27 Jun, 2006

40 commits

  • This patch removes the devfs code from the fs/partitions/ directory.

    Signed-off-by: Greg Kroah-Hartman

    Greg Kroah-Hartman
     
  • This is the first patch in a series of patches that removes devfs
    support from the kernel. This patch removes the core devfs code, and
    its private header file.

    Signed-off-by: Greg Kroah-Hartman

    Greg Kroah-Hartman
     
  • * x86-64: (83 commits)
    [PATCH] x86_64: x86_64 stack usage debugging
    [PATCH] x86_64: (resend) x86_64 stack overflow debugging
    [PATCH] x86_64: msi_apic.c build fix
    [PATCH] x86_64: i386/x86-64 Add nmi watchdog support for new Intel CPUs
    [PATCH] x86_64: Avoid broadcasting NMI IPIs
    [PATCH] x86_64: fix apic error on bootup
    [PATCH] x86_64: enlarge window for stack growth
    [PATCH] x86_64: Minor string functions optimizations
    [PATCH] x86_64: Move export symbols to their C functions
    [PATCH] x86_64: Standardize i386/x86_64 handling of NMI_VECTOR
    [PATCH] x86_64: Fix modular pc speaker
    [PATCH] x86_64: remove sys32_ni_syscall()
    [PATCH] x86_64: Do not use -ffunction-sections for modules
    [PATCH] x86_64: Add cpu_relax to apic_wait_icr_idle
    [PATCH] x86_64: adjust kstack_depth_to_print default
    [PATCH] i386/x86-64: adjust /proc/interrupts column headings
    [PATCH] x86_64: Fix race in cpu_local_* on preemptible kernels
    [PATCH] x86_64: Fix fast check in safe_smp_processor_id
    [PATCH] x86_64: x86_64 setup.c - printing cmp related boottime information
    [PATCH] i386/x86-64/ia64: Move polling flag into thread_info_status
    ...

    Manual resolve of trivial conflict in arch/i386/kernel/Makefile

    Linus Torvalds
     
  • Sometimes e.g. with crashme the compat layer warnings can be noisy.
    Add a way to turn them off by gating all output through compat_printk
    that checks a global sysctl. The default is not changed.

    Signed-off-by: Andi Kleen
    Signed-off-by: Linus Torvalds

    Andi Kleen
     
  • * master.kernel.org:/pub/scm/linux/kernel/git/davem/sparc-2.6:
    [SPARC]: Add iomap interfaces.
    [OPENPROM]: Rewrite driver to use in-kernel device tree.
    [OPENPROMFS]: Rewrite using in-kernel device tree and seq_file.
    [SPARC]: Add unique device_node IDs and a ".node" property.
    [SPARC]: Add of_set_property() interface.
    [SPARC64]: Export auxio_register to modules.
    [SPARC64]: Add missing interfaces to dma-mapping.h
    [SPARC64]: Export _PAGE_IE to modules.
    [SPARC64]: Allow floppy driver to build modular.
    [SPARC]: Export x_bus_type to modules.
    [RIOWATCHDOG]: Fix the build.
    [CPWATCHDOG]: Fix the build.
    [PARPORT] sunbpp: Fix typo.
    [MTD] sun_uflash: Port to new EBUS device layer.

    Linus Torvalds
     
  • This patch optimizes zap_threads() for the case when there are no ->mm
    users except the current's thread group. In that case we can avoid
    'for_each_process()' loop.

    It also adds a useful invariant: SIGNAL_GROUP_EXIT (if checked under
    ->siglock) always implies that all threads (except may be current) have
    pending SIGKILL.

    Signed-off-by: Oleg Nesterov
    Cc: Roland McGrath
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Oleg Nesterov
     
  • This is a preparation for the next patch. No functional changes.
    Basically, this patch moves '->flags & SIGNAL_GROUP_EXIT' check into
    zap_threads(), and 'complete(vfork_done)' into coredump_wait outside of
    ->mmap_sem protected area.

    Signed-off-by: Oleg Nesterov
    Cc: Roland McGrath
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Oleg Nesterov
     
  • This patch removes tasklist_lock from zap_threads().
    This is safe wrt:

    do_exit:
    The caller holds mm->mmap_sem. This means that task which
    shares the same ->mm can't pass exit_mm(), so it can't be
    unhashed from init_task.tasks or ->thread_group lists.

    fork:
    None of sub-threads can fork after zap_process(leader). All
    processes which were created before this point should be
    visible to zap_threads() because copy_process() adds the new
    process to the tail of init_task.tasks list, and ->siglock
    lock/unlock provides a memory barrier.

    de_thread:
    It does list_replace_rcu(&leader->tasks, ¤t->tasks).
    So zap_threads() will see either old or new leader, it does
    not matter. However, it can change p->sighand, so we should
    use lock_task_sighand() in zap_process().

    Signed-off-by: Oleg Nesterov
    Cc: "Eric W. Biederman"
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Oleg Nesterov
     
  • With this patch zap_process() sets SIGNAL_GROUP_EXIT while sending SIGKILL to
    the thread group. This means that a TASK_TRACED task

    1. Will be awakened by signal_wake_up(1)

    2. Can't sleep again via ptrace_notify()

    3. Can't go to do_signal_stop() after return
    from ptrace_stop() in get_signal_to_deliver()

    So we can remove all ptrace related stuff from coredump path.

    Signed-off-by: Oleg Nesterov
    Cc: "Eric W. Biederman"
    Cc: Roland McGrath
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Oleg Nesterov
     
  • With this patch a thread group is killed atomically under ->siglock. This is
    faster because we can use sigaddset() instead of force_sig_info() and this is
    used in further patches.

    Signed-off-by: Oleg Nesterov
    Cc: "Eric W. Biederman"
    Acked-by: Roland McGrath
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Oleg Nesterov
     
  • zap_threads() iterates over all threads to find those ones which share
    current->mm. All threads in the thread group share the same ->mm, so we can
    skip entire thread group if it has another ->mm.

    This patch shifts the killing of thread group into the newly added
    zap_process() function. This looks as unnecessary complication, but it is
    used in further patches.

    Signed-off-by: Oleg Nesterov
    Cc: "Eric W. Biederman"
    Acked-by: Roland McGrath
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Oleg Nesterov
     
  • We should keep the value of old_leader->tasks.next in de_thread, otherwise
    we can't do for_each_process/do_each_thread without tasklist_lock held.

    Signed-off-by: Oleg Nesterov
    Cc: "Eric W. Biederman"
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Oleg Nesterov
     
  • Below is a patch to add a new /proc/self/attr/sockcreate A process may write a
    context into this interface and all subsequent sockets created will be labeled
    with that context. This is the same idea as the fscreate interface where a
    process can specify the label of a file about to be created. At this time one
    envisioned user of this will be xinetd. It will be able to better label
    sockets for the actual services. At this time all sockets take the label of
    the creating process, so all xinitd sockets would just be labeled the same.

    I tested this by creating a tcp sender and listener. The sender was able to
    write to this new proc file and then create sockets with the specified label.
    I am able to be sure the new label was used since the avc denial messages
    kicked out by the kernel included both the new security permission
    setsockcreate and all the socket denials were for the new label, not the label
    of the running process.

    Signed-off-by: Eric Paris
    Signed-off-by: James Morris
    Cc: Chris Wright
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Eric Paris
     
  • Try to make next_tid() a bit more readable and deletes unnecessary
    "pid_alive(pos)" check.

    Signed-off-by: Oleg Nesterov
    Cc: "Eric W. Biederman"
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Oleg Nesterov
     
  • first_tid:

    /* If nr exceeds the number of threads there is nothing todo */
    if (nr) {
    if (nr >= get_nr_threads(leader))
    goto done;
    }

    This is not reliable: sub-threads can exit after this check, so the
    'for' loop below can overlap and proc_task_readdir() can return an
    already filldir'ed dirents.

    for (; pos && pid_alive(pos); pos = next_thread(pos)) {
    if (--nr > 0)
    continue;

    Off-by-one error, will return 'leader' when nr == 1.

    This patch tries to fix these problems and simplify the code.

    Signed-off-by: Oleg Nesterov
    Cc: "Eric W. Biederman"
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Oleg Nesterov
     
  • This is just like my previous removal of tasklist_lock from first_tgid, and
    next_tgid. It simply had to wait until it was rcu safe to walk the thread
    list.

    This should be the last instance of the tasklist_lock in proc. So user
    processes should not be able to influence the tasklist lock hold times.

    Signed-off-by: Eric W. Biederman
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Eric W. Biederman
     
  • In process of getting proc_fd_access_allowed to work it has developed a few
    warts. In particular the special case that always allows introspection and
    the special case to allow inspection of kernel threads.

    The special case for introspection is needed for /proc/self/mem.

    The special case for kernel threads really should be overridable
    by security modules.

    So consolidate these checks into ptrace.c:may_attach().

    The check to always allow introspection is trivial.

    The check to allow access to kernel threads, and zombies is a little
    trickier. mem_read and mem_write already verify an mm exists so it isn't
    needed twice. proc_fd_access_allowed only doesn't want a check to verify
    task->mm exits, s it prevents all access to kernel threads. So just move
    the task->mm check into ptrace_attach where it is needed for practical
    reasons.

    I did a quick audit and none of the security modules in the kernel seem to
    care if they are passed a task without an mm into security_ptrace. So the
    above move should be safe and it allows security modules to come up with
    more restrictive policy.

    Signed-off-by: Eric W. Biederman
    Cc: Stephen Smalley
    Cc: Chris Wright
    Cc: James Morris
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Eric W. Biederman
     
  • Since 2.2 we have been doing a chroot check to see if it is appropriate to
    return a read or follow one of these magic symlinks. The chroot check was
    asking a question about the visibility of files to the calling process and
    it was actually checking the destination process, and not the files
    themselves. That test was clearly bogus.

    In my first pass through I simply fixed the test to check the visibility of
    the files themselves. That naive approach to fixing the permissions was
    too strict and resulted in cases where a task could not even see all of
    it's file descriptors.

    What has disturbed me about relaxing this check is that file descriptors
    are per-process private things, and they are occasionaly used a user space
    capability tokens. Looking a little farther into the symlink path on /proc
    I did find userid checks and a check for capability (CAP_DAC_OVERRIDE) so
    there were permissions checking this.

    But I was still concerned about privacy. Besides /proc there is only one
    other way to find out this kind of information, and that is ptrace. ptrace
    has been around for a long time and it has a well established security
    model.

    So after thinking about it I finally realized that the permission checks
    that make sense are the permission checks applied to ptrace_attach. The
    checks are simple per process, and won't cause nasty surprises for people
    coming from less capable unices.

    Unfortunately there is one case that the current ptrace_attach test does
    not cover: Zombies and kernel threads. Single stepping those kinds of
    processes is impossible. Being able to see which file descriptors are open
    on these tasks is important to lsof, fuser and friends. So for these
    special processes I made the rule you can't find out unless you have
    CAP_SYS_PTRACE.

    These proc permission checks should now conform to the principle of least
    surprise. As well as using much less code to implement :)

    Signed-off-by: Eric W. Biederman
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Eric W. Biederman
     
  • The code doesn't need to sleep to when making this check so I can just do the
    comparison and not worry about the reference counts.

    TODO: While looking at this I realized that my original cleanup did not push
    the permission check far enough down into the stack. The call of
    proc_check_dentry_visible needs to move out of the generic proc
    readlink/follow link code and into the individual get_link instances.
    Otherwise the shared resources checks are not quite correct (shared
    files_struct does not require a shared fs_struct), and there are races with
    unshare.

    Signed-off-by: Eric W. Biederman
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Eric W. Biederman
     
  • Incrementally update my proc-dont-lock-task_structs-indefinitely patches so
    that they work with struct pid instead of struct task_ref.

    Mostly this is a straight 1-1 substitution.

    Signed-off-by: Eric W. Biederman
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Eric W. Biederman
     
  • Every inode in /proc holds a reference to a struct task_struct. If a
    directory or file is opened and remains open after the the task exits this
    pinning continues. With 8K stacks on a 32bit machine the amount pinned per
    file descriptor is about 10K.

    Normally I would figure a reasonable per user process limit is about 100
    processes. With 80 processes, with a 1000 file descriptors each I can trigger
    the 00M killer on a 32bit kernel, because I have pinned about 800MB of useless
    data.

    This patch replaces the struct task_struct pointer with a pointer to a struct
    task_ref which has a struct task_struct pointer. The so the pinning of dead
    tasks does not happen.

    The code now has to contend with the fact that the task may now exit at any
    time. Which is a little but not muh more complicated.

    With this change it takes about 1000 processes each opening up 1000 file
    descriptors before I can trigger the OOM killer. Much better.

    [mlp@google.com: task_mmu small fixes]
    Signed-off-by: Eric W. Biederman
    Cc: Trond Myklebust
    Cc: Paul Jackson
    Cc: Oleg Nesterov
    Cc: Albert Cahalan
    Signed-off-by: Prasanna Meda
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Eric W. Biederman
     
  • Currently in /proc at several different places we define buffers to hold a
    process id, or a file descriptor . In most of them we use either a hard coded
    number or a different define. Modify them all to use PROC_NUMBUF, so the code
    has a chance of being maintained.

    Signed-off-by: Eric W. Biederman
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Eric W. Biederman
     
  • Like the bug Oleg spotted in first_tid there was also a small off by one
    error in first_tgid, when a seek was done on the /proc directory. This
    fixes that and changes the code structure to make it a little more obvious
    what is going on.

    Signed-off-by: Eric W. Biederman
    Cc: Oleg Nesterov
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Eric W. Biederman
     
  • Since we no longer need the tasklist_lock for get_task_struct the lookup
    methods no longer need the tasklist_lock.

    This just depends on my previous patch that makes get_task_struct() rcu
    safe.

    Signed-off-by: Eric W. Biederman
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Eric W. Biederman
     
  • We don't need the tasklist_lock to safely iterate through processes
    anymore.

    This depends on my previous to task patches that make get_task_struct rcu
    safe, and that make next_task() rcu safe. I haven't gotten
    first_tid/next_tid yet only because next_thread is missing an
    rcu_dereference.

    Signed-off-by: Eric W. Biederman
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Eric W. Biederman
     
  • There are a couple of problems this patch addresses.
    - /proc//task currently does not work correctly if you stop reading
    in the middle of a directory.

    - /proc/ currently requires a full pass through the task list with
    the tasklist lock held, to determine there are no more processes to read.

    - The hand rolled integer to string conversion does not properly running
    out of buffer space.

    - We seem to be batching reading of pids from the tasklist without reason,
    and complicating the logic of the code.

    This patch addresses that by changing how tasks are processed. A
    first_ function is built that handles restarts, and a
    next_ function is built that just advances to the next task.

    first_ when it detects a restart usually uses find_task_by_pid. If
    that doesn't work because there has been a seek on the directory, or we have
    already given a complete directory listing, it first checks the number tasks
    of that type, and only if we are under that count does it walk through all of
    the tasks to find the one we are interested in.

    The code that fills in the directory is simpler because there is only a single
    for loop.

    The hand rolled integer to string conversion is replaced by snprintf which
    should handle the the out of buffer case correctly.

    Signed-off-by: Eric W. Biederman
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Eric W. Biederman
     
  • proc_lookup and task exiting are not synchronized, although some of the
    previous code may have suggested that. Every time before we reuse a dentry
    namei.c calls d_op->derevalidate which prevents us from reusing a stale dcache
    entry. Unfortunately it does not prevent us from returning a stale dcache
    entry. This race has been explicitly plugged in proc_pid_lookup but there is
    nothing to confine it to just that proc lookup function.

    So to prevent the race I call revalidate explictily in all of the proc lookup
    functions after I call d_add, and report an error if the revalidate does not
    succeed.

    Years ago Al Viro did something similar but those changes got lost in the
    churn.

    Signed-off-by: Eric W. Biederman
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Eric W. Biederman
     
  • To keep the dcache from filling up with dead /proc entries we flush them on
    process exit. However over the years that code has gotten hairy with a
    dentry_pointer and a lock in task_struct and misdocumented as a correctness
    feature.

    I have rewritten this code to look and see if we have a corresponding entry in
    the dcache and if so flush it on process exit. This removes the extra fields
    in the task_struct and allows me to trivially handle the case of a
    /proc//task/ entry as well as the current /proc/ entries.

    Signed-off-by: Eric W. Biederman
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Eric W. Biederman
     
  • All of the functions for proc_maps_operations are already defined in
    task_mmu.c so move the operations structure to keep the functionality
    together.

    Since task_nommu.c implements a dummy version of /proc//maps give it a
    simplified version of proc_maps_operations that it can modify to best suit its
    needs.

    Signed-off-by: Eric W. Biederman
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Eric W. Biederman
     
  • Use getattr to get an accurate link count when needed. This is cheaper and
    more accurate than trying to derive it by walking the thread list of a
    process.

    Especially as it happens when needed stat instead of at readdir time.

    Signed-off-by: Eric W. Biederman
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Eric W. Biederman
     
  • Long ago and far away in 2.2 we started checking to ensure the files we
    displayed in /proc were visible to the current process. It was an
    unsophisticated time and no one was worried about functions full of FIXMES in
    a stable kernel. As time passed the function became sacred and was enshrined
    in the shrine of how things have always been. The fixes came in but only to
    keep the function working no one really remembering or documenting why we did
    things that way.

    The intent and the functionality make a lot of sense. Don't let /proc be an
    access point for files a process can see no other way. The implementation
    however is completely wrong.

    We are currently checking the root directories of the two processes, we are
    not checking the actual file descriptors themselves.

    We are strangely checking with a permission method instead of just when we use
    the data.

    This patch fixes the logic to actually check the file descriptors and make a
    note that implementing a permission method for this part of /proc almost
    certainly indicates a bug in the reasoning.

    Signed-off-by: Eric W. Biederman
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Eric W. Biederman
     
  • The inode operations only exist to support the proc_permission function.
    Currently mem_read and mem_write have all the same permission checks as
    ptrace. The fs check makes no sense in this context, and we can trivially get
    around it by calling ptrace.

    So simply the code by killing the strange weird case.

    Signed-off-by: Eric W. Biederman
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Eric W. Biederman
     
  • First we can access every /proc//task/ directory as /proc/ so
    proc_task_permission is not usefully limiting visibility.

    Second having related filesystems information should have nothing to do with
    process visibility. kill does not implement any checks like that.

    Signed-off-by: Eric W. Biederman
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Eric W. Biederman
     
  • The sole renaming use of proc_inode.type is to discover the file descriptor
    number, so just store the file descriptor number and don't wory about
    processing this field. This removes any /proc limits on the maximum number of
    file descriptors, and clears the path to make the hard coded /proc inode
    numbers go away.

    Signed-off-by: Eric W. Biederman
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Eric W. Biederman
     
  • Currently in /proc if the task is dumpable all of files are owned by the tasks
    effective users. Otherwise the files are owned by root. Unless it is the
    /proc// or /proc//task/ directory in that case we always make
    the directory owned by the effective user.

    However the special case for directories is pointless except as a way to read
    the effective user, because the permissions on both of those directories are
    world readable, and executable.

    /proc//status provides a much better way to read a processes effecitve
    userid, so it is silly to try to provide that on the directory.

    So this patch simplifies the code by removing a pointless special case and
    gets us one step closer to being able to remove the hard coded /proc inode
    numbers.

    Signed-off-by: Eric W. Biederman
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Eric W. Biederman
     
  • The removed fields are already set by proc_alloc_inode. Initializing them in
    proc_alloc_inode implies they need it for proper cleanup. At least ei->pde
    was not set on all paths making it look like proc_alloc_inode was buggy. So
    just remove the redundant assignments.

    Signed-off-by: Eric W. Biederman
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Eric W. Biederman
     
  • We already call everything except do_proc_readlink outside of the BKL in
    proc_pid_followlink, and there appears to be nothing in do_proc_readlink that
    needs any special protection.

    So remove this leftover from one of the BKL cleanup efforts.

    Signed-off-by: Eric W. Biederman
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Eric W. Biederman
     
  • Signed-off-by: Eric W. Biederman
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Eric W. Biederman
     
  • I noticed recently that my CONFIG_CRYPTO_MD5 turned into a y again instead
    of m. It turns out that CONFIG_NFSD_V4 is selecting it to be y even though
    I've chosen to compile nfsd as a module.

    In general when we have a bool sitting under a tristate it is better to
    select things you need from the tristate rather than the bool since that
    allows the things you select to be modules.

    The following patch does it for nfsd.

    Signed-off-by: Herbert Xu
    Cc: Neil Brown
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Herbert Xu
     
  • Add the IOCTLs of the Gigaset drivers to compat_ioctl.h in order to make
    them available for 32 bit programs on 64 bit platforms. Please merge.

    Signed-off-by: Hansjoerg Lipp
    Acked-by: Tilman Schmidt
    Cc: Karsten Keil
    Cc: Arnd Bergmann
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Hansjoerg Lipp