[ Upstream commit 13eb2ab2d3 ]
When trying to delete a table >= 256 using iproute2 the local table
will be deleted.
The table id is specified as a netlink attribute when it needs more then
8 bits and iproute2 then sets the table field to RT_TABLE_UNSPEC (0).
Preconditions to matching the table id in the rule delete code
doesn't seem to take the "table id in netlink attribute" into condition
so the frh_get_table helper function never gets to do its job when
matching against current rule.
Use the helper function twice instead of peaking at the table value directly.
Originally reported at: http://bugs.debian.org/724783
Reported-by: Nicolas HICHER <nhicher@avencall.com>
Signed-off-by: Andreas Henriksson <andreas@fatal.se>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
When using mark-based routing, sockets returned from accept()
may need to be marked differently depending on the incoming
connection request.
This is the case, for example, if different socket marks identify
different networks: a listening socket may want to accept
connections from all networks, but each connection should be
marked with the network that the request came in on, so that
subsequent packets are sent on the correct network.
This patch adds a sysctl to mark TCP sockets based on the fwmark
of the incoming SYN packet. If enabled, and an unmarked socket
receives a SYN, then the SYN packet's fwmark is written to the
connection's inet_request_sock, and later written back to the
accepted socket when the connection is established. If the
socket already has a nonzero mark, then the behaviour is the same
as it is today, i.e., the listening socket's fwmark is used.
Black-box tested using user-mode linux:
- IPv4/IPv6 SYN+ACK, FIN, etc. packets are routed based on the
mark of the incoming SYN packet.
- The socket returned by accept() is marked with the mark of the
incoming SYN packet.
- Tested with syncookies=1 and syncookies=2.
Change-Id: I26bc1eceefd2c588d73b921865ab70e4645ade57
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Currently, routing lookups used for Path PMTU Discovery in
absence of a socket or on unmarked sockets use a mark of 0.
This causes PMTUD not to work when using routing based on
netfilter fwmark mangling and fwmark ip rules, such as:
iptables -j MARK --set-mark 17
ip rule add fwmark 17 lookup 100
This patch causes these route lookups to use the fwmark from the
received ICMP error when the fwmark_reflect sysctl is enabled.
This allows the administrator to make PMTUD work by configuring
appropriate fwmark rules to mark the inbound ICMP packets.
Black-box tested using user-mode linux by pointing different
fwmarks at routing tables egressing on different interfaces, and
using iptables mangling to mark packets inbound on each interface
with the interface's fwmark. ICMPv4 and ICMPv6 PMTU discovery
work as expected when mark reflection is enabled and fail when
it is disabled.
Change-Id: Id7fefb7ec1ff7f5142fba43db1960b050e0dfaec
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Kernel-originated IP packets that have no user socket associated
with them (e.g., ICMP errors and echo replies, TCP RSTs, etc.)
are emitted with a mark of zero. Add a sysctl to make them have
the same mark as the packet they are replying to.
This allows an administrator that wishes to do so to use
mark-based routing, firewalling, etc. for these replies by
marking the original packets inbound.
Tested using user-mode linux:
- ICMP/ICMPv6 echo replies and errors.
- TCP RST packets (IPv4 and IPv6).
Change-Id: I6873d973196797bcf32e2e91976df647c7e8b85a
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Currently, IPv6 router discovery always puts routes into
RT6_TABLE_MAIN. This causes problems for connection managers
that want to support multiple simultaneous network connections
and want control over which one is used by default (e.g., wifi
and wired).
To work around this connection managers typically take the routes
they prefer and copy them to static routes with low metrics in
the main table. This puts the burden on the connection manager
to watch netlink to see if the routes have changed, delete the
routes when their lifetime expires, etc.
Instead, this patch adds a per-interface sysctl to have the
kernel put autoconf routes into different tables. This allows
each interface to have its own autoconf table, and choosing the
default interface (or using different interfaces at the same
time for different types of traffic) can be done using
appropriate ip rules.
The sysctl behaves as follows:
- = 0: default. Put routes into RT6_TABLE_MAIN as before.
- > 0: manual. Put routes into the specified table.
- < 0: automatic. Add the absolute value of the sysctl to the
device's ifindex, and use that table.
The automatic mode is most useful in conjunction with
net.ipv6.conf.default.accept_ra_rt_table. A connection manager
or distribution could set it to, say, -100 on boot, and
thereafter just use IP rules.
Change-Id: I82d16e3737d9cdfa6489e649e247894d0d60cbb1
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Change-Id: I5a61e0f9f22f193c51b1aafd270fb0642a2e0fab
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
commit 4291086b1f upstream.
The tty atomic_write_lock does not provide an exclusion guarantee for
the tty driver if the termios settings are LECHO & !OPOST. And since
it is unexpected and not allowed to call TTY buffer helpers like
tty_insert_flip_string concurrently, this may lead to crashes when
concurrect writers call pty_write. In that case the following two
writers:
* the ECHOing from a workqueue and
* pty_write from the process
race and can overflow the corresponding TTY buffer like follows.
If we look into tty_insert_flip_string_fixed_flag, there is:
int space = __tty_buffer_request_room(port, goal, flags);
struct tty_buffer *tb = port->buf.tail;
...
memcpy(char_buf_ptr(tb, tb->used), chars, space);
...
tb->used += space;
so the race of the two can result in something like this:
A B
__tty_buffer_request_room
__tty_buffer_request_room
memcpy(buf(tb->used), ...)
tb->used += space;
memcpy(buf(tb->used), ...) ->BOOM
B's memcpy is past the tty_buffer due to the previous A's tb->used
increment.
Since the N_TTY line discipline input processing can output
concurrently with a tty write, obtain the N_TTY ldisc output_lock to
serialize echo output with normal tty writes. This ensures the tty
buffer helper tty_insert_flip_string is not called concurrently and
everything is fine.
Note that this is nicely reproducible by an ordinary user using
forkpty and some setup around that (raw termios + ECHO). And it is
present in kernels at least after commit
d945cb9cce (pty: Rework the pty layer to
use the normal buffering logic) in 2.6.31-rc3.
js: add more info to the commit log
js: switch to bool
js: lock unconditionally
js: lock only the tty->ops->write call
References: CVE-2014-0196
Reported-and-tested-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cherry-picked from
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git
branch: stable/linux-3.10.y
commit: abb5100737
Change-Id: I81e79fe209f5c7b25cac35189a44286e5a9ddac0
Signed-off-by: JP Abgrall <jpa@google.com>
keyreset now registers a keycombo driver that acts as the old
keyreset driver acted.
Change-Id: I08f5279e3a33b267571b699697f9f54508868983
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Keycombo lets you provide a key up and key down function, and an
optional time delay for key down. The driver will call the key
down function after the specified key combo has been held for the
speicified time delay. After you release the combo, if the key down
has happened, it calls key up.
Change-Id: I6a9a94e96a8f58fadd908fd1dc7944b9102a089f
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Dumps registers and stacktrace into console-ramoops when called
from a watchdog fiq.
Change-Id: Ib6fab5a52f670db18e64214d5e4890e8292a749c
Signed-off-by: Arve Hjønnevåg <arve@android.com>
This allows the output from the register and stack trace code to be
sent elsewhere.
Change-Id: I41bb0d5a25e1b9ca55feef5dbd675818b2f832d5
Signed-off-by: Arve Hjønnevåg <arve@android.com>
We cannot presently tell from an avc: denied message whether access was in
fact denied or was allowed due to global or per-domain permissive mode.
Add a permissive= field to the avc message to reflect this information.
Change-Id: I78176f8184e01226ece12f0eb38760cdcdc1ff87
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Integrate several new definitions (not code) that
add additional hid mappings from the HID HUT 1.12
and approved additional requests.
Additions are taken from the commits in the
linux-input upstream: f362e69, 2a4d815, 3b5a7ab,
358f247, 701ba53, d09bbfd, af8036d, 5820e4d, a443255
Change-Id: Id0e1cff5828062009b4f94c987ac91f88f14652e
Signed-off-by: Mathieu Meisser <mmeisser@logitech.com>
Signed-off-by: Olivier Gay <ogay@logitech.com>
Plug a group_info refcount leak in ping_init.
group_info is only needed during initialization and
the code failed to release the reference on exit.
While here move grabbing the reference to a place
where it is actually needed.
Signed-off-by: Chuansheng Liu <chuansheng.liu@intel.com>
Signed-off-by: Zhang Dongxing <dongxing.zhang@intel.com>
Signed-off-by: xiaoming wang <xiaoming.wang@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
commit 118b230225 upstream.
dynamic_dname() is both too much and too little for those - the
output may be well in excess of 64 bytes dynamic_dname() assumes
to be enough (thanks to ashmem feeding really long names to
shmem_file_setup()) and vsnprintf() is an overkill for those
guys.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: Colin Cross <ccross@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I70970c6125f377048664eb5bde08f3fae29aa348
Not calling rb_erase() can cause slab corruption, as the rb_first() call
after kfree() in adf_obj_destroy() can return the same node twice unless
it is erased.
This problem was reproduced by unloading a kernel module that used the
adf framework *after* a vsync event was registered. A crash would occur
in rb_first(). (Just loading and immediately unloading the module without
the vsync event worked correctly.)
Change-Id: I9fa7cb5d7519691e38a281439844aa193da13d1b
Signed-off-by: Alistair Strachan <alistair.strachan@imgtec.com>
Cc: Jonathan Hamilton <jonathan.hamilton@imgtec.com>
Cc: Greg Hackmann <ghackmann@google.com>
Message notifications contains an additional timestamp field in nano seconds.
The expiry time for the timers are modified during suspend/resume.
If timer was supposed to expire while the system is suspended then a
notification is sent when it resumes with the timestamp of the scheduled expiry.
Removes the race condition for multiple work scheduled.
Bug: 13247811
Change-Id: I752c5b00225fe7085482819f975cc0eb5af89bff
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
Second argument is similar to PR_SET_TIMERSLACK, if non-zero then the
slack is set to that value otherwise sets it to the default for the thread.
Takes PID of the thread as the third argument.
This allows power/performance management software to set timer slack for
other threads according to its policy for the thread (such as when the
thread is designated foreground vs. background activity)
Change-Id: I744d451ff4e60dae69f38f53948ff36c51c14a3f
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
strlcat takes the size of the buffer, not the number of characters
to concatenate. If the size of the device tree command line p is
larger than the CONFIG_CMDLINE string data, then strcat(data, p, l)
will hit a BUG_ON because strlen(data) > l.
Replace the second strlcat with a strncpy plus a manual null
termination.
Also rearrange the code to reduce indent depth to make it more
readable, and replace data with a char *cmdline to avoid extra
casts.
Signed-off-by: Colin Cross <ccross@android.com>
Add fiq_debugger_arm64.c that implements the platform-specific
functions.
Change-Id: I4d8b96777bb8503a93d4eb47bbde8e018740a5bf
Signed-off-by: Colin Cross <ccross@android.com>
Split arm support into a separate .c file that is only built for
CONFIG_ARM.
Change-Id: Iba16f4d51608bf9c3e5c8acefefcd38fead9797c
Signed-off-by: Colin Cross <ccross@android.com>
IRQ mode already passes in a struct pt_regs from get_irq_regs().
FIQ mode passes in something similar but not identical to a
struct pt_regs - FIQ mode stores the spsr of the interrupted mode
in slot 17, while pt_regs expects orig_r0.
Replace the existing mixture of void *regs, unsigned *regs, and
struct pt_regs * const with const struct pt_regs *. Modify
dump_regs not to print the spsr since it won't be there in a
struct pt_regs anyways. Modify dump_allregs to highlight the
mode that was interrupted, making spsr easy to find there.
Change-Id: Ibfe1723d702306c7605fd071737d7be9ee9d8c12
Signed-off-by: Colin Cross <ccross@android.com>
Allow compiling fiq_debugger.c without CONFIG_FIQ_GLUE for
platforms that don't support FIQs.
Change-Id: Iabdfd790d24fa9d47b29d2f850c567af2dcad78f
Signed-off-by: Colin Cross <ccross@android.com>
Rename variables and functions in the global namespace to avoid
future collisions.
Change-Id: Ic23a304b0f794efc94cc6d086fddd63231d99c98
Signed-off-by: Colin Cross <ccross@android.com>
Move fiq_debugger into drivers/staging/android/fiq_debugger/ to
allow for sharing between ARM and ARM64.
Change-Id: I6ca5e8b7e3d000f57da3234260261c5592cef2a8
Signed-off-by: Colin Cross <ccross@android.com>
The cpufreq_interactive_timer gets cancelled and rescheduled
whenever the cpufreq_policy is changed. When the cpufreq policy is
changed at a rate faster than the sampling_rate of the interactive
governor, then the governor misses to change the target frequency
for long duration. The patch removes the need of cancelling the
timers when policy->min is changed.
Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
Change-Id: Ibd98d151e1c73b8bd969484583ff98ee9f1135ef
Quirks specify common behaviors that vary slightly among devices, and
which ADF must account for.
The buffer padding quirk captures the way different devices fetch the
last scanline in a buffer: some devices fetch an entire line (including
padding to the pitch) while others only fetch up to the visible width.
ADF's buffer size validation now takes this quirk into account.
Change-Id: I828b13316e27621d8a9efd9d5fffa6ce12a525ff
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Copy the config choice for CONFIG_CMDLINE_EXTEND from
arch/arm/Kconfig, including CONFIG_CMDLINE_FROM_BOOTLOADER
as the default. These will be used by drivers/of/fdt.c.
Change-Id: I8416038498ddf8fc1e99ab06109825eb1492aa7f
Signed-off-by: Colin Cross <ccross@android.com>
The old logic assumes CMDLINE_FROM_BOOTLOADER vs. CMDLINE_FORCE and
ignores CMDLINE_EXTEND. Here's the old logic:
- CONFIG_CMDLINE_FORCE=true
CONFIG_CMDLINE
- dt bootargs=non-empty:
dt bootargs
- dt bootargs=empty, @data is non-empty string
@data is left unchanged
- dt bootargs=empty, @data is empty string
CONFIG_CMDLINE (or "" if that's not defined)
The new logic is now documented in of_fdt.h and is copied here for
reference:
- CONFIG_CMDLINE_FORCE=true
CONFIG_CMDLINE
- CONFIG_CMDLINE_EXTEND=true, @data is non-empty string
@data + dt bootargs (even if dt bootargs are empty)
- CONFIG_CMDLINE_EXTEND=true, @data is empty string
CONFIG_CMDLINE + dt bootargs (even if dt bootargs are empty)
- CMDLINE_FROM_BOOTLOADER=true, dt bootargs=non-empty:
dt bootargs
- CMDLINE_FROM_BOOTLOADER=true, dt bootargs=empty, @data is non-empty string
@data is left unchanged
- CMDLINE_FROM_BOOTLOADER=true, dt bootargs=empty, @data is empty string
CONFIG_CMDLINE (or "" if that's not defined)
Signed-off-by: Doug Anderson <dianders@chromium.org>
CC: devicetree-discuss@lists.ozlabs.org
CC: Grant Likely <grant.likely@secretlab.ca>
CC: Benjamin Herrenschmidt <benh@kernel.crashing.org>
CC: Rob Herring <rob.herring@calxeda.com>
Change-Id: I40ace250847f813358125dfcaa8998fd32cf7ea3
Signed-off-by: Colin Cross <ccross@android.com>
64-bit types in structs create alignment problems when a 32-bit x86
userspace talks to an x86_64 kernel. In most cases the 64-bit types can
be replaced with 32-bit ones, since they're being used for fds and
should have been __s32 in the first place. For adf_vsync_event,
alignment can be enforced by making the timestamp an __aligned_u64.
Change-Id: I87cf73d8f57730bd7bb43ffce6b7b411eb0ff198
Signed-off-by: Greg Hackmann <ghackmann@google.com>
A device's fb_info is shared between clients. fb_release() is called
when each client is released, not just the last one. Since the fbdev
helper needs to release its dma-buf when the last client goes away, it
must keep its own reference count.
fbmem and fbcon hold different locks while calling fb_release(), so
explicit locking is needed.
Change-Id: I42cd659f7633adba7c11f407d4b594bd43305d6a
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Allows a defconfig to set a list of dtbs to concatenate with an
Image.gz to create a Image.gz-dtb.
Change-Id: I0dc3935e57f01b517aa64eda0c27b0101e9ea3b2
Signed-off-by: Alex Ray <aray@google.com>
There are no in-tree users of adf_attachment_allow, but out-of-tree
modules want to use it. It looks like this function should be
EXPORT_SYMBOL.
Change-Id: Iad522dc5d32ac09fec6483bbc317db8ecae12e97
Signed-off-by: Alistair Strachan <alistair.strachan@imgtec.com>
On x86, irq_count conflicts with a declaration in
arch/x86/include/asm/processor.h
Change-Id: I3e4fde0ff64ef59ff5ed2adc0ea3a644641ee0b7
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Ensure the array for the wakeup reason IRQs does not overflow.
Change-Id: Iddc57a3aeb1888f39d4e7b004164611803a4d37c
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
(cherry picked from commit b5ea40cdfcf38296535f931a7e5e7bf47b6fad7f)
Make sure the value we are going to return is referenced in order to
avoid warnings from newer GCCs such as:
arch/arm64/include/asm/cmpxchg.h:162:3: warning: value computed is not used [-Wunused-value]
((__typeof__(*(ptr)))__cmpxchg_mb((ptr), \
^
net/netfilter/nf_conntrack_core.c:674:2: note: in expansion of macro ‘cmpxchg’
cmpxchg(&nf_conntrack_hash_rnd, 0, rand);
[Modified to use the current underlying implementation as current
mainline for both cmpxchg() and cmpxchg_local() does -- broonie]
Signed-off-by: Mark Hambleton <mahamble@broadcom.com>
Signed-off-by: Mark Brown <broonie@linaro.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Make sure offsets don't point to overlapping flat_binder_object
structs.
Change-Id: I425ab0c46fbe2b00ed679c5becf9e8140395eb40
Signed-off-by: Arve Hjønnevåg <arve@android.com>
