firefly-linux-kernel-4.4.55.git
10 years agoandroid: base-cfg: disable LOGGER
Mark Salyzyn [Fri, 6 Jun 2014 19:06:42 +0000 (12:06 -0700)]
android: base-cfg: disable LOGGER

Bug: 15384806
Change-Id: If8d324ffdb4ebd56e5d68876f8e229547e20eaf4
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
10 years agonet: Fix "ip rule delete table 256"
Andreas Henriksson [Thu, 7 Nov 2013 17:26:38 +0000 (18:26 +0100)]
net: Fix "ip rule delete table 256"

[ Upstream commit 13eb2ab2d33c57ebddc57437a7d341995fc9138c ]

When trying to delete a table >= 256 using iproute2 the local table
will be deleted.
The table id is specified as a netlink attribute when it needs more then
8 bits and iproute2 then sets the table field to RT_TABLE_UNSPEC (0).
Preconditions to matching the table id in the rule delete code
doesn't seem to take the "table id in netlink attribute" into condition
so the frh_get_table helper function never gets to do its job when
matching against current rule.
Use the helper function twice instead of peaking at the table value directly.

Originally reported at: http://bugs.debian.org/724783

Reported-by: Nicolas HICHER <nhicher@avencall.com>
Signed-off-by: Andreas Henriksson <andreas@fatal.se>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
10 years agonet: support marking accepting TCP sockets
Lorenzo Colitti [Wed, 26 Mar 2014 04:03:12 +0000 (13:03 +0900)]
net: support marking accepting TCP sockets

When using mark-based routing, sockets returned from accept()
may need to be marked differently depending on the incoming
connection request.

This is the case, for example, if different socket marks identify
different networks: a listening socket may want to accept
connections from all networks, but each connection should be
marked with the network that the request came in on, so that
subsequent packets are sent on the correct network.

This patch adds a sysctl to mark TCP sockets based on the fwmark
of the incoming SYN packet. If enabled, and an unmarked socket
receives a SYN, then the SYN packet's fwmark is written to the
connection's inet_request_sock, and later written back to the
accepted socket when the connection is established.  If the
socket already has a nonzero mark, then the behaviour is the same
as it is today, i.e., the listening socket's fwmark is used.

Black-box tested using user-mode linux:

- IPv4/IPv6 SYN+ACK, FIN, etc. packets are routed based on the
  mark of the incoming SYN packet.
- The socket returned by accept() is marked with the mark of the
  incoming SYN packet.
- Tested with syncookies=1 and syncookies=2.

Change-Id: I26bc1eceefd2c588d73b921865ab70e4645ade57
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
10 years agonet: Use fwmark reflection in PMTU discovery.
Lorenzo Colitti [Sat, 10 May 2014 02:56:37 +0000 (11:56 +0900)]
net: Use fwmark reflection in PMTU discovery.

Currently, routing lookups used for Path PMTU Discovery in
absence of a socket or on unmarked sockets use a mark of 0.
This causes PMTUD not to work when using routing based on
netfilter fwmark mangling and fwmark ip rules, such as:

  iptables -j MARK --set-mark 17
  ip rule add fwmark 17 lookup 100

This patch causes these route lookups to use the fwmark from the
received ICMP error when the fwmark_reflect sysctl is enabled.
This allows the administrator to make PMTUD work by configuring
appropriate fwmark rules to mark the inbound ICMP packets.

Black-box tested using user-mode linux by pointing different
fwmarks at routing tables egressing on different interfaces, and
using iptables mangling to mark packets inbound on each interface
with the interface's fwmark. ICMPv4 and ICMPv6 PMTU discovery
work as expected when mark reflection is enabled and fail when
it is disabled.

Change-Id: Id7fefb7ec1ff7f5142fba43db1960b050e0dfaec
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
10 years agonet: add a sysctl to reflect the fwmark on replies
Lorenzo Colitti [Tue, 18 Mar 2014 11:52:27 +0000 (20:52 +0900)]
net: add a sysctl to reflect the fwmark on replies

Kernel-originated IP packets that have no user socket associated
with them (e.g., ICMP errors and echo replies, TCP RSTs, etc.)
are emitted with a mark of zero. Add a sysctl to make them have
the same mark as the packet they are replying to.

This allows an administrator that wishes to do so to use
mark-based routing, firewalling, etc. for these replies by
marking the original packets inbound.

Tested using user-mode linux:
 - ICMP/ICMPv6 echo replies and errors.
 - TCP RST packets (IPv4 and IPv6).

Change-Id: I6873d973196797bcf32e2e91976df647c7e8b85a
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
10 years agonet: ipv6: autoconf routes into per-device tables
Lorenzo Colitti [Wed, 26 Mar 2014 10:35:41 +0000 (19:35 +0900)]
net: ipv6: autoconf routes into per-device tables

Currently, IPv6 router discovery always puts routes into
RT6_TABLE_MAIN. This causes problems for connection managers
that want to support multiple simultaneous network connections
and want control over which one is used by default (e.g., wifi
and wired).

To work around this connection managers typically take the routes
they prefer and copy them to static routes with low metrics in
the main table. This puts the burden on the connection manager
to watch netlink to see if the routes have changed, delete the
routes when their lifetime expires, etc.

Instead, this patch adds a per-interface sysctl to have the
kernel put autoconf routes into different tables. This allows
each interface to have its own autoconf table, and choosing the
default interface (or using different interfaces at the same
time for different types of traffic) can be done using
appropriate ip rules.

The sysctl behaves as follows:

- = 0: default. Put routes into RT6_TABLE_MAIN as before.
- > 0: manual. Put routes into the specified table.
- < 0: automatic. Add the absolute value of the sysctl to the
       device's ifindex, and use that table.

The automatic mode is most useful in conjunction with
net.ipv6.conf.default.accept_ra_rt_table. A connection manager
or distribution could set it to, say, -100 on boot, and
thereafter just use IP rules.

Change-Id: I82d16e3737d9cdfa6489e649e247894d0d60cbb1
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
10 years agonet: ipv6: ping: Use socket mark in routing lookup
Lorenzo Colitti [Thu, 27 Feb 2014 04:38:26 +0000 (13:38 +0900)]
net: ipv6: ping: Use socket mark in routing lookup

Change-Id: I5a61e0f9f22f193c51b1aafd270fb0642a2e0fab
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agon_tty: Fix n_tty_write crash when echoing in raw mode
Peter Hurley [Wed, 14 May 2014 03:07:33 +0000 (20:07 -0700)]
n_tty: Fix n_tty_write crash when echoing in raw mode

commit 4291086b1f081b869c6d79e5b7441633dc3ace00 upstream.

The tty atomic_write_lock does not provide an exclusion guarantee for
the tty driver if the termios settings are LECHO & !OPOST.  And since
it is unexpected and not allowed to call TTY buffer helpers like
tty_insert_flip_string concurrently, this may lead to crashes when
concurrect writers call pty_write. In that case the following two
writers:
* the ECHOing from a workqueue and
* pty_write from the process
race and can overflow the corresponding TTY buffer like follows.

If we look into tty_insert_flip_string_fixed_flag, there is:
  int space = __tty_buffer_request_room(port, goal, flags);
  struct tty_buffer *tb = port->buf.tail;
  ...
  memcpy(char_buf_ptr(tb, tb->used), chars, space);
  ...
  tb->used += space;

so the race of the two can result in something like this:
              A                                B
__tty_buffer_request_room
                                  __tty_buffer_request_room
memcpy(buf(tb->used), ...)
tb->used += space;
                                  memcpy(buf(tb->used), ...) ->BOOM

B's memcpy is past the tty_buffer due to the previous A's tb->used
increment.

Since the N_TTY line discipline input processing can output
concurrently with a tty write, obtain the N_TTY ldisc output_lock to
serialize echo output with normal tty writes.  This ensures the tty
buffer helper tty_insert_flip_string is not called concurrently and
everything is fine.

Note that this is nicely reproducible by an ordinary user using
forkpty and some setup around that (raw termios + ECHO). And it is
present in kernels at least after commit
d945cb9cce20ac7143c2de8d88b187f62db99bdc (pty: Rework the pty layer to
use the normal buffering logic) in 2.6.31-rc3.

js: add more info to the commit log
js: switch to bool
js: lock unconditionally
js: lock only the tty->ops->write call

References: CVE-2014-0196
Reported-and-tested-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cherry-picked from
 git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git
branch: stable/linux-3.10.y
commit: abb5100737bba3f82b5514350fea89ca361ac66c

Change-Id: I81e79fe209f5c7b25cac35189a44286e5a9ddac0
Signed-off-by: JP Abgrall <jpa@google.com>
10 years agoinput: Changed keyreset to act as a wrapper for keycombo.
Daniel Rosenberg [Wed, 7 May 2014 21:17:47 +0000 (14:17 -0700)]
input: Changed keyreset to act as a wrapper for keycombo.

keyreset now registers a keycombo driver that acts as the old
keyreset driver acted.

Change-Id: I08f5279e3a33b267571b699697f9f54508868983
Signed-off-by: Daniel Rosenberg <drosen@google.com>
10 years agoinput: add keycombo, a general key combo driver.
Daniel Rosenberg [Wed, 7 May 2014 23:52:10 +0000 (16:52 -0700)]
input: add keycombo, a general key combo driver.

Keycombo lets you provide a key up and key down function, and an
optional time delay for key down. The driver will call the key
down function after the specified key combo has been held for the
speicified time delay. After you release the combo, if the key down
has happened, it calls key up.

Change-Id: I6a9a94e96a8f58fadd908fd1dc7944b9102a089f
Signed-off-by: Daniel Rosenberg <drosen@google.com>
10 years agofiq_debugger: Add fiq_watchdog_triggered api
Arve Hjønnevåg [Sat, 3 May 2014 03:31:07 +0000 (20:31 -0700)]
fiq_debugger: Add fiq_watchdog_triggered api

Dumps registers and stacktrace into console-ramoops when called
from a watchdog fiq.

Change-Id: Ib6fab5a52f670db18e64214d5e4890e8292a749c
Signed-off-by: Arve Hjønnevåg <arve@android.com>
10 years agopstore/ram: Add ramoops_console_write_buf api
Arve Hjønnevåg [Sat, 3 May 2014 03:23:21 +0000 (20:23 -0700)]
pstore/ram: Add ramoops_console_write_buf api

Allow writing into the ramoops console buffer.

Change-Id: Iff0d69b562e4dae33ea7f8d19412227bebb17e47
Signed-off-by: Arve Hjønnevåg <arve@android.com>
10 years agofiq_debugger: Call fiq_debugger_printf through a function pointer from cpu specific...
Arve Hjønnevåg [Sat, 3 May 2014 02:52:54 +0000 (19:52 -0700)]
fiq_debugger: Call fiq_debugger_printf through a function pointer from cpu specific code

This allows the output from the register and stack trace code to be
sent elsewhere.

Change-Id: I41bb0d5a25e1b9ca55feef5dbd675818b2f832d5
Signed-off-by: Arve Hjønnevåg <arve@android.com>
10 years agovideo: adf: fbdev: add stubs for kernels without ADF_FBDEV
Greg Hackmann [Tue, 29 Apr 2014 18:18:45 +0000 (11:18 -0700)]
video: adf: fbdev: add stubs for kernels without ADF_FBDEV

Change-Id: I42e087cddc29f6b93749791606e80dbd3e6f59ce
Signed-off-by: Greg Hackmann <ghackmann@google.com>
10 years agovideo: adf: memblock: map buffer for dma
Greg Hackmann [Tue, 29 Apr 2014 00:00:44 +0000 (17:00 -0700)]
video: adf: memblock: map buffer for dma

Change-Id: I4df13c8b45b57fd0594b5e7bf351a4da33a8cb11
Signed-off-by: Greg Hackmann <ghackmann@google.com>
10 years agoselinux: Report permissive mode in avc: denied messages.
Stephen Smalley [Tue, 29 Apr 2014 18:29:04 +0000 (11:29 -0700)]
selinux: Report permissive mode in avc: denied messages.

We cannot presently tell from an avc: denied message whether access was in
fact denied or was allowed due to global or per-domain permissive mode.
Add a permissive= field to the avc message to reflect this information.

Change-Id: I78176f8184e01226ece12f0eb38760cdcdc1ff87
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
10 years agoHID: add missing hid usages mappings
Mathieu Meisser [Fri, 11 Apr 2014 15:42:19 +0000 (17:42 +0200)]
HID: add missing hid usages mappings

Integrate several new definitions (not code) that
add additional hid mappings from the HID HUT 1.12
and approved additional requests.

Additions are taken from the commits in the
linux-input upstream: f362e692a4d8153b5a7ab,
358f247701ba53d09bbfdaf8036d5820e4da443255

Change-Id: Id0e1cff5828062009b4f94c987ac91f88f14652e
Signed-off-by: Mathieu Meisser <mmeisser@logitech.com>
Signed-off-by: Olivier Gay <ogay@logitech.com>
10 years agonet: ipv4: current group_info should be put after using.
Wang, Xiaoming [Mon, 14 Apr 2014 16:30:45 +0000 (12:30 -0400)]
net: ipv4: current group_info should be put after using.

Plug a group_info refcount leak in ping_init.
group_info is only needed during initialization and
the code failed to release the reference on exit.
While here move grabbing the reference to a place
where it is actually needed.

Signed-off-by: Chuansheng Liu <chuansheng.liu@intel.com>
Signed-off-by: Zhang Dongxing <dongxing.zhang@intel.com>
Signed-off-by: xiaoming wang <xiaoming.wang@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoPower: Changes the permission to read only for sysfs file
Ruchi Kandoi [Thu, 24 Apr 2014 21:31:57 +0000 (14:31 -0700)]
Power: Changes the permission to read only for sysfs file
/sys/kernel/wakeup_reasons/last_resume_reason

Change-Id: I8ac568a7cb58c31decd379195de517ff3c6f9c65
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
10 years agonf: Remove compilation error caused by
Ruchi Kandoi [Thu, 24 Apr 2014 21:07:53 +0000 (14:07 -0700)]
nf: Remove compilation error caused by
e8430cbed3ef15fdb1ac26cfd020e010aa5f1c35

Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
10 years agocope with potentially long ->d_dname() output for shmem/hugetlb
Al Viro [Sat, 24 Aug 2013 16:08:17 +0000 (12:08 -0400)]
cope with potentially long ->d_dname() output for shmem/hugetlb

commit 118b23022512eb2f41ce42db70dc0568d00be4ba upstream.

dynamic_dname() is both too much and too little for those - the
output may be well in excess of 64 bytes dynamic_dname() assumes
to be enough (thanks to ashmem feeding really long names to
shmem_file_setup()) and vsnprintf() is an overkill for those
guys.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: Colin Cross <ccross@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I70970c6125f377048664eb5bde08f3fae29aa348

10 years agovideo: adf: use rb_erase in adf_obj_destroy.
Alistair Strachan [Mon, 21 Apr 2014 20:09:23 +0000 (13:09 -0700)]
video: adf: use rb_erase in adf_obj_destroy.

Not calling rb_erase() can cause slab corruption, as the rb_first() call
after kfree() in adf_obj_destroy() can return the same node twice unless
it is erased.

This problem was reproduced by unloading a kernel module that used the
adf framework *after* a vsync event was registered. A crash would occur
in rb_first(). (Just loading and immediately unloading the module without
the vsync event worked correctly.)

Change-Id: I9fa7cb5d7519691e38a281439844aa193da13d1b
Signed-off-by: Alistair Strachan <alistair.strachan@imgtec.com>
Cc: Jonathan Hamilton <jonathan.hamilton@imgtec.com>
Cc: Greg Hackmann <ghackmann@google.com>
10 years agonf: IDLETIMER: time-stamp and suspend/resume handling.
Ruchi Kandoi [Tue, 25 Mar 2014 23:43:28 +0000 (16:43 -0700)]
nf: IDLETIMER: time-stamp and suspend/resume handling.

Message notifications contains an additional timestamp field in nano seconds.
The expiry time for the timers are modified during suspend/resume.
If timer was supposed to expire while the system is suspended then a
notification is sent when it resumes with the timestamp of the scheduled expiry.

Removes the race condition for multiple work scheduled.

Bug: 13247811

Change-Id: I752c5b00225fe7085482819f975cc0eb5af89bff
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
10 years agoprctl: adds PR_SET_TIMERSLACK_PID for setting timer slack of an arbitrary thread.
Ruchi Kandoi [Fri, 18 Apr 2014 21:07:28 +0000 (14:07 -0700)]
prctl: adds PR_SET_TIMERSLACK_PID for setting timer slack of an arbitrary thread.

Second argument is similar to PR_SET_TIMERSLACK, if non-zero then the
slack is set to that value otherwise sets it to the default for the thread.

Takes PID of the thread as the third argument.

This allows power/performance management software to set timer slack for
other threads according to its policy for the thread (such as when the
thread is designated foreground vs. background activity)

Change-Id: I744d451ff4e60dae69f38f53948ff36c51c14a3f
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
10 years agoof: fix CONFIG_CMDLINE_EXTEND
Colin Cross [Thu, 7 Mar 2013 03:10:29 +0000 (19:10 -0800)]
of: fix CONFIG_CMDLINE_EXTEND

strlcat takes the size of the buffer, not the number of characters
to concatenate.  If the size of the device tree command line p is
larger than the CONFIG_CMDLINE string data, then strcat(data, p, l)
will hit a BUG_ON because strlen(data) > l.

Replace the second strlcat with a strncpy plus a manual null
termination.

Also rearrange the code to reduce indent depth to make it more
readable, and replace data with a char *cmdline to avoid extra
casts.

Signed-off-by: Colin Cross <ccross@android.com>
10 years agofiq_debugger: add ARM64 support
Colin Cross [Thu, 3 Apr 2014 01:49:39 +0000 (18:49 -0700)]
fiq_debugger: add ARM64 support

Add fiq_debugger_arm64.c that implements the platform-specific
functions.

Change-Id: I4d8b96777bb8503a93d4eb47bbde8e018740a5bf
Signed-off-by: Colin Cross <ccross@android.com>
10 years agofiq_debugger: split arm support into fiq_debugger_arm.c
Colin Cross [Thu, 3 Apr 2014 01:42:13 +0000 (18:42 -0700)]
fiq_debugger: split arm support into fiq_debugger_arm.c

Split arm support into a separate .c file that is only built for
CONFIG_ARM.

Change-Id: Iba16f4d51608bf9c3e5c8acefefcd38fead9797c
Signed-off-by: Colin Cross <ccross@android.com>
10 years agofiq_debugger: use pt_regs for registers
Colin Cross [Sat, 5 Apr 2014 00:05:19 +0000 (17:05 -0700)]
fiq_debugger: use pt_regs for registers

IRQ mode already passes in a struct pt_regs from get_irq_regs().
FIQ mode passes in something similar but not identical to a
struct pt_regs - FIQ mode stores the spsr of the interrupted mode
in slot 17, while pt_regs expects orig_r0.

Replace the existing mixture of void *regs, unsigned *regs, and
struct pt_regs * const with const struct pt_regs *.  Modify
dump_regs not to print the spsr since it won't be there in a
struct pt_regs anyways.  Modify dump_allregs to highlight the
mode that was interrupted, making spsr easy to find there.

Change-Id: Ibfe1723d702306c7605fd071737d7be9ee9d8c12
Signed-off-by: Colin Cross <ccross@android.com>
10 years agofiq_debugger: allow compiling without CONFIG_FIQ_GLUE
Colin Cross [Thu, 3 Apr 2014 01:37:29 +0000 (18:37 -0700)]
fiq_debugger: allow compiling without CONFIG_FIQ_GLUE

Allow compiling fiq_debugger.c without CONFIG_FIQ_GLUE for
platforms that don't support FIQs.

Change-Id: Iabdfd790d24fa9d47b29d2f850c567af2dcad78f
Signed-off-by: Colin Cross <ccross@android.com>
10 years agofiq_debugger: rename debug->fiq_debugger
Colin Cross [Sat, 5 Apr 2014 05:58:23 +0000 (22:58 -0700)]
fiq_debugger: rename debug->fiq_debugger

Rename variables and functions in the global namespace to avoid
future collisions.

Change-Id: Ic23a304b0f794efc94cc6d086fddd63231d99c98
Signed-off-by: Colin Cross <ccross@android.com>
10 years agofiq_debugger: move into drivers/staging/android/fiq_debugger/
Colin Cross [Thu, 3 Apr 2014 01:30:04 +0000 (18:30 -0700)]
fiq_debugger: move into drivers/staging/android/fiq_debugger/

Move fiq_debugger into drivers/staging/android/fiq_debugger/ to
allow for sharing between ARM and ARM64.

Change-Id: I6ca5e8b7e3d000f57da3234260261c5592cef2a8
Signed-off-by: Colin Cross <ccross@android.com>
10 years agocpufreq: interactive: remove compilation error from commit
Ruchi Kandoi [Wed, 9 Apr 2014 23:47:59 +0000 (16:47 -0700)]
cpufreq: interactive: remove compilation error from commit
49cc72365fb7ee87762a7ccc6a32ef68627216c5

Change-Id: I068b18281d03ac879ef64d8ff36ed43367293767
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
10 years agocpufreq: interactive: turn boost_pulse off on boost off
Ruchi Kandoi [Thu, 3 Apr 2014 22:39:23 +0000 (15:39 -0700)]
cpufreq: interactive: turn boost_pulse off on boost off

Change-Id: I36fe217fa047d68ea90e78b12c7db4537ea8010b
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
10 years agocpufreq: interactive: restructure CPUFREQ_GOV_LIMITS
Badhri Jagan Sridharan [Tue, 8 Apr 2014 01:26:30 +0000 (18:26 -0700)]
cpufreq: interactive: restructure CPUFREQ_GOV_LIMITS

The cpufreq_interactive_timer gets cancelled and rescheduled
whenever the cpufreq_policy is changed. When the cpufreq policy is
changed at a rate faster than the sampling_rate of the interactive
governor, then the governor misses to change the target frequency
for long duration. The patch removes the need of cancelling the
timers when policy->min is changed.

Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
Change-Id: Ibd98d151e1c73b8bd969484583ff98ee9f1135ef

10 years agovideo: adf: adf_memblock_export symbol should be exported
Greg Hackmann [Tue, 8 Apr 2014 20:07:29 +0000 (13:07 -0700)]
video: adf: adf_memblock_export symbol should be exported

Change-Id: I228db28da885b47b6fa9fc7e4001663797d24f49
Signed-off-by: Greg Hackmann <ghackmann@google.com>
10 years agovideo: adf: add buffer padding quirk
Greg Hackmann [Tue, 8 Apr 2014 19:36:41 +0000 (12:36 -0700)]
video: adf: add buffer padding quirk

Quirks specify common behaviors that vary slightly among devices, and
which ADF must account for.

The buffer padding quirk captures the way different devices fetch the
last scanline in a buffer: some devices fetch an entire line (including
padding to the pitch) while others only fetch up to the visible width.
ADF's buffer size validation now takes this quirk into account.

Change-Id: I828b13316e27621d8a9efd9d5fffa6ce12a525ff
Signed-off-by: Greg Hackmann <ghackmann@google.com>
10 years agovideo: adf: document adf_format_validate_yuv's origin
Greg Hackmann [Tue, 8 Apr 2014 19:25:12 +0000 (12:25 -0700)]
video: adf: document adf_format_validate_yuv's origin

Change-Id: I929045a96a56bdb2c915be92b8ef11b560f3ab79
Signed-off-by: Greg Hackmann <ghackmann@google.com>
10 years agoARM64: copy CONFIG_CMDLINE_EXTEND from ARM
Colin Cross [Thu, 3 Apr 2014 01:02:15 +0000 (18:02 -0700)]
ARM64: copy CONFIG_CMDLINE_EXTEND from ARM

Copy the config choice for CONFIG_CMDLINE_EXTEND from
arch/arm/Kconfig, including CONFIG_CMDLINE_FROM_BOOTLOADER
as the default.  These will be used by drivers/of/fdt.c.

Change-Id: I8416038498ddf8fc1e99ab06109825eb1492aa7f
Signed-off-by: Colin Cross <ccross@android.com>
10 years agoof: Support CONFIG_CMDLINE_EXTEND config option
Doug Anderson [Fri, 3 Feb 2012 06:58:28 +0000 (22:58 -0800)]
of: Support CONFIG_CMDLINE_EXTEND config option

The old logic assumes CMDLINE_FROM_BOOTLOADER vs. CMDLINE_FORCE and
ignores CMDLINE_EXTEND.  Here's the old logic:

- CONFIG_CMDLINE_FORCE=true
    CONFIG_CMDLINE
- dt bootargs=non-empty:
    dt bootargs
- dt bootargs=empty, @data is non-empty string
    @data is left unchanged
- dt bootargs=empty, @data is empty string
    CONFIG_CMDLINE (or "" if that's not defined)

The new logic is now documented in of_fdt.h and is copied here for
reference:

- CONFIG_CMDLINE_FORCE=true
    CONFIG_CMDLINE
- CONFIG_CMDLINE_EXTEND=true, @data is non-empty string
    @data + dt bootargs (even if dt bootargs are empty)
- CONFIG_CMDLINE_EXTEND=true, @data is empty string
    CONFIG_CMDLINE + dt bootargs (even if dt bootargs are empty)
- CMDLINE_FROM_BOOTLOADER=true, dt bootargs=non-empty:
    dt bootargs
- CMDLINE_FROM_BOOTLOADER=true, dt bootargs=empty, @data is non-empty string
    @data is left unchanged
- CMDLINE_FROM_BOOTLOADER=true, dt bootargs=empty, @data is empty string
    CONFIG_CMDLINE (or "" if that's not defined)

Signed-off-by: Doug Anderson <dianders@chromium.org>
CC: devicetree-discuss@lists.ozlabs.org
CC: Grant Likely <grant.likely@secretlab.ca>
CC: Benjamin Herrenschmidt <benh@kernel.crashing.org>
CC: Rob Herring <rob.herring@calxeda.com>
Change-Id: I40ace250847f813358125dfcaa8998fd32cf7ea3
Signed-off-by: Colin Cross <ccross@android.com>
10 years agovideo: adf: ensure consistent alignment on userspace facing structs
Greg Hackmann [Wed, 26 Mar 2014 23:43:23 +0000 (16:43 -0700)]
video: adf: ensure consistent alignment on userspace facing structs

64-bit types in structs create alignment problems when a 32-bit x86
userspace talks to an x86_64 kernel.  In most cases the 64-bit types can
be replaced with 32-bit ones, since they're being used for fds and
should have been __s32 in the first place.  For adf_vsync_event,
alignment can be enforced by making the timestamp an __aligned_u64.

Change-Id: I87cf73d8f57730bd7bb43ffce6b7b411eb0ff198
Signed-off-by: Greg Hackmann <ghackmann@google.com>
10 years agovideo: adf: replace fbdev helper's open flag with refcount
Greg Hackmann [Mon, 24 Mar 2014 23:45:43 +0000 (16:45 -0700)]
video: adf: replace fbdev helper's open flag with refcount

A device's fb_info is shared between clients.  fb_release() is called
when each client is released, not just the last one.  Since the fbdev
helper needs to release its dma-buf when the last client goes away, it
must keep its own reference count.

fbmem and fbcon hold different locks while calling fb_release(), so
explicit locking is needed.

Change-Id: I42cd659f7633adba7c11f407d4b594bd43305d6a
Signed-off-by: Greg Hackmann <ghackmann@google.com>
10 years agoARM64: add option to build Image.gz/dtb combo
Alex Ray [Mon, 17 Mar 2014 20:44:01 +0000 (13:44 -0700)]
ARM64: add option to build Image.gz/dtb combo

Allows a defconfig to set a list of dtbs to concatenate with an
Image.gz to create a Image.gz-dtb.

Change-Id: I0dc3935e57f01b517aa64eda0c27b0101e9ea3b2
Signed-off-by: Alex Ray <aray@google.com>
10 years agostaging: android: Fix typo in staging/android
Masanari Iida [Sun, 23 Jun 2013 14:47:15 +0000 (23:47 +0900)]
staging: android: Fix typo in staging/android

Fix "with with" in debug message.

Issue: ABIT-21
Change-Id: Icd0b195524f4c77272276991a1e8a00aecef65c9
Signed-off-by: Masanari Iida <standby24x7@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Qiming Shi <qiming.shi@intel.com>
Signed-off-by: Jun Tian <jun.j.tian@intel.com>
10 years agovideo: adf: export the adf_attachment_allow symbol to modules.
Alistair Strachan [Tue, 11 Mar 2014 00:00:25 +0000 (17:00 -0700)]
video: adf: export the adf_attachment_allow symbol to modules.

There are no in-tree users of adf_attachment_allow, but out-of-tree
modules want to use it. It looks like this function should be
EXPORT_SYMBOL.

Change-Id: Iad522dc5d32ac09fec6483bbc317db8ecae12e97
Signed-off-by: Alistair Strachan <alistair.strachan@imgtec.com>
10 years agopower: wakeup_reason: rename irq_count to irqcount
Greg Hackmann [Mon, 10 Mar 2014 21:21:30 +0000 (14:21 -0700)]
power: wakeup_reason: rename irq_count to irqcount

On x86, irq_count conflicts with a declaration in
arch/x86/include/asm/processor.h

Change-Id: I3e4fde0ff64ef59ff5ed2adc0ea3a644641ee0b7
Signed-off-by: Greg Hackmann <ghackmann@google.com>
10 years agoPower: Add guard condition for maximum wakeup reasons
Ruchi Kandoi [Fri, 7 Mar 2014 20:54:30 +0000 (12:54 -0800)]
Power: Add guard condition for maximum wakeup reasons

Ensure the array for the wakeup reason IRQs does not overflow.

Change-Id: Iddc57a3aeb1888f39d4e7b004164611803a4d37c
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
(cherry picked from commit b5ea40cdfcf38296535f931a7e5e7bf47b6fad7f)

10 years agoandroid: base-cfg: enable DM_VERITY (used for secureboot)
JP Abgrall [Fri, 28 Feb 2014 03:38:14 +0000 (19:38 -0800)]
android: base-cfg: enable DM_VERITY (used for secureboot)

Change-Id: I68d769f97ffa76bb45e65d34a96dd7f558c02d08
Signed-off-by: JP Abgrall <jpa@google.com>
10 years agoarm64: cmpxchg: update macros to prevent warnings
Mark Hambleton [Tue, 3 Dec 2013 19:19:12 +0000 (19:19 +0000)]
arm64: cmpxchg: update macros to prevent warnings

Make sure the value we are going to return is referenced in order to
avoid warnings from newer GCCs such as:

arch/arm64/include/asm/cmpxchg.h:162:3: warning: value computed is not used [-Wunused-value]
  ((__typeof__(*(ptr)))__cmpxchg_mb((ptr),   \
   ^
net/netfilter/nf_conntrack_core.c:674:2: note: in expansion of macro ‘cmpxchg’
  cmpxchg(&nf_conntrack_hash_rnd, 0, rand);

[Modified to use the current underlying implementation as current
mainline for both cmpxchg() and cmpxchg_local() does -- broonie]

Signed-off-by: Mark Hambleton <mahamble@broadcom.com>
Signed-off-by: Mark Brown <broonie@linaro.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
10 years agodrivers: usb: gadget: 64-bit related type fixes
Greg Hackmann [Mon, 24 Feb 2014 18:19:13 +0000 (10:19 -0800)]
drivers: usb: gadget: 64-bit related type fixes

Change-Id: I2f9b12e1e0cdfe64ffe20db78d319a6221821184
Signed-off-by: Greg Hackmann <ghackmann@google.com>
10 years agonetfilter: xt_qtaguid: 64-bit warning fixes
Greg Hackmann [Mon, 24 Feb 2014 17:39:46 +0000 (09:39 -0800)]
netfilter: xt_qtaguid: 64-bit warning fixes

Change-Id: I2adc517c0c51050ed601992fa0ea4de8f1449414
Signed-off-by: Greg Hackmann <ghackmann@google.com>
10 years agoStaging: android: binder: More offset validation.
Arve Hjønnevåg [Fri, 14 Feb 2014 04:25:06 +0000 (20:25 -0800)]
Staging: android: binder: More offset validation.

Make sure offsets don't point to overlapping flat_binder_object
structs.

Change-Id: I425ab0c46fbe2b00ed679c5becf9e8140395eb40
Signed-off-by: Arve Hjønnevåg <arve@android.com>
10 years agoPOWER: fix compile warnings in log_wakeup_reason
Ruchi Kandoi [Fri, 21 Feb 2014 03:47:38 +0000 (19:47 -0800)]
POWER: fix compile warnings in log_wakeup_reason

Change I81addaf420f1338255c5d0638b0d244a99d777d1 introduced compile
warnings, fix these.

Change-Id: I05482a5335599ab96c0a088a7d175c8d4cf1cf69
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
10 years agoPower: add an API to log wakeup reasons
Ruchi Kandoi [Wed, 19 Feb 2014 23:30:47 +0000 (15:30 -0800)]
Power: add an API to log wakeup reasons

Add API log_wakeup_reason() and expose it to userspace via sysfs path
/sys/kernel/wakeup_reasons/last_resume_reason

Change-Id: I81addaf420f1338255c5d0638b0d244a99d777d1
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
10 years agoandroid: configs: add systrace support to recommended configs
Rom Lemarchand [Thu, 20 Feb 2014 02:01:37 +0000 (18:01 -0800)]
android: configs: add systrace support to recommended configs

Change-Id: I4a6e88f47803e88b0ce2d913be4aeb299ca858b4
Signed-off-by: Rom Lemarchand <romlem@android.com>
10 years agovideo: adf: use %zu when printing size_t
Greg Hackmann [Fri, 14 Feb 2014 23:35:38 +0000 (15:35 -0800)]
video: adf: use %zu when printing size_t

Change-Id: I9cf7ebc368bad0a83db9e5aa370feadf117b21c0
Signed-off-by: Greg Hackmann <ghackmann@google.com>
10 years agovideo: adf: fix compat ioctls calling ioctl with wrong cmd
Greg Hackmann [Fri, 14 Feb 2014 23:38:49 +0000 (15:38 -0800)]
video: adf: fix compat ioctls calling ioctl with wrong cmd

Change-Id: Icdbac3edd123b3114103dc138a60e6955006cda4
Signed-off-by: Greg Hackmann <ghackmann@google.com>
10 years agovideo: adf: use ADF_IOCTL_TYPE in compat ioctl definitions
Greg Hackmann [Fri, 14 Feb 2014 23:39:52 +0000 (15:39 -0800)]
video: adf: use ADF_IOCTL_TYPE in compat ioctl definitions

Change-Id: I7451a282d9d972c9957568b366c164b67b4b47e8
Signed-off-by: Greg Hackmann <ghackmann@google.com>
10 years agoStaging: android: binder: Fix death notifications
Arve Hjønnevåg [Sat, 8 Feb 2014 01:46:21 +0000 (17:46 -0800)]
Staging: android: binder: Fix death notifications

The change (008fa749e0fe5b2fffd20b7fe4891bb80d072c6a) that moved the
node release code to a separate function broke death notifications in
some cases. When it encountered a reference without a death
notification request, it would skip looking at the remaining
references, and therefore fail to send death notifications for them.

Change-Id: I12083a50709ccc30ba11a5f4d9eeb5f0ff4471c6
Signed-off-by: Arve Hjønnevåg <arve@android.com>
10 years agofix false disconnect due to a signal sent to the reading process
keunyoung [Wed, 29 Jan 2014 20:41:50 +0000 (12:41 -0800)]
fix false disconnect due to a signal sent to the reading process

- In the current implementation, when a signal is sent to the reading process,
  read is cancelled by calling usb_ep_dequeue, which lead into calling
  acc_complete_out with ECONNRESET, but the current logic treats it as
  disconnection, which makes the device inaccessible until cable is actually
  disconnected.
- The fix calls disconnect only when ESHUTDOWN error is passed.
- If data has already arrived while trying cancelling, the data is marked
  as available, and it will be read out on the next read. This is necessary
  as USB bulk is assumed to guarantee no data loss.

Signed-off-by: keunyoung <keunyoung@google.com>
10 years agocpufreq: don't leave stale policy pointer in cdbs->cur_policy
Jacob Shin [Thu, 27 Jun 2013 20:02:12 +0000 (22:02 +0200)]
cpufreq: don't leave stale policy pointer in cdbs->cur_policy

Clear ->cur_policy when stopping a governor, or the ->cur_policy
pointer may be stale on systems with have_governor_per_policy when a
new policy is allocated due to CPU hotplug offline/online.

[rjw: Changelog]
Suggested-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Jacob Shin <jacob.shin@amd.com>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
10 years agocpufreq: governors: Move get_governor_parent_kobj() to cpufreq.c
Viresh Kumar [Thu, 16 May 2013 05:09:57 +0000 (05:09 +0000)]
cpufreq: governors: Move get_governor_parent_kobj() to cpufreq.c

get_governor_parent_kobj() can be used by any governor, generic
cpufreq governors or platform specific ones and so must be present in
cpufreq.c instead of cpufreq_governor.c.

This patch moves it to cpufreq.c. This also adds
EXPORT_SYMBOL_GPL(get_governor_parent_kobj) so that modules can use
this function too.

Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
10 years agocpufreq: Add EXPORT_SYMBOL_GPL for have_governor_per_policy
Viresh Kumar [Thu, 16 May 2013 05:09:56 +0000 (05:09 +0000)]
cpufreq: Add EXPORT_SYMBOL_GPL for have_governor_per_policy

This patch adds: EXPORT_SYMBOL_GPL(have_governor_per_policy), so that
this routine can be used by modules too.

Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
10 years agotcp: add a sysctl to config the tcp_default_init_rwnd
JP Abgrall [Sat, 8 Feb 2014 02:40:10 +0000 (18:40 -0800)]
tcp: add a sysctl to config the tcp_default_init_rwnd

The default initial rwnd is hardcoded to 10.

Now we allow it to be controlled via
  /proc/sys/net/ipv4/tcp_default_init_rwnd
which limits the values from 3 to 100

This is somewhat needed because ipv6 routes are
autoconfigured by the kernel.

See "An Argument for Increasing TCP's Initial Congestion Window"
in https://developers.google.com/speed/articles/tcp_initcwnd_paper.pdf

Change-Id: I386b2a9d62de0ebe05c1ebe1b4bd91b314af5c54
Signed-off-by: JP Abgrall <jpa@google.com>
Conflicts:
net/ipv4/sysctl_net_ipv4.c
net/ipv4/tcp_input.c

10 years agoSELinux: Fix kernel BUG on empty security contexts.
Stephen Smalley [Thu, 30 Jan 2014 16:26:59 +0000 (11:26 -0500)]
SELinux: Fix kernel BUG on empty security contexts.

Setting an empty security context (length=0) on a file will
lead to incorrectly dereferencing the type and other fields
of the security context structure, yielding a kernel BUG.
As a zero-length security context is never valid, just reject
all such security contexts whether coming from userspace
via setxattr or coming from the filesystem upon a getxattr
request by SELinux.

Setting a security context value (empty or otherwise) unknown to
SELinux in the first place is only possible for a root process
(CAP_MAC_ADMIN), and, if running SELinux in enforcing mode, only
if the corresponding SELinux mac_admin permission is also granted
to the domain by policy.  In Fedora policies, this is only allowed for
specific domains such as livecd for setting down security contexts
that are not defined in the build host policy.

[On Android, this can only be set by root/CAP_MAC_ADMIN processes,
and if running SELinux in enforcing mode, only if mac_admin permission
is granted in policy.  In Android 4.4, this would only be allowed for
root/CAP_MAC_ADMIN processes that are also in unconfined domains. In current
AOSP master, mac_admin is not allowed for any domains except the recovery
console which has a legitimate need for it.  The other potential vector
is mounting a maliciously crafted filesystem for which SELinux fetches
xattrs (e.g. an ext4 filesystem on a SDcard).  However, the end result is
only a local denial-of-service (DOS) due to kernel BUG.  This fix is
queued for 3.14.]

Reproducer:
su
setenforce 0
touch foo
setfattr -n security.selinux foo

Caveat:
Relabeling or removing foo after doing the above may not be possible
without booting with SELinux disabled.  Any subsequent access to foo
after doing the above will also trigger the BUG.

BUG output from Matthew Thode:
[  473.893141] ------------[ cut here ]------------
[  473.962110] kernel BUG at security/selinux/ss/services.c:654!
[  473.995314] invalid opcode: 0000 [#6] SMP
[  474.027196] Modules linked in:
[  474.058118] CPU: 0 PID: 8138 Comm: ls Tainted: G      D   I
3.13.0-grsec #1
[  474.116637] Hardware name: Supermicro X8ST3/X8ST3, BIOS 2.0
07/29/10
[  474.149768] task: ffff8805f50cd010 ti: ffff8805f50cd488 task.ti:
ffff8805f50cd488
[  474.183707] RIP: 0010:[<ffffffff814681c7>]  [<ffffffff814681c7>]
context_struct_compute_av+0xce/0x308
[  474.219954] RSP: 0018:ffff8805c0ac3c38  EFLAGS: 00010246
[  474.252253] RAX: 0000000000000000 RBX: ffff8805c0ac3d94 RCX:
0000000000000100
[  474.287018] RDX: ffff8805e8aac000 RSI: 00000000ffffffff RDI:
ffff8805e8aaa000
[  474.321199] RBP: ffff8805c0ac3cb8 R08: 0000000000000010 R09:
0000000000000006
[  474.357446] R10: 0000000000000000 R11: ffff8805c567a000 R12:
0000000000000006
[  474.419191] R13: ffff8805c2b74e88 R14: 00000000000001da R15:
0000000000000000
[  474.453816] FS:  00007f2e75220800(0000) GS:ffff88061fc00000(0000)
knlGS:0000000000000000
[  474.489254] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  474.522215] CR2: 00007f2e74716090 CR3: 00000005c085e000 CR4:
00000000000207f0
[  474.556058] Stack:
[  474.584325]  ffff8805c0ac3c98 ffffffff811b549b ffff8805c0ac3c98
ffff8805f1190a40
[  474.618913]  ffff8805a6202f08 ffff8805c2b74e88 00068800d0464990
ffff8805e8aac860
[  474.653955]  ffff8805c0ac3cb8 000700068113833a ffff880606c75060
ffff8805c0ac3d94
[  474.690461] Call Trace:
[  474.723779]  [<ffffffff811b549b>] ? lookup_fast+0x1cd/0x22a
[  474.778049]  [<ffffffff81468824>] security_compute_av+0xf4/0x20b
[  474.811398]  [<ffffffff8196f419>] avc_compute_av+0x2a/0x179
[  474.843813]  [<ffffffff8145727b>] avc_has_perm+0x45/0xf4
[  474.875694]  [<ffffffff81457d0e>] inode_has_perm+0x2a/0x31
[  474.907370]  [<ffffffff81457e76>] selinux_inode_getattr+0x3c/0x3e
[  474.938726]  [<ffffffff81455cf6>] security_inode_getattr+0x1b/0x22
[  474.970036]  [<ffffffff811b057d>] vfs_getattr+0x19/0x2d
[  475.000618]  [<ffffffff811b05e5>] vfs_fstatat+0x54/0x91
[  475.030402]  [<ffffffff811b063b>] vfs_lstat+0x19/0x1b
[  475.061097]  [<ffffffff811b077e>] SyS_newlstat+0x15/0x30
[  475.094595]  [<ffffffff8113c5c1>] ? __audit_syscall_entry+0xa1/0xc3
[  475.148405]  [<ffffffff8197791e>] system_call_fastpath+0x16/0x1b
[  475.179201] Code: 00 48 85 c0 48 89 45 b8 75 02 0f 0b 48 8b 45 a0 48
8b 3d 45 d0 b6 00 8b 40 08 89 c6 ff ce e8 d1 b0 06 00 48 85 c0 49 89 c7
75 02 <0f> 0b 48 8b 45 b8 4c 8b 28 eb 1e 49 8d 7d 08 be 80 01 00 00 e8
[  475.255884] RIP  [<ffffffff814681c7>]
context_struct_compute_av+0xce/0x308
[  475.296120]  RSP <ffff8805c0ac3c38>
[  475.328734] ---[ end trace f076482e9d754adc ]---

[sds:  commit message edited to note Android implications and
to generate a unique Change-Id for gerrit]

Change-Id: I4d5389f0cfa72b5f59dada45081fa47e03805413
Reported-by: Matthew Thode <mthode@mthode.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Cc: stable@vger.kernel.org
Signed-off-by: Paul Moore <pmoore@redhat.com>
10 years agoARM: tegra: flounder: stick to 32bit binder for now.
JP Abgrall [Wed, 5 Feb 2014 20:29:34 +0000 (12:29 -0800)]
ARM: tegra: flounder: stick to 32bit binder for now.

Signed-off-by: JP Abgrall <jpa@google.com>
10 years agonetfilter: xt_IDLETIMER: Revert to retain the kernel API format.
Ashish Sharma [Wed, 5 Feb 2014 01:50:50 +0000 (01:50 +0000)]
netfilter: xt_IDLETIMER: Revert to retain the kernel API format.

Reverted Change-Id: Iaeca5dd2d7878c0733923ae03309a2a7b86979ca

Change-Id: I0e0a4f60ec14330d8d8d1c5a508fa058d9919e07
Signed-off-by: Ashish Sharma <ashishsharma@google.com>
(cherry picked from commit e0a4e5b0e808d718dd9af500c5754118fc3935db)

10 years agoSELinux: Fix possible NULL pointer dereference in selinux_inode_permission()
Steven Rostedt [Fri, 10 Jan 2014 02:46:34 +0000 (21:46 -0500)]
SELinux: Fix possible NULL pointer dereference in selinux_inode_permission()

commit 3dc91d4338d698ce77832985f9cb183d8eeaf6be upstream.

While running stress tests on adding and deleting ftrace instances I hit
this bug:

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
  IP: selinux_inode_permission+0x85/0x160
  PGD 63681067 PUD 7ddbe067 PMD 0
  Oops: 0000 [#1] PREEMPT
  CPU: 0 PID: 5634 Comm: ftrace-test-mki Not tainted 3.13.0-rc4-test-00033-gd2a6dde-dirty #20
  Hardware name:                  /DG965MQ, BIOS MQ96510J.86A.0372.2006.0605.1717 06/05/2006
  task: ffff880078375800 ti: ffff88007ddb0000 task.ti: ffff88007ddb0000
  RIP: 0010:[<ffffffff812d8bc5>]  [<ffffffff812d8bc5>] selinux_inode_permission+0x85/0x160
  RSP: 0018:ffff88007ddb1c48  EFLAGS: 00010246
  RAX: 0000000000000000 RBX: 0000000000800000 RCX: ffff88006dd43840
  RDX: 0000000000000001 RSI: 0000000000000081 RDI: ffff88006ee46000
  RBP: ffff88007ddb1c88 R08: 0000000000000000 R09: ffff88007ddb1c54
  R10: 6e6576652f6f6f66 R11: 0000000000000003 R12: 0000000000000000
  R13: 0000000000000081 R14: ffff88006ee46000 R15: 0000000000000000
  FS:  00007f217b5b6700(0000) GS:ffffffff81e21000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033^M
  CR2: 0000000000000020 CR3: 000000006a0fe000 CR4: 00000000000007f0
  Call Trace:
    security_inode_permission+0x1c/0x30
    __inode_permission+0x41/0xa0
    inode_permission+0x18/0x50
    link_path_walk+0x66/0x920
    path_openat+0xa6/0x6c0
    do_filp_open+0x43/0xa0
    do_sys_open+0x146/0x240
    SyS_open+0x1e/0x20
    system_call_fastpath+0x16/0x1b
  Code: 84 a1 00 00 00 81 e3 00 20 00 00 89 d8 83 c8 02 40 f6 c6 04 0f 45 d8 40 f6 c6 08 74 71 80 cf 02 49 8b 46 38 4c 8d 4d cc 45 31 c0 <0f> b7 50 20 8b 70 1c 48 8b 41 70 89 d9 8b 78 04 e8 36 cf ff ff
  RIP  selinux_inode_permission+0x85/0x160
  CR2: 0000000000000020

Investigating, I found that the inode->i_security was NULL, and the
dereference of it caused the oops.

in selinux_inode_permission():

isec = inode->i_security;

rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);

Note, the crash came from stressing the deletion and reading of debugfs
files.  I was not able to recreate this via normal files.  But I'm not
sure they are safe.  It may just be that the race window is much harder
to hit.

What seems to have happened (and what I have traced), is the file is
being opened at the same time the file or directory is being deleted.
As the dentry and inode locks are not held during the path walk, nor is
the inodes ref counts being incremented, there is nothing saving these
structures from being discarded except for an rcu_read_lock().

The rcu_read_lock() protects against freeing of the inode, but it does
not protect freeing of the inode_security_struct.  Now if the freeing of
the i_security happens with a call_rcu(), and the i_security field of
the inode is not changed (it gets freed as the inode gets freed) then
there will be no issue here.  (Linus Torvalds suggested not setting the
field to NULL such that we do not need to check if it is NULL in the
permission check).

Note, this is a hack, but it fixes the problem at hand.  A real fix is
to restructure the destroy_inode() to call all the destructor handlers
from the RCU callback.  But that is a major job to do, and requires a
lot of work.  For now, we just band-aid this bug with this fix (it
works), and work on a more maintainable solution in the future.

Link: http://lkml.kernel.org/r/20140109101932.0508dec7@gandalf.local.home
Link: http://lkml.kernel.org/r/20140109182756.17abaaa8@gandalf.local.home
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
10 years agoStaging: android: binder: Support concurrent 32 bit and 64 bit processes.
Arve Hjønnevåg [Tue, 28 Jan 2014 03:18:47 +0000 (19:18 -0800)]
Staging: android: binder: Support concurrent 32 bit and 64 bit processes.

Add binder_size_t and binder_uintptr_t that is used instead of size_t and
void __user * in the user-space interface.

Use 64 bit pointers on all systems unless CONFIG_ANDROID_BINDER_IPC_32BIT
is set (which enables the old protocol on 32 bit systems).

Change BINDER_CURRENT_PROTOCOL_VERSION to 8 if
CONFIG_ANDROID_BINDER_IPC_32BIT is not set.

Add compat ioctl.

Change-Id: Ifbbde0209da0050011bcab34c547a4c30d6e8c49
Signed-off-by: Arve Hjønnevåg <arve@android.com>
10 years agostaging: android: binder: fix ABI for 64bit Android
Serban Constantinescu [Wed, 15 Jan 2014 11:28:36 +0000 (11:28 +0000)]
staging: android: binder: fix ABI for 64bit Android

This patch fixes the ABI for 64bit Android userspace.
BC_REQUEST_DEATH_NOTIFICATION and BC_CLEAR_DEATH_NOTIFICATION claim
to be using struct binder_ptr_cookie, but they are using a 32bit handle
and a pointer.

On 32bit systems the payload size is the same as the size of struct
binder_ptr_cookie, however for 64bit systems this will differ. This
patch adds struct binder_handle_cookie that fixes this issue for 64bit
Android.

Since there are no 64bit users of this interface that we know of this
change should not affect any existing systems.

Change-Id: I8909cbc50aad48ccf371270bad6f69ff242a8c22
Signed-off-by: Serban Constantinescu <serban.constantinescu@arm.com>
10 years agostaging: android: binder: fix binder interface for 64bit compat layer
Serban Constantinescu [Thu, 4 Jul 2013 09:54:48 +0000 (10:54 +0100)]
staging: android: binder: fix binder interface for 64bit compat layer

The changes in this patch will fix the binder interface for use on 64bit
machines and stand as the base of the 64bit compat support. The changes
apply to the structures that are passed between the kernel and
userspace.

Most of the  changes applied mirror the change to struct binder_version
where there is no need for a 64bit wide protocol_version(on 64bit
machines). The change inlines with the existing 32bit userspace(the
structure has the same size) and simplifies the compat layer such that
the same handler can service the BINDER_VERSION ioctl.

Other changes make use of kernel types as well as user-exportable ones
and fix format specifier issues.

The changes do not affect existing 32bit ABI.

Change-Id: Icccc8d47c302930cc61cddc5749b4cc74dc84117
Signed-off-by: Serban Constantinescu <serban.constantinescu@arm.com>
Acked-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
10 years agostaging: android: binder: replace types with portable ones
Serban Constantinescu [Thu, 4 Jul 2013 09:54:47 +0000 (10:54 +0100)]
staging: android: binder: replace types with portable ones

Since this driver is meant to be used on different types of processors
and a portable driver should specify the size a variable expects to be
this patch changes the types used throughout the binder interface.

We use "userspace" types since this header will be exported and used by
the Android filesystem.

The patch does not change in any way the functionality of the binder driver.

Change-Id: Ib26daab8bc44b92d4a09badc8ecb64d37ee8773b
Signed-off-by: Serban Constantinescu <serban.constantinescu@arm.com>
Acked-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
10 years agostaging: android: binder: fix alignment issues
Serban Constantinescu [Thu, 4 Jul 2013 09:54:46 +0000 (10:54 +0100)]
staging: android: binder: fix alignment issues

The Android userspace aligns the data written to the binder buffers to
4bytes. Thus for 32bit platforms or 64bit platforms running an 32bit
Android userspace we can have a buffer looking like this:

platform    buffer(binder_cmd   pointer)      size
32/32                 32b         32b          8B
64/32                 32b         64b          12B
64/64                 32b         64b          12B

Thus the kernel needs to check that the buffer size is aligned to 4bytes
not to (void *) that will be 8bytes on 64bit machines.

The change does not affect existing 32bit ABI.

Change-Id: I7535f07301519623ea6334f525d312d687407ed4
Signed-off-by: Serban Constantinescu <serban.constantinescu@arm.com>
Acked-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
10 years agostaging: android: binder: fix BC_FREE_BUFFER ioctl declaration
Serban Constantinescu [Thu, 4 Jul 2013 09:54:45 +0000 (10:54 +0100)]
staging: android: binder: fix BC_FREE_BUFFER ioctl declaration

BinderDriverCommands mirror the ioctl usage. Thus the size of the
structure passed through the interface should be used to generate the
ioctl No.

The change reflects the type being passed from the user space-a pointer
to a binder_buffer. This change should not affect the existing 32bit
user space since BC_FREE_BUFFER is computed as:

   #define _IOW(type,nr,size)         \
      ((type) << _IOC_TYPESHIFT) |    \
      ((nr)   << _IOC_NRSHIFT) |      \
      ((size) << _IOC_SIZESHIFT))

and for a 32bit compiler BC_FREE_BUFFER will have the same computed
value. This change will also ease our work in differentiating
BC_FREE_BUFFER from COMPAT_BC_FREE_BUFFER.

The change does not affect existing 32bit ABI.

Change-Id: I2e0ae87bc4e913225a8eb2912913f7e3617cb575
Signed-off-by: Serban Constantinescu <serban.constantinescu@arm.com>
Acked-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
10 years agostaging: android: binder: fix BINDER_SET_MAX_THREADS declaration
Serban Constantinescu [Thu, 4 Jul 2013 09:54:44 +0000 (10:54 +0100)]
staging: android: binder: fix BINDER_SET_MAX_THREADS declaration

This change will fix the BINDER_SET_MAX_THREADS ioctl to use __u32
instead of size_t for setting the max threads. Thus using the same
handler for 32 and 64bit kernels.

This value is stored internally in struct binder_proc and set to 15
on open_binder() in the libbinder API(thus no need for a 64bit size_t
on 64bit platforms).

The change does not affect existing 32bit ABI.

Change-Id: Ibdfe10a70d475a91c247dc36e9cfd74a259d50e4
Signed-off-by: Serban Constantinescu <serban.constantinescu@arm.com>
Acked-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
10 years agostaging: android: binder: modify struct binder_write_read to use size_t
Serban Constantinescu [Thu, 4 Jul 2013 09:54:43 +0000 (10:54 +0100)]
staging: android: binder: modify struct binder_write_read to use size_t

This change mirrors the userspace operation where struct binder_write_read
members that specify the buffer size and consumed size are size_t elements.

The patch also fixes the binder_thread_write() and binder_thread_read()
functions prototypes to conform with the definition of binder_write_read.

The changes do not affect existing 32bit ABI.

Change-Id: I987246d507b9c5e4627c62a1da971d11869ac5a0
Signed-off-by: Serban Constantinescu <serban.constantinescu@arm.com>
Acked-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
10 years agoFix aarch64 build issue with ION
John Stultz [Fri, 31 Jan 2014 19:22:18 +0000 (11:22 -0800)]
Fix aarch64 build issue with ION

In trying to build ION for aarch64, I came across the following build error:

In file included from /home/jstultz/projects/linux/linaro.android/arch/arm64/include/asm/page.h:39:0,
                 from drivers/staging/android/ion/ion_system_heap.c:17:
/home/jstultz/projects/linux/linaro.android/arch/arm64/include/asm/pgtable-3level-types.h:19:1: error: unknown type name u64
 typedef u64 pteval_t;
 ^
/home/jstultz/projects/linux/linaro.android/arch/arm64/include/asm/pgtable-3level-types.h:20:1: error: unknown type name u64
 typedef u64 pmdval_t;
 ^
...

The problem is asm/page.h doesn't include anything that defines u64, so
add an asm/types.h include to the pgtable-3level-types.h to match upstream
and avoid the issue.

Change-Id: I3f098bf666761ac6b316389a46d37cc449c342d6
Signed-off-by: John Stultz <john.stultz@linaro.org>
10 years agoping: prevent NULL pointer dereference on write to msg_name
Hannes Frederic Sowa [Mon, 18 Nov 2013 06:07:45 +0000 (07:07 +0100)]
ping: prevent NULL pointer dereference on write to msg_name

A plain read() on a socket does set msg->msg_name to NULL. So check for
NULL pointer first.

[Backport of net-next cf970c002d270c36202bd5b9c2804d3097a52da0]

Bug: 12780426
Change-Id: I3df76aca2fa56478b9a33c404f7b1f0940475ef7
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
10 years agonet: ipv6: add missing lock in ping_v6_sendmsg
Lorenzo Colitti [Wed, 3 Jul 2013 15:52:49 +0000 (00:52 +0900)]
net: ipv6: add missing lock in ping_v6_sendmsg

[net-next commit a1bdc45580fc19e968b32ad27cd7e476a4aa58f6]

Bug: 12800827
Change-Id: I93d897e5043dc89bc99f111c89ef4f8b1fa1885d
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agonet: ipv6: fix wrong ping_v6_sendmsg return value
Lorenzo Colitti [Wed, 3 Jul 2013 15:12:40 +0000 (00:12 +0900)]
net: ipv6: fix wrong ping_v6_sendmsg return value

[net-next commit fbfe80c890a1dc521d0b629b870e32fcffff0da5]

ping_v6_sendmsg currently returns 0 on success. It should return
the number of bytes written instead.

Bug: 12800827
Change-Id: I7ed17dc61afbb68a84908e67e44db976ec812bad
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoping: always initialize ->sin6_scope_id and ->sin6_flowinfo
Cong Wang [Sun, 2 Jun 2013 22:43:52 +0000 (22:43 +0000)]
ping: always initialize ->sin6_scope_id and ->sin6_flowinfo

[net-next commit c26d6b46da3ee86fa8a864347331e5513ca84c2b]

If we don't need scope id, we should initialize it to zero.
Same for ->sin6_flowinfo.

Bug: 12800827
Change-Id: Ic19792cee3f5dc30237562cf48e6bdf49817c96e
Cc: Lorenzo Colitti <lorenzo@google.com>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Cong Wang <amwang@redhat.com>
Acked-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agonet: ipv6: Add IPv6 support to the ping socket.
Lorenzo Colitti [Wed, 22 May 2013 20:17:31 +0000 (20:17 +0000)]
net: ipv6: Add IPv6 support to the ping socket.

[net-next commit 6d0bfe22611602f36617bc7aa2ffa1bbb2f54c67]

This adds the ability to send ICMPv6 echo requests without a
raw socket. The equivalent ability for ICMPv4 was added in
2011.

Instead of having separate code paths for IPv4 and IPv6, make
most of the code in net/ipv4/ping.c dual-stack and only add a
few IPv6-specific bits (like the protocol definition) to a new
net/ipv6/ping.c. Hopefully this will reduce divergence and/or
duplication of bugs in the future.

Caveats:

- Setting options via ancillary data (e.g., using IPV6_PKTINFO
  to specify the outgoing interface) is not yet supported.
- There are no separate security settings for IPv4 and IPv6;
  everything is controlled by /proc/net/ipv4/ping_group_range.
- The proc interface does not yet display IPv6 ping sockets
  properly.

Tested with a patched copy of ping6 and using raw socket calls.
Compiles and works with all of CONFIG_IPV6={n,m,y}.

Bug: 12800827
Change-Id: I718cd9931823873ab44df22e8a66e12d6a0a6eb1
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agostaging: ion: Build fix for compat_ion.c
John Stultz [Wed, 29 Jan 2014 21:00:51 +0000 (13:00 -0800)]
staging: ion: Build fix for compat_ion.c

compat_get_ion_handle_data is missing a declaration for
the return value.

This patch simply adds it, so things build.

Change-Id: I1a72a3c56975dc614322a63852f2a6554f2be107
Signed-off-by: John Stultz <john.stultz@linaro.org>
10 years agoion: Fix ION_IOC_FREE compat ioctl
Laura Abbott [Tue, 28 Jan 2014 23:39:48 +0000 (15:39 -0800)]
ion: Fix ION_IOC_FREE compat ioctl

The compat ioctl for ION_IOC_FREE currently passes allocation data
instead of the free data. Correct this.

Change-Id: I5108a1937104b8368426f7695b4a2df416036a87
Signed-off-by: Laura Abbott <lauraa@codeaurora.org>
10 years agoandroid: configs: update 3.10 options
Rom Lemarchand [Tue, 28 Jan 2014 18:23:19 +0000 (10:23 -0800)]
android: configs: update 3.10 options

Change-Id: Ifbda55e570a22ace98d7d74b057ba21a597e0826

10 years agoandroid: configs: Add CONFIG_NETFILTER_XT_TARGET_IDLETIMER
Ashish Sharma [Thu, 16 Jan 2014 00:47:16 +0000 (16:47 -0800)]
android: configs: Add CONFIG_NETFILTER_XT_TARGET_IDLETIMER

Signed-off-by: Ashish Sharma <ashishsharma@google.com>
(cherry picked from commit 5621df1091c7e103bca6cdd1dbecf4333efad4e7)

Change-Id: I3104266fa648fc024fee45f1ce9800142898baf7

10 years agocpufreq: interactive: fix NULL pointer dereference at sysfs ops
Minsung Kim [Sun, 19 Jan 2014 05:32:42 +0000 (14:32 +0900)]
cpufreq: interactive: fix NULL pointer dereference at sysfs ops

sysfs ops for target_loads and above_hispeed_delay can be called before
initializing tunables at CPUFREQ_GOV_POLICY_INIT. Create sysfs entries after
initialization.

Change-Id: I50356198d7629731c0d32a3066d61fe8354e0001
Signed-off-by: Minsung Kim <ms925.kim@samsung.com>
10 years agovideo: adf: define constants for device-custom ioctls
Greg Hackmann [Mon, 13 Jan 2014 23:24:24 +0000 (15:24 -0800)]
video: adf: define constants for device-custom ioctls

Device-custom ADF ioctls can use type ADF_IOCTL_TYPE and
nr >= ADF_IOCTL_NR_CUSTOM

Change-Id: Ia8270973df5100e996ca0e021ede60e54b9af72a
Signed-off-by: Greg Hackmann <ghackmann@google.com>
10 years agoarm64: documentation: tighten up tagged pointer documentation
Will Deacon [Tue, 17 Sep 2013 10:46:23 +0000 (11:46 +0100)]
arm64: documentation: tighten up tagged pointer documentation

Commit d50240a5f6ce ("arm64: mm: permit use of tagged pointers at EL0")
added support for tagged pointers in userspace, but the corresponding
update to Documentation/ contained some imprecise statements.

This patch fixes up some minor ambiguities in the text, hopefully making
it more clear about exactly what the kernel expects from user virtual
addresses.

Change-Id: I7df342e01d5253ccacb3847449940892768d7e07
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
10 years agoarm64: mm: permit use of tagged pointers at EL0
Will Deacon [Wed, 12 Jun 2013 15:28:04 +0000 (16:28 +0100)]
arm64: mm: permit use of tagged pointers at EL0

TCR.TBI0 can be used to cause hardware address translation to ignore the
top byte of userspace virtual addresses. Whilst not especially useful in
standard C programs, this can be used by JITs to `tag' pointers with
various pieces of metadata.

This patch enables this bit for AArch64 Linux, and adds a new file to
Documentation/arm64/ which describes some potential caveats when using
tagged virtual addresses.

Change-Id: I4c025d026144c69a2259b6562e46176f95b4e110
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
10 years agoandroid: configs: add IPV6 ROUTE INFO
JP Abgrall [Tue, 7 Jan 2014 22:25:28 +0000 (14:25 -0800)]
android: configs: add IPV6 ROUTE INFO

Change-Id: I54cba86bce703647c4be8eee5592d55374ad02ef
Signed-off-by: JP Abgrall <jpa@google.com>
(cherry picked from commit 5e35d662616142d308ce24c9d552e469f60d8695)

10 years agocpufreq: interactive: fix compiling warnings
Chih-Wei Huang [Tue, 24 Dec 2013 09:51:55 +0000 (17:51 +0800)]
cpufreq: interactive: fix compiling warnings

The gcc warns like:

  cpufreq_interactive.c:745:6: warning: operation on 'ret' may be undefined [-Wsequence-point]

It was introduced by commit cf0fad49d17cb8273ce555dd5b7afab67d7923bf.

Since sprintf(...) just return 1 (one character) in this case, ret should not changed.
Just discarding the result of sprintf(...) leads to the result that
the committer of cf0fad49d17cb8273ce555dd5b7afab67d7923bf wants.

Change-Id: Ifed1cef6d6a31c3ed23dad03a567b3b9eddf3a57
Signed-off-by: Chih-Wei Huang <cwhuang@android-x86.org>
10 years agoandroid: configs: add TIMER_STATS back, helps with sysrq t.
JP Abgrall [Fri, 27 Dec 2013 23:20:32 +0000 (15:20 -0800)]
android: configs: add TIMER_STATS back, helps with sysrq t.

Change-Id: I8fe033090e38523152225dcfb7a1828f530a0757
Signed-off-by: JP Abgrall <jpa@google.com>
(cherry picked from commit 7aee29d6482954ac9fecae3ce8a90b6759158107)

10 years agoion: fix overflow and list bugs in system heap
Colin Cross [Fri, 20 Dec 2013 02:37:49 +0000 (18:37 -0800)]
ion: fix overflow and list bugs in system heap

Fix a few bugs in ion_system_heap:

Initialize the list node in the info block.

Don't store size_remaining in a signed long, allocating >2GB
could overflow, resulting in a call to sg_alloc_table with
nents=0 which panics.  alloc_largest_available will never
return a block larger than size_remanining, so it can never
go negative.

Limit a single allocation to half of all memory.  Prevents a
large allocation from taking down the whole system.

Change-Id: I7fcbd7e1d5b4d482d7612d80b6c9e8e24466f1d8
Signed-off-by: Colin Cross <ccross@android.com>
10 years agoion: Add private buffer flag to skip page pooling on free
Mitchel Humpherys [Tue, 6 Aug 2013 22:08:23 +0000 (15:08 -0700)]
ion: Add private buffer flag to skip page pooling on free

Currently, when we free a buffer it might actually just go back into a
heap-specific page pool rather than going back to the system. This poses
a problem because sometimes (like when we're running a shrinker in low
memory conditions) we need to force the memory associated with the
buffer to truly be relinquished to the system rather than just going
back into a page pool.

There isn't a use case for this flag by Ion clients, so make it a
private flag. The main use case right now is to provide a mechanism for
the deferred free code to force stale buffers to bypass page pooling.

Change-Id: I724f89cc037083fe8576784363caa18a34e8705a
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
10 years agogpu: ion: make sure all clients are exposed in debugfs
Mitchel Humpherys [Mon, 7 Oct 2013 16:24:29 +0000 (09:24 -0700)]
gpu: ion: make sure all clients are exposed in debugfs

Currently, if multiple Ion clients are created with the same name, only
the first one shows up in debugfs. Rectify this by adding a
monotonically-increasing serial number to the debug names of Ion
clients.

Change-Id: I000e45055d5029c7bccd88c36b238736929da3a5
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
10 years agoion: store a copy of the client name on client creation
Mitchel Humpherys [Thu, 19 Dec 2013 06:10:07 +0000 (22:10 -0800)]
ion: store a copy of the client name on client creation

Currently, we copy the pointer passed in to ion_client_create without
making a copy of the string itself. This approach is problematic since
it relies on the client keeping the name string in working order.

Change-Id: I62d79c7539b2c857a5a625339d49c9c892e8622d
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
10 years agogpu: ion: Fix debugfs handling of multiple kernel clients
Laura Abbott [Mon, 5 Dec 2011 23:32:36 +0000 (15:32 -0800)]
gpu: ion: Fix debugfs handling of multiple kernel clients

Currently, Ion registers all debugfs entries for clients
via pid. If there are multiple kernel clients, this means
the debugfs entry only gets created for the first one. Fix
this by creating debugfs entries by name always. When
creating user clients, specify the name via the pid.

Change-Id: I00cbb284d1c53b3362bb7be9c0275620a9fac167
Signed-off-by: Laura Abbott <lauraa@codeaurora.org>
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
10 years agogpu: ion: create separate heap and client debugfs directories
Mitchel Humpherys [Thu, 29 Aug 2013 22:28:58 +0000 (15:28 -0700)]
gpu: ion: create separate heap and client debugfs directories

It can be slightly annoying to figure out which files under the ion
debugfs directory are heap debug files and which ones are client debug
files. Create separate subdirectories under ion to hold the different
types of debug files.

Change-Id: Ic773ab619ef94b9b4d0f3794def9d37645c7c212
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
10 years agoion: move shrinker out of heaps
Colin Cross [Fri, 13 Dec 2013 01:50:35 +0000 (17:50 -0800)]
ion: move shrinker out of heaps

Every heap that uses deferred frees is going to need a shrinker
to shrink the freelist under memory pressure.  Rather than
requiring each heap to implement a shrinker, automatically
register a shrinker if the deferred free flag is set.
The system heap also needs to shrink its page pools, so add
a shrink function to the heap ops that will be called after
shrinking the freelists.

Change-Id: Icda722d683426fadb8ddd1c8e9499264ab682c57
Signed-off-by: Colin Cross <ccross@android.com>
10 years agoion_test: Add compat_ioctl support (v2)
John Stultz [Thu, 19 Dec 2013 23:56:23 +0000 (15:56 -0800)]
ion_test: Add compat_ioctl support (v2)

Prior to subitting this, Colin reworked the compat_ioctl support
for the ion_test driver, moving the structure to be the same size
on both 32 and 64 bit architectures.

Two small things were left out. The compat_ioctl ptr assignment,
and the fact that despite having uniform sized types in the
structure, the structure pads out to different sizes on different
arches.

This patch resolves this issue by adding a padding entry after
the write flag, and adding the compat_ioctl ptr.

Changes in v2:
- Add a padding int rather then making write a u64

Cc: Colin Cross <ccross@android.com>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Android Kernel Team <kernel-team@android.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>