JP Abgrall [Wed, 23 Jul 2014 23:55:07 +0000 (16:55 -0700)]
ext4: Add support for FIDTRIM, a best-effort ioctl for deep discard trim
* What
This provides an interface for issuing an FITRIM which uses the
secure discard instead of just a discard.
Only the eMMC command is "secure", and not how the FS uses it:
due to the fact that the FS might reassign a region somewhere else,
the original deleted data will not be affected by the "trim" which only
handles un-used regions.
So we'll just call it "deep discard", and note that this is a
"best effort" cleanup.
* Why
Once in a while, We want to be able to cleanup most of the unused blocks
after erasing a bunch of files.
We don't want to constantly secure-discard via a mount option.
From an eMMC spec perspective, it tells the device to really get rid of
all the data for the specified blocks and not just put them back into the
pool of free ones (unlike the normal TRIM). The eMMC spec says the
secure trim handling must make sure the data (and metadata) is not available
anymore. A simple TRIM doesn't clear the data, it just puts blocks in the
free pool.
JEDEC Standard No. 84-A441
7.6.9 Secure Erase
7.6.10 Secure Trim
From an FS perspective, it is acceptable to leave some data behind.
- directory entries related to deleted files
- databases entries related to deleted files
- small-file data stored in inode extents
- blocks held by the FS waiting to be re-used (mitigated by sync).
- blocks reassigned by the FS prior to FIDTRIM.
Change-Id: I676a1404a80130d93930c84898360f2e6fb2f81e
Signed-off-by: Geremy Condra <gcondra@google.com>
Signed-off-by: JP Abgrall <jpa@google.com>
Anson Jacob [Mon, 23 Jun 2014 11:14:01 +0000 (19:14 +0800)]
usb: gadget: f_audio_source: Fixed USB Audio Class Interface Descriptor
Fixed Android Issue #56549.
When both Vendor Class and Audio Class are activated for AOA 2.0,
the baInterfaceNr of the AudioControl Interface Descriptor points
to wrong interface numbers. They should be pointing to
Audio Control Device and Audio Streaming interfaces.
Replaced baInterfaceNr with the correct value.
Change-Id: Iaa083f3d97c1f0fc9481bf87852b2b51278a6351
Signed-off-by: Anson Jacob <ansonkuzhumbil@gmail.com>
Anson Jacob [Tue, 1 Jul 2014 10:17:20 +0000 (18:17 +0800)]
usb: gadget: f_audio_source: change max ISO packet size
Re-applying from
https://gitorious.org/shr/linux/commit/
eb4c9d2db894c3492c0a848581bd4f6790f93d5f
Most USB-AUDIO devices are limited to 256 byte for max iso buffer size.
If a IN_EP_MAX_PACKET_SIZE is bigger than a USB-AUDIO device's max iso
buffer size, it will cause noise. This patch will prevent this case as
possibe by reducing packet size. When using 44.1khz, 2ch, 16bit audio
data, if max packet size is bigger than 176 bytes, it's no problem.
Credits to: Iliyan Malchev <malchev@google.com>
Change-Id: Ic2a1c19ea65d5fb42bf12926b51b255b465d7215
Signed-off-by: Anson Jacob <ansonkuzhumbil@gmail.com>
Jonathan Hamilton [Thu, 17 Jul 2014 22:54:44 +0000 (15:54 -0700)]
video: adf: Cleanup sw_sync timeline at adf_device_destroy
If a sw_sync timeline was created by ADF (for drivers that do not implement
ops->complete_fence) we should clean it up when the ADF device is
destroyed.
Change-Id: Idd90180fcae56a87111f7d12bdd80190756a6b80
Signed-off-by: Jonathan Hamilton <jonathan.hamilton@imgtec.com>
Kees Cook [Wed, 28 Aug 2013 20:32:01 +0000 (22:32 +0200)]
HID: check for NULL field when setting values
Defensively check that the field to be worked on is not NULL.
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@kernel.org
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Kees Cook [Wed, 28 Aug 2013 20:31:52 +0000 (22:31 +0200)]
HID: picolcd_core: validate output report details
A HID device could send a malicious output report that would cause the
picolcd HID driver to trigger a NULL dereference during attr file writing.
[jkosina@suse.cz: changed
report->maxfield < 1
to
report->maxfield != 1
as suggested by Bruno].
CVE-2013-2899
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@kernel.org
Reviewed-by: Bruno Prémont <bonbons@linux-vserver.org>
Acked-by: Bruno Prémont <bonbons@linux-vserver.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Kees Cook [Wed, 28 Aug 2013 20:31:44 +0000 (22:31 +0200)]
HID: sensor-hub: validate feature report details
A HID device could send a malicious feature report that would cause the
sensor-hub HID driver to read past the end of heap allocation, leaking
kernel memory contents to the caller.
CVE-2013-2898
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@kernel.org
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Benjamin Tissoires [Wed, 11 Sep 2013 19:56:58 +0000 (21:56 +0200)]
HID: multitouch: validate indexes details
When working on report indexes, always validate that they are in bounds.
Without this, a HID device could report a malicious feature report that
could trick the driver into a heap overflow:
[ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
...
[ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
Note that we need to change the indexes from s8 to s16 as they can
be between -1 and 255.
CVE-2013-2897
Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Benjamin Tissoires [Wed, 11 Sep 2013 19:56:57 +0000 (21:56 +0200)]
HID: validate feature and input report details
When dealing with usage_index, be sure to properly use unsigned instead of
int to avoid overflows.
When working on report fields, always validate that their report_counts are
in bounds.
Without this, a HID device could report a malicious feature report that
could trick the driver into a heap overflow:
[ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
...
[ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
CVE-2013-2897
Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Kees Cook [Wed, 28 Aug 2013 20:31:28 +0000 (22:31 +0200)]
HID: ntrig: validate feature report details
A HID device could send a malicious feature report that would cause the
ntrig HID driver to trigger a NULL dereference during initialization:
[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
...
[57383.315193] BUG: unable to handle kernel NULL pointer dereference at
0000000000000030
[57383.315308] IP: [<
ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
CVE-2013-2896
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@kernel.org
Signed-off-by: Rafi Rubin <rafi@seas.upenn.edu>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Kees Cook [Wed, 11 Sep 2013 19:56:56 +0000 (21:56 +0200)]
HID: logitech-dj: validate output report details
A HID device could send a malicious output report that would cause the
logitech-dj HID driver to leak kernel memory contents to the device, or
trigger a NULL dereference during initialization:
[ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
...
[ 304.780467] BUG: unable to handle kernel NULL pointer dereference at
0000000000000028
[ 304.781409] IP: [<
ffffffff815d50aa>] logi_dj_recv_send_report.isra.11+0x1a/0x90
CVE-2013-2895
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Kees Cook [Wed, 11 Sep 2013 19:56:55 +0000 (21:56 +0200)]
HID: lenovo-tpkbd: validate output report details
A HID device could send a malicious output report that would cause the
lenovo-tpkbd HID driver to write just beyond the output report allocation
during initialization, causing a heap overflow:
[ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
...
[ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
CVE-2013-2894
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Kees Cook [Wed, 11 Sep 2013 19:56:54 +0000 (21:56 +0200)]
HID: LG: validate HID output report details
A HID device could send a malicious output report that would cause the
lg, lg3, and lg4 HID drivers to write beyond the output report allocation
during an event, causing a heap overflow:
[ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
...
[ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten
Additionally, while lg2 did correctly validate the report details, it was
cleaned up and shortened.
CVE-2013-2893
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Kees Cook [Wed, 28 Aug 2013 20:30:49 +0000 (22:30 +0200)]
HID: pantherlord: validate output report details
A HID device could send a malicious output report that would cause the
pantherlord HID driver to write beyond the output report allocation
during initialization, causing a heap overflow:
[ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
...
[ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
CVE-2013-2892
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@kernel.org
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Kees Cook [Wed, 11 Sep 2013 19:56:53 +0000 (21:56 +0200)]
HID: steelseries: validate output report details
A HID device could send a malicious output report that would cause the
steelseries HID driver to write beyond the output report allocation
during initialization, causing a heap overflow:
[ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
...
[ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten
CVE-2013-2891
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Kees Cook [Wed, 11 Sep 2013 19:56:51 +0000 (21:56 +0200)]
HID: zeroplus: validate output report details
The zeroplus HID driver was not checking the size of allocated values
in fields it used. A HID device could send a malicious output report
that would cause the driver to write beyond the output report allocation
during initialization, causing a heap overflow:
[ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
...
[ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
CVE-2013-2889
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Kees Cook [Wed, 11 Sep 2013 19:56:50 +0000 (21:56 +0200)]
HID: provide a helper for validating hid reports
Many drivers need to validate the characteristics of their HID report
during initialization to avoid misusing the reports. This adds a common
helper to perform validation of the report exisitng, the field existing,
and the expected number of values within the field.
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Kees Cook [Wed, 28 Aug 2013 20:29:55 +0000 (22:29 +0200)]
HID: validate HID report id size
The "Report ID" field of a HID report is used to build indexes of
reports. The kernel's index of these is limited to 256 entries, so any
malicious device that sets a Report ID greater than 255 will trigger
memory corruption on the host:
[ 1347.156239] BUG: unable to handle kernel paging request at
ffff88094958a878
[ 1347.156261] IP: [<
ffffffff813e4da0>] hid_register_report+0x2a/0x8b
CVE-2013-2888
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@kernel.org
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Anson Jacob [Mon, 23 Jun 2014 11:07:44 +0000 (19:07 +0800)]
usb: gadget: f_accessory: Enabled Zero Length Packet (ZLP) for acc_write
Accessory connected to Android Device requires
Zero Length Packet (ZLP) to be written when data
transferred out from the Android device are multiples
of wMaxPacketSize (64bytes (Full-Speed) / 512bytes (High-Speed))
to end the transfer.
Change-Id: Ib2c2c0ab98ef9afa10e74a720142deca5c0ed476
Signed-off-by: Anson Jacob <ansonkuzhumbil@gmail.com>
Sreeram Ramachandran [Tue, 8 Jul 2014 18:57:14 +0000 (11:57 -0700)]
Handle 'sk' being NULL in UID-based routing.
Bug:
15413527
Change-Id: Iab1fae9da6053b284591628ef1de878761b137b1
Signed-off-by: Sreeram Ramachandran <sreeram@google.com>
Daniel Rosenberg [Fri, 27 Jun 2014 23:39:35 +0000 (16:39 -0700)]
input: Made keyreset more robust
Switched do_restart to run in a seperate workqueue to handle
cases where kernel_restart hangs.
Change-Id: I1ecd61f8d0859f1a86d37c692351d644b5db9c69
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Dmitry Shmidt [Tue, 1 Jul 2014 21:48:15 +0000 (14:48 -0700)]
net: cfg80211: Fix wiphy_vendor_command 'doit' type
Change-Id: I5b1732eed7ac4f6bc267b4baa2153f6de2e16dc8
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Yann Soubeyrand [Wed, 18 Jun 2014 12:57:29 +0000 (14:57 +0200)]
net: wireless: fix misplaced #endif in net/wireless/nl80211.c
The patch "nl80211: cumulative vendor command support patch" introduced
compilation error in file net/wireless/nl80211.c. The nl80211_vendor_mcgrp
variable is defined only if the CONFIG_NL80211_TESTMODE preprocessor constant
is defined. However, this variable is later used wether
CONFIG_NL80211_TESTMODE is defined or not. The cause is a misplaced #endif.
Change-Id: I466488285578d57e6554a1f8ebe71d4f3385ecf2
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Minsung Kim [Wed, 25 Jun 2014 10:44:50 +0000 (19:44 +0900)]
cpufreq: fix sleeping in atomic context when realloc freq_table for all_time_in_state
Commit
40cf2f8 (cpufreq: Persist cpufreq time in state data across hotplug)
causes the following call trace to be spit on boot:
BUG: sleeping function called from invalid context at mm/slub.c:936
in_atomic(): 1, irqs_disabled(): 0, pid: 1, name: swapper/0
CPU: 6 PID: 1 Comm: swapper/0 Not tainted
3.10.9-20140624.172707-eng-gd6c0f69-dirty #50
Backtrace:
[<
c0012270>] (dump_backtrace+0x0/0x10c) from [<
c001256c>] (show_stack+0x18/0x1c)
r6:
ffff1788 r5:
c0c020c0 r4:
e609c000 r3:
00000000
[<
c0012554>] (show_stack+0x0/0x1c) from [<
c07a2970>] (dump_stack+0x20/0x28)
[<
c07a2950>] (dump_stack+0x0/0x28) from [<
c0057678>] (__might_sleep+0x104/0x120)
[<
c0057574>] (__might_sleep+0x0/0x120) from [<
c00ff000>] (__kmalloc_track_caller+0x144/0x274)
r6:
00000000 r5:
e609c000 r4:
e6802140
[<
c00feebc>] (__kmalloc_track_caller+0x0/0x274) from [<
c00da098>] (krealloc+0x58/0xb0)
[<
c00da040>] (krealloc+0x0/0xb0) from [<
c050266c>] (cpufreq_allstats_create+0x120/0x204)
r8:
e4c4ff00 r7:
c0d266b8 r6:
0013d620 r5:
e4c4e600 r4:
00000001
r3:
e535d6d0
[<
c050254c>] (cpufreq_allstats_create+0x0/0x204) from [<
c0502e38>] (cpufreq_stat_notifier_policy+0xb8/0xd0)
[<
c0502d80>] (cpufreq_stat_notifier_policy+0x0/0xd0) from [<
c00517cc>] (notifier_call_chain+0x4c/0x8c)
r5:
00000000 r4:
fffffffe
[<
c0051780>] (notifier_call_chain+0x0/0x8c) from [<
c00519fc>] (__blocking_notifier_call_chain+0x50/0x68)
r8:
c0cd4d00 r7:
00000002 r6:
e609dd7c r5:
ffffffff r4:
c0d25a4c
r3:
ffffffff
[<
c00519ac>] (__blocking_notifier_call_chain+0x0/0x68) from [<
c0051a34>] (blocking_notifier_call_chain+0x20/0x28)
r7:
c0e24f30 r6:
00000000 r5:
e53e1e00 r4:
e609dd7c
[<
c0051a14>] (blocking_notifier_call_chain+0x0/0x28) from [<
c0500fec>] (__cpufreq_set_policy+0xc0/0x1d0)
[<
c0500f2c>] (__cpufreq_set_policy+0x0/0x1d0) from [<
c0501308>] (cpufreq_add_dev_interface+0x20c/0x270)
r7:
00000008 r6:
00000000 r5:
e53e1e00 r4:
e53e1e58
[<
c05010fc>] (cpufreq_add_dev_interface+0x0/0x270) from [<
c05016a8>] (cpufreq_add_dev+0x33c/0x420)
[<
c050136c>] (cpufreq_add_dev+0x0/0x420) from [<
c03604a4>] (subsys_interface_register+0x80/0xbc)
[<
c0360424>] (subsys_interface_register+0x0/0xbc) from [<
c050035c>] (cpufreq_register_driver+0x8c/0x194)
Change-Id: If77a656d0ea60a8fc4083283d104509fa6c07f8f
Signed-off-by: Minsung Kim <ms925.kim@samsung.com>
Dmitry Shmidt [Thu, 26 Jun 2014 16:26:21 +0000 (09:26 -0700)]
net: wireless: Fix cfg80211_vendor_cmd_alloc_reply_skb
Change-Id: Ia8da6cdacd5668d10f8955972d996177305b7228
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Lorenzo Colitti [Mon, 31 Mar 2014 07:23:51 +0000 (16:23 +0900)]
net: core: Support UID-based routing.
This contains the following commits:
1.
cc2f522 net: core: Add a UID range to fib rules.
2.
d7ed2bd net: core: Use the socket UID in routing lookups.
3.
2f9306a net: core: Add a RTA_UID attribute to routes.
This is so that userspace can do per-UID route lookups.
4.
8e46efb net: ipv6: Use the UID in IPv6 PMTUD
IPv4 PMTUD already does this because ipv4_sk_update_pmtu
uses __build_flow_key, which includes the UID.
Bug:
15413527
Change-Id: I81bd31dae655de9cce7d7a1f9a905dc1c2feba7c
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Stephen Smalley [Tue, 23 Jul 2013 21:38:41 +0000 (17:38 -0400)]
SELinux: Enable setting security contexts on rootfs inodes.
rootfs (ramfs) can support setting of security contexts
by userspace due to the vfs fallback behavior of calling
the security module to set the in-core inode state
for security.* attributes when the filesystem does not
provide an xattr handler. No xattr handler required
as the inodes are pinned in memory and have no backing
store.
This is useful in allowing early userspace to label individual
files within a rootfs while still providing a policy-defined
default via genfs.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Dmitry Shmidt [Tue, 24 Jun 2014 20:19:46 +0000 (13:19 -0700)]
net: wireless: Add NL80211_FLAG_NEED_WIPHY flag to vendor command
Change-Id: I52ee3bc8a422c2a4c57cccccccd6ba3e721b4c01
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Dmitry Shmidt [Tue, 24 Jun 2014 16:36:50 +0000 (09:36 -0700)]
net: wireless: Increase scan entry expiration to fit new scan time
Change-Id: I0e23ce45d78d7c17633670973f49943a5ed6032d
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Dmitry Shmidt [Tue, 17 Jun 2014 20:42:34 +0000 (13:42 -0700)]
nl80211: cumulative vendor command support patch
Based on commit
d3fd06d0259232e1362c6d1da136970d26628467
Author: Johannes Berg <johannes.berg@intel.com>
Date: Sat Jan 25 10:17:18 2014 -0800
nl80211: vendor command support
Change-Id: I832eb4da295fe7b2c9bd8ff69ae80fe7bfe30add
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Todd Poynor [Thu, 12 Dec 2013 23:59:09 +0000 (15:59 -0800)]
power: Add property CHARGE_COUNTER_EXT and 64-bit precision properties
Add POWER_SUPPLY_PROP_CHARGE_COUNTER_EXT that stores accumulated charge
in nAh units as a signed 64-bit value.
Add generic support for signed 64-bit property values.
Change-Id: I2bd34b1e95ffba24e7bfef81f398f22bd2aaf05e
Signed-off-by: Todd Poynor <toddpoynor@google.com>
Johannes Berg [Tue, 30 Jul 2013 20:34:28 +0000 (22:34 +0200)]
nl80211: fix another nl80211_fam.attrbuf race
commit
c319d50bfcf678c2857038276d9fab3c6646f3bf upstream.
This is similar to the race Linus had reported, but in this case
it's an older bug: nl80211_prepare_wdev_dump() uses the wiphy
index in cb->args[0] as it is and thus parses the message over
and over again instead of just once because 0 is the first valid
wiphy index. Similar code in nl80211_testmode_dump() correctly
offsets the wiphy_index by 1, do that here as well.
Reported-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ruchi Kandoi [Sat, 14 Jun 2014 00:03:01 +0000 (17:03 -0700)]
prctl: adds the capable(CAP_SYS_NICE) check to PR_SET_TIMERSLACK_PID.
Adds a capable() check to make sure that arbitary apps do not change the
timer slack for other apps.
Bug:
15000427
Change-Id: I558a2551a0e3579c7f7e7aae54b28aa9d982b209
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
Ruchi Kandoi [Sat, 15 Mar 2014 01:27:20 +0000 (18:27 -0700)]
cpufreq: Persist cpufreq time in state data across hotplug
Cpufreq time_in_state data for all CPUs is made persistent across
hotplug and exposed to userspace via sysfs file
/sys/devices/system/cpu/cpufreq/all_time_in_state
Change-Id: I97cb5de24b6de16189bf8b5df9592d0a6e6ddf32
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
Ruchi Kandoi [Fri, 13 Jun 2014 23:24:15 +0000 (16:24 -0700)]
cpufreq: interactive: prevents the frequency to directly raise above the
hispeed_freq from a lower frequency.
When the load was below go_hispeed_load, there is a possibility that
choose_freq() would return a frequency which would be higher than the
hispeed_freq. According to the policy we should first jump to the
hispeed_freq, stay there for above_hispeed_delay and then be allowed to
raise higher than that.
Added a check to prevent the frequency to be directly raised to
something higher than the hispeed_freq.
Change-Id: Icda5d848dd9beadcc18835082ddf269732c75bd0
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
Sherman Yin [Thu, 12 Jun 2014 21:35:38 +0000 (14:35 -0700)]
netfilter: fix seq_printf type mismatch warning
The return type of atomic64_read() varies depending on arch. The
arm64 version is being changed from long long to long in the mainline
for v3.16, causing a seq_printf type mismatch (%llu) in
guid_ctrl_proc_show().
This commit fixes the type mismatch by casting atomic64_read() to u64.
Change-Id: Iae0a6bd4314f5686a9f4fecbe6203e94ec0870de
Signed-off-by: Sherman Yin <shermanyin@gmail.com>
Mohamad Ayyash [Wed, 11 Jun 2014 21:52:38 +0000 (14:52 -0700)]
arm64: Fix correct dtb clean-files location
This Makefile is evaluated in arch/arm64/boot/Makefile which is what
$(obj) is.
Signed-off-by: Mohamad Ayyash <mkayyash@google.com>
Change-Id: I75355f064e249a8db693e06073f5cf395ca29ab6
Thomas Gleixner [Tue, 3 Jun 2014 12:27:08 +0000 (12:27 +0000)]
futex: Make lookup_pi_state more robust
The current implementation of lookup_pi_state has ambigous handling of
the TID value 0 in the user space futex. We can get into the kernel
even if the TID value is 0, because either there is a stale waiters
bit or the owner died bit is set or we are called from the requeue_pi
path or from user space just for fun.
The current code avoids an explicit sanity check for pid = 0 in case
that kernel internal state (waiters) are found for the user space
address. This can lead to state leakage and worse under some
circumstances.
Handle the cases explicit:
Waiter | pi_state | pi->owner | uTID | uODIED | ?
[1] NULL | --- | --- | 0 | 0/1 | Valid
[2] NULL | --- | --- | >0 | 0/1 | Valid
[3] Found | NULL | -- | Any | 0/1 | Invalid
[4] Found | Found | NULL | 0 | 1 | Valid
[5] Found | Found | NULL | >0 | 1 | Invalid
[6] Found | Found | task | 0 | 1 | Valid
[7] Found | Found | NULL | Any | 0 | Invalid
[8] Found | Found | task | ==taskTID | 0/1 | Valid
[9] Found | Found | task | 0 | 0 | Invalid
[10] Found | Found | task | !=taskTID | 0/1 | Invalid
[1] Indicates that the kernel can acquire the futex atomically. We
came came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit.
[2] Valid, if TID does not belong to a kernel thread. If no matching
thread is found then it indicates that the owner TID has died.
[3] Invalid. The waiter is queued on a non PI futex
[4] Valid state after exit_robust_list(), which sets the user space
value to FUTEX_WAITERS | FUTEX_OWNER_DIED.
[5] The user space value got manipulated between exit_robust_list()
and exit_pi_state_list()
[6] Valid state after exit_pi_state_list() which sets the new owner in
the pi_state but cannot access the user space value.
[7] pi_state->owner can only be NULL when the OWNER_DIED bit is set.
[8] Owner and user space value match
[9] There is no transient state which sets the user space TID to 0
except exit_robust_list(), but this is indicated by the
FUTEX_OWNER_DIED bit. See [4]
[10] There is no transient state which leaves owner and user space
TID out of sync.
Backport to 3.13
conflicts: kernel/futex.c
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Will Drewry <wad@chromium.org>
Cc: Darren Hart <dvhart@linux.intel.com>
Cc: stable@vger.kernel.org
Thomas Gleixner [Tue, 3 Jun 2014 12:27:07 +0000 (12:27 +0000)]
futex: Always cleanup owner tid in unlock_pi
If the owner died bit is set at futex_unlock_pi, we currently do not
cleanup the user space futex. So the owner TID of the current owner
(the unlocker) persists. That's observable inconsistant state,
especially when the ownership of the pi state got transferred.
Clean it up unconditionally.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Kees Cook <keescook@chromium.org>
Cc: Will Drewry <wad@chromium.org>
Cc: Darren Hart <dvhart@linux.intel.com>
Cc: stable@vger.kernel.org
Thomas Gleixner [Tue, 3 Jun 2014 12:27:06 +0000 (12:27 +0000)]
futex: Validate atomic acquisition in futex_lock_pi_atomic()
We need to protect the atomic acquisition in the kernel against rogue
user space which sets the user space futex to 0, so the kernel side
acquisition succeeds while there is existing state in the kernel
associated to the real owner.
Verify whether the futex has waiters associated with kernel state. If
it has, return -EINVAL. The state is corrupted already, so no point in
cleaning it up. Subsequent calls will fail as well. Not our problem.
[ tglx: Use futex_top_waiter() and explain why we do not need to try
restoring the already corrupted user space state. ]
Signed-off-by: Darren Hart <dvhart@linux.intel.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Will Drewry <wad@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Thomas Gleixner [Tue, 3 Jun 2014 12:27:06 +0000 (12:27 +0000)]
futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid uaddr == uaddr2 in futex_requeue(..., requeue_pi=1)
If uaddr == uaddr2, then we have broken the rule of only requeueing
from a non-pi futex to a pi futex with this call. If we attempt this,
then dangling pointers may be left for rt_waiter resulting in an
exploitable condition.
This change brings futex_requeue() into line with
futex_wait_requeue_pi() which performs the same check as per commit
6f7b0a2a5 (futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi())
[ tglx: Compare the resulting keys as well, as uaddrs might be
different depending on the mapping ]
Fixes CVE-2014-3153.
Reported-by: Pinkie Pie
Signed-off-by: Will Drewry <wad@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Mark Salyzyn [Fri, 6 Jun 2014 19:06:42 +0000 (12:06 -0700)]
android: base-cfg: disable LOGGER
Bug:
15384806
Change-Id: If8d324ffdb4ebd56e5d68876f8e229547e20eaf4
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Andreas Henriksson [Thu, 7 Nov 2013 17:26:38 +0000 (18:26 +0100)]
net: Fix "ip rule delete table 256"
[ Upstream commit
13eb2ab2d33c57ebddc57437a7d341995fc9138c ]
When trying to delete a table >= 256 using iproute2 the local table
will be deleted.
The table id is specified as a netlink attribute when it needs more then
8 bits and iproute2 then sets the table field to RT_TABLE_UNSPEC (0).
Preconditions to matching the table id in the rule delete code
doesn't seem to take the "table id in netlink attribute" into condition
so the frh_get_table helper function never gets to do its job when
matching against current rule.
Use the helper function twice instead of peaking at the table value directly.
Originally reported at: http://bugs.debian.org/724783
Reported-by: Nicolas HICHER <nhicher@avencall.com>
Signed-off-by: Andreas Henriksson <andreas@fatal.se>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Lorenzo Colitti [Wed, 26 Mar 2014 04:03:12 +0000 (13:03 +0900)]
net: support marking accepting TCP sockets
When using mark-based routing, sockets returned from accept()
may need to be marked differently depending on the incoming
connection request.
This is the case, for example, if different socket marks identify
different networks: a listening socket may want to accept
connections from all networks, but each connection should be
marked with the network that the request came in on, so that
subsequent packets are sent on the correct network.
This patch adds a sysctl to mark TCP sockets based on the fwmark
of the incoming SYN packet. If enabled, and an unmarked socket
receives a SYN, then the SYN packet's fwmark is written to the
connection's inet_request_sock, and later written back to the
accepted socket when the connection is established. If the
socket already has a nonzero mark, then the behaviour is the same
as it is today, i.e., the listening socket's fwmark is used.
Black-box tested using user-mode linux:
- IPv4/IPv6 SYN+ACK, FIN, etc. packets are routed based on the
mark of the incoming SYN packet.
- The socket returned by accept() is marked with the mark of the
incoming SYN packet.
- Tested with syncookies=1 and syncookies=2.
Change-Id: I26bc1eceefd2c588d73b921865ab70e4645ade57
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Lorenzo Colitti [Sat, 10 May 2014 02:56:37 +0000 (11:56 +0900)]
net: Use fwmark reflection in PMTU discovery.
Currently, routing lookups used for Path PMTU Discovery in
absence of a socket or on unmarked sockets use a mark of 0.
This causes PMTUD not to work when using routing based on
netfilter fwmark mangling and fwmark ip rules, such as:
iptables -j MARK --set-mark 17
ip rule add fwmark 17 lookup 100
This patch causes these route lookups to use the fwmark from the
received ICMP error when the fwmark_reflect sysctl is enabled.
This allows the administrator to make PMTUD work by configuring
appropriate fwmark rules to mark the inbound ICMP packets.
Black-box tested using user-mode linux by pointing different
fwmarks at routing tables egressing on different interfaces, and
using iptables mangling to mark packets inbound on each interface
with the interface's fwmark. ICMPv4 and ICMPv6 PMTU discovery
work as expected when mark reflection is enabled and fail when
it is disabled.
Change-Id: Id7fefb7ec1ff7f5142fba43db1960b050e0dfaec
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Lorenzo Colitti [Tue, 18 Mar 2014 11:52:27 +0000 (20:52 +0900)]
net: add a sysctl to reflect the fwmark on replies
Kernel-originated IP packets that have no user socket associated
with them (e.g., ICMP errors and echo replies, TCP RSTs, etc.)
are emitted with a mark of zero. Add a sysctl to make them have
the same mark as the packet they are replying to.
This allows an administrator that wishes to do so to use
mark-based routing, firewalling, etc. for these replies by
marking the original packets inbound.
Tested using user-mode linux:
- ICMP/ICMPv6 echo replies and errors.
- TCP RST packets (IPv4 and IPv6).
Change-Id: I6873d973196797bcf32e2e91976df647c7e8b85a
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Lorenzo Colitti [Wed, 26 Mar 2014 10:35:41 +0000 (19:35 +0900)]
net: ipv6: autoconf routes into per-device tables
Currently, IPv6 router discovery always puts routes into
RT6_TABLE_MAIN. This causes problems for connection managers
that want to support multiple simultaneous network connections
and want control over which one is used by default (e.g., wifi
and wired).
To work around this connection managers typically take the routes
they prefer and copy them to static routes with low metrics in
the main table. This puts the burden on the connection manager
to watch netlink to see if the routes have changed, delete the
routes when their lifetime expires, etc.
Instead, this patch adds a per-interface sysctl to have the
kernel put autoconf routes into different tables. This allows
each interface to have its own autoconf table, and choosing the
default interface (or using different interfaces at the same
time for different types of traffic) can be done using
appropriate ip rules.
The sysctl behaves as follows:
- = 0: default. Put routes into RT6_TABLE_MAIN as before.
- > 0: manual. Put routes into the specified table.
- < 0: automatic. Add the absolute value of the sysctl to the
device's ifindex, and use that table.
The automatic mode is most useful in conjunction with
net.ipv6.conf.default.accept_ra_rt_table. A connection manager
or distribution could set it to, say, -100 on boot, and
thereafter just use IP rules.
Change-Id: I82d16e3737d9cdfa6489e649e247894d0d60cbb1
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Lorenzo Colitti [Thu, 27 Feb 2014 04:38:26 +0000 (13:38 +0900)]
net: ipv6: ping: Use socket mark in routing lookup
Change-Id: I5a61e0f9f22f193c51b1aafd270fb0642a2e0fab
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Peter Hurley [Wed, 14 May 2014 03:07:33 +0000 (20:07 -0700)]
n_tty: Fix n_tty_write crash when echoing in raw mode
commit
4291086b1f081b869c6d79e5b7441633dc3ace00 upstream.
The tty atomic_write_lock does not provide an exclusion guarantee for
the tty driver if the termios settings are LECHO & !OPOST. And since
it is unexpected and not allowed to call TTY buffer helpers like
tty_insert_flip_string concurrently, this may lead to crashes when
concurrect writers call pty_write. In that case the following two
writers:
* the ECHOing from a workqueue and
* pty_write from the process
race and can overflow the corresponding TTY buffer like follows.
If we look into tty_insert_flip_string_fixed_flag, there is:
int space = __tty_buffer_request_room(port, goal, flags);
struct tty_buffer *tb = port->buf.tail;
...
memcpy(char_buf_ptr(tb, tb->used), chars, space);
...
tb->used += space;
so the race of the two can result in something like this:
A B
__tty_buffer_request_room
__tty_buffer_request_room
memcpy(buf(tb->used), ...)
tb->used += space;
memcpy(buf(tb->used), ...) ->BOOM
B's memcpy is past the tty_buffer due to the previous A's tb->used
increment.
Since the N_TTY line discipline input processing can output
concurrently with a tty write, obtain the N_TTY ldisc output_lock to
serialize echo output with normal tty writes. This ensures the tty
buffer helper tty_insert_flip_string is not called concurrently and
everything is fine.
Note that this is nicely reproducible by an ordinary user using
forkpty and some setup around that (raw termios + ECHO). And it is
present in kernels at least after commit
d945cb9cce20ac7143c2de8d88b187f62db99bdc (pty: Rework the pty layer to
use the normal buffering logic) in 2.6.31-rc3.
js: add more info to the commit log
js: switch to bool
js: lock unconditionally
js: lock only the tty->ops->write call
References: CVE-2014-0196
Reported-and-tested-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cherry-picked from
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git
branch: stable/linux-3.10.y
commit:
abb5100737bba3f82b5514350fea89ca361ac66c
Change-Id: I81e79fe209f5c7b25cac35189a44286e5a9ddac0
Signed-off-by: JP Abgrall <jpa@google.com>
Daniel Rosenberg [Wed, 7 May 2014 21:17:47 +0000 (14:17 -0700)]
input: Changed keyreset to act as a wrapper for keycombo.
keyreset now registers a keycombo driver that acts as the old
keyreset driver acted.
Change-Id: I08f5279e3a33b267571b699697f9f54508868983
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Daniel Rosenberg [Wed, 7 May 2014 23:52:10 +0000 (16:52 -0700)]
input: add keycombo, a general key combo driver.
Keycombo lets you provide a key up and key down function, and an
optional time delay for key down. The driver will call the key
down function after the specified key combo has been held for the
speicified time delay. After you release the combo, if the key down
has happened, it calls key up.
Change-Id: I6a9a94e96a8f58fadd908fd1dc7944b9102a089f
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Arve Hjønnevåg [Sat, 3 May 2014 03:31:07 +0000 (20:31 -0700)]
fiq_debugger: Add fiq_watchdog_triggered api
Dumps registers and stacktrace into console-ramoops when called
from a watchdog fiq.
Change-Id: Ib6fab5a52f670db18e64214d5e4890e8292a749c
Signed-off-by: Arve Hjønnevåg <arve@android.com>
Arve Hjønnevåg [Sat, 3 May 2014 03:23:21 +0000 (20:23 -0700)]
pstore/ram: Add ramoops_console_write_buf api
Allow writing into the ramoops console buffer.
Change-Id: Iff0d69b562e4dae33ea7f8d19412227bebb17e47
Signed-off-by: Arve Hjønnevåg <arve@android.com>
Arve Hjønnevåg [Sat, 3 May 2014 02:52:54 +0000 (19:52 -0700)]
fiq_debugger: Call fiq_debugger_printf through a function pointer from cpu specific code
This allows the output from the register and stack trace code to be
sent elsewhere.
Change-Id: I41bb0d5a25e1b9ca55feef5dbd675818b2f832d5
Signed-off-by: Arve Hjønnevåg <arve@android.com>
Greg Hackmann [Tue, 29 Apr 2014 18:18:45 +0000 (11:18 -0700)]
video: adf: fbdev: add stubs for kernels without ADF_FBDEV
Change-Id: I42e087cddc29f6b93749791606e80dbd3e6f59ce
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Greg Hackmann [Tue, 29 Apr 2014 00:00:44 +0000 (17:00 -0700)]
video: adf: memblock: map buffer for dma
Change-Id: I4df13c8b45b57fd0594b5e7bf351a4da33a8cb11
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Stephen Smalley [Tue, 29 Apr 2014 18:29:04 +0000 (11:29 -0700)]
selinux: Report permissive mode in avc: denied messages.
We cannot presently tell from an avc: denied message whether access was in
fact denied or was allowed due to global or per-domain permissive mode.
Add a permissive= field to the avc message to reflect this information.
Change-Id: I78176f8184e01226ece12f0eb38760cdcdc1ff87
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Mathieu Meisser [Fri, 11 Apr 2014 15:42:19 +0000 (17:42 +0200)]
HID: add missing hid usages mappings
Integrate several new definitions (not code) that
add additional hid mappings from the HID HUT 1.12
and approved additional requests.
Additions are taken from the commits in the
linux-input upstream:
f362e69,
2a4d815,
3b5a7ab,
358f247,
701ba53,
d09bbfd,
af8036d,
5820e4d,
a443255
Change-Id: Id0e1cff5828062009b4f94c987ac91f88f14652e
Signed-off-by: Mathieu Meisser <mmeisser@logitech.com>
Signed-off-by: Olivier Gay <ogay@logitech.com>
Wang, Xiaoming [Mon, 14 Apr 2014 16:30:45 +0000 (12:30 -0400)]
net: ipv4: current group_info should be put after using.
Plug a group_info refcount leak in ping_init.
group_info is only needed during initialization and
the code failed to release the reference on exit.
While here move grabbing the reference to a place
where it is actually needed.
Signed-off-by: Chuansheng Liu <chuansheng.liu@intel.com>
Signed-off-by: Zhang Dongxing <dongxing.zhang@intel.com>
Signed-off-by: xiaoming wang <xiaoming.wang@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ruchi Kandoi [Thu, 24 Apr 2014 21:31:57 +0000 (14:31 -0700)]
Power: Changes the permission to read only for sysfs file
/sys/kernel/wakeup_reasons/last_resume_reason
Change-Id: I8ac568a7cb58c31decd379195de517ff3c6f9c65
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
Ruchi Kandoi [Thu, 24 Apr 2014 21:07:53 +0000 (14:07 -0700)]
nf: Remove compilation error caused by
e8430cbed3ef15fdb1ac26cfd020e010aa5f1c35
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
Al Viro [Sat, 24 Aug 2013 16:08:17 +0000 (12:08 -0400)]
cope with potentially long ->d_dname() output for shmem/hugetlb
commit
118b23022512eb2f41ce42db70dc0568d00be4ba upstream.
dynamic_dname() is both too much and too little for those - the
output may be well in excess of 64 bytes dynamic_dname() assumes
to be enough (thanks to ashmem feeding really long names to
shmem_file_setup()) and vsnprintf() is an overkill for those
guys.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: Colin Cross <ccross@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I70970c6125f377048664eb5bde08f3fae29aa348
Alistair Strachan [Mon, 21 Apr 2014 20:09:23 +0000 (13:09 -0700)]
video: adf: use rb_erase in adf_obj_destroy.
Not calling rb_erase() can cause slab corruption, as the rb_first() call
after kfree() in adf_obj_destroy() can return the same node twice unless
it is erased.
This problem was reproduced by unloading a kernel module that used the
adf framework *after* a vsync event was registered. A crash would occur
in rb_first(). (Just loading and immediately unloading the module without
the vsync event worked correctly.)
Change-Id: I9fa7cb5d7519691e38a281439844aa193da13d1b
Signed-off-by: Alistair Strachan <alistair.strachan@imgtec.com>
Cc: Jonathan Hamilton <jonathan.hamilton@imgtec.com>
Cc: Greg Hackmann <ghackmann@google.com>
Ruchi Kandoi [Tue, 25 Mar 2014 23:43:28 +0000 (16:43 -0700)]
nf: IDLETIMER: time-stamp and suspend/resume handling.
Message notifications contains an additional timestamp field in nano seconds.
The expiry time for the timers are modified during suspend/resume.
If timer was supposed to expire while the system is suspended then a
notification is sent when it resumes with the timestamp of the scheduled expiry.
Removes the race condition for multiple work scheduled.
Bug:
13247811
Change-Id: I752c5b00225fe7085482819f975cc0eb5af89bff
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
Ruchi Kandoi [Fri, 18 Apr 2014 21:07:28 +0000 (14:07 -0700)]
prctl: adds PR_SET_TIMERSLACK_PID for setting timer slack of an arbitrary thread.
Second argument is similar to PR_SET_TIMERSLACK, if non-zero then the
slack is set to that value otherwise sets it to the default for the thread.
Takes PID of the thread as the third argument.
This allows power/performance management software to set timer slack for
other threads according to its policy for the thread (such as when the
thread is designated foreground vs. background activity)
Change-Id: I744d451ff4e60dae69f38f53948ff36c51c14a3f
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
Colin Cross [Thu, 7 Mar 2013 03:10:29 +0000 (19:10 -0800)]
of: fix CONFIG_CMDLINE_EXTEND
strlcat takes the size of the buffer, not the number of characters
to concatenate. If the size of the device tree command line p is
larger than the CONFIG_CMDLINE string data, then strcat(data, p, l)
will hit a BUG_ON because strlen(data) > l.
Replace the second strlcat with a strncpy plus a manual null
termination.
Also rearrange the code to reduce indent depth to make it more
readable, and replace data with a char *cmdline to avoid extra
casts.
Signed-off-by: Colin Cross <ccross@android.com>
Colin Cross [Thu, 3 Apr 2014 01:49:39 +0000 (18:49 -0700)]
fiq_debugger: add ARM64 support
Add fiq_debugger_arm64.c that implements the platform-specific
functions.
Change-Id: I4d8b96777bb8503a93d4eb47bbde8e018740a5bf
Signed-off-by: Colin Cross <ccross@android.com>
Colin Cross [Thu, 3 Apr 2014 01:42:13 +0000 (18:42 -0700)]
fiq_debugger: split arm support into fiq_debugger_arm.c
Split arm support into a separate .c file that is only built for
CONFIG_ARM.
Change-Id: Iba16f4d51608bf9c3e5c8acefefcd38fead9797c
Signed-off-by: Colin Cross <ccross@android.com>
Colin Cross [Sat, 5 Apr 2014 00:05:19 +0000 (17:05 -0700)]
fiq_debugger: use pt_regs for registers
IRQ mode already passes in a struct pt_regs from get_irq_regs().
FIQ mode passes in something similar but not identical to a
struct pt_regs - FIQ mode stores the spsr of the interrupted mode
in slot 17, while pt_regs expects orig_r0.
Replace the existing mixture of void *regs, unsigned *regs, and
struct pt_regs * const with const struct pt_regs *. Modify
dump_regs not to print the spsr since it won't be there in a
struct pt_regs anyways. Modify dump_allregs to highlight the
mode that was interrupted, making spsr easy to find there.
Change-Id: Ibfe1723d702306c7605fd071737d7be9ee9d8c12
Signed-off-by: Colin Cross <ccross@android.com>
Colin Cross [Thu, 3 Apr 2014 01:37:29 +0000 (18:37 -0700)]
fiq_debugger: allow compiling without CONFIG_FIQ_GLUE
Allow compiling fiq_debugger.c without CONFIG_FIQ_GLUE for
platforms that don't support FIQs.
Change-Id: Iabdfd790d24fa9d47b29d2f850c567af2dcad78f
Signed-off-by: Colin Cross <ccross@android.com>
Colin Cross [Sat, 5 Apr 2014 05:58:23 +0000 (22:58 -0700)]
fiq_debugger: rename debug->fiq_debugger
Rename variables and functions in the global namespace to avoid
future collisions.
Change-Id: Ic23a304b0f794efc94cc6d086fddd63231d99c98
Signed-off-by: Colin Cross <ccross@android.com>
Colin Cross [Thu, 3 Apr 2014 01:30:04 +0000 (18:30 -0700)]
fiq_debugger: move into drivers/staging/android/fiq_debugger/
Move fiq_debugger into drivers/staging/android/fiq_debugger/ to
allow for sharing between ARM and ARM64.
Change-Id: I6ca5e8b7e3d000f57da3234260261c5592cef2a8
Signed-off-by: Colin Cross <ccross@android.com>
Ruchi Kandoi [Wed, 9 Apr 2014 23:47:59 +0000 (16:47 -0700)]
cpufreq: interactive: remove compilation error from commit
49cc72365fb7ee87762a7ccc6a32ef68627216c5
Change-Id: I068b18281d03ac879ef64d8ff36ed43367293767
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
Ruchi Kandoi [Thu, 3 Apr 2014 22:39:23 +0000 (15:39 -0700)]
cpufreq: interactive: turn boost_pulse off on boost off
Change-Id: I36fe217fa047d68ea90e78b12c7db4537ea8010b
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
Badhri Jagan Sridharan [Tue, 8 Apr 2014 01:26:30 +0000 (18:26 -0700)]
cpufreq: interactive: restructure CPUFREQ_GOV_LIMITS
The cpufreq_interactive_timer gets cancelled and rescheduled
whenever the cpufreq_policy is changed. When the cpufreq policy is
changed at a rate faster than the sampling_rate of the interactive
governor, then the governor misses to change the target frequency
for long duration. The patch removes the need of cancelling the
timers when policy->min is changed.
Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
Change-Id: Ibd98d151e1c73b8bd969484583ff98ee9f1135ef
Greg Hackmann [Tue, 8 Apr 2014 20:07:29 +0000 (13:07 -0700)]
video: adf: adf_memblock_export symbol should be exported
Change-Id: I228db28da885b47b6fa9fc7e4001663797d24f49
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Greg Hackmann [Tue, 8 Apr 2014 19:36:41 +0000 (12:36 -0700)]
video: adf: add buffer padding quirk
Quirks specify common behaviors that vary slightly among devices, and
which ADF must account for.
The buffer padding quirk captures the way different devices fetch the
last scanline in a buffer: some devices fetch an entire line (including
padding to the pitch) while others only fetch up to the visible width.
ADF's buffer size validation now takes this quirk into account.
Change-Id: I828b13316e27621d8a9efd9d5fffa6ce12a525ff
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Greg Hackmann [Tue, 8 Apr 2014 19:25:12 +0000 (12:25 -0700)]
video: adf: document adf_format_validate_yuv's origin
Change-Id: I929045a96a56bdb2c915be92b8ef11b560f3ab79
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Colin Cross [Thu, 3 Apr 2014 01:02:15 +0000 (18:02 -0700)]
ARM64: copy CONFIG_CMDLINE_EXTEND from ARM
Copy the config choice for CONFIG_CMDLINE_EXTEND from
arch/arm/Kconfig, including CONFIG_CMDLINE_FROM_BOOTLOADER
as the default. These will be used by drivers/of/fdt.c.
Change-Id: I8416038498ddf8fc1e99ab06109825eb1492aa7f
Signed-off-by: Colin Cross <ccross@android.com>
Doug Anderson [Fri, 3 Feb 2012 06:58:28 +0000 (22:58 -0800)]
of: Support CONFIG_CMDLINE_EXTEND config option
The old logic assumes CMDLINE_FROM_BOOTLOADER vs. CMDLINE_FORCE and
ignores CMDLINE_EXTEND. Here's the old logic:
- CONFIG_CMDLINE_FORCE=true
CONFIG_CMDLINE
- dt bootargs=non-empty:
dt bootargs
- dt bootargs=empty, @data is non-empty string
@data is left unchanged
- dt bootargs=empty, @data is empty string
CONFIG_CMDLINE (or "" if that's not defined)
The new logic is now documented in of_fdt.h and is copied here for
reference:
- CONFIG_CMDLINE_FORCE=true
CONFIG_CMDLINE
- CONFIG_CMDLINE_EXTEND=true, @data is non-empty string
@data + dt bootargs (even if dt bootargs are empty)
- CONFIG_CMDLINE_EXTEND=true, @data is empty string
CONFIG_CMDLINE + dt bootargs (even if dt bootargs are empty)
- CMDLINE_FROM_BOOTLOADER=true, dt bootargs=non-empty:
dt bootargs
- CMDLINE_FROM_BOOTLOADER=true, dt bootargs=empty, @data is non-empty string
@data is left unchanged
- CMDLINE_FROM_BOOTLOADER=true, dt bootargs=empty, @data is empty string
CONFIG_CMDLINE (or "" if that's not defined)
Signed-off-by: Doug Anderson <dianders@chromium.org>
CC: devicetree-discuss@lists.ozlabs.org
CC: Grant Likely <grant.likely@secretlab.ca>
CC: Benjamin Herrenschmidt <benh@kernel.crashing.org>
CC: Rob Herring <rob.herring@calxeda.com>
Change-Id: I40ace250847f813358125dfcaa8998fd32cf7ea3
Signed-off-by: Colin Cross <ccross@android.com>
Greg Hackmann [Wed, 26 Mar 2014 23:43:23 +0000 (16:43 -0700)]
video: adf: ensure consistent alignment on userspace facing structs
64-bit types in structs create alignment problems when a 32-bit x86
userspace talks to an x86_64 kernel. In most cases the 64-bit types can
be replaced with 32-bit ones, since they're being used for fds and
should have been __s32 in the first place. For adf_vsync_event,
alignment can be enforced by making the timestamp an __aligned_u64.
Change-Id: I87cf73d8f57730bd7bb43ffce6b7b411eb0ff198
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Greg Hackmann [Mon, 24 Mar 2014 23:45:43 +0000 (16:45 -0700)]
video: adf: replace fbdev helper's open flag with refcount
A device's fb_info is shared between clients. fb_release() is called
when each client is released, not just the last one. Since the fbdev
helper needs to release its dma-buf when the last client goes away, it
must keep its own reference count.
fbmem and fbcon hold different locks while calling fb_release(), so
explicit locking is needed.
Change-Id: I42cd659f7633adba7c11f407d4b594bd43305d6a
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Alex Ray [Mon, 17 Mar 2014 20:44:01 +0000 (13:44 -0700)]
ARM64: add option to build Image.gz/dtb combo
Allows a defconfig to set a list of dtbs to concatenate with an
Image.gz to create a Image.gz-dtb.
Change-Id: I0dc3935e57f01b517aa64eda0c27b0101e9ea3b2
Signed-off-by: Alex Ray <aray@google.com>
Masanari Iida [Sun, 23 Jun 2013 14:47:15 +0000 (23:47 +0900)]
staging: android: Fix typo in staging/android
Fix "with with" in debug message.
Issue: ABIT-21
Change-Id: Icd0b195524f4c77272276991a1e8a00aecef65c9
Signed-off-by: Masanari Iida <standby24x7@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Qiming Shi <qiming.shi@intel.com>
Signed-off-by: Jun Tian <jun.j.tian@intel.com>
Alistair Strachan [Tue, 11 Mar 2014 00:00:25 +0000 (17:00 -0700)]
video: adf: export the adf_attachment_allow symbol to modules.
There are no in-tree users of adf_attachment_allow, but out-of-tree
modules want to use it. It looks like this function should be
EXPORT_SYMBOL.
Change-Id: Iad522dc5d32ac09fec6483bbc317db8ecae12e97
Signed-off-by: Alistair Strachan <alistair.strachan@imgtec.com>
Greg Hackmann [Mon, 10 Mar 2014 21:21:30 +0000 (14:21 -0700)]
power: wakeup_reason: rename irq_count to irqcount
On x86, irq_count conflicts with a declaration in
arch/x86/include/asm/processor.h
Change-Id: I3e4fde0ff64ef59ff5ed2adc0ea3a644641ee0b7
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Ruchi Kandoi [Fri, 7 Mar 2014 20:54:30 +0000 (12:54 -0800)]
Power: Add guard condition for maximum wakeup reasons
Ensure the array for the wakeup reason IRQs does not overflow.
Change-Id: Iddc57a3aeb1888f39d4e7b004164611803a4d37c
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
(cherry picked from commit
b5ea40cdfcf38296535f931a7e5e7bf47b6fad7f)
JP Abgrall [Fri, 28 Feb 2014 03:38:14 +0000 (19:38 -0800)]
android: base-cfg: enable DM_VERITY (used for secureboot)
Change-Id: I68d769f97ffa76bb45e65d34a96dd7f558c02d08
Signed-off-by: JP Abgrall <jpa@google.com>
Mark Hambleton [Tue, 3 Dec 2013 19:19:12 +0000 (19:19 +0000)]
arm64: cmpxchg: update macros to prevent warnings
Make sure the value we are going to return is referenced in order to
avoid warnings from newer GCCs such as:
arch/arm64/include/asm/cmpxchg.h:162:3: warning: value computed is not used [-Wunused-value]
((__typeof__(*(ptr)))__cmpxchg_mb((ptr), \
^
net/netfilter/nf_conntrack_core.c:674:2: note: in expansion of macro ‘cmpxchg’
cmpxchg(&nf_conntrack_hash_rnd, 0, rand);
[Modified to use the current underlying implementation as current
mainline for both cmpxchg() and cmpxchg_local() does -- broonie]
Signed-off-by: Mark Hambleton <mahamble@broadcom.com>
Signed-off-by: Mark Brown <broonie@linaro.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Greg Hackmann [Mon, 24 Feb 2014 18:19:13 +0000 (10:19 -0800)]
drivers: usb: gadget: 64-bit related type fixes
Change-Id: I2f9b12e1e0cdfe64ffe20db78d319a6221821184
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Greg Hackmann [Mon, 24 Feb 2014 17:39:46 +0000 (09:39 -0800)]
netfilter: xt_qtaguid: 64-bit warning fixes
Change-Id: I2adc517c0c51050ed601992fa0ea4de8f1449414
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Arve Hjønnevåg [Fri, 14 Feb 2014 04:25:06 +0000 (20:25 -0800)]
Staging: android: binder: More offset validation.
Make sure offsets don't point to overlapping flat_binder_object
structs.
Change-Id: I425ab0c46fbe2b00ed679c5becf9e8140395eb40
Signed-off-by: Arve Hjønnevåg <arve@android.com>
Ruchi Kandoi [Fri, 21 Feb 2014 03:47:38 +0000 (19:47 -0800)]
POWER: fix compile warnings in log_wakeup_reason
Change I81addaf420f1338255c5d0638b0d244a99d777d1 introduced compile
warnings, fix these.
Change-Id: I05482a5335599ab96c0a088a7d175c8d4cf1cf69
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
Ruchi Kandoi [Wed, 19 Feb 2014 23:30:47 +0000 (15:30 -0800)]
Power: add an API to log wakeup reasons
Add API log_wakeup_reason() and expose it to userspace via sysfs path
/sys/kernel/wakeup_reasons/last_resume_reason
Change-Id: I81addaf420f1338255c5d0638b0d244a99d777d1
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
Rom Lemarchand [Thu, 20 Feb 2014 02:01:37 +0000 (18:01 -0800)]
android: configs: add systrace support to recommended configs
Change-Id: I4a6e88f47803e88b0ce2d913be4aeb299ca858b4
Signed-off-by: Rom Lemarchand <romlem@android.com>
Greg Hackmann [Fri, 14 Feb 2014 23:35:38 +0000 (15:35 -0800)]
video: adf: use %zu when printing size_t
Change-Id: I9cf7ebc368bad0a83db9e5aa370feadf117b21c0
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Greg Hackmann [Fri, 14 Feb 2014 23:38:49 +0000 (15:38 -0800)]
video: adf: fix compat ioctls calling ioctl with wrong cmd
Change-Id: Icdbac3edd123b3114103dc138a60e6955006cda4
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Greg Hackmann [Fri, 14 Feb 2014 23:39:52 +0000 (15:39 -0800)]
video: adf: use ADF_IOCTL_TYPE in compat ioctl definitions
Change-Id: I7451a282d9d972c9957568b366c164b67b4b47e8
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Arve Hjønnevåg [Sat, 8 Feb 2014 01:46:21 +0000 (17:46 -0800)]
Staging: android: binder: Fix death notifications
The change (
008fa749e0fe5b2fffd20b7fe4891bb80d072c6a) that moved the
node release code to a separate function broke death notifications in
some cases. When it encountered a reference without a death
notification request, it would skip looking at the remaining
references, and therefore fail to send death notifications for them.
Change-Id: I12083a50709ccc30ba11a5f4d9eeb5f0ff4471c6
Signed-off-by: Arve Hjønnevåg <arve@android.com>
keunyoung [Wed, 29 Jan 2014 20:41:50 +0000 (12:41 -0800)]
fix false disconnect due to a signal sent to the reading process
- In the current implementation, when a signal is sent to the reading process,
read is cancelled by calling usb_ep_dequeue, which lead into calling
acc_complete_out with ECONNRESET, but the current logic treats it as
disconnection, which makes the device inaccessible until cable is actually
disconnected.
- The fix calls disconnect only when ESHUTDOWN error is passed.
- If data has already arrived while trying cancelling, the data is marked
as available, and it will be read out on the next read. This is necessary
as USB bulk is assumed to guarantee no data loss.
Signed-off-by: keunyoung <keunyoung@google.com>