Seth Forshee [Wed, 7 Oct 2015 19:49:47 +0000 (14:49 -0500)]
UBUNTU: SAUCE: (namespace) block_dev: Check permissions towards block device inode when mounting
Unprivileged users should not be able to mount block devices when
they lack sufficient privileges towards the block device inode.
Update blkdev_get_by_path() to validate that the user has the
required access to the inode at the specified path. The check
will be skipped for CAP_SYS_ADMIN, so privileged mounts will
continue working as before.
UBUNTU: SAUCE: (namespace) block_dev: Support checking inode permissions in lookup_bdev()
When looking up a block device by path no permission check is
done to verify that the user has access to the block device inode
at the specified path. In some cases it may be necessary to
check permissions towards the inode, such as allowing
unprivileged users to mount block devices in user namespaces.
Add an argument to lookup_bdev() to optionally perform this
permission check. A value of 0 skips the permission check and
behaves the same as before. A non-zero value specifies the mask
of access rights required towards the inode at the specified
path. The check is always skipped if the user has CAP_SYS_ADMIN.
All callers of lookup_bdev() currently pass a mask of 0, so this
patch results in no functional change. Subsequent patches will
add permission checks where appropriate.
Tim Gardner [Thu, 17 Nov 2016 19:18:05 +0000 (12:18 -0700)]
UBUNTU: SAUCE: UEFI: bpf: disable bpf when module security is enabled
BPF carnage - Hi, It looks like CONFIG_BPF_EVENTS needs to be disabled
in secure boot environments since you can read kernel memory (and
hence, the hibernation image signing key) by attaching an eBPF program
to a tracepoint through a perf_event_open() fd which uses bpf_probe_read()
and either bpf_trace_printk() or bpf_probe_write_user(). (Or, rather,
kernel memory _reads_ need to be added to the threat model if a private
key is held in kernel memory.) -Kees -- Kees Cook Nexus Security
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Conflicts:
kernel/bpf/syscall.c
Ming Lei [Thu, 3 Nov 2016 01:20:01 +0000 (09:20 +0800)]
UBUNTU: SAUCE: hio: splitting bio in the entry of .make_request_fn
BugLink: http://bugs.launchpad.net/bugs/1638700
From v4.3, the incoming bio can be very big[1], and it is
required to split it first in .make_request_fn(), so
we need to do that for hio.c too.
Signed-off-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
This program is free software; you can redistribute it and/or modify it
under the terms and conditions of the GNU General Public License,
version 2, as published by the Free Software Foundation.
This program is distributed in the hope it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
more details.
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Acked-by: Brad Figg <brad.figg@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
BugLink: http://bugs.launchpad.net/bugs/1635594
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Acked-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Rob Nelson [Tue, 17 Nov 2015 23:47:27 +0000 (15:47 -0800)]
UBUNTU: SAUCE: nvme: improve performance for virtual NVMe devices
This change provides a mechanism to reduce the number of MMIO doorbell
writes for the NVMe driver. When running in a virtualized environment
like QEMU, the cost of an MMIO is quite hefty here. The main idea for
the patch is to provide the device two memory locations:
1) to store the doorbell values so they can be looked up without the doorbell
MMIO write
2) to store an event index.
I believe the doorbell value is obvious, the event index not so much.
Similar to the virtio specification, the virtual device can tell the
driver (guest OS) not to write MMIO unless you are writing past this
value.
FYI: doorbell values are written by the nvme driver (guest OS) and the
event index is written by the virtual device (host OS).
The patch implements a new admin command that will communicate where
these two memory locations reside. If the command fails, the nvme
driver will work as before without any optimizations.
Contributions:
Eric Northup <digitaleric@google.com>
Frank Swiderski <fes@google.com>
Ted Tso <tytso@mit.edu>
Keith Busch <keith.busch@intel.com>
Just to give an idea of the performance boost with the vendor
extension: running fio [1] with a stock NVMe driver I get about 200K read
IOPs; with my vendor patch I get about 1000K read IOPs. This was
running with a null device, i.e. the backing device simply returned
success on every read IO request.
Signed-off-by: Rob Nelson <rlnelson@google.com>
[mlin: port for upstream] Signed-off-by: Ming Lin <mlin@kernel.org>
[koike: updated for current APIs] Signed-off-by: Helen Mae Koike Fornazier <helen.koike@collabora.co.uk>
Conflicts:
drivers/nvme/host/Kconfig
drivers/nvme/host/pci.c
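The doorbell/event-index handshake the commit message describes, as an added illustration that is not the patch's code: a user-space C model in which the guest driver records each doorbell value in shared memory and only performs a real MMIO write when the device's event index says one is needed. The crossing test in `dbbuf_need_event` is the virtio event-index rule, assumed here because the commit only says the scheme is "similar to the virtio specification"; all names and the scripted scenario are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the two shared locations: a shadow doorbell written by
 * the guest driver and an event index written by the virtual device. The MMIO
 * doorbell register is replaced by a counter so the saved exits can be seen. */
struct dbbuf_queue {
    uint16_t shadow_db;   /* doorbell value, written by the nvme driver (guest) */
    uint16_t event_idx;   /* event index, written by the virtual device (host) */
    uint16_t last_db;     /* last value the driver rang (driver-private) */
    unsigned mmio_writes; /* real MMIO doorbell writes performed */
};

/* Wrap-safe rule borrowed from virtio's event index (an assumption; the commit
 * only says the scheme is "similar to the virtio specification"): an MMIO kick
 * is needed only if moving the doorbell from old to new_idx crossed event_idx. */
static bool dbbuf_need_event(uint16_t event_idx, uint16_t new_idx, uint16_t old)
{
    return (uint16_t)(new_idx - event_idx - 1) < (uint16_t)(new_idx - old);
}

/* Driver side: publish the tail in shared memory, kick only when asked to. */
static void driver_ring_doorbell(struct dbbuf_queue *q, uint16_t new_tail)
{
    uint16_t old = q->last_db;
    q->shadow_db = new_tail; /* a real driver needs a write barrier (wmb) here */
    if (dbbuf_need_event(q->event_idx, new_tail, old))
        q->mmio_writes++;    /* stand-in for writel() to the doorbell register */
    q->last_db = new_tail;
}

/* Device side: after consuming entries, say from which index it wants a kick. */
static void device_set_event_idx(struct dbbuf_queue *q, uint16_t idx) { q->event_idx = idx; }

/* Scripted exchange: returns how many MMIO writes 20 submissions really cost. */
static unsigned demo_mmio_writes(void)
{
    struct dbbuf_queue q;
    memset(&q, 0, sizeof q);
    driver_ring_doorbell(&q, 1);     /* first submission: kick #1 */
    device_set_event_idx(&q, 5);     /* device: "no kick until you pass 5" */
    for (uint16_t t = 2; t <= 5; t++)
        driver_ring_doorbell(&q, t); /* shadow writes only, no MMIO */
    driver_ring_doorbell(&q, 6);     /* crosses event_idx: kick #2 */
    device_set_event_idx(&q, 10);
    driver_ring_doorbell(&q, 20);    /* batch 7..20 crosses 10: kick #3 */
    return q.mmio_writes;
}

int main(void) { printf("MMIO doorbell writes: %u\n", demo_mmio_writes()); return 0; }
```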
Andy Whitcroft [Wed, 26 Oct 2016 16:47:57 +0000 (17:47 +0100)]
UBUNTU: [Config] switch squashfs to single threaded decode
There is some issue with squashfs decoding when done in a multi-threaded
manner which leads to large memory consumption. Either we have a leak
or more probably we have a pathological case leading to horrible internal
fragmentation. For the moment turn it off while it can be investigated.
BugLink: http://bugs.launchpad.net/bugs/1636847
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Acked-by: Brad Figg <brad.figg@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Gavin Guo [Wed, 12 Oct 2016 01:13:35 +0000 (09:13 +0800)]
UBUNTU: SAUCE: (no-up) If zone is so small that watermarks are the same, stop zone balance.
BugLink: http://bugs.launchpad.net/bugs/1518457
On an AWS t2.micro instance (Xeon E5-2670, 991MiB of memory),
occasionally (about once a day) kswapd0 falls into a busy loop and
spins at 100% CPU usage indefinitely. Refuse to do the zone balance
when the memory is too small.
Andy Whitcroft [Thu, 6 Oct 2016 13:22:12 +0000 (14:22 +0100)]
UBUNTU: SAUCE: (no-up) include/linux/security.h -- fix syntax error with CONFIG_SECURITYFS=n
commit c2ac27f7a443 ("securityfs: update interface to allow
inode_ops, and setup from vfs") introduced a syntax error
in include/linux/security.h when CONFIG_SECURITYFS is not set.
This is exercised by the zfcpdump-kernel for s390x.
BugLink: http://bugs.launchpad.net/bugs/1630990
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Acked-by: Colin King <colin.king@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
tries to do the right thing and add a change event at the right
time, but doing so made things actually worse.
The only thing which this patch changes is that i_size and the
capacity are touched multiple times. Both actions do not look
like they could cause a change event being triggered in any way.
Still it does happen and whatever is doing this, it also causes
a partition scan.
So without this change when connecting a file image with qemu-nbd
there was only one change event and no partitions added. However
in some rare cases there were two change events on the main nbd
device and partitions were added.
One thought I had was that maybe something like inotify notes the
change to bdev->bd_inode->i_size and triggers the partition
scan when the capacity is already >0. But only changing the
order, without updating all variables whenever any of the related
ioctl calls is made, does not work. This somehow leaves only the
longer time the changes are exposed until nbd sends its own
change event as some sort of explanation.
BugLink: http://bugs.launchpad.net/bugs/1628336
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
John Johansen [Sun, 24 Jul 2016 23:06:14 +0000 (16:06 -0700)]
securityfs: update interface to allow inode_ops, and setup from vfs fns
BugLink: http://bugs.launchpad.net/bugs/1611078
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Paolo Pisati [Wed, 28 Sep 2016 11:22:25 +0000 (13:22 +0200)]
UBUNTU: [Config] armhf: disable ARCH_ZX
BugLink: http://bugs.launchpad.net/bugs/1628503
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Tim Gardner [Tue, 27 Sep 2016 15:30:06 +0000 (09:30 -0600)]
UBUNTU: [Config] skip Ubuntu-4.8.0-18.20
That version was used during Beta2 testing but was never published
outside of a PPA. However, the tag has been pushed should we ever
want to retrieve it.
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
BugLink: http://bugs.launchpad.net/bugs/1628112
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Luis Henriques [Fri, 23 Sep 2016 15:39:35 +0000 (16:39 +0100)]
UBUNTU: [Config] CONFIG_GOLDFISH=n
BugLink: http://bugs.launchpad.net/bugs/1627052
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
drivers/built-in.o: In function `qe_usb_clock_set':
drivers/soc/fsl/qe/usb.c:25: undefined reference to `qe_immr'
drivers/soc/fsl/qe/usb.c:25: undefined reference to `qe_immr'
drivers/soc/fsl/qe/usb.c:48: undefined reference to `cmxgcr_lock'
drivers/soc/fsl/qe/usb.c:48: undefined reference to `cmxgcr_lock'
drivers/soc/fsl/qe/usb.c:46: undefined reference to `qe_setbrg'
Makefile:965: recipe for target 'vmlinux' failed
make[2]: *** [vmlinux] Error 1