Merge branch 'next' into for-linus

6 files changed, 33 insertions, 13 deletions

diff --git a/kernel/cred.c b/kernel/cred.c
index 3a039189d707..1bb4d7e5d616 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -167,7 +167,7 @@ EXPORT_SYMBOL(prepare_creds);
 
 /*
  * Prepare credentials for current to perform an execve()
- * - The caller must hold current->cred_exec_mutex
+ * - The caller must hold current->cred_guard_mutex
  */
 struct cred *prepare_exec_creds(void)
 {
@@ -276,7 +276,7 @@ int copy_creds(struct task_struct *p, unsigned long clone_flags)
         struct cred *new;
         int ret;
 
-        mutex_init(&p->cred_exec_mutex);
+        mutex_init(&p->cred_guard_mutex);
 
         if (
 #ifdef CONFIG_KEYS
diff --git a/kernel/exit.c b/kernel/exit.c
index abf9cf3b95c6..036e8d740169 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -1476,6 +1476,7 @@ static int wait_consider_task(struct task_struct *parent, int ptrace,
                  */
                 if (*notask_error)
                         *notask_error = ret;
+                return 0;
         }
 
         if (likely(!ptrace) && unlikely(p->ptrace)) {
diff --git a/kernel/module.c b/kernel/module.c
index e797812a4d95..cb3887e770e2 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -72,6 +72,9 @@ DEFINE_MUTEX(module_mutex);
 EXPORT_SYMBOL_GPL(module_mutex);
 static LIST_HEAD(modules);
 
+/* Block module loading/unloading? */
+int modules_disabled = 0;
+
 /* Waiting for a module to finish initializing? */
 static DECLARE_WAIT_QUEUE_HEAD(module_wq);
 
@@ -777,7 +780,7 @@ SYSCALL_DEFINE2(delete_module, const char __user *, name_user,
         char name[MODULE_NAME_LEN];
         int ret, forced = 0;
 
-        if (!capable(CAP_SYS_MODULE))
+        if (!capable(CAP_SYS_MODULE) || modules_disabled)
                 return -EPERM;
 
         if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
@@ -2336,7 +2339,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,
         int ret = 0;
 
         /* Must have permission */
-        if (!capable(CAP_SYS_MODULE))
+        if (!capable(CAP_SYS_MODULE) || modules_disabled)
                 return -EPERM;
 
         /* Only one module load at a time, please */
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index 42c317874cfa..43a5a3b0be79 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -185,10 +185,11 @@ int ptrace_attach(struct task_struct *task)
         if (same_thread_group(task, current))
                 goto out;
 
-        /* Protect exec's credential calculations against our interference;
-         * SUID, SGID and LSM creds get determined differently under ptrace.
+        /* Protect the target's credential calculations against our
+         * interference; SUID, SGID and LSM creds get determined differently
+         * under ptrace.
          */
-        retval = mutex_lock_interruptible(&task->cred_exec_mutex);
+        retval = mutex_lock_interruptible(&task->cred_guard_mutex);
         if (retval  < 0)
                 goto out;
 
@@ -232,7 +233,7 @@ repeat:
 bad:
         write_unlock_irqrestore(&tasklist_lock, flags);
         task_unlock(task);
-        mutex_unlock(&task->cred_exec_mutex);
+        mutex_unlock(&task->cred_guard_mutex);
 out:
         return retval;
 }
diff --git a/kernel/signal.c b/kernel/signal.c
index d8034737db4c..d2dd9cf5dcc6 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -249,14 +249,19 @@ void flush_sigqueue(struct sigpending *queue)
 /*
  * Flush all pending signals for a task.
  */
+void __flush_signals(struct task_struct *t)
+{
+        clear_tsk_thread_flag(t, TIF_SIGPENDING);
+        flush_sigqueue(&t->pending);
+        flush_sigqueue(&t->signal->shared_pending);
+}
+
 void flush_signals(struct task_struct *t)
 {
         unsigned long flags;
 
         spin_lock_irqsave(&t->sighand->siglock, flags);
-        clear_tsk_thread_flag(t, TIF_SIGPENDING);
-        flush_sigqueue(&t->pending);
-        flush_sigqueue(&t->signal->shared_pending);
+        __flush_signals(t);
         spin_unlock_irqrestore(&t->sighand->siglock, flags);
 }
 
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 6a463716ecbf..944ba03cae19 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -114,6 +114,7 @@ static int ngroups_max = NGROUPS_MAX;
 
 #ifdef CONFIG_MODULES
 extern char modprobe_path[];
+extern int modules_disabled;
 #endif
 #ifdef CONFIG_CHR_DEV_SG
 extern int sg_big_buff;
@@ -534,6 +535,17 @@ static struct ctl_table kern_table[] = {
                 .proc_handler   = &proc_dostring,
                 .strategy       = &sysctl_string,
         },
+        {
+                .ctl_name       = CTL_UNNUMBERED,
+                .procname       = "modules_disabled",
+                .data           = &modules_disabled,
+                .maxlen         = sizeof(int),
+                .mode           = 0644,
+                /* only handle a transition from default "0" to "1" */
+                .proc_handler   = &proc_dointvec_minmax,
+                .extra1         = &one,
+                .extra2         = &one,
+        },
 #endif
 #if defined(CONFIG_HOTPLUG) && defined(CONFIG_NET)
         {
@@ -1233,7 +1245,6 @@ static struct ctl_table vm_table[] = {
                 .strategy       = &sysctl_jiffies,
         },
 #endif
-#ifdef CONFIG_SECURITY
         {
                 .ctl_name       = CTL_UNNUMBERED,
                 .procname       = "mmap_min_addr",
@@ -1242,7 +1253,6 @@ static struct ctl_table vm_table[] = {
                 .mode           = 0644,
                 .proc_handler   = &proc_doulongvec_minmax,
         },
-#endif
 #ifdef CONFIG_NUMA
         {
                 .ctl_name       = CTL_UNNUMBERED,