1. 05 Apr, 2013 1 commit
  2. 03 Mar, 2013 1 commit
    • Eric W. Biederman's avatar
      fs: Limit sys_mount to only request filesystem modules. · 7f78e035
      Eric W. Biederman authored
      
      
      Modify the request_module to prefix the file system type with "fs-"
      and add aliases to all of the filesystems that can be built as modules
      to match.
      
      A common practice is to build all of the kernel code and leave code
      that is not commonly needed as modules, with the result that many
      users are exposed to any bug anywhere in the kernel.
      
      Looking for filesystems with a fs- prefix limits the pool of possible
      modules that can be loaded by mount to just filesystems trivially
      making things safer with no real cost.
      
      Using aliases means user space can control the policy of which
      filesystem modules are auto-loaded by editing /etc/modprobe.d/*.conf
      with blacklist and alias directives.  Allowing simple, safe,
      well understood work-arounds to known problematic software.
      
      This also addresses a rare but unfortunate problem where the filesystem
      name is not the same as it's module name and module auto-loading
      would not work.  While writing this patch I saw a handful of such
      cases.  The most significant being autofs that lives in the module
      autofs4.
      
      This is relevant to user namespaces because we can reach the request
      module in get_fs_type() without having any special permissions, and
      people get uncomfortable when a user specified string (in this case
      the filesystem type) goes all of the way to request_module.
      
      After having looked at this issue I don't think there is any
      particular reason to perform any filtering or permission checks beyond
      making it clear in the module request that we want a filesystem
      module.  The common pattern in the kernel is to call request_module()
      without regards to the users permissions.  In general all a filesystem
      module does once loaded is call register_filesystem() and go to sleep.
      Which means there is not much attack surface exposed by loading a
      filesytem module unless the filesystem is mounted.  In a user
      namespace filesystems are not mounted unless .fs_flags = FS_USERNS_MOUNT,
      which most filesystems do not set today.
      Acked-by: default avatarSerge Hallyn <serge.hallyn@canonical.com>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Reported-by: default avatarKees Cook <keescook@google.com>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      7f78e035
  3. 09 Oct, 2012 2 commits
    • David Woodhouse's avatar
      mtd: Disable mtdchar mmap on MMU systems · f5cf8f07
      David Woodhouse authored
      
      
      This code was broken because it assumed that all MTD devices were map-based.
      Disable it for now, until it can be fixed properly for the next merge window.
      Signed-off-by: default avatarDavid Woodhouse <David.Woodhouse@intel.com>
      f5cf8f07
    • Konstantin Khlebnikov's avatar
      mm: kill vma flag VM_RESERVED and mm->reserved_vm counter · 314e51b9
      Konstantin Khlebnikov authored
      
      
      A long time ago, in v2.4, VM_RESERVED kept swapout process off VMA,
      currently it lost original meaning but still has some effects:
      
       | effect                 | alternative flags
      -+------------------------+---------------------------------------------
      1| account as reserved_vm | VM_IO
      2| skip in core dump      | VM_IO, VM_DONTDUMP
      3| do not merge or expand | VM_IO, VM_DONTEXPAND, VM_HUGETLB, VM_PFNMAP
      4| do not mlock           | VM_IO, VM_DONTEXPAND, VM_HUGETLB, VM_PFNMAP
      
      This patch removes reserved_vm counter from mm_struct.  Seems like nobody
      cares about it, it does not exported into userspace directly, it only
      reduces total_vm showed in proc.
      
      Thus VM_RESERVED can be replaced with VM_IO or pair VM_DONTEXPAND | VM_DONTDUMP.
      
      remap_pfn_range() and io_remap_pfn_range() set VM_IO|VM_DONTEXPAND|VM_DONTDUMP.
      remap_vmalloc_range() set VM_DONTEXPAND | VM_DONTDUMP.
      
      [akpm@linux-foundation.org: drivers/vfio/pci/vfio_pci.c fixup]
      Signed-off-by: default avatarKonstantin Khlebnikov <khlebnikov@openvz.org>
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: Carsten Otte <cotte@de.ibm.com>
      Cc: Chris Metcalf <cmetcalf@tilera.com>
      Cc: Cyrill Gorcunov <gorcunov@openvz.org>
      Cc: Eric Paris <eparis@redhat.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: James Morris <james.l.morris@oracle.com>
      Cc: Jason Baron <jbaron@redhat.com>
      Cc: Kentaro Takeda <takedakn@nttdata.co.jp>
      Cc: Matt Helsley <matthltc@us.ibm.com>
      Cc: Nick Piggin <npiggin@kernel.dk>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
      Cc: Robert Richter <robert.richter@amd.com>
      Cc: Suresh Siddha <suresh.b.siddha@intel.com>
      Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Cc: Venkatesh Pallipadi <venki@google.com>
      Acked-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      314e51b9
  4. 28 Sep, 2012 1 commit
    • Linus Torvalds's avatar
      mtdchar: fix offset overflow detection · 9c603e53
      Linus Torvalds authored
      
      
      Sasha Levin has been running trinity in a KVM tools guest, and was able
      to trigger the BUG_ON() at arch/x86/mm/pat.c:279 (verifying the range of
      the memory type).  The call trace showed that it was mtdchar_mmap() that
      created an invalid remap_pfn_range().
      
      The problem is that mtdchar_mmap() does various really odd and subtle
      things with the vma page offset etc, and uses the wrong types (and the
      wrong overflow) detection for it.
      
      For example, the page offset may well be 32-bit on a 32-bit
      architecture, but after shifting it up by PAGE_SHIFT, we need to use a
      potentially 64-bit resource_size_t to correctly hold the full value.
      
      Also, we need to check that the vma length plus offset doesn't overflow
      before we check that it is smaller than the length of the mtdmap region.
      
      This fixes things up and tries to make the code a bit easier to read.
      Reported-and-tested-by: default avatarSasha Levin <levinsasha928@gmail.com>
      Acked-by: default avatarSuresh Siddha <suresh.b.siddha@intel.com>
      Acked-by: default avatarArtem Bityutskiy <dedekind1@gmail.com>
      Cc: David Woodhouse <dwmw2@infradead.org>
      Cc: linux-mtd@lists.infradead.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      9c603e53
  5. 07 May, 2012 1 commit
    • Will Newton's avatar
      mtd: fix oops in dataflash driver · 7a84477c
      Will Newton authored
      
      
      I'm seeing an oops in mtd_dataflash.c with Linux 3.3. What appears to
      be happening is that otp_select_filemode calls mtd_read_fact_prot_reg
      with -1 for offset and length and a NULL buffer to test if OTP
      operations are supported. This finds its way down to otp_read in
      mtd_dataflash.c and causes an oops when memcpying the returned data
      into the NULL buf.
      
      None of the checks in otp_read catches the negative length and offset.
      Changing the length of the dummy read to 0 prevents the oops.
      
      Cc: stable@kernel.org [3.3+]
      Signed-off-by: default avatarArtem Bityutskiy <artem.bityutskiy@linux.intel.com>
      Signed-off-by: default avatarDavid Woodhouse <David.Woodhouse@intel.com>
      7a84477c
  6. 08 Apr, 2012 1 commit
  7. 31 Mar, 2012 1 commit
  8. 26 Mar, 2012 1 commit
    • Artem Bityutskiy's avatar
      mtd: add leading underscore to all mtd functions · 3c3c10bb
      Artem Bityutskiy authored
      
      
      This patch renames all MTD functions by adding a "_" prefix:
      
      mtd->erase -> mtd->_erase
      mtd->read_oob -> mtd->_read_oob
      ...
      
      The reason is that we are re-working the MTD API and from now on it is
      an error to use MTD function pointers directly - we have a corresponding
      API call for every pointer. By adding a leading "_" we achieve the following:
      
      1. Make sure we convert every direct pointer users
      2. A leading "_" suggests that this interface is internal and it becomes
         less likely that people will use them directly
      3. Make sure all the out-of-tree modules stop compiling and the owners
         spot the big API change and amend them.
      Signed-off-by: default avatarArtem Bityutskiy <artem.bityutskiy@linux.intel.com>
      Signed-off-by: default avatarDavid Woodhouse <David.Woodhouse@intel.com>
      3c3c10bb
  9. 23 Mar, 2012 1 commit
  10. 09 Jan, 2012 30 commits