FIX: Allwinner H3 kernel: local privileges escalation to root (sun8i)

brandy/u-boot-2011.09/Makefile

@@ -460,15 +460,15 @@ $(obj)u-boot-$(TARGET).bin:	$(obj)u-boot.bin
 		@cp $(obj)u-boot.bin         $(obj)u-boot-$(CONFIG_TARGET_NAME).bin
 		@if [ -z "$(findstring _nor, $(CONFIG_TARGET_NAME))" ]; then \
 			if [ -z "$(findstring $(OTA_TEST_NAME), $(SUNXI_MODE))" ]; then \
-				cp -v $(obj)u-boot-$(CONFIG_TARGET_NAME).bin  $(TOPDIR)/../../tools/pack/chips/$(CONFIG_TARGET_NAME)/bin/u-boot-$(CONFIG_TARGET_NAME).bin; \
+				cp -v $(obj)u-boot-$(CONFIG_TARGET_NAME).bin  $(TOPDIR)/../../chips/$(CONFIG_TARGET_NAME)/bin/u-boot-$(CONFIG_TARGET_NAME).bin; \
 			else \
-				cp -v $(obj)u-boot-$(CONFIG_TARGET_NAME).bin  $(TOPDIR)/../../tools/pack/chips/$(CONFIG_TARGET_NAME)/bin/u-boot-$(CONFIG_TARGET_NAME)-$(SUNXI_MODE).bin; \
+				cp -v $(obj)u-boot-$(CONFIG_TARGET_NAME).bin  $(TOPDIR)/../../chips/$(CONFIG_TARGET_NAME)/bin/u-boot-$(CONFIG_TARGET_NAME)-$(SUNXI_MODE).bin; \
 			fi \
 		else	\
 			if [ -z "$(findstring $(OTA_TEST_NAME), $(SUNXI_MODE))" ]; then \
-				cp -v $(obj)u-boot-$(CONFIG_TARGET_NAME).bin  $(TOPDIR)/../../tools/pack/chips/$(CONFIG_PLATFORM_NAME)/bin/u-boot-spinor-$(CONFIG_PLATFORM_NAME).bin; \
+				cp -v $(obj)u-boot-$(CONFIG_TARGET_NAME).bin  $(TOPDIR)/../../chips/$(CONFIG_PLATFORM_NAME)/bin/u-boot-spinor-$(CONFIG_PLATFORM_NAME).bin; \
 			else \
-				cp -v $(obj)u-boot-$(CONFIG_TARGET_NAME).bin  $(TOPDIR)/../../tools/pack/chips/$(CONFIG_PLATFORM_NAME)/bin/u-boot-spinor-$(CONFIG_PLATFORM_NAME)-$(SUNXI_MODE).bin; \
+				cp -v $(obj)u-boot-$(CONFIG_TARGET_NAME).bin  $(TOPDIR)/../../chips/$(CONFIG_PLATFORM_NAME)/bin/u-boot-spinor-$(CONFIG_PLATFORM_NAME)-$(SUNXI_MODE).bin; \
 			fi \
 		fi
 
@@ -495,41 +495,41 @@ spl_lib: $(TIMESTAMP_FILE) $(VERSION_FILE) depend
 fes:    spl_lib depend
 		$(MAKE) -C sunxi_spl/fes_init all
 		@$(TOPDIR)/tools/gen_check_sum sunxi_spl/fes_init/fes1.bin fes1_$(CONFIG_TARGET_NAME).bin > /dev/null
-		@cp -v fes1_$(CONFIG_TARGET_NAME).bin $(TOPDIR)/../../tools/pack/chips/$(CONFIG_TARGET_NAME)/bin/fes1_$(CONFIG_TARGET_NAME).bin
+		@cp -v fes1_$(CONFIG_TARGET_NAME).bin $(TOPDIR)/../../chips/$(CONFIG_TARGET_NAME)/bin/fes1_$(CONFIG_TARGET_NAME).bin
 
 boot0:  spl_lib depend
 		$(MAKE) -C sunxi_spl/boot0 all
 ifdef CONFIG_STORAGE_MEDIA_NAND
 		@$(TOPDIR)/tools/gen_check_sum sunxi_spl/boot0/boot0_nand.bin boot0_nand_$(TARGET).bin > /dev/null
 		@if [ -z "$(findstring $(OTA_TEST_NAME), $(SUNXI_MODE))" ]; then \
-			cp -v boot0_nand_$(CONFIG_TARGET_NAME).bin $(TOPDIR)/../../tools/pack/chips/$(CONFIG_TARGET_NAME)/bin/boot0_nand_$(CONFIG_TARGET_NAME).bin; \
+			cp -v boot0_nand_$(CONFIG_TARGET_NAME).bin $(TOPDIR)/../../chips/$(CONFIG_TARGET_NAME)/bin/boot0_nand_$(CONFIG_TARGET_NAME).bin; \
 		else \
-			cp -v boot0_nand_$(CONFIG_TARGET_NAME).bin $(TOPDIR)/../../tools/pack/chips/$(CONFIG_TARGET_NAME)/bin/boot0_nand_$(CONFIG_TARGET_NAME)-$(SUNXI_MODE).bin; \
+			cp -v boot0_nand_$(CONFIG_TARGET_NAME).bin $(TOPDIR)/../../chips/$(CONFIG_TARGET_NAME)/bin/boot0_nand_$(CONFIG_TARGET_NAME)-$(SUNXI_MODE).bin; \
 		fi
 endif
 ifdef CONFIG_STORAGE_MEDIA_MMC
 		@$(TOPDIR)/tools/gen_check_sum sunxi_spl/boot0/boot0_sdcard.bin boot0_sdcard_$(TARGET).bin > /dev/null
 		@if [ -z "$(findstring $(OTA_TEST_NAME), $(SUNXI_MODE))" ]; then \
-			cp -v boot0_sdcard_$(CONFIG_TARGET_NAME).bin $(TOPDIR)/../../tools/pack/chips/$(CONFIG_TARGET_NAME)/bin/boot0_sdcard_$(CONFIG_TARGET_NAME).bin; \
+			cp -v boot0_sdcard_$(CONFIG_TARGET_NAME).bin $(TOPDIR)/../../chips/$(CONFIG_TARGET_NAME)/bin/boot0_sdcard_$(CONFIG_TARGET_NAME).bin; \
 		else \
-			cp -v boot0_sdcard_$(CONFIG_TARGET_NAME).bin $(TOPDIR)/../../tools/pack/chips/$(CONFIG_TARGET_NAME)/bin/boot0_sdcard_$(CONFIG_TARGET_NAME)-$(SUNXI_MODE).bin; \
+			cp -v boot0_sdcard_$(CONFIG_TARGET_NAME).bin $(TOPDIR)/../../chips/$(CONFIG_TARGET_NAME)/bin/boot0_sdcard_$(CONFIG_TARGET_NAME)-$(SUNXI_MODE).bin; \
 		fi
 endif
 ifdef CONFIG_STORAGE_MEDIA_SPINOR
 		@$(TOPDIR)/tools/gen_check_sum sunxi_spl/boot0/boot0_spinor.bin boot0_spinor_$(TARGET).bin > /dev/null
 		@if [ -z "$(findstring $(OTA_TEST_NAME), $(SUNXI_MODE))" ]; then \
-			cp -v boot0_spinor_$(CONFIG_TARGET_NAME).bin $(TOPDIR)/../../tools/pack/chips/$(CONFIG_TARGET_NAME)/bin/boot0_spinor_$(CONFIG_TARGET_NAME).bin; \
+			cp -v boot0_spinor_$(CONFIG_TARGET_NAME).bin $(TOPDIR)/../../chips/$(CONFIG_TARGET_NAME)/bin/boot0_spinor_$(CONFIG_TARGET_NAME).bin; \
 		else \
-			cp -v boot0_spinor_$(CONFIG_TARGET_NAME).bin $(TOPDIR)/../../tools/pack/chips/$(CONFIG_TARGET_NAME)/bin/boot0_spinor_$(CONFIG_TARGET_NAME)-$(SUNXI_MODE).bin; \
+			cp -v boot0_spinor_$(CONFIG_TARGET_NAME).bin $(TOPDIR)/../../chips/$(CONFIG_TARGET_NAME)/bin/boot0_spinor_$(CONFIG_TARGET_NAME)-$(SUNXI_MODE).bin; \
 		fi
 endif
 sboot:  spl_lib depend
 		$(MAKE) -C sunxi_spl/sbrom all
 		@$(TOPDIR)/tools/gen_check_sum sunxi_spl/sbrom/sboot.bin sboot_$(CONFIG_TARGET_NAME).bin > /dev/null
 		@if [ -z "$(findstring $(OTA_TEST_NAME), $(SUNXI_MODE))" ]; then \
-			cp -v sboot_$(CONFIG_TARGET_NAME).bin $(TOPDIR)/../../tools/pack/chips/$(CONFIG_TARGET_NAME)/bin/sboot_$(CONFIG_TARGET_NAME).bin; \
+			cp -v sboot_$(CONFIG_TARGET_NAME).bin $(TOPDIR)/../../chips/$(CONFIG_TARGET_NAME)/bin/sboot_$(CONFIG_TARGET_NAME).bin; \
 		else \
-			cp -v sboot_$(CONFIG_TARGET_NAME).bin $(TOPDIR)/../../tools/pack/chips/$(CONFIG_TARGET_NAME)/bin/sboot_$(CONFIG_TARGET_NAME)-$(SUNXI_MODE).bin; \
+			cp -v sboot_$(CONFIG_TARGET_NAME).bin $(TOPDIR)/../../chips/$(CONFIG_TARGET_NAME)/bin/sboot_$(CONFIG_TARGET_NAME)-$(SUNXI_MODE).bin; \
 		fi
 
 ifeq ($(CONFIG_SUNXI_SECURE_SYSTEM),y)

linux-3.4/arch/arm/mach-sunxi/Makefile

@@ -49,7 +49,7 @@ obj-y += sunxi-headsmp.o sunxi-platsmp.o
 obj-$(CONFIG_HOTPLUG_CPU) += sunxi-hotplug.o
 endif
 
-obj-y += sys_config.o sunxi_dump_reg.o sunxi-chip.o sunxi_sram.o sunxi-debug.o
+obj-y += sys_config.o sunxi_dump_reg.o sunxi-chip.o sunxi_sram.o
 
 obj-$(CONFIG_SUNXI_TRUSTZONE) += firmware.o
 obj-$(CONFIG_SUNXI_TRUSTZONE) += sunxi-smc.o

linux-3.4/arch/arm/mach-sunxi/power/brom/Makefile

@@ -5,7 +5,7 @@ targets := resumes.elf
 
 #use "-Os" flags.
 #Don't use "-O2" flags.
-KBUILD_CFLAGS := -g -c -nostdlib -march=armv7-a -marm -fno-unwind-tables -fno-asynchronous-unwind-tables -mlittle-endian -O2 --min_array_alignment=4 --no_unaligned_access
+KBUILD_CFLAGS := -g -c -nostdlib -march=armv7-a -marm -fno-unwind-tables -fno-asynchronous-unwind-tables -mlittle-endian -O2 -mno-unaligned-access 
 
 #Include the cur dir.
 KBUILD_CPPFLAGS += -I.

linux-3.4/arch/arm/mach-sunxi/power/brom/resumes.h

@@ -62,15 +62,15 @@ typedef unsigned int          __u32;
 typedef struct _Resume_file_head
 {
 	__u32  jump_instruction;   // one intruction jumping to real code
-	__u8   magic[8];           // ="eGON.BT0" or "eGON.BT1",  not C-style string.
+	__u8   magic[8] __attribute__ ((aligned (4)));           // ="eGON.BT0" or "eGON.BT1",  not C-style string.
 	__u32  check_sum;          // generated by PC
 	__u32  length;             // generated by PC
 	__u32  pub_head_size;      // the size of resume_file_head_t
-	__u8   pub_head_vsn[4];    // the version of resume_file_head_t
-	__u8   file_head_vsn[4];   // the version of resume0_file_head_t or resume1_file_head_t
-	__u8   Resume_vsn[4];      // Resume version
-	__u8   eGON_vsn[4];        // eGON version
-	__u8   platform[8];        // platform information
+	__u8   pub_head_vsn[4] __attribute__ ((aligned (4)));    // the version of resume_file_head_t
+	__u8   file_head_vsn[4] __attribute__ ((aligned (4)));   // the version of resume0_file_head_t or resume1_file_head_t
+	__u8   Resume_vsn[4] __attribute__ ((aligned (4)));      // Resume version
+	__u8   eGON_vsn[4] __attribute__ ((aligned (4)));        // eGON version
+	__u8   platform[8] __attribute__ ((aligned (4))); 
 }resume_file_head_t;
 
 extern const resume_file_head_t  resume_head;

linux-3.4/drivers/gpu/ion/ion_cma_heap.c

@@ -48,7 +48,7 @@ struct ion_cma_buffer_info {
 struct page *dma_alloc_from_contiguous(struct device *dev,
 				int count, unsigned int align);
 void __dma_clear_buffer(struct page *page, size_t size);
-inline pgprot_t __get_dma_pgprot(struct dma_attrs *attrs, pgprot_t prot);
+pgprot_t __get_dma_pgprot(struct dma_attrs *attrs, pgprot_t prot);
 void *__dma_alloc_remap(struct page *page, size_t size, gfp_t gfp,
 				pgprot_t prot, const void *caller);
 void __dma_remap(struct page *page, size_t size, pgprot_t prot);

linux-3.4/drivers/staging/zsmalloc/Kconfig

@@ -1,5 +1,6 @@
 config ZSMALLOC
-	tristate "Memory allocator for compressed pages"
+ 	bool "Memory allocator for compressed pages"
+	depends on MMU
 	default n
 	help
 	  zsmalloc is a slab-based memory allocator designed to store