Merge android-4.4-p.194 (2b29211) into msm-4.4

* refs/heads/tmp-2b29211
  Revert "ANDROID: regression introduced override_creds=off"
  ANDROID: regression introduced override_creds=off
  Fix fallout from changes to bootparam_utils.h
  ANDROID: sched: Disallow WALT with CFS bandwidth control
  ANDROID: fiq_debugger: remove
  ANDROID: arm64: fix leftover RWX when using CONFIG_UNMAP_KERNEL_AT_EL0
  ANDROID: fix kernelci build-break in lowmemorykiller
  ANDROID: Avoid taking multiple locks in handle_lmk_event
  UPSTREAM: net-ipv6-ndisc: add support for RFC7710 RA Captive Portal Identifier
  ANDROID: fix binder change in merge of 4.4.183
  Fix overlayfs build break
  binder: binder: fix possible UAF when freeing buffer
  ANDROID: Revert "f2fs: avoid out-of-range memory access"
  ANDROID: overlayfs: Fix a regression in commit b24be4acd
  ANDROID: enable CONFIG_RTC_DRV_TEST on cuttlefish
  ANDROID: xfrm: remove in_compat_syscall() checks
  BACKPORT: binder: Set end of SG buffer area properly.
  UPSTREAM: binder: check for overflow when alloc for security context
  BACKPORT: binder: fix race between munmap() and direct reclaim
  ANDROID: cuttlefish 4.4: enable CONFIG_CRYPTO_AES_NI_INTEL=y
  ANDROID: cuttlefish_defconfig: Disable DEVTMPFS
  ANDROID: cuttlefish_defconfig: Enable CONFIG_CPUSETS and CONFIG_CGROUP_SCHEDTUNE
  ANDROID: cuttlefish_defconfig: Drop dead CRYPTO options
  UPSTREAM: virtio: new feature to detect IOMMU device quirk
  UPSTREAM: vring: Use the DMA API on Xen
  UPSTREAM: virtio_ring: Support DMA APIs
  UPSTREAM: vring: Introduce vring_use_dma_api()
  ANDROID: cuttlefish_defconfig: L2TP/PPTP to OLAC/OPNS
  ANDROID: cuttlefish_defconfig: Enable DEBUG_SET_MODULE_RONX
  ANDROID: Fix cuttlefish redundant vsock connection.
  ANDROID: cuttlefish_defconfig: Enable CONFIG_RTC_HCTOSYS
  ANDROID: Move from clang r349610 to r353983c.
  Make arm64 serial port config compatible with crosvm
  UPSTREAM: virt_wifi: Remove REGULATORY_WIPHY_SELF_MANAGED
  ANDROID: cuttlefish_defconfig: Add support for AC97 audio
  ANDROID: Move from clang r346389b to r349610.
  ANDROID: cuttlefish_defconfig: Enable vsock options
  UPSTREAM: vhost/vsock: fix reset orphans race with close timeout
  UPSTREAM: vhost/vsock: fix use-after-free in network stack callers
  UPSTREAM: vhost: correctly check the iova range when waking virtqueue
  UPSTREAM: vhost: synchronize IOTLB message with dev cleanup
  UPSTREAM: vhost: fix info leak due to uninitialized memory
  UPSTREAM: vhost: fix vhost_vq_access_ok() log check
  UPSTREAM: vhost: validate log when IOTLB is enabled
  UPSTREAM: vhost_net: add missing lock nesting notation
  UPSTREAM: vhost: use mutex_lock_nested() in vhost_dev_lock_vqs()
  UPSTREAM: vhost/vsock: fix uninitialized vhost_vsock->guest_cid
  UPSTREAM: vhost_net: correctly check tx avail during rx busy polling
  UPSTREAM: vsock: use new wait API for vsock_stream_sendmsg()
  UPSTREAM: vsock: cancel packets when failing to connect
  UPSTREAM: vhost-vsock: add pkt cancel capability
  UPSTREAM: vsock: track pkt owner vsock
  UPSTREAM: vhost: fix initialization for vq->is_le
  UPSTREAM: vhost/vsock: handle vhost_vq_init_access() error
  UPSTREAM: vsock: lookup and setup guest_cid inside vhost_vsock_lock
  UPSTREAM: vhost-vsock: fix orphan connection reset
  UPSTREAM: vsock/virtio: fix src/dst cid format
  UPSTREAM: VSOCK: Don't dec ack backlog twice for rejected connections
  UPSTREAM: vhost/vsock: drop space available check for TX vq
  UPSTREAM: virtio-vsock: fix include guard typo
  UPSTREAM: vhost/vsock: fix vhost virtio_vsock_pkt use-after-free
  UPSTREAM: VSOCK: Use kvfree()
  BACKPORT: vhost: split out vringh Kconfig
  UPSTREAM: vhost: drop vringh dependency
  UPSTREAM: vhost: drop vringh dependency
  UPSTREAM: vhost: detect 32 bit integer wrap around
  UPSTREAM: VSOCK: Add Makefile and Kconfig
  UPSTREAM: VSOCK: Introduce vhost_vsock.ko
  UPSTREAM: VSOCK: Introduce virtio_transport.ko
  BACKPORT: VSOCK: Introduce virtio_vsock_common.ko
  UPSTREAM: VSOCK: defer sock removal to transports
  UPSTREAM: VSOCK: transport-specific vsock_transport functions
  UPSTREAM: vsock: make listener child lock ordering explicit
  UPSTREAM: vhost: new device IOTLB API
  BACKPORT: vhost: convert pre sorted vhost memory array to interval tree
  UPSTREAM: vhost: introduce vhost memory accessors
  UPSTREAM: vhost_net: stop polling socket during rx processing
  UPSTREAM: VSOCK: constify vsock_transport structure
  UPSTREAM: vhost: lockless enqueuing
  UPSTREAM: vhost: simplify work flushing
  UPSTREAM: VSOCK: Only check error on skb_recv_datagram when skb is NULL
  BACKPORT: AF_VSOCK: Shrink the area influenced by prepare_to_wait
  UPSTREAM: vhost_net: basic polling support
  UPSTREAM: vhost: introduce vhost_vq_avail_empty()
  UPSTREAM: vhost: introduce vhost_has_work()
  UPSTREAM: vhost: rename vhost_init_used()
  UPSTREAM: vhost: rename cross-endian helpers
  UPSTREAM: vhost: fix error path in vhost_init_used()
  UPSTREAM: virtio: make find_vqs() checkpatch.pl-friendly
  UPSTREAM: net: move napi_hash[] into read mostly section
  ANDROID: cuttlefish_defconfig: Enable VIRTIO_INPUT
  ANDROID: cuttlefish_defconfig: Enable VIRT_WIFI
  FROMGIT, BACKPORT: mac80211-next: rtnetlink wifi simulation device
  ANDROID: Move from clang r328903 to r346389b.
  ANDROID: arm64 defconfig / build config for cuttlefish
  ANDROID: Communicates LMK events to userland where they can be logged
  Fix merge issue with 4.4.178
  Fix merge issue with 4.4.177
  FROMGIT: binder: create node flag to request sender's security context
  ion: Disable ION_HEAP_TYPE_SYSTEM_CONTIG
  ANDROID: uid_sys_stats: Copy task_struct comm field to bigger buffer
  UPSTREAM: binder: fix race that allows malicious free of live buffer
  Makefile: Tidy up 4.4.165 merge
  ANDROID: sdcardfs: Change current->fs under lock
  ANDROID: sdcardfs: Don't use OVERRIDE_CRED macro
  arm64/vdso: Fix nsec handling for CLOCK_MONOTONIC_RAW
  ANDROID: arm64: mm: fix 4.4.154 merge
  Fix backport of "tcp: detect malicious patterns in tcp_collapse_ofo_queue()"
  tcp: detect malicious patterns in tcp_collapse_ofo_queue()
  tcp: avoid collapses in tcp_prune_queue() if possible

Conflicts:
	Makefile
	arch/arm64/configs/cuttlefish_defconfig
	arch/arm64/include/asm/cpufeature.h
	arch/x86/configs/x86_64_cuttlefish_defconfig
	arch/x86/include/asm/uaccess_32.h
	drivers/net/wireless/virt_wifi.c
	drivers/staging/android/lowmemorykiller.c
	fs/f2fs/checkpoint.c
	fs/f2fs/data.c
	fs/f2fs/dir.c
	fs/f2fs/f2fs.h
	fs/f2fs/file.c
	fs/f2fs/inline.c
	fs/f2fs/inode.c
	fs/f2fs/node.c
	fs/f2fs/recovery.c
	fs/f2fs/segment.c
	fs/f2fs/segment.h
	fs/f2fs/super.c
	fs/squashfs/block.c
	include/linux/f2fs_fs.h
	include/linux/msm_mdp.h
	include/uapi/linux/android/binder.h
	include/uapi/linux/virtio_ids.h
	kernel/cpu.c

Change-Id: I3d8da865a81161d356b11f84344c27e172c3add3
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
This commit is contained in:
Srinivasarao P 2019-10-22 11:47:34 +05:30
commit 520bc0d2f2
7 changed files with 47 additions and 21 deletions

View file

@ -78,7 +78,6 @@ CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_NET_IPGRE_DEMUX=y
CONFIG_NET_IPVTI=y
CONFIG_INET_ESP=y
# CONFIG_INET_XFRM_MODE_BEET is not set
@ -170,7 +169,6 @@ CONFIG_IP6_NF_FILTER=y
CONFIG_IP6_NF_TARGET_REJECT=y
CONFIG_IP6_NF_MANGLE=y
CONFIG_IP6_NF_RAW=y
CONFIG_L2TP=y
CONFIG_NET_SCHED=y
CONFIG_NET_SCH_HTB=y
CONFIG_NET_CLS_U32=y
@ -216,8 +214,8 @@ CONFIG_PPP=y
CONFIG_PPP_BSDCOMP=y
CONFIG_PPP_DEFLATE=y
CONFIG_PPP_MPPE=y
CONFIG_PPTP=y
CONFIG_PPPOL2TP=y
CONFIG_PPPOLAC=y
CONFIG_PPPOPNS=y
CONFIG_USB_USBNET=y
# CONFIG_USB_NET_AX8817X is not set
# CONFIG_USB_NET_AX88179_178A is not set
@ -414,6 +412,5 @@ CONFIG_HARDENED_USERCOPY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_LZ4=y
CONFIG_CRYPTO_ZSTD=y
CONFIG_CRYPTO_ANSI_CPRNG=y
CONFIG_XZ_DEC=y

View file

@ -505,7 +505,7 @@ static int __init map_entry_trampoline(void)
{
extern char __entry_tramp_text_start[];
pgprot_t prot = PAGE_KERNEL_EXEC;
pgprot_t prot = PAGE_KERNEL_ROX;
phys_addr_t pa_start = __pa_symbol(__entry_tramp_text_start);
/* The trampoline is always mapped and can therefore be global */

View file

@ -13,10 +13,13 @@ CONFIG_IKCONFIG_PROC=y
CONFIG_CGROUPS=y
CONFIG_CGROUP_DEBUG=y
CONFIG_CGROUP_FREEZER=y
CONFIG_CPUSETS=y
CONFIG_CGROUP_CPUACCT=y
CONFIG_CGROUP_SCHEDTUNE=y
CONFIG_CGROUP_SCHED=y
CONFIG_RT_GROUP_SCHED=y
CONFIG_NAMESPACES=y
CONFIG_SCHED_TUNE=y
CONFIG_BLK_DEV_INITRD=y
# CONFIG_RD_LZ4 is not set
CONFIG_KALLSYMS_ALL=y
@ -462,6 +465,7 @@ CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_LZ4=y
CONFIG_CRYPTO_ZSTD=y
CONFIG_CRYPTO_AES_NI_INTEL=y
CONFIG_ASYMMETRIC_KEY_TYPE=y
CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
CONFIG_X509_CERTIFICATE_PARSER=y

View file

@ -528,7 +528,8 @@ struct binder_priority {
* @requested_threads_started: number binder threads started
* (protected by @inner_lock)
* @tmp_ref: temporary reference to indicate proc is in use
* (protected by @inner_lock)
* (atomic since @proc->inner_lock cannot
* always be acquired)
* @default_priority: default scheduler priority
* (invariant after initialized)
* @debugfs_entry: debugfs node
@ -562,7 +563,7 @@ struct binder_proc {
int max_threads;
int requested_threads;
int requested_threads_started;
int tmp_ref;
atomic_t tmp_ref;
struct binder_priority default_priority;
struct dentry *debugfs_entry;
struct binder_alloc alloc;
@ -2053,9 +2054,9 @@ static void binder_thread_dec_tmpref(struct binder_thread *thread)
static void binder_proc_dec_tmpref(struct binder_proc *proc)
{
binder_inner_proc_lock(proc);
proc->tmp_ref--;
atomic_dec(&proc->tmp_ref);
if (proc->is_dead && RB_EMPTY_ROOT(&proc->threads) &&
!proc->tmp_ref) {
!atomic_read(&proc->tmp_ref)) {
binder_inner_proc_unlock(proc);
binder_free_proc(proc);
return;
@ -2117,8 +2118,26 @@ static struct binder_thread *binder_get_txn_from_and_acq_inner(
static void binder_free_transaction(struct binder_transaction *t)
{
if (t->buffer)
t->buffer->transaction = NULL;
struct binder_proc *target_proc;
spin_lock(&t->lock);
target_proc = t->to_proc;
if (target_proc) {
atomic_inc(&target_proc->tmp_ref);
spin_unlock(&t->lock);
binder_inner_proc_lock(target_proc);
if (t->buffer)
t->buffer->transaction = NULL;
binder_inner_proc_unlock(target_proc);
binder_proc_dec_tmpref(target_proc);
} else {
/*
* If the transaction has no target_proc, then
* t->buffer->transaction * has already been cleared.
*/
spin_unlock(&t->lock);
}
kfree(t);
binder_stats_deleted(BINDER_STAT_TRANSACTION);
}
@ -2871,7 +2890,7 @@ static struct binder_node *binder_get_node_refs_for_txn(
target_node = node;
binder_inc_node_nilocked(node, 1, 0, NULL);
binder_inc_node_tmpref_ilocked(node);
node->proc->tmp_ref++;
atomic_inc(&node->proc->tmp_ref);
*procp = node->proc;
} else
*error = BR_DEAD_REPLY;
@ -2967,7 +2986,7 @@ static void binder_transaction(struct binder_proc *proc,
goto err_dead_binder;
}
target_proc = target_thread->proc;
target_proc->tmp_ref++;
atomic_inc(&target_proc->tmp_ref);
binder_inner_proc_unlock(target_thread->proc);
} else {
if (tr->target.handle) {
@ -3700,10 +3719,12 @@ static int binder_thread_write(struct binder_proc *proc,
buffer->debug_id,
buffer->transaction ? "active" : "finished");
binder_inner_proc_lock(proc);
if (buffer->transaction) {
buffer->transaction->buffer = NULL;
buffer->transaction = NULL;
}
binder_inner_proc_unlock(proc);
if (buffer->async_transaction && buffer->target_node) {
struct binder_node *buf_node;
struct binder_work *w;
@ -4565,7 +4586,7 @@ static int binder_thread_release(struct binder_proc *proc,
* The corresponding dec is when we actually
* free the thread in binder_free_thread()
*/
proc->tmp_ref++;
atomic_inc(&proc->tmp_ref);
/*
* take a ref on this thread to ensure it
* survives while we are releasing it
@ -5060,6 +5081,7 @@ static int binder_open(struct inode *nodp, struct file *filp)
return -ENOMEM;
spin_lock_init(&proc->inner_lock);
spin_lock_init(&proc->outer_lock);
atomic_set(&proc->tmp_ref, 0);
get_task_struct(current->group_leader);
proc->tsk = current->group_leader;
mutex_init(&proc->files_lock);
@ -5239,7 +5261,7 @@ static void binder_deferred_release(struct binder_proc *proc)
* Make sure proc stays alive after we
* remove all the threads
*/
proc->tmp_ref++;
atomic_inc(&proc->tmp_ref);
proc->is_dead = true;
threads = 0;

View file

@ -52,6 +52,7 @@
#include <linux/circ_buf.h>
#include <linux/proc_fs.h>
#include <linux/slab.h>
#include <linux/poll.h>
#define CREATE_TRACE_POINTS
#include <trace/events/almk.h>

View file

@ -3524,11 +3524,6 @@ static int read_compacted_summaries(struct f2fs_sb_info *sbi)
seg_i = CURSEG_I(sbi, i);
segno = le32_to_cpu(ckpt->cur_data_segno[i]);
blk_off = le16_to_cpu(ckpt->cur_data_blkoff[i]);
if (blk_off > ENTRIES_IN_SUM) {
f2fs_bug_on(sbi, 1);
f2fs_put_page(page, 1);
return -EFAULT;
}
seg_i->next_segno = segno;
reset_curseg(sbi, i, 0);
seg_i->alloc_type = ckpt->alloc_type[i];

View file

@ -2562,6 +2562,12 @@ static int sanity_check_raw_super(struct f2fs_sb_info *sbi,
return -EFSCORRUPTED;
}
if (le32_to_cpu(raw_super->segment_count) > F2FS_MAX_SEGMENT) {
f2fs_info(sbi, "Invalid segment count (%u)",
le32_to_cpu(raw_super->segment_count));
return 1;
}
/* check CP/SIT/NAT/SSA/MAIN_AREA area boundary */
if (sanity_check_area_boundary(sbi, bh))
return -EFSCORRUPTED;
@ -2677,6 +2683,7 @@ int f2fs_sanity_check_ckpt(struct f2fs_sb_info *sbi)
sit_bitmap_size = le32_to_cpu(ckpt->sit_ver_bitmap_bytesize);
nat_bitmap_size = le32_to_cpu(ckpt->nat_ver_bitmap_bytesize);
log_blocks_per_seg = le32_to_cpu(raw_super->log_blocks_per_seg);
if (sit_bitmap_size != ((sit_segs / 2) << log_blocks_per_seg) / 8 ||
nat_bitmap_size != ((nat_segs / 2) << log_blocks_per_seg) / 8) {