firefly-linux-kernel-4.4.55.git
9 years agoipv4, fib: pass LOOPBACK_IFINDEX instead of 0 to flowi4_iif
Cong Wang [Tue, 15 Apr 2014 23:25:34 +0000 (16:25 -0700)]
ipv4, fib: pass LOOPBACK_IFINDEX instead of 0 to flowi4_iif

As suggested by Julian:

Simply, flowi4_iif must not contain 0, it does not
look logical to ignore all ip rules with specified iif.

because in fib_rule_match() we do:

        if (rule->iifindex && (rule->iifindex != fl->flowi_iif))
                goto out;

flowi4_iif should be LOOPBACK_IFINDEX by default.

We need to move LOOPBACK_IFINDEX to include/net/flow.h:

1) It is mostly used by flowi_iif

2) Fix the following compile error if we use it in flow.h
by the patches latter:

In file included from include/linux/netfilter.h:277:0,
                 from include/net/netns/netfilter.h:5,
                 from include/net/net_namespace.h:21,
                 from include/linux/netdevice.h:43,
                 from include/linux/icmpv6.h:12,
                 from include/linux/ipv6.h:61,
                 from include/net/ipv6.h:16,
                 from include/linux/sunrpc/clnt.h:27,
                 from include/linux/nfs_fs.h:30,
                 from init/do_mounts.c:32:
include/net/flow.h: In function ‘flowi4_init_output’:
include/net/flow.h:84:32: error: ‘LOOPBACK_IFINDEX’ undeclared (first use in this function)

[Backport of net-next 6a662719c9868b3d6c7d26b3a085f0cd3cc15e64]

Change-Id: Ib7a0a08d78c03800488afa1b2c170cb70e34cfd9
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: Julian Anastasov <ja@ssi.bg>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Cong Wang <cwang@twopensource.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
9 years agoum: remove dead code
Richard Weinberger [Fri, 19 Jul 2013 09:35:32 +0000 (11:35 +0200)]
um: remove dead code

"me" is not used.

[cherry-pick of upstream 9e82d450531c79b18ab18c9b9645cdd9db31ee98]

Change-Id: Ifc3550184931dddf8feebd6c3137e60b97f6a0f1
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
9 years agoum: siginfo cleanup
Richard Weinberger [Fri, 19 Jul 2013 09:31:36 +0000 (11:31 +0200)]
um: siginfo cleanup

Currently we use both struct siginfo and siginfo_t.
Let's use struct siginfo internally to avoid ongoing
compiler warning. We are allowed to do so because
struct siginfo and siginfo_t are equivalent.

[cherry-pick of upstream 9a8c1359571c5d5e2fbc43cf457a6486b70a70cb]

Change-Id: I564775c9ed515c39ffff7d7d600a85d50291f31d
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
9 years agonet: ipv6: make "ip -6 route get mark xyz" work.
Lorenzo Colitti [Thu, 15 May 2014 23:38:41 +0000 (16:38 -0700)]
net: ipv6: make "ip -6 route get mark xyz" work.

Currently, "ip -6 route get mark xyz" ignores the mark passed in
by userspace. Make it honour the mark, just like IPv4 does.

[net-next commit 2e47b291953c35afa4e20a65475954c1a1b9afe1]

Change-Id: Ief6cd1e1b7e43dc0d008b7e692be62cadc5cc7ca
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agoandroid: base-cfg: turn off /dev/mem and /dev/kmem
Mark Salyzyn [Mon, 2 Mar 2015 17:04:10 +0000 (09:04 -0800)]
android: base-cfg: turn off /dev/mem and /dev/kmem

Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 19549480
Change-Id: Icd43da8712efab46aa70590311c0fb170a9e124c

9 years agokbuild: make it possible to specify the module output dir
Rom Lemarchand [Fri, 6 Feb 2015 00:07:59 +0000 (16:07 -0800)]
kbuild: make it possible to specify the module output dir

Make modinst_dir user-defined on the command line.

This allows to do things like:
make MODLIB=output/ modinst_dir=. modules_install

to ensure all the .ko are in the output/ directory.

Change-Id: I2bc007eea27ee744d35289e26e4a8ac43ba04151
Signed-off-by: Rom Lemarchand <romlem@android.com>
(cherry picked from commit ae7f28e5aa168a008c153ccff7cc437066d016c3)

9 years agoxt_qtaguid: Use sk_callback_lock read locks before reading sk->sk_socket
Mohamad Ayyash [Wed, 14 Jan 2015 03:20:44 +0000 (19:20 -0800)]
xt_qtaguid: Use sk_callback_lock read locks before reading sk->sk_socket

It prevents a kernel panic when accessing sk->sk_socket fields due to NULLing sk->sk_socket when sock_orphan is called through
sk_common_release.

Change-Id: I4aa46b4e2d8600e4d4ef8dcdd363aa4e6e5f8433
Signed-off-by: Mohamad Ayyash <mkayyash@google.com>
(cherry picked from commit cdea0ebcb8bcfe57688f6cb692b49e550ebd9796)

9 years agoipv6: clean up anycast when an interface is destroyed
Sabrina Dubroca [Wed, 10 Sep 2014 21:23:02 +0000 (23:23 +0200)]
ipv6: clean up anycast when an interface is destroyed

If we try to rmmod the driver for an interface while sockets with
setsockopt(JOIN_ANYCAST) are alive, some refcounts aren't cleaned up
and we get stuck on:

  unregister_netdevice: waiting for ens3 to become free. Usage count = 1

If we LEAVE_ANYCAST/close everything before rmmod'ing, there is no
problem.

We need to perform a cleanup similar to the one for multicast in
addrconf_ifdown(how == 1).

BUG: 18902601
Change-Id: I6d51aed5755eb5738fcba91950e7773a1c985d2e
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agousb: gadget: check for accessory device before disconnecting HIDs
Amit Pundir [Fri, 16 Jan 2015 00:11:10 +0000 (05:41 +0530)]
usb: gadget: check for accessory device before disconnecting HIDs

While disabling ConfigFS Android gadget, android_disconnect() calls
kill_all_hid_devices(), if CONFIG_USB_CONFIGFS_F_ACC is enabled, to free
the registered HIDs without checking whether the USB accessory device
really exist or not. If USB accessory device doesn't exist then we run into
following kernel panic:
----8<----
[  136.724761] Unable to handle kernel NULL pointer dereference at virtual address 00000064
[  136.724809] pgd = c0204000
[  136.731924] [00000064] *pgd=00000000
[  136.737830] Internal error: Oops: 5 [#1] SMP ARM
[  136.738108] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 3.18.0-rc4-00400-gf75300e-dirty #76
[  136.742788] task: c0fb19d8 ti: c0fa4000 task.ti: c0fa4000
[  136.750890] PC is at _raw_spin_lock_irqsave+0x24/0x60
[  136.756246] LR is at kill_all_hid_devices+0x24/0x114
---->8----

This patch adds a test to check if USB Accessory device exists before freeing HIDs.

Change-Id: Ie229feaf0de3f4f7a151fcaa9a994e34e15ff73b
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
(cherry picked from commit 32a71bce154cb89a549b9b7d28e8cf03b889d849)

9 years agostaging: android: ashmem: add missing include
Rom Lemarchand [Sat, 24 Jan 2015 23:08:42 +0000 (15:08 -0800)]
staging: android: ashmem: add missing include

Include <linux/types.h> into ashmem.h to ensure referenced types are defined

Signed-off-by: Rom Lemarchand <romlem@android.com>
Change-Id: Iac18ed86dd47296d02a269607b1514724aaa9958

9 years agousb: gadget: android: Save/restore ep0 completion function
Jack Pham [Wed, 19 Feb 2014 06:16:19 +0000 (22:16 -0800)]
usb: gadget: android: Save/restore ep0 completion function

The android_setup() function currently gives the f_accessory
setup function first opportunity to handle control requests
in order to support Android Open Accessory (AOA) hosts. That
function makes use of cdev->req and overrides its completion
function, but not in all cases. Thus, if a later request uses
the same request pointer but doesn't (re)set req->complete it
could result in the wrong completion function being called and
causing invalid memory access.

One way to fix this would be to explicitly set req->complete in
all cases but that might require auditing all function drivers
that have ep0 handling. Instead, note that the composite device
had already initially set cdev->req->complete and simply cache
and restore that pointer at the start of android_setup().

Change-Id: I33bcd17bd20687a349d537d1013b52a2afef6996
Signed-off-by: Jack Pham <jackp@codeaurora.org>
9 years agoselinux: Remove obsolete selinux_audit_data initialization.
Stephen Smalley [Wed, 21 Jan 2015 18:59:39 +0000 (13:59 -0500)]
selinux: Remove obsolete selinux_audit_data initialization.

Commit 899838b25f063a94594b1df6e0100aea1ec57fac eliminated the need
to initialize selinux_audit_data except in the slow path, when it is
handled by slow_avc_audit().  That commit removed all other initializations
of selinux_audit_data but this one remained since the binder security
hooks are not yet upstream (posted them to linux-kernel today).

Change-Id: I735e4500cde23275686cb3208068cbf8dd7bccd7
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
9 years agoselinux: make the netif cache namespace aware
Paul Moore [Wed, 10 Sep 2014 21:09:57 +0000 (17:09 -0400)]
selinux: make the netif cache namespace aware

While SELinux largely ignores namespaces, for good reason, there are
some places where it needs to at least be aware of namespaces in order
to function correctly.  Network namespaces are one example.  Basic
awareness of network namespaces are necessary in order to match a
network interface's index number to an actual network device.

This patch corrects a problem with network interfaces added to a
non-init namespace, and can be reproduced with the following commands:

 [NOTE: the NetLabel configuration is here only to active the dynamic
        networking controls ]

 # netlabelctl unlbl add default address:0.0.0.0/0 \
   label:system_u:object_r:unlabeled_t:s0
 # netlabelctl unlbl add default address:::/0 \
   label:system_u:object_r:unlabeled_t:s0
 # netlabelctl cipsov4 add pass doi:100 tags:1
 # netlabelctl map add domain:lspp_test_netlabel_t \
   protocol:cipsov4,100

 # ip link add type veth
 # ip netns add myns
 # ip link set veth1 netns myns
 # ip a add dev veth0 10.250.13.100/24
 # ip netns exec myns ip a add dev veth1 10.250.13.101/24
 # ip l set veth0 up
 # ip netns exec myns ip l set veth1 up

 # ping -c 1 10.250.13.101
 # ip netns exec myns ping -c 1 10.250.13.100

Reported-by: Jiri Jaburek <jjaburek@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
9 years agoselinux: correctly label /proc inodes in use before the policy is loaded
Paul Moore [Wed, 19 Mar 2014 20:46:18 +0000 (16:46 -0400)]
selinux: correctly label /proc inodes in use before the policy is loaded

commit f64410ec665479d7b4b77b7519e814253ed0f686 upstream.

This patch is based on an earlier patch by Eric Paris, he describes
the problem below:

  "If an inode is accessed before policy load it will get placed on a
   list of inodes to be initialized after policy load.  After policy
   load we call inode_doinit() which calls inode_doinit_with_dentry()
   on all inodes accessed before policy load.  In the case of inodes
   in procfs that means we'll end up at the bottom where it does:

     /* Default to the fs superblock SID. */
     isec->sid = sbsec->sid;

     if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
             if (opt_dentry) {
                     isec->sclass = inode_mode_to_security_class(...)
                     rc = selinux_proc_get_sid(opt_dentry,
                                               isec->sclass,
                                               &sid);
                     if (rc)
                             goto out_unlock;
                     isec->sid = sid;
             }
     }

   Since opt_dentry is null, we'll never call selinux_proc_get_sid()
   and will leave the inode labeled with the label on the superblock.
   I believe a fix would be to mimic the behavior of xattrs.  Look
   for an alias of the inode.  If it can't be found, just leave the
   inode uninitialized (and pick it up later) if it can be found, we
   should be able to call selinux_proc_get_sid() ..."

On a system exhibiting this problem, you will notice a lot of files in
/proc with the generic "proc_t" type (at least the ones that were
accessed early in the boot), for example:

   # ls -Z /proc/sys/kernel/shmmax | awk '{ print $4 " " $5 }'
   system_u:object_r:proc_t:s0 /proc/sys/kernel/shmmax

However, with this patch in place we see the expected result:

   # ls -Z /proc/sys/kernel/shmmax | awk '{ print $4 " " $5 }'
   system_u:object_r:sysctl_kernel_t:s0 /proc/sys/kernel/shmmax

Change-Id: I7742b4b7e53b45e4dd13d99c39553a927aa4a7e9
Cc: Eric Paris <eparis@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Acked-by: Eric Paris <eparis@redhat.com>
9 years agoselinux: fix inode security list corruption
Stephen Smalley [Mon, 6 Oct 2014 20:32:52 +0000 (16:32 -0400)]
selinux: fix inode security list corruption

commit 923190d32de4428afbea5e5773be86bea60a9925 upstream.

sb_finish_set_opts() can race with inode_free_security()
when initializing inode security structures for inodes
created prior to initial policy load or by the filesystem
during ->mount().   This appears to have always been
a possible race, but commit 3dc91d4 ("SELinux:  Fix possible
NULL pointer dereference in selinux_inode_permission()")
made it more evident by immediately reusing the unioned
list/rcu element  of the inode security structure for call_rcu()
upon an inode_free_security().  But the underlying issue
was already present before that commit as a possible use-after-free
of isec.

Shivnandan Kumar reported the list corruption and proposed
a patch to split the list and rcu elements out of the union
as separate fields of the inode_security_struct so that setting
the rcu element would not affect the list element.  However,
this would merely hide the issue and not truly fix the code.

This patch instead moves up the deletion of the list entry
prior to dropping the sbsec->isec_lock initially.  Then,
if the inode is dropped subsequently, there will be no further
references to the isec.

Change-Id: I7c56670bddbb896f159701651758d2e7f739dff8
Reported-by: Shivnandan Kumar <shivnandan.k@samsung.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
9 years agoselinux: put the mmap() DAC controls before the MAC controls
Paul Moore [Fri, 28 Feb 2014 12:23:24 +0000 (07:23 -0500)]
selinux: put the mmap() DAC controls before the MAC controls

commit 0909c0ae999c325b9d34c6f4710f40730ae3bc24 upstream.

It turns out that doing the SELinux MAC checks for mmap() before the
DAC checks was causing users and the SELinux policy folks headaches
as users were seeing a lot of SELinux AVC denials for the
memprotect:mmap_zero permission that would have also been denied by
the normal DAC capability checks (CAP_SYS_RAWIO).

Example:

 # cat mmap_test.c
  #include <stdlib.h>
  #include <stdio.h>
  #include <errno.h>
  #include <sys/mman.h>

  int main(int argc, char *argv[])
  {
        int rc;
        void *mem;

        mem = mmap(0x0, 4096,
                   PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
        if (mem == MAP_FAILED)
                return errno;
        printf("mem = %p\n", mem);
        munmap(mem, 4096);

        return 0;
  }
 # gcc -g -O0 -o mmap_test mmap_test.c
 # ./mmap_test
 mem = (nil)
 # ausearch -m AVC | grep mmap_zero
 type=AVC msg=audit(...): avc:  denied  { mmap_zero }
   for pid=1025 comm="mmap_test"
   scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   tclass=memprotect

This patch corrects things so that when the above example is run by a
user without CAP_SYS_RAWIO the SELinux AVC is no longer generated as
the DAC capability check fails before the SELinux permission check.

Change-Id: Ic3b2ef30d13c15ca7c60adbd3c3b93ebe251c7bc
Signed-off-by: Paul Moore <pmoore@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
9 years agoselinux: reduce the number of calls to synchronize_net() when flushing caches
Paul Moore [Thu, 26 Jun 2014 18:33:56 +0000 (14:33 -0400)]
selinux: reduce the number of calls to synchronize_net() when flushing caches

commit 615e51fdda6f274e94b1e905fcaf6111e0d9aa20 upstream.

When flushing the AVC, such as during a policy load, the various
network caches are also flushed, with each making a call to
synchronize_net() which has shown to be expensive in some cases.
This patch consolidates the network cache flushes into a single AVC
callback which only calls synchronize_net() once for each AVC cache
flush.

Change-Id: I2a7f020748d1adf2b68246f6ef86d0c871adffb7
Reported-by: Jaejyn Shin <flagon22bass@gmail.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
9 years ago[PATCH 5/5] pstore: selinux: add security in-core xattr support for pstore and debugfs
Mark Salyzyn [Wed, 7 Jan 2015 17:27:15 +0000 (09:27 -0800)]
[PATCH 5/5] pstore: selinux: add security in-core xattr support for pstore and debugfs

- add "pstore" and "debugfs" to list of in-core exceptions
- change fstype checks to boolean equation
- change from strncmp to strcmp for checking

Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 18917345
Bug: 18935184
Change-Id: Ib648f30ce4b5d6c96f11465836d6fee89bec1c72

9 years agoSELinux: Update policy version to support constraints info
Richard Haines [Tue, 19 Nov 2013 22:34:23 +0000 (17:34 -0500)]
SELinux: Update policy version to support constraints info

Update the policy version (POLICYDB_VERSION_CONSTRAINT_NAMES) to allow
holding of policy source info for constraints.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <pmoore@redhat.com>
9 years ago[PATCH v4 4/5] pstore: add pmsg
Mark Salyzyn [Mon, 8 Dec 2014 23:06:52 +0000 (15:06 -0800)]
[PATCH v4 4/5] pstore: add pmsg

A secured user-space accessible pstore object. Writes
to /dev/pmsg0 are appended to the buffer, on reboot
the persistent contents are available in
/sys/fs/pstore/pmsg-ramoops-[ID].

One possible use is syslogd, or other daemon, can
write messages, then on reboot provides a means to
triage user-space activities leading up to a panic
as a companion to the pstore dmesg or console logs.

Signed-off-by: Mark Salyzyn <salyzyn@android.com>
v2: switch from snprintf to scnprintf
v3: split out prz_ok checking into PATCH 3/5
    replace pmsg_lseek with noop_llseek
    use pr_fmt() macro
    make write atomic and use a vmalloc'd bounce buffer
v4: use mutex_lock instead of spin_lock.

Change-Id: I82a2a9a989d7583c5fcb65ff520027dc3a034a4c

9 years ago[PATCH 3/5] pstore: handle zero-sized prz in series
Mark Salyzyn [Mon, 8 Dec 2014 23:06:52 +0000 (15:06 -0800)]
[PATCH 3/5] pstore: handle zero-sized prz in series

Corrects a problem wih ramoops_pstore_read failing to
return the next in a prz series after first zero-sized
entry, not venturing to the next non-zero entry.

Signed-off-by: Mark Salyzyn <salyzyn@android.com>
Change-Id: Iedce3b94c13917da33be44e1d80811757774c793

9 years ago[PATCH v2 2/5] pstore: remove superfluous memory size check
Mark Salyzyn [Mon, 8 Dec 2014 23:06:52 +0000 (15:06 -0800)]
[PATCH v2 2/5] pstore: remove superfluous memory size check

All previous checks will fail with error if memory size
is not sufficient to register a zone, so this legacy
check has become redundant.

Signed-off-by: Mark Salyzyn <salyzyn@android.com>
Acked-by: Kees Cook <keescook@chromium.org>
v2: renumber pmsg series dependencies

Change-Id: Ie21c988ae0b1ebb0dafa6c0c0b069e9cfe1e8506

9 years ago[PATCH v4 1/5] pstore: use snprintf
Mark Salyzyn [Mon, 8 Dec 2014 23:06:52 +0000 (15:06 -0800)]
[PATCH v4 1/5] pstore: use snprintf

No guarantees that the names will not exceed the
name buffer with future adjustments.

Signed-off-by: Mark Salyzyn <salyzyn@android.com>
Acked-by: Joe Perches <joe@perches.com>
v2: switch from snprintf to scnprintf
v3: remove embedded space
v4: renumber pmsg series dependencies

Change-Id: I161fe8cadc967d74e18cc09b7d60b5b398c92c86

9 years agopstore: clarify clearing of _read_cnt in ramoops_context
Liu ShuoX [Mon, 17 Mar 2014 00:24:49 +0000 (11:24 +1100)]
pstore: clarify clearing of _read_cnt in ramoops_context

*_read_cnt in ramoops_context need to be cleared during pstore ->open to
support mutli times getting the records.  The patch added missed
ftrace_read_cnt clearing and removed duplicate clearing in ramoops_probe.

Signed-off-by: Liu ShuoX <shuox.liu@intel.com>
Cc: "Zhang, Yanmin" <yanmin_zhang@linux.intel.com>
Cc: Colin Cross <ccross@android.com>
Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Tony Luck <tony.luck@intel.com>
Change-Id: I98622b2587ed661884e74a7273cfc92ee99eaae3

9 years agoprctl: make PR_SET_TIMERSLACK_PID pid namespace aware
Micha Kalfon [Tue, 13 Jan 2015 10:12:57 +0000 (12:12 +0200)]
prctl: make PR_SET_TIMERSLACK_PID pid namespace aware

Make PR_SET_TIMERSLACK_PID consider pid namespace and resolve the
target pid in the caller's namespace. Otherwise, calls from pid
namespace other than init would fail or affect the wrong task.

Change-Id: I1da15196abc4096536713ce03714e99d2e63820a
Signed-off-by: Micha Kalfon <micha@cellrox.com>
Acked-by: Oren Laadan <orenl@cellrox.com>
9 years agoprctl: fix misplaced PR_SET_TIMERSLACK_PID case
Micha Kalfon [Tue, 13 Jan 2015 09:47:20 +0000 (11:47 +0200)]
prctl: fix misplaced PR_SET_TIMERSLACK_PID case

The case clause for the PR_SET_TIMERSLACK_PID option was placed inside
the an internal switch statement for PR_MCE_KILL (see commits 37a591d4
and 8ae872f1) . This commit moves it to the right place.

Change-Id: I63251669d7e2f2aa843d1b0900e7df61518c3dea
Signed-off-by: Micha Kalfon <micha@cellrox.com>
Acked-by: Oren Laadan <orenl@cellrox.com>
9 years agoAdd security hooks to binder and implement the hooks for SELinux.
Stephen Smalley [Mon, 5 Nov 2012 13:15:34 +0000 (08:15 -0500)]
Add security hooks to binder and implement the hooks for SELinux.

Add security hooks to the binder and implement the hooks for SELinux.
The security hooks enable security modules such as SELinux to implement
controls over binder IPC.  The security hooks include support for
controlling what process can become the binder context manager
(binder_set_context_mgr), controlling the ability of a process
to invoke a binder transaction/IPC to another process (binder_transaction),
controlling the ability a process to transfer a binder reference to
another process (binder_transfer_binder), and controlling the ability
of a process to transfer an open file to another process (binder_transfer_file).

This support is used by SE Android, http://selinuxproject.org/page/SEAndroid.

Change-Id: I34266b66320b6a3df9ac01833d7f94daf742920e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
9 years agoandroid: binder: Change binder mutex to rtmutex.
Riley Andrews [Sat, 27 Sep 2014 00:36:36 +0000 (17:36 -0700)]
android: binder: Change binder mutex to rtmutex.

Surfaceflinger uses binder heavily to receive/send frames from applications
while compositing the screen. Change the binder mutex to an rt mutex to minimize
instances where high priority surfaceflinger binder work is blocked by lower
priority binder ipc.

Change-Id: If7429040641d6e463f20301ec14f02ecf6b0da36
Signed-off-by: Riley Andrews <riandrews@google.com>
9 years agoandroid: binder: More offset validation.
Arve Hjønnevåg [Fri, 14 Feb 2014 04:25:06 +0000 (20:25 -0800)]
android: binder: More offset validation.

Make sure offsets don't point to overlapping flat_binder_object
structs.

Change-Id: I85c759b9c6395492474b177625dc6b0b289fd6b0
Signed-off-by: Arve Hjønnevåg <arve@android.com>
9 years agoandroid: binder: remove binder.h
Greg Kroah-Hartman [Thu, 16 Oct 2014 13:26:51 +0000 (15:26 +0200)]
android: binder: remove binder.h

binder.h isn't needed to just include a uapi file and set a single
define, so move it into binder.c to save a few lines of code.

Change-Id: Idcd0aba576295bbe0ddf5d18c4b1d1e8efdc8c84
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
9 years agostaging: android: binder: move to the "real" part of the kernel
Greg Kroah-Hartman [Thu, 16 Oct 2014 12:40:38 +0000 (14:40 +0200)]
staging: android: binder: move to the "real" part of the kernel

The Android binder code has been "stable" for many years now.  No matter
what comes in the future, we are going to have to support this API, so
might as well move it to the "real" part of the kernel as there's no
real work that needs to be done to the existing code.

Change-Id: I36d5c6fc05aff26dd01a227201be18e86c9f9994
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
9 years agostaging: binder: fix coding style issues
Dmitry Voytik [Mon, 8 Sep 2014 14:16:34 +0000 (18:16 +0400)]
staging: binder: fix coding style issues

Fix coding style issues:
* put braces in all if-else branches;
* limit the length of changed lines to 80 columns.
checkpatch.pl warning count reduces by 3.

Change-Id: I1796588ef0f358780445203c5afa87361ab2bf73
Signed-off-by: Dmitry Voytik <voytikd@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
9 years agostaging: android: Break up a long line in binder_send_failed_reply
William Panlener [Thu, 4 Sep 2014 03:44:03 +0000 (22:44 -0500)]
staging: android: Break up a long line in binder_send_failed_reply

Kernel coding style. Breaking long lines and strings.

Change-Id: Ie1af1f3bcfef547ab69f873f2e86ee37c8c23caf
Signed-off-by: William Panlener <wpanlener@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
9 years agostaging: android: fix attribute as suggested by checkpatch
Purnendu Kapadia [Fri, 15 Aug 2014 17:20:30 +0000 (18:20 +0100)]
staging: android: fix attribute as suggested by checkpatch

we should use __packed attribute

Change-Id: I9c74b57799bc6787d54cf6e2563adc96dff666d2
Signed-off-by: Purnendu Kapadia <pro8linux@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
9 years agostaging: android: Clean up else statement from binder_send_failed_reply
Lucas Tanure [Mon, 14 Jul 2014 00:31:05 +0000 (21:31 -0300)]
staging: android: Clean up else statement from binder_send_failed_reply

Kernel coding style. Remove useless else statement after return.

Changes from v1 and v2: Fix warning for mixed declarations and code.
Declaration of "struct binder_transaction *next" made outside of while.

Changes from v3: Removed initialization to NULL for next variable.

Change-Id: I1ec8b512130595b90098126acf562e58eeca8458
Signed-off-by: Lucas Tanure <tanure@linux.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
9 years agostaging: android: binder.c: binder_ioctl() cleanup
Riley Andrews [Mon, 12 Jan 2015 22:01:03 +0000 (14:01 -0800)]
staging: android: binder.c: binder_ioctl() cleanup

binder_ioctl() is quite huge and checkpatch dirty - mostly because of
the amount of code for the BINDER_WRITE_READ and BINDER_SET_CONTEXT_MGR.
Moved that code into the new binder_ioctl_write_read() and
binder_ioctl_set_ctx_mgr()

Change-Id: I9c5cea46a570ca91768e5aa7b11c7178bdbb667d
Signed-off-by: Tair Rzayev <tair.rzayev@gmail.com>
Cc: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
9 years agostaging: binder: add vm_fault handler
Vinayak Menon [Mon, 2 Jun 2014 12:47:59 +0000 (18:17 +0530)]
staging: binder: add vm_fault handler

An issue was observed when a userspace task exits.
The page which hits error here is the zero page.
In binder mmap, the whole of vma is not mapped.
On a task crash, when debuggerd reads the binder regions,
the unmapped areas fall to do_anonymous_page in handle_pte_fault,
due to the absence of a vm_fault handler. This results in
zero page being mapped. Later in zap_pte_range, vm_normal_page
returns zero page in the case of VM_MIXEDMAP and it results in the
error.

BUG: Bad page map in process mediaserver  pte:9dff379f pmd:9bfbd831
page:c0ed8e60 count:1 mapcount:-1 mapping:  (null) index:0x0
page flags: 0x404(referenced|reserved)
addr:40c3f000 vm_flags:10220051 anon_vma:  (null) mapping:d9fe0764 index:fd
vma->vm_ops->fault:   (null)
vma->vm_file->f_op->mmap: binder_mmap+0x0/0x274
CPU: 0 PID: 1463 Comm: mediaserver Tainted: G        W    3.10.17+ #1
[<c001549c>] (unwind_backtrace+0x0/0x11c) from [<c001200c>] (show_stack+0x10/0x14)
[<c001200c>] (show_stack+0x10/0x14) from [<c0103d78>] (print_bad_pte+0x158/0x190)
[<c0103d78>] (print_bad_pte+0x158/0x190) from [<c01055f0>] (unmap_single_vma+0x2e4/0x598)
[<c01055f0>] (unmap_single_vma+0x2e4/0x598) from [<c010618c>] (unmap_vmas+0x34/0x50)
[<c010618c>] (unmap_vmas+0x34/0x50) from [<c010a9e4>] (exit_mmap+0xc8/0x1e8)
[<c010a9e4>] (exit_mmap+0xc8/0x1e8) from [<c00520f0>] (mmput+0x54/0xd0)
[<c00520f0>] (mmput+0x54/0xd0) from [<c005972c>] (do_exit+0x360/0x990)
[<c005972c>] (do_exit+0x360/0x990) from [<c0059ef0>] (do_group_exit+0x84/0xc0)
[<c0059ef0>] (do_group_exit+0x84/0xc0) from [<c0066de0>] (get_signal_to_deliver+0x4d4/0x548)
[<c0066de0>] (get_signal_to_deliver+0x4d4/0x548) from [<c0011500>] (do_signal+0xa8/0x3b8)

Add a vm_fault handler which returns VM_FAULT_SIGBUS, and prevents the
wrong fallback to do_anonymous_page.

Change-Id: I43c227e489f74f4907f199caf99f571b61883064
Signed-off-by: Vinayak Menon <vinayakm.list@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
9 years agoStaging: Android: removed an unnecessary else statement
Karthik Nayak [Sat, 21 Jun 2014 14:53:16 +0000 (20:23 +0530)]
Staging: Android: removed an unnecessary else statement

As per checkpatch warning, removed an unnecessary else statement
proceeding an if statement with a return.

Change-Id: I718d9ece6c8bac128c10ecaf904721410d701b60
Signed-off-by: Karthik Nayak <karthik.188@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
9 years agostaging: android: binder.c: Use more appropriate functions for euid retrieval
Tair Rzayev [Sat, 31 May 2014 19:43:34 +0000 (22:43 +0300)]
staging: android: binder.c: Use more appropriate functions for euid retrieval

Instead of getting the reference to whole credential structure, use
task_euid() and current_euid() to get it.

Change-Id: Id5b9d0305b5f90023415863e569988023aaae290
Signed-off-by: Tair Rzayev <tair.rzayev@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
9 years agostaging: binder: fix usage of uninit scalar in binder_transaction()
Christian Engelmayer [Wed, 7 May 2014 19:44:53 +0000 (21:44 +0200)]
staging: binder: fix usage of uninit scalar in binder_transaction()

Fix the error path when a cookie mismatch is detected. In that case the
function jumps to the exit label without setting the uninitialized, local
variable 'return_error'. Detected by Coverity - CID 201453.

Change-Id: I6c960b7d3ad0adb28fad106a9a0b8cb934013987
Signed-off-by: Christian Engelmayer <cengelma@gmx.at>
Acked-by: Arve <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
9 years agostaging: binder: cleanup dereference of noderef expressions
Jerry Snitselaar [Thu, 1 May 2014 06:58:55 +0000 (23:58 -0700)]
staging: binder: cleanup dereference of noderef expressions

Clean up sparse warnings for cred struct dereference.

Change-Id: I78059976c0488abfe9eb4e9f0b0f8ac10c7ef4f9
Signed-off-by: Jerry Snitselaar <dev@snitselaar.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
9 years agostaging: android: fix missing a blank line after declarations
Seunghun Lee [Wed, 30 Apr 2014 16:30:23 +0000 (01:30 +0900)]
staging: android: fix missing a blank line after declarations

This patch fixes "Missing a blank line after declarations" warnings.

Change-Id: Iede8a80f003eba36fd1f8d3ec8135d9d35c16ee9
Signed-off-by: Seunghun Lee <waydi1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
9 years agostaging: binder: add __user annotation in binder.c
Mathieu Maret [Tue, 15 Apr 2014 10:03:05 +0000 (12:03 +0200)]
staging: binder: add __user annotation in binder.c

Add __user to binder_version to correct sparse warning.
Reduce line size to fit to coding style.

Change-Id: I8694fb5a082721c69d1596b2853c5d4899f6536b
Signed-off-by: Mathieu Maret <mathieu.maret@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
9 years agostaging: binder: Support concurrent 32 bit and 64 bit processes.
Arve Hjønnevåg [Fri, 21 Feb 2014 22:40:26 +0000 (14:40 -0800)]
staging: binder: Support concurrent 32 bit and 64 bit processes.

For 64bit systems we want to use the same binder interface for 32bit and
64bit processes. Thus the size and the layout of the structures passed
between the kernel and the userspace has to be the same for both 32 and
64bit processes.

This change replaces all the uses of void* and size_t with
binder_uintptr_t and binder_size_t. These are then typedefed to specific
sizes depending on the use of the interface, as follows:
       * __u32 - on legacy 32bit only userspace
       * __u64 - on mixed 32/64bit userspace where all processes use the same
interface.

This change also increments the BINDER_CURRENT_PROTOCOL_VERSION to 8 and
hooks the compat_ioctl entry for the mixed 32/64bit Android userspace.

This patch also provides a CONFIG_ANDROID_BINDER_IPC_32BIT option for
compatability, which if set which enables the old protocol, setting
BINDER_CURRENT_PROTOCOL_VERSION to 7, on 32 bit systems.

Please note that all 64bit kernels will use the 64bit Binder ABI.

Change-Id: If54f075787a6bb261012eb73295eb4f83a8c91c9
Cc: Colin Cross <ccross@android.com>
Cc: Arve Hjønnevåg <arve@android.com>
Cc: Serban Constantinescu <serban.constantinescu@arm.com>
Cc: Android Kernel Team <kernel-team@android.com>
Signed-off-by: Arve Hjønnevåg <arve@android.com>
[jstultz: Merged with upstream type changes. Various whitespace fixes
and longer Kconfig description for checkpatch. Included improved commit
message from Serban (with a few tweaks).]
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
9 years agoStaging: android: add __user annotation in binder.c
Bojan Prtvar [Sun, 1 Sep 2013 18:30:38 +0000 (20:30 +0200)]
Staging: android: add __user annotation in binder.c

This fixes the following sparse error
drivers/staging/android/binder.c:1795:36: error: incompatible types in comparison expression (different address spaces)

Change-Id: I3824cb700d0de0e24c94771b1441e639d7d4d18b
Signed-off-by: Bojan Prtvar <prtvar.b@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
9 years agoStaging: android: Mark local functions in binder.c as static
Bojan Prtvar [Mon, 2 Sep 2013 06:18:40 +0000 (08:18 +0200)]
Staging: android: Mark local functions in binder.c as static

This fixes the following sparse warnings
drivers/staging/android/binder.c:1703:5: warning: symbol 'binder_thread_write' was not declared. Should it be static?
drivers/staging/android/binder.c:2058:6: warning: symbol 'binder_stat_br' was not declared. Should it be static?

Change-Id: Ib3fadafe30b5ffa3776270574809823e898caac3
Signed-off-by: Bojan Prtvar <prtvar.b@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
9 years agoRevert "Add security hooks to binder and implement the hooks for SELinux."
Riley Andrews [Mon, 12 Jan 2015 21:52:20 +0000 (13:52 -0800)]
Revert "Add security hooks to binder and implement the hooks for SELinux."

This reverts commit 6e6d8f546c36b161067efa5e0518f56be0200e77.

Change-Id: I8f0dba7c90f2c2d285d14696277e1ec7d48978d3

9 years agoRevert "staging: binder: Change binder mutex to rtmutex."
Riley Andrews [Mon, 12 Jan 2015 21:47:28 +0000 (13:47 -0800)]
Revert "staging: binder: Change binder mutex to rtmutex."

This reverts commit 5d03bd0fdd66d3472386864cf32b4b82dda8d1a5.

9 years agoRevert "Staging: android: binder: Support concurrent 32 bit and 64 bit processes."
Riley Andrews [Sat, 10 Jan 2015 03:10:36 +0000 (19:10 -0800)]
Revert "Staging: android: binder: Support concurrent 32 bit and 64 bit processes."

This reverts commit 2d595dc92ae19b49e4c1ebb1f8e3b461a2d06592.

Change-Id: I1e4e306fa38f851b3044abb8a7c929c298c14812

9 years agoRevert "ARM: tegra: flounder: stick to 32bit binder for now."
Riley Andrews [Sat, 10 Jan 2015 03:10:24 +0000 (19:10 -0800)]
Revert "ARM: tegra: flounder: stick to 32bit binder for now."

This reverts commit 8179b7b7fe7e0ee85f670d109de6d7e3be46b2a9.

Change-Id: Iba8c90cc88b39dd357ecbd7c942469966b53f123

9 years agoRevert "Staging: android: binder: More offset validation."
Riley Andrews [Sat, 10 Jan 2015 03:08:03 +0000 (19:08 -0800)]
Revert "Staging: android: binder: More offset validation."

This reverts commit 3fac2c119f537d4d8fea3f0b9063d72f44857b82.

Change-Id: I8840b43eceff9ef52d9bae2079d22046488a4ec2

9 years agoirq: pm: Remove unused variable
Dmitry Shmidt [Tue, 13 Jan 2015 21:52:49 +0000 (13:52 -0800)]
irq: pm: Remove unused variable

Change-Id: Ie4311b554628af878cd80fd0abc03b2be294f0bf
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
9 years agowlan: Add get_wake_irq functionality
Dmitry Shmidt [Mon, 12 Jan 2015 21:42:05 +0000 (13:42 -0800)]
wlan: Add get_wake_irq functionality

Change-Id: Ic41f06c509b2e625dc9ec4131903db6920c5fd4e
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
9 years agoARM: pull in <asm/simd.h> from asm-generic
Ard Biesheuvel [Fri, 20 Sep 2013 07:57:37 +0000 (09:57 +0200)]
ARM: pull in <asm/simd.h> from asm-generic

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
9 years agoARM: move VFP init to an earlier boot stage
Ard Biesheuvel [Wed, 22 May 2013 08:38:53 +0000 (10:38 +0200)]
ARM: move VFP init to an earlier boot stage

In order to use the NEON unit in the kernel, we should
initialize it a bit earlier in the boot process so NEON users
that like to do a quick benchmark at load time (like the
xor_blocks or RAID-6 code) find the NEON/VFP unit already
enabled.

Replaced late_initcall() with core_initcall().

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Nicolas Pitre <nico@linaro.org>
9 years agoARM: 7837/3: fix Thumb-2 bug in AES assembler code
Ard Biesheuvel [Sat, 21 Sep 2013 10:23:50 +0000 (11:23 +0100)]
ARM: 7837/3: fix Thumb-2 bug in AES assembler code

Patch 638591c enabled building the AES assembler code in Thumb2 mode.
However, this code used arithmetic involving PC rather than adr{l}
instructions to generate PC-relative references to the lookup tables,
and this needs to take into account the different PC offset when
running in Thumb mode.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Nicolas Pitre <nico@linaro.org>
Cc: stable@vger.kernel.org
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
9 years agoARM: add support for kernel mode NEON
Ard Biesheuvel [Thu, 16 May 2013 09:41:48 +0000 (11:41 +0200)]
ARM: add support for kernel mode NEON

In order to safely support the use of NEON instructions in
kernel mode, some precautions need to be taken:
- the userland context that may be present in the registers (even
  if the NEON/VFP is currently disabled) must be stored under the
  correct task (which may not be 'current' in the UP case),
- to avoid having to keep track of additional vfpstates for the
  kernel side, disallow the use of NEON in interrupt context
  and run with preemption disabled,
- after use, re-enable preemption and re-enable the lazy restore
  machinery by disabling the NEON/VFP unit.

This patch adds the functions kernel_neon_begin() and
kernel_neon_end() which take care of the above. It also adds
the Kconfig symbol KERNEL_MODE_NEON to enable it.

Change-Id: I286f9d414e87568f094b7782762faea46c6d4831
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Chris Fries <cfries@motorola.com>
9 years agoARM: 8120/1: crypto: sha512: add ARM NEON implementation
Jussi Kivilinna [Tue, 29 Jul 2014 16:15:24 +0000 (17:15 +0100)]
ARM: 8120/1: crypto: sha512: add ARM NEON implementation

This patch adds ARM NEON assembly implementation of SHA-512 and SHA-384
algorithms.

tcrypt benchmark results on Cortex-A8, sha512-generic vs sha512-neon-asm:

block-size      bytes/update    old-vs-new
16              16              2.99x
64              16              2.67x
64              64              3.00x
256             16              2.64x
256             64              3.06x
256             256             3.33x
1024            16              2.53x
1024            256             3.39x
1024            1024            3.52x
2048            16              2.50x
2048            256             3.41x
2048            1024            3.54x
2048            2048            3.57x
4096            16              2.49x
4096            256             3.42x
4096            1024            3.56x
4096            4096            3.59x
8192            16              2.48x
8192            256             3.42x
8192            1024            3.56x
8192            4096            3.60x
8192            8192            3.60x

Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Tested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
9 years agoARM: 8119/1: crypto: sha1: add ARM NEON implementation
Jussi Kivilinna [Tue, 29 Jul 2014 16:14:14 +0000 (17:14 +0100)]
ARM: 8119/1: crypto: sha1: add ARM NEON implementation

This patch adds ARM NEON assembly implementation of SHA-1 algorithm.

tcrypt benchmark results on Cortex-A8, sha1-arm-asm vs sha1-neon-asm:

block-size      bytes/update    old-vs-new
16              16              1.04x
64              16              1.02x
64              64              1.05x
256             16              1.03x
256             64              1.04x
256             256             1.30x
1024            16              1.03x
1024            256             1.36x
1024            1024            1.52x
2048            16              1.03x
2048            256             1.39x
2048            1024            1.55x
2048            2048            1.59x
4096            16              1.03x
4096            256             1.40x
4096            1024            1.57x
4096            4096            1.62x
8192            16              1.03x
8192            256             1.40x
8192            1024            1.58x
8192            4096            1.63x
8192            8192            1.63x

Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Tested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
9 years agoARM: 8118/1: crypto: sha1/make use of common SHA-1 structures
Jussi Kivilinna [Tue, 29 Jul 2014 16:14:09 +0000 (17:14 +0100)]
ARM: 8118/1: crypto: sha1/make use of common SHA-1 structures

Common SHA-1 structures are defined in <crypto/sha.h> for code sharing.

This patch changes SHA-1/ARM glue code to use these structures.

Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
9 years agocrypto: arm-aes - fix encryption of unaligned data
Mikulas Patocka [Fri, 25 Jul 2014 23:42:30 +0000 (19:42 -0400)]
crypto: arm-aes - fix encryption of unaligned data

Fix the same alignment bug as in arm64 - we need to pass residue
unprocessed bytes as the last argument to blkcipher_walk_done.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org # 3.13+
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agoCRYPTO: Fix more AES build errors
Russell King [Thu, 2 Jan 2014 17:14:45 +0000 (17:14 +0000)]
CRYPTO: Fix more AES build errors

Building a multi-arch kernel results in:

arch/arm/crypto/built-in.o: In function `aesbs_xts_decrypt':
sha1_glue.c:(.text+0x15c8): undefined reference to `bsaes_xts_decrypt'
arch/arm/crypto/built-in.o: In function `aesbs_xts_encrypt':
sha1_glue.c:(.text+0x1664): undefined reference to `bsaes_xts_encrypt'
arch/arm/crypto/built-in.o: In function `aesbs_ctr_encrypt':
sha1_glue.c:(.text+0x184c): undefined reference to `bsaes_ctr32_encrypt_blocks'
arch/arm/crypto/built-in.o: In function `aesbs_cbc_decrypt':
sha1_glue.c:(.text+0x19b4): undefined reference to `bsaes_cbc_encrypt'

This code is already runtime-conditional on NEON being supported, so
there's no point compiling it out depending on the minimum build
architecture.

Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
9 years agoARM: add .gitignore entry for aesbs-core.S
Russell King [Mon, 7 Oct 2013 14:43:53 +0000 (15:43 +0100)]
ARM: add .gitignore entry for aesbs-core.S

This avoids this file being incorrectly added to git.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
9 years agoARM: add support for bit sliced AES using NEON instructions
Ard Biesheuvel [Mon, 16 Sep 2013 16:31:38 +0000 (18:31 +0200)]
ARM: add support for bit sliced AES using NEON instructions

Bit sliced AES gives around 45% speedup on Cortex-A15 for encryption
and around 25% for decryption. This implementation of the AES algorithm
does not rely on any lookup tables so it is believed to be invulnerable
to cache timing attacks.

This algorithm processes up to 8 blocks in parallel in constant time. This
means that it is not usable by chaining modes that are strictly sequential
in nature, such as CBC encryption. CBC decryption, however, can benefit from
this implementation and runs about 25% faster. The other chaining modes
implemented in this module, XTS and CTR, can execute fully in parallel in
both directions.

The core code has been adopted from the OpenSSL project (in collaboration
with the original author, on cc). For ease of maintenance, this version is
identical to the upstream OpenSSL code, i.e., all modifications that were
required to make it suitable for inclusion into the kernel have been made
upstream. The original can be found here:

    http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6f6a6130

Note to integrators:
While this implementation is significantly faster than the existing table
based ones (generic or ARM asm), especially in CTR mode, the effects on
power efficiency are unclear as of yet. This code does fundamentally more
work, by calculating values that the table based code obtains by a simple
lookup; only by doing all of that work in a SIMD fashion, it manages to
perform better.

Cc: Andy Polyakov <appro@openssl.org>
Acked-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
9 years agoARM: move AES typedefs and function prototypes to separate header
Ard Biesheuvel [Sun, 15 Sep 2013 15:10:43 +0000 (17:10 +0200)]
ARM: move AES typedefs and function prototypes to separate header

Put the struct definitions for AES keys and the asm function prototypes in a
separate header and export the asm functions from the module.
This allows other drivers to use them directly.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
9 years agovideo: adf: fix wrong bitops in adf_modeinfo_to_fb_videomode()
Greg Hackmann [Tue, 16 Dec 2014 23:59:51 +0000 (15:59 -0800)]
video: adf: fix wrong bitops in adf_modeinfo_to_fb_videomode()

Change-Id: I1296153e382c0b66b713a0e7d09665ed5961f13d
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
9 years agocpufreq: interactive: only boost tunable affected cpus
Lianwei Wang [Wed, 3 Dec 2014 01:20:50 +0000 (17:20 -0800)]
cpufreq: interactive: only boost tunable affected cpus

It is not correct to boost all the cpus when tunable boost
parameters are changed. It also does not need to boost the
cpus which is already boosted.

Signed-off-by: Lianwei Wang <a22439@motorola.com>
9 years agonet: ipv6: allow choosing optimistic addresses with use_optimistic
Erik Kline [Fri, 5 Dec 2014 10:45:10 +0000 (19:45 +0900)]
net: ipv6: allow choosing optimistic addresses with use_optimistic

The use_optimistic sysctl makes optimistic IPv6 addresses
equivalent to preferred addresses for source address selection
(e.g., when calling connect()), but it does not allow an
application to bind to optimistic addresses. This behaviour is
inconsistent - for example, it doesn't make sense for bind() to
an optimistic address fail with EADDRNOTAVAIL, but connect() to
choose that address outgoing address on the same socket.

Bug: 17769720
Bug: 18609055
Change-Id: I9de0d6c92ac45e29d28e318ac626c71806666f13
Signed-off-by: Erik Kline <ek@google.com>
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
9 years agocpufreq: interactive: don't skip waking up speedchange_task if target_freq > policy...
Minsung Kim [Sat, 29 Nov 2014 12:43:53 +0000 (21:43 +0900)]
cpufreq: interactive: don't skip waking up speedchange_task if target_freq > policy->cur

When __cpufreq_driver_target() in speedchange_task failed for some reason, the
policy->cur could be lower than the target_freq. The governor misses to change
the target_freq if the target_freq is equal to the next_freq at the next sample
time.

Added a check to prevent the CPU to stay at the speed that is lower than the
target_freq for long duration.

Change-Id: Ibfdcd193b8280390b8f8374a63218aa31267f310
Signed-off-by: Minsung Kim <ms925.kim@samsung.com>
9 years agoMake suspend abort reason logging depend on CONFIG_PM_SLEEP
Lorenzo Colitti [Thu, 27 Nov 2014 06:12:10 +0000 (15:12 +0900)]
Make suspend abort reason logging depend on CONFIG_PM_SLEEP

This unbreaks the build on architectures such as um that do not
support CONFIG_PM_SLEEP.

Change-Id: Ia846ed0a7fca1d762ececad20748d23610e8544f
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
9 years agonet/ping: handle protocol mismatching scenario
Jane Zhou [Mon, 24 Nov 2014 19:44:08 +0000 (11:44 -0800)]
net/ping: handle protocol mismatching scenario

ping_lookup() may return a wrong sock if sk_buff's and sock's protocols
dont' match. For example, sk_buff's protocol is ETH_P_IPV6, but sock's
sk_family is AF_INET, in that case, if sk->sk_bound_dev_if is zero, a wrong
sock will be returned.
the fix is to "continue" the searching, if no matching, return NULL.

[cherry-pick of net 91a0b603469069cdcce4d572b7525ffc9fd352a6]

Bug: 18512516
Change-Id: I520223ce53c0d4e155c37d6b65a03489cc7fd494
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Cc: James Morris <jmorris@namei.org>
Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
Cc: Patrick McHardy <kaber@trash.net>
Cc: netdev@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Jane Zhou <a17711@motorola.com>
Signed-off-by: Yiwei Zhao <gbjc64@motorola.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
9 years agoarch: arm64: force -fno-pic
Greg Hackmann [Tue, 2 Dec 2014 00:13:30 +0000 (16:13 -0800)]
arch: arm64: force -fno-pic

The aarch64-linux-android- toolchain enables -fpic by default.  -fpic
isn't needed for the kernel and breaks CONFIG_JUMP_LABEL, so turn it
off.

Change-Id: I685da1dc60e4cf1e9abcfb56e03654675ac02a0c
Signed-off-by: Greg Hackmann <ghackmann@google.com>
9 years agostaging: binder: Change binder mutex to rtmutex.
Riley Andrews [Sat, 27 Sep 2014 00:36:36 +0000 (17:36 -0700)]
staging: binder: Change binder mutex to rtmutex.

Surfaceflinger uses binder heavily to receive/send frames from applications
while compositing the screen. Change the binder mutex to an rt mutex to minimize
instances where high priority surfaceflinger binder work is blocked by lower
priority binder ipc.

Signed-off-by: Riley Andrews <riandrews@google.com>
Change-Id: I086a715267648448f0c5f62b037a3093d1079a79

10 years agomemcg: add permission check
Rom Lemarchand [Fri, 7 Nov 2014 17:42:40 +0000 (09:42 -0800)]
memcg: add permission check

Use the 'allow_attach' handler for the 'mem' cgroup to allow
non-root processes to add arbitrary processes to a 'mem' cgroup
if it has the CAP_SYS_NICE capability set.

Bug: 18260435
Change-Id: If7d37bf90c1544024c4db53351adba6a64966250
Signed-off-by: Rom Lemarchand <romlem@android.com>
10 years agocgroup: refactor allow_attach function into common code
Rom Lemarchand [Fri, 7 Nov 2014 20:48:17 +0000 (12:48 -0800)]
cgroup: refactor allow_attach function into common code

move cpu_cgroup_allow_attach to a common subsys_cgroup_allow_attach.
This allows any process with CAP_SYS_NICE to move tasks across cgroups if
they use this function as their allow_attach handler.

Bug: 18260435
Change-Id: I6bb4933d07e889d0dc39e33b4e71320c34a2c90f
Signed-off-by: Rom Lemarchand <romlem@android.com>
10 years agoALSA: compress: add num_sample_rates in snd_codec_desc
Vinod Koul [Tue, 7 Jan 2014 16:25:42 +0000 (21:55 +0530)]
ALSA: compress: add num_sample_rates in snd_codec_desc

this gives ability to convey the valid values of supported rates in
sample_rates array

Signed-off-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
(cherry picked from commit 929559be6d2c494e25bb58b730da4a78c1459e7b)
Signed-off-by: Yuchen Song <yuchens@nvidia.com>
Change-Id: Icfbb6d272a70c0a94719613c00bac18c5a0e3f87

10 years agoALSA: compress: update struct snd_codec_desc for sample rate
Vinod Koul [Sat, 4 Jan 2014 11:29:13 +0000 (16:59 +0530)]
ALSA: compress: update struct snd_codec_desc for sample rate

Now that we don't use SNDRV_PCM_RATE_xxx bit fields for sample rate, we need to
change the description to an array for describing the sample rates supported by
the sink/source

Signed-off-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
(cherry picked from commit b8bab04829ab190f71921d4180bda438ba6124ae)
Signed-off-by: Yuchen Song <yuchens@nvidia.com>
Change-Id: I6c2fa5a5034ec749e9d7a71c49a1108af2416848

10 years agoALSA: compress: update comment for sample rate in snd_codec
Vinod Koul [Sat, 4 Jan 2014 11:29:12 +0000 (16:59 +0530)]
ALSA: compress: update comment for sample rate in snd_codec

Signed-off-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
(cherry picked from commit d9afee6904caa7cf3c7f417f02e765db89d2b5dc)
Signed-off-by: Yuchen Song <yuchens@nvidia.com>
Change-Id: I7608d924613611222766a898a97c856a64c2eb68

10 years agoALSA: compress: remove the sample rate check
Vinod Koul [Sat, 4 Jan 2014 11:29:11 +0000 (16:59 +0530)]
ALSA: compress: remove the sample rate check

commit f0e9c080 - "ALSA: compress: change the way sample rates are sent to
kernel" changed the way sample rates are sent. So now we don't need to check for
PCM_RATE_xxx in kernel

Signed-off-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
(cherry picked from commit 2aac06f787940543fb37bfdb982eb99431bc6094)
Signed-off-by: Yuchen Song <yuchens@nvidia.com>
Change-Id: I6448d844fb31097bf33e52c23a7e38d6b089ce69

10 years agoALSA: compress: change the way sample rates are sent to kernel
Vinod Koul [Mon, 16 Dec 2013 09:25:34 +0000 (14:55 +0530)]
ALSA: compress: change the way sample rates are sent to kernel

The usage of SNDRV_RATES is not effective as we can have rates like 12000 or
some other ones used by decoders. This change the usage of this to use the raw
Hz values to be sent to kernel

Signed-off-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
(cherry picked from commit f0e9c08065dc31210fc4cf313c4ecaa088187dc5)
Signed-off-by: Yuchen Song <yuchens@nvidia.com>
Change-Id: Ia4c67405b9cf9aef9c641bce9b02a994939eae00

10 years agonet: ipv6: Add a sysctl to make optimistic addresses useful candidates
Erik Kline [Tue, 28 Oct 2014 09:11:14 +0000 (18:11 +0900)]
net: ipv6: Add a sysctl to make optimistic addresses useful candidates

Add a sysctl that causes an interface's optimistic addresses
to be considered equivalent to other non-deprecated addresses
for source address selection purposes.  Preferred addresses
will still take precedence over optimistic addresses, subject
to other ranking in the source address selection algorithm.

This is useful where different interfaces are connected to
different networks from different ISPs (e.g., a cell network
and a home wifi network).

The current behaviour complies with RFC 3484/6724, and it
makes sense if the host has only one interface, or has
multiple interfaces on the same network (same or cooperating
administrative domain(s), but not in the multiple distinct
networks case.

For example, if a mobile device has an IPv6 address on an LTE
network and then connects to IPv6-enabled wifi, while the wifi
IPv6 address is undergoing DAD, IPv6 connections will try use
the wifi default route with the LTE IPv6 address, and will get
stuck until they time out.

Also, because optimistic nodes can receive frames, issue
an RTM_NEWADDR as soon as DAD starts (with the IFA_F_OPTIMSTIC
flag appropriately set).  A second RTM_NEWADDR is sent if DAD
completes (the address flags have changed), otherwise an
RTM_DELADDR is sent.

Also: add an entry in ip-sysctl.txt for optimistic_dad.

[cherry-pick of net-next 7fd2561e4ebdd070ebba6d3326c4c5b13942323f]

Signed-off-by: Erik Kline <ek@google.com>
Acked-by: Lorenzo Colitti <lorenzo@google.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bug: 17769720
Change-Id: Ic7e50781c607e1f3a492d9ce7395946efb95c533

10 years agopower: Add check_wakeup_reason() to verify wakeup source irq
Dmitry Shmidt [Fri, 31 Oct 2014 23:05:46 +0000 (16:05 -0700)]
power: Add check_wakeup_reason() to verify wakeup source irq

Wakeup reason is set before driver resume handlers are called.
It is cleared before driver suspend handlers are called, on
PM_SUSPEND_PREPARE.

Change-Id: I04218c9b0c115a7877e8029c73e6679ff82e0aa4
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
10 years agopower: Adds functionality to log the last suspend abort reason.
Ruchi Kandoi [Wed, 29 Oct 2014 17:36:27 +0000 (10:36 -0700)]
power: Adds functionality to log the last suspend abort reason.

Extends the last_resume_reason to log suspend abort reason. The abort
reasons will have "Abort:" appended at the start to distinguish itself
from the resume reason.

Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
Change-Id: I3207f1844e3d87c706dfc298fb10e1c648814c5f

10 years agocpufreq: Avoid using global variable total_cpus
Ruchi Kandoi [Tue, 21 Oct 2014 20:55:04 +0000 (13:55 -0700)]
cpufreq: Avoid using global variable total_cpus

The change is to compile on kernels where cpufreq stats are compiled as
a module (CONFIG_CPU_FREQ_STAT=m), because total_cpus is not exported for
module use.

Reported-By: Emilio López <elopez93@gmail.com>
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
Change-Id: I4f3c74f0fac5e8d9449655b26bf3b407b0fe4290

10 years agopower: Avoids bogus error messages for the suspend aborts.
Ruchi Kandoi [Wed, 15 Oct 2014 00:43:21 +0000 (17:43 -0700)]
power: Avoids bogus error messages for the suspend aborts.

Avoids printing bogus error message "tasks refusing to freeze", in cases
where pending wakeup source caused the suspend abort.

Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
Change-Id: I913ad290f501b31cd536d039834c8d24c6f16928

10 years agoARM: 8087/1: ptrace: reload syscall number after secure_computing() check
Will Deacon [Fri, 27 Jun 2014 16:01:47 +0000 (17:01 +0100)]
ARM: 8087/1: ptrace: reload syscall number after secure_computing() check

On the syscall tracing path, we call out to secure_computing() to allow
seccomp to check the syscall number being attempted. As part of this, a
SIGTRAP may be sent to the tracer and the syscall could be re-written by
a subsequent SET_SYSCALL ptrace request. Unfortunately, this new syscall
is ignored by the current code unless TIF_SYSCALL_TRACE is also set on
the current thread.

This patch slightly reworks the enter path of the syscall tracing code
so that we always reload the syscall number from
current_thread_info()->syscall after the potential ptrace traps.

Acked-by: Kees Cook <keescook@chromium.org>
Tested-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
10 years agoARM: add seccomp syscall
Kees Cook [Tue, 10 Jun 2014 22:40:23 +0000 (15:40 -0700)]
ARM: add seccomp syscall

Wires up the new seccomp syscall.

Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Conflicts:
arch/arm/include/uapi/asm/unistd.h
arch/arm/kernel/calls.S

Signed-off-by: Lee Campbell <leecam@chromium.org>
10 years agoseccomp: fix syscall numbers for x86 and x86_64
Lee Campbell [Wed, 8 Oct 2014 21:40:22 +0000 (14:40 -0700)]
seccomp: fix syscall numbers for x86 and x86_64

Correcting syscall numbers for seccomp

Signed-off-by: Lee Campbell <leecam@chromium.org>
10 years agoseccomp: Replace BUG(!spin_is_locked()) with assert_spin_lock
Guenter Roeck [Mon, 11 Aug 2014 03:50:30 +0000 (20:50 -0700)]
seccomp: Replace BUG(!spin_is_locked()) with assert_spin_lock

Current upstream kernel hangs with mips and powerpc targets in
uniprocessor mode if SECCOMP is configured.

Bisect points to commit dbd952127d11 ("seccomp: introduce writer locking").
Turns out that code such as
BUG_ON(!spin_is_locked(&list_lock));
can not be used in uniprocessor mode because spin_is_locked() always
returns false in this configuration, and that assert_spin_locked()
exists for that very purpose and must be used instead.

Fixes: dbd952127d11 ("seccomp: introduce writer locking")
Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Kees Cook <keescook@chromium.org>
10 years agoseccomp: implement SECCOMP_FILTER_FLAG_TSYNC
Kees Cook [Thu, 5 Jun 2014 07:23:17 +0000 (00:23 -0700)]
seccomp: implement SECCOMP_FILTER_FLAG_TSYNC

Applying restrictive seccomp filter programs to large or diverse
codebases often requires handling threads which may be started early in
the process lifetime (e.g., by code that is linked in). While it is
possible to apply permissive programs prior to process start up, it is
difficult to further restrict the kernel ABI to those threads after that
point.

This change adds a new seccomp syscall flag to SECCOMP_SET_MODE_FILTER for
synchronizing thread group seccomp filters at filter installation time.

When calling seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC,
filter) an attempt will be made to synchronize all threads in current's
threadgroup to its new seccomp filter program. This is possible iff all
threads are using a filter that is an ancestor to the filter current is
attempting to synchronize to. NULL filters (where the task is running as
SECCOMP_MODE_NONE) are also treated as ancestors allowing threads to be
transitioned into SECCOMP_MODE_FILTER. If prctrl(PR_SET_NO_NEW_PRIVS,
...) has been set on the calling thread, no_new_privs will be set for
all synchronized threads too. On success, 0 is returned. On failure,
the pid of one of the failing threads will be returned and no filters
will have been applied.

The race conditions against another thread are:
- requesting TSYNC (already handled by sighand lock)
- performing a clone (already handled by sighand lock)
- changing its filter (already handled by sighand lock)
- calling exec (handled by cred_guard_mutex)
The clone case is assisted by the fact that new threads will have their
seccomp state duplicated from their parent before appearing on the tasklist.

Holding cred_guard_mutex means that seccomp filters cannot be assigned
while in the middle of another thread's exec (potentially bypassing
no_new_privs or similar). The call to de_thread() may kill threads waiting
for the mutex.

Changes across threads to the filter pointer includes a barrier.

Based on patches by Will Drewry.

Suggested-by: Julien Tinnes <jln@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
10 years agoseccomp: allow mode setting across threads
Kees Cook [Fri, 27 Jun 2014 22:01:35 +0000 (15:01 -0700)]
seccomp: allow mode setting across threads

This changes the mode setting helper to allow threads to change the
seccomp mode from another thread. We must maintain barriers to keep
TIF_SECCOMP synchronized with the rest of the seccomp state.

Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
Conflicts:
kernel/seccomp.c

10 years agoseccomp: introduce writer locking
Kees Cook [Fri, 27 Jun 2014 22:18:48 +0000 (15:18 -0700)]
seccomp: introduce writer locking

Normally, task_struct.seccomp.filter is only ever read or modified by
the task that owns it (current). This property aids in fast access
during system call filtering as read access is lockless.

Updating the pointer from another task, however, opens up race
conditions. To allow cross-thread filter pointer updates, writes to the
seccomp fields are now protected by the sighand spinlock (which is shared
by all threads in the thread group). Read access remains lockless because
pointer updates themselves are atomic.  However, writes (or cloning)
often entail additional checking (like maximum instruction counts)
which require locking to perform safely.

In the case of cloning threads, the child is invisible to the system
until it enters the task list. To make sure a child can't be cloned from
a thread and left in a prior state, seccomp duplication is additionally
moved under the sighand lock. Then parent and child are certain have
the same seccomp state when they exit the lock.

Based on patches by Will Drewry and David Drysdale.

Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
Conflicts:
kernel/fork.c

10 years agoseccomp: split filter prep from check and apply
Kees Cook [Fri, 27 Jun 2014 22:16:33 +0000 (15:16 -0700)]
seccomp: split filter prep from check and apply

In preparation for adding seccomp locking, move filter creation away
from where it is checked and applied. This will allow for locking where
no memory allocation is happening. The validation, filter attachment,
and seccomp mode setting can all happen under the future locks.

For extreme defensiveness, I've added a BUG_ON check for the calculated
size of the buffer allocation in case BPF_MAXINSN ever changes, which
shouldn't ever happen. The compiler should actually optimize out this
check since the test above it makes it impossible.

Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
Conflicts:
kernel/seccomp.c

10 years agosched: move no_new_privs into new atomic flags
Kees Cook [Wed, 21 May 2014 22:23:46 +0000 (15:23 -0700)]
sched: move no_new_privs into new atomic flags

Since seccomp transitions between threads requires updates to the
no_new_privs flag to be atomic, the flag must be part of an atomic flag
set. This moves the nnp flag into a separate task field, and introduces
accessors.

Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
Conflicts:
kernel/sys.c

10 years agoseccomp: add "seccomp" syscall
Kees Cook [Wed, 25 Jun 2014 23:08:24 +0000 (16:08 -0700)]
seccomp: add "seccomp" syscall

This adds the new "seccomp" syscall with both an "operation" and "flags"
parameter for future expansion. The third argument is a pointer value,
used with the SECCOMP_SET_MODE_FILTER operation. Currently, flags must
be 0. This is functionally equivalent to prctl(PR_SET_SECCOMP, ...).

In addition to the TSYNC flag later in this patch series, there is a
non-zero chance that this syscall could be used for configuring a fixed
argument area for seccomp-tracer-aware processes to pass syscall arguments
in the future. Hence, the use of "seccomp" not simply "seccomp_add_filter"
for this syscall. Additionally, this syscall uses operation, flags,
and user pointer for arguments because strictly passing arguments via
a user pointer would mean seccomp itself would be unable to trivially
filter the seccomp syscall itself.

Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
Conflicts:
arch/x86/syscalls/syscall_32.tbl
arch/x86/syscalls/syscall_64.tbl
include/uapi/asm-generic/unistd.h
kernel/seccomp.c

And fixup of unistd32.h to truly enable sys_secomp.

Change-Id: I95bea02382c52007d22e5e9dc563c7d055c2c83f

10 years agoseccomp: split mode setting routines
Kees Cook [Wed, 25 Jun 2014 22:55:25 +0000 (15:55 -0700)]
seccomp: split mode setting routines

Separates the two mode setting paths to make things more readable with
fewer #ifdefs within function bodies.

Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
10 years agoseccomp: extract check/assign mode helpers
Kees Cook [Wed, 25 Jun 2014 22:38:02 +0000 (15:38 -0700)]
seccomp: extract check/assign mode helpers

To support splitting mode 1 from mode 2, extract the mode checking and
assignment logic into common functions.

Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
10 years agoseccomp: create internal mode-setting function
Kees Cook [Wed, 21 May 2014 22:02:11 +0000 (15:02 -0700)]
seccomp: create internal mode-setting function

In preparation for having other callers of the seccomp mode setting
logic, split the prctl entry point away from the core logic that performs
seccomp mode setting.

Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
10 years agointroduce for_each_thread() to replace the buggy while_each_thread()
Oleg Nesterov [Tue, 21 Jan 2014 23:49:56 +0000 (15:49 -0800)]
introduce for_each_thread() to replace the buggy while_each_thread()

while_each_thread() and next_thread() should die, almost every lockless
usage is wrong.

1. Unless g == current, the lockless while_each_thread() is not safe.

   while_each_thread(g, t) can loop forever if g exits, next_thread()
   can't reach the unhashed thread in this case. Note that this can
   happen even if g is the group leader, it can exec.

2. Even if while_each_thread() itself was correct, people often use
   it wrongly.

   It was never safe to just take rcu_read_lock() and loop unless
   you verify that pid_alive(g) == T, even the first next_thread()
   can point to the already freed/reused memory.

This patch adds signal_struct->thread_head and task->thread_node to
create the normal rcu-safe list with the stable head.  The new
for_each_thread(g, t) helper is always safe under rcu_read_lock() as
long as this task_struct can't go away.

Note: of course it is ugly to have both task_struct->thread_node and the
old task_struct->thread_group, we will kill it later, after we change
the users of while_each_thread() to use for_each_thread().

Perhaps we can kill it even before we convert all users, we can
reimplement next_thread(t) using the new thread_head/thread_node.  But
we can't do this right now because this will lead to subtle behavioural
changes.  For example, do/while_each_thread() always sees at least one
task, while for_each_thread() can do nothing if the whole thread group
has died.  Or thread_group_empty(), currently its semantics is not clear
unless thread_group_leader(p) and we need to audit the callers before we
can change it.

So this patch adds the new interface which has to coexist with the old
one for some time, hopefully the next changes will be more or less
straightforward and the old one will go away soon.

Bug 200004307

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Sergey Dyasly <dserrg@gmail.com>
Tested-by: Sergey Dyasly <dserrg@gmail.com>
Reviewed-by: Sameer Nanda <snanda@chromium.org>
Acked-by: David Rientjes <rientjes@google.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Mandeep Singh Baines <msb@chromium.org>
Cc: "Ma, Xindong" <xindong.ma@intel.com>
Cc: Michal Hocko <mhocko@suse.cz>
Cc: "Tu, Xiaobing" <xiaobing.tu@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 0c740d0afc3bff0a097ad03a1c8df92757516f5c)
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Change-Id: Id689cb1383ceba2561b66188d88258619b68f5c6
Reviewed-on: http://git-master/r/419041
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>
10 years agoarch: Introduce smp_load_acquire(), smp_store_release()
Peter Zijlstra [Wed, 6 Nov 2013 13:57:36 +0000 (14:57 +0100)]
arch: Introduce smp_load_acquire(), smp_store_release()

A number of situations currently require the heavyweight smp_mb(),
even though there is no need to order prior stores against later
loads.  Many architectures have much cheaper ways to handle these
situations, but the Linux kernel currently has no portable way
to make use of them.

This commit therefore supplies smp_load_acquire() and
smp_store_release() to remedy this situation.  The new
smp_load_acquire() primitive orders the specified load against
any subsequent reads or writes, while the new smp_store_release()
primitive orders the specifed store against any prior reads or
writes.  These primitives allow array-based circular FIFOs to be
implemented without an smp_mb(), and also allow a theoretical
hole in rcu_assign_pointer() to be closed at no additional
expense on most architectures.

In addition, the RCU experience transitioning from explicit
smp_read_barrier_depends() and smp_wmb() to rcu_dereference()
and rcu_assign_pointer(), respectively resulted in substantial
improvements in readability.  It therefore seems likely that
replacing other explicit barriers with smp_load_acquire() and
smp_store_release() will provide similar benefits.  It appears
that roughly half of the explicit barriers in core kernel code
might be so replaced.

[Changelog by PaulMck]
(cherry picked from commit 47933ad41a86a4a9b50bed7c9b9bd2ba242aac63)

Reviewed-by: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Signed-off-by: Peter Zijlstra <peterz@infradead.org>
Acked-by: Will Deacon <will.deacon@arm.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Mathieu Desnoyers <mathieu.desnoyers@polymtl.ca>
Cc: Michael Ellerman <michael@ellerman.id.au>
Cc: Michael Neuling <mikey@neuling.org>
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Victor Kaplansky <VICTORK@il.ibm.com>
Cc: Tony Luck <tony.luck@intel.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Link: http://lkml.kernel.org/r/20131213150640.908486364@infradead.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>