1. 09 Dec, 2012 3 commits
    • Jeff Layton's avatar
      cifs: extra sanity checking for cifs.idmap keys · 2ae03025
      Jeff Layton authored
      Now that we aren't so rigid about the length of the key being passed
      in, we need to be a bit more rigorous about checking the length of
      the actual data against the claimed length (a'la num_subauths field).
      
      Check for the case where userspace sends us a seemingly valid key
      with a num_subauths field that goes beyond the end of the array. If
      that happens, return -EIO and invalidate the key.
      
      Also change the other places where we check for malformed keys in this
      code to invalidate the key as well.
      Reviewed-by: default avatarShirish Pargaonkar <shirishpargaonkar@gmail.com>
      Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      2ae03025
    • Jeff Layton's avatar
      cifs: avoid extra allocation for small cifs.idmap keys · 41a9f1f6
      Jeff Layton authored
      The cifs.idmap keytype always allocates memory to hold the payload from
      userspace. In the common case where we're translating a SID to a UID or
      GID, we're allocating memory to hold something that's less than or equal
      to the size of a pointer.
      
      When the payload is the same size as a pointer or smaller, just store
      it in the payload.value union member instead. That saves us an extra
      allocation on the sid_to_id upcall.
      
      Note that we have to take extra care to check the datalen when we
      go to dereference the .data pointer in the union, but the callers
      now check that as a matter of course anyway.
      Reviewed-by: default avatarShirish Pargaonkar <shirishpargaonkar@gmail.com>
      Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      41a9f1f6
    • Jeff Layton's avatar
      cifs: simplify id_to_sid and sid_to_id mapping code · faa65f07
      Jeff Layton authored
      The cifs.idmap handling code currently causes the kernel to cache the
      data from userspace twice. It first looks in a rbtree to see if there is
      a matching entry for the given id. If there isn't then it calls
      request_key which then checks its cache and then calls out to userland
      if it doesn't have one. If the userland program establishes a mapping
      and downcalls with that info, it then gets cached in the keyring and in
      this rbtree.
      
      Aside from the double memory usage and the performance penalty in doing
      all of these extra copies, there are some nasty bugs in here too. The
      code declares four rbtrees and spinlocks to protect them, but only seems
      to use two of them. The upshot is that the same tree is used to hold
      (eg) uid:sid and sid:uid mappings. The comparitors aren't equipped to
      deal with that.
      
      I think we'd be best off to remove a layer of caching in this code. If
      this was originally done for performance reasons, then that really seems
      like a premature optimization.
      
      This patch does that -- it removes the rbtrees and the locks that
      protect them and simply has the code do a request_key call on each call
      into sid_to_id and id_to_sid. This greatly simplifies this code and
      should roughly halve the memory utilization from using the idmapping
      code.
      Reviewed-by: default avatarShirish Pargaonkar <shirishpargaonkar@gmail.com>
      Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      faa65f07
  2. 07 Dec, 2012 2 commits
  3. 05 Dec, 2012 30 commits
  4. 04 Dec, 2012 5 commits
    • Linus Torvalds's avatar
      Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux · df2fc246
      Linus Torvalds authored
      Pull module fixes from Rusty Russell:
       "Module signing build fixes for blackfin and metag"
      
      * 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux:
        modsign: add symbol prefix to certificate list
        linux/kernel.h: define SYMBOL_PREFIX
      df2fc246
    • Linus Torvalds's avatar
      Merge tag 'upstream-3.7-rc9' of git://git.infradead.org/linux-ubi · 70dcc535
      Linus Torvalds authored
      Pull UBI changes from Artem Bityutskiy:
       "Fixes for 2 brown-paperbag bugs introduced this merge window by the
        fastmap code:
      
         1.  The UBI background thread got stuck when a bit-flip happened
             because free LEBs was not removed from the "free" tree when we
             started using it.
         2.  I/O debugging checks did not work because we called a sleeping
             function in atomic context."
      
      * tag 'upstream-3.7-rc9' of git://git.infradead.org/linux-ubi:
        UBI: dont call ubi_self_check_all_ff() in __wl_get_peb()
        UBI: remove PEB from free tree in get_peb_for_wl()
      70dcc535
    • Linus Torvalds's avatar
      Merge branch 'for-3.7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq · ca50496e
      Linus Torvalds authored
      Pull workqueue fixes from Tejun Heo:
       "So, safe fixes my ass.
      
        Commit 8852aac2 ("workqueue: mod_delayed_work_on() shouldn't queue
        timer on 0 delay") had the side-effect of performing delayed_work
        sanity checks even when @delay is 0, which should be fine for any sane
        use cases.
      
        Unfortunately, megaraid was being overly ingenious.  It seemingly
        wanted to use cancel_delayed_work_sync() before cancel_work_sync() was
        introduced, but didn't want to waste the space for full delayed_work
        as it was only going to use 0 @delay.  So, it only allocated space for
        struct work_struct and then cast it to struct delayed_work and passed
        it into delayed_work functions - truly awesome engineering tradeoff to
        save some bytes.
      
        Xiaotian fixed it by making megraid allocate full delayed_work for
        now.  It should be converted to use work_struct and cancel_work_sync()
        but I think we better do that after 3.7.
      
        I added another commit to change BUG_ON()s in __queue_delayed_work()
        to WARN_ON_ONCE()s so that the kernel doesn't crash even if there are
        more such abuses."
      
      * 'for-3.7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq:
        workqueue: convert BUG_ON()s in __queue_delayed_work() to WARN_ON_ONCE()s
        megaraid: fix BUG_ON() from incorrect use of delayed work
      ca50496e
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc · 609e3ff3
      Linus Torvalds authored
      Pull sparc fixes from David Miller:
       "Two small fixes for Sparc, nobody uses sparc, so these are low risk :-)
      
         1) Piggyback is too picky about the symbol types that _start and _end
            have in the final kernel image, and it thus breaks with newer
            binutils.  Future proof by getting rid of the symbol type checks.
      
         2) exit_group() should kill register windows on sparc64 the same way
            we do for plain exit().  Thanks to Al Viro for spotting this."
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
        sparc: Fix piggyback with newer binutils.
        sparc64: exit_group should kill register windows just like plain exit.
      609e3ff3
    • Linus Torvalds's avatar
      vfs: avoid "attempt to access beyond end of device" warnings · 57302e0d
      Linus Torvalds authored
      The block device access simplification that avoided accessing the (racy)
      block size information (commit bbec0270: "blkdev_max_block: make
      private to fs/buffer.c") no longer checks the maximum block size in the
      block mapping path.
      
      That was _almost_ as simple as just removing the code entirely, because
      the readers and writers all check the size of the device anyway, so
      under normal circumstances it "just worked".
      
      However, the block size may be such that the end of the device may
      straddle one single buffer_head.  At which point we may still want to
      access the end of the device, but the buffer we use to access it
      partially extends past the end.
      
      The 'bd_set_size()' function intentionally sets the block size to avoid
      this, but mounting the device - or setting the block size by hand to
      some other value - can modify that block size.
      
      So instead, teach 'submit_bh()' about the special case of the buffer
      head straddling the end of the device, and turning such an access into a
      smaller IO access, avoiding the problem.
      
      This, btw, also means that unlike before, we can now access the whole
      device regardless of device block size setting.  So now, even if the
      device size is only 512-byte aligned, we can read and write even the
      last sector even when having a much bigger block size for accessing the
      rest of the device.
      
      So with this, we could now get rid of the 'bd_set_size()' block size
      code entirely - resulting in faster IO for the common case - but that
      would be a separate patch.
      Reported-and-tested-by: default avatarRomain Francoise <romain@orebokech.com>
      Reporeted-and-tested-by: default avatarMeelis Roos <mroos@linux.ee>
      Reported-by: default avatarTony Luck <tony.luck@intel.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      57302e0d