Tudor Ambarus [Fri, 29 Apr 2016 14:48:08 +0000 (17:48 +0300)]
lib: asn1_decoder - add MODULE_LICENSE("GPL")
A kernel taint results when loading the rsa_generic module:
root@(none):~# modprobe rsa_generic
asn1_decoder: module license 'unspecified' taints kernel.
Disabling lock debugging due to kernel taint
"Tainting" of the kernel is (usually) a way of indicating that
a proprietary module has been inserted, which is not the case here.
Signed-off-by: Tudor Ambarus <tudor-dan.ambarus@nxp.com>
Signed-off-by: David Howells <dhowells@redhat.com>
David Howells [Wed, 11 May 2016 13:31:55 +0000 (14:31 +0100)]
KEYS: The PKCS#7 test key type should use the secondary keyring
The PKCS#7 test key type should use the secondary keyring instead of the
built-in keyring if available as the source of trustworthy keys.
Signed-off-by: David Howells <dhowells@redhat.com>
James Morris [Thu, 5 May 2016 23:31:34 +0000 (09:31 +1000)]
Merge branch 'stable-4.7' of git://git.infradead.org/users/pcmoore/selinux into next
James Morris [Thu, 5 May 2016 23:29:00 +0000 (09:29 +1000)]
Merge tag 'keys-next-
20160505' of git://git./linux/kernel/git/dhowells/linux-fs into next
Sasha Levin [Wed, 4 May 2016 14:18:15 +0000 (10:18 -0400)]
Yama: use atomic allocations when reporting
Access reporting often happens from atomic contexes. Avoid
lockups when allocating memory for command lines.
Fixes:
8a56038c2ae ("Yama: consolidate error reporting")
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Mickaël Salaün [Thu, 24 Mar 2016 01:46:33 +0000 (02:46 +0100)]
seccomp: Fix comment typo
Drop accidentally repeated word in comment.
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Cc: Kees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Will Drewry <wad@chromium.org>
David Howells [Wed, 4 May 2016 16:20:20 +0000 (17:20 +0100)]
Merge branch 'keys-trust' into keys-next
Here's a set of patches that changes how certificates/keys are determined
to be trusted. That's currently a two-step process:
(1) Up until recently, when an X.509 certificate was parsed - no matter
the source - it was judged against the keys in .system_keyring,
assuming those keys to be trusted if they have KEY_FLAG_TRUSTED set
upon them.
This has just been changed such that any key in the .ima_mok keyring,
if configured, may also be used to judge the trustworthiness of a new
certificate, whether or not the .ima_mok keyring is meant to be
consulted for whatever process is being undertaken.
If a certificate is determined to be trustworthy, KEY_FLAG_TRUSTED
will be set upon a key it is loaded into (if it is loaded into one),
no matter what the key is going to be loaded for.
(2) If an X.509 certificate is loaded into a key, then that key - if
KEY_FLAG_TRUSTED gets set upon it - can be linked into any keyring
with KEY_FLAG_TRUSTED_ONLY set upon it. This was meant to be the
system keyring only, but has been extended to various IMA keyrings.
A user can at will link any key marked KEY_FLAG_TRUSTED into any
keyring marked KEY_FLAG_TRUSTED_ONLY if the relevant permissions masks
permit it.
These patches change that:
(1) Trust becomes a matter of consulting the ring of trusted keys supplied
when the trust is evaluated only.
(2) Every keyring can be supplied with its own manager function to
restrict what may be added to that keyring. This is called whenever a
key is to be linked into the keyring to guard against a key being
created in one keyring and then linked across.
This function is supplied with the keyring and the key type and
payload[*] of the key being linked in for use in its evaluation. It
is permitted to use other data also, such as the contents of other
keyrings such as the system keyrings.
[*] The type and payload are supplied instead of a key because as an
optimisation this function may be called whilst creating a key and
so may reject the proposed key between preparse and allocation.
(3) A default manager function is provided that permits keys to be
restricted to only asymmetric keys that are vouched for by the
contents of the system keyring.
A second manager function is provided that just rejects with EPERM.
(4) A key allocation flag, KEY_ALLOC_BYPASS_RESTRICTION, is made available
so that the kernel can initialise keyrings with keys that form the
root of the trust relationship.
(5) KEY_FLAG_TRUSTED and KEY_FLAG_TRUSTED_ONLY are removed, along with
key_preparsed_payload::trusted.
This change also makes it possible in future for userspace to create a private
set of trusted keys and then to have it sealed by setting a manager function
where the private set is wholly independent of the kernel's trust
relationships.
Further changes in the set involve extracting certain IMA special keyrings
and making them generally global:
(*) .system_keyring is renamed to .builtin_trusted_keys and remains read
only. It carries only keys built in to the kernel. It may be where
UEFI keys should be loaded - though that could better be the new
secondary keyring (see below) or a separate UEFI keyring.
(*) An optional secondary system keyring (called .secondary_trusted_keys)
is added to replace the IMA MOK keyring.
(*) Keys can be added to the secondary keyring by root if the keys can
be vouched for by either ring of system keys.
(*) Module signing and kexec only use .builtin_trusted_keys and do not use
the new secondary keyring.
(*) Config option SYSTEM_TRUSTED_KEYS now depends on ASYMMETRIC_KEY_TYPE as
that's the only type currently permitted on the system keyrings.
(*) A new config option, IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY,
is provided to allow keys to be added to IMA keyrings, subject to the
restriction that such keys are validly signed by a key already in the
system keyrings.
If this option is enabled, but secondary keyrings aren't, additions to
the IMA keyrings will be restricted to signatures verifiable by keys in
the builtin system keyring only.
Signed-off-by: David Howells <dhowells@redhat.com>
Mimi Zohar [Tue, 1 Mar 2016 00:52:05 +0000 (19:52 -0500)]
ima: add support for creating files using the mknodat syscall
Commit
3034a14 "ima: pass 'opened' flag to identify newly created files"
stopped identifying empty files as new files. However new empty files
can be created using the mknodat syscall. On systems with IMA-appraisal
enabled, these empty files are not labeled with security.ima extended
attributes properly, preventing them from subsequently being opened in
order to write the file data contents. This patch defines a new hook
named ima_post_path_mknod() to mark these empty files, created using
mknodat, as new in order to allow the file data contents to be written.
In addition, files with security.ima xattrs containing a file signature
are considered "immutable" and can not be modified. The file contents
need to be written, before signing the file. This patch relaxes this
requirement for new files, allowing the file signature to be written
before the file contents.
Changelog:
- defer identifying files with signatures stored as security.ima
(based on Dmitry Rozhkov's comments)
- removing tests (eg. dentry, dentry->d_inode, inode->i_size == 0)
(based on Al's review)
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Al Viro <<viro@zeniv.linux.org.uk>
Tested-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
Mimi Zohar [Mon, 29 Feb 2016 13:30:12 +0000 (08:30 -0500)]
ima: fix ima_inode_post_setattr
Changing file metadata (eg. uid, guid) could result in having to
re-appraise a file's integrity, but does not change the "new file"
status nor the security.ima xattr. The IMA_PERMIT_DIRECTIO and
IMA_DIGSIG_REQUIRED flags are policy rule specific. This patch
only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags.
With this patch, changing the file timestamp will not remove the
file signature on new files.
Reported-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Tested-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
Dmitry Kasatkin [Sun, 26 Oct 2014 10:42:07 +0000 (12:42 +0200)]
vfs: forbid write access when reading a file into memory
This patch is based on top of the "vfs: support for a common kernel file
loader" patch set. In general when the kernel is reading a file into
memory it does not want anything else writing to it.
The kernel currently only forbids write access to a file being executed.
This patch extends this locking to files being read by the kernel.
Changelog:
- moved function to kernel_read_file() - Mimi
- updated patch description - Mimi
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Reviewed-by: Luis R. Rodriguez <mcgrof@kernel.org>
Acked-by: Kees Cook <keescook@chromium.org>
Kees Cook [Thu, 21 Apr 2016 19:53:29 +0000 (12:53 -0700)]
fs: fix over-zealous use of "const"
When I was fixing up const recommendations from checkpatch.pl, I went
overboard. This fixes the warning (during a W=1 build):
include/linux/fs.h:2627:74: warning: type qualifiers ignored on function return type [-Wignored-qualifiers]
static inline const char * const kernel_read_file_id_str(enum kernel_read_file_id id)
Reported-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Stephen Smalley [Fri, 8 Apr 2016 17:55:03 +0000 (13:55 -0400)]
selinux: apply execstack check on thread stacks
The execstack check was only being applied on the main
process stack. Thread stacks allocated via mmap were
only subject to the execmem permission check. Augment
the check to apply to the current thread stack as well.
Note that this does NOT prevent making a different thread's
stack executable.
Suggested-by: Nick Kralevich <nnk@google.com>
Acked-by: Nick Kralevich <nnk@google.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Stephen Smalley [Fri, 8 Apr 2016 17:52:00 +0000 (13:52 -0400)]
selinux: distinguish non-init user namespace capability checks
Distinguish capability checks against a target associated
with the init user namespace versus capability checks against
a target associated with a non-init user namespace by defining
and using separate security classes for the latter.
This is needed to support e.g. Chrome usage of user namespaces
for the Chrome sandbox without needing to allow Chrome to also
exercise capabilities on targets in the init user namespace.
Suggested-by: Dan Walsh <dwalsh@redhat.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Kees Cook [Wed, 20 Apr 2016 22:46:28 +0000 (15:46 -0700)]
LSM: LoadPin for kernel file loading restrictions
This LSM enforces that kernel-loaded files (modules, firmware, etc)
must all come from the same filesystem, with the expectation that
such a filesystem is backed by a read-only device such as dm-verity
or CDROM. This allows systems that have a verified and/or unchangeable
filesystem to enforce module and firmware loading restrictions without
needing to sign the files individually.
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Mimi Zohar [Wed, 20 Apr 2016 22:46:27 +0000 (15:46 -0700)]
fs: define a string representation of the kernel_read_file_id enumeration
A string representation of the kernel_read_file_id enumeration is
needed for displaying messages (eg. pr_info, auditing) that can be
used by multiple LSMs and the integrity subsystem. To simplify
keeping the list of strings up to date with the enumeration, this
patch defines two new preprocessing macros named __fid_enumify and
__fid_stringify to create the enumeration and an array of strings.
kernel_read_file_id_str() returns a string based on the enumeration.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
[kees: removed removal of my old version, constified pointer values]
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Kees Cook [Wed, 20 Apr 2016 22:46:26 +0000 (15:46 -0700)]
Yama: consolidate error reporting
Use a common error reporting function for Yama violation reports, and give
more detail into the process command lines.
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Kees Cook [Wed, 20 Apr 2016 22:46:25 +0000 (15:46 -0700)]
string_helpers: add kstrdup_quotable_file
Allocate a NULL-terminated file path with special characters escaped,
safe for logging.
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Kees Cook [Wed, 20 Apr 2016 22:46:24 +0000 (15:46 -0700)]
string_helpers: add kstrdup_quotable_cmdline
Provide an escaped (but readable: no inter-argument NULLs) commandline
safe for logging.
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Kees Cook [Wed, 20 Apr 2016 22:46:23 +0000 (15:46 -0700)]
string_helpers: add kstrdup_quotable
Handle allocating and escaping a string safe for logging.
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Paul Moore [Mon, 18 Apr 2016 20:41:38 +0000 (16:41 -0400)]
selinux: check ss_initialized before revalidating an inode label
There is no point in trying to revalidate an inode's security label if
the security server is not yet initialized.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Paul Moore [Mon, 4 Apr 2016 18:14:42 +0000 (14:14 -0400)]
selinux: delay inode label lookup as long as possible
Since looking up an inode's label can result in revalidation, delay
the lookup as long as possible to limit the performance impact.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Paul Moore [Tue, 19 Apr 2016 20:36:28 +0000 (16:36 -0400)]
selinux: don't revalidate an inode's label when explicitly setting it
There is no point in attempting to revalidate an inode's security
label when we are in the process of setting it.
Reported-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Prarit Bhargava [Thu, 14 Apr 2016 14:40:57 +0000 (10:40 -0400)]
selinux: Change bool variable name to index.
security_get_bool_value(int bool) argument "bool" conflicts with
in-kernel macros such as BUILD_BUG(). This patch changes this to
index which isn't a type.
Cc: Paul Moore <paul@paul-moore.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Eric Paris <eparis@parisplace.org>
Cc: James Morris <james.l.morris@oracle.com>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: Andrew Perepechko <anserper@ya.ru>
Cc: Jeff Vander Stoep <jeffv@google.com>
Cc: selinux@tycho.nsa.gov
Cc: Eric Paris <eparis@redhat.com>
Cc: Paul Moore <pmoore@redhat.com>
Cc: David Howells <dhowells@redhat.com>
Signed-off-by: Prarit Bhargava <prarit@redhat.com>
Acked-by: David Howells <dhowells@redhat.com>
[PM: wrapped description for checkpatch.pl, use "selinux:..." as subj]
Signed-off-by: Paul Moore <paul@paul-moore.com>
David Howells [Tue, 12 Apr 2016 19:10:19 +0000 (20:10 +0100)]
Merge branch 'keys-sig' into keys-next
These commits do the following:
(1) Retain a signature in an asymmetric-type key and associate with it the
identifiers that will match a key that can be used to verify it.
(2) Differentiate an X.509 cert that cannot be used versus one that cannot
be verified due to unavailable crypto. This is noted in the
structures involved.
(3) Determination of the self-signedness of an X.509 cert is improved to
include checks on the subject/issuer names and the key
algorithm/signature algorithm types.
(4) Self-signed X.509 certificates are consistency checked early on if the
appropriate crypto is available.
Signed-off-by: David Howells <dhowells@redhat.com>
David Howells [Tue, 12 Apr 2016 19:09:34 +0000 (20:09 +0100)]
Merge branch 'keys-misc' into keys-next
Miscellaneous keyrings changes.
Signed-off-by: David Howells <dhowells@redhat.com>
Mat Martineau [Tue, 12 Apr 2016 18:54:58 +0000 (19:54 +0100)]
KEYS: Add KEYCTL_DH_COMPUTE command
This adds userspace access to Diffie-Hellman computations through a
new keyctl() syscall command to calculate shared secrets or public
keys using input parameters stored in the keyring.
Input key ids are provided in a struct due to the current 5-arg limit
for the keyctl syscall. Only user keys are supported in order to avoid
exposing the content of logon or encrypted keys.
The output is written to the provided buffer, based on the assumption
that the values are only needed in userspace.
Future support for other types of key derivation would involve a new
command, like KEYCTL_ECDH_COMPUTE.
Once Diffie-Hellman support is included in the crypto API, this code
can be converted to use the crypto API to take advantage of possible
hardware acceleration and reduce redundant code.
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Kirill Marinushkin [Tue, 12 Apr 2016 18:54:58 +0000 (19:54 +0100)]
Security: Keys: Big keys stored encrypted
Solved TODO task: big keys saved to shmem file are now stored encrypted.
The encryption key is randomly generated and saved to payload[big_key_data].
Signed-off-by: Kirill Marinushkin <k.marinushkin@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
David Howells [Tue, 12 Apr 2016 18:54:58 +0000 (19:54 +0100)]
KEYS: user_update should use copy of payload made during preparsing
The payload preparsing routine for user keys makes a copy of the payload
provided by the caller and stashes it in the key_preparsed_payload struct for
->instantiate() or ->update() to use. However, ->update() takes another copy
of this to attach to the keyring. ->update() should be using this directly
and clearing the pointer in the preparse data.
Signed-off-by: David Howells <dhowells@redhat.com>
Andreas Ziegler [Tue, 12 Apr 2016 18:54:58 +0000 (19:54 +0100)]
security: integrity: Remove select to deleted option PUBLIC_KEY_ALGO_RSA
Commit
d43de6c780a8 ("akcipher: Move the RSA DER encoding check to
the crypto layer") removed the Kconfig option PUBLIC_KEY_ALGO_RSA,
but forgot to remove a 'select' to this option in the definition of
INTEGRITY_ASYMMETRIC_KEYS.
Let's remove the select, as it's ineffective now.
Signed-off-by: Andreas Ziegler <andreas.ziegler@fau.de>
Signed-off-by: David Howells <dhowells@redhat.com>
David Howells [Thu, 7 Apr 2016 08:45:23 +0000 (09:45 +0100)]
IMA: Use the the system trusted keyrings instead of .ima_mok
Add a config option (IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY)
that, when enabled, allows keys to be added to the IMA keyrings by
userspace - with the restriction that each must be signed by a key in the
system trusted keyrings.
EPERM will be returned if this option is disabled, ENOKEY will be returned if
no authoritative key can be found and EKEYREJECTED will be returned if the
signature doesn't match. Other errors such as ENOPKG may also be returned.
If this new option is enabled, the builtin system keyring is searched, as is
the secondary system keyring if that is also enabled. Intermediate keys
between the builtin system keyring and the key being added can be added to
the secondary keyring (which replaces .ima_mok) to form a trust chain -
provided they are also validly signed by a key in one of the trusted keyrings.
The .ima_mok keyring is then removed and the IMA blacklist keyring gets its
own config option (IMA_BLACKLIST_KEYRING).
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
David Howells [Wed, 6 Apr 2016 15:14:27 +0000 (16:14 +0100)]
certs: Add a secondary system keyring that can be added to dynamically
Add a secondary system keyring that can be added to by root whilst the
system is running - provided the key being added is vouched for by a key
built into the kernel or already added to the secondary keyring.
Rename .system_keyring to .builtin_trusted_keys to distinguish it more
obviously from the new keyring (called .secondary_trusted_keys).
The new keyring needs to be enabled with CONFIG_SECONDARY_TRUSTED_KEYRING.
If the secondary keyring is enabled, a link is created from that to
.builtin_trusted_keys so that the the latter will automatically be searched
too if the secondary keyring is searched.
Signed-off-by: David Howells <dhowells@redhat.com>
David Howells [Wed, 6 Apr 2016 15:14:26 +0000 (16:14 +0100)]
KEYS: Remove KEY_FLAG_TRUSTED and KEY_ALLOC_TRUSTED
Remove KEY_FLAG_TRUSTED and KEY_ALLOC_TRUSTED as they're no longer
meaningful. Also we can drop the trusted flag from the preparse structure.
Given this, we no longer need to pass the key flags through to
restrict_link().
Further, we can now get rid of keyring_restrict_trusted_only() also.
Signed-off-by: David Howells <dhowells@redhat.com>
David Howells [Wed, 6 Apr 2016 15:14:26 +0000 (16:14 +0100)]
KEYS: Move the point of trust determination to __key_link()
Move the point at which a key is determined to be trustworthy to
__key_link() so that we use the contents of the keyring being linked in to
to determine whether the key being linked in is trusted or not.
What is 'trusted' then becomes a matter of what's in the keyring.
Currently, the test is done when the key is parsed, but given that at that
point we can only sensibly refer to the contents of the system trusted
keyring, we can only use that as the basis for working out the
trustworthiness of a new key.
With this change, a trusted keyring is a set of keys that once the
trusted-only flag is set cannot be added to except by verification through
one of the contained keys.
Further, adding a key into a trusted keyring, whilst it might grant
trustworthiness in the context of that keyring, does not automatically
grant trustworthiness in the context of a second keyring to which it could
be secondarily linked.
To accomplish this, the authentication data associated with the key source
must now be retained. For an X.509 cert, this means the contents of the
AuthorityKeyIdentifier and the signature data.
If system keyrings are disabled then restrict_link_by_builtin_trusted()
resolves to restrict_link_reject(). The integrity digital signature code
still works correctly with this as it was previously using
KEY_FLAG_TRUSTED_ONLY, which doesn't permit anything to be added if there
is no system keyring against which trust can be determined.
Signed-off-by: David Howells <dhowells@redhat.com>
David Howells [Wed, 6 Apr 2016 15:14:26 +0000 (16:14 +0100)]
KEYS: Make the system trusted keyring depend on the asymmetric key type
Make the system trusted keyring depend on the asymmetric key type as
there's not a lot of point having it if you can't then load asymmetric keys
onto it.
This requires the ASYMMETRIC_KEY_TYPE to be made a bool, not a tristate, as
the Kconfig language doesn't then correctly force ASYMMETRIC_KEY_TYPE to
'y' rather than 'm' if SYSTEM_TRUSTED_KEYRING is 'y'.
Making SYSTEM_TRUSTED_KEYRING *select* ASYMMETRIC_KEY_TYPE instead doesn't
work as the Kconfig interpreter then wrongly complains about dependency
loops.
Signed-off-by: David Howells <dhowells@redhat.com>
David Howells [Wed, 6 Apr 2016 15:14:26 +0000 (16:14 +0100)]
X.509: Move the trust validation code out to its own file
Move the X.509 trust validation code out to its own file so that it can be
generalised.
Signed-off-by: David Howells <dhowells@redhat.com>
David Howells [Wed, 6 Apr 2016 15:14:25 +0000 (16:14 +0100)]
X.509: Use verify_signature() if we have a struct key * to use
We should call verify_signature() rather than directly calling
public_key_verify_signature() if we have a struct key to use as we
shouldn't be poking around in the private data of the key struct as that's
subtype dependent.
Signed-off-by: David Howells <dhowells@redhat.com>
David Howells [Wed, 6 Apr 2016 15:14:25 +0000 (16:14 +0100)]
KEYS: Generalise x509_request_asymmetric_key()
Generalise x509_request_asymmetric_key(). It doesn't really have any
dependencies on X.509 features as it uses generalised IDs and the
public_key structs that contain data extracted from X.509.
Signed-off-by: David Howells <dhowells@redhat.com>
David Howells [Wed, 6 Apr 2016 15:14:25 +0000 (16:14 +0100)]
KEYS: Move x509_request_asymmetric_key() to asymmetric_type.c
Move x509_request_asymmetric_key() to asymmetric_type.c so that it can be
generalised.
Signed-off-by: David Howells <dhowells@redhat.com>
David Howells [Wed, 6 Apr 2016 15:14:24 +0000 (16:14 +0100)]
KEYS: Add a facility to restrict new links into a keyring
Add a facility whereby proposed new links to be added to a keyring can be
vetted, permitting them to be rejected if necessary. This can be used to
block public keys from which the signature cannot be verified or for which
the signature verification fails. It could also be used to provide
blacklisting.
This affects operations like add_key(), KEYCTL_LINK and KEYCTL_INSTANTIATE.
To this end:
(1) A function pointer is added to the key struct that, if set, points to
the vetting function. This is called as:
int (*restrict_link)(struct key *keyring,
const struct key_type *key_type,
unsigned long key_flags,
const union key_payload *key_payload),
where 'keyring' will be the keyring being added to, key_type and
key_payload will describe the key being added and key_flags[*] can be
AND'ed with KEY_FLAG_TRUSTED.
[*] This parameter will be removed in a later patch when
KEY_FLAG_TRUSTED is removed.
The function should return 0 to allow the link to take place or an
error (typically -ENOKEY, -ENOPKG or -EKEYREJECTED) to reject the
link.
The pointer should not be set directly, but rather should be set
through keyring_alloc().
Note that if called during add_key(), preparse is called before this
method, but a key isn't actually allocated until after this function
is called.
(2) KEY_ALLOC_BYPASS_RESTRICTION is added. This can be passed to
key_create_or_update() or key_instantiate_and_link() to bypass the
restriction check.
(3) KEY_FLAG_TRUSTED_ONLY is removed. The entire contents of a keyring
with this restriction emplaced can be considered 'trustworthy' by
virtue of being in the keyring when that keyring is consulted.
(4) key_alloc() and keyring_alloc() take an extra argument that will be
used to set restrict_link in the new key. This ensures that the
pointer is set before the key is published, thus preventing a window
of unrestrictedness. Normally this argument will be NULL.
(5) As a temporary affair, keyring_restrict_trusted_only() is added. It
should be passed to keyring_alloc() as the extra argument instead of
setting KEY_FLAG_TRUSTED_ONLY on a keyring. This will be replaced in
a later patch with functions that look in the appropriate places for
authoritative keys.
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Paolo Abeni [Fri, 8 Apr 2016 10:20:30 +0000 (12:20 +0200)]
security: drop the unused hook skb_owned_by
The skb_owned_by hook was added with the commit
ca10b9e9a8ca
("selinux: add a skb_owned_by() hook") and later removed
when said commit was reverted.
Later on, when switching to list of hooks, a field named
'skb_owned_by' was included into the security_hook_head struct,
but without any users nor caller.
This commit removes the said left-over field.
Fixes:
b1d9e6b0646d ("LSM: Switch to lists of hooks")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Paul Moore <pmoore@paul-moore.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
David Howells [Wed, 6 Apr 2016 15:14:24 +0000 (16:14 +0100)]
PKCS#7: Make trust determination dependent on contents of trust keyring
Make the determination of the trustworthiness of a key dependent on whether
a key that can verify it is present in the supplied ring of trusted keys
rather than whether or not the verifying key has KEY_FLAG_TRUSTED set.
verify_pkcs7_signature() will return -ENOKEY if the PKCS#7 message trust
chain cannot be verified.
Signed-off-by: David Howells <dhowells@redhat.com>
David Howells [Wed, 6 Apr 2016 15:14:24 +0000 (16:14 +0100)]
KEYS: Generalise system_verify_data() to provide access to internal content
Generalise system_verify_data() to provide access to internal content
through a callback. This allows all the PKCS#7 stuff to be hidden inside
this function and removed from the PE file parser and the PKCS#7 test key.
If external content is not required, NULL should be passed as data to the
function. If the callback is not required, that can be set to NULL.
The function is now called verify_pkcs7_signature() to contrast with
verify_pefile_signature() and the definitions of both have been moved into
linux/verification.h along with the key_being_used_for enum.
Signed-off-by: David Howells <dhowells@redhat.com>
David Howells [Wed, 6 Apr 2016 15:13:34 +0000 (16:13 +0100)]
X.509: Fix self-signed determination
There's a bug in the code determining whether a certificate is self-signed
or not: if they have neither AKID nor SKID then we just assume that the
cert is self-signed, which may not be true.
Fix this by checking that the raw subject name matches the raw issuer name
and that the public key algorithm for the key and signature are both the
same in addition to requiring that the AKID bits match.
Signed-off-by: David Howells <dhowells@redhat.com>
David Howells [Wed, 6 Apr 2016 15:13:34 +0000 (16:13 +0100)]
X.509: Extract signature digest and make self-signed cert checks earlier
Extract the signature digest for an X.509 certificate earlier, at the end
of x509_cert_parse() rather than leaving it to the callers thereof since it
has to be called anyway.
Further, immediately after that, check the signature on self-signed
certificates, also rather in the callers of x509_cert_parse().
We note in the x509_certificate struct the following bits of information:
(1) Whether the signature is self-signed (even if we can't check the
signature due to missing crypto).
(2) Whether the key held in the certificate needs unsupported crypto to be
used. We may get a PKCS#7 message with X.509 certs that we can't make
use of - we just ignore them and give ENOPKG at the end it we couldn't
verify anything if at least one of these unusable certs are in the
chain of trust.
(3) Whether the signature held in the certificate needs unsupported crypto
to be checked. We can still use the key held in this certificate,
even if we can't check the signature on it - if it is held in the
system trusted keyring, for instance. We just can't add it to a ring
of trusted keys or follow it further up the chain of trust.
Making these checks earlier allows x509_check_signature() to be removed and
replaced with direct calls to public_key_verify_signature().
Signed-off-by: David Howells <dhowells@redhat.com>
David Howells [Wed, 6 Apr 2016 15:13:33 +0000 (16:13 +0100)]
PKCS#7: Make the signature a pointer rather than embedding it
Point to the public_key_signature struct from the pkcs7_signed_info struct
rather than embedding it. This makes the code consistent with the X.509
signature handling and makes it possible to have a common cleanup function.
We also save a copy of the digest in the signature without sharing the
memory with the crypto layer metadata.
Signed-off-by: David Howells <dhowells@redhat.com>
David Howells [Wed, 6 Apr 2016 15:13:33 +0000 (16:13 +0100)]
X.509: Retain the key verification data
Retain the key verification data (ie. the struct public_key_signature)
including the digest and the key identifiers.
Note that this means that we need to take a separate copy of the digest in
x509_get_sig_params() rather than lumping it in with the crypto layer data.
Signed-off-by: David Howells <dhowells@redhat.com>
David Howells [Wed, 6 Apr 2016 15:13:33 +0000 (16:13 +0100)]
KEYS: Add identifier pointers to public_key_signature struct
Add key identifier pointers to public_key_signature struct so that they can
be used to retain the identifier of the key to be used to verify the
signature in both PKCS#7 and X.509.
Signed-off-by: David Howells <dhowells@redhat.com>
David Howells [Wed, 6 Apr 2016 15:13:33 +0000 (16:13 +0100)]
KEYS: Allow authentication data to be stored in an asymmetric key
Allow authentication data to be stored in an asymmetric key in the 4th
element of the key payload and provide a way for it to be destroyed.
For the public key subtype, this will be a public_key_signature struct.
Signed-off-by: David Howells <dhowells@redhat.com>
David Howells [Wed, 6 Apr 2016 15:13:33 +0000 (16:13 +0100)]
X.509: Whitespace cleanup
Clean up some whitespace.
Signed-off-by: David Howells <dhowells@redhat.com>
Jeff Vander Stoep [Tue, 5 Apr 2016 20:06:27 +0000 (13:06 -0700)]
selinux: restrict kernel module loading
Utilize existing kernel_read_file hook on kernel module load.
Add module_load permission to the system class.
Enforces restrictions on kernel module origin when calling the
finit_module syscall. The hook checks that source type has
permission module_load for the target type.
Example for finit_module:
allow foo bar_file:system module_load;
Similarly restrictions are enforced on kernel module loading when
calling the init_module syscall. The hook checks that source
type has permission module_load with itself as the target object
because the kernel module is sourced from the calling process.
Example for init_module:
allow foo foo:system module_load;
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
[PM: fixed return value of selinux_kernel_read_file()]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Paul Moore [Thu, 31 Mar 2016 01:41:21 +0000 (21:41 -0400)]
selinux: consolidate the ptrace parent lookup code
We lookup the tracing parent in two places, using effectively the
same code, let's consolidate it.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Paul Moore [Mon, 28 Mar 2016 19:16:53 +0000 (15:16 -0400)]
selinux: simply inode label states to INVALID and INITIALIZED
There really is no need for LABEL_MISSING as we really only care if
the inode's label is INVALID or INITIALIZED. Also adjust the
revalidate code to reload the label whenever the label is not
INITIALIZED so we are less sensitive to label state in the future.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Paul Moore [Mon, 28 Mar 2016 19:19:10 +0000 (15:19 -0400)]
selinux: don't revalidate inodes in selinux_socket_getpeersec_dgram()
We don't have to worry about socket inodes being invalidated so
use inode_security_novalidate() to fetch the inode's security blob.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Janak Desai [Mon, 28 Mar 2016 15:09:46 +0000 (11:09 -0400)]
netlabel: fix a problem with netlbl_secattr_catmap_setrng()
We try to be clever and set large chunks of the bitmap at once, when
possible; unfortunately we weren't very clever when we wrote the code
and messed up the if-conditional. Fix this bug and restore proper
operation.
Signed-off-by: Janak Desai <Janak.Desai@gtri.gatech.edu>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Linus Torvalds [Sun, 3 Apr 2016 14:09:40 +0000 (09:09 -0500)]
Linux 4.6-rc2
Linus Torvalds [Sun, 3 Apr 2016 12:22:12 +0000 (07:22 -0500)]
Merge branch 'perf-urgent-for-linus' of git://git./linux/kernel/git/tip/tip
Pull perf fixes from Ingo Molnar:
"Misc kernel side fixes:
- fix event leak
- fix AMD PMU driver bug
- fix core event handling bug
- fix build bug on certain randconfigs
Plus misc tooling fixes"
* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
perf/x86/amd/ibs: Fix pmu::stop() nesting
perf/core: Don't leak event in the syscall error path
perf/core: Fix time tracking bug with multiplexing
perf jit: genelf makes assumptions about endian
perf hists: Fix determination of a callchain node's childlessness
perf tools: Add missing initialization of perf_sample.cpumode in synthesized samples
perf tools: Fix build break on powerpc
perf/x86: Move events_sysfs_show() outside CPU_SUP_INTEL
perf bench: Fix detached tarball building due to missing 'perf bench memcpy' headers
perf tests: Fix tarpkg build test error output redirection
Linus Torvalds [Sun, 3 Apr 2016 12:06:53 +0000 (07:06 -0500)]
Merge branch 'core-urgent-for-linus' of git://git./linux/kernel/git/tip/tip
Pull core kernel fixes from Ingo Molnar:
"This contains the nohz/atomic cleanup/fix for the fetch_or() ugliness
you noted during the original nohz pull request, plus there's also
misc fixes:
- fix liblockdep build bug
- fix uapi header build bug
- print more lockdep hash collision info to help debug recent reports
of hash collisions
- update MAINTAINERS email address"
* 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
MAINTAINERS: Update my email address
locking/lockdep: Print chain_key collision information
uapi/linux/stddef.h: Provide __always_inline to userspace headers
tools/lib/lockdep: Fix unsupported 'basename -s' in run_tests.sh
locking/atomic, sched: Unexport fetch_or()
timers/nohz: Convert tick dependency mask to atomic_t
locking/atomic: Introduce atomic_fetch_or()
Linus Torvalds [Sun, 3 Apr 2016 12:03:49 +0000 (07:03 -0500)]
v4l2-mc: avoid warning about unused variable
Commit
840f5b0572ea ("media: au0828 disable tuner to demod link in
au0828_media_device_register()") removed all uses of the 'dtv_demod',
but left the variable itself around.
Remove it.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Sun, 3 Apr 2016 11:32:28 +0000 (06:32 -0500)]
Merge branch 'x86-urgent-for-linus' of git://git./linux/kernel/git/tip/tip
Pull x86 fixes from Thomas Gleixner:
"This lot contains:
- Some fixups for the fallout of the topology consolidation which
unearthed AMD/Intel inconsistencies
- Documentation for the x86 topology management
- Support for AMD advanced power management bits
- Two simple cleanups removing duplicated code"
* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86/cpu: Add advanced power management bits
x86/thread_info: Merge two !__ASSEMBLY__ sections
x86/cpufreq: Remove duplicated TDP MSR macro definitions
x86/Documentation: Start documenting x86 topology
x86/cpu: Get rid of compute_unit_id
perf/x86/amd: Cleanup Fam10h NB event constraints
x86/topology: Fix AMD core count
Linus Torvalds [Sat, 2 Apr 2016 23:57:49 +0000 (18:57 -0500)]
Merge tag 'rproc-v4.6-rc1' of git://github.com/andersson/remoteproc
Pull remoteproc fix from Bjorn Andersson:
"Fix incorrect error check in the ST remoteproc driver and advertise
the newly created linux-remoteproc mailing list"
* tag 'rproc-v4.6-rc1' of git://github.com/andersson/remoteproc:
MAINTAINERS: Add mailing list for remote processor subsystems
remoteproc: st: fix check of syscon_regmap_lookup_by_phandle() return value
Linus Torvalds [Sat, 2 Apr 2016 23:48:37 +0000 (18:48 -0500)]
Merge git://git./linux/kernel/git/nab/target-pending
Pull SCSI target fixes from Nicholas Bellinger:
"This includes fixes from HCH for -rc1 configfs default_groups
conversion changes that ended up breaking some iscsi-target
default_groups, along with Sagi's ib_drain_qp() conversion for
iser-target to use the common caller now available to RDMA kernel
consumers in v4.6+ code"
* git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending:
target: add a new add_wwn_groups fabrics method
target: initialize the nacl base CIT begfore init_nodeacl
target: remove ->fabric_cleanup_nodeacl
iser-target: Use ib_drain_qp
Linus Torvalds [Sat, 2 Apr 2016 23:35:05 +0000 (18:35 -0500)]
Convert straggling drivers to new six-argument get_user_pages()
Commit
d4edcf0d5695 ("mm/gup: Switch all callers of get_user_pages() to
not pass tsk/mm") switched get_user_pages() callers to the simpler model
where they no longer pass in the thread and mm pointer. But since then
we've merged changes to a few drivers that re-introduce use of the old
interface. Let's fix them up.
They continued to work fine (thanks to the truly disgusting macros
introduced in commit
cde70140fed8: "mm/gup: Overload get_user_pages()
functions"), but cause unnecessary build noise.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Sat, 2 Apr 2016 21:46:56 +0000 (16:46 -0500)]
Merge tag 'configfs-for-linus-2' of git://git.infradead.org/users/hch/configfs
Pull configfs fix from Christoph Hellwig:
"A trivial fix to the recently introduced binary attribute helper
macros"
* tag 'configfs-for-linus-2' of git://git.infradead.org/users/hch/configfs:
configfs: fix CONFIGFS_BIN_ATTR_[RW]O definitions
Linus Torvalds [Sat, 2 Apr 2016 01:03:33 +0000 (20:03 -0500)]
Merge git://git./linux/kernel/git/davem/net
Pull networking fixes from David Miller:
1) Missing device reference in IPSEC input path results in crashes
during device unregistration. From Subash Abhinov Kasiviswanathan.
2) Per-queue ISR register writes not being done properly in macb
driver, from Cyrille Pitchen.
3) Stats accounting bugs in bcmgenet, from Patri Gynther.
4) Lightweight tunnel's TTL and TOS were swapped in netlink dumps, from
Quentin Armitage.
5) SXGBE driver has off-by-one in probe error paths, from Rasmus
Villemoes.
6) Fix race in save/swap/delete options in netfilter ipset, from
Vishwanath Pai.
7) Ageing time of bridge not set properly when not operating over a
switchdev device. Fix from Haishuang Yan.
8) Fix GRO regression wrt nested FOU/GUE based tunnels, from Alexander
Duyck.
9) IPV6 UDP code bumps wrong stats, from Eric Dumazet.
10) FEC driver should only access registers that actually exist on the
given chipset, fix from Fabio Estevam.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (73 commits)
net: mvneta: fix changing MTU when using per-cpu processing
stmmac: fix MDIO settings
Revert "stmmac: Fix 'eth0: No PHY found' regression"
stmmac: fix TX normal DESC
net: mvneta: use cache_line_size() to get cacheline size
net: mvpp2: use cache_line_size() to get cacheline size
net: mvpp2: fix maybe-uninitialized warning
tun, bpf: fix suspicious RCU usage in tun_{attach, detach}_filter
net: usb: cdc_ncm: adding Telit LE910 V2 mobile broadband card
rtnl: fix msg size calculation in if_nlmsg_size()
fec: Do not access unexisting register in Coldfire
net: mvneta: replace MVNETA_CPU_D_CACHE_LINE_SIZE with L1_CACHE_BYTES
net: mvpp2: replace MVPP2_CPU_D_CACHE_LINE_SIZE with L1_CACHE_BYTES
net: dsa: mv88e6xxx: Clear the PDOWN bit on setup
net: dsa: mv88e6xxx: Introduce _mv88e6xxx_phy_page_{read, write}
bpf: make padding in bpf_tunnel_key explicit
ipv6: udp: fix UDP_MIB_IGNOREDMULTI updates
bnxt_en: Fix ethtool -a reporting.
bnxt_en: Fix typo in bnxt_hwrm_set_pause_common().
bnxt_en: Implement proper firmware message padding.
...
Linus Torvalds [Sat, 2 Apr 2016 00:57:13 +0000 (19:57 -0500)]
Merge tag 'clk-fixes-for-linus' of git://git./linux/kernel/git/clk/linux
Pull clk fixes from Stephen Boyd:
"A handful of const updates for reset ops and a couple fixes to the
newly introduced IPQ4019 clock driver"
* tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
clk: qcom: ipq4019: add some fixed clocks for ddrppl and fepll
clk: qcom: ipq4019: switch remaining defines to enums
clk: qcom: Make reset_control_ops const
clk: tegra: Make reset_control_ops const
clk: sunxi: Make reset_control_ops const
clk: atlas7: Make reset_control_ops const
clk: rockchip: Make reset_control_ops const
clk: mmp: Make reset_control_ops const
clk: mediatek: Make reset_control_ops const
Linus Torvalds [Sat, 2 Apr 2016 00:52:10 +0000 (19:52 -0500)]
Merge tag 'pm+acpi-4.6-rc2' of git://git./linux/kernel/git/rafael/linux-pm
Pull power management and ACPI fix from Rafael J. Wysocki:
"Just one fix for a nasty boot failure on some systems based on Intel
Skylake that shipped with broken firmware where enabling
hardware-coordinated P-states management (HWP) causes a faulty
interrupt handler in SMM to be invoked and crash the system (Srinivas
Pandruvada)"
* tag 'pm+acpi-4.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
ACPI / processor: Request native thermal interrupt handling via _OSC
Linus Torvalds [Sat, 2 Apr 2016 00:31:19 +0000 (19:31 -0500)]
Merge branch 'akpm' (patches from Andrew)
Merge fixes from Andrew Morton:
"11 fixes"
* emailed patches from Andrew Morton <akpm@linux-foundation.org>:
.mailmap: add Christophe Ricard
Make CONFIG_FHANDLE default y
mm/page_isolation.c: fix the function comments
oom, oom_reaper: do not enqueue task if it is on the oom_reaper_list head
mm/page_isolation: fix tracepoint to mirror check function behavior
mm/rmap: batched invalidations should use existing api
x86/mm: TLB_REMOTE_SEND_IPI should count pages
mm: fix invalid node in alloc_migrate_target()
include/linux/huge_mm.h: return NULL instead of false for pmd_trans_huge_lock()
mm, kasan: fix compilation for CONFIG_SLAB
MAINTAINERS: orangefs mailing list is subscribers-only
Rafael J. Wysocki [Fri, 1 Apr 2016 23:17:36 +0000 (01:17 +0200)]
Merge branch 'acpi-processor'
* acpi-processor:
ACPI / processor: Request native thermal interrupt handling via _OSC
Linus Torvalds [Fri, 1 Apr 2016 23:08:34 +0000 (18:08 -0500)]
Merge branch 'for-linus-4.6' of git://git./linux/kernel/git/mason/linux-btrfs
Pull btrfs fixes from Chris Mason:
"This has a few fixes Dave Sterba had queued up. These are all pretty
small, but since they were tested I decided against waiting for more"
* 'for-linus-4.6' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
btrfs: transaction_kthread() is not freezable
btrfs: cleaner_kthread() doesn't need explicit freeze
btrfs: do not write corrupted metadata blocks to disk
btrfs: csum_tree_block: return proper errno value
Linus Torvalds [Fri, 1 Apr 2016 22:17:32 +0000 (17:17 -0500)]
Merge tag 'for-linus' of git://github.com/martinbrandenburg/linux
Pull OrangeFS fixes from Martin Brandenburg:
"Two bugfixes for OrangeFS.
One is a reference counting bug and the other is a typo in client
minimum version"
* tag 'for-linus' of git://github.com/martinbrandenburg/linux:
orangefs: minimum userspace version is 2.9.3
orangefs: don't put readdir slot twice
Linus Torvalds [Fri, 1 Apr 2016 22:15:51 +0000 (17:15 -0500)]
Merge tag 'arm64-fixes' of git://git./linux/kernel/git/arm64/linux
Pull arm64 fixes from Will Deacon:
- fix oops when patching in alternative sequences on big-endian CPUs
- reconcile asm/perf_event.h after merge window fallout with KVM ARM
- defconfig updates
* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
arm64: defconfig: updates for 4.6
arm64: perf: Move PMU register related defines to asm/perf_event.h
arm64: opcodes.h: Add arm big-endian config options before including arm header
Linus Torvalds [Fri, 1 Apr 2016 22:13:23 +0000 (17:13 -0500)]
Merge tag 'sound-4.6-rc2' of git://git./linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"A collection of small fixes:
- a fix in ALSA timer core to avoid possible BUG() trigger
- a fix in ALSA timer core 32bit compat layer
- a few HD-audio quirks for ASUS and HP machines
- AMD HD-audio HDMI controller quirks
- fixes of USB-audio double-free at some error paths
- a fix for memory leak in DICE driver at hotunplug"
* tag 'sound-4.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
ALSA: timer: Use mod_timer() for rearming the system timer
ALSA: hda - fix front mic problem for a HP desktop
ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream() call
ALSA: hda: add AMD Polaris-10/11 AZ PCI IDs with proper driver caps
ALSA: dice: fix memory leak when unplugging
ALSA: hda - Apply fix for white noise on Asus N550JV, too
ALSA: hda - Fix white noise on Asus N750JV headphone
ALSA: hda - Asus N750JV external subwoofer fixup
ALSA: timer: fix gparams ioctl compatibility for different architectures
Christophe Ricard [Fri, 1 Apr 2016 21:31:42 +0000 (14:31 -0700)]
.mailmap: add Christophe Ricard
Different computers had different settings in the mail client. Some
contributions appear as Christophe Ricard, others as Christophe RICARD.
Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Andi Kleen [Fri, 1 Apr 2016 21:31:40 +0000 (14:31 -0700)]
Make CONFIG_FHANDLE default y
Newer Fedora and OpenSUSE didn't boot with my standard configuration.
It took me some time to figure out why, in fact I had to write a script
to try different config options systematically.
The problem is that something (systemd) in dracut depends on
CONFIG_FHANDLE, which adds open by file handle syscalls.
While it is set in defconfigs it is very easy to miss when updating
older configs because it is not default y.
Make it default y and also depend on EXPERT, as dracut use is likely
widespread.
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Cc: Richard Weinberger <richard.weinberger@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Neil Zhang [Fri, 1 Apr 2016 21:31:37 +0000 (14:31 -0700)]
mm/page_isolation.c: fix the function comments
Commit
fea85cff11de ("mm/page_isolation.c: return last tested pfn rather
than failure indicator") changed the meaning of the return value. Let's
change the function comments as well.
Signed-off-by: Neil Zhang <neilzhang1123@hotmail.com>
Cc: Joonsoo Kim <js1304@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Michal Hocko [Fri, 1 Apr 2016 21:31:34 +0000 (14:31 -0700)]
oom, oom_reaper: do not enqueue task if it is on the oom_reaper_list head
Commit
bb29902a7515 ("oom, oom_reaper: protect oom_reaper_list using
simpler way") has simplified the check for tasks already enqueued for
the oom reaper by checking tsk->oom_reaper_list != NULL. This check is
not sufficient because the tsk might be the head of the queue without
any other tasks queued and then we would simply lockup looping on the
same task. Fix the condition by checking for the head as well.
Fixes:
bb29902a7515 ("oom, oom_reaper: protect oom_reaper_list using simpler way")
Signed-off-by: Michal Hocko <mhocko@suse.com>
Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Lucas Stach [Fri, 1 Apr 2016 21:31:32 +0000 (14:31 -0700)]
mm/page_isolation: fix tracepoint to mirror check function behavior
Page isolation has not failed if the fin pfn extends beyond the end pfn
and test_pages_isolated checks this correctly. Fix the tracepoint to
report the same result as the actual check function.
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Joonsoo Kim <js1304@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Nadav Amit [Fri, 1 Apr 2016 21:31:26 +0000 (14:31 -0700)]
mm/rmap: batched invalidations should use existing api
The recently introduced batched invalidations mechanism uses its own
mechanism for shootdown. However, it does wrong accounting of
interrupts (e.g., inc_irq_stat is called for local invalidations),
trace-points (e.g., TLB_REMOTE_SHOOTDOWN for local invalidations) and
may break some platforms as it bypasses the invalidation mechanisms of
Xen and SGI UV.
This patch reuses the existing TLB flushing mechnaisms instead. We use
NULL as mm to indicate a global invalidation is required.
Fixes
72b252aed506b8 ("mm: send one IPI per CPU to TLB flush all entries after unmapping pages")
Signed-off-by: Nadav Amit <namit@vmware.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Rik van Riel <riel@redhat.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Nadav Amit [Fri, 1 Apr 2016 21:31:23 +0000 (14:31 -0700)]
x86/mm: TLB_REMOTE_SEND_IPI should count pages
TLB_REMOTE_SEND_IPI was recently introduced, but it counts bytes instead
of pages. In addition, it does not report correctly the case in which
flush_tlb_page flushes a page. Fix it to be consistent with other TLB
counters.
Fixes:
5b74283ab251b9d ("x86, mm: trace when an IPI is about to be sent")
Signed-off-by: Nadav Amit <namit@vmware.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Rik van Riel <riel@redhat.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Xishi Qiu [Fri, 1 Apr 2016 21:31:20 +0000 (14:31 -0700)]
mm: fix invalid node in alloc_migrate_target()
It is incorrect to use next_node to find a target node, it will return
MAX_NUMNODES or invalid node. This will lead to crash in buddy system
allocation.
Fixes:
c8721bbbdd36 ("mm: memory-hotplug: enable memory hotplug to handle hugepage")
Signed-off-by: Xishi Qiu <qiuxishi@huawei.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Acked-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Joonsoo Kim <js1304@gmail.com>
Cc: David Rientjes <rientjes@google.com>
Cc: "Laura Abbott" <lauraa@codeaurora.org>
Cc: Hui Zhu <zhuhui@xiaomi.com>
Cc: Wang Xiaoqiang <wangxq10@lzu.edu.cn>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Chen Gang [Fri, 1 Apr 2016 21:31:17 +0000 (14:31 -0700)]
include/linux/huge_mm.h: return NULL instead of false for pmd_trans_huge_lock()
The return value of pmd_trans_huge_lock() is a pointer, not a boolean
value, so use NULL instead of false as the return value.
Signed-off-by: Chen Gang <gang.chen.5i5j@gmail.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Alexander Potapenko [Fri, 1 Apr 2016 21:31:15 +0000 (14:31 -0700)]
mm, kasan: fix compilation for CONFIG_SLAB
Add the missing argument to set_track().
Fixes:
cd11016e5f52 ("mm, kasan: stackdepot implementation. Enable stackdepot for SLAB")
Signed-off-by: Alexander Potapenko <glider@google.com>
Cc: Andrey Konovalov <adech.fo@gmail.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Konstantin Serebryany <kcc@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Joe Perches [Fri, 1 Apr 2016 21:31:12 +0000 (14:31 -0700)]
MAINTAINERS: orangefs mailing list is subscribers-only
So update MAINTAINERS to say so.
Signed-off-by: Joe Perches <joe@perches.com>
Cc: Mike Marshall <hubcap@omnibond.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Marcin Wojtas [Fri, 1 Apr 2016 13:21:18 +0000 (15:21 +0200)]
net: mvneta: fix changing MTU when using per-cpu processing
After enabling per-cpu processing it appeared that under heavy load
changing MTU can result in blocking all port's interrupts and
transmitting data is not possible after the change.
This commit fixes above issue by disabling percpu interrupts for the
time, when TXQs and RXQs are reconfigured.
Signed-off-by: Marcin Wojtas <mw@semihalf.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Fri, 1 Apr 2016 18:38:59 +0000 (14:38 -0400)]
Merge branch 'stmmac-fixes'
Giuseppe Cavallaro says:
====================
stmmac MDIO and normal descr fixes
This patch series is to fix the problems below and recently debugged
in this mailing list:
o to fix a problem for the HW where the normal descriptor
o to fix the mdio registration according to the different
platform configurations
I am resending all the patches again: built on top of net.git repo.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Giuseppe CAVALLARO [Fri, 1 Apr 2016 07:07:16 +0000 (09:07 +0200)]
stmmac: fix MDIO settings
Initially the phy_bus_name was added to manipulate the
driver name but it was recently just used to manage the
fixed-link and then to take some decision at run-time.
So the patch uses the is_pseudo_fixed_link and removes
the phy_bus_name variable not necessary anymore.
The driver can manage the mdio registration by using phy-handle,
dwmac-mdio and own parameter e.g. snps,phy-addr.
This patch takes care about all these possible configurations
and fixes the mdio registration in case of there is a real
transceiver or a switch (that needs to be managed by using
fixed-link).
Signed-off-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Tested-by: Frank Schäfer <fschaefer.oss@googlemail.com>
Cc: Gabriel Fernandez <gabriel.fernandez@linaro.org>
Cc: Dinh Nguyen <dinh.linux@gmail.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Phil Reid <preid@electromag.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Giuseppe CAVALLARO [Fri, 1 Apr 2016 07:07:15 +0000 (09:07 +0200)]
Revert "stmmac: Fix 'eth0: No PHY found' regression"
This reverts commit
88f8b1bb41c6208f81b6a480244533ded7b59493.
due to problems on GeekBox and Banana Pi M1 board when
connected to a real transceiver instead of a switch via
fixed-link.
Signed-off-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Cc: Gabriel Fernandez <gabriel.fernandez@linaro.org>
Cc: Andreas Färber <afaerber@suse.de>
Cc: Frank Schäfer <fschaefer.oss@googlemail.com>
Cc: Dinh Nguyen <dinh.linux@gmail.com>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Giuseppe CAVALLARO [Fri, 1 Apr 2016 07:07:14 +0000 (09:07 +0200)]
stmmac: fix TX normal DESC
This patch fixs a regression raised when test on chips that use
the normal descriptor layout. In fact, no len bits were set for
the TDES1 and no OWN bit inside the TDES0.
Signed-off-by: Giuseppe CAVALLARO <peppe.cavallaro@st.com>
Tested-by: Andreas Färber <afaerber@suse.de>
Cc: Fabrice Gasnier <fabrice.gasnier@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jisheng Zhang [Fri, 1 Apr 2016 09:12:49 +0000 (17:12 +0800)]
net: mvneta: use cache_line_size() to get cacheline size
L1_CACHE_BYTES may not be the real cacheline size, use cache_line_size
to determine the cacheline size in runtime.
Signed-off-by: Jisheng Zhang <jszhang@marvell.com>
Suggested-by: Marcin Wojtas <mw@semihalf.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jisheng Zhang [Fri, 1 Apr 2016 09:11:05 +0000 (17:11 +0800)]
net: mvpp2: use cache_line_size() to get cacheline size
L1_CACHE_BYTES may not be the real cacheline size, use cache_line_size
to determine the cacheline size in runtime.
Signed-off-by: Jisheng Zhang <jszhang@marvell.com>
Suggested-by: Marcin Wojtas <mw@semihalf.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jisheng Zhang [Thu, 31 Mar 2016 09:01:23 +0000 (17:01 +0800)]
net: mvpp2: fix maybe-uninitialized warning
This is to fix the following maybe-uninitialized warning:
drivers/net/ethernet/marvell/mvpp2.c:6007:18: warning: 'err' may be
used uninitialized in this function [-Wmaybe-uninitialized]
Signed-off-by: Jisheng Zhang <jszhang@marvell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Daniel Borkmann [Thu, 31 Mar 2016 00:13:18 +0000 (02:13 +0200)]
tun, bpf: fix suspicious RCU usage in tun_{attach, detach}_filter
Sasha Levin reported a suspicious rcu_dereference_protected() warning
found while fuzzing with trinity that is similar to this one:
[ 52.765684] net/core/filter.c:2262 suspicious rcu_dereference_protected() usage!
[ 52.765688] other info that might help us debug this:
[ 52.765695] rcu_scheduler_active = 1, debug_locks = 1
[ 52.765701] 1 lock held by a.out/1525:
[ 52.765704] #0: (rtnl_mutex){+.+.+.}, at: [<
ffffffff816a64b7>] rtnl_lock+0x17/0x20
[ 52.765721] stack backtrace:
[ 52.765728] CPU: 1 PID: 1525 Comm: a.out Not tainted 4.5.0+ #264
[...]
[ 52.765768] Call Trace:
[ 52.765775] [<
ffffffff813e488d>] dump_stack+0x85/0xc8
[ 52.765784] [<
ffffffff810f2fa5>] lockdep_rcu_suspicious+0xd5/0x110
[ 52.765792] [<
ffffffff816afdc2>] sk_detach_filter+0x82/0x90
[ 52.765801] [<
ffffffffa0883425>] tun_detach_filter+0x35/0x90 [tun]
[ 52.765810] [<
ffffffffa0884ed4>] __tun_chr_ioctl+0x354/0x1130 [tun]
[ 52.765818] [<
ffffffff8136fed0>] ? selinux_file_ioctl+0x130/0x210
[ 52.765827] [<
ffffffffa0885ce3>] tun_chr_ioctl+0x13/0x20 [tun]
[ 52.765834] [<
ffffffff81260ea6>] do_vfs_ioctl+0x96/0x690
[ 52.765843] [<
ffffffff81364af3>] ? security_file_ioctl+0x43/0x60
[ 52.765850] [<
ffffffff81261519>] SyS_ioctl+0x79/0x90
[ 52.765858] [<
ffffffff81003ba2>] do_syscall_64+0x62/0x140
[ 52.765866] [<
ffffffff817d563f>] entry_SYSCALL64_slow_path+0x25/0x25
Same can be triggered with PROVE_RCU (+ PROVE_RCU_REPEATEDLY) enabled
from tun_attach_filter() when user space calls ioctl(tun_fd, TUN{ATTACH,
DETACH}FILTER, ...) for adding/removing a BPF filter on tap devices.
Since the fix in
f91ff5b9ff52 ("net: sk_{detach|attach}_filter() rcu
fixes") sk_attach_filter()/sk_detach_filter() now dereferences the
filter with rcu_dereference_protected(), checking whether socket lock
is held in control path.
Since its introduction in
994051625981 ("tun: socket filter support"),
tap filters are managed under RTNL lock from __tun_chr_ioctl(). Thus the
sock_owned_by_user(sk) doesn't apply in this specific case and therefore
triggers the false positive.
Extend the BPF API with __sk_attach_filter()/__sk_detach_filter() pair
that is used by tap filters and pass in lockdep_rtnl_is_held() for the
rcu_dereference_protected() checks instead.
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Fri, 1 Apr 2016 12:21:18 +0000 (07:21 -0500)]
Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
Pull drm fixes from Dave Airlie:
"Nothing too crazy in here: a bunch of AMD fixes/quirks, two msm fixes,
some rockchip fixes, and a udl warning fix, along with one locking fix
for displayport that seems to fix some dodgy monitors"
* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
drm/udl: Use unlocked gem unreferencing
drm/dp: move hw_mutex up the call stack
drm/amdgpu: Don't move pinned BOs
drm/radeon: Don't move pinned BOs
drm/radeon: add a dpm quirk for all R7 370 parts
drm/radeon: add another R7 370 quirk
drm/rockchip: dw_hdmi: Don't call platform_set_drvdata()
drm/rockchip: vop: Fix vop crtc cleanup
drm/rockchip: dw_hdmi: Call drm_encoder_cleanup() in error path
drm/rockchip: vop: Disable planes when disabling CRTC
drm/rockchip: vop: Don't reject empty modesets
drm/rockchip: cancel pending vblanks on close
drm/rockchip: vop: fix crtc size in plane check
drm/radeon: add a dpm quirk for sapphire Dual-X R7 370 2G D5
drm/amd: Beef up ACP Kconfig menu text
drm/msm: fix typo in the !COMMON_CLK case
drm/msm: fix bug after preclose removal
Linus Torvalds [Fri, 1 Apr 2016 12:18:27 +0000 (07:18 -0500)]
Merge tag 'powerpc-4.6-2' of git://git./linux/kernel/git/powerpc/linux
Pull powerpc fixes from Michael Ellerman:
- Fixup preempt underflow with huge pages from Sebastian Siewior
- Fix altivec SPR not being saved from Oliver O'Halloran
- Correct used_vsr comment from Simon Guo
* tag 'powerpc-4.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
powerpc: Correct used_vsr comment
powerpc/process: Fix altivec SPR not being saved
powerpc/mm: Fixup preempt underflow with huge pages
Linus Torvalds [Fri, 1 Apr 2016 12:15:54 +0000 (07:15 -0500)]
Merge branch 'for-linus' of git://git./linux/kernel/git/s390/linux
Pull s390 fixes from Martin Schwidefsky:
- A proper fix for the locking issue in the dasd driver
- Wire up the new preadv2 nad pwritev2 system calls
- Add the mark_rodata_ro function and set DEBUG_RODATA=y
- A few more bug fixes.
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
s390: wire up preadv2/pwritev2 syscalls
s390/pci: PCI function group 0 is valid for clp_query_pci_fn
s390/crypto: provide correct file mode at device register.
s390/mm: handle PTE-mapped tail pages in fast gup
s390: add DEBUG_RODATA support
s390: disable postinit-readonly for now
s390/dasd: reorder lcu and device lock
s390/cpum_sf: Fix cpu hotplug notifier transitions
s390/cpum_cf: Fix missing cpu hotplug notifier transition
Takashi Iwai [Fri, 1 Apr 2016 10:28:16 +0000 (12:28 +0200)]
ALSA: timer: Use mod_timer() for rearming the system timer
ALSA system timer backend stops the timer via del_timer() without sync
and leaves del_timer_sync() at the close instead. This is because of
the restriction by the design of ALSA timer: namely, the stop callback
may be called from the timer handler, and calling the sync shall lead
to a hangup. However, this also triggers a kernel BUG() when the
timer is rearmed immediately after stopping without sync:
kernel BUG at kernel/time/timer.c:966!
Call Trace:
<IRQ>
[<
ffffffff8239c94e>] snd_timer_s_start+0x13e/0x1a0
[<
ffffffff8239e1f4>] snd_timer_interrupt+0x504/0xec0
[<
ffffffff8122fca0>] ? debug_check_no_locks_freed+0x290/0x290
[<
ffffffff8239ec64>] snd_timer_s_function+0xb4/0x120
[<
ffffffff81296b72>] call_timer_fn+0x162/0x520
[<
ffffffff81296add>] ? call_timer_fn+0xcd/0x520
[<
ffffffff8239ebb0>] ? snd_timer_interrupt+0xec0/0xec0
....
It's the place where add_timer() checks the pending timer. It's clear
that this may happen after the immediate restart without sync in our
cases.
So, the workaround here is just to use mod_timer() instead of
add_timer(). This looks like a band-aid fix, but it's a right move,
as snd_timer_interrupt() takes care of the continuous rearm of timer.
Reported-by: Jiri Slaby <jslaby@suse.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Heiko Carstens [Mon, 21 Mar 2016 12:48:43 +0000 (13:48 +0100)]
s390: wire up preadv2/pwritev2 syscalls
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Pierre Morel [Wed, 16 Mar 2016 12:56:35 +0000 (13:56 +0100)]
s390/pci: PCI function group 0 is valid for clp_query_pci_fn
The PCI function group 0 is a valid function group,
it is wrong to reject it.
Let's accept PCI function group 0.
Signed-off-by: Pierre Morel <pmorel@linux.vnet.ibm.com>
Acked-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Masami Hiramatsu [Thu, 31 Mar 2016 13:33:23 +0000 (22:33 +0900)]
MAINTAINERS: Update my email address
Since I moved to Linaro, this old address doesn't work anymore.
I'll use my kernel.org account for upstreaming.
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: acme@redhat.com
Cc: rostedt@goodmis.org
Link: http://lkml.kernel.org/r/1459431203-7438-1-git-send-email-mhiramat@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Hui Wang [Fri, 1 Apr 2016 03:00:15 +0000 (11:00 +0800)]
ALSA: hda - fix front mic problem for a HP desktop
The front mic jack (pink color) can't detect any plug or unplug. After
applying this fix, both detecting function and recording function
work well.
BugLink: https://bugs.launchpad.net/bugs/1564712
Cc: stable@vger.kernel.org
Signed-off-by: Hui Wang <hui.wang@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>