1. 21 Dec, 2012 10 commits
    • exec: do not leave bprm->interp on stack · b66c5984
      Kees Cook committed
      If a series of scripts are executed, each triggering module loading via
      unprintable bytes in the script header, kernel stack contents can leak
      into the command line.
      
      Normally execution of binfmt_script and binfmt_misc happens recursively.
      However, when modules are enabled, and unprintable bytes exist in the
      bprm->buf, execution will restart after attempting to load matching
      binfmt modules.  Unfortunately, the logic in binfmt_script and
      binfmt_misc does not expect to get restarted.  They leave bprm->interp
      pointing to their local stack.  This means on restart bprm->interp is
      left pointing into unused stack memory which can then be copied into the
      userspace argv areas.
      
      After additional study, it seems that both recursion and restart remain
      the desirable way to handle exec with scripts, misc, and modules.  As
      such, we need to protect the changes to interp.
      
      This changes the logic to require allocation for any changes to the
      bprm->interp.  To avoid adding a new kmalloc to every exec, the default
      value is left as-is.  Only when passing through binfmt_script or
      binfmt_misc does an allocation take place.
      
      For a proof of concept, see DoTest.sh from:
      
         http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/

      Signed-off-by: Kees Cook <keescook@chromium.org>
      Cc: halfdog <me@halfdog.net>
      Cc: P J P <ppandit@redhat.com>
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      b66c5984
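The pattern the commit message above describes, and the allocate-on-change fix, as a userspace model added here (not the kernel patch or the referenced proof of concept). All names are hypothetical, and a static buffer `frame` stands in for the handler's stack frame so that its reuse on restart is deterministic.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Userspace model of the pattern; every name here is illustrative. */
struct binprm { const char *filename, *interp; };
static const char script[] = "./script.sh", shell[] = "/bin/sh"; /* constructed */
static char frame[64]; /* stands in for a handler's reused stack frame */

/* Old pattern: interp is left pointing into the transient frame. */
static int set_interp_unsafe(struct binprm *b, const char *path)
{
    snprintf(frame, sizeof(frame), "%s", path);
    b->interp = frame;
    return 0;
}

/* Fixed pattern: any change to interp gets its own allocation. */
static int set_interp_copy(struct binprm *b, const char *path)
{
    size_t n = strlen(path) + 1;
    char *copy = malloc(n);
    if (!copy)
        return -1;
    memcpy(copy, path, n);
    if (b->interp != b->filename)
        free((void *)b->interp); /* drop an earlier private copy */
    b->interp = copy;
    return 0;
}

/* Returns 1 if interp still names the shell after the frame is reused. */
static int survives_restart(int use_copy)
{
    struct binprm b = { script, script }; /* default: no allocation */
    int ok;
    if ((use_copy ? set_interp_copy : set_interp_unsafe)(&b, shell))
        return -1;
    strcpy(frame, "UNRELATED-STACK-DATA"); /* restart reuses the frame */
    ok = strcmp(b.interp, shell) == 0;
    if (use_copy)
        free((void *)b.interp);
    return ok;
}

int main(void)
{
    printf("old: %d, fixed: %d\n", survives_restart(0), survives_restart(1));
    return 0;
}
```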
    • drivers/firmware/dmi_scan.c: fetch dmi version from SMBIOS if it exists · 9f9c9cbb
      Zhenzhong Duan committed
      The right dmi version is in SMBIOS if it's zero in DMI region
      
      This issue was originally found from an oracle bug.
      One customer noticed system UUID doesn't match between dmidecode & uek2.
      
       - HP ProLiant BL460c G6 :
         # cat /sys/devices/virtual/dmi/id/product_uuid
         00000000-0000-4C48-3031-4D5030333531
         # dmidecode | grep -i uuid
         UUID: 00000000-0000-484C-3031-4D5030333531
      
      From SMBIOS 2.6 on, the spec uses little-endian encoding for UUID rather than
      network byte order.
      
      So we need to get dmi version to distinguish.  If version is 0.0, the
      real version is taken from the SMBIOS version.  This is part of original
      kernel comment in code.
      
      [akpm@linux-foundation.org: checkpatch fixes]
      Signed-off-by: Zhenzhong Duan <zhenzhong.duan@oracle.com>
      Cc: Feng Jin <joe.jin@oracle.com>
      Cc: Jean Delvare <khali@linux-fr.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      9f9c9cbb
    • drivers/firmware/dmi_scan.c: check dmi version when get system uuid · f1d8e614
      Zhenzhong Duan committed
      As of version 2.6 of the SMBIOS specification, the first 3 fields of the
      UUID are supposed to be little-endian encoded.
      
      Also a minor fix to match variable meaning and mute checkpatch.pl
      
      [akpm@linux-foundation.org: tweak code comment]
      Signed-off-by: Zhenzhong Duan <zhenzhong.duan@oracle.com>
      Cc: Feng Jin <joe.jin@oracle.com>
      Cc: Jean Delvare <khali@linux-fr.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      f1d8e614
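The two dmi_scan.c commits above, worked through on the UUID mismatch quoted in the first one: an added example (not the kernel's code) that picks the effective version and renders the same 16 raw bytes both ways. The function names, the `VER` packing and the raw byte array are assumptions; the bytes are constructed from the two UUID strings in the commit message.

```c
#include <stdio.h>
#include <string.h>

/* Assumed packing for this example: (major << 8) | minor. */
#define VER(maj, min) (((maj) << 8) | (min))

/* A DMI-region version of 0.0 means: take the version from SMBIOS. */
static int effective_ver(int dmi_ver, int smbios_ver)
{
    return dmi_ver ? dmi_ver : smbios_ver;
}

/*
 * Render the 16 raw UUID bytes. From SMBIOS 2.6 the first three fields
 * are little-endian, so their bytes are swapped; older tables print as-is.
 */
static const char *format_uuid(const unsigned char raw[16], int ver, char out[37])
{
    static const int be[16] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15};
    static const int le[16] = {3, 2, 1, 0, 5, 4, 7, 6, 8, 9, 10, 11, 12, 13, 14, 15};
    const int *idx = ver >= VER(2, 6) ? le : be;
    char *p = out;
    int i;

    for (i = 0; i < 16; i++) {
        if (i == 4 || i == 6 || i == 8 || i == 10)
            *p++ = '-';
        p += sprintf(p, "%02X", raw[idx[i]]);
    }
    return out;
}

/* Raw bytes constructed from the two UUID strings in the commit message. */
static const unsigned char sample[16] = {
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4C, 0x48,
    0x30, 0x31, 0x4D, 0x50, 0x30, 0x33, 0x35, 0x31
};

int main(void)
{
    char a[37], b[37];

    printf("byte order as stored: %s\n", format_uuid(sample, VER(2, 5), a));
    printf("SMBIOS 2.6 and later: %s\n", format_uuid(sample, effective_ver(0, VER(2, 6)), b));
    return 0;
}
```

The first line reproduces the sysfs value from the report and the second the dmidecode value.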
    • Documentation: kernel-parameters.txt remove capability.disable · 038b358e
      Josh Boyer committed
      Remove the documentation for capability.disable.  The code supporting
      this parameter was removed with commit 5915eb53 ("security: remove
      dummy module")
      Signed-off-by: Josh Boyer <jwboyer@redhat.com>
      Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
      Cc: Rob Landley <rob@landley.net>
      Cc: Miklos Szeredi <mszeredi@suse.cz>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      038b358e
    • mm: fix calculation of dirtyable memory · c8b74c2f
      Sonny Rao committed
      The system uses global_dirtyable_memory() to calculate number of
      dirtyable pages/pages that can be allocated to the page cache.  A bug
      causes an underflow thus making the page count look like a big unsigned
      number.  This in turn confuses the dirty writeback throttling to
      aggressively write back pages as they become dirty (usually 1 page at a
      time).  This generally only affects systems with highmem because the
      underflowed count gets subtracted from the global count of dirtyable
      memory.
      
      The problem was introduced with v3.2-4896-gab8fabd4
      
      Fix is to ensure we don't get an underflowed total of either highmem or
      global dirtyable memory.
      Signed-off-by: Sonny Rao <sonnyrao@chromium.org>
      Signed-off-by: Puneet Kumar <puneetster@chromium.org>
      Acked-by: Johannes Weiner <hannes@cmpxchg.org>
      Tested-by: Damien Wyart <damien.wyart@free.fr>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      c8b74c2f
    • compaction: fix build error in CMA && !COMPACTION · 010fc29a
      Minchan Kim committed
      isolate_freepages_block() and isolate_migratepages_range() are used for
      CMA as well as compaction so it breaks build for CONFIG_CMA &&
      !CONFIG_COMPACTION.
      
      This patch fixes it.
      
      [akpm@linux-foundation.org: add "do { } while (0)", per Mel]
      Signed-off-by: Minchan Kim <minchan@kernel.org>
      Cc: Mel Gorman <mgorman@suse.de>
      Cc: Marek Szyprowski <m.szyprowski@samsung.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      010fc29a
    • Merge tag 'iommu-updates-v3.8' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · 787314c3
      Linus Torvalds committed
      Pull IOMMU updates from Joerg Roedel:
       "A few new features this merge-window.  The most important one is
        probably, that dma-debug now warns if a dma-handle is not checked with
        dma_mapping_error by the device driver.  This requires minor changes
        to some architectures which make use of dma-debug.  Most of these
        changes have the respective Acks by the Arch-Maintainers.
      
        Besides that there are updates to the AMD IOMMU driver to refactor
        the IOMMU-Groups support and to make sure it does not trigger a
        hardware erratum.
      
        The OMAP changes (for which I pulled in a branch from Tony Lindgren's
        tree) have a conflict in linux-next with the arm-soc tree.  The
        conflict is in the file arch/arm/mach-omap2/clock44xx_data.c which is
        deleted in the arm-soc tree.  It is safe to delete the file too so
        solve the conflict.  Similar changes are done in the arm-soc tree in
        the common clock framework migration.  A missing hunk from the patch
        in the IOMMU tree will be submitted as a separate patch when the
        merge-window is closed."
      
      * tag 'iommu-updates-v3.8' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu: (29 commits)
        ARM: dma-mapping: support debug_dma_mapping_error
        ARM: OMAP4: hwmod data: ipu and dsp to use parent clocks instead of leaf clocks
        iommu/omap: Adapt to runtime pm
        iommu/omap: Migrate to hwmod framework
        iommu/omap: Keep mmu enabled when requested
        iommu/omap: Remove redundant clock handling on ISR
        iommu/amd: Remove obsolete comment
        iommu/amd: Don't use 512GB pages
        iommu/tegra: smmu: Move bus_set_iommu after probe for multi arch
        iommu/tegra: gart: Move bus_set_iommu after probe for multi arch
        iommu/tegra: smmu: Remove unnecessary PTC/TLB flush all
        tile: dma_debug: add debug_dma_mapping_error support
        sh: dma_debug: add debug_dma_mapping_error support
        powerpc: dma_debug: add debug_dma_mapping_error support
        mips: dma_debug: add debug_dma_mapping_error support
        microblaze: dma-mapping: support debug_dma_mapping_error
        ia64: dma_debug: add debug_dma_mapping_error support
        c6x: dma_debug: add debug_dma_mapping_error support
        ARM64: dma_debug: add debug_dma_mapping_error support
        intel-iommu: Prevent devices with RMRRs from being placed into SI Domain
        ...
      787314c3
    • intel-iommu: Free old page tables before creating superpage · 6491d4d0
      Woodhouse, David committed
      The dma_pte_free_pagetable() function will only free a page table page
      if it is asked to free the *entire* 2MiB range that it covers. So if a
      page table page was used for one or more small mappings, it's likely to
      end up still present in the page tables... but with no valid PTEs.
      
      This was fine when we'd only be repopulating it with 4KiB PTEs anyway
      but the same virtual address range can end up being reused for a
      *large-page* mapping. And in that case we were trying to insert the
      large page into the second-level page table, and getting a complaint
      from the sanity check in __domain_mapping() because there was already a
      corresponding entry. This was *relatively* harmless; it led to a memory
      leak of the old page table page, but no other ill-effects.
      
      Fix it by calling dma_pte_clear_range (hopefully redundant) and
      dma_pte_free_pagetable() before setting up the new large page.
      Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
      Tested-by: Ravi Murty <Ravi.Murty@intel.com>
      Tested-by: Sudeep Dutt <sudeep.dutt@intel.com>
      Cc: stable@kernel.org [3.0+]
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      6491d4d0
    • ARM: OMAP: Fix build breakage due to missing include in i2c.c · 18000985
      Vaibhav Bedia committed
      Merge commit 752451f0 ("Merge branch 'i2c-embedded/for-next' of
      git://git.pengutronix.de/git/wsa/linux") resulted in a build breakage
      for OMAP
      
        arch/arm/mach-omap2/i2c.c: In function 'omap_pm_set_max_mpu_wakeup_lat_compat':
        arch/arm/mach-omap2/i2c.c:130:2: error: implicit declaration of function 'omap_pm_set_max_mpu_wakeup_lat'
        make[1]: *** [arch/arm/mach-omap2/i2c.o] Error 1
      
      Fix this by including the appropriate header file with the function
      prototype.
      Reported-by: Fengguang Wu <fengguang.wu@intel.com>
      Signed-off-by: Vaibhav Bedia <vaibhav.bedia@ti.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      18000985
    • Merge tag 'virtio-next-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux · b7dfde95
      Linus Torvalds committed
      Pull virtio update from Rusty Russell:
       "Some nice cleanups, and even a patch my wife did as a "live" demo for
        Latinoware 2012.
      
        There's a slightly non-trivial merge in virtio-net, as we cleaned up
        the virtio add_buf interface while DaveM accepted the mq virtio-net
        patches."
      
      * tag 'virtio-next-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux: (27 commits)
        virtio_console: Add support for remoteproc serial
        virtio_console: Merge struct buffer_token into struct port_buffer
        virtio: add drv_to_virtio to make code clearly
        virtio: use dev_to_virtio wrapper in virtio
        virtio-mmio: Fix irq parsing in command line parameter
        virtio_console: Free buffers from out-queue upon close
        virtio: Convert dev_printk(KERN_<LEVEL> to dev_<level>(
        virtio_console: Use kmalloc instead of kzalloc
        virtio_console: Free buffer if splice fails
        virtio: tools: make it clear that virtqueue_add_buf() no longer returns > 0
        virtio: scsi: make it clear that virtqueue_add_buf() no longer returns > 0
        virtio: rpmsg: make it clear that virtqueue_add_buf() no longer returns > 0
        virtio: net: make it clear that virtqueue_add_buf() no longer returns > 0
        virtio: console: make it clear that virtqueue_add_buf() no longer returns > 0
        virtio: make virtqueue_add_buf() returning 0 on success, not capacity.
        virtio: console: don't rely on virtqueue_add_buf() returning capacity.
        virtio_net: don't rely on virtqueue_add_buf() returning capacity.
        virtio-net: remove unused skb_vnet_hdr->num_sg field
        virtio-net: correct capacity math on ring full
        virtio: move queue_index and num_free fields into core struct virtqueue.
        ...
      b7dfde95
  2. 20 Dec, 2012 30 commits