Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v3.18.3 2015-01-16T14:59:57+00:00 2015-01-16T14:59:57+00:00 Linus Torvalds torvalds@linux-foundation.org 2015-01-06T21:00:05+00:00 urn:sha1:c03aed64c4fc9e39e8727920971d889dac14b002 commit fee7e49d45149fba60156f5b59014f764d3e3728 upstream. Jay Foad reports that the address sanitizer test (asan) sometimes gets confused by a stack pointer that ends up being outside the stack vma that is reported by /proc/maps. This happens due to an interaction between RLIMIT_STACK and the guard page: when we do the guard page check, we ignore the potential error from the stack expansion, which effectively results in a missing guard page, since the expected stack expansion won't have been done. And since /proc/maps explicitly ignores the guard page (commit d7824370e263: "mm: fix up some user-visible effects of the stack guard page"), the stack pointer ends up being outside the reported stack area. This is the minimal patch: it just propagates the error. It also effectively makes the guard page part of the stack limit, which in turn measn that the actual real stack is one page less than the stack limit. Let's see if anybody notices. We could teach acct_stack_growth() to allow an extra page for a grow-up/grow-down stack in the rlimit test, but I don't want to add more complexity if it isn't needed. Reported-and-tested-by: Jay Foad <jay.foad@gmail.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-01-16T14:59:57+00:00 Johannes Weiner hannes@cmpxchg.org 2015-01-08T22:32:18+00:00 urn:sha1:a78e877e9a689d8195b2e62d68030c36fd8e7f34 commit 2d6d7f98284648c5ed113fe22a132148950b140f upstream. Tejun, while reviewing the code, spotted the following race condition between the dirtying and truncation of a page: __set_page_dirty_nobuffers() __delete_from_page_cache() if (TestSetPageDirty(page)) page->mapping = NULL if (PageDirty()) dec_zone_page_state(page, NR_FILE_DIRTY); dec_bdi_stat(mapping->backing_dev_info, BDI_RECLAIMABLE); if (page->mapping) account_page_dirtied(page) __inc_zone_page_state(page, NR_FILE_DIRTY); __inc_bdi_stat(mapping->backing_dev_info, BDI_RECLAIMABLE); which results in an imbalance of NR_FILE_DIRTY and BDI_RECLAIMABLE. Dirtiers usually lock out truncation, either by holding the page lock directly, or in case of zap_pte_range(), by pinning the mapcount with the page table lock held. The notable exception to this rule, though, is do_wp_page(), for which this race exists. However, do_wp_page() already waits for a locked page to unlock before setting the dirty bit, in order to prevent a race where clear_page_dirty() misses the page bit in the presence of dirty ptes. Upgrade that wait to a fully locked set_page_dirty() to also cover the situation explained above. Afterwards, the code in set_page_dirty() dealing with a truncation race is no longer needed. Remove it. Reported-by: Tejun Heo <tj@kernel.org> Signed-off-by: Johannes Weiner <hannes@cmpxchg.org> Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-01-16T14:59:47+00:00 Tony Lindgren tony@atomide.com 2014-09-16T20:50:01+00:00 urn:sha1:c7ba2d79497f0ed0cbc6db32dacf6bdd83d31cbf commit 027bc8b08242c59e19356b4b2c189f2d849ab660 upstream. On some ARMs the memory can be mapped pgprot_noncached() and still be working for atomic operations. As pointed out by Colin Cross <ccross@android.com>, in some cases you do want to use pgprot_noncached() if the SoC supports it to see a debug printk just before a write hanging the system. On ARMs, the atomic operations on strongly ordered memory are implementation defined. So let's provide an optional kernel parameter for configuring pgprot_noncached(), and use pgprot_writecombine() by default. Cc: Arnd Bergmann <arnd@arndb.de> Cc: Rob Herring <robherring2@gmail.com> Cc: Randy Dunlap <rdunlap@infradead.org> Cc: Anton Vorontsov <anton@enomsg.org> Cc: Colin Cross <ccross@android.com> Cc: Olof Johansson <olof@lixom.net> Cc: Russell King <linux@arm.linux.org.uk> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: Tony Lindgren <tony@atomide.com> Signed-off-by: Tony Luck <tony.luck@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-01-08T18:30:27+00:00 Richard Guy Briggs rgb@redhat.com 2014-12-23T18:02:04+00:00 urn:sha1:3d7c0c1f6092ae814a5c7190cc382daa3543033a commit 041d7b98ffe59c59fdd639931dea7d74f9aa9a59 upstream. A regression was caused by commit 780a7654cee8: audit: Make testing for a valid loginuid explicit. (which in turn attempted to fix a regression caused by e1760bd) When audit_krule_to_data() fills in the rules to get a listing, there was a missing clause to convert back from AUDIT_LOGINUID_SET to AUDIT_LOGINUID. This broke userspace by not returning the same information that was sent and expected. The rule: auditctl -a exit,never -F auid=-1 gives: auditctl -l LIST_RULES: exit,never f24=0 syscall=all when it should give: LIST_RULES: exit,never auid=-1 (0xffffffff) syscall=all Tag it so that it is reported the same way it was set. Create a new private flags audit_krule field (pflags) to store it that won't interact with the public one from the API. Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Paul Moore <pmoore@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-01-08T18:30:26+00:00 Eric W. Biederman ebiederm@xmission.com 2014-12-02T18:27:26+00:00 urn:sha1:4a7215f13452bf2e8d271b2b9f09fddd990b4c04 commit 9cc46516ddf497ea16e8d7cb986ae03a0f6b92f8 upstream. - Expose the knob to user space through a proc file /proc/<pid>/setgroups A value of "deny" means the setgroups system call is disabled in the current processes user namespace and can not be enabled in the future in this user namespace. A value of "allow" means the segtoups system call is enabled. - Descendant user namespaces inherit the value of setgroups from their parents. - A proc file is used (instead of a sysctl) as sysctls currently do not allow checking the permissions at open time. - Writing to the proc file is restricted to before the gid_map for the user namespace is set. This ensures that disabling setgroups at a user namespace level will never remove the ability to call setgroups from a process that already has that ability. A process may opt in to the setgroups disable for itself by creating, entering and configuring a user namespace or by calling setns on an existing user namespace with setgroups disabled. Processes without privileges already can not call setgroups so this is a noop. Prodcess with privilege become processes without privilege when entering a user namespace and as with any other path to dropping privilege they would not have the ability to call setgroups. So this remains within the bounds of what is possible without a knob to disable setgroups permanently in a user namespace. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-01-08T18:30:25+00:00 Eric W. Biederman ebiederm@xmission.com 2014-12-06T00:01:11+00:00 urn:sha1:d5c3ebc43923644c61155b6b71f9b1a36d570343 commit 273d2c67c3e179adb1e74f403d1e9a06e3f841b5 upstream. setgroups is unique in not needing a valid mapping before it can be called, in the case of setgroups(0, NULL) which drops all supplemental groups. The design of the user namespace assumes that CAP_SETGID can not actually be used until a gid mapping is established. Therefore add a helper function to see if the user namespace gid mapping has been established and call that function in the setgroups permission check. This is part of the fix for CVE-2014-8989, being able to drop groups without privilege using user namespaces. Reviewed-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-01-08T18:30:25+00:00 Eric W. Biederman ebiederm@xmission.com 2014-12-05T23:19:27+00:00 urn:sha1:e726c9a0a24b1381b2714dbeca322ab446fccb4a commit 7ff4d90b4c24a03666f296c3d4878cd39001e81e upstream. Today there are 3 instances of setgroups and due to an oversight their permission checking has diverged. Add a common function so that they may all share the same permission checking code. This corrects the current oversight in the current permission checks and adds a helper to avoid this in the future. A user namespace security fix will update this new helper, shortly. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2014-12-16T17:39:06+00:00 Al Viro viro@zeniv.linux.org.uk 2014-10-26T23:19:16+00:00 urn:sha1:679829c2e50332832c2e85b12ec851a423ad9892 commit 946e51f2bf37f1656916eb75bd0742ba33983c28 upstream. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2014-11-29T00:08:09+00:00 Linus Torvalds torvalds@linux-foundation.org 2014-11-29T00:08:09+00:00 urn:sha1:88910638717dd195cff1dd1ea74772b159632bba Pull staging/IIO driver fixes from Greg KH: "Here are some staging and IIO driver fixes for 3.18-rc7 that resolve a number of reported issues, and a new device id for a staging wireless driver. All of these have been in linux-next" * tag 'staging-3.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: staging: r8188eu: Add new device ID for DLink GO-USB-N150 staging: r8188eu: Fix scheduling while atomic error introduced in commit fadbe0cd iio: accel: bmc150: set low default thresholds iio: accel: bmc150: Fix iio_event_spec direction iio: accel: bmc150: Send x, y and z motion separately iio: accel: bmc150: Error handling when mode set fails iio: gyro: bmg160: Fix iio_event_spec direction iio: gyro: bmg160: Send x, y and z motion separately iio: gyro: bmg160: Don't let interrupt mode to be open drain iio: gyro: bmg160: Error handling when mode set fails iio: adc: men_z188_adc: Add terminating entry for men_z188_ids iio: accel: kxcjk-1013: Fix kxcjk10013_set_range iio: Fix IIO_EVENT_CODE_EXTRACT_DIR bit mask 2014-11-26T19:06:36+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2014-11-26T19:06:36+00:00 urn:sha1:8bb9b9a006e8b092be3a14530d8f12cb4cb9428b Jonathan writes: Third set of IIO fixes for the 3.18 cycle. Most of these are fairly standard little fixes, a bmc150 and bmg160 patch is to make an ABI change to indicated a specific axis in an event rather than the generic option in the original drivers. As both of these drivers are new in this cycle it would be ideal to push this minor change through even though it isn't strictly a fix. A couple of other 'fixes' change defaults for some settings on these new drivers to more intuitive calues. Looks like some useful feedback has been coming in for this driver since it was applied. * IIO_EVENT_CODE_EXTRACT_DIR bit mask was wrong and has been for a while 0xCF clearly doesn't give a contiguous bitmask. * kxcjk-1013 range setting was failing to mask out the previous value in the register and hence was 'enable only'. * men_z188 device id table wasn't null terminated. * bmg160 and bmc150 both failed to correctly handling an error in mode setting. * bmg160 and bmc150 both had a bug in setting the event direction in the event spec (leads to an attribute name being incorrect) * bmg160 defaulted to an open drain output for the interrupt - as a default this obviously only works with some interrupt chips - hence change the default to push-pull (note this is a new driver so we aren't going to cause any regressions with this change). * bmc150 had an unintuitive default for the rate of change (motion detector) so change it to 0 (new driver so change of default won't cause any regressions).