{
  "log": [
    {
      "commit": "9c69898783a0121399ec078d40d4ccc00e3cb0df",
      "tree": "7163913d680c3160918a466f92cacb473c2c91ec",
      "parents": [
        "f4a0d5abef14562c37dee5a1d49180f494106230"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Sun Oct 16 19:17:48 2011 -0400"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Nov 16 14:23:14 2011 -0500"
      },
      "message": "encrypted-keys: module build fixes\n\nEncrypted keys are encrypted/decrypted using either a trusted or\nuser-defined key type, which is referred to as the \u0027master\u0027 key.\nThe master key may be of type trusted iff the trusted key is\nbuiltin or both the trusted key and encrypted keys are built as\nmodules.  This patch resolves the build dependency problem.\n\n- Use \"masterkey-$(CONFIG_TRUSTED_KEYS)-$(CONFIG_ENCRYPTED_KEYS)\" construct\nto encapsulate the above logic. (Suggested by Dmitry Kasatkin.)\n- Fixing the encrypted-keys Makefile results in a module name change\nfrom encrypted.ko to encrypted-keys.ko.\n- Add module dependency for request_trusted_key() definition\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "f4a0d5abef14562c37dee5a1d49180f494106230",
      "tree": "be3b35ecaf9a2372fae08ac83d006b21e1c43021",
      "parents": [
        "ff0ff78068dd8a962358dbbdafa9d6f24540d3e5"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Oct 24 08:17:42 2011 -0400"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Nov 16 14:23:13 2011 -0500"
      },
      "message": "encrypted-keys: fix error return code\n\nFix request_master_key() error return code.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "9f35a33b8d06263a165efe3541d9aa0cdbd70b3b",
      "tree": "2825d1bf9ea73d22e4cab45bb2cdc021c6e09380",
      "parents": [
        "cfcfc9eca2bcbd26a8e206baeb005b055dbf8e37"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Tue Nov 15 22:09:45 2011 +0000"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Nov 15 22:32:38 2011 -0200"
      },
      "message": "KEYS: Fix a NULL pointer deref in the user-defined key type\n\nFix a NULL pointer deref in the user-defined key type whereby updating a\nnegative key into a fully instantiated key will cause an oops to occur\nwhen the code attempts to free the non-existent old payload.\n\nThis results in an oops that looks something like the following:\n\n  BUG: unable to handle kernel NULL pointer dereference at 0000000000000008\n  IP: [\u003cffffffff81085fa1\u003e] __call_rcu+0x11/0x13e\n  PGD 3391d067 PUD 3894a067 PMD 0\n  Oops: 0002 [#1] SMP\n  CPU 1\n  Pid: 4354, comm: keyctl Not tainted 3.1.0-fsdevel+ #1140                  /DG965RY\n  RIP: 0010:[\u003cffffffff81085fa1\u003e]  [\u003cffffffff81085fa1\u003e] __call_rcu+0x11/0x13e\n  RSP: 0018:ffff88003d591df8  EFLAGS: 00010246\n  RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000006e\n  RDX: ffffffff8161d0c0 RSI: 0000000000000000 RDI: 0000000000000000\n  RBP: ffff88003d591e18 R08: 0000000000000000 R09: ffffffff8152fa6c\n  R10: 0000000000000000 R11: 0000000000000300 R12: ffff88003b8f9538\n  R13: ffffffff8161d0c0 R14: ffff88003b8f9d50 R15: ffff88003c69f908\n  FS:  00007f97eb18c720(0000) GS:ffff88003bd00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000000000008 CR3: 000000003d47a000 CR4: 00000000000006e0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400\n  Process keyctl (pid: 4354, threadinfo ffff88003d590000, task ffff88003c78a040)\n  Stack:\n   ffff88003e0ffde0 ffff88003b8f9538 0000000000000001 ffff88003b8f9d50\n   ffff88003d591e28 ffffffff810860f0 ffff88003d591e68 ffffffff8117bfea\n   ffff88003d591e68 ffffffff00000000 ffff88003e0ffde1 ffff88003e0ffde0\n  Call Trace:\n   [\u003cffffffff810860f0\u003e] call_rcu_sched+0x10/0x12\n   [\u003cffffffff8117bfea\u003e] user_update+0x8d/0xa2\n   [\u003cffffffff8117723a\u003e] key_create_or_update+0x236/0x270\n   
[\u003cffffffff811789b1\u003e] sys_add_key+0x123/0x17e\n   [\u003cffffffff813b84bb\u003e] system_call_fastpath+0x16/0x1b\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Jeff Layton \u003cjlayton@redhat.com\u003e\nAcked-by: Neil Horman \u003cnhorman@redhat.com\u003e\nAcked-by: Steve Dickson \u003csteved@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nCc: stable@kernel.org\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "02473119bc54b0b239c2501064c7a37314347f87",
      "tree": "e3f0cdfbe4ee67d089ab731f213b2e0f91a3daa1",
      "parents": [
        "50e1499f468fd74c6db95deb2e1e6bfee578ae70"
      ],
      "author": {
        "name": "Andy Shevchenko",
        "email": "andriy.shevchenko@linux.intel.com",
        "time": "Mon Oct 31 17:12:55 2011 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Mon Oct 31 17:30:56 2011 -0700"
      },
      "message": "security: follow rename pack_hex_byte() to hex_byte_pack()\n\nThere is no functional change.\n\nSigned-off-by: Andy Shevchenko \u003candriy.shevchenko@linux.intel.com\u003e\nCc: Mimi Zohar \u003czohar@us.ibm.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "fcf634098c00dd9cd247447368495f0b79be12d1",
      "tree": "77fc98cd461bd52ba3b14e833d54a115ffbbd7bc",
      "parents": [
        "32ea845d5bafc37b7406bea1aee3005407cb0900"
      ],
      "author": {
        "name": "Christopher Yeoh",
        "email": "cyeoh@au1.ibm.com",
        "time": "Mon Oct 31 17:06:39 2011 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Mon Oct 31 17:30:44 2011 -0700"
      },
      "message": "Cross Memory Attach\n\nThe basic idea behind cross memory attach is to allow MPI programs doing\nintra-node communication to do a single copy of the message rather than a\ndouble copy of the message via shared memory.\n\nThe following patch attempts to achieve this by allowing a destination\nprocess, given an address and size from a source process, to copy memory\ndirectly from the source process into its own address space via a system\ncall.  There is also a symmetrical ability to copy from the current\nprocess\u0027s address space into a destination process\u0027s address space.\n\n- Use of /proc/pid/mem has been considered, but there are issues with\n  using it:\n  - Does not allow for specifying iovecs for both src and dest, assuming\n    preadv or pwritev was implemented either the area read from or\n  written to would need to be contiguous.\n  - Currently mem_read allows only processes who are currently\n  ptrace\u0027ing the target and are still able to ptrace the target to read\n  from the target. This check could possibly be moved to the open call,\n  but it\u0027s not clear exactly what race this restriction is stopping\n  (reason  appears to have been lost)\n  - Having to send the fd of /proc/self/mem via SCM_RIGHTS on unix\n  domain socket is a bit ugly from a userspace point of view,\n  especially when you may have hundreds if not (eventually) thousands\n  of processes  that all need to do this with each other\n  - Doesn\u0027t allow for some future use of the interface we would like to\n  consider adding in the future (see below)\n  - Interestingly reading from /proc/pid/mem currently actually\n  involves two copies! (But this could be fixed pretty easily)\n\nAs mentioned previously use of vmsplice instead was considered, but has\nproblems.  Since you need the reader and writer working co-operatively if\nthe pipe is not drained then you block.  Which requires some wrapping to\ndo non blocking on the send side or polling on the receive.  
In all to all\ncommunication it requires ordering otherwise you can deadlock.  And in the\nexample of many MPI tasks writing to one MPI task vmsplice serialises the\ncopying.\n\nThere are some cases of MPI collectives where even a single copy interface\ndoes not get us the performance gain we could.  For example in an\nMPI_Reduce rather than copy the data from the source we would like to\ninstead use it directly in a mathops (say the reduce is doing a sum) as\nthis would save us doing a copy.  We don\u0027t need to keep a copy of the data\nfrom the source.  I haven\u0027t implemented this, but I think this interface\ncould in the future do all this through the use of the flags - eg could\nspecify the math operation and type and the kernel rather than just\ncopying the data would apply the specified operation between the source\nand destination and store it in the destination.\n\nAlthough we don\u0027t have a \"second user\" of the interface (though I\u0027ve had\nsome nibbles from people who may be interested in using it for intra\nprocess messaging which is not MPI).  This interface is something which\nhardware vendors are already doing for their custom drivers to implement\nfast local communication.  And so in addition to this being useful for\nOpenMPI it would mean the driver maintainers don\u0027t have to fix things up\nwhen the mm changes.\n\nThere was some discussion about how much faster a true zero copy would\ngo. Here\u0027s a link back to the email with some testing I did on that:\n\nhttp://marc.info/?l\u003dlinux-mm\u0026m\u003d130105930902915\u0026w\u003d2\n\nThere is a basic man page for the proposed interface here:\n\nhttp://ozlabs.org/~cyeoh/cma/process_vm_readv.txt\n\nThis has been implemented for x86 and powerpc, other architecture should\nmainly (I think) just need to add syscall numbers for the process_vm_readv\nand process_vm_writev. 
There are 32 bit compatibility versions for\n64-bit kernels.\n\nFor arch maintainers there are some simple tests to be able to quickly\nverify that the syscalls are working correctly here:\n\nhttp://ozlabs.org/~cyeoh/cma/cma-test-20110718.tgz\n\nSigned-off-by: Chris Yeoh \u003cyeohc@au1.ibm.com\u003e\nCc: Ingo Molnar \u003cmingo@elte.hu\u003e\nCc: \"H. Peter Anvin\" \u003chpa@zytor.com\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: Arnd Bergmann \u003carnd@arndb.de\u003e\nCc: Paul Mackerras \u003cpaulus@samba.org\u003e\nCc: Benjamin Herrenschmidt \u003cbenh@kernel.crashing.org\u003e\nCc: David Howells \u003cdhowells@redhat.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: \u003clinux-man@vger.kernel.org\u003e\nCc: \u003clinux-arch@vger.kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "2b3ff6319e2312656fbefe0209bef02d58b6836a",
      "tree": "43041b8a5e6fe31dadf2ad682d73fa873476b952",
      "parents": [
        "2684bf7f29cfb13ef2c60f3b3a53ee47d0db7022"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Sep 20 11:23:55 2011 -0400"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Sep 20 23:26:44 2011 -0400"
      },
      "message": "encrypted-keys: check hex2bin result\n\nFor each hex2bin call in encrypted keys, check that the ascii hex string\nis valid.  On failure, return -EINVAL.\n\nChangelog v1:\n- hex2bin now returns an int\n\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nAcked-by: Andy Shevchenko \u003candy.shevchenko@gmail.com\u003e\n"
    },
    {
      "commit": "2684bf7f29cfb13ef2c60f3b3a53ee47d0db7022",
      "tree": "bbdc0709c643e58a22443ab086c6e4aa80329e17",
      "parents": [
        "b78049831ffed65f0b4e61f69df14f3ab17922cb"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Sep 20 11:23:52 2011 -0400"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Sep 20 23:26:05 2011 -0400"
      },
      "message": "trusted-keys: check hex2bin result\n\nFor each hex2bin call in trusted keys, check that the ascii hex string is\nvalid.  On failure, return -EINVAL.\n\nChangelog v1:\n- hex2bin now returns an int\n\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nAcked-by: Andy Shevchenko \u003candy.shevchenko@gmail.com\u003e\n"
    },
    {
      "commit": "cc100551b4d92f47abebfa7c7918b2be71263b4a",
      "tree": "d603f15ff5ef28efd5f818817aca036045ac8a8b",
      "parents": [
        "8de6ac7f58a22fdab399fbe97763e465ea49c735"
      ],
      "author": {
        "name": "Stephen Rothwell",
        "email": "sfr@canb.auug.org.au",
        "time": "Thu Sep 15 17:07:15 2011 +1000"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Sep 15 17:37:24 2011 -0400"
      },
      "message": "encrypted-keys: IS_ERR need include/err.h\n\nFixes this build error:\n\nsecurity/keys/encrypted-keys/masterkey_trusted.c: In function \u0027request_trusted_key\u0027:\nsecurity/keys/encrypted-keys/masterkey_trusted.c:35:2: error: implicit declaration of function \u0027IS_ERR\u0027\n\nSigned-off-by: Stephen Rothwell \u003csfr@canb.auug.org.au\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "982e617a313b57abee3bcfa53381c356d00fd64a",
      "tree": "ba23ab206aaff2331bca116cebd11ad4ef580c32",
      "parents": [
        "61cf45d0199041df1a8ba334b6bf4a3a13b7f904"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Sat Aug 27 22:21:26 2011 -0400"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Sep 14 15:23:49 2011 -0400"
      },
      "message": "encrypted-keys: remove trusted-keys dependency\n\nEncrypted keys are decrypted/encrypted using either a trusted-key or,\nfor those systems without a TPM, a user-defined key.  This patch\nremoves the trusted-keys and TCG_TPM dependencies.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "61cf45d0199041df1a8ba334b6bf4a3a13b7f904",
      "tree": "b287399eb3704b766d2ba3d9a36de0bb57f70139",
      "parents": [
        "a8f7640963ada66c412314c3559c11ff6946c1a5"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Sep 14 15:06:00 2011 -0400"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Sep 14 15:22:26 2011 -0400"
      },
      "message": "encrypted-keys: create encrypted-keys directory\n\nMove all files associated with encrypted keys to keys/encrypted-keys.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "0c061b5707ab84ebfe8f18f1c9c3110ae5cd6073",
      "tree": "cb6e83458126f3cc9ef9f5504937c8445f790b0f",
      "parents": [
        "d199798bdf969873f78d48140600ff0a98a87e69"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Mon Aug 22 14:09:36 2011 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Aug 23 09:57:37 2011 +1000"
      },
      "message": "KEYS: Correctly destroy key payloads when their keytype is removed\n\nunregister_key_type() has code to mark a key as dead and make it unavailable in\none loop and then destroy all those unavailable key payloads in the next loop.\nHowever, the loop to mark keys dead renders the key undetectable to the second\nloop by changing the key type pointer also.\n\nFix this by the following means:\n\n (1) The key code has two garbage collectors: one deletes unreferenced keys and\n     the other alters keyrings to delete links to old dead, revoked and expired\n     keys.  They can end up holding each other up as both want to scan the key\n     serial tree under spinlock.  Combine these into a single routine.\n\n (2) Move the dead key marking, dead link removal and dead key removal into the\n     garbage collector as a three phase process running over the three cycles\n     of the normal garbage collection procedure.  This is tracked by the\n     KEY_GC_REAPING_DEAD_1, _2 and _3 state flags.\n\n     unregister_key_type() then just unlinks the key type from the list, wakes\n     up the garbage collector and waits for the third phase to complete.\n\n (3) Downgrade the key types sem in unregister_key_type() once it has deleted\n     the key type from the list so that it doesn\u0027t block the keyctl() syscall.\n\n (4) Dead keys that cannot be simply removed in the third phase have their\n     payloads destroyed with the key\u0027s semaphore write-locked to prevent\n     interference by the keyctl() syscall.  
There should be no in-kernel users\n     of dead keys of that type by the point of unregistration, though keyctl()\n     may be holding a reference.\n\n (5) Only perform timer recalculation in the GC if the timer actually expired.\n     If it didn\u0027t, we\u0027ll get another cycle when it goes off - and if the key\n     that actually triggered it has been removed, it\u0027s not a problem.\n\n (6) Only garbage collect link if the timer expired or if we\u0027re doing dead key\n     clean up phase 2.\n\n (7) As only key_garbage_collector() is permitted to use rb_erase() on the key\n     serial tree, it doesn\u0027t need to revalidate its cursor after dropping the\n     spinlock as the node the cursor points to must still exist in the tree.\n\n (8) Drop the spinlock in the GC if there is contention on it or if we need to\n     reschedule.  After dealing with that, get the spinlock again and resume\n     scanning.\n\nThis has been tested in the following ways:\n\n (1) Run the keyutils testsuite against it.\n\n (2) Using the AF_RXRPC and RxKAD modules to test keytype removal:\n\n     Load the rxrpc_s key type:\n\n\t# insmod /tmp/af-rxrpc.ko\n\t# insmod /tmp/rxkad.ko\n\n     Create a key (http://people.redhat.com/~dhowells/rxrpc/listen.c):\n\n\t# /tmp/listen \u0026\n\t[1] 8173\n\n     Find the key:\n\n\t# grep rxrpc_s /proc/keys\n\t091086e1 I--Q--     1 perm 39390000     0     0 rxrpc_s   52:2\n\n     Link it to a session keyring, preferably one with a higher serial number:\n\n\t# keyctl link 0x20e36251 @s\n\n     Kill the process (the key should remain as it\u0027s linked to another place):\n\n\t# fg\n\t/tmp/listen\n\t^C\n\n     Remove the key type:\n\n\trmmod rxkad\n\trmmod af-rxrpc\n\n     This can be made a more effective test by altering the following part of\n     the patch:\n\n\tif (unlikely(gc_state \u0026 KEY_GC_REAPING_DEAD_2)) {\n\t\t/* Make sure everyone revalidates their keys if we marked a\n\t\t * bunch as being dead and make sure all keyring 
ex-payloads\n\t\t * are destroyed.\n\t\t */\n\t\tkdebug(\"dead sync\");\n\t\tsynchronize_rcu();\n\n     To call synchronize_rcu() in GC phase 1 instead.  That causes the\n     keyring\u0027s old payload content to hang around longer until it\u0027s RCU\n     destroyed - which usually happens after GC phase 3 is complete.  This\n     allows the destroy_dead_key branch to be tested.\n\nReported-by: Benjamin Coddington \u003cbcodding@gmail.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "d199798bdf969873f78d48140600ff0a98a87e69",
      "tree": "fb0fbfe0eda27054eae9c9efe0240ace297c3661",
      "parents": [
        "b072e9bc2fe9aeff4e104e80e479160349f474a9"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Mon Aug 22 14:09:28 2011 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Aug 23 09:57:36 2011 +1000"
      },
      "message": "KEYS: The dead key link reaper should be non-reentrant\n\nThe dead key link reaper should be non-reentrant as it relies on global state\nto keep track of where it\u0027s got to when it returns to the work queue manager to\ngive it some air.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "b072e9bc2fe9aeff4e104e80e479160349f474a9",
      "tree": "4f243698284aace64f4b5c9e5b9bee107c10e13b",
      "parents": [
        "8bc16deabce7649e480e94b648c88d4e90c34352"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Mon Aug 22 14:09:20 2011 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Aug 23 09:57:36 2011 +1000"
      },
      "message": "KEYS: Make the key reaper non-reentrant\n\nMake the key reaper non-reentrant by sticking it on the appropriate system work\nqueue when we queue it.  This will allow it to have global state and drop\nlocks.  It should probably be non-reentrant already as it may spend a long time\nholding the key serial spinlock, and so multiple entrants can spend long\nperiods of time just sitting there spinning, waiting to get the lock.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "8bc16deabce7649e480e94b648c88d4e90c34352",
      "tree": "d9e28a921375e7448801b0b89ff43a7e0d2e61ff",
      "parents": [
        "012146d0728f85f7a5c7c36fb84bba33e2760507"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Mon Aug 22 14:09:11 2011 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Aug 23 09:57:36 2011 +1000"
      },
      "message": "KEYS: Move the unreferenced key reaper to the keys garbage collector file\n\nMove the unreferenced key reaper function to the keys garbage collector file\nas that\u0027s a more appropriate place with the dead key link reaper.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "6d528b082294f0ddabd6368297546a2c0b67d4fe",
      "tree": "268bf5dbd454c689947c51867bf5b77e21c97eae",
      "parents": [
        "3ecf1b4f347210e39b156177e5b8a26ff8d00279"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Mon Aug 22 14:08:51 2011 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Aug 23 09:57:34 2011 +1000"
      },
      "message": "KEYS: __key_link() should use the RCU deref wrapper for keyring payloads\n\n__key_link() should use the RCU deref wrapper rcu_dereference_locked_keyring()\nfor accessing keyring payloads rather than calling rcu_dereference_protected()\ndirectly.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "3ecf1b4f347210e39b156177e5b8a26ff8d00279",
      "tree": "ba3cf0155e5dd29c4963e6a8895d7262e0ef13d5",
      "parents": [
        "995995378f996a8aa1cf4e4ddc0f79fbfd45496f"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Mon Aug 22 14:08:43 2011 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Aug 23 09:57:34 2011 +1000"
      },
      "message": "KEYS: keyctl_get_keyring_ID() should create a session keyring if create flag set\n\nThe keyctl call:\n\n\tkeyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 1)\n\nshould create a session keyring if the process doesn\u0027t have one of its own\nbecause the create flag argument is set - rather than subscribing to and\nreturning the user-session keyring as:\n\n\tkeyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0)\n\nwill do.\n\nThis can be tested by commenting out pam_keyinit in the /etc/pam.d files and\nrunning the following program a couple of times in a row:\n\n\t#include \u003cstdio.h\u003e\n\t#include \u003cstdlib.h\u003e\n\t#include \u003ckeyutils.h\u003e\n\tint main(int argc, char *argv[])\n\t{\n\t\tkey_serial_t uk, usk, sk, nsk;\n\t\tuk  \u003d keyctl_get_keyring_ID(KEY_SPEC_USER_KEYRING, 0);\n\t\tusk \u003d keyctl_get_keyring_ID(KEY_SPEC_USER_SESSION_KEYRING, 0);\n\t\tsk  \u003d keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0);\n\t\tnsk \u003d keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 1);\n\t\tprintf(\"keys: %08x %08x %08x %08x\\n\", uk, usk, sk, nsk);\n\t\treturn 0;\n\t}\n\nWithout this patch, I see:\n\n\tkeys: 3975ddc7 119c0c66 119c0c66 119c0c66\n\tkeys: 3975ddc7 119c0c66 119c0c66 119c0c66\n\nWith this patch, I see:\n\n\tkeys: 2cb4997b 34112878 34112878 17db2ce3\n\tkeys: 2cb4997b 34112878 34112878 39f3c73e\n\nAs can be seen, the session keyring starts off the same as the user-session\nkeyring each time, but with the patch a new session keyring is created when\nthe create flag is set.\n\nReported-by: Greg Wettstein \u003cgreg@enjellic.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nTested-by: Greg Wettstein \u003cgreg@enjellic.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "995995378f996a8aa1cf4e4ddc0f79fbfd45496f",
      "tree": "ddc0c1305767e683535120361a5f5848b7ae3803",
      "parents": [
        "c5532b09bf40c398f2acfdd8f100c796d1d3f881"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Mon Aug 22 14:08:33 2011 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Aug 23 09:57:33 2011 +1000"
      },
      "message": "KEYS: If install_session_keyring() is given a keyring, it should install it\n\nIf install_session_keyring() is given a keyring, it should install it rather\nthan just creating a new one anyway.  This was accidentally broken in:\n\n\tcommit d84f4f992cbd76e8f39c488cf0c5d123843923b1\n\tAuthor: David Howells \u003cdhowells@redhat.com\u003e\n\tDate:   Fri Nov 14 10:39:23 2008 +1100\n\tSubject: CRED: Inaugurate COW credentials\n\nThe impact of that commit is that pam_keyinit no longer works correctly if\n\u0027force\u0027 isn\u0027t specified against a login process. This is because:\n\n\tkeyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0)\n\nnow always creates a new session keyring and thus the check whether the session\nkeyring and the user-session keyring are the same is always false.  This leads\npam_keyinit to conclude that a session keyring is installed and it shouldn\u0027t be\nrevoked by pam_keyinit here if \u0027revoke\u0027 is specified.\n\nAny system that specifies \u0027force\u0027 against pam_keyinit in the PAM configuration\nfiles for login methods (login, ssh, su -l, kdm, etc.) is not affected since\nthat bypasses the broken check and forces the creation of a new session keyring\nanyway (for which the revoke flag is not cleared) - and any subsequent call to\npam_keyinit really does have a session keyring already installed, and so the\ncheck works correctly there.\n\nReverting to the previous behaviour will cause the kernel to subscribe the\nprocess to the user-session keyring as its session keyring if it doesn\u0027t have a\nsession keyring of its own.  
pam_keyinit will detect this and install a new\nsession keyring anyway (and won\u0027t clear the revert flag).\n\nThis can be tested by commenting out pam_keyinit in the /etc/pam.d files and\nrunning the following program a couple of times in a row:\n\n\t#include \u003cstdio.h\u003e\n\t#include \u003cstdlib.h\u003e\n\t#include \u003ckeyutils.h\u003e\n\tint main(int argc, char *argv[])\n\t{\n\t\tkey_serial_t uk, usk, sk;\n\t\tuk \u003d keyctl_get_keyring_ID(KEY_SPEC_USER_KEYRING, 0);\n\t\tusk \u003d keyctl_get_keyring_ID(KEY_SPEC_USER_SESSION_KEYRING, 0);\n\t\tsk \u003d keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0);\n\t\tprintf(\"keys: %08x %08x %08x\\n\", uk, usk, sk);\n\t\treturn 0;\n\t}\n\nWithout the patch, I see:\n\n\tkeys: 3884e281 24c4dfcf 22825f8e\n\tkeys: 3884e281 24c4dfcf 068772be\n\nWith the patch, I see:\n\n\tkeys: 26be9c83 0e755ce0 0e755ce0\n\tkeys: 26be9c83 0e755ce0 0e755ce0\n\nAs can be seen, with the patch, the session keyring is the same as the\nuser-session keyring each time; without the patch a new session keyring is\ngenerated each time.\n\nReported-by: Greg Wettstein \u003cgreg@enjellic.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nTested-by: Greg Wettstein \u003cgreg@enjellic.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "95b6886526bb510b8370b625a49bc0ab3b8ff10f",
      "tree": "2862606224820d200be12d2092dcd26df1654b80",
      "parents": [
        "22712200e175e0df5c7f9edfe6c6bf5c94c23b83",
        "29412f0f6a19e34336368f13eab848091c343952"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Wed Jul 27 19:26:38 2011 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Wed Jul 27 19:26:38 2011 -0700"
      },
      "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (54 commits)\n  tpm_nsc: Fix bug when loading multiple TPM drivers\n  tpm: Move tpm_tis_reenable_interrupts out of CONFIG_PNP block\n  tpm: Fix compilation warning when CONFIG_PNP is not defined\n  TOMOYO: Update kernel-doc.\n  tpm: Fix a typo\n  tpm_tis: Probing function for Intel iTPM bug\n  tpm_tis: Fix the probing for interrupts\n  tpm_tis: Delay ACPI S3 suspend while the TPM is busy\n  tpm_tis: Re-enable interrupts upon (S3) resume\n  tpm: Fix display of data in pubek sysfs entry\n  tpm_tis: Add timeouts sysfs entry\n  tpm: Adjust interface timeouts if they are too small\n  tpm: Use interface timeouts returned from the TPM\n  tpm_tis: Introduce durations sysfs entry\n  tpm: Adjust the durations if they are too small\n  tpm: Use durations returned from TPM\n  TOMOYO: Enable conditional ACL.\n  TOMOYO: Allow using argv[]/envp[] of execve() as conditions.\n  TOMOYO: Allow using executable\u0027s realpath and symlink\u0027s target as conditions.\n  TOMOYO: Allow using owner/group etc. of file objects as conditions.\n  ...\n\nFix up trivial conflict in security/tomoyo/realpath.c\n"
    },
    {
      "commit": "b7e9c223be8ce335e30f2cf6ba588e6a4092275c",
      "tree": "2d1e3b75606abc18df7ad65e51ac3f90cd68b38d",
      "parents": [
        "c172d82500a6cf3c32d1e650722a1055d72ce858",
        "e3bbfa78bab125f58b831b5f7f45b5a305091d72"
      ],
      "author": {
        "name": "Jiri Kosina",
        "email": "jkosina@suse.cz",
        "time": "Mon Jul 11 14:15:48 2011 +0200"
      },
      "committer": {
        "name": "Jiri Kosina",
        "email": "jkosina@suse.cz",
        "time": "Mon Jul 11 14:15:55 2011 +0200"
      },
      "message": "Merge branch \u0027master\u0027 into for-next\n\nSync with Linus\u0027 tree to be able to apply pending patches that\nare based on newer code already present upstream.\n"
    },
    {
      "commit": "d8bf4ca9ca9576548628344c9725edd3786e90b1",
      "tree": "df338f50a5af6bc3651bd863b79fa91e6b1e9e20",
      "parents": [
        "eb032b9837a958e21ca000358a5bde5e17192ddb"
      ],
      "author": {
        "name": "Michal Hocko",
        "email": "mhocko@suse.cz",
        "time": "Fri Jul 08 14:39:41 2011 +0200"
      },
      "committer": {
        "name": "Jiri Kosina",
        "email": "jkosina@suse.cz",
        "time": "Fri Jul 08 22:21:58 2011 +0200"
      },
      "message": "rcu: treewide: Do not use rcu_read_lock_held when calling rcu_dereference_check\n\nSince ca5ecddf (rcu: define __rcu address space modifier for sparse)\nrcu_dereference_check use rcu_read_lock_held as a part of condition\nautomatically so callers do not have to do that as well.\n\nSigned-off-by: Michal Hocko \u003cmhocko@suse.cz\u003e\nAcked-by: Paul E. McKenney \u003cpaulmck@linux.vnet.ibm.com\u003e\nSigned-off-by: Jiri Kosina \u003cjkosina@suse.cz\u003e\n"
    },
    {
      "commit": "5b944a71a192977c1c018bbcfa0c52dca48e2368",
      "tree": "9f234c4a93bb28890ad086c846d2bf0b35f7f7ae",
      "parents": [
        "0e4ae0e0dec634b2ae53ac57d14141b140467dbe",
        "c017d0d1351f916c0ced3f358afc491fdcf490b4"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jun 30 18:43:56 2011 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jun 30 18:43:56 2011 +1000"
      },
      "message": "Merge branch \u0027linus\u0027 into next\n"
    },
    {
      "commit": "79a73d188726b473ca3bf483244bc96096831905",
      "tree": "787ba050c91981cae2524b1e95e415424b067e64",
      "parents": [
        "f8f8527103a264b5e4ab2ce5c1743b28f3219d90"
      ],
      "author": {
        "name": "Roberto Sassu",
        "email": "roberto.sassu@polito.it",
        "time": "Mon Jun 27 13:45:44 2011 +0200"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jun 27 09:11:17 2011 -0400"
      },
      "message": "encrypted-keys: add ecryptfs format support\n\nThe \u0027encrypted\u0027 key type defines its own payload format which contains a\nsymmetric key randomly generated that cannot be used directly to mount\nan eCryptfs filesystem, because it expects an authentication token\nstructure.\n\nThis patch introduces the new format \u0027ecryptfs\u0027 that allows to store an\nauthentication token structure inside the encrypted key payload containing\na randomly generated symmetric key, as the same for the format \u0027default\u0027.\n\nMore details about the usage of encrypted keys with the eCryptfs\nfilesystem can be found in the file \u0027Documentation/keys-ecryptfs.txt\u0027.\n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nAcked-by: Gianluca Ramunno \u003cramunno@polito.it\u003e\nAcked-by: Tyler Hicks \u003ctyhicks@linux.vnet.ibm.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "4e561d388feff18e4b798cef6a1a84a2cc7f20c2",
      "tree": "9208588c7d0e5e75766dd2c98e960840fdc8681e",
      "parents": [
        "7103dff0e598cd634767f17a2958302c515700ca"
      ],
      "author": {
        "name": "Roberto Sassu",
        "email": "roberto.sassu@polito.it",
        "time": "Mon Jun 27 13:45:42 2011 +0200"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jun 27 09:10:45 2011 -0400"
      },
      "message": "encrypted-keys: add key format support\n\nThis patch introduces a new parameter, called \u0027format\u0027, that defines the\nformat of data stored by encrypted keys. The \u0027default\u0027 format identifies\nencrypted keys containing only the symmetric key, while other formats can\nbe defined to support additional information. The \u0027format\u0027 parameter is\nwritten in the datablob produced by commands \u0027keyctl print\u0027 or\n\u0027keyctl pipe\u0027 and is integrity protected by the HMAC.\n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nAcked-by: Gianluca Ramunno \u003cramunno@polito.it\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "7103dff0e598cd634767f17a2958302c515700ca",
      "tree": "cbbacf38aee2ecd3ad6d004307197186dd35ab73",
      "parents": [
        "08fa2aa54e72ddde8076cc77126bace8d4780e0f"
      ],
      "author": {
        "name": "Roberto Sassu",
        "email": "roberto.sassu@polito.it",
        "time": "Mon Jun 27 13:45:41 2011 +0200"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jun 27 09:10:34 2011 -0400"
      },
      "message": "encrypted-keys: added additional debug messages\n\nSome debug messages have been added in the function datablob_parse() in\norder to better identify errors returned when dealing with \u0027encrypted\u0027\nkeys.\n\nChangelog from version v4:\n- made the debug messages more understandable \n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nAcked-by: Gianluca Ramunno \u003cramunno@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "08fa2aa54e72ddde8076cc77126bace8d4780e0f",
      "tree": "5ced9b831123e37b6e91367ed5f56e4acd095a0c",
      "parents": [
        "f91c2c5cfa2950a20265b45bcc13e49ed9e49aac"
      ],
      "author": {
        "name": "Roberto Sassu",
        "email": "roberto.sassu@polito.it",
        "time": "Mon Jun 27 13:45:40 2011 +0200"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jun 27 09:08:52 2011 -0400"
      },
      "message": "encrypted-keys: fixed valid_master_desc() function description\n\nValid key type prefixes for the parameter \u0027key-type\u0027 are: \u0027trusted\u0027 and\n\u0027user\u0027.\n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nAcked-by: Gianluca Ramunno \u003cramunno@polito.it\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "f91c2c5cfa2950a20265b45bcc13e49ed9e49aac",
      "tree": "f5ed8f02cc44dfe9274440c8cdcd50b4345621e6",
      "parents": [
        "4d67431f80b1b822f0286afc9123ee453eac7334"
      ],
      "author": {
        "name": "Roberto Sassu",
        "email": "roberto.sassu@polito.it",
        "time": "Mon Jun 27 13:45:39 2011 +0200"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jun 27 09:08:39 2011 -0400"
      },
      "message": "encrypted_keys: avoid dumping the master key if the request fails\n\nDo not dump the master key if an error is encountered during the request.\n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nAcked-by: Gianluca Ramunno \u003cramunno@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "b1d7dd80aadb9042e83f9778b484a2f92e0b04d4",
      "tree": "33044314f0a058724e9ee912cca6fe55c2284cf1",
      "parents": [
        "35052cffe0081904f3362c05818db900dd9dc7de"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Tue Jun 21 14:32:05 2011 +0100"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Jun 21 18:31:45 2011 -0700"
      },
      "message": "KEYS: Fix error handling in construct_key_and_link()\n\nFix error handling in construct_key_and_link().\n\nIf construct_alloc_key() returns an error, it shouldn\u0027t pass out through\nthe normal path as the key_serial() called by the kleave() statement\nwill oops when it gets an error code in the pointer:\n\n  BUG: unable to handle kernel paging request at ffffffffffffff84\n  IP: [\u003cffffffff8120b401\u003e] request_key_and_link+0x4d7/0x52f\n  ..\n  Call Trace:\n   [\u003cffffffff8120b52c\u003e] request_key+0x41/0x75\n   [\u003cffffffffa00ed6e8\u003e] cifs_get_spnego_key+0x206/0x226 [cifs]\n   [\u003cffffffffa00eb0c9\u003e] CIFS_SessSetup+0x511/0x1234 [cifs]\n   [\u003cffffffffa00d9799\u003e] cifs_setup_session+0x90/0x1ae [cifs]\n   [\u003cffffffffa00d9c02\u003e] cifs_get_smb_ses+0x34b/0x40f [cifs]\n   [\u003cffffffffa00d9e05\u003e] cifs_mount+0x13f/0x504 [cifs]\n   [\u003cffffffffa00caabb\u003e] cifs_do_mount+0xc4/0x672 [cifs]\n   [\u003cffffffff8113ae8c\u003e] mount_fs+0x69/0x155\n   [\u003cffffffff8114ff0e\u003e] vfs_kern_mount+0x63/0xa0\n   [\u003cffffffff81150be2\u003e] do_kern_mount+0x4d/0xdf\n   [\u003cffffffff81152278\u003e] do_mount+0x63c/0x69f\n   [\u003cffffffff8115255c\u003e] sys_mount+0x88/0xc2\n   [\u003cffffffff814fbdc2\u003e] system_call_fastpath+0x16/0x1b\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Jeff Layton \u003cjlayton@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "879669961b11e7f40b518784863a259f735a72bf",
      "tree": "9bff5392e365caf656c9dd9be38f7471c182278c",
      "parents": [
        "eb96c925152fc289311e5d7e956b919e9b60ab53"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri Jun 17 11:25:59 2011 +0100"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri Jun 17 09:40:48 2011 -0700"
      },
      "message": "KEYS/DNS: Fix ____call_usermodehelper() to not lose the session keyring\n\n____call_usermodehelper() now erases any credentials set by the\nsubprocess_inf::init() function.  The problem is that commit\n17f60a7da150 (\"capabilites: allow the application of capability limits\nto usermode helpers\") creates and commits new credentials with\nprepare_kernel_cred() after the call to the init() function.  This wipes\nall keyrings after umh_keys_init() is called.\n\nThe best way to deal with this is to put the init() call just prior to\nthe commit_creds() call, and pass the cred pointer to init().  That\nmeans that umh_keys_init() and suchlike can modify the credentials\n_before_ they are published and potentially in use by the rest of the\nsystem.\n\nThis prevents request_key() from working as it is prevented from passing\nthe session keyring it set up with the authorisation token to\n/sbin/request-key, and so the latter can\u0027t assume the authority to\ninstantiate the key.  This causes the in-kernel DNS resolver to fail\nwith ENOKEY unconditionally.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nTested-by: Jeff Layton \u003cjlayton@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "4d67431f80b1b822f0286afc9123ee453eac7334",
      "tree": "47ae7c273186e49a49440f95d0655cc538e2b829",
      "parents": [
        "2ce9738bac1b386f46e8478fd2c263460e7c2b09"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Mon Jun 13 22:33:52 2011 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Jun 14 15:03:29 2011 +1000"
      },
      "message": "KEYS: Don\u0027t return EAGAIN to keyctl_assume_authority()\n\nDon\u0027t return EAGAIN to keyctl_assume_authority() to indicate that a key could\nnot be found (ENOKEY is only returned if a negative key is found).  Instead\nreturn ENOKEY in both cases.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "e52e713ec30a31e9a4663d9aebbaae5ec07466a6",
      "tree": "68f9680577ae68f3972a5ed73afed5d1c2794310",
      "parents": [
        "bdf7cf1c83872a0586ce4c4da6889103cc36dbd3",
        "2f3e4af471e38e0658e701973238ae4b5e50fcd6"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri May 27 10:25:02 2011 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri May 27 10:25:02 2011 -0700"
      },
      "message": "Merge branch \u0027docs-move\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/rdunlap/linux-docs\n\n* \u0027docs-move\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/rdunlap/linux-docs:\n  Create Documentation/security/, move LSM-, credentials-, and keys-related files from Documentation/   to Documentation/security/, add Documentation/security/00-INDEX, and update all occurrences of Documentation/\u003cmoved_file\u003e   to Documentation/security/\u003cmoved_file\u003e.\n"
    },
    {
      "commit": "f7285b5d631fd6096b11c6af0058ed3a2b30ef4e",
      "tree": "956fff16b2327818eae72cfe47cf2260986e2fd2",
      "parents": [
        "b7c2f036284452627d793af981877817b37d4351"
      ],
      "author": {
        "name": "Serge E. Hallyn",
        "email": "serge@hallyn.com",
        "time": "Thu May 26 15:25:05 2011 -0500"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu May 26 13:49:19 2011 -0700"
      },
      "message": "Set cred-\u003euser_ns in key_replace_session_keyring\n\nSince this cred was not created with copy_creds(), it needs to get\ninitialized.  Otherwise use of syscall(__NR_keyctl, KEYCTL_SESSION_TO_PARENT);\ncan lead to a NULL deref.  Thanks to Robert for finding this.\n\nBut introduced by commit 47a150edc2a (\"Cache user_ns in struct cred\").\n\nSigned-off-by: Serge E. Hallyn \u003cserge.hallyn@canonical.com\u003e\nReported-by: Robert Święcki \u003crobert@swiecki.net\u003e\nCc: David Howells \u003cdhowells@redhat.com\u003e\nCc: stable@kernel.org (2.6.39)\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "434d42cfd05a7cc452457a81d2029540cba12150",
      "tree": "3a6b9b7f9ff2e1b7409dd66c15242b2a75aa4422",
      "parents": [
        "d762f4383100c2a87b1a3f2d678cd3b5425655b4",
        "12a5a2621b1ee14d32beca35304d7c6076a58815"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue May 24 22:55:24 2011 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue May 24 22:55:24 2011 +1000"
      },
      "message": "Merge branch \u0027next\u0027 into for-linus\n"
    },
    {
      "commit": "d410fa4ef99112386de5f218dd7df7b4fca910b4",
      "tree": "e29fbc3f6d27b20d73d8feb4ed73f6767f2e18fe",
      "parents": [
        "61c4f2c81c61f73549928dfd9f3e8f26aa36a8cf"
      ],
      "author": {
        "name": "Randy Dunlap",
        "email": "randy.dunlap@oracle.com",
        "time": "Thu May 19 15:59:38 2011 -0700"
      },
      "committer": {
        "name": "Randy Dunlap",
        "email": "randy.dunlap@oracle.com",
        "time": "Thu May 19 15:59:38 2011 -0700"
      },
      "message": "Create Documentation/security/,\nmove LSM-, credentials-, and keys-related files from Documentation/\n  to Documentation/security/,\nadd Documentation/security/00-INDEX, and\nupdate all occurrences of Documentation/\u003cmoved_file\u003e\n  to Documentation/security/\u003cmoved_file\u003e.\n"
    },
    {
      "commit": "3acb458c32293405cf68985b7b3ac5dc0a5e7929",
      "tree": "2943bc04adaedf25377c954087c7277118a4aae1",
      "parents": [
        "75ef0368d182785c7c5c06ac11081e31257a313e"
      ],
      "author": {
        "name": "Lai Jiangshan",
        "email": "laijs@cn.fujitsu.com",
        "time": "Fri Mar 18 12:11:07 2011 +0800"
      },
      "committer": {
        "name": "Paul E. McKenney",
        "email": "paulmck@linux.vnet.ibm.com",
        "time": "Sat May 07 22:50:54 2011 -0700"
      },
      "message": "security,rcu: convert call_rcu(user_update_rcu_disposal) to kfree_rcu()\n\nThe rcu callback user_update_rcu_disposal() just calls a kfree(),\nso we use kfree_rcu() instead of the call_rcu(user_update_rcu_disposal).\n\nSigned-off-by: Lai Jiangshan \u003claijs@cn.fujitsu.com\u003e\nSigned-off-by: Paul E. McKenney \u003cpaulmck@linux.vnet.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-by: Josh Triplett \u003cjosh@joshtriplett.org\u003e\n"
    },
    {
      "commit": "4aab1e896a0a9d57420ff2867caa5a369123d8cb",
      "tree": "92212870353a9493c10fb46a0dd9b6ce27230012",
      "parents": [
        "78b7280cce23293f7570ad52c1ffe1485c6d9669"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri Mar 11 17:57:33 2011 +0000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Mar 17 11:59:49 2011 +1100"
      },
      "message": "KEYS: Make request_key() and co. return an error for a negative key\n\nMake request_key() and co. return an error for a negative or rejected key.  If\nthe key was simply negated, then return ENOKEY, otherwise return the error\nwith which it was rejected.\n\nWithout this patch, the following command returns a key number (with the latest\nkeyutils):\n\n\t[root@andromeda ~]# keyctl request2 user debug:foo rejected @s\n\t586569904\n\nTrying to print the key merely gets you a permission denied error:\n\n\t[root@andromeda ~]# keyctl print 586569904\n\tkeyctl_read_alloc: Permission denied\n\nDoing another request_key() call does get you the error, as long as it hasn\u0027t\nexpired yet:\n\n\t[root@andromeda ~]# keyctl request user debug:foo\n\trequest_key: Key was rejected by service\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "78b7280cce23293f7570ad52c1ffe1485c6d9669",
      "tree": "f3051c5fe69cb41e88f9470dead8534dda3e94e0",
      "parents": [
        "c151694b2c48d956ac8c8c59c6927f89cc29ef70"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri Mar 11 17:57:23 2011 +0000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Mar 17 11:59:32 2011 +1100"
      },
      "message": "KEYS: Improve /proc/keys\n\nImprove /proc/keys by:\n\n (1) Don\u0027t attempt to summarise the payload of a negated key.  It won\u0027t have\n     one.  To this end, a helper function - key_is_instantiated() has been\n     added that allows the caller to find out whether the key is positively\n     instantiated (as opposed to being uninstantiated or negatively\n     instantiated).\n\n (2) Do show keys that are negative, expired or revoked rather than hiding\n     them.  This requires an override flag (no_state_check) to be passed to\n     search_my_process_keyrings() and keyring_search_aux() to suppress this\n     check.\n\n     Without this, keys that are possessed by the caller, but only grant\n     permissions to the caller if possessed are skipped as the possession check\n     fails.\n\n     Keys that are visible due to user, group or other checks are visible with\n     or without this patch.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "ee009e4a0d4555ed522a631bae9896399674f064",
      "tree": "ee309fb4a98d9e7792cec99935c2d33652b3f440",
      "parents": [
        "fdd1b94581782a2ddf9124414e5b7a5f48ce2f9c"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Mon Mar 07 15:06:20 2011 +0000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Mar 08 11:17:22 2011 +1100"
      },
      "message": "KEYS: Add an iovec version of KEYCTL_INSTANTIATE\n\nAdd a keyctl op (KEYCTL_INSTANTIATE_IOV) that is like KEYCTL_INSTANTIATE, but\ntakes an iovec array and concatenates the data in-kernel into one buffer.\nSince the KEYCTL_INSTANTIATE copies the data anyway, this isn\u0027t too much of a\nproblem.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "fdd1b94581782a2ddf9124414e5b7a5f48ce2f9c",
      "tree": "ce83bfd1f0b1a7d4b9521bdb3d6afef1bff1d4f2",
      "parents": [
        "b9fffa3877a3ebbe0a5ad5a247358e2f7df15b24"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Mon Mar 07 15:06:09 2011 +0000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Mar 08 11:17:18 2011 +1100"
      },
      "message": "KEYS: Add a new keyctl op to reject a key with a specified error code\n\nAdd a new keyctl op to reject a key with a specified error code.  This works\nmuch the same as negating a key, and so keyctl_negate_key() is made a special\ncase of keyctl_reject_key().  The difference is that keyctl_negate_key()\nselects ENOKEY as the error to be reported.\n\nTypically the key would be rejected with EKEYEXPIRED, EKEYREVOKED or\nEKEYREJECTED, but this is not mandatory.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "b9fffa3877a3ebbe0a5ad5a247358e2f7df15b24",
      "tree": "0f58a92c2616b3663f88935290d32a4c90d57025",
      "parents": [
        "633e804e89464d3875e59de1959a53f9041d3094"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Mon Mar 07 15:05:59 2011 +0000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Mar 08 11:17:15 2011 +1100"
      },
      "message": "KEYS: Add a key type op to permit the key description to be vetted\n\nAdd a key type operation to permit the key type to vet the description of a new\nkey that key_alloc() is about to allocate.  The operation may reject the\ndescription if it wishes with an error of its choosing.  If it does this, the\nkey will not be allocated.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "633e804e89464d3875e59de1959a53f9041d3094",
      "tree": "0a2464267c5f7a4e8166771fdc88e181a5b6219a",
      "parents": [
        "1cc26bada9f6807814806db2f0d78792eecdac71"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Mon Mar 07 15:05:51 2011 +0000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Mar 08 11:17:11 2011 +1100"
      },
      "message": "KEYS: Add an RCU payload dereference macro\n\nAdd an RCU payload dereference macro as this seems to be a common piece of code\namongst key types that use RCU referenced payloads.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "ceb73c12047b8d543570b23353e7848eb7c540a1",
      "tree": "a637dc88d418be1b705a66bea375af955bd14e22",
      "parents": [
        "f5c66d70ac2a9016a7ad481bd37e39afd7dd7369"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Tue Jan 25 16:34:28 2011 +0000"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Wed Jan 26 08:58:20 2011 +1000"
      },
      "message": "KEYS: Fix __key_link_end() quota fixup on error\n\nFix __key_link_end()\u0027s attempt to fix up the quota if an error occurs.\n\nThere are two erroneous cases: Firstly, we always decrease the quota if\nthe preallocated replacement keyring needs cleaning up, irrespective of\nwhether or not we should (we may have replaced a pointer rather than\nadding another pointer).\n\nSecondly, we never clean up the quota if we added a pointer without the\nkeyring storage being extended (we allocate multiple pointers at a time,\neven if we\u0027re not going to use them all immediately).\n\nWe handle this by setting the bottom bit of the preallocation pointer in\n__key_link_begin() to indicate that the quota needs fixing up, which is\nthen passed to __key_link() (which clears the whole thing) and\n__key_link_end().\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "5403110943a2dcf1f96416d7a412a8b46895facd",
      "tree": "48e3501e71511200c911315b8bdffde4788d357d",
      "parents": [
        "7f3c68bee977ab872827e44de017216736fe21d7"
      ],
      "author": {
        "name": "Jesper Juhl",
        "email": "jj@chaosbits.net",
        "time": "Sun Jan 23 22:40:42 2011 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jan 24 10:59:58 2011 +1100"
      },
      "message": "trusted keys: Fix a memory leak in trusted_update().\n\nOne failure path in security/keys/trusted.c::trusted_update() does\nnot free \u0027new_p\u0027 while the others do. This patch makes sure we also free\nit in the remaining path (if datablob_parse() returns different from\nOpt_update).\n\nSigned-off-by: Jesper Juhl \u003cjj@chaosbits.net\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "b9703449347603289cac0bd04e574ac2e777275d",
      "tree": "287d7d8cccfad36f238d826f87e474afb8db424d",
      "parents": [
        "4b174b6d281f5c87234fc65bafc02877f565c5cf"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Jan 18 09:07:12 2011 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jan 24 10:27:57 2011 +1100"
      },
      "message": "encrypted-keys: rename encrypted_defined files to encrypted\n\nRename encrypted_defined.c and encrypted_defined.h files to encrypted.c and\nencrypted.h, respectively. Based on request from David Howells.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "4b174b6d281f5c87234fc65bafc02877f565c5cf",
      "tree": "5c1f0519d2f4d642ac9ecec9a180019fe980958e",
      "parents": [
        "1bae4ce27c9c90344f23c65ea6966c50ffeae2f5"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Jan 18 09:07:11 2011 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jan 24 10:14:22 2011 +1100"
      },
      "message": "trusted-keys: rename trusted_defined files to trusted\n\nRename trusted_defined.c and trusted_defined.h files to trusted.c and\ntrusted.h, respectively. Based on request from David Howells.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "973c9f4f49ca96a53bcf6384c4c59ccd26c33906",
      "tree": "e3535a43c1e5cb5f0c06c040f58bc25c9b869fd1",
      "parents": [
        "a8b17ed019bd40d3bfa20439d9c36a99f9be9180"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Thu Jan 20 16:38:33 2011 +0000"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri Jan 21 14:59:30 2011 -0800"
      },
      "message": "KEYS: Fix up comments in key management code\n\nFix up comments in the key management code.  No functional changes.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "a8b17ed019bd40d3bfa20439d9c36a99f9be9180",
      "tree": "beb3b08575aa01c7ebb24939b678d533b1f59adf",
      "parents": [
        "9093ba53b7f26dbb5210de1157769e59e34bbe23"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Thu Jan 20 16:38:27 2011 +0000"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri Jan 21 14:59:29 2011 -0800"
      },
      "message": "KEYS: Do some style cleanup in the key management code.\n\nDo a bit of a style clean up in the key management code.  No functional\nchanges.\n\nDone using:\n\n  perl -p -i -e \u0027s!^/[*]*/\\n!!\u0027 security/keys/*.c\n  perl -p -i -e \u0027s!} /[*] end [a-z0-9_]*[(][)] [*]/\\n!}\\n!\u0027 security/keys/*.c\n  sed -i -s -e \": next\" -e N -e \u0027s/^\\n[}]$/}/\u0027 -e t -e P -e \u0027s/^.*\\n//\u0027 -e \"b next\" security/keys/*.c\n\nTo remove /*****/ lines, remove comments on the closing brace of a\nfunction to name the function and remove blank lines before the closing\nbrace of a function.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "154a96bfcd53b8e5020718c64769e542c44788b9",
      "tree": "2fc7a4c8992fb4222a6fb47f22907a94da48eebd",
      "parents": [
        "0e7491f685cbc962f2ef977f7b5f8ed0b3100e88"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Mon Jan 17 09:27:27 2011 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jan 19 09:53:59 2011 +1100"
      },
      "message": "trusted-keys: avoid scattering va_end()\n\nWe can avoid scattering va_end() within the\n\n  va_start();\n  for (;;) {\n\n  }\n  va_end();\n\nloop, assuming that crypto_shash_init()/crypto_shash_update() return 0 on\nsuccess and negative value otherwise.\n\nMake TSS_authhmac()/TSS_checkhmac1()/TSS_checkhmac2() similar to TSS_rawhmac()\nby removing \"va_end()/goto\" from the loop.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nReviewed-by: Jesper Juhl \u003cjj@chaosbits.net\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "0e7491f685cbc962f2ef977f7b5f8ed0b3100e88",
      "tree": "44d27bf6f64b974eb8d177316c3fd77f66324b13",
      "parents": [
        "35576eab390df313095306e2a8216134910e7014"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Mon Jan 17 09:25:34 2011 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jan 19 09:53:56 2011 +1100"
      },
      "message": "trusted-keys: check for NULL before using it\n\nTSS_rawhmac() checks for data !\u003d NULL before using it.\nWe should do the same thing for TSS_authhmac().\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nReviewed-by: Jesper Juhl \u003cjj@chaosbits.net\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "35576eab390df313095306e2a8216134910e7014",
      "tree": "c35b52f6797ce69091c3e3bc596783f45e19496a",
      "parents": [
        "40c1001792de63e0f90e977eb05393fd71f78692"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Mon Jan 17 09:22:47 2011 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jan 19 09:53:53 2011 +1100"
      },
      "message": "trusted-keys: another free memory bugfix\n\nTSS_rawhmac() forgot to call va_end()/kfree() when data \u003d\u003d NULL and\nforgot to call va_end() when crypto_shash_update() \u003c 0.\nFix these bugs by escaping from the loop using \"break\"\n(rather than \"return\"/\"goto\") in order to make sure that\nva_end()/kfree() are always called.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nReviewed-by: Jesper Juhl \u003cjj@chaosbits.net\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "40c1001792de63e0f90e977eb05393fd71f78692",
      "tree": "7172e92ccefd8f4b8ee42401901ddab5bec687b5",
      "parents": [
        "581548db3b3c0f6e25b500329eb02e3c72e7acbe"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Dec 20 12:37:18 2010 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Jan 14 10:27:46 2011 +1100"
      },
      "message": "trusted-keys: free memory bugfix\n\nAdd missing kfree(td) in tpm_seal() before the return, freeing\ntd on error paths as well.\n\nReported-by: Dan Carpenter \u003cerror27@gmail.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: David Safford \u003csafford@watson.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Serge Hallyn \u003cserge@hallyn.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "d2e7ad19229f982fc1eb731827d82ceac90abfb3",
      "tree": "98a3741b4d4b27a48b3c7ea9babe331e539416a8",
      "parents": [
        "d03a5d888fb688c832d470b749acc5ed38e0bc1d",
        "0c21e3aaf6ae85bee804a325aa29c325209180fd"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jan 10 09:46:24 2011 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jan 10 09:46:24 2011 +1100"
      },
      "message": "Merge branch \u0027master\u0027 into next\n\nConflicts:\n\tsecurity/smack/smack_lsm.c\n\nVerified and added fix by Stephen Rothwell \u003csfr@canb.auug.org.au\u003e\nOk\u0027d by Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "3fc5e98d8cf85e0d77fc597b49e9268dff67400e",
      "tree": "acd7c7a2579f945ff856bd570988f48f652f93c1",
      "parents": [
        "44658a11f312fb9217674cb90b1a11cbe17fd18d"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Wed Dec 22 16:24:13 2010 +0000"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Dec 23 15:31:48 2010 -0800"
      },
      "message": "KEYS: Don\u0027t call up_write() if __key_link_begin() returns an error\n\nIn construct_alloc_key(), up_write() is called in the error path if\n__key_link_begin() fails, but this is incorrect as __key_link_begin() only\nreturns with the nominated keyring locked if it returns successfully.\n\nWithout this patch, you might see the following in dmesg:\n\n\t\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\t[ BUG: bad unlock balance detected! ]\n\t-------------------------------------\n\tmount.cifs/5769 is trying to release lock (\u0026key-\u003esem) at:\n\t[\u003cffffffff81201159\u003e] request_key_and_link+0x263/0x3fc\n\tbut there are no more locks to release!\n\n\tother info that might help us debug this:\n\t3 locks held by mount.cifs/5769:\n\t #0:  (\u0026type-\u003es_umount_key#41/1){+.+.+.}, at: [\u003cffffffff81131321\u003e] sget+0x278/0x3e7\n\t #1:  (\u0026ret_buf-\u003esession_mutex){+.+.+.}, at: [\u003cffffffffa0258e59\u003e] cifs_get_smb_ses+0x35a/0x443 [cifs]\n\t #2:  (root_key_user.cons_lock){+.+.+.}, at: [\u003cffffffff81201000\u003e] request_key_and_link+0x10a/0x3fc\n\n\tstack backtrace:\n\tPid: 5769, comm: mount.cifs Not tainted 2.6.37-rc6+ #1\n\tCall Trace:\n\t [\u003cffffffff81201159\u003e] ? request_key_and_link+0x263/0x3fc\n\t [\u003cffffffff81081601\u003e] print_unlock_inbalance_bug+0xca/0xd5\n\t [\u003cffffffff81083248\u003e] lock_release_non_nested+0xc1/0x263\n\t [\u003cffffffff81201159\u003e] ? request_key_and_link+0x263/0x3fc\n\t [\u003cffffffff81201159\u003e] ? request_key_and_link+0x263/0x3fc\n\t [\u003cffffffff81083567\u003e] lock_release+0x17d/0x1a4\n\t [\u003cffffffff81073f45\u003e] up_write+0x23/0x3b\n\t [\u003cffffffff81201159\u003e] request_key_and_link+0x263/0x3fc\n\t [\u003cffffffffa026fe9e\u003e] ? cifs_get_spnego_key+0x61/0x21f [cifs]\n\t [\u003cffffffff812013c5\u003e] request_key+0x41/0x74\n\t [\u003cffffffffa027003d\u003e] cifs_get_spnego_key+0x200/0x21f [cifs]\n\t [\u003cffffffffa026e296\u003e] CIFS_SessSetup+0x55d/0x1273 [cifs]\n\t [\u003cffffffffa02589e1\u003e] cifs_setup_session+0x90/0x1ae [cifs]\n\t [\u003cffffffffa0258e7e\u003e] cifs_get_smb_ses+0x37f/0x443 [cifs]\n\t [\u003cffffffffa025a9e3\u003e] cifs_mount+0x1aa1/0x23f3 [cifs]\n\t [\u003cffffffff8111fd94\u003e] ? alloc_debug_processing+0xdb/0x120\n\t [\u003cffffffffa027002c\u003e] ? cifs_get_spnego_key+0x1ef/0x21f [cifs]\n\t [\u003cffffffffa024cc71\u003e] cifs_do_mount+0x165/0x2b3 [cifs]\n\t [\u003cffffffff81130e72\u003e] vfs_kern_mount+0xaf/0x1dc\n\t [\u003cffffffff81131007\u003e] do_kern_mount+0x4d/0xef\n\t [\u003cffffffff811483b9\u003e] do_mount+0x6f4/0x733\n\t [\u003cffffffff8114861f\u003e] sys_mount+0x88/0xc2\n\t [\u003cffffffff8100ac42\u003e] system_call_fastpath+0x16/0x1b\n\nReported-by: Jeff Layton \u003cjlayton@redhat.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-and-Tested-by: Jeff Layton \u003cjlayton@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "3b1826cebe1d534ec05417a29b9a9f82651a5cb5",
      "tree": "38fc352e647df90c86a0b03722eff8f66b7eb607",
      "parents": [
        "1f35065a9e2573427ce3fd6c4a40b355c2ddfb92"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Dec 13 16:53:13 2010 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Dec 15 12:14:34 2010 +0530"
      },
      "message": "encrypted-keys: style and other cleanup\n\nCleanup based on David Howells\u0027 suggestions:\n- use static const char arrays instead of #define\n- rename init_sdesc to alloc_sdesc\n- convert \u0027unsigned int\u0027 definitions to \u0027size_t\u0027\n- revert remaining \u0027const unsigned int\u0027 definitions to \u0027unsigned int\u0027\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "1f35065a9e2573427ce3fd6c4a40b355c2ddfb92",
      "tree": "9ee6990e21b34dda09efc625a8bca4fa6c4e5d67",
      "parents": [
        "1bdbb4024c309e470711b434a24fb356fc92edea"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Dec 13 16:53:12 2010 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Dec 15 12:14:32 2010 +0530"
      },
      "message": "encrypted-keys: verify datablob size before converting to binary\n\nVerify the hex ascii datablob length is correct before converting the IV,\nencrypted data, and HMAC to binary.\n\nReported-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "1bdbb4024c309e470711b434a24fb356fc92edea",
      "tree": "129f4136a53e0133fcdff81065f2e15fb4aac374",
      "parents": [
        "bc5e0af0b36b6cc9de301074426c279fc9b72675"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Dec 13 16:53:11 2010 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Dec 15 12:14:27 2010 +0530"
      },
      "message": "trusted-keys: kzalloc and other cleanup\n\nCleanup based on David Howells\u0027 suggestions:\n- replace kzalloc, where possible, with kmalloc\n- revert \u0027const unsigned int\u0027 definitions to \u0027unsigned int\u0027\n\nSigned-off-by: David Safford \u003csafford@watson.ibm.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "bc5e0af0b36b6cc9de301074426c279fc9b72675",
      "tree": "116b20ec3e81f4a956ecf0fde2dfba11d43117dc",
      "parents": [
        "38ef4c2e437d11b5922723504b62824e96761459"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Dec 13 16:53:10 2010 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Dec 15 12:14:25 2010 +0530"
      },
      "message": "trusted-keys: additional TSS return code and other error handling\n\nPreviously not all TSS return codes were tested, as they were all eventually\ncaught by the TPM. Now all returns are tested and handled immediately.\n\nThis patch also fixes memory leaks in error and non-error paths.\n\nSigned-off-by: David Safford \u003csafford@watson.ibm.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge E. Hallyn \u003cserge@hallyn.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "93ae86e759299718c611bc543b9b1633bf32905a",
      "tree": "e8b054d9df2c2f9e935d656d5eb25c7c6231c940",
      "parents": [
        "b4e0d5f0791bd6dd12a1c1edea0340969c7c1f90"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Nov 29 16:20:04 2010 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Nov 30 09:20:27 2010 +1100"
      },
      "message": "keys: add missing include file for trusted and encrypted keys\n\nThis patch fixes the linux-next powerpc build errors as reported by\nStephen Rothwell.\n\nReported-by: Stephen Rothwell \u003csfr@canb.auug.org.au\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nTested-by: Rajiv Andrade \u003csrajiv@linux.vnet.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "7e70cb4978507cf31d76b90e4cfb4c28cad87f0c",
      "tree": "c5df493eef8d30dcb40d647b0528970eb4a391c6",
      "parents": [
        "d00a1c72f7f4661212299e6cb132dfa58030bcdb"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Nov 23 18:55:35 2010 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Nov 29 08:55:29 2010 +1100"
      },
      "message": "keys: add new key-type encrypted\n\nDefine a new kernel key-type called \u0027encrypted\u0027. Encrypted keys are kernel\ngenerated random numbers, which are encrypted/decrypted with a \u0027trusted\u0027\nsymmetric key. Encrypted keys are created/encrypted/decrypted in the kernel.\nUserspace only ever sees/stores encrypted blobs.\n\nChangelog:\n- bug fix: replaced master-key rcu based locking with semaphore\n  (reported by David Howells)\n- Removed memset of crypto_shash_digest() digest output\n- Replaced verification of \u0027key-type:key-desc\u0027 using strcspn(), with\n  one based on string constants.\n- Moved documentation to Documentation/keys-trusted-encrypted.txt\n- Replace hash with shash (based on comments by David Howells)\n- Make lengths/counts size_t where possible (based on comments by David Howells)\n  Could not convert most lengths, as crypto expects \u0027unsigned int\u0027\n  (size_t: on 32 bit is defined as unsigned int, but on 64 bit is unsigned long)\n- Add \u0027const\u0027 where possible (based on comments by David Howells)\n- allocate derived_buf dynamically to support arbitrary length master key\n  (fixed by Roberto Sassu)\n- wait until late_initcall for crypto libraries to be registered\n- cleanup security/Kconfig\n- Add missing \u0027update\u0027 keyword (reported/fixed by Roberto Sassu)\n- Free epayload on failure to create key (reported/fixed by Roberto Sassu)\n- Increase the data size limit (requested by Roberto Sassu)\n- Crypto return codes are always 0 on success and negative on failure,\n  remove unnecessary tests.\n- Replaced kzalloc() with kmalloc()\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: David Safford \u003csafford@watson.ibm.com\u003e\nReviewed-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "d00a1c72f7f4661212299e6cb132dfa58030bcdb",
      "tree": "2c873e461f42bbf3aea03b7b2e59cea8f941d841",
      "parents": [
        "c749ba912e87ccebd674ae24b97462176c63732e"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Nov 23 17:50:34 2010 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Nov 29 08:55:25 2010 +1100"
      },
      "message": "keys: add new trusted key-type\n\nDefine a new kernel key-type called \u0027trusted\u0027.  Trusted keys are random\nnumber symmetric keys, generated and RSA-sealed by the TPM.  The TPM\nonly unseals the keys, if the boot PCRs and other criteria match.\nUserspace can only ever see encrypted blobs.\n\nBased on suggestions by Jason Gunthorpe, several new options have been\nadded to support additional usages.\n\nThe new options are:\nmigratable\u003d  designates that the key may/may not ever be updated\n             (resealed under a new key, new pcrinfo or new auth.)\n\npcrlock\u003dn    extends the designated PCR \u0027n\u0027 with a random value,\n             so that a key sealed to that PCR may not be unsealed\n             again until after a reboot.\n\nkeyhandle\u003d   specifies the sealing/unsealing key handle.\n\nkeyauth\u003d     specifies the sealing/unsealing key auth.\n\nblobauth\u003d    specifies the sealed data auth.\n\nImplementation of a kernel reserved locality for trusted keys will be\ninvestigated for a possible future extension.\n\nChangelog:\n- Updated and added examples to Documentation/keys-trusted-encrypted.txt\n- Moved generic TPM constants to include/linux/tpm_command.h\n  (David Howell\u0027s suggestion.)\n- trusted_defined.c: replaced kzalloc with kmalloc, added pcrlock failure\n  error handling, added const qualifiers where appropriate.\n- moved to late_initcall\n- updated from hash to shash (suggestion by David Howells)\n- reduced worst stack usage (tpm_seal) from 530 to 312 bytes\n- moved documentation to Documentation directory (suggestion by David Howells)\n- all the other code cleanups suggested by David Howells\n- Add pcrlock CAP_SYS_ADMIN dependency (based on comment by Jason Gunthorpe)\n- New options: migratable, pcrlock, keyhandle, keyauth, blobauth (based on\n  discussions with Jason Gunthorpe)\n- Free payload on failure to create key(reported/fixed by Roberto Sassu)\n- Updated Kconfig and other descriptions (based on Serge Hallyn\u0027s suggestion)\n- Replaced kzalloc() with kmalloc() (reported by Serge Hallyn)\n\nSigned-off-by: David Safford \u003csafford@watson.ibm.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "27d6379894be4a81984da4d48002196a83939ca9",
      "tree": "1d5a7338b0fc66ba4c0b799eb60df44b8f0fc08a",
      "parents": [
        "765aaafe38050790301e89745b991dbdf3dded4c"
      ],
      "author": {
        "name": "Andi Kleen",
        "email": "ak@linux.intel.com",
        "time": "Thu Oct 28 13:16:13 2010 +0100"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Oct 28 09:02:15 2010 -0700"
      },
      "message": "Fix install_process_keyring error handling\n\nFix an incorrect error check that returns 1 for error instead of the\nexpected error code.\n\nSigned-off-by: Andi Kleen \u003cak@linux.intel.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "3d96406c7da1ed5811ea52a3b0905f4f0e295376",
      "tree": "051e3a0ab6b0c9d9ac12b88fd244ff09766f8f50",
      "parents": [
        "9d1ac65a9698513d00e5608d93fca0c53f536c14"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri Sep 10 09:59:51 2010 +0100"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri Sep 10 07:30:00 2010 -0700"
      },
      "message": "KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring\n\nFix a bug in keyctl_session_to_parent() whereby it tries to check the ownership\nof the parent process\u0027s session keyring whether or not the parent has a session\nkeyring [CVE-2010-2960].\n\nThis results in the following oops:\n\n  BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0\n  IP: [\u003cffffffff811ae4dd\u003e] keyctl_session_to_parent+0x251/0x443\n  ...\n  Call Trace:\n   [\u003cffffffff811ae2f3\u003e] ? keyctl_session_to_parent+0x67/0x443\n   [\u003cffffffff8109d286\u003e] ? __do_fault+0x24b/0x3d0\n   [\u003cffffffff811af98c\u003e] sys_keyctl+0xb4/0xb8\n   [\u003cffffffff81001eab\u003e] system_call_fastpath+0x16/0x1b\n\nif the parent process has no session keyring.\n\nIf the system is using pam_keyinit then it is mostly protected against this as all\nprocesses derived from a login will have inherited the session keyring created\nby pam_keyinit during the log in procedure.\n\nTo test this, pam_keyinit calls need to be commented out in /etc/pam.d/.\n\nReported-by: Tavis Ormandy \u003ctaviso@cmpxchg8b.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Tavis Ormandy \u003ctaviso@cmpxchg8b.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "9d1ac65a9698513d00e5608d93fca0c53f536c14",
      "tree": "859809638bdf52f56b6b3890bedefcc1bae89b32",
      "parents": [
        "ff3cb3fec3c5bbb5110e652bbdd410bc99a47e9f"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri Sep 10 09:59:46 2010 +0100"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri Sep 10 07:30:00 2010 -0700"
      },
      "message": "KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()\n\nThere\u0027s an protected access to the parent process\u0027s credentials in the middle\nof keyctl_session_to_parent().  This results in the following RCU warning:\n\n  \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n  [ INFO: suspicious rcu_dereference_check() usage. ]\n  ---------------------------------------------------\n  security/keys/keyctl.c:1291 invoked rcu_dereference_check() without protection!\n\n  other info that might help us debug this:\n\n  rcu_scheduler_active \u003d 1, debug_locks \u003d 0\n  1 lock held by keyctl-session-/2137:\n   #0:  (tasklist_lock){.+.+..}, at: [\u003cffffffff811ae2ec\u003e] keyctl_session_to_parent+0x60/0x236\n\n  stack backtrace:\n  Pid: 2137, comm: keyctl-session- Not tainted 2.6.36-rc2-cachefs+ #1\n  Call Trace:\n   [\u003cffffffff8105606a\u003e] lockdep_rcu_dereference+0xaa/0xb3\n   [\u003cffffffff811ae379\u003e] keyctl_session_to_parent+0xed/0x236\n   [\u003cffffffff811af77e\u003e] sys_keyctl+0xb4/0xb6\n   [\u003cffffffff81001eab\u003e] system_call_fastpath+0x16/0x1b\n\nThe code should take the RCU read lock to make sure the parents credentials\ndon\u0027t go away, even though it\u0027s holding a spinlock and has IRQ disabled.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "12fdff3fc2483f906ae6404a6e8dcf2550310b6f",
      "tree": "a79fb1365fce7c7529655a8802d6d6bf8509b374",
      "parents": [
        "1490cf5f0cb07dd49cdab4bceb769d7f711d7ca6"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Thu Aug 12 16:54:57 2010 +0100"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Aug 12 09:51:35 2010 -0700"
      },
      "message": "Add a dummy printk function for the maintenance of unused printks\n\nAdd a dummy printk function for the maintenance of unused printks through gcc\nformat checking, and also so that side-effect checking is maintained too.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "1e456a124353a753e9d1fadfbf5cd459c2f197ae",
      "tree": "4977d4fa275faafc0ba99a635d4c853a1f0df2a1",
      "parents": [
        "fc1caf6eafb30ea185720e29f7f5eccca61ecd60"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri Aug 06 16:08:27 2010 +0100"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri Aug 06 09:17:02 2010 -0700"
      },
      "message": "KEYS: request_key() should return -ENOKEY if the constructed key is negative\n\nrequest_key() should return -ENOKEY if the key it constructs has been\nnegatively instantiated.\n\nWithout this, request_key() can return an unusable key to its caller,\nand if the caller then does key_validate() that won\u0027t catch the problem.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "5ad18a0d59ba9e65b3c8b2b489fd23bc6b3daf94",
      "tree": "9de21bbe321012bd8e51d9d8ed09b81785cfcbec",
      "parents": [
        "94fd8405ea62bd2d4a40f3013e8e6935b6643235"
      ],
      "author": {
        "name": "Justin P. Mattock",
        "email": "justinmattock@gmail.com",
        "time": "Wed Jun 30 10:39:11 2010 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Aug 02 15:34:56 2010 +1000"
      },
      "message": "KEYS: Reinstate lost passing of process keyring ID in call_sbin_request_key()\n\nIn commit bb952bb98a7e479262c7eb25d5592545a3af147d there was the accidental\ndeletion of a statement from call_sbin_request_key() to render the process\nkeyring ID to a text string so that it can be passed to /sbin/request-key.\n\nWith gcc 4.6.0 this causes the following warning:\n\n  CC      security/keys/request_key.o\nsecurity/keys/request_key.c: In function \u0027call_sbin_request_key\u0027:\nsecurity/keys/request_key.c:102:15: warning: variable \u0027prkey\u0027 set but not used\n\nThis patch reinstates that statement.\n\nWithout this statement, /sbin/request-key will get some random rubbish from the\nstack as that parameter.\n\nSigned-off-by: Justin P. Mattock \u003cjustinmattock@gmail.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "94fd8405ea62bd2d4a40f3013e8e6935b6643235",
      "tree": "14bff044866db418ec7f84944fc80998df851a99",
      "parents": [
        "0849e3ba53c3ef603dffa9758a73e07ed186a937"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Mon Jun 28 14:05:04 2010 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Aug 02 15:34:56 2010 +1000"
      },
      "message": "KEYS: Use the variable \u0027key\u0027 in keyctl_describe_key()\n\nkeyctl_describe_key() turns the key reference it gets into a usable key pointer\nand assigns that to a variable called \u0027key\u0027, which it then ignores in favour of\nrecomputing the key pointer each time it needs it.  Make it use the precomputed\npointer instead.\n\nWithout this patch, gcc 4.6 reports that the variable key is set but not used:\n\n\tbuilding with gcc 4.6 I\u0027m getting a warning message:\n\t CC      security/keys/keyctl.o\n\tsecurity/keys/keyctl.c: In function \u0027keyctl_describe_key\u0027:\n\tsecurity/keys/keyctl.c:472:14: warning: variable \u0027key\u0027 set but not used\n\nReported-by: Justin P. Mattock \u003cjustinmattock@gmail.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "927942aabbbe506bf9bc70a16dc5460ecc64c148",
      "tree": "2c53ccb405bd4afb03ff9f7acab892fafc7e9b0f",
      "parents": [
        "9156235b3427d6f01c5c95022f72f381f07583f5"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri Jun 11 17:31:10 2010 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Aug 02 15:34:27 2010 +1000"
      },
      "message": "KEYS: Make /proc/keys check to see if a key is possessed before security check\n\nMake /proc/keys check to see if the calling process possesses each key before\nperforming the security check.  The possession check can be skipped if the key\ndoesn\u0027t have the possessor-view permission bit set.\n\nThis causes the keys a process possesses to show up in /proc/keys, even if they\ndon\u0027t have matching user/group/other view permissions.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "9156235b3427d6f01c5c95022f72f381f07583f5",
      "tree": "16df30be93847e73a3b188b98f9ef2e034d82a90",
      "parents": [
        "57c2590fb7fd38bd52708ff2716a577d0c2b3c5a"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri Jun 11 17:31:05 2010 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Aug 02 15:34:27 2010 +1000"
      },
      "message": "KEYS: Authorise keyctl_set_timeout() on a key if we have its authorisation key\n\nAuthorise a process to perform keyctl_set_timeout() on an uninstantiated key if\nthat process has the authorisation key for it.\n\nThis allows the instantiator to set the timeout on a key it is instantiating -\nprovided it does it before instantiating the key.\n\nFor instance, the test upcall script provided with the keyutils package could\nbe modified to set the expiry to an hour hence before instantiating the key:\n\n\t[/usr/share/keyutils/request-key-debug.sh]\n\t if [ \"$3\" !\u003d \"neg\" ]\n\t then\n\t+    keyctl timeout $1 3600\n\t     keyctl instantiate $1 \"Debug $3\" $4 || exit 1\n\t else\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "4303ef19c6e6d16ea845c04b02b9cf086bcb8ed7",
      "tree": "83e649d3b9d3583c7576920a0feb08e38a19d1b5",
      "parents": [
        "7e27d6e778cd87b6f2415515d7127eba53fe5d02"
      ],
      "author": {
        "name": "Dan Carpenter",
        "email": "error27@gmail.com",
        "time": "Fri Jun 11 17:30:05 2010 +0100"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sun Jun 27 07:02:34 2010 -0700"
      },
      "message": "KEYS: Propagate error code instead of returning -EINVAL\n\nThis is from a Smatch check I\u0027m writing.\n\nstrncpy_from_user() returns -EFAULT on error so the first change just\nsilences a warning but doesn\u0027t change how the code works.\n\nThe other change is a bug fix because install_thread_keyring_to_cred()\ncan return a variety of errors such as -EINVAL, -EEXIST, -ENOMEM or\n-EKEYREVOKED.\n\nSigned-off-by: Dan Carpenter \u003cerror27@gmail.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "dd98acf74762764fbc4382a1d9a244f11a2658cc",
      "tree": "e194cc516ccc8812a0424dfd2ca1c32bf1052cd4",
      "parents": [
        "5089a9768041206c76fac299ccd82a528c24c254"
      ],
      "author": {
        "name": "Oleg Nesterov",
        "email": "oleg@redhat.com",
        "time": "Wed May 26 14:43:23 2010 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu May 27 09:12:47 2010 -0700"
      },
      "message": "keyctl_session_to_parent(): use thread_group_empty() to check singlethreadness\n\nNo functional changes.\n\nkeyctl_session_to_parent() is the only user of signal-\u003ecount which needs\nthe correct value.  Change it to use thread_group_empty() instead, this\nmust be strictly equivalent under tasklist, and imho looks better.\n\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nAcked-by: Roland McGrath \u003croland@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "685bfd2c48bb3284d31e73ff3151c957d76deda9",
      "tree": "177210787515f48c0eaad5216bd012f4a2fb2149",
      "parents": [
        "898b374af6f71041bd3bceebe257e564f3f1d458"
      ],
      "author": {
        "name": "Oleg Nesterov",
        "email": "oleg@redhat.com",
        "time": "Wed May 26 14:43:00 2010 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu May 27 09:12:45 2010 -0700"
      },
      "message": "umh: creds: convert call_usermodehelper_keys() to use subprocess_info-\u003einit()\n\ncall_usermodehelper_keys() uses call_usermodehelper_setkeys() to change\nsubprocess_info-\u003ecred in advance.  Now that we have info-\u003einit() we can\nchange this code to set tgcred-\u003esession_keyring in context of execing\nkernel thread.\n\nNote: since currently call_usermodehelper_keys() is never called with\nUMH_NO_WAIT, call_usermodehelper_keys()-\u003ekey_get() and umh_keys_cleanup()\nare not really needed, we could rely on install_session_keyring_to_cred()\nwhich does key_get() on success.\n\nSigned-off-by: Oleg Nesterov \u003coleg@redhat.com\u003e\nAcked-by: Neil Horman \u003cnhorman@tuxdriver.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "4be929be34f9bdeffa40d815d32d7d60d2c7f03b",
      "tree": "4d2c6e2b8ef766e565e2e050ee151de2e02081d3",
      "parents": [
        "940370fc86b920b51a34217a1facc3e9e97c2456"
      ],
      "author": {
        "name": "Alexey Dobriyan",
        "email": "adobriyan@gmail.com",
        "time": "Mon May 24 14:33:03 2010 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue May 25 08:07:02 2010 -0700"
      },
      "message": "kernel-wide: replace USHORT_MAX, SHORT_MAX and SHORT_MIN with USHRT_MAX, SHRT_MAX and SHRT_MIN\n\n- C99 knows about USHRT_MAX/SHRT_MAX/SHRT_MIN, not\n  USHORT_MAX/SHORT_MAX/SHORT_MIN.\n\n- Make SHRT_MIN of type s16, not int, for consistency.\n\n[akpm@linux-foundation.org: fix drivers/dma/timb_dma.c]\n[akpm@linux-foundation.org: fix security/keys/keyring.c]\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nAcked-by: WANG Cong \u003cxiyou.wangcong@gmail.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "4d09ec0f705cf88a12add029c058b53f288cfaa2",
      "tree": "d756921f5391953295404ccf3ba570ddaaca404f",
      "parents": [
        "c80901f2755c582e3096e6708028a8daca59e6e2"
      ],
      "author": {
        "name": "Dan Carpenter",
        "email": "error27@gmail.com",
        "time": "Mon May 17 14:42:35 2010 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue May 18 08:50:55 2010 +1000"
      },
      "message": "KEYS: Return more accurate error codes\n\nWe were using the wrong variable here so the error codes weren\u0027t being returned\nproperly.  The original code returns -ENOKEY.\n\nSigned-off-by: Dan Carpenter \u003cerror27@gmail.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "f70e2e06196ad4c1c762037da2f75354f6c16b81",
      "tree": "9632a1e655efb684c87f8c7be6d091fbb1a430e7",
      "parents": [
        "043b4d40f53131c5f72eca2a46555fe35328a930"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri Apr 30 14:32:39 2010 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu May 06 22:25:02 2010 +1000"
      },
      "message": "KEYS: Do preallocation for __key_link()\n\nDo preallocation for __key_link() so that the various callers in request_key.c\ncan deal with any errors from this source before attempting to construct a key.\nThis allows them to assume that the actual linkage step is guaranteed to be\nsuccessful.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "043b4d40f53131c5f72eca2a46555fe35328a930",
      "tree": "02a40eeb688f7ed9730e26a22f39ad7e04378de2",
      "parents": [
        "292823814261e085cdcef06b6b691e6c2563fbd4",
        "722154e4cacf015161efe60009ae9be23d492296"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu May 06 22:21:04 2010 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu May 06 22:21:04 2010 +1000"
      },
      "message": "Merge branch \u0027master\u0027 into next\n\nConflicts:\n\tsecurity/keys/keyring.c\n\nResolved conflict with whitespace fix in find_keyring_by_name()\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "2b9e4688fad8867b6e918610f396af3ab9246898",
      "tree": "c0146493e6ea4dff7b51259de1d7e83729a26c94",
      "parents": [
        "553d603c8fce8cf727eb26e4bf6b9549cd4623f1"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri Apr 30 14:32:34 2010 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu May 06 10:56:55 2010 +1000"
      },
      "message": "KEYS: Better handling of errors from construct_alloc_key()\n\nErrors from construct_alloc_key() shouldn\u0027t just be ignored in the way they are\nby construct_key_and_link().  The only error that can be ignored so is\nEINPROGRESS as that is used to indicate that we\u0027ve found a key and don\u0027t need\nto construct one.\n\nWe don\u0027t, however, handle ENOMEM, EDQUOT or EACCES to indicate allocation\nfailures of one sort or another.\n\nReported-by: Vegard Nossum \u003cvegard.nossum@gmail.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "553d603c8fce8cf727eb26e4bf6b9549cd4623f1",
      "tree": "137d9976ac663371d5f4f9ccf59ef4fb1ea9bc88",
      "parents": [
        "0ffbe2699cda6afbe08501098dff8a8c2fe6ae09"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri Apr 30 14:32:28 2010 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu May 06 10:56:52 2010 +1000"
      },
      "message": "KEYS: keyring_serialise_link_sem is only needed for keyring-\u003ekeyring links\n\nkeyring_serialise_link_sem is only needed for keyring-\u003ekeyring links as it\u0027s\nused to prevent cycle detection from being avoided by parallel keyring\nadditions.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "0ffbe2699cda6afbe08501098dff8a8c2fe6ae09",
      "tree": "81b1a2305d16c873371b65c5a863c0268036cefe",
      "parents": [
        "4e5d6f7ec3833c0da9cf34fa5c53c6058c5908b6",
        "7ebd467551ed6ae200d7835a84bbda0dcadaa511"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu May 06 10:56:07 2010 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu May 06 10:56:07 2010 +1000"
      },
      "message": "Merge branch \u0027master\u0027 into next\n"
    },
    {
      "commit": "896903c2f5f79f029388f033a00c3b813bc91201",
      "tree": "f679108ab3c9cda3f5e1f6240afccc6ee3984406",
      "parents": [
        "f0641cba7729e5e14f82d2eedc398103f5fa31b1"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri Apr 30 14:32:23 2010 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed May 05 23:50:24 2010 +1000"
      },
      "message": "KEYS: call_sbin_request_key() must write lock keyrings before modifying them\n\ncall_sbin_request_key() creates a keyring and then attempts to insert a link to\nthe authorisation key into that keyring, but does so without holding a write\nlock on the keyring semaphore.\n\nIt will normally get away with this because it hasn\u0027t told anyone that the\nkeyring exists yet.  The new keyring, however, has had its serial number\npublished, which means it can be accessed directly by that handle.\n\nThis was found by a previous patch that adds RCU lockdep checks to the code\nthat reads the keyring payload pointer, which includes a check that the keyring\nsemaphore is actually locked.\n\nWithout this patch, the following command:\n\n\tkeyctl request2 user b a @s\n\nwill provoke the following lockdep warning is displayed in dmesg:\n\n\t\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\t[ INFO: suspicious rcu_dereference_check() usage. ]\n\t---------------------------------------------------\n\tsecurity/keys/keyring.c:727 invoked rcu_dereference_check() without protection!\n\n\tother info that might help us debug this:\n\n\trcu_scheduler_active \u003d 1, debug_locks \u003d 0\n\t2 locks held by keyctl/2076:\n\t #0:  (key_types_sem){.+.+.+}, at: [\u003cffffffff811a5b29\u003e] key_type_lookup+0x1c/0x71\n\t #1:  (keyring_serialise_link_sem){+.+.+.}, at: [\u003cffffffff811a6d1e\u003e] __key_link+0x4d/0x3c5\n\n\tstack backtrace:\n\tPid: 2076, comm: keyctl Not tainted 2.6.34-rc6-cachefs #54\n\tCall Trace:\n\t [\u003cffffffff81051fdc\u003e] lockdep_rcu_dereference+0xaa/0xb2\n\t [\u003cffffffff811a6d1e\u003e] ? 
__key_link+0x4d/0x3c5\n\t [\u003cffffffff811a6e6f\u003e] __key_link+0x19e/0x3c5\n\t [\u003cffffffff811a5952\u003e] ? __key_instantiate_and_link+0xb1/0xdc\n\t [\u003cffffffff811a59bf\u003e] ? key_instantiate_and_link+0x42/0x5f\n\t [\u003cffffffff811aa0dc\u003e] call_sbin_request_key+0xe7/0x33b\n\t [\u003cffffffff8139376a\u003e] ? mutex_unlock+0x9/0xb\n\t [\u003cffffffff811a5952\u003e] ? __key_instantiate_and_link+0xb1/0xdc\n\t [\u003cffffffff811a59bf\u003e] ? key_instantiate_and_link+0x42/0x5f\n\t [\u003cffffffff811aa6fa\u003e] ? request_key_auth_new+0x1c2/0x23c\n\t [\u003cffffffff810aaf15\u003e] ? cache_alloc_debugcheck_after+0x108/0x173\n\t [\u003cffffffff811a9d00\u003e] ? request_key_and_link+0x146/0x300\n\t [\u003cffffffff810ac568\u003e] ? kmem_cache_alloc+0xe1/0x118\n\t [\u003cffffffff811a9e45\u003e] request_key_and_link+0x28b/0x300\n\t [\u003cffffffff811a89ac\u003e] sys_request_key+0xf7/0x14a\n\t [\u003cffffffff81052c0b\u003e] ? trace_hardirqs_on_caller+0x10c/0x130\n\t [\u003cffffffff81394fb9\u003e] ? trace_hardirqs_on_thunk+0x3a/0x3f\n\t [\u003cffffffff81001eeb\u003e] system_call_fastpath+0x16/0x1b\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "f0641cba7729e5e14f82d2eedc398103f5fa31b1",
      "tree": "578cc4ea4686528eb587f3df7fbd908e1819fe66",
      "parents": [
        "cea7daa3589d6b550546a8c8963599f7c1a3ae5c"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri Apr 30 14:32:18 2010 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed May 05 23:50:12 2010 +1000"
      },
      "message": "KEYS: Use RCU dereference wrappers in keyring key type code\n\nThe keyring key type code should use RCU dereference wrappers, even when it\nholds the keyring\u0027s key semaphore.\n\nReported-by: Vegard Nossum \u003cvegard.nossum@gmail.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "cea7daa3589d6b550546a8c8963599f7c1a3ae5c",
      "tree": "6d3a0bd38756f03b85f50273c64c26f0b6027143",
      "parents": [
        "7ebd467551ed6ae200d7835a84bbda0dcadaa511"
      ],
      "author": {
        "name": "Toshiyuki Okajima",
        "email": "toshi.okajima@jp.fujitsu.com",
        "time": "Fri Apr 30 14:32:13 2010 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed May 05 23:49:10 2010 +1000"
      },
      "message": "KEYS: find_keyring_by_name() can gain access to a freed keyring\n\nfind_keyring_by_name() can gain access to a keyring that has had its reference\ncount reduced to zero, and is thus ready to be freed.  This then allows the\ndead keyring to be brought back into use whilst it is being destroyed.\n\nThe following timeline illustrates the process:\n\n|(cleaner)                           (user)\n|\n| free_user(user)                    sys_keyctl()\n|  |                                  |\n|  key_put(user-\u003esession_keyring)     keyctl_get_keyring_ID()\n|  ||\t//\u003d\u003e keyring-\u003eusage \u003d 0        |\n|  |schedule_work(\u0026key_cleanup_task)   lookup_user_key()\n|  ||                                   |\n|  kmem_cache_free(,user)               |\n|  .                                    |[KEY_SPEC_USER_KEYRING]\n|  .                                    install_user_keyrings()\n|  .                                    ||\n| key_cleanup() [\u003c\u003d worker_thread()]    ||\n|  |                                    ||\n|  [spin_lock(\u0026key_serial_lock)]        |[mutex_lock(\u0026key_user_keyr..mutex)]\n|  |                                    ||\n|  atomic_read() \u003d\u003d 0                   ||\n|  |{ rb_ease(\u0026key-\u003eserial_node,) }     ||\n|  |                                    ||\n|  [spin_unlock(\u0026key_serial_lock)]      |find_keyring_by_name()\n|  |                                    |||\n|  keyring_destroy(keyring)             ||[read_lock(\u0026keyring_name_lock)]\n|  ||                                   |||\n|  |[write_lock(\u0026keyring_name_lock)]    ||atomic_inc(\u0026keyring-\u003eusage)\n|  |.                                   ||| *** GET freeing keyring ***\n|  |.                                   
||[read_unlock(\u0026keyring_name_lock)]\n|  ||                                   ||\n|  |list_del()                          |[mutex_unlock(\u0026key_user_k..mutex)]\n|  ||                                   |\n|  |[write_unlock(\u0026keyring_name_lock)]  ** INVALID keyring is returned **\n|  |                                    .\n|  kmem_cache_free(,keyring)            .\n|                                       .\n|                                       atomic_dec(\u0026keyring-\u003eusage)\nv                                         *** DESTROYED ***\nTIME\n\nIf CONFIG_SLUB_DEBUG\u003dy then we may see the following message generated:\n\n\t\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\tBUG key_jar: Poison overwritten\n\t-----------------------------------------------------------------------------\n\n\tINFO: 0xffff880197a7e200-0xffff880197a7e200. 
First byte 0x6a instead of 0x6b\n\tINFO: Allocated in key_alloc+0x10b/0x35f age\u003d25 cpu\u003d1 pid\u003d5086\n\tINFO: Freed in key_cleanup+0xd0/0xd5 age\u003d12 cpu\u003d1 pid\u003d10\n\tINFO: Slab 0xffffea000592cb90 objects\u003d16 used\u003d2 fp\u003d0xffff880197a7e200 flags\u003d0x200000000000c3\n\tINFO: Object 0xffff880197a7e200 @offset\u003d512 fp\u003d0xffff880197a7e300\n\n\tBytes b4 0xffff880197a7e1f0:  5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ\n\t  Object 0xffff880197a7e200:  6a 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b jkkkkkkkkkkkkkkk\n\nAlternatively, we may see a system panic happen, such as:\n\n\tBUG: unable to handle kernel NULL pointer dereference at 0000000000000001\n\tIP: [\u003cffffffff810e61a3\u003e] kmem_cache_alloc+0x5b/0xe9\n\tPGD 6b2b4067 PUD 6a80d067 PMD 0\n\tOops: 0000 [#1] SMP\n\tlast sysfs file: /sys/kernel/kexec_crash_loaded\n\tCPU 1\n\t...\n\tPid: 31245, comm: su Not tainted 2.6.34-rc5-nofixed-nodebug #2 D2089/PRIMERGY\n\tRIP: 0010:[\u003cffffffff810e61a3\u003e]  [\u003cffffffff810e61a3\u003e] kmem_cache_alloc+0x5b/0xe9\n\tRSP: 0018:ffff88006af3bd98  EFLAGS: 00010002\n\tRAX: 0000000000000000 RBX: 0000000000000001 RCX: ffff88007d19900b\n\tRDX: 0000000100000000 RSI: 00000000000080d0 RDI: ffffffff81828430\n\tRBP: ffffffff81828430 R08: ffff88000a293750 R09: 0000000000000000\n\tR10: 0000000000000001 R11: 0000000000100000 R12: 00000000000080d0\n\tR13: 00000000000080d0 R14: 0000000000000296 R15: ffffffff810f20ce\n\tFS:  00007f97116bc700(0000) GS:ffff88000a280000(0000) knlGS:0000000000000000\n\tCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n\tCR2: 0000000000000001 CR3: 000000006a91c000 CR4: 00000000000006e0\n\tDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n\tDR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400\n\tProcess su (pid: 31245, threadinfo ffff88006af3a000, task ffff8800374414c0)\n\tStack:\n\t 0000000512e0958e 0000000000008000 ffff880037f8d180 0000000000000001\n\t 
0000000000000000 0000000000008001 ffff88007d199000 ffffffff810f20ce\n\t 0000000000008000 ffff88006af3be48 0000000000000024 ffffffff810face3\n\tCall Trace:\n\t [\u003cffffffff810f20ce\u003e] ? get_empty_filp+0x70/0x12f\n\t [\u003cffffffff810face3\u003e] ? do_filp_open+0x145/0x590\n\t [\u003cffffffff810ce208\u003e] ? tlb_finish_mmu+0x2a/0x33\n\t [\u003cffffffff810ce43c\u003e] ? unmap_region+0xd3/0xe2\n\t [\u003cffffffff810e4393\u003e] ? virt_to_head_page+0x9/0x2d\n\t [\u003cffffffff81103916\u003e] ? alloc_fd+0x69/0x10e\n\t [\u003cffffffff810ef4ed\u003e] ? do_sys_open+0x56/0xfc\n\t [\u003cffffffff81008a02\u003e] ? system_call_fastpath+0x16/0x1b\n\tCode: 0f 1f 44 00 00 49 89 c6 fa 66 0f 1f 44 00 00 65 4c 8b 04 25 60 e8 00 00 48 8b 45 00 49 01 c0 49 8b 18 48 85 db 74 0d 48 63 45 18 \u003c48\u003e 8b 04 03 49 89 00 eb 14 4c 89 f9 83 ca ff 44 89 e6 48 89 ef\n\tRIP  [\u003cffffffff810e61a3\u003e] kmem_cache_alloc+0x5b/0xe9\n\nThis problem is that find_keyring_by_name does not confirm that the keyring is\nvalid before accepting it.\n\nSkipping keyrings that have been reduced to a zero count seems the way to go.\nTo this end, use atomic_inc_not_zero() to increment the usage count and skip\nthe candidate keyring if that returns false.\n\nThe following script _may_ cause the bug to happen, but there\u0027s no guarantee\nas the window of opportunity is small:\n\n\t#!/bin/sh\n\tLOOP\u003d100000\n\tUSER\u003ddummy_user\n\t/bin/su -c \"exit;\" $USER || { /usr/sbin/adduser -m $USER; add\u003d1; }\n\tfor ((i\u003d0; i\u003cLOOP; i++))\n\tdo\n\t\t/bin/su -c \"echo \u0027$i\u0027 \u003e /dev/null\" $USER\n\tdone\n\t(( add \u003d\u003d 1 )) \u0026\u0026 /usr/sbin/userdel -r $USER\n\texit\n\nNote that the nominated user must not be in use.\n\nAn alternative way of testing this may be:\n\n\tfor ((i\u003d0; i\u003c100000; i++))\n\tdo\n\t\tkeyctl session foo /bin/true || break\n\tdone \u003e\u0026/dev/null\n\nas that uses a keyring named \"foo\" rather than relying on the user 
and\nuser-session named keyrings.\n\nReported-by: Toshiyuki Okajima \u003ctoshi.okajima@jp.fujitsu.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nTested-by: Toshiyuki Okajima \u003ctoshi.okajima@jp.fujitsu.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "cf8304e8f380903de3a15dc6ebd551c9e6cf1a21",
      "tree": "fe94f3ebb044b5026b1062631b2d89e77c8b674e",
      "parents": [
        "d9a9b4aeea334e7912ce3d878d7f5cc6fdf1ffe4"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Tue May 04 14:16:10 2010 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed May 05 11:39:23 2010 +1000"
      },
      "message": "KEYS: Fix RCU handling in key_gc_keyring()\n\nkey_gc_keyring() needs to either hold the RCU read lock or hold the keyring\nsemaphore if it\u0027s going to scan the keyring\u0027s list.  Given that it only needs\nto read the key list, and it\u0027s doing so under a spinlock, the RCU read lock is\nthe thing to use.\n\nFurthermore, the RCU check added in e7b0a61b7929632d36cf052d9e2820ef0a9c1bfe is\nincorrect as holding the spinlock on key_serial_lock is not grounds for\nassuming a keyring\u0027s pointer list can be read safely.  Instead, a simple\nrcu_dereference() inside of the previously mentioned RCU read lock is what we\nwant.\n\nReported-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: \"Paul E. McKenney\" \u003cpaulmck@linux.vnet.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "d9a9b4aeea334e7912ce3d878d7f5cc6fdf1ffe4",
      "tree": "cf822ea9020aec6bd54d986231097983680c8ede",
      "parents": [
        "a66f6375bdeb64d7a56c532bda7c006358845820"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri Apr 30 14:32:08 2010 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed May 05 11:38:52 2010 +1000"
      },
      "message": "KEYS: Fix an RCU warning in the reading of user keys\n\nFix an RCU warning in the reading of user keys:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n[ INFO: suspicious rcu_dereference_check() usage. ]\n---------------------------------------------------\nsecurity/keys/user_defined.c:202 invoked rcu_dereference_check() without protection!\n\nother info that might help us debug this:\n\nrcu_scheduler_active \u003d 1, debug_locks \u003d 0\n1 lock held by keyctl/3637:\n #0:  (\u0026key-\u003esem){+++++.}, at: [\u003cffffffff811a80ae\u003e] keyctl_read_key+0x9c/0xcf\n\nstack backtrace:\nPid: 3637, comm: keyctl Not tainted 2.6.34-rc5-cachefs #18\nCall Trace:\n [\u003cffffffff81051f6c\u003e] lockdep_rcu_dereference+0xaa/0xb2\n [\u003cffffffff811aa55f\u003e] user_read+0x47/0x91\n [\u003cffffffff811a80be\u003e] keyctl_read_key+0xac/0xcf\n [\u003cffffffff811a8a06\u003e] sys_keyctl+0x75/0xb7\n [\u003cffffffff81001eeb\u003e] system_call_fastpath+0x16/0x1b\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "1600f9def09de07c5dbeb539e978fa73880690dd",
      "tree": "a8fa5c0891c68740543425d139414fec3d38b26e",
      "parents": [
        "11e39d993dc693e0bfc5521d367b2494cb3bcd38",
        "b59ec78cdcc57e02bc3dddfa7134a2f0fd15c34d"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Apr 27 16:26:46 2010 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Apr 27 16:26:46 2010 -0700"
      },
      "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:\n  keys: don\u0027t need to use RCU in keyring_read() as semaphore is held\n"
    },
    {
      "commit": "03449cd9eaa4fa3a7faa4a59474bafe2e90bd143",
      "tree": "f0f8b573553e0ac436b06b3f7853033a46b90a8e",
      "parents": [
        "a2cb9aeb3c9b2475955cec328487484034f414e4"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Tue Apr 27 13:13:08 2010 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Apr 27 16:26:03 2010 -0700"
      },
      "message": "keys: the request_key() syscall should link an existing key to the dest keyring\n\nThe request_key() system call and request_key_and_link() should make a\nlink from an existing key to the destination keyring (if supplied), not\njust from a new key to the destination keyring.\n\nThis can be tested by:\n\n\tring\u003d`keyctl newring fred @s`\n\tkeyctl request2 user debug:a a\n\tkeyctl request user debug:a $ring\n\tkeyctl list $ring\n\nIf it says:\n\n\tkeyring is empty\n\nthen it didn\u0027t work.  If it shows something like:\n\n\t1 key in keyring:\n\t1070462727: --alswrv     0     0 user: debug:a\n\nthen it did.\n\nrequest_key() system call is meant to recursively search all your keyrings for\nthe key you desire, and, optionally, if it doesn\u0027t exist, call out to userspace\nto create one for you.\n\nIf request_key() finds or creates a key, it should, optionally, create a link\nto that key from the destination keyring specified.\n\nTherefore, if, after a successful call to request_key() with a desination\nkeyring specified, you see the destination keyring empty, the code didn\u0027t work\ncorrectly.\n\nIf you see the found key in the keyring, then it did - which is what the patch\nis required for.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: \u003cstable@kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "b59ec78cdcc57e02bc3dddfa7134a2f0fd15c34d",
      "tree": "60ba3c907d4d83873bce5eb645ae8bd9415399b8",
      "parents": [
        "b91ce4d14a21fc04d165be30319541e0f9204f15"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Tue Apr 27 14:05:11 2010 -0700"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Apr 28 08:37:15 2010 +1000"
      },
      "message": "keys: don\u0027t need to use RCU in keyring_read() as semaphore is held\n\nkeyring_read() doesn\u0027t need to use rcu_dereference() to access the keyring\npayload as the caller holds the key semaphore to prevent modifications\nfrom happening whilst the data is read out.\n\nThis should solve the following warning:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n[ INFO: suspicious rcu_dereference_check() usage. ]\n---------------------------------------------------\nsecurity/keys/keyring.c:204 invoked rcu_dereference_check() without protection!\n\nother info that might help us debug this:\n\nrcu_scheduler_active \u003d 1, debug_locks \u003d 0\n1 lock held by keyctl/2144:\n #0:  (\u0026key-\u003esem){+++++.}, at: [\u003cffffffff81177f7c\u003e] keyctl_read_key+0x9c/0xcf\n\nstack backtrace:\nPid: 2144, comm: keyctl Not tainted 2.6.34-rc2-cachefs #113\nCall Trace:\n [\u003cffffffff8105121f\u003e] lockdep_rcu_dereference+0xaa/0xb2\n [\u003cffffffff811762d5\u003e] keyring_read+0x4d/0xe7\n [\u003cffffffff81177f8c\u003e] keyctl_read_key+0xac/0xcf\n [\u003cffffffff811788d4\u003e] sys_keyctl+0x75/0xb9\n [\u003cffffffff81001eeb\u003e] system_call_fastpath+0x16/0x1b\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "93b4a44f3ad69520d605aace3f3486b8eb754b96",
      "tree": "8eb946db950ccc6aee1d00b226739f44141dd310",
      "parents": [
        "ccdb40048b2972f10bdc944913c0e0ee26b5d1f2"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri Apr 23 13:18:00 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Sat Apr 24 11:31:25 2010 -0700"
      },
      "message": "keys: fix an RCU warning\n\nFix the following RCU warning:\n\n  \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n  [ INFO: suspicious rcu_dereference_check() usage. ]\n  ---------------------------------------------------\n  security/keys/request_key.c:116 invoked rcu_dereference_check() without protection!\n\nThis was caused by doing:\n\n\t[root@andromeda ~]# keyctl newring fred @s\n\t539196288\n\t[root@andromeda ~]# keyctl request2 user a a 539196288\n\trequest_key: Required key not available\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Eric Dumazet \u003ceric.dumazet@gmail.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "c5b60b5e67af8be4c58d3ffcc36894f69c4fbdc1",
      "tree": "5ca471fad635ee8d91a24c7b5448dbcad3de74ef",
      "parents": [
        "822cceec7248013821d655545ea45d1c6a9d15b3"
      ],
      "author": {
        "name": "Justin P. Mattock",
        "email": "justinmattock@gmail.com",
        "time": "Wed Apr 21 00:02:11 2010 -0700"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Apr 23 10:10:23 2010 +1000"
      },
      "message": "security: whitespace coding style fixes\n\nWhitespace coding style fixes.\n\nSigned-off-by: Justin P. Mattock \u003cjustinmattock@gmail.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "3011a344cdcda34cdbcb40c3fb3d1a6e89954abb",
      "tree": "43db9abc5f96cd8ec31a4a24f0d52dae76680a1c",
      "parents": [
        "6307f8fee295b364716d28686df6e69c2fee751a"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Wed Apr 07 15:15:19 2010 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Apr 12 12:19:18 2010 +1000"
      },
      "message": "security: remove dead hook key_session_to_parent\n\nUnused hook.  Remove.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "5a0e3ad6af8660be21ca98a971cd00f331318c05",
      "tree": "5bfb7be11a03176a87296a43ac6647975c00a1d1",
      "parents": [
        "ed391f4ebf8f701d3566423ce8f17e614cde9806"
      ],
      "author": {
        "name": "Tejun Heo",
        "email": "tj@kernel.org",
        "time": "Wed Mar 24 17:04:11 2010 +0900"
      },
      "committer": {
        "name": "Tejun Heo",
        "email": "tj@kernel.org",
        "time": "Tue Mar 30 22:02:32 2010 +0900"
      },
      "message": "include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h\n\npercpu.h is included by sched.h and module.h and thus ends up being\nincluded when building most .c files.  percpu.h includes slab.h which\nin turn includes gfp.h making everything defined by the two files\nuniversally available and complicating inclusion dependencies.\n\npercpu.h -\u003e slab.h dependency is about to be removed.  Prepare for\nthis change by updating users of gfp and slab facilities to include those\nheaders directly instead of assuming availability.  As this conversion\nneeds to touch large number of source files, the following script is\nused as the basis of conversion.\n\n  http://userweb.kernel.org/~tj/misc/slabh-sweep.py\n\nThe script does the following.\n\n* Scan files for gfp and slab usages and update includes such that\n  only the necessary includes are there.  ie. if only gfp is used,\n  gfp.h, if slab is used, slab.h.\n\n* When the script inserts a new include, it looks at the include\n  blocks and tries to put the new include such that its order conforms\n  to its surrounding.  It\u0027s put in the include block which contains\n  core kernel includes, in the same order that the rest are ordered -\n  alphabetical, Christmas tree, rev-Xmas-tree or at the end if there\n  doesn\u0027t seem to be any matching order.\n\n* If the script can\u0027t find a place to put a new include (mostly\n  because the file doesn\u0027t have fitting include block), it prints out\n  an error message indicating which .h file needs to be added to the\n  file.\n\nThe conversion was done in the following steps.\n\n1. The initial automatic conversion of all .c files updated slightly\n   over 4000 files, deleting around 700 includes and adding ~480 gfp.h\n   and ~3000 slab.h inclusions.  The script emitted errors for ~400\n   files.\n\n2. Each error was manually checked.  Some didn\u0027t need the inclusion,\n   some needed manual addition while adding it to implementation .h or\n   embedding .c file was more appropriate for others.  This step added\n   inclusions to around 150 files.\n\n3. The script was run again and the output was compared to the edits\n   from #2 to make sure no file was left behind.\n\n4. Several build tests were done and a couple of problems were fixed.\n   e.g. lib/decompress_*.c used malloc/free() wrappers around slab\n   APIs requiring slab.h to be added manually.\n\n5. The script was run on all .h files but without automatically\n   editing them as sprinkling gfp.h and slab.h inclusions around .h\n   files could easily lead to inclusion dependency hell.  Most gfp.h\n   inclusion directives were ignored as stuff from gfp.h was usually\n   wildly available and often used in preprocessor macros.  Each\n   slab.h inclusion directive was examined and added manually as\n   necessary.\n\n6. percpu.h was updated not to include slab.h.\n\n7. Build tests were done on the following configurations and failures\n   were fixed.  CONFIG_GCOV_KERNEL was turned off for all tests (as my\n   distributed build env didn\u0027t work with gcov compiles) and a few\n   more options had to be turned off depending on archs to make things\n   build (like ipr on powerpc/64 which failed due to missing writeq).\n\n   * x86 and x86_64 UP and SMP allmodconfig and a custom test config.\n   * powerpc and powerpc64 SMP allmodconfig\n   * sparc and sparc64 SMP allmodconfig\n   * ia64 SMP allmodconfig\n   * s390 SMP allmodconfig\n   * alpha SMP allmodconfig\n   * um on x86_64 SMP allmodconfig\n\n8. percpu.h modifications were reverted so that it could be applied as\n   a separate patch and serve as bisection point.\n\nGiven the fact that I had only a couple of failures from tests on step\n6, I\u0027m fairly confident about the coverage of this conversion patch.\nIf there is a breakage, it\u0027s likely to be something in one of the arch\nheaders which should be easily discoverable on most builds of\nthe specific arch.\n\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\nGuess-its-ok-by: Christoph Lameter \u003ccl@linux-foundation.org\u003e\nCc: Ingo Molnar \u003cmingo@redhat.com\u003e\nCc: Lee Schermerhorn \u003cLee.Schermerhorn@hp.com\u003e\n"
    },
    {
      "commit": "512ea3bc30c0e052a961e1abce8e783f3e28c92a",
      "tree": "2e50e5bd7d257ec010d9c9d1af87bd61fccead6c",
      "parents": [
        "c43a7523470dc2d9947fa114a0b54317975d4c04"
      ],
      "author": {
        "name": "Chihau Chau",
        "email": "chihau@gmail.com",
        "time": "Mon Mar 08 20:11:34 2010 -0300"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Mar 10 08:46:15 2010 +1100"
      },
      "message": "Security: key: keyring: fix some code style issues\n\nThis fixes to include \u003clinux/uaccess.h\u003e instead of \u003casm/uaccess.h\u003e and some\ncode style issues like to put an else sentence below close brace \u0027}\u0027 and\nto replace a tab instead of some space characters.\n\nSigned-off-by: Chihau Chau \u003cchihau@gmail.com\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "c8563473c1259f5686ceb918c548c80132089f79",
      "tree": "45bd8a0cf2fcdbe388acdd2526897bbc59007436",
      "parents": [
        "06b9b72df43800b9ae4e77202c8bf5848c9d6998"
      ],
      "author": {
        "name": "wzt.wzt@gmail.com",
        "email": "wzt.wzt@gmail.com",
        "time": "Thu Mar 04 21:26:23 2010 +0800"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Mar 05 09:49:02 2010 +1100"
      },
      "message": "Security: Fix some coding styles in security/keys/keyring.c\n\nFix some coding styles in security/keys/keyring.c\n\nSigned-off-by: Zhitong Wang \u003czhitong.wangzt@alibaba-inc.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "e7b0a61b7929632d36cf052d9e2820ef0a9c1bfe",
      "tree": "69dbe6f03abc5a9ef0dea3a2c28921cebcc59a08",
      "parents": [
        "96be753af91fc9d582450a84722f6a6721d218ad"
      ],
      "author": {
        "name": "Paul E. McKenney",
        "email": "paulmck@linux.vnet.ibm.com",
        "time": "Mon Feb 22 17:04:56 2010 -0800"
      },
      "committer": {
        "name": "Ingo Molnar",
        "email": "mingo@elte.hu",
        "time": "Thu Feb 25 10:34:52 2010 +0100"
      },
      "message": "security: Apply lockdep-based checking to rcu_dereference() uses\n\nApply lockdep-ified RCU primitives to key_gc_keyring() and\nkeyring_destroy().\n\nCc: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Paul E. McKenney \u003cpaulmck@linux.vnet.ibm.com\u003e\nCc: laijs@cn.fujitsu.com\nCc: dipankar@in.ibm.com\nCc: mathieu.desnoyers@polymtl.ca\nCc: josh@joshtriplett.org\nCc: dvhltc@us.ibm.com\nCc: niv@us.ibm.com\nCc: peterz@infradead.org\nCc: rostedt@goodmis.org\nCc: Valdis.Kletnieks@vt.edu\nCc: dhowells@redhat.com\nLKML-Reference: \u003c1266887105-1528-12-git-send-email-paulmck@linux.vnet.ibm.com\u003e\nSigned-off-by: Ingo Molnar \u003cmingo@elte.hu\u003e\n"
    },
    {
      "commit": "a00ae4d21b2fa9379914f270ffffd8d3bec55430",
      "tree": "81950b31b2bbd816e5ad119acba46d859de9aceb",
      "parents": [
        "6e1415467614e854fee660ff6648bd10fa976e95"
      ],
      "author": {
        "name": "Geert Uytterhoeven",
        "email": "geert@linux-m68k.org",
        "time": "Sun Dec 13 20:21:34 2009 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Dec 17 09:27:59 2009 +1100"
      },
      "message": "Keys: KEYCTL_SESSION_TO_PARENT needs TIF_NOTIFY_RESUME architecture support\n\nAs of commit ee18d64c1f632043a02e6f5ba5e045bb26a5465f (\"KEYS: Add a keyctl to\ninstall a process\u0027s session keyring on its parent [try #6]\"), CONFIG_KEYS\u003dy\nfails to build on architectures that haven\u0027t implemented TIF_NOTIFY_RESUME yet:\n\nsecurity/keys/keyctl.c: In function \u0027keyctl_session_to_parent\u0027:\nsecurity/keys/keyctl.c:1312: error: \u0027TIF_NOTIFY_RESUME\u0027 undeclared (first use in this function)\nsecurity/keys/keyctl.c:1312: error: (Each undeclared identifier is reported only once\nsecurity/keys/keyctl.c:1312: error: for each function it appears in.)\n\nMake KEYCTL_SESSION_TO_PARENT depend on TIF_NOTIFY_RESUME until\nm68k, and xtensa have implemented it.\n\nSigned-off-by: Geert Uytterhoeven \u003cgeert@linux-m68k.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Mike Frysinger \u003cvapier@gentoo.org\u003e\n"
    },
    {
      "commit": "fa1cc7b5a5c4171dfdcac855428295340ccf87ec",
      "tree": "eccd00dd480c980a45159e3964038cee255ff9f8",
      "parents": [
        "d4220f987cf473c65a342ca69e3eb13dea919a49"
      ],
      "author": {
        "name": "Roel Kluin",
        "email": "roel.kluin@gmail.com",
        "time": "Tue Dec 15 15:05:12 2009 -0800"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Dec 17 09:23:48 2009 +1100"
      },
      "message": "keys: PTR_ERR return of wrong pointer in keyctl_get_security()\n\nReturn the PTR_ERR of the correct pointer.\n\nSigned-off-by: Roel Kluin \u003croel.kluin@gmail.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "6d4561110a3e9fa742aeec6717248a491dfb1878",
      "tree": "689e2abf19940416ce597ba56ed31026ff59bd21",
      "parents": [
        "86926d0096279b9739ceeff40f68d3c33b9119a9"
      ],
      "author": {
        "name": "Eric W. Biederman",
        "email": "ebiederm@xmission.com",
        "time": "Mon Nov 16 03:11:48 2009 -0800"
      },
      "committer": {
        "name": "Eric W. Biederman",
        "email": "ebiederm@xmission.com",
        "time": "Wed Nov 18 08:37:40 2009 -0800"
      },
      "message": "sysctl: Drop \u0026 in front of every proc_handler.\n\nFor consistency drop \u0026 in front of every proc_handler.  Explicitly\ntaking the address is unnecessary and it prevents optimizations\nlike stubbing the proc_handlers to NULL.\n\nCc: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nCc: Ingo Molnar \u003cmingo@elte.hu\u003e\nCc: Joe Perches \u003cjoe@perches.com\u003e\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\n"
    },
    {
      "commit": "5cdb35557d022f8dc51b532b5cd1a8e9ed7bcdb7",
      "tree": "f2d947dd3d0302b23ef7dc515f0ff4841e5a5b87",
      "parents": [
        "56992309ccbe71f4321ddd50ee2f76f91b412c1a"
      ],
      "author": {
        "name": "Eric W. Biederman",
        "email": "ebiederm@xmission.com",
        "time": "Fri Apr 03 05:08:03 2009 -0700"
      },
      "committer": {
        "name": "Eric W. Biederman",
        "email": "ebiederm@xmission.com",
        "time": "Thu Nov 12 02:04:56 2009 -0800"
      },
      "message": "sysctl security/keys: Remove dead binary sysctl support\n\nNow that sys_sysctl is a generic wrapper around /proc/sys  .ctl_name\nand .strategy members of sysctl tables are dead code.  Remove them.\n\nCc: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\n"
    },
    {
      "commit": "21279cfa107af07ef985539ac0de2152b9cba5f5",
      "tree": "a31f1447e0246316c00b26fb599c1595301bb4b5",
      "parents": [
        "37a08b13eba6ce3b42df30b2a5ca3a9845f429ec"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Thu Oct 15 10:14:35 2009 +0100"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Thu Oct 15 15:19:58 2009 -0700"
      },
      "message": "KEYS: get_instantiation_keyring() should inc the keyring refcount in all cases\n\nThe destination keyring specified to request_key() and co. is made available to\nthe process that instantiates the key (the slave process started by\n/sbin/request-key typically).  This is passed in the request_key_auth struct as\nthe dest_keyring member.\n\nkeyctl_instantiate_key and keyctl_negate_key() call get_instantiation_keyring()\nto get the keyring to attach the newly constructed key to at the end of\ninstantiation.  This may be given a specific keyring into which a link will be\nmade later, or it may be asked to find the keyring passed to request_key().  In\nthe former case, it returns a keyring with the refcount incremented by\nlookup_user_key(); in the latter case, it returns the keyring from the\nrequest_key_auth struct - and does _not_ increment the refcount.\n\nThe latter case will eventually result in an oops when the keyring prematurely\nruns out of references and gets destroyed.  The effect may take some time to\nshow up as the key is destroyed lazily.\n\nTo fix this, the keyring returned by get_instantiation_keyring() must always\nhave its refcount incremented, no matter where it comes from.\n\nThis can be tested by setting /etc/request-key.conf to:\n\n#OP\tTYPE\tDESCRIPTION\tCALLOUT INFO\tPROGRAM ARG1 ARG2 ARG3 ...\n#\u003d\u003d\u003d\u003d\u003d\u003d\t\u003d\u003d\u003d\u003d\u003d\u003d\u003d\t\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\t\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\t\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\ncreate  *\ttest:*\t\t*\t\t|/bin/false %u %g %d %{user:_display}\nnegate\t*\t*\t\t*\t\t/bin/keyctl negate %k 10 @u\n\nand then doing:\n\n\tkeyctl add user _display aaaaaaaa @u\n        while keyctl request2 user test:x test:x @u \u0026\u0026\n        keyctl list @u;\n        do\n                keyctl request2 user test:x test:x @u;\n                sleep 31;\n                keyctl list @u;\n        done\n\nwhich will oops eventually.  Changing the negate line to have @u rather than\n%S at the end is important as that forces the latter case by passing a special\nkeyring ID rather than an actual keyring ID.\n\nReported-by: Alexander Zangerl \u003caz@bond.edu.au\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nTested-by: Alexander Zangerl \u003caz@bond.edu.au\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "606531c316d30e9639473a6da09ee917125ab467",
      "tree": "b83f3d8d82597401bdee6a451facaa5c2de006d1",
      "parents": [
        "0afd9056f1b43c9fcbfdf933b263d72023d382fe"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Wed Sep 16 15:54:14 2009 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Sep 23 11:03:47 2009 -0700"
      },
      "message": "KEYS: Have the garbage collector set its timer for live expired keys\n\nThe key garbage collector sets a timer to start a new collection cycle at the\npoint the earliest key to expire should be considered garbage.  However, it\ncurrently only does this if the key it is considering hasn\u0027t yet expired.\n\nIf the key being considered has expired, but hasn\u0027t yet reached the collection\ntime then it is ignored, and won\u0027t be collected until some other key provokes a\nround of collection.\n\nMake the garbage collector set the timer for the earliest key that hasn\u0027t yet\npassed its collection time, rather than the earliest key that hasn\u0027t yet\nexpired.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "c08ef808ef24df32e25fbd949fe5310172f3c408",
      "tree": "12bae6fd48e1cdcc1b792c221376c727d9472cc6",
      "parents": [
        "5c84342a3e147a23752276650340801c237d0e56"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Mon Sep 14 17:26:13 2009 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Sep 15 09:11:02 2009 +1000"
      },
      "message": "KEYS: Fix garbage collector\n\nFix a number of problems with the new key garbage collector:\n\n (1) A rogue semicolon in keyring_gc() was causing the initial count of dead\n     keys to be miscalculated.\n\n (2) A missing return in keyring_gc() meant that under certain circumstances,\n     the keyring semaphore would be unlocked twice.\n\n (3) The key serial tree iterator (key_garbage_collector()) part of the garbage\n     collector has been modified to:\n\n     (a) Complete each scan of the keyrings before setting the new timer.\n\n     (b) Only set the new timer for keys that have yet to expire.  This means\n         that the new timer is now calculated correctly, and the gc doesn\u0027t\n         get into a loop continually scanning for keys that have expired, and\n         preventing other things from happening, like RCU cleaning up the old\n         keyring contents.\n\n     (c) Perform an extra scan if any keys were garbage collected in this one\n     \t as a key might become garbage during a scan, and (b) could mean we\n     \t don\u0027t set the timer again.\n\n (4) Made key_schedule_gc() take the time at which to do a collection run,\n     rather than the time at which the key expires.  This means the collection\n     of dead keys (key type unregistered) can happen immediately.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    }
  ],
  "next": "5c84342a3e147a23752276650340801c237d0e56"
}
