1. 14 12月, 2012 3 次提交
    • K
      security: introduce kernel_module_from_file hook · 2e72d51b
      Kees Cook 提交于
      Now that kernel module origins can be reasoned about, provide a hook to
      the LSMs to make policy decisions about the module file. This will let
      Chrome OS enforce that loadable kernel modules can only come from its
      read-only hash-verified root filesystem. Other LSMs can, for example,
      read extended attributes for signatures, etc.
      Signed-off-by: NKees Cook <keescook@chromium.org>
      Acked-by: NSerge E. Hallyn <serge.hallyn@canonical.com>
      Acked-by: NEric Paris <eparis@redhat.com>
      Acked-by: NMimi Zohar <zohar@us.ibm.com>
      Acked-by: NJames Morris <james.l.morris@oracle.com>
      Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
      2e72d51b
    • R
      module: add flags arg to sys_finit_module() · 2f3238ae
      Rusty Russell 提交于
      Thanks to Michael Kerrisk for keeping us honest.  These flags are actually
      useful for eliminating the only case where kmod has to mangle a module's
      internals: for overriding module versioning.
      Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
      Acked-by: NLucas De Marchi <lucas.demarchi@profusion.mobi>
      Acked-by: NKees Cook <keescook@chromium.org>
      2f3238ae
    • K
      module: add syscall to load module from fd · 34e1169d
      Kees Cook 提交于
      As part of the effort to create a stronger boundary between root and
      kernel, Chrome OS wants to be able to enforce that kernel modules are
      being loaded only from our read-only crypto-hash verified (dm_verity)
      root filesystem. Since the init_module syscall hands the kernel a module
      as a memory blob, no reasoning about the origin of the blob can be made.
      
      Earlier proposals for appending signatures to kernel modules would not be
      useful in Chrome OS, since it would involve adding an additional set of
      keys to our kernel and builds for no good reason: we already trust the
      contents of our root filesystem. We don't need to verify those kernel
      modules a second time. Having to do signature checking on module loading
      would slow us down and be redundant. All we need to know is where a
      module is coming from so we can say yes/no to loading it.
      
      If a file descriptor is used as the source of a kernel module, many more
      things can be reasoned about. In Chrome OS's case, we could enforce that
      the module lives on the filesystem we expect it to live on.  In the case
      of IMA (or other LSMs), it would be possible, for example, to examine
      extended attributes that may contain signatures over the contents of
      the module.
      
      This introduces a new syscall (on x86), similar to init_module, that has
      only two arguments. The first argument is used as a file descriptor to
      the module and the second argument is a pointer to the NULL terminated
      string of module arguments.
      Signed-off-by: NKees Cook <keescook@chromium.org>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> (merge fixes)
      34e1169d
  2. 03 12月, 2012 2 次提交
    • J
      modsign: add symbol prefix to certificate list · 84ecfd15
      James Hogan 提交于
      Add the arch symbol prefix (if applicable) to the asm definition of
      modsign_certificate_list and modsign_certificate_list_end. This uses the
      recently defined SYMBOL_PREFIX which is derived from
      CONFIG_SYMBOL_PREFIX.
      
      This fixes the build of module signing on the blackfin and metag
      architectures.
      Signed-off-by: NJames Hogan <james.hogan@imgtec.com>
      Cc: Rusty Russell <rusty@rustcorp.com.au>
      Cc: David Howells <dhowells@redhat.com>
      Cc: Mike Frysinger <vapier@gentoo.org>
      Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
      84ecfd15
    • J
      linux/kernel.h: define SYMBOL_PREFIX · cbdbf2ab
      James Hogan 提交于
      Define SYMBOL_PREFIX to be the same as CONFIG_SYMBOL_PREFIX if set by
      the architecture, or "" otherwise. This avoids the need for ugly #ifdefs
      whenever symbols are referenced in asm blocks.
      Signed-off-by: NJames Hogan <james.hogan@imgtec.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Joe Perches <joe@perches.com>
      Cc: Paul Gortmaker <paul.gortmaker@windriver.com>
      Cc: Jean Delvare <khali@linux-fr.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Mike Frysinger <vapier@gentoo.org>
      Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
      cbdbf2ab
  3. 02 12月, 2012 6 次提交
    • L
      Merge branch 'for-3.7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq · 3c46f3d6
      Linus Torvalds 提交于
      Pull  late workqueue fixes from Tejun Heo:
       "Unfortunately, I have two really late fixes.  One was for a
        long-standing bug and queued for 3.8 but I found out about a
        regression introduced during 3.7-rc1 two days ago, so I'm sending out
        the two fixes together.
      
        The first (long-standing) one is rescuer_thread() entering exit path
        w/ TASK_INTERRUPTIBLE.  It only triggers on workqueue destructions
        which isn't very frequent and the exit path can usually survive being
        called with TASK_INTERRUPT, so it was hidden pretty well.  Apparently,
        if you're reiserfs, this could lead to the exiting kthread sleeping
        indefinitely holding a mutex, which is never good.
      
        The fix is simple - restoring TASK_RUNNING before returning from the
        kthread function.
      
        The second one is introduced by the new mod_delayed_work().
        mod_delayed_work() was missing special case handling for 0 delay.
        Instead of queueing the work item immediately, it queued the timer
        which expires on the closest next tick.  Some users of the new
        function converted from "[__]cancel_delayed_work() +
        queue_delayed_work()" combination became unhappy with the extra delay.
      
        Block unplugging led to noticeably higher number of context switches
        and intel 6250 wireless failed to associate with WPA-Enterprise
        network.  The fix, again, is fairly simple.  The 0 delay special case
        logic from queue_delayed_work_on() should be moved to
        __queue_delayed_work() which is shared by both queue_delayed_work_on()
        and mod_delayed_work_on().
      
        The first one is difficult to trigger and the failure mode for the
        latter isn't completely catastrophic, so missing these two for 3.7
        wouldn't make it a disastrous release, but both bugs are nasty and the
        fixes are fairly safe"
      
      * 'for-3.7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq:
        workqueue: mod_delayed_work_on() shouldn't queue timer on 0 delay
        workqueue: exit rescuer_thread() as TASK_RUNNING
      3c46f3d6
    • T
      workqueue: mod_delayed_work_on() shouldn't queue timer on 0 delay · 8852aac2
      Tejun Heo 提交于
      8376fe22 ("workqueue: implement mod_delayed_work[_on]()")
      implemented mod_delayed_work[_on]() using the improved
      try_to_grab_pending().  The function is later used, among others, to
      replace [__]candel_delayed_work() + queue_delayed_work() combinations.
      
      Unfortunately, a delayed_work item w/ zero @delay is handled slightly
      differently by mod_delayed_work_on() compared to
      queue_delayed_work_on().  The latter skips timer altogether and
      directly queues it using queue_work_on() while the former schedules
      timer which will expire on the closest tick.  This means, when @delay
      is zero, that [__]cancel_delayed_work() + queue_delayed_work_on()
      makes the target item immediately executable while
      mod_delayed_work_on() may induce delay of upto a full tick.
      
      This somewhat subtle difference breaks some of the converted users.
      e.g. block queue plugging uses delayed_work for deferred processing
      and uses mod_delayed_work_on() when the queue needs to be immediately
      unplugged.  The above problem manifested as noticeably higher number
      of context switches under certain circumstances.
      
      The difference in behavior was caused by missing special case handling
      for 0 delay in mod_delayed_work_on() compared to
      queue_delayed_work_on().  Joonsoo Kim posted a patch to add it -
      ("workqueue: optimize mod_delayed_work_on() when @delay == 0")[1].
      The patch was queued for 3.8 but it was described as optimization and
      I missed that it was a correctness issue.
      
      As both queue_delayed_work_on() and mod_delayed_work_on() use
      __queue_delayed_work() for queueing, it seems that the better approach
      is to move the 0 delay special handling to the function instead of
      duplicating it in mod_delayed_work_on().
      
      Fix the problem by moving 0 delay special case handling from
      queue_delayed_work_on() to __queue_delayed_work().  This replaces
      Joonsoo's patch.
      
      [1] http://thread.gmane.org/gmane.linux.kernel/1379011/focus=1379012Signed-off-by: NTejun Heo <tj@kernel.org>
      Reported-and-tested-by: NAnders Kaseorg <andersk@MIT.EDU>
      Reported-and-tested-by: NZlatko Calusic <zlatko.calusic@iskon.hr>
      LKML-Reference: <alpine.DEB.2.00.1211280953350.26602@dr-wily.mit.edu>
      LKML-Reference: <50A78AA9.5040904@iskon.hr>
      Cc: Joonsoo Kim <js1304@gmail.com>
      8852aac2
    • M
      workqueue: exit rescuer_thread() as TASK_RUNNING · 412d32e6
      Mike Galbraith 提交于
      A rescue thread exiting TASK_INTERRUPTIBLE can lead to a task scheduling
      off, never to be seen again.  In the case where this occurred, an exiting
      thread hit reiserfs homebrew conditional resched while holding a mutex,
      bringing the box to its knees.
      
      PID: 18105  TASK: ffff8807fd412180  CPU: 5   COMMAND: "kdmflush"
       #0 [ffff8808157e7670] schedule at ffffffff8143f489
       #1 [ffff8808157e77b8] reiserfs_get_block at ffffffffa038ab2d [reiserfs]
       #2 [ffff8808157e79a8] __block_write_begin at ffffffff8117fb14
       #3 [ffff8808157e7a98] reiserfs_write_begin at ffffffffa0388695 [reiserfs]
       #4 [ffff8808157e7ad8] generic_perform_write at ffffffff810ee9e2
       #5 [ffff8808157e7b58] generic_file_buffered_write at ffffffff810eeb41
       #6 [ffff8808157e7ba8] __generic_file_aio_write at ffffffff810f1a3a
       #7 [ffff8808157e7c58] generic_file_aio_write at ffffffff810f1c88
       #8 [ffff8808157e7cc8] do_sync_write at ffffffff8114f850
       #9 [ffff8808157e7dd8] do_acct_process at ffffffff810a268f
          [exception RIP: kernel_thread_helper]
          RIP: ffffffff8144a5c0  RSP: ffff8808157e7f58  RFLAGS: 00000202
          RAX: 0000000000000000  RBX: 0000000000000000  RCX: 0000000000000000
          RDX: 0000000000000000  RSI: ffffffff8107af60  RDI: ffff8803ee491d18
          RBP: 0000000000000000   R8: 0000000000000000   R9: 0000000000000000
          R10: 0000000000000000  R11: 0000000000000000  R12: 0000000000000000
          R13: 0000000000000000  R14: 0000000000000000  R15: 0000000000000000
          ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
      Signed-off-by: NMike Galbraith <mgalbraith@suse.de>
      Signed-off-by: NTejun Heo <tj@kernel.org>
      Cc: stable@vger.kernel.org
      412d32e6
    • L
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · 331fee3c
      Linus Torvalds 提交于
      Pull vfs fixes from Al Viro:
       "A bunch of fixes; the last one is this cycle regression, the rest are
        -stable fodder."
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        fix off-by-one in argument passed by iterate_fd() to callbacks
        lookup_one_len: don't accept . and ..
        cifs: get rid of blind d_drop() in readdir
        nfs_lookup_revalidate(): fix a leak
        don't do blind d_drop() in nfs_prime_dcache()
      331fee3c
    • L
      Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · b3c3a9cf
      Linus Torvalds 提交于
      Pull RCU fix from Ingo Molnar:
       "Fix leaking RCU extended quiescent state, which might trigger warnings
        and mess up the extended quiescent state tracking logic into thinking
        that we are in "RCU user mode" while we aren't."
      
      * 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        rcu: Fix unrecovered RCU user mode in syscall_trace_leave()
      b3c3a9cf
    • L
      Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 455e987c
      Linus Torvalds 提交于
      Pull perf fixes from Ingo Molnar:
       "This is mostly about unbreaking architectures that took the UAPI
        changes in the v3.7 cycle, plus misc fixes."
      
      * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf kvm: Fix building perf kvm on non x86 arches
        perf kvm: Rename perf_kvm to perf_kvm_stat
        perf: Make perf build for x86 with UAPI disintegration applied
        perf powerpc: Use uapi/unistd.h to fix build error
        tools: Pass the target in descend
        tools: Honour the O= flag when tool build called from a higher Makefile
        tools: Define a Makefile function to do subdir processing
        x86: Export asm/{svm.h,vmx.h,perf_regs.h}
        perf tools: Fix strbuf_addf() when the buffer needs to grow
        perf header: Fix numa topology printing
        perf, powerpc: Fix hw breakpoints returning -ENOSPC
      455e987c
  4. 01 12月, 2012 20 次提交
  5. 30 11月, 2012 5 次提交
  6. 29 11月, 2012 4 次提交
    • A
      Merge branch 'v3.7-samsung-fixes-4' of... · 9434d24b
      Arnd Bergmann 提交于
      Merge branch 'v3.7-samsung-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/kgene/linux-samsung into fixes
      
      From Kukjin Kim <kgene.kim@samsung.com>:
      
      Samsung fixes for v3.7
      
      * 'v3.7-samsung-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/kgene/linux-samsung:
        ARM: S3C24XX: Fix potential NULL pointer dereference error
      
      This would have been ok to delay to 3.8 according to Kukjin, but since
      it's an obvious bug fix and a potential NULL pointer dereference, it
      seem appropriate for a late 3.7 submission.
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      9434d24b
    • O
      remoteproc: fix error path of ->find_vqs · dab55bba
      Ohad Ben-Cohen 提交于
      Eliminate an erroneous invocation of rproc_shutdown inside
      the error path of rproc_virtio_find_vqs.
      Reported-by: NIdo Yariv <ido@wizery.com>
      Signed-off-by: NOhad Ben-Cohen <ohad@wizery.com>
      dab55bba
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · e9296e89
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
       "Some more fixes trickled in over the past few days:
      
         1) PIM device names can overflow the IFNAMSIZ buffer unless we
            properly limit the allowed indexes, fix from Eric Dumazet.
      
         2) Under heavy load we can OOPS in icmp reply processing due to an
            unchecked inet_putpeer() call.  Fix from Neal Cardwell.
      
         3) SCTP round trip calculations need to use 64-bit math to avoid
            overflows, fix from Schoch Christian.
      
         4) Fix a memory leak and an error return flub in SCTP and IRDA
            triggerable by userspace.  Fix from Tommi Rantala and found by the
            syscall fuzzer (trinity).
      
         5) MLX4 driver gives bogus size to memcpy() call, fix from Amir
            Vadai.
      
         6) Fix length calculation in VHOST descriptor translation, from
            Michael S Tsirkin.
      
         7) Ambassador ATM driver loops forever while loading firmware, fix
            from Dan Carpenter.
      
         8) Over MTU packets in openvswitch warn about wrong device, fix from
            Jesse Gross.
      
         9) Netfilter IPSET's netlink code can overrun a string buffer because
            it's not properly limited to IFNAMSIZ.  Fix from Florian Westphal.
      
        10) PCAN USB driver sets wrong timestamp in SKB, from Oliver Hartkopp.
      
        11) Make sure the RX ifindex always has a valid value in the CAN BCM
            driver, even if we haven't received a frame yet.  Fix also from
            Oliver Hartkopp."
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
        team: fix hw_features setup
        atm: forever loop loading ambassador firmware
        vhost: fix length for cross region descriptor
        irda: irttp: fix memory leak in irttp_open_tsap() error path
        net: qmi_wwan: add Huawei E173
        net/mlx4_en: Can set maxrate only for TC0
        sctp: Error in calculation of RTTvar
        sctp: fix -ENOMEM result with invalid user space pointer in sendto() syscall
        sctp: fix memory leak in sctp_datamsg_from_user() when copy from user space fails
        net: ipmr: limit MRT_TABLE identifiers
        ipv4: avoid passing NULL to inet_putpeer() in icmpv4_xrlim_allow()
        can: bcm: initialize ifindex for timeouts without previous frame reception
        can: peak_usb: fix hwtstamp assignment
        netfilter: ipset: fix netiface set name overflow
        openvswitch: Store flow key len if ARP opcode is not request or reply.
        openvswitch: Print device when warning about over MTU packets.
      e9296e89
    • A
      02232f8d