* 'audit.b10' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current:
[PATCH] Audit Filter Performance
[PATCH] Rework of IPC auditing
[PATCH] More user space subject labels
[PATCH] Reworked patch for labels on user space messages
[PATCH] change lspp ipc auditing
[PATCH] audit inode patch
[PATCH] support for context based audit filtering, part 2
[PATCH] support for context based audit filtering
[PATCH] no need to wank with task_lock() and pinning task down in audit_syscall_exit()
[PATCH] drop task argument of audit_syscall_{entry,exit}
[PATCH] drop gfp_mask in audit_log_exit()
[PATCH] move call of audit_free() into do_exit()
[PATCH] sockaddr patch
[PATCH] deal with deadlocks in audit_free()
When iptables userspace adds an ipt_standard_target, it calculates the size
of the entire entry as:
sizeof(struct ipt_entry) + XT_ALIGN(sizeof(struct ipt_standard_target))
ipt_standard_target looks like this:
struct xt_standard_target
{
struct xt_entry_target target;
int verdict;
};
xt_entry_target contains a pointer, so when compiled for 64 bit the
structure gets an extra 4 byte of padding at the end. On 32 bit
architectures where iptables aligns to 8 byte it will also have 4
byte padding at the end because it is only 36 bytes large.
The compat_ipt_standard_fn in the kernel adjusts the offsets by
sizeof(struct ipt_standard_target) - sizeof(struct compat_ipt_standard_target),
which will always result in 4, even if the structure from userspace
was already padded to a multiple of 8. On x86 this works out by
accident because userspace only aligns to 4, on all other
architectures this is broken and causes incorrect adjustments to
the size and following offsets.
Thanks to Linus for lots of debugging help and testing.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* 'splice' of git://brick.kernel.dk/data/git/linux-2.6-block:
[PATCH] vmsplice: allow user to pass in gift pages
[PATCH] pipe: enable atomic copying of pipe data to/from user space
[PATCH] splice: call handle_ra_miss() on failure to lookup page
[PATCH] Add ->splice_read/splice_write to def_blk_fops
[PATCH] pipe: introduce ->pin() buffer operation
[PATCH] splice: fix bugs in pipe_to_file()
[PATCH] splice: fix bugs with stealing regular pipe pages
Add an nid member to the spu structure, and store the numa id of the spu there
on creation.
Signed-off-by: Arnd Bergmann <arnd.bergmann@de.ibm.com>
Cc: Paul Mackerras <paulus@samba.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Change of_node_to_nid() to traverse the device tree, looking for a numa id.
Cell uses this to assign ids to SPUs, which are children of the CPU node.
Existing users of of_node_to_nid() are altered to use of_node_to_nid_single(),
which doesn't do the traversal.
Export an attach_sysdev_to_node() function, allowing system devices (eg.
SPUs) to link themselves into the numa topology in sysfs.
Signed-off-by: Arnd Bergmann <arnd.bergmann@de.ibm.com>
Cc: Paul Mackerras <paulus@samba.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
If SPLICE_F_GIFT is set, the user is basically giving this pages away to
the kernel. That means we can steal them for eg page cache uses instead
of copying it.
The data must be properly page aligned and also a multiple of the page size
in length.
Signed-off-by: Jens Axboe <axboe@suse.de>
The pipe ->map() method uses kmap() to virtually map the pages, which
is both slow and has known scalability issues on SMP. This patch enables
atomic copying of pipe pages, by pre-faulting data and using kmap_atomic()
instead.
lmbench bw_pipe and lat_pipe measurements agree this is a Good Thing. Here
are results from that on a UP machine with highmem (1.5GiB of RAM), running
first a UP kernel, SMP kernel, and SMP kernel patched.
Vanilla-UP:
Pipe bandwidth: 1622.28 MB/sec
Pipe bandwidth: 1610.59 MB/sec
Pipe bandwidth: 1608.30 MB/sec
Pipe latency: 7.3275 microseconds
Pipe latency: 7.2995 microseconds
Pipe latency: 7.3097 microseconds
Vanilla-SMP:
Pipe bandwidth: 1382.19 MB/sec
Pipe bandwidth: 1317.27 MB/sec
Pipe bandwidth: 1355.61 MB/sec
Pipe latency: 9.6402 microseconds
Pipe latency: 9.6696 microseconds
Pipe latency: 9.6153 microseconds
Patched-SMP:
Pipe bandwidth: 1578.70 MB/sec
Pipe bandwidth: 1579.95 MB/sec
Pipe bandwidth: 1578.63 MB/sec
Pipe latency: 9.1654 microseconds
Pipe latency: 9.2266 microseconds
Pipe latency: 9.1527 microseconds
Signed-off-by: Jens Axboe <axboe@suse.de>
The ->map() function is really expensive on highmem machines right now,
since it has to use the slower kmap() instead of kmap_atomic(). Splice
rarely needs to access the virtual address of a page, so it's a waste
of time doing it.
Introduce ->pin() to take over the responsibility of making sure the
page data is valid. ->map() is then reduced to just kmap(). That way we
can also share a most of the pipe buffer ops between pipe.c and splice.c
Signed-off-by: Jens Axboe <axboe@suse.de>
Found by Oleg Nesterov <oleg@tv-sign.ru>, fixed by me.
- Only allow full pages to go to the page cache.
- Check page != buf->page instead of using PIPE_BUF_FLAG_STOLEN.
- Remember to clear 'stolen' if add_to_page_cache() fails.
And as a cleanup on that:
- Make the bottom fall-through logic a little less convoluted. Also make
the steal path hold an extra reference to the page, so we don't have
to differentiate between stolen and non-stolen at the end.
Signed-off-by: Jens Axboe <axboe@suse.de>
* master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6:
[TG3]: Update version and reldate
[TG3]: Fix bug in nvram write
[TG3]: Add reset_phy parameter to chip reset functions
[TG3]: Reset chip when changing MAC address
[TG3]: Add phy workaround
[TG3]: Call netif_carrier_off() during phy reset
[IPV6]: Fix race in route selection.
[XFRM]: fix incorrect xfrm_policy_afinfo_lock use
[XFRM]: fix incorrect xfrm_state_afinfo_lock use
[TCP]: Fix unlikely usage in tcp_transmit_skb()
[XFRM]: fix softirq-unsafe xfrm typemap->lock use
[IPSEC]: Fix IP ID selection
[NET]: use hlist_unhashed()
[IPV4]: inet_init() -> fs_initcall
[NETLINK]: cleanup unused macro in net/netlink/af_netlink.c
[PKT_SCHED] netem: fix loss
[X25]: fix for spinlock recurse and spinlock lockup with timer handler
* git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
Input: make EVIOCGSND return meaningful data
Input: ressurect EVIOCGREP and EVIOCSREP
Input: psmouse - fix new device detection logic
Input: move input_device_id to mod_devicetable.h
Input: allow using several chords for braille
Input: allow passing NULL to input_free_device()
Input: spitzkbd - fix the reversed Address and Calender keys
Input: ads7846 - improve filtering for thumb press accuracy
Input: ads7846 - report 0 pressure value along with pen up event
Input: ads7846 - handle IRQs that were latched during disabled IRQs
Input: ads7846 - miscellaneous fixes
Input: ads7846 - use msleep() instead of udelay() in suspend
Input: ads7846 - debouncing and rudimentary sample filtering
Input: ads7846 - power down ADC a bit later
Input: ads7846 - add pen_down sysfs attribute
Input: wistron - add support for Fujitsu N3510
Input: wistron - add signature for Amilo M7400
* git://git.kernel.org/pub/scm/linux/kernel/git/perex/alsa: (22 commits)
[ALSA] via82xx - Use DXS_SRC as default for VIA8235/8237/8251 chips
[ALSA] hda-codec - Add model entry for ASUS Z62F
[ALSA] PCMCIA sound devices shouldn't depend on ISA
[ALSA] hda-codec - Fix capture from line-in on VAIO SZ/FE laptops
[ALSA] Fix Oops at rmmod with CONFIG_SND_VERBOSE_PROCFS=n
[ALSA] PCM core - introduce CONFIG_SND_PCM_XRUN_DEBUG
[ALSA] adding __devinitdata to pci_device_id
[ALSA] add __devinitdata to all pci_device_id
[ALSA] hda-codec - Add codec id for AD1988B codec chip
[ALSA] hda-codec - Add model entry for ASUS M9 laptop
[ALSA] pcxhr - Fix a compiler warning on 64bit architectures
[ALSA] via82xx: tweak VT8251 workaround
[ALSA] intel8x0 - Disable ALI5455 SPDIF-input
[ALSA] via82xx: add support for VIA VT8251 (AC'97)
[ALSA] Fix typos and add information about Jack support to Audiophile-Usb.txt
[ALSA] Fix double free in error path of miro driver
[ALSA] hda-codec - Add entry for Epox EP-5LDA+ GLi
[ALSA] sound/pci/: remove duplicate #include's
[ALSA] hda-codec - Use model 'hp' for all HP laptops with AD1981HD
[ALSA] continue on IS_ERR from platform device registration
...
1) The audit_ipc_perms() function has been split into two different
functions:
- audit_ipc_obj()
- audit_ipc_set_perm()
There's a key shift here... The audit_ipc_obj() collects the uid, gid,
mode, and SElinux context label of the current ipc object. This
audit_ipc_obj() hook is now found in several places. Most notably, it
is hooked in ipcperms(), which is called in various places around the
ipc code permforming a MAC check. Additionally there are several places
where *checkid() is used to validate that an operation is being
performed on a valid object while not necessarily having a nearby
ipcperms() call. In these locations, audit_ipc_obj() is called to
ensure that the information is captured by the audit system.
The audit_set_new_perm() function is called any time the permissions on
the ipc object changes. In this case, the NEW permissions are recorded
(and note that an audit_ipc_obj() call exists just a few lines before
each instance).
2) Support for an AUDIT_IPC_SET_PERM audit message type. This allows
for separate auxiliary audit records for normal operations on an IPC
object and permissions changes. Note that the same struct
audit_aux_data_ipcctl is used and populated, however there are separate
audit_log_format statements based on the type of the message. Finally,
the AUDIT_IPC block of code in audit_free_aux() was extended to handle
aux messages of this new type. No more mem leaks I hope ;-)
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Hi,
The patch below builds upon the patch sent earlier and adds subject label to
all audit events generated via the netlink interface. It also cleans up a few
other minor things.
Signed-off-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
The below patch should be applied after the inode and ipc sid patches.
This patch is a reworking of Tim's patch that has been updated to match
the inode and ipc patches since its similar.
[updated:
> Stephen Smalley also wanted to change a variable from isec to tsec in the
> user sid patch. ]
Signed-off-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Hi,
The patch below converts IPC auditing to collect sid's and convert to context
string only if it needs to output an audit record. This patch depends on the
inode audit change patch already being applied.
Signed-off-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Previously, we were gathering the context instead of the sid. Now in this patch,
we gather just the sid and convert to context only if an audit event is being
output.
This patch brings the performance hit from 146% down to 23%
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
The following patch provides selinux interfaces that will allow the audit
system to perform filtering based on the process context (user, role, type,
sensitivity, and clearance). These interfaces will allow the selinux
module to perform efficient matches based on lower level selinux constructs,
rather than relying on context retrievals and string comparisons within
the audit module. It also allows for dominance checks on the mls portion
of the contexts that are impossible with only string comparisons.
Signed-off-by: Darrel Goeddel <dgoeddel@trustedcs.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Patch from Deepak Saxena
This patch allows for the addition of IXP4xx systems that do not make
use of the PCI interface by moving the CONFIG_PCI symbol selection to
be platform-specific instead of for all of IXP4xx. If at least one machine
with PCI support is built, the PCI code will be compiled in, but when
building !PCI, this will drastically shrink the kernel size.
Signed-off-by: Deepak Saxena <dsaxena@plexity.net>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Patch from Markus Gutschke
In order to prevent gcc from making incorrect optimizations, all asm()
statements that define system calls should report memory as
clobbered. Recent versions of the headers for i386 have been changed
accordingly, but the ARM headers are still defective.
This patch fixes the bug tracked at
http://bugzilla.kernel.org/show_bug.cgi?id=6205
Signed-off-by: Markus Gutschke <markus@google.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
