In fsnotify_open() ensure that FMODE_NONOTIFY is never set by userspace.
Also always call fsnotify_parent and fsnotify.
Signed-off-by: Lino Sanfilippo <LinoSanfilippo@gmx.de>
Signed-off-by: Eric Paris <eparis@redhat.com>
In fanotify_read() return -ERESTARTSYS instead of -EINTR to
make read() restartable across signals (BSD semantic).
Signed-off-by: Eric Paris <eparis@redhat.com>
Reorder struct fsnotfiy_mark to remove 8 bytes of alignment padding on 64
bit builds. Shrinks fsnotfiy_mark to 128 bytes allowing more objects per
slab in its kmem_cache and reduces the number of cachelines needed for
each structure.
Signed-off-by: Richard Kennedy <richard@rsk.demon.co.uk>
Cc: Eric Paris <eparis@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
fs/notify/fanotify/fanotify_user.c: In function 'fanotify_release':
fs/notify/fanotify/fanotify_user.c:375: warning: unused variable 'lre'
fs/notify/fanotify/fanotify_user.c:375: warning: unused variable 're'
this is really ugly.
Cc: Eric Paris <eparis@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
The comments for FAN_CLOSE_WRITE and FAN_CLOSE_NOWRITE do not match
FS_CLOSE_WRITE and FS_CLOSE_NOWRITE, respectively. WRITE is for
writable files while NOWRITE is for non-writable files.
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
If fanotify sets a new bit in the ignored mask it will cause the generic
fsnotify layer to recalculate the real mask. This is stupid since we
didn't change that part.
Signed-off-by: Eric Paris <eparis@redhat.com>
fanotify has a very limited number of events it sends on directories. The
usefulness of these events is yet to be seen and still we send them. This
is particularly painful for mount marks where one might receive many of
these useless events. As such this patch will drop events on IS_DIR()
inodes unless they were explictly requested with FAN_ON_DIR.
This means that a mark on a directory without FAN_EVENT_ON_CHILD or
FAN_ON_DIR is meaningless and will result in no events ever (although it
will still be allowed since detecting it is hard)
Signed-off-by: Eric Paris <eparis@redhat.com>
The _IN_ in the naming is reserved for flags only used by inotify. Since I
am about to use this flag for fanotify rename it to be generic like the
rest.
Signed-off-by: Eric Paris <eparis@redhat.com>
fanotify_should_send_event has a test to see if an object is a file or
directory and does not send an event otherwise. The problem is that the
test is actually checking if the object with a mark is a file or directory,
not if the object the event happened on is a file or directory. We should
check the latter.
Signed-off-by: Eric Paris <eparis@redhat.com>
fanotify currently has no limit on the number of listeners a given user can
have open. This patch limits the total number of listeners per user to
128. This is the same as the inotify default limit.
Signed-off-by: Eric Paris <eparis@redhat.com>
Some fanotify groups, especially those like AV scanners, will need to place
lots of marks, particularly ignore marks. Since ignore marks do not pin
inodes in cache and are cleared if the inode is removed from core (usually
under memory pressure) we expose an interface for listeners, with
CAP_SYS_ADMIN, to override the maximum number of marks and be allowed to
set and 'unlimited' number of marks. Programs which make use of this
feature will be able to OOM a machine.
Signed-off-by: Eric Paris <eparis@redhat.com>
There is currently no limit on the number of marks a given fanotify group
can have. Since fanotify is gated on CAP_SYS_ADMIN this was not seen as
a serious DoS threat. This patch implements a default of 8192, the same as
inotify to work towards removing the CAP_SYS_ADMIN gating and eliminating
the default DoS'able status.
Signed-off-by: Eric Paris <eparis@redhat.com>
fanotify has a defualt max queue depth. This patch allows processes which
explicitly request it to have an 'unlimited' queue depth. These processes
need to be very careful to make sure they cannot fall far enough behind
that they OOM the box. Thus this flag is gated on CAP_SYS_ADMIN.
Signed-off-by: Eric Paris <eparis@redhat.com>
Currently fanotify has no maximum queue depth. Since fanotify is
CAP_SYS_ADMIN only this does not pose a normal user DoS issue, but it
certianly is possible that an fanotify listener which can't keep up could
OOM the box. This patch implements a default 16k depth. This is the same
default depth used by inotify, but given fanotify's better queue merging in
many situations this queue will contain many additional useful events by
comparison.
Signed-off-by: Eric Paris <eparis@redhat.com>
fanotify will clear ignore marks if a task changes the contents of an
inode. The problem is with the races around when userspace finishes
checking a file and when that result is actually attached to the inode.
This race was described as such:
Consider the following scenario with hostile processes A and B, and
victim process C:
1. Process A opens new file for writing. File check request is generated.
2. File check is performed in userspace. Check result is "file has no malware".
3. The "permit" response is delivered to kernel space.
4. File ignored mark set.
5. Process A writes dummy bytes to the file. File ignored flags are cleared.
6. Process B opens the same file for reading. File check request is generated.
7. File check is performed in userspace. Check result is "file has no malware".
8. Process A writes malware bytes to the file. There is no cached response yet.
9. The "permit" response is delivered to kernel space and is cached in fanotify.
10. File ignored mark set.
11. Now any process C will be permitted to open the malware file.
There is a race between steps 8 and 10
While fanotify makes no strong guarantees about systems with hostile
processes there is no reason we cannot harden against this race. We do
that by simply ignoring any ignore marks if the inode has open writers (aka
i_writecount > 0). (We actually do not ignore ignore marks if the
FAN_MARK_SURV_MODIFY flag is set)
Reported-by: Vasily Novikov <vasily.novikov@kaspersky.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
fanotify is supposed to be able to flush all marks. This is mostly useful
for the AV community to flush all cached decisions on a security policy
change. This functionality has existed in the kernel but wasn't correctly
exposed to userspace.
Signed-off-by: Eric Paris <eparis@redhat.com>
fsnotify perm events do not call fsnotify parent. That means you cannot
register a perm event on a directory and enforce permissions on all inodes in
that directory. This patch fixes that situation.
Signed-off-by: Eric Paris <eparis@redhat.com>
When fsnotify groups return errors they are ignored. For permissions
events these should be passed back up the stack, but for most events these
should continue to be ignored.
Signed-off-by: Eric Paris <eparis@redhat.com>
Currently the userspace struct exposed by fanotify uses
__attribute__((packed)) to make sure that alignment works on multiarch
platforms. Since this causes a severe performance penalty on some
platforms we are going to switch to using explicit alignment notation on
the 64bit values so we don't have to use 'packed'
Signed-off-by: Eric Paris <eparis@redhat.com>
The fanotify listeners needs to be able to specify what types of operations
they are going to perform so they can be ordered appropriately between other
listeners doing other types of operations. They need this to be able to make
sure that things like hierarchichal storage managers will get access to inodes
before processes which need the data. This patch defines 3 possible uses
which groups must indicate in the fanotify_init() flags.
FAN_CLASS_PRE_CONTENT
FAN_CLASS_CONTENT
FAN_CLASS_NOTIF
Groups will receive notification in that order. The order between 2 groups in
the same class is undeterministic.
FAN_CLASS_PRE_CONTENT is intended to be used by listeners which need access to
the inode before they are certain that the inode contains it's final data. A
hierarchical storage manager should choose to use this class.
FAN_CLASS_CONTENT is intended to be used by listeners which need access to the
inode after it contains its intended contents. This would be the appropriate
level for an AV solution or document control system.
FAN_CLASS_NOTIF is intended for normal async notification about access, much the
same as inotify and dnotify. Syncronous permissions events are not permitted
at this class.
Signed-off-by: Eric Paris <eparis@redhat.com>
fanotify needs to be able to specify that some groups get events before
others. They use this idea to make sure that a hierarchical storage
manager gets access to files before programs which actually use them. This
is purely infrastructure. Everything will have a priority of 0, but the
infrastructure will exist for it to be non-zero.
Signed-off-by: Eric Paris <eparis@redhat.com>
We disabled the ability to build fanotify in commit 7c5347733d.
This reverts that commit and allows people to build fanotify.
Signed-off-by: Eric Paris <eparis@redhat.com>
* 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging: (68 commits)
hwmon: (it87) Add support for the IT8721F/IT8758E
hwmon: (it87) Move conversion functions
hwmon: Remove many EXPERIMENTAL flags
hwmon: (lm85) Add support for ADT7468 high-frequency PWM mode
hwmon: (lm85) Document the ADT7468 as supported
hwmon: (lm85) Fix ADT7468 frequency table
hwmon: I2C addresses are constant
Move ams driver to macintosh
hwmon: (pcf8591) Don't attempt to detect devices
hwmon: (pcf8591) Register as a hwmon device
hwmon: (w83795) Use standard attributes for chassis intrusion
hwmon: (w83795) Exclude fan control feature by default
hwmon: (w83795) Add myself as co-author and maintainer
hwmon: (w83795) More style cleanups
hwmon: (w83795) Fix LSB reading of voltage limits
hwmon: (w83795) Use dev_get_drvdata() where possible
hwmon: (w83795) Delay reading pwm config registers
hwmon: (w83795) Delay reading limit registers
hwmon: (w83795) Move register reads to dedicated functions
hwmon: (w83795) Pack similar register reads
...
* 'linux-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jbarnes/pci-2.6: (27 commits)
x86: allocate space within a region top-down
x86: update iomem_resource end based on CPU physical address capabilities
x86/PCI: allocate space from the end of a region, not the beginning
PCI: allocate bus resources from the top down
resources: support allocating space within a region from the top down
resources: handle overflow when aligning start of available area
resources: ensure callback doesn't allocate outside available space
resources: factor out resource_clip() to simplify find_resource()
resources: add a default alignf to simplify find_resource()
x86/PCI: MMCONFIG: fix region end calculation
PCI: Add support for polling PME state on suspended legacy PCI devices
PCI: Export some PCI PM functionality
PCI: fix message typo
PCI: log vendor/device ID always
PCI: update Intel chipset names and defines
PCI: use new ccflags variable in Makefile
PCI: add PCI_MSIX_TABLE/PBA defines
PCI: add PCI vendor id for STmicroelectronics
x86/PCI: irq and pci_ids patch for Intel Patsburg DeviceIDs
PCI: OLPC: Only enable PCI configuration type override on XO-1
...
Add support for the IT8721F/IT8758E. These new chips differ from the
older IT87xxF chips in the following ways:
* ADC LSB is 12 mV instead of 16 mV.
* PWM values are 8-bit instead of 7-bit.
There are other minor changes we don't have to care about in the
driver.
Another change is that we will handle internal voltage scaling in the
driver instead of delegating the work to user-space.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Move conversion functions until after structure defintions. This is
needed for future changes which make use of the structures in the
conversion funtcions.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Remove the dependency on EXPERIMENTAL for all drivers which are in
the kernel tree for a long time, are known to work properly and for
which we have documentation.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Cc: Corentin Labbe <corentin.labbe@geomatys.fr>
Cc: Riku Voipio <riku.voipio@iki.fi>
Cc: Juerg Haefliger <juergh@gmail.com>
Acked-by: Guenter Roeck <guenter.roeck@ericsson.com>
The ADT7468 supports a high-frequency PWM output mode where all PWM
outputs are driven by a 22.5 kHz clock. Add support for this mode, and
document it, as it may surprise the user that setting one PWM output
frequency also affects the other PWM outputs.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Cc: Darrick J. Wong <djwong@us.ibm.com>
Acked-by: Guenter Roeck <guenter.roeck@ericsson.com>
The ADT7468 uses the same frequency table as the ADT7463.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Cc: stable@kernel.org
Cc: Darrick J. Wong <djwong@us.ibm.com>
Acked-by: Guenter Roeck <guenter.roeck@ericsson.com>
We can mark normal_i2c const. Almost all drivers do that already, so
fix the 3 remaining ones before they are used as (bad) examples for
new drivers.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Cc: George Joseph <george.joseph@fairview5.com>
Reviewed-by: Guenter Roeck <guenter.roeck@ericsson.com>
The ams driver isn't a hardware monitoring driver, so it shouldn't
live under driver/hwmon. drivers/macintosh seems much more
appropriate, as the driver is only useful on PowerBooks and iBooks.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Cc: Guenter Roeck <guenter.roeck@ericsson.com>
Cc: Stelian Pop <stelian@popies.net>
Cc: Michael Hanselmann <linux-kernel@hansmi.ch>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Grant Likely <grant.likely@secretlab.ca>
The PCF8591 can't be detected, don't even try. There are plenty of
other means to instantiate i2c devices these days.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Reviewed-by: Guenter Roeck <guenter.roeck@ericsson.com>
Cc: Aurelien Jarno <aurelien@aurel32.net>
Register PCF8591 devices as hwmon devices. There's little point in
implementing the standard sysfs interface if we don't register it in
a way libsensors will pick it.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Reviewed-by: Guenter Roeck <guenter.roeck@ericsson.com>
Cc: Aurelien Jarno <aurelien@aurel32.net>
Follow the standard attribute naming for the chassis intrusion
feature. I couldn't test the beeping (my board apparently doesn't do
that) but the alarm works fine.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Acked-by: Guenter Roeck <guenter.roeck@ericsson.com>
The fan control feature of the w83795 driver is insufficiently
reviewed and tested for public consumption at this time, so make it
optional and disabled by default. We will change the default when
review and testing is deemed sufficient. Ultimately the option will
go away.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Acked-by: Guenter Roeck <guenter.roeck@ericsson.com>
I've made so many changes to the w83795 driver that it's only fair to
list myself as a co-author. I'll also maintain the driver for some
time. There's more work needed on the driver for sure.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Acked-by: Guenter Roeck <guenter.roeck@ericsson.com>
Cleanups suggested by Guenter Roeck, falling into 4 categories:
* Swapping test orders, because if (var == CONSTANT) is much easier to
read than if (CONSTANT == var).
* Simplifying comparisons with 0.
* Dropping unneeded masks.
* Dropping unneeded parentheses and curly braces.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Acked-by: Guenter Roeck <guenter.roeck@ericsson.com>
When we don't need the client pointer, calling dev_get_drvdata() is
more efficient that calling to_i2c_client() and then
i2c_get_clientdata().
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Wait until we need the pwm config register values, instead of
pre-reading them. This saves over 1 second on modprobe on my test
system.
Obviously this time is added when first accessing pwm config
attributes, however not everybody will use them, so it seems unfair
to slow down driver loading (and thus boot) for an optional feature.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Wait until we need the limit register values, instead of pre-reading
them. This saves 544 ms on modprobe on my test system. Obviously this
time is added when first running "sensors" or any other monitoring
application, but I think it is better than slowing down the boot.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Move initial register reads out of probe, to dedicated functions.
This makes the code clearer, and will be needed if we want to delay
calling these functions until they are needed, or want to call them
periodically.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Acked-by: Guenter Roeck <guenter.roeck@ericsson.com>
Cascaded conditionals are inefficient. Reorder the fields so that
PWM register addresses can be computed more efficiently.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Acked-by: Guenter Roeck <guenter.roeck@ericsson.com>
There is no point in reading registers during initialization if we
will refresh the values in the update function later. This is only
slowing down the driver loading with no benefit, stop doing it.
This change saves 480 ms on driver load on my test system.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
All 3 temperature sensor type sysfs functions (show_temp_mode,
store_temp_mode and show_dts_mode) can be simplified. We don't
create these files when the correponding input isn't in temperature
monitoring mode, so there is no point in handling that case.
Likewise, we don't allow changing inputs from temperature to voltage,
so the code handling this case is dead and can be removed.
Signed-off-by: Jean Delvare <khali@linux-fr.org>