Implement a sysctl file that disables module-loading system-wide since
there is no longer a viable way to remove CAP_SYS_MODULE after the system
bounding capability set was removed in 2.6.25.

Value can only be set to "1", and is tested only if standard capability
checks allow CAP_SYS_MODULE.  Given existing /dev/mem protections, this
should allow administrators a one-way method to block module loading
after initial boot-time module loading has finished.
Signed-off-by: Kees Cook <kees.cook@canonical.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>

This patch enables applications to handle permissive domain correctly.

Since the v2.6.26 kernel, SELinux has supported an idea of permissive
domain which allows certain processes to work as if permissive mode,
even if the global setting is enforcing mode.
However, we don't have an application program interface to inform
what domains are permissive one, and what domains are not.
It means applications focuses on SELinux (XACE/SELinux, SE-PostgreSQL
and so on) cannot handle permissive domain correctly.

This patch add the sixth field (flags) on the reply of the /selinux/access
interface which is used to make an access control decision from userspace.
If the first bit of the flags field is positive, it means the required
access control decision is on permissive domain, so application should
allow any required actions, as the kernel doing.

This patch also has a side benefit. The av_decision.flags is set at
context_struct_compute_av(). It enables to check required permissions
without read_lock(&policy_rwlock).
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Eric Paris <eparis@redhat.com>
--
 security/selinux/avc.c              |    2 +-
 security/selinux/include/security.h |    4 +++-
 security/selinux/selinuxfs.c        |    4 ++--
 security/selinux/ss/services.c      |   30 +++++-------------------------
 4 files changed, 11 insertions(+), 29 deletions(-)
Signed-off-by: James Morris <jmorris@namei.org>

* 'futexes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  futex: remove the pointer math from double_unlock_hb, fix
  futex: remove the pointer math from double_unlock_hb
  futex: clean up fault logic
  futex: unlock before returning -EFAULT
  futex: use current->time_slack_ns for rt tasks too
  futex: add double_unlock_hb()
  futex: additional (get|put)_futex_key() fixes
  futex: update futex commentary

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
  smack: Add a new '-CIPSO' option to the network address label configuration
  netlabel: Cleanup the Smack/NetLabel code to fix incoming TCP connections
  lsm: Remove the socket_post_accept() hook
  selinux: Remove the "compat_net" compatibility code
  netlabel: Label incoming TCP connections correctly in SELinux
  lsm: Relocate the IPv4 security_inet_conn_request() hooks
  TOMOYO: Fix a typo.
  smack: convert smack to standard linux lists

Annotate struct fs_struct's usage count to indicate the restrictions upon it.
It may not be incremented, except by clone(CLONE_FS), as this affects the
check in check_unsafe_exec() in fs/exec.c.
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Hugh Dickins <hugh@veritas.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

check_unsafe_exec() also notes whether the fs_struct is being
shared by more threads than will get killed by the exec, and if so
sets LSM_UNSAFE_SHARE to make bprm_set_creds() careful about euid.
But /proc/<pid>/cwd and /proc/<pid>/root lookups make transient
use of get_fs_struct(), which also raises that sharing count.

This might occasionally cause a setuid program not to change euid,
in the same way as happened with files->count (check_unsafe_exec
also looks at sighand->count, but /proc doesn't raise that one).

We'd prefer exec not to unshare fs_struct: so fix this in procfs,
replacing get_fs_struct() by get_fs_path(), which does path_get
while still holding task_lock, instead of raising fs->count.
Signed-off-by: Hugh Dickins <hugh@veritas.com>
Cc: stable@kernel.org
___

 fs/proc/base.c |   50 +++++++++++++++--------------------------------
 1 file changed, 16 insertions(+), 34 deletions(-)
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Joe Malicki reports that setuid sometimes doesn't: very rarely,
a setuid root program does not get root euid; and, by the way,
they have a health check running lsof every few minutes.

Right, check_unsafe_exec() notes whether the files_struct is being
shared by more threads than will get killed by the exec, and if so
sets LSM_UNSAFE_SHARE to make bprm_set_creds() careful about euid.
But /proc/<pid>/fd and /proc/<pid>/fdinfo lookups make transient
use of get_files_struct(), which also raises that sharing count.

There's a rather simple fix for this: exec's check on files->count
has been redundant ever since 2.6.1 made it unshare_files() (except
while compat_do_execve() omitted to do so) - just remove that check.

[Note to -stable: this patch will not apply before 2.6.29: earlier
releases should just remove the files->count line from unsafe_exec().]
Reported-by: Joe Malicki <jmalicki@metacarta.com>
Narrowed-down-by: Michael Itz <mitz@metacarta.com>
Tested-by: Joe Malicki <jmalicki@metacarta.com>
Signed-off-by: Hugh Dickins <hugh@veritas.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

2.6.26's commit fd8328be
"sanitize handling of shared descriptor tables in failing execve()"
moved the unshare_files() from flush_old_exec() and several binfmts
to the head of do_execve(); but forgot to make the same change to
compat_do_execve(), leaving a CLONE_FILES files_struct shared across
exec from a 32-bit process on a 64-bit kernel.

It's arguable whether the files_struct really ought to be unshared
across exec; but 2.6.1 made that so to stop the loading binary's fd
leaking into other threads, and a 32-bit process on a 64-bit kernel
ought to behave in the same way as 32 on 32 and 64 on 64.
Signed-off-by: Hugh Dickins <hugh@veritas.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

* 'i2c-for-linus' of git://jdelvare.pck.nerim.net/jdelvare-2.6:
  i2c-core: Some style cleanups
  i2c-piix4: Add support for the Broadcom HT1100 chipset
  i2c-piix4: Add support to SB800 SMBus changes
  i2c-pca-platform: Use defaults if no platform_data given
  i2c-algo-pca: Use timeout for checking the state machine
  i2c-algo-pca: Rework waiting for a free bus
  i2c-algo-pca: Add PCA9665 support
  i2c: Adapt debug macros for KERN_* constants
  i2c-davinci: Fix timeout handling
  i2c: Adapter timeout is in jiffies
  i2c: Set a default timeout value for all adapters
  i2c: Add missing KERN_* constants to printks
  i2c-algo-pcf: Handle timeout correctly
  i2c-algo-pcf: Style cleanups
  eeprom/at24: Remove EXPERIMENTAL
  i2c-nforce2: Add support for MCP67, MCP73, MCP78S and MCP79
  i2c: Clarify which clients are auto-removed
  i2c: Let checkpatch shout on users of the legacy model
  i2c: Document the different ways to instantiate i2c devices

* 'devel' of master.kernel.org:/home/rmk/linux-2.6-arm: (422 commits)
  [ARM] 5435/1: fix compile warning in sanity_check_meminfo()
  [ARM] 5434/1: ARM: OMAP: Fix mailbox compile for 24xx
  [ARM] pxa: fix the bad assumption that PCMCIA sockets always start with 0
  [ARM] pxa: fix Colibri PXA300 and PXA320 LCD backlight pins
  imxfb: Fix TFT mode
  i.MX21/27: remove ifdef CONFIG_FB_IMX
  imxfb: add clock support
  mxc: add arch_reset() function
  clkdev: add possibility to get a clock based on the device name
  i.MX1: remove fb support from mach-imx
  [ARM] pxa: build arch/arm/plat-pxa/mfp.c only when PXA3xx or ARCH_MMP defined
  Gemini: Add support for Teltonika RUT100
  Gemini: gpiolib based GPIO support v2
  MAINTAINERS: add myself as Gemini architecture maintainer
  ARM: Add Gemini architecture v3
  [ARM] OMAP: Fix compile for omap2_init_common_hw()
  MAINTAINERS: Add myself as Faraday ARM core variant maintainer
  ARM: Add support for FA526 v2
  [ARM] acorn,ebsa110,footbridge,integrator,sa1100: Convert asm/io.h to linux/io.h
  [ARM] collie: fix two minor formatting nits
  ...

* git://git.kernel.org/pub/scm/linux/kernel/git/arjan/linux-2.6-async-for-30:
  fastboot: remove duplicate unpack_to_rootfs()
  ide/net: flip the order of SATA and network init
  async: remove the temporary (2.6.29) "async is off by default" code

Fix up conflicts in init/initramfs.c manually

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/cooloney/blackfin-2.6:
  Blackfin arch: be less noisy when gets a gpio conflict after kernel has booted
  Blackfin arch: add RSI's definitions to bf514 and bf516
  Blackfin arch: add link-time asserts to make sure on-chip regions dont overflow
  Blackfin arch: sport spi needs 6 gpio pins
  Blackfin arch: add sport-spi related resource stuff to board file
  Blackfin arch: Blacklist Hibernate (PM_SUSPEND_MEM) on BF561 as well
  Blackfin arch: Privide BF537-STAMP platform data of ADP5520 Multifunction driver
  Blackfin arch: enable the platfrom PATA driver with CF Cards
  Blackfin arch: clean up sports header file
  Blackfin arch: convert BF5{18,27,48}_FAMILY to CONFIG_BF{51,52,54}x
  Blackfin arch: bf51x processors also have 8 timers
  Blackfin arch: add a check to make sure only Blackfin GPIOs may generate IRQs
  Blackfin arch: update default kernel configuration
  Blackfin arch: include linux headers that this one uses definitions from fro sport drivers

Merge branch 'percpu-cpumask-x86-for-linus-2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip

* 'percpu-cpumask-x86-for-linus-2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: (682 commits)
  percpu: fix spurious alignment WARN in legacy SMP percpu allocator
  percpu: generalize embedding first chunk setup helper
  percpu: more flexibility for @dyn_size of pcpu_setup_first_chunk()
  percpu: make x86 addr <-> pcpu ptr conversion macros generic
  linker script: define __per_cpu_load on all SMP capable archs
  x86: UV: remove uv_flush_tlb_others() WARN_ON
  percpu: finer grained locking to break deadlock and allow atomic free
  percpu: move fully free chunk reclamation into a work
  percpu: move chunk area map extension out of area allocation
  percpu: replace pcpu_realloc() with pcpu_mem_alloc() and pcpu_mem_free()
  x86, percpu: setup reserved percpu area for x86_64
  percpu, module: implement reserved allocation and use it for module percpu variables
  percpu: add an indirection ptr for chunk page map access
  x86: make embedding percpu allocator return excessive free space
  percpu: use negative for auto for pcpu_setup_first_chunk() arguments
  percpu: improve first chunk initial area map handling
  percpu: cosmetic renames in pcpu_setup_first_chunk()
  percpu: clean up percpu constants
  x86: un-__init fill_pud/pmd/pte
  x86: remove vestigial fix_ioremap prototypes
  ...

Manually merge conflicts in arch/ia64/kernel/irq_ia64.c

Some lines over 80. 
The printk(KERN_ERR ... ) should be dev_err.
And some blankspace should be deleted.
Signed-off-by: Zhenwen Xu <helight.xu@gmail.com>
Signed-off-by: Jean Delvare <khlai@linux-fr.org>

Add support for the Broadcom HT1100 LD chipset (SMBus function.)
Signed-off-by: Flavio Leitner <fbl@redhat.com>
Signed-off-by: Jean Delvare <khali@linux-fr.org>

Add support for the AMD SB800 Family series of products.
Major changes include the changes to addressing the SMBus registers at different
location from the locations in the previous compatible parts from AMD such as
SB400/SB600/SB700. For SB800, the main features and register definitions of
SMBus and other interfaces are still compatible with the previous products with
the only change being in how to access the internal registers for these blocks.
Signed-off-by: Shane Huang <shane.huang@amd.com>
Signed-off-by: Jean Delvare <khali@linux-fr.org>

Signed-off-by: Wolfram Sang <w.sang@pengutronix.de>
Signed-off-by: Jean Delvare <khali@linux-fr.org>

We now timeout also if the state machine does not change within the
given time. For that, the driver-specific completion-functions are
extended to return true or false depending on the timeout. This then
gets checked in the algorithm.
Signed-off-by: Wolfram Sang <w.sang@pengutronix.de>
Signed-off-by: Jean Delvare <khali@linux-fr.org>

Waiting for a free bus now accepts the timeout value in jiffies and does
proper checking using time_before.
Signed-off-by: Wolfram Sang <w.sang@pengutronix.de>
Signed-off-by: Jean Delvare <khali@linux-fr.org>

Add support for the PCA9665 I2C controller.
Signed-off-by: Wolfram Sang <w.sang@pengutronix.de>
Signed-off-by: Jean Delvare <khali@linux-fr.org>

According to kerneljanitors todo list all printk calls (beginning
a new line) should have an according KERN_* constant.
Those are the changes to the debug macros in the i2c subsystem
to meet this requirement. Also changing no-debug statements
to raw printks again.
Signed-off-by: Frank Seidel <frank@f-seidel.de>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Tested-by: Wolfram Sang <w.sang@pengutronix.de>

Properly set the adapter timeout value in jiffies, and then use that
value in the driver, rather than a hard-coded constant.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Tested-by: Troy Kisky <troy.kisky@boundarydevices.com>
Cc: Kevin Hilman <khilman@mvista.com>

i2c_adapter.timeout is in jiffies. Fix all drivers which thought
otherwise. It didn't really matter as long as the value was only used
inside the driver, but soon i2c-core will use it too so it must have
the proper unit.

Note: for the i2c-mpc driver, this fixes a bug in polling mode.
Timeout would trigger after 1 jiffy, which is most probably not what
the author wanted.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Cc: Clifford Wolf <clifford@clifford.at>
Acked-by: Sean MacLennan <smaclennan@pikatech.com>
Cc: Stefan Roese <sr@denx.de>
Acked-by: Lennert Buytenhek <kernel@wantstofly.org>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Grant Likely <grant.likely@secretlab.ca>
Acked-by: Mark A. Greer <mgreer@mvista.com>

Setting a default timeout value on a per-algo basis doesn't make any
sense. Move the default value setting to i2c-core. Individual adapter
drivers can specify a different (non-zero) value if they wish.

Also express the timeout value in a way which results in the same
duration regarless of the value of HZ.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Acked-by: Wolfram Sang <w.sang@pengutronix.de>

According to kerneljanitors todo list all printk calls (beginning
a new line) should have an according KERN_* constant.
Those are the missing pieces here for the i2c subsystem.
Signed-off-by: Frank Seidel <frank@f-seidel.de>
Signed-off-by: Jean Delvare <khali@linux-fr.org>

With a postfix decrement these timeouts reach -1 rather than 0, but after the
loop it is tested whether they have become 0.

As pointed out by Jean Delvare, the msg_num should be tested before the timeout.
With the current order, you could exit with a timeout error while all the
messages were successfully transferred.
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Acked-by: Eric Brower <ebrower@gmail.com>

cleanup whitespace, fix comments and remove the unused STUB_I2C.
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Acked-by: Eric Brower <ebrower@gmail.com>

This driver has been widely used since inclusion and no problems have
been reported.
Signed-off-by: Wolfram Sang <w.sang@pengutronix.de>
Cc: David Brownell <david-b@pacbell.net>
Signed-off-by: Jean Delvare <khali@linux-fr.org>

The MCP78S and MCP79 appear to be compatible with the previous nForce
chips as far as the SMBus controller is concerned. The MCP67 and MCP73
were not tested yet but I'd be very surprised if they weren't
compatible too.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Cc: Oleg Ryjkov <olegr@olegr.ca>
Cc: Malcolm Lalkaka <mlalkaka@gmail.com>
Cc: Zbigniew Luszpinski <zbiggy@o2.pl>

The automatic removal of i2c clients only affects the clients which
were created automatically in the first place. Add a comment saying
that to avoid any confusion.
Signed-off-by: Jean Delvare <khali@linux-fr.org>

As suggested by Mauro Carvalho Chehab.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Cc: Mauro Carvalho Chehab <mchehab@infradead.org>

On popular demand, here comes some documentation about how to
instantiate i2c devices in the new (standard) i2c device driver
binding model.

I have also clarified how the class bitfield lets driver authors
control which buses are probed in the auto-detect case, and warned
more loudly against the abuse of this method.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Acked-by: Michael Lawnick <nospam_lawnick@gmx.de>
Acked-by: Hans Verkuil <hverkuil@xs4all.nl>

* 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux-2.6:
  [IA64] Fix kstat_this_cpu build breakage

* git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-misc-2.6: (119 commits)
  [SCSI] scsi_dh_rdac: Retry for NOT_READY check condition
  [SCSI] mpt2sas: make global symbols unique
  [SCSI] sd: Make revalidate less chatty
  [SCSI] sd: Try READ CAPACITY 16 first for SBC-2 devices
  [SCSI] sd: Refactor sd_read_capacity()
  [SCSI] mpt2sas v00.100.11.15
  [SCSI] mpt2sas: add MPT2SAS_MINOR(221) to miscdevice.h
  [SCSI] ch: Add scsi type modalias
  [SCSI] 3w-9xxx: add power management support
  [SCSI] bsg: add linux/types.h include to bsg.h
  [SCSI] cxgb3i: fix function descriptions
  [SCSI] libiscsi: fix possbile null ptr session command cleanup
  [SCSI] iscsi class: remove host no argument from session creation callout
  [SCSI] libiscsi: pass session failure a session struct
  [SCSI] iscsi lib: remove qdepth param from iscsi host allocation
  [SCSI] iscsi lib: have lib create work queue for transmitting IO
  [SCSI] iscsi class: fix lock dep warning on logout
  [SCSI] libiscsi: don't cap queue depth in iscsi modules
  [SCSI] iscsi_tcp: replace scsi_debug/tcp_debug logging with iscsi conn logging
  [SCSI] libiscsi_tcp: replace tcp_debug/scsi_debug logging with session/conn logging
  ...

Conflicts:
	arch/arm/include/asm/elf.h
	arch/arm/kernel/module.c

Conflicts:
	sound/soc/pxa/pxa2xx-i2s.c

Compiling recent 2.6.29-rc kernels for ARM gives me the following warning:

arch/arm/mm/mmu.c: In function 'sanity_check_meminfo':
arch/arm/mm/mmu.c:697: warning: comparison between pointer and integer

This is because commit 3fd9825c
"[ARM] 5402/1: fix a case of wrap-around in sanity_check_meminfo()"
in 2.6.29-rc5-git4 added a comparison of a pointer with PAGE_OFFSET,
which is an integer.

Fixed by casting PAGE_OFFSET to void *.
Signed-off-by: Mikael Pettersson <mikpe@it.uu.se>
Acked-by: Nicolas Pitre <nico@cam.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

we check if initrd is initramfs first and then do the real unpack. The check
isn't required, we can directly do unpack.  If the initrd isn't an
initramfs, we can remove the garbage.  In my laptop, this saves 0.1s boot
time.

This patch penalizes non-initramfs initrd case, but nowadays, initramfs is
the most widely used method for initrds.
Signed-off-by: Shaohua Li <shaohua.li@intel.com>
Acked-by: Arjan van de Ven <arjan@infradead.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>

this patch flips the order in which sata and network drivers are initialized.

SATA probing takes quite a bit of time, and with the asynchronous infrastructure
other drivers that run after it can execute in parallel. Network drivers do tend
to take some real time talking to the hardware, so running these later is
a good thing (the sata probe then runs concurrent)

This saves about 15% of my kernels boot time.

Both Dave and Jeff acked this patch and suggested it should go via the async
tree.
Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Acked-by: David S. Miller <davem@davemloft.net>
Acked-by: Jeff Garzik <jeff@garzik.org>