| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
cpu_power has been added to keep track of amount of power each task is
consuming. cpu_power is updated whenever stime and utime are updated for
a task. power is computed by taking into account the frequency at which
the current core was running and the current for cpu actively
running at hat frequency.
Bug: 21498425
Change-Id: Ic535941e7b339aab5cae9081a34049daeb44b248
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
Git-commit: 94877641f6b6ea17aa335729f548eb5647db3e3e
Git-repo: https://android.googlesource.com/kernel/msm/
Signed-off-by: Nirmal Abraham <nabrah@codeaurora.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
sched_get_nr_running_avg() returns average nr_running and nr_iowait
task count since it was last invoked. Fix several bugs in their
calculation.
* sched_update_nr_prod() needs to consider that nr_running count can
change by more than 1 when CFS_BANDWIDTH feature is used
* sched_get_nr_running_avg() needs to sum up nr_iowait count across
all cpus, rather than just one
* sched_get_nr_running_avg() could race with sched_update_nr_prod(),
as a result of which it could use curr_time which is behind a cpu's
'last_time' value. That would lead to erroneous calculation of
average nr_running or nr_iowait.
While at it, fix also a bug in BUG_ON() check in
sched_update_nr_prod() function and remove unnecessary nr_running
argument to sched_update_nr_prod() function.
Change-Id: I46737614737292fae0d7204c4648fb9b862f65b2
Signed-off-by: Srivatsa Vaddagiri <vatsa@codeaurora.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Each time a task wakes up, scheduler evaluates its load and notifies
governor if the resulting frequency of destination CPU is larger than
a threshold. However, some governor wakes up a separate task that
handles frequency change, which again calls wake_up_process().
This is dangerous because if the task being woken up meets the
threshold and ends up being moved around, there is a potential for
endless recursive notifications.
Introduce a new API for waking up a task without triggering
frequency notification.
Change-Id: I24261af81b7dc410c7fb01eaa90920b8d66fbd2a
Signed-off-by: Junjie Wu <junjiew@codeaurora.org>
|
| |
|
|
|
|
|
| |
Add trace events for core control module.
Change-Id: I36da5381709f81ef1ba82025cd9cf8610edef3fc
Signed-off-by: Junjie Wu <junjiew@codeaurora.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Extend sched_get_nr_running_avg() API to return average nr_big_tasks,
in addition to average nr_running and average nr_io_wait tasks. Also
add a new trace point to record values returned by
sched_get_nr_running_avg() API.
Change-Id: Id3591e6d04da8db484b4d1cb9d95dba075f5ab9a
Signed-off-by: Srivatsa Vaddagiri <vatsa@codeaurora.org>
[rameezmustafa@codeaurora.org: Resolve trivial merge conflicts]
Signed-off-by: Syed Rameez Mustafa <rameezmustafa@codeaurora.org>
|
| |
|
|
|
|
|
|
| |
Add support functions for core control driver. Also introduce
Kconfig for enabling core_ctl.
Change-Id: Ic127b6ed7d9450338883b13d9c42abfe49ff8b35
Signed-off-by: Bryan Huntsman <bryanh@codeaurora.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The current mainline has copies propagated to *all* nodes, then
tears down the copies we made for nodes that do not contain
counterparts of the desired mountpoint. That sets the right
propagation graph for the copies (at teardown time we move
the slaves of removed node to a surviving peer or directly
to master), but we end up paying a fairly steep price in
useless allocations. It's fairly easy to create a situation
where N calls of mount(2) create exactly N bindings, with
O(N^2) vfsmounts allocated and freed in process.
Fortunately, it is possible to avoid those allocations/freeings.
The trick is to create copies in the right order and find which
one would've eventually become a master with the current algorithm.
It turns out to be possible in O(nodes getting propagation) time
and with no extra allocations at all.
One part is that we need to make sure that eventual master will be
created before its slaves, so we need to walk the propagation
tree in a different order - by peer groups. And iterate through
the peers before dealing with the next group.
Another thing is finding the (earlier) copy that will be a master
of one we are about to create; to do that we are (temporary) marking
the masters of mountpoints we are attaching the copies to.
Either we are in a peer of the last mountpoint we'd dealt with,
or we have the following situation: we are attaching to mountpoint M,
the last copy S_0 had been attached to M_0 and there are sequences
S_0...S_n, M_0...M_n such that S_{i+1} is a master of S_{i},
S_{i} mounted on M{i} and we need to create a slave of the first S_{k}
such that M is getting propagation from M_{k}. It means that the master
of M_{k} will be among the sequence of masters of M. On the
other hand, the nearest marked node in that sequence will either
be the master of M_{k} or the master of M_{k-1} (the latter -
in the case if M_{k-1} is a slave of something M gets propagation
from, but in a wrong peer group).
So we go through the sequence of masters of M until we find
a marked one (P). Let N be the one before it. Then we go through
the sequence of masters of S_0 until we find one (say, S) mounted
on a node D that has P as master and check if D is a peer of N.
If it is, S will be the master of new copy, if not - the master of S
will be.
That's it for the hard part; the rest is fairly simple. Iterator
is in next_group(), handling of one prospective mountpoint is
propagate_one().
It seems to survive all tests and gives a noticably better performance
than the current mainline for setups that are seriously using shared
subtrees.
Change-Id: I45648e8a405544f768c5956711bdbdf509e2705a
Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
| |
|
|
|
|
|
|
| |
Change-Id: I75fcba66a9839c3be8dc11ced25105c87ac4ee65
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Git-commit: b2497fc3057ae27db9aa29579f16ae5afb6d6d08
Git-repo: https://android.googlesource.com/kernel/common.git
Signed-off-by: Kaushal Kumar <kaushalk@codeaurora.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
New method - ->iterate(file, ctx). That's the replacement for ->readdir();
it takes callback from ctx->actor, uses ctx->pos instead of file->f_pos and
calls dir_emit(ctx, ...) instead of filldir(data, ...). It does *not*
update file->f_pos (or look at it, for that matter); iterate_dir() does the
update.
Note that dir_emit() takes the offset from ctx->pos (and eventually
filldir_t will lose that argument).
Change-Id: I24c029f536689d809e804c6f742a5f28070e4a2e
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Git-commit: 83fd542759010949ac7d9638b615fac1bb9744e1
Git-repo: https://android.googlesource.com/kernel/common.git
Signed-off-by: Kaushal Kumar <kaushalk@codeaurora.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
iterate_dir(): new helper, replacing vfs_readdir().
struct dir_context: contains the readdir callback (and will get more stuff
in it), embedded into whatever data that callback wants to deal with;
eventually, we'll be passing it to ->readdir() replacement instead of
(data,filldir) pair.
Change-Id: I2285e5832093a0bbd7dd42b5e4cf26d62703c34e
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Git-commit: c301a0e047e401d41b26db1009d08e088ae2365a
Git-repo: https://android.googlesource.com/kernel/common.git
Signed-off-by: Kaushal Kumar <kaushalk@codeaurora.org>
|
| |
|
|
|
|
|
|
|
|
| |
This allows filesystems to use their mount private data to
influence the permssions they use in setattr2. It has
been separated into a new call to avoid disrupting current
setattr users.
Change-Id: I19959038309284448f1b7f232d579674ef546385
Signed-off-by: Daniel Rosenberg <drosen@google.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Now we pass the vfsmount when mounting and remounting.
This allows the filesystem to actually set up the mount
specific data, although we can't quite do anything with
it yet. show_options is expanded to include data that
lives with the mount.
To avoid changing existing filesystems, these have
been added as new vfs functions.
Change-Id: If80670bfad9f287abb8ac22457e1b034c9697097
Signed-off-by: Daniel Rosenberg <drosen@google.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This starts to add private data associated directly
to mount points. The intent is to give filesystems
a sense of where they have come from, as a means of
letting a filesystem take different actions based on
this information.
Change-Id: Ie769d7b3bb2f5972afe05c1bf16cf88c91647ab2
Signed-off-by: Daniel Rosenberg <drosen@google.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Allows FUSE to report to inotify that it is acting
as a layered filesystem. The userspace component
returns a string representing the location of the
underlying file. If the string cannot be resolved
into a path, the top level path is returned instead.
bug: 23904372
Change-Id: Iabdca0bbedfbff59e9c820c58636a68ef9683d9f
Signed-off-by: Daniel Rosenberg <drosen@google.com>
|
| |
|
|
|
|
|
|
|
|
| |
This allows filesystems to use their mount private data to
influence the permssions they return in permission2. It has
been separated into a new call to avoid disrupting current
permission users.
Change-Id: I9d416e3b8b6eca84ef3e336bd2af89ddd51df6ca
Signed-off-by: Daniel Rosenberg <drosen@google.com>
|
| |
|
|
|
|
| |
bug: 23904372
Change-Id: I4a686d64b6de37decf60019be1718e1d820193e6
Signed-off-by: Daniel Rosenberg <drosen@google.com>
|
| |
|
|
|
|
| |
This reverts commit c58e6f11aa1253ebf301721acb21228b846b8975.
Change-Id: I02101b0061e2e6f1c9c5fd5c46cb04f539a63c29
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Validate eeprom_name string length before copying into
the userspace buffer.
If more data than required is copied, userspace has the access to
some of kernel data which is not intended.
CRs-Fixed: 1090007
Bug: 32720522
Change-Id: Id40a287e0b1a93cc15d9b02c757fe9f347e285f2
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
Signed-off-by: Yang Guang <guyang@codeaurora.org>
|
| |\
| |
| |
| |
| |
| |
| |
| | |
https://android.googlesource.com/kernel/msm into HEAD
Android 7.1.1 Release 0.31 (N4F26P,seed)
Change-Id: I8d0feb72827ef1a65a50d486e151c19a2e6f4927
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add whitelist support for listener to send modified resp to TZ;
also add whitelist support for kernel client; and change the method
to check whitelist feature
Change-Id: I53750526aec9f9cba9a97c000dfbfec165b3e2f1
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Bug: 29083830
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
qseecom_send_modfd_cmd converts ION buffer's virtual address to
scatter gather(SG) list and then sends them to TA by populating
SG list into message buffer. As the physical memory address in
SG list is used directly by TA, this allows a malicious TA to
access/corrupt arbitrary physical memory and may lead to the
process gaining kernel/root privileges. Thus, make changes to
have the QSEEComm driver passing a list of whitelist buffers
that is allowed to be mapped by TA, and the QSEE kernel, in turn,
should add checks to the register_shared_buffer syscall to make
sure the shared buffers an application is mapping falls within
one of these whitelist buffers
CRs-fixed: 1021945
Change-Id: I776ead0030cad167afcf41ab985db7151a42d126
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Signed-off-by: Mallikarjuna Reddy Amireddy <mamire@codeaurora.org>
Bug: 29083830
Change-Id: Id45cf38a74ab70e2adc9156552c005f58dffd922
|
| | |
| |
| |
| |
| |
| | |
This reverts commit d83c9659985c3b22959a2a83564f6a4ff9b8a7c7.
Change-Id: I5ca1dd52a272406899f9221495507115c28366a2
|
| | |
| |
| |
| |
| |
| | |
This reverts commit cc817c777cbd43bcccf994695d5426b897adcd0c.
Change-Id: Id8a1e93c5c1f6892c2efd38e99e59aba27c53d30
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Add whitelist support for listener to send modified resp to TZ;
also add whitelist support for kernel client; and change the method
to check whitelist feature.
Change-Id: I0030b0008d6224cda3fdc1f80308a7e9bcfe4405
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Bug: 29083830
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
qseecom_send_modfd_cmd converts ION buffer's virtual address to
scatter gather(SG) list and then sends them to TA by populating
SG list into message buffer. As the physical memory address in
SG list is used directly by TA, this allows a malicious TA to
access/corrupt arbitrary physical memory and may lead to the
process gaining kernel/root privileges. Thus, make changes to
have the QSEEComm driver passing a list of whitelist buffers
that is allowed to be mapped by TA, and the QSEE kernel, in turn,
should add checks to the register_shared_buffer syscall to make
sure the shared buffers an application is mapping falls within
one of these whitelist buffers.
CRs-fixed: 1021945
Change-Id: I776ead0030cad167afcf41ab985db7151a42d126
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Signed-off-by: Mallikarjuna Reddy Amireddy <mamire@codeaurora.org>
Bug: 29083830
Change-Id: Ic865239ba71315a81a5a96d9d54b3ef71dfe42d1
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Implement Samsung's FMODE_NONMAPPABLE flag from
sdcardfs version 2.1.4 as we hit a BUG on ext4:
[ 49.655037]@0 Kernel BUG at ffffffc0001deeec [verbose debug info unavailable]
[ 49.655045]@0 Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
[ 49.655052]@0 Modules linked in:
[ 49.655061]@0 CPU: 0 PID: 283 Comm: kworker/u8:7 Tainted: G W 3.18.20-perf-g3be2054-00086-ga8307fb #1
[ 49.655070]@0 Hardware name: Qualcomm Technologies, Inc. MSM 8996 v3 + PMI8996 MTP (DT)
[ 49.655077]@0 Workqueue: writeback bdi_writeback_workfn (flush-8:0)
[ 49.655096]@0 task: ffffffc174ba8b00 ti: ffffffc174bb4000 task.ti: ffffffc174bb4000
[ 49.655108]@0 PC is at mpage_prepare_extent_to_map+0x198/0x218
[ 49.655116]@0 LR is at mpage_prepare_extent_to_map+0x110/0x218
[ 49.655121]@0 pc : [<ffffffc0001deeec>] lr : [<ffffffc0001dee64>] pstate: 60000145
[ 49.655126]@0 sp : ffffffc174bb7800
[ 49.655130]@0 x29: ffffffc174bb7800 x28: ffffffc174bb7880
[ 49.655140]@0 x27: 000000000000000d x26: ffffffc1245505e8
[ 49.655149]@0 x25: 0000000000000000 x24: 0000000000003400
[ 49.655160]@0 x23: ffffffffffffffff x22: 0000000000000000
[ 49.655172]@0 x21: ffffffc174bb7888 x20: ffffffc174bb79e0
[ 49.655182]@0 x19: ffffffbdc4ee7b80 x18: 0000007f92872000
[ 49.655191]@0 x17: 0000007f959b6424 x16: ffffffc00016d1ac
[ 49.655201]@0 x15: 0000007f9285d158 x14: ffffffc1734796e8
[ 49.655210]@0 x13: ffffffbdc1ffa4c0 x12: ffffffbdc4ee7b80
[ 49.655220]@0 x11: 0000000000000100 x10: 0000000000000000
[ 49.655229]@0 x9 : 0000000000000000 x8 : ffffffc0b444e210
[ 49.655237]@0 x7 : 0000000000000000 x6 : ffffffc0b444e1e0
[ 49.655246]@0 x5 : 0000000000000000 x4 : 0000000000000001
[ 49.655254]@0 x3 : 0000000000000000 x2 : 400000000002003d
[ 49.655263]@0 x1 : ffffffbdc4ee7b80 x0 : 400000000002003d
[ 49.655271]@0
[ 49.656502]@0 Process kworker/u8:7 (pid: 283, stack limit = 0xffffffc174bb4058)
[ 49.656509]@0 Call trace:
[ 49.656514]@0 [<ffffffc0001deeec>] mpage_prepare_extent_to_map+0x198/0x218
[ 49.656526]@0 [<ffffffc0001e28d0>] ext4_writepages+0x270/0xa58
[ 49.656533]@0 [<ffffffc00012982c>] do_writepages+0x24/0x40
[ 49.656541]@0 [<ffffffc000180160>] __writeback_single_inode+0x40/0x114
[ 49.656549]@0 [<ffffffc000180e50>] writeback_sb_inodes+0x1dc/0x34c
[ 49.656555]@0 [<ffffffc00018103c>] __writeback_inodes_wb+0x7c/0xc4
[ 49.656560]@0 [<ffffffc000181224>] wb_writeback+0x110/0x1a8
[ 49.656565]@0 [<ffffffc000181344>] wb_check_old_data_flush+0x88/0x98
[ 49.656571]@0 [<ffffffc00018156c>] bdi_writeback_workfn+0xf4/0x1fc
[ 49.656576]@0 [<ffffffc0000b14f8>] process_one_work+0x1e0/0x300
[ 49.656585]@0 [<ffffffc0000b1e14>] worker_thread+0x318/0x438
[ 49.656590]@0 [<ffffffc0000b5da0>] kthread+0xe0/0xec
[ 49.656598]@0 Code: f9400260 f9400a63 1ad92063 37580040 (e7f001f2)
[ 49.656604]@0 ---[ end trace cbed09f772fd630d ]---
Conflicts:
include/linux/fs.h
mm/mmap.c
Change-Id: I931da7cb3841db1f130dba298a7d256b6f02d1bc
|
| |\|
| |
| |
| |
| |
| | |
https://android.googlesource.com/kernel/msm into cm-14.1
Change-Id: I535707379d360c4c4724ae3e329388a2fc72ef87
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 upstream.
This is an ancient bug that was actually attempted to be fixed once
(badly) by me eleven years ago in commit 4ceb5db9757a ("Fix
get_user_pages() race for write access") but that was then undone due to
problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug").
In the meantime, the s390 situation has long been fixed, and we can now
fix it by checking the pte_dirty() bit properly (and do it better). The
s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement
software dirty bits") which made it into v3.9. Earlier kernels will
have to look at the page state itself.
Also, the VM has become more scalable, and what used a purely
theoretical race back then has become easier to trigger.
To fix it, we introduce a new internal FOLL_COW flag to mark the "yes,
we already did a COW" rather than play racy games with FOLL_WRITE that
is very fundamental, and then use the pte dirty flag to validate that
the FOLL_COW flag is still valid.
Reported-and-tested-by: Phil "not Paul" Oester <kernel@linuxace.com>
Acked-by: Hugh Dickins <hughd@google.com>
Reviewed-by: Michal Hocko <mhocko@suse.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Nick Piggin <npiggin@gmail.com>
Cc: Greg Thelen <gthelen@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[wt: s/gup.c/memory.c; s/follow_page_pte/follow_page_mask;
s/faultin_page/__get_user_page]
Signed-off-by: Willy Tarreau <w@1wt.eu>
Change-Id: I42e448ecacad4781b460c4c989026307169ba1b5
Bug: 32141528
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When moving a group_leader perf event from a software-context
to a hardware-context, there's a race in checking and
updating that context. The existing locking solution
doesn't work; note that it tries to grab a lock inside
the group_leader's context object, which you can only
get at by going through a pointer that should be protected
from these races. To avoid that problem, and to produce
a simple solution, we can just use a lock per group_leader
to protect all checks on the group_leader's context.
The new lock is grabbed and released when no context locks
are held.
Bug: 30955111
Bug: 31095224
Change-Id: If37124c100ca6f4aa962559fba3bd5dbbec8e052
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This adds the capability for a process that has CAP_NET_ADMIN on
a socket to see the socket mark in socket dumps.
Commit a52e95abf772 ("net: diag: allow socket bytecode filters to
match socket marks") recently gave privileged processes the
ability to filter socket dumps based on mark. This patch is
complementary: it ensures that the mark is also passed to
userspace in the socket's netlink attributes. It is useful for
tools like ss which display information about sockets.
[backport of net-next d545caca827b65aab557a9e9dcdcf1e5a3823c2d]
Change-Id: I0c9708aae5ab8dfa296b8a1e6aecceb2a382415a
Tested: https://android-review.googlesource.com/270210
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This implements SOCK_DESTROY for UDP sockets similar to what was done
for TCP with commit c1e64e298b8ca ("net: diag: Support destroying TCP
sockets.") A process with a UDP socket targeted for destroy is awakened
and recvmsg fails with ECONNABORTED.
[backport of net-next 5d77dca82839ef016a93ad7acd7058b14d967752]
Change-Id: I84e71e774c859002f98dcdb5e0ca01f35227a44c
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This allows a privileged process to filter by socket mark when
dumping sockets via INET_DIAG_BY_FAMILY. This is useful on
systems that use mark-based routing such as Android.
The ability to filter socket marks requires CAP_NET_ADMIN, which
is consistent with other privileged operations allowed by the
SOCK_DIAG interface such as the ability to destroy sockets and
the ability to inspect BPF filters attached to packet sockets.
[backport of net-next a52e95abf772b43c9226e9a72d3c1353903ba96f]
Change-Id: Ic02caf628a71007cc7c48c9da220b4088f5aa4f4
Tested: https://android-review.googlesource.com/261350
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Acked-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add support to inet_diag facility to filter sockets based on device
index. If an interface index is in the filter only sockets bound
to that index (sk_bound_dev_if) are returned.
[backport of net-next 637c841dd7a5f9bd97b75cbe90b526fa1a52e530]
Change-Id: Ib430cfb44f1b3b1a771a561247ee9140737e52fd
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The overflow check is required to ensure that user space data
in kernel may not go beyond buffer boundary.
Bug: 28751152
CRs-Fixed: 1064411
Change-Id: I54c28a8942cf1a6a47a4e8272f3159b35d753ead
Signed-off-by: Karthik Reddy Katta <a_katta@codeaurora.org>
Signed-off-by: Biswajit Paul <biswajitpaul@codeaurora.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Use dynamic array allocation instead of static array to
prevent stack overflow.
User-supplied number of bytes may result in integer overflow.
To fix this we check that the num_byte isn't above 8K size.
Bug: 30559423
CRs-Fixed: 1060554
Change-Id: I9b05b846e5cc3a62b1a0a67be529f09abc764796
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
Signed-off-by: Biswajit Paul <biswajitpaul@codeaurora.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
(cherry picked from commit bb1fceca22492109be12640d49f5ea5a544c6bb4)
When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
tail of the write queue using tcp_add_write_queue_tail()
Then it attempts to copy user data into this fresh skb.
If the copy fails, we undo the work and remove the fresh skb.
Unfortunately, this undo lacks the change done to tp->highest_sack and
we can leave a dangling pointer (to a freed skb)
Later, tcp_xmit_retransmit_queue() can dereference this pointer and
access freed memory. For regular kernels where memory is not unmapped,
this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
returning garbage instead of tp->snd_nxt, but with various debug
features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.
This bug was found by Marco Grassi thanks to syzkaller.
Fixes: 6859d49475d4 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb")
Reported-by: Marco Grassi <marco.gra@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Change-Id: I58bb02d6e4e399612e8580b9e02d11e661df82f5
Bug: 31183296
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
A new v4l2 control V4L2_CID_MPEG_VIDC_VIDEO_VPE_CSC is added,
to allow v4l2 driver client to enable setting of color space
coefficients to firmware.
Change-Id: Ib434f3e45f3ee8bb265be7b402da3ef16e682dbe
Signed-off-by: Arun Menon <avmenon@codeaurora.org>
Signed-off-by: Pradosh Das <prados@codeaurora.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When clients specify color space information, venus HW
should embed it in the bit stream. This helps to
regenerate original colors when decoded by decoder.
When decoder detects the color space VUI, Venus fills
the corresponding extradata.
CRs-Fixed: 1026204
Change-Id: Ie9523558c23a8edc7a7ee058937658dd87ef5b16
Signed-off-by: Praneeth Paladugu <ppaladug@codeaurora.org>
Signed-off-by: Pradosh Das <prados@codeaurora.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The change extend the support in video driver
to enable few SEI extradata. Also update the
extradata menu V4L2 control with all the
available list of extradata.
CRs-Fixed: 1007521
Change-Id: I6d060afb48aca34c2bb54221c5babc0ac55aff7c
Signed-off-by: Vikash Garodia <vgarodia@codeaurora.org>
Signed-off-by: Vasantha Balla <vballa@codeaurora.org>
Signed-off-by: Pradosh Das <prados@codeaurora.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This adds the capability for a process that has CAP_NET_ADMIN on
a socket to see the socket mark in socket dumps.
Commit a52e95abf772 ("net: diag: allow socket bytecode filters to
match socket marks") recently gave privileged processes the
ability to filter socket dumps based on mark. This patch is
complementary: it ensures that the mark is also passed to
userspace in the socket's netlink attributes. It is useful for
tools like ss which display information about sockets.
[backport of net-next d545caca827b65aab557a9e9dcdcf1e5a3823c2d]
Change-Id: I0c9708aae5ab8dfa296b8a1e6aecceb2a382415a
Tested: https://android-review.googlesource.com/270210
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This implements SOCK_DESTROY for UDP sockets similar to what was done
for TCP with commit c1e64e298b8ca ("net: diag: Support destroying TCP
sockets.") A process with a UDP socket targeted for destroy is awakened
and recvmsg fails with ECONNABORTED.
[backport of net-next 5d77dca82839ef016a93ad7acd7058b14d967752]
Change-Id: I84e71e774c859002f98dcdb5e0ca01f35227a44c
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This allows a privileged process to filter by socket mark when
dumping sockets via INET_DIAG_BY_FAMILY. This is useful on
systems that use mark-based routing such as Android.
The ability to filter socket marks requires CAP_NET_ADMIN, which
is consistent with other privileged operations allowed by the
SOCK_DIAG interface such as the ability to destroy sockets and
the ability to inspect BPF filters attached to packet sockets.
[backport of net-next a52e95abf772b43c9226e9a72d3c1353903ba96f]
Change-Id: Ic02caf628a71007cc7c48c9da220b4088f5aa4f4
Tested: https://android-review.googlesource.com/261350
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Acked-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add support to inet_diag facility to filter sockets based on device
index. If an interface index is in the filter only sockets bound
to that index (sk_bound_dev_if) are returned.
[backport of net-next 637c841dd7a5f9bd97b75cbe90b526fa1a52e530]
Change-Id: Ib430cfb44f1b3b1a771a561247ee9140737e52fd
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The overflow check is required to ensure that user space data
in kernel may not go beyond buffer boundary.
Bug: 28751152
CRs-Fixed: 1064411
Change-Id: I54c28a8942cf1a6a47a4e8272f3159b35d753ead
Signed-off-by: Karthik Reddy Katta <a_katta@codeaurora.org>
Signed-off-by: Biswajit Paul <biswajitpaul@codeaurora.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Use dynamic array allocation instead of static array to
prevent stack overflow.
User-supplied number of bytes may result in integer overflow.
To fix this we check that the num_byte isn't above 8K size.
Bug: 30559423
CRs-Fixed: 1060554
Change-Id: I9b05b846e5cc3a62b1a0a67be529f09abc764796
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
Signed-off-by: Biswajit Paul <biswajitpaul@codeaurora.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
(cherry picked from commit bb1fceca22492109be12640d49f5ea5a544c6bb4)
When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
tail of the write queue using tcp_add_write_queue_tail()
Then it attempts to copy user data into this fresh skb.
If the copy fails, we undo the work and remove the fresh skb.
Unfortunately, this undo lacks the change done to tp->highest_sack and
we can leave a dangling pointer (to a freed skb)
Later, tcp_xmit_retransmit_queue() can dereference this pointer and
access freed memory. For regular kernels where memory is not unmapped,
this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
returning garbage instead of tp->snd_nxt, but with various debug
features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.
This bug was found by Marco Grassi thanks to syzkaller.
Fixes: 6859d49475d4 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb")
Reported-by: Marco Grassi <marco.gra@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Change-Id: I58bb02d6e4e399612e8580b9e02d11e661df82f5
Bug: 31183296
|
| |\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
https://android.googlesource.com/kernel/msm into cm-14.0
616a355 Remove unneeded .a files for ft8716 driver by Robb Glasser · 4 weeks ago android-msm-seed-3.10-nougat android-7.0.0_r0.21
79abacc Revert "Revert "add new tp driver and lcd driver"" by Robb Glasser · 4 weeks ago
1e6834e Revert "add new tp driver and lcd driver" by Robb Glasser · 5 weeks ago
aac1b45 net: ipv6: Fix ping to link-local addresses. by Lorenzo Colitti · 8 weeks ago
7c1b6fb ipv6: fix endianness error in icmpv6_err by Hannes Frederic Sowa · 4 months ago
37734ea add new tp driver and lcd driver by yanghong1 · 7 weeks ago
1f38892 ANDROID: binder: Add strong ref checks by Arve Hjønnevåg · 9 weeks ago
56934a5 ANDROID: binder: Clear binder and cookie when setting handle in flat binder struct by Arve Hjønnevåg · 8 weeks ago
c9a7674 ASoC: msm: qdsp6v2: Add size check in audio cal ioctl by vivek mehta · 3 months ago
1742f13 UPSTREAM: arm64: perf: reject groups spanning multiple HW PMUs by Suzuki K. Poulose · 1 year, 7 months ago
7dc0b6d binder: prevent kptr leak by using %pK format specifier by Ariel Yin · 7 weeks ago
bd49595 BACKPORT: Bluetooth: Fix potential NULL dereference in RFCOMM bind callback by Jaganath Kanakkassery · 1 year, 5 months ago
59cdc27 qcacld-2.0: Remove the support for iw_set_priv ioctl by Ariel Yin · 7 weeks ago
df5503f qseecom: validate the inputs of __qseecom_send_modfd_resp by Ariel Yin · 7 weeks ago
f71e28c input: synaptics: allocate heap memory for temp buf by Ariel Yin · 6 weeks ago
90ac992 msm: camera: sensor: Fix use after free condition by Ariel Yin · 7 weeks ago
25c9ecb arm64: dma-mapping: always clear allocated buffers by Ariel Yin · 7 weeks ago
9df7240 wlan: Remove the support for setwpaie ioctl by Ariel Yin · 7 weeks ago
b0a00a2 BACKPORT: tcp: make challenge acks less predictable by Eric Dumazet · 3 months ago
9ec7e19 msm: crypto: Fix integer overflow check in qcedev driver by Biswajit Paul · 10 weeks ago
48052f2 msm: mdss: Fix to validate data copied from user space by Naseer Ahmed · 9 weeks ago
31e62b1 msm: camera: restructure data handling to be more robust by Ariel Yin · 7 weeks ago
9cbae20 ASoC: msm-lsm-client: free lsm client data in msm_lsm_close by Ariel Yin · 7 weeks ago
364625b staging: android: Change %p to %pK in debug messages by Ariel Yin · 7 weeks ago
5458c42 misc: qcom: qdsp6v2: Add missing initialization by vivek mehta · 8 weeks ago
1e84157 wlan: fix buffer overflow in linkspeed ioctl by Ariel Yin · 7 weeks ago
00c1b70 msm: mdss: Correct block id check for mdss_mdp_misr_table by Ariel Yin · 7 weeks ago
21c7f58 qcacld-2.0: Resolve buffer overflow issue while processing GET_CFG IOCTL by Hanumantha Reddy Pothula · 6 months ago
40ab0c1 wcnss: Avoid user buffer overloading for write cal data by Ariel Yin · 7 weeks ago
49082cb UPSTREAM: net: Fix use after free in the recvmmsg exit path by Arnaldo Carvalho de Melo · 7 months ago
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Currently lsm client data is deallocated when q6lsm_open() fails
which can cause memory corruption if lsm client data is accessed
after freed. Fix this issue by deallocating the client data only
in msm_lsm_close().
Bug: 30142668
Change-Id: If048c26a0ffd8a346a28622183cbf2ba1e7e5ff3
Signed-off-by: Vidyakumar Athota <vathota@codeaurora.org>
Signed-off-by: vivek mehta <mvivek@codeaurora.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Codec specific metadata is sent only for first stream in gapless
playback. This causes incorrect configuration to be set for second
stream and distortions are observed due to framedrops in adsp.
Add support to send codec specific format during start of
next stream in gapless using set_next_track_param.
Change-Id: Ieec6b2afedec156e47873efcad9b3571160b0a29
Signed-off-by: Chaithanya Krishna Bacharaju <chaithan@codeaurora.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
MDSS currently has fixed maximum bandwidth enabled in DT file.
But there are scenarios where this maximum bandwidth support
can change to enhance performance. Based on scenarios such as
camera use, or flip involved declare the max bandwidth for
usecase in DT and change accordingly based on the usecase.
Change-Id: Icc85d75d7a60fe6f934a1fbd9d5077b620b2993d
Signed-off-by: Jayant Shekhar <jshekhar@codeaurora.org>
Signed-off-by: Raghavendra Ambadas <rambad@codeaurora.org>
|
