Merge branch 'android-4.4-p' of https://android.googlesource.com/kernel/common into lineage-18.1-caf-msm8998

# By Pavel Skripkin (6) and others
# Via Greg Kroah-Hartman
* android-4.4-p:
  Linux 4.4.278
  sis900: Fix missing pci_disable_device() in probe and remove
  tulip: windbond-840: Fix missing pci_disable_device() in probe and remove
  net: llc: fix skb_over_panic
  mlx4: Fix missing error code in mlx4_load_one()
  tipc: fix sleeping in tipc accept routine
  netfilter: nft_nat: allow to specify layer 4 protocol NAT only
  cfg80211: Fix possible memory leak in function cfg80211_bss_update
  x86/asm: Ensure asm/proto.h can be included stand-alone
  NIU: fix incorrect error return, missed in previous revert
  can: esd_usb2: fix memory leak
  can: ems_usb: fix memory leak
  can: usb_8dev: fix memory leak
  ocfs2: issue zeroout to EOF blocks
  ocfs2: fix zero out valid data
  ARM: ensure the signal page contains defined contents
  lib/string.c: add multibyte memset functions
  ARM: dts: versatile: Fix up interrupt controller node names
  hfs: add lock nesting notation to hfs_find_init
  hfs: fix high memory mapping in hfs_bnode_read
  hfs: add missing clean-up in hfs_fill_super
  sctp: move 198 addresses from unusable to private scope
  net/802/garp: fix memleak in garp_request_join()
  net/802/mrp: fix memleak in mrp_request_join()
  workqueue: fix UAF in pwq_unbound_release_workfn()
  af_unix: fix garbage collect vs MSG_PEEK
  net: split out functions related to registering inflight socket files
  Linux 4.4.277
  btrfs: compression: don't try to compress if we don't have enough pages
  iio: accel: bma180: Fix BMA25x bandwidth register values
  iio: accel: bma180: Use explicit member assignment
  net: bcmgenet: ensure EXT_ENERGY_DET_MASK is clear
  media: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf()
  tracing: Fix bug in rb_per_cpu_empty() that might cause deadloop.
  USB: serial: cp210x: add ID for CEL EM3588 USB ZigBee stick
  USB: serial: cp210x: fix comments for GE CS1000
  USB: serial: option: add support for u-blox LARA-R6 family
  usb: renesas_usbhs: Fix superfluous irqs happen after usb_pkt_pop()
  usb: max-3421: Prevent corruption of freed memory
  USB: usb-storage: Add LaCie Rugged USB3-FW to IGNORE_UAS
  usb: hub: Disable USB 3 device initiated lpm if exit latency is too high
  KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow
  xhci: Fix lost USB 2 remote wake
  ALSA: sb: Fix potential ABBA deadlock in CSP driver
  s390/ftrace: fix ftrace_update_ftrace_func implementation
  proc: Avoid mixing integer types in mem_rw()
  Revert "USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem"
  scsi: target: Fix protect handling in WRITE SAME(32)
  scsi: iscsi: Fix iface sysfs attr detection
  netrom: Decrease sock refcount when sock timers expire
  net: decnet: Fix sleeping inside in af_decnet
  net: fix uninit-value in caif_seqpkt_sendmsg
  s390/bpf: Perform r1 range checking before accessing jit->seen_reg[r1]
  perf probe-file: Delete namelist in del_events() on the error path
  perf test bpf: Free obj_buf
  igb: Check if num of q_vectors is smaller than max before array access
  iavf: Fix an error handling path in 'iavf_probe()'
  ipv6: tcp: drop silly ICMPv6 packet too big messages
  tcp: annotate data races around tp->mtu_info
  net: validate lwtstate->data before returning from skb_tunnel_info()
  net: ti: fix UAF in tlan_remove_one
  net: moxa: fix UAF in moxart_mac_probe
  net: bcmgenet: Ensure all TX/RX queues DMAs are disabled
  net: ipv6: fix return value of ip6_skb_dst_mtu
  x86/fpu: Make init_fpstate correct with optimized XSAVE
  Revert "memory: fsl_ifc: fix leak of IO mapping on probe failure"
  sched/fair: Fix CFS bandwidth hrtimer expiry type
  scsi: aic7xxx: Fix unintentional sign extension issue on left shift of u8
  kbuild: mkcompile_h: consider timestamp if KBUILD_BUILD_TIMESTAMP is set
  thermal/core: Correct function name thermal_zone_device_unregister()
  ARM: imx: pm-imx5: Fix references to imx5_cpu_suspend_info
  ARM: dts: imx6: phyFLEX: Fix UART hardware flow control
  ARM: dts: BCM63xx: Fix NAND nodes names
  ARM: brcmstb: dts: fix NAND nodes names

Change-Id: Id59b93b8704270f45923f262facbadde4c486a15

1 files changed, 161 insertions, 0 deletions

diff --git a/net/unix/scm.c b/net/unix/scm.c
new file mode 100644
index 000000000000..df8f636ab1d8
--- /dev/null
+++ b/net/unix/scm.c
@@ -0,0 +1,161 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/string.h>
+#include <linux/socket.h>
+#include <linux/net.h>
+#include <linux/fs.h>
+#include <net/af_unix.h>
+#include <net/scm.h>
+#include <linux/init.h>
+
+#include "scm.h"
+
+unsigned int unix_tot_inflight;
+EXPORT_SYMBOL(unix_tot_inflight);
+
+LIST_HEAD(gc_inflight_list);
+EXPORT_SYMBOL(gc_inflight_list);
+
+DEFINE_SPINLOCK(unix_gc_lock);
+EXPORT_SYMBOL(unix_gc_lock);
+
+struct sock *unix_get_socket(struct file *filp)
+{
+	struct sock *u_sock = NULL;
+	struct inode *inode = file_inode(filp);
+
+	/* Socket ? */
+	if (S_ISSOCK(inode->i_mode) && !(filp->f_mode & FMODE_PATH)) {
+		struct socket *sock = SOCKET_I(inode);
+		struct sock *s = sock->sk;
+
+		/* PF_UNIX ? */
+		if (s && sock->ops && sock->ops->family == PF_UNIX)
+			u_sock = s;
+	}
+	return u_sock;
+}
+EXPORT_SYMBOL(unix_get_socket);
+
+/* Keep the number of times in flight count for the file
+ * descriptor if it is for an AF_UNIX socket.
+ */
+void unix_inflight(struct user_struct *user, struct file *fp)
+{
+	struct sock *s = unix_get_socket(fp);
+
+	spin_lock(&unix_gc_lock);
+
+	if (s) {
+		struct unix_sock *u = unix_sk(s);
+
+		if (atomic_long_inc_return(&u->inflight) == 1) {
+			BUG_ON(!list_empty(&u->link));
+			list_add_tail(&u->link, &gc_inflight_list);
+		} else {
+			BUG_ON(list_empty(&u->link));
+		}
+		unix_tot_inflight++;
+	}
+	user->unix_inflight++;
+	spin_unlock(&unix_gc_lock);
+}
+
+void unix_notinflight(struct user_struct *user, struct file *fp)
+{
+	struct sock *s = unix_get_socket(fp);
+
+	spin_lock(&unix_gc_lock);
+
+	if (s) {
+		struct unix_sock *u = unix_sk(s);
+
+		BUG_ON(!atomic_long_read(&u->inflight));
+		BUG_ON(list_empty(&u->link));
+
+		if (atomic_long_dec_and_test(&u->inflight))
+			list_del_init(&u->link);
+		unix_tot_inflight--;
+	}
+	user->unix_inflight--;
+	spin_unlock(&unix_gc_lock);
+}
+
+/*
+ * The "user->unix_inflight" variable is protected by the garbage
+ * collection lock, and we just read it locklessly here. If you go
+ * over the limit, there might be a tiny race in actually noticing
+ * it across threads. Tough.
+ */
+static inline bool too_many_unix_fds(struct task_struct *p)
+{
+	struct user_struct *user = current_user();
+
+	if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE)))
+		return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);
+	return false;
+}
+
+#define MAX_RECURSION_LEVEL 4
+
+int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
+{
+	int i;
+	unsigned char max_level = 0;
+
+	if (too_many_unix_fds(current))
+		return -ETOOMANYREFS;
+
+	for (i = scm->fp->count - 1; i >= 0; i--) {
+		struct sock *sk = unix_get_socket(scm->fp->fp[i]);
+
+		if (sk)
+			max_level = max(max_level,
+					unix_sk(sk)->recursion_level);
+	}
+	if (unlikely(max_level > MAX_RECURSION_LEVEL))
+		return -ETOOMANYREFS;
+
+	/*
+	 * Need to duplicate file references for the sake of garbage
+	 * collection.  Otherwise a socket in the fps might become a
+	 * candidate for GC while the skb is not yet queued.
+	 */
+	UNIXCB(skb).fp = scm_fp_dup(scm->fp);
+	if (!UNIXCB(skb).fp)
+		return -ENOMEM;
+
+	for (i = scm->fp->count - 1; i >= 0; i--)
+		unix_inflight(scm->fp->user, scm->fp->fp[i]);
+	return max_level;
+}
+EXPORT_SYMBOL(unix_attach_fds);
+
+void unix_detach_fds(struct scm_cookie *scm, struct sk_buff *skb)
+{
+	int i;
+
+	scm->fp = UNIXCB(skb).fp;
+	UNIXCB(skb).fp = NULL;
+
+	for (i = scm->fp->count-1; i >= 0; i--)
+		unix_notinflight(scm->fp->user, scm->fp->fp[i]);
+}
+EXPORT_SYMBOL(unix_detach_fds);
+
+void unix_destruct_scm(struct sk_buff *skb)
+{
+	struct scm_cookie scm;
+
+	memset(&scm, 0, sizeof(scm));
+	scm.pid  = UNIXCB(skb).pid;
+	if (UNIXCB(skb).fp)
+		unix_detach_fds(&scm, skb);
+
+	/* Alas, it calls VFS */
+	/* So fscking what? fput() had been SMP-safe since the last Summer */
+	scm_destroy(&scm);
+	sock_wfree(skb);
+}
+EXPORT_SYMBOL(unix_destruct_scm);