Commits on Nov 24, 2014
  1. Merge remote-tracking branch 'google/android-tegra3-grouper-3.1-lolli…

    …pop-release' into kk_mr2
    committed Nov 24, 2014
Commits on Aug 15, 2014
  1. @lcolitti

    Handle 'sk' being NULL in UID-based routing.

    [android-3.4 commit 0836a0c191f580ed69254e0b287cdce58481e978]
    Bug: 15413527
    Bug: 16175826
    Change-Id: If33bebb7b52c0ebfa8dac2452607bce0c2b0faa0
    Signed-off-by: Sreeram Ramachandran <>
    Signed-off-by: Lorenzo Colitti <>
    Sreeram Ramachandran committed with lcolitti Jul 8, 2014
  2. @lcolitti

    net: core: Support UID-based routing.

    [android-3.4 commit 0b428749ce5969bc06c73855e360141b4e7126e8]
    This contains the following commits:
    1. 0149763 net: core: Add a UID range to fib rules.
    2. 1650474 net: core: Use the socket UID in routing lookups.
    3. 0b16771 net: ipv4: Add the UID to the route cache.
    4. ee058f1 net: core: Add a RTA_UID attribute to routes.
        This is so that userspace can do per-UID route lookups.
    Bug: 15413527
    Bug: 16175826
    Change-Id: I1285474c6734614d3bda6f61d88dfe89a4af7892
    Signed-off-by: Lorenzo Colitti <>
    lcolitti committed Mar 31, 2014
  3. @trofi @lcolitti

    um: add missing declaration of 'getrlimit()' and friends

    commit fdfa4c952844fce881df8c76de9c7180cbe913ab upstream.
    arch/um/os-Linux/start_up.c: In function 'check_coredump_limit':
    arch/um/os-Linux/start_up.c:338:16: error: storage size of 'lim' isn't known
    arch/um/os-Linux/start_up.c:339:2: error: implicit declaration of function 'getrlimit' [-Werror=implicit-function-declaration]
    Change-Id: I360f4c66269e9295addf724d4c2ebf0e493c5fad
    Signed-off-by: Sergei Trofimovich <>
    CC: Jeff Dike <>
    CC: Richard Weinberger <>
    CC: Al Viro <>
    Signed-off-by: Richard Weinberger <>
    Signed-off-by: Greg Kroah-Hartman <>
    trofi committed with lcolitti Dec 29, 2012
Commits on Aug 5, 2014
  1. Revert "HACK, DO NOT SHIP: Debug unmounting issue"

    This reverts commit 3ed3cdb.
    JP Abgrall committed Aug 5, 2014
  2. HACK, DO NOT SHIP: Debug unmounting issue

    This adds extra debugging around unmount which is failing for
    Bug: 15445160
    Change-Id: I509cc4f506ff39198fc215dbc6e10657ebf6e359
    Signed-off-by: JP Abgrall <>
    JP Abgrall committed Aug 5, 2014
Commits on Jul 29, 2014
  1. @stephensmalley

    Enable setting security contexts on rootfs inodes.

    rootfs (ramfs) can support setting of security contexts
    by userspace due to the vfs fallback behavior of calling
    the security module to set the in-core inode state
    for security.* attributes when the filesystem does not
    provide an xattr handler.  No xattr handler required
    as the inodes are pinned in memory and have no backing
    This is useful in allowing early userspace to label individual
    files within a rootfs while still providing a policy-defined
    default via genfs.
    Signed-off-by: Stephen Smalley <>
    stephensmalley committed with Ed Tam May 10, 2013
  2. @jwrdegoede

    cgroup: Fix use after free of cgrp (cgrp->css_sets)

    Running a 3.4 kernel + Fedora-18 (systemd) userland on my Allwinner A10
    (arm cortex a8), I'm seeing repeated, reproducable list_del list corruption
    errors when build with CONFIG_DEBUG_LIST, and the backtrace always shows
    free_css_set_work as the function making the problematic list_del call.
    I've tracked this doen to a use after free of the cgrp struct, specifically
    of the cgrp->css_sets list_head, which gets cleared by free_css_set_work.
    Since free_css_set_work runs form a workqueue, it is possible for it to not be
    done with clearing the list when the cgrp gets free-ed. To avoid this the code
    adding the links increases cgrp->count, and the freeing code running from the
    workqueue decreases cgrp->count *after* doing list_del, and then if the count
    goes to 0 calls cgroup_wakeup_rmdir_waiter().
    However cgroup_rmdir() is missing a check for cgrp->count != 0, causing it
    to still continue with the rmdir (which leads to the free-ing of the cgrp),
    before free_css_set_work is done. Sometimes the free-ed memory is re-used
    before free_css_set_work gets around to unlinking link->cgrp_link_list,
    triggering the list_del list corruption messages.
    This patch fixes this by properly checking for cgrp->count != 0 and waiting
    for the cgroup_rmdir_waitq in that case.
    Change-Id: I9dbc02a0a75d5dffa1b65d67456e00139dea57c3
    Signed-off-by: Hans de Goede <>
    jwrdegoede committed with Ed Tam Jan 10, 2013
  3. @jwrdegoede

    cgroup: Take css_set_lock from cgroup_css_sets_empty()

    As indicated in the comment above cgroup_css_sets_empty it needs the
    css_set_lock. But neither of the 2 call points have it, so rather then fixing
    the callers just take the lock inside cgroup_css_sets_empty().
    Signed-off-by: Hans de Goede <>
    Change-Id: If7aea71824f6d0e3f2cc6c1ce236c3ae6be2037b
    jwrdegoede committed with Ed Tam Jan 11, 2013
Commits on Jul 16, 2014
  1. @lcolitti

    net: support marking accepting TCP sockets

    When using mark-based routing, sockets returned from accept()
    may need to be marked differently depending on the incoming
    connection request.
    This is the case, for example, if different socket marks identify
    different networks: a listening socket may want to accept
    connections from all networks, but each connection should be
    marked with the network that the request came in on, so that
    subsequent packets are sent on the correct network.
    This patch adds a sysctl to mark TCP sockets based on the fwmark
    of the incoming SYN packet. If enabled, and an unmarked socket
    receives a SYN, then the SYN packet's fwmark is written to the
    connection's inet_request_sock, and later written back to the
    accepted socket when the connection is established.  If the
    socket already has a nonzero mark, then the behaviour is the same
    as it is today, i.e., the listening socket's fwmark is used.
    Black-box tested using user-mode linux:
    - IPv4/IPv6 SYN+ACK, FIN, etc. packets are routed based on the
      mark of the incoming SYN packet.
    - The socket returned by accept() is marked with the mark of the
      incoming SYN packet.
    - Tested with syncookies=1 and syncookies=2.
    [android-3.4 commit 4593f09b1f9939ec6ed2f8d7848def26b98c47ac]
    Change-Id: I5e8c9b989762a93f3eb5a0c1b4df44f62d57f3cb
    Signed-off-by: Lorenzo Colitti <>
    lcolitti committed Mar 26, 2014
  2. @lcolitti

    net: add a sysctl to reflect the fwmark on replies

    Kernel-originated IP packets that have no user socket associated
    with them (e.g., ICMP errors and echo replies, TCP RSTs, etc.)
    are emitted with a mark of zero. Add a sysctl to make them have
    the same mark as the packet they are replying to.
    This allows an administrator that wishes to do so to use
    mark-based routing, firewalling, etc. for these replies by
    marking the original packets inbound.
    Tested using user-mode linux:
     - ICMP/ICMPv6 echo replies and errors.
     - TCP RST packets (IPv4 and IPv6).
    [android-3.4 commit 3356997e1e1b2aa9959f046203e6d0b193bbd7f7]
    Change-Id: If3dfa98be3115ef405366a90bb9514d453629baa
    Signed-off-by: Lorenzo Colitti <>
    lcolitti committed Mar 18, 2014
  3. @lcolitti

    net: ipv6: autoconf routes into per-device tables

    Currently, IPv6 router discovery always puts routes into
    RT6_TABLE_MAIN. This causes problems for connection managers
    that want to support multiple simultaneous network connections
    and want control over which one is used by default (e.g., wifi
    and wired).
    To work around this connection managers typically take the routes
    they prefer and copy them to static routes with low metrics in
    the main table. This puts the burden on the connection manager
    to watch netlink to see if the routes have changed, delete the
    routes when their lifetime expires, etc.
    Instead, this patch adds a per-interface sysctl to have the
    kernel put autoconf routes into different tables. This allows
    each interface to have its own autoconf table, and choosing the
    default interface (or using different interfaces at the same
    time for different types of traffic) can be done using
    appropriate ip rules.
    The sysctl behaves as follows:
    - = 0: default. Put routes into RT6_TABLE_MAIN as before.
    - > 0: manual. Put routes into the specified table.
    - < 0: automatic. Add the absolute value of the sysctl to the
           device's ifindex, and use that table.
    The automatic mode is most useful in conjunction with
    net.ipv6.conf.default.accept_ra_rt_table. A connection manager
    or distribution could set it to, say, -100 on boot, and
    thereafter just use IP rules.
    [android-3.4 commit 5fe5c512af518d0abbbc0d2fafa8e355f518c2a9]
    Change-Id: I245b9ad56e72cd7b1e6fe8e1aa8c042affeb69a2
    Signed-off-by: Lorenzo Colitti <>
    lcolitti committed Mar 26, 2014
  4. @lcolitti

    net: ipv6: ping: Use socket mark in routing lookup

    [net-next commit bf439b3154ce49d81a79b14f9fab18af99018ae2]
    Change-Id: Id3b8fe1f44f5b990520781e327d5070827ba06fc
    Signed-off-by: Lorenzo Colitti <>
    Signed-off-by: David S. Miller <>
    lcolitti committed Feb 27, 2014
  5. @lcolitti

    ipv6: tcp: fix tcp_v6_conn_request()

    Since linux 2.6.26 (commit c6aefaf : Add IPv6 support to TCP SYN
    cookies), we can drop a SYN packet reusing a TIME_WAIT socket.
    (As a matter of fact we fail to send the SYNACK answer)
    As the client resends its SYN packet after a one second timeout, we
    accept it, because first packet removed the TIME_WAIT socket before
    being dropped.
    This probably explains why nobody ever noticed or complained.
    [net-next commit 4d0fe50c75a547088e4304e5eb5f521514dfae46]
    Change-Id: I1575a5c76dd3a21bb9cdb08aa8f0580d20700c3d
    Reported-by: Jesse Young <>
    Signed-off-by: Eric Dumazet <>
    Signed-off-by: David S. Miller <>
    Eric Dumazet committed with lcolitti Nov 23, 2011
  6. @lcolitti

    tcp: resets are misrouted

    [ Upstream commit 4c67525849e0b7f4bd4fab2487ec9e43ea52ef29 ]
    After commit e2446eaa ("tcp_v4_send_reset: binding oif to iif in no
    sock case").. tcp resets are always lost, when routing is asymmetric.
    Yes, backing out that patch will result in misrouting of resets for
    dead connections which used interface binding when were alive, but we
    actually cannot do anything here.  What's died that's died and correct
    handling normal unbound connections is obviously a priority.
    Comment to comment:
    > This has few benefits:
    >   1. tcp_v6_send_reset already did that.
    It was done to route resets for IPv6 link local addresses. It was a
    mistake to do so for global addresses. The patch fixes this as well.
    Actually, the problem appears to be even more serious than guaranteed
    loss of resets.  As reported by Sergey Soloviev <>, those
    misrouted resets create a lot of arp traffic and huge amount of
    unresolved arp entires putting down to knees NAT firewalls which use
    asymmetric routing.
    Change-Id: I49311654de05ca97ae370931e4a6e83f6ca3ced7
    Signed-off-by: Alexey Kuznetsov <>
    Signed-off-by: Greg Kroah-Hartman <>
    Alexey Kuznetsov committed with lcolitti Oct 12, 2012
  7. @lcolitti

    tcp_v4_send_reset: binding oif to iif in no sock case

    Binding RST packet outgoing interface to incoming interface
    for tcp v4 when there is no socket associate with it.
    when sk is not NULL, using sk->sk_bound_dev_if instead.
    (suggested by Eric Dumazet).
    This has few benefits:
    1. tcp_v6_send_reset already did that.
    2. This helps tcp connect with SO_BINDTODEVICE set. When
    connection is lost, we still able to sending out RST using
    same interface.
    3. we are sending reply, it is most likely to be succeed
    if iif is used
    [android-3.4 commit e2446eaab5585555a38ea0df4e01ff313dbb4ac9]
    Change-Id: I44eed2e7168eb3586d1ea724a23ecc3492edb9d6
    Signed-off-by: Shawn Lu <>
    Acked-by: Eric Dumazet <>
    Signed-off-by: David S. Miller <>
    Shawn Lu committed with lcolitti Feb 4, 2012
Commits on Jul 8, 2014
  1. net: wireless: bcmdhd: Add WIPHY_WOWLAN_ANY support

    Change-Id: I4a9de9ab40f6de2e5ef5830529cfb066d6c75b57
    Signed-off-by: Dmitry Shmidt <>
    Dmitry Shmidt committed Jul 8, 2014
Commits on Jun 16, 2014
  1. prctl: adds the capable(CAP_SYS_NICE) check to PR_SET_TIMERSLACK_PID.

    Adds a capable() check to make sure that arbitary apps do not change the
    timer slack for other apps.
    Bug: 15000427
    Change-Id: I558a2551a0e3579c7f7e7aae54b28aa9d982b209
    Signed-off-by: Ruchi Kandoi <>
    Ruchi Kandoi committed Jun 14, 2014
Commits on Jun 12, 2014
  1. futex: Make lookup_pi_state more robust

    The current implementation of lookup_pi_state has ambigous handling of
    the TID value 0 in the user space futex. We can get into the kernel
    even if the TID value is 0, because either there is a stale waiters
    bit or the owner died bit is set or we are called from the requeue_pi
    path or from user space just for fun.
    The current code avoids an explicit sanity check for pid = 0 in case
    that kernel internal state (waiters) are found for the user space
    address. This can lead to state leakage and worse under some
    Handle the cases explicit:
         Waiter | pi_state | pi->owner | uTID      | uODIED | ?
    [1]  NULL   | ---      | ---       | 0         | 0/1    | Valid
    [2]  NULL   | ---      | ---       | >0        | 0/1    | Valid
    [3]  Found  | NULL     | --        | Any       | 0/1    | Invalid
    [4]  Found  | Found    | NULL      | 0         | 1      | Valid
    [5]  Found  | Found    | NULL      | >0        | 1      | Invalid
    [6]  Found  | Found    | task      | 0         | 1      | Valid
    [7]  Found  | Found    | NULL      | Any       | 0      | Invalid
    [8]  Found  | Found    | task      | ==taskTID | 0/1    | Valid
    [9]  Found  | Found    | task      | 0         | 0      | Invalid
    [10] Found  | Found    | task      | !=taskTID | 0/1    | Invalid
    [1]  Indicates that the kernel can acquire the futex atomically. We
         came came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit.
    [2]  Valid, if TID does not belong to a kernel thread. If no matching
         thread is found then it indicates that the owner TID has died.
    [3]  Invalid. The waiter is queued on a non PI futex
    [4]  Valid state after exit_robust_list(), which sets the user space
    [5]  The user space value got manipulated between exit_robust_list()
         and exit_pi_state_list()
    [6]  Valid state after exit_pi_state_list() which sets the new owner in
         the pi_state but cannot access the user space value.
    [7]  pi_state->owner can only be NULL when the OWNER_DIED bit is set.
    [8]  Owner and user space value match
    [9]  There is no transient state which sets the user space TID to 0
         except exit_robust_list(), but this is indicated by the
         FUTEX_OWNER_DIED bit. See [4]
    [10] There is no transient state which leaves owner and user space
         TID out of sync.
    Backport to 3.13
      conflicts: kernel/futex.c
    Signed-off-by: Thomas Gleixner <>
    Signed-off-by: John Johansen <>
    Cc: Kees Cook <>
    Cc: Will Drewry <>
    Cc: Darren Hart <>
    Thomas Gleixner committed with Ed Tam Jun 3, 2014
  2. futex: Always cleanup owner tid in unlock_pi

    If the owner died bit is set at futex_unlock_pi, we currently do not
    cleanup the user space futex. So the owner TID of the current owner
    (the unlocker) persists. That's observable inconsistant state,
    especially when the ownership of the pi state got transferred.
    Clean it up unconditionally.
    Signed-off-by: Thomas Gleixner <>
    Cc: Kees Cook <>
    Cc: Will Drewry <>
    Cc: Darren Hart <>
    Thomas Gleixner committed with Ed Tam Jun 3, 2014
  3. futex: Validate atomic acquisition in futex_lock_pi_atomic()

    We need to protect the atomic acquisition in the kernel against rogue
    user space which sets the user space futex to 0, so the kernel side
    acquisition succeeds while there is existing state in the kernel
    associated to the real owner.
    Verify whether the futex has waiters associated with kernel state. If
    it has, return -EINVAL. The state is corrupted already, so no point in
    cleaning it up. Subsequent calls will fail as well. Not our problem.
    [ tglx: Use futex_top_waiter() and explain why we do not need to try
      	restoring the already corrupted user space state. ]
    Signed-off-by: Darren Hart <>
    Cc: Kees Cook <>
    Cc: Will Drewry <>
    Signed-off-by: Thomas Gleixner <>
    Thomas Gleixner committed with Ed Tam Jun 3, 2014
  4. futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid uaddr == u…

    …addr2 in futex_requeue(..., requeue_pi=1)
    If uaddr == uaddr2, then we have broken the rule of only requeueing
    from a non-pi futex to a pi futex with this call. If we attempt this,
    then dangling pointers may be left for rt_waiter resulting in an
    exploitable condition.
    This change brings futex_requeue() into line with
    futex_wait_requeue_pi() which performs the same check as per commit
    6f7b0a2a5 (futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi())
    [ tglx: Compare the resulting keys as well, as uaddrs might be
      	different depending on the mapping ]
    Fixes CVE-2014-3153.
    Reported-by: Pinkie Pie
    Signed-off-by: Will Drewry <>
    Signed-off-by: Kees Cook <>
    Signed-off-by: Thomas Gleixner <>
    Thomas Gleixner committed with Ed Tam Jun 3, 2014
Commits on Jun 6, 2014
  1. ARM: nakasi: turn off android logger

    Signed-off-by: Mark Salyzyn <>
    Bug: 15384806
    Change-Id: I623e15d1d7317b4aef58918536b9014fe2527470
    Mark Salyzyn committed Jun 6, 2014
Commits on Jun 4, 2014
Commits on May 19, 2014
  1. @andhe @mkayyash

    net: Fix "ip rule delete table 256"

    [ Upstream commit 13eb2ab2d33c57ebddc57437a7d341995fc9138c ]
    When trying to delete a table >= 256 using iproute2 the local table
    will be deleted.
    The table id is specified as a netlink attribute when it needs more then
    8 bits and iproute2 then sets the table field to RT_TABLE_UNSPEC (0).
    Preconditions to matching the table id in the rule delete code
    doesn't seem to take the "table id in netlink attribute" into condition
    so the frh_get_table helper function never gets to do its job when
    matching against current rule.
    Use the helper function twice instead of peaking at the table value directly.
    Originally reported at:
    Reported-by: Nicolas HICHER <>
    Signed-off-by: Andreas Henriksson <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
    andhe committed with mkayyash Nov 7, 2013
Commits on May 14, 2014
  1. netlink: fix possible spoofing from non-root processes

    Non-root user-space processes can send Netlink messages to other
    processes that are well-known for being subscribed to Netlink
    asynchronous notifications. This allows ilegitimate non-root
    process to send forged messages to Netlink subscribers.
    The userspace process usually verifies the legitimate origin in
    two ways:
    a) Socket credentials. If UID != 0, then the message comes from
       some ilegitimate process and the message needs to be dropped.
    b) Netlink portID. In general, portID == 0 means that the origin
       of the messages comes from the kernel. Thus, discarding any
       message not coming from the kernel.
    However, ctnetlink sets the portID in event messages that has
    been triggered by some user-space process, eg. conntrack utility.
    So other processes subscribed to ctnetlink events, eg. conntrackd,
    know that the event was triggered by some user-space action.
    Neither of the two ways to discard ilegitimate messages coming
    from non-root processes can help for ctnetlink.
    This patch adds capability validation in case that dst_pid is set
    in netlink_sendmsg(). This approach is aggressive since existing
    applications using any Netlink bus to deliver messages between
    two user-space processes will break. Note that the exception is
    NETLINK_USERSOCK, since it is reserved for netlink-to-netlink
    userspace communication.
    Still, if anyone wants that his Netlink bus allows netlink-to-netlink
    userspace, then they can set NL_NONROOT_SEND. However, by default,
    I don't think it makes sense to allow to use NETLINK_ROUTE to
    communicate two processes that are sending no matter what information
    that is not related to link/neighbouring/routing. They should be using
    NETLINK_USERSOCK instead for that.
    Signed-off-by: Pablo Neira Ayuso <>
    Signed-off-by: David S. Miller <>
    Pablo Neira Ayuso committed with Ed Tam Aug 23, 2012
Commits on Apr 28, 2014
  1. net: ipv4: current group_info should be put after using.

    Plug a group_info refcount leak in ping_init.
    group_info is only needed during initialization and
    the code failed to release the reference on exit.
    While here move grabbing the reference to a place
    where it is actually needed.
    Signed-off-by: Chuansheng Liu <>
    Signed-off-by: Zhang Dongxing <>
    Signed-off-by: xiaoming wang <>
    Signed-off-by: David S. Miller <>
    Change-Id: I51931e439cce7f19b4179f5828d7355bb3b1dcfa
    JP Abgrall committed with Ed Tam Apr 24, 2014
Commits on Apr 25, 2014
  1. nf: Remove compilation error caused by

    Signed-off-by: Ruchi Kandoi <>
    Ruchi Kandoi committed with Ed Tam Apr 24, 2014
Commits on Apr 24, 2014
  1. nf: IDLETIMER: time-stamp and suspend/resume handling.

    Message notifications contains an additional timestamp field in nano seconds.
    The expiry time for the timers are modified during suspend/resume.
    If timer was supposed to expire while the system is suspended then a
    notification is sent when it resumes with the timestamp of the scheduled expiry.
    Removes the race condition for multiple work scheduled.
    Bug: 13247811
    Change-Id: I752c5b00225fe7085482819f975cc0eb5af89bff
    Signed-off-by: Ruchi Kandoi <>
    Ruchi Kandoi committed with Ed Tam Mar 25, 2014
  2. prctl: adds PR_SET_TIMERSLACK_PID for setting timer slack of an arbit…

    …rary thread.
    Second argument is similar to PR_SET_TIMERSLACK, if non-zero then the
    slack is set to that value otherwise sets it to the default for the thread.
    Takes PID of the thread as the third argument.
    This allows power/performance management software to set timer slack for
    other threads according to its policy for the thread (such as when the
    thread is designated foreground vs. background activity)
    Change-Id: I744d451ff4e60dae69f38f53948ff36c51c14a3f
    Signed-off-by: Ruchi Kandoi <>
    Ruchi Kandoi committed with Ed Tam Apr 18, 2014
  3. Power: Changes the permission to read only for sysfs file

    Change-Id: If25e8e416ee9726996518b58b6551a61dc1591e3
    Signed-off-by: Ruchi Kandoi <>
    Ruchi Kandoi committed Apr 24, 2014
Commits on Mar 16, 2014
  1. defconfig: regen for ksm and f2fs support

    Signed-off-by: Paul Reioux <>
    committed Mar 16, 2014
Commits on Mar 13, 2014
  1. Power: Add an API call to log wakeup reasons

    Change-Id: I18bb8180efdb20fe784c193f9003bb0929f0c9a8
    Signed-off-by: Ruchi Kandoi<>
    Ruchi Kandoi committed with Ed Tam Feb 28, 2014
  2. POWER: fix compile warnings in log_wakeup_reason

    Change I81addaf420f1338255c5d0638b0d244a99d777d1 introduced compile
    warnings, fix these.
    Change-Id: I05482a5335599ab96c0a088a7d175c8d4cf1cf69
    Signed-off-by: Ruchi Kandoi <>
    Ruchi Kandoi committed Feb 21, 2014
  3. Power: add an API to log wakeup reasons

    Add API log_wakeup_reason() and expose it to userspace via sysfs path
    Change-Id: I81addaf420f1338255c5d0638b0d244a99d777d1
    Signed-off-by: Ruchi Kandoi <>
    Ruchi Kandoi committed Feb 19, 2014