1. 16 Jul, 2009 4 commits
    • kernel: is_current_single_threaded: don't use ->mmap_sem · 967cc537
      Oleg Nesterov authored
      is_current_single_threaded() can safely miss a freshly forked CLONE_VM
      task, but in this case it must not miss its parent. That is why we take
      mm->mmap_sem for writing to make sure a thread/task with the same ->mm
      can't pass exit_mm() and disappear.
      
      However we can avoid ->mmap_sem and rely on rcu/barriers:
      
      	- if we do not see the exiting parent on thread/process list
      	  we see the result of list_del_rcu(), in this case we must
      	  also see the result of list_add_rcu() which does wmb().
      
      	- if we do see the parent but its ->mm == NULL, we need rmb()
      	  to make sure we can't miss the child.
      Signed-off-by: Oleg Nesterov <oleg@redhat.com>
      Acked-by: David Howells <dhowells@redhat.com>
      Signed-off-by: James Morris <jmorris@namei.org>
    • kernel: rename is_single_threaded(task) to current_is_single_threaded(void) · 5bb459bb
      Oleg Nesterov authored
      - is_single_threaded(task) is not safe unless task == current,
        we can't use task->signal or task->mm.
      
      - it doesn't make sense unless task == current, the task can
        fork right after the check.
      
      Rename it to current_is_single_threaded() and kill the argument.
      Signed-off-by: Oleg Nesterov <oleg@redhat.com>
      Acked-by: David Howells <dhowells@redhat.com>
      Signed-off-by: James Morris <jmorris@namei.org>
    • kernel: fix is_single_threaded · d2e3ee9b
      Oleg Nesterov authored
      - Fix the comment, is_single_threaded(p) actually means that nobody shares
        ->mm with p.
      
        I think this helper should be renamed, and it should not have arguments.
        With or without this patch it must not be used unless p == current,
        otherwise we can't safely use p->signal or p->mm.
      
      - "if (atomic_read(&p->signal->count) != 1)" is not right when we have a
        zombie group leader, use signal->live instead.
      
      - Add PF_KTHREAD check to skip kernel threads which may borrow p->mm,
        otherwise we can return the wrong "false".
      
      - Use for_each_process() instead of do_each_thread(), all threads must use
        the same ->mm.
      
      - Use down_write(mm->mmap_sem) + rcu_read_lock() instead of tasklist_lock
        to iterate over the process list. If there is another CLONE_VM process
        it can't pass exit_mm() which takes the same mm->mmap_sem. We can miss
        a freshly forked CLONE_VM task, but this doesn't matter because we must
        see its parent and return false.
      Signed-off-by: Oleg Nesterov <oleg@redhat.com>
      Cc: David Howells <dhowells@redhat.com>
      Cc: James Morris <jmorris@namei.org>
      Cc: Roland McGrath <roland@redhat.com>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: James Morris <jmorris@namei.org>
    • security: fix security_file_lock cmd argument · 713c0ecd
      Sten Spans authored
      Pass posix-translated lock operations to security_file_lock
      when invoked via sys_flock.
      Signed-off-by: Sten Spans <Sten_Spans@genua.de>
      Signed-off-by: James Morris <jmorris@namei.org>
  2. 13 Jul, 2009 2 commits
  3. 12 Jul, 2009 7 commits
    • personality handling: fix PER_CLEAR_ON_SETID for security reasons · b3a633c8
      Julien Tinnes authored
      We have found that the current PER_CLEAR_ON_SETID mask on Linux
      doesn't include either ADDR_COMPAT_LAYOUT or MMAP_PAGE_ZERO.
      
      The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE.
      
      We believe it is important to add MMAP_PAGE_ZERO, because by using
      this personality it is possible to have the first page mapped inside a
      process running as setuid root. This could be used in those scenarios:
      
      - Exploiting a NULL pointer dereference issue in a setuid root binary
      - Bypassing the mmap_min_addr restrictions of the Linux kernel: by
      running a setuid binary that would drop privileges before giving us
      control back (for instance by loading a user-supplied library), we
      could get the first page mapped in a process we control. By further
      using mremap and mprotect on this mapping, we can then completely
      bypass the mmap_min_addr restrictions.
      
      Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added
      since on 32-bit x86 it will in practice disable most of the address
      space layout randomization (only the stack will remain randomized).
      Signed-off-by: Julien Tinnes <jt@cr0.org>
      Signed-off-by: Tavis Ormandy <taviso@sdf.lonestar.org>
      Acked-by: Christoph Hellwig <hch@infradead.org>
      Acked-by: Kees Cook <kees.cook@canonical.com>
      Signed-off-by: James Morris <jmorris@namei.org>
    • SELinux: Convert avc_audit to use lsm_audit.h · 8113a8d8
      Thomas Liu authored
      Convert avc_audit in security/selinux/avc.c to use lsm_audit.h,
      for better maintainability and for less code duplication.
      
      - changed selinux to use common_audit_data instead of
        avc_audit_data
      - eliminated code in avc.c and used code from lsm_audit.h instead.
      
      I have tested to make sure that the avcs look the same before and
      after this patch.
      Signed-off-by: Thomas Liu <tliu@redhat.com>
      Acked-by: Eric Paris <eparis@redhat.com>
      Signed-off-by: James Morris <jmorris@namei.org>
    • Merge branch 'kmemleak' of git://linux-arm.org/linux-2.6 · 7638d532
      Linus Torvalds authored
      * 'kmemleak' of git://linux-arm.org/linux-2.6:
        kmemleak: Remove alloc_bootmem annotations introduced in the past
        kmemleak: Add callbacks to the bootmem allocator
        kmemleak: Allow partial freeing of memory blocks
        kmemleak: Trace the kmalloc_large* functions in slub
        kmemleak: Scan objects allocated during a scanning episode
        kmemleak: Do not acquire scan_mutex in kmemleak_open()
        kmemleak: Remove the reported leaks number limitation
        kmemleak: Add more cond_resched() calls in the scanning thread
        kmemleak: Renice the scanning thread to +10
    • AFS: Fix compilation warning · dd0d9a46
      Artem Bityutskiy authored
      Fix the following warning:
      
        fs/afs/dir.c: In function 'afs_d_revalidate':
        fs/afs/dir.c:567: warning: 'fid.vnode' may be used uninitialized in this function
        fs/afs/dir.c:567: warning: 'fid.unique' may be used uninitialized in this function
      
      by marking the 'fid' variable as an uninitialized_var.  The problem is
      that gcc doesn't always manage to work out that fid is always set on the
      path through the function that uses it.
      
      Cc: linux-afs@lists.infradead.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • headers: smp_lock.h redux · 405f5571
      Alexey Dobriyan authored
      * Remove smp_lock.h from files which don't need it (including some headers!)
      * Add smp_lock.h to files which do need it
      * Make smp_lock.h include conditional in hardirq.h
        It's needed only for one kernel_locked() usage which is under CONFIG_PREEMPT
      
        This will make hardirq.h inclusion cheaper for every PREEMPT=n config
        (which includes allmodconfig/allyesconfig, BTW)
      Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • personality: fix PER_CLEAR_ON_SETID · f9fabcb5
      Julien Tinnes authored
      We have found that the current PER_CLEAR_ON_SETID mask on Linux doesn't
      include either ADDR_COMPAT_LAYOUT or MMAP_PAGE_ZERO.
      
      The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE.
      
      We believe it is important to add MMAP_PAGE_ZERO, because by using this
      personality it is possible to have the first page mapped inside a
      process running as setuid root.  This could be used in those scenarios:
      
       - Exploiting a NULL pointer dereference issue in a setuid root binary
       - Bypassing the mmap_min_addr restrictions of the Linux kernel: by
         running a setuid binary that would drop privileges before giving us
         control back (for instance by loading a user-supplied library), we
         could get the first page mapped in a process we control.  By further
         using mremap and mprotect on this mapping, we can then completely
         bypass the mmap_min_addr restrictions.
      
      Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added
      since on 32-bit x86 it will in practice disable most of the address
      space layout randomization (only the stack will remain randomized).
      Signed-off-by: Julien Tinnes <jt@cr0.org>
      Signed-off-by: Tavis Ormandy <taviso@sdf.lonestar.org>
      Cc: stable@kernel.org
      Acked-by: Christoph Hellwig <hch@infradead.org>
      Acked-by: Kees Cook <kees@ubuntu.com>
      Acked-by: Eugene Teo <eugene@redhat.com>
      [ Shortened lines and fixed whitespace as per Christoph's suggestion ]
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Don't use '-fwrapv' compiler option: it's buggy in gcc-4.1.x · a137802e
      Linus Torvalds authored
      This causes kernel images that don't run init to completion with certain
      broken gcc versions.
      
      This fixes kernel bugzilla entry:
      	http://bugzilla.kernel.org/show_bug.cgi?id=13012
      
      I suspect the gcc problem is this:
      	http://gcc.gnu.org/bugzilla/show_bug.cgi?id=28230
      
      Fix the problem by using the -fno-strict-overflow flag instead, which
      not only does not exist in the known-to-be-broken versions of gcc (it
      was introduced later than -fwrapv), but seems to be much less disturbing
      to gcc too: the differences in the code generated by -fno-strict-overflow
      are smaller (compared to using neither flag) than when using -fwrapv.
      Reported-by: Barry K. Nathan <barryn@pobox.com>
      Pushed-by: Frans Pop <elendil@planet.nl>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: stable@kernel.org
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  4. 11 Jul, 2009 19 commits
  5. 10 Jul, 2009 8 commits