1. 13 Mar, 2013 3 commits
  2. 12 Mar, 2013 3 commits
    • vfs: fix pipe counter breakage · a930d879
      Al Viro authored
      If you open a pipe for neither read nor write, the pipe code will not
      add any usage counters to the pipe, causing the 'struct pipe_inode_info'
      to be potentially released early.
      
      That doesn't normally matter, since you cannot actually use the pipe,
      but the pipe release code - particularly fasync handling - still expects
      the actual pipe infrastructure to all be there.  And rather than adding
      NULL pointer checks, let's just disallow this case, the same way we
      already do for the named pipe ("fifo") case.
      
      This is ancient going back to pre-2.4 days, and until trinity, nobody
      never noticed.
      Reported-by: Dave Jones <davej@redhat.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • keys: fix race with concurrent install_user_keyrings() · 0da9dfdd
      David Howells authored
      This fixes CVE-2013-1792.
      
      There is a race in install_user_keyrings() that can cause a NULL pointer
      dereference when called concurrently for the same user if the uid and
      uid-session keyrings are not yet created.  It might be possible for an
      unprivileged user to trigger this by calling keyctl() from userspace in
      parallel immediately after logging in.
      
      Assume that we have two threads both executing lookup_user_key(), both
      looking for KEY_SPEC_USER_SESSION_KEYRING.
      
      	THREAD A			THREAD B
      	===============================	===============================
      					==>call install_user_keyrings();
      	if (!cred->user->session_keyring)
      	==>call install_user_keyrings()
      					...
      					user->uid_keyring = uid_keyring;
      	if (user->uid_keyring)
      		return 0;
      	<==
      	key = cred->user->session_keyring [== NULL]
      					user->session_keyring = session_keyring;
      	atomic_inc(&key->usage); [oops]
      
      At the point thread A dereferences cred->user->session_keyring, thread B
      hasn't updated user->session_keyring yet, but thread A assumes it is
      populated because install_user_keyrings() returned ok.
      
      The race window is really small but can be exploited if, for example,
      thread B is interrupted or preempted after initializing uid_keyring, but
      before setting session_keyring.
      
      This couldn't be reproduced on a stock kernel.  However, after placing
      a systemtap probe on 'user->session_keyring = session_keyring;' that
      introduced some delay, the kernel could be crashed reliably.
      
      Fix this by checking both pointers before deciding whether to return.
      Alternatively, the test could be done away with entirely as it is checked
      inside the mutex - but since the mutex is global, that may not be the best
      way.
      Signed-off-by: David Howells <dhowells@redhat.com>
      Reported-by: Mateusz Guzik <mguzik@redhat.com>
      Cc: <stable@kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: James Morris <james.l.morris@oracle.com>
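The interleaving from the commit message above, as a deterministic single-threaded model; this is an added example, not kernel code. `struct user`, `install_step()`, `fast_path_old()`, `fast_path_fixed()` and `lookup_during_race()` are hypothetical stand-ins, and waiting on the mutex is modeled by letting thread B finish.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical stand-ins for struct key and the per-user structure. */
struct key  { int usage; };
struct user { struct key *uid_keyring, *session_keyring; };

static struct key uid_kr, session_kr;

/* Thread B's install_user_keyrings(), split where it can be preempted:
 * step 0 publishes uid_keyring, step 1 publishes session_keyring. */
static void install_step(struct user *u, int step)
{
    if (step == 0)
        u->uid_keyring = &uid_kr;
    else
        u->session_keyring = &session_kr;
}

/* Unlocked early-return test before the fix: looks at one pointer only. */
static int fast_path_old(const struct user *u)
{
    return u->uid_keyring != NULL;
}

/* After the fix: both pointers must be set before returning early. */
static int fast_path_fixed(const struct user *u)
{
    return u->uid_keyring != NULL && u->session_keyring != NULL;
}

/* Thread A's lookup while B is paused between its two stores.
 * Returns 1 if A ends up with a valid key, -1 where the kernel would
 * have dereferenced NULL in atomic_inc(&key->usage). */
int lookup_during_race(int use_fix)
{
    struct user u = { NULL, NULL };
    struct key *key;

    install_step(&u, 0);                 /* B stores uid_keyring, is preempted */
    if (!(use_fix ? fast_path_fixed(&u) : fast_path_old(&u)))
        install_step(&u, 1);             /* A blocks on the mutex; B completes */

    key = u.session_keyring;
    if (key == NULL)
        return -1;
    key->usage++;
    return 1;
}

int main(void)
{
    printf("old check:   %d\n", lookup_during_race(0));
    printf("fixed check: %d\n", lookup_during_race(1));
    return 0;
}
```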
    • libceph: fix decoding of pgids · d6c0dd6b
      Sage Weil authored
      In 4f6a7e5e we effectively dropped support
      for the legacy encoding for the OSDMap and incremental.  However, we didn't
      fix the decoding for the pgid.
      Signed-off-by: Sage Weil <sage@inktank.com>
      Reviewed-by: Yehuda Sadeh <yehuda@inktank.com>
  3. 11 Mar, 2013 17 commits
  4. 10 Mar, 2013 7 commits
    • dcbnl: fix various netlink info leaks · 29cd8ae0
      Mathias Krause authored
      The dcb netlink interface leaks stack memory in various places:
      * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but
        copied completely,
      * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand,
        so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes
        for ieee_pfc structs, etc.,
      * the same is true for CEE -- no in-kernel driver fills the whole
        struct,
      
      Prevent all of the above stack info leaks by properly initializing the
      buffers/structures involved.
      Signed-off-by: Mathias Krause <minipli@googlemail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • rtnl: fix info leak on RTM_GETLINK request for VF devices · 84d73cd3
      Mathias Krause authored
      Initialize the mac address buffer with 0 as the driver specific function
      will probably not fill the whole buffer. In fact, all in-kernel drivers
      fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible
      bytes. Therefore we currently leak 26 bytes of stack memory to userland
      via the netlink interface.
      Signed-off-by: Mathias Krause <minipli@googlemail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
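A userspace model of the leak described in the rtnl commit above (the same pattern as the perm_addr[] case in the dcbnl commit); this is an added example, not the kernel patch. `driver_get_vf_mac()`, `fill_vf_mac()` and `leaked_bytes()` are hypothetical names, and the 0xA5 fill is a constructed marker standing in for leftover stack contents.

```c
#include <stdio.h>
#include <string.h>

#define ETH_ALEN      6    /* bytes an Ethernet driver actually writes */
#define MAX_ADDR_LEN 32    /* size of the buffer that is copied out */
#define STALE      0xA5    /* constructed marker for leftover stack bytes */

/* Hypothetical stand-in for the driver callback: fills ETH_ALEN bytes only. */
static void driver_get_vf_mac(unsigned char *mac)
{
    static const unsigned char hw[ETH_ALEN] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x01 };

    memcpy(mac, hw, ETH_ALEN);
}

/* Build the reply attribute; zero_first selects the fixed behaviour. */
static size_t fill_vf_mac(unsigned char *out, int zero_first)
{
    unsigned char mac[MAX_ADDR_LEN];

    memset(mac, STALE, sizeof(mac));     /* simulate stale stack contents */
    if (zero_first)
        memset(mac, 0, sizeof(mac));     /* the fix: initialize before the driver call */
    driver_get_vf_mac(mac);
    memcpy(out, mac, sizeof(mac));       /* all MAX_ADDR_LEN bytes go to userland */
    return sizeof(mac);
}

/* Number of stale bytes that reached the reply. */
size_t leaked_bytes(int zero_first)
{
    unsigned char out[MAX_ADDR_LEN];
    size_t n = fill_vf_mac(out, zero_first), leaked = 0;

    for (size_t i = 0; i < n; i++)
        if (out[i] == STALE)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("without init: %zu stale bytes in reply\n", leaked_bytes(0));
    printf("with init:    %zu stale bytes in reply\n", leaked_bytes(1));
    return 0;
}
```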
    • bridge: fix mdb info leaks · c085c499
      Mathias Krause authored
      The bridging code discloses heap and stack bytes via the RTM_GETMDB
      netlink interface and via the notify messages sent to group RTNLGRP_MDB
      after a successful add/del.
      
      Fix both cases by initializing all unset members/padding bytes with
      memset(0).
      
      Cc: Stephen Hemminger <stephen@networkplumber.org>
      Signed-off-by: Mathias Krause <minipli@googlemail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace · 72932611
      Linus Torvalds authored
      Pull namespace bugfixes from Eric Biederman:
       "This is three simple fixes against 3.9-rc1.  I have tested each of
        these fixes and verified they work correctly.
      
        The userns oops in key_change_session_keyring and the BUG_ON triggered
        by proc_ns_follow_link were found by Dave Jones.
      
        I am including the enhancement for mount to only trigger requests of
        filesystem modules here instead of delaying this for the 3.10 merge
        window because it is both trivial and the kind of change that tends to
        bit-rot if left untouched for two months."
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
        proc: Use nd_jump_link in proc_ns_follow_link
        fs: Limit sys_mount to only request filesystem modules (Part 2).
        fs: Limit sys_mount to only request filesystem modules.
        userns: Stop oopsing in key_change_session_keyring
    • Input: wacom - add support for 0x10d · 58694837
      Stephan Frank authored
      It is a Wacom device found in Fujitsu Lifebook T902.
      Signed-off-by: Stephan Frank <sfrank@cs.tu-berlin.de>
      Acked-by: Ping Cheng <pingc@wacom.com>
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    • Atmel MXT touchscreen: increase reset timeouts · 8343bce1
      Linus Torvalds authored
      There is a more complete atmel patch-series out by Nick Dyer that fixes
      this and other things, but in the meantime this is the minimal thing to
      get the touchscreen going on (at least my) Pixel Chromebook.
      
      Not that I want my dirty fingers near that beautiful screen, but it
      seems that a non-initialized touchscreen will also end up being a
      constant wakeup source, so you have to disable it to go to sleep.  And
      it's easier to just fix the initialization sequence.
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • sunrpc: don't attempt to cancel unitialized work · 190b1ecf
      J. Bruce Fields authored
      As of dc107402 "SUNRPC: make AF_LOCAL connect synchronous", we no longer initialize connect_worker in the
      AF_LOCAL case, resulting in warnings like:
      
          WARNING: at lib/debugobjects.c:261 debug_print_object+0x8c/0xb0() Hardware name: Bochs
          ODEBUG: assert_init not available (active state 0) object type: timer_list hint: stub_timer+0x0/0x20
          Modules linked in: iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi nfsd auth_rpcgss nfs_acl lockd sunrpc
          Pid: 4816, comm: nfsd Tainted: G        W    3.8.0-rc2-00049-gdc107402 #801
          Call Trace:
           [<ffffffff8156ec00>] ? free_obj_work+0x60/0xa0
           [<ffffffff81046aaf>] warn_slowpath_common+0x7f/0xc0
           [<ffffffff81046ba6>] warn_slowpath_fmt+0x46/0x50
           [<ffffffff8156eccc>] debug_print_object+0x8c/0xb0
           [<ffffffff81055030>] ? timer_debug_hint+0x10/0x10
           [<ffffffff8156f7e3>] debug_object_assert_init+0xe3/0x120
           [<ffffffff81057ebb>] del_timer+0x2b/0x80
           [<ffffffff8109c4e6>] ? mark_held_locks+0x86/0x110
           [<ffffffff81065a29>] try_to_grab_pending+0xd9/0x150
           [<ffffffff81065b57>] __cancel_work_timer+0x27/0xc0
           [<ffffffff81065c03>] cancel_delayed_work_sync+0x13/0x20
           [<ffffffffa0007067>] xs_destroy+0x27/0x80 [sunrpc]
           [<ffffffffa00040d8>] xprt_destroy+0x78/0xa0 [sunrpc]
           [<ffffffffa0006241>] xprt_put+0x21/0x30 [sunrpc]
           [<ffffffffa00030cf>] rpc_free_client+0x10f/0x1a0 [sunrpc]
           [<ffffffffa0002ff3>] ? rpc_free_client+0x33/0x1a0 [sunrpc]
           [<ffffffffa0002f7e>] rpc_release_client+0x6e/0xb0 [sunrpc]
           [<ffffffffa000325d>] rpc_shutdown_client+0xfd/0x1b0 [sunrpc]
           [<ffffffffa0017196>] rpcb_put_local+0x106/0x130 [sunrpc]
          ...
      Acked-by: "Myklebust, Trond" <Trond.Myklebust@netapp.com>
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
  5. 09 Mar, 2013 10 commits
    • proc: Use nd_jump_link in proc_ns_follow_link · db04dc67
      Eric W. Biederman authored
      Update proc_ns_follow_link to use nd_jump_link instead of just
      manually updating nd.path.dentry.
      
      This fixes the BUG_ON(nd->inode != parent->d_inode) reported by Dave
      Jones and reproduced trivially with mkdir /proc/self/ns/uts/a.
      
      Sigh it looks like the VFS change to require use of nd_jump_link
      happened while proc_ns_follow_link was baking and since the common case
      of proc_ns_follow_link continued to work without problems the need for
      making this change was overlooked.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs · 0aefda3e
      Linus Torvalds authored
      Pull btrfs fixes from Chris Mason:
       "These are scattered fixes and one performance improvement.  The
        biggest functional change is in how we throttle metadata changes.  The
        new code bumps our average file creation rate up by ~13% in fs_mark,
        and lowers CPU usage.
      
        Stefan bisected out a regression in our allocation code that made
        balance loop on extents larger than 256MB."
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
        Btrfs: improve the delayed inode throttling
        Btrfs: fix a mismerge in btrfs_balance()
        Btrfs: enforce min_bytes parameter during extent allocation
        Btrfs: allow running defrag in parallel to administrative tasks
        Btrfs: avoid deadlock on transaction waiting list
        Btrfs: do not BUG_ON on aborted situation
        Btrfs: do not BUG_ON in prepare_to_reloc
        Btrfs: free all recorded tree blocks on error
        Btrfs: build up error handling for merge_reloc_roots
        Btrfs: check for NULL pointer in updating reloc roots
        Btrfs: fix unclosed transaction handler when the async transaction commitment fails
        Btrfs: fix wrong handle at error path of create_snapshot() when the commit fails
        Btrfs: use set_nlink if our i_nlink is 0
    • Platform: x86: chromeos_laptop : Add basic platform data for atmel devices · 2ef39204
      Benson Leung authored
      Add basic platform data to get the current upstream driver working
      with the 224s touchpad and 1664s touchscreen.
      We will be using NULL config so we will use the settings from the
      devices' NVRAMs.
      Signed-off-by: Benson Leung <bleung@chromium.org>
      Tested-by: Olof Johansson <olof@lixom.net>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Input: atmel_mxt_ts - Support for touchpad variant · 22dfab7f
      Daniel Kurtz authored
      This same driver can be used by atmel based touchscreens and touchpads
      (buttonpads). Platform data may specify a device is a touchpad
      using the is_tp flag.
      
      This will cause the driver to perform some touchpad specific
      initializations, such as:
        * register input device name "Atmel maXTouch Touchpad" instead of
        Touchscreen.
        * register BTN_LEFT & BTN_TOOL_* event types.
        * register axis resolution (as a fixed constant, for now)
        * register BUTTONPAD property
        * process GPIO buttons using reportid T19
      
      Input event GPIO mapping is done by the platform data key_map array.
      
      key_map[x] should contain the KEY or BTN code to send when processing
      GPIOx from T19. To specify a GPIO as not an input source, populate
      with KEY_RESERVED, or 0.
      Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>
      Signed-off-by: Benson Leung <bleung@chromium.org>
      Signed-off-by: Nick Dyer <nick.dyer@itdev.co.uk>
      Tested-by: Olof Johansson <olof@lixom.net>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge branch 'for-next' of git://git.samba.org/sfrench/cifs-2.6 · 67a865a4
      Linus Torvalds authored
      Pull CIFS fixes from Steve French:
       "A small set of cifs fixes which includes one for a recent regression
        in the write path (pointed out by Anton), some fixes for rename
        problems and as promised for 3.9 removing the obsolete sockopt mount
        option (and the accompanying deprecation warning)."
      
      * 'for-next' of git://git.samba.org/sfrench/cifs-2.6:
        CIFS: Fix missing of oplock_read value in smb30_values structure
        cifs: don't try to unlock pagecache page after releasing it
        cifs: remove the sockopt= mount option
        cifs: Check server capability before attempting silly rename
        cifs: Fix bug when checking error condition in cifs_rename_pending_delete()
    • Merge branch 'akpm' (fixes from Andrew) · 59d8e5eb
      Linus Torvalds authored
      Merge misc fixes from Andrew Morton.
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        alpha: boot: fix build breakage introduced by system.h disintegration
        memcg: initialize kmem-cache destroying work earlier
        Randy has moved
        ksm: fix m68k build: only NUMA needs pfn_to_nid
        dmi_scan: fix missing check for _DMI_ signature in smbios_present()
        Revert parts of "hlist: drop the node parameter from iterators"
        idr: remove WARN_ON_ONCE() on negative IDs
        mm/mempolicy.c: fix sp_node_init() argument ordering
        mm/mempolicy.c: fix wrong sp_node insertion
        ipc: don't allocate a copy larger than max
        ipc: fix potential oops when src msg > 4k w/ MSG_COPY
    • alpha: boot: fix build breakage introduced by system.h disintegration · c3d6b628
      Will Deacon authored
      Commit ec221208 ("Disintegrate asm/system.h for Alpha") removed the
      system.h include from boot/head.S, which puts the PAL_* asm constants
      out of scope.
      
      Include <asm/pal.h> so we can get building again.
      Signed-off-by: Will Deacon <will.deacon@arm.com>
      Cc: David Rusling <david.rusling@linaro.org>
      Cc: David Howells <dhowells@redhat.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • memcg: initialize kmem-cache destroying work earlier · 15cf17d2
      Konstantin Khlebnikov authored
      Fix a warning from lockdep caused by calling cancel_work_sync() for
      uninitialized struct work.  This path has been triggered by destruction
      of kmem-cache hierarchy via destroying its root kmem-cache.
      
        cache ffff88003c072d80
        obj ffff88003b410000 cache ffff88003c072d80
        obj ffff88003b924000 cache ffff88003c20bd40
        INFO: trying to register non-static key.
        the code is fine but needs lockdep annotation.
        turning off the locking correctness validator.
        Pid: 2825, comm: insmod Tainted: G           O 3.9.0-rc1-next-20130307+ #611
        Call Trace:
          __lock_acquire+0x16a2/0x1cb0
          lock_acquire+0x8a/0x120
          flush_work+0x38/0x2a0
          __cancel_work_timer+0x89/0xf0
          cancel_work_sync+0xb/0x10
          kmem_cache_destroy_memcg_children+0x81/0xb0
          kmem_cache_destroy+0xf/0xe0
          init_module+0xcb/0x1000 [kmem_test]
          do_one_initcall+0x11a/0x170
          load_module+0x19b0/0x2320
          SyS_init_module+0xc6/0xf0
          system_call_fastpath+0x16/0x1b
      
      Example module to demonstrate:
      
        #include <linux/module.h>
        #include <linux/slab.h>
        #include <linux/mm.h>
        #include <linux/workqueue.h>
      
        int __init mod_init(void)
        {
        	int size = 256;
        	struct kmem_cache *cache;
        	void *obj;
        	struct page *page;
      
        	cache = kmem_cache_create("kmem_cache_test", size, size, 0, NULL);
        	if (!cache)
        		return -ENOMEM;
      
        	printk("cache %p\n", cache);
      
        	obj = kmem_cache_alloc(cache, GFP_KERNEL);
        	if (obj) {
        		page = virt_to_head_page(obj);
        		printk("obj %p cache %p\n", obj, page->slab_cache);
        		kmem_cache_free(cache, obj);
        	}
      
        	flush_scheduled_work();
      
        	obj = kmem_cache_alloc(cache, GFP_KERNEL);
        	if (obj) {
        		page = virt_to_head_page(obj);
        		printk("obj %p cache %p\n", obj, page->slab_cache);
        		kmem_cache_free(cache, obj);
        	}
      
        	kmem_cache_destroy(cache);
      
        	return -EBUSY;
        }
      
        module_init(mod_init);
        MODULE_LICENSE("GPL");
      Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
      Cc: Glauber Costa <glommer@parallels.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Randy has moved · 755727b7
      Randy Dunlap authored
      Update email address and CREDITS info.  xenotime.net is defunct.
      Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
      Cc: Harry Wei <harryxiyou@gmail.com>
      Cc: Keiichi KII <k-keiichi@bx.jp.nec.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • ksm: fix m68k build: only NUMA needs pfn_to_nid · d8fc16a8
      Hugh Dickins authored
      A CONFIG_DISCONTIGMEM=y m68k config gave
      
        mm/ksm.c: In function `get_kpfn_nid':
        mm/ksm.c:492: error: implicit declaration of function `pfn_to_nid'
      
      linux/mmzone.h declares it for CONFIG_SPARSEMEM and CONFIG_FLATMEM, but
      expects the arch's asm/mmzone.h to declare it for CONFIG_DISCONTIGMEM
      (see arch/mips/include/asm/mmzone.h for example).
      
      Or perhaps it is only expected when CONFIG_NUMA=y: too much of a maze,
      and m68k got away without it so far, so fix the build in mm/ksm.c.
      Signed-off-by: Hugh Dickins <hughd@google.com>
      Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
      Cc: Petr Holasek <pholasek@redhat.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>