Oleg Nesterov [Mon, 9 Apr 2012 19:03:50 +0000 (21:03 +0200)]
cred: copy_process() should clear child->replacement_session_keyring
commit
79549c6dfda0603dba9a70a53467ce62d9335c33 upstream.
keyctl_session_to_parent(task) sets ->replacement_session_keyring,
it should be processed and cleared by key_replace_session_keyring().
However, this task can fork before it notices TIF_NOTIFY_RESUME and
the new child gets the bogus ->replacement_session_keyring copied by
dup_task_struct(). This is obviously wrong and, if nothing else, this
leads to put_cred(already_freed_cred).
change copy_creds() to clear this member. If copy_process() fails
before this point the wrong ->replacement_session_keyring doesn't
matter, exit_creds() won't be called.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Greg Kroah-Hartman [Fri, 4 May 2012 19:09:39 +0000 (12:09 -0700)]
hfsplus: Fix potential buffer overflows
commit
6f24f892871acc47b40dd594c63606a17c714f77 upstream.
Commit
ec81aecb2966 ("hfs: fix a potential buffer overflow") fixed a few
potential buffer overflows in the hfs filesystem. But as Timo Warns
pointed out, these changes also need to be made on the hfsplus
filesystem as well.
Reported-by: Timo Warns <warns@pre-sense.de>
Acked-by: WANG Cong <amwang@redhat.com>
Cc: Alexey Khoroshilov <khoroshilov@ispras.ru>
Cc: Miklos Szeredi <mszeredi@suse.cz>
Cc: Sage Weil <sage@newdream.net>
Cc: Eugene Teo <eteo@redhat.com>
Cc: Roman Zippel <zippel@linux-m68k.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Dave Anderson <anderson@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Jason Wang [Wed, 30 May 2012 21:18:10 +0000 (21:18 +0000)]
net: sock: validate data_len before allocating skb in sock_alloc_send_pskb()
[ Upstream commit
cc9b17ad29ecaa20bfe426a8d4dbfb94b13ff1cc ]
We need to validate the number of pages consumed by data_len, otherwise frags
array could be overflowed by userspace. So this patch validate data_len and
return -EMSGSIZE when data_len may occupies more frags than MAX_SKB_FRAGS.
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Andrea Arcangeli [Wed, 21 Mar 2012 23:33:42 +0000 (16:33 -0700)]
mm: thp: fix pmd_bad() triggering in code paths holding mmap_sem read mode
commit
1a5a9906d4e8d1976b701f889d8f35d54b928f25 upstream.
In some cases it may happen that pmd_none_or_clear_bad() is called with
the mmap_sem hold in read mode. In those cases the huge page faults can
allocate hugepmds under pmd_none_or_clear_bad() and that can trigger a
false positive from pmd_bad() that will not like to see a pmd
materializing as trans huge.
It's not khugepaged causing the problem, khugepaged holds the mmap_sem
in write mode (and all those sites must hold the mmap_sem in read mode
to prevent pagetables to go away from under them, during code review it
seems vm86 mode on 32bit kernels requires that too unless it's
restricted to 1 thread per process or UP builds). The race is only with
the huge pagefaults that can convert a pmd_none() into a
pmd_trans_huge().
Effectively all these pmd_none_or_clear_bad() sites running with
mmap_sem in read mode are somewhat speculative with the page faults, and
the result is always undefined when they run simultaneously. This is
probably why it wasn't common to run into this. For example if the
madvise(MADV_DONTNEED) runs zap_page_range() shortly before the page
fault, the hugepage will not be zapped, if the page fault runs first it
will be zapped.
Altering pmd_bad() not to error out if it finds hugepmds won't be enough
to fix this, because zap_pmd_range would then proceed to call
zap_pte_range (which would be incorrect if the pmd become a
pmd_trans_huge()).
The simplest way to fix this is to read the pmd in the local stack
(regardless of what we read, no need of actual CPU barriers, only
compiler barrier needed), and be sure it is not changing under the code
that computes its value. Even if the real pmd is changing under the
value we hold on the stack, we don't care. If we actually end up in
zap_pte_range it means the pmd was not none already and it was not huge,
and it can't become huge from under us (khugepaged locking explained
above).
All we need is to enforce that there is no way anymore that in a code
path like below, pmd_trans_huge can be false, but pmd_none_or_clear_bad
can run into a hugepmd. The overhead of a barrier() is just a compiler
tweak and should not be measurable (I only added it for THP builds). I
don't exclude different compiler versions may have prevented the race
too by caching the value of *pmd on the stack (that hasn't been
verified, but it wouldn't be impossible considering
pmd_none_or_clear_bad, pmd_bad, pmd_trans_huge, pmd_none are all inlines
and there's no external function called in between pmd_trans_huge and
pmd_none_or_clear_bad).
if (pmd_trans_huge(*pmd)) {
if (next-addr != HPAGE_PMD_SIZE) {
VM_BUG_ON(!rwsem_is_locked(&tlb->mm->mmap_sem));
split_huge_page_pmd(vma->vm_mm, pmd);
} else if (zap_huge_pmd(tlb, vma, pmd, addr))
continue;
/* fall through */
}
if (pmd_none_or_clear_bad(pmd))
Because this race condition could be exercised without special
privileges this was reported in CVE-2012-1179.
The race was identified and fully explained by Ulrich who debugged it.
I'm quoting his accurate explanation below, for reference.
====== start quote =======
mapcount 0 page_mapcount 1
kernel BUG at mm/huge_memory.c:1384!
At some point prior to the panic, a "bad pmd ..." message similar to the
following is logged on the console:
mm/memory.c:145: bad pmd
ffff8800376e1f98(
80000000314000e7).
The "bad pmd ..." message is logged by pmd_clear_bad() before it clears
the page's PMD table entry.
143 void pmd_clear_bad(pmd_t *pmd)
144 {
-> 145 pmd_ERROR(*pmd);
146 pmd_clear(pmd);
147 }
After the PMD table entry has been cleared, there is an inconsistency
between the actual number of PMD table entries that are mapping the page
and the page's map count (_mapcount field in struct page). When the page
is subsequently reclaimed, __split_huge_page() detects this inconsistency.
1381 if (mapcount != page_mapcount(page))
1382 printk(KERN_ERR "mapcount %d page_mapcount %d\n",
1383 mapcount, page_mapcount(page));
-> 1384 BUG_ON(mapcount != page_mapcount(page));
The root cause of the problem is a race of two threads in a multithreaded
process. Thread B incurs a page fault on a virtual address that has never
been accessed (PMD entry is zero) while Thread A is executing an madvise()
system call on a virtual address within the same 2 MB (huge page) range.
virtual address space
.---------------------.
| |
| |
.-|---------------------|
| | |
| | |<-- B(fault)
| | |
2 MB | |/////////////////////|-.
huge < |/////////////////////| > A(range)
page | |/////////////////////|-'
| | |
| | |
'-|---------------------|
| |
| |
'---------------------'
- Thread A is executing an madvise(..., MADV_DONTNEED) system call
on the virtual address range "A(range)" shown in the picture.
sys_madvise
// Acquire the semaphore in shared mode.
down_read(¤t->mm->mmap_sem)
...
madvise_vma
switch (behavior)
case MADV_DONTNEED:
madvise_dontneed
zap_page_range
unmap_vmas
unmap_page_range
zap_pud_range
zap_pmd_range
//
// Assume that this huge page has never been accessed.
// I.e. content of the PMD entry is zero (not mapped).
//
if (pmd_trans_huge(*pmd)) {
// We don't get here due to the above assumption.
}
//
// Assume that Thread B incurred a page fault and
.---------> // sneaks in here as shown below.
| //
| if (pmd_none_or_clear_bad(pmd))
| {
| if (unlikely(pmd_bad(*pmd)))
| pmd_clear_bad
| {
| pmd_ERROR
| // Log "bad pmd ..." message here.
| pmd_clear
| // Clear the page's PMD entry.
| // Thread B incremented the map count
| // in page_add_new_anon_rmap(), but
| // now the page is no longer mapped
| // by a PMD entry (-> inconsistency).
| }
| }
|
v
- Thread B is handling a page fault on virtual address "B(fault)" shown
in the picture.
...
do_page_fault
__do_page_fault
// Acquire the semaphore in shared mode.
down_read_trylock(&mm->mmap_sem)
...
handle_mm_fault
if (pmd_none(*pmd) && transparent_hugepage_enabled(vma))
// We get here due to the above assumption (PMD entry is zero).
do_huge_pmd_anonymous_page
alloc_hugepage_vma
// Allocate a new transparent huge page here.
...
__do_huge_pmd_anonymous_page
...
spin_lock(&mm->page_table_lock)
...
page_add_new_anon_rmap
// Here we increment the page's map count (starts at -1).
atomic_set(&page->_mapcount, 0)
set_pmd_at
// Here we set the page's PMD entry which will be cleared
// when Thread A calls pmd_clear_bad().
...
spin_unlock(&mm->page_table_lock)
The mmap_sem does not prevent the race because both threads are acquiring
it in shared mode (down_read). Thread B holds the page_table_lock while
the page's map count and PMD table entry are updated. However, Thread A
does not synchronize on that lock.
====== end quote =======
[akpm@linux-foundation.org: checkpatch fixes]
Reported-by: Ulrich Obergfell <uobergfe@redhat.com>
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Hugh Dickins <hughd@google.com>
Cc: Dave Jones <davej@redhat.com>
Acked-by: Larry Woodman <lwoodman@redhat.com>
Acked-by: Rik van Riel <riel@redhat.com>
Cc: Mark Salter <msalter@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Paris [Tue, 17 Apr 2012 20:26:54 +0000 (16:26 -0400)]
fcaps: clear the same personality flags as suid when fcaps are used
commit
d52fc5dde171f030170a6cb78034d166b13c9445 upstream.
If a process increases permissions using fcaps all of the dangerous
personality flags which are cleared for suid apps should also be cleared.
Thus programs given priviledge with fcaps will continue to have address space
randomization enabled even if the parent tried to disable it to make it
easier to attack.
Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jeff Layton [Thu, 23 Feb 2012 14:37:45 +0000 (09:37 -0500)]
cifs: fix dentry refcount leak when opening a FIFO on lookup
commit
5bccda0ebc7c0331b81ac47d39e4b920b198b2cd upstream.
The cifs code will attempt to open files on lookup under certain
circumstances. What happens though if we find that the file we opened
was actually a FIFO or other special file?
Currently, the open filehandle just ends up being leaked leading to
a dentry refcount mismatch and oops on umount. Fix this by having the
code close the filehandle on the server if it turns out not to be a
regular file. While we're at it, change this spaghetti if statement
into a switch too.
Reported-by: CAI Qian <caiqian@redhat.com>
Tested-by: CAI Qian <caiqian@redhat.com>
Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
H. Peter Anvin [Fri, 2 Mar 2012 18:43:49 +0000 (10:43 -0800)]
regset: Return -EFAULT, not -EIO, on host-side memory fault
commit
5189fa19a4b2b4c3bec37c3a019d446148827717 upstream.
There is only one error code to return for a bad user-space buffer
pointer passed to a system call in the same address space as the
system call is executed, and that is EFAULT. Furthermore, the
low-level access routines, which catch most of the faults, return
EFAULT already.
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Roland McGrath <roland@hack.frob.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
H. Peter Anvin [Fri, 2 Mar 2012 18:43:48 +0000 (10:43 -0800)]
regset: Prevent null pointer reference on readonly regsets
commit
c8e252586f8d5de906385d8cf6385fee289a825e upstream.
The regset common infrastructure assumed that regsets would always
have .get and .set methods, but not necessarily .active methods.
Unfortunately people have since written regsets without .set methods.
Rather than putting in stub functions everywhere, handle regsets with
null .get or .set methods explicitly.
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Roland McGrath <roland@hack.frob.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ben Hutchings [Mon, 9 Jan 2012 22:06:46 +0000 (14:06 -0800)]
igmp: Avoid zero delay when receiving odd mixture of IGMP queries
commit
a8c1f65c79cbbb2f7da782d4c9d15639a9b94b27 upstream.
Commit
5b7c84066733c5dfb0e4016d939757b38de189e4 ('ipv4: correct IGMP
behavior on v3 query during v2-compatibility mode') added yet another
case for query parsing, which can result in max_delay = 0. Substitute
a value of 1, as in the usual v3 case.
Reported-by: Simon McVittie <smcv@debian.org>
References: http://bugs.debian.org/654876
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Anton Vorontsov [Fri, 24 Feb 2012 01:14:46 +0000 (05:14 +0400)]
mm: memcg: Correct unregistring of events attached to the same eventfd
commit
371528caec553785c37f73fa3926ea0de84f986f upstream.
There is an issue when memcg unregisters events that were attached to
the same eventfd:
- On the first call mem_cgroup_usage_unregister_event() removes all
events attached to a given eventfd, and if there were no events left,
thresholds->primary would become NULL;
- Since there were several events registered, cgroups core will call
mem_cgroup_usage_unregister_event() again, but now kernel will oops,
as the function doesn't expect that threshold->primary may be NULL.
That's a good question whether mem_cgroup_usage_unregister_event()
should actually remove all events in one go, but nowadays it can't
do any better as cftype->unregister_event callback doesn't pass
any private event-associated cookie. So, let's fix the issue by
simply checking for threshold->primary.
FWIW, w/o the patch the following oops may be observed:
BUG: unable to handle kernel NULL pointer dereference at
0000000000000004
IP: [<
ffffffff810be32c>] mem_cgroup_usage_unregister_event+0x9c/0x1f0
Pid: 574, comm: kworker/0:2 Not tainted 3.3.0-rc4+ #9 Bochs Bochs
RIP: 0010:[<
ffffffff810be32c>] [<
ffffffff810be32c>] mem_cgroup_usage_unregister_event+0x9c/0x1f0
RSP: 0018:
ffff88001d0b9d60 EFLAGS:
00010246
Process kworker/0:2 (pid: 574, threadinfo
ffff88001d0b8000, task
ffff88001de91cc0)
Call Trace:
[<
ffffffff8107092b>] cgroup_event_remove+0x2b/0x60
[<
ffffffff8103db94>] process_one_work+0x174/0x450
[<
ffffffff8103e413>] worker_thread+0x123/0x2d0
Signed-off-by: Anton Vorontsov <anton.vorontsov@linaro.org>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Kirill A. Shutemov <kirill@shutemov.name>
Cc: Michal Hocko <mhocko@suse.cz>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Sandeen [Mon, 20 Feb 2012 22:53:01 +0000 (17:53 -0500)]
jbd2: clear BH_Delay & BH_Unwritten in journal_unmap_buffer
commit
15291164b22a357cb211b618adfef4fa82fc0de3 upstream.
journal_unmap_buffer()'s zap_buffer: code clears a lot of buffer head
state ala discard_buffer(), but does not touch _Delay or _Unwritten as
discard_buffer() does.
This can be problematic in some areas of the ext4 code which assume
that if they have found a buffer marked unwritten or delay, then it's
a live one. Perhaps those spots should check whether it is mapped
as well, but if jbd2 is going to tear down a buffer, let's really
tear it down completely.
Without this I get some fsx failures on sub-page-block filesystems
up until v3.2, at which point
4e96b2dbbf1d7e81f22047a50f862555a6cb87cb
and
189e868fa8fdca702eb9db9d8afc46b5cb9144c9 make the failures go
away, because buried within that large change is some more flag
clearing. I still think it's worth doing in jbd2, since
->invalidatepage leads here directly, and it's the right place
to clear away these flags.
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Xi Wang [Wed, 23 Nov 2011 06:12:01 +0000 (01:12 -0500)]
drm: integer overflow in drm_mode_dirtyfb_ioctl()
commit
a5cd335165e31db9dbab636fd29895d41da55dd2 upstream.
There is a potential integer overflow in drm_mode_dirtyfb_ioctl()
if userspace passes in a large num_clips. The call to kmalloc would
allocate a small buffer, and the call to fb->funcs->dirty may result
in a memory corruption.
Reported-by: Haogang Chen <haogangchen@gmail.com>
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Xi Wang [Mon, 23 Apr 2012 08:06:42 +0000 (04:06 -0400)]
drm/i915: fix integer overflow in i915_gem_do_execbuffer()
commit
44afb3a04391a74309d16180d1e4f8386fdfa745 upstream.
On 32-bit systems, a large args->num_cliprects from userspace via ioctl
may overflow the allocation size, leading to out-of-bounds access.
This vulnerability was introduced in commit
432e58ed ("drm/i915: Avoid
allocation for execbuffer object list").
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Xi Wang [Mon, 23 Apr 2012 08:06:41 +0000 (04:06 -0400)]
drm/i915: fix integer overflow in i915_gem_execbuffer2()
commit
ed8cd3b2cd61004cab85380c52b1817aca1ca49b upstream.
On 32-bit systems, a large args->buffer_count from userspace via ioctl
may overflow the allocation size, leading to out-of-bounds access.
This vulnerability was introduced in commit
8408c282 ("drm/i915:
First try a normal large kmalloc for the temporary exec buffers").
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Avi Kivity [Mon, 5 Mar 2012 12:23:29 +0000 (14:23 +0200)]
KVM: Ensure all vcpus are consistent with in-kernel irqchip settings
(cherry picked from commit
3e515705a1f46beb1c942bb8043c16f8ac7b1e9e)
If some vcpus are created before KVM_CREATE_IRQCHIP, then
irqchip_in_kernel() and vcpu->arch.apic will be inconsistent, leading
to potential NULL pointer dereferences.
Fix by:
- ensuring that no vcpus are installed when KVM_CREATE_IRQCHIP is called
- ensuring that a vcpu has an apic if it is installed after KVM_CREATE_IRQCHIP
This is somewhat long winded because vcpu->arch.apic is created without
kvm->lock held.
Based on earlier patch by Michael Ellerman.
Signed-off-by: Michael Ellerman <michael@ellerman.id.au>
Signed-off-by: Avi Kivity <avi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Alex Williamson [Fri, 27 Apr 2012 21:54:08 +0000 (16:54 -0500)]
KVM: unmap pages from the iommu when slots are removed
commit
32f6daad4651a748a58a3ab6da0611862175722f upstream.
We've been adding new mappings, but not destroying old mappings.
This can lead to a page leak as pages are pinned using
get_user_pages, but only unpinned with put_page if they still
exist in the memslots list on vm shutdown. A memslot that is
destroyed while an iommu domain is enabled for the guest will
therefore result in an elevated page reference count that is
never cleared.
Additionally, without this fix, the iommu is only programmed
with the first translation for a gpa. This can result in
peer-to-peer errors if a mapping is destroyed and replaced by a
new mapping at the same gpa as the iommu will still be pointing
to the original, pinned memory address.
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
David Gibson [Wed, 21 Mar 2012 23:34:12 +0000 (16:34 -0700)]
hugepages: fix use after free bug in "quota" handling
commit
90481622d75715bfcb68501280a917dbfe516029 upstream.
hugetlbfs_{get,put}_quota() are badly named. They don't interact with the
general quota handling code, and they don't much resemble its behaviour.
Rather than being about maintaining limits on on-disk block usage by
particular users, they are instead about maintaining limits on in-memory
page usage (including anonymous MAP_PRIVATE copied-on-write pages)
associated with a particular hugetlbfs filesystem instance.
Worse, they work by having callbacks to the hugetlbfs filesystem code from
the low-level page handling code, in particular from free_huge_page().
This is a layering violation of itself, but more importantly, if the
kernel does a get_user_pages() on hugepages (which can happen from KVM
amongst others), then the free_huge_page() can be delayed until after the
associated inode has already been freed. If an unmount occurs at the
wrong time, even the hugetlbfs superblock where the "quota" limits are
stored may have been freed.
Andrew Barry proposed a patch to fix this by having hugepages, instead of
storing a pointer to their address_space and reaching the superblock from
there, had the hugepages store pointers directly to the superblock,
bumping the reference count as appropriate to avoid it being freed.
Andrew Morton rejected that version, however, on the grounds that it made
the existing layering violation worse.
This is a reworked version of Andrew's patch, which removes the extra, and
some of the existing, layering violation. It works by introducing the
concept of a hugepage "subpool" at the lower hugepage mm layer - that is a
finite logical pool of hugepages to allocate from. hugetlbfs now creates
a subpool for each filesystem instance with a page limit set, and a
pointer to the subpool gets added to each allocated hugepage, instead of
the address_space pointer used now. The subpool has its own lifetime and
is only freed once all pages in it _and_ all other references to it (i.e.
superblocks) are gone.
subpools are optional - a NULL subpool pointer is taken by the code to
mean that no subpool limits are in effect.
Previous discussion of this bug found in: "Fix refcounting in hugetlbfs
quota handling.". See: https://lkml.org/lkml/2011/8/11/28 or
http://marc.info/?l=linux-mm&m=
126928970510627&w=1
v2: Fixed a bug spotted by Hillf Danton, and removed the extra parameter to
alloc_huge_page() - since it already takes the vma, it is not necessary.
Signed-off-by: Andrew Barry <abarry@cray.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Cc: Hugh Dickins <hughd@google.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Minchan Kim <minchan.kim@gmail.com>
Cc: Hillf Danton <dhillf@gmail.com>
Cc: Paul Mackerras <paulus@samba.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.2: adjust context to apply after commit
c50ac050811d6485616a193eb0f37bfbd191cc89 'hugetlb: fix resv_map leak in
error path', backported in 3.2.20]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Dave Hansen [Tue, 29 May 2012 22:06:46 +0000 (15:06 -0700)]
hugetlb: fix resv_map leak in error path
commit
c50ac050811d6485616a193eb0f37bfbd191cc89 and
4523e1458566a0e8ecfaff90f380dd23acc44d27 upstream.
When called for anonymous (non-shared) mappings, hugetlb_reserve_pages()
does a resv_map_alloc(). It depends on code in hugetlbfs's
vm_ops->close() to release that allocation.
However, in the mmap() failure path, we do a plain unmap_region() without
the remove_vma() which actually calls vm_ops->close().
This is a decent fix. This leak could get reintroduced if new code (say,
after hugetlb_reserve_pages() in hugetlbfs_file_mmap()) decides to return
an error. But, I think it would have to unroll the reservation anyway.
Christoph's test case:
http://marc.info/?l=linux-mm&m=
133728900729735
This patch applies to 3.4 and later. A version for earlier kernels is at
https://lkml.org/lkml/2012/5/22/418.
Signed-off-by: Dave Hansen <dave@linux.vnet.ibm.com>
Acked-by: Mel Gorman <mel@csn.ul.ie>
Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Reported-by: Christoph Lameter <cl@linux.com>
Tested-by: Christoph Lameter <cl@linux.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Xi Wang [Tue, 10 Jan 2012 16:51:10 +0000 (11:51 -0500)]
ext4: fix undefined behavior in ext4_fill_flex_info()
commit
d50f2ab6f050311dbf7b8f5501b25f0bf64a439b upstream.
Commit
503358ae01b70ce6909d19dd01287093f6b6271c ("ext4: avoid divide by
zero when trying to mount a corrupted file system") fixes CVE-2009-4307
by performing a sanity check on s_log_groups_per_flex, since it can be
set to a bogus value by an attacker.
sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex;
groups_per_flex = 1 << sbi->s_log_groups_per_flex;
if (groups_per_flex < 2) { ... }
This patch fixes two potential issues in the previous commit.
1) The sanity check might only work on architectures like PowerPC.
On x86, 5 bits are used for the shifting amount. That means, given a
large s_log_groups_per_flex value like 36, groups_per_flex = 1 << 36
is essentially 1 << 4 = 16, rather than 0. This will bypass the check,
leaving s_log_groups_per_flex and groups_per_flex inconsistent.
2) The sanity check relies on undefined behavior, i.e., oversized shift.
A standard-confirming C compiler could rewrite the check in unexpected
ways. Consider the following equivalent form, assuming groups_per_flex
is unsigned for simplicity.
groups_per_flex = 1 << sbi->s_log_groups_per_flex;
if (groups_per_flex == 0 || groups_per_flex == 1) {
We compile the code snippet using Clang 3.0 and GCC 4.6. Clang will
completely optimize away the check groups_per_flex == 0, leaving the
patched code as vulnerable as the original. GCC keeps the check, but
there is no guarantee that future versions will do the same.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Al Viro [Fri, 9 Dec 2011 04:20:45 +0000 (23:20 -0500)]
procfs: fix a vfsmount longterm reference leak
kern_mount() doesn't pair with plain mntput()...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Tim Chen [Tue, 19 Jul 2011 16:32:38 +0000 (09:32 -0700)]
VFS : mount lock scalability for internal mounts
For a number of file systems that don't have a mount point (e.g. sockfs
and pipefs), they are not marked as long term. Therefore in
mntput_no_expire, all locks in vfs_mount lock are taken instead of just
local cpu's lock to aggregate reference counts when we release
reference to file objects. In fact, only local lock need to have been
taken to update ref counts as these file systems are in no danger of
going away until we are ready to unregister them.
The attached patch marks file systems using kern_mount without
mount point as long term. The contentions of vfs_mount lock
is now eliminated. Before un-registering such file system,
kern_unmount should be called to remove the long term flag and
make the mount point ready to be freed.
Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Stephan Bärwolf [Thu, 12 Jan 2012 15:43:04 +0000 (16:43 +0100)]
KVM: x86: fix missing checks in syscall emulation
commit
c2226fc9e87ba3da060e47333657cd6616652b84 upstream.
On hosts without this patch, 32bit guests will crash (and 64bit guests
may behave in a wrong way) for example by simply executing following
nasm-demo-application:
[bits 32]
global _start
SECTION .text
_start: syscall
(I tested it with winxp and linux - both always crashed)
Disassembly of section .text:
00000000 <_start>:
0: 0f 05 syscall
The reason seems a missing "invalid opcode"-trap (int6) for the
syscall opcode "0f05", which is not available on Intel CPUs
within non-longmodes, as also on some AMD CPUs within legacy-mode.
(depending on CPU vendor, MSR_EFER and cpuid)
Because previous mentioned OSs may not engage corresponding
syscall target-registers (STAR, LSTAR, CSTAR), they remain
NULL and (non trapping) syscalls are leading to multiple
faults and finally crashs.
Depending on the architecture (AMD or Intel) pretended by
guests, various checks according to vendor's documentation
are implemented to overcome the current issue and behave
like the CPUs physical counterparts.
[mtosatti: cleanup/beautify code]
Signed-off-by: Stephan Baerwolf <stephan.baerwolf@tu-ilmenau.de>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Xi Wang [Mon, 12 Dec 2011 21:55:52 +0000 (21:55 +0000)]
xfs: fix acl count validation in xfs_acl_from_disk()
commit
093019cf1b18dd31b2c3b77acce4e000e2cbc9ce upstream.
Commit
fa8b18ed didn't prevent the integer overflow and possible
memory corruption. "count" can go negative and bypass the check.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Ben Myers <bpm@sgi.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Christoph Hellwig [Tue, 6 Dec 2011 21:21:05 +0000 (16:21 -0500)]
xfs: validate acl count
commit
fa8b18edd752a8b4e9d1ee2cd615b82c93cf8bba upstream.
This prevents in-memory corruption and possible panics if the on-disk
ACL is badly corrupted.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Ben Myers <bpm@sgi.com>
Acked-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Markus Lehtonen [Thu, 7 Feb 2013 10:29:59 +0000 (12:29 +0200)]
Fix net/Makefile
Remove nonexistent entries, to allow 'make mrproper'.
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
Markus Lehtonen [Wed, 3 Apr 2013 11:18:02 +0000 (14:18 +0300)]
Update changelog
Change-Id: Iff435b688caa6cc80ef02a2caaaf7497a9c23cf9
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
Austin Zhang [Tue, 5 Mar 2013 09:35:04 +0000 (17:35 +0800)]
Enable 'perf' tool for performance tunning.
Change-Id: I2ebe9b101b71926c1ed36ef5890bb4b2efc22cdb
Signed-off-by: Austin Zhang <austin.zhang@intel.com>
Elena Reshetova [Tue, 5 Feb 2013 13:25:59 +0000 (15:25 +0200)]
Enable security hardening options in kernel
Change-Id:Id10b561335ad8f01519a621001059fc817dc4ef6
Markus Lehtonen [Mon, 4 Mar 2013 14:16:20 +0000 (16:16 +0200)]
Update changelog
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
Marko Ollonen [Wed, 23 Jan 2013 15:00:55 +0000 (17:00 +0200)]
camera: keep exposure from previous frame in still image mode change.
Marko Ollonen [Wed, 23 Jan 2013 07:39:35 +0000 (09:39 +0200)]
camera: exposure value query to mt9e013
Nicolas Bertrand [Thu, 7 Feb 2013 16:57:12 +0000 (17:57 +0100)]
n_gsm: Remove unused include
Li Peng [Tue, 29 Jan 2013 06:49:28 +0000 (14:49 +0800)]
pvr: enable bc_video driver
Change-Id: I62216f7310c6c457593ce8a5b5e4110e124f6644
Signed-off-by: Li Peng <peng.li@intel.com>
Arron Wang [Wed, 23 Jan 2013 06:46:22 +0000 (14:46 +0800)]
wl12xx: build two wireless tools calibrate and wlan_prov
Change-Id: Ieb6082039cd31798d78962ab292175cd89e56ef0
Markus Lehtonen [Wed, 5 Dec 2012 14:34:46 +0000 (23:34 +0900)]
Merge "Support usb mode framework in Tizen"
Chengwei Yang [Wed, 5 Dec 2012 09:34:23 +0000 (17:34 +0800)]
Support usb mode framework in Tizen
So far, we have a forked usb-server for PR3 to make sure the usb mode
framework works on PR3. However, we'd like to patch kernel now rather
than maintain another forked package.
This is the correct way because there maybe no way to work out without
patch kernel in future. So it's better to patch one rather than two.
Change-Id: I3ac4052c288b2a647fe560f42308872d1de2741f
Signed-off-by: Chengwei Yang <chengwei.yang@intel.com>
Arron Wang [Thu, 22 Nov 2012 07:08:50 +0000 (15:08 +0800)]
config: Enable NFC p2p support
Change-Id: Icef6b4de2a9d6c735bc7186cbb621192fdd96637
Signed-off-by: Arron Wang <arron.wang@intel.com>
Arron Wang [Thu, 22 Nov 2012 07:07:52 +0000 (15:07 +0800)]
NFC: Backport upstream latest NFC code
Change-Id: Icdf455992d8fb88596038a6b6ac1823436480a06
Signed-off-by: Arron Wang <arron.wang@intel.com>
Chengwei Yang [Mon, 29 Oct 2012 06:25:16 +0000 (14:25 +0800)]
Disable console output on screen
Change-Id: I9c559abc6b2270611c9ded3ef6ba338f4bdeaf93
Signed-off-by: Chengwei Yang <chengwei.yang@intel.com>
Markus Lehtonen [Thu, 25 Oct 2012 11:35:39 +0000 (14:35 +0300)]
Update changelog
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
Markus Lehtonen [Thu, 25 Oct 2012 11:27:22 +0000 (14:27 +0300)]
Merge branch 'devel'
Wang, Yong [Thu, 25 Oct 2012 08:43:15 +0000 (01:43 -0700)]
Merge "gfx: delay gfx h/w resume if early_suspend flag is true" into devel
Li Peng [Thu, 25 Oct 2012 02:31:18 +0000 (10:31 +0800)]
gfx: delay gfx h/w resume if early_suspend flag is true
Here early_suspend means we trigger gfx suspend at screen off,
which is gfx_runtime_suspend, and there are two points that we
can resume gfx back: gfx_resume() and gfx_runtime_resume().
The two functions looks same but in reality delay gfx resume to
gfx_runtime_resume() works better than gfx_resume(), because we
see some cases that screen can't resume back from gfx_resume().
Change-Id: I133a035cae0202f913ba918f798859fff0b920c0
Signed-off-by: Li Peng <peng.li@intel.com>
Yong Wang [Wed, 24 Oct 2012 00:42:00 +0000 (08:42 +0800)]
atomisp: do not do full release if more video pipes are on use
The bug (TZSP-3288) is more or less easily reproducible on systems with
udev-like software. The helper (v4l_id) is run in parallel for all /dev/videoX
nodes twice with only purpose of checking capabilities:
->open("/dev/videoX")
->ioctl(VIDIOC_QUERYCAP)
->release("/dev/videoX")
The atomisp_open() call does two stages init of the internal structures. In
case of 1st opened node it does full (stage 1 + stage 2) init. Otherwise it is
a fast path (stage 1 only).
However, atomisp_release() does a fast path for non-main pipes as well. This
triggers the unbalanced power management calls:
->open
-> stage 1
-> stage 2
-> pm_runtime_get_sync
->release
-> stage 1
-> is_main? -> (no) -> fast path
The patch is a rough approach to fix this. Any better solution is welcome.
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Tested-by: Yong Wang <yong.y.wang@intel.com>
Markus Lehtonen [Tue, 23 Oct 2012 14:52:01 +0000 (17:52 +0300)]
packaging: rename spec and changelog files
To reflect the new RPM package name
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
Markus Lehtonen [Mon, 22 Oct 2012 12:00:46 +0000 (15:00 +0300)]
Rename package to kernel-mfld-blackbay
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
Markus Lehtonen [Mon, 22 Oct 2012 11:36:51 +0000 (14:36 +0300)]
Update changelog
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
Lehtonen, Markus [Mon, 22 Oct 2012 11:10:47 +0000 (04:10 -0700)]
Merge changes I24aa0ada,I1ea490fa,Icd2c967a,I141a80e4,I31cad4f6,Ib1e59c1f,I6153487e,I30dc58a5,I674745c3,I93f8da0c,Ic54db980,I9ca287ac,I153caac1,I9b40a8f1 into devel
* changes:
Smack: setprocattr memory leak fix
Smack: implement revoking all rules for a subject label
Smack: remove task_wait() hook.
smack: off by one error
Smack: don't show empty rules when /smack/load or /smack/load2 is read
Smack: user access check bounds
Smack: onlycap limits on CAP_MAC_ADMIN
Smack: fix smack_new_inode bogosities
split ->file_mmap() into ->mmap_addr()/->mmap_file()
split cap_mmap_addr() out of cap_file_mmap()
SELinux: rename dentry_open to file_open
Smack: allow for significantly longer Smack labels v4
gfp flags for security_inode_alloc()?
Smack: recursive tramsmute
Yan Zhang [Mon, 22 Oct 2012 06:55:43 +0000 (14:55 +0800)]
Enable TOPAZ power management; Remove useless files(lnc_*) for mrst
Casey Schaufler [Wed, 22 Aug 2012 18:44:03 +0000 (11:44 -0700)]
Smack: setprocattr memory leak fix
The data structure allocations being done in prepare_creds
are duplicated in smack_setprocattr. This results in the
structure allocated in prepare_creds being orphaned and
never freed. The duplicate code is removed from
smack_setprocattr.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Rafal Krypa [Wed, 11 Jul 2012 15:49:30 +0000 (17:49 +0200)]
Smack: implement revoking all rules for a subject label
Add /smack/revoke-subject special file. Writing a SMACK label to this file will
set the access to '-' for all access rules with that subject label.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Casey Schaufler [Fri, 10 Aug 2012 00:46:38 +0000 (17:46 -0700)]
Smack: remove task_wait() hook.
On 12/20/2011 11:20 PM, Jarkko Sakkinen wrote:
> Allow SIGCHLD to be passed to child process without
> explicit policy. This will help to keep the access
> control policy simple and easily maintainable with
> complex applications that require use of multiple
> security contexts. It will also help to keep them
> as isolated as possible.
>
> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@intel.com>
I have a slightly different version that applies to the
current smack-next tree.
Allow SIGCHLD to be passed to child process without
explicit policy. This will help to keep the access
control policy simple and easily maintainable with
complex applications that require use of multiple
security contexts. It will also help to keep them
as isolated as possible.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
security/smack/smack_lsm.c | 37 ++++++++-----------------------------
1 files changed, 8 insertions(+), 29 deletions(-)
Alan Cox [Thu, 26 Jul 2012 21:47:11 +0000 (14:47 -0700)]
smack: off by one error
Consider the input case of a rule that consists entirely of non space
symbols followed by a \0. Say 64 + \0
In this case strlen(data) = 64
kzalloc of subject and object are 64 byte objects
sscanfdata, "%s %s %s", subject, ...)
will put 65 bytes into subject.
Signed-off-by: Alan Cox <alan@linux.intel.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: stable@vger.kernel.org
Signed-off-by: James Morris <james.l.morris@oracle.com>
Rafal Krypa [Mon, 9 Jul 2012 17:36:34 +0000 (19:36 +0200)]
Smack: don't show empty rules when /smack/load or /smack/load2 is read
This patch removes empty rules (i.e. with access set to '-') from the
rule list presented to user space.
Smack by design never removes labels nor rules from its lists. Access
for a rule may be set to '-' to effectively disable it. Such rules would
show up in the listing generated when /smack/load or /smack/load2 is
read. This may cause clutter if many rules were disabled.
As a rule with access set to '-' is equivalent to no rule at all, they
may be safely hidden from the listing.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Casey Schaufler [Tue, 19 Jun 2012 02:01:36 +0000 (19:01 -0700)]
Smack: user access check bounds
Some of the bounds checking used on the /smack/access
interface was lost when support for long labels was
added. No kernel access checks are affected, however
this is a case where /smack/access could be used
incorrectly and fail to detect the error. This patch
reintroduces the original checks.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Casey Schaufler [Tue, 5 Jun 2012 22:28:30 +0000 (15:28 -0700)]
Smack: onlycap limits on CAP_MAC_ADMIN
Smack is integrated with the POSIX capabilities scheme,
using the capabilities CAP_MAC_OVERRIDE and CAP_MAC_ADMIN to
determine if a process is allowed to ignore Smack checks or
change Smack related data respectively. Smack provides an
additional restriction that if an onlycap value is set
by writing to /smack/onlycap only tasks with that Smack
label are allowed to use CAP_MAC_OVERRIDE.
This change adds CAP_MAC_ADMIN as a capability that is affected
by the onlycap mechanism.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Casey Schaufler [Thu, 24 May 2012 00:46:58 +0000 (17:46 -0700)]
Smack: fix smack_new_inode bogosities
In January of 2012 Al Viro pointed out three bits of code that
he titled "new_inode_smack bogosities". This patch repairs these
errors.
1. smack_sb_kern_mount() included a NULL check that is impossible.
The check and NULL case are removed.
2. smack_kb_kern_mount() included pointless locking. The locking is
removed. Since this is the only place that lock was used the lock
is removed from the superblock_smack structure.
3. smk_fill_super() incorrectly and unnecessarily set the Smack label
for the smackfs root inode. The assignment has been removed.
Targeted for git://gitorious.org/smack-next/kernel.git
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Al Viro [Wed, 30 May 2012 17:30:51 +0000 (13:30 -0400)]
split ->file_mmap() into ->mmap_addr()/->mmap_file()
... i.e. file-dependent and address-dependent checks.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Wed, 30 May 2012 17:11:37 +0000 (13:11 -0400)]
split cap_mmap_addr() out of cap_file_mmap()
... switch callers.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Eric Paris [Wed, 4 Apr 2012 17:45:40 +0000 (13:45 -0400)]
SELinux: rename dentry_open to file_open
dentry_open takes a file, rename it to file_open
Signed-off-by: Eric Paris <eparis@redhat.com>
Conflicts:
security/tomoyo/tomoyo.c
Casey Schaufler [Sun, 6 May 2012 22:22:02 +0000 (15:22 -0700)]
Smack: allow for significantly longer Smack labels v4
V4 updated to current linux-security#next
Targeted for git://gitorious.org/smack-next/kernel.git
Modern application runtime environments like to use
naming schemes that are structured and generated without
human intervention. Even though the Smack limit of 23
characters for a label name is perfectly rational for
human use there have been complaints that the limit is
a problem in environments where names are composed from
a set or sources, including vendor, author, distribution
channel and application name. Names like
softwarehouse-pgwodehouse-coolappstore-mellowmuskrats
are becoming harder to avoid. This patch introduces long
label support in Smack. Labels are now limited to 255
characters instead of the old 23.
The primary reason for limiting the labels to 23 characters
was so they could be directly contained in CIPSO category sets.
This is still done were possible, but for labels that are too
large a mapping is required. This is perfectly safe for communication
that stays "on the box" and doesn't require much coordination
between boxes beyond what would have been required to keep label
names consistent.
The bulk of this patch is in smackfs, adding and updating
administrative interfaces. Because existing APIs can't be
changed new ones that do much the same things as old ones
have been introduced.
The Smack specific CIPSO data representation has been removed
and replaced with the data format used by netlabel. The CIPSO
header is now computed when a label is imported rather than
on use. This results in improved IP performance. The smack
label is now allocated separately from the containing structure,
allowing for larger strings.
Four new /smack interfaces have been introduced as four
of the old interfaces strictly required labels be specified
in fixed length arrays.
The access interface is supplemented with the check interface:
access "Subject Object rwxat"
access2 "Subject Object rwaxt"
The load interface is supplemented with the rules interface:
load "Subject Object rwxat"
load2 "Subject Object rwaxt"
The load-self interface is supplemented with the self-rules interface:
load-self "Subject Object rwxat"
load-self2 "Subject Object rwaxt"
The cipso interface is supplemented with the wire interface:
cipso "Subject lvl cnt c1 c2 ..."
cipso2 "Subject lvl cnt c1 c2 ..."
The old interfaces are maintained for compatibility.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Tetsuo Handa [Thu, 29 Mar 2012 07:19:05 +0000 (16:19 +0900)]
gfp flags for security_inode_alloc()?
Dave Chinner wrote:
> Yes, because you have no idea what the calling context is except
> for the fact that is from somewhere inside filesystem code and the
> filesystem could be holding locks. Therefore, GFP_NOFS is really the
> only really safe way to allocate memory here.
I see. Thank you.
I'm not sure, but can call trace happen where somewhere inside network
filesystem or stackable filesystem code with locks held invokes operations that
involves GFP_KENREL memory allocation outside that filesystem?
----------
[PATCH] SMACK: Fix incorrect GFP_KERNEL usage.
new_inode_smack() which can be called from smack_inode_alloc_security() needs
to use GFP_NOFS like SELinux's inode_alloc_security() does, for
security_inode_alloc() is called from inode_init_always() and
inode_init_always() is called from xfs_inode_alloc() which is using GFP_NOFS.
smack_inode_init_security() needs to use GFP_NOFS like
selinux_inode_init_security() does, for initxattrs() callback function (e.g.
btrfs_initxattrs()) which is called from security_inode_init_security() is
using GFP_NOFS.
smack_audit_rule_match() needs to use GFP_ATOMIC, for
security_audit_rule_match() can be called from audit_filter_user_rules() and
audit_filter_user_rules() is called from audit_filter_user() with RCU read lock
held.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Casey Schaufler <cschaufler@cschaufler-intel.(none)>
Casey Schaufler [Wed, 14 Mar 2012 02:14:19 +0000 (19:14 -0700)]
Smack: recursive tramsmute
The transmuting directory feature of Smack requires that
the transmuting attribute be explicitly set in all cases.
It seems the users of this facility would expect that the
transmuting attribute be inherited by subdirectories that
are created in a transmuting directory. This does not seem
to add any additional complexity to the understanding of
how the system works.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Markus Lehtonen [Wed, 17 Oct 2012 10:14:42 +0000 (13:14 +0300)]
Update changelog
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
Li Peng [Mon, 15 Oct 2012 15:16:08 +0000 (23:16 +0800)]
gfx: enable runtime power management
In DPMS off, current implementation simply turn off the panel and call PMU
to cut power supply of gfx h/w, but app in userspace may still want to access
gfx h/w after screen off, that will cause system hang.
enable gfx runtime PM will make sure gfx device can be suspended or resumed
based on device access demand so that above hang case will not happen.
Change-Id: I492aaac7313908165377fd539467b479af44baa0
Signed-off-by: Li Peng <peng.li@intel.com>
Chengwei Yang [Wed, 17 Oct 2012 03:06:38 +0000 (11:06 +0800)]
Change adb protocol to sdb protocol
Currently, we have a forked sdbd for our kernel so there was no need to
patch our kernel.
However, the forked sdbd will be merged to upstream sdbd and to make it
compatible with adb in userspace cost a large effort.
So the better way is patch our kernel to adopt sdb protocol, on the
other hand, no patch needed to sdbd user space server and client.
Change-Id: I4b3f426d33b2c8fdb5042f9cd60a7b1226c92eb1
Signed-off-by: Chengwei Yang <chengwei.yang@intel.com>
Markus Lehtonen [Wed, 10 Oct 2012 08:10:28 +0000 (11:10 +0300)]
Merge branch 'bb-2.0_beta' into bb-devel
Li Peng [Thu, 27 Sep 2012 07:26:08 +0000 (15:26 +0800)]
remove mac802154 and openvswitch from net/Makefile
They don't exist in kernel tree and it fixes error in "make mrproper"
Signed-off-by: Li Peng <peng.li@intel.com>
Markus Lehtonen [Thu, 27 Sep 2012 05:21:19 +0000 (08:21 +0300)]
Update changelog
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
Chengwei Yang [Wed, 26 Sep 2012 04:28:00 +0000 (12:28 +0800)]
Export usb connection status
There are several components depends on kernel export usb connection
status correctly. First, system-server check usb status by calling OEM
interface to launch usb-server; second, usb-server does the usb mode
setting work and launch syspopup. In addition, setting usb mode from UI
depends on usb-server too.
This also fix TZSP-3142.
Change-Id: I430e588069a807b195cb364846d1a6421cafff14
Signed-off-by: Chengwei Yang <chengwei.yang@intel.com>
Markus Lehtonen [Wed, 26 Sep 2012 06:45:59 +0000 (09:45 +0300)]
Merge remote-tracking branch 'tzg/2.0_beta' into bb-devel
Yong Wang [Wed, 19 Sep 2012 07:58:13 +0000 (15:58 +0800)]
Update changelog
Signed-off-by: Yong Wang <yong.y.wang@intel.com>
Yong Wang [Wed, 19 Sep 2012 07:55:01 +0000 (15:55 +0800)]
hwmon/lis3dh: add screen on/off notifier callback
Add screen on/off notifier callback so that accelerometer
sensor can be enabled/disabled upon screen on/off operations
as it behaves on Android.
Signed-off-by: Yong Wang <yong.y.wang@intel.com>
Yong Wang [Wed, 19 Sep 2012 07:54:02 +0000 (15:54 +0800)]
atmel_mxt_ts: remove redundant mutex
DRM core guarantees that gfx driver's dpms callback is
not reentrant. Therefore the screen on/off notifier is
guaranteed to be non-reentrant too. No need to use another
mutex to protect what has already been protected.
Signed-off-by: Yong Wang <yong.y.wang@intel.com>
Zhu, Peter [Mon, 17 Sep 2012 15:33:58 +0000 (08:33 -0700)]
Merge "Update changelog" into 2.0_beta
Markus Lehtonen [Mon, 17 Sep 2012 11:39:46 +0000 (14:39 +0300)]
Update changelog
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
Zhu, Peter [Mon, 17 Sep 2012 10:58:05 +0000 (03:58 -0700)]
Merge "Fix 1080p H264 failure with rotation (90/180/270), enlarge GTT video mapped memory from 128Mb to 136Mb" into 2.0_beta
Yan Zhang [Fri, 14 Sep 2012 10:03:42 +0000 (18:03 +0800)]
Fix 1080p H264 failure with rotation (90/180/270), enlarge GTT video mapped memory from 128Mb to 136Mb
Markus Lehtonen [Fri, 7 Sep 2012 11:43:02 +0000 (14:43 +0300)]
atomisp: fix a possible null pointer dereference
Fix kernel oops in case isp->main_format is not initialized.
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
Li Peng [Wed, 12 Sep 2012 06:30:00 +0000 (14:30 +0800)]
Merge branch 'master' into 2.0_beta
Markus Lehtonen [Fri, 7 Sep 2012 11:43:02 +0000 (14:43 +0300)]
atomisp: fix a possible null pointer dereference
Fix kernel oops in case isp->main_format is not initialized.
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
Li Peng [Fri, 31 Aug 2012 08:06:54 +0000 (16:06 +0800)]
update changelog
Change-Id: Iaf38810c938e449359c49c9013cf02bf80847b8c
Li, Peng [Fri, 31 Aug 2012 07:55:24 +0000 (00:55 -0700)]
Merge "Update changelog"
Li Peng [Fri, 31 Aug 2012 07:58:22 +0000 (15:58 +0800)]
Merge branch 'devel'
Li Peng [Tue, 28 Aug 2012 07:01:37 +0000 (15:01 +0800)]
boot parameter: set consoleblank to zero
add consoleblank=0 to kernel boot parameter, so console won't blank
if timeout
Signed-off-by: Li Peng <peng.li@intel.com>
Li Peng [Mon, 27 Aug 2012 14:02:21 +0000 (22:02 +0800)]
config: disable HDMI config option
Disable CONFIG_MDFD_HDMI and CONFIG_MDFD_HDMI_REDRIDGE, as we are not ready
for HDMI support
Signed-off-by: Li Peng <peng.li@intel.com>
Markus Lehtonen [Wed, 29 Aug 2012 09:24:06 +0000 (12:24 +0300)]
Update changelog
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
Chengwei Yang [Wed, 29 Aug 2012 05:19:37 +0000 (13:19 +0800)]
Enable slp lowmem module and autofs
Update tizen_bb_defconfig and tizen_rr_defconfig with
* Enable slp lowmem module
* Enbale autofs makes systemd happy, systemd use autofs to implement
automount
Change-Id: Ia856023b74917e460a8f39d2623e7016f7d75bb6
Signed-off-by: Chengwei Yang <chengwei.yang@intel.com>
Lehtonen, Markus [Tue, 28 Aug 2012 15:01:01 +0000 (08:01 -0700)]
Merge "Fix incorrect calculation of number of task" into devel
Lehtonen, Markus [Tue, 28 Aug 2012 14:59:34 +0000 (07:59 -0700)]
Merge "Lowmem: port from slp kernel" into devel
Lehtonen, Markus [Mon, 27 Aug 2012 10:46:07 +0000 (03:46 -0700)]
Merge "[HACK-MUST-REVERT]Added charger event only environment for user space usage" into devel
Li Peng [Mon, 27 Aug 2012 02:14:04 +0000 (10:14 +0800)]
Update changelog
Li Peng [Mon, 27 Aug 2012 02:10:03 +0000 (10:10 +0800)]
Merge branch 'devel'
Austin Zhang [Fri, 24 Aug 2012 08:36:48 +0000 (16:36 +0800)]
[HACK-MUST-REVERT]Added charger event only environment for user
space usage
Added charger event only enviroment so that udev rule can identify
charger-only event happened, so that sys_event will not send out
charger related notification up to heynoti under those case of only
voltage or other events happened.
After we have perfect solution in user space notification framework,
this HACK should be reverted.
Signed-off-by: Austin Zhang <austin.zhang@intel.com>
Yan Zhang [Wed, 15 Aug 2012 08:37:50 +0000 (16:37 +0800)]
Update video driver to MCG's latest code: 1)Topza support 2)Error conceal 3)Context update & HDMI API 4)Bug fix
Signed-off-by: Yan Zhang <yan.y.zhang@intel.com>
Li Peng [Fri, 17 Aug 2012 06:44:16 +0000 (14:44 +0800)]
Revert " Update video driver to MCG's latest code:"
This reverts commit
4f3cc0332f7ea9be864e4d49d652b80baf28249c.
should first go into devel branch
Yan Zhang [Wed, 15 Aug 2012 08:37:50 +0000 (16:37 +0800)]
Update video driver to MCG's latest code:
1)Topza support
2)Error conceal
3)Context update & HDMI API
4)Bug fix
Chengwei Yang [Tue, 14 Aug 2012 03:19:55 +0000 (11:19 +0800)]
Fix incorrect calculation of number of task
Change-Id: Icea513818bffde0b901b99548604a2ecfaa88013
Signed-off-by: Chengwei Yang <chengwei.yang@intel.com>
Chengwei Yang [Tue, 14 Aug 2012 00:20:06 +0000 (08:20 +0800)]
Lowmem: port from slp kernel
Port lsp lowmem code to PR3, only did a little changes. That is change
rss in task_rss_t to long and use atomic_long_read to get atomic_long_t
value.
Change-Id: I21fb684a0b1e86d5ece3a5b294c9f64075d8079d
Signed-off-by: Chengwei Yang <chengwei.yang@intel.com>
Yin, Kangkai [Tue, 14 Aug 2012 03:40:45 +0000 (20:40 -0700)]
Revert "Lowmem: port from slp kernel"
This reverts commit
923fb82117ba9baf50aef46d80f675dd12742e8c
projects / platform / kernel / kernel-mfld-blackbay.git / log