- May 09, 2017
Daniel Rosenberg authored
If we fail to get top, top is either NULL, or igrab found that we're in the process of freeing that inode, and did not grab it. Either way, we didn't grab it, and have no business putting it. Signed-off-by: Daniel Rosenberg <drosen@google.com> Bug: 38117720 Change-Id: Ie2f587483b9abb5144263156a443e89bc69b767b
-
- May 02, 2017
Ghanim Fodi authored
SSR logic is executed during device shutdown. During device shutdown the Linux tasks (processes) are moving to SIGKILL state. If a DMA allocation from the kernel happens in a context of a process in SIGKILL state and page migration is needed, the allocation will fail. Use GFP_ATOMIC allocation flag during SSR. This will utilize the atomic memory pool and will not require page migration. Bug: 36779136 CRs-fixed: 1077811 Change-Id: Ie06b85d1f9d0a230c3d3832b6f0bbcdefc520c1e Signed-off-by: Ghanim Fodi <gfodi@codeaurora.org> Signed-off-by: Utkarsh Saxena <usaxena@codeaurora.org> Signed-off-by: Siqi Lin <siqilin@google.com>
-
- Apr 27, 2017
Daniel Rosenberg authored
We should be calling the lower filesystem's revalidate inside of sdcardfs's revalidate, as wrapfs does. Signed-off-by: Daniel Rosenberg <drosen@google.com> Bug: 35766959 Change-Id: I939d1c4192fafc1e21678aeab43fe3d588b8e2f4
-
Daniel Rosenberg authored
When setting up the ownership of files on the lower filesystem, ensure that these values are in reasonable ranges for apps. If they aren't, default to AID_MEDIA_RW Signed-off-by: Daniel Rosenberg <drosen@google.com> Bug: 37516160 Change-Id: I0bec76a61ac72aff0b993ab1ad04be8382178a00
-
Daniel Rosenberg authored
This reverts commit ffa75fdb9c408f49b9622b6d55752ed99ff61488. Turns out we just needed the right hash. Signed-off-by: Daniel Rosenberg <drosen@google.com> Bug: 37231161 Change-Id: I6a6de7f7df99ad42b20fa062913b219f64020c31
-
Daniel Rosenberg authored
We weren't accounting for FS specific hash functions, causing us to miss negative dentries for any FS that had one. Similar to a patch from esdfs commit 75bd25a9476d ("esdfs: support lower's own hash") Signed-off-by: Daniel Rosenberg <drosen@google.com> Change-Id: I32d1ba304d728e0ca2648cacfb4c2e441ae63608
-
Michael Halcrow authored
When performing orphan cleanup on mount, ext4 may truncate pages. Truncation as currently implemented may require the encryption key for partial zeroing, and the key isn't necessarily available on mount. Since the userspace tools don't perform the partial zeroing operation anyway, let's just skip doing that in the kernel. This patch fixes a BUG_ON() oops. Bug: 35209576 Bug: 37690053 Change-Id: I2527a3f8d2c57d2de5df03fda69ee397f76095d7 Signed-off-by: Michael Halcrow <mhalcrow@google.com> Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
-
- Apr 26, 2017
Jaegeuk Kim authored
As Al pointed, d_revalidate should return RCU lookup before using d_inode. This was originally introduced by: commit 34286d66 ("fs: rcu-walk aware d_revalidate method"). Reported-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org> Cc: Theodore Ts'o <tytso@mit.edu> Cc: stable <stable@vger.kernel.org> Bug: 29001513 Bug: 37690053 (cherry picked from commit 03a8bb0e) Change-Id: Ib27314728babf4ccdb7b603ac99896b55cb7b9e0
-
- Apr 21, 2017
Hareesh Gundu authored
Robust context attempts to perform a rendering that takes too long whether due to an infinite loop in a shader or even just a rendering operation that takes too long on the given hardware. This type of attempts can result into GPU faults. Robust context expect driver to replay IB instead skip IB and if it fails on replay context has to be invalidated. KGSL_CONTEXT_INVALIDATE_ON_FAULT flag allows draw context to execute only replay policy on GPU fault recovery instead of going to default recovery policy. User space has to set this flag during the context creation. Bug: 34887800 Change-Id: If42dc5afc7d5ed1226b73ae5abfa2648d7acf2c3 Signed-off-by: Hareesh Gundu <hareeshg@codeaurora.org>
-
- Apr 20, 2017
Daniel Rosenberg authored
This reverts commit 60df9f12992bc067216078ae756066c5d7c74d87. This change caused issues for sdcardfs on top of vfat Signed-off-by: Daniel Rosenberg <drosen@google.com> Bug: 37231161 Change-Id: Ie56a91fda582af27921cc1a9de7ae19a9a988f2a
-
- Apr 19, 2017
Daniel Rosenberg authored
Not all filesystems support changing the owner of a file. We shouldn't complain if it doesn't happen. Signed-off-by: Daniel Rosenberg <drosen@google.com> Bug: 37488099 Change-Id: I403e44ab7230f176e6df82f6adb4e5c82ce57f33
-
Daniel Rosenberg authored
For file based encryption, ext4 explicitly does not create negative dentries for encrypted files. If you force one over it, the decrypted file will be hidden until the cache is cleared. Instead, just fail out. Signed-off-by: Daniel Rosenberg <drosen@google.com> Bug: 37231161 Change-Id: Id2a9708dfa75e1c22f89915c529789caadd2ca4b
-
Daniel Rosenberg authored
Adapted from wrapfs commit 8c49eaa0sb9c ("Wrapfs: ->iget fixes") Change where we igrab/iput to ensure we always hold a valid lower_inode. Return ENOMEM (not EACCES) if iget5_locked returns NULL. Signed-off-by: Erez Zadok <ezk@cs.sunysb.edu> Signed-off-by: Daniel Rosenberg <drosen@google.com> Bug: 35766959 Change-Id: Id8d4e0c0cbc685a0a77685ce73c923e9a3ddc094
-
Daniel Rosenberg authored
Change-Id: Ieb955dd26493da26a458bc20fbbe75bca32b094f Signed-off-by: Daniel Rosenberg <drosen@google.com> Bug: 37193650
-
- Apr 17, 2017
Jerry Zhang authored
epfile->error is a QC extension. It needs to be guarded from being null to work safely with the no_disconnect patch. Bug: 37423404 Change-Id: I3142a03ef3296b928aa36c54a5397afbe30798b7 Signed-off-by: Jerry Zhang <zhangjerry@google.com>
-
- Apr 12, 2017
Subhani Shaik authored
When IE whitelisting is enabled, only probe requests from INFRA STA during scan should contain selective IEs, but in current code, probe requests of P2P scans are also containing selective IEs, which is a bug. To fix this, invoke IE whitelisting only for INFRA STA. Change-Id: Icd2984013b3f29714b1e852389110ef2257be94b Bug: 37214129 Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
-
Daniel Rosenberg authored
Instead of relying on a copy hack, pass the lower file as private data. This lets the kernel find the vma mapping for pages used by the file, allowing pages used by mapping to be reclaimed. This is adapted from following esdfs patches commit 0647e638d: ("esdfs: store lower file in vm_file for mmap") commit 064850866: ("esdfs: keep a counter for mmaped file") Change-Id: I75b74d1e5061db1b8c13be38d184e118c0851a1a Signed-off-by: Daniel Rosenberg <drosen@google.com>
-
Daniel Rosenberg authored
Signed-off-by: Daniel Rosenberg <drosen@google.com> Change-Id: I958c7c226d4e9265fea8996803e5b004fb33d8ad
-
Daniel Rosenberg authored
adapted from wrapfs commit 9671770ff8b9 ("Wrapfs: use d_splice_alias") Refactor interpose code to allow lookup to use d_splice_alias. Signed-off-by: Erez Zadok <ezk@cs.sunysb.edu> Signed-off-by: Daniel Rosenberg <drosen@google.com> Bug: 35766959 Change-Id: Icf51db8658202c48456724275b03dc77f73f585b
-
Daniel Rosenberg authored
Adapted from wrapfs commit 1d1d23a47baa ("Wrapfs: fix ->llseek to update upper and lower offsets") Fixes bug: xfstests generic/257. f_pos consistently is required by and only by dir_ops->wrapfs_readdir, main_ops is not affected. Signed-off-by: Erez Zadok <ezk@cs.sunysb.edu> Signed-off-by: Mengyang Li <li.mengyang@stonybrook.edu> Signed-off-by: Daniel Rosenberg <drosen@google.com> Bug: 35766959 Change-Id: I360a1368ac37ea8966910a58972b81504031d437
-
Daniel Rosenberg authored
Adapted from wrapfs commit fbc9c6f83ea6 ("Wrapfs: copy lower inode attributes in ->ioctl") commit e97d8e26cc9e ("Wrapfs: use file_inode helper") Some ioctls (e.g., EXT2_IOC_SETFLAGS) can change inode attributes, so copy them from lower inode. Signed-off-by: Erez Zadok <ezk@cs.sunysb.edu> Signed-off-by: Daniel Rosenberg <drosen@google.com> Bug: 35766959 Change-Id: I0f12684b9dbd4088b4a622c7ea9c03087f40e572
-
Daniel Rosenberg authored
Adapted from wrapfs commit 5be6de9ecf02 ("Wrapfs: use vm_munmap in ->mmap") commit 2c9f6014a8bb ("Wrapfs: remove unnecessary call to vm_unmap in ->mmap") Code is unnecessary and causes deadlocks in newer kernels. Signed-off-by: Erez Zadok <ezk@cs.sunysb.edu> Signed-off-by: Daniel Rosenberg <drosen@google.com> Bug: 35766959 Change-Id: Ia252d60c60799d7e28fc5f1f0f5b5ec2430a2379
-
- Apr 11, 2017
Subhani Shaik authored
wlan host driver upgrade to 4.4.23.018. Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
-
Subhani Shaik authored
If there is a mismatch in channel number present in BD and Beacon/probe response, corresponding BSSID entry is not added in scan cache. This can result in reconnection failure. If the entry is not present then add this entry even in case of mismatch. Bug: 36494510 Change-Id: Id8c45ff88731288144fe39f5da56748f403dfdb7 Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
-
Nick Desaulniers authored
June 2017.1 Bug: 37156499 Change-Id: I0a6fb21fc83e5f4e417ccb0ba0667ee38f2c1880
-
Maciej Żenczykowski authored
This implements: https://tools.ietf.org/html/rfc7559

Backoff is performed according to RFC3315 section 14: https://tools.ietf.org/html/rfc3315#section-14

We allow setting /proc/sys/net/ipv6/conf/*/router_solicitations to a negative value meaning an unlimited number of retransmits, and we make this the new default (in line with the RFC).

We also add a new setting: /proc/sys/net/ipv6/conf/*/router_solicitation_max_interval defaulting to 1 hour (per RFC recommendation).

Signed-off-by: Maciej Żenczykowski <maze@google.com> Acked-by: Erik Kline <ek@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked from commit bd11f074 in DaveM's net-next/master, should make Linus' tree in 4.9-rc1) Change-Id: Ia32cdc5c61481893ef8040734e014bf2229fc39e
-
- Apr 10, 2017
Nick Desaulniers authored
Merge branch msm-lge/android-msm-bullhead-3.10-nyc-mr2-security-next into android-msm-bullhead-3.10-nyc-mr2 June 2017.1 Bug: 37156499
-
Skylar Chang authored
The ipa_ioc_query_intf_rx_props structure comes from the ioctl handler, and it is verified that the size of rx buffer does not exceed the IPA_NUM_PROPS_MAX elements. It is also verified that the "entry->rx" buffer does not exceed IPA_NUM_PROPS_MAX when "entry" is allocated. However, the sizes of the buffer "rx->rx" and the buffer "entry->rx" are not guaranteed to be the same and will lead to a memory corruption issue. The fix is to add the check before memcpy. Bug: 34026243 Bug: 35048450 Bug: 35047780 Bug: 35047217 Change-Id: Idf5c2d32f47c1a1cffeaa5607193855188893ddb Signed-off-by: Skylar Chang <chiaweic@codeaurora.org> Signed-off-by: Steve Pfetsch <spfetsch@google.com> (am from https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=cf0d31bc)
-
Jonathan Solnit authored
If DMA attachment fails during fb_mmap, all ION memory will get freed. It is necessary to reset the fbmem and fb_attachemnt pointer to NULL, otherwise shutdown will perform another free, causing an issue. CRs-Fixed: 1090244 Bug: 36251984 Change-Id: If998615655f69d9d867d7655d617083d3d9c03eb Signed-off-by: Benjamin Chan <bkchan@codeaurora.org> Signed-off-by: Jonathan Solnit <jsolnit@google.com>
-
Sureshnaidu Laveti authored
Copying the flash initialization parameters from userspace memory to kernel memory and in turn checking for the validity of the flash initialization parameters pointer sent from userspace. CRs-Fixed: 1091603 Bug: 36251230 Change-Id: I17d57016c254fb6628844a152b0e7d45c0b23b2d Signed-off-by: Sureshnaidu Laveti <lsuresh@codeaurora.org>
-
Andrew Chant authored
Validate the intr_reg_num value returned by touchscreen to ensure no out of bounds access can occur. Bug: 35472278 Signed-off-by: Andrew Chant <achant@google.com> Change-Id: Ib2b5a53034fd1306d29a74ff0f2f698f149fc8c3
-
Walter Yang authored
Add backend user count checking to protect the index boundary. Bug: 33751424 Change-Id: Ic1b61d1f7130252cc54da0b16553858714988dbd CRs-Fixed: 2009216 Signed-off-by: Walter Yang <yandongy@codeaurora.org> Signed-off-by: Siqi Lin <siqilin@google.com>
-
Rajesh Bondugula authored
i2c_freq_mode in msm_cci_get_clk_rates is populated from userspace. Validate to make sure it has valid values. If a large number is sent from userspace to avoid a buffer over read. Crs-Fixed: 1086833 Bug: 35216793 Change-Id: I237f60dca3e3dbad4e6188bf047cf7ec5163d159 Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
-
Zhen Kong authored
Add mutex around qseecom_set_client_mem_param to prevent an ioctl thread modifying and corrupting data which is being processed by another ioctl in the other thread Bug: 34327981 Change-Id: I0cfb8afab4001c2913be693dfe44c761b9568893 Signed-off-by: Zhen Kong <zkong@codeaurora.org>
-
Naseer Ahmed authored
The calculation of cursor image size has a potential integer overflow issue. Modifying the validation logic to avoid overflow. Bug: 34125463 Change-Id: If21eff9623d71e11d116741de3a349a95dbc54bd Signed-off-by: Rajkumar Subbiah <rsubbia@codeaurora.org> Signed-off-by: Steve Pfetsch <spfetsch@google.com>
-
Dennis Cagle authored
Issue: Missing bound check when writing into the output array buffer, which can lead to out-of-bound heap write. Fix: Adding hardcoded constant 8 in the MSM_OUTPUT_BUF_CNT macro and size check to the place where the array is accessed. Returning '0' if exceeds MSM_OUTPUT_BUF_CNT. Caller will return -EINVAL for '0'. Bug: 34621613 Change-Id: Ic03f86e3e47ece9ca7069527e741a75ad9a0f83f CRs-Fixed: 2004036 Signed-off-by: Pratap Nirujogi <pratapn@codeaurora.org> Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
-
Dennis Cagle authored
If two ioctls are triggered with different commands, there is a possibility to access freed confidence level memory. To resolve this acquire lock in ioctl. Also release mutex lock properly in error cases. Bug: 33452365 CRs-Fixed: 1103085 Change-Id: I7d6b2eff21c8297e5f0755a0c141254be32f777d Signed-off-by: Yeleswarapu Nagaradhesh <nagaradh@codeaurora.org> Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
-
Siena Richard authored
Add size check to ensure the payload fits inside the declared payload size to prevent loss of data when copying. CRs-Fixed: 2009224 Signed-off-by: Siena Richard <sienar@codeaurora.org> Change-Id: I4275c626605272941143b54a7b8861b25f8e750a Bug: 31796345 (am from https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=552714ed16b3ff6bf90be99d6d22ce5e6d298ac8 ) Signed-off-by: Yueyao Zhu <yueyao@google.com>
-
- Apr 07, 2017
Robert Baldyga authored
Since we can compose gadgets from many functions, there is the problem related to gadget breakage while FunctionFS daemon being closed. FFS function is userspace code so there is no way to know when it will close files (it doesn't matter what is the reason of this situation, it can be daemon logic, program breakage, process kill or any other). So when we have another function in gadget which, for example, sends some amount of data, does some software update or implements some real-time functionality, we may want to keep the gadget connected despite FFS function is no longer functional.

We can't just remove one of functions from gadget since it has been enumerated, so the only way to keep entire gadget working is to make broken FFS function deactivated but still visible to host. For this purpose this patch introduces "no_disconnect" mode. It can be enabled by setting mount option "no_disconnect=1", and results with deferring function disconnect to the moment of reopen ep0 file or filesystem unmount. After closing all endpoint files, FunctionFS is set to state FFS_DEACTIVATED.

When ffs->state == FFS_DEACTIVATED:
  - function is still bound and visible to host,
  - setup requests are automatically stalled,
  - transfers on other endpoints are refused,
  - epfiles, except ep0, are deleted from the filesystem,
  - opening ep0 causes the function to be closed, and then FunctionFS is ready for descriptors and string write,
  - altsetting change causes the function to be closed - we want to keep function alive until another functions are potentially used, altsetting change means that another configuration is being selected or USB cable was unplugged, which indicates that we don't need to stay longer in FFS_DEACTIVATED state
  - unmounting of the FunctionFS instance causes the function to be closed.
Tested-by: David Cohen <david.a.cohen@linux.intel.com> Acked-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Robert Baldyga <r.baldyga@samsung.com> Signed-off-by: Felipe Balbi <balbi@ti.com> Bug: 36801389 Bug: 34873000 Change-Id: I950dc11f21048c34af640cb3ab81873d2a6730a9 Signed-off-by: Jerry Zhang <zhangjerry@google.com>
-
Joel Scherpelz authored
This commit adds a new sysctl accept_ra_rt_info_min_plen that defines the minimum acceptable prefix length of Route Information Options. The new sysctl is intended to be used together with accept_ra_rt_info_max_plen to configure a range of acceptable prefix lengths. It is useful to prevent misconfigurations from unintentionally blackholing too much of the IPv6 address space (e.g., home routers announcing RIOs for fc00::/7, which is incorrect). Backport of net-next commit bbea124b ("net: ipv6: Add sysctl for minimum prefix len acceptable in RIOs.") [lorenzo@google.com: fixed conflicts in include/uapi/linux/ipv6.h] Bug: 33333670 Test: net_test passes Signed-off-by: Joel Scherpelz <jscherpelz@google.com> Acked-by: Lorenzo Colitti <lorenzo@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-