1. 11 Sep, 2009 1 commit
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of... · f6f79190
      Linus Torvalds authored
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (57 commits)
        binfmt_elf: fix PT_INTERP bss handling
        TPM: Fixup boot probe timeout for tpm_tis driver
        sysfs: Add labeling support for sysfs
        LSM/SELinux: inode_{get,set,notify}secctx hooks to access LSM security context information.
        VFS: Factor out part of vfs_setxattr so it can be called from the SELinux hook for inode_setsecctx.
        KEYS: Add missing linux/tracehook.h #inclusions
        KEYS: Fix default security_session_to_parent()
        Security/SELinux: includecheck fix kernel/sysctl.c
        KEYS: security_cred_alloc_blank() should return int under all circumstances
        IMA: open new file for read
        KEYS: Add a keyctl to install a process's session keyring on its parent [try #6]
        KEYS: Extend TIF_NOTIFY_RESUME to (almost) all architectures [try #6]
        KEYS: Do some whitespace cleanups [try #6]
        KEYS: Make /proc/keys use keyid not numread as file position [try #6]
        KEYS: Add garbage collection for dead, revoked and expired keys. [try #6]
        KEYS: Flag dead keys to induce EKEYREVOKED [try #6]
        KEYS: Allow keyctl_revoke() on keys that have SETATTR but not WRITE perm [try #6]
        KEYS: Deal with dead-type keys appropriately [try #6]
        CRED: Add some configurable debugging [try #6]
        selinux: Support for the new TUN LSM hooks
        ...
      f6f79190
  2. 10 Sep, 2009 9 commits
    • James Morris's avatar
      Merge branch 'next' into for-linus · a3c8b973
      James Morris authored
      a3c8b973
    • Geert Uytterhoeven's avatar
      md: Fix "strchr" [drivers/md/dm-log-userspace.ko] undefined! · 0d03d59d
      Geert Uytterhoeven authored
      Commit b8313b6d ("dm log: remove incorrect
      field from userspace table output") added a call to strstr() with a
      single-character "needle" string parameter.
      
      Unfortunately some versions of gcc replace such calls to strstr() by calls
      to strchr() behind our back.  This causes linking errors if strchr() is
      defined as an inline function in <asm/string.h> (e.g. on m68k):
      
      | WARNING: "strchr" [drivers/md/dm-log-userspace.ko] undefined!
      
      Avoid this by explicitly calling strchr() instead.
      Signed-off-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Cc: stable@kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      0d03d59d
    • Roland McGrath's avatar
      binfmt_elf: fix PT_INTERP bss handling · 9f0ab4a3
      Roland McGrath authored
      In fs/binfmt_elf.c, load_elf_interp() calls padzero() for .bss even if
      the PT_LOAD has no PROT_WRITE and no .bss.  This generates EFAULT.
      
      Here is a small test case.  (Yes, there are other, useful PT_INTERP
      which have only .text and no .data/.bss.)
      
      	----- ptinterp.S
      	_start: .globl _start
      		 nop
      		 int3
      	-----
      	$ gcc -m32 -nostartfiles -nostdlib -o ptinterp ptinterp.S
      	$ gcc -m32 -Wl,--dynamic-linker=ptinterp -o hello hello.c
      	$ ./hello
      	Segmentation fault  # during execve() itself
      
      	After applying the patch:
      	$ ./hello
      	Trace trap  # user-mode execution after execve() finishes
      
      If the ELF headers are actually self-inconsistent, then dying is fine.
      But having no PROT_WRITE segment is perfectly normal and correct if
      there is no segment with p_memsz > p_filesz (i.e. bss).  John Reiser
      suggested checking for PROT_WRITE in the bss logic.  I think it makes
      most sense to simply apply the bss logic only when there is bss.
      
      This patch looks less trivial than it is due to some reindentation.
      It just moves the "if (last_bss > elf_bss) {" test up to include the
      partial-page bss logic as well as the more-pages bss logic.
      Reported-by: default avatarJohn Reiser <jreiser@bitwagon.com>
      Signed-off-by: default avatarRoland McGrath <roland@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      9f0ab4a3
    • Jason Gunthorpe's avatar
      TPM: Fixup boot probe timeout for tpm_tis driver · ec579358
      Jason Gunthorpe authored
      When probing the device in tpm_tis_init the call request_locality
      uses timeout_a, which wasn't being initalized until after
      request_locality. This results in request_locality falsely timing
      out if the chip is still starting. Move the initialization to before
      request_locality.
      
      This probably only matters for embedded cases (ie mine), a BIOS likely
      gets the TPM into a state where this code path isn't necessary.
      Signed-off-by: default avatarJason Gunthorpe <jgunthorpe@obsidianresearch.com>
      Acked-by: default avatarRajiv Andrade <srajiv@linux.vnet.ibm.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      ec579358
    • Linus Torvalds's avatar
      Merge branch 'lookup-permissions-cleanup' · 526b6780
      Linus Torvalds authored
      * lookup-permissions-cleanup:
        jffs2/jfs/xfs: switch over to 'check_acl' rather than 'permission()'
        ext[234]: move over to 'check_acl' permission model
        shmfs: use 'check_acl' instead of 'permission'
        Make 'check_acl()' a first-class filesystem op
        Simplify exec_permission_lite(), part 3
        Simplify exec_permission_lite() further
        Simplify exec_permission_lite() logic
        Do not call 'ima_path_check()' for each path component
      526b6780
    • Roland McGrath's avatar
      binfmt_elf: fix PT_INTERP bss handling · 752015d1
      Roland McGrath authored
      In fs/binfmt_elf.c, load_elf_interp() calls padzero() for .bss even if
      the PT_LOAD has no PROT_WRITE and no .bss.  This generates EFAULT.
      
      Here is a small test case.  (Yes, there are other, useful PT_INTERP
      which have only .text and no .data/.bss.)
      
      	----- ptinterp.S
      	_start: .globl _start
      		 nop
      		 int3
      	-----
      	$ gcc -m32 -nostartfiles -nostdlib -o ptinterp ptinterp.S
      	$ gcc -m32 -Wl,--dynamic-linker=ptinterp -o hello hello.c
      	$ ./hello
      	Segmentation fault  # during execve() itself
      
      	After applying the patch:
      	$ ./hello
      	Trace trap  # user-mode execution after execve() finishes
      
      If the ELF headers are actually self-inconsistent, then dying is fine.
      But having no PROT_WRITE segment is perfectly normal and correct if
      there is no segment with p_memsz > p_filesz (i.e. bss).  John Reiser
      suggested checking for PROT_WRITE in the bss logic.  I think it makes
      most sense to simply apply the bss logic only when there is bss.
      
      This patch looks less trivial than it is due to some reindentation.
      It just moves the "if (last_bss > elf_bss) {" test up to include the
      partial-page bss logic as well as the more-pages bss logic.
      Reported-by: default avatarJohn Reiser <jreiser@bitwagon.com>
      Signed-off-by: default avatarRoland McGrath <roland@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      752015d1
    • David P. Quigley's avatar
      sysfs: Add labeling support for sysfs · ddd29ec6
      David P. Quigley authored
      This patch adds a setxattr handler to the file, directory, and symlink
      inode_operations structures for sysfs. The patch uses hooks introduced in the
      previous patch to handle the getting and setting of security information for
      the sysfs inodes. As was suggested by Eric Biederman the struct iattr in the
      sysfs_dirent structure has been replaced by a structure which contains the
      iattr, secdata and secdata length to allow the changes to persist in the event
      that the inode representing the sysfs_dirent is evicted. Because sysfs only
      stores this information when a change is made all the optional data is moved
      into one dynamically allocated field.
      
      This patch addresses an issue where SELinux was denying virtd access to the PCI
      configuration entries in sysfs. The lack of setxattr handlers for sysfs
      required that a single label be assigned to all entries in sysfs. Granting virtd
      access to every entry in sysfs is not an acceptable solution so fine grained
      labeling of sysfs is required such that individual entries can be labeled
      appropriately.
      
      [sds:  Fixed compile-time warnings, coding style, and setting of inode security init flags.]
      Signed-off-by: default avatarDavid P. Quigley <dpquigl@tycho.nsa.gov>
      Signed-off-by: default avatarStephen D. Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      ddd29ec6
    • David P. Quigley's avatar
      LSM/SELinux: inode_{get,set,notify}secctx hooks to access LSM security context information. · 1ee65e37
      David P. Quigley authored
      This patch introduces three new hooks. The inode_getsecctx hook is used to get
      all relevant information from an LSM about an inode. The inode_setsecctx is
      used to set both the in-core and on-disk state for the inode based on a context
      derived from inode_getsecctx.The final hook inode_notifysecctx will notify the
      LSM of a change for the in-core state of the inode in question. These hooks are
      for use in the labeled NFS code and addresses concerns of how to set security
      on an inode in a multi-xattr LSM. For historical reasons Stephen Smalley's
      explanation of the reason for these hooks is pasted below.
      
      Quote Stephen Smalley
      
      inode_setsecctx:  Change the security context of an inode.  Updates the
      in core security context managed by the security module and invokes the
      fs code as needed (via __vfs_setxattr_noperm) to update any backing
      xattrs that represent the context.  Example usage:  NFS server invokes
      this hook to change the security context in its incore inode and on the
      backing file system to a value provided by the client on a SETATTR
      operation.
      
      inode_notifysecctx:  Notify the security module of what the security
      context of an inode should be.  Initializes the incore security context
      managed by the security module for this inode.  Example usage:  NFS
      client invokes this hook to initialize the security context in its
      incore inode to the value provided by the server for the file when the
      server returned the file's attributes to the client.
      Signed-off-by: default avatarDavid P. Quigley <dpquigl@tycho.nsa.gov>
      Acked-by: default avatarSerge Hallyn <serue@us.ibm.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      1ee65e37
    • David P. Quigley's avatar
      VFS: Factor out part of vfs_setxattr so it can be called from the SELinux hook for inode_setsecctx. · b1ab7e4b
      David P. Quigley authored
      This factors out the part of the vfs_setxattr function that performs the
      setting of the xattr and its notification. This is needed so the SELinux
      implementation of inode_setsecctx can handle the setting of the xattr while
      maintaining the proper separation of layers.
      Signed-off-by: default avatarDavid P. Quigley <dpquigl@tycho.nsa.gov>
      Acked-by: default avatarSerge Hallyn <serue@us.ibm.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      b1ab7e4b
  3. 09 Sep, 2009 4 commits
    • Linus Torvalds's avatar
      Linux 2.6.31 · 74fca6a4
      Linus Torvalds authored
      74fca6a4
    • Ed Cashin's avatar
      aoe: allocate unused request_queue for sysfs · 7135a71b
      Ed Cashin authored
      Andy Whitcroft reported an oops in aoe triggered by use of an
      incorrectly initialised request_queue object:
      
        [ 2645.959090] kobject '<NULL>' (ffff880059ca22c0): tried to add
      		an uninitialized object, something is seriously wrong.
        [ 2645.959104] Pid: 6, comm: events/0 Not tainted 2.6.31-5-generic #24-Ubuntu
        [ 2645.959107] Call Trace:
        [ 2645.959139] [<ffffffff8126ca2f>] kobject_add+0x5f/0x70
        [ 2645.959151] [<ffffffff8125b4ab>] blk_register_queue+0x8b/0xf0
        [ 2645.959155] [<ffffffff8126043f>] add_disk+0x8f/0x160
        [ 2645.959161] [<ffffffffa01673c4>] aoeblk_gdalloc+0x164/0x1c0 [aoe]
      
      The request queue of an aoe device is not used but can be allocated in
      code that does not sleep.
      
      Bruno bisected this regression down to
      
        cd43e26f
      
        block: Expose stacked device queues in sysfs
      
      "This seems to generate /sys/block/$device/queue and its contents for
       everyone who is using queues, not just for those queues that have a
       non-NULL queue->request_fn."
      
      Addresses http://bugs.launchpad.net/bugs/410198
      Addresses http://bugzilla.kernel.org/show_bug.cgi?id=13942
      
      Note that embedding a queue inside another object has always been
      an illegal construct, since the queues are reference counted and
      must persist until the last reference is dropped. So aoe was
      always buggy in this respect (Jens).
      Signed-off-by: default avatarEd Cashin <ecashin@coraid.com>
      Cc: Andy Whitcroft <apw@canonical.com>
      Cc: "Rafael J. Wysocki" <rjw@sisk.pl>
      Cc: Bruno Premont <bonbons@linux-vserver.org>
      Cc: Martin K. Petersen <martin.petersen@oracle.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarJens Axboe <jens.axboe@oracle.com>
      7135a71b
    • David Howells's avatar
      KEYS: Add missing linux/tracehook.h #inclusions · 733e5e4b
      David Howells authored
      Add #inclusions of linux/tracehook.h to those arch files that had the tracehook
      call for TIF_NOTIFY_RESUME added when support for that flag was added to that
      arch.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      733e5e4b
    • Linus Torvalds's avatar
      i915: disable interrupts before tearing down GEM state · e6890f6f
      Linus Torvalds authored
      Reinette Chatre reports a frozen system (with blinking keyboard LEDs)
      when switching from graphics mode to the text console, or when
      suspending (which does the same thing). With netconsole, the oops
      turned out to be
      
      	BUG: unable to handle kernel NULL pointer dereference at 0000000000000084
      	IP: [<ffffffffa03ecaab>] i915_driver_irq_handler+0x26b/0xd20 [i915]
      
      and it's due to the i915_gem.c code doing drm_irq_uninstall() after
      having done i915_gem_idle(). And the i915_gem_idle() path will do
      
        i915_gem_idle() ->
          i915_gem_cleanup_ringbuffer() ->
            i915_gem_cleanup_hws() ->
              dev_priv->hw_status_page = NULL;
      
      but if an i915 interrupt comes in after this stage, it may want to
      access that hw_status_page, and gets the above NULL pointer dereference.
      
      And since the NULL pointer dereference happens from within an interrupt,
      and with the screen still in graphics mode, the common end result is
      simply a silently hung machine.
      
      Fix it by simply uninstalling the irq handler before idling rather than
      after. Fixes
      
          http://bugzilla.kernel.org/show_bug.cgi?id=13819Reported-and-tested-by: default avatarReinette Chatre <reinette.chatre@intel.com>
      Acked-by: default avatarJesse Barnes <jbarnes@virtuousgeek.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      e6890f6f
  4. 08 Sep, 2009 9 commits
  5. 07 Sep, 2009 10 commits
  6. 06 Sep, 2009 1 commit
    • David S. Miller's avatar
      gianfar: Fix build. · d9d8e041
      David S. Miller authored
      Reported by Michael Guntsche <mike@it-loops.com>
      
      --------------------
      Commit
      38bddf04 gianfar: gfar_remove needs to call unregister_netdev()
      
      breaks the build of the gianfar driver because "dev" is undefined in
      this function. To quickly test rc9 I changed this to priv->ndev but I do
      not know if this is the correct one.
      --------------------
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d9d8e041
  7. 05 Sep, 2009 6 commits