- 09 11月, 2010 2 次提交
-
-
由 Suresh Jayaraman 提交于
Andrew Hendry reported a kmemleak warning in 2.6.37-rc1 while editing a text file with gedit over cifs. unreferenced object 0xffff88022ee08b40 (size 32): comm "gedit", pid 2524, jiffies 4300160388 (age 2633.655s) hex dump (first 32 bytes): 5c 2e 67 6f 75 74 70 75 74 73 74 72 65 61 6d 2d \.goutputstream- 35 42 41 53 4c 56 00 de 09 00 00 00 2c 26 78 ee 5BASLV......,&x. backtrace: [<ffffffff81504a4d>] kmemleak_alloc+0x2d/0x60 [<ffffffff81136e13>] __kmalloc+0xe3/0x1d0 [<ffffffffa0313db0>] build_path_from_dentry+0xf0/0x230 [cifs] [<ffffffffa031ae1e>] cifs_setattr+0x9e/0x770 [cifs] [<ffffffff8115fe90>] notify_change+0x170/0x2e0 [<ffffffff81145ceb>] sys_fchmod+0x10b/0x140 [<ffffffff8100c172>] system_call_fastpath+0x16/0x1b [<ffffffffffffffff>] 0xffffffffffffffff The commit 1025774c that removed inode_setattr() seems to have introduced this memleak by returning early without freeing 'full_path'. Reported-by: NAndrew Hendry <andrew.hendry@gmail.com> Cc: Christoph Hellwig <hch@lst.de> Reviewed-by: NJeff Layton <jlayton@redhat.com> Signed-off-by: NSuresh Jayaraman <sjayaraman@suse.de> Signed-off-by: NSteve French <sfrench@us.ibm.com>
-
由 Jeff Layton 提交于
Commit 13cfb733 made cifs_ioctl use the tlink attached to the cifsFileInfo for a filp. This ignores the case of an open directory however, which in CIFS can have a NULL private_data until a readdir is done on it. This patch re-adds the NULL pointer checks that were removed in commit 50ae28f0 and moves the setting of tcon and "caps" variables lower. Long term, a better fix would be to establish a f_op->open routine for directories that populates that field at open time, but that requires some other changes to how readdir calls are handled. Reported-by: NKjell Rune Skaaraas <kjella79@yahoo.no> Reviewed-and-Tested-by: NSuresh Jayaraman <sjayaraman@suse.de> Signed-off-by: NJeff Layton <jlayton@redhat.com> Signed-off-by: NSteve French <sfrench@us.ibm.com>
-
- 06 11月, 2010 23 次提交
-
-
由 Linus Torvalds 提交于
Commit 27ae60f8 ("ipw2x00: replace "ieee80211" with "libipw" where appropriate") changed DRV_NAME to be "libipw", but didn't properly fix up the places where it was used to specify the name for the /proc/net/ directory. For backwards compatibility reasons, that directory name remained "ieee80211", but due to the DRV_NAME change, the error case printouts and the cleanup functions now used "libipw" instead. Which made it all fail badly. For example, on module unload as reported by Randy: WARNING: at fs/proc/generic.c:816 remove_proc_entry+0x156/0x35e() name 'libipw' because it's trying to unregister a /proc directory that obviously doesn't even exist. Clean it all up to use DRV_PROCNAME for the actual /proc directory name. Reported-and-tested-by: NRandy Dunlap <randy.dunlap@oracle.com> Cc: Pavel Roskin <proski@gnu.org> Cc: John W. Linville <linville@tuxdriver.com> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
git://git.kernel.org/pub/scm/virt/kvm/kvm由 Linus Torvalds 提交于
* 'kvm-updates/2.6.37' of git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: PPC: BookE: Load the lower half of MSR KVM: PPC: BookE: fix sleep with interrupts disabled KVM: PPC: e500: Call kvm_vcpu_uninit() before kvmppc_e500_tlb_uninit(). PPC: KVM: Book E doesn't have __end_interrupts. KVM: x86: Issue smp_call_function_many with preemption disabled KVM: x86: fix information leak to userland KVM: PPC: fix information leak to userland KVM: MMU: fix rmap_remove on non present sptes KVM: Write protect memory after slot swap
-
由 Linus Torvalds 提交于
Commit 48821184 ("floppy: switch to one queue per drive instead of sharing a queue") introduced a use-after-free. We do "put_disk()" on the disk device _before_ we then clean up the queue associated with that disk. Move the put_disk() down to avoid dereferencing a free'd data structure. Cc: Jens Axboe <jaxboe@fusionio.com> Cc: Vivek Goyal <vgoyal@redhat.com> Reported-and-tested-by: NRandy Dunlap <randy.dunlap@oracle.com> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 David Daney 提交于
Commit d9ca07a0 ("watchdog: Avoid kernel crash when disabling watchdog") introduces a section mismatch. Now that we reference no_watchdog from non-__init code it can no longer be __initdata. Signed-off-by: NDavid Daney <ddaney@caviumnetworks.com> Cc: Stephane Eranian <eranian@google.com> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Ingo Molnar <mingo@elte.hu> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6由 Linus Torvalds 提交于
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (41 commits) inet_diag: Make sure we actually run the same bytecode we audited. netlink: Make nlmsg_find_attr take a const nlmsghdr*. fib: fib_result_assign() should not change fib refcounts netfilter: ip6_tables: fix information leak to userspace cls_cgroup: Fix crash on module unload memory corruption in X.25 facilities parsing net dst: fix percpu_counter list corruption and poison overwritten rds: Remove kfreed tcp conn from list rds: Lost locking in loop connection freeing de2104x: fix panic on load atl1 : fix panic on load netxen: remove unused firmware exports caif: Remove noisy printout when disconnecting caif socket caif: SPI-driver bugfix - incorrect padding. caif: Bugfix for socket priority, bindtodev and dbg channel. smsc911x: Set Ethernet EEPROM size to supported device's size ipv4: netfilter: ip_tables: fix information leak to userland ipv4: netfilter: arp_tables: fix information leak to userland cxgb4vf: remove call to stop TX queues at load time. cxgb4: remove call to stop TX queues at load time. ...
-
git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6由 Linus Torvalds 提交于
* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6: firewire: ohci: fix race when reading count in AR descriptor firewire: ohci: avoid reallocation of AR buffers firewire: ohci: fix race in AR split packet handling firewire: ohci: fix buffer overflow in AR split packet handling
-
git://git.kernel.org/pub/scm/linux/kernel/git/sfrench/cifs-2.6由 Linus Torvalds 提交于
* git://git.kernel.org/pub/scm/linux/kernel/git/sfrench/cifs-2.6: cifs: make cifs_set_oplock_level() take a cifsInodeInfo pointer cifs: dereferencing first then checking cifs: trivial comment fix: tlink_tree is now a rbtree [CIFS] Cleanup unused variable build warning cifs: convert tlink_tree to a rbtree cifs: store pointer to master tlink in superblock (try #2) cifs: trivial doc fix: note setlease implemented CIFS: Add cifs_set_oplock_level FS: cifs, remove unneeded NULL tests
-
由 Oleg Nesterov 提交于
posix-cpu-timers.c correctly assumes that the dying process does posix_cpu_timers_exit_group() and removes all !CPUCLOCK_PERTHREAD timers from signal->cpu_timers list. But, it also assumes that timer->it.cpu.task is always the group leader, and thus the dead ->task means the dead thread group. This is obviously not true after de_thread() changes the leader. After that almost every posix_cpu_timer_ method has problems. It is not simple to fix this bug correctly. First of all, I think that timer->it.cpu should use struct pid instead of task_struct. Also, the locking should be reworked completely. In particular, tasklist_lock should not be used at all. This all needs a lot of nontrivial and hard-to-test changes. Change __exit_signal() to do posix_cpu_timers_exit_group() when the old leader dies during exec. This is not the fix, just the temporary hack to hide the problem for 2.6.37 and stable. IOW, this is obviously wrong but this is what we currently have anyway: cpu timers do not work after mt exec. In theory this change adds another race. The exiting leader can detach the timers which were attached to the new leader. However, the window between de_thread() and release_task() is small, we can pretend that sys_timer_create() was called before de_thread(). Signed-off-by: NOleg Nesterov <oleg@redhat.com> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
git://git.kernel.org/pub/scm/linux/kernel/git/groeck/staging由 Linus Torvalds 提交于
* 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/staging: hwmon: (ltc4261) Fix error message format hwmon: (ltc4261) Add missing newline in debug message
-
由 Pavel Shilovsky 提交于
All the callers already have a pointer to struct cifsInodeInfo. Use it. Signed-off-by: NSuresh Jayaraman <sjayaraman@suse.de> Signed-off-by: NPavel Shilovsky <piastryyy@gmail.com> Signed-off-by: NSteve French <sfrench@us.ibm.com>
-
由 Jean Delvare 提交于
adapter->id is deprecated and not set by any adapter driver, so this was certainly not what the author wanted to use. adapter->nr maybe, but as dev_err() already includes this value, as well as the client's address, there's no point repeating them. Better print a simple error message in plain English words. Signed-off-by: NJean Delvare <khali@linux-fr.org> Cc: Guenter Roeck <guenter.roeck@ericsson.com> Signed-off-by: NGuenter Roeck <guenter.roeck@ericsson.com>
-
由 Guenter Roeck 提交于
Reported-by: NJoe Perches <joe@perches.com> Signed-off-by: NGuenter Roeck <guenter.roeck@ericsson.com> Acked-by: NJean Delvare <khali@linux-fr.org>
-
git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile由 Linus Torvalds 提交于
* git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile: arch/tile: mark "hardwall" device as non-seekable asm-generic/stat.h: support 64-bit file time_t for stat() arch/tile: don't allow user code to set the PL via ptrace or signal return arch/tile: correct double syscall restart for nested signals arch/tile: avoid __must_check warning on one strict_strtol check arch/tile: bomb raw_local_irq_ to arch_local_irq_ arch/tile: complete migration to new kmap_atomic scheme
-
由 Randy Dunlap 提交于
Add MODULE_LICENSE() that matches file comments so that kernel is not tainted. leds_net5501: module license 'unspecified' taints kernel. Signed-off-by: NRandy Dunlap <randy.dunlap@oracle.com> Acked-by: NRichard Purdie <rpurdie@linux.intel.com> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Scott Wood 提交于
This was preventing the guest from setting any bits in the hardware MSR which aren't forced on, such as MSR[SPE]. Signed-off-by: NScott Wood <scottwood@freescale.com> Signed-off-by: NAlexander Graf <agraf@suse.de>
-
由 Scott Wood 提交于
It is not legal to call mutex_lock() with interrupts disabled. This will assert with debug checks enabled. If there's a real need to disable interrupts here, it could be done after the mutex is acquired -- but I don't see why it's needed at all. Signed-off-by: NScott Wood <scottwood@freescale.com> Reviewed-by: NChristian Ehrhardt <ehrhardt@linux.vnet.ibm.com> Signed-off-by: NAlexander Graf <agraf@suse.de>
-
由 Scott Wood 提交于
The VCPU uninit calls some TLB functions, and the TLB uninit function frees the memory used by them. Signed-off-by: NScott Wood <scottwood@freescale.com> Acked-by: NLiu Yu <yu.liu@freescale.com> Signed-off-by: NAlexander Graf <agraf@suse.de>
-
由 Scott Wood 提交于
Fix an unresolved symbol with CONFIG_KVM_GUEST plus CONFIG_RELOCATABLE on Book E. Signed-off-by: NScott Wood <scottwood@freescale.com> Signed-off-by: NAlexander Graf <agraf@suse.de>
-
由 Jan Kiszka 提交于
smp_call_function_many is specified to be called only with preemption disabled. Fulfill this requirement. Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com> Signed-off-by: NMarcelo Tosatti <mtosatti@redhat.com>
-
由 Vasiliy Kulikov 提交于
Structures kvm_vcpu_events, kvm_debugregs, kvm_pit_state2 and kvm_clock_data are copied to userland with some padding and reserved fields unitialized. It leads to leaking of contents of kernel stack memory. We have to initialize them to zero. In patch v1 Jan Kiszka suggested to fill reserved fields with zeros instead of memset'ting the whole struct. It makes sense as these fields are explicitly marked as padding. No more fields need zeroing. KVM-Stable-Tag. Signed-off-by: NVasiliy Kulikov <segooon@gmail.com> Signed-off-by: NMarcelo Tosatti <mtosatti@redhat.com>
-
由 Vasiliy Kulikov 提交于
Structure kvm_ppc_pvinfo is copied to userland with flags and pad fields unitialized. It leads to leaking of contents of kernel stack memory. Signed-off-by: NVasiliy Kulikov <segooon@gmail.com> Signed-off-by: NMarcelo Tosatti <mtosatti@redhat.com>
-
由 Marcelo Tosatti 提交于
drop_spte should not attempt to rmap_remove a non present shadow pte. This fixes a BUG_ON seen on kvm-autotest. Signed-off-by: NMarcelo Tosatti <mtosatti@redhat.com> Reported-by: NLucas Meneghel Rodrigues <lmr@redhat.com> Signed-off-by: NAvi Kivity <avi@redhat.com>
-
由 Michael S. Tsirkin 提交于
I have observed the following bug trigger: 1. userspace calls GET_DIRTY_LOG 2. kvm_mmu_slot_remove_write_access is called and makes a page ro 3. page fault happens and makes the page writeable fault is logged in the bitmap appropriately 4. kvm_vm_ioctl_get_dirty_log swaps slot pointers a lot of time passes 5. guest writes into the page 6. userspace calls GET_DIRTY_LOG At point (5), bitmap is clean and page is writeable, thus, guest modification of memory is not logged and GET_DIRTY_LOG returns an empty bitmap. The rule is that all pages are either dirty in the current bitmap, or write-protected, which is violated here. It seems that just moving kvm_mmu_slot_remove_write_access down to after the slot pointer swap should fix this bug. KVM-Stable-Tag. Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NAvi Kivity <avi@redhat.com>
-
- 05 11月, 2010 7 次提交
-
-
由 Jesper Juhl 提交于
We can optimize kernel/relay.c::relay_alloc_page_array() slightly by using vzalloc. The patch makes these changes: - use vzalloc instead of vmalloc+memset. - remove redundant local variable 'array'. - declare local 'pa_size' as const. Cuts down nicely on both source and object-code size. Signed-off-by: NJesper Juhl <jj@chaosbits.net> Acked-by: NPekka Enberg <penberg@kernel.org> Acked-by: NMathieu Desnoyers <mathieu.desnoyers@efficios.com> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu由 Linus Torvalds 提交于
* 'for-linus-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu: m68k, m68knommu: Do not include linux/hardirq.h in asm/irqflags.h m68knommu: add back in declaration of do_IRQ
-
由 Jeff Layton 提交于
This patch is based on Dan's original patch. His original description is below: Smatch complained about a couple checking for NULL after dereferencing bugs. I'm not super familiar with the code so I did the conservative thing and move the dereferences after the checks. The dereferences in cifs_lock() and cifs_fsync() were added in ba00ba64 "cifs: make various routines use the cifsFileInfo->tcon pointer". The dereference in find_writable_file() was added in 6508d904 "cifs: have find_readable/writable_file filter by fsuid". The comments there say it's possible to trigger the NULL dereference under stress. Signed-off-by: NDan Carpenter <error27@gmail.com> Signed-off-by: NJeff Layton <jlayton@redhat.com> Signed-off-by: NSteve French <sfrench@us.ibm.com>
-
由 Suresh Jayaraman 提交于
Noticed while reviewing (late) the rbtree conversion patchset (which has been merged already). Cc: Jeff Layton <jlayton@redhat.com> Signed-off-by: NSuresh Jayaraman <sjayaraman@suse.de> Signed-off-by: NSteve French <sfrench@us.ibm.com>
-
由 Nelson Elhage 提交于
We were using nlmsg_find_attr() to look up the bytecode by attribute when auditing, but then just using the first attribute when actually running bytecode. So, if we received a message with two attribute elements, where only the second had type INET_DIAG_REQ_BYTECODE, we would validate and run different bytecode strings. Fix this by consistently using nlmsg_find_attr everywhere. Signed-off-by: NNelson Elhage <nelhage@ksplice.com> Signed-off-by: NThomas Graf <tgraf@infradead.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Nelson Elhage 提交于
This will let us use it on a nlmsghdr stored inside a netlink_callback. Signed-off-by: NNelson Elhage <nelhage@ksplice.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Eric Dumazet 提交于
After commit ebc0ffae (RCU conversion of fib_lookup()), fib_result_assign() should not change fib refcounts anymore. Thanks to Michael who did the bisection and bug report. Reported-by: NMichael Ellerman <michael@ellerman.id.au> Tested-by: NMichael Ellerman <michael@ellerman.id.au> Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 04 11月, 2010 8 次提交
-
-
由 Jan Engelhardt 提交于
Signed-off-by: NJan Engelhardt <jengelh@medozas.de> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Herbert Xu 提交于
Somewhere along the lines net_cls_subsys_id became a macro when cls_cgroup is built as a module. Not only did it make cls_cgroup completely useless, it also causes it to crash on module unload. This patch fixes this by removing that macro. Thanks to Eric Dumazet for diagnosing this problem. Reported-by: NRandy Dunlap <randy.dunlap@oracle.com> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au> Reviewed-by: NLi Zefan <lizf@cn.fujitsu.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 andrew hendry 提交于
Signed-of-by: NAndrew Hendry <andrew.hendry@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Xiaotian Feng 提交于
There're some percpu_counter list corruption and poison overwritten warnings in recent kernel, which is resulted by fc66f95c. commit fc66f95c switches to use percpu_counter, in ip6_route_net_init, kernel init the percpu_counter for dst entries, but, the percpu_counter is never destroyed in ip6_route_net_exit. So if the related data is freed by kernel, the freed percpu_counter is still on the list, then if we insert/remove other percpu_counter, list corruption resulted. Also, if the insert/remove option modifies the ->prev,->next pointer of the freed value, the poison overwritten is resulted then. With the following patch, the percpu_counter list corruption and poison overwritten warnings disappeared. Signed-off-by: NXiaotian Feng <dfeng@redhat.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> Cc: "Pekka Savola (ipv6)" <pekkas@netcore.fi> Cc: James Morris <jmorris@namei.org> Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org> Cc: Patrick McHardy <kaber@trash.net> Acked-by: NEric Dumazet <eric.dumazet@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Pavel Emelyanov 提交于
All the rds_tcp_connection objects are stored list, but when being freed it should be removed from there. Signed-off-by: NPavel Emelyanov <xemul@openvz.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Pavel Emelyanov 提交于
The conn is removed from list in there and this requires proper lock protection. Signed-off-by: NPavel Emelyanov <xemul@openvz.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Eric Dumazet 提交于
Its now illegal to call netif_stop_queue() before register_netdev() Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-