1. 07 12月, 2011 1 次提交
    • A
      fix apparmor dereferencing potentially freed dentry, sanitize __d_path() API · 02125a82
      Al Viro 提交于
      __d_path() API is asking for trouble and in case of apparmor d_namespace_path()
      getting just that.  The root cause is that when __d_path() misses the root
      it had been told to look for, it stores the location of the most remote ancestor
      in *root.  Without grabbing references.  Sure, at the moment of call it had
      been pinned down by what we have in *path.  And if we raced with umount -l, we
      could have very well stopped at vfsmount/dentry that got freed as soon as
      prepend_path() dropped vfsmount_lock.
      
      It is safe to compare these pointers with pre-existing (and known to be still
      alive) vfsmount and dentry, as long as all we are asking is "is it the same
      address?".  Dereferencing is not safe and apparmor ended up stepping into
      that.  d_namespace_path() really wants to examine the place where we stopped,
      even if it's not connected to our namespace.  As the result, it looked
      at ->d_sb->s_magic of a dentry that might've been already freed by that point.
      All other callers had been careful enough to avoid that, but it's really
      a bad interface - it invites that kind of trouble.
      
      The fix is fairly straightforward, even though it's bigger than I'd like:
      	* prepend_path() root argument becomes const.
      	* __d_path() is never called with NULL/NULL root.  It was a kludge
      to start with.  Instead, we have an explicit function - d_absolute_root().
      Same as __d_path(), except that it doesn't get root passed and stops where
      it stops.  apparmor and tomoyo are using it.
      	* __d_path() returns NULL on path outside of root.  The main
      caller is show_mountinfo() and that's precisely what we pass root for - to
      skip those outside chroot jail.  Those who don't want that can (and do)
      use d_path().
      	* __d_path() root argument becomes const.  Everyone agrees, I hope.
      	* apparmor does *NOT* try to use __d_path() or any of its variants
      when it sees that path->mnt is an internal vfsmount.  In that case it's
      definitely not mounted anywhere and dentry_path() is exactly what we want
      there.  Handling of sysctl()-triggered weirdness is moved to that place.
      	* if apparmor is asked to do pathname relative to chroot jail
      and __d_path() tells it we it's not in that jail, the sucker just calls
      d_absolute_path() instead.  That's the other remaining caller of __d_path(),
      BTW.
              * seq_path_root() does _NOT_ return -ENAMETOOLONG (it's stupid anyway -
      the normal seq_file logics will take care of growing the buffer and redoing
      the call of ->show() just fine).  However, if it gets path not reachable
      from root, it returns SEQ_SKIP.  The only caller adjusted (i.e. stopped
      ignoring the return value as it used to do).
      Reviewed-by: NJohn Johansen <john.johansen@canonical.com>
      ACKed-by: NJohn Johansen <john.johansen@canonical.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      Cc: stable@vger.kernel.org
      02125a82
  2. 02 12月, 2011 5 次提交
    • L
      Linux 3.2-rc4 · 5611cc45
      Linus Torvalds 提交于
      5611cc45
    • L
      Merge branch 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jlbec/ocfs2 · 0a4ebed7
      Linus Torvalds 提交于
      * 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jlbec/ocfs2: (31 commits)
        ocfs2: avoid unaligned access to dqc_bitmap
        ocfs2: Use filemap_write_and_wait() instead of write_inode_now()
        ocfs2: honor O_(D)SYNC flag in fallocate
        ocfs2: Add a missing journal credit in ocfs2_link_credits() -v2
        ocfs2: send correct UUID to cleancache initialization
        ocfs2: Commit transactions in error cases -v2
        ocfs2: make direntry invalid when deleting it
        fs/ocfs2/dlm/dlmlock.c: free kmem_cache_zalloc'd data using kmem_cache_free
        ocfs2: Avoid livelock in ocfs2_readpage()
        ocfs2: serialize unaligned aio
        ocfs2: Implement llseek()
        ocfs2: Fix ocfs2_page_mkwrite()
        ocfs2: Add comment about orphan scanning
        ocfs2: Clean up messages in the fs
        ocfs2/cluster: Cluster up now includes network connections too
        ocfs2/cluster: Add new function o2net_fill_node_map()
        ocfs2/cluster: Fix output in file elapsed_time_in_ms
        ocfs2/dlm: dlmlock_remote() needs to account for remastery
        ocfs2/dlm: Take inflight reference count for remotely mastered resources too
        ocfs2/dlm: Cleanup dlm_wait_for_node_death() and dlm_wait_for_node_recovery()
        ...
      0a4ebed7
    • A
      ocfs2: avoid unaligned access to dqc_bitmap · 93925579
      Akinobu Mita 提交于
      The dqc_bitmap field of struct ocfs2_local_disk_chunk is 32-bit aligned,
      but not 64-bit aligned.  The dqc_bitmap is accessed by ocfs2_set_bit(),
      ocfs2_clear_bit(), ocfs2_test_bit(), or ocfs2_find_next_zero_bit().  These
      are wrapper macros for ext2_*_bit() which need to take an unsigned long
      aligned address (though some architectures are able to handle unaligned
      address correctly)
      
      So some 64bit architectures may not be able to access the dqc_bitmap
      correctly.
      
      This avoids such unaligned access by using another wrapper functions for
      ext2_*_bit().  The code is taken from fs/ext4/mballoc.c which also need to
      handle unaligned bitmap access.
      Signed-off-by: NAkinobu Mita <akinobu.mita@gmail.com>
      Acked-by: NJoel Becker <jlbec@evilplan.org>
      Cc: Mark Fasheh <mfasheh@suse.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NJoel Becker <jlbec@evilplan.org>
      93925579
    • L
      Merge branch 'fixes' of http://ftp.arm.linux.org.uk/pub/linux/arm/kernel/git-cur/linux-2.6-arm · 3b120ab7
      Linus Torvalds 提交于
      * 'fixes' of http://ftp.arm.linux.org.uk/pub/linux/arm/kernel/git-cur/linux-2.6-arm:
        ARM: 7182/1: ARM cpu topology: fix warning
        ARM: 7181/1: Restrict kprobes probing SWP instructions to ARMv5 and below
        ARM: 7180/1: Change kprobes testcase with unpredictable STRD instruction
        ARM: 7177/1: GIC: avoid skipping non-existent PPIs in irq_start calculation
        ARM: 7176/1: cpu_pm: register GIC PM notifier only once
        ARM: 7175/1: add subname parameter to mfp_set_groupg callers
        ARM: 7174/1: Fix build error in kprobes test code on Thumb2 kernels
        ARM: 7172/1: dma: Drop GFP_COMP for DMA memory allocations
        ARM: 7171/1: unwind: add unwind directives to bitops assembly macros
        ARM: 7170/2: fix compilation breakage in entry-armv.S
        ARM: 7168/1: use cache type functions for arch_get_unmapped_area
        ARM: perf: check that we have a platform device when reserving PMU
        ARM: 7166/1: Use PMD_SHIFT instead of PGDIR_SHIFT in dma-consistent.c
        ARM: 7165/2: PL330: Fix typo in _prepare_ccr()
        ARM: 7163/2: PL330: Only register usable channels
        ARM: 7162/1: errata: tidy up Kconfig options for PL310 errata workarounds
        ARM: 7161/1: errata: no automatic store buffer drain
        ARM: perf: initialise used_mask for fake PMU during validation
        ARM: PMU: remove pmu_init declaration
        ARM: PMU: re-export release_pmu symbol to modules
      3b120ab7
    • L
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs · b930c264
      Linus Torvalds 提交于
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
        Btrfs: fix meta data raid-repair merge problem
        Btrfs: skip allocation attempt from empty cluster
        Btrfs: skip block groups without enough space for a cluster
        Btrfs: start search for new cluster at the beginning
        Btrfs: reset cluster's max_size when creating bitmap
        Btrfs: initialize new bitmaps' list
        Btrfs: fix oops when calling statfs on readonly device
        Btrfs: Don't error on resizing FS to same size
        Btrfs: fix deadlock on metadata reservation when evicting a inode
        Fix URL of btrfs-progs git repository in docs
        btrfs scrub: handle -ENOMEM from init_ipath()
      b930c264
  3. 01 12月, 2011 18 次提交
  4. 30 11月, 2011 6 次提交
    • R
      a493f1a2
    • L
      Merge branch 'pm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 8cd79203
      Linus Torvalds 提交于
      * 'pm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        PM: Update comments describing device power management callbacks
        PM / Sleep: Update documentation related to system wakeup
        PM / Runtime: Make documentation follow the new behavior of irq_safe
        PM / Sleep: Correct inaccurate information in devices.txt
        PM / Domains: Document how PM domains are used by the PM core
        PM / Hibernate: Do not leak memory in error/test code paths
      8cd79203
    • E
      IB: Fix RCU lockdep splats · 580da35a
      Eric Dumazet 提交于
      Commit f2c31e32 ("net: fix NULL dereferences in check_peer_redir()")
      forgot to take care of infiniband uses of dst neighbours.
      
      Many thanks to Marc Aurele who provided a nice bug report and feedback.
      Reported-by: NMarc Aurele La France <tsi@ualberta.ca>
      Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
      Cc: David Miller <davem@davemloft.net>
      Cc: <stable@kernel.org>
      Signed-off-by: NRoland Dreier <roland@purestorage.com>
      580da35a
    • M
      IB/ipoib: Prevent hung task or softlockup processing multicast response · 3874397c
      Mike Marciniszyn 提交于
      This following can occur with ipoib when processing a multicast reponse:
      
          BUG: soft lockup - CPU#0 stuck for 67s! [ib_mad1:982]
          Modules linked in: ...
          CPU 0:
          Modules linked in: ...
          Pid: 982, comm: ib_mad1 Not tainted 2.6.32-131.0.15.el6.x86_64 #1 ProLiant DL160 G5
          RIP: 0010:[<ffffffff814ddb27>]  [<ffffffff814ddb27>] _spin_unlock_irqrestore+0x17/0x20
          RSP: 0018:ffff8802119ed860  EFLAGS: 00000246
          0000000000000004 RBX: ffff8802119ed860 RCX: 000000000000a299
          RDX: ffff88021086c700 RSI: 0000000000000246 RDI: 0000000000000246
          RBP: ffffffff8100bc8e R08: ffff880210ac229c R09: 0000000000000000
          R10: ffff88021278aab8 R11: 0000000000000000 R12: ffff8802119ed860
          R13: ffffffff8100be6e R14: 0000000000000001 R15: 0000000000000003
          FS:  0000000000000000(0000) GS:ffff880028200000(0000) knlGS:0000000000000000
          CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
          CR2: 00000000006d4840 CR3: 0000000209aa5000 CR4: 00000000000406f0
          DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
          DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
          Call Trace:
          [<ffffffffa032c247>] ? ipoib_mcast_send+0x157/0x480 [ib_ipoib]
          [<ffffffff8100bc8e>] ? apic_timer_interrupt+0xe/0x20
          [<ffffffff8100bc8e>] ? apic_timer_interrupt+0xe/0x20
          [<ffffffffa03283d4>] ? ipoib_path_lookup+0x124/0x2d0 [ib_ipoib]
          [<ffffffffa03286fc>] ? ipoib_start_xmit+0x17c/0x430 [ib_ipoib]
          [<ffffffff8141e758>] ? dev_hard_start_xmit+0x2c8/0x3f0
          [<ffffffff81439d0a>] ? sch_direct_xmit+0x15a/0x1c0
          [<ffffffff81423098>] ? dev_queue_xmit+0x388/0x4d0
          [<ffffffffa032d6b7>] ? ipoib_mcast_join_finish+0x2c7/0x510 [ib_ipoib]
          [<ffffffffa032dab8>] ? ipoib_mcast_sendonly_join_complete+0x1b8/0x1f0 [ib_ipoib]
          [<ffffffffa02a0946>] ? mcast_work_handler+0x1a6/0x710 [ib_sa]
          [<ffffffffa015f01e>] ? ib_send_mad+0xfe/0x3c0 [ib_mad]
          [<ffffffffa00f6c93>] ? ib_get_cached_lmc+0xa3/0xb0 [ib_core]
          [<ffffffffa02a0f9b>] ? join_handler+0xeb/0x200 [ib_sa]
          [<ffffffffa029e4fc>] ? ib_sa_mcmember_rec_callback+0x5c/0xa0 [ib_sa]
          [<ffffffffa029e79c>] ? recv_handler+0x3c/0x70 [ib_sa]
          [<ffffffffa01603a4>] ? ib_mad_completion_handler+0x844/0x9d0 [ib_mad]
          [<ffffffffa015fb60>] ? ib_mad_completion_handler+0x0/0x9d0 [ib_mad]
          [<ffffffff81088830>] ? worker_thread+0x170/0x2a0
          [<ffffffff8108e160>] ? autoremove_wake_function+0x0/0x40
          [<ffffffff810886c0>] ? worker_thread+0x0/0x2a0
          [<ffffffff8108ddf6>] ? kthread+0x96/0xa0
          [<ffffffff8100c1ca>] ? child_rip+0xa/0x20
      
      Coinciding with stack trace is the following message:
      
          ib0: ib_address_create failed
      
      The code below in ipoib_mcast_join_finish() will note the above
      failure in the address handle but otherwise continue:
      
                      ah = ipoib_create_ah(dev, priv->pd, &av);
                      if (!ah) {
                              ipoib_warn(priv, "ib_address_create failed\n");
                      } else {
      
      The while loop at the bottom of ipoib_mcast_join_finish() will attempt
      to send queued multicast packets in mcast->pkt_queue and eventually
      end up in ipoib_mcast_send():
      
              if (!mcast->ah) {
                      if (skb_queue_len(&mcast->pkt_queue) < IPOIB_MAX_MCAST_QUEUE)
                              skb_queue_tail(&mcast->pkt_queue, skb);
                      else {
                              ++dev->stats.tx_dropped;
                              dev_kfree_skb_any(skb);
                      }
      
      My read is that the code will requeue the packet and return to the
      ipoib_mcast_join_finish() while loop and the stage is set for the
      "hung" task diagnostic as the while loop never sees a non-NULL ah, and
      will do nothing to resolve.
      
      There are GFP_ATOMIC allocates in the provider routines, so this is
      possible and should be dealt with.
      
      The test that induced the failure is associated with a host SM on the
      same server during a shutdown.
      
      This patch causes ipoib_mcast_join_finish() to exit with an error
      which will flush the queued mcast packets.  Nothing is done to unwind
      the QP attached state so that subsequent sends from above will retry
      the join.
      Reviewed-by: NRam Vepa <ram.vepa@qlogic.com>
      Reviewed-by: NGary Leshner <gary.leshner@qlogic.com>
      Signed-off-by: NMike Marciniszyn <mike.marciniszyn@qlogic.com>
      Signed-off-by: NRoland Dreier <roland@purestorage.com>
      3874397c
    • L
      Merge branch 'slab/urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/penberg/linux · 57db53b0
      Linus Torvalds 提交于
      * 'slab/urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/penberg/linux:
        slub: avoid potential NULL dereference or corruption
        slub: use irqsafe_cpu_cmpxchg for put_cpu_partial
        slub: move discard_slab out of node lock
        slub: use correct parameter to add a page to partial list tail
      57db53b0
    • L
      Merge branch 'dev' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 · 883381d9
      Linus Torvalds 提交于
      * 'dev' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
        ext4: fix racy use-after-free in ext4_end_io_dio()
      883381d9
  5. 29 11月, 2011 10 次提交