1. 05 Feb, 2014 3 commits
    • SELinux: Fix kernel BUG on empty security contexts. · 2172fa70
      Stephen Smalley authored
      Setting an empty security context (length=0) on a file will
      lead to incorrectly dereferencing the type and other fields
      of the security context structure, yielding a kernel BUG.
      As a zero-length security context is never valid, just reject
      all such security contexts whether coming from userspace
      via setxattr or coming from the filesystem upon a getxattr
      request by SELinux.
      
      Setting a security context value (empty or otherwise) unknown to
      SELinux in the first place is only possible for a root process
      (CAP_MAC_ADMIN), and, if running SELinux in enforcing mode, only
      if the corresponding SELinux mac_admin permission is also granted
      to the domain by policy.  In Fedora policies, this is only allowed for
      specific domains such as livecd for setting down security contexts
      that are not defined in the build host policy.
      
      Reproducer:
      su
      setenforce 0
      touch foo
      setfattr -n security.selinux foo
      
      Caveat:
      Relabeling or removing foo after doing the above may not be possible
      without booting with SELinux disabled.  Any subsequent access to foo
      after doing the above will also trigger the BUG.
      
      BUG output from Matthew Thode:
      [  473.893141] ------------[ cut here ]------------
      [  473.962110] kernel BUG at security/selinux/ss/services.c:654!
      [  473.995314] invalid opcode: 0000 [#6] SMP
      [  474.027196] Modules linked in:
      [  474.058118] CPU: 0 PID: 8138 Comm: ls Tainted: G      D   I
      3.13.0-grsec #1
      [  474.116637] Hardware name: Supermicro X8ST3/X8ST3, BIOS 2.0
      07/29/10
      [  474.149768] task: ffff8805f50cd010 ti: ffff8805f50cd488 task.ti:
      ffff8805f50cd488
      [  474.183707] RIP: 0010:[<ffffffff814681c7>]  [<ffffffff814681c7>]
      context_struct_compute_av+0xce/0x308
      [  474.219954] RSP: 0018:ffff8805c0ac3c38  EFLAGS: 00010246
      [  474.252253] RAX: 0000000000000000 RBX: ffff8805c0ac3d94 RCX:
      0000000000000100
      [  474.287018] RDX: ffff8805e8aac000 RSI: 00000000ffffffff RDI:
      ffff8805e8aaa000
      [  474.321199] RBP: ffff8805c0ac3cb8 R08: 0000000000000010 R09:
      0000000000000006
      [  474.357446] R10: 0000000000000000 R11: ffff8805c567a000 R12:
      0000000000000006
      [  474.419191] R13: ffff8805c2b74e88 R14: 00000000000001da R15:
      0000000000000000
      [  474.453816] FS:  00007f2e75220800(0000) GS:ffff88061fc00000(0000)
      knlGS:0000000000000000
      [  474.489254] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  474.522215] CR2: 00007f2e74716090 CR3: 00000005c085e000 CR4:
      00000000000207f0
      [  474.556058] Stack:
      [  474.584325]  ffff8805c0ac3c98 ffffffff811b549b ffff8805c0ac3c98
      ffff8805f1190a40
      [  474.618913]  ffff8805a6202f08 ffff8805c2b74e88 00068800d0464990
      ffff8805e8aac860
      [  474.653955]  ffff8805c0ac3cb8 000700068113833a ffff880606c75060
      ffff8805c0ac3d94
      [  474.690461] Call Trace:
      [  474.723779]  [<ffffffff811b549b>] ? lookup_fast+0x1cd/0x22a
      [  474.778049]  [<ffffffff81468824>] security_compute_av+0xf4/0x20b
      [  474.811398]  [<ffffffff8196f419>] avc_compute_av+0x2a/0x179
      [  474.843813]  [<ffffffff8145727b>] avc_has_perm+0x45/0xf4
      [  474.875694]  [<ffffffff81457d0e>] inode_has_perm+0x2a/0x31
      [  474.907370]  [<ffffffff81457e76>] selinux_inode_getattr+0x3c/0x3e
      [  474.938726]  [<ffffffff81455cf6>] security_inode_getattr+0x1b/0x22
      [  474.970036]  [<ffffffff811b057d>] vfs_getattr+0x19/0x2d
      [  475.000618]  [<ffffffff811b05e5>] vfs_fstatat+0x54/0x91
      [  475.030402]  [<ffffffff811b063b>] vfs_lstat+0x19/0x1b
      [  475.061097]  [<ffffffff811b077e>] SyS_newlstat+0x15/0x30
      [  475.094595]  [<ffffffff8113c5c1>] ? __audit_syscall_entry+0xa1/0xc3
      [  475.148405]  [<ffffffff8197791e>] system_call_fastpath+0x16/0x1b
      [  475.179201] Code: 00 48 85 c0 48 89 45 b8 75 02 0f 0b 48 8b 45 a0 48
      8b 3d 45 d0 b6 00 8b 40 08 89 c6 ff ce e8 d1 b0 06 00 48 85 c0 49 89 c7
      75 02 <0f> 0b 48 8b 45 b8 4c 8b 28 eb 1e 49 8d 7d 08 be 80 01 00 00 e8
      [  475.255884] RIP  [<ffffffff814681c7>]
      context_struct_compute_av+0xce/0x308
      [  475.296120]  RSP <ffff8805c0ac3c38>
      [  475.328734] ---[ end trace f076482e9d754adc ]---
      Reported-by: Matthew Thode <mthode@mthode.org>
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: stable@vger.kernel.org
      Signed-off-by: Paul Moore <pmoore@redhat.com>
    • selinux: add SOCK_DIAG_BY_FAMILY to the list of netlink message types · 6a96e150
      Paul Moore authored
      The SELinux AF_NETLINK/NETLINK_SOCK_DIAG socket class was missing the
      SOCK_DIAG_BY_FAMILY definition which caused SELINUX_ERR messages when
      the ss tool was run.
      
       # ss
       Netid  State  Recv-Q Send-Q  Local Address:Port   Peer Address:Port
       u_str  ESTAB  0      0                  * 14189             * 14190
       u_str  ESTAB  0      0                  * 14145             * 14144
       u_str  ESTAB  0      0                  * 14151             * 14150
       {...}
       # ausearch -m SELINUX_ERR
       ----
       time->Thu Jan 23 11:11:16 2014
       type=SYSCALL msg=audit(1390493476.445:374):
        arch=c000003e syscall=44 success=yes exit=40
        a0=3 a1=7fff03aa11f0 a2=28 a3=0 items=0 ppid=1852 pid=1895
        auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
        tty=pts0 ses=1 comm="ss" exe="/usr/sbin/ss"
        subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
       type=SELINUX_ERR msg=audit(1390493476.445:374):
        SELinux:  unrecognized netlink message type=20 for sclass=32
      Signed-off-by: Paul Moore <pmoore@redhat.com>
    • Merge tag 'v3.13' into stable-3.14 · 825e587a
      Paul Moore authored
      Linux 3.13
      
      Conflicts:
      	security/selinux/hooks.c
      
      Trivial merge issue in selinux_inet_conn_request() likely due to me
      including patches that I sent to the stable folks in my next tree
      resulting in the patch hitting twice (I think).  Thankfully it was an
      easy fix this time, but regardless, lesson learned, I will not do that
      again.
  2. 20 Jan, 2014 3 commits
  3. 19 Jan, 2014 1 commit
  4. 18 Jan, 2014 9 commits
    • Revert "ACPI: Add BayTrail SoC GPIO and LPSS ACPI IDs" · 2b844ba7
      Rafael J. Wysocki authored
      This reverts commit f6308b36 (ACPI: Add BayTrail SoC GPIO and LPSS
      ACPI IDs), because it causes Alan Cox's ASUS T100TA to "crash and
      burn" during boot if the Baytrail pinctrl driver is compiled in.
      
      Fixes: f6308b36 (ACPI: Add BayTrail SoC GPIO and LPSS ACPI IDs)
      Reported-by: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
      Requested-by: Linus Walleij <linus.walleij@linaro.org>
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 7d0d46da
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) The value chosen for the new SO_MAX_PACING_RATE socket option on
          parisc was very poorly chosen, let's fix it while we still can.
          From Eric Dumazet.
      
       2) Our generic reciprocal divide was found to handle some edge cases
          incorrectly, part of this is encoded into the BPF as deep as the JIT
          engines themselves.  Just use a real divide throughout for now.
          From Eric Dumazet.
      
       3) Because the initial lookup is lockless, the TCP metrics engine can
          end up creating two entries for the same lookup key.  Fix this by
          doing a second lookup under the lock before we actually create the
          new entry.  From Christoph Paasch.
      
       4) Fix scatter-gather list init in usbnet driver, from Bjørn Mork.
      
       5) Fix unintended 32-bit truncation in cxgb4 driver's bit shifting.
          From Dan Carpenter.
      
       6) Netlink socket dumping uses the wrong socket state for timewait
          sockets.  Fix from Neal Cardwell.
      
       7) Fix netlink memory leak in ieee802154_add_iface(), from Christian
          Engelmayer.
      
       8) Multicast forwarding in ipv4 can overflow the per-rule reference
          counts, causing all multicast traffic to cease.  Fix from Hannes
          Frederic Sowa.
      
       9) via-rhine needs to stop all TX queues when it resets the device,
          from Richard Weinberger.
      
      10) Fix RDS per-cpu accesses broken by the this_cpu_* conversions.  From
          Gerald Schaefer.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
        s390/bpf,jit: fix 32 bit divisions, use unsigned divide instructions
        parisc: fix SO_MAX_PACING_RATE typo
        ipv6: simplify detection of first operational link-local address on interface
        tcp: metrics: Avoid duplicate entries with the same destination-IP
        net: rds: fix per-cpu helper usage
        e1000e: Fix compilation warning when !CONFIG_PM_SLEEP
        bpf: do not use reciprocal divide
        be2net: add dma_mapping_error() check for dma_map_page()
        bnx2x: Don't release PCI bars on shutdown
        net,via-rhine: Fix tx_timeout handling
        batman-adv: fix batman-adv header overhead calculation
        qlge: Fix vlan netdev features.
        net: avoid reference counter overflows on fib_rules in multicast forwarding
        dm9601: add USB IDs for new dm96xx variants
        MAINTAINERS: add virtio-dev ML for virtio
        ieee802154: Fix memory leak in ieee802154_add_iface()
        net: usbnet: fix SG initialisation
        inet_diag: fix inet_diag_dump_icsk() to use correct state for timewait sockets
        cxgb4: silence shift wrapping static checker warning
    • s390/bpf,jit: fix 32 bit divisions, use unsigned divide instructions · 3af57f78
      Heiko Carstens authored
      The s390 bpf jit compiler emits the signed divide instructions "dr" and "d"
      for unsigned divisions.
      This can cause problems: the dividend will be zero extended to a 64 bit value
      and the divisor is the 32 bit signed value as specified A or X accumulator,
      even though A and X are supposed to be treated as unsigned values.
      
      The divide instructions will generate an exception if the result cannot be
      expressed with a 32 bit signed value.
      This is the case if e.g. the dividend is 0xffffffff and the divisor either 1
      or also 0xffffffff (signed: -1).
      
      To avoid all these issues simply use unsigned divide instructions.
      Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • parisc: fix SO_MAX_PACING_RATE typo · 75b99dbd
      Eric Dumazet authored
      SO_MAX_PACING_RATE definition on parisc got a typo.
      It's not too late to fix it, before 3.13 is official.
      
      Fixes: 62748f32 ("net: introduce SO_MAX_PACING_RATE")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv6: simplify detection of first operational link-local address on interface · 11ffff75
      Hannes Frederic Sowa authored
      In commit 1ec047eb ("ipv6: introduce per-interface counter for
      dad-completed ipv6 addresses") I built the detection of the first
      operational link-local address much too complex. Additionally this code
      now has a race condition.
      
      Replace it with a much simpler variant, which just scans the address
      list when duplicate address detection completes, to check if this is
      the first valid link local address and send RS and MLD reports then.
      
      Fixes: 1ec047eb ("ipv6: introduce per-interface counter for dad-completed ipv6 addresses")
      Reported-by: Jiri Pirko <jiri@resnulli.us>
      Cc: Flavio Leitner <fbl@redhat.com>
      Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Acked-by: Flavio Leitner <fbl@redhat.com>
      Acked-by: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tcp: metrics: Avoid duplicate entries with the same destination-IP · 77f99ad1
      Christoph Paasch authored
      Because the tcp-metrics is an RCU-list, it may be that two
      soft-interrupts are inside __tcp_get_metrics() for the same
      destination-IP at the same time. If this destination-IP is not yet part of
      the tcp-metrics, both soft-interrupts will end up in tcpm_new and create
      a new entry for this IP.
      So, we will have two tcp-metrics with the same destination-IP in the list.
      
      This patch checks twice __tcp_get_metrics(). First without holding the
      lock, then while holding the lock. The second one is there to confirm
      that the entry has not been added by another soft-irq while waiting for
      the spin-lock.
      
      Fixes: 51c5d0c4 (tcp: Maintain dynamic metrics in local cache.)
      Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
      Reviewed-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: rds: fix per-cpu helper usage · c196403b
      Gerald Schaefer authored
      commit ae4b46e9 "net: rds: use this_cpu_* per-cpu helper" broke per-cpu
      handling for rds. chpfirst is the result of __this_cpu_read(), so it is
      an absolute pointer and not __percpu. Therefore, __this_cpu_write()
      should not operate on chpfirst, but rather on cache->percpu->first, just
      like __this_cpu_read() did before.
      
      Cc: <stable@vger.kernel.org> # 3.8+
      Signed-off-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace · 48ba620a
      Linus Torvalds authored
      Pull namespace fixes from Eric Biederman:
       "This is a set of 3 regression fixes.
      
        This fixes /proc/mounts when using "ip netns add <netns>" to display
        the actual mount point.
      
        This fixes a regression in clone that broke lxc-attach.
      
        This fixes a regression in the permission checks for mounting /proc
        that made proc unmountable if binfmt_misc was in use.  Oops.
      
        My apologies for sending this pull request so late.  Al Viro gave
        interesting review comments about the d_path fix that I wanted to
        address in detail before I sent this pull request.  Unfortunately a
        bad round of colds kept me from addressing that in detail until today.
        The executive summary of the review was:
      
        Al: Is patching d_path really sufficient?
            The prepend_path, d_path, d_absolute_path, and __d_path family of
            functions is a real mess.
      
        Me: Yes, patching d_path is really sufficient.  Yes, the code is a mess.
            No it is not appropriate to rewrite all of d_path for a regression
            that has existed for entirely too long already, when a two line
            change will do"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
        vfs: Fix a regression in mounting proc
        fork:  Allow CLONE_PARENT after setns(CLONE_NEWPID)
        vfs: In d_path don't call d_dname on a mount point
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 8f211b6c
      Linus Torvalds authored
      Pull KVM fix from Paolo Bonzini:
       "Fix for a brown paper bag bug.  Thanks to Drew Jones for noticing"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        kvm: x86: fix apic_base enable check
  5. 17 Jan, 2014 3 commits
  6. 16 Jan, 2014 13 commits
  7. 15 Jan, 2014 8 commits