<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/include, branch v2.6.37.4</title>
<subtitle>Linux kernel source tree</subtitle>
<id>https://git.amat.us/linux/atom/include?h=v2.6.37.4</id>
<link rel='self' href='https://git.amat.us/linux/atom/include?h=v2.6.37.4'/>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/'/>
<updated>2011-03-14T21:17:37Z</updated>
<entry>
<title>net: don't allow CAP_NET_ADMIN to load non-netdev kernel modules</title>
<updated>2011-03-14T21:17:37Z</updated>
<author>
<name>Vasiliy Kulikov</name>
<email>segoon@openwall.com</email>
</author>
<published>2011-03-01T21:33:13Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=8767008a7160188deb1e653d5dcaa630b16234b9'/>
<id>urn:sha1:8767008a7160188deb1e653d5dcaa630b16234b9</id>
<content type='text'>
commit 8909c9ad8ff03611c9c96c9a92656213e4bb495b upstream.

Since a8f80e8ff94ecba629542d9b4b5f5a8ee3eb565c any process with
CAP_NET_ADMIN may load any module from /lib/modules/.  This doesn't mean
that CAP_NET_ADMIN is a superset of CAP_SYS_MODULE as modules are
limited to /lib/modules/**.  However, CAP_NET_ADMIN capability shouldn't
allow anybody load any module not related to networking.

This patch restricts an ability of autoloading modules to netdev modules
with explicit aliases.  This fixes CVE-2011-1019.

Arnd Bergmann suggested to leave untouched the old pre-v2.6.32 behavior
of loading netdev modules by name (without any prefix) for processes
with CAP_SYS_MODULE to maintain the compatibility with network scripts
that use autoloading netdev modules by aliases like "eth0", "wlan0".

Currently there are only three users of the feature in the upstream
kernel: ipip, ip_gre and sit.

    root@albatros:~# capsh --drop=$(seq -s, 0 11),$(seq -s, 13 34) --
    root@albatros:~# grep Cap /proc/$$/status
    CapInh:	0000000000000000
    CapPrm:	fffffff800001000
    CapEff:	fffffff800001000
    CapBnd:	fffffff800001000
    root@albatros:~# modprobe xfs
    FATAL: Error inserting xfs
    (/lib/modules/2.6.38-rc6-00001-g2bf4ca3/kernel/fs/xfs/xfs.ko): Operation not permitted
    root@albatros:~# lsmod | grep xfs
    root@albatros:~# ifconfig xfs
    xfs: error fetching interface information: Device not found
    root@albatros:~# lsmod | grep xfs
    root@albatros:~# lsmod | grep sit
    root@albatros:~# ifconfig sit
    sit: error fetching interface information: Device not found
    root@albatros:~# lsmod | grep sit
    root@albatros:~# ifconfig sit0
    sit0      Link encap:IPv6-in-IPv4
	      NOARP  MTU:1480  Metric:1

    root@albatros:~# lsmod | grep sit
    sit                    10457  0
    tunnel4                 2957  1 sit

For CAP_SYS_MODULE module loading is still relaxed:

    root@albatros:~# grep Cap /proc/$$/status
    CapInh:	0000000000000000
    CapPrm:	ffffffffffffffff
    CapEff:	ffffffffffffffff
    CapBnd:	ffffffffffffffff
    root@albatros:~# ifconfig xfs
    xfs: error fetching interface information: Device not found
    root@albatros:~# lsmod | grep xfs
    xfs                   745319  0

Reference: https://lkml.org/lkml/2011/2/24/203

Signed-off-by: Vasiliy Kulikov &lt;segoon@openwall.com&gt;
Signed-off-by: Michael Tokarev &lt;mjt@tls.msk.ru&gt;
Acked-by: David S. Miller &lt;davem@davemloft.net&gt;
Acked-by: Kees Cook &lt;kees.cook@canonical.com&gt;
Signed-off-by: James Morris &lt;jmorris@namei.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>RxRPC: Fix v1 keys</title>
<updated>2011-03-14T21:17:33Z</updated>
<author>
<name>Anton Blanchard</name>
<email>anton@au1.ibm.com</email>
</author>
<published>2011-02-28T03:27:53Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=5f7d5448e9d9b8f7edd354289a4acc0852a7178d'/>
<id>urn:sha1:5f7d5448e9d9b8f7edd354289a4acc0852a7178d</id>
<content type='text'>
commit f009918a1c1bbf8607b8aab3959876913a30193a upstream.

commit 339412841d7 (RxRPC: Allow key payloads to be passed in XDR form)
broke klog for me. I notice the v1 key struct had a kif_version field
added:

-struct rxkad_key {
-       u16     security_index;         /* RxRPC header security index */
-       u16     ticket_len;             /* length of ticket[] */
-       u32     expiry;                 /* time at which expires */
-       u32     kvno;                   /* key version number */
-       u8      session_key[8];         /* DES session key */
-       u8      ticket[0];              /* the encrypted ticket */
-};

+struct rxrpc_key_data_v1 {
+       u32             kif_version;            /* 1 */
+       u16             security_index;
+       u16             ticket_length;
+       u32             expiry;                 /* time_t */
+       u32             kvno;
+       u8              session_key[8];
+       u8              ticket[0];
+};

However the code in rxrpc_instantiate strips it away:

	data += sizeof(kver);
	datalen -= sizeof(kver);

Removing kif_version fixes my problem.

Signed-off-by: Anton Blanchard &lt;anton@samba.org&gt;
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>block: add @force_kblockd to __blk_run_queue()</title>
<updated>2011-03-07T23:05:23Z</updated>
<author>
<name>Tejun Heo</name>
<email>tj@kernel.org</email>
</author>
<published>2011-03-02T13:48:05Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=02d63a7def32bb4a58ea6e24f0edfce0aa653aaa'/>
<id>urn:sha1:02d63a7def32bb4a58ea6e24f0edfce0aa653aaa</id>
<content type='text'>
commit 1654e7411a1ad4999fe7890ef51d2a2bbb1fcf76 upstream.

__blk_run_queue() automatically either calls q-&gt;request_fn() directly
or schedules kblockd depending on whether the function is recursed.
blk-flush implementation needs to be able to explicitly choose
kblockd.  Add @force_kblockd.

All the current users are converted to specify %false for the
parameter and this patch doesn't introduce any behavior change.

stable: This is prerequisite for fixing ide oops caused by the new
        blk-flush implementation.

Signed-off-by: Tejun Heo &lt;tj@kernel.org&gt;
Cc: Jan Beulich &lt;JBeulich@novell.com&gt;
Cc: James Bottomley &lt;James.Bottomley@HansenPartnership.com&gt;
Signed-off-by: Jens Axboe &lt;jaxboe@fusionio.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>blk-throttle: Do not use kblockd workqueue for throtl work</title>
<updated>2011-03-07T23:05:23Z</updated>
<author>
<name>Vivek Goyal</name>
<email>vgoyal@redhat.com</email>
</author>
<published>2011-03-01T18:40:54Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=e815788988678cd443b7f77603602d09e5a0da86'/>
<id>urn:sha1:e815788988678cd443b7f77603602d09e5a0da86</id>
<content type='text'>
commit 450adcbe518ab3a3953d8475309525d22de77cba upstream.

o Dominik Klein reported a system hang issue while doing some blkio
  throttling testing.

  https://lkml.org/lkml/2011/2/24/173

o Some tracing revealed that CFQ was not dispatching any more jobs as
  queue unplug was not happening. And queue unplug was not happening
  because unplug work was not being called as there was one throttling
  work on same cpu which as not finished yet. And throttling work had not
  finished as it was tyring to dispatch a bio to CFQ but all the request
  descriptors were consume to it was put to sleep.

o So basically it is a cyclic dependecny between CFQ unplug work and
  throtl dispatch work. Tejun suggested that use separate workqueue for
  such cases.

o This patch uses a separate workqueue for throttle related work and
  does not rely on kblockd workqueue anymore.

Reported-by: Dominik Klein &lt;dk@in-telegence.net&gt;
Signed-off-by: Vivek Goyal &lt;vgoyal@redhat.com&gt;
Acked-by: Tejun Heo &lt;tj@kernel.org&gt;
Signed-off-by: Jens Axboe &lt;jaxboe@fusionio.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>mm: vmstat: use a single setter function and callback for adjusting percpu thresholds</title>
<updated>2011-03-07T23:05:21Z</updated>
<author>
<name>Mel Gorman</name>
<email>mel@csn.ul.ie</email>
</author>
<published>2011-01-13T23:45:43Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=776be4763c7ece9b738c5a61bec68bc05b1b2d1c'/>
<id>urn:sha1:776be4763c7ece9b738c5a61bec68bc05b1b2d1c</id>
<content type='text'>
commit b44129b30652c8771db2265939bb8b463724043d upstream.

reduce_pgdat_percpu_threshold() and restore_pgdat_percpu_threshold() exist
to adjust the per-cpu vmstat thresholds while kswapd is awake to avoid
errors due to counter drift.  The functions duplicate some code so this
patch replaces them with a single set_pgdat_percpu_threshold() that takes
a callback function to calculate the desired threshold as a parameter.

[akpm@linux-foundation.org: readability tweak]
[kosaki.motohiro@jp.fujitsu.com: set_pgdat_percpu_threshold(): don't use for_each_online_cpu]
Signed-off-by: Mel Gorman &lt;mel@csn.ul.ie&gt;
Reviewed-by: Christoph Lameter &lt;cl@linux.com&gt;
Reviewed-by: KAMEZAWA Hiroyuki &lt;kamezawa.hiroyu@jp.fujitsu.com&gt;
Signed-off-by: KOSAKI Motohiro &lt;kosaki.motohiro@jp.fujitsu.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>drm: fix unsigned vs signed comparison issue in modeset ctl ioctl.</title>
<updated>2011-03-07T23:05:17Z</updated>
<author>
<name>Dave Airlie</name>
<email>airlied@redhat.com</email>
</author>
<published>2011-02-23T22:35:06Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=deca27950a4fcf88963d99e3b926c0e78ab4e5df'/>
<id>urn:sha1:deca27950a4fcf88963d99e3b926c0e78ab4e5df</id>
<content type='text'>
commit 1922756124ddd53846877416d92ba4a802bc658f upstream.

This fixes CVE-2011-1013.

Reported-by: Matthiew Herrb (OpenBSD X.org team)
Signed-off-by: Dave Airlie &lt;airlied@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>PM: Make ACPI wakeup from S5 work again when CONFIG_PM_SLEEP is unset</title>
<updated>2011-03-07T23:05:12Z</updated>
<author>
<name>Rafael J. Wysocki</name>
<email>rjw@sisk.pl</email>
</author>
<published>2011-02-24T10:10:01Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=dfa89fb5845c0b6d73650a488864be0f7cf83e92'/>
<id>urn:sha1:dfa89fb5845c0b6d73650a488864be0f7cf83e92</id>
<content type='text'>
commit 805bdaec1a44155db35f6ee5410d6bbc365324a8 upstream.

Commit 074037e (PM / Wakeup: Introduce wakeup source objects and
event statistics (v3)) caused ACPI wakeup to only work if
CONFIG_PM_SLEEP is set, but it also worked for CONFIG_PM_SLEEP unset
before.  This can be fixed by making device_set_wakeup_enable(),
device_init_wakeup() and device_may_wakeup() work in the same way
as before commit 074037e when CONFIG_PM_SLEEP is unset.

Reported-and-tested-by: Justin Maggard &lt;jmaggard10@gmail.com&gt;
Signed-off-by: Rafael J. Wysocki &lt;rjw@sisk.pl&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>Fix over-zealous flush_disk when changing device size.</title>
<updated>2011-03-07T23:05:12Z</updated>
<author>
<name>NeilBrown</name>
<email>neilb@suse.de</email>
</author>
<published>2011-02-24T06:25:47Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=645557910671f18c97ce78fd7d3949a1c3927486'/>
<id>urn:sha1:645557910671f18c97ce78fd7d3949a1c3927486</id>
<content type='text'>
commit 93b270f76e7ef3b81001576860c2701931cdc78b upstream.

There are two cases when we call flush_disk.
In one, the device has disappeared (check_disk_change) so any
data will hold becomes irrelevant.
In the oter, the device has changed size (check_disk_size_change)
so data we hold may be irrelevant.

In both cases it makes sense to discard any 'clean' buffers,
so they will be read back from the device if needed.

In the former case it makes sense to discard 'dirty' buffers
as there will never be anywhere safe to write the data.  In the
second case it *does*not* make sense to discard dirty buffers
as that will lead to file system corruption when you simply enlarge
the containing devices.

flush_disk calls __invalidate_devices.
__invalidate_device calls both invalidate_inodes and invalidate_bdev.

invalidate_inodes *does* discard I_DIRTY inodes and this does lead
to fs corruption.

invalidate_bev *does*not* discard dirty pages, but I don't really care
about that at present.

So this patch adds a flag to __invalidate_device (calling it
__invalidate_device2) to indicate whether dirty buffers should be
killed, and this is passed to invalidate_inodes which can choose to
skip dirty inodes.

flusk_disk then passes true from check_disk_change and false from
check_disk_size_change.

dm avoids tripping over this problem by calling i_size_write directly
rathher than using check_disk_size_change.

md does use check_disk_size_change and so is affected.

This regression was introduced by commit 608aeef17a which causes
check_disk_size_change to call flush_disk, so it is suitable for any
kernel since 2.6.27.

Acked-by: Jeff Moyer &lt;jmoyer@redhat.com&gt;
Cc: Andrew Patterson &lt;andrew.patterson@hp.com&gt;
Cc: Jens Axboe &lt;axboe@kernel.dk&gt;
Signed-off-by: NeilBrown &lt;neilb@suse.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>mm: prevent concurrent unmap_mapping_range() on the same inode</title>
<updated>2011-03-07T23:05:08Z</updated>
<author>
<name>Miklos Szeredi</name>
<email>mszeredi@suse.cz</email>
</author>
<published>2011-02-23T12:49:47Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=e98b9902196dd0bd598fae9b3bdbfda57a9e352b'/>
<id>urn:sha1:e98b9902196dd0bd598fae9b3bdbfda57a9e352b</id>
<content type='text'>
commit 2aa15890f3c191326678f1bd68af61ec6b8753ec upstream.

Michael Leun reported that running parallel opens on a fuse filesystem
can trigger a "kernel BUG at mm/truncate.c:475"

Gurudas Pai reported the same bug on NFS.

The reason is, unmap_mapping_range() is not prepared for more than
one concurrent invocation per inode.  For example:

  thread1: going through a big range, stops in the middle of a vma and
     stores the restart address in vm_truncate_count.

  thread2: comes in with a small (e.g. single page) unmap request on
     the same vma, somewhere before restart_address, finds that the
     vma was already unmapped up to the restart address and happily
     returns without doing anything.

Another scenario would be two big unmap requests, both having to
restart the unmapping and each one setting vm_truncate_count to its
own value.  This could go on forever without any of them being able to
finish.

Truncate and hole punching already serialize with i_mutex.  Other
callers of unmap_mapping_range() do not, and it's difficult to get
i_mutex protection for all callers.  In particular -&gt;d_revalidate(),
which calls invalidate_inode_pages2_range() in fuse, may be called
with or without i_mutex.

This patch adds a new mutex to 'struct address_space' to prevent
running multiple concurrent unmap_mapping_range() on the same mapping.

[ We'll hopefully get rid of all this with the upcoming mm
  preemptibility series by Peter Zijlstra, the "mm: Remove i_mmap_mutex
  lockbreak" patch in particular.  But that is for 2.6.39 ]

Signed-off-by: Miklos Szeredi &lt;mszeredi@suse.cz&gt;
Reported-by: Michael Leun &lt;lkml20101129@newton.leun.net&gt;
Reported-by: Gurudas Pai &lt;gurudas.pai@oracle.com&gt;
Tested-by: Gurudas Pai &lt;gurudas.pai@oracle.com&gt;
Acked-by: Hugh Dickins &lt;hughd@google.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>pcmcia: re-enable Zoomed Video support</title>
<updated>2011-02-24T22:54:39Z</updated>
<author>
<name>Dominik Brodowski</name>
<email>linux@dominikbrodowski.net</email>
</author>
<published>2011-02-19T11:35:15Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=74347222f2effb0efffa7e39e9f5edb8681aa64e'/>
<id>urn:sha1:74347222f2effb0efffa7e39e9f5edb8681aa64e</id>
<content type='text'>
commit 33619f0d3ff715a2a5499520967d526ad931d70d upstream.

Allow drivers to enable Zoomed Video support. Currently, this is only
used by out-of-tree drivers (L64020 DVB driver in particular).

Signed-off-by: Dominik Brodowski &lt;linux@dominikbrodowski.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
</feed>
