1. 02 Apr, 2014 1 commit
  2. 31 Mar, 2014 1 commit
      AUDIT: Allow login in non-init namespaces · 543bc6a1
      Eric Paris authored
      It is possible to configure your PAM stack to refuse login if audit
      messages (about the login) were unable to be sent.  This is common in
      many distros and thus normal configuration of many containers.  The PAM
      modules determine if audit is enabled/disabled in the kernel based on
      the return value from sending an audit message on the netlink socket.
      If userspace gets back ECONNREFUSED it believes audit is disabled in the
      kernel.  If it gets any other error, it refuses to let the login
      proceed.
      
      Just about ever since the introduction of namespaces the kernel audit
      subsystem has returned EPERM if the task sending a message was not in
      the init user or pid namespace.  So many forms of containers have never
      worked if audit was enabled in the kernel.
      
      BUT if the container was not in net_init then the kernel network code
      would send ECONNREFUSED (instead of the audit code sending EPERM).  Thus
      by pure accident/dumb luck/bug if an admin configured the PAM stack to
      reject all logins that didn't talk to audit, but then ran the login
      utility in the non-init_net namespace, it would work!! Clearly this was
      a bug, but it is a bug some people expected.
      
      With the introduction of network namespace support in 3.14-rc1 the two
      bugs stopped cancelling each other out.  Now, containers in the
      non-init_net namespace refused to let users log in (just like PAM was
      configured!) Obviously some people were not happy that what used to let
      users log in, now didn't!
      
      This fix is kinda hacky.  We return ECONNREFUSED for all non-init
      relevant namespaces.  That means that not only will the old broken
      non-init_net setups continue to work, now the broken non-init_pid or
      non-init_user setups will 'work'.  They don't really work, since audit
      isn't logging things.  But it's what most users want.
      
      In 3.15 we should have patches to support not only the non-init_net
      (3.14) namespace but also the non-init_pid and non-init_user namespace.
      So all will be right in the world.  This just opens the doors wide open
      on 3.14 and hopefully makes users happy, if not the audit system...
      Reported-by: Andre Tomt <andre@tomt.net>
      Reported-by: Adam Richter <adam_richter2004@yahoo.com>
      Signed-off-by: Eric Paris <eparis@redhat.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      
      Conflicts:
      	kernel/audit.c
  3. 24 Mar, 2014 2 commits
  4. 20 Mar, 2014 19 commits
  5. 07 Mar, 2014 4 commits
  6. 19 Jan, 2014 4 commits
  7. 18 Jan, 2014 1 commit
  8. 17 Jan, 2014 8 commits
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 7d0d46da
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) The value chosen for the new SO_MAX_PACING_RATE socket option on
          parisc was very poorly chosen, let's fix it while we still can.
          From Eric Dumazet.
      
       2) Our generic reciprocal divide was found to handle some edge cases
          incorrectly, part of this is encoded into the BPF as deep as the JIT
          engines themselves.  Just use a real divide throughout for now.
          From Eric Dumazet.
      
       3) Because the initial lookup is lockless, the TCP metrics engine can
          end up creating two entries for the same lookup key.  Fix this by
          doing a second lookup under the lock before we actually create the
          new entry.  From Christoph Paasch.
      
       4) Fix scatter-gather list init in usbnet driver, from Bjørn Mork.
      
       5) Fix unintended 32-bit truncation in cxgb4 driver's bit shifting.
          From Dan Carpenter.
      
       6) Netlink socket dumping uses the wrong socket state for timewait
          sockets.  Fix from Neal Cardwell.
      
       7) Fix netlink memory leak in ieee802154_add_iface(), from Christian
          Engelmayer.
      
       8) Multicast forwarding in ipv4 can overflow the per-rule reference
          counts, causing all multicast traffic to cease.  Fix from Hannes
          Frederic Sowa.
      
       9) via-rhine needs to stop all TX queues when it resets the device,
          from Richard Weinberger.
      
      10) Fix RDS per-cpu accesses broken by the this_cpu_* conversions.  From
          Gerald Schaefer.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
        s390/bpf,jit: fix 32 bit divisions, use unsigned divide instructions
        parisc: fix SO_MAX_PACING_RATE typo
        ipv6: simplify detection of first operational link-local address on interface
        tcp: metrics: Avoid duplicate entries with the same destination-IP
        net: rds: fix per-cpu helper usage
        e1000e: Fix compilation warning when !CONFIG_PM_SLEEP
        bpf: do not use reciprocal divide
        be2net: add dma_mapping_error() check for dma_map_page()
        bnx2x: Don't release PCI bars on shutdown
        net,via-rhine: Fix tx_timeout handling
        batman-adv: fix batman-adv header overhead calculation
        qlge: Fix vlan netdev features.
        net: avoid reference counter overflows on fib_rules in multicast forwarding
        dm9601: add USB IDs for new dm96xx variants
        MAINTAINERS: add virtio-dev ML for virtio
        ieee802154: Fix memory leak in ieee802154_add_iface()
        net: usbnet: fix SG initialisation
        inet_diag: fix inet_diag_dump_icsk() to use correct state for timewait sockets
        cxgb4: silence shift wrapping static checker warning
      s390/bpf,jit: fix 32 bit divisions, use unsigned divide instructions · 3af57f78
      Heiko Carstens authored
      The s390 bpf jit compiler emits the signed divide instructions "dr" and "d"
      for unsigned divisions.
      This can cause problems: the dividend will be zero extended to a 64 bit value
      and the divisor is the 32 bit signed value as specified A or X accumulator,
      even though A and X are supposed to be treated as unsigned values.
      
      The divide instructions will generate an exception if the result cannot be
      expressed with a 32 bit signed value.
      This is the case if e.g. the dividend is 0xffffffff and the divisor either 1
      or also 0xffffffff (signed: -1).
      
      To avoid all these issues simply use unsigned divide instructions.
      Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      parisc: fix SO_MAX_PACING_RATE typo · 75b99dbd
      Eric Dumazet authored
      SO_MAX_PACING_RATE definition on parisc got a typo.
      It's not too late to fix it, before 3.13 is official.
      
      Fixes: 62748f32 ("net: introduce SO_MAX_PACING_RATE")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      ipv6: simplify detection of first operational link-local address on interface · 11ffff75
      Hannes Frederic Sowa authored
      In commit 1ec047eb ("ipv6: introduce per-interface counter for
      dad-completed ipv6 addresses") I built the detection of the first
      operational link-local address much too complex. Additionally this code
      now has a race condition.
      
      Replace it with a much simpler variant, which just scans the address
      list when duplicate address detection completes, to check if this is
      the first valid link local address and send RS and MLD reports then.
      
      Fixes: 1ec047eb ("ipv6: introduce per-interface counter for dad-completed ipv6 addresses")
      Reported-by: Jiri Pirko <jiri@resnulli.us>
      Cc: Flavio Leitner <fbl@redhat.com>
      Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Acked-by: Flavio Leitner <fbl@redhat.com>
      Acked-by: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      tcp: metrics: Avoid duplicate entries with the same destination-IP · 77f99ad1
      Christoph Paasch authored
      Because the tcp-metrics is an RCU-list, it may be that two
      soft-interrupts are inside __tcp_get_metrics() for the same
      destination-IP at the same time. If this destination-IP is not yet part of
      the tcp-metrics, both soft-interrupts will end up in tcpm_new and create
      a new entry for this IP.
      So, we will have two tcp-metrics with the same destination-IP in the list.
      
      This patch checks twice __tcp_get_metrics(). First without holding the
      lock, then while holding the lock. The second one is there to confirm
      that the entry has not been added by another soft-irq while waiting for
      the spin-lock.
      
      Fixes: 51c5d0c4 (tcp: Maintain dynamic metrics in local cache.)
      Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
      Reviewed-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      net: rds: fix per-cpu helper usage · c196403b
      Gerald Schaefer authored
      commit ae4b46e9 "net: rds: use this_cpu_* per-cpu helper" broke per-cpu
      handling for rds. chpfirst is the result of __this_cpu_read(), so it is
      an absolute pointer and not __percpu. Therefore, __this_cpu_write()
      should not operate on chpfirst, but rather on cache->percpu->first, just
      like __this_cpu_read() did before.
      
      Cc: <stable@vger.kernel.org> # 3.8+
      Signed-off-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace · 48ba620a
      Linus Torvalds authored
      Pull namespace fixes from Eric Biederman:
       "This is a set of 3 regression fixes.
      
        This fixes /proc/mounts when using "ip netns add <netns>" to display
        the actual mount point.
      
        This fixes a regression in clone that broke lxc-attach.
      
        This fixes a regression in the permission checks for mounting /proc
        that made proc unmountable if binfmt_misc was in use.  Oops.
      
        My apologies for sending this pull request so late.  Al Viro gave
        interesting review comments about the d_path fix that I wanted to
        address in detail before I sent this pull request.  Unfortunately a
        bad round of colds kept me from addressing that in detail until today.
        The executive summary of the review was:
      
        Al: Is patching d_path really sufficient?
            The prepend_path, d_path, d_absolute_path, and __d_path family of
            functions is a real mess.
      
        Me: Yes, patching d_path is really sufficient.  Yes, the code is a mess.
            No it is not appropriate to rewrite all of d_path for a regression
            that has existed for entirely too long already, when a two line
            change will do"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
        vfs: Fix a regression in mounting proc
        fork:  Allow CLONE_PARENT after setns(CLONE_NEWPID)
        vfs: In d_path don't call d_dname on a mount point
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 8f211b6c
      Linus Torvalds authored
      Pull KVM fix from Paolo Bonzini:
       "Fix for a brown paper bag bug.  Thanks to Drew Jones for noticing"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        kvm: x86: fix apic_base enable check