If verity tree itself is sufficiently corrupted in addition to data
blocks, it's possible for error correction to end up in a deep recursive
error correction loop that eventually causes a kernel panic as follows:
[ 14.728962] [<ffffffc0008c1a14>] verity_fec_decode+0xa8/0x138
[ 14.734691] [<ffffffc0008c3ee0>] verity_verify_level+0x11c/0x180
[ 14.740681] [<ffffffc0008c482c>] verity_hash_for_block+0x88/0xe0
[ 14.746671] [<ffffffc0008c1508>] fec_decode_rsb+0x318/0x75c
[ 14.752226] [<ffffffc0008c1a14>] verity_fec_decode+0xa8/0x138
[ 14.757956] [<ffffffc0008c3ee0>] verity_verify_level+0x11c/0x180
[ 14.763944] [<ffffffc0008c482c>] verity_hash_for_block+0x88/0xe0
This change limits the recursion to a reasonable level during a single
I/O operation.
Bug: 28943429
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Change-Id: I0a7ebff331d259c59a5e03c81918cc1613c3a766
(cherry picked from commit f4b9e40597e73942d2286a73463c55f26f61bfa7)
Add:
CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
to android-base.cfg
The kernel.perf_event_paranoid sysctl is set to 3 by default.
No unprivileged use of the perf_event_open syscall will be
permitted unless it is changed.
Bug: 29054680
Change-Id: Ie7512259150e146d8e382dc64d40e8faaa438917
When kernel.perf_event_open is set to 3 (or greater), disallow all
access to performance events by users without CAP_SYS_ADMIN.
Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
makes this value the default.
This is based on a similar feature in grsecurity
(CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making
the variable read-only. It also allows enabling further restriction
at run-time regardless of whether the default is changed.
https://lkml.org/lkml/2016/1/11/587
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Bug: 29054680
Change-Id: Iff5bff4fc1042e85866df9faa01bce8d04335ab8
perf_event_paranoid was only documented in source code and a perf error
message. Copy the documentation from the error message to
Documentation/sysctl/kernel.txt.
perf_cpu_time_max_percent was already documented but missing from the
list at the top, so add it there.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: linux-doc@vger.kernel.org
Link: http://lkml.kernel.org/r/20160119213515.GG2637@decadent.org.uk
[ Remove reference to external Documentation file, provide info inline, as before ]
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Bug: 29054680
Change-Id: I13e73cfb2ad761c94762d0c8196df7725abdf5c5
Compilers may engage the improbability drive when encountering shifts
by a distance that is a multiple of the size of the operand type. Since
the required bounds check is very simple here, we can get rid of all the
fuzzy masking, shifting and comparing, and use the documented bounds
directly.
Change-Id: Ibc1b73f4a630bc182deb6edfa7458b5e29ba9577
Reported-by: David Binderman <dcb314@hotmail.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
The test whether a movz instruction with a signed immediate should be
turned into a movn instruction (i.e., when the immediate is negative)
is flawed, since the value of imm is always positive. Also, the
subsequent bounds check is incorrect since the limit update never
executes, due to the fact that the imm_type comparison will always be
false for negative signed immediates.
Let's fix this by performing the sign test on sval directly, and
replacing the bounds check with a simple comparison against U16_MAX.
Change-Id: I9ad3d8bfd91e5fdc6434b1be6c3062dfec193176
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
[will: tidied up use of sval, renamed MOVK enum value to MOVKZ]
Signed-off-by: Will Deacon <will.deacon@arm.com>
This reverts commit 97312429c2.
Drop AOSP's "armv6 dcc tty driver" in favor of upstream DCC driver for
ARMv6/v7 16c63f8ea4 (drivers: char: hvc: add arm JTAG DCC console
support) and for ARMv8 4cad4c57e0 (ARM64: TTY: hvc_dcc: Add support
for ARM64 dcc).
Change-Id: I0ca651ef2d854fff03cee070524fe1e3971b6d8f
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
This reverts commit dfc1d4be88.
Drop AOSP's "armv6 dcc tty driver" in favor of upstream DCC driver for
ARMv6/v7 16c63f8ea4 (drivers: char: hvc: add arm JTAG DCC console
support) and for ARMv8 4cad4c57e0 (ARM64: TTY: hvc_dcc: Add support
for ARM64 dcc).
Change-Id: I8110a4fd649b8ac1ec9bfac00255c1214135e4b2
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
(This cherry-picks b4201cc4fc6e1c57d6d306b1f787865043d60129 upstream)
This fixes:
net/mac80211/mesh_hwmp.c:603:26: warning: ‘target_metric’ may be used uninitialized in this function
target_metric is only consumed when reply = true so no bug exists here,
but not all versions of gcc realize it. Initialize to 0 to remove the
warning.
Change-Id: I13923fda9d314f48196c29e4354133dfe01f5abd
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[jstultz: Cherry-picked to android-4.4]
Signed-off-by: John Stultz <john.stultz@linaro.org>
(cherry pick from commit 5c17c861a357e9458001f021a7afa7aab9937439)
ioctl(TIOCGETD) retrieves the line discipline id directly from the
ldisc because the line discipline id (c_line) in termios is untrustworthy;
userspace may have set termios via ioctl(TCSETS*) without actually
changing the line discipline via ioctl(TIOCSETD).
However, directly accessing the current ldisc via tty->ldisc is
unsafe; the ldisc ptr dereferenced may be stale if the line discipline
is changing via ioctl(TIOCSETD) or hangup.
Wait for the line discipline reference (just like read() or write())
to retrieve the "current" line discipline id.
Cc: <stable@vger.kernel.org>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 28409131
Change-Id: I6774bd883a2e48bbe020486c72c42fb410e3f98a
This reverts commit e1b5d10389.
This patch fixed the aosp commit ad86cc8ad6 (drivers: power:
Add watchdog timer to catch drivers which lockup during suspend.),
which we dropped in Change Id Ic72a87432e27844155467817600adc6cf0c2209c,
so we no longer need this fix. A part of this patch is already reverted
in above mentioned Change Id.
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Upstream commit 8eec1020f0 (cpufreq: create cpu/cpufreq at boot time)
make sure that cpufreq sysfs entry get created at boot time, and there
is no need to create/destroy it on need basis anymore.
So drop deprecated cpufreq_{get,put}_global_kobject function calls which
otherwise result in following compilation errors:
drivers/cpufreq/cpufreq_interactive.c: In function 'cpufreq_governor_interactive':
drivers/cpufreq/cpufreq_interactive.c:1187:4: error: implicit declaration of function 'cpufreq_get_global_kobject' [-Werror=implicit-function-declaration]
WARN_ON(cpufreq_get_global_kobject());
^
drivers/cpufreq/cpufreq_interactive.c:1197:5: error: implicit declaration of function 'cpufreq_put_global_kobject'[-Werror=implicit-function-declaration]
cpufreq_put_global_kobject();
^
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
This reverts commit bc68f6c4ef.
This build fix broke the Interactive Gov at runtime with duplicate sysfs
entry warnings at boot time. We no longer need to this create/destroy
cpufreq sysfs entry at run time on need basis thanks to upstream commit
8eec1020f0 (cpufreq: create cpu/cpufreq at boot time) which creates it
at boot time. Hence drop this build fix.
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
In an issue very similar to 4e461c777e (xt_qtaguid: Fix panic
caused by synack processing), we were seeing panics on occasion
in testing.
In this case, it was the same issue, but caused by a different
call path, as the sk being returned from qtaguid_find_sk() was
not a full socket. Resulting in the sk->sk_socket deref to fail.
This patch adds an extra check to ensure the sk being retuned
is a full socket, and if not it returns NULL.
Reported-by: Milosz Wasilewski <milosz.wasilewski@linaro.org>
Signed-off-by: John Stultz <john.stultz@linaro.org>
This change allows to use same kernel image with
different console options for uart and fiq_debugger.
If fiq_debugger.disable will be set to 1/y/Y,
fiq_debugger will not be initialized.
Change-Id: I71fda54f5f863d13b1437b1f909e52dd375d002d
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
The PR_DUMPABLE flag causes the pid related paths of the
proc file system to be owned by ROOT. The implementation
of pthread_set/getname_np however needs access to
/proc/<pid>/task/<tid>/comm.
If PR_DUMPABLE is false this implementation is locked out.
This patch installs a special permission function for
the file "comm" that grants read and write access to
all threads of the same group regardless of the ownership
of the inode. For all other threads the function falls back
to the generic inode permission check.
Signed-off-by: Janis Danisevskis <jdanis@google.com>
When you configure (set it up) a STA interface, the driver
install a multicast filter. This is normal behavior, when
one application subscribe to multicast address the filter
is updated. When Access Point interface is configured, there
is no filter installation and the "filter update" path is
disabled in the driver.
The problem happens when you switch an interface from STA
type to AP type. The filter is installed but there are no
means to update it.
Change-Id: Ied22323af831575303abd548574918baa9852dd0
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
fiq_debugger is taking over uart, so it is necessary to disable
original uart in DT file. It can be done manually or by overlay.
Change-Id: I9f50ec15b0e22e602d73b9f745fc8666f8925d09
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
This reverts commit 5b42ae3eda.
This recereated arch/arm/include/asm/mach/mmc.h include file has
no active user in android-4.x kernels. Also all the necessary bits
are already moved to include/linux/amba/mmci.h.
6ef297f86b (ARM: 5720/1: Move MMCI header to amba include dir)
Change-Id: Ibf258b355d17f54f49b777a8f6e0089e9b59a3a5
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
This reverts commit 541632275e.
mmc_platform_data (or arch/arm/include/asm/mach/mmc.h in general)
has no active user in android-4.x kernels. Also all the necessary
bits are already moved to include/linux/amba/mmci.h.
6ef297f86b (ARM: 5720/1: Move MMCI header to amba include dir)
Change-Id: Iff384eb527327bf88543408e0257241c1fd99a43
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
If CONFIG_DUAL_ROLE_USB_INTF is disabled but the exported functions
are referenced, the build will result in warnings such as:
In file included from include/linux/usb/class-dual-role.h:112:13:
warning: ‘dual_role_instance_changed’ defined but not used
[-Wunused-function]
These stub functions should be static inline.
Change-Id: I5a9ef58dca32306fac5a4c7f28cdaa36fa8ae078
Signed-off-by: Jack Pham <jackp@codeaurora.org>
(cherry picked from commit 2d152dbb0743526b21d6bbefe097f874c027f860)
(cherry picked from commit 8ad66cafaa10e6ba94ff79a8dbc2cc437c6bfe93)
This reverts commit 91fa97e1e5.
This patch is no longer valid. There are no users for this status irq and
callback in android-4.x. The Qcom platform (mach-msm/qsd8x50, HTC Dream..)
and SDCC controller (msm_sdcc) using this status IRQ and callback are
dropped from mainline sometime back.
27842bb18b00 (mmc: Remove msm_sdcc driver)
c0c89fafa2 (ARM: Remove mach-msm and associated ARM architecture code)
Change-Id: Ia38e42a06dc184395f79c1ec1d306bf9775704d5
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Here is just the quick fix for tracefs with selinux.
just add tracefs to the list of whitelisted filesystem
types in selinux_is_sblabel_mnt(), but the right fix would be to
generalize this logic as described in the last item on the todo list,
https://bitbucket.org/seandroid/wiki/wiki/ToDo
Change-Id: I2aa803ccffbcd2802a7287514da7648e6b364157
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
This reverts commit 0840b80cb9.
This patch is already upstreamed in v4.4, commit
658d4aed59 (HID: hid-multitouch: Filter collections by application usage.),
and further fixed/cleaned up afterwards in commits
c2ef8f21ea (HID: multitouch: add support for trackpads),
76f5902aeb (HID: hid-multitouch: Simplify setup and frame synchronization) et al.
By having this duplicate patch in AOSP we are doing redundant
checks for Touchscreen and Touchpad devices.
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
In upstream commit ca6fb06518
(tcp: attach SYNACK messages to request sockets instead of
listener)
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ca6fb0651883
The building of synack messages was changed, which made it so
the skb->sk points to a casted request_sock. This is problematic,
as there is no sk_socket in a request_sock. So when the qtaguid_mt
function tries to access the sk->sk_socket, it accesses uninitialized
memory.
After looking at how other netfilter implementations handle this,
I realized there was a skb_to_full_sk() helper added, which the
xt_qtaguid code isn't yet using.
This patch adds its use, and resovles panics seen when accessing
uninitialzed memory when processing synack packets.
Reported-by: YongQin Liu <yongquin.liu@linaro.org>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Kernel panic when type "cat /sys/kernel/debug/shrinker"
Unable to handle kernel paging request at virtual address 0af37d40
pgd = d4dec000
[0af37d40] *pgd=00000000
Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[<c0bb8f24>] (_raw_spin_lock) from [<c020aa08>] (list_lru_count_one+0x14/0x28)
[<c020aa08>] (list_lru_count_one) from [<c02309a8>] (super_cache_count+0x40/0xa0)
[<c02309a8>] (super_cache_count) from [<c01f6ab0>] (debug_shrinker_show+0x50/0x90)
[<c01f6ab0>] (debug_shrinker_show) from [<c024fa5c>] (seq_read+0x1ec/0x48c)
[<c024fa5c>] (seq_read) from [<c022e8f8>] (__vfs_read+0x20/0xd0)
[<c022e8f8>] (__vfs_read) from [<c022f0d0>] (vfs_read+0x7c/0x104)
[<c022f0d0>] (vfs_read) from [<c022f974>] (SyS_read+0x44/0x9c)
[<c022f974>] (SyS_read) from [<c0107580>] (ret_fast_syscall+0x0/0x3c)
Code: e1a04000 e3a00001 ebd66b39 f594f000 (e1943f9f)
---[ end trace 60c74014a63a9688 ]---
Kernel panic - not syncing: Fatal exception
shrink_control.nid is used but not initialzed, same for
shrink_control.memcg.
This reverts commit b0e7a582b2.
Change-Id: I108de88fa4baaef99a53c4e4c6a1d8c4b4804157
Reported-by: Xiaowen Liu <xiaowen.liu@freescale.com>
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
This reverts commit 78d36d2111.
Drop this duplicate patch. This patch is already upstreamed in v4.4. Commits
5c73fceb8c (SELinux: Enable setting security contexts on rootfs inodes.),
12f348b9dc (SELinux: rename SE_SBLABELSUPP to SBLABEL_MNT), and
b43e725d8d (SELinux: use a helper function to determine seclabel),
for reference.
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
This reverts commit 43e1b4f528.
This patch is part of code which is already upstreamed in v4.4. Commits
5c73fceb8c (SELinux: Enable setting security contexts on rootfs inodes.),
12f348b9dc (SELinux: rename SE_SBLABELSUPP to SBLABEL_MNT), and
b43e725d8d (SELinux: use a helper function to determine seclabel).
for reference.
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Allows FUSE to report to inotify that it is acting
as a layered filesystem. The userspace component
returns a string representing the location of the
underlying file. If the string cannot be resolved
into a path, the top level path is returned instead.
bug: 23904372
Change-Id: Iabdca0bbedfbff59e9c820c58636a68ef9683d9f
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Update seq_printf() usage in xt_qtaguid to align
with changes from mainline commit 6798a8caaf
"fs/seq_file: convert int seq_vprint/seq_printf/etc...
returns to void".
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
This reverts commit 5c7566a29b.
This patch revert some changes in net/netfilter/xt_qtaguid.c as well.
I'll submit another patch to restore those changes.
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
This reverts commit 8d3a6c1538.
This series of patches revert AOSP UID_STAT and NET_ACTIVITY_STATS drivers.
I could not find any meaningful usage of these interfaces in AOSP master.
UID_STAT driver expose "/proc/uid_stat/*" interfaces but it is only
used in AOSP master as in what appears be an out of date bandwidth
test in frameworks/base and in somewhat recent battery utils test
in external/chromium-trace project.
NET_ACTIVITY_STATS driver expose "/proc/net/stat/activity" interface
but I can not track its usage anywhere in AOSP at all.
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
