1. 05 12月, 2014 2 次提交
    • V
      i2c: cadence: Set the hardware time-out register to maximum value · 681d15a0
      Vishnu Motghare 提交于
      Cadence I2C controller has bug wherein it generates invalid read transactions
      after timeout in master receiver mode. This driver does not use the HW
      timeout and this interrupt is disabled but the feature itself cannot be
      disabled. Hence, this patch writes the maximum value (0xFF) to this register.
      This is one of the workarounds to this bug and it will not avoid the issue
      completely but reduces the chances of error.
      Signed-off-by: NVishnu Motghare <vishnum@xilinx.com>
      Signed-off-by: NHarini Katakam <harinik@xilinx.com>
      Signed-off-by: NWolfram Sang <wsa@the-dreams.de>
      Cc: stable@kernel.org
      681d15a0
    • G
      i2c: davinci: generate STP always when NACK is received · 9ea359f7
      Grygorii Strashko 提交于
      According to I2C specification the NACK should be handled as follows:
      "When SDA remains HIGH during this ninth clock pulse, this is defined as the Not
      Acknowledge signal. The master can then generate either a STOP condition to
      abort the transfer, or a repeated START condition to start a new transfer."
      [I2C spec Rev. 6, 3.1.6: http://www.nxp.com/documents/user_manual/UM10204.pdf]
      
      Currently the Davinci i2c driver interrupts the transfer on receipt of a
      NACK but fails to send a STOP in some situations and so makes the bus
      stuck until next I2C IP reset (idle/enable).
      
      For example, the issue will happen during SMBus read transfer which
      consists from two i2c messages write command/address and read data:
      
      S Slave Address Wr A Command Code A Sr Slave Address Rd A D1..Dn A P
      <--- write -----------------------> <--- read --------------------->
      
      The I2C client device will send NACK if it can't recognize "Command Code"
      and it's expected from I2C master to generate STP in this case.
      But now, Davinci i2C driver will just exit with -EREMOTEIO and STP will
      not be generated.
      
      Hence, fix it by generating Stop condition (STP) always when NACK is received.
      
      This patch fixes Davinci I2C in the same way it was done for OMAP I2C
      commit cda2109a ("i2c: omap: query STP always when NACK is received").
      Reviewed-by: NUwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Reported-by: NHein Tibosch <hein_tibosch@yahoo.es>
      Signed-off-by: NGrygorii Strashko <grygorii.strashko@ti.com>
      Signed-off-by: NWolfram Sang <wsa@the-dreams.de>
      Cc: stable@kernel.org
      9ea359f7
  2. 04 12月, 2014 16 次提交
  3. 03 12月, 2014 9 次提交
    • H
    • S
      xen-netfront: Remove BUGs on paged skb data which crosses a page boundary · 8d609725
      Seth Forshee 提交于
      These BUGs can be erroneously triggered by frags which refer to
      tail pages within a compound page. The data in these pages may
      overrun the hardware page while still being contained within the
      compound page, but since compound_order() evaluates to 0 for tail
      pages the assertion fails. The code already iterates through
      subsequent pages correctly in this scenario, so the BUGs are
      unnecessary and can be removed.
      
      Fixes: f36c3747 ("xen/netfront: handle compound page fragments on transmit")
      Cc: <stable@vger.kernel.org> # 3.7+
      Signed-off-by: NSeth Forshee <seth.forshee@canonical.com>
      Reviewed-by: NDavid Vrabel <david.vrabel@citrix.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8d609725
    • A
      mm/vmpressure.c: fix race in vmpressure_work_fn() · 91b57191
      Andrew Morton 提交于
      In some android devices, there will be a "divide by zero" exception.
      vmpr->scanned could be zero before spin_lock(&vmpr->sr_lock).
      
      Addresses https://bugzilla.kernel.org/show_bug.cgi?id=88051
      
      [akpm@linux-foundation.org: neaten]
      Reported-by: Nji_ang <ji_ang@163.com>
      Cc: Anton Vorontsov <anton.vorontsov@linaro.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      91b57191
    • W
      mm: frontswap: invalidate expired data on a dup-store failure · fb993fa1
      Weijie Yang 提交于
      If a frontswap dup-store failed, it should invalidate the expired page
      in the backend, or it could trigger some data corruption issue.
      Such as:
       1. use zswap as the frontswap backend with writeback feature
       2. store a swap page(version_1) to entry A, success
       3. dup-store a newer page(version_2) to the same entry A, fail
       4. use __swap_writepage() write version_2 page to swapfile, success
       5. zswap do shrink, writeback version_1 page to swapfile
       6. version_2 page is overwrited by version_1, data corrupt.
      
      This patch fixes this issue by invalidating expired data immediately
      when meet a dup-store failure.
      Signed-off-by: NWeijie Yang <weijie.yang@samsung.com>
      Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Cc: Seth Jennings <sjennings@variantweb.net>
      Cc: Dan Streetman <ddstreet@ieee.org>
      Cc: Minchan Kim <minchan@kernel.org>
      Cc: Bob Liu <bob.liu@oracle.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      fb993fa1
    • R
      mm: do not overwrite reserved pages counter at show_mem() · bc127bda
      Rafael Aquini 提交于
      Minor fixlet to perform the reserved pages counter aggregation for each
      node, at show_mem()
      Signed-off-by: NRafael Aquini <aquini@redhat.com>
      Acked-by: NRik van Riel <riel@redhat.com>
      Acked-by: NJohannes Weiner <jweiner@redhat.com>
      Acked-by: NYasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      bc127bda
    • D
      Merge branch 'drm-fixes-3.18' of git://people.freedesktop.org/~agd5f/linux into drm-fixes · 00d6a9b6
      Dave Airlie 提交于
      A few more small fixes for 3.18.
      
      * 'drm-fixes-3.18' of git://people.freedesktop.org/~agd5f/linux:
        drm/radeon: kernel panic in drm_calc_vbltimestamp_from_scanoutpos with 3.18.0-rc6
        drm/radeon: Ignore RADEON_GEM_GTT_WC on 32-bit x86
        drm/radeon: sync all BOs involved in a CS v2
      00d6a9b6
    • P
      drm/radeon: kernel panic in drm_calc_vbltimestamp_from_scanoutpos with 3.18.0-rc6 · f5475cc4
      Petr Mladek 提交于
      I was unable too boot 3.18.0-rc6 because of the following kernel
      panic in drm_calc_vbltimestamp_from_scanoutpos():
      
          [drm] Initialized drm 1.1.0 20060810
          [drm] radeon kernel modesetting enabled.
          [drm] initializing kernel modesetting (RV100 0x1002:0x515E 0x15D9:0x8080).
          [drm] register mmio base: 0xC8400000
          [drm] register mmio size: 65536
          radeon 0000:0b:01.0: VRAM: 128M 0x00000000D0000000 - 0x00000000D7FFFFFF (16M used)
          radeon 0000:0b:01.0: GTT: 512M 0x00000000B0000000 - 0x00000000CFFFFFFF
          [drm] Detected VRAM RAM=128M, BAR=128M
          [drm] RAM width 16bits DDR
          [TTM] Zone  kernel: Available graphics memory: 3829346 kiB
          [TTM] Zone   dma32: Available graphics memory: 2097152 kiB
          [TTM] Initializing pool allocator
          [TTM] Initializing DMA pool allocator
          [drm] radeon: 16M of VRAM memory ready
          [drm] radeon: 512M of GTT memory ready.
          [drm] GART: num cpu pages 131072, num gpu pages 131072
          [drm] PCI GART of 512M enabled (table at 0x0000000037880000).
          radeon 0000:0b:01.0: WB disabled
          radeon 0000:0b:01.0: fence driver on ring 0 use gpu addr 0x00000000b0000000 and cpu addr 0xffff8800bbbfa000
          [drm] Supports vblank timestamp caching Rev 2 (21.10.2013).
          [drm] Driver supports precise vblank timestamp query.
          [drm] radeon: irq initialized.
          [drm] Loading R100 Microcode
          radeon 0000:0b:01.0: Direct firmware load for radeon/R100_cp.bin failed with error -2
          radeon_cp: Failed to load firmware "radeon/R100_cp.bin"
          [drm:r100_cp_init] *ERROR* Failed to load firmware!
          radeon 0000:0b:01.0: failed initializing CP (-2).
          radeon 0000:0b:01.0: Disabling GPU acceleration
          [drm] radeon: cp finalized
          BUG: unable to handle kernel NULL pointer dereference at 000000000000025c
          IP: [<ffffffff8150423b>] drm_calc_vbltimestamp_from_scanoutpos+0x4b/0x320
          PGD 0
          Oops: 0000 [#1] SMP
          Modules linked in:
          CPU: 1 PID: 1 Comm: swapper/0 Not tainted 3.18.0-rc6-4-default #2649
          Hardware name: Supermicro X7DB8/X7DB8, BIOS 6.00 07/26/2006
          task: ffff880234da2010 ti: ffff880234da4000 task.ti: ffff880234da4000
          RIP: 0010:[<ffffffff8150423b>]  [<ffffffff8150423b>] drm_calc_vbltimestamp_from_scanoutpos+0x4b/0x320
          RSP: 0000:ffff880234da7918  EFLAGS: 00010086
          RAX: ffffffff81557890 RBX: 0000000000000000 RCX: ffff880234da7a48
          RDX: ffff880234da79f4 RSI: 0000000000000000 RDI: ffff880232e15000
          RBP: ffff880234da79b8 R08: 0000000000000000 R09: 0000000000000000
          R10: 000000000000000a R11: 0000000000000001 R12: ffff880232dda1c0
          R13: ffff880232e1518c R14: 0000000000000292 R15: ffff880232e15000
          FS:  0000000000000000(0000) GS:ffff88023fc40000(0000) knlGS:0000000000000000
          CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
          CR2: 000000000000025c CR3: 0000000002014000 CR4: 00000000000007e0
          Stack:
           ffff880234da79d8 0000000000000286 ffff880232dcbc00 0000000000002480
           ffff880234da7958 0000000000000296 ffff880234da7998 ffffffff8151b51d
           ffff880234da7a48 0000000032dcbeb0 ffff880232dcbc00 ffff880232dcbc58
          Call Trace:
           [<ffffffff8151b51d>] ? drm_vma_offset_remove+0x1d/0x110
           [<ffffffff8152dc98>] radeon_get_vblank_timestamp_kms+0x38/0x60
           [<ffffffff8152076a>] ? ttm_bo_release_list+0xba/0x180
           [<ffffffff81503751>] drm_get_last_vbltimestamp+0x41/0x70
           [<ffffffff81503933>] vblank_disable_and_save+0x73/0x1d0
           [<ffffffff81106b2f>] ? try_to_del_timer_sync+0x4f/0x70
           [<ffffffff81505245>] drm_vblank_cleanup+0x65/0xa0
           [<ffffffff815604fa>] radeon_irq_kms_fini+0x1a/0x70
           [<ffffffff8156c07e>] r100_init+0x26e/0x410
           [<ffffffff8152ae3e>] radeon_device_init+0x7ae/0xb50
           [<ffffffff8152d57f>] radeon_driver_load_kms+0x8f/0x210
           [<ffffffff81506965>] drm_dev_register+0xb5/0x110
           [<ffffffff8150998f>] drm_get_pci_dev+0x8f/0x200
           [<ffffffff815291cd>] radeon_pci_probe+0xad/0xe0
           [<ffffffff8141a365>] local_pci_probe+0x45/0xa0
           [<ffffffff8141b741>] pci_device_probe+0xd1/0x130
           [<ffffffff81633dad>] driver_probe_device+0x12d/0x3e0
           [<ffffffff8163413b>] __driver_attach+0x9b/0xa0
           [<ffffffff816340a0>] ? __device_attach+0x40/0x40
           [<ffffffff81631cd3>] bus_for_each_dev+0x63/0xa0
           [<ffffffff8163378e>] driver_attach+0x1e/0x20
           [<ffffffff81633390>] bus_add_driver+0x180/0x240
           [<ffffffff81634914>] driver_register+0x64/0xf0
           [<ffffffff81419cac>] __pci_register_driver+0x4c/0x50
           [<ffffffff81509bf5>] drm_pci_init+0xf5/0x120
           [<ffffffff821dc871>] ? ttm_init+0x6a/0x6a
           [<ffffffff821dc908>] radeon_init+0x97/0xb5
           [<ffffffff810002fc>] do_one_initcall+0xbc/0x1f0
           [<ffffffff810e3278>] ? __wake_up+0x48/0x60
           [<ffffffff8218e256>] kernel_init_freeable+0x18a/0x215
           [<ffffffff8218d983>] ? initcall_blacklist+0xc0/0xc0
           [<ffffffff818a78f0>] ? rest_init+0x80/0x80
           [<ffffffff818a78fe>] kernel_init+0xe/0xf0
           [<ffffffff818c0c3c>] ret_from_fork+0x7c/0xb0
           [<ffffffff818a78f0>] ? rest_init+0x80/0x80
          Code: 45 ac 0f 88 a8 01 00 00 3b b7 d0 01 00 00 49 89 ff 0f 83 99 01 00 00 48 8b 47 20 48 8b 80 88 00 00 00 48 85 c0 0f 84 cd 01 00 00 <41> 8b b1 5c 02 00 00 41 8b 89 58 02 00 00 89 75 98 41 8b b1 60
          RIP  [<ffffffff8150423b>] drm_calc_vbltimestamp_from_scanoutpos+0x4b/0x320
           RSP <ffff880234da7918>
          CR2: 000000000000025c
          ---[ end trace ad2c0aadf48e2032 ]---
          Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
      
      It has helped me to add a NULL pointer check that was suggested at
      http://lists.freedesktop.org/archives/dri-devel/2014-October/070663.html
      
      I am not familiar with the code. But the change looks sane
      and we need something fast at this stage of 3.18 development.
      Suggested-by: NHelge Deller <deller@gmx.de>
      Signed-off-by: NPetr Mladek <pmladek@suse.cz>
      Tested-by: NPetr Mladek <pmladek@suse.cz>
      Signed-off-by: NAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      f5475cc4
    • M
      a08b588e
    • C
      drm/radeon: sync all BOs involved in a CS v2 · 86b27638
      Christian König 提交于
      Not just the userspace relocs, otherwise we won't wait
      for a swapped out page tables to be swapped in again.
      
      v2: rebased on Alex current drm-fixes-3.18
      Signed-off-by: NChristian König <christian.koenig@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NAlex Deucher <alexander.deucher@amd.com>
      86b27638
  4. 02 12月, 2014 13 次提交
    • D
      block: fix regression where bio_integrity_process uses wrong bio_vec iterator · 594416a7
      Darrick J. Wong 提交于
      bio integrity handling is broken on a system with LVM layered atop a
      DIF/DIX SCSI drive because device mapper clones the bio, modifies the
      clone, and sends the clone to the lower layers for processing.
      However, the clone bio has bi_vcnt == 0, which means that when the sd
      driver calls bio_integrity_process to attach DIX data, the
      for_each_segment_all() call (which uses bi_vcnt) returns immediately
      and random garbage is sent to the disk on a disk write.  The disk of
      course returns an error.
      
      Therefore, teach bio_integrity_process() to use bio_for_each_segment()
      to iterate the bio_vecs, since the per-bio iterator tracks which
      bio_vecs are associated with that particular bio.  The integrity
      handling code is effectively part of the "driver" (it's not the bio
      owner), so it must use the correct iterator function.
      
      v2: Fix a compiler warning about abandoned local variables.  This
      patch supersedes "block: bio_integrity_process uses wrong bio_vec
      iterator".  Patch applies against 3.18-rc6.
      Signed-off-by: NDarrick J. Wong <darrick.wong@oracle.com>
      Acked-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NJens Axboe <axboe@fb.com>
      594416a7
    • J
      Merge tag 'keys-fixes-20141201' of... · 18832480
      James Morris 提交于
      Merge tag 'keys-fixes-20141201' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs into for-linus
      18832480
    • D
      nouveau: move the hotplug ignore to correct place. · 8b62c8c6
      Dave Airlie 提交于
      Introduced in b440bde7, however it was added to
      the wrong function in nouveau.
      
      https://bugzilla.kernel.org/show_bug.cgi?id=86011
      Cc: Bjorn Helgaas <bhelgaas@google.com>
      CC: stable@vger.kernel.org  # v3.15+
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      8b62c8c6
    • D
      Merge branch 'linux-3.18' of git://anongit.freedesktop.org/git/nouveau/linux-2.6 into drm-fixes · d87c0e3d
      Dave Airlie 提交于
      Just a couple of fixes for the fallout from the fence rework.
      
      * 'linux-3.18' of git://anongit.freedesktop.org/git/nouveau/linux-2.6:
        drm/nouveau/gf116: remove copy1 engine
        drm/nouveau: prevent stale fence->channel pointers, and protect with rcu
        drm/nouveau/fifo/g84-: ack non-stall interrupt before handling it
      d87c0e3d
    • I
      drm/nouveau/gf116: remove copy1 engine · 226d63a1
      Ilia Mirkin 提交于
      Indications are that no GF116's actually have a copy engine there, but
      actually have the decompression engine. This engine can be made to do
      copies, but that should be done separately.
      
      Unclear why this didn't turn up on all GF116's, but perhaps the
      non-mobile ones came with enough VRAM to not trigger ttm migrations in
      test scenarios.
      
      Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=85465
      Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=59168
      Cc: stable@vger.kernel.org
      Signed-off-by: NIlia Mirkin <imirkin@alum.mit.edu>
      Signed-off-by: NBen Skeggs <bskeggs@redhat.com>
      226d63a1
    • M
    • B
      drm/nouveau/fifo/g84-: ack non-stall interrupt before handling it · 19a10828
      Ben Skeggs 提交于
      Closes a very unlikely race that can occur if another NonStallInterrupt
      method passes between checking fences and acking the previous interrupt.
      
      With this change, the interrupt will re-fire under such conditions.
      Tested-by: NTobias Klausmann <tobias.johannes.klausmann@mni.thm.de>
      Signed-off-by: NBen Skeggs <bskeggs@redhat.com>
      19a10828
    • L
      Merge tag 'ext4_for_linus_urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 · 3a18ca06
      Linus Torvalds 提交于
      Pull ext4 bugfix from Ted Ts'o:
       "Fix an ext4 metadata checksum regression introduced in v3.18-rc3"
      
      * tag 'ext4_for_linus_urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
        jbd2: fix regression where we fail to initialize checksum seed when loading
      3a18ca06
    • D
      jbd2: fix regression where we fail to initialize checksum seed when loading · 32f38691
      Darrick J. Wong 提交于
      When we're enabling journal features, we cannot use the predicate
      jbd2_journal_has_csum_v2or3() because we haven't yet set the sb
      feature flag fields!  Moreover, we just finished loading the shash
      driver, so the test is unnecessary; calculate the seed always.
      
      Without this patch, we fail to initialize the checksum seed the first
      time we turn on journal_checksum, which means that all journal blocks
      written during that first mount are corrupt.  Transactions written
      after the second mount will be fine, since the feature flag will be
      set in the journal superblock.  xfstests generic/{034,321,322} are the
      regression tests.
      
      (This is important for 3.18.)
      Signed-off-by: NDarrick J. Wong <darrick.wong@oracle.coM>
      Reported-by: NEric Whitney <enwlinux@gmail.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      32f38691
    • T
      PCI: tegra: Use physical range for I/O mapping · 5106787a
      Thierry Reding 提交于
      Commit 0b0b0893 ("of/pci: Fix the conversion of IO ranges into IO
      resources") changed how I/O resources are parsed from DT.  Rather than
      containing the physical address of the I/O region, the addresses will now
      be in I/O address space.
      
      On Tegra the union of all ranges is used to expose a top-level memory-
      mapped resource for the PCI host bridge.  This helps to make /proc/iomem
      more readable.
      
      Combining both of the above, the union would now include the I/O space
      region.  This causes a regression on Tegra20, where the physical base
      address of the PCIe controller (and therefore of the union) is located at
      physical address 0x80000000.  Since I/O space starts at 0, the union will
      now include all of system RAM which starts at 0x00000000.
      
      This commit fixes this by keeping two copies of the I/O range: one that
      represents the range in the CPU's physical address space, the other for the
      range in the I/O address space.  This allows the translation setup within
      the driver to reuse the physical addresses.  The code registering the I/O
      region with the PCI core uses both ranges to establish the mapping.
      
      Fixes: 0b0b0893 ("of/pci: Fix the conversion of IO ranges into IO resources")
      Reported-by: NMarc Zyngier <marc.zyngier@arm.com>
      Tested-by: NMarc Zyngier <marc.zyngier@arm.com>
      Suggested-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NThierry Reding <treding@nvidia.com>
      Signed-off-by: NBjorn Helgaas <bhelgaas@google.com>
      Reviewed-by: NArnd Bergmann <arnd@arndb.de>
      5106787a
    • D
      KEYS: request_key() should reget expired keys rather than give EKEYEXPIRED · 0b0a8415
      David Howells 提交于
      Since the keyring facility can be viewed as a cache (at least in some
      applications), the local expiration time on the key should probably be viewed
      as a 'needs updating after this time' property rather than an absolute 'anyone
      now wanting to use this object is out of luck' property.
      
      Since request_key() is the main interface for the usage of keys, this should
      update or replace an expired key rather than issuing EKEYEXPIRED if the local
      expiration has been reached (ie. it should refresh the cache).
      
      For absolute conditions where refreshing the cache probably doesn't help, the
      key can be negatively instantiated using KEYCTL_REJECT_KEY with EKEYEXPIRED
      given as the error to issue.  This will still cause request_key() to return
      EKEYEXPIRED as that was explicitly set.
      
      In the future, if the key type has an update op available, we might want to
      upcall with the expired key and allow the upcall to update it.  We would pass
      a different operation name (the first column in /etc/request-key.conf) to the
      request-key program.
      
      request_key() returning EKEYEXPIRED is causing an NFS problem which Chuck
      Lever describes thusly:
      
      	After about 10 minutes, my NFSv4 functional tests fail because the
      	ownership of the test files goes to "-2". Looking at /proc/keys
      	shows that the id_resolv keys that map to my test user ID have
      	expired. The ownership problem persists until the expired keys are
      	purged from the keyring, and fresh keys are obtained.
      
      	I bisected the problem to 3.13 commit b2a4df20 ("KEYS: Expand
      	the capacity of a keyring"). This commit inadvertantly changes the
      	API contract of the internal function keyring_search_aux().
      
      	The root cause appears to be that b2a4df20 made "no state check"
      	the default behavior. "No state check" means the keyring search
      	iterator function skips checking the key's expiry timeout, and
      	returns expired keys.  request_key_and_link() depends on getting
      	an -EAGAIN result code to know when to perform an upcall to refresh
      	an expired key.
      
      This patch can be tested directly by:
      
      	keyctl request2 user debug:fred a @s
      	keyctl timeout %user:debug:fred 3
      	sleep 4
      	keyctl request2 user debug:fred a @s
      
      Without the patch, the last command gives error EKEYEXPIRED, but with the
      command it gives a new key.
      Reported-by: NCarl Hetherington <cth@carlh.net>
      Reported-by: NChuck Lever <chuck.lever@oracle.com>
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Tested-by: NChuck Lever <chuck.lever@oracle.com>
      0b0a8415
    • D
      KEYS: Simplify KEYRING_SEARCH_{NO,DO}_STATE_CHECK flags · 054f6180
      David Howells 提交于
      Simplify KEYRING_SEARCH_{NO,DO}_STATE_CHECK flags to be two variations of the
      same flag.  They are effectively mutually exclusive and one or the other
      should be provided, but not both.
      
      Keyring cycle detection and key possession determination are the only things
      that set NO_STATE_CHECK, except that neither flag really does anything there
      because neither purpose makes use of the keyring_search_iterator() function,
      but rather provides their own.
      
      For cycle detection we definitely want to check inside of expired keyrings,
      just so that we don't create a cycle we can't get rid of.  Revoked keyrings
      are cleared at revocation time and can't then be reused, so shouldn't be a
      problem either way.
      
      For possession determination, we *might* want to validate each keyring before
      searching it: do you possess a key that's hidden behind an expired or just
      plain inaccessible keyring?  Currently, the answer is yes.  Note that you
      cannot, however, possess a key behind a revoked keyring because they are
      cleared on revocation.
      
      keyring_search() sets DO_STATE_CHECK, which is correct.
      
      request_key_and_link() currently doesn't specify whether to check the key
      state or not - but it should set DO_STATE_CHECK.
      
      key_get_instantiation_authkey() also currently doesn't specify whether to
      check the key state or not - but it probably should also set DO_STATE_CHECK.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Tested-by: NChuck Lever <chuck.lever@oracle.com>
      054f6180
    • D
      KEYS: Fix the size of the key description passed to/from userspace · aa9d4437
      David Howells 提交于
      When a key description argument is imported into the kernel from userspace, as
      happens in add_key(), request_key(), KEYCTL_JOIN_SESSION_KEYRING,
      KEYCTL_SEARCH, the description is copied into a buffer up to PAGE_SIZE in size.
      PAGE_SIZE, however, is a variable quantity, depending on the arch.  Fix this at
      4096 instead (ie. 4095 plus a NUL termination) and define a constant
      (KEY_MAX_DESC_SIZE) to this end.
      
      When reading the description back with KEYCTL_DESCRIBE, a PAGE_SIZE internal
      buffer is allocated into which the information and description will be
      rendered.  This means that the description will get truncated if an extremely
      long description it has to be crammed into the buffer with the stringified
      information.  There is no particular need to copy the description into the
      buffer, so just copy it directly to userspace in a separate operation.
      Reported-by: NChristian Kastner <debian@kvr.at>
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Tested-by: NChristian Kastner <debian@kvr.at>
      aa9d4437