Android-x86
Fork
Spenden

  • R/O
  • HTTP
  • SSH
  • HTTPS

kernel: Liste der Commits

kernel


RSS
Rev. Zeit Autor
d8064e1 kernel-4.9 2019-06-14 17:07:48 Chih-Wei Huang

Merge remote-tracking branch 'aosp/android-4.9' into kernel-4.9

Conflicts:
arch/x86/kernel/signal.c

0c1ee05 2019-06-14 16:58:23 Chih-Wei Huang

efi/libstub: remove duplicate nokaslr

The same patch was applied twice (8fca3c364 and e3111d522).

Change-Id: I2f3284d294326ec7736303374769640a1e022878
Signed-off-by: Chih-Wei Huang <cwhuang@android-x86.org>

0a8a3e5 2019-06-14 07:04:14 Joel Fernandes

BACKPORT: Add support for BPF_FUNC_probe_read_str

Downstream kernel is missing support for this. It is needed by I/O
readahead project to read strings from kernel memory on Pixel v4.9. Add
support for the same.

Bug: 135210418

Change-Id: I37895b395d3fd2637f1d69e111c4a6e2b8c0327a
Signed-off-by: Joel Fernandes <joelaf@google.com>

eeb7e76 kernel-4.19 2019-06-13 11:31:48 Chih-Wei Huang

Android-x86: update defconfig for the 8.1-r2 release

d408a6f 2019-06-13 01:09:18 Chih-Wei Huang

Merge remote-tracking branch 'aosp/android-4.19' into kernel-4.19

Conflicts:
arch/x86/kernel/signal.c

9ec9344 2019-06-13 01:06:19 JP Abgrall

ANDROID: netfilter: xt_qtaguid: add qtaguid matching module

This module allows tracking stats at the socket level for given UIDs.
It replaces xt_owner.
If the --uid-owner is not specified, it will just count stats based on
who the skb belongs to. This will even happen on incoming skbs as it
looks into the skb via xt_socket magic to see who owns it.
If an skb is lost, it will be assigned to uid=0.

To control what sockets of what UIDs are tagged by what, one uses:
echo t $sock_fd $accounting_tag $the_billed_uid \
> /proc/net/xt_qtaguid/ctrl
So whenever an skb belongs to a sock_fd, it will be accounted against
$the_billed_uid
and matching stats will show up under the uid with the given
$accounting_tag.

Because the number of allocations for the stats structs is not that big:
~500 apps * 32 per app
we'll just do it atomic. This avoids walking lists many times, and
the fancy worker thread handling. Slabs will grow when needed later.

It use netdevice and inetaddr notifications instead of hooks in the core dev
code to track when a device comes and goes. This removes the need for
exposed iface_stat.h.

Put procfs dirs in /proc/net/xt_qtaguid/
ctrl
stats
iface_stat/<iface>/...
The uid stats are obtainable in ./stats.

Change-Id: I01af4fd91c8de651668d3decb76d9bdc1e343919
Signed-off-by: JP Abgrall <jpa@google.com>

[AmitP: Folded following android-4.9 commit changes into this patch
e5d798684a71 ("ANDROID: netfilter: qtaguid: initialize a local var to keep compiler happy")]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>

ANDROID: netfilter: xt_qtaguid: fix ipv6 protocol lookup

When updating the stats for a given uid it would incorrectly assume
IPV4 and pick up the wrong protocol when IPV6.

Change-Id: Iea4a635012b4123bf7aa93809011b7b2040bb3d5
Signed-off-by: JP Abgrall <jpa@google.com>

ANDROID: netfilter: xt_qtaguid: start tracking iface rx/tx at low level

qtaguid tracks the device stats by monitoring when it goes up and down,
then it gets the dev_stats().
But devs don't correctly report stats (either they don't count headers
symmetrically between rx/tx, or they count internal control messages).

Now qtaguid counts the rx/tx bytes/packets during raw:prerouting and
mangle:postrouting (nat is not available in ipv6).

The results are in
/proc/net/xt_qtaguid/iface_stat_fmt
which outputs a format line (bash expansion):
ifname total_skb_{rx,tx}_{bytes,packets}

Added event counters for pre/post handling.
Added extra ctrl_*() pid/uid debugging.

Change-Id: Id84345d544ad1dd5f63e3842cab229e71d339297
Signed-off-by: JP Abgrall <jpa@google.com>

ANDROID: netfilter: xt_qtaguid: report only uid tags to non-privileged processes

In the past, a process could only see its own stats (uid-based summary,
and details).
Now we allow any process to see other UIDs uid-based stats, but still
hide the detailed stats.

Change-Id: I7666961ed244ac1d9359c339b048799e5db9facc
Signed-off-by: JP Abgrall <jpa@google.com>

ANDROID: netfilter: xt_qtaguid: fix error exit that would keep a spinlock.

qtudev_open() could return with a uid_tag_data_tree_lock held
when an kzalloc(..., GFP_ATOMIC) would fail.
Very unlikely to get triggered AND survive the mayhem of running out of mem.

Signed-off-by: JP Abgrall <jpa@google.com>

ANDROID: netfilter: xt_qtaguid: Don't BUG_ON if create_if_tag_stat fails

If create_if_tag_stat fails to allocate memory (GFP_ATOMIC) the
following will happen:

qtaguid: iface_stat: tag stat alloc failed
...
kernel BUG at xt_qtaguid.c:1482!

Signed-off-by: Pontus Fuchs <pontus.fuchs@gmail.com>

ANDROID: netfilter: xt_qtaguid: remove AID_* dependency for access control

qtaguid limits what can be done with /ctrl and /stats based on group
membership.
This changes removes AID_NET_BW_STATS and AID_NET_BW_ACCT, and picks
up the groups from the gid of the matching proc entry files.

Signed-off-by: JP Abgrall <jpa@google.com>
Change-Id: I42e477adde78a12ed5eb58fbc0b277cdaadb6f94

ANDROID: netfilter: xt_qtaguid: extend iface stat to report protocols

In the past the iface_stat_fmt would only show global bytes/packets
for the skb-based numbers.
For stall detection in userspace, distinguishing tcp vs other protocols
makes it easier.
Now we report
ifname total_skb_rx_bytes total_skb_rx_packets total_skb_tx_bytes
total_skb_tx_packets {rx,tx}_{tcp,udp,ohter}_{bytes,packets}

Bug: 6818637
Signed-off-by: JP Abgrall <jpa@google.com>

ANDROID: netfilter: xt_qtaguid: Allow tracking loopback

In the past it would always ignore interfaces with loopback addresses.
Now we just treat them like any other.
This also helps with writing tests that check for the presence
of the qtaguid module.

Signed-off-by: JP Abgrall <jpa@google.com>

ANDROID: netfilter: xt_qtaguid: rate limit some of the printks

Some of the printks are in the packet handling path.
We now ratelimit the very unlikely errors to avoid
kmsg spamming.

Signed-off-by: JP Abgrall <jpa@google.com>

ANDROID: netfilter: xt_qtaguid: 3.10 fixes

Stop using obsolete procfs api.

Signed-off-by: Arve Hjønnevåg <arve@android.com>

[AmitP: Folded following android-4.9 commit changes into this patch
564729173b12 ("netfilter: xt_qtaguid: fix memory leak in seq_file handlers")
85a2eb5b48fc ("ANDROID: netfilter: xt_qtaguid: 64-bit warning fixes")]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>

ANDROID: netfilter: xt_qtaguid: fix bad tcp_time_wait sock handling

Since (41063e9 ipv4: Early TCP socket demux), skb's can have an sk which
is not a struct sock but the smaller struct inet_timewait_sock without an
sk->sk_socket. Now we bypass sk_state == TCP_TIME_WAIT

Signed-off-by: JP Abgrall <jpa@google.com>

ANDROID: netfilter: xt_qtaguid: Fix boot panic

We need the change below because of mainline commit 351638e7de (net: pass
info struct via netdevice notifier). Otherwise we panic.

Change-Id: I7daf7513a733933fdcbaeebea7f8191f8b6a0432
Signed-off-by: John Stultz <john.stultz@linaro.org>

ANDROID: netfilter: xt_qtaguid/xt_socket: Build fixups

Fix up build kuid/kguid build issues in netfilter code.

Also re-add the xt_socket_get/put_sk interfaces needed by xt_qtaguid.

Change-Id: I7027fb840e109785bddffe8ea717b8d018b26d82
Signed-off-by: John Stultz <john.stultz@linaro.org>

[AmitP: Folded following android-4.9 commit changes into this patch
da5ea99a74f2 ("ANDROID: netfilter: xt_qtaguid: fix seq_printf type mismatch warning")
070eff8f023c ("ANDROID: netfilter: xt_qtaguid: fix broken uid/gid range check")]
2879b6ec24ee ("ANDROID: xt_qtaguid: use sock_gen_put() instead of xt_socket_put_sk()")]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>

ANDROID: netfilter: xt_qtaguid: Use sk_callback_lock read locks before reading sk->sk_socket

It prevents a kernel panic when accessing sk->sk_socket fields due to NULLing sk->sk_socket when sock_orphan is called through
sk_common_release.

Change-Id: I4aa46b4e2d8600e4d4ef8dcdd363aa4e6e5f8433
Signed-off-by: Mohamad Ayyash <mkayyash@google.com>
(cherry picked from commit cdea0ebcb8bcfe57688f6cb692b49e550ebd9796)
Signed-off-by: John Stultz <john.stultz@linaro.org>

ANDROID: netfilter: xt_qtaguid: xt_socket: build fixes

Add missing header <linux/miscdevice.h> and use
xt_socket_lookup_slow_v* instead of xt_socket_get*_sk
in xt_qtaguid.c.

Fix xt_socket_lookup_slow_v* functions in xt_socket.c
and declare them in xt_socket.h

Change-Id: I55819b2d4ffa82a2be20995c87d28fb5cc77b5ba
Signed-off-by: John Stultz <john.stultz@linaro.org>

[AmitP: Upstream commit 8db4c5be88f6 ("netfilter: move socket lookup
infrastructure to nf_socket_ipv{4,6}.c")] moved socket lookup
to nf_socket_ipv{4,6}.c, hence use nf_sk_lookup_slow_v[4|6]()
instead of obsolete xt_socket_lookup_slow_v[4|6]().

Also folded following android-4.9 commit changes into this patch
7de1bb86dc5a ("ANDROID: netfilter: xt_qtaguid/socket: build fixes for 4.4")
5b5ab94817f9 ("ANDROID: netfilter: xt_qtaguid: seq_printf fixes")]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>

ANDROID: netfilter: xt_qtaguid: fix a race condition in if_tag_stat_update

Miss a lock protection in if_tag_stat_update while doing get_iface_entry. So if
one CPU is doing iface_stat_create while another CPU is doing if_tag_stat_update,
race will happened.

Change-Id: Ib8d98e542f4e385685499f5b7bb7354f08654a75
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>

ANDROID: netfilter: xt_qtaguid: Fix panic caused by synack processing

In upstream commit ca6fb06518836ef9b65dc0aac02ff97704d52a05
(tcp: attach SYNACK messages to request sockets instead of
listener)
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ca6fb0651883

The building of synack messages was changed, which made it so
the skb->sk points to a casted request_sock. This is problematic,
as there is no sk_socket in a request_sock. So when the qtaguid_mt
function tries to access the sk->sk_socket, it accesses uninitialized
memory.

After looking at how other netfilter implementations handle this,
I realized there was a skb_to_full_sk() helper added, which the
xt_qtaguid code isn't yet using.

This patch adds its use, and resovles panics seen when accessing
uninitialzed memory when processing synack packets.

Reported-by: YongQin Liu <yongquin.liu@linaro.org>
Signed-off-by: John Stultz <john.stultz@linaro.org>

ANDROID: netfilter: xt_qtaguid: Fix panic caused by processing non-full socket.

In an issue very similar to 4e461c777e3 (xt_qtaguid: Fix panic
caused by synack processing), we were seeing panics on occasion
in testing.

In this case, it was the same issue, but caused by a different
call path, as the sk being returned from qtaguid_find_sk() was
not a full socket. Resulting in the sk->sk_socket deref to fail.

This patch adds an extra check to ensure the sk being retuned
is a full socket, and if not it returns NULL.

Reported-by: Milosz Wasilewski <milosz.wasilewski@linaro.org>
Signed-off-by: John Stultz <john.stultz@linaro.org>

ANDROID: netfilter: xt_qtaguid: Don't show empty tag stats for unprivileged uids

BUG: 27577101
BUG: 27532522
Change-Id: Ibee3c5d224f139b9312a40acb203e87aa7060797
Signed-off-by: Mohamad Ayyash <mkayyash@google.com>

ANDROID: netfilter: xt_qtaguid: fix the deadlock when enable DDEBUG

When DDEBUG is enabled, the prdebug_full_state() function will try to
recursively aquire the spinlock of sock_tag_list and causing deadlock. A
check statement is added before it aquire the spinlock to differentiate
the behavior depend on the caller of the function.

Bug: 36559739
Test: Compile and run test under system/extra/test/iptables/
Change-Id: Ie3397fbaa207e14fe214d47aaf5e8ca1f4a712ee
Signed-off-by: Chenbo Feng <fengc@google.com>
(cherry picked from commit f0faedd6b468777f3bb5834f97100794d562c8b7)

ANDROID: netfilter: xt_qtaguid: don't check if embedded arrays are NULL

clang warns about four NULL pointer checks:

net/netfilter/xt_qtaguid.c:973:11: warning: address of array 'ifa->ifa_label' will always evaluate to 'true' [-Wpointer-bool-conversion]
net/netfilter/xt_qtaguid.c:974:13: warning: address of array 'ifa->ifa_label' will always evaluate to 'true' [-Wpointer-bool-conversion]
net/netfilter/xt_qtaguid.c:1212:31: warning: address of array 'el_dev->name' will always evaluate to 'true' [-Wpointer-bool-conversion]
net/netfilter/xt_qtaguid.c:1640:31: warning: address of array 'el_dev->name' will always evaluate to 'true' [-Wpointer-bool-conversion]

Both of these fields are embedded char[16] arrays rather than pointers,
so they can never be NULL.

Change-Id: I748ff6dd11569e5596a9d5cecdf9c334847e7307
Signed-off-by: Greg Hackmann <ghackmann@google.com>

ANDROID: netfilter: xt_qtaguid: Add untag hacks to inet_release function

To prevent protential risk of memory leak caused by closing socket with
out untag it from qtaguid module, the qtaguid module now do not hold any
socket file reference count. Instead, it will increase the sk_refcnt of
the sk struct to prevent a reuse of the socket pointer. And when a socket
is released. It will delete the tag if the socket is previously tagged so
no more resources is held by xt_qtaguid moudle. A flag is added to the untag
process to prevent possible kernel crash caused by fail to delete
corresponding socket_tag_entry list.
Bug: 36374484
Test: compile and run test under system/extra/test/iptables,
run cts -m CtsNetTestCases -t android.net.cts.SocketRefCntTest

Signed-off-by: Chenbo Feng <fengc@google.com>
Change-Id: Iea7c3bf0c59b9774a5114af905b2405f6bc9ee52

ANDROID: netfilter: xt_qtaguid: handle properly request sockets

To match rules related to uid/gid for syn recv packets
we need to get the full socket from request_sock struct.

Bug: 63917742
Change-Id: I03acb2251319fd800d0e36a6dde30fc1fbb7d1b0
Signed-off-by: Simon Dubray <simonx.dubray@intel.com>

ANDROID: netfilter: xt_qtaguid: fix handling for cases where tunnels are used.

* fix skb->dev vs par->in/out
When there is some forwarding going on, it introduces extra state
around devs associated with xt_action_param->in/out and sk_buff->dev.
E.g.
par->in and par->out are both set, or
skb->dev and par->out are both set (and different)
This would lead qtaguid to make the wrong assumption about the
direction and update the wrong device stats.
Now we rely more on par->in/out.

* Fix handling when qtaguid is used as "owner"
When qtaguid is used as an owner module, and sk_socket->file is
not there (happens when tunnels are involved), it would
incorrectly do a tag stats update.

* Correct debug messages.

Bug: 11687690
Change-Id: I2b1ff8bd7131969ce9e25f8291d83a6280b3ba7f
CRs-Fixed: 747810
Signed-off-by: JP Abgrall <jpa@google.com>
Git-commit: 2b71479d6f5fe8f33b335f713380f72037244395
Git-repo: https://www.codeaurora.org/cgit/quic/la/kernel/mediatek
[imaund@codeaurora.org: Resolved trivial context conflicts.]
Signed-off-by: Ian Maund <imaund@codeaurora.org>
[bflowers@codeaurora.org: Resolved merge conflicts]
Signed-off-by: Bryse Flowers <bflowers@codeaurora.org>
Signed-off-by: Chenbo Feng <fengc@google.com>

ANDROID: netfilter: xt_qtaguid: Use sk_uid to replace uid get from socket file

Retrieve socket uid from the sk_uid field added to struct sk instead of
read it from sk->socket->file. It prevent the packet been dropped when
the socket file doesn't exist.

Bug: 37524657
Signed-off-by: Chenbo Feng <fengc@google.com>
Change-Id: Ic58239c1f9aa7e0eb1d4d1c09d40b845fd4e8e57

ANDROID: netfilter: xt_qtaguid: Fix 4.14 compilation

struct xt_action_param was changed:
in, out, family and hooknum were moved to
struct nf_hook_state *state
in, out, pf and hook
Replace atomic_read() with refcount_read()

Change-Id: If463bf84db08fe382baa825ca7818cab2150b60d
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>

ANDROID: qtaguid: Fix the UAF probelm with tag_ref_tree

When multiple threads is trying to tag/delete the same socket at the
same time, there is a chance the tag_ref_entry of the target socket to
be null before the uid_tag_data entry is freed. It is caused by the
ctrl_cmd_tag function where it doesn't correctly grab the spinlocks
when tagging a socket.

Signed-off-by: Chenbo Feng <fengc@google.com>
Bug: 65853158
Change-Id: I5d89885918054cf835370a52bff2d693362ac5f0

ANDROID: xt_qtaguid: Remove unnecessary null checks to device's name

'name' will never be NULL since it isn't a plain pointer but an array
of char values.

../net/netfilter/xt_qtaguid.c:1195:27: warning: address of array
'(*el_dev)->name' will always evaluate to 'true'
[-Wpointer-bool-conversion]
if (unlikely(!(*el_dev)->name)) {
~~~~~~~~~~~~^~~~

Change-Id: If3b25f17829b43e8a639193fb9cd04ae45947200
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
(cherry picked from android-4.4 commit 207b579e3db6fd0cb6fe40ba3e929635ad748d89)
Signed-off-by: Chenbo Feng <fengc@google.com>

2bd8593 2019-06-13 01:05:33 Robert Love

ANDROID: net: Paranoid network.

With CONFIG_ANDROID_PARANOID_NETWORK, require specific uids/gids to instantiate
network sockets.

Signed-off-by: Robert Love <rlove@google.com>

paranoid networking: Use in_egroup_p() to check group membership

The previous group_search() caused trouble for partners with module builds.
in_egroup_p() is also cleaner.

Signed-off-by: Nick Pelly <npelly@google.com>

Fix 2.6.29 build.

Signed-off-by: Arve Hjønnevåg <arve@android.com>

net: Fix compilation of the IPv6 module

Fix compilation of the IPv6 module -- current->euid does not exist anymore,
current_euid() is what needs to be used.

Signed-off-by: Steinar H. Gunderson <sesse@google.com>

net: bluetooth: Remove the AID_NET_BT* gid numbers

Removed bluetooth checks for AID_NET_BT and AID_NET_BT_ADMIN
which are not useful anymore.
This is in preparation for getting rid of all the AID_* gids.

Change-Id: I879d7181f07532784499ef152288d12a03ab6354
Signed-off-by: JP Abgrall <jpa@google.com>

[AmitP: Folded following android-4.9 commit changes into this patch
a2624d7b9d73 ("ANDROID: Add android_aid.h")]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>

ANDROID: net: paranoid: security: Add AID_NET_RAW and AID_NET_ADMIN capability check in cap_capable().

Signed-off-by: Chia-chi Yeh <chiachi@android.com>

ANDROID: net: paranoid: Replace AID_NET_RAW checks with capable(CAP_NET_RAW).

Signed-off-by: Chia-chi Yeh <chiachi@android.com>

ANDROID: net: paranoid: Only NET_ADMIN is allowed to fully control TUN interfaces.

Signed-off-by: Chia-chi Yeh <chiachi@android.com>

ANDROID: net: paranoid: security: Add proper checks for Android specific capability checks

Commit b641072 ("security: Add AID_NET_RAW and AID_NET_ADMIN capability
check in cap_capable().") introduces additional checks for AID_NET_xxx
macros. Since the header file including those macros are conditionally
included, the checks should also be conditionally executed.

Change-Id: Iaec5208d5b95a46b1ac3f2db8449c661e803fa5b
Signed-off-by: Tushar Behera <tushar.behera@linaro.org>
Signed-off-by: Andrey Konovalov <andrey.konovalov@linaro.org>

ANDROID: net: paranoid: commoncap: Begin to warn users of implicit PARANOID_NETWORK capability grants

CAP_NET_ADMIN and CAP_NET_RAW are implicity granted to the "special"
Android groups net_admin and net_raw.

This is a byproduct of the init system not being able to specify
capabilities back in the day, but has now been resolved and .rc files
can explictly specify the capabilities to be granted to a service.

Thus, we should start to remove this implict capability grant, and the
first step is to warn when a process doesn't have explicit capablity
but is a member of the implicitly granted group, when that capability
is checked.

This will allow for the PARANOID_NETWORK checks in commoncap.c to
be totally removed in a future kernel.

Change-Id: I6dac90e23608b6dba14a8f2049ba29ae56cb7ae4
Signed-off-by: John Stultz <john.stultz@linaro.org>

c776aaf 2019-06-13 01:05:17 lambdadroid

ANDROID: drm/i915: Avoid resetting brightness if set to minimum (v2)

Right now, the brightness is reset to maximum if it was set to
minimum before the backlight was disabled. This looks bad when
turning the screen back on because it will actually fade down
instead of fade up when a lower brightness is set.

Just keep the brightness as-is after turning backlight on so
userspace can directly set the correct brightness value.

v2: Keep check but reset brightness only if below minimum.

c2f7c82 2019-06-13 01:04:55 lambdadroid

drm/i915: Change maximum brightness for CRC PWM to 255

The Crystalcove (CRC) PMIC PWM driver supports 255 levels.
Currently, these are mapped to a percentage, making it impossible
to choose all available brightness levels. Change the maximum
brightness level to 255 so all available levels can be used.

fbc4d87 2019-06-13 01:02:00 Stephan Gerhold

UPSTREAM: Bluetooth: btbcm: Add default address for BCM2076B1

BCM2076B1 appears to use 20:76:A0:00:56:79 as default address.
This address is used by at least 5 devices with the AMPAK AP6476
module and is also suspicious because it starts with the chip name
2076 (followed by a different revision A0 for some reason).

Add it to the list of default addresses and leave it up to the
user to configure a valid one.

Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
(cherry picked from commit 300926b138eb30ce1763d1d10604230d4d38d64a)

422ae35 2019-06-13 01:01:50 Stephan Gerhold

UPSTREAM: Bluetooth: btbcm: Add entry for BCM2076B1 UART Bluetooth

Add the device ID for the BT/FM/GPS combo chip BCM2076 (rev B1)
used in the AMPAK AP6476 WiFi/BT/FM/GPS module.

Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
(cherry picked from commit 039287aa9f7247f27ecae70a6e4aefa43f431d6b)

7bb53a1 2019-06-13 01:00:50 Stephan Gerhold

UPSTREAM: ASoC: Intel: bytcr_rt5640: Add quirks for ASUS MeMO Pad 7 (ME176C)

Add quirks to select the correct input map, jack-detect options
and channel map to make sound work on the ASUS MeMO Pad 7 (ME176C).

Note: Although sound works out of the box, jack detection currently
requires overriding the ACPI DSDT table. This is necessary because
the rt5640 ACPI device (10EC5640) has the wrong GPIO listed as
interrupt (one of the Bluetooth GPIOs).
The correct GPIO is GPO2 0x0004 (listed as the first GPIO in the
Intel(R) Audio Machine Driver - AMCR0F28 device).

Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
(cherry picked from commit 51a13e401a83ef37aa98c049c2c30bba885676c2)

1a3a068 2019-06-13 00:59:33 Stephan Gerhold

UPSTREAM: ASoC: Intel: sst: Fallback to BYT-CR if IRQ 5 is missing

Some devices detected as BYT-T by the PMIC-type based detection
have only a single IRQ listed in the 80860F28 ACPI device. This
causes -ENXIO later when attempting to get the IRQ at index 5.
It turns out these devices behave more like BYT-CR devices,
and using the IRQ at index 0 makes sound work correctly.

This patch adds a fallback for these devices to is_byt_cr():
If there is no IRQ resource at index 5, treating the device
as BYT-T is guaranteed to fail later, so we can safely treat
these devices as BYT-CR without breaking any working device.

Link: http://mailman.alsa-project.org/pipermail/alsa-devel/2018-December/143176.html
Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
(cherry picked from commit fee15714552dbf420264da6f88dd813b8502592b)

3352f5b 2019-06-13 00:56:41 Stephan Gerhold

UPSTREAM: ASoC: Intel: sst: Simplify is_byt_cr()

is_byt_cr() and its usage can be simplified by returning the bool
directly, instead of through a pointer. This works because the
return value is just treated as bytcr = false and is not used
otherwise.

This patch also removes the extra check of
IS_ENABLED(CONFIG_IOSF_MBI) in favor of checking
iosf_mbi_available() directly. The header already takes care
of returning false if the config option is not enabled.

No functional change.

Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
(cherry picked from commit b97205ef95efddee018061dfee14c995be08dde3)

303de8b 2019-06-13 00:56:39 Stephan Gerhold

UPSTREAM: iio: magnetometer: ak8975: Add the "AKM9911" ACPI HID

This HID is used on the ASUS MeMO Pad 7 (ME176C) tablet.

Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
(cherry picked from commit 0a9ff2a13b4637dec6ec61e5cec30dbb598a8b8d)

2cbe518 2019-06-13 00:56:36 Stephan Gerhold

UPSTREAM: iio: accel: kxcjk-1013: Add the "KXJ2109" ACPI HID

This HID is used on the ASUS MeMO Pad 7 (ME176C) tablet.

Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
(cherry picked from commit b911b0ab0d89d8488ae0d21db121907dcacef6ad)

97ca43b 2019-06-13 00:53:20 Ville Syrjälä

UPSTREAM: platform/x86: Fix config space access for intel_atomisp2_pm

We lose even config space access when we power gate the ISP
via the PUNIT. That makes lspci & co. produce gibberish.

To fix that let's try to implement actual runtime pm hooks
and inform the pci core that the device always goes to
D3cold. That will cause the pci core to resume the device
before attempting config space access.

This introduces another annoyance though. We get the
following error every time we try to resume the device:
intel_atomisp2_pm 0000:00:03.0: Refused to change power state, currently in D3

The reason being that the pci core tries to put the device
back into D0 via the standard PCI PM mechanism before
calling the driver resume hook. To fix this properly
we'd need to infiltrate the platform pm hooks (could
turn ugly real fast), or use pm domains (which don't
seem to exist on x86), or some extra early resume
hook for the driver (which doesn't exist either).
So maybe we just choose to live with the error?

Cc: Hans de Goede <hdegoede@redhat.com>
Cc: Alan Cox <alan@linux.intel.com>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Darren Hart <dvhart@infradead.org>
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
(cherry picked from commit 6a31061833a52a79c99221b6251db08cf377470e)

17a8c14 2019-06-13 00:53:18 Ville Syrjälä

UPSTREAM: platform/x86: Add the VLV ISP PCI ID to atomisp2_pm

If the ISP is exposed as a PCI device VLV machines need the
same treatment as CHV machines to power gate the ISP. Otherwise
s0ix will not work.

Cc: Hans de Goede <hdegoede@redhat.com>
Cc: Alan Cox <alan@linux.intel.com>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Darren Hart <dvhart@infradead.org>
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
(cherry picked from commit 8a7d7141528ad67e465bc6afacc6a3144d1fe320)

4831266 2019-06-13 00:53:13 Todd Kjos

UPSTREAM: binder: check for overflow when alloc for security context

commit 0b0509508beff65c1d50541861bc0d4973487dc5 upstream.

When allocating space in the target buffer for the security context,
make sure the extra_buffers_size doesn't overflow. This can only
happen if the given size is invalid, but an overflow can turn it
into a valid size. Fail the transaction if an overflow is detected.

Bug: 130571081
Change-Id: I03fa4c879895fe4f768d880f87dce329423bfb9a
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

b8f2f4b 2019-06-12 07:47:28 Todd Kjos

UPSTREAM: binder: check for overflow when alloc for security context

commit 0b0509508beff65c1d50541861bc0d4973487dc5 upstream.

When allocating space in the target buffer for the security context,
make sure the extra_buffers_size doesn't overflow. This can only
happen if the given size is invalid, but an overflow can turn it
into a valid size. Fail the transaction if an overflow is detected.

Bug: 130571081
Change-Id: Ibaec652d2073491cc426a4a24004a848348316bf
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

e53fcdd 2019-06-12 02:00:38 Todd Kjos

BACKPORT: binder: fix race between munmap() and direct reclaim

commit 5cec2d2e5839f9c0fec319c523a911e0a7fd299f upstream.

An munmap() on a binder device causes binder_vma_close() to be called
which clears the alloc->vma pointer.

If direct reclaim causes binder_alloc_free_page() to be called, there
is a race where alloc->vma is read into a local vma pointer and then
used later after the mm->mmap_sem is acquired. This can result in
calling zap_page_range() with an invalid vma which manifests as a
use-after-free in zap_page_range().

The fix is to check alloc->vma after acquiring the mmap_sem (which we
were acquiring anyway) and skip zap_page_range() if it has changed
to NULL.

Bug: 120025196
Change-Id: I2f3284d294326ec7736303374769640a1e028783
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Todd Kjos <tkjos@google.com>
Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Cc: stable <stable@vger.kernel.org> # 4.14
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

6ccab84 2019-06-11 20:54:30 Greg Kroah-Hartman

This is the 4.9.181 stable release
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlz/gPoACgkQONu9yGCS
aT7Hmw//VuPPksf6knKTYI4iJzlwVUAovkkxUVfb2iuj9nEipRp+KocWeGCBBBEf
kirRIhQqhMRq8z21sfw6CSJvfAmWbWKOwrm47v4EcCCmklbFKW6CyV5lILXbavNr
myQCn6dia9UOSPSUKodscrFeqVELnrH2UUODE4KgDMsI6SN3uRiBVws+hvfJlkhA
4svLCn5gZ1VTUt+f2OVikNzDnLlcrF80WbeSwxxmTKwblyS5Spc2q3PQz4HVs27A
B+3VvzAKj/y4vCWntbMPfKCmmQ67Qkiwrh9J0VinXOnf3bPmL2rxGrmZqeDec2z1
fPonQL0Jhf6SGoIP4bbvpefnNA9xffSkvvF2kfk2QphdRoww2W2ELU6BYu/c9Tde
ulJjGCJruiUcU91GinMCU3aNPoXhCnyhdG3g9A+U2DOHD68+XcogSshDNPvVvY6C
Pz1P7Uak+FIxPEYhwUVBt5s5yvwgqWz3AVMMxF5beB5sMU78CUWY5Je+7ue/r2AA
Np4Zt3QuJw03vnNELPyK/tlyUJxDUbjjskPHJrPztNkHI9LEhrHBnwjBl7I8jVlU
H2pCToC9HcAXuCOkYV5QPbYl0xbTv0gqcDZ8ArjTaV/DefUBPrRxvA5gH+Zgfw0D
bGWTIDUfGgDPJ+05yp8bu19f150BQ7m00Ho1J6yxDD3Xhm61DDE=
=NUA4
-----END PGP SIGNATURE-----

Merge 4.9.181 into android-4.9

Changes in 4.9.181
ipv6: Consider sk_bound_dev_if when binding a raw socket to an address
llc: fix skb leak in llc_build_and_send_ui_pkt()
net: fec: fix the clk mismatch in failed_reset path
net-gro: fix use-after-free read in napi_gro_frags()
net: stmmac: fix reset gpio free missing
usbnet: fix kernel crash after disconnect
tipc: Avoid copying bytes beyond the supplied data
bnxt_en: Fix aggregation buffer leak under OOM condition.
ipv4/igmp: fix another memory leak in igmpv3_del_delrec()
ipv4/igmp: fix build error if !CONFIG_IP_MULTICAST
net: dsa: mv88e6xxx: fix handling of upper half of STATS_TYPE_PORT
net: mvneta: Fix err code path of probe
net: mvpp2: fix bad MVPP2_TXQ_SCHED_TOKEN_CNTR_REG queue value
crypto: vmx - ghash: do nosimd fallback manually
xen/pciback: Don't disable PCI_COMMAND on PCI device reset.
Revert "tipc: fix modprobe tipc failed after switch order of device registration"
tipc: fix modprobe tipc failed after switch order of device registration
sparc64: Fix regression in non-hypervisor TLB flush xcall
include/linux/bitops.h: sanitize rotate primitives
xhci: update bounce buffer with correct sg num
xhci: Use %zu for printing size_t type
xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic()
usb: xhci: avoid null pointer deref when bos field is NULL
usbip: usbip_host: fix BUG: sleeping function called from invalid context
usbip: usbip_host: fix stub_dev lock context imbalance regression
USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor
USB: sisusbvga: fix oops in error path of sisusb_probe
USB: Add LPM quirk for Surface Dock GigE adapter
USB: rio500: refuse more than one device at a time
USB: rio500: fix memory leak in close after disconnect
media: usb: siano: Fix general protection fault in smsusb
media: usb: siano: Fix false-positive "uninitialized variable" warning
media: smsusb: better handle optional alignment
scsi: zfcp: fix missing zfcp_port reference put on -EBUSY from port_remove
scsi: zfcp: fix to prevent port_remove with pure auto scan LUNs (only sdevs)
Btrfs: fix race updating log root item during fsync
powerpc/perf: Fix MMCRA corruption by bhrb_filter
ALSA: hda/realtek - Set default power save node to 0
drm/nouveau/i2c: Disable i2c bus access after ->fini()
tty: serial: msm_serial: Fix XON/XOFF
tty: max310x: Fix external crystal register setup
memcg: make it work on sparse non-0-node systems
kernel/signal.c: trace_signal_deliver when signal_group_exit
docs: Fix conf.py for Sphinx 2.0
staging: vc04_services: prevent integer overflow in create_pagelist()
CIFS: cifs_read_allocate_pages: don't iterate through whole page array on ENOMEM
gcc-plugins: Fix build failures under Darwin host
drm/vmwgfx: Don't send drm sysfs hotplug events on initial master set
brcmfmac: add length checks in scheduled scan result handler
brcmfmac: assure SSID length from firmware is limited
brcmfmac: add subtype check for event handling in data path
binder: Replace "%p" with "%pK" for stable
binder: replace "%p" with "%pK"
fs: prevent page refcount overflow in pipe_buf_get
mm, gup: remove broken VM_BUG_ON_PAGE compound check for hugepages
mm, gup: ensure real head page is ref-counted when using hugepages
mm: prevent get_user_pages() from overflowing page refcount
mm: make page ref count overflow check tighter and more explicit
Revert "x86/build: Move _etext to actual end of .text"
efi/libstub: Unify command line param parsing
media: uvcvideo: Fix uvc_alloc_entity() allocation alignment
ethtool: fix potential userspace buffer overflow
neighbor: Call __ipv4_neigh_lookup_noref in neigh_xmit
net/mlx4_en: ethtool, Remove unsupported SFP EEPROM high pages query
net: rds: fix memory leak in rds_ib_flush_mr_pool
pktgen: do not sleep with the thread lock held.
ipv6: fix EFAULT on sendto with icmpv6 and hdrincl
ipv6: use READ_ONCE() for inet->hdrincl as in ipv4
Revert "fib_rules: fix error in backport of e9919a24d302 ("fib_rules: return 0...")"
Revert "fib_rules: return 0 directly if an exactly same rule exists when NLM_F_EXCL not supplied"
rcu: locking and unlocking need to always be at least barriers
parisc: Use implicit space register selection for loading the coherence index of I/O pdirs
fuse: fallocate: fix return with locked inode
x86/power: Fix 'nosmt' vs hibernation triple fault during resume
MIPS: pistachio: Build uImage.gz by default
Revert "MIPS: perf: ath79: Fix perfcount IRQ assignment"
genwqe: Prevent an integer overflow in the ioctl
drm/gma500/cdv: Check vbt config bits when detecting lvds panels
drm/radeon: prefer lower reference dividers
drm/i915: Fix I915_EXEC_RING_MASK
TTY: serial_core, add ->install
fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock
fuse: Add FOPEN_STREAM to use stream_open()
ipv4: Define __ipv4_neigh_lookup_noref when CONFIG_INET is disabled
ethtool: check the return value of get_regs_len
Linux 4.9.181

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

be7c1cb 2019-06-11 19:38:58 Greg Kroah-Hartman

This is the 4.19.50 stable release
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlz/gIkACgkQONu9yGCS
aT5OhA/9Fkm+5JmZGIS+zA8QCOHGRwX4ttO67yKxZUmHWp5kOEmPAEWFcf4zLeSB
T7cpYfeW0YG7lOb53CLCVfXxOI+gVzOrhNC/Hk9Xerph6izew/oon3f6v125nrSE
INZiYsFL0S5uCbA+wh0P6KVyq05SP01l1Et2q9mlIOp58mGhQadWF58eqw6V6rwn
64NJyV1fwXXpnsiuCoy5E0Og9aSctlr+LCFCXaXnQU7WJXfXKBmUHNWRdfZnH+n7
29OnC4oAyZ7aFRvP7iUS8hFxXvnVsHw1HDdRr1Ton0uFuiVGUkQ3oRjoVjPyTBwO
M9Y+tViuCXEtH6KwiMMRKHHsIOZa2VguX8PO9cdr1Kl7kCMrkxGqk9YPOT/bDzrZ
N69Lr7aZk3vxJtXPAhsoryKN0a0t5glOZD0CYTIoDsQHBMg0RfjKg8k4I2It7UMY
blT8j4gNX17Ij240dbvJkD444mPBipk3wPXMrNkFvFAqT064cCQza7cbuXx5dpue
NkgamI5tCyzTUap0jiQ4FP00RN7Vbfh3rZSXLqaeOo0oA8x228+NjkDrrM2pGsGI
UFrXaphrwKSpvieuk2g2s/kzyJuOBWOk5mXf8jy8zR+NaLamdeI071PhqCmSVsm0
4AuDaJGLiBnqX90N09EJ819F6vSUe3MULfZLC9rjISzh7aOI9Pk=
=IPNo
-----END PGP SIGNATURE-----

Merge 4.19.50 into android-4.19

Changes in 4.19.50
ethtool: fix potential userspace buffer overflow
Fix memory leak in sctp_process_init
ipv4: not do cache for local delivery if bc_forwarding is enabled
ipv6: fix the check before getting the cookie in rt6_get_cookie
neighbor: Call __ipv4_neigh_lookup_noref in neigh_xmit
net: ethernet: ti: cpsw_ethtool: fix ethtool ring param set
net/mlx4_en: ethtool, Remove unsupported SFP EEPROM high pages query
net: mvpp2: Use strscpy to handle stat strings
net: rds: fix memory leak in rds_ib_flush_mr_pool
net: sfp: read eeprom in maximum 16 byte increments
net/tls: replace the sleeping lock around RX resync with a bit lock
packet: unconditionally free po->rollover
pktgen: do not sleep with the thread lock held.
Revert "fib_rules: return 0 directly if an exactly same rule exists when NLM_F_EXCL not supplied"
ipv6: use READ_ONCE() for inet->hdrincl as in ipv4
ipv6: fix EFAULT on sendto with icmpv6 and hdrincl
mtd: spinand: macronix: Fix ECC Status Read
rcu: locking and unlocking need to always be at least barriers
parisc: Use implicit space register selection for loading the coherence index of I/O pdirs
NFSv4.1: Again fix a race where CB_NOTIFY_LOCK fails to wake a waiter
NFSv4.1: Fix bug only first CB_NOTIFY_LOCK is handled
fuse: fallocate: fix return with locked inode
pstore: Remove needless lock during console writes
pstore: Convert buf_lock to semaphore
pstore: Set tfm to NULL on free_buf_for_compression
pstore/ram: Run without kernel crash dump region
x86/power: Fix 'nosmt' vs hibernation triple fault during resume
x86/insn-eval: Fix use-after-free access to LDT entry
i2c: xiic: Add max_read_len quirk
s390/mm: fix address space detection in exception handling
xen-blkfront: switch kcalloc to kvcalloc for large array allocation
MIPS: Bounds check virt_addr_valid
MIPS: pistachio: Build uImage.gz by default
Revert "MIPS: perf: ath79: Fix perfcount IRQ assignment"
genwqe: Prevent an integer overflow in the ioctl
test_firmware: Use correct snprintf() limit
drm/gma500/cdv: Check vbt config bits when detecting lvds panels
drm/msm: fix fb references in async update
drm: add non-desktop quirk for Valve HMDs
drm/nouveau: add kconfig option to turn off nouveau legacy contexts. (v3)
drm: add non-desktop quirks to Sensics and OSVR headsets.
drm/amdgpu/psp: move psp version specific function pointers to early_init
drm/radeon: prefer lower reference dividers
drm/amdgpu: remove ATPX_DGPU_REQ_POWER_FOR_DISPLAYS check when hotplug-in
drm/i915: Fix I915_EXEC_RING_MASK
drm/i915/fbc: disable framebuffer compression on GeminiLake
drm/i915: Maintain consistent documentation subsection ordering
drm: don't block fb changes for async plane updates
drm/i915/gvt: Initialize intel_gvt_gtt_entry in stack
TTY: serial_core, add ->install
ipv4: Define __ipv4_neigh_lookup_noref when CONFIG_INET is disabled
ethtool: check the return value of get_regs_len
Linux 4.19.50

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

3ffb240 2019-06-11 19:22:50 Greg Kroah-Hartman

Linux 4.9.181

b9d3bd8 2019-06-11 19:22:49 Yunsheng Lin

ethtool: check the return value of get_regs_len

commit f9fc54d313fab2834f44f516459cdc8ac91d797f upstream.

The return type for get_regs_len in struct ethtool_ops is int,
the hns3 driver may return error when failing to get the regs
len by sending cmd to firmware.

Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

8474fc0 2019-06-11 19:22:49 David Ahern

ipv4: Define __ipv4_neigh_lookup_noref when CONFIG_INET is disabled

commit 9b3040a6aafd7898ece7fc7efcbca71e42aa8069 upstream.

Define __ipv4_neigh_lookup_noref to return NULL when CONFIG_INET is disabled.

Fixes: 4b2a2bfeb3f0 ("neighbor: Call __ipv4_neigh_lookup_noref in neigh_xmit")
Reported-by: kbuild test robot <lkp@intel.com>
Signed-off-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

cfd8d2e 2019-06-11 19:22:49 Kirill Smelkov

fuse: Add FOPEN_STREAM to use stream_open()

commit bbd84f33652f852ce5992d65db4d020aba21f882 upstream.

Starting from commit 9c225f2655e3 ("vfs: atomic f_pos accesses as per
POSIX") files opened even via nonseekable_open gate read and write via lock
and do not allow them to be run simultaneously. This can create read vs
write deadlock if a filesystem is trying to implement a socket-like file
which is intended to be simultaneously used for both read and write from
filesystem client. See commit 10dce8af3422 ("fs: stream_open - opener for
stream-like files so that read and write can run simultaneously without
deadlock") for details and e.g. commit 581d21a2d02a ("xenbus: fix deadlock
on writes to /proc/xen/xenbus") for a similar deadlock example on
/proc/xen/xenbus.

To avoid such deadlock it was tempting to adjust fuse_finish_open to use
stream_open instead of nonseekable_open on just FOPEN_NONSEEKABLE flags,
but grepping through Debian codesearch shows users of FOPEN_NONSEEKABLE,
and in particular GVFS which actually uses offset in its read and write
handlers

https://codesearch.debian.net/search?q=-%3Enonseekable+%3D
https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1080
https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1247-1346
https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1399-1481

so if we would do such a change it will break a real user.

Add another flag (FOPEN_STREAM) for filesystem servers to indicate that the
opened handler is having stream-like semantics; does not use file position
and thus the kernel is free to issue simultaneous read and write request on
opened file handle.

This patch together with stream_open() should be added to stable kernels
starting from v3.14+. This will allow to patch OSSPD and other FUSE
filesystems that provide stream-like files to return FOPEN_STREAM |
FOPEN_NONSEEKABLE in open handler and this way avoid the deadlock on all
kernel versions. This should work because fuse_finish_open ignores unknown
open flags returned from a filesystem and so passing FOPEN_STREAM to a
kernel that is not aware of this flag cannot hurt. In turn the kernel that
is not aware of FOPEN_STREAM will be < v3.14 where just FOPEN_NONSEEKABLE
is sufficient to implement streams without read vs write deadlock.

Cc: stable@vger.kernel.org # v3.14+
Signed-off-by: Kirill Smelkov <kirr@nexedi.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>


9c829b6 2019-06-11 19:22:49 Kirill Smelkov

fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock

commit 10dce8af34226d90fa56746a934f8da5dcdba3df upstream.

Commit 9c225f2655e3 ("vfs: atomic f_pos accesses as per POSIX") added
locking for file.f_pos access and in particular made concurrent read and
write not possible - now both those functions take f_pos lock for the
whole run, and so if e.g. a read is blocked waiting for data, write will
deadlock waiting for that read to complete.

This caused regression for stream-like files where previously read and
write could run simultaneously, but after that patch could not do so
anymore. See e.g. commit 581d21a2d02a ("xenbus: fix deadlock on writes
to /proc/xen/xenbus") which fixes such regression for particular case of
/proc/xen/xenbus.

The patch that added f_pos lock in 2014 did so to guarantee POSIX thread
safety for read/write/lseek and added the locking to file descriptors of
all regular files. In 2014 that thread-safety problem was not new as it
was already discussed earlier in 2006.

However even though 2006'th version of Linus's patch was adding f_pos
locking "only for files that are marked seekable with FMODE_LSEEK (thus
avoiding the stream-like objects like pipes and sockets)", the 2014
version - the one that actually made it into the tree as 9c225f2655e3 -
is doing so irregardless of whether a file is seekable or not.

See

https://lore.kernel.org/lkml/53022DB1.4070805@gmail.com/
https://lwn.net/Articles/180387
https://lwn.net/Articles/180396

for historic context.

The reason that it did so is, probably, that there are many files that
are marked non-seekable, but e.g. their read implementation actually
depends on knowing current position to correctly handle the read. Some
examples:

kernel/power/user.c snapshot_read
fs/debugfs/file.c u32_array_read
fs/fuse/control.c fuse_conn_waiting_read + ...
drivers/hwmon/asus_atk0110.c atk_debugfs_ggrp_read
arch/s390/hypfs/inode.c hypfs_read_iter
...

Despite that, many nonseekable_open users implement read and write with
pure stream semantics - they don't depend on passed ppos at all. And for
those cases where read could wait for something inside, it creates a
situation similar to xenbus - the write could be never made to go until
read is done, and read is waiting for some, potentially external, event,
for potentially unbounded time -> deadlock.

Besides xenbus, there are 14 such places in the kernel that I've found
with semantic patch (see below):

drivers/xen/evtchn.c:667:8-24: ERROR: evtchn_fops: .read() can deadlock .write()
drivers/isdn/capi/capi.c:963:8-24: ERROR: capi_fops: .read() can deadlock .write()
drivers/input/evdev.c:527:1-17: ERROR: evdev_fops: .read() can deadlock .write()
drivers/char/pcmcia/cm4000_cs.c:1685:7-23: ERROR: cm4000_fops: .read() can deadlock .write()
net/rfkill/core.c:1146:8-24: ERROR: rfkill_fops: .read() can deadlock .write()
drivers/s390/char/fs3270.c:488:1-17: ERROR: fs3270_fops: .read() can deadlock .write()
drivers/usb/misc/ldusb.c:310:1-17: ERROR: ld_usb_fops: .read() can deadlock .write()
drivers/hid/uhid.c:635:1-17: ERROR: uhid_fops: .read() can deadlock .write()
net/batman-adv/icmp_socket.c:80:1-17: ERROR: batadv_fops: .read() can deadlock .write()
drivers/media/rc/lirc_dev.c:198:1-17: ERROR: lirc_fops: .read() can deadlock .write()
drivers/leds/uleds.c:77:1-17: ERROR: uleds_fops: .read() can deadlock .write()
drivers/input/misc/uinput.c:400:1-17: ERROR: uinput_fops: .read() can deadlock .write()
drivers/infiniband/core/user_mad.c:985:7-23: ERROR: umad_fops: .read() can deadlock .write()
drivers/gnss/core.c:45:1-17: ERROR: gnss_fops: .read() can deadlock .write()

In addition to the cases above another regression caused by f_pos
locking is that now FUSE filesystems that implement open with
FOPEN_NONSEEKABLE flag, can no longer implement bidirectional
stream-like files - for the same reason as above e.g. read can deadlock
write locking on file.f_pos in the kernel.

FUSE's FOPEN_NONSEEKABLE was added in 2008 in a7c1b990f715 ("fuse:
implement nonseekable open") to support OSSPD. OSSPD implements /dev/dsp
in userspace with FOPEN_NONSEEKABLE flag, with corresponding read and
write routines not depending on current position at all, and with both
read and write being potentially blocking operations:

See

https://github.com/libfuse/osspd
https://lwn.net/Articles/308445

https://github.com/libfuse/osspd/blob/14a9cff0/osspd.c#L1406
https://github.com/libfuse/osspd/blob/14a9cff0/osspd.c#L1438-L1477
https://github.com/libfuse/osspd/blob/14a9cff0/osspd.c#L1479-L1510

Corresponding libfuse example/test also describes FOPEN_NONSEEKABLE as
"somewhat pipe-like files ..." with read handler not using offset.
However that test implements only read without write and cannot exercise
the deadlock scenario:

https://github.com/libfuse/libfuse/blob/fuse-3.4.2-3-ga1bff7d/example/poll.c#L124-L131
https://github.com/libfuse/libfuse/blob/fuse-3.4.2-3-ga1bff7d/example/poll.c#L146-L163
https://github.com/libfuse/libfuse/blob/fuse-3.4.2-3-ga1bff7d/example/poll.c#L209-L216

I've actually hit the read vs write deadlock for real while implementing
my FUSE filesystem where there is /head/watch file, for which open
creates separate bidirectional socket-like stream in between filesystem
and its user with both read and write being later performed
simultaneously. And there it is semantically not easy to split the
stream into two separate read-only and write-only channels:

https://lab.nexedi.com/kirr/wendelin.core/blob/f13aa600/wcfs/wcfs.go#L88-169

Let's fix this regression. The plan is:

1. We can't change nonseekable_open to include &~FMODE_ATOMIC_POS -
doing so would break many in-kernel nonseekable_open users which
actually use ppos in read/write handlers.

2. Add stream_open() to kernel to open stream-like non-seekable file
descriptors. Read and write on such file descriptors would never use
nor change ppos. And with that property on stream-like files read and
write will be running without taking f_pos lock - i.e. read and write
could be running simultaneously.

3. With semantic patch search and convert to stream_open all in-kernel
nonseekable_open users for which read and write actually do not
depend on ppos and where there is no other methods in file_operations
which assume @offset access.

4. Add FOPEN_STREAM to fs/fuse/ and open in-kernel file-descriptors via
steam_open if that bit is present in filesystem open reply.

It was tempting to change fs/fuse/ open handler to use stream_open
instead of nonseekable_open on just FOPEN_NONSEEKABLE flags, but
grepping through Debian codesearch shows users of FOPEN_NONSEEKABLE,
and in particular GVFS which actually uses offset in its read and
write handlers

https://codesearch.debian.net/search?q=-%3Enonseekable+%3D
https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1080
https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1247-1346
https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1399-1481

so if we would do such a change it will break a real user.

5. Add stream_open and FOPEN_STREAM handling to stable kernels starting
from v3.14+ (the kernel where 9c225f2655 first appeared).

This will allow to patch OSSPD and other FUSE filesystems that
provide stream-like files to return FOPEN_STREAM | FOPEN_NONSEEKABLE
in their open handler and this way avoid the deadlock on all kernel
versions. This should work because fs/fuse/ ignores unknown open
flags returned from a filesystem and so passing FOPEN_STREAM to a
kernel that is not aware of this flag cannot hurt. In turn the kernel
that is not aware of FOPEN_STREAM will be < v3.14 where just
FOPEN_NONSEEKABLE is sufficient to implement streams without read vs
write deadlock.

This patch adds stream_open, converts /proc/xen/xenbus to it and adds
semantic patch to automatically locate in-kernel places that are either
required to be converted due to read vs write deadlock, or that are just
safe to be converted because read and write do not use ppos and there
are no other funky methods in file_operations.

Regarding semantic patch I've verified each generated change manually -
that it is correct to convert - and each other nonseekable_open instance
left - that it is either not correct to convert there, or that it is not
converted due to current stream_open.cocci limitations.

The script also does not convert files that should be valid to convert,
but that currently have .llseek = noop_llseek or generic_file_llseek for
unknown reason despite file being opened with nonseekable_open (e.g.
drivers/input/mousedev.c)

Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Yongzhi Pan <panyongzhi@gmail.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: David Vrabel <david.vrabel@citrix.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Miklos Szeredi <miklos@szeredi.hu>
Cc: Tejun Heo <tj@kernel.org>
Cc: Kirill Tkhai <ktkhai@virtuozzo.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Julia Lawall <Julia.Lawall@lip6.fr>
Cc: Nikolaus Rath <Nikolaus@rath.org>
Cc: Han-Wen Nienhuys <hanwen@google.com>
Signed-off-by: Kirill Smelkov <kirr@nexedi.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>


abad73a 2019-06-11 19:22:49 Jiri Slaby

TTY: serial_core, add ->install

commit 4cdd17ba1dff20ffc99fdbd2e6f0201fc7fe67df upstream.

We need to compute the uart state only on the first open. This is
usually what is done in the ->install hook. serial_core used to do this
in ->open on every open. So move it to ->install.

As a side effect, it ensures the state is set properly in the window
after tty_init_dev is called, but before uart_open. This fixes a bunch
of races between tty_open and flush_to_ldisc we were dealing with
recently.

One of such bugs was attempted to fix in commit fedb5760648a (serial:
fix race between flush_to_ldisc and tty_open), but it only took care of
a couple of functions (uart_start and uart_unthrottle). I was able to
reproduce the crash on a SLE system, but in uart_write_room which is
also called from flush_to_ldisc via process_echoes. I was *unable* to
reproduce the bug locally. It is due to having this patch in my queue
since 2012!

general protection fault: 0000 [#1] SMP KASAN PTI
CPU: 1 PID: 5 Comm: kworker/u4:0 Tainted: G L 4.12.14-396-default #1 SLE15-SP1 (unreleased)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c89-prebuilt.qemu.org 04/01/2014
Workqueue: events_unbound flush_to_ldisc
task: ffff8800427d8040 task.stack: ffff8800427f0000
RIP: 0010:uart_write_room+0xc4/0x590
RSP: 0018:ffff8800427f7088 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 000000000000002f RSI: 00000000000000ee RDI: ffff88003888bd90
RBP: ffffffffb9545850 R08: 0000000000000001 R09: 0000000000000400
R10: ffff8800427d825c R11: 000000000000006e R12: 1ffff100084fee12
R13: ffffc900004c5000 R14: ffff88003888bb28 R15: 0000000000000178
FS: 0000000000000000(0000) GS:ffff880043300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000561da0794148 CR3: 000000000ebf4000 CR4: 00000000000006e0
Call Trace:
tty_write_room+0x6d/0xc0
__process_echoes+0x55/0x870
n_tty_receive_buf_common+0x105e/0x26d0
tty_ldisc_receive_buf+0xb7/0x1c0
tty_port_default_receive_buf+0x107/0x180
flush_to_ldisc+0x35d/0x5c0
...

0 in rbx means tty->driver_data is NULL in uart_write_room. 0x178 is
tried to be dereferenced (0x178 >> 3 is 0x2f in rdx) at
uart_write_room+0xc4. 0x178 is exactly (struct uart_state *)NULL->refcount
used in uart_port_lock from uart_write_room.

So revert the upstream commit here as my local patch should fix the
whole family.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Li RongQing <lirongqing@baidu.com>
Cc: Wang Li <wangli39@baidu.com>
Cc: Zhang Yu <zhangyu31@baidu.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

8ad6a53 2019-06-11 19:22:49 Chris Wilson

drm/i915: Fix I915_EXEC_RING_MASK

commit d90c06d57027203f73021bb7ddb30b800d65c636 upstream.

This was supposed to be a mask of all known rings, but it is being used
by execbuffer to filter out invalid rings, and so is instead mapping high
unused values onto valid rings. Instead of a mask of all known rings,
we need it to be the mask of all possible rings.

Fixes: 549f7365820a ("drm/i915: Enable SandyBridge blitter ring")
Fixes: de1add360522 ("drm/i915: Decouple execbuf uAPI from internal implementation")
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Cc: <stable@vger.kernel.org> # v4.6+
Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190301140404.26690-21-chris@chris-wilson.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Show on old repository browser