get the current thread pointer is not defined for all
architectures. This results in the following build error for several
architectures (s390, powerpc, and possibly others).

drivers/base/power/main.c: In function '__device_suspend':
drivers/base/power/main.c:1415:2: error:
implicit declaration of function 'get_current'

Use 'current' instead. Also include asm/current.h instead of depending on
an implicit include.

Fixes: ad86cc8ad632 ("drivers: power: Add watchdog timer to catch drivers which lockup during suspend."
Signed-off-by: Guenter Roeck <groeck@chromium.org>
8 years agovideo: adf: Set ADF_MEMBLOCK to boolean
Guenter Roeck [Thu, 3 Mar 2016 17:30:33 +0000 (09:30 -0800)]
video: adf: Set ADF_MEMBLOCK to boolean

Attempts to build with CONFIG_ADF_MEMBLOCK=m result in the following
build error.

ERROR: "memblock_free" [drivers/video/adf/adf_memblock.ko] undefined!

memblock_free() is marked as __init_memblock, so exporting it seems to be
a bad idea. All other callers are only configurable into the kernel,
so do the same with ADF_MEMBLOCK.

Signed-off-by: Guenter Roeck <groeck@chromium.org>
8 years agovideo: adf: Fix modular build
Guenter Roeck [Tue, 1 Mar 2016 17:52:27 +0000 (09:52 -0800)]
video: adf: Fix modular build

Builds with ADF configured as module fail the following errors.

ERROR: "adf_fops" [drivers/video/adf/adf_sysfs.ko] undefined!
ERROR: "adf_obj_sysfs_find" [drivers/video/adf/adf_fops.ko] undefined!
ERROR: "adf_buffer_cleanup" [drivers/video/adf/adf_fops.ko] undefined!
ERROR: "adf_attachment_validate" [drivers/video/adf/adf_client.ko] undefined!
ERROR: "adf_attachment_find" [drivers/video/adf/adf_client.ko] undefined!
ERROR: "adf_buffer_mapping_cleanup" [drivers/video/adf/adf_client.ko] undefined!
ERROR: "adf_attachment_free" [drivers/video/adf/adf_client.ko] undefined!
ERROR: "adf_obj_find_event_refcount" [drivers/video/adf/adf_client.ko] undefined!
ERROR: "adf_file_queue_event" [drivers/video/adf/adf.ko] undefined!
ERROR: "adf_interface_sysfs_init" [drivers/video/adf/adf.ko] undefined!
ERROR: "adf_interface_sysfs_destroy" [drivers/video/adf/adf.ko] undefined!
ERROR: "adf_device_sysfs_init" [drivers/video/adf/adf.ko] undefined!
ERROR: "adf_device_sysfs_destroy" [drivers/video/adf/adf.ko] undefined!
ERROR: "adf_sysfs_destroy" [drivers/video/adf/adf.ko] undefined!
ERROR: "adf_overlay_engine_sysfs_init" [drivers/video/adf/adf.ko] undefined!
ERROR: "adf_overlay_engine_sysfs_destroy" [drivers/video/adf/adf.ko] undefined!
ERROR: "adf_sysfs_init" [drivers/video/adf/adf.ko] undefined!

If ADF is configured as module, each of the object files ends up being
a separate module. Since the functions are used across the various files
but not exported, this results in the observed build errors.
Modify the Makefile to create a single module instead.

Fixes: 066a50cee536 ("video: add atomic display framework")
Signed-off-by: Guenter Roeck <groeck@chromium.org>
8 years agonet: ppp: Fix modular build for PPPOLAC and PPPOPNS
Guenter Roeck [Tue, 1 Mar 2016 17:47:32 +0000 (09:47 -0800)]
net: ppp: Fix modular build for PPPOLAC and PPPOPNS

Unlike other configurations in net/ppp, PPPOLAC and PPPOPNS
are defined as boolean configuration options. In allmodconfig builds
(or, specifically, if PPP and some of the other PPP protocols were
built as modules), this resulted in build errors such as the following,
since pppox was built both as module and into the kernel.

ERROR: "pppox_ioctl" [net/l2tp/l2tp_ppp.ko] undefined!
ERROR: "unregister_pppox_proto" [net/l2tp/l2tp_ppp.ko] undefined!
ERROR: "register_pppox_proto" [net/l2tp/l2tp_ppp.ko] undefined!
ERROR: "pppox_unbind_sock" [net/l2tp/l2tp_ppp.ko] undefined!

Fix the problem by defining PPPOLAC and PPPOPNS tristate.

Signed-off-by: Guenter Roeck <groeck@chromium.org>
8 years agonet: pppolac/pppopns: Replace msg.msg_iov with iov_iter_kvec()
Guenter Roeck [Tue, 1 Mar 2016 17:44:17 +0000 (09:44 -0800)]
net: pppolac/pppopns: Replace msg.msg_iov with iov_iter_kvec()

Commit 1af89c1ef3b6 ("Hack: net: PPPoPNS and PPPoLAC build fixes for 4.1")
fixed the build for PPPoPNS and PPPoLAC by re-introducing a field in
struct msghdr which was removed upstream. Re-introducing the field doesn't
get it used, so it is quite likely that the code never worked. Fix it up for
good.

Fixes: 1af89c1ef3b6 ("Hack: net: PPPoPNS and PPPoLAC build fixes for 4.1")
Signed-off-by: Guenter Roeck <groeck@chromium.org>
8 years agoANDROID: mmc: sdio: Disable retuning in sdio_reset_comm()
Andrew Bresticker [Tue, 10 Nov 2015 22:11:46 +0000 (14:11 -0800)]
ANDROID: mmc: sdio: Disable retuning in sdio_reset_comm()

Since sdio_reset_comm() re-initializes the SDIO card, disable retuning
before idling and shutting down the card.  Tuning will be re-enabled (if
necessary) in mmc_sdio_init_card().

BUG=chrome-os-partner:46444
TEST=With CL:311815, toggle WiFi on/off on Smaug and observe that the
WiFi card comes back up and is able to tune successfully.

Change-Id: Ib4a5cfd4d75fc9e3ed7bb3f1e2ffd30de16c5d28
Signed-off-by: Andrew Bresticker <abrestic@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/311797
Reviewed-by: Derek Basehore <dbasehore@chromium.org>
[briannorris: brought from Chromium kernel in 3.18 -> 4.4 rebase]

Signed-off-by: Brian Norris <briannorris@google.com>
8 years agoANDROID: mmc: Move tracepoint creation and export symbols
Dylan Reid [Tue, 3 Mar 2015 01:09:07 +0000 (17:09 -0800)]
ANDROID: mmc: Move tracepoint creation and export symbols

Move the tracepoint creation to core from card, as core shouldn't depend
on card.

Also add EXPORT_SYMBOL_GPL calls to enable module build.

Change-Id: Ie39fcdadc0516df99600d0963efe09b6cd7a9bf8
Signed-off-by: Dylan Reid <dgreid@chromium.org>
(cherry picked from commit da5fbd1e7e50fee3a8271f50d25c848d0ede64b3,
from android-3.14)
Signed-off-by: Brian Norris <briannorris@google.com>
8 years agoANDROID: kernel/watchdog: fix unused variable warning
Brian Norris [Tue, 1 Mar 2016 01:42:29 +0000 (17:42 -0800)]
ANDROID: kernel/watchdog: fix unused variable warning

kernel/watchdog.c:122:22: warning: ‘hardlockup_allcpu_dumped’ defined but not used [-Wunused-variable]

Change-Id: I99e97e7cc31b589cd674fd4495832c9ef036d0b9
Signed-off-by: Brian Norris <briannorris@google.com>
8 years agoANDROID: usb: gadget: f_mtp: don't use le16 for u8 field
Brian Norris [Tue, 1 Mar 2016 01:44:51 +0000 (17:44 -0800)]
ANDROID: usb: gadget: f_mtp: don't use le16 for u8 field

The 'bCount' field is u8. Noticed by this warning:

drivers/usb/gadget/function/f_mtp.c:264:3: warning: large integer implicitly truncated to unsigned type [-Woverflow]

Change-Id: Ie82dfd1a8986ecd3acf143e41c46822f0d1aca4f
Signed-off-by: Brian Norris <briannorris@google.com>
8 years agoANDROID: lowmemorykiller: fix declaration order warnings
Brian Norris [Tue, 1 Mar 2016 01:40:05 +0000 (17:40 -0800)]
ANDROID: lowmemorykiller: fix declaration order warnings

drivers/staging/android/lowmemorykiller.c: In function ‘lowmem_scan’:
drivers/staging/android/lowmemorykiller.c:174:3: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement]

Change-Id: I9de6cf2c374bc43131725a7ed666a033a4449ea9
Signed-off-by: Brian Norris <briannorris@google.com>
8 years agoANDROID: net: fix 'const' warnings
Brian Norris [Tue, 1 Mar 2016 01:38:34 +0000 (17:38 -0800)]
ANDROID: net: fix 'const' warnings

See the following build log splats. The sock_i_uid() helper doesn't
quite treat the parameter as 'const' (it acquires a member lock), but
this cast is the same approach taken by other callers in this file, so I
don't feel too bad about the fix.

  CC      net/ipv4/inet_connection_sock.o
  CC      net/ipv6/inet6_connection_sock.o
net/ipv6/inet6_connection_sock.c: In function ‘inet6_csk_route_req’:
net/ipv6/inet6_connection_sock.c:89:2: warning: passing argument 1 of ‘sock_i_uid’ discards ‘const’ qualifier from pointer target type [enabled by default]
In file included from include/linux/tcp.h:22:0,
                 from include/linux/ipv6.h:73,
                 from net/ipv6/inet6_connection_sock.c:18:
include/net/sock.h:1689:8: note: expected ‘struct sock *’ but argument is of type ‘const struct sock *’
net/ipv4/inet_connection_sock.c: In function ‘inet_csk_route_req’:
net/ipv4/inet_connection_sock.c:423:7: warning: passing argument 1 of ‘sock_i_uid’ discards ‘const’ qualifier from pointer target type [enabled by default]
In file included from include/net/inet_sock.h:27:0,
                 from include/net/inet_connection_sock.h:23,
                 from net/ipv4/inet_connection_sock.c:19:
include/net/sock.h:1689:8: note: expected ‘struct sock *’ but argument is of type ‘const struct sock *’
net/ipv4/inet_connection_sock.c: In function ‘inet_csk_route_child_sock’:
net/ipv4/inet_connection_sock.c:460:7: warning: passing argument 1 of ‘sock_i_uid’ discards ‘const’ qualifier from pointer target type [enabled by default]
In file included from include/net/inet_sock.h:27:0,
                 from include/net/inet_connection_sock.h:23,
                 from net/ipv4/inet_connection_sock.c:19:
include/net/sock.h:1689:8: note: expected ‘struct sock *’ but argument is of type ‘const struct sock *’

Change-Id: I5c156fc1a81f90323717bffd93c31d205b85620c
Signed-off-by: Brian Norris <briannorris@google.com>
8 years agonet: diag: support v4mapped sockets in inet_diag_find_one_icsk()
Eric Dumazet [Thu, 21 Jan 2016 00:25:01 +0000 (16:25 -0800)]
net: diag: support v4mapped sockets in inet_diag_find_one_icsk()

Lorenzo reported that we could not properly find v4mapped sockets
in inet_diag_find_one_icsk(). This patch fixes the issue.

[cherry-pick of fc439d9489479411fbf9bbbec2c768df89e85503]

Change-Id: I13515e83fb76d4729f00047f9eb142c929390fb2
Reported-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
8 years agonet: tcp: deal with listen sockets properly in tcp_abort.
Lorenzo Colitti [Mon, 21 Dec 2015 15:03:44 +0000 (00:03 +0900)]
net: tcp: deal with listen sockets properly in tcp_abort.

When closing a listen socket, tcp_abort currently calls
tcp_done without clearing the request queue. If the socket has a
child socket that is established but not yet accepted, the child
socket is then left without a parent, causing a leak.

Fix this by setting the socket state to TCP_CLOSE and calling
inet_csk_listen_stop with the socket lock held, like tcp_close
does.

Tested using net_test. With this patch, calling SOCK_DESTROY on a
listen socket that has an established but not yet accepted child
socket results in the parent and the child being closed, such
that they no longer appear in sock_diag dumps.

[cherry-pick of net-next 2010b93e9317cc12acd20c4aed385af7f9d1681e]

Change-Id: I0555a142f11d8b36362ffd7c8ef4a5ecae8987c9
Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
8 years agotcp: diag: add support for request sockets to tcp_abort()
Eric Dumazet [Fri, 18 Dec 2015 00:14:11 +0000 (16:14 -0800)]
tcp: diag: add support for request sockets to tcp_abort()

Adding support for SYN_RECV request sockets to tcp_abort()
is quite easy after our tcp listener rewrite.

Note that we also need to better handle listeners, or we might
leak not yet accepted children, because of a missing
inet_csk_listen_stop() call.

[cherry-pick of net-next 07f6f4a31e5a8dee67960fc07bb0b37c5f879d4d]

Change-Id: I8ec6b2e6ec24f330a69595abf1d5469ace79b3fd
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Lorenzo Colitti <lorenzo@google.com>
Tested-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
8 years agonet: diag: Support destroying TCP sockets.
Lorenzo Colitti [Wed, 16 Dec 2015 03:30:05 +0000 (12:30 +0900)]
net: diag: Support destroying TCP sockets.

This implements SOCK_DESTROY for TCP sockets. It causes all
blocking calls on the socket to fail fast with ECONNABORTED and
causes a protocol close of the socket. It informs the other end
of the connection by sending a RST, i.e., initiating a TCP ABORT
as per RFC 793. ECONNABORTED was chosen for consistency with
FreeBSD.

[cherry-pick of net-next c1e64e298b8cad309091b95d8436a0255c84f54a]

Change-Id: I728a01ef03f2ccfb9016a3f3051ef00975980e49
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
8 years agonet: diag: Support SOCK_DESTROY for inet sockets.
Lorenzo Colitti [Wed, 16 Dec 2015 03:30:04 +0000 (12:30 +0900)]
net: diag: Support SOCK_DESTROY for inet sockets.

This passes the SOCK_DESTROY operation to the underlying protocol
diag handler, or returns -EOPNOTSUPP if that handler does not
define a destroy operation.

Most of this patch is just renaming functions. This is not
strictly necessary, but it would be fairly counterintuitive to
have the code to destroy inet sockets be in a function whose name
starts with inet_diag_get.

[backport of net-next 6eb5d2e08f071c05ecbe135369c9ad418826cab2]

Change-Id: Idc13a7def20f492a5323ad2f8de105426293bd37
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
8 years agonet: diag: Add the ability to destroy a socket.
Lorenzo Colitti [Wed, 16 Dec 2015 03:30:03 +0000 (12:30 +0900)]
net: diag: Add the ability to destroy a socket.

This patch adds a SOCK_DESTROY operation, a destroy function
pointer to sock_diag_handler, and a diag_destroy function
pointer.  It does not include any implementation code.

[backport of net-next 64be0aed59ad519d6f2160868734f7e278290ac1]

Change-Id: Ic5327ff14b39dd268083ee4c1dc2c934b2820df5
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
8 years agonet: diag: split inet_diag_dump_one_icsk into two
Lorenzo Colitti [Wed, 16 Dec 2015 03:30:02 +0000 (12:30 +0900)]
net: diag: split inet_diag_dump_one_icsk into two

Currently, inet_diag_dump_one_icsk finds a socket and then dumps
its information to userspace. Split it into a part that finds the
socket and a part that dumps the information.

[cherry-pick of net-next b613f56ec9baf30edf5d9d607b822532a273dad7]

Change-Id: I144765afb6ff1cd66eb4757c9418112fb0b08a6f
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
8 years agoRevert "mmc: Extend wakelock if bus is dead"
Dmitry Shmidt [Wed, 24 Feb 2016 20:45:14 +0000 (12:45 -0800)]
Revert "mmc: Extend wakelock if bus is dead"

This reverts commit dde72f9e313fc52d467ef0aad41cecd2c9f9f212.

8 years agoRevert "mmc: core: Hold a wake lock accross delayed work + mmc rescan"
Dmitry Shmidt [Wed, 24 Feb 2016 19:17:02 +0000 (11:17 -0800)]
Revert "mmc: core: Hold a wake lock accross delayed work + mmc rescan"

Patch mmc: core: Signal wakeup event at card insert/removal
provides wake lock for mmc_detect_change()

This reverts commit bec7bcbb707d10b80d450f6f02384efeff294799.

8 years agoANDROID: mmc: move to a SCHED_FIFO thread
Tim Murray [Wed, 20 Jan 2016 00:36:40 +0000 (16:36 -0800)]
ANDROID: mmc: move to a SCHED_FIFO thread

(cherry picked from commit 011e507b413393eab8279dac8b778ad9b6e9971b)

Running mmcqd as a prio 120 thread forces it to compete with standard
user processes for IO performance, especially when the system is under
severe CPU load. Move it to a SCHED_FIFO thread to reduce the impact of
load on IO performance.

Signed-off-by: Tim Murray <timmurray@google.com>
Bug: 25392275
Change-Id: I1edfe73baa25e181367c30c1f40fee886e92b60d

8 years agoMerge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android
Alex Shi [Tue, 22 Mar 2016 06:56:54 +0000 (14:56 +0800)]
Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android

8 years agoMerge branch 'v4.4/topic/ro-vdso' into linux-linaro-lsk-v4.4
Alex Shi [Tue, 22 Mar 2016 06:56:29 +0000 (14:56 +0800)]
Merge branch 'v4.4/topic/ro-vdso' into linux-linaro-lsk-v4.4

8 years agoarm64: vdso: Mark vDSO code as read-only
David Brown [Mon, 21 Mar 2016 20:16:37 +0000 (14:16 -0600)]
arm64: vdso: Mark vDSO code as read-only

commit 88d8a7994e564d209d4b2583496631c2357d386b upstream.

Although the arm64 vDSO is cleanly separated by code/data with the
code being read-only in userspace mappings, the code page is still
writable from the kernel.  There have been exploits (such as
http://itszn.com/blog/?p=21) that take advantage of this on x86 to go
from a bad kernel write to full root.

Prevent this specific exploit on arm64 by putting the vDSO code page
in read-only memory as well.

Before the change:
[    3.138366] vdso: 2 pages (1 code @ ffffffc000a71000, 1 data @ ffffffc000a70000)
---[ Kernel Mapping ]---
0xffffffc000000000-0xffffffc000082000         520K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc000082000-0xffffffc000200000        1528K     ro x  SHD AF            UXN MEM/NORMAL
0xffffffc000200000-0xffffffc000800000           6M     ro x  SHD AF        BLK UXN MEM/NORMAL
0xffffffc000800000-0xffffffc0009b6000        1752K     ro x  SHD AF            UXN MEM/NORMAL
0xffffffc0009b6000-0xffffffc000c00000        2344K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc000c00000-0xffffffc008000000         116M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc00c000000-0xffffffc07f000000        1840M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc800000000-0xffffffc840000000           1G     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc840000000-0xffffffc87ae00000         942M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc87ae00000-0xffffffc87ae70000         448K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87af80000-0xffffffc87af8a000          40K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87af8b000-0xffffffc87b000000         468K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87b000000-0xffffffc87fe00000          78M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc87fe00000-0xffffffc87ff50000        1344K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87ff90000-0xffffffc87ffa0000          64K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87fff0000-0xffffffc880000000          64K     RW NX SHD AF            UXN MEM/NORMAL

After:
[    3.138368] vdso: 2 pages (1 code @ ffffffc0006de000, 1 data @ ffffffc000a74000)
---[ Kernel Mapping ]---
0xffffffc000000000-0xffffffc000082000         520K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc000082000-0xffffffc000200000        1528K     ro x  SHD AF            UXN MEM/NORMAL
0xffffffc000200000-0xffffffc000800000           6M     ro x  SHD AF        BLK UXN MEM/NORMAL
0xffffffc000800000-0xffffffc0009b8000        1760K     ro x  SHD AF            UXN MEM/NORMAL
0xffffffc0009b8000-0xffffffc000c00000        2336K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc000c00000-0xffffffc008000000         116M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc00c000000-0xffffffc07f000000        1840M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc800000000-0xffffffc840000000           1G     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc840000000-0xffffffc87ae00000         942M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc87ae00000-0xffffffc87ae70000         448K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87af80000-0xffffffc87af8a000          40K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87af8b000-0xffffffc87b000000         468K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87b000000-0xffffffc87fe00000          78M     RW NX SHD AF        BLK UXN MEM/NORMAL
0xffffffc87fe00000-0xffffffc87ff50000        1344K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87ff90000-0xffffffc87ffa0000          64K     RW NX SHD AF            UXN MEM/NORMAL
0xffffffc87fff0000-0xffffffc880000000          64K     RW NX SHD AF            UXN MEM/NORMAL

Inspired by https://lkml.org/lkml/2016/1/19/494 based on work by the
PaX Team, Brad Spengler, and Kees Cook.

Signed-off-by: David Brown <david.brown@linaro.org>
Acked-by: Will Deacon <will.deacon@arm.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
[catalin.marinas@arm.com: removed superfluous __PAGE_ALIGNED_DATA]
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
8 years agoMerge remote-tracking branch 'lsk/linux-linaro-lsk-v4.4-android' into linux-linaro...
Mark Brown [Fri, 18 Mar 2016 09:50:49 +0000 (09:50 +0000)]
Merge remote-tracking branch 'lsk/linux-linaro-lsk-v4.4-android' into linux-linaro-lsk-v4.4-android

8 years agoMerge remote-tracking branch 'lsk/linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4
Mark Brown [Fri, 18 Mar 2016 09:48:58 +0000 (09:48 +0000)]
Merge remote-tracking branch 'lsk/linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4

8 years agoMerge tag 'v4.4.5' into linux-linaro-lsk-v4.4
Mark Brown [Fri, 18 Mar 2016 09:45:54 +0000 (09:45 +0000)]
Merge tag 'v4.4.5' into linux-linaro-lsk-v4.4

This is the 4.4.5 stable release

# gpg: Signature made Wed 09 Mar 2016 23:36:03 GMT using RSA key ID 6092693E
# gpg: Good signature from "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E

8 years agoMerge remote-tracking branch 'lsk/v4.4/topic/ro-vdso' into linux-linaro-lsk-v4.4
Mark Brown [Thu, 17 Mar 2016 18:54:33 +0000 (18:54 +0000)]
Merge remote-tracking branch 'lsk/v4.4/topic/ro-vdso' into linux-linaro-lsk-v4.4

8 years agoARM/vdso: Mark the vDSO code read-only after init
David Brown [Wed, 16 Mar 2016 23:10:28 +0000 (17:10 -0600)]
ARM/vdso: Mark the vDSO code read-only after init

commit 11bf9b865898961cee60a41c483c9f27ec76e12e upstream.

Although the ARM vDSO is cleanly separated by code/data with the code
being read-only in userspace mappings, the code page is still writable
from the kernel.

There have been exploits (such as http://itszn.com/blog/?p=21) that
take advantage of this on x86 to go from a bad kernel write to full
root.

Prevent this specific exploit class on ARM as well by putting the vDSO
code page in post-init read-only memory as well.

Before:
vdso: 1 text pages at base 80927000
root@Vexpress:/ cat /sys/kernel/debug/kernel_page_tables
---[ Modules ]---
---[ Kernel Mapping ]---
0x80000000-0x80100000           1M     RW NX SHD
0x80100000-0x80600000           5M     ro x  SHD
0x80600000-0x80800000           2M     ro NX SHD
0x80800000-0xbe000000         984M     RW NX SHD

After:
vdso: 1 text pages at base 8072b000
root@Vexpress:/ cat /sys/kernel/debug/kernel_page_tables
---[ Modules ]---
---[ Kernel Mapping ]---
0x80000000-0x80100000           1M     RW NX SHD
0x80100000-0x80600000           5M     ro x  SHD
0x80600000-0x80800000           2M     ro NX SHD
0x80800000-0xbe000000         984M     RW NX SHD

Inspired by https://lkml.org/lkml/2016/1/19/494 based on work by the
PaX Team, Brad Spengler, and Kees Cook.

Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brad Spengler <spender@grsecurity.net>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Emese Revfy <re.emese@gmail.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mathias Krause <minipli@googlemail.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Nathan Lynch <nathan_lynch@mentor.com>
Cc: PaX Team <pageexec@freemail.hu>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: kernel-hardening@lists.openwall.com
Cc: linux-arch <linux-arch@vger.kernel.org>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-kernel@vger.kernel.org
Link: http://lkml.kernel.org/r/1455748879-21872-8-git-send-email-keescook@chromium.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
8 years agox86/vdso: Mark the vDSO code read-only after init
Kees Cook [Wed, 16 Mar 2016 23:10:27 +0000 (17:10 -0600)]
x86/vdso: Mark the vDSO code read-only after init

commit 018ef8dcf3de5f62e2cc1a9273cc27e1c6ba8de5 upstream.

The vDSO does not need to be writable after __init, so mark it as
__ro_after_init. The result kills the exploit method of writing to the
vDSO from kernel space resulting in userspace executing the modified code,
as shown here to bypass SMEP restrictions: http://itszn.com/blog/?p=21

The memory map (with added vDSO address reporting) shows the vDSO moving
into read-only memory:

Before:
[    0.143067] vDSO @ ffffffff82004000
[    0.143551] vDSO @ ffffffff82006000
---[ High Kernel Mapping ]---
0xffffffff80000000-0xffffffff81000000      16M                         pmd
0xffffffff81000000-0xffffffff81800000       8M   ro     PSE     GLB x  pmd
0xffffffff81800000-0xffffffff819f3000    1996K   ro             GLB x  pte
0xffffffff819f3000-0xffffffff81a00000      52K   ro                 NX pte
0xffffffff81a00000-0xffffffff81e00000       4M   ro     PSE     GLB NX pmd
0xffffffff81e00000-0xffffffff81e05000      20K   ro             GLB NX pte
0xffffffff81e05000-0xffffffff82000000    2028K   ro                 NX pte
0xffffffff82000000-0xffffffff8214f000    1340K   RW             GLB NX pte
0xffffffff8214f000-0xffffffff82281000    1224K   RW                 NX pte
0xffffffff82281000-0xffffffff82400000    1532K   RW             GLB NX pte
0xffffffff82400000-0xffffffff83200000      14M   RW     PSE     GLB NX pmd
0xffffffff83200000-0xffffffffc0000000     974M                         pmd

After:
[    0.145062] vDSO @ ffffffff81da1000
[    0.146057] vDSO @ ffffffff81da4000
---[ High Kernel Mapping ]---
0xffffffff80000000-0xffffffff81000000      16M                         pmd
0xffffffff81000000-0xffffffff81800000       8M   ro     PSE     GLB x  pmd
0xffffffff81800000-0xffffffff819f3000    1996K   ro             GLB x  pte
0xffffffff819f3000-0xffffffff81a00000      52K   ro                 NX pte
0xffffffff81a00000-0xffffffff81e00000       4M   ro     PSE     GLB NX pmd
0xffffffff81e00000-0xffffffff81e0b000      44K   ro             GLB NX pte
0xffffffff81e0b000-0xffffffff82000000    2004K   ro                 NX pte
0xffffffff82000000-0xffffffff8214c000    1328K   RW             GLB NX pte
0xffffffff8214c000-0xffffffff8227e000    1224K   RW                 NX pte
0xffffffff8227e000-0xffffffff82400000    1544K   RW             GLB NX pte
0xffffffff82400000-0xffffffff83200000      14M   RW     PSE     GLB NX pmd
0xffffffff83200000-0xffffffffc0000000     974M                         pmd

Based on work by PaX Team and Brad Spengler.

Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Andy Lutomirski <luto@kernel.org>
Acked-by: H. Peter Anvin <hpa@linux.intel.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brad Spengler <spender@grsecurity.net>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: David Brown <david.brown@linaro.org>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Emese Revfy <re.emese@gmail.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mathias Krause <minipli@googlemail.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: PaX Team <pageexec@freemail.hu>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: kernel-hardening@lists.openwall.com
Cc: linux-arch <linux-arch@vger.kernel.org>
Link: http://lkml.kernel.org/r/1455748879-21872-7-git-send-email-keescook@chromium.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
8 years agolkdtm: Verify that '__ro_after_init' works correctly
Kees Cook [Wed, 16 Mar 2016 23:10:26 +0000 (17:10 -0600)]
lkdtm: Verify that '__ro_after_init' works correctly

commit 7cca071ccbd2a293ea69168ace6abbcdce53098e upstream.

The new __ro_after_init section should be writable before init, but
not after. Validate that it gets updated at init and can't be written
to afterwards.

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: David Brown <david.brown@linaro.org>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Emese Revfy <re.emese@gmail.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mathias Krause <minipli@googlemail.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: PaX Team <pageexec@freemail.hu>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: kernel-hardening@lists.openwall.com
Cc: linux-arch <linux-arch@vger.kernel.org>
Link: http://lkml.kernel.org/r/1455748879-21872-6-git-send-email-keescook@chromium.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
8 years agoarch: Introduce post-init read-only memory
Kees Cook [Wed, 16 Mar 2016 23:10:25 +0000 (17:10 -0600)]
arch: Introduce post-init read-only memory

commit c74ba8b3480da6ddaea17df2263ec09b869ac496 upstream.

One of the easiest ways to protect the kernel from attack is to reduce
the internal attack surface exposed when a "write" flaw is available. By
making as much of the kernel read-only as possible, we reduce the
attack surface.

Many things are written to only during __init, and never changed
again. These cannot be made "const" since the compiler will do the wrong
thing (we do actually need to write to them). Instead, move these items
into a memory region that will be made read-only during mark_rodata_ro()
which happens after all kernel __init code has finished.

This introduces __ro_after_init as a way to mark such memory, and adds
some documentation about the existing __read_mostly marking.

This improves the security of the Linux kernel by marking formerly
read-write memory regions as read-only on a fully booted up system.

Based on work by PaX Team and Brad Spengler.

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brad Spengler <spender@grsecurity.net>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: David Brown <david.brown@linaro.org>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Emese Revfy <re.emese@gmail.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mathias Krause <minipli@googlemail.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: PaX Team <pageexec@freemail.hu>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: kernel-hardening@lists.openwall.com
Cc: linux-arch <linux-arch@vger.kernel.org>
Link: http://lkml.kernel.org/r/1455748879-21872-5-git-send-email-keescook@chromium.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
8 years agox86/mm: Always enable CONFIG_DEBUG_RODATA and remove the Kconfig option
Kees Cook [Wed, 16 Mar 2016 23:10:24 +0000 (17:10 -0600)]
x86/mm: Always enable CONFIG_DEBUG_RODATA and remove the Kconfig option

commit 9ccaf77cf05915f51231d158abfd5448aedde758 upstream.

This removes the CONFIG_DEBUG_RODATA option and makes it always enabled.

This simplifies the code and also makes it clearer that read-only mapped
memory is just as fundamental a security feature in kernel-space as it is
in user-space.

Suggested-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: David Brown <david.brown@linaro.org>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Emese Revfy <re.emese@gmail.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mathias Krause <minipli@googlemail.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: PaX Team <pageexec@freemail.hu>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: kernel-hardening@lists.openwall.com
Cc: linux-arch <linux-arch@vger.kernel.org>
Link: http://lkml.kernel.org/r/1455748879-21872-4-git-send-email-keescook@chromium.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
8 years agomm/init: Add 'rodata=off' boot cmdline parameter to disable read-only kernel mappings
Kees Cook [Wed, 16 Mar 2016 23:10:23 +0000 (17:10 -0600)]
mm/init: Add 'rodata=off' boot cmdline parameter to disable read-only kernel mappings

commit d2aa1acad22f1bdd0cfa67b3861800e392254454 upstream.

It may be useful to debug writes to the readonly sections of memory,
so provide a cmdline "rodata=off" to allow for this. This can be
expanded in the future to support "log" and "write" modes, but that
will need to be architecture-specific.

This also makes KDB software breakpoints more usable, as read-only
mappings can now be disabled on any kernel.

Suggested-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: David Brown <david.brown@linaro.org>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Emese Revfy <re.emese@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mathias Krause <minipli@googlemail.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: PaX Team <pageexec@freemail.hu>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: kernel-hardening@lists.openwall.com
Cc: linux-arch <linux-arch@vger.kernel.org>
Link: http://lkml.kernel.org/r/1455748879-21872-3-git-send-email-keescook@chromium.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
8 years agoasm-generic: Consolidate mark_rodata_ro()
Kees Cook [Wed, 16 Mar 2016 23:10:22 +0000 (17:10 -0600)]
asm-generic: Consolidate mark_rodata_ro()

commit e267d97b83d9cecc16c54825f9f3ac7f72dc1e1e upstream.

Instead of defining mark_rodata_ro() in each architecture, consolidate it.

Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Will Deacon <will.deacon@arm.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Gross <agross@codeaurora.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Ashok Kumar <ashoks@broadcom.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Borislav Petkov <bp@suse.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: David Brown <david.brown@linaro.org>
Cc: David Hildenbrand <dahi@linux.vnet.ibm.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Emese Revfy <re.emese@gmail.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Helge Deller <deller@gmx.de>
Cc: James E.J. Bottomley <jejb@parisc-linux.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Luis R. Rodriguez <mcgrof@suse.com>
Cc: Marc Zyngier <marc.zyngier@arm.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Mathias Krause <minipli@googlemail.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Nicolas Pitre <nicolas.pitre@linaro.org>
Cc: PaX Team <pageexec@freemail.hu>
Cc: Paul Gortmaker <paul.gortmaker@windriver.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Stephen Boyd <sboyd@codeaurora.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Toshi Kani <toshi.kani@hp.com>
Cc: kernel-hardening@lists.openwall.com
Cc: linux-arch <linux-arch@vger.kernel.org>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-kernel@vger.kernel.org
Cc: linux-parisc@vger.kernel.org
Link: http://lkml.kernel.org/r/1455748879-21872-2-git-send-email-keescook@chromium.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
8 years agoMerge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android
Alex Shi [Thu, 17 Mar 2016 04:51:17 +0000 (12:51 +0800)]
Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android

8 years ago Merge tag 'v4.4.6' into linux-linaro-lsk-v4.4
Alex Shi [Thu, 17 Mar 2016 04:51:14 +0000 (12:51 +0800)]
 Merge tag 'v4.4.6' into linux-linaro-lsk-v4.4

 This is the 4.4.6 stable release

8 years agoLinux 4.4.6
Greg Kroah-Hartman [Wed, 16 Mar 2016 15:43:17 +0000 (08:43 -0700)]
Linux 4.4.6

8 years agold-version: Fix awk regex compile failure
James Hogan [Tue, 8 Mar 2016 16:47:53 +0000 (16:47 +0000)]
ld-version: Fix awk regex compile failure

commit 4b7b1ef2c2f83d702272555e8adb839a50ba0f8e upstream.

The ld-version.sh script fails on some versions of awk with the
following error, resulting in build failures for MIPS:

awk: scripts/ld-version.sh: line 4: regular expression compile failed (missing '(')

This is due to the regular expression ".*)", meant to strip off the
beginning of the ld version string up to the close bracket, however
brackets have a meaning in regular expressions, so lets escape it so
that awk doesn't expect a corresponding open bracket.

Fixes: ccbef1674a15 ("Kbuild, lto: add ld-version and ld-ifversion ...")
Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Tested-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Tested-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk>
Cc: Michal Marek <mmarek@suse.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: linux-mips@linux-mips.org
Cc: linux-kbuild@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/12838/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
8 years agotarget: Drop incorrect ABORT_TASK put for completed commands
Nicholas Bellinger [Sun, 6 Mar 2016 04:00:12 +0000 (20:00 -0800)]
target: Drop incorrect ABORT_TASK put for completed commands

commit 7f54ab5ff52fb0b91569bc69c4a6bc5cac1b768d upstream.

This patch fixes a recent ABORT_TASK regression associated
with commit febe562c, where a left-over target_put_sess_cmd()
would still be called when __target_check_io_state() detected
a command has already been completed, and explicit ABORT must
be avoided.

Note commit febe562c dropped the local kref_get_unless_zero()
check in core_tmr_abort_task(), but did not drop this extra
corresponding target_put_sess_cmd() in the failure path.

So go ahead and drop this now bogus target_put_sess_cmd(),
and avoid this potential use-after-free.

Reported-by: Dan Lane <dracodan@gmail.com>
Cc: Quinn Tran <quinn.tran@qlogic.com>
Cc: Himanshu Madhani <himanshu.madhani@qlogic.com>
Cc: Sagi Grimberg <sagig@mellanox.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Hannes Reinecke <hare@suse.de>
Cc: Andy Grover <agrover@redhat.com>
Cc: Mike Christie <mchristi@redhat.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
8 years agoblock: don't optimize for non-cloned bio in bio_get_last_bvec()
Ming Lei [Sat, 12 Mar 2016 14:56:19 +0000 (22:56 +0800)]
block: don't optimize for non-cloned bio in bio_get_last_bvec()

commit 90d0f0f11588ec692c12f9009089b398be395184 upstream.

For !BIO_CLONED bio, we can use .bi_vcnt safely, but it
doesn't mean we can just simply return .bi_io_vec[.bi_vcnt - 1]
because the start postion may have been moved in the middle of
the bvec, such as splitting in the middle of bvec.

Fixes: 7bcd79ac50d9(block: bio: introduce helpers to get the 1st and last bvec)
Reported-by: Kent Overstreet <kent.overstreet@gmail.com>
Signed-off-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
8 years agoMIPS: smp.c: Fix uninitialised temp_foreign_map
James Hogan [Fri, 4 Mar 2016 10:10:51 +0000 (10:10 +0000)]
MIPS: smp.c: Fix uninitialised temp_foreign_map

commit d825c06bfe8b885b797f917ad47365d0e9c21fbb upstream.

When calculate_cpu_foreign_map() recalculates the cpu_foreign_map
cpumask it uses the local variable temp_foreign_map without initialising
it to zero. Since the calculation only ever sets bits in this cpumask
any existing bits at that memory location will remain set and find their
way into cpu_foreign_map too. This could potentially lead to cache
operations suboptimally doing smp calls to multiple VPEs in the same
core, even though the VPEs share primary caches.

Therefore initialise temp_foreign_map using cpumask_clear() before use.

Fixes: cccf34e9411c ("MIPS: c-r4k: Fix cache flushing for MT cores")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/12759/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
8 years agoMIPS: Fix build error when SMP is used without GIC
Hauke Mehrtens [Sun, 6 Mar 2016 21:28:56 +0000 (22:28 +0100)]
MIPS: Fix build error when SMP is used without GIC

commit 7a50e4688dabb8005df39b2b992d76629b8af8aa upstream.

The MIPS_GIC_IPI should only be selected when MIPS_GIC is also
selected, otherwise it results in a compile error. smp-gic.c uses some
functions from include/linux/irqchip/mips-gic.h like
plat_ipi_call_int_xlate() which are only added to the header file when
MIPS_GIC is set. The Lantiq SoC does not use the GIC, but supports SMP.
The calls top the functions from smp-gic.c are already protected by
some #ifdefs

The first part of this was introduced in commit 72e20142b2bf ("MIPS:
Move GIC IPI functions out of smp-cmp.c")

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Cc: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/12774/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
8 years agoovl: fix getcwd() failure after unsuccessful rmdir
Rui Wang [Fri, 8 Jan 2016 15:09:59 +0000 (23:09 +0800)]
ovl: fix getcwd() failure after unsuccessful rmdir

commit ce9113bbcbf45a57c082d6603b9a9f342be3ef74 upstream.

ovl_remove_upper() should do d_drop() only after it successfully
removes the dir, otherwise a subsequent getcwd() system call will
fail, breaking userspace programs.

This is to fix: https://bugzilla.kernel.org/show_bug.cgi?id=110491

Signed-off-by: Rui Wang <rui.y.wang@intel.com>
Reviewed-by: Konstantin Khlebnikov <koct9i@gmail.com>
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
8 years agoovl: copy new uid/gid into overlayfs runtime inode
Konstantin Khlebnikov [Sun, 31 Jan 2016 13:21:29 +0000 (16:21 +0300)]
ovl: copy new uid/gid into overlayfs runtime inode

commit b81de061fa59f17d2730aabb1b84419ef3913810 upstream.

Overlayfs must update uid/gid after chown, otherwise functions
like inode_owner_or_capable() will check user against stale uid.
Catched by xfstests generic/087, it chowns file and calls utimes.

Signed-off-by: Konstantin Khlebnikov <koct9i@gmail.com>
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
8 years agouserfaultfd: don't block on the last VM updates at exit time
Linus Torvalds [Tue, 1 Mar 2016 19:56:22 +0000 (11:56 -0800)]
userfaultfd: don't block on the last VM updates at exit time

commit 39680f50ae54cbbb6e72ac38b8329dd3eb9105f4 upstream.

The exit path will do some final updates to the VM of an exiting process
to inform others of the fact that the process is going away.

That happens, for example, for robust futex state cleanup, but also if
the parent has asked for a TID update when the process exits (we clear
the child tid field in user space).

However, at the time we do those final VM accesses, we've already
stopped accepting signals, so the usual "stop waiting for userfaults on
signal" code in fs/userfaultfd.c no longer works, and the process can
become an unkillable zombie waiting for something that will never
happen.

To solve this, just make handle_userfault() abort any user fault
handling if we're already in the exit path past the signal handling
state being dead (marked by PF_EXITING).

This VM special case is pretty ugly, and it is possible that we should
look at finalizing signals later (or move the VM final accesses
earlier).  But in the meantime this is a fairly minimally intrusive fix.

Reported-and-tested-by: Dmitry Vyukov <dvyukov@google.com>
Acked-by: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Sedat Dilek <sedat.dilek@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
8 years agopowerpc/powernv: Fix OPAL_CONSOLE_FLUSH prototype and usages
Russell Currey [Wed, 13 Jan 2016 01:04:32 +0000 (12:04 +1100)]
powerpc/powernv: Fix OPAL_CONSOLE_FLUSH prototype and usages

commit c88c5d43732a0356f99e5e4d1ad62ab1ea516b81 upstream.

The recently added OPAL API call, OPAL_CONSOLE_FLUSH, originally took no
parameters and returned nothing.  The call was updated to accept the
terminal number to flush, and returned various values depending on the
state of the output buffer.

The prototype has been updated and its usage in the OPAL kmsg dumper has
been modified to support its new behaviour as an incremental flush.

Signed-off-by: Russell Currey <ruscur@russell.cc>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
8 years agopowerpc/powernv: Add a kmsg_dumper that flushes console output on panic
Russell Currey [Fri, 27 Nov 2015 06:23:07 +0000 (17:23 +1100)]
powerpc/powernv: Add a kmsg_dumper that flushes console output on panic

commit affddff69c55eb68969448f35f59054a370bc7c1 upstream.

On BMC machines, console output is controlled by the OPAL firmware and is
only flushed when its pollers are called.  When the kernel is in a panic
state, it no longer calls these pollers and thus console output does not
completely flush, causing some output from the panic to be lost.

Output is only actually lost when the kernel is configured to not power off
or reboot after panic (i.e. CONFIG_PANIC_TIMEOUT is set to 0) since OPAL
flushes the console buffer as part of its power down routines.  Before this
patch, however, only partial output would be printed during the timeout wait.

This patch adds a new kmsg_dumper which gets called at panic time to ensure
panic output is not lost.  It accomplishes this by calling OPAL_CONSOLE_FLUSH
in the OPAL API, and if that is not available, the pollers are called enough
times to (hopefully) completely flush the buffer.

The flushing mechanism will only affect output printed at and before the
kmsg_dump call in kernel/panic.c:panic().  As such, the "end Kernel panic"
message may still be truncated as follows:

>Call Trace:
>[c000000f1f603b00] [c0000000008e9458] dump_stack+0x90/0xbc (unreliable)
>[c000000f1f603b30] [c0000000008e7e78] panic+0xf8/0x2c4
>[c000000f1f603bc0] [c000000000be4860] mount_block_root+0x288/0x33c
>[c000000f1f603c80] [c000000000be4d14] prepare_namespace+0x1f4/0x254
>[c000000f1f603d00] [c000000000be43e8] kernel_init_freeable+0x318/0x350
>[c000000f1f603dc0] [c00000000000bd74] kernel_init+0x24/0x130
>[c000000f1f603e30] [c0000000000095b0] ret_from_kernel_thread+0x5c/0xac
>---[ end Kernel panic - not

This functionality is implemented as a kmsg_dumper as it seems to be the
most sensible way to introduce platform-specific functionality to the
panic function.

Signed-off-by: Russell Currey <ruscur@russell.cc>
Reviewed-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
8 years agopowerpc: Fix dedotify for binutils >= 2.26
Andreas Schwab [Fri, 5 Feb 2016 18:50:03 +0000 (19:50 +0100)]
powerpc: Fix dedotify for binutils >= 2.26

commit f15838e9cac8f78f0cc506529bb9d3b9fa589c1f upstream.

Since binutils 2.26 BFD is doing suffix merging on STRTAB sections.  But
dedotify modifies the symbol names in place, which can also modify
unrelated symbols with a name that matches a suffix of a dotted name.  To
remove the leading dot of a symbol name we can just increment the pointer
into the STRTAB section instead.

Backport to all stables to avoid breakage when people update their
binutils - mpe.

Signed-off-by: Andreas Schwab <schwab@linux-m68k.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
8 years agoRevert "drm/radeon/pm: adjust display configuration after powerstate"
Alex Deucher [Tue, 8 Mar 2016 16:31:00 +0000 (11:31 -0500)]
Revert "drm/radeon/pm: adjust display configuration after powerstate"

commit d74e766e1916d0e09b86e4b5b9d0f819628fd546 upstream.

This reverts commit 39d4275058baf53e89203407bf3841ff2c74fa32.

This caused a regression on some older hardware.

bug:
https://bugzilla.kernel.org/show_bug.cgi?id=113891

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
8 years agodrm/radeon: Fix error handling in radeon_flip_work_func.
Mario Kleiner [Tue, 1 Mar 2016 20:31:17 +0000 (21:31 +0100)]
drm/radeon: Fix error handling in radeon_flip_work_func.

commit 1e1490a38504419e349caa1b7d55d5c141a9bccb upstream.

This is a port of the patch "drm/amdgpu: Fix error handling in amdgpu_flip_work_func."
to fix the following problem for radeon as well which was
reported against amdgpu:

The patch e1d09dc0ccc6: "drm/amdgpu: Don't hang in
amdgpu_flip_work_func on disabled crtc." from Feb 19, 2016, leads to
the following static checker warning, as reported by Dan Carpenter in
https://lists.freedesktop.org/archives/dri-devel/2016-February/101987.html

drivers/gpu/drm/amd/amdgpu/amdgpu_display.c:127 amdgpu_flip_work_func()     warn: should this be 'repcnt == -1'
drivers/gpu/drm/amd/amdgpu/amdgpu_display.c:136 amdgpu_flip_work_func() error: double unlock 'spin_lock:&crtc->dev->event_lock'
drivers/gpu/drm/amd/amdgpu/amdgpu_display.c:136 amdgpu_flip_work_func() error: double unlock 'irqsave:flags'

This patch fixes both reported problems:

Change post-decrement of repcnt to pre-decrement, so
it can't underflow anymore, but still performs up to
three repetitions - three is the maximum one could
expect in practice.

Move the spin_unlock_irqrestore to where it actually
belongs.

Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
Cc: Michel Dänzer <michel.daenzer@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
8 years agodrm/amdgpu: Fix error handling in amdgpu_flip_work_func.
Mario Kleiner [Tue, 1 Mar 2016 20:31:16 +0000 (21:31 +0100)]
drm/amdgpu: Fix error handling in amdgpu_flip_work_func.

commit 90e94b160c7f647ddffda707f5e3c0c66c170df8 upstream.

The patch e1d09dc0ccc6: "drm/amdgpu: Don't hang in
amdgpu_flip_work_func on disabled crtc." from Feb 19, 2016, leads to
the following static checker warning, as reported by Dan Carpenter in
https://lists.freedesktop.org/archives/dri-devel/2016-February/101987.html

drivers/gpu/drm/amd/amdgpu/amdgpu_display.c:127 amdgpu_flip_work_func() warn: should this be 'repcnt == -1'
drivers/gpu/drm/amd/amdgpu/amdgpu_display.c:136 amdgpu_flip_work_func() error: double unlock 'spin_lock:&crtc->dev->event_lock'
drivers/gpu/drm/amd/amdgpu/amdgpu_display.c:136 amdgpu_flip_work_func() error: double unlock 'irqsave:flags'

This patch fixes both reported problems:

Change post-decrement of repcnt to pre-decrement, so
it can't underflow anymore, but still performs up to
three repetitions - three is the maximum one could
expect in practice.

Move the spin_unlock_irqrestore to where it actually
belongs.

Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
Cc: Michel Dänzer <michel.daenzer@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
8 years agoRevert "drm/radeon: call hpd_irq_event on resume"
Linus Torvalds [Mon, 7 Mar 2016 21:15:09 +0000 (13:15 -0800)]
Revert "drm/radeon: call hpd_irq_event on resume"

commit 256faedcfd646161477d47a1a78c32a562d2e845 upstream.

This reverts commit dbb17a21c131eca94eb31136eee9a7fe5aff00d9.

It turns out that commit can cause problems for systems with multiple
GPUs, and causes X to hang on at least a HP Pavilion dv7 with hybrid
graphics.

This got noticed originally in 4.4.4, where this patch had already
gotten back-ported, but 4.5-rc7 was verified to have the same problem.

Alexander Deucher says:
 "It looks like you have a muxed system so I suspect what's happening is
  that one of the display is being reported as connected for both the
  IGP and the dGPU and then the desktop environment gets confused or
  there some sort problem in the detect functions since the mux is not
  switched to the dGPU.  I don't see an easy fix unless Dave has any
  ideas.  I'd say just revert for now"

Reported-by: Jörg-Volker Peetz <jvpeetz@web.de>
Acked-by: Alexander Deucher <Alexander.Deucher@amd.com>
Cc: Dave Airlie <airlied@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
8 years agox86/mm: Fix slow_virt_to_phys() for X86_PAE again
Dexuan Cui [Thu, 25 Feb 2016 09:58:12 +0000 (01:58 -0800)]
x86/mm: Fix slow_virt_to_phys() for X86_PAE again

commit bf70e5513dfea29c3682e7eb3dbb45f0723bac09 upstream.

"d1cd12108346: x86, pageattr: Prevent overflow in slow_virt_to_phys() for
X86_PAE" was unintentionally removed by the recent "34437e67a672: x86/mm: Fix
slow_virt_to_phys() to handle large PAT bit".

And, the variable 'phys_addr' was defined as "unsigned long" by mistake -- it should
be "phys_addr_t".

As a result, Hyper-V network driver in 32-PAE Linux guest can't work again.

Fixes: commit 34437e67a672: "x86/mm: Fix slow_virt_to_phys() to handle large PAT bit"
Signed-off-by: Dexuan Cui <decui@microsoft.com>
Reviewed-by: Toshi Kani <toshi.kani@hpe.com>
Cc: olaf@aepfle.de
Cc: jasowang@redhat.com
Cc: driverdev-devel@linuxdriverproject.org
Cc: linux-mm@kvack.org
Cc: apw@canonical.com
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: K. Y. Srinivasan <kys@microsoft.com>
Cc: Haiyang Zhang <haiyangz@microsoft.com>
Link: http://lkml.kernel.org/r/1456394292-9030-1-git-send-email-decui@microsoft.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
8 years agogpu: ipu-v3: Do not bail out on missing optional port nodes
Philipp Zabel [Mon, 4 Jan 2016 16:32:26 +0000 (17:32 +0100)]
gpu: ipu-v3: Do not bail out on missing optional port nodes

commit 17e0521750399205f432966e602e125294879cdd upstream.

The port nodes are documented as optional, treat them accordingly.

Reported-by: Martin Fuzzey <mfuzzey@parkeon.com>
Reported-by: Chris Healy <Chris.Healy@zii.aero>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Fixes: 304e6be652e2 ("gpu: ipu-v3: Assign of_node of child platform devices to corresponding ports")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
8 years agomac80211: Fix Public Action frame RX in AP mode
Jouni Malinen [Mon, 29 Feb 2016 22:29:00 +0000 (00:29 +0200)]
mac80211: Fix Public Action frame RX in AP mode

commit 1ec7bae8bec9b72e347e01330c745ab5cdd66f0e upstream.

Public Action frames use special rules for how the BSSID field (Address
3) is set. A wildcard BSSID is used in cases where the transmitter and
recipient are not members of the same BSS. As such, we need to accept
Public Action frames with wildcard BSSID.

Commit db8e17324553 ("mac80211: ignore frames between TDLS peers when
operating as AP") added a rule that drops Action frames to TDLS-peers
based on an Action frame having different DA (Address 1) and BSSID
(Address 3) values. This is not correct since it misses the possibility
of BSSID being a wildcard BSSID in which case the Address 1 would not
necessarily match.

Fix this by allowing mac80211 to accept wildcard BSSID in an Action
frame when in AP mode.

Fixes: db8e17324553 ("mac80211: ignore frames between TDLS peers when operating as AP")
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
8 years agomac80211: check PN correctly for GCMP-encrypted fragmented MPDUs
Johannes Berg [Fri, 26 Feb 2016 21:13:40 +0000 (22:13 +0100)]
mac80211: check PN correctly for GCMP-encrypted fragmented MPDUs

commit 9acc54beb474c81148e2946603d141cf8716b19f upstream.

Just like for CCMP we need to check that for GCMP the fragments
have PNs that increment by one; the spec was updated to fix this
security issue and now has the following text:

The receiver shall discard MSDUs and MMPDUs whose constituent
MPDU PN values are not incrementing in steps of 1.

Adapt the code for CCMP to work for GCMP as well, luckily the
relevant fields already alias each other so no code duplication
is needed (just check the aliasing with BUILD_BUG_ON.)

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
8 years agomac80211: minstrel_ht: fix a logic error in RTS/CTS handling
Felix Fietkau [Wed, 24 Feb 2016 11:07:17 +0000 (12:07 +0100)]
mac80211: minstrel_ht: fix a logic error in RTS/CTS handling

commit c36dd3eaf1a674a45b58b922258d6eaa8932e292 upstream.

RTS/CTS needs to be enabled if the rate is a fallback rate *or* if it's
a dual-stream rate and the sta is in dynamic SMPS mode.

Fixes: a3ebb4e1b763 ("mac80211: minstrel_ht: handle peers in dynamic SMPS")
Reported-by: Matías Richart <mrichart@fing.edu.uy>
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>