1. 09 4月, 2015 1 次提交
  2. 07 4月, 2015 2 次提交
    • A
      ioctx_alloc(): fix vma (and file) leak on failure · deeb8525
      Al Viro 提交于
      If we fail past the aio_setup_ring(), we need to destroy the
      mapping.  We don't need to care about anybody having found ctx,
      or added requests to it, since the last failure exit is exactly
      the failure to make ctx visible to lookups.
      
      Reproducer (based on one by Joe Mario <jmario@redhat.com>):
      
      void count(char *p)
      {
      	char s[80];
      	printf("%s: ", p);
      	fflush(stdout);
      	sprintf(s, "/bin/cat /proc/%d/maps|/bin/fgrep -c '/[aio] (deleted)'", getpid());
      	system(s);
      }
      
      int main()
      {
      	io_context_t *ctx;
      	int created, limit, i, destroyed;
      	FILE *f;
      
      	count("before");
      	if ((f = fopen("/proc/sys/fs/aio-max-nr", "r")) == NULL)
      		perror("opening aio-max-nr");
      	else if (fscanf(f, "%d", &limit) != 1)
      		fprintf(stderr, "can't parse aio-max-nr\n");
      	else if ((ctx = calloc(limit, sizeof(io_context_t))) == NULL)
      		perror("allocating aio_context_t array");
      	else {
      		for (i = 0, created = 0; i < limit; i++) {
      			if (io_setup(1000, ctx + created) == 0)
      				created++;
      		}
      		for (i = 0, destroyed = 0; i < created; i++)
      			if (io_destroy(ctx[i]) == 0)
      				destroyed++;
      		printf("created %d, failed %d, destroyed %d\n",
      			created, limit - created, destroyed);
      		count("after");
      	}
      }
      Found-by: NJoe Mario <jmario@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      deeb8525
    • A
      fix mremap() vs. ioctx_kill() race · b2edffdd
      Al Viro 提交于
      teach ->mremap() method to return an error and have it fail for
      aio mappings in process of being killed
      
      Note that in case of ->mremap() failure we need to undo move_page_tables()
      we'd already done; we could call ->mremap() first, but then the failure of
      move_page_tables() would require undoing whatever _successful_ ->mremap()
      has done, which would be a lot more headache in general.
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      b2edffdd
  3. 03 4月, 2015 12 次提交
  4. 02 4月, 2015 16 次提交
  5. 01 4月, 2015 9 次提交
    • J
      mac80211: fix RX A-MPDU session reorder timer deletion · 788211d8
      Johannes Berg 提交于
      There's an issue with the way the RX A-MPDU reorder timer is
      deleted that can cause a kernel crash like this:
      
       * tid_rx is removed - call_rcu(ieee80211_free_tid_rx)
       * station is destroyed
       * reorder timer fires before ieee80211_free_tid_rx() runs,
         accessing the station, thus potentially crashing due to
         the use-after-free
      
      The station deletion is protected by synchronize_net(), but
      that isn't enough -- ieee80211_free_tid_rx() need not have
      run when that returns (it deletes the timer.) We could use
      rcu_barrier() instead of synchronize_net(), but that's much
      more expensive.
      
      Instead, to fix this, add a field tracking that the session
      is being deleted. In this case, the only re-arming of the
      timer happens with the reorder spinlock held, so make that
      code not rearm it if the session is being deleted and also
      delete the timer after setting that field. This ensures the
      timer cannot fire after ___ieee80211_stop_rx_ba_session()
      returns, which fixes the problem.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      788211d8
    • J
      MAINTAINERS: Update Intel Wired Ethernet Driver info · 2f302324
      Jeff Kirsher 提交于
      Update the git tree info with a recent change in tree names.  Also
      add our new mailing list created solely for Linux kernel patches
      and kernel development, as well as the new patchwork project for
      tracking patches.  Lastly update the list of "reviewers" since a
      couple of developers have moved on to different projects.
      
      Made an update to the section header so that it is more manageable
      going forward as we add new drivers.
      Signed-off-by: NJeff Kirsher <jeffrey.t.kirsher@intel.com>
      2f302324
    • Y
      tipc: fix a slab object leak · 7e436905
      Ying Xue 提交于
      When remove TIPC module, there is a warning to remind us that a slab
      object is leaked like:
      
      root@localhost:~# rmmod tipc
      [   19.056226] =============================================================================
      [   19.057549] BUG TIPC (Not tainted): Objects remaining in TIPC on kmem_cache_close()
      [   19.058736] -----------------------------------------------------------------------------
      [   19.058736]
      [   19.060287] INFO: Slab 0xffffea0000519a00 objects=23 used=1 fp=0xffff880014668b00 flags=0x100000000004080
      [   19.061915] INFO: Object 0xffff880014668000 @offset=0
      [   19.062717] kmem_cache_destroy TIPC: Slab cache still has objects
      
      This is because the listening socket of TIPC topology server is not
      closed before TIPC proto handler is unregistered with proto_unregister().
      However, as the socket is closed in tipc_exit_net() which is called by
      unregister_pernet_subsys() during unregistering TIPC namespace operation,
      the warning can be eliminated if calling unregister_pernet_subsys() is
      moved before calling proto_unregister().
      
      Fixes: e05b31f4 ("tipc: make tipc socket support net namespace")
      Reviewed-by: NErik Hugne <erik.hugne@ericsson.com>
      Signed-off-by: NYing Xue <ying.xue@windriver.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7e436905
    • J
      powerpc: fix memory corruption by pnv_alloc_idle_core_states · d52356e7
      Jan Stancek 提交于
      Space allocated for paca is based off nr_cpu_ids,
      but pnv_alloc_idle_core_states() iterates paca with
      cpu_nr_cores()*threads_per_core, which is using NR_CPUS.
      
      This causes pnv_alloc_idle_core_states() to write over memory,
      which is outside of paca array and may later lead to various panics.
      
      Fixes: 7cba160a (powernv/cpuidle: Redesign idle states management)
      Signed-off-by: NJan Stancek <jstancek@redhat.com>
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      d52356e7
    • C
      net/usb/r8152: add device id for Lenovo TP USB 3.0 Ethernet · 347eec34
      Christian Hesse 提交于
      This device is sold as 'Lenovo Tinkpad USB 3.0 Ethernet 4X90E51405'.
      Chipset is RTL8153 and works with r8152.
      Signed-off-by: NChristian Hesse <mail@eworm.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      347eec34
    • E
      af_iucv: fix AF_IUCV sendmsg() errno · ed4ac422
      Eugene Crosser 提交于
      When sending over AF_IUCV socket, errno was incorrectly set to
      ENOMEM even when other values where appropriate, notably EAGAIN.
      With this patch, error indicator returned by sock_alloc_send_skb()
      is passed to the caller, rather than being overwritten with ENOMEM.
      Signed-off-by: NEugene Crosser <Eugene.Crosser@ru.ibm.com>
      Signed-off-by: NUrsula Braun <ursula.braun@de.ibm.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ed4ac422
    • T
      openvswitch: Return vport module ref before destruction · fa2d8ff4
      Thomas Graf 提交于
      Return module reference before invoking the respective vport
      ->destroy() function. This is needed as ovs_vport_del() is not
      invoked inside an RCU read side critical section so the kfree
      can occur immediately before returning to ovs_vport_del().
      
      Returning the module reference before ->destroy() is safe because
      the module unregistration is blocked on ovs_lock which we hold
      while destroying the datapath.
      
      Fixes: 62b9c8d0 ("ovs: Turn vports with dependencies into separate modules")
      Reported-by: NPravin Shelar <pshelar@nicira.com>
      Signed-off-by: NThomas Graf <tgraf@suug.ch>
      Acked-by: NPravin B Shelar <pshelar@nicira.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      fa2d8ff4
    • J
      sunrpc: make debugfs file creation failure non-fatal · f9c72d10
      Jeff Layton 提交于
      We currently have a problem that SELinux policy is being enforced when
      creating debugfs files. If a debugfs file is created as a side effect of
      doing some syscall, then that creation can fail if the SELinux policy
      for that process prevents it.
      
      This seems wrong. We don't do that for files under /proc, for instance,
      so Bruce has proposed a patch to fix that.
      
      While discussing that patch however, Greg K.H. stated:
      
          "No kernel code should care / fail if a debugfs function fails, so
           please fix up the sunrpc code first."
      
      This patch converts all of the sunrpc debugfs setup code to be void
      return functins, and the callers to not look for errors from those
      functions.
      
      This should allow rpc_clnt and rpc_xprt creation to work, even if the
      kernel fails to create debugfs files for some reason.
      
      Symptoms were failing krb5 mounts on systems using gss-proxy and
      selinux.
      
      Fixes: 388f0c77 "sunrpc: add a debugfs rpc_xprt directory..."
      Cc: stable@vger.kernel.org
      Signed-off-by: NJeff Layton <jeff.layton@primarydata.com>
      Acked-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NJ. Bruce Fields <bfields@redhat.com>
      f9c72d10
    • J
      netlink: pad nla_memcpy dest buffer with zeroes · 5899f047
      Jiri Benc 提交于
      This is especially important in cases where the kernel allocs a new
      structure and expects a field to be set from a netlink attribute. If such
      attribute is shorter than expected, the rest of the field is left containing
      previous data. When such field is read back by the user space, kernel memory
      content is leaked.
      Signed-off-by: NJiri Benc <jbenc@redhat.com>
      Acked-by: NThomas Graf <tgraf@suug.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5899f047