Merge branch 'master' of ssh://pkgs.fedoraproject.org/kernel into baytrail

Adam Williamson 2014-07-25 18:56:30 -07:00
commit a107075427
12 changed files with 2357 additions and 1179 deletions


@ -1,43 +0,0 @@
Bugzilla: 1117008
Upstream-status: Sent to intel-gfx
From b22370f0cf68e49ddcb3dd7033aba5ff6454dfcc Mon Sep 17 00:00:00 2001
From: Dave Airlie <airlied@redhat.com>
Date: Mon, 14 Jul 2014 10:54:20 +1000
Subject: [PATCH] Revert "drm/i915: reverse dp link param selection, prefer
fast over wide again"
This reverts commit 38aecea0ccbb909d635619cba22f1891e589b434.
This breaks Haswell Thinkpad + Lenovo dock in SST mode with a HDMI monitor attached.
Before this we can 1920x1200 mode, after this we only ever get 1024x768, and
a lot of deferring.
This didn't revert clean, but this should be fine.
bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1117008
Cc: stable@vger.kernel.org # v3.15
Signed-off-by: Dave Airlie <airlied@redhat.com>
---
drivers/gpu/drm/i915/intel_dp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/i915/intel_dp.c b/drivers/gpu/drm/i915/intel_dp.c
index 2a00cb8..61963d3 100644
--- a/drivers/gpu/drm/i915/intel_dp.c
+++ b/drivers/gpu/drm/i915/intel_dp.c
@@ -833,8 +833,8 @@ intel_dp_compute_config(struct intel_encoder *encoder,
mode_rate = intel_dp_link_required(adjusted_mode->crtc_clock,
bpp);
- for (lane_count = min_lane_count; lane_count <= max_lane_count; lane_count <<= 1) {
- for (clock = min_clock; clock <= max_clock; clock++) {
+ for (clock = min_clock; clock <= max_clock; clock++) {
+ for (lane_count = min_lane_count; lane_count <= max_lane_count; lane_count <<= 1) {
link_clock = drm_dp_bw_code_to_link_rate(bws[clock]);
link_avail = intel_dp_max_data_rate(link_clock,
lane_count);
--
1.9.3


@ -106,3 +106,8 @@ CONFIG_RTC_DRV_EFI=y
# dma issues in headers
# CONFIG_PARPORT_PC is not set
# CONFIG_VGA_CONSOLE is not set
CONFIG_PCI_XGENE=y
CONFIG_HOTPLUG_PCI=y
# CONFIG_HOTPLUG_PCI_CPCI is not set
# CONFIG_HOTPLUG_PCI_SHPC is not set


@ -316,7 +316,7 @@ CONFIG_OMAP_REMOTEPROC=m
# CONFIG_OMAP_MUX_DEBUG is not set
# CONFIG_VIDEO_OMAP3_DEBUG is not set
# AM33xx
# AM33xx/43xx
CONFIG_SOC_AM33XX=y
CONFIG_SOC_AM43XX=y
CONFIG_AM335X_CONTROL_USB=m
@ -348,8 +348,8 @@ CONFIG_REGULATOR_TI_ABB=m
CONFIG_TI_ADC081C=m
CONFIG_TI_AM335X_ADC=m
CONFIG_PWM_TIPWMSS=y
# CONFIG_GPIO_DAVINCI is not set
# CONFIG_DAVINCI_WATCHDOG is not set
CONFIG_MFD_TPS65218=m
CONFIG_REGULATOR_TPS65218=m
# QCom
CONFIG_ARCH_MSM8X60=y


@ -1695,13 +1695,13 @@ CONFIG_B43_SDIO=y
CONFIG_B43_BCMA=y
# CONFIG_B43_BCMA_EXTRA is not set
CONFIG_B43_BCMA_PIO=y
# CONFIG_B43_DEBUG is not set
CONFIG_B43_DEBUG=y
CONFIG_B43_PHY_LP=y
CONFIG_B43_PHY_N=y
CONFIG_B43_PHY_HT=y
# CONFIG_B43_FORCE_PIO is not set
CONFIG_B43LEGACY=m
# CONFIG_B43LEGACY_DEBUG is not set
CONFIG_B43LEGACY_DEBUG=y
CONFIG_B43LEGACY_DMA=y
CONFIG_B43LEGACY_PIO=y
CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y
@ -1718,7 +1718,7 @@ CONFIG_BRCMFMAC_USB=y
# CONFIG_SYSTEMPORT is not set
CONFIG_HERMES=m
CONFIG_HERMES_CACHE_FW_ON_INIT=y
# CONFIG_HERMES_PRISM is not set
CONFIG_HERMES_PRISM=y
CONFIG_NORTEL_HERMES=m
CONFIG_PCI_HERMES=m
CONFIG_PLX_HERMES=m
@ -4644,7 +4644,7 @@ CONFIG_PM_DEBUG=y
# CONFIG_DPM_WATCHDOG is not set # revisit this in debug
CONFIG_PM_TRACE=y
CONFIG_PM_TRACE_RTC=y
# CONFIG_PM_TEST_SUSPEND is not set
CONFIG_PM_TEST_SUSPEND=y
CONFIG_PM_RUNTIME=y
# CONFIG_PM_OPP is not set
# CONFIG_PM_AUTOSLEEP is not set


@ -2,101 +2,101 @@ CONFIG_SND_VERBOSE_PRINTK=y
CONFIG_SND_DEBUG=y
CONFIG_SND_PCM_XRUN_DEBUG=y
# CONFIG_DEBUG_ATOMIC_SLEEP is not set
CONFIG_DEBUG_ATOMIC_SLEEP=y
# CONFIG_DEBUG_MUTEXES is not set
# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set
# CONFIG_DEBUG_RT_MUTEXES is not set
# CONFIG_DEBUG_LOCK_ALLOC is not set
# CONFIG_LOCK_TORTURE_TEST is not set
# CONFIG_PROVE_LOCKING is not set
# CONFIG_DEBUG_SPINLOCK is not set
# CONFIG_PROVE_RCU is not set
CONFIG_DEBUG_MUTEXES=y
CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y
CONFIG_DEBUG_RT_MUTEXES=y
CONFIG_DEBUG_LOCK_ALLOC=y
CONFIG_LOCK_TORTURE_TEST=m
CONFIG_PROVE_LOCKING=y
CONFIG_DEBUG_SPINLOCK=y
CONFIG_PROVE_RCU=y
# CONFIG_PROVE_RCU_REPEATEDLY is not set
# CONFIG_DEBUG_PER_CPU_MAPS is not set
CONFIG_DEBUG_PER_CPU_MAPS=y
CONFIG_CPUMASK_OFFSTACK=y
# CONFIG_CPU_NOTIFIER_ERROR_INJECT is not set
CONFIG_CPU_NOTIFIER_ERROR_INJECT=m
# CONFIG_FAULT_INJECTION is not set
# CONFIG_FAILSLAB is not set
# CONFIG_FAIL_PAGE_ALLOC is not set
# CONFIG_FAIL_MAKE_REQUEST is not set
# CONFIG_FAULT_INJECTION_DEBUG_FS is not set
# CONFIG_FAULT_INJECTION_STACKTRACE_FILTER is not set
# CONFIG_FAIL_IO_TIMEOUT is not set
# CONFIG_FAIL_MMC_REQUEST is not set
CONFIG_FAULT_INJECTION=y
CONFIG_FAILSLAB=y
CONFIG_FAIL_PAGE_ALLOC=y
CONFIG_FAIL_MAKE_REQUEST=y
CONFIG_FAULT_INJECTION_DEBUG_FS=y
CONFIG_FAULT_INJECTION_STACKTRACE_FILTER=y
CONFIG_FAIL_IO_TIMEOUT=y
CONFIG_FAIL_MMC_REQUEST=y
# CONFIG_LOCK_STAT is not set
CONFIG_LOCK_STAT=y
# CONFIG_DEBUG_STACK_USAGE is not set
CONFIG_DEBUG_STACK_USAGE=y
# CONFIG_ACPI_DEBUG is not set
CONFIG_ACPI_DEBUG=y
# CONFIG_ACPI_DEBUG_FUNC_TRACE is not set
# CONFIG_DEBUG_SG is not set
# CONFIG_DEBUG_PI_LIST is not set
CONFIG_DEBUG_SG=y
CONFIG_DEBUG_PI_LIST=y
# CONFIG_DEBUG_PAGEALLOC is not set
# CONFIG_DEBUG_WRITECOUNT is not set
# CONFIG_DEBUG_OBJECTS is not set
CONFIG_DEBUG_WRITECOUNT=y
CONFIG_DEBUG_OBJECTS=y
# CONFIG_DEBUG_OBJECTS_SELFTEST is not set
# CONFIG_DEBUG_OBJECTS_FREE is not set
# CONFIG_DEBUG_OBJECTS_TIMERS is not set
# CONFIG_DEBUG_OBJECTS_RCU_HEAD is not set
CONFIG_DEBUG_OBJECTS_FREE=y
CONFIG_DEBUG_OBJECTS_TIMERS=y
CONFIG_DEBUG_OBJECTS_RCU_HEAD=y
CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1
# CONFIG_X86_PTDUMP is not set
# CONFIG_EFI_PGT_DUMP is not set
CONFIG_X86_PTDUMP=y
CONFIG_EFI_PGT_DUMP=y
# CONFIG_CAN_DEBUG_DEVICES is not set
CONFIG_CAN_DEBUG_DEVICES=y
# CONFIG_MODULE_FORCE_UNLOAD is not set
CONFIG_MODULE_FORCE_UNLOAD=y
# CONFIG_SYSCTL_SYSCALL_CHECK is not set
CONFIG_SYSCTL_SYSCALL_CHECK=y
# CONFIG_DEBUG_NOTIFIERS is not set
CONFIG_DEBUG_NOTIFIERS=y
# CONFIG_DMA_API_DEBUG is not set
CONFIG_DMA_API_DEBUG=y
# CONFIG_MMIOTRACE is not set
CONFIG_MMIOTRACE=y
# CONFIG_DEBUG_CREDENTIALS is not set
CONFIG_DEBUG_CREDENTIALS=y
# off in both production debug and nodebug builds,
# on in rawhide nodebug builds
# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
CONFIG_DEBUG_FORCE_WEAK_PER_CPU=y
# CONFIG_EXT4_DEBUG is not set
CONFIG_EXT4_DEBUG=y
# CONFIG_XFS_WARN is not set
# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
CONFIG_DEBUG_PERF_USE_VMALLOC=y
# CONFIG_JBD2_DEBUG is not set
CONFIG_JBD2_DEBUG=y
# CONFIG_NFSD_FAULT_INJECTION is not set
CONFIG_NFSD_FAULT_INJECTION=y
# CONFIG_DEBUG_BLK_CGROUP is not set
CONFIG_DEBUG_BLK_CGROUP=y
# CONFIG_DRBD_FAULT_INJECTION is not set
CONFIG_DRBD_FAULT_INJECTION=y
# CONFIG_ATH_DEBUG is not set
# CONFIG_CARL9170_DEBUGFS is not set
# CONFIG_IWLWIFI_DEVICE_TRACING is not set
CONFIG_ATH_DEBUG=y
CONFIG_CARL9170_DEBUGFS=y
CONFIG_IWLWIFI_DEVICE_TRACING=y
# CONFIG_RTLWIFI_DEBUG is not set
# CONFIG_DEBUG_OBJECTS_WORK is not set
CONFIG_DEBUG_OBJECTS_WORK=y
# CONFIG_DMADEVICES_DEBUG is not set
# CONFIG_DMADEVICES_VDEBUG is not set
CONFIG_DMADEVICES_DEBUG=y
CONFIG_DMADEVICES_VDEBUG=y
CONFIG_PM_ADVANCED_DEBUG=y
# CONFIG_CEPH_LIB_PRETTYDEBUG is not set
# CONFIG_QUOTA_DEBUG is not set
CONFIG_CEPH_LIB_PRETTYDEBUG=y
CONFIG_QUOTA_DEBUG=y
CONFIG_PCI_DEFAULT_USE_CRS=y
@ -104,18 +104,18 @@ CONFIG_KGDB_KDB=y
CONFIG_KDB_KEYBOARD=y
CONFIG_KDB_CONTINUE_CATASTROPHIC=0
# CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER is not set
CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y
# CONFIG_PERCPU_TEST is not set
# CONFIG_TEST_LIST_SORT is not set
CONFIG_TEST_LIST_SORT=y
# CONFIG_TEST_STRING_HELPERS is not set
# CONFIG_DETECT_HUNG_TASK is not set
CONFIG_DETECT_HUNG_TASK=y
CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set
CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y
# CONFIG_DEBUG_KMEMLEAK is not set
CONFIG_DEBUG_KMEMLEAK=y
CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
# CONFIG_DEBUG_KMEMLEAK_TEST is not set
CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
@ -126,7 +126,7 @@ CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
# CONFIG_SPI_DEBUG is not set
# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set
CONFIG_X86_DEBUG_STATIC_CPU_HAS=y
# CONFIG_SCHEDSTATS is not set
# CONFIG_LATENCYTOP is not set
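Review bot: The debug-only options enabled in this section, among them `CONFIG_X86_PTDUMP=y`, `CONFIG_EFI_PGT_DUMP=y`, `CONFIG_FAULT_INJECTION_DEBUG_FS=y` and `CONFIG_MODULE_FORCE_UNLOAD=y`, carry no comment marking them as unsuitable for a release build. They expose kernel page-table layout and failure-injection controls through debugfs and permit forced module unload, which is reasonable only while every kernel built from the branch is a debug kernel (the spec file's `debugbuildsenabled 0`). Because the change arrives through a merge into another branch, it is worth confirming that branch is meant to follow the rawhide debug setting. A header comment such as `# debug-only options below: must be off when debugbuildsenabled is 1 (see 'make release')` would record the rule next to the values.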


@ -396,7 +396,7 @@ CONFIG_SP5100_TCO=m
# CONFIG_MEMTEST is not set
# CONFIG_DEBUG_TLBFLUSH is not set
# CONFIG_MAXSMP is not set
CONFIG_MAXSMP=y
CONFIG_HP_ILO=m


@ -0,0 +1,41 @@
Bugzilla: 1122482
Upstream-status: Sent for 3.16
From: Vasily Averin <vvs@openvz.org>
Subject: [PATCH v4] fs: umount on symlink leaks mnt count
Currently umount on symlink blocks following umount:
/vz is separate mount
# ls /vz/ -al | grep test
drwxr-xr-x. 2 root root 4096 Jul 19 01:14 testdir
lrwxrwxrwx. 1 root root 11 Jul 19 01:16 testlink -> /vz/testdir
# umount -l /vz/testlink
umount: /vz/testlink: not mounted (expected)
# lsof /vz
# umount /vz
umount: /vz: device is busy. (unexpected)
In this case mountpoint_last() gets an extra refcount on path->mnt
Signed-off-by: Vasily Averin <vvs@openvz.org>
---
fs/namei.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/fs/namei.c b/fs/namei.c
index 985c6f3..9eb787e 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2256,9 +2256,10 @@ done:
goto out;
}
path->dentry = dentry;
- path->mnt = mntget(nd->path.mnt);
+ path->mnt = nd->path.mnt;
if (should_follow_link(dentry, nd->flags & LOOKUP_FOLLOW))
return 1;
+ mntget(path->mnt);
follow_mount(path);
error = 0;
out:
--
1.7.5.4
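Review bot: Nothing at the moved `mntget()` call records why the reference is now taken only after the `should_follow_link()` check, and an ordering rule like this is easy to undo in a later rebase of the carried patch. The description attributes the busy mount to an extra refcount on `path->mnt`, so a comment such as `/* take the mnt reference only when not returning 1 to follow a symlink */` above `mntget(path->mnt);` would keep the reason visible. The enclosing function starts and ends outside the hunk, so whether its other exit paths leave the count balanced cannot be judged from these lines.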



@ -68,9 +68,9 @@ Summary: The Linux kernel
# The next upstream release sublevel (base_sublevel+1)
%define upstream_sublevel %(echo $((%{base_sublevel} + 1)))
# The rc snapshot level
%define rcrev 5
%define rcrev 6
# The git snapshot level
%define gitrev 0
%define gitrev 2
# Set rpm version accordingly
%define rpmversion 3.%{upstream_sublevel}.0
%endif
@ -131,7 +131,7 @@ Summary: The Linux kernel
# Set debugbuildsenabled to 1 for production (build separate debug kernels)
# and 0 for rawhide (all kernels are debug kernels).
# See also 'make debug' and 'make release'.
%define debugbuildsenabled 1
%define debugbuildsenabled 0
# Want to build a vanilla kernel build without any non-upstream patches?
%define with_vanilla %{?_with_vanilla: 1} %{?!_with_vanilla: 0}
@ -637,8 +637,14 @@ Patch25109: revert-input-wacom-testing-result-shows-get_report-is-unnecessary.pa
#rhbz 1021036, submitted upstream
Patch25110: 0001-ideapad-laptop-Change-Lenovo-Yoga-2-series-rfkill-ha.patch
#rhbz 1117008
Patch25111: Revert-drm-i915-reverse-dp-link-param-selection-pref.patch
#rhbz 1117942
Patch25118: sched-fix-sched_setparam-policy-1-logic.patch
#CVE-2014-5045 rhbz 1122472 1122482
Patch25119: fs-umount-on-symlink-leaks-mnt-count.patch
#rhbz 1115120
Patch25120: selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch
# git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
Patch30000: kernel-arm64.patch
@ -1386,8 +1392,14 @@ ApplyPatch revert-input-wacom-testing-result-shows-get_report-is-unnecessary.pat
#rhbz 1021036, submitted upstream
ApplyPatch 0001-ideapad-laptop-Change-Lenovo-Yoga-2-series-rfkill-ha.patch
#rhbz 1117008
ApplyPatch Revert-drm-i915-reverse-dp-link-param-selection-pref.patch
#rhbz 1117942
ApplyPatch sched-fix-sched_setparam-policy-1-logic.patch
#CVE-2014-5045 rhbz 1122472 1122482
ApplyPatch fs-umount-on-symlink-leaks-mnt-count.patch
#rhbz 1115120
ApplyPatch selinux-4da6daf4d3df5a977e4623963f141a627fd2efce.patch
%if 0%{?aarch64patches}
ApplyPatch kernel-arm64.patch
@ -2277,15 +2289,48 @@ fi
#
#
# ___________________________________________________________
# / This branch is for Fedora 21. You probably want to commit \
# _____ ____ _ \ to the F-20 branch instead, or in addition to this one. /
# | ___|___ \/ | -----------------------------------------------------------
# | |_ __) | | \ ^__^
# | _| / __/| | \ (@@)\_______
# |_| |_____|_| (__)\ )\/\
# / This branch is for Fedora 22. You probably want to commit \
# _____ ____ ____ \ to the f21 branch instead, or in addition to this one. /
# | ___|___ \|___ \ -----------------------------------------------------------
# | |_ __) | __) | \ ^__^
# | _| / __/ / __/ \ (@@)\_______
# |_| |_____|_____| (__)\ )\/\
# ||----w |
# || ||
%changelog
* Fri Jul 25 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.16.0-0.rc6.git2.1
- Linux v3.16-rc6-118-g82e13c71bc65
- Fix selinux sock_graft hook for AF_ALG address family (rhbz 1115120)
* Thu Jul 24 2014 Kyle McMartin <kyle@fedoraproject.org>
- kernel-arm64.patch: update from upstream git.
- arm64: update config-arm64 to include PCI support.
* Thu Jul 24 2014 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2014-5045 vfs: refcount issues during lazy umount on symlink (rhbz 1122471 1122482)
- Fix regression in sched_setparam (rhbz 1117942)
* Tue Jul 22 2014 Justin M. Forbes <jforbes@fedoraproject.org> - 3.16.0-0.rc6.git1.1
- Linux v3.16-rc6-75-g15ba223
- Reenable debugging options.
* Mon Jul 21 2014 Justin M. Forbes <jforbes@fedoraproject.org> - 3.16.0-0.rc6.git0.1
- Linux v3.16-rc6
- Disable debugging options.
* Mon Jul 21 2014 Peter Robinson <pbrobinson@fedoraproject.org>
- Minor ARMv7 config update
* Thu Jul 17 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.16.0-0.rc5.git2.1
- Linux v3.16-rc5-143-gb6603fe574af
* Wed Jul 16 2014 Josh Boyer <jwboyer@fedoraproject.org>
- Enable hermes prism driver (rhbz 1120393)
* Wed Jul 16 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.16.0-0.rc5.git1.1
- Linux v3.16-rc5-130-g2da294474093
- Reenable debugging options.
* Mon Jul 14 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.16.0-0.rc5.git0.1
- Linux v3.16-rc5
- Fix i915 regression with external monitors (rhbz 1117008)
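Review bot: The bug numbers recorded for the CVE-2014-5045 fix disagree within this file: the comments above `Patch25119` and its `ApplyPatch` line say `rhbz 1122472 1122482`, while the Jul 24 changelog entry says `rhbz 1122471 1122482`. One of the two is presumably a typo, and the page does not show which. The identifiers should be made to match so the CVE can be traced from the changelog to the carried patch without guessing.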


@ -0,0 +1,68 @@
Bugzilla: 1117942
Upstream-status: Sent for 3.16 and seen by peterz
The scheduler uses policy=-1 to preserve the current policy state to
implement sched_setparam(). But, as (int) -1 is equals to 0xffffffff,
it's matching the if (policy & SCHED_RESET_ON_FORK) on
_sched_setscheduler(). This match changes the policy value to an
invalid value, breaking the sched_setparam() syscall.
This patch checks policy=-1 before check the SCHED_RESET_ON_FORK flag.
The following program shows the bug:
int main(void)
{
struct sched_param param = {
.sched_priority = 5,
};
sched_setscheduler(0, SCHED_FIFO, &param);
param.sched_priority = 1;
sched_setparam(0, &param);
param.sched_priority = 0;
sched_getparam(0, &param);
if (param.sched_priority != 1)
printf("failed priority setting (found %d instead of 1)\n",
param.sched_priority);
else
printf("priority setting fine\n");
}
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org # 3.14+
Fixes: 7479f3c9cf67 "sched: Move SCHED_RESET_ON_FORK into attr::sched_flags"
Reviewed-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Daniel Bristot de Oliveira <bristot@redhat.com>
---
kernel/sched/core.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index bc1638b..0acf96b 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -3558,9 +3558,10 @@ static int _sched_setscheduler(struct task_struct *p, int policy,
};
/*
- * Fixup the legacy SCHED_RESET_ON_FORK hack
+ * Fixup the legacy SCHED_RESET_ON_FORK hack, except if
+ * the policy=-1 was passed by sched_setparam().
*/
- if (policy & SCHED_RESET_ON_FORK) {
+ if ((policy != -1) && (policy & SCHED_RESET_ON_FORK)) {
attr.sched_flags |= SCHED_FLAG_RESET_ON_FORK;
policy &= ~SCHED_RESET_ON_FORK;
attr.sched_policy = policy;
--
1.9.3
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
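Review bot: As shown here the carried patch has no `From:`, `Date:` or `Subject:` header and no upstream commit id, unlike the selinux patch added in the same commit, so authorship rests on the `Signed-off-by` trailer alone. It also ends with the linux-kernel list footer (`To unsubscribe from this list ...`), which suggests it was saved from a mail archive rather than exported from a tree. Restoring the mail headers and dropping the footer would let the file be matched against whatever eventually lands upstream. The code change itself, `if ((policy != -1) && (policy & SCHED_RESET_ON_FORK))`, sits inside `_sched_setscheduler`, whose body continues outside the hunk.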


@ -0,0 +1,75 @@
Bugzilla: 1115120
Upstream-status: sent for 3.16
From 4da6daf4d3df5a977e4623963f141a627fd2efce Mon Sep 17 00:00:00 2001
From: Paul Moore <pmoore@redhat.com>
Date: Thu, 10 Jul 2014 10:17:48 -0400
Subject: [PATCH] selinux: fix the default socket labeling in sock_graft()
The sock_graft() hook has special handling for AF_INET, AF_INET, and
AF_UNIX sockets as those address families have special hooks which
label the sock before it is attached its associated socket.
Unfortunately, the sock_graft() hook was missing a default approach
to labeling sockets which meant that any other address family which
made use of connections or the accept() syscall would find the
returned socket to be in an "unlabeled" state. This was recently
demonstrated by the kcrypto/AF_ALG subsystem and the newly released
cryptsetup package (cryptsetup v1.6.5 and later).
This patch preserves the special handling in selinux_sock_graft(),
but adds a default behavior - setting the sock's label equal to the
associated socket - which resolves the problem with AF_ALG and
presumably any other address family which makes use of accept().
Cc: stable@vger.kernel.org
Signed-off-by: Paul Moore <pmoore@redhat.com>
Tested-by: Milan Broz <gmazyland@gmail.com>
---
include/linux/security.h | 5 ++++-
security/selinux/hooks.c | 13 +++++++++++--
2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index 6478ce3..794be73 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -987,7 +987,10 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
* Retrieve the LSM-specific secid for the sock to enable caching of network
* authorizations.
* @sock_graft:
- * Sets the socket's isec sid to the sock's sid.
+ * This hook is called in response to a newly created sock struct being
+ * grafted onto an existing socket and allows the security module to
+ * perform whatever security attribute management is necessary for both
+ * the sock and socket.
* @inet_conn_request:
* Sets the openreq's sid to socket's sid with MLS portion taken from peer sid.
* @inet_csk_clone:
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 336f0a0..b3a6754 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4499,9 +4499,18 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
struct sk_security_struct *sksec = sk->sk_security;
- if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
- sk->sk_family == PF_UNIX)
+ switch (sk->sk_family) {
+ case PF_INET:
+ case PF_INET6:
+ case PF_UNIX:
isec->sid = sksec->sid;
+ break;
+ default:
+ /* by default there is no special labeling mechanism for the
+ * sksec label so inherit the label from the parent socket */
+ BUG_ON(sksec->sid != SECINITSID_UNLABELED);
+ sksec->sid = isec->sid;
+ }
sksec->sclass = isec->sclass;
}
--
1.9.3
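Review bot: The `BUG_ON(sksec->sid != SECINITSID_UNLABELED);` in the new `default:` branch of `selinux_sock_graft()` turns an assumption about every address family other than PF_INET, PF_INET6 and PF_UNIX into a kernel crash. The description only says the default "presumably" suits any other family that uses accept(), so a family that labels its sock before the graft would take the machine down from an ordinary socket operation. A non-fatal form keeps both the fix and the diagnostic: `if (!WARN_ON_ONCE(sksec->sid != SECINITSID_UNLABELED)) sksec->sid = isec->sid;`. The function's opening line lies above the hunk.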


@ -1,3 +1,4 @@
97ca1625bb40368dc41b9a7971549071 linux-3.15.tar.xz
ef8f4db937f521a7e323ec589536ba25 perf-man-3.15.tar.gz
8704867c524f3016a33b17a721334126 patch-3.16-rc5.xz
93fbbc57b86d1373be5bd94b1ee06ddd patch-3.16-rc6.xz
cfbb28625de3f01fcd2c633c6f2a8730 patch-3.16-rc6-git2.xz