1. 21 Apr, 2004 19 commits
    • Linus Torvalds's avatar
      Revert fb_ioctl "fix" with extreme prejudice. · a8588521
      Linus Torvalds authored
      As Arjan points out, the patch does exactly the opposite
      of what it was claimed to do.
      
      Andrea: tssk tssk.
      
      Cset exclude: akpm@osdl.org[torvalds]|ChangeSet|20040421144431|15930
      a8588521
    • Andrew Morton's avatar
      [PATCH] loop_set_fd() sendfile check fix · cd546897
      Andrew Morton authored
      From: Yury Umanets <torque@ukrpost.net>
      
      I have found small inconsistency in loop_set_fd().  It checks if
      ->sendfile() is implemented for passed block device file.  But in fact,
      loop back device driver never calls it.  It uses ->sendfile() from backing
      store file.
      cd546897
    • Andrew Morton's avatar
      [PATCH] i386 hugetlb tlb correction · 57a3170c
      Andrew Morton authored
      From: William Lee Irwin III <wli@holomorphy.com>
      
      i386 does hardware interpretation of pagetables, so pte_clear() can't be
      used on present ptes, as it sets the upper half of the hugepte prior to
      setting the lower half (which includes the valid bit).  i.e.  there is a
      window where having a hugepage mapped at 56GB and doing pte_clear() in
      unmap_hugepage_range() allows other threads of the process to see a
      hugepage at 0 in place of the original hugepage at 56GB.
      
      This patch corrects the situation by using ptep_get_and_clear(), which
      clears the lower word of the pte prior to clearing the upper word.
      
      There is another nasty where huge_page_release() needs to wait for TLB
      flushes before returning the hugepages to the free pool, analogous to the
      issue tlb_remove_page() and tlb_flush_mm() repair.
      57a3170c
    • Andrew Morton's avatar
      [PATCH] fb_ioctl() usercopy fix · 5ae4516e
      Andrew Morton authored
      From: Andrea Arcangeli <andrea@suse.de>
      
      Arrange for ioctl(FBIOPUTCMAP) to do copy_to_user() rather than memcpy.
      5ae4516e
    • Andrew Morton's avatar
      [PATCH] i810_dma range check · 87b9e30d
      Andrew Morton authored
      From: Andrea Arcangeli <andrea@suse.de>
      
      Correctly range-check an incoming-from-userspace argument.  Found by the
      Stanford checker.
      87b9e30d
    • Andrew Morton's avatar
      [PATCH] selinux: remove hardcoded policy assumption from get_user_sids() logic · ed328082
      Andrew Morton authored
      From: Stephen Smalley <sds@epoch.ncsc.mil>
      
      This patch removes a hardcoded policy assumption from the get_user_sids logic
      in the SELinux module that was preventing it from returning contexts that had
      the same type as the caller even if the policy allowed such a transition.  The
      assumption is not valid for all policies, and can be handled via policy
      configuration and userspace rather than hardcoding it in the module logic.
      ed328082
    • Andrew Morton's avatar
      [PATCH] selinux: add runtime disable · c59f3ad7
      Andrew Morton authored
      From: Stephen Smalley <sds@epoch.ncsc.mil>
      
      This patch adds a kernel configuration option that enables writing to a new
      selinuxfs node 'disable' that allows SELinux to be disabled at runtime prior
      to initial policy load.  SELinux will then remain disabled until next boot.
      This option is similar to the selinux=0 boot parameter, but is to support
      runtime disabling of SELinux, e.g.  from /sbin/init, for portability across
      platforms where boot parameters are difficult to employ (based on feedback by
      Jeremy Katz).
      c59f3ad7
    • Andrew Morton's avatar
      [PATCH] selinux: change context_to_sid handling for no-policy case · 77782961
      Andrew Morton authored
      From: Stephen Smalley <sds@epoch.ncsc.mil>
      
      This patch changes the behavior of security_context_to_sid in the no-policy
      case so that it simply accepts all contexts and maps them to the kernel SID
      rather than rejecting anything other than an initial SID.  The change avoids
      error conditions when using SELinux in permissive/no-policy mode, so that any
      file contexts left on disk from prior use of SELinux with a policy will not
      cause an error when they are looked up and userspace attempts to set contexts
      can succeed.
      77782961
    • Andrew Morton's avatar
      [PATCH] i4l: add compat ioctl's for CAPI · 014df416
      Andrew Morton authored
      From: Marcel Holtmann <marcel@holtmann.org>
      
      This patch adds the needed compat ioctl's for the CAPI on 64bit platforms.
      014df416
    • Andrew Morton's avatar
      [PATCH] lockfs - dm bits · 82fec55c
      Andrew Morton authored
      From: Christoph Hellwig <hch@lst.de>
      
      This patch makes the device mapper use the new freeze_bdev/thaw_bdev
      interface.  Extracted from Chris Mason's patch.
      82fec55c
    • Andrew Morton's avatar
      [PATCH] lockfs - xfs bits · 46f76939
      Andrew Morton authored
      From: Christoph Hellwig <hch@lst.de>
      
      Remove all the code now in the VFS, make XFS's freeze ioctls use the new
      infastructure and reorganize some code.
      
      This code needs some work so the source files shared with 2.4 aren't
      exposed to the new VFS interfaces directly.  You'll get an update once this
      has been discussed with the other XFS developers and is implemented.  Note
      that the current patch works fine and I wouldn't complain if it gets into
      Linus' tree as-is.
      46f76939
    • Andrew Morton's avatar
      [PATCH] lockfs: reiserfs fix · 472336a4
      Andrew Morton authored
      From: Chris Mason <mason@suse.com>
      
      reiserfs_write_super_lockfs() is supposed to wait for the transaction to
      commit.
      472336a4
    • Andrew Morton's avatar
      [PATCH] lockfs - vfs bits · 137718ec
      Andrew Morton authored
      From: Christoph Hellwig <hch@lst.de>
      
      These are the generic lockfs bits.  Basically it takes the XFS freezing
      statemachine into the VFS.  It's all behind the kernel-doc documented
      freeze_bdev and thaw_bdev interfaces.
      
      Based on an older patch from Chris Mason.
      137718ec
    • Andrew Morton's avatar
      [PATCH] remove amd7xx_tco · 4aa3ba95
      Andrew Morton authored
      From: Zwane Mwaikambo <zwane@linuxpower.ca>
      
      We've had trouble with this driver, it appears to work but the hardware
      never does the final reboot.  I have yet to come across someone with a
      board which works and don't have personal access to one.  So how about
      scrapping the whole thing.
      4aa3ba95
    • Andrew Morton's avatar
      [PATCH] Call populate_rootfs later in boot · d8d03c0f
      Andrew Morton authored
      populate_rootfs() is called rather early - before we've called init_idle().
      
      But populate_rootfs() does file I/O, which involves calls to cond_resched(),
      and downing of semaphores, etc.  If it scheules, the scheduler emits
      scheduling-while-atomic warnings and sometimes oopses.
      
      So run populate_rootfs() later, after the scheduler is all set up.
      d8d03c0f
    • Andrew Morton's avatar
      [PATCH] ext3 avoid writing kernel memory to disk · c13b1e72
      Andrew Morton authored
      From: Marc-Christian Petersen <m.c.p@kernel.linux-systeme.com>
      
      Solar Designer discovered an information leak in the ext3 code of Linux.
      In a worst case an attacker could read sensitive data such as cryptographic
      keys which would otherwise never hit disk media.  Theodore Ts'o developed a
      correction for this.
      c13b1e72
    • Andrew Morton's avatar
      [PATCH] compute_creds race · b7fbe52c
      Andrew Morton authored
      From: Andy Lutomirski <luto@myrealbox.com>
      
      Fixes from me, Olaf Dietsche <olaf+list.linux-kernel@olafdietsche.de>
      
      In fs/exec.c, compute_creds does:
      
      	task_lock(current);
      	if (bprm->e_uid != current->uid || bprm->e_gid != current->gid) {
                       current->mm->dumpable = 0;
      
      		if (must_not_trace_exec(current)
      		    || atomic_read(&current->fs->count) > 1
      		    || atomic_read(&current->files->count) > 1
      		    || atomic_read(&current->sighand->count) > 1) {
      			if(!capable(CAP_SETUID)) {
      				bprm->e_uid = current->uid;
      				bprm->e_gid = current->gid;
      			}
      		}
      	}
      
               current->suid = current->euid = current->fsuid = bprm->e_uid;
               current->sgid = current->egid = current->fsgid = bprm->e_gid;
      
      	task_unlock(current);
      
      	security_bprm_compute_creds(bprm);
      
      I assume the task_lock is to prevent another process (on SMP or preempt)
      from ptracing the execing process between the check and the assignment.  If
      that's the concern then the fact that the lock is dropped before the call
      to security_brpm_compute_creds means that, if security_bprm_compute_creds
      does anything interesting, there's a race.
      
      For my (nearly complete) caps patch, I obviously need to fix this.  But I
      think it may be exploitable now.  Suppose there are two processes, A (the
      malicious code) and B (which uses exec).  B starts out unprivileged (A and
      B have, e.g., uid and euid = 500).
      
      1. A ptraces B.
      
      2. B calls exec on some setuid-root program.
      
      3. in cap_bprm_set_security, B sets bprm->cap_permitted to the full
         set.
      
      4. B gets to compute_creds in exec.c, calls task_lock, and does not
         change its uid.
      
      5. B calls task_unlock.
      
      6. A detaches from B (on preempt or SMP).
      
      7. B gets to task_lock in cap_bprm_compute_creds, changes its
         capabilities, and returns from compute_creds into load_elf_binary.
      
      8. load_elf_binary calls create_elf_tables (line 852 in 2.6.5-mm1),
         which calls cap_bprm_secureexec (through LSM), which returns false (!).
      
      9. exec finishes.
      
      The setuid program is now running with uid=euid=500 but full permitted
      capabilities.  There are two (or three) ways to effectively get local root
      now:
      
      1.  IIRC, linux 2.4 doesn't check capabilities in ptrace, so A could
         just ptrace B again.
      
      2. LD_PRELOAD.
      
      3.  There are probably programs that will misbehave on their own under
         these circumstances.
      
      Is there some reason why this is not doable?
      
      The patch renames bprm_compute_creds to bprm_apply_creds and moves all uid
      logic into the hook, where the test and the resulting modification can both
      happen under task_lock().
      
      This way, out-of-tree LSMs will fail to compile instead of malfunctioning. 
      It should also make life easier for LSMs and will certainly make it easier
      for me to finish the cap patch.
      b7fbe52c
    • Andrew Morton's avatar
      [PATCH] Fix nfsroot option handling · ce0cbde1
      Andrew Morton authored
      From: Trond Myklebust <trond.myklebust@fys.uio.no>
      
      The following patch fixes up a number of bugs in the NFSroot parser
      rewrite from patchset
      trond.myklebust@fys.uio.no|ChangeSet|20040411182341|00938
      
      It also ensures that NFSroot mount options are consistent with the userland
      "mount" program.
      ce0cbde1
    • Ulrich Drepper's avatar
      [PATCH] Add missing __initdata · e7086e68
      Ulrich Drepper authored
      One of the stack size optimizations introduced a new static variable in
      a function marked with __init.  But the variable is not marked
      appropriately and so 1k of data is never freed.
      e7086e68
  2. 20 Apr, 2004 13 commits
    • Linus Torvalds's avatar
      Merge bk://bk.arm.linux.org.uk/linux-2.6-rmk · 171e0205
      Linus Torvalds authored
      into ppc970.osdl.org:/home/torvalds/v2.6/linux
      171e0205
    • Russell King's avatar
      [ARM] Add find_first_bit and find_next_bit. · 7a928ead
      Russell King authored
      7a928ead
    • Linus Torvalds's avatar
      Linux 2.6.6-rc2 · 347f6162
      Linus Torvalds authored
      347f6162
    • Jens Axboe's avatar
      [PATCH] Fix CFQ elevator problem · 28f95425
      Jens Axboe authored
      Remove bogus assert in CFQ and remove merge hints.
      28f95425
    • Andrew Morton's avatar
      [PATCH] MIPS update · 70e2d422
      Andrew Morton authored
      From: Ralf Baechle <ralf@linux-mips.org>
      
      - more work on resurrecting AMD Alchemy platforms
      - cleanup of unnecessary <asm/pgalloc.h> inclusions
      - update default config files
      - cleanup 32-bit compat ioctl code
      - support for Montum Jaguar ATX
      - workarounds for early revs of the RM9000
      - fixes for RM5000 and RM7000 cache handling
      - add support for PMC-Sierra Yosemite eval board
      - further cleanup and bugfixes for SGI IP27
      - make LASAT and VR41xx build and work in 2.6
      - improved SGI IP32 support
      - plenty of small fixes
      70e2d422
    • Andrew Morton's avatar
      [PATCH] MIPS: update documentation files · fb4e0779
      Andrew Morton authored
      From: Ralf Baechle <ralf@linux-mips.org>
      
      The pending changes to the MIPS doc files, more changes needed...
      fb4e0779
    • Andrew Morton's avatar
      [PATCH] MIPS: don't offer SERIAL_DZ on 64-bit DEC · c93def0b
      Andrew Morton authored
      From: Ralf Baechle <ralf@linux-mips.org>
      
      Limit the DZ driver to MIPS32 as the supported hardware is only present in
      R2k/R3k-based systems (unless someone sends Maciej a PMAC-A board for driver
      development).
      c93def0b
    • Andrew Morton's avatar
      [PATCH] remove duplicated COPYING file in fs/hfs/ · d4047c3f
      Andrew Morton authored
      From: Christoph Hellwig <hch@lst.de>
      
      We don't need a copy of COPYING down in fs/hfs.  Roman said he didn't mind,
      so..
      d4047c3f
    • Andrew Morton's avatar
      [PATCH] hlist_add_after() fix · 83de2fa5
      Andrew Morton authored
      From: "Pedro Emanuel M. D. Pinto" <pepinto@student.dei.uc.pt>
      
      This currently-unused function is incorrectly implemented.  Fix.
      83de2fa5
    • Andrew Morton's avatar
      [PATCH] pcnet32.c build fix · 717a2c9c
      Andrew Morton authored
      Remove a duplicated case which recently snuck in there.
      717a2c9c
    • Andrew Morton's avatar
      [PATCH] fix madvise(MADV_DONTNEED) for nonlinear vmas · d614d315
      Andrew Morton authored
      From: Hugh Dickins <hugh@veritas.com>
      
      Jamie points out that madvise(MADV_DONTNEED) should unmap pages from a
      nonlinear area in such a way that the nonlinear offsets are preserved if the
      pages do turn out to be needed later after all, instead of reverting them to
      linearity: needs to pass down a zap_details block.
      
      (But this still leaves mincore unaware of nonlinear vmas: bigger job.)
      d614d315
    • Andrew Morton's avatar
      [PATCH] reiserfs use-after-free fix · e8b338d6
      Andrew Morton authored
      From: Chris Mason <mason@suse.com>
      
      reiserfs-delayed-work started using queue_delayed_work, but did not make sure
      the timer was finished before it freed the work queue structs during unmount. 
      This leads to timer oopsen if you unmount at just the right time.
      e8b338d6
    • Roland McGrath's avatar
      [PATCH] fix for potential deadlock after posix-timers change · f3276a18
      Roland McGrath authored
      Ulrich has been working on the glibc code using posix-timers and
      stressing it more now than it has before.  He ran into an SMP deadlock
      on process exit in the case there are pending queued signals from a
      timer.
      
      The deadlock arises because in the path through exit_itimers, the
      tasklist_lock is already held (for writing).  When a timer is being
      deleted, sigqueue_free will try to take it (for reading) in the case
      where that timer has a pending signal queued on somebody's queue.  This
      patch avoids the problem by making sure the queues are flushed before
      calling exit_itimers, thus ensuring its code path won't try to take
      tasklist_lock.
      f3276a18
  3. 19 Apr, 2004 8 commits