1. 15 Dec, 2009 9 commits
    • J. Bruce Fields's avatar
      nfsd: enable V4ROOT exports · 3d8986c7
      J. Bruce Fields authored
      With the v4root option now enforced everywhere it should be, it is safe
      to advertise support for it to mountd.
      Signed-off-by: default avatarJ. Bruce Fields <bfields@citi.umich.edu>
      3d8986c7
    • J. Bruce Fields's avatar
      nfsd: make V4ROOT exports read-only · 774b1478
      J. Bruce Fields authored
      I can't see any use for writeable V4ROOT exports.
      Signed-off-by: default avatarJ. Bruce Fields <bfields@citi.umich.edu>
      774b1478
    • Steve Dickson's avatar
      nfsd: restrict filehandles accepted in V4ROOT case · 03a816b4
      Steve Dickson authored
      On V4ROOT exports, only accept filehandles that are the *root* of some
      export.  This allows mountd to allow or deny access to individual
      directories and symlinks on the pseudofilesystem.
      
      Note that the checks in readdir and lookup are not enough, since a
      malicious host with access to the network could guess filehandles that
      they weren't able to obtain through lookup or readdir.
      Signed-off-by: default avatarSteve Dickson <steved@redhat.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@citi.umich.edu>
      03a816b4
    • J. Bruce Fields's avatar
      nfsd: allow exports of symlinks · f2ca7153
      J. Bruce Fields authored
      We want to allow exports of symlinks, to allow mountd to communicate to
      the kernel which symlinks lead to exports, and hence which symlinks need
      to be visible on the pseudofilesystem.
      Signed-off-by: default avatarJ. Bruce Fields <bfields@citi.umich.edu>
      f2ca7153
    • J. Bruce Fields's avatar
      nfsd: filter readdir results in V4ROOT case · 3227fa41
      J. Bruce Fields authored
      As with lookup, we treat every boject as a mountpoint and pretend it
      doesn't exist if it isn't exported.
      
      The preexisting code here is confusing, but I haven't yet figured out
      how to make it clearer.
      Signed-off-by: default avatarJ. Bruce Fields <bfields@citi.umich.edu>
      3227fa41
    • J. Bruce Fields's avatar
      nfsd: filter lookup results in V4ROOT case · 82ead7fe
      J. Bruce Fields authored
      We treat every object as a mountpoint and pretend it doesn't exist if
      it isn't exported.
      Signed-off-by: default avatarJ. Bruce Fields <bfields@citi.umich.edu>
      82ead7fe
    • J. Bruce Fields's avatar
      nfsd4: don't continue "under" mounts in V4ROOT case · 3b6cee7b
      J. Bruce Fields authored
      If /A/mount/point/ has filesystem "B" mounted on top of it, and if "A"
      is exported, but not "B", then the nfs server has always returned to the
      client a filehandle for the mountpoint, instead of for the root of "B",
      allowing the client to see the subtree of "A" that would otherwise be
      hidden by B.
      
      Disable this behavior in the case of V4ROOT exports; we implement the
      path restrictions of V4ROOT exports by treating *every* directory as if
      it were a mountpoint, and allowing traversal *only* if the new directory
      is exported.
      Signed-off-by: default avatarJ. Bruce Fields <bfields@citi.umich.edu>
      3b6cee7b
    • Steve Dickson's avatar
      nfsd: introduce export flag for v4 pseudoroot · eb4c86c6
      Steve Dickson authored
      NFSv4 differs from v2 and v3 in that it presents a single unified
      filesystem tree, whereas v2 and v3 exported multiple filesystem (whose
      roots could be found using a separate mount protocol).
      
      Our original NFSv4 server implementation asked the administrator to
      designate a single filesystem as the NFSv4 root, then to mount
      filesystems they wished to export underneath.  (Often using bind mounts
      of already-existing filesystems.)
      
      This was conceptually simple, and allowed easy implementation, but
      created a serious obstacle to upgrading between v2/v3: since the paths
      to v4 filesystems were different, administrators would have to adjust
      all the paths in client-side mount commands when switching to v4.
      
      Various workarounds are possible.  For example, the administrator could
      export "/" and designate it as the v4 root.  However, the security risks
      of that approach are obvious, and in any case we shouldn't be requiring
      the administrator to take extra steps to fix this problem; instead, the
      server should present consistent paths across different versions by
      default.
      
      These patches take a modified version of that approach: we provide a new
      export option which exports only a subset of a filesystem.  With this
      flag, it becomes safe for mountd to export "/" by default, with no need
      for additional configuration.
      
      We begin just by defining the new flag.
      Signed-off-by: default avatarSteve Dickson <steved@redhat.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@citi.umich.edu>
      eb4c86c6
    • J. Bruce Fields's avatar
      nfsd: let "insecure" flag vary by pseudoflavor · 12045a6e
      J. Bruce Fields authored
      This was an oversight; it should be among the export flags that can be
      allowed to vary by pseudoflavor.  This allows an administrator to (for
      example) allow auth_sys mounts only from low ports, but allow auth_krb5
      mounts to use any port.
      Signed-off-by: default avatarJ. Bruce Fields <bfields@citi.umich.edu>
      12045a6e
  2. 14 Dec, 2009 14 commits
  3. 25 Nov, 2009 1 commit
    • J. Bruce Fields's avatar
      nfsd: simplify fh_verify access checks · 864f0f61
      J. Bruce Fields authored
      All nfsd security depends on the security checks in fh_verify, and
      especially on nfsd_setuser().
      
      It therefore bothers me that the nfsd_setuser call may be made from
      three different places, depending on whether the filehandle has already
      been mapped to a dentry, and on whether subtreechecking is in force.
      
      Instead, make an unconditional call in fh_verify(), so it's trivial to
      verify that the call always occurs.
      
      That leaves us with a redundant nfsd_setuser() call in the subtreecheck
      case--it needs the correct user set earlier in order to check execute
      permissions on the path to this filehandle--but I'm willing to accept
      that minor inefficiency in the subtreecheck case in return for more
      straightforward permission checking.
      Signed-off-by: default avatarJ. Bruce Fields <bfields@citi.umich.edu>
      864f0f61
  4. 23 Nov, 2009 2 commits
  5. 19 Nov, 2009 9 commits
  6. 18 Nov, 2009 5 commits
    • Linus Torvalds's avatar
      Merge branch 'omap-fixes-for-linus' of... · d22966d0
      Linus Torvalds authored
      Merge branch 'omap-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap-2.6
      
      * 'omap-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap-2.6:
        OMAP: cs should be positive in gpmc_cs_free()
        omap: fix unlikely(x) < y
        omap3: clock: Fixed dpll3_m2x2 rate calculation
        omap3: clock: Fix the DPLL freqsel computations
        omap: Fix keymap for zoom2 according to matrix keypad framwork
      d22966d0
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6 · 70b172b2
      Linus Torvalds authored
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6:
        ASoC: tlv320aic23 fix rate selection
        ASoC: OMAP3 Pandora: update for TWL4030 codec changes
        ASoC: Modifying the license string GPLv2 for OMAP3 EVM
        ALSA: hda - Fix quirk for VAIO type G
        ALSA: usb - Quirk to disable master volume control in PCM2702
      70b172b2
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 · 486bfe5c
      Linus Torvalds authored
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (42 commits)
        cxgb3: fix premature page unmap
        ibm_newemac: Fix EMACx_TRTR[TRT] bit shifts
        vlan: Fix register_vlan_dev() error path
        gro: Fix illegal merging of trailer trash
        sungem: Fix Serdes detection.
        net: fix mdio section mismatch warning
        ppp: fix BUG on non-linear SKB (multilink receive)
        ixgbe: Fixing EEH handler to handle more than one error
        net: Fix the rollback test in dev_change_name()
        Revert "isdn: isdn_ppp: Use SKB list facilities instead of home-grown implementation."
        TI Davinci EMAC : Fix Console Hang when bringing the interface down
        smsc911x: Fix Console Hang when bringing the interface down.
        mISDN: fix error return in HFCmulti_init()
        forcedeth: mac address fix
        r6040: fix version printing
        Bluetooth: Fix regression with L2CAP configuration in Basic Mode
        Bluetooth: Select Basic Mode as default for SOCK_SEQPACKET
        Bluetooth: Set general bonding security for ACL by default
        r8169: Fix receive buffer length when MTU is between 1515 and 1536
        can: add the missing netlink get_xstats_size callback
        ...
      486bfe5c
    • Mimi Zohar's avatar
      ima: replace GFP_KERNEL with GFP_NOFS · c09c59e6
      Mimi Zohar authored
      While running fsstress tests on the NFSv4 mounted ext3 and ext4
      filesystem, the following call trace was generated on the nfs
      server machine.
      
      Replace GFP_KERNEL with GFP_NOFS in ima_iint_insert() to avoid a
      potential deadlock.
      
           =================================
          [ INFO: inconsistent lock state ]
          2.6.31-31.el6.x86_64 #1
          ---------------------------------
          inconsistent {RECLAIM_FS-ON-W} -> {IN-RECLAIM_FS-W} usage.
          kswapd2/75 [HC0[0]:SC0[0]:HE1:SE1] takes:
           (jbd2_handle){+.+.?.}, at: [<ffffffff811edd5e>] jbd2_journal_start+0xfe/0x13f
          {RECLAIM_FS-ON-W} state was registered at:
            [<ffffffff81091e40>] mark_held_locks+0x65/0x99
            [<ffffffff81091f31>] lockdep_trace_alloc+0xbd/0xf5
            [<ffffffff81126fdd>] kmem_cache_alloc+0x40/0x185
            [<ffffffff812344d7>] ima_iint_insert+0x3d/0xf1
            [<ffffffff812345b0>] ima_inode_alloc+0x25/0x44
            [<ffffffff811484ac>] inode_init_always+0xec/0x271
            [<ffffffff81148682>] alloc_inode+0x51/0xa1
            [<ffffffff81148700>] new_inode+0x2e/0x94
            [<ffffffff811b2f08>] ext4_new_inode+0xb8/0xdc9
            [<ffffffff811be611>] ext4_create+0xcf/0x175
            [<ffffffff8113e2cd>] vfs_create+0x82/0xb8
            [<ffffffff8113f337>] do_filp_open+0x32c/0x9ee
            [<ffffffff811309b9>] do_sys_open+0x6c/0x12c
            [<ffffffff81130adc>] sys_open+0x2e/0x44
            [<ffffffff81011e42>] system_call_fastpath+0x16/0x1b
            [<ffffffffffffffff>] 0xffffffffffffffff
          irq event stamp: 90371
          hardirqs last  enabled at (90371): [<ffffffff8112708d>]
          kmem_cache_alloc+0xf0/0x185
          hardirqs last disabled at (90370): [<ffffffff81127026>]
          kmem_cache_alloc+0x89/0x185
          softirqs last  enabled at (89492): [<ffffffff81068ecf>]
          __do_softirq+0x1bf/0x1eb
          softirqs last disabled at (89477): [<ffffffff8101312c>] call_softirq+0x1c/0x30
      
          other info that might help us debug this:
          2 locks held by kswapd2/75:
           #0:  (shrinker_rwsem){++++..}, at: [<ffffffff810f98ba>] shrink_slab+0x44/0x177
           #1:  (&type->s_umount_key#25){++++..}, at: [<ffffffff811450ba>]
      Reported-by: default avatarMuni P. Beerakam <mbeeraka@in.ibm.com>
      Reported-by: default avatarAmit K. Arora <amitarora@in.ibm.com>
      Cc: stable@kernel.org
      Signed-off-by: default avatarMimi Zohar <zohar@us.ibm.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      c09c59e6
    • Roel Kluin's avatar
      OMAP: cs should be positive in gpmc_cs_free() · e7fdc605
      Roel Kluin authored
      The index `cs' is signed, test whether it is negative before we release
      gpmc_cs_mem[cs].
      Signed-off-by: default avatarRoel Kluin <roel.kluin@gmail.com>
      Cc: Russell King <rmk@arm.linux.org.uk>
      Signed-off-by: default avatarTony Lindgren <tony@atomide.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      e7fdc605