1. 15 11月, 2012 4 次提交
  2. 13 11月, 2012 11 次提交
  3. 11 11月, 2012 2 次提交
  4. 08 11月, 2012 13 次提交
  5. 20 10月, 2012 1 次提交
  6. 19 10月, 2012 1 次提交
  7. 17 10月, 2012 3 次提交
    • T
      NLM: nlm_lookup_file() may return NLMv4-specific error codes · cd0b16c1
      Trond Myklebust 提交于
      If the filehandle is stale, or open access is denied for some reason,
      nlm_fopen() may return one of the NLMv4-specific error codes nlm4_stale_fh
      or nlm4_failed. These get passed right through nlm_lookup_file(),
      and so when nlmsvc_retrieve_args() calls the latter, it needs to filter
      the result through the cast_status() machinery.
      
      Failure to do so, will trigger the BUG_ON() in encode_nlm_stat...
      Signed-off-by: NTrond Myklebust <Trond.Myklebust@netapp.com>
      Reported-by: NLarry McVoy <lm@bitmover.com>
      Cc: stable@kernel.org
      Signed-off-by: NJ. Bruce Fields <bfields@redhat.com>
      cd0b16c1
    • D
      mm, mempolicy: fix printing stack contents in numa_maps · 32f8516a
      David Rientjes 提交于
      When reading /proc/pid/numa_maps, it's possible to return the contents of
      the stack where the mempolicy string should be printed if the policy gets
      freed from beneath us.
      
      This happens because mpol_to_str() may return an error the
      stack-allocated buffer is then printed without ever being stored.
      
      There are two possible error conditions in mpol_to_str():
      
       - if the buffer allocated is insufficient for the string to be stored,
         and
      
       - if the mempolicy has an invalid mode.
      
      The first error condition is not triggered in any of the callers to
      mpol_to_str(): at least 50 bytes is always allocated on the stack and this
      is sufficient for the string to be written.  A future patch should convert
      this into BUILD_BUG_ON() since we know the maximum strlen possible, but
      that's not -rc material.
      
      The second error condition is possible if a race occurs in dropping a
      reference to a task's mempolicy causing it to be freed during the read().
      The slab poison value is then used for the mode and mpol_to_str() returns
      -EINVAL.
      
      This race is only possible because get_vma_policy() believes that
      mm->mmap_sem protects task->mempolicy, which isn't true.  The exit path
      does not hold mm->mmap_sem when dropping the reference or setting
      task->mempolicy to NULL: it uses task_lock(task) instead.
      
      Thus, it's required for the caller of a task mempolicy to hold
      task_lock(task) while grabbing the mempolicy and reading it.  Callers with
      a vma policy store their mempolicy earlier and can simply increment the
      reference count so it's guaranteed not to be freed.
      Reported-by: NDave Jones <davej@redhat.com>
      Signed-off-by: NDavid Rientjes <rientjes@google.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      32f8516a
    • A
      fix a leak in replace_fd() users · 45525b26
      Al Viro 提交于
      replace_fd() began with "eats a reference, tries to insert into
      descriptor table" semantics; at some point I'd switched it to
      much saner current behaviour ("try to insert into descriptor
      table, grabbing a new reference if inserted; caller should do
      fput() in any case"), but forgot to update the callers.
      Mea culpa...
      
      [Spotted by Pavel Roskin, who has really weird system with pipe-fed
      coredumps as part of what he considers a normal boot ;-)]
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      45525b26
  8. 13 10月, 2012 5 次提交