- 22 Mar, 2016 1 commit
-
-
Patrick Tjin authored
This reverts commit c97b5c0d, reversing changes made to 6b5cc177 . Change-Id: I2fbf3d21c74ff886640f6ba54d783a8c3d0a75b3 Signed-off-by:
Patrick Tjin <pattjin@google.com>
-
- 17 Mar, 2016 2 commits
-
-
Ben Hutchings authored
pipe_iov_copy_{from,to}_user() may be tried twice with the same iovec, the first time atomically and the second time not. The second attempt needs to continue from the iovec position, pipe buffer offset and remaining length where the first attempt failed, but currently the pipe buffer offset and remaining length are reset. This will corrupt the piped data (possibly also leading to an information leak between processes) and may also corrupt kernel memory. This was fixed upstream by commits f0d1bec9d58d ("new helper: copy_page_from_iter()") and 637b58c2887e ("switch pipe_read() to copy_page_to_iter()"), but those aren't suitable for stable. This fix for older kernel versions was made by Seth Jennings for RHEL and I have extracted it from their update. CVE-2015-1805 Bug: 27275324 Change-Id: I459adb9076fcd50ff1f1c557089c4e421b036ec4 References: https://bugzilla.redhat.com/show_bug.cgi?id=1202855 Signed-off-by:Ben Hutchings <ben@decadent.org.uk> Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 85c34d007116f8a8aafb173966a605fb03532f45)
-
Patrick Tjin authored
-
- 24 Feb, 2016 1 commit
-
-
Naveen Ramaraj authored
Validate input argument before writing into pmu_constraints_codes array Change-Id: Id68b1d2201ab1af783af2236833b1dc894e08cc7 Signed-off-by:
Kishor PK <kpbhat@codeaurora.org> Signed-off-by:
Naveen Ramaraj <nramaraj@codeaurora.org>
-
- 21 Jan, 2016 1 commit
-
-
Wish Wu authored
Prevent unintended kernel NULL pointer dereferencing. Orignal code: hlist_del_rcu(&event->hlist_entry); Fix: Adding pointer check: if(!hlist_unhashed(&p_event->hlist_entry)) hlist_del_rcu(&p_event->hlist_entry); Bug: 25364034 Change-Id: Ieda6d8f4bb567827fa6c7709e9e729905c6c3882 Signed-off-by:Yuan Lin <yualin@google.com>
-
- 12 Jan, 2016 1 commit
-
-
Kirill A. Shutemov authored
(cherry pick from commit ab676b7d6fbf4b294bf198fb27ade5b0e865c7ce) As pointed by recent post[1] on exploiting DRAM physical imperfection, /proc/PID/pagemap exposes sensitive information which can be used to do attacks. This disallows anybody without CAP_SYS_ADMIN to read the pagemap. [1] http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html [ Eventually we might want to do anything more finegrained, but for now this is the simple model. - Linus ] Change-Id: I26bcfef2a0d4d3d02da4c522b29615d8ec694600 Signed-off-by:
Kirill A. Shutemov <kirill.shutemov@linux.intel.com> Acked-by:
Konstantin Khlebnikov <khlebnikov@openvz.org> Acked-by:
Andy Lutomirski <luto@amacapital.net> Cc: Pavel Emelyanov <xemul@parallels.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Mark Seaborn <mseaborn@chromium.org> Cc: stable@vger.kernel.org Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by:
Mark Salyzyn <salyzyn@google.com> Bug: 26038496
-
- 08 Jan, 2016 1 commit
-
-
Vasily Kulikov authored
Poison pointer values should be small enough to find a room in non-mmap'able/hardly-mmap'able space. E.g. on x86 "poison pointer space" is located starting from 0x0. Given unprivileged users cannot mmap anything below mmap_min_addr, it should be safe to use poison pointers lower than mmap_min_addr. The current poison pointer values of LIST_POISON{1,2} might be too big for mmap_min_addr values equal or less than 1 MB (common case, e.g. Ubuntu uses only 0x10000). There is little point to use such a big value given the "poison pointer space" below 1 MB is not yet exhausted. Changing it to a smaller value solves the problem for small mmap_min_addr setups. The values are suggested by Solar Designer: http://www.openwall.com/lists/oss-security/2015/05/02/6 Bug: 26186802 Change-Id: Ie2121a417b6a43ee6d119c996b5ec2ad6d01a0a7 Signed-off-by:
-
- 23 Oct, 2015 1 commit
-
-
Colin Cross authored
prctl_set_vma_anon_name could attempt to set the name across two vmas at the same time due to a typo, which might corrupt the vma list. Fix it to use tmp instead of end to limit the name setting to a single vma at a time. Change-Id: Ie32d8ddb0fd547efbeedd6528acdab5ca5b308b4 Reported-by:
Jed Davis <jld@mozilla.com> Signed-off-by:
Colin Cross <ccross@android.com>
-
- 22 Oct, 2015 1 commit
-
-
Patrick Tjin authored
Signed-off-by:
-
- 14 Oct, 2015 2 commits
-
-
Patrick Tjin authored
Limit the size of copy to the minimum of what was asked for or the number of results returned to prevent leaking of uninitialized kernel memory to userspace. Bug: 24157888 Signed-off-by: -
Patrick Tjin authored
System V IPCs are not compliant with Android's application lifecycle because allocated resources are not freeable by the low memory killer. This lead to global kernel resource leakage. For example, there is no way to automatically release a SysV semaphore allocated in the kernel when: - a buggy or malicious process exits - a non-buggy and non-malicious process crashes or is explicitly killed. Killing processes automatically to make room for new ones is an important part of Android's application lifecycle implementation. This means that, even assuming only non-buggy and non-malicious code, it is very likely that over time, the kernel global tables used to implement SysV IPCs will fill up. Bug: 24551430 Bug: 22300191 Signed-off-by:
-
- 17 Aug, 2015 1 commit
-
-
Naseer Ahmed authored
These messages may cause watchdog timeout. For the usecases that use the ab or ib greater than max, the max will be taken and if that is not enough, underrun would happen, so this message would not be necessary. Signed-off-by:
Huaibin Yang <huaibiny@codeaurora.org> Signed-off-by:
Naseer Ahmed <naseer@codeaurora.org>
-
- 29 Jul, 2015 2 commits
-
-
Harshdeep Dhatt authored
Increase the wait timeout for context detachment to 30s instead of 10s. Large IB's can take longer than 10s to retire and if a hang happens then recovering from the hang and completing the long IB's will take much longer than 10s, bump this timer to 30s which should be sufficient for the context's commands to retire even if hang happens. Change-Id: I610186473208c574b0bcada0b62a7407ae171d37 Signed-off-by:Harshdeep Dhatt <hdhatt@codeaurora.org>
-
Erik Kline authored
Per RFC 6724, section 4, "Candidate Source Addresses": It is RECOMMENDED that the candidate source addresses be the set of unicast addresses assigned to the interface that will be used to send to the destination (the "outgoing" interface). Add a sysctl to enable this behaviour. Signed-off-by:Erik Kline <ek@google.com> Signed-off-by:
David S. Miller <davem@davemloft.net> [Simplified back-port of net-next 3985e8a3611a93bb36789f65db862e5700aab65e] Bug: 19470192 Bug: 21832279 Bug: 22464419 Change-Id: Icd96382f814a6f3ea53f05beb98c266b1929c5a3
-
- 25 Jul, 2015 1 commit
-
-
Thierry Strudel authored
git://codeaurora.org/external/wlan/prima.git 41d7e5b wlan: release 3.2.3.23 11cfab7 wlan: check for sus_res_mcastbcast_filter_valid before resetting Change-Id: I828c6e73eb13ec42447f2069ad20b4576c2c4090 Signed-off-by:
Thierry Strudel <tstrudel@google.com>
-
- 13 Jul, 2015 21 commits
-
-
Eric W. Biederman authored
While testing the pid namespace code I hit this nasty warning. [ 176.262617] ------------[ cut here ]------------ [ 176.263388] WARNING: at /home/eric/projects/linux/linux-userns-devel/kernel/softirq.c:160 local_bh_enable_ip+0x7a/0xa0() [ 176.265145] Hardware name: Bochs [ 176.265677] Modules linked in: [ 176.266341] Pid: 742, comm: bash Not tainted 3.7.0userns+ #18 [ 176.266564] Call Trace: [ 176.266564] [<ffffffff810a539f>] warn_slowpath_common+0x7f/0xc0 [ 176.266564] [<ffffffff810a53fa>] warn_slowpath_null+0x1a/0x20 [ 176.266564] [<ffffffff810ad9ea>] local_bh_enable_ip+0x7a/0xa0 [ 176.266564] [<ffffffff819308c9>] _raw_spin_unlock_bh+0x19/0x20 [ 176.266564] [<ffffffff8123dbda>] proc_free_inum+0x3a/0x50 [ 176.266564] [<ffffffff8111d0dc>] free_pid_ns+0x1c/0x80 [ 176.266564] [<ffffffff8111d195>] put_pid_ns+0x35/0x50 [ 176.266564] [<ffffffff810c608a>] put_pid+0x4a/0x60 [ 176.266564] [<ffffffff8146b177>] tty_ioctl+0x717/0xc10 [ 176.266564] [<ffffffff810aa4d5>] ? wait_consider_task+0x855/0xb90 [ 176.266564] [<ffffffff81086bf9>] ? default_spin_lock_flags+0x9/0x10 [ 176.266564] [<ffffffff810cab0a>] ? remove_wait_queue+0x5a/0x70 [ 176.266564] [<ffffffff811e37e8>] do_vfs_ioctl+0x98/0x550 [ 176.266564] [<ffffffff810b8a0f>] ? recalc_sigpending+0x1f/0x60 [ 176.266564] [<ffffffff810b9127>] ? __set_task_blocked+0x37/0x80 [ 176.266564] [<ffffffff810ab95b>] ? sys_wait4+0xab/0xf0 [ 176.266564] [<ffffffff811e3d31>] sys_ioctl+0x91/0xb0 [ 176.266564] [<ffffffff810a95f0>] ? task_stopped_code+0x50/0x50 [ 176.266564] [<ffffffff81939199>] system_call_fastpath+0x16/0x1b [ 176.266564] ---[ end trace 387af88219ad6143 ]--- It turns out that spin_unlock_bh(proc_inum_lock) is not safe when put_pid is called with another spinlock held and irqs disabled. For now take the easy path and use spin_lock_irqsave(proc_inum_lock) in proc_free_inum and spin_loc_irq in proc_alloc_inum(proc_inum_lock). Signed-off-by:
"Eric W. Biederman" <ebiederm@xmission.com> Bug: 22173056 Backport: commits 0f7aa3c0 to this one are backport of mnt namespace Signed-off-by:
-
Eric W. Biederman authored
Assign a unique proc inode to each namespace, and use that inode number to ensure we only allocate at most one proc inode for every namespace in proc. A single proc inode per namespace allows userspace to test to see if two processes are in the same namespace. This has been a long requested feature and only blocked because a naive implementation would put the id in a global space and would ultimately require having a namespace for the names of namespaces, making migration and certain virtualization tricks impossible. We still don't have per superblock inode numbers for proc, which appears necessary for application unaware checkpoint/restart and migrations (if the application is using namespace file descriptors) but that is now allowd by the design if it becomes important. I have preallocated the ipc and uts initial proc inode numbers so their structures can be statically initialized. Signed-off-by: -
Eric W. Biederman authored
Change the proc namespace files into symlinks so that we won't cache the dentries for the namespace files which can bypass the ptrace_may_access checks. To support the symlinks create an additional namespace inode with it's own set of operations distinct from the proc pid inode and dentry methods as those no longer make sense. Signed-off-by: -
Eric W. Biederman authored
Generalize the proc inode allocation so that it can be used without having to having to create a proc_dir_entry. This will allow namespace file descriptors to remain light weight entitities but still have the same inode number when the backing namespace is the same. Acked-by:
Serge E. Hallyn <serge.hallyn@ubuntu.com> Signed-off-by:
-
Eric W. Biederman authored
- Add a filesystem flag to mark filesystems that are safe to mount as an unprivileged user. - Add a filesystem flag to mark filesystems that don't need MNT_NODEV when mounted by an unprivileged user. - Relax the permission checks to allow unprivileged users that have CAP_SYS_ADMIN permissions in the user namespace referred to by the current mount namespace to be allowed to mount, unmount, and move filesystems. Acked-by:
"Serge E. Hallyn" <serge@hallyn.com> Signed-off-by:
-
Eric W. Biederman authored
Sharing mount subtress with mount namespaces created by unprivileged users allows unprivileged mounts created by unprivileged users to propagate to mount namespaces controlled by privileged users. Prevent nasty consequences by changing shared subtrees to slave subtress when an unprivileged users creates a new mount namespace. Acked-by:
Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by:
-
Eric W. Biederman authored
This will allow for support for unprivileged mounts in a new user namespace. Acked-by:
-
Eric W. Biederman authored
setns support for the mount namespace is a little tricky as an arbitrary decision must be made about what to set fs->root and fs->pwd to, as there is no expectation of a relationship between the two mount namespaces. Therefore I arbitrarily find the root mount point, and follow every mount on top of it to find the top of the mount stack. Then I set fs->root and fs->pwd to that location. The topmost root of the mount stack seems like a reasonable place to be. Bind mount support for the mount namespace inodes has the possibility of creating circular dependencies between mount namespaces. Circular dependencies can result in loops that prevent mount namespaces from every being freed. I avoid creating those circular dependencies by adding a sequence number to the mount namespace and require all bind mounts be of a younger mount namespace into an older mount namespace. Add a helper function proc_ns_inode so it is possible to detect when we are attempting to bind mound a namespace inode. Acked-by:
-
Al Viro authored
Signed-off-by:Al Viro <viro@zeniv.linux.org.uk> (cherry picked from commit 808d4e3cfdcc52b19276175464f6dbca4df13b09)
-
Al Viro authored
normally we deal with lock_mount()/umount races by checking that mountpoint to be is still in our namespace after lock_mount() has been done. However, do_add_mount() skips that check when called with MNT_SHRINKABLE in flags (i.e. from finish_automount()). The reason is that ->mnt_ns may be a temporary namespace created exactly to contain automounts a-la NFS4 referral handling. It's not the namespace of the caller, though, so check_mnt() would fail here. We still need to check that ->mnt_ns is non-NULL in that case, though. Signed-off-by: -
Josef Bacik authored
Btrfs has to make sure we have space to allocate new blocks in order to modify the inode, so updating time can fail. We've gotten around this by having our own file_update_time but this is kind of a pain, and Christoph has indicated he would like to make xfs do something different with atime updates. So introduce ->update_time, where we will deal with i_version an a/m/c time updates and indicate which changes need to be made. The normal version just does what it has always done, updates the time and marks the inode dirty, and then filesystems can choose to do something different. I've gone through all of the users of file_update_time and made them check for errors with the exception of the fault code since it's complicated and I wasn't quite sure what to do there, also Jan is going to be pushing the file time updates into page_mkwrite for those who have it so that should satisfy btrfs and make it not a big deal to check the file_update_time() return code in ...
-
David Howells authored
Add comments describing what the directions "up" and "down" mean and ref count handling to the VFS mount following family of functions. Signed-off-by: Valerie Aurora <vaurora@redhat.com> (Original author) Signed-off-by:
David Howells <dhowells@redhat.com> Signed-off-by:
-
David Howells authored
copy_tree() can theoretically fail in a case other than ENOMEM, but always returns NULL which is interpreted by callers as -ENOMEM. Change it to return an explicit error. Also change clone_mnt() for consistency and because union mounts will add new error cases. Thanks to Andreas Gruenbacher <agruen@suse.de> for a bug fix. [AV: folded braino fix by Dan Carpenter] Original-author: Valerie Aurora <vaurora@redhat.com> Signed-off-by:
-
Al Viro authored
don't rely on proc_mounts->m being the first field; container_of() is there for purpose. No need to bother with ->private, while we are at it - the same container_of will do nicely. Signed-off-by: -
Al Viro authored
it's enough to set ->mnt_ns of internal vfsmounts to something distinct from all struct mnt_namespace out there; then we can just use the check for ->mnt_ns != NULL in the fast path of mntput_no_expire() Signed-off-by: -
Al Viro authored
__mnt_make_shortterm() in there undoes the effect of __mnt_make_longterm() we'd done back when we set ->mnt_ns non-NULL; it should not be done to vfsmounts that had never gone through commit_tree() and friends. Kudos to lczerner for catching that one... Cc: stable@vger.kernel.org Signed-off-by: -
Andi Kleen authored
lglocks and brlocks are currently generated with some complicated macros in lglock.h. But there's no reason to not just use common utility functions and put all the data into a common data structure. In preparation, this patch changes the API to look more like normal function calls with pointers, not magic macros. The patch is rather large because I move over all users in one go to keep it bisectable. This impacts the VFS somewhat in terms of lines changed. But no actual behaviour change. [akpm@linux-foundation.org: checkpatch fixes] Signed-off-by:
Andi Kleen <ak@linux.intel.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by:
Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
Rusty Russell <rusty@rustcorp.com.au> Signed-off-by:
-
Andi Kleen authored
lglocks and brlocks are currently generated with some complicated macros in lglock.h. But there's no reason to not just use common utility functions and put all the data into a common data structure. Since there are at least two users it makes sense to share this code in a library. This is also easier maintainable than a macro forest. This will also make it later possible to dynamically allocate lglocks and also use them in modules (this would both still need some additional, but now straightforward, code) [akpm@linux-foundation.org: checkpatch fixes] Signed-off-by:
-
Rusty Russell authored
Optimizing the slow paths adds a lot of complexity. If you need to grab every lock often, you have other problems. Signed-off-by:
Nick Piggin <npiggin@kernel.dk> Signed-off-by:
-
Thierry Strudel authored
This reverts commit 61fc3d0b2f95e232c7e4021b9e15790377efb80b.
-
Thierry Strudel authored
This reverts commit e4aab2e3 . Signed-off-by:
-
- 09 Jul, 2015 2 commits
-
-
Shivaprasad Hongal authored
Add mechanism to store Adaptive width and height values in start and check while resolution_decreased_event with new resolution (width/height). In new resolution, if any width/height is greater than adaptive values, Send PORT_RECONFIG_EVENT BUG:20895249 Change-Id: I03ccc7d13a767240b962e7c6f4aa25566f3c5a7e Signed-off-by:
Manikanta Kanamarlapudi <kmanikan@codeaurora.org> Signed-off-by:
Shivaprasad Hongal <shongal@codeaurora.org>
-
Patrick Tjin authored
BUG=22127026 Signed-off-by:
-
- 06 Jul, 2015 1 commit
-
-
M1cha authored
this bug was introduced with I9493f28c30356a10eccb320e0a2d1a141388af9a Signed-off-by:M1cha <sigmaepsilon92@gmail.com>
-
- 17 Jun, 2015 1 commit
-
-
Jeff Vander Stoep authored
A userspace call to mmap(MAP_LOCKED) may result in the successful locking of memory while also producing a confusing audit log denial. can_do_mlock checks capable and rlimit. If either of these return positive can_do_mlock returns true. The capable check leads to an LSM hook used by apparmour and selinux which produce the audit denial. Reordering so rlimit is checked first eliminates the denial on success, only recording a denial when the lock is unsuccessful as a result of the denial. (cherry picked from e48e8c45925185c02b23ae461671be29c91101d5) Bug: 19590990 Signed-off-by:
Jeff Vander Stoep <jeffv@google.com> Acked-by:
Nick Kralevich <nnk@google.com> Cc: Jeff Vander Stoep <jeffv@google.com> Cc: Sasha Levin <sasha.levin@oracle.com> Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com> Cc: Rik van Riel <riel@redhat.com> Cc: Vlastimil Babka <vbabka@suse.cz> Cc: Paul Cassella <cassella@cray.com> Signed-off-by:
-
