1. 14 Feb, 2007 1 commit
  2. 12 Feb, 2007 3 commits
  3. 11 Feb, 2007 1 commit
  4. 23 Jan, 2007 1 commit
  5. 13 Dec, 2006 1 commit
    • [PATCH] getting rid of all casts of k[cmz]alloc() calls · 5cbded58
      Robert P. J. Day authored
      Run this:
      
      	#!/bin/sh
      	for f in $(grep -Erl "\([^\)]*\) *k[cmz]alloc" *) ; do
      	  echo "De-casting $f..."
      	  perl -pi -e "s/ ?= ?\([^\)]*\) *(k[cmz]alloc) *\(/ = \1\(/" $f
      	done
      
      And then go through and reinstate those cases where code is casting pointers
      to non-pointers.
      
      And then drop a few hunks which conflicted with outstanding work.
      
      Cc: Russell King <rmk@arm.linux.org.uk>, Ian Molton <spyro@f2s.com>
      Cc: Mikael Starvik <starvik@axis.com>
      Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
      Cc: Roman Zippel <zippel@linux-m68k.org>
      Cc: Geert Uytterhoeven <geert@linux-m68k.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: Kyle McMartin <kyle@mcmartin.ca>
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Jeff Dike <jdike@addtoit.com>
      Cc: Greg KH <greg@kroah.com>
      Cc: Jens Axboe <jens.axboe@oracle.com>
      Cc: Paul Fulghum <paulkf@microgate.com>
      Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
      Cc: Karsten Keil <kkeil@suse.de>
      Cc: Mauro Carvalho Chehab <mchehab@infradead.org>
      Cc: Jeff Garzik <jeff@garzik.org>
      Cc: James Bottomley <James.Bottomley@steeleye.com>
      Cc: Ian Kent <raven@themaw.net>
      Cc: Steven French <sfrench@us.ibm.com>
      Cc: David Woodhouse <dwmw2@infradead.org>
      Cc: Neil Brown <neilb@cse.unsw.edu.au>
      Cc: Jaroslav Kysela <perex@suse.cz>
      Cc: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Andrew Morton <akpm@osdl.org>
      Signed-off-by: Linus Torvalds <torvalds@osdl.org>
  6. 08 Dec, 2006 1 commit
  7. 07 Dec, 2006 4 commits
  8. 22 Nov, 2006 1 commit
    • WorkStruct: Pass the work_struct pointer instead of context data · 65f27f38
      David Howells authored
      Pass the work_struct pointer to the work function rather than context data.
      The work function can use container_of() to work out the data.
      
      For the cases where the container of the work_struct may go away the moment the
      pending bit is cleared, it is made possible to defer the release of the
      structure by deferring the clearing of the pending bit.
      
      To make this work, an extra flag is introduced into the management side of the
      work_struct.  This governs auto-release of the structure upon execution.
      
      Ordinarily, the work queue executor would release the work_struct for further
      scheduling or deallocation by clearing the pending bit prior to jumping to the
      work function.  This means that, unless the driver makes some guarantee itself
      that the work_struct won't go away, the work function may not access anything
      else in the work_struct or its container lest they be deallocated.  This is a
      problem if the auxiliary data is taken away (as done by the last patch).
      
      However, if the pending bit is *not* cleared before jumping to the work
      function, then the work function *may* access the work_struct and its container
      with no problems.  But then the work function must itself release the
      work_struct by calling work_release().
      
      In most cases, automatic release is fine, so this is the default.  Special
      initiators exist for the non-auto-release case (ending in _NAR).
      Signed-Off-By: David Howells <dhowells@redhat.com>
  9. 04 Nov, 2006 1 commit
    • Revert unintentional "volatile" changes in ipc/msg.c · 80491eb9
      Linus Torvalds authored
      Commit 5a06a363 ("[PATCH] ipc/msg.c: clean up coding style") breaks
      fakeroot on Alpha (variously hangs or oopses), according to a report by
      Falk Hueffner.
      
      The fact that the code seems to rely on compiler access ordering through
      the use of "volatile" is a pretty certain sign that the code has locking
      problems, and we should fix those properly and then remove the whole
      "volatile" entirely.
      
      But in the meantime, the movement of "volatile" was unintentional, and
      should be reverted.
      
      Cc: Falk Hueffner <falk@debian.org>
      Cc: Andrew Morton <akpm@osdl.org>
      Acked-by: Ingo Molnar <mingo@elte.hu>
      Signed-off-by: Linus Torvalds <torvalds@osdl.org>
  10. 03 Nov, 2006 1 commit
    • [PATCH] Fix ipc entries removal · c7e12b83
      Pavel Emelianov authored
      Fix two issues related to ipc_ids->entries freeing.
      
      1. When freeing ipc namespace we need to free entries allocated
         with ipc_init_ids().
      
      2. When removing old entries in grow_ary() ipc_rcu_putref()
         may be called on entries set to &ids->nullentry earlier in
         ipc_init_ids().
         This is almost impossible without namespaces, but with
         them this situation becomes possible.
      
      Found during OpenVZ testing after obvious leaks in beancounters.
      Signed-off-by: Pavel Emelianov <xemul@openvz.org>
      Cc: Kirill Korotaev <dev@openvz.org>
      Signed-off-by: Andrew Morton <akpm@osdl.org>
      Signed-off-by: Linus Torvalds <torvalds@osdl.org>
  11. 03 Oct, 2006 2 commits
  12. 02 Oct, 2006 6 commits
  13. 01 Oct, 2006 2 commits
  14. 27 Sep, 2006 2 commits
  15. 31 Jul, 2006 1 commit
  16. 30 Jun, 2006 1 commit
  17. 23 Jun, 2006 3 commits
    • [PATCH] vfs: add lock owner argument to flush operation · 75e1fcc0
      Miklos Szeredi authored
      Pass the POSIX lock owner ID to the flush operation.
      
      This is useful for filesystems which don't want to store any locking state
      in inode->i_flock but want to handle locking/unlocking POSIX locks
      internally.  FUSE is one such filesystem but I think it possible that some
      network filesystems would need this also.
      
      Also add a flag to indicate that a POSIX locking request was generated by
      close(), so filesystems using the above feature won't send an extra locking
      request in this case.
      Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
      Cc: Trond Myklebust <trond.myklebust@fys.uio.no>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Andrew Morton <akpm@osdl.org>
      Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    • [PATCH] remove unused o_flags from do_shmat · 185606fc
      Hugh Dickins authored
      Remove the unused variable o_flags from do_shmat.
      Signed-off-by: Hugh Dickins <hugh@veritas.com>
      Signed-off-by: Andrew Morton <akpm@osdl.org>
      Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    • [PATCH] VFS: Permit filesystem to override root dentry on mount · 454e2398
      David Howells authored
      Extend the get_sb() filesystem operation to take an extra argument that
      permits the VFS to pass in the target vfsmount that defines the mountpoint.
      
      The filesystem is then required to manually set the superblock and root dentry
      pointers.  For most filesystems, this should be done with simple_set_mnt()
      which will set the superblock pointer and then set the root dentry to the
      superblock's s_root (as per the old default behaviour).
      
      The get_sb() op now returns an integer as there's now no need to return the
      superblock pointer.
      
      This patch permits a superblock to be implicitly shared amongst several mount
      points, such as can be done with NFS to avoid potential inode aliasing.  In
      such a case, simple_set_mnt() would not be called, and instead the mnt_root
      and mnt_sb would be set directly.
      
      The patch also makes the following changes:
      
       (*) the get_sb_*() convenience functions in the core kernel now take a vfsmount
           pointer argument and return an integer, so most filesystems have to change
           very little.
      
       (*) If one of the convenience functions is not used, then get_sb() should
           normally call simple_set_mnt() to instantiate the vfsmount. This will
           always return 0, and so can be tail-called from get_sb().
      
       (*) generic_shutdown_super() now calls shrink_dcache_sb() to clean up the
           dcache upon superblock destruction rather than shrink_dcache_anon().
      
           This is required because the superblock may now have multiple trees that
           aren't actually bound to s_root, but that still need to be cleaned up. The
           currently called functions assume that the whole tree is rooted at s_root,
           and that anonymous dentries are not the roots of trees which results in
           dentries being left unculled.
      
           However, with the way NFS superblock sharing is currently set to be
           implemented, these assumptions are violated: the root of the filesystem is
           simply a dummy dentry and inode (the real inode for '/' may well be
           inaccessible), and all the vfsmounts are rooted on anonymous[*] dentries
           with child trees.
      
           [*] Anonymous until discovered from another tree.
      
       (*) The documentation has been adjusted, including the additional bit of
           changing ext2_* into foo_* in the documentation.
      
      [akpm@osdl.org: convert ipath_fs, do other stuff]
      Signed-off-by: David Howells <dhowells@redhat.com>
      Acked-by: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Nathan Scott <nathans@sgi.com>
      Cc: Roland Dreier <rolandd@cisco.com>
      Signed-off-by: Andrew Morton <akpm@osdl.org>
      Signed-off-by: Linus Torvalds <torvalds@osdl.org>
  18. 20 Jun, 2006 2 commits
    • [PATCH] Audit of POSIX Message Queue Syscalls v.2 · 20ca73bc
      George C. Wilson authored
      This patch adds audit support to POSIX message queues.  It applies cleanly to
      the lspp.b15 branch of Al Viro's git tree.  There are new auxiliary data
      structures, and collection and emission routines in kernel/auditsc.c.  New hooks
      in ipc/mqueue.c collect arguments from the syscalls.
      
      I tested the patch by building the examples from the POSIX MQ library tarball.
      Build them -lrt, not against the old MQ library in the tarball.  Here's the URL:
      http://www.geocities.com/wronski12/posix_ipc/libmqueue-4.41.tar.gz
      Do auditctl -a exit,always -S for mq_open, mq_timedsend, mq_timedreceive,
      mq_notify, mq_getsetattr.  mq_unlink has no new hooks.  Please see the
      corresponding userspace patch to get correct output from auditd for the new
      record types.
      
      [fixes folded]
      Signed-off-by: George Wilson <ltcgcw@us.ibm.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [PATCH] update of IPC audit record cleanup · ac03221a
      Linda Knippers authored
      The following patch addresses most of the issues with the IPC_SET_PERM
      records as described in:
      https://www.redhat.com/archives/linux-audit/2006-May/msg00010.html
      and addresses the comments I received on the record field names.
      
      To summarize, I made the following changes:
      
      1. Changed sys_msgctl() and semctl_down() so that an IPC_SET_PERM
         record is emitted in the failure case as well as the success case.
         This matches the behavior in sys_shmctl().  I could simplify the
         code in sys_msgctl() and semctl_down() slightly but it would mean
         that in some error cases we could get an IPC_SET_PERM record
         without an IPC record and that seemed odd.
      
      2. No change to the IPC record type, given no feedback on the backward
         compatibility question.
      
      3. Removed the qbytes field from the IPC record.  It wasn't being
         set and when audit_ipc_obj() is called from ipcperms(), the
         information isn't available.  If we want the information in the IPC
         record, more extensive changes will be necessary.  Since it only
         applies to message queues and it isn't really permission related, it
         doesn't seem worth it.
      
      4. Removed the obj field from the IPC_SET_PERM record.  This means that
         the kern_ipc_perm argument is no longer needed.
      
      5. Removed the spaces and renamed the IPC_SET_PERM field names.  Replaced iuid and
         igid fields with ouid and ogid in the IPC record.
      
      I tested this with the lspp.22 kernel on an x86_64 box.  I believe it
      applies cleanly on the latest kernel.
      
      -- ljk
      Signed-off-by: Linda Knippers <linda.knippers@hp.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  19. 01 May, 2006 1 commit
    • [PATCH] Rework of IPC auditing · 073115d6
      Steve Grubb authored
      1) The audit_ipc_perms() function has been split into two different
      functions:
              - audit_ipc_obj()
              - audit_ipc_set_perm()
      
      There's a key shift here...  The audit_ipc_obj() collects the uid, gid,
      mode, and SElinux context label of the current ipc object.  This
      audit_ipc_obj() hook is now found in several places.  Most notably, it
      is hooked in ipcperms(), which is called in various places around the
      ipc code performing a MAC check.  Additionally there are several places
      where *checkid() is used to validate that an operation is being
      performed on a valid object while not necessarily having a nearby
      ipcperms() call.  In these locations, audit_ipc_obj() is called to
      ensure that the information is captured by the audit system.
      
      The audit_set_new_perm() function is called any time the permissions on
      the ipc object change.  In this case, the NEW permissions are recorded
      (and note that an audit_ipc_obj() call exists just a few lines before
      each instance).
      
      2) Support for an AUDIT_IPC_SET_PERM audit message type.  This allows
      for separate auxiliary audit records for normal operations on an IPC
      object and permissions changes.  Note that the same struct
      audit_aux_data_ipcctl is used and populated, however there are separate
      audit_log_format statements based on the type of the message.  Finally,
      the AUDIT_IPC block of code in audit_free_aux() was extended to handle
      aux messages of this new type.  No more mem leaks I hope ;-)
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  20. 17 Apr, 2006 2 commits
    • [PATCH] IPC: access to unmapped vmalloc area in grow_ary() · a9a5cd5d
      Alexey Kuznetsov authored
      grow_ary() should not copy struct ipc_id_ary (it copies new->p, not
      new). Due to this, memcpy() src pointer could hit unmapped vmalloc page
      when near page boundary.
      
      Found during OpenVZ stress testing
      Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
      Signed-off-by: Kirill Korotaev <dev@openvz.org>
      Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    • [PATCH] shmat: stop mprotect from giving write permission to a readonly attachment (CVE-2006-1524) · b78b6af6
      Hugh Dickins authored
      I found that all of 2.4 and 2.6 have been letting mprotect give write
      permission to a readonly attachment of shared memory, whether or not IPC
      would give the caller that permission.
      
      SUS says "The behaviour of this function [mprotect] is unspecified if the
      mapping was not established by a call to mmap", but I don't think we can
      interpret that as allowing it to subvert IPC permissions.
      
      I haven't tried 2.2, but the 2.2.26 source looks like it gets it right; and
      the patch below reproduces that behaviour - mprotect cannot be used to add
      write permission to a shared memory segment attached readonly.
      
      This patch is simple, and I'm sure it's what we should have done in 2.4.0:
      if you want to go on to switch write permission on and off with mprotect,
      just don't attach the segment readonly in the first place.
      
      However, we could have accumulated apps which attach readonly (even though
      they would be permitted to attach read/write), and which subsequently use
      mprotect to switch write permission on and off: it's not unreasonable.
      
      I was going to add a second ipcperms check in do_shmat, to check for
      writable when readonly, and if not writable find_vma and clear VM_MAYWRITE.
      But security_ipc_permission might do auditing, and it seems wrong to
      report an attempt for write permission when there has been none.  Or we
      could flag the vma as SHM, note the shmid or shp in vm_private_data, and
      then get mprotect to check.
      
      But the patch below is a lot simpler: I'd rather stick with it, if we can
      convince ourselves somehow that it'll be safe.
      Signed-off-by: Hugh Dickins <hugh@veritas.com>
      Signed-off-by: Andrew Morton <akpm@osdl.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  21. 02 Apr, 2006 1 commit
  22. 31 Mar, 2006 1 commit
  23. 28 Mar, 2006 1 commit