1. 01 5月, 2013 7 次提交
  2. 17 4月, 2013 1 次提交
    • E
      audit: allow checking the type of audit message in the user filter · 62062cf8
      Eric Paris 提交于
      When userspace sends messages to the audit system it includes a type.
      We want to be able to filter messages based on that type without have to
      do the all or nothing option currently available on the
      AUDIT_FILTER_TYPE filter list.  Instead we should be able to use the
      AUDIT_FILTER_USER filter list and just use the message type as one part
      of the matching decision.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      62062cf8
  3. 16 4月, 2013 1 次提交
  4. 12 4月, 2013 2 次提交
    • G
      audit: remove duplicate export of audit_enabled · 72199caa
      Gao feng 提交于
      audit_enabled has already been exported in
      include/linux/audit.h. and kernel/audit.h
      includes include/linux/audit.h, no need to
      export aduit_enabled again in kernel/audit.h
      Signed-off-by: NGao feng <gaofeng@cn.fujitsu.com>
      Signed-off-by: NEric Paris <eparis@redhat.com>
      72199caa
    • E
      Audit: do not print error when LSMs disabled · ad395abe
      Eric Paris 提交于
      RHBZ: 785936
      
      If the audit system collects a record about one process sending a signal
      to another process it includes in that collection the 'secid' or 'an int
      used to represet an LSM label.'  If there is no LSM enabled it will
      collect a 0.  The problem is that when we attempt to print that record
      we ask the LSM to convert the secid back to a string.  Since there is no
      LSM it returns EOPNOTSUPP.
      
      Most code in the audit system checks if the secid is 0 and does not
      print LSM info in that case.  The signal information code however forgot
      that check.  Thus users will see a message in syslog indicating that
      converting the sid to string failed.  Add the right check.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      ad395abe
  5. 11 4月, 2013 7 次提交
  6. 09 4月, 2013 4 次提交
  7. 19 2月, 2013 3 次提交
  8. 16 2月, 2013 7 次提交
  9. 15 2月, 2013 3 次提交
  10. 14 2月, 2013 5 次提交
    • T
      omapdrm: fix the dependency to omapdss · 91e83ffd
      Tomi Valkeinen 提交于
      omapdrm uses "select" in Kconfig to enable omapdss. This doesn't work
      correctly, as "select" forces omapdss to be enabled in the config even
      if it normally could not be enabled because of missing Kconfig
      dependencies.
      
      This causes a build break on ARM, when using allyesconfig:
      
      drivers/video/omap2/dss/dss.c: In function 'dss_calc_clock_div':
      drivers/video/omap2/dss/dss.c:572:20: error: 'CONFIG_OMAP2_DSS_MIN_FCK_PER_PCK' undeclared (first use in this function)
      drivers/video/omap2/dss/dss.c:572:20: note: each undeclared identifier is reported only once for each function it appears in
      
      Instead of using select, this patch changes omapdrm to use "depend
      on".
      Signed-off-by: NTomi Valkeinen <tomi.valkeinen@ti.com>
      91e83ffd
    • N
      OMAPDSS: add FEAT_DPI_USES_VDDS_DSI to omap3630_dss_feat_list · eb91e79b
      NeilBrown 提交于
      commit 195e672a
         OMAPDSS: DPI: Remove cpu_is_xxxx checks
      
      made the mistake of assuming that cpu_is_omap34xx() is exclusive of
      other cpu_is_* predicates whereas it includes cpu_is_omap3630().
      
      So on an omap3630, code that was previously enabled by
        if (cpu_is_omap34xx())
      is now disabled as
        dss_has_feature(FEAT_DPI_USES_VDDS_DSI)
      fails.
      
      So add FEAT_DPI_USES_VDDS_DSI to omap3630_dss_feat_list.
      
      Cc: Chandrabhanu Mahapatra <cmahapatra@ti.com>
      Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
      Signed-off-by: NNeilBrown <neilb@suse.de>
      Signed-off-by: NTomi Valkeinen <tomi.valkeinen@ti.com>
      eb91e79b
    • S
      efi: Clear EFI_RUNTIME_SERVICES rather than EFI_BOOT by "noefi" boot parameter · 1de63d60
      Satoru Takeuchi 提交于
      There was a serious problem in samsung-laptop that its platform driver is
      designed to run under BIOS and running under EFI can cause the machine to
      become bricked or can cause Machine Check Exceptions.
      
          Discussion about this problem:
          https://bugs.launchpad.net/ubuntu-cdimage/+bug/1040557
          https://bugzilla.kernel.org/show_bug.cgi?id=47121
      
          The patches to fix this problem:
          efi: Make 'efi_enabled' a function to query EFI facilities
          83e68189
      
          samsung-laptop: Disable on EFI hardware
          e0094244
      
      Unfortunately this problem comes back again if users specify "noefi" option.
      This parameter clears EFI_BOOT and that driver continues to run even if running
      under EFI. Refer to the document, this parameter should clear
      EFI_RUNTIME_SERVICES instead.
      
      Documentation/kernel-parameters.txt:
      ===============================================================================
      ...
      	noefi		[X86] Disable EFI runtime services support.
      ...
      ===============================================================================
      
      Documentation/x86/x86_64/uefi.txt:
      ===============================================================================
      ...
      - If some or all EFI runtime services don't work, you can try following
        kernel command line parameters to turn off some or all EFI runtime
        services.
      	noefi		turn off all EFI runtime services
      ...
      ===============================================================================
      Signed-off-by: NSatoru Takeuchi <takeuchi_satoru@jp.fujitsu.com>
      Link: http://lkml.kernel.org/r/511C2C04.2070108@jp.fujitsu.com
      Cc: Matt Fleming <matt.fleming@intel.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NH. Peter Anvin <hpa@linux.intel.com>
      1de63d60
    • C
      xen: remove redundant NULL check before unregister_and_remove_pcpu(). · 4f8c8527
      Cyril Roelandt 提交于
      unregister_and_remove_pcpu on a NULL pointer is a no-op, so the NULL check in
      sync_pcpu can be removed.
      Signed-off-by: NCyril Roelandt <tipecaml@gmail.com>
      Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      4f8c8527
    • J
      x86/xen: don't assume %ds is usable in xen_iret for 32-bit PVOPS. · 13d2b4d1
      Jan Beulich 提交于
      This fixes CVE-2013-0228 / XSA-42
      
      Drew Jones while working on CVE-2013-0190 found that that unprivileged guest user
      in 32bit PV guest can use to crash the > guest with the panic like this:
      
      -------------
      general protection fault: 0000 [#1] SMP
      last sysfs file: /sys/devices/vbd-51712/block/xvda/dev
      Modules linked in: sunrpc ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4
      iptable_filter ip_tables ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6
      xt_state nf_conntrack ip6table_filter ip6_tables ipv6 xen_netfront ext4
      mbcache jbd2 xen_blkfront dm_mirror dm_region_hash dm_log dm_mod [last
      unloaded: scsi_wait_scan]
      
      Pid: 1250, comm: r Not tainted 2.6.32-356.el6.i686 #1
      EIP: 0061:[<c0407462>] EFLAGS: 00010086 CPU: 0
      EIP is at xen_iret+0x12/0x2b
      EAX: eb8d0000 EBX: 00000001 ECX: 08049860 EDX: 00000010
      ESI: 00000000 EDI: 003d0f00 EBP: b77f8388 ESP: eb8d1fe0
       DS: 0000 ES: 007b FS: 0000 GS: 00e0 SS: 0069
      Process r (pid: 1250, ti=eb8d0000 task=c2953550 task.ti=eb8d0000)
      Stack:
       00000000 0027f416 00000073 00000206 b77f8364 0000007b 00000000 00000000
      Call Trace:
      Code: c3 8b 44 24 18 81 4c 24 38 00 02 00 00 8d 64 24 30 e9 03 00 00 00
      8d 76 00 f7 44 24 08 00 00 02 80 75 33 50 b8 00 e0 ff ff 21 e0 <8b> 40
      10 8b 04 85 a0 f6 ab c0 8b 80 0c b0 b3 c0 f6 44 24 0d 02
      EIP: [<c0407462>] xen_iret+0x12/0x2b SS:ESP 0069:eb8d1fe0
      general protection fault: 0000 [#2]
      ---[ end trace ab0d29a492dcd330 ]---
      Kernel panic - not syncing: Fatal exception
      Pid: 1250, comm: r Tainted: G      D    ---------------
      2.6.32-356.el6.i686 #1
      Call Trace:
       [<c08476df>] ? panic+0x6e/0x122
       [<c084b63c>] ? oops_end+0xbc/0xd0
       [<c084b260>] ? do_general_protection+0x0/0x210
       [<c084a9b7>] ? error_code+0x73/
      -------------
      
      Petr says: "
       I've analysed the bug and I think that xen_iret() cannot cope with
       mangled DS, in this case zeroed out (null selector/descriptor) by either
       xen_failsafe_callback() or RESTORE_REGS because the corresponding LDT
       entry was invalidated by the reproducer. "
      
      Jan took a look at the preliminary patch and came up a fix that solves
      this problem:
      
      "This code gets called after all registers other than those handled by
      IRET got already restored, hence a null selector in %ds or a non-null
      one that got loaded from a code or read-only data descriptor would
      cause a kernel mode fault (with the potential of crashing the kernel
      as a whole, if panic_on_oops is set)."
      
      The way to fix this is to realize that the we can only relay on the
      registers that IRET restores. The two that are guaranteed are the
      %cs and %ss as they are always fixed GDT selectors. Also they are
      inaccessible from user mode - so they cannot be altered. This is
      the approach taken in this patch.
      
      Another alternative option suggested by Jan would be to relay on
      the subtle realization that using the %ebp or %esp relative references uses
      the %ss segment.  In which case we could switch from using %eax to %ebp and
      would not need the %ss over-rides. That would also require one extra
      instruction to compensate for the one place where the register is used
      as scaled index. However Andrew pointed out that is too subtle and if
      further work was to be done in this code-path it could escape folks attention
      and lead to accidents.
      Reviewed-by: NPetr Matousek <pmatouse@redhat.com>
      Reported-by: NPetr Matousek <pmatouse@redhat.com>
      Reviewed-by: NAndrew Cooper <andrew.cooper3@citrix.com>
      Signed-off-by: NJan Beulich <jbeulich@suse.com>
      Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      13d2b4d1