1. 10 Dec, 2013 1 commit
  2. 02 Dec, 2013 5 commits
    • Eric Paris's avatar
      security: shmem: implement kernel private shmem inodes · c7277090
      Eric Paris authored
      We have a problem where the big_key key storage implementation uses a
      shmem backed inode to hold the key contents.  Because of this detail of
      implementation LSM checks are being done between processes trying to
      read the keys and the tmpfs backed inode.  The LSM checks are already
      being handled on the key interface level and should not be enforced at
      the inode level (since the inode is an implementation detail, not a
      part of the security model)
      
      This patch implements a new function shmem_kernel_file_setup() which
      returns the equivalent to shmem_file_setup() only the underlying inode
      has S_PRIVATE set.  This means that all LSM checks for the inode in
      question are skipped.  It should only be used for kernel internal
      operations where the inode is not exposed to userspace without proper
      LSM checking.  It is possible that some other users of
      shmem_file_setup() should use the new interface, but this has not been
      explored.
      
      Reproducing this bug is a little bit difficult.  The steps I used on
      Fedora are:
      
       (1) Turn off selinux enforcing:
      
      	setenforce 0
      
       (2) Create a huge key
      
      	k=`dd if=/dev/zero bs=8192 count=1 | keyctl padd big_key test-key @s`
      
       (3) Access the key in another context:
      
      	runcon system_u:system_r:httpd_t:s0-s0:c0.c1023 keyctl print $k >/dev/null
      
       (4) Examine the audit logs:
      
      	ausearch -m AVC -i --subject httpd_t | audit2allow
      
      If the last command's output includes a line that looks like:
      
      	allow httpd_t user_tmpfs_t:file { open read };
      
      There was an inode check between httpd and the tmpfs filesystem.  With
      this patch no such denial will be seen.  (NOTE! you should clear your
      audit log if you have tested for this previously)
      
      (Please return you box to enforcing)
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      cc: Hugh Dickins <hughd@google.com>
      cc: linux-mm@kvack.org
      c7277090
    • David Howells's avatar
      KEYS: Fix searching of nested keyrings · 9c5e45df
      David Howells authored
      If a keyring contains more than 16 keyrings (the capacity of a single node in
      the associative array) then those keyrings are split over multiple nodes
      arranged as a tree.
      
      If search_nested_keyrings() is called to search the keyring then it will
      attempt to manually walk over just the 0 branch of the associative array tree
      where all the keyring links are stored.  This works provided the key is found
      before the algorithm steps from one node containing keyrings to a child node
      or if there are sufficiently few keyring links that the keyrings are all in
      one node.
      
      However, if the algorithm does need to step from a node to a child node, it
      doesn't change the node pointer unless a shortcut also gets transited.  This
      means that the algorithm will keep scanning the same node over and over again
      without terminating and without returning.
      
      To fix this, move the internal-pointer-to-node translation from inside the
      shortcut transit handler so that it applies it to node arrival as well.
      
      This can be tested by:
      
      	r=`keyctl newring sandbox @s`
      	for ((i=0; i<=16; i++)); do keyctl newring ring$i $r; done
      	for ((i=0; i<=16; i++)); do keyctl add user a$i a %:ring$i; done
      	for ((i=0; i<=16; i++)); do keyctl search $r user a$i; done
      	for ((i=17; i<=20; i++)); do keyctl search $r user a$i; done
      
      The searches should all complete successfully (or with an error for 17-20),
      but instead one or more of them will hang.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Tested-by: default avatarStephen Gallagher <sgallagh@redhat.com>
      9c5e45df
    • David Howells's avatar
      KEYS: Fix multiple key add into associative array · 23fd78d7
      David Howells authored
      If sufficient keys (or keyrings) are added into a keyring such that a node in
      the associative array's tree overflows (each node has a capacity N, currently
      16) and such that all N+1 keys have the same index key segment for that level
      of the tree (the level'th nibble of the index key), then assoc_array_insert()
      calls ops->diff_objects() to indicate at which bit position the two index keys
      vary.
      
      However, __key_link_begin() passes a NULL object to assoc_array_insert() with
      the intention of supplying the correct pointer later before we commit the
      change.  This means that keyring_diff_objects() is given a NULL pointer as one
      of its arguments which it does not expect.  This results in an oops like the
      attached.
      
      With the previous patch to fix the keyring hash function, this can be forced
      much more easily by creating a keyring and only adding keyrings to it.  Add any
      other sort of key and a different insertion path is taken - all 16+1 objects
      must want to cluster in the same node slot.
      
      This can be tested by:
      
      	r=`keyctl newring sandbox @s`
      	for ((i=0; i<=16; i++)); do keyctl newring ring$i $r; done
      
      This should work fine, but oopses when the 17th keyring is added.
      
      Since ops->diff_objects() is always called with the first pointer pointing to
      the object to be inserted (ie. the NULL pointer), we can fix the problem by
      changing the to-be-inserted object pointer to point to the index key passed
      into assoc_array_insert() instead.
      
      Whilst we're at it, we also switch the arguments so that they are the same as
      for ->compare_object().
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000088
      IP: [<ffffffff81191ee4>] hash_key_type_and_desc+0x18/0xb0
      ...
      RIP: 0010:[<ffffffff81191ee4>] hash_key_type_and_desc+0x18/0xb0
      ...
      Call Trace:
       [<ffffffff81191f9d>] keyring_diff_objects+0x21/0xd2
       [<ffffffff811f09ef>] assoc_array_insert+0x3b6/0x908
       [<ffffffff811929a7>] __key_link_begin+0x78/0xe5
       [<ffffffff81191a2e>] key_create_or_update+0x17d/0x36a
       [<ffffffff81192e0a>] SyS_add_key+0x123/0x183
       [<ffffffff81400ddb>] tracesys+0xdd/0xe2
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Tested-by: default avatarStephen Gallagher <sgallagh@redhat.com>
      23fd78d7
    • David Howells's avatar
      KEYS: Fix the keyring hash function · d54e58b7
      David Howells authored
      The keyring hash function (used by the associative array) is supposed to clear
      the bottommost nibble of the index key (where the hash value resides) for
      keyrings and make sure it is non-zero for non-keyrings.  This is done to make
      keyrings cluster together on one branch of the tree separately to other keys.
      
      Unfortunately, the wrong mask is used, so only the bottom two bits are
      examined and cleared and not the whole bottom nibble.  This means that keys
      and keyrings can still be successfully searched for under most circumstances
      as the hash is consistent in its miscalculation, but if a keyring's
      associative array bottom node gets filled up then approx 75% of the keyrings
      will not be put into the 0 branch.
      
      The consequence of this is that a key in a keyring linked to by another
      keyring, ie.
      
      	keyring A -> keyring B -> key
      
      may not be found if the search starts at keyring A and then descends into
      keyring B because search_nested_keyrings() only searches up the 0 branch (as it
      "knows" all keyrings must be there and not elsewhere in the tree).
      
      The fix is to use the right mask.
      
      This can be tested with:
      
      	r=`keyctl newring sandbox @s`
      	for ((i=0; i<=16; i++)); do keyctl newring ring$i $r; done
      	for ((i=0; i<=16; i++)); do keyctl add user a$i a %:ring$i; done
      	for ((i=0; i<=16; i++)); do keyctl search $r user a$i; done
      
      This creates a sandbox keyring, then creates 17 keyrings therein (labelled
      ring0..ring16).  This causes the root node of the sandbox's associative array
      to overflow and for the tree to have extra nodes inserted.
      
      Each keyring then is given a user key (labelled aN for ringN) for us to search
      for.
      
      We then search for the user keys we added, starting from the sandbox.  If
      working correctly, it should return the same ordered list of key IDs as
      for...keyctl add... did.  Without this patch, it reports ENOKEY "Required key
      not available" for some of the keys.  Just which keys get this depends as the
      kernel pointer to the key type forms part of the hash function.
      Reported-by: default avatarNalin Dahyabhai <nalin@redhat.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Tested-by: default avatarStephen Gallagher <sgallagh@redhat.com>
      d54e58b7
    • David Howells's avatar
      KEYS: Pre-clear struct key on allocation · 2480f57f
      David Howells authored
      The second word of key->payload does not get initialised in key_alloc(), but
      the big_key type is relying on it having been cleared.  The problem comes when
      big_key fails to instantiate a large key and doesn't then set the payload.  The
      big_key_destroy() op is called from the garbage collector and this assumes that
      the dentry pointer stored in the second word will be NULL if instantiation did
      not complete.
      
      Therefore just pre-clear the entire struct key on allocation rather than trying
      to be clever and only initialising to 0 only those bits that aren't otherwise
      initialised.
      
      The lack of initialisation can lead to a bug report like the following if
      big_key failed to initialise its file:
      
      	general protection fault: 0000 [#1] SMP
      	Modules linked in: ...
      	CPU: 0 PID: 51 Comm: kworker/0:1 Not tainted 3.10.0-53.el7.x86_64 #1
      	Hardware name: Dell Inc. PowerEdge 1955/0HC513, BIOS 1.4.4 12/09/2008
      	Workqueue: events key_garbage_collector
      	task: ffff8801294f5680 ti: ffff8801296e2000 task.ti: ffff8801296e2000
      	RIP: 0010:[<ffffffff811b4a51>] dput+0x21/0x2d0
      	...
      	Call Trace:
      	 [<ffffffff811a7b06>] path_put+0x16/0x30
      	 [<ffffffff81235604>] big_key_destroy+0x44/0x60
      	 [<ffffffff8122dc4b>] key_gc_unused_keys.constprop.2+0x5b/0xe0
      	 [<ffffffff8122df2f>] key_garbage_collector+0x1df/0x3c0
      	 [<ffffffff8107759b>] process_one_work+0x17b/0x460
      	 [<ffffffff8107834b>] worker_thread+0x11b/0x400
      	 [<ffffffff81078230>] ? rescuer_thread+0x3e0/0x3e0
      	 [<ffffffff8107eb00>] kthread+0xc0/0xd0
      	 [<ffffffff8107ea40>] ? kthread_create_on_node+0x110/0x110
      	 [<ffffffff815c4bec>] ret_from_fork+0x7c/0xb0
      	 [<ffffffff8107ea40>] ? kthread_create_on_node+0x110/0x110
      Reported-by: default avatarPatrik Kis <pkis@redhat.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Reviewed-by: default avatarStephen Gallagher <sgallagh@redhat.com>
      2480f57f
  3. 30 Nov, 2013 1 commit
  4. 29 Nov, 2013 13 commits
    • Linus Torvalds's avatar
      Linux 3.13-rc2 · dc1ccc48
      Linus Torvalds authored
      dc1ccc48
    • Linus Torvalds's avatar
      Merge tag 'arm64-stable' of git://git.kernel.org/pub/scm/linux/kernel/git/cmarinas/linux-aarch64 · d5ff835f
      Linus Torvalds authored
      Pull ARM64 fixes from Catalin Marinas:
       - Remove preempt_count modifications in the arm64 IRQ handling code
         since that's already dealt with in generic irq_enter/irq_exit
       - PTE_PROT_NONE bit moved higher up to avoid overlapping with the
         hardware bits (for PROT_NONE mappings which are pte_present)
       - Big-endian fixes for ptrace support
       - Asynchronous aborts unmasking while in the kernel
       - pgprot_writecombine() change to create Normal NonCacheable memory
         rather than Device GRE
      
      * tag 'arm64-stable' of git://git.kernel.org/pub/scm/linux/kernel/git/cmarinas/linux-aarch64:
        arm64: Move PTE_PROT_NONE higher up
        arm64: Use Normal NonCacheable memory for writecombine
        arm64: debug: make aarch32 bkpt checking endian clean
        arm64: ptrace: fix compat registes get/set to be endian clean
        arm64: Unmask asynchronous aborts when in kernel mode
        arm64: dts: Reserve the memory used for secondary CPU release address
        arm64: let the core code deal with preempt_count
      d5ff835f
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 033dbbde
      Linus Torvalds authored
      Pull s390 updates from Martin Schwidefsky:
       "One performance improvement and a few bug fixes.  Two of the fixes
        deal with the clock related problems we have seen on recent kernels"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/mm: handle asce-type exceptions as normal page fault
        s390,time: revert direct ktime path for s390 clockevent device
        s390/time,vdso: convert to the new update_vsyscall interface
        s390/uaccess: add missing page table walk range check
        s390/mm: optimize copy_page
        s390/dasd: validate request size before building CCW/TCW request
        s390/signal: always restore saved runtime instrumentation psw bit
      033dbbde
    • Linus Torvalds's avatar
      Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · dc418f6e
      Linus Torvalds authored
      Pull i2c fixes from Wolfram Sang:
       "Some easy but needed fixes for i2c drivers since rc1"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: bcm2835: Linking platform nodes to adapter nodes
        i2c: omap: raw read and write endian fix
        i2c: i2c-bcm-kona: Fix module build
        i2c: i2c-diolan-u2c: different usb endpoints for DLN-2-U2C
        i2c: bcm-kona: remove duplicated include
        i2c: davinci: raw read and write endian fix
      dc418f6e
    • Linus Torvalds's avatar
      Merge branch 'for-3.13-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq · 7224b31b
      Linus Torvalds authored
      Pull workqueue fixes from Tejun Heo:
       "This contains one important fix.  The NUMA support added a while back
        broke ordering guarantees on ordered workqueues.  It was enforced by
        having single frontend interface with @max_active == 1 but the NUMA
        support puts multiple interfaces on unbound workqueues on NUMA
        machines thus breaking the ordered guarantee.  This is fixed by
        disabling NUMA support on ordered workqueues.
      
        The above and a couple other patches were sitting in for-3.12-fixes
        but I forgot to push that out, so they ended up waiting a bit too
        long.  My aplogies.
      
        Other fixes are minor"
      
      * 'for-3.13-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq:
        workqueue: fix pool ID allocation leakage and remove BUILD_BUG_ON() in init_workqueues
        workqueue: fix comment typo for __queue_work()
        workqueue: fix ordered workqueues in NUMA setups
        workqueue: swap set_cpus_allowed_ptr() and PF_NO_SETAFFINITY
      7224b31b
    • Linus Torvalds's avatar
      Merge branch 'for-3.13-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata · de92a058
      Linus Torvalds authored
      Pull libata fixes from Tejun Heo:
       "libata device removal path was removing parent device node before its
        child, which is mostly harmless but triggers warning after recent
        sysfs changes.  Rafael's patch fixes the order.
      
        Other than that, minor controller-specific fixes and device ID
        additions"
      
      * 'for-3.13-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata:
        ATA: Fix port removal ordering
        ahci: add Marvell 9230 to the AHCI PCI device list
        ata: fix acpi_bus_get_device() return value check
        pata_arasan_cf: add missing clk_disable_unprepare() on error path
        ahci: add support for IBM Akebono platform device
      de92a058
    • Linus Torvalds's avatar
      Merge branch 'for-3.13-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup · 2855987d
      Linus Torvalds authored
      Pull cgroup fixes from Tejun Heo:
       "Fixes for three issues.
      
         - cgroup destruction path could swamp system_wq possibly leading to
           deadlock.  This actually seems to happen in the wild with memcg
           because memcg destruction path adds nested dependency on system_wq.
      
           Resolved by isolating cgroup destruction work items on its
           dedicated workqueue.
      
         - Possible locking context deadlock through seqcount reported by
           lockdep
      
         - Memory leak under certain conditions"
      
      * 'for-3.13-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
        cgroup: fix cgroup_subsys_state leak for seq_files
        cpuset: Fix memory allocator deadlock
        cgroup: use a dedicated workqueue for cgroup destruction
      2855987d
    • Linus Torvalds's avatar
      Merge tag 'sound-3.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · b8495995
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "Quite a few HD-Audio fixes, a WUSB audio fix and a fix for FireWire
        audio.  The HD-audio part contains a couple of fixes for the generic
        parser, and these are the only intrusive fixes.  The rest are mostly
        device-specific fixes"
      
      * tag 'sound-3.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda - Add LFE chmap to ASUS ET2700
        ALSA: hda - Initialize missing bass speaker pin for ASUS AIO ET2700
        ALSA: hda - limit mic boost on Asus UX31[A,E]
        ALSA: hda - Check leaf nodes to find aamix amps
        ALSA: hda - Fix hp-mic mode without VREF bits
        ALSA: hda - Create Headhpone Mic Jack Mode when really needed
        ALSA: usb: use multiple packets per urb for Wireless USB inbound audio
        ALSA: hda - Enable mute/mic-mute LEDs for more Thinkpads with Conexant codec
        ALSA: hda - Drop bus->avoid_link_reset flag
        ALSA: hda/realtek - Set pcbeep amp for ALC668
        ALSA: hda/realtek - Add support of ALC231 codec
        ALSA: firewire-lib: fix wrong value for FDF field as an empty packet
      b8495995
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · b01537bf
      Linus Torvalds authored
      Pull vfs dentry reference count fix from Al Viro.
      
      This fixes a possible inode_permission NULL pointer dereference (and
      other problems) that were due to the root dentry count being decremented
      too much.  In commit 48a066e7 ("RCU'd vfsmounts") the placement of
      clearing the LOOKUP_RCU bit changed, and we then returned failure of
      incrementing the lockref on the parent dentry with LOOKUP_RCU cleared.
      
      But that meant we needed to go through the same cleanup routines that
      the later failures did wrt LOOKUP_ROOT and nd->root.
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        fix bogus path_put() of nd->root after some unlazy_walk() failures
      b01537bf
    • Linus Torvalds's avatar
      Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux · 282c183b
      Linus Torvalds authored
      Pull drm qxl leak fix from Dave Airlie:
       "As usual 5 mins after I send a trivial pull fix I find a real bug!
      
        This fixes a memory leak and I'd like to get it into stable queue
        asap"
      
      * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
        drm/qxl: fix memory leak in release list handling
      282c183b
    • Catalin Marinas's avatar
      arm64: Move PTE_PROT_NONE higher up · 3676f9ef
      Catalin Marinas authored
      PTE_PROT_NONE means that a pte is present but does not have any
      read/write attributes. However, setting the memory type like
      pgprot_writecombine() is allowed and such bits overlap with
      PTE_PROT_NONE. This causes mmap/munmap issues in drivers that change the
      vma->vm_pg_prot on PROT_NONE mappings.
      
      This patch reverts the PTE_FILE/PTE_PROT_NONE shift in commit
      59911ca4 (ARM64: mm: Move PTE_PROT_NONE bit) and moves PTE_PROT_NONE
      together with the other software bits.
      Signed-off-by: default avatarSteve Capper <steve.capper@linaro.org>
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Tested-by: default avatarSteve Capper <steve.capper@linaro.org>
      Cc: <stable@vger.kernel.org> # 3.11+
      3676f9ef
    • Catalin Marinas's avatar
      arm64: Use Normal NonCacheable memory for writecombine · 4f00130b
      Catalin Marinas authored
      This provides better performance compared to Device GRE and also allows
      unaligned accesses. Such memory is intended to be used with standard RAM
      (e.g. framebuffers) and not I/O.
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      4f00130b
    • Al Viro's avatar
      fix bogus path_put() of nd->root after some unlazy_walk() failures · d870b4a1
      Al Viro authored
      Failure to grab reference to parent dentry should go through the
      same cleanup as nd->seq mismatch.  As it is, we might end up with
      caller thinking it needs to path_put() nd->root, with obvious
      nasty results once we'd hit that bug enough times to drive the
      refcount of root dentry all the way to zero...
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      d870b4a1
  5. 28 Nov, 2013 20 commits