- Apr 25, 2017
-
-
Hareesh Gundu authored
Robust context attempts to perform a rendering that takes too long whether due to an infinite loop in a shader or even just a rendering operation that takes too long on the given hardware. This type of attempts can result into GPU faults. Robust context expect driver to replay IB instead skip IB and if it fails on replay context has to be invalidated. KGSL_CONTEXT_INVALIDATE_ON_FAULT flag allows draw context to execute only replay policy on GPU fault recovery instead of going to default recovery policy. User space has to set this flag during the context creation. Bug: 34887800 Change-Id: If42dc5afc7d5ed1226b73ae5abfa2648d7acf2c3 Signed-off-by:
Hareesh Gundu <hareeshg@codeaurora.org>
-
Daniel Rosenberg authored
This reverts commit 60df9f12992bc067216078ae756066c5d7c74d87. This change caused issues for sdcardfs on top of vfat Signed-off-by:
Daniel Rosenberg <drosen@google.com> Bug: 37231161 Change-Id: Ie56a91fda582af27921cc1a9de7ae19a9a988f2a
-
Daniel Rosenberg authored
Not all filesystems support changing the owner of a file. We shouldn't complain if it doesn't happen. Signed-off-by:
Daniel Rosenberg <drosen@google.com> Bug: 37488099 Change-Id: I403e44ab7230f176e6df82f6adb4e5c82ce57f33
-
Daniel Rosenberg authored
For file based encryption, ext4 explicitly does not create negative dentries for encrypted files. If you force one over it, the decrypted file will be hidden until the cache is cleared. Instead, just fail out. Signed-off-by:
Daniel Rosenberg <drosen@google.com> Bug: 37231161 Change-Id: Id2a9708dfa75e1c22f89915c529789caadd2ca4b
-
Daniel Rosenberg authored
Adapted from wrapfs commit 8c49eaa0sb9c ("Wrapfs: ->iget fixes") Change where we igrab/iput to ensure we always hold a valid lower_inode. Return ENOMEM (not EACCES) if iget5_locked returns NULL. Signed-off-by:
Erez Zadok <ezk@cs.sunysb.edu> Signed-off-by:
Daniel Rosenberg <drosen@google.com> Bug: 35766959 Change-Id: Id8d4e0c0cbc685a0a77685ce73c923e9a3ddc094
-
Daniel Rosenberg authored
Change-Id: Ieb955dd26493da26a458bc20fbbe75bca32b094f Signed-off-by:
Daniel Rosenberg <drosen@google.com> Bug: 37193650
-
Jerry Zhang authored
epfile->error is a QC extension. It needs to be guarded from being null to work safely with the no_disconnect patch. Bug: 37423404 Change-Id: I3142a03ef3296b928aa36c54a5397afbe30798b7 Signed-off-by:
Jerry Zhang <zhangjerry@google.com>
-
Subhani Shaik authored
When IE whitelisting is enabled, only probe requests from INFRA STA during scan should contain selective IEs, but in current code, probe requests of P2P scans are also containing selective IEs which is a bug. To fix this, invoke IE whitelisting only for INFRA STA. Change-Id: Icd2984013b3f29714b1e852389110ef2257be94b Bug: 37214129 Signed-off-by:
Subhani Shaik <subhanis@codeaurora.org>
-
Daniel Rosenberg authored
Instead of relying on a copy hack, pass the lower file as private data. This lets the kernel find the vma mapping for pages used by the file, allowing pages used by mapping to be reclaimed. This is adapted from following esdfs patches commit 0647e638d: ("esdfs: store lower file in vm_file for mmap") commit 064850866: ("esdfs: keep a counter for mmaped file") Change-Id: I75b74d1e5061db1b8c13be38d184e118c0851a1a Signed-off-by:
Daniel Rosenberg <drosen@google.com>
-
Daniel Rosenberg authored
Signed-off-by:
Daniel Rosenberg <drosen@google.com> Change-Id: I958c7c226d4e9265fea8996803e5b004fb33d8ad
-
Daniel Rosenberg authored
adapted from wrapfs commit 9671770ff8b9 ("Wrapfs: use d_splice_alias") Refactor interpose code to allow lookup to use d_splice_alias. Signed-off-by:
Erez Zadok <ezk@cs.sunysb.edu> Signed-off-by:
Daniel Rosenberg <drosen@google.com> Bug: 35766959 Change-Id: Icf51db8658202c48456724275b03dc77f73f585b
-
Daniel Rosenberg authored
Adapted from wrapfs commit 1d1d23a47baa ("Wrapfs: fix ->llseek to update upper and lower offsets") Fixes bug: xfstests generic/257. f_pos consistently is required by and only by dir_ops->wrapfs_readdir, main_ops is not affected. Signed-off-by:
Erez Zadok <ezk@cs.sunysb.edu> Signed-off-by:
Mengyang Li <li.mengyang@stonybrook.edu> Signed-off-by:
Daniel Rosenberg <drosen@google.com> Bug: 35766959 Change-Id: I360a1368ac37ea8966910a58972b81504031d437
-
Daniel Rosenberg authored
Adapted from wrapfs commit fbc9c6f83ea6 ("Wrapfs: copy lower inode attributes in ->ioctl") commit e97d8e26cc9e ("Wrapfs: use file_inode helper") Some ioctls (e.g., EXT2_IOC_SETFLAGS) can change inode attributes, so copy them from lower inode. Signed-off-by:
Erez Zadok <ezk@cs.sunysb.edu> Signed-off-by:
Daniel Rosenberg <drosen@google.com> Bug: 35766959 Change-Id: I0f12684b9dbd4088b4a622c7ea9c03087f40e572
-
Daniel Rosenberg authored
Adapted from wrapfs commit 5be6de9ecf02 ("Wrapfs: use vm_munmap in ->mmap") commit 2c9f6014a8bb ("Wrapfs: remove unnecessary call to vm_unmap in ->mmap") Code is unnecessary and causes deadlocks in newer kernels. Signed-off-by:
Erez Zadok <ezk@cs.sunysb.edu> Signed-off-by:
Daniel Rosenberg <drosen@google.com> Bug: 35766959 Change-Id: Ia252d60c60799d7e28fc5f1f0f5b5ec2430a2379
-
Subhani Shaik authored
wlan host driver upgrade to 4.4.23.018. Signed-off-by:
Subhani Shaik <subhanis@codeaurora.org>
-
Subhani Shaik authored
If there is a mismatch in channel number present in BD and Beacon/probe response, corresponding BSSID entry is not added in scan cache. This can result in reconnection failure. If the entry is not present then add this entry even in case of mismatch. Bug: 36494510 Change-Id: Id8c45ff88731288144fe39f5da56748f403dfdb7 Signed-off-by:
Subhani Shaik <subhanis@codeaurora.org>
-
- Apr 11, 2017
-
-
Maciej Żenczykowski authored
This implements: https://tools.ietf.org/html/rfc7559 Backoff is performed according to RFC3315 section 14: https://tools.ietf.org/html/rfc3315#section-14 We allow setting /proc/sys/net/ipv6/conf/*/router_solicitations to a negative value meaning an unlimited number of retransmits, and we make this the new default (inline with the RFC). We also add a new setting: /proc/sys/net/ipv6/conf/*/router_solicitation_max_interval defaulting to 1 hour (per RFC recommendation). Signed-off-by:
Maciej Żenczykowski <maze@google.com> Acked-by:
Erik Kline <ek@google.com> Signed-off-by:
David S. Miller <davem@davemloft.net> (cherry picked from commit bd11f074 in DaveM's net-next/master, should make Linus' tree in 4.9-rc1) Change-Id: Ia32cdc5c61481893ef8040734e014bf2229fc39e
-
- Apr 07, 2017
-
-
Robert Baldyga authored
Since we can compose gadgets from many functions, there is the problem related to gadget breakage while FunctionFS daemon being closed. FFS function is userspace code so there is no way to know when it will close files (it doesn't matter what is the reason of this situation, it can be daemon logic, program breakage, process kill or any other). So when we have another function in gadget which, for example, sends some amount of data, does some software update or implements some real-time functionality, we may want to keep the gadget connected despite FFS function is no longer functional. We can't just remove one of functions from gadget since it has been enumerated, so the only way to keep entire gadget working is to make broken FFS function deactivated but still visible to host. For this purpose this patch introduces "no_disconnect" mode. It can be enabled by setting mount option "no_disconnect=1", and results with deferring function disconnect to the moment of reopen ep0 file or filesystem unmount. After closing all endpoint files, FunctionFS is set to state FFS_DEACTIVATED. When ffs->state == FFS_DEACTIVATED: - function is still bound and visible to host, - setup requests are automatically stalled, - transfers on other endpoints are refused, - epfiles, except ep0, are deleted from the filesystem, - opening ep0 causes the function to be closed, and then FunctionFS is ready for descriptors and string write, - altsetting change causes the function to be closed - we want to keep function alive until another functions are potentially used, altsetting change means that another configuration is being selected or USB cable was unplugged, which indicates that we don't need to stay longer in FFS_DEACTIVATED state - unmounting of the FunctionFS instance causes the function to be closed. Tested-by:
David Cohen <david.a.cohen@linux.intel.com> Acked-by:
Michal Nazarewicz <mina86@mina86.com> Signed-off-by:
Robert Baldyga <r.baldyga@samsung.com> Signed-off-by:
Felipe Balbi <balbi@ti.com> Bug: 36801389 Bug: 34873000 Change-Id: I950dc11f21048c34af640cb3ab81873d2a6730a9 Signed-off-by:
Jerry Zhang <zhangjerry@google.com>
-
Joel Scherpelz authored
This commit adds a new sysctl accept_ra_rt_info_min_plen that defines the minimum acceptable prefix length of Route Information Options. The new sysctl is intended to be used together with accept_ra_rt_info_max_plen to configure a range of acceptable prefix lengths. It is useful to prevent misconfigurations from unintentionally blackholing too much of the IPv6 address space (e.g., home routers announcing RIOs for fc00::/7, which is incorrect). Backport of net-next commit bbea124b ("net: ipv6: Add sysctl for minimum prefix len acceptable in RIOs.") [lorenzo@google.com: fixed conflicts in include/uapi/linux/ipv6.h] Bug: 33333670 Test: net_test passes Signed-off-by:
Joel Scherpelz <jscherpelz@google.com> Acked-by:
Lorenzo Colitti <lorenzo@google.com> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
- Apr 05, 2017
-
-
Subhani Shaik authored
As part of the dual driver support radio id is enabled in the wlan driver. Adjust the firmware log nl structure to include the radio id. The radio id is always zero. All the other dual driver changes are not included into this branch. Change-Id: I7b28440780b20c5a0b4248f93a7a95ad3faf0b6f Bug: 32775496 Signed-off-by:
Subhani Shaik <subhanis@codeaurora.org> Signed-off-by:
Srinivas Girigowda <sgirigow@codeaurora.org>
-
- Apr 03, 2017
-
-
Anson Jacob authored
Accessory connected to Android Device requires Zero Length Packet (ZLP) to be written when data transferred out from the Android device are multiples of wMaxPacketSize (64bytes (Full-Speed) / 512bytes (High-Speed)) to end the transfer. cherry-pick: f8fe2735daaf662876d1333075991997c04d5359 (https://android-review.googlesource.com/#/c/99100/ ) Bug: 36821730 Change-Id: Ib2c2c0ab98ef9afa10e74a720142deca5c0ed476 Signed-off-by:
Anson Jacob <ansonkuzhumbil@gmail.com>
-
- Mar 30, 2017
-
-
Jann Horn authored
Before this patch, a process with some permissive seccomp filter that was applied by root without NO_NEW_PRIVS was able to add more filters to itself without setting NO_NEW_PRIVS by setting the new filter from a throwaway thread with NO_NEW_PRIVS. Signed-off-by:
Jann Horn <jann@thejh.net> Cc: stable@vger.kernel.org Signed-off-by:
Kees Cook <keescook@chromium.org> Bug: 36656103 (cherry-picked from commit 103502a3) Signed-off-by:
Paul Lawrence <paullawrence@google.com> Change-Id: I5abd7daab9172f1dfd53e11706b7c7f331f2f4f1
-
- Mar 28, 2017
-
-
Daniel Rosenberg authored
Signed-off-by:
Daniel Rosenberg <drosen@google.com> Bug: 35331000 Change-Id: I89c4035029dc2236081a7685c55cac595d9e7ebf
-
Daniel Rosenberg authored
Signed-off-by:
Daniel Rosenberg <drosen@google.com> Bug: 35331000 Change-Id: I3795ec61ce61e324738815b1ce3b0e09b25d723f
-
Daniel Rosenberg authored
Switch from deprecated simple_strtoul to kstrout Signed-off-by:
Daniel Rosenberg <drosen@google.com> Bug: 35331000 Change-Id: If18bd133b4d2877f71e58b58fc31371ff6613ed5
-
Daniel Rosenberg authored
Signed-off-by:
Daniel Rosenberg <drosen@google.com> Bug: 35331000 Change-Id: Ibc635ec865750530d32b87067779f681fe58a003
-
Daniel Rosenberg authored
As pointed out by checkpatch, these functions already handle null inputs, so the checks are not needed. Signed-off-by:
Daniel Rosenberg <drosen@google.com> Bug: 35331000 Change-Id: I189342f032dfcefee36b27648bb512488ad61d20
-
Daniel Rosenberg authored
Signed-off-by:
Daniel Rosenberg <drosen@google.com> Bug: 35331000 Change-Id: I8791ef7eac527645ecb9407908e7e5ece35b8f80
-
Daniel Rosenberg authored
This fixes various spacing and bracket related issues pointed out by checkpatch. Signed-off-by:
Daniel Rosenberg <drosen@google.com> Bug: 35331000 Change-Id: I6e248833a7a04e3899f3ae9462d765cfcaa70c96
-
Daniel Rosenberg authored
Signed-off-by:
Daniel Rosenberg <drosen@google.com> Bug: 35331000 Change-Id: Ia6d16b19c8c911f41231d2a12be0740057edfacf
-
Chenbo Feng authored
When DDEBUG is enabled, the prdebug_full_state() function will try to recursively acquire the spinlock of sock_tag_list and causing deadlock. A check statement is added before it acquire the spinlock to differentiate the behavior depend on the caller of the function. Bug: 36559739 Test: Compile and run test under system/extra/test/iptables/ Change-Id: Ie3397fbaa207e14fe214d47aaf5e8ca1f4a712ee Signed-off-by:
Chenbo Feng <fengc@google.com> (cherry picked from commit 8cb8a69b83bd577b97e8247aec866e651c5b96f5)
-
- Mar 24, 2017
-
-
Ecco Park authored
May 2017.3 Bug: 36138302
-
Ecco Park authored
May 2017.3 Bug: 36138302
-
Andy Whitcroft authored
When a new xfrm state is created during an XFRM_MSG_NEWSA call we validate the user supplied replay_esn to ensure that the size is valid and to ensure that the replay_window size is within the allocated buffer. However later it is possible to update this replay_esn via a XFRM_MSG_NEWAE call. There we again validate the size of the supplied buffer matches the existing state and if so inject the contents. We do not at this point check that the replay_window is within the allocated memory. This leads to out-of-bounds reads and writes triggered by netlink packets. This leads to memory corruption and the potential for privilege escalation. We already attempt to validate the incoming replay information in xfrm_new_ae() via xfrm_replay_verify_len(). This confirms that the user is not trying to change the size of the replay state buffer which includes the replay_esn. It however does not check the replay_window remains within that buffer. Add validation of the contained replay_window. Additionally Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to wrapping issues. To ensure we are correctly ensuring that the two ESN structures are the same size compare both the overall size as reported by xfrm_replay_state_esn_len() and the internal length are the same. CVE-2017-7184 ZDI-CAN-4586 Bug: 36565222 Signed-off-by:
Andy Whitcroft <apw@canonical.com> Reviewed-by:
Tyler Hicks <tyhicks@canonical.com> Reviewed-by:
John Johansen <john.johansen@canonical.com> Reviewed-by:
Kees Cook <keescook@chromium.org> Change-Id: I50d2766ab19fb182a5e75adf9e46ff043f2d99ea
-
- Mar 23, 2017
-
-
Patrick Tjin authored
Change-Id: I4ad09e1cd9d7b8605db52620c0501c4035bba2c6 Signed-off-by:
Patrick Tjin <pattjin@google.com>
-
Patrick Tjin authored
Change-Id: Ia3761566ce3381c56189c0fd7f24417510ecb97b Signed-off-by:
Patrick Tjin <pattjin@google.com>
-
- Mar 21, 2017
-
-
Ecco Park authored
May 2017.2 Bug: 36138302
-
Ecco Park authored
May 2017.2 Bug: 36138302
-
Ecco Park authored
Merge branch 'android-msm-bullhead-3.10-nyc-mr1-security-next' into android-msm-bullhead-3.10-nyc-mr1 May 2017.1 Bug: 36138302
-
Todd Kjos authored
The binder allocator assumes that the thread that called binder_open will never die for the lifetime of that proc. That thread is normally the group_leader, however it may not be. Use the group_leader instead of current. Bug: 35707103 Test: Created test case to open with temporary thread Change-Id: Id693f74b3591f3524a8c6e9508e70f3e5a80c588 Signed-off-by:
Todd Kjos <tkjos@google.com>
-