1. 02 12月, 2013 4 次提交
    • D
      KEYS: Fix searching of nested keyrings · 9c5e45df
      David Howells 提交于
      If a keyring contains more than 16 keyrings (the capacity of a single node in
      the associative array) then those keyrings are split over multiple nodes
      arranged as a tree.
      
      If search_nested_keyrings() is called to search the keyring then it will
      attempt to manually walk over just the 0 branch of the associative array tree
      where all the keyring links are stored.  This works provided the key is found
      before the algorithm steps from one node containing keyrings to a child node
      or if there are sufficiently few keyring links that the keyrings are all in
      one node.
      
      However, if the algorithm does need to step from a node to a child node, it
      doesn't change the node pointer unless a shortcut also gets transited.  This
      means that the algorithm will keep scanning the same node over and over again
      without terminating and without returning.
      
      To fix this, move the internal-pointer-to-node translation from inside the
      shortcut transit handler so that it applies it to node arrival as well.
      
      This can be tested by:
      
      	r=`keyctl newring sandbox @s`
      	for ((i=0; i<=16; i++)); do keyctl newring ring$i $r; done
      	for ((i=0; i<=16; i++)); do keyctl add user a$i a %:ring$i; done
      	for ((i=0; i<=16; i++)); do keyctl search $r user a$i; done
      	for ((i=17; i<=20; i++)); do keyctl search $r user a$i; done
      
      The searches should all complete successfully (or with an error for 17-20),
      but instead one or more of them will hang.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Tested-by: NStephen Gallagher <sgallagh@redhat.com>
      9c5e45df
    • D
      KEYS: Fix multiple key add into associative array · 23fd78d7
      David Howells 提交于
      If sufficient keys (or keyrings) are added into a keyring such that a node in
      the associative array's tree overflows (each node has a capacity N, currently
      16) and such that all N+1 keys have the same index key segment for that level
      of the tree (the level'th nibble of the index key), then assoc_array_insert()
      calls ops->diff_objects() to indicate at which bit position the two index keys
      vary.
      
      However, __key_link_begin() passes a NULL object to assoc_array_insert() with
      the intention of supplying the correct pointer later before we commit the
      change.  This means that keyring_diff_objects() is given a NULL pointer as one
      of its arguments which it does not expect.  This results in an oops like the
      attached.
      
      With the previous patch to fix the keyring hash function, this can be forced
      much more easily by creating a keyring and only adding keyrings to it.  Add any
      other sort of key and a different insertion path is taken - all 16+1 objects
      must want to cluster in the same node slot.
      
      This can be tested by:
      
      	r=`keyctl newring sandbox @s`
      	for ((i=0; i<=16; i++)); do keyctl newring ring$i $r; done
      
      This should work fine, but oopses when the 17th keyring is added.
      
      Since ops->diff_objects() is always called with the first pointer pointing to
      the object to be inserted (ie. the NULL pointer), we can fix the problem by
      changing the to-be-inserted object pointer to point to the index key passed
      into assoc_array_insert() instead.
      
      Whilst we're at it, we also switch the arguments so that they are the same as
      for ->compare_object().
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000088
      IP: [<ffffffff81191ee4>] hash_key_type_and_desc+0x18/0xb0
      ...
      RIP: 0010:[<ffffffff81191ee4>] hash_key_type_and_desc+0x18/0xb0
      ...
      Call Trace:
       [<ffffffff81191f9d>] keyring_diff_objects+0x21/0xd2
       [<ffffffff811f09ef>] assoc_array_insert+0x3b6/0x908
       [<ffffffff811929a7>] __key_link_begin+0x78/0xe5
       [<ffffffff81191a2e>] key_create_or_update+0x17d/0x36a
       [<ffffffff81192e0a>] SyS_add_key+0x123/0x183
       [<ffffffff81400ddb>] tracesys+0xdd/0xe2
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Tested-by: NStephen Gallagher <sgallagh@redhat.com>
      23fd78d7
    • D
      KEYS: Fix the keyring hash function · d54e58b7
      David Howells 提交于
      The keyring hash function (used by the associative array) is supposed to clear
      the bottommost nibble of the index key (where the hash value resides) for
      keyrings and make sure it is non-zero for non-keyrings.  This is done to make
      keyrings cluster together on one branch of the tree separately to other keys.
      
      Unfortunately, the wrong mask is used, so only the bottom two bits are
      examined and cleared and not the whole bottom nibble.  This means that keys
      and keyrings can still be successfully searched for under most circumstances
      as the hash is consistent in its miscalculation, but if a keyring's
      associative array bottom node gets filled up then approx 75% of the keyrings
      will not be put into the 0 branch.
      
      The consequence of this is that a key in a keyring linked to by another
      keyring, ie.
      
      	keyring A -> keyring B -> key
      
      may not be found if the search starts at keyring A and then descends into
      keyring B because search_nested_keyrings() only searches up the 0 branch (as it
      "knows" all keyrings must be there and not elsewhere in the tree).
      
      The fix is to use the right mask.
      
      This can be tested with:
      
      	r=`keyctl newring sandbox @s`
      	for ((i=0; i<=16; i++)); do keyctl newring ring$i $r; done
      	for ((i=0; i<=16; i++)); do keyctl add user a$i a %:ring$i; done
      	for ((i=0; i<=16; i++)); do keyctl search $r user a$i; done
      
      This creates a sandbox keyring, then creates 17 keyrings therein (labelled
      ring0..ring16).  This causes the root node of the sandbox's associative array
      to overflow and for the tree to have extra nodes inserted.
      
      Each keyring then is given a user key (labelled aN for ringN) for us to search
      for.
      
      We then search for the user keys we added, starting from the sandbox.  If
      working correctly, it should return the same ordered list of key IDs as
      for...keyctl add... did.  Without this patch, it reports ENOKEY "Required key
      not available" for some of the keys.  Just which keys get this depends as the
      kernel pointer to the key type forms part of the hash function.
      Reported-by: NNalin Dahyabhai <nalin@redhat.com>
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Tested-by: NStephen Gallagher <sgallagh@redhat.com>
      d54e58b7
    • D
      KEYS: Pre-clear struct key on allocation · 2480f57f
      David Howells 提交于
      The second word of key->payload does not get initialised in key_alloc(), but
      the big_key type is relying on it having been cleared.  The problem comes when
      big_key fails to instantiate a large key and doesn't then set the payload.  The
      big_key_destroy() op is called from the garbage collector and this assumes that
      the dentry pointer stored in the second word will be NULL if instantiation did
      not complete.
      
      Therefore just pre-clear the entire struct key on allocation rather than trying
      to be clever and only initialising to 0 only those bits that aren't otherwise
      initialised.
      
      The lack of initialisation can lead to a bug report like the following if
      big_key failed to initialise its file:
      
      	general protection fault: 0000 [#1] SMP
      	Modules linked in: ...
      	CPU: 0 PID: 51 Comm: kworker/0:1 Not tainted 3.10.0-53.el7.x86_64 #1
      	Hardware name: Dell Inc. PowerEdge 1955/0HC513, BIOS 1.4.4 12/09/2008
      	Workqueue: events key_garbage_collector
      	task: ffff8801294f5680 ti: ffff8801296e2000 task.ti: ffff8801296e2000
      	RIP: 0010:[<ffffffff811b4a51>] dput+0x21/0x2d0
      	...
      	Call Trace:
      	 [<ffffffff811a7b06>] path_put+0x16/0x30
      	 [<ffffffff81235604>] big_key_destroy+0x44/0x60
      	 [<ffffffff8122dc4b>] key_gc_unused_keys.constprop.2+0x5b/0xe0
      	 [<ffffffff8122df2f>] key_garbage_collector+0x1df/0x3c0
      	 [<ffffffff8107759b>] process_one_work+0x17b/0x460
      	 [<ffffffff8107834b>] worker_thread+0x11b/0x400
      	 [<ffffffff81078230>] ? rescuer_thread+0x3e0/0x3e0
      	 [<ffffffff8107eb00>] kthread+0xc0/0xd0
      	 [<ffffffff8107ea40>] ? kthread_create_on_node+0x110/0x110
      	 [<ffffffff815c4bec>] ret_from_fork+0x7c/0xb0
      	 [<ffffffff8107ea40>] ? kthread_create_on_node+0x110/0x110
      Reported-by: NPatrik Kis <pkis@redhat.com>
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Reviewed-by: NStephen Gallagher <sgallagh@redhat.com>
      2480f57f
  2. 30 11月, 2013 11 次提交
    • R
      ima: store address of template_fmt_copy in a pointer before calling strsep · af91706d
      Roberto Sassu 提交于
      This patch stores the address of the 'template_fmt_copy' variable in a new
      variable, called 'template_fmt_ptr', so that the latter is passed as an
      argument of strsep() instead of the former. This modification is needed
      in order to correctly free the memory area referenced by
      'template_fmt_copy' (strsep() modifies the pointer of the passed string).
      Signed-off-by: NRoberto Sassu <roberto.sassu@polito.it>
      Reported-by: NSebastian Ott <sebott@linux.vnet.ibm.com>
      Signed-off-by: NMimi Zohar <zohar@us.ibm.com>
      Signed-off-by: NJames Morris <james.l.morris@oracle.com>
      af91706d
    • L
      Linux 3.13-rc2 · dc1ccc48
      Linus Torvalds 提交于
      dc1ccc48
    • L
      Merge tag 'arm64-stable' of git://git.kernel.org/pub/scm/linux/kernel/git/cmarinas/linux-aarch64 · d5ff835f
      Linus Torvalds 提交于
      Pull ARM64 fixes from Catalin Marinas:
       - Remove preempt_count modifications in the arm64 IRQ handling code
         since that's already dealt with in generic irq_enter/irq_exit
       - PTE_PROT_NONE bit moved higher up to avoid overlapping with the
         hardware bits (for PROT_NONE mappings which are pte_present)
       - Big-endian fixes for ptrace support
       - Asynchronous aborts unmasking while in the kernel
       - pgprot_writecombine() change to create Normal NonCacheable memory
         rather than Device GRE
      
      * tag 'arm64-stable' of git://git.kernel.org/pub/scm/linux/kernel/git/cmarinas/linux-aarch64:
        arm64: Move PTE_PROT_NONE higher up
        arm64: Use Normal NonCacheable memory for writecombine
        arm64: debug: make aarch32 bkpt checking endian clean
        arm64: ptrace: fix compat registes get/set to be endian clean
        arm64: Unmask asynchronous aborts when in kernel mode
        arm64: dts: Reserve the memory used for secondary CPU release address
        arm64: let the core code deal with preempt_count
      d5ff835f
    • L
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 033dbbde
      Linus Torvalds 提交于
      Pull s390 updates from Martin Schwidefsky:
       "One performance improvement and a few bug fixes.  Two of the fixes
        deal with the clock related problems we have seen on recent kernels"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/mm: handle asce-type exceptions as normal page fault
        s390,time: revert direct ktime path for s390 clockevent device
        s390/time,vdso: convert to the new update_vsyscall interface
        s390/uaccess: add missing page table walk range check
        s390/mm: optimize copy_page
        s390/dasd: validate request size before building CCW/TCW request
        s390/signal: always restore saved runtime instrumentation psw bit
      033dbbde
    • L
      Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · dc418f6e
      Linus Torvalds 提交于
      Pull i2c fixes from Wolfram Sang:
       "Some easy but needed fixes for i2c drivers since rc1"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: bcm2835: Linking platform nodes to adapter nodes
        i2c: omap: raw read and write endian fix
        i2c: i2c-bcm-kona: Fix module build
        i2c: i2c-diolan-u2c: different usb endpoints for DLN-2-U2C
        i2c: bcm-kona: remove duplicated include
        i2c: davinci: raw read and write endian fix
      dc418f6e
    • L
      Merge branch 'for-3.13-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq · 7224b31b
      Linus Torvalds 提交于
      Pull workqueue fixes from Tejun Heo:
       "This contains one important fix.  The NUMA support added a while back
        broke ordering guarantees on ordered workqueues.  It was enforced by
        having single frontend interface with @max_active == 1 but the NUMA
        support puts multiple interfaces on unbound workqueues on NUMA
        machines thus breaking the ordered guarantee.  This is fixed by
        disabling NUMA support on ordered workqueues.
      
        The above and a couple other patches were sitting in for-3.12-fixes
        but I forgot to push that out, so they ended up waiting a bit too
        long.  My aplogies.
      
        Other fixes are minor"
      
      * 'for-3.13-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq:
        workqueue: fix pool ID allocation leakage and remove BUILD_BUG_ON() in init_workqueues
        workqueue: fix comment typo for __queue_work()
        workqueue: fix ordered workqueues in NUMA setups
        workqueue: swap set_cpus_allowed_ptr() and PF_NO_SETAFFINITY
      7224b31b
    • L
      Merge branch 'for-3.13-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata · de92a058
      Linus Torvalds 提交于
      Pull libata fixes from Tejun Heo:
       "libata device removal path was removing parent device node before its
        child, which is mostly harmless but triggers warning after recent
        sysfs changes.  Rafael's patch fixes the order.
      
        Other than that, minor controller-specific fixes and device ID
        additions"
      
      * 'for-3.13-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata:
        ATA: Fix port removal ordering
        ahci: add Marvell 9230 to the AHCI PCI device list
        ata: fix acpi_bus_get_device() return value check
        pata_arasan_cf: add missing clk_disable_unprepare() on error path
        ahci: add support for IBM Akebono platform device
      de92a058
    • L
      Merge branch 'for-3.13-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup · 2855987d
      Linus Torvalds 提交于
      Pull cgroup fixes from Tejun Heo:
       "Fixes for three issues.
      
         - cgroup destruction path could swamp system_wq possibly leading to
           deadlock.  This actually seems to happen in the wild with memcg
           because memcg destruction path adds nested dependency on system_wq.
      
           Resolved by isolating cgroup destruction work items on its
           dedicated workqueue.
      
         - Possible locking context deadlock through seqcount reported by
           lockdep
      
         - Memory leak under certain conditions"
      
      * 'for-3.13-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
        cgroup: fix cgroup_subsys_state leak for seq_files
        cpuset: Fix memory allocator deadlock
        cgroup: use a dedicated workqueue for cgroup destruction
      2855987d
    • L
      Merge tag 'sound-3.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · b8495995
      Linus Torvalds 提交于
      Pull sound fixes from Takashi Iwai:
       "Quite a few HD-Audio fixes, a WUSB audio fix and a fix for FireWire
        audio.  The HD-audio part contains a couple of fixes for the generic
        parser, and these are the only intrusive fixes.  The rest are mostly
        device-specific fixes"
      
      * tag 'sound-3.13-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda - Add LFE chmap to ASUS ET2700
        ALSA: hda - Initialize missing bass speaker pin for ASUS AIO ET2700
        ALSA: hda - limit mic boost on Asus UX31[A,E]
        ALSA: hda - Check leaf nodes to find aamix amps
        ALSA: hda - Fix hp-mic mode without VREF bits
        ALSA: hda - Create Headhpone Mic Jack Mode when really needed
        ALSA: usb: use multiple packets per urb for Wireless USB inbound audio
        ALSA: hda - Enable mute/mic-mute LEDs for more Thinkpads with Conexant codec
        ALSA: hda - Drop bus->avoid_link_reset flag
        ALSA: hda/realtek - Set pcbeep amp for ALC668
        ALSA: hda/realtek - Add support of ALC231 codec
        ALSA: firewire-lib: fix wrong value for FDF field as an empty packet
      b8495995
    • L
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · b01537bf
      Linus Torvalds 提交于
      Pull vfs dentry reference count fix from Al Viro.
      
      This fixes a possible inode_permission NULL pointer dereference (and
      other problems) that were due to the root dentry count being decremented
      too much.  In commit 48a066e7 ("RCU'd vfsmounts") the placement of
      clearing the LOOKUP_RCU bit changed, and we then returned failure of
      incrementing the lockref on the parent dentry with LOOKUP_RCU cleared.
      
      But that meant we needed to go through the same cleanup routines that
      the later failures did wrt LOOKUP_ROOT and nd->root.
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        fix bogus path_put() of nd->root after some unlazy_walk() failures
      b01537bf
    • L
      Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux · 282c183b
      Linus Torvalds 提交于
      Pull drm qxl leak fix from Dave Airlie:
       "As usual 5 mins after I send a trivial pull fix I find a real bug!
      
        This fixes a memory leak and I'd like to get it into stable queue
        asap"
      
      * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
        drm/qxl: fix memory leak in release list handling
      282c183b
  3. 29 11月, 2013 10 次提交
  4. 28 11月, 2013 15 次提交