Merge android-4.14.165 (748d7271) into msm-4.14

and instrumentation of some inherently non-deterministic parts of kernel is

disabled (e.g. scheduler, locking).

Usage

-----

kcov is also able to collect comparison operands from the instrumented code

(this feature currently requires that the kernel is compiled with clang).

Prerequisites

-------------

Configure the kernel with::

        CONFIG_KCOV=y

CONFIG_KCOV requires gcc built on revision 231296 or later.

If the comparison operands need to be collected, set::

	CONFIG_KCOV_ENABLE_COMPARISONS=y

Profiling data will only become accessible once debugfs has been mounted::

        mount -t debugfs none /sys/kernel/debug

The following program demonstrates kcov usage from within a test program:

Coverage collection

-------------------

The following program demonstrates coverage collection from within a test

program using kcov:

.. code-block:: c

    #define KCOV_DISABLE			_IO('c', 101)

    #define COVER_SIZE			(64<<10)

    #define KCOV_TRACE_PC  0

    #define KCOV_TRACE_CMP 1

    int main(int argc, char **argv)

    {

	int fd;

	if ((void*)cover == MAP_FAILED)

		perror("mmap"), exit(1);

	/* Enable coverage collection on the current thread. */

	if (ioctl(fd, KCOV_ENABLE, 0))

	if (ioctl(fd, KCOV_ENABLE, KCOV_TRACE_PC))

		perror("ioctl"), exit(1);

	/* Reset coverage from the tail of the ioctl() call. */

	__atomic_store_n(&cover[0], 0, __ATOMIC_RELAXED);

That is, a parent process opens /sys/kernel/debug/kcov, enables trace mode,

mmaps coverage buffer and then forks child processes in a loop. Child processes

only need to enable coverage (disable happens automatically on thread end).

Comparison operands collection

------------------------------

Comparison operands collection is similar to coverage collection:

.. code-block:: c

    /* Same includes and defines as above. */

    /* Number of 64-bit words per record. */

    #define KCOV_WORDS_PER_CMP 4

    /*

     * The format for the types of collected comparisons.

     *

     * Bit 0 shows whether one of the arguments is a compile-time constant.

     * Bits 1 & 2 contain log2 of the argument size, up to 8 bytes.

     */

    #define KCOV_CMP_CONST          (1 << 0)

    #define KCOV_CMP_SIZE(n)        ((n) << 1)

    #define KCOV_CMP_MASK           KCOV_CMP_SIZE(3)

    int main(int argc, char **argv)

    {

	int fd;

	uint64_t *cover, type, arg1, arg2, is_const, size;

	unsigned long n, i;

	fd = open("/sys/kernel/debug/kcov", O_RDWR);

	if (fd == -1)

		perror("open"), exit(1);

	if (ioctl(fd, KCOV_INIT_TRACE, COVER_SIZE))

		perror("ioctl"), exit(1);

	/*

	* Note that the buffer pointer is of type uint64_t*, because all

	* the comparison operands are promoted to uint64_t.

	*/

	cover = (uint64_t *)mmap(NULL, COVER_SIZE * sizeof(unsigned long),

				     PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);

	if ((void*)cover == MAP_FAILED)

		perror("mmap"), exit(1);

	/* Note KCOV_TRACE_CMP instead of KCOV_TRACE_PC. */

	if (ioctl(fd, KCOV_ENABLE, KCOV_TRACE_CMP))

		perror("ioctl"), exit(1);

	__atomic_store_n(&cover[0], 0, __ATOMIC_RELAXED);

	read(-1, NULL, 0);

	/* Read number of comparisons collected. */

	n = __atomic_load_n(&cover[0], __ATOMIC_RELAXED);

	for (i = 0; i < n; i++) {

		type = cover[i * KCOV_WORDS_PER_CMP + 1];

		/* arg1 and arg2 - operands of the comparison. */

		arg1 = cover[i * KCOV_WORDS_PER_CMP + 2];

		arg2 = cover[i * KCOV_WORDS_PER_CMP + 3];

		/* ip - caller address. */

		ip = cover[i * KCOV_WORDS_PER_CMP + 4];

		/* size of the operands. */

		size = 1 << ((type & KCOV_CMP_MASK) >> 1);

		/* is_const - true if either operand is a compile-time constant.*/

		is_const = type & KCOV_CMP_CONST;

		printf("ip: 0x%lx type: 0x%lx, arg1: 0x%lx, arg2: 0x%lx, "

			"size: %lu, %s\n",

			ip, type, arg1, arg2, size,

		is_const ? "const" : "non-const");

	}

	if (ioctl(fd, KCOV_DISABLE, 0))

		perror("ioctl"), exit(1);

	/* Free resources. */

	if (munmap(cover, COVER_SIZE * sizeof(unsigned long)))

		perror("munmap"), exit(1);

	if (close(fd))

		perror("close"), exit(1);

	return 0;

    }

Note that the kcov modes (coverage collection or comparison operands) are

mutually exclusive.

Remote coverage collection

--------------------------

With KCOV_ENABLE coverage is collected only for syscalls that are issued

from the current process. With KCOV_REMOTE_ENABLE it's possible to collect

coverage for arbitrary parts of the kernel code, provided that those parts

are annotated with kcov_remote_start()/kcov_remote_stop().

This allows to collect coverage from two types of kernel background

threads: the global ones, that are spawned during kernel boot in a limited

number of instances (e.g. one USB hub_event() worker thread is spawned per

USB HCD); and the local ones, that are spawned when a user interacts with

some kernel interface (e.g. vhost workers).

To enable collecting coverage from a global background thread, a unique

global handle must be assigned and passed to the corresponding

kcov_remote_start() call. Then a userspace process can pass a list of such

handles to the KCOV_REMOTE_ENABLE ioctl in the handles array field of the

kcov_remote_arg struct. This will attach the used kcov device to the code

sections, that are referenced by those handles.

Since there might be many local background threads spawned from different

userspace processes, we can't use a single global handle per annotation.

Instead, the userspace process passes a non-zero handle through the

common_handle field of the kcov_remote_arg struct. This common handle gets

saved to the kcov_handle field in the current task_struct and needs to be

passed to the newly spawned threads via custom annotations. Those threads

should in turn be annotated with kcov_remote_start()/kcov_remote_stop().

Internally kcov stores handles as u64 integers. The top byte of a handle

is used to denote the id of a subsystem that this handle belongs to, and

the lower 4 bytes are used to denote the id of a thread instance within

that subsystem. A reserved value 0 is used as a subsystem id for common

handles as they don't belong to a particular subsystem. The bytes 4-7 are

currently reserved and must be zero. In the future the number of bytes

used for the subsystem or handle ids might be increased.

When a particular userspace proccess collects coverage by via a common

handle, kcov will collect coverage for each code section that is annotated

to use the common handle obtained as kcov_handle from the current

task_struct. However non common handles allow to collect coverage

selectively from different subsystems.

.. code-block:: c

    struct kcov_remote_arg {

	__u32		trace_mode;

	__u32		area_size;

	__u32		num_handles;

	__aligned_u64	common_handle;

	__aligned_u64	handles[0];

    };

    #define KCOV_INIT_TRACE			_IOR('c', 1, unsigned long)

    #define KCOV_DISABLE			_IO('c', 101)

    #define KCOV_REMOTE_ENABLE		_IOW('c', 102, struct kcov_remote_arg)

    #define COVER_SIZE	(64 << 10)

    #define KCOV_TRACE_PC	0

    #define KCOV_SUBSYSTEM_COMMON	(0x00ull << 56)

    #define KCOV_SUBSYSTEM_USB	(0x01ull << 56)

    #define KCOV_SUBSYSTEM_MASK	(0xffull << 56)

    #define KCOV_INSTANCE_MASK	(0xffffffffull)

    static inline __u64 kcov_remote_handle(__u64 subsys, __u64 inst)

    {

	if (subsys & ~KCOV_SUBSYSTEM_MASK || inst & ~KCOV_INSTANCE_MASK)

		return 0;

	return subsys | inst;

    }

    #define KCOV_COMMON_ID	0x42

    #define KCOV_USB_BUS_NUM	1

    int main(int argc, char **argv)

    {

	int fd;

	unsigned long *cover, n, i;

	struct kcov_remote_arg *arg;

	fd = open("/sys/kernel/debug/kcov", O_RDWR);

	if (fd == -1)

		perror("open"), exit(1);

	if (ioctl(fd, KCOV_INIT_TRACE, COVER_SIZE))

		perror("ioctl"), exit(1);

	cover = (unsigned long*)mmap(NULL, COVER_SIZE * sizeof(unsigned long),

				     PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);

	if ((void*)cover == MAP_FAILED)

		perror("mmap"), exit(1);

	/* Enable coverage collection via common handle and from USB bus #1. */

	arg = calloc(1, sizeof(*arg) + sizeof(uint64_t));

	if (!arg)

		perror("calloc"), exit(1);

	arg->trace_mode = KCOV_TRACE_PC;

	arg->area_size = COVER_SIZE;

	arg->num_handles = 1;

	arg->common_handle = kcov_remote_handle(KCOV_SUBSYSTEM_COMMON,

							KCOV_COMMON_ID);

	arg->handles[0] = kcov_remote_handle(KCOV_SUBSYSTEM_USB,

						KCOV_USB_BUS_NUM);

	if (ioctl(fd, KCOV_REMOTE_ENABLE, arg))

		perror("ioctl"), free(arg), exit(1);

	free(arg);

	/*

	 * Here the user needs to trigger execution of a kernel code section

	 * that is either annotated with the common handle, or to trigger some

	 * activity on USB bus #1.

	 */

	sleep(2);

	n = __atomic_load_n(&cover[0], __ATOMIC_RELAXED);

	for (i = 0; i < n; i++)

		printf("0x%lx\n", cover[i + 1]);

	if (ioctl(fd, KCOV_DISABLE, 0))

		perror("ioctl"), exit(1);

	if (munmap(cover, COVER_SIZE * sizeof(unsigned long)))

		perror("munmap"), exit(1);

	if (close(fd))

		perror("close"), exit(1);

	return 0;

    }

the master keys may be wrapped in userspace, e.g. as is done by the

`fscrypt <https://github.com/google/fscrypt>`_ tool.

Including the inode number in the IVs was considered.  However, it was

rejected as it would have prevented ext4 filesystems from being

resized, and by itself still wouldn't have been sufficient to prevent

the same key from being directly reused for both XTS and CTS-CBC.

DIRECT_KEY and per-mode keys

----------------------------

DIRECT_KEY policies

-------------------

The Adiantum encryption mode (see `Encryption modes and usage`_) is

suitable for both contents and filenames encryption, and it accepts

  key derived using the KDF.  Users may use the same master key for

  other v2 encryption policies.

IV_INO_LBLK_64 policies

-----------------------

When FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64 is set in the fscrypt policy,

the encryption keys are derived from the master key, encryption mode

number, and filesystem UUID.  This normally results in all files

protected by the same master key sharing a single contents encryption

key and a single filenames encryption key.  To still encrypt different

files' data differently, inode numbers are included in the IVs.

Consequently, shrinking the filesystem may not be allowed.

This format is optimized for use with inline encryption hardware

compliant with the UFS or eMMC standards, which support only 64 IV

bits per I/O request and may have only a small number of keyslots.

Key identifiers

---------------

AES-128-CBC was added only for low-powered embedded devices with

crypto accelerators such as CAAM or CESA that do not support XTS.  To

use AES-128-CBC, CONFIG_CRYPTO_SHA256 (or another SHA-256

implementation) must be enabled so that ESSIV can be used.

use AES-128-CBC, CONFIG_CRYPTO_ESSIV and CONFIG_CRYPTO_SHA256 (or

another SHA-256 implementation) must be enabled so that ESSIV can be

used.

Adiantum is a (primarily) stream cipher-based mode that is fast even

on CPUs without dedicated crypto instructions.  It's also a true

  is encrypted with AES-256 where the AES-256 key is the SHA-256 hash

  of the file's data encryption key.

- In the "direct key" configuration (FSCRYPT_POLICY_FLAG_DIRECT_KEY

  set in the fscrypt_policy), the file's nonce is also appended to the

  IV.  Currently this is only allowed with the Adiantum encryption

  mode.

- With `DIRECT_KEY policies`_, the file's nonce is appended to the IV.

  Currently this is only allowed with the Adiantum encryption mode.

- With `IV_INO_LBLK_64 policies`_, the logical block number is limited

  to 32 bits and is placed in bits 0-31 of the IV.  The inode number

  (which is also limited to 32 bits) is placed in bits 32-63.

Note that because file logical block numbers are included in the IVs,

filesystems must enforce that blocks are never shifted around within

encrypted files, e.g. via "collapse range" or "insert range".

Filenames encryption

--------------------

filenames of up to 255 bytes, the same IV is used for every filename

in a directory.

However, each encrypted directory still uses a unique key; or

alternatively (for the "direct key" configuration) has the file's

nonce included in the IVs.  Thus, IV reuse is limited to within a

single directory.

However, each encrypted directory still uses a unique key, or

alternatively has the file's nonce (for `DIRECT_KEY policies`_) or

inode number (for `IV_INO_LBLK_64 policies`_) included in the IVs.

Thus, IV reuse is limited to within a single directory.

With CTS-CBC, the IV reuse means that when the plaintext filenames

share a common prefix at least as long as the cipher block size (16

  (1) for ``contents_encryption_mode`` and FSCRYPT_MODE_AES_256_CTS

  (4) for ``filenames_encryption_mode``.

- ``flags`` must contain a value from ``<linux/fscrypt.h>`` which

  identifies the amount of NUL-padding to use when encrypting

  filenames.  If unsure, use FSCRYPT_POLICY_FLAGS_PAD_32 (0x3).

  Additionally, if the encryption modes are both

  FSCRYPT_MODE_ADIANTUM, this can contain

  FSCRYPT_POLICY_FLAG_DIRECT_KEY; see `DIRECT_KEY and per-mode keys`_.

- ``flags`` contains optional flags from ``<linux/fscrypt.h>``:

  - FSCRYPT_POLICY_FLAGS_PAD_*: The amount of NUL padding to use when

    encrypting filenames.  If unsure, use FSCRYPT_POLICY_FLAGS_PAD_32

    (0x3).

  - FSCRYPT_POLICY_FLAG_DIRECT_KEY: See `DIRECT_KEY policies`_.

  - FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64: See `IV_INO_LBLK_64

    policies`_.  This is mutually exclusive with DIRECT_KEY and is not

    supported on v1 policies.

- For v2 encryption policies, ``__reserved`` must be zeroed.

context structs also contain a nonce.  The nonce is randomly generated

by the kernel and is used as KDF input or as a tweak to cause

different files to be encrypted differently; see `Per-file keys`_ and

`DIRECT_KEY and per-mode keys`_.

`DIRECT_KEY policies`_.

Data path changes

-----------------

The verity flag is not settable via FS_IOC_SETFLAGS.  You must use

FS_IOC_ENABLE_VERITY instead, since parameters must be provided.

statx

-----

Since Linux v5.5, the statx() system call sets STATX_ATTR_VERITY if

the file has fs-verity enabled.  This can perform better than

FS_IOC_GETFLAGS and FS_IOC_MEASURE_VERITY because it doesn't require

opening the file, and opening verity files can be expensive.

Accessing verity files

======================

ext4

----

ext4 supports fs-verity since Linux TODO and e2fsprogs v1.45.2.

ext4 supports fs-verity since Linux v5.4 and e2fsprogs v1.45.2.

To create verity files on an ext4 filesystem, the filesystem must have

been formatted with ``-O verity`` or had ``tune2fs -O verity`` run on

f2fs

----

f2fs supports fs-verity since Linux TODO and f2fs-tools v1.11.0.

f2fs supports fs-verity since Linux v5.4 and f2fs-tools v1.11.0.

To create verity files on an f2fs filesystem, the filesystem must have

been formatted with ``-O verity``.

# SPDX-License-Identifier: GPL-2.0

VERSION = 4

PATCHLEVEL = 14

SUBLEVEL = 164

SUBLEVEL = 165

EXTRAVERSION =

NAME = Petit Gorille

CFLAGS_GCOV	:= -fprofile-arcs -ftest-coverage \

	$(call cc-option,-fno-tree-loop-im) \

	$(call cc-disable-warning,maybe-uninitialized,)

CFLAGS_KCOV	:= $(call cc-option,-fsanitize-coverage=trace-pc,)

export CFLAGS_GCOV CFLAGS_KCOV

export CFLAGS_GCOV

# Make toolchain changes before including arch/$(SRCARCH)/Makefile to ensure

# ar/cc/ld-* macros return correct values.

	KBUILD_AFLAGS += -DCC_HAVE_ASM_GOTO

endif

include scripts/Makefile.kcov

include scripts/Makefile.gcc-plugins

ifdef CONFIG_READABLE_ASM

CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y

CONFIG_NETFILTER_XT_MATCH_QUOTA=y

CONFIG_NETFILTER_XT_MATCH_QUOTA2=y

CONFIG_NETFILTER_XT_MATCH_QUOTA2_LOG=y

CONFIG_NETFILTER_XT_MATCH_SOCKET=y

CONFIG_NETFILTER_XT_MATCH_STATE=y

CONFIG_NETFILTER_XT_MATCH_STATISTIC=y

CONFIG_HID_SAMSUNG=y

CONFIG_HID_SONY=y

CONFIG_HID_SPEEDLINK=y

CONFIG_HID_STEAM=y

CONFIG_HID_SUNPLUS=y

CONFIG_HID_GREENASIA=y

CONFIG_GREENASIA_FF=y