- 05 1月, 2012 2 次提交
-
-
由 Ian Campbell 提交于
Haogang Chen found out that: There is a potential integer overflow in process_msg() that could result in cross-domain attack. body = kmalloc(msg->hdr.len + 1, GFP_NOIO | __GFP_HIGH); When a malicious guest passes 0xffffffff in msg->hdr.len, the subsequent call to xb_read() would write to a zero-length buffer. The other end of this connection is always the xenstore backend daemon so there is no guest (malicious or otherwise) which can do this. The xenstore daemon is a trusted component in the system. However this seem like a reasonable robustness improvement so we should have it. And Ian when read the API docs found that: The payload length (len field of the header) is limited to 4096 (XENSTORE_PAYLOAD_MAX) in both directions. If a client exceeds the limit, its xenstored connection will be immediately killed by xenstored, which is usually catastrophic from the client's point of view. Clients (particularly domains, which cannot just reconnect) should avoid this. so this patch checks against that instead. This also avoids a potential integer overflow pointed out by Haogang Chen. Signed-off-by: NIan Campbell <ian.campbell@citrix.com> Cc: Haogang Chen <haogangchen@gmail.com> CC: stable@kernel.org Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-
由 Jan Beulich 提交于
The 'name', 'owner', and 'mod_name' members are redundant with the identically named fields in the 'driver' sub-structure. Rather than switching each instance to specify these fields explicitly, introduce a macro to simplify this. Eliminate further redundancy by allowing the drvname argument to DEFINE_XENBUS_DRIVER() to be blank (in which case the first entry from the ID table will be used for .driver.name). Also eliminate the questionable xenbus_register_{back,front}end() wrappers - their sole remaining purpose was the checking of the 'owner' field, proper setting of which shouldn't be an issue anymore when the macro gets used. v2: Restore DRV_NAME for the driver name in xen-pciback. Signed-off-by: NJan Beulich <jbeulich@suse.com> Cc: Jens Axboe <axboe@kernel.dk> Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com> Cc: Florian Tobias Schandinat <FlorianSchandinat@gmx.de> Cc: Ian Campbell <ian.campbell@citrix.com> Cc: David S. Miller <davem@davemloft.net> Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-
- 04 1月, 2012 1 次提交
-
-
由 Julia Lawall 提交于
Error handling code following a kmalloc should free the allocated data. Out_unlock is used on both success and failure, so free vm_priv before jumping to that label. A simplified version of the semantic match that finds the problem is as follows: (http://coccinelle.lip6.fr) // <smpl> @r exists@ local idexpression x; statement S; identifier f1; position p1,p2; expression *ptr != NULL; @@ x@p1 = \(kmalloc\|kzalloc\|kcalloc\)(...); ... if (x == NULL) S <... when != x when != if (...) { <+...x...+> } x->f1 ...> ( return \(0\|<+...x...+>\|ptr\); | return@p2 ...; ) @script:python@ p1 << r.p1; p2 << r.p2; @@ print "* file: %s kmalloc %s return %s" % (p1[0].file,p1[0].line,p2[0].line) // </smpl> Signed-off-by: NJulia Lawall <julia@diku.dk> [v1: Altered the description a bit] Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-
- 22 12月, 2011 1 次提交
-
-
由 Konrad Rzeszutek Wilk 提交于
drivers/xen/xenbus/xenbus_dev_backend.c:74:2: error: implicit declaration of function 'xen_initial_domain' Reported-by: NRandy Dunlap <rdunlap@xenotime.net> Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-
- 21 12月, 2011 5 次提交
-
-
由 Daniel De Graaf 提交于
Acked-by: NIan Campbell <ian.campbell@citrix.com> Acked-by: NDavid S. Miller <davem@davemloft.net> Signed-off-by: NDaniel De Graaf <dgdegra@tycho.nsa.gov> Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-
由 Daniel De Graaf 提交于
Add support for mappings without GNTMAP_contains_pte. This was not supported because the unmap operation assumed that this flag was being used; adding a parameter to the unmap operation to allow the PTE clearing to be disabled is sufficient to make unmap capable of supporting either mapping type. Signed-off-by: NDaniel De Graaf <dgdegra@tycho.nsa.gov> [v1: Fix cleanpatch warnings] Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-
由 Daniel De Graaf 提交于
For xenbus_{map,unmap}_ring to work on HVM, the grant table operations must be set up using the gnttab_set_{map,unmap}_op functions instead of directly populating the fields of gnttab_map_grant_ref. These functions simply populate the structure on paravirtualized Xen; however, on HVM they must call __pa() on vaddr when populating op->host_addr because the hypervisor cannot directly interpret guest-virtual addresses. Signed-off-by: NDaniel De Graaf <dgdegra@tycho.nsa.gov> [v1: Fixed cleanpatch error] Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-
由 Daniel De Graaf 提交于
Add HVM implementations of xenbus_(map,unmap)_ring_v(alloc,free) so that ring mappings can be done without using GNTMAP_contains_pte which is not supported on HVM. This also removes the need to use vmlist_lock on PV by tracking the allocated xenbus rings. Signed-off-by: NDaniel De Graaf <dgdegra@tycho.nsa.gov> [v1: Fix compile error when XENBUS_FRONTEND is defined as module] Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-
由 Konrad Rzeszutek Wilk 提交于
* commit 'v3.2-rc3': (412 commits) Linux 3.2-rc3 virtio-pci: make reset operation safer virtio-mmio: Correct the name of the guest features selector virtio: add HAS_IOMEM dependency to MMIO platform bus driver eCryptfs: Extend array bounds for all filename chars eCryptfs: Flush file in vma close eCryptfs: Prevent file create race condition regulator: TPS65910: Fix VDD1/2 voltage selector count i2c: Make i2cdev_notifier_call static i2c: Delete ANY_I2C_BUS i2c: Fix device name for 10-bit slave address i2c-algo-bit: Generate correct i2c address sequence for 10-bit target drm: integer overflow in drm_mode_dirtyfb_ioctl() Revert "of/irq: of_irq_find_parent: check for parent equal to child" drivers/gpu/vga/vgaarb.c: add missing kfree drm/radeon/kms/atom: unify i2c gpio table handling drm/radeon/kms: fix up gpio i2c mask bits for r4xx for real ttm: Don't return the bo reserved on error path mount_subtree() pointless use-after-free iio: fix a leak due to improper use of anon_inode_getfd() ...
-
- 20 12月, 2011 1 次提交
-
-
由 Konrad Rzeszutek Wilk 提交于
drivers/xen/xenbus/xenbus_dev_frontend.c: In function 'xenbus_init': drivers/xen/xenbus/xenbus_dev_frontend.c:609:2: error: implicit declaration of function 'xen_domain' Reported-by: NRandy Dunlap <rdunlap@xenotime.net> Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-
- 17 12月, 2011 11 次提交
-
-
由 Bastian Blank 提交于
Add the work frontend to the error message because we now also have a backend device. Signed-off-by: NBastian Blank <waldi@debian.org> Acked-by: NIan Campbell <ian.campbell@citrix.com> Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-
由 Bastian Blank 提交于
This was used for ia64. But there is no working ia64 support in sight, so remove it for now. Signed-off-by: NBastian Blank <waldi@debian.org> Acked-by: NIan Campbell <ian.campbell@citrix.com> Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-
由 Bastian Blank 提交于
Access for xenstored to the event channel and pre-allocated ring is managed via xenfs. This adds its own character device featuring mmap for the ring and an ioctl for the event channel. Signed-off-by: NBastian Blank <waldi@debian.org> Acked-by: NIan Campbell <ian.campbell@citrix.com> Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-
由 Bastian Blank 提交于
Access to xenbus is currently handled via xenfs. This adds a device driver for xenbus and makes xenfs use this code. Signed-off-by: NBastian Blank <waldi@debian.org> Acked-by: NIan Campbell <ian.campbell@citrix.com> Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-
由 Bastian Blank 提交于
Access to arbitrary hypercalls is currently provided via xenfs. This adds a standard character device to handle this. The support in xenfs remains for backward compatibility and uses the device driver code. Signed-off-by: NBastian Blank <waldi@debian.org> Acked-by: NIan Campbell <ian.campbell@citrix.com> Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-
由 Daniel De Graaf 提交于
When a multi-page mapping of gntalloc is created, the reference counts of all pages in the vma are incremented. However, the vma open/close operations only adjusted the reference count of the first page in the mapping, leaking the other pages. Store a struct in the vm_private_data to track the original page count to properly free the pages when the last reference to the vma is closed. Reported-by: NAnil Madhavapeddy <anil@recoil.org> Signed-off-by: NDaniel De Graaf <dgdegra@tycho.nsa.gov> Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-
由 Daniel De Graaf 提交于
gnttab_end_foreign_access_ref does not return the grant reference it is passed to the free list; gnttab_free_grant_reference needs to be explicitly called. While gnttab_end_foreign_access provides a wrapper for this, it is unsuitable because it does not return errors. Reported-by: NAnil Madhavapeddy <anil@recoil.org> Signed-off-by: NDaniel De Graaf <dgdegra@tycho.nsa.gov> Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-
由 Daniel De Graaf 提交于
The event channel number provided to evtchn_get can be provided by userspace, so needs to be checked against the maximum number of event channels prior to using it to index into evtchn_to_irq. Signed-off-by: NDaniel De Graaf <dgdegra@tycho.nsa.gov> Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-
由 Annie Li 提交于
These allow a domain A which has been granted access on a page of domain B's memory to issue domain C with a copy-grant on the same page. This is useful e.g. for forwarding packets between domains. Signed-off-by: NAnnie Li <annie.li@oracle.com> Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-
由 Annie Li 提交于
- They can't be used to map the page (so can only be used in a GNTTABOP_copy hypercall). - It's possible to grant access with a finer granularity than whole pages. - Xen guarantees that they can be revoked quickly (a normal map grant can only be revoked with the cooperation of the domain which has been granted access). Signed-off-by: NAnnie Li <annie.li@oracle.com> Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-
由 Annie Li 提交于
Signed-off-by: NAnnie Li <annie.li@oracle.com> Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-
- 01 12月, 2011 1 次提交
-
-
由 Luck, Tony 提交于
include/xen/interface/xen.h:526: error: conflicting types for ‘__guest_handle_u64’ arch/ia64/include/asm/xen/interface.h:74: error: previous declaration of ‘__guest_handle_u64’ was here Problem introduced by "xen/granttable: Introducing grant table V2 stucture" which added a new definition to include/xen/interface/xen.h for "u64". Fix: delete the ia64 arch specific definition. Signed-off-by: NTony Luck <tony.luck@intel.com> Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-
- 24 11月, 2011 15 次提交
-
-
由 Linus Torvalds 提交于
-
git://github.com/rustyrussell/linux由 Linus Torvalds 提交于
* git://github.com/rustyrussell/linux: virtio-pci: make reset operation safer virtio-mmio: Correct the name of the guest features selector virtio: add HAS_IOMEM dependency to MMIO platform bus driver
-
由 Michael S. Tsirkin 提交于
virtio pci device reset actually just does an I/O write, which in PCI is really posted, that is it can complete on CPU before the device has received it. Further, interrupts might have been pending on another CPU, so device callback might get invoked after reset. This conflicts with how drivers use reset, which is typically: reset unregister a callback running after reset completed can race with unregister, potentially leading to use after free bugs. Fix by flushing out the write, and flushing pending interrupts. This assumes that device is never reset from its vq/config callbacks, or in parallel with being added/removed, document this assumption. Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
-
由 Sasha Levin 提交于
Guest features selector spelling mistake. Cc: Pawel Moll <pawel.moll@arm.com> Cc: Rusty Russell <rusty@rustcorp.com.au> Cc: virtualization@lists.linux-foundation.org Signed-off-by: NSasha Levin <levinsasha928@gmail.com> Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
-
由 Heiko Carstens 提交于
Fix this compile error on s390: CC [M] drivers/virtio/virtio_mmio.o drivers/virtio/virtio_mmio.c: In function 'vm_get_features': drivers/virtio/virtio_mmio.c:107:2: error: implicit declaration of function 'writel' Cc: Christian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: NHeiko Carstens <heiko.carstens@de.ibm.com> Acked-by: NPawel Moll <pawel.moll@arm.com> Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
-
git://github.com/jgarzik/libata-dev由 Linus Torvalds 提交于
* 'upstream-linus' of git://github.com/jgarzik/libata-dev: libata: fix build without BMDMA [libata] ahci_platform: fix DT probing
-
git://git.kernel.org/pub/scm/linux/kernel/git/jbarnes/pci由 Linus Torvalds 提交于
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jbarnes/pci: PCI hotplug: shpchp: don't blindly claim non-AMD 0x7450 device IDs PCI: pciehp: wait 100 ms after Link Training check PCI: pciehp: wait 1000 ms before Link Training check PCI: pciehp: Retrieve link speed after link is trained PCI: Let PCI_PRI depend on PCI PCI: Fix compile errors with PCI_ATS and !PCI_IOV PCI / ACPI: Make acpiphp ignore root bridges using PCIe native hotplug
-
git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs由 Linus Torvalds 提交于
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs: eCryptfs: Extend array bounds for all filename chars eCryptfs: Flush file in vma close eCryptfs: Prevent file create race condition
-
由 Tyler Hicks 提交于
From mhalcrow's original commit message: Characters with ASCII values greater than the size of filename_rev_map[] are valid filename characters. ecryptfs_decode_from_filename() will access kernel memory beyond that array, and ecryptfs_parse_tag_70_packet() will then decrypt those characters. The attacker, using the FNEK of the crafted file, can then re-encrypt the characters to reveal the kernel memory past the end of the filename_rev_map[] array. I expect low security impact since this array is statically allocated in the text area, and the amount of memory past the array that is accessible is limited by the largest possible ASCII filename character. This patch solves the issue reported by mhalcrow but with an implementation suggested by Linus to simply extend the length of filename_rev_map[] to 256. Characters greater than 0x7A are mapped to 0x00, which is how invalid characters less than 0x7A were previously being handled. Signed-off-by: NTyler Hicks <tyhicks@canonical.com> Reported-by: NMichael Halcrow <mhalcrow@google.com> Cc: stable@kernel.org
-
由 Tyler Hicks 提交于
Dirty pages weren't being written back when an mmap'ed eCryptfs file was closed before the mapping was unmapped. Since f_ops->flush() is not called by the munmap() path, the lower file was simply being released. This patch flushes the eCryptfs file in the vm_ops->close() path. https://launchpad.net/bugs/870326Signed-off-by: NTyler Hicks <tyhicks@canonical.com> Cc: stable@kernel.org [2.6.39+]
-
由 Tyler Hicks 提交于
The file creation path prematurely called d_instantiate() and unlock_new_inode() before the eCryptfs inode info was fully allocated and initialized and before the eCryptfs metadata was written to the lower file. This could result in race conditions in subsequent file and inode operations leading to unexpected error conditions or a null pointer dereference while attempting to use the unallocated memory. https://launchpad.net/bugs/813146Signed-off-by: NTyler Hicks <tyhicks@canonical.com> Cc: stable@kernel.org
-
git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-ktest由 Linus Torvalds 提交于
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-ktest: ktest: Check parent options for iterated tests
-
git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging由 Linus Torvalds 提交于
* 'i2c-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging: i2c: Make i2cdev_notifier_call static i2c: Delete ANY_I2C_BUS i2c: Fix device name for 10-bit slave address i2c-algo-bit: Generate correct i2c address sequence for 10-bit target
-
git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator由 Linus Torvalds 提交于
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator: regulator: TPS65910: Fix VDD1/2 voltage selector count
-
git://people.freedesktop.org/~airlied/linux由 Linus Torvalds 提交于
* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: (31 commits) drm: integer overflow in drm_mode_dirtyfb_ioctl() drivers/gpu/vga/vgaarb.c: add missing kfree drm/radeon/kms/atom: unify i2c gpio table handling drm/radeon/kms: fix up gpio i2c mask bits for r4xx for real ttm: Don't return the bo reserved on error path drm/radeon/kms: add a CS ioctl flag not to rewrite tiling flags in the CS drm/i915: Fix inconsistent backlight level during disabled drm, i915: Fix memory leak in i915_gem_busy_ioctl(). drm/i915: Use DPCD value for max DP lanes. drm/i915: Initiate DP link training only on the lanes we'll be using drm/i915: Remove trailing white space drm/i915: Try harder during dp pattern 1 link training drm/i915: Make DP prepare/commit consistent with DP dpms drm/i915: Let panel power sequencing hardware do its job drm/i915: Treat PCH eDP like DP in most places drm/i915: Remove link_status field from intel_dp structure drm/i915: Move common PCH_PP_CONTROL setup to ironlake_get_pp_control drm/i915: Module parameters using '-1' as default must be signed type drm/i915: Turn on another required clock gating bit on gen6. drm/i915: Turn on a required 3D clock gating bit on Sandybridge. ...
-
- 23 11月, 2011 3 次提交
-
-
由 Afzal Mohammed 提交于
Count of selector voltage is required for regulator_set_voltage to work via set_voltage_sel. VDD1/2 currently have it as zero, so regulator_set_voltage won't work for VDD1/2. Update count (n_voltages) for VDD1/2. Output Voltage = (step value * 12.5 mV + 562.5 mV) * gain With above expr, number of voltages that can be selected is step value count * gain count constant for gain count will be called VDD1_2_NUM_VOLT_COARSE existing constant for step value count is VDD1_2_NUM_VOLTS, use VDD1_2_NUM_VOLT_FINE instead to make clear that step value is not the only component in deciding selectable voltage count Signed-off-by: NAfzal Mohammed <afzal@ti.com> Signed-off-by: NMark Brown <broonie@opensource.wolfsonmicro.com>
-
由 Shubhrajyoti D 提交于
The function i2cdev_notifier_call is used only in i2c-dev file making it static. Also removes the following sparse warning drivers/i2c/i2c-dev.c:582:5: warning: symbol 'i2cdev_notifier_call' was not declared. Should it be static? Signed-off-by: NShubhrajyoti D <shubhrajyoti@ti.com> Signed-off-by: NJean Delvare <khali@linux-fr.org>
-
由 Jean Delvare 提交于
Last piece of code using ANY_I2C_BUS was deleted almost 2 years ago, so ANY_I2C_BUS can go away as well. Signed-off-by: NJean Delvare <khali@linux-fr.org>
-