1. 04 Aug, 2014 5 commits
  2. 01 Aug, 2014 5 commits
    • Eric W. Biederman's avatar
      mnt: Add tests for unprivileged remount cases that have found to be faulty · db181ce0
      Eric W. Biederman authored
      Kenton Varda <kenton@sandstorm.io> discovered that by remounting a
      read-only bind mount read-only in a user namespace the
      MNT_LOCK_READONLY bit would be cleared, allowing an unprivileged user
      to the remount a read-only mount read-write.
      
      Upon review of the code in remount it was discovered that the code allowed
      nosuid, noexec, and nodev to be cleared.  It was also discovered that
      the code was allowing the per mount atime flags to be changed.
      
      The first naive patch to fix these issues contained the flaw that using
      default atime settings when remounting a filesystem could be disallowed.
      
      To avoid this problems in the future add tests to ensure unprivileged
      remounts are succeeding and failing at the appropriate times.
      
      Cc: stable@vger.kernel.org
      Acked-by: default avatarSerge E. Hallyn <serge.hallyn@ubuntu.com>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      db181ce0
    • Eric W. Biederman's avatar
      mnt: Change the default remount atime from relatime to the existing value · ffbc6f0e
      Eric W. Biederman authored
      Since March 2009 the kernel has treated the state that if no
      MS_..ATIME flags are passed then the kernel defaults to relatime.
      
      Defaulting to relatime instead of the existing atime state during a
      remount is silly, and causes problems in practice for people who don't
      specify any MS_...ATIME flags and to get the default filesystem atime
      setting.  Those users may encounter a permission error because the
      default atime setting does not work.
      
      A default that does not work and causes permission problems is
      ridiculous, so preserve the existing value to have a default
      atime setting that is always guaranteed to work.
      
      Using the default atime setting in this way is particularly
      interesting for applications built to run in restricted userspace
      environments without /proc mounted, as the existing atime mount
      options of a filesystem can not be read from /proc/mounts.
      
      In practice this fixes user space that uses the default atime
      setting on remount that are broken by the permission checks
      keeping less privileged users from changing more privileged users
      atime settings.
      
      Cc: stable@vger.kernel.org
      Acked-by: default avatarSerge E. Hallyn <serge.hallyn@ubuntu.com>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      ffbc6f0e
    • Eric W. Biederman's avatar
      mnt: Correct permission checks in do_remount · 9566d674
      Eric W. Biederman authored
      While invesgiating the issue where in "mount --bind -oremount,ro ..."
      would result in later "mount --bind -oremount,rw" succeeding even if
      the mount started off locked I realized that there are several
      additional mount flags that should be locked and are not.
      
      In particular MNT_NOSUID, MNT_NODEV, MNT_NOEXEC, and the atime
      flags in addition to MNT_READONLY should all be locked.  These
      flags are all per superblock, can all be changed with MS_BIND,
      and should not be changable if set by a more privileged user.
      
      The following additions to the current logic are added in this patch.
      - nosuid may not be clearable by a less privileged user.
      - nodev  may not be clearable by a less privielged user.
      - noexec may not be clearable by a less privileged user.
      - atime flags may not be changeable by a less privileged user.
      
      The logic with atime is that always setting atime on access is a
      global policy and backup software and auditing software could break if
      atime bits are not updated (when they are configured to be updated),
      and serious performance degradation could result (DOS attack) if atime
      updates happen when they have been explicitly disabled.  Therefore an
      unprivileged user should not be able to mess with the atime bits set
      by a more privileged user.
      
      The additional restrictions are implemented with the addition of
      MNT_LOCK_NOSUID, MNT_LOCK_NODEV, MNT_LOCK_NOEXEC, and MNT_LOCK_ATIME
      mnt flags.
      
      Taken together these changes and the fixes for MNT_LOCK_READONLY
      should make it safe for an unprivileged user to create a user
      namespace and to call "mount --bind -o remount,... ..." without
      the danger of mount flags being changed maliciously.
      
      Cc: stable@vger.kernel.org
      Acked-by: default avatarSerge E. Hallyn <serge.hallyn@ubuntu.com>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      9566d674
    • Eric W. Biederman's avatar
      mnt: Move the test for MNT_LOCK_READONLY from change_mount_flags into do_remount · 07b64558
      Eric W. Biederman authored
      There are no races as locked mount flags are guaranteed to never change.
      
      Moving the test into do_remount makes it more visible, and ensures all
      filesystem remounts pass the MNT_LOCK_READONLY permission check.  This
      second case is not an issue today as filesystem remounts are guarded
      by capable(CAP_DAC_ADMIN) and thus will always fail in less privileged
      mount namespaces, but it could become an issue in the future.
      
      Cc: stable@vger.kernel.org
      Acked-by: default avatarSerge E. Hallyn <serge.hallyn@ubuntu.com>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      07b64558
    • Eric W. Biederman's avatar
      mnt: Only change user settable mount flags in remount · a6138db8
      Eric W. Biederman authored
      Kenton Varda <kenton@sandstorm.io> discovered that by remounting a
      read-only bind mount read-only in a user namespace the
      MNT_LOCK_READONLY bit would be cleared, allowing an unprivileged user
      to the remount a read-only mount read-write.
      
      Correct this by replacing the mask of mount flags to preserve
      with a mask of mount flags that may be changed, and preserve
      all others.   This ensures that any future bugs with this mask and
      remount will fail in an easy to detect way where new mount flags
      simply won't change.
      
      Cc: stable@vger.kernel.org
      Acked-by: default avatarSerge E. Hallyn <serge.hallyn@ubuntu.com>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      a6138db8
  3. 30 Jul, 2014 1 commit
    • Eric W. Biederman's avatar
      namespaces: Use task_lock and not rcu to protect nsproxy · 728dba3a
      Eric W. Biederman authored
      The synchronous syncrhonize_rcu in switch_task_namespaces makes setns
      a sufficiently expensive system call that people have complained.
      
      Upon inspect nsproxy no longer needs rcu protection for remote reads.
      remote reads are rare.  So optimize for same process reads and write
      by switching using rask_lock instead.
      
      This yields a simpler to understand lock, and a faster setns system call.
      
      In particular this fixes a performance regression observed
      by Rafael David Tinoco <rafael.tinoco@canonical.com>.
      
      This is effectively a revert of Pavel Emelyanov's commit
      cf7b708c Make access to task's nsproxy lighter
      from 2007.  The race this originialy fixed no longer exists as
      do_notify_parent uses task_active_pid_ns(parent) instead of
      parent->nsproxy.
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      728dba3a
  4. 21 Jul, 2014 9 commits
  5. 20 Jul, 2014 4 commits
  6. 19 Jul, 2014 16 commits
    • Eric Sandeen's avatar
      btrfs: test for valid bdev before kobj removal in btrfs_rm_device · 0bfaa9c5
      Eric Sandeen authored
      commit 99994cde btrfs: dev delete should remove sysfs entry
      added a btrfs_kobj_rm_device, which dereferences device->bdev...
      right after we check whether device->bdev might be NULL.
      
      I don't honestly know if it's possible to have a NULL device->bdev
      here, but assuming that it is (given the test), we need to move
      the kobject removal to be under that test.
      
      (Coverity spotted this)
      Signed-off-by: default avatarEric Sandeen <sandeen@redhat.com>
      Signed-off-by: default avatarChris Mason <clm@fb.com>
      0bfaa9c5
    • Liu Bo's avatar
      Btrfs: fix abnormal long waiting in fsync · 98ce2ded
      Liu Bo authored
      xfstests generic/127 detected this problem.
      
      With commit 7fc34a62, now fsync will only flush
      data within the passed range.  This is the cause of the above problem,
      -- btrfs's fsync has a stage called 'sync log' which will wait for all the
      ordered extents it've recorded to finish.
      
      In xfstests/generic/127, with mixed operations such as truncate, fallocate,
      punch hole, and mapwrite, we get some pre-allocated extents, and mapwrite will
      mmap, and then msync.  And I find that msync will wait for quite a long time
      (about 20s in my case), thanks to ftrace, it turns out that the previous
      fallocate calls 'btrfs_wait_ordered_range()' to flush dirty pages, but as the
      range of dirty pages may be larger than 'btrfs_wait_ordered_range()' wants,
      there can be some ordered extents created but not getting corresponding pages
      flushed, then they're left in memory until we fsync which runs into the
      stage 'sync log', and fsync will just wait for the system writeback thread
      to flush those pages and get ordered extents finished, so the latency is
      inevitable.
      
      This adds a flush similar to btrfs_start_ordered_extent() in
      btrfs_wait_logged_extents() to fix that.
      Reviewed-by: default avatarMiao Xie <miaox@cn.fujitsu.com>
      Signed-off-by: default avatarLiu Bo <bo.li.liu@oracle.com>
      Signed-off-by: default avatarChris Mason <clm@fb.com>
      98ce2ded
    • Linus Torvalds's avatar
      Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · d0571909
      Linus Torvalds authored
      Pull locking fixes from Thomas Gleixner:
       "The locking department delivers:
      
         - A rather large and intrusive bundle of fixes to address serious
           performance regressions introduced by the new rwsem / mcs
           technology.  Simpler solutions have been discussed, but they would
           have been ugly bandaids with more risk than doing the right thing.
      
         - Make the rwsem spin on owner technology opt-in for architectures
           and enable it only on the known to work ones.
      
         - A few fixes to the lockdep userspace library"
      
      * 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        locking/rwsem: Add CONFIG_RWSEM_SPIN_ON_OWNER
        locking/mutex: Disable optimistic spinning on some architectures
        locking/rwsem: Reduce the size of struct rw_semaphore
        locking/rwsem: Rename 'activity' to 'count'
        locking/spinlocks/mcs: Micro-optimize osq_unlock()
        locking/spinlocks/mcs: Introduce and use init macro and function for osq locks
        locking/spinlocks/mcs: Convert osq lock to atomic_t to reduce overhead
        locking/spinlocks/mcs: Rename optimistic_spin_queue() to optimistic_spin_node()
        locking/rwsem: Allow conservative optimistic spinning when readers have lock
        tools/liblockdep: Account for bitfield changes in lockdeps lock_acquire
        tools/liblockdep: Remove debug print left over from development
        tools/liblockdep: Fix comparison of a boolean value with a value of 2
      d0571909
    • Linus Torvalds's avatar
      Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · d1743b81
      Linus Torvalds authored
      Pull scheduler fix from Thomas Gleixner:
       "Prevent a possible divide by zero in the debugging code"
      
      * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        sched: Fix possible divide by zero in avg_atom() calculation
      d1743b81
    • Linus Torvalds's avatar
      Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · cb20fd07
      Linus Torvalds authored
      Pull irq fixes from Thomas Gleixner:
       "Three patches addressing shortcomings in the ARM gic interrupt chip
        driver"
      
      * 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        irqchip: gic: Fix core ID calculation when topology is read from DT
        irqchip: gic: Add binding probe for ARM GIC400
        irqchip: gic: Add support for cortex a7 compatible string
      cb20fd07
    • Linus Torvalds's avatar
      Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · b495c23c
      Linus Torvalds authored
      Pull timer fix from Thomas Gleixner:
       "A single fix for a long standing issue in the alarm timer subsystem,
        which was noticed recently when people finally started to use alarm
        timers for serious work"
      
      * 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        alarmtimer: Fix bug where relative alarm timers were treated as absolute
      b495c23c
    • Linus Torvalds's avatar
      Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · da5b99b4
      Linus Torvalds authored
      Pull RCU fixes from Thomas Gleixner:
       "Two RCU patches:
         - Address a serious performance regression on open/close caused by
           commit ac1bea85 ("Make cond_resched() report RCU quiescent
           states")
         - Export RCU debug functions.  Not a regression, but enablement to
           address a serious recursion bug in the sl*b allocators in 3.17"
      
      * 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        rcu: Reduce overhead of cond_resched() checks for RCU
        rcu: Export debug_init_rcu_head() and and debug_init_rcu_head()
      da5b99b4
    • Linus Torvalds's avatar
      Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · d614cb0b
      Linus Torvalds authored
      Pull ARM SoC fixes from Olof Johansson:
       "A smaller set of fixes this week, and all regression fixes:
         - a handful of issues fixed on at91 with common clock conversion
         - a set of fixes for Marvell mvebu (SMP, coherency, PM)
         - a clock fix for i.MX6Q.
         - ... and a SMP/hotplug fix for Exynos"
      
      * tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
        ARM: EXYNOS: Fix core ID used by platsmp and hotplug code
        ARM: at91/dt: add missing clocks property to pwm node in sam9x5.dtsi
        ARM: at91/dt: fix usb0 clocks definition in sam9n12 dtsi
        ARM: at91: at91sam9x5: correct typo error for ohci clock
        ARM: clk-imx6q: parent lvds_sel input from upstream clock gates
        ARM: mvebu: Fix coherency bus notifiers by using separate notifiers
        ARM: mvebu: Fix the operand list in the inline asm of armada_370_xp_pmsu_idle_enter
        ARM: mvebu: fix SMP boot for Armada 38x and Armada 375 Z1 in big endian
      d614cb0b
    • Dave Airlie's avatar
      Merge tag 'drm-intel-fixes-2014-07-18' of git://anongit.freedesktop.org/drm-intel · e898c791
      Dave Airlie authored
      But in any case nothing really shocking in
      here, 2 reverts, 1 quirk and a regression fix a WARN.
      
      * tag 'drm-intel-fixes-2014-07-18' of git://anongit.freedesktop.org/drm-intel:
        Revert "drm/i915: reverse dp link param selection, prefer fast over wide again"
        drm/i915: Track the primary plane correctly when reassigning planes
        drm/i915: Ignore VBT backlight presence check on HP Chromebook 14
        Revert "drm/i915: Don't set the 8to6 dither flag when not scaling"
      e898c791
    • Linus Torvalds's avatar
      Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 1b9f0efd
      Linus Torvalds authored
      Pull x86 fixes from Peter Anvin:
       "A couple of key fixes and a few less critical ones.  The main ones
        are:
      
         - add a .bss section to the PE/COFF headers when building with EFI
           stub
      
         - invoke the correct paravirt magic when building the espfix page
           tables
      
        Unfortunately both of these areas also have at least one additional
        fix each still in thie pipeline, but which are not yet ready to push"
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86: Remove unused variable "polling"
        x86/espfix/xen: Fix allocation of pages for paravirt page tables
        x86/efi: Include a .bss section within the PE/COFF headers
        efi: fdt: Do not report an error during boot if UEFI is not available
        efi/arm64: efistub: remove local copy of linux_banner
      1b9f0efd
    • Linus Torvalds's avatar
      Merge tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband · b579fcca
      Linus Torvalds authored
      Pull infiniband/rdma fixes from Roland Dreier:
       - cxgb4 hardware driver regression fixes
       - mlx5 hardware driver regression fixes
      
      * tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband:
        IB/mlx5: Enable "block multicast loopback" for kernel consumers
        RDMA/cxgb4: Call iwpm_init() only once
        mlx5_core: Fix possible race between mr tree insert/delete
        RDMA/cxgb4: Initialize the device status page
        RDMA/cxgb4: Clean up connection on ARP error
        RDMA/cxgb4: Fix skb_leak in reject_cr()
      b579fcca
    • Linus Torvalds's avatar
      Merge tag 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging · cfd1b99b
      Linus Torvalds authored
      Pull hwmon fixes from Guenter Roeck:
       "More fallout from module tests and code inspection.
      
        Fixes to temperature limit write operations in adt7470 driver.  Also,
        dashes are not allowed in hwmon 'name' attributes.  Fix drivers where
        necessary"
      
      * tag 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
        hwmon: (adt7470) Fix writes to temperature limit registers
        hwmon: (da9055) Don't use dash in the name attribute
        hwmon: (da9052) Don't use dash in the name attribute
      cfd1b99b
    • Linus Torvalds's avatar
      Merge tag 'iommu-fixes-v3.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · 0bae49b2
      Linus Torvalds authored
      Pull iommu fixes from Joerg Roedel:
       "A couple of fixes for the Freescale PAMU driver queued up:
      
         - fix PAMU window size check.
         - fix the device domain attach condition.
         - fix the error condition during iommu group"
      
      * tag 'iommu-fixes-v3.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
        iommu/fsl: Fix the error condition during iommu group
        iommu/fsl: Fix the device domain attach condition.
        iommu/fsl: Fix PAMU window size check.
      0bae49b2
    • Linus Torvalds's avatar
      Merge tag 'pm+acpi-3.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 084c9cac
      Linus Torvalds authored
      Pull ACPI and power management fixes from Rafael Wysocki:
       "These are a few recent regression fixes, a revert of the ACPI video
        commit I promised, a system resume fix related to request_firmware(),
        an ACPI video quirk for one more Win8-oriented BIOS, an ACPI device
        enumeration documentation update and a few fixes for ARM cpufreq
        drivers.
      
        Specifics:
      
         - Fix for a recently introduced NULL pointer dereference in the core
           system suspend code occuring when platforms without ACPI attempt to
           use the "freeze" sleep state from Zhang Rui.
      
         - Fix for a recently introduced build warning in cpufreq headers from
           Brian W Hart.
      
         - Fix for a 3.13 cpufreq regression related to sysem resume that
           triggers on some systems with multiple CPU clusters from Viresh
           Kumar.
      
         - Fix for a 3.4 regression in request_firmware() resulting in
           WARN_ON()s on some systems during system resume from Takashi Iwai.
      
         - Revert of the ACPI video commit that changed the default value of
           the video.brightness_switch_enabled command line argument to 0 as
           it has been reported to break existing setups.
      
         - ACPI device enumeration documentation update to take recent code
           changes into account and make the documentation match the code
           again from Darren Hart.
      
         - Fixes for the sa1110, imx6q, kirkwood, and cpu0 cpufreq drivers
           from Linus Walleij, Nicolas Del Piano, Quentin Armitage, Viresh
           Kumar.
      
         - New ACPI video blacklist entry for HP ProBook 4540s from Hans de
           Goede"
      
      * tag 'pm+acpi-3.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        cpufreq: make table sentinel macros unsigned to match use
        cpufreq: move policy kobj to policy->cpu at resume
        cpufreq: cpu0: OPPs can be populated at runtime
        cpufreq: kirkwood: Reinstate cpufreq driver for ARCH_KIRKWOOD
        cpufreq: imx6q: Select PM_OPP
        cpufreq: sa1110: set memory type for h3600
        ACPI / video: Add use_native_backlight quirk for HP ProBook 4540s
        PM / sleep: fix freeze_ops NULL pointer dereferences
        PM / sleep: Fix request_firmware() error at resume
        Revert "ACPI / video: change acpi-video brightness_switch_enabled default to 0"
        ACPI / documentation: Remove reference to acpi_platform_device_ids from enumeration.txt
      084c9cac
    • Linus Torvalds's avatar
      Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux · 3e8e2756
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "One nouveau deadlock fix, one qxl irq handling fix, and a set of
        radeon pageflipping changes that fix regressions in pageflipping since
        -rc1 along with a leak and backlight fix.
      
        The pageflipping fixes are a bit bigger than I'd like, but there has
        been a few people focused on testing them"
      
      * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
        drm/radeon: Make classic pageflip completion path less racy.
        drm/radeon: Add missing vblank_put in pageflip ioctl error path.
        drm/radeon: Remove redundant fence unref in pageflip path.
        drm/radeon: Complete page flip even if waiting on the BO fence fails
        drm/radeon: Move pinning the BO back to radeon_crtc_page_flip()
        drm/radeon: Prevent too early kms-pageflips triggered by vblank.
        drm/radeon: set default bl level to something reasonable
        drm/radeon: avoid leaking edid data
        drm/qxl: return IRQ_NONE if it was not our irq
        drm/nouveau/therm: fix a potential deadlock in the therm monitoring code
      3e8e2756
    • Linus Torvalds's avatar
      Merge tag 'random_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random · b8d2d128
      Linus Torvalds authored
      Pull /dev/random fix from Ted Ts'o:
       "Fix a BUG splat found by trinity"
      
      * tag 'random_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random:
        random: check for increase of entropy_count because of signed conversion
      b8d2d128