1. 12 Mar, 2013 11 commits
    • Stephen Rothwell's avatar
      Select VIRT_TO_BUS directly where needed · 4febd95a
      Stephen Rothwell authored
      In commit 887cbce0 ("arch Kconfig: centralise ARCH_NO_VIRT_TO_BUS")
      I introduced the config sybmol HAVE_VIRT_TO_BUS and selected that where
      needed.  I am not sure what I was thinking.  Instead, just directly
      select VIRT_TO_BUS where it is needed.
      Signed-off-by: default avatarStephen Rothwell <sfr@canb.auug.org.au>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      4febd95a
    • Mathieu Desnoyers's avatar
      Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys · 8aec0f5d
      Mathieu Desnoyers authored
      Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to
      compat_process_vm_rw() shows that the compatibility code requires an
      explicit "access_ok()" check before calling
      compat_rw_copy_check_uvector(). The same difference seems to appear when
      we compare fs/read_write.c:do_readv_writev() to
      fs/compat.c:compat_do_readv_writev().
      
      This subtle difference between the compat and non-compat requirements
      should probably be debated, as it seems to be error-prone. In fact,
      there are two others sites that use this function in the Linux kernel,
      and they both seem to get it wrong:
      
      Now shifting our attention to fs/aio.c, we see that aio_setup_iocb()
      also ends up calling compat_rw_copy_check_uvector() through
      aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to
      be missing. Same situation for
      security/keys/compat.c:compat_keyctl_instantiate_key_iov().
      
      I propose that we add the access_ok() check directly into
      compat_rw_copy_check_uvector(), so callers don't have to worry about it,
      and it therefore makes the compat call code similar to its non-compat
      counterpart. Place the access_ok() check in the same location where
      copy_from_user() can trigger a -EFAULT error in the non-compat code, so
      the ABI behaviors are alike on both compat and non-compat.
      
      While we are here, fix compat_do_readv_writev() so it checks for
      compat_rw_copy_check_uvector() negative return values.
      
      And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error
      handling.
      Acked-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Acked-by: default avatarAl Viro <viro@ZenIV.linux.org.uk>
      Signed-off-by: default avatarMathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      8aec0f5d
    • Linus Torvalds's avatar
      Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux · c39ac49f
      Linus Torvalds authored
      Pull drm nouveau fixes from Dave Airlie:
       "This is just nouveau fixes from Ben, one fixes a nasty oops that some
        Fedora people have been seeing, so I'd like to get it out of the way."
      
      * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
        drm/nv50: use correct tiling methods for m2mf buffer moves
        drm/nouveau: idle channel before releasing notify object
        drm/nouveau: fix regression in vblanking
        drm/nv50: encoder creation failure doesn't mean full init failure
      c39ac49f
    • Linus Torvalds's avatar
      Merge tag 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · 6d9431a7
      Linus Torvalds authored
      Pull ARM SoC fixes from Arnd Bergmann:
       "These bug fixes are for the largest part for mvebu/kirkwood, which saw
        a few regressions after the clock infrastructure was enabled, and for
        OMAP, which showed a few more preexisting bugs with the new
        multiplatform support.
      
        Other small fixes are for imx, mxs, tegra, spear and socfpga"
      
      * tag 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: (37 commits)
        ARM: spear3xx: Use correct pl080 header file
        Arm: socfpga: pl330: Add #dma-cells for generic dma binding support
        ARM: multiplatform: Sort the max gpio numbers.
        ARM: imx: fix typo "DEBUG_IMX50_IMX53_UART"
        ARM: imx: pll1_sys should be an initial on clk
        arm: mach-orion5x: fix typo in compatible string of a .dts file
        arm: mvebu: fix address-cells in mpic DT node
        arm: plat-orion: fix address decoding when > 4GB is used
        arm: mvebu: Reduce reg-io-width with UARTs
        ARM: Dove: add RTC device node
        arm: mvebu: enable the USB ports on Armada 370 Reference Design board
        ARM: dove: drop "select COMMON_CLK_DOVE"
        rtc: rtc-mv: Add support for clk to avoid lockups
        gpio: mvebu: Add clk support to prevent lockup
        ARM: kirkwood: fix to retain gbe MAC addresses for DT kernels
        ARM: kirkwood: of_serial: fix clock gating by removing clock-frequency
        ARM: mxs: cfa10049: Fix fb initialisation function
        ARM: SPEAr13xx: Fix typo "ARCH_HAVE_CPUFREQ"
        ARM: OMAP: RX-51: add missing USB phy binding
        clk: Tegra: Remove duplicate smp_twd clock
        ...
      6d9431a7
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu · 4388817f
      Linus Torvalds authored
      Pull m68knommu fixes from Greg Ungerer:
       "It contains a few small fixes for the non-MMU m68k platforms.  Fixes
        some compilation problems, some broken header definitions, removes an
        unused config option and adds a name for the old 68000 CPU support."
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu:
        m68k: drop "select EMAC_INC"
        m68knommu: fix misnamed GPIO pin definition for ColdFire 528x CPU
        m68knommu: fix MC68328.h defines
        m68knommu: fix build when CPU is not coldfire
        m68knommu: add CPU_NAME for 68000
      4388817f
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security · fa4a6732
      Linus Torvalds authored
      Pull key management race fix from James Morris.
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
        keys: fix race with concurrent install_user_keyrings()
      fa4a6732
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client · 368edaad
      Linus Torvalds authored
      Pull Ceph fix from Sage Weil:
       "This fixes a bug in the new message decoding that just went in during
        the last window."
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client:
        libceph: fix decoding of pgids
      368edaad
    • Linus Torvalds's avatar
      Merge branch 'for-3.9' of git://linux-nfs.org/~bfields/linux · 5b22b184
      Linus Torvalds authored
      Pull nfsd bugfixes from Bruce Fields:
       "Some minor fallout from the user-namespace work broke most krb5 mounts
        to nfsd, and I screwed up a change to the AF_LOCAL rpc code."
      
      * 'for-3.9' of git://linux-nfs.org/~bfields/linux:
        sunrpc: don't attempt to cancel unitialized work
        nfsd: fix krb5 handling of anonymous principals
      5b22b184
    • Al Viro's avatar
      vfs: fix pipe counter breakage · a930d879
      Al Viro authored
      If you open a pipe for neither read nor write, the pipe code will not
      add any usage counters to the pipe, causing the 'struct pipe_inode_info"
      to be potentially released early.
      
      That doesn't normally matter, since you cannot actually use the pipe,
      but the pipe release code - particularly fasync handling - still expects
      the actual pipe infrastructure to all be there.  And rather than adding
      NULL pointer checks, let's just disallow this case, the same way we
      already do for the named pipe ("fifo") case.
      
      This is ancient going back to pre-2.4 days, and until trinity, nobody
      naver noticed.
      Reported-by: default avatarDave Jones <davej@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a930d879
    • Arnd Bergmann's avatar
      ARM: spear3xx: Use correct pl080 header file · 27f423fe
      Arnd Bergmann authored
      The definitions have move around recently, causing build errors
      in spear3xx for all configurations:
      
      spear3xx.c:47:5: error: 'PL080_BSIZE_16' undeclared here (not in a function)
      spear3xx.c:47:23: error: 'PL080_CONTROL_SB_SIZE_SHIFT' undeclared here (not in a function)
      spear3xx.c:48:22: error: 'PL080_CONTROL_DB_SIZE_SHIFT' undeclared here (not in a function)
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Cc: Alessandro Rubini <rubini@gnudd.com>
      Cc: Viresh Kumar <viresh.kumar@linaro.org>
      27f423fe
    • David Howells's avatar
      keys: fix race with concurrent install_user_keyrings() · 0da9dfdd
      David Howells authored
      This fixes CVE-2013-1792.
      
      There is a race in install_user_keyrings() that can cause a NULL pointer
      dereference when called concurrently for the same user if the uid and
      uid-session keyrings are not yet created.  It might be possible for an
      unprivileged user to trigger this by calling keyctl() from userspace in
      parallel immediately after logging in.
      
      Assume that we have two threads both executing lookup_user_key(), both
      looking for KEY_SPEC_USER_SESSION_KEYRING.
      
      	THREAD A			THREAD B
      	===============================	===============================
      					==>call install_user_keyrings();
      	if (!cred->user->session_keyring)
      	==>call install_user_keyrings()
      					...
      					user->uid_keyring = uid_keyring;
      	if (user->uid_keyring)
      		return 0;
      	<==
      	key = cred->user->session_keyring [== NULL]
      					user->session_keyring = session_keyring;
      	atomic_inc(&key->usage); [oops]
      
      At the point thread A dereferences cred->user->session_keyring, thread B
      hasn't updated user->session_keyring yet, but thread A assumes it is
      populated because install_user_keyrings() returned ok.
      
      The race window is really small but can be exploited if, for example,
      thread B is interrupted or preempted after initializing uid_keyring, but
      before doing setting session_keyring.
      
      This couldn't be reproduced on a stock kernel.  However, after placing
      systemtap probe on 'user->session_keyring = session_keyring;' that
      introduced some delay, the kernel could be crashed reliably.
      
      Fix this by checking both pointers before deciding whether to return.
      Alternatively, the test could be done away with entirely as it is checked
      inside the mutex - but since the mutex is global, that may not be the best
      way.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Reported-by: default avatarMateusz Guzik <mguzik@redhat.com>
      Cc: <stable@kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      0da9dfdd
  2. 11 Mar, 2013 23 commits
  3. 10 Mar, 2013 6 commits