There is no way to limit the capabilities of usermodehelpers. This problem
reared its head recently when someone complained that any user with
cap_net_admin was able to load arbitrary kernel modules, even though the user
didn't have cap_sys_module.  The reason is because the actual load is done by
a usermode helper and those always have the full cap set.  This patch addes new
sysctls which allow us to bound the permissions of usermode helpers.

/proc/sys/kernel/usermodehelper/bset
/proc/sys/kernel/usermodehelper/inheritable

You must have CAP_SYS_MODULE  and CAP_SETPCAP to change these (changes are
&= ONLY).  When the kernel launches a usermodehelper it will do so with these
as the bset and pI.

-v2:	make globals static
	create spinlock to protect globals

-v3:	require both CAP_SETPCAP and CAP_SYS_MODULE
-v4:	fix the typo s/CAP_SET_PCAP/CAP_SETPCAP/ because I didn't commit
Signed-off-by: NEric Paris <eparis@redhat.com>
No-objection-from: Serge E. Hallyn <serge.hallyn@canonical.com>
Acked-by: NDavid Howells <dhowells@redhat.com>
Acked-by: NSerge E. Hallyn <serge.hallyn@canonical.com>
Acked-by: NAndrew G. Morgan <morgan@kernel.org>
Signed-off-by: NJames Morris <jmorris@namei.org>

When memory used for policy exceeds the quota, tomoyo_memory_ok() return false.
In this case, tomoyo_commit_ok() must call kfree() before returning NULL.
This bug exists since 2.6.35.
Signed-off-by: NXiaochen Wang <wangxiaochen0@gmail.com>
Acked-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: NJames Morris <jmorris@namei.org>

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/cjb/mmc: (26 commits)
  mmc: SDHI should depend on SUPERH || ARCH_SHMOBILE
  mmc: tmio_mmc: Move some defines into a shared header
  mmc: tmio: support aggressive clock gating
  mmc: tmio: fix power-mode interpretation
  mmc: tmio: remove work-around for unmasked SDIO interrupts
  sh: fix SDHI IO address-range
  ARM: mach-shmobile: fix SDHI IO address-range
  mmc: tmio: only access registers above 0xff, if available
  mfd: remove now redundant sh_mobile_sdhi.h header
  sh: convert boards to use linux/mmc/sh_mobile_sdhi.h
  ARM: mach-shmobile: convert boards to use linux/mmc/sh_mobile_sdhi.h
  mmc: tmio: convert the SDHI MMC driver from MFD to a platform driver
  sh: ecovec: use the CONFIG_MMC_TMIO symbols instead of MFD
  mmc: tmio: split core functionality, DMA and MFD glue
  mmc: tmio: use PIO for short transfers
  mmc: tmio-mmc: Improve DMA stability on sh-mobile
  mmc: fix mmc_app_send_scr() for dma transfer
  mmc: sdhci-esdhc: enable esdhc on imx53
  mmc: sdhci-esdhc: use writel/readl as general APIs
  mmc: sdhci: add the abort CMDTYPE bits definition
  ...

* 'frv' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-2.6-frv:
  FRV: Use generic show_interrupts()
  FRV: Convert genirq namespace
  frv: Select GENERIC_HARDIRQS_NO_DEPRECATED
  frv: Convert cpu irq_chip to new functions
  frv: Convert mb93493 irq_chip to new functions
  frv: Convert mb93093 irq_chip to new function
  frv: Convert mb93091 irq_chip to new functions
  frv: Fix typo from __do_IRQ overhaul
  frv: Remove stale irq_chip.end
  FRV: Do some cleanups
  FRV: Missing node arg in alloc_thread_info_node() macro
  NOMMU: implement access_remote_vm
  NOMMU: support SMP dynamic percpu_alloc
  NOMMU: percpu should use is_vmalloc_addr().

* 'stable/bug-fixes-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen:
  xen: Use new irq_move functions
  xen: Convert genirq namespace
  xen: fix p2m section mismatches
  xen/p2m: Allocate p2m tracking pages on override
  xen-gntdev: unlock on error path in gntdev_mmap()
  xen-gntdev: return -EFAULT on copy_to_user failure

* git://git.kernel.org/pub/scm/linux/kernel/git/wim/linux-2.6-watchdog:
  watchdog: softdog.c: enhancement to optionally invoke panic instead of reboot on timer expiry
  watchdog: fix nv_tco section mismatch
  watchdog: sp5100_tco.c: Check if firmware has set correct value in tcobase.
  watchdog: Convert release_resource to release_region/release_mem_region
  watchdog: s3c2410_wdt.c: Convert release_resource to release_region/release_mem_region

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/bp/bp:
  amd64_edac: Fix potential memleak

Merge branch 'irq-final-for-linus-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip

* 'irq-final-for-linus-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: (111 commits)
  gpio: ab8500: Mark broken
  genirq: Remove move_*irq leftovers
  genirq: Remove compat code
  drivers: Final irq namespace conversion
  mn10300: Use generic show_interrupts()
  mn10300: Cleanup irq_desc access
  mn10300: Convert genirq namespace
  frv: Use generic show_interrupts()
  frv: Convert genirq namespace
  frv: Select GENERIC_HARDIRQS_NO_DEPRECATED
  frv: Convert cpu irq_chip to new functions
  frv: Convert mb93493 irq_chip to new functions
  frv: Convert mb93093 irq_chip to new function
  frv: Convert mb93091 irq_chip to new functions
  frv: Fix typo from __do_IRQ overhaul
  frv: Remove stale irq_chip.end
  m68k: Convert irq function namespace
  xen: Use new irq_move functions
  xen: Cleanup genirq namespace
  unicore32: Use generic show_interrupts()
  ...

This patch fixes information leakage to the userspace by initializing
the data buffer to zero.
Reported-by: NPeter Huewe <huewe.external@infineon.com>
Signed-off-by: NPeter Huewe <huewe.external@infineon.com>
Signed-off-by: NMarcel Selhorst <m.selhorst@sirrix.com>
[ Also removed the silly "* sizeof(u8)".  If that isn't 1, we have way
  deeper problems than a simple multiplication can fix.   - Linus ]
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

We check the pointers together but at least one of them could be invalid
due to failed allocation. Since we cannot continue if either of the two
allocations has failed, exit early by freeing them both.

Cc: <stable@kernel.org> # 38.x
Reported-by: NMauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: NBorislav Petkov <borislav.petkov@amd.com>

Fix the incorrect use of igrab() inside the i_lock in NFS and Ceph‥

If we are already holding the i_lock, we have a reference to the
inode so we can safely use ihold() to gain an extra reference. This
avoids hangs due to lock recursion on the i_lock now that the
inode_lock is gone and igrab() uses the i_lock itself.
Signed-off-by: NDave Chinner <dchinner@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Cc: Ryan Mallon <ryan@bluewatersys.com>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (30 commits)
  xfrm: Restrict extended sequence numbers to esp
  xfrm: Check for esn buffer len in xfrm_new_ae
  xfrm: Assign esn pointers when cloning a state
  xfrm: Move the test on replay window size into the replay check functions
  netdev: bfin_mac: document TE setting in RMII modes
  drivers net: Fix declaration ordering in inline functions.
  cxgb3: Apply interrupt coalescing settings to all queues
  net: Always allocate at least 16 skb frags regardless of page size
  ipv4: Don't ip_rt_put() an error pointer in RAW sockets.
  net: fix ethtool->set_flags not intended -EINVAL return value
  mlx4_en: Fix loss of promiscuity
  tg3: Fix inline keyword usage
  tg3: use <linux/io.h> and <linux/uaccess.h> instead <asm/io.h> and <asm/uaccess.h>
  net: use CHECKSUM_NONE instead of magic number
  Net / jme: Do not use legacy PCI power management
  myri10ge: small rx_done refactoring
  bridge: notify applications if address of bridge device changes
  ipv4: Fix IP timestamp option (IPOPT_TS_PRESPEC) handling in ip_options_echo()
  can: c_can: Fix tx_bytes accounting
  can: c_can_platform: fix irq check in probe
  ...

These functions take irq_data as an argument and avoid a redundant
lookup in the sparse irq case.
Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
Cc: Ian Campbell <ian.campbell@citrix.com>
Cc: Jeremy Fitzhardinge <jeremy@goop.org>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>

Converted with coccinelle.
Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
Acked-by: NIan Campbell <ian.campbell@citrix.com>
Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>

Fix section mismatch warnings:
set_phys_range_identity() is called by __init xen_set_identity(),
so also mark set_phys_range_identity() as __init.
then:
__early_alloc_p2m() is called set_phys_range_identity(), so also mark
__early_alloc_p2m() as __init.

WARNING: arch/x86/built-in.o(.text+0x7856): Section mismatch in reference from the function __early_alloc_p2m() to the function .init.text:extend_brk()
The function __early_alloc_p2m() references
the function __init extend_brk().
This is often because __early_alloc_p2m lacks a __init
annotation or the annotation of extend_brk is wrong.

WARNING: arch/x86/built-in.o(.text+0x7967): Section mismatch in reference from the function set_phys_range_identity() to the function .init.text:extend_brk()
The function set_phys_range_identity() references
the function __init extend_brk().
This is often because set_phys_range_identity lacks a __init
annotation or the annotation of extend_brk is wrong.

[v2: Per Stephen Hemming recommonedation made __early_alloc_p2m static]
Signed-off-by: NRandy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>

Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
Signed-off-by: NDavid Howells <dhowells@redhat.com>

Convert to new function names.  Converted with coccinelle.
Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
Signed-off-by: NDavid Howells <dhowells@redhat.com>

All chips converted
Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
Signed-off-by: NDavid Howells <dhowells@redhat.com>

Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
Signed-off-by: NDavid Howells <dhowells@redhat.com>

Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
Signed-off-by: NDavid Howells <dhowells@redhat.com>

Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
Signed-off-by: NDavid Howells <dhowells@redhat.com>

Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
Signed-off-by: NDavid Howells <dhowells@redhat.com>

Compiles way better.
Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
Signed-off-by: NDavid Howells <dhowells@redhat.com>

irq_chip.end got obsolete with the removal of __do_IRQ().

irq-mb93093.c even lacks an implementation, but nobody noticed that
it's broken since commit 88d6e1 in 2006.
Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
Signed-off-by: NDavid Howells <dhowells@redhat.com>

1. frv doesn't support SMP, remove the useless SMP bits.

2. frv has its own alloc_task_struct, so define __HAVE_ARCH_TASK_STRUCT_ALLOCATOR
   (I am not sure if frv should use generic alloc_task_struct().)
Signed-off-by: NWANG Cong <amwang@redhat.com>
Signed-off-by: NDavid Howells <dhowells@redhat.com>

There are two alloc_thread_info_node() macros defined (one for debugging and
one for normal).  The commit that changed them most recently:

	commit b6a84016
	Author: Eric Dumazet <eric.dumazet@gmail.com>
	Date:   Tue Mar 22 16:30:42 2011 -0700
	Subject: mm: NUMA aware alloc_thread_info_node()

didn't add the node argument into the macro argument list for the normal macro.
This results in the following error:

kernel/fork.c:267:39: error: macro "alloc_thread_info_node" passed 2 arguments, but takes just 1
kernel/fork.c: In function 'dup_task_struct':
kernel/fork.c:267: error: 'alloc_thread_info_node' undeclared (first use in this function)
kernel/fork.c:267: error: (Each undeclared identifier is reported only once
kernel/fork.c:267: error: for each function it appears in.)
Signed-off-by: NDavid Howells <dhowells@redhat.com>

Recent vm changes brought in a new function which the core procfs code
utilizes.  So implement it for nommu systems too to avoid link failures.
Signed-off-by: NMike Frysinger <vapier@gentoo.org>
Signed-off-by: NDavid Howells <dhowells@redhat.com>
Tested-by: NSimon Horman <horms@verge.net.au>
Tested-by: NIthamar Adema <ithamar.adema@team-embedded.nl>
Acked-by: NGreg Ungerer <gerg@uclinux.org>

This driver is broken in several aspects.

 1) old style irq_chip functions. Sigh

 2) Abuse of the unlock callback. That's not supposed to be a state
    machine for evrything and some more.
Signed-off-by: NThomas Gleixner <tglx@linutronix.de>

All users converted to new interface.
Signed-off-by: NThomas Gleixner <tglx@linutronix.de>

Signed-off-by: NThomas Gleixner <tglx@linutronix.de>

Scripted with coccinelle.
Signed-off-by: NThomas Gleixner <tglx@linutronix.de>

Signed-off-by: NThomas Gleixner <tglx@linutronix.de>

The migration needs only access to irq_data.
Signed-off-by: NThomas Gleixner <tglx@linutronix.de>

Convert to new function names. Converted with coccinelle.
Signed-off-by: NThomas Gleixner <tglx@linutronix.de>

Signed-off-by: NThomas Gleixner <tglx@linutronix.de>

Convert to new function names. Converted with coccinelle.
Signed-off-by: NThomas Gleixner <tglx@linutronix.de>

All chips converted
Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
Cc: David Howells <dhowells@redhat.com>
LKML-Reference: <20110206192106.601290592@linutronix.de>
Signed-off-by: NThomas Gleixner <tglx@linutronix.de>