Commit Graph

440876 Commits

Author SHA1 Message Date
Linus Torvalds 7a77379e7e Initialize msg/shm IPC objects before doing ipc_addid()
(cherry pick from commit b9a532277938798b53178d5a66af6e2915cb27cf)

As reported by Dmitry Vyukov, we really shouldn't do ipc_addid() before
having initialized the IPC object state.  Yes, we initialize the IPC
object in a locked state, but with all the lockless RCU lookup work,
that IPC object lock no longer means that the state cannot be seen.

We already did this for the IPC semaphore code (see commit e8577d1f0329:
"ipc/sem.c: fully initialize sem_array before making it visible") but we
clearly forgot about msg and shm.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: Davidlohr Bueso <dbueso@suse.de>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 24551430
Change-Id: Ic7b980a6f2a79eb3c04fc43b6531c396645af1db

Conflicts:
	ipc/msg.c
	ipc/shm.c
2016-05-18 14:32:58 +05:30
Manfred Spraul 7eb371bed3 ipc/sem.c: fully initialize sem_array before making it visible
(cherry pick from commit e8577d1f0329d4842e8302e289fb2c22156abef4)

ipc_addid() makes a new ipc identifier visible to everyone.  New objects
start as locked, so that the caller can complete the initialization
after the call.  Within struct sem_array, at least sma->sem_base and
sma->sem_nsems are accessed without any locks, therefore this approach
doesn't work.

Thus: Move the ipc_addid() to the end of the initialization.

Signed-off-by: Manfred Spraul <manfred@colorfullife.com>
Reported-by: Rik van Riel <riel@redhat.com>
Acked-by: Rik van Riel <riel@redhat.com>
Acked-by: Davidlohr Bueso <dave@stgolabs.net>
Acked-by: Rafael Aquini <aquini@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 24551430
Change-Id: I36a8cc2281dfd68e9a399695f1d7e7b038e105d0
2016-05-18 14:32:58 +05:30
Martijn Coenen 234adae187 lowmemorykiller: trace kill events.
Allows for capturing lmk kill events and
their rationale.

Change-Id: Ibe215db5bb9806fc550c72c0b9832c85cbd56bf6
Signed-off-by: Martijn Coenen <maco@google.com>

Conflicts:
	drivers/staging/android/lowmemorykiller.c
2016-05-18 14:32:58 +05:30
Ard Biesheuvel c1047edeb3 arm64/crypto: use crypto instructions to generate AES key schedule
(cherry pick from commit 12ac3efe74f888a13cb4df88b38bb01e8034dea8)

This patch implements the AES key schedule generation using ARMv8
Crypto Instructions. It replaces the table based C implementation
in aes_generic.ko, which means we can drop the dependency on that
module.

Tested-by: Steve Capper <steve.capper@linaro.org>
Acked-by: Steve Capper <steve.capper@linaro.org>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 23181629
2016-05-18 14:32:57 +05:30
Riley Andrews 1cc7280298 arm64: crypto: Change priority of arm64 aes cipher.
(cherry pick from commit d802476e8db2eb616d47d0a06310276532cc2ffa)

Change-Id: I0c614e0eca71b65945ff8bd17c65b03a02918b18
Signed-off-by: Riley Andrews <riandrews@google.com>
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 23181629
2016-05-18 14:32:57 +05:30
Mark Salyzyn 58b32cb28c ARM64 readahead: fault retry breaks mmap file read random detection
Description from commit 45cac65b0f
    ("readahead: fault retry breaks mmap file read random detection")

.fault now can retry.  The retry can break state machine of .fault.  In
filemap_fault, if page is miss, ra->mmap_miss is increased.  In the second
try, since the page is in page cache now, ra->mmap_miss is decreased.  And
these are done in one fault, so we can't detect random mmap file access.

Add a new flag to indicate .fault is tried once.  In the second try, skip
ra->mmap_miss decreasing.  The filemap_fault state machine is ok with it.

I only tested x86, didn't test other archs, but it looks like the change for
other archs is obvious, but who knows :)

< snip >

Yup, arm64 needs this too! Random read improves by 250%, sequential
read improves by 40%, and random write by 400% to an eMMC device with
dm crypto wrapped around it.

Signed-off-by: Mark Salyzyn <salyzyn@android.com>
Signed-off-by: Riley Andrews <riandrews@android.com>
Cc: Shaohua Li <shli@kernel.org>
Cc: Shaohua Li <shaohua.li@fusionio.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Bug: 23181629
Bug: 23385923
Change-Id: Ia4de1199164d6b5d4430f5518daf2aa5a71a4059

Conflicts:
	arch/arm64/mm/fault.c
2016-05-18 14:31:36 +05:30
Amit Pundir 0ede574ed0 usb: phy: fix dual role sysfs build if kernel modules are supported
Add a missing ";" after EXPORT_SYMBOL() otherwise we run
into following build error if Kernel Modules are supported:
----------
  CC      drivers/usb/phy/class-dual-role.o
drivers/usb/phy/class-dual-role.c:91:1: error: expected ',' or ';' before 'int'
 int dual_role_get_property(struct dual_role_phy_instance *dual_role,
 ^
make[3]: *** [drivers/usb/phy/class-dual-role.o] Error 1
----------

Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
(cherry picked from commit 9ff158f4c245c2fecb1489a4aae62ca67c0846a1)

Change-Id: I7ec77584b3a753448ddc50a74204a20f4636f8a4
2016-05-18 14:31:36 +05:30
Badhri Jagan Sridharan 0dc18aa161 usb: phy: Dual role sysfs class definition
This CL adds a new class to monitor and change
dual role usb ports from userspace. The usb
phy drivers can register to the dual_role_usb
class and expose the capabilities of the ports.
The phy drivers can decide on whether a specific
attribute can be changed from userspace by
choosing to implement the appropriate callback.

Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
Bug: 21615151
Change-Id: I121b4a94437972b5abe8f781e3007efa8531978
2016-05-18 14:31:35 +05:30
Jeff Vander Stoep fac74d7f58 arm64 Kconfig: Move LIST_POISON to a safe value
Move the poison pointer offset to 0xdead000000000000, a
recognized value that is not mappable by user-space exploits.

Change-Id: I1ddae985f2fc28ca1366747169d4ca91801a9d31
Signed-off-by: Thierry Strudel <tstrudel@google.com>
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2016-05-18 14:31:35 +05:30
Jin Qian 51473e62ee trace/events: fix compilation error
include/trace/events/filemap.h: In function 'ftrace_raw_output_mm_filemap_find_page_cache_miss':
include/trace/ftrace.h:232:9: error: format '%lu' expects argument of type 'long unsigned int', but argument 5 has type 'size_t' [-Werror=format=]

Change-Id: Ic2d76f18fc8802cf1e2246f96d84a06d267a30ad
Signed-off-by: Jin Qian <jinqian@google.com>
2016-05-18 14:31:35 +05:30
Amir Goldstein 58c7ab729c sysrq: Emergency Remount R/O in reverse order
This change fixes a problem where reboot on Android panics the kernel
almost every time when file systems are mounted over loop devices.

Android reboot command does:
- sync
- echo u > /proc/sysrq-trigger
- syscall_reboot

The problem is with sysrq emergency remount R/O trying to remount-ro
in the wrong order.
Since /data is re-mounted ro before loop devices, loop device
remount-ro fails to flush the journal and panics the kernel:

  EXT4-fs (loop0): Remounting filesystem read-only
  EXT4-fs (loop0): previous I/O error to superblock detected
  loop: Write error at byte offset 0, length 4096.
  Buffer I/O error on device loop0, logical block 0
  lost page write due to I/O error on loop0
  Kernel panic - not syncing: EXT4-fs panic from previous error

The fix is quite simple. In do_emergency_remount(), use
list_for_each_entry_reverse() on sb list instead of list_for_each_entry().
It makes a lot of sense to umount the file systems in reverse order in
which they were added to sb list.

Change-Id: I4370e39b5873bd16ade5d5f9ddb2704beb02a2bb
Signed-off-by: Amir Goldstein <amir@cellrox.com>
Acked-by: Oren Laadan <orenl@cellrox.com>
2016-05-18 14:31:34 +05:30
Mark Salyzyn cfabd604d8 pstore: pmsg: return -ENOMEM on vmalloc failure
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 23385441
Change-Id: I294cb72c25bddafbba4e64fdb0a18ae46655a05d
2016-05-18 14:31:34 +05:30
Daniel Campello a7a2c2347c Page cache miss tracing using ftrace on mm/filemap
This patch includes two trace events on generic_perform_write and
do_generic_file_read to check on the address_space mapping for the
pages to be accessed by the request.

Change-Id: Ib319b9b2c971b9e5c76645be6cfd995ef9465d77
Signed-off-by: Daniel Campello <campello@google.com>

Conflicts:
	include/linux/pagemap.h
2016-05-18 14:31:34 +05:30
Ruchi Kandoi dab9041158 wakeup_reason: use vsnprintf instead of snsprintf for vargs.
Bug: 22368519
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
2016-05-18 14:31:33 +05:30
Ecco Park af2e1e9a24 wlan: Add WLAN_PLAT_AP_FLAG for SOFTAP country code
Bug: 22414864

Change-Id: I6295a94eefe451e65f1c3bf060843025c0edd148
Signed-off-by: Ecco Park <eccopark@broadcom.com>
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2016-05-18 14:31:33 +05:30
Dmitry Shmidt 88cfce7ee9 Add wlan platform partial_resume handler
Change-Id: Idda2c4c397479c69bb64a9f68fedcfeb405490d7
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2016-05-18 14:31:33 +05:30
Erik Kline 44fd0373d8 ipv6: sysctl to restrict candidate source addresses
Per RFC 6724, section 4, "Candidate Source Addresses":

    It is RECOMMENDED that the candidate source addresses be the set
    of unicast addresses assigned to the interface that will be used
    to send to the destination (the "outgoing" interface).

Add a sysctl to enable this behaviour.

Signed-off-by: Erik Kline <ek@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

[Simplified back-port of net-next 3985e8a3611a93bb36789f65db862e5700aab65e]

Bug: 19470192
Bug: 21832279
Bug: 22464419
Change-Id: Ib74ef945dcabe64215064f15ee1660b6524d65ce

Conflicts:
	include/linux/ipv6.h
	include/uapi/linux/ipv6.h
	net/ipv6/addrconf.c
2016-05-18 14:31:33 +05:30
Manu Gautam 856690aa48 USB: gadget: Remove configfs usage
Userspace after mounting configfs may continue to
use configfs if usb_gadget supports configfs. For this
userspace just relies on the presence of /config/usb_gadget.
As USB drivers don't fully support configfs but rather rely on
android gadget, hence remove compilation of usb configfs so that
usb_gadget node doesn't appear in /config and userspace can
fall back to android gadget.

Change-Id: Ic59adfacd3972fd54608f916c98478525b9a9286
Signed-off-by: Manu Gautam <mgautam@codeaurora.org>
2016-05-13 00:06:51 -07:00
Suman Mukherjee fdec7d20ee msm: camera: sensor: Validate step_boundary
step_boundary can take values up to the total_steps
Validate the step_boundary before consuming it.
Convert the type of step_index and region_index to uint16_t
step_index and region_index cannot be negative.

Change-Id: I98bd08d84d6ff2a8cd79989be25c5ae48b61c667
CRs-Fixed: 1001092
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
Signed-off-by: Suman Mukherjee <sumam@codeaurora.org>
2016-05-12 13:24:46 +05:30
Linux Build Service Account 85513b9327 Merge "msm: mdss: fix possible out-of-bounds and overflow issue in mdp debugfs" into private_nbr_134 2016-05-10 13:37:27 -07:00
Suman Mukherjee c189a2bad8 msm: camera: sensor: Validate step_boundary
step_boundary can take values up to the total_steps
Validate the step_boundary before consuming it.
Convert the type of step_index and region_index to uint16_t
step_index and region_index cannot be negative.

CRs-Fixed: 1001092
Change-Id: I1f23fd6f28bb897824a1ef99a8873b9f986eee70
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
Signed-off-by: Suman Mukherjee <sumam@codeaurora.org>
2016-05-10 12:18:46 -07:00
Linux Build Service Account 03b05b1b7f Merge "msm: msm_bus: remove the buspm module from kernel" 2016-05-09 03:58:31 -07:00
Veera Sundaram Sankaran 475a53a397 msm: mdss: fix possible out-of-bounds and overflow issue in mdp debugfs
There are few cases where the count argument passed by the user
space is not validated, which can potentially lead to out of bounds
or overflow issues. In some cases, kernel might copy more data than
what is requested. Add necessary checks to avoid such cases.

Change-Id: Ifa42fbd475665a0ca581c907ce5432584ea0e7ed
Signed-off-by: Veera Sundaram Sankaran <veeras@codeaurora.org>
2016-05-09 03:03:17 -07:00
Linux Build Service Account 9110990089 Merge "UPSTREAM: KEYS: Fix keyring ref leak in join_session_keyring()" into private_nbr_134 2016-05-08 05:55:48 -07:00
Yevgeny Pats 8d915b18d0 UPSTREAM: KEYS: Fix keyring ref leak in join_session_keyring()
(cherry pick from commit 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2)

This fixes CVE-2016-0728.

If a thread is asked to join as a session keyring the keyring that's already
set as its session, we leak a keyring reference.

This can be tested with the following program:

	#include <stddef.h>
	#include <stdio.h>
	#include <sys/types.h>
	#include <keyutils.h>

	int main(int argc, const char *argv[])
	{
		int i = 0;
		key_serial_t serial;

		serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
				"leaked-keyring");
		if (serial < 0) {
			perror("keyctl");
			return -1;
		}

		if (keyctl(KEYCTL_SETPERM, serial,
			   KEY_POS_ALL | KEY_USR_ALL) < 0) {
			perror("keyctl");
			return -1;
		}

		for (i = 0; i < 100; i++) {
			serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
					"leaked-keyring");
			if (serial < 0) {
				perror("keyctl");
				return -1;
			}
		}

		return 0;
	}

If, after the program has run, there is something like the following line in
/proc/keys:

3f3d898f I--Q---   100 perm 3f3f0000     0     0 keyring   leaked-keyring: empty

with a usage count of 100 * the number of times the program has been run,
then the kernel is malfunctioning.  If leaked-keyring has zero usages or
has been garbage collected, then the problem is fixed.

Reported-by: Yevgeny Pats <yevgeny@perception-point.io>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Don Zickus <dzickus@redhat.com>
Acked-by: Prarit Bhargava <prarit@redhat.com>
Acked-by: Jarod Wilson <jarod@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Change-Id: Ic3db0461d08011e432bf3a6a784dd62b764558e3
Git-commit: ba8bb5774ca7b1acc314c98638cf678ce0beb19a
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Signed-off-by: Biswajit Paul <biswajitpaul@codeaurora.org>
2016-05-06 05:55:58 -07:00
Ashish Jain 6e267f07e8 ASoC: msm: qdsp6v2: DAP: Fix buffer overflow
Add check to avoid out of bound access.
Check return value of get_user api.

CRs-Fixed: 997025
Change-Id: Ibbace116ac206007fa1928555838285304737737
Signed-off-by: Ashish Jain <ashishj@codeaurora.org>
2016-05-06 05:27:39 -07:00
Kiran Gunda cd01552134 msm: msm_bus: remove the buspm module from kernel
Remove the buspm module from msm_bus since it adds
no functionality to the bus bandwidth aggregation
driver. It is a loadable module used for profiling
purposes.

Change-Id: Ia0d21eb7e48d3cb2a74d4fae5ee4fb2fd449ea9f
Signed-off-by: Kiran Gunda <kgunda@codeaurora.org>
2016-05-04 06:19:28 -07:00
Manu Gautam 2f1a228c14 usb: f_serial: Check for SMD data length in GSER_IOCTL
If user tries to send SMD data more than the driver
buffer can handle then fail the same and print
error message. This smd_write is exposed to userspace
through ioctl using a misc device.

Change-Id: Ie8a1c1c0799cd10cef512ad6b1e1e95001dd43b2
Signed-off-by: Manu Gautam <mgautam@codeaurora.org>
2016-05-04 05:20:01 -07:00
Deva Ramasubramanian 0e5fad2c4f msm: vidc: Make buffer validity checks stronger
Check for the exact number of planes that we advertised to the client
rather than the worst-case checks.

Change-Id: Ibaf705367db98beb0e01bb2c3087126cf2ba73e8
Signed-off-by: Deva Ramasubramanian <dramasub@codeaurora.org>
2016-05-02 05:26:56 -07:00
Tarun Karra 23586d1c16 msm: kgsl: verify user memory permissions before mapping to GPU driver
For user memory of type KGSL_USER_MEM_TYPE_ADDR mapped to GPU driver
verify permissions and map GPU permissions same as CPU permissions.
If elevated permissions are requested return an error to prevent
privilege escalation. Without this check user could map readonly
memory into GPU driver as readwrite and gain elevated privilege.

Write permissions check is currently inverted causing readonly
user pages to be mapped as readwrite in GPU driver. Fix this
check to map readonly pages as readonly.

CRs-Fixed: 988993
Change-Id: I0e097d7e4e4c414c0849e33bcc61a26fb94291ad
Signed-off-by: Tarun Karra <tkarra@codeaurora.org>
2016-05-01 10:06:56 -07:00
Manaf Meethalavalappu Pallikunhi 05e9c8cde9 msm: limits: Check user buffer size before copying to local buffer
User input data is passed in from userspace through debugfs interface
of supply lm core to validate supply lm core functionality. Ensure
user buffer size is not greater than expected stack buffer size
to avoid out of bounds array accesses.

Change-Id: I5a93774855241b50895c5e2b3ff939e4c33a0185
Signed-off-by: Manaf Meethalavalappu Pallikunhi <manafm@codeaurora.org>
2016-04-26 05:36:51 -07:00
Ravinder Konka 0ba9a31b01 rmnet_data : Changes to support Scatter Gather and GSO.
This patch enables hardware device features such as
NETIF_F_SG NETIF_F_GSO NETIF_F_GSO_UDP_TUNNEL
NETIF_F_GSO_UDP_TUNNEL_CSUM. This patch also ensures
to skip padding (to align length to word boundaries)
for outgoing non-linear skbs.

This patch also adds a new ioctl interface
RMNET_IOCTL_GET_SG_SUPPORT to query the physical
network devices for Scatter Gather support.

Change-Id: I9788d75c249ab2dac5b598dad131c0692ed84e4d
Acked-by: Abhishek Chauhan <abchauha@qti.qualcomm.com>
Signed-off-by: Ravinder Konka <rkonka@codeaurora.org>
2016-04-18 08:55:09 -07:00
Stephen Smalley c53a892130 UPSTREAM: selinux: fix bug in conditional rules handling
(cherry picked from commit f3bef67992e8698897b584616535803887c4a73e)

commit fa1aa143ac4a ("selinux: extended permissions for ioctls")
introduced a bug into the handling of conditional rules, skipping the
processing entirely when the caller does not provide an extended
permissions (xperms) structure.  Access checks from userspace using
/sys/fs/selinux/access do not include such a structure since that
interface does not presently expose extended permission information.
As a result, conditional rules were being ignored entirely on userspace
access requests, producing denials when access was allowed by
conditional rules in the policy.  Fix the bug by only skipping
computation of extended permissions in this situation, not the entire
conditional rules processing.

Change-Id: I24f39e3907d0b00a4194e15a4472e8d859508fa9
Reported-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: fixed long lines in patch description]
Cc: stable@vger.kernel.org # 4.3
Signed-off-by: Paul Moore <pmoore@redhat.com>
Git-commit: bd8d3dd3ae35f283f3b76e47b9762225c9f7d46c
Git-repo: https://android.googlesource.com/kernel/common/
Signed-off-by: David Ng <dave@codeaurora.org>
2016-04-12 00:11:06 -07:00
Jeff Vander Stoep 5d56c65a89 selinux: Android kernel compatibility with M userspace
NOT intended for new Android devices - this commit is unnecessary
for a target device that does not have a previous M variant.

DO NOT upstream. Android only.

Motivation:

This commit mitigates a mismatch between selinux kernel and
selinux userspace. The selinux ioctl white-listing binary policy
format that was accepted into Android M differs slightly from what
was later accepted into the upstream kernel. This leaves Android
master branch kernels incompatible with Android M releases. This
patch restores backwards compatibility. This is important because:

1. kernels may be updated on a different cycle than the rest of the
   OS e.g. security patching.
2. Android M bringup may still be ongoing for some devices. The
   same kernel should work for both M and master.

Backwards compatibility is achieved by checking for an Android M
policy characteristic during initial policy read and converting to
upstream policy format. The inverse conversion is done for policy
write as required for CTS testing.

Bug: 22846070
Change-Id: I2f1ee2eee402f37cf3c9df9f9e03c1b9ddec1929
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Git-commit: ef632d47376aa04e9adb96193d9faa6628a03e72
Git-repo: https://android.googlesource.com/kernel/common/
Signed-off-by: David Ng <dave@codeaurora.org>
2016-04-12 00:10:23 -07:00
Jeff Vander Stoep 8accef8200 selinux: extended permissions for ioctls
(cherry picked from commit fa1aa143ac4a682c7f5fd52a3cf05f5a6fe44a0a)

Add extended permissions logic to selinux. Extended permissions
provides additional permissions in 256 bit increments. Extend the
generic ioctl permission check to use the extended permissions for
per-command filtering. Source/target/class sets including the ioctl
permission may additionally include a set of commands. Example:

allowxperm <source> <target>:<class> ioctl unpriv_app_socket_cmds
auditallowxperm <source> <target>:<class> ioctl priv_gpu_cmds

Where unpriv_app_socket_cmds and priv_gpu_cmds are macros
representing commonly granted sets of ioctl commands.

When ioctl commands are omitted only the permissions are checked.
This feature is intended to provide finer granularity for the ioctl
permission that may be too imprecise. For example, the same driver
may use ioctls to provide important and benign functionality such as
driver version or socket type as well as dangerous capabilities such
as debugging features, read/write/execute to physical memory or
access to sensitive data. Per-command filtering provides a mechanism
to reduce the attack surface of the kernel, and limit applications
to the subset of commands required.

The format of the policy binary has been modified to include ioctl
commands, and the policy version number has been incremented to
POLICYDB_VERSION_XPERMS_IOCTL=30 to account for the format
change.

The extended permissions logic is deliberately generic to allow
components to be reused e.g. netlink filters

Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Nick Kralevich <nnk@google.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Bug: 22846070
Change-Id: I7c6bdc0362657b47aa1388936c5a1300bc5c0b42
Git-commit: 05b7da58527ef14001fe2b6e8de6b01d895d4429
Git-repo: https://android.googlesource.com/kernel/common/
Signed-off-by: David Ng <dave@codeaurora.org>
2016-04-12 00:09:14 -07:00
Jeff Vander Stoep 202978cd7e selinux: remove unnecessary pointer reassignment
(cherry pick from commit 83d4a806ae46397f606de7376b831524bd3a21e5)

Commit f01e1af445 ("selinux: don't pass in NULL avd to avc_has_perm_noaudit")
made this pointer reassignment unnecessary. Avd should continue to reference
the stack-based copy.

Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: tweaked subject line]
Signed-off-by: Paul Moore <pmoore@redhat.com>
Bug: 22846070
Change-Id: I8fcba45a5acc4de862bd5b3f07bf4980f67133c4
Git-commit: b1b3844449d596e5f25f591d89611c7e57d32610
Git-repo: https://android.googlesource.com/kernel/common/
Signed-off-by: David Ng <dave@codeaurora.org>
2016-04-12 00:08:22 -07:00
Aravind Asam a6eff18478 Revert "SELinux: per-command whitelisting of ioctls"
This reverts commit ba733f9857b966459316d0cd33b8da2e22f62d7d.

Change-Id: Ie4d3e904160195dafd93a59a25d56b1449e8fc86
Signed-off-by: Aravind Asam <aasam@codeaurora.org>
2016-04-12 00:07:13 -07:00
Aravind Asam 2cfb8f1ed2 Revert "SELinux: use deletion-safe iterator to free list"
This reverts commit e623b152f30f6f1204919315df37244d69e5d55e.

Change-Id: I8e8903786da86cbe4206c18f817fbb54db229472
Signed-off-by: Aravind Asam <aasam@codeaurora.org>
2016-04-12 00:05:20 -07:00
Aravind Asam 6047283e59 selinux: do not check open perm on ftruncate call
Use the ATTR_FILE attribute to distinguish between truncate()
and ftruncate() system calls. The two other cases where
do_truncate is called with a filp (and therefore ATTR_FILE is set)
are for coredump files and for open(O_TRUNC). In both of those cases
the open permission has already been checked during file open and
therefore does not need to be repeated.

Commit 95dbf73931 ("SELinux: check OPEN on truncate calls")
fixed a major issue where domains were allowed to truncate files
without the open permission. However, it introduced a new bug where
a domain with the write permission can no longer ftruncate files
without the open permission, even when they receive an already open
file.

(cherry picked from commit b21800f304392ee5d20f411c37470183cc779f11)

Bug: 22567870
Change-Id: I2525a0e244c8d635b2d0c1f966071edbb365a43a
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Git-commit: e9e500827b871459306974c32a0b6398375ce7d5
Git-repo: https://android.googlesource.com/kernel/common/
Signed-off-by: David Ng <dave@codeaurora.org>
Signed-off-by: Aravind Asam <aasam@codeaurora.org>
2016-04-12 00:03:35 -07:00
Jeff Vander Stoep eb1bfc2a3d Revert "SELinux: ss: Fix policy write for ioctl operations"
This reverts commit 8cdfb356b51e29494ca0b9e4e86727d6f841a52d.

Bug: 22846070
Change-Id: I4dd2fd5a1d7fb3ae8f74a5decdf8fb9d5cd43def
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Signed-off-by: Bharat Pawar <bpawar@codeaurora.org>
2016-04-11 23:35:07 -07:00
Linux Build Service Account 5d6075e869 Merge "perf: duplicate deletion of perf event" 2016-03-18 21:00:50 -07:00
Linux Build Service Account 5ff7b65af0 Merge "mmc: sdhci-msm: Fix recursive tuning issue" 2016-03-18 07:46:15 -07:00
Srinivasarao P 1037dd94cf perf: duplicate deletion of perf event
A malicious app can open a perf event with constraint_duplicate
bit set, disable the event, and close the fd.  On closing the fd,
the perf_release() modification causes the kernel to clean up
the event as if it still were enabled, leading to the event
being removed from a list twice.

CRs-Fixed: 977563
Change-Id: I5fbec3722407d2f3d0ff0d9f7097c5889e31fd62
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
2016-03-18 04:24:20 -07:00
Linux Build Service Account db3a06ed7d Merge "msm: vidc: have max clock frequency at beginning on 8956/76" 2016-03-18 03:14:36 -07:00
Linux Build Service Account 3d9b219cf4 Merge "msm: mdss: Remove unnecessary offlock during fps update" 2016-03-16 07:47:03 -07:00
Linux Build Service Account f3a7897dfb Merge "mmc: cmdq_hci: Add a memory barrier before ringing doorbell" 2016-03-16 07:47:01 -07:00
Linux Build Service Account 2839d9e20a Merge "msm: mdss: Reorder mutex locks in ESD thread" 2016-03-16 03:56:34 -07:00
Linux Build Service Account 61573ef865 Merge "clk: qcom: clock-gcc: Update the frequency precision for clocks" 2016-03-16 03:56:32 -07:00
Linux Build Service Account cc4e265562 Merge "slim: msm: Improve bulk message timeout error handling" 2016-03-16 00:22:24 -07:00
Jayant Shekhar 21f627e504 msm: mdss: Remove unnecessary offlock during fps update
Offlock is only used to synchronize esd status check and
ctl stop (intfs and cmd stop), and hence not required
during fps update.

Change-Id: I8354baa422290280acd8d3c75a5387df97700e20
Signed-off-by: Jayant Shekhar <jshekhar@codeaurora.org>
2016-03-15 23:27:38 -07:00