1. 05 Mar, 2011 16 commits
  2. 04 Mar, 2011 7 commits
  3. 03 Mar, 2011 17 commits
    • Merge branch 'for-linus' of... · b65a0e0c
      Linus Torvalds authored
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
        DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076]
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 · 4438a02f
      Linus Torvalds authored
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (42 commits)
        MAINTAINERS: Add Andy Gospodarek as co-maintainer.
        r8169: disable ASPM
        RxRPC: Fix v1 keys
        AF_RXRPC: Handle receiving ACKALL packets
        cnic: Fix lost interrupt on bnx2x
        cnic: Prevent status block race conditions with hardware
        net: dcbnl: check correct ops in dcbnl_ieee_set()
        e1000e: disable broken PHY wakeup for ICH10 LOMs, use MAC wakeup instead
        igb: fix sparse warning
        e1000: fix sparse warning
        netfilter: nf_log: avoid oops in (un)bind with invalid nfproto values
        dccp: fix oops on Reset after close
        ipvs: fix dst_lock locking on dest update
        davinci_emac: Add Carrier Link OK check in Davinci RX Handler
        bnx2x: update driver version to 1.62.00-6
        bnx2x: properly calculate lro_mss
        bnx2x: perform statistics "action" before state transition.
        bnx2x: properly configure coefficients for MinBW algorithm (NPAR mode).
        bnx2x: Fix ethtool -t link test for MF (non-pmf) devices.
        bnx2x: Fix nvram test for single port devices.
        ...
    • Merge branch 'for-linus' of git://git.kernel.dk/linux-2.6-block · fb4b10ab
      Linus Torvalds authored
      * 'for-linus' of git://git.kernel.dk/linux-2.6-block:
        block: kill loop_mutex
        blktrace: Remove blk_fill_rwbs_rq.
        block: blk-flush shouldn't call directly into q->request_fn() __blk_run_queue()
        block: add @force_kblockd to __blk_run_queue()
        block: fix kernel-doc format for blkdev_issue_zeroout
        blk-throttle: Do not use kblockd workqueue for throtl work
    • Merge branch 'i_nlink' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 · 83360269
      Linus Torvalds authored
      * 'i_nlink' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6:
        hfs: fix rename() over non-empty directory
        udf: fix i_nlink limit
        fix reiserfs mkdir() breakage
        exofs: i_nlink races in rename()
        nilfs2: i_nlink races in rename()
        minix: i_nlink races in rename()
        ufs: i_nlink races in rename()
        sysv: i_nlink races in rename()
    • DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076] · 1362fa07
      David Howells authored
      When a DNS resolver key is instantiated with an error indication, attempts to
      read that key will result in an oops because user_read() is expecting there to
      be a payload - and there isn't one [CVE-2011-1076].
      
      Give the DNS resolver key its own read handler that returns the error cached in
      key->type_data.x[0] as an error rather than crashing.
      
      Also make the kenter() at the beginning of dns_resolver_instantiate() limit the
      amount of data it prints, since the data is not necessarily NUL-terminated.
      
      The buggy code was added in:
      
      	commit 4a2d7892
      	Author: Wang Lei <wang840925@gmail.com>
      	Date:   Wed Aug 11 09:37:58 2010 +0100
      	Subject: DNS: If the DNS server returns an error, allow that to be cached [ver #2]
      
      This can trivially be reproduced by any user with the following program
      compiled with -lkeyutils:
      
      	#include <stdlib.h>
      	#include <keyutils.h>
      	#include <err.h>
      	static char payload[] = "#dnserror=6";
      	int main()
      	{
      		key_serial_t key;
      		key = add_key("dns_resolver", "a", payload, sizeof(payload),
      			      KEY_SPEC_SESSION_KEYRING);
      		if (key == -1)
      			err(1, "add_key");
      		if (keyctl_read(key, NULL, 0) == -1)
      			err(1, "read_key");
      		return 0;
      	}
      
      What should happen is that keyctl_read() reports error 6 (ENXIO) to the user:
      
      	dns-break: read_key: No such device or address
      
      but instead the kernel oopses.
      
      This cannot be reproduced with the 'keyutils add' or 'keyutils padd' commands
      as both of those cut the data down below the NUL termination that must be
      included in the data.  Without this dns_resolver_instantiate() will return
      -EINVAL and the key will not be instantiated such that it can be read.
      
      The oops looks like:
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
      IP: [<ffffffff811b99f7>] user_read+0x4f/0x8f
      PGD 3bdf8067 PUD 385b9067 PMD 0
      Oops: 0000 [#1] SMP
      last sysfs file: /sys/devices/pci0000:00/0000:00:19.0/irq
      CPU 0
      Modules linked in:
      
      Pid: 2150, comm: dns-break Not tainted 2.6.38-rc7-cachefs+ #468                  /DG965RY
      RIP: 0010:[<ffffffff811b99f7>]  [<ffffffff811b99f7>] user_read+0x4f/0x8f
      RSP: 0018:ffff88003bf47f08  EFLAGS: 00010246
      RAX: 0000000000000001 RBX: ffff88003b5ea378 RCX: ffffffff81972368
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003b5ea378
      RBP: ffff88003bf47f28 R08: ffff88003be56620 R09: 0000000000000000
      R10: 0000000000000395 R11: 0000000000000002 R12: 0000000000000000
      R13: 0000000000000000 R14: 0000000000000000 R15: ffffffffffffffa1
      FS:  00007feab5751700(0000) GS:ffff88003e000000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000000010 CR3: 000000003de40000 CR4: 00000000000006f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process dns-break (pid: 2150, threadinfo ffff88003bf46000, task ffff88003be56090)
      Stack:
       ffff88003b5ea378 ffff88003b5ea3a0 0000000000000000 0000000000000000
       ffff88003bf47f68 ffffffff811b708e ffff88003c442bc8 0000000000000000
       00000000004005a0 00007fffba368060 0000000000000000 0000000000000000
      Call Trace:
       [<ffffffff811b708e>] keyctl_read_key+0xac/0xcf
       [<ffffffff811b7c07>] sys_keyctl+0x75/0xb6
       [<ffffffff81001f7b>] system_call_fastpath+0x16/0x1b
      Code: 75 1f 48 83 7b 28 00 75 18 c6 05 58 2b fb 00 01 be bb 00 00 00 48 c7 c7 76 1c 75 81 e8 13 c2 e9 ff 4c 8b b3 e0 00 00 00 4d 85 ed <41> 0f b7 5e 10 74 2d 4d 85 e4 74 28 e8 98 79 ee ff 49 39 dd 48
      RIP  [<ffffffff811b99f7>] user_read+0x4f/0x8f
       RSP <ffff88003bf47f08>
      CR2: 0000000000000010
      Signed-off-by: David Howells <dhowells@redhat.com>
      Acked-by: Jeff Layton <jlayton@redhat.com>
      cc: Wang Lei <wang840925@gmail.com>
      Signed-off-by: James Morris <jmorris@namei.org>
    • Merge branch 'for-linus' of git://oss.sgi.com/xfs/xfs · 4c7fd114
      Linus Torvalds authored
      * 'for-linus' of git://oss.sgi.com/xfs/xfs:
        xfs: zero proper structure size for geometry calls
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ryusuke/nilfs2 · c640e13f
      Linus Torvalds authored
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ryusuke/nilfs2:
        nilfs2: fix regression that i-flag is not set on changeless checkpoints
    • r8169: disable ASPM · ba04c7c9
      Stanislaw Gruszka authored
      For some time it has been known that ASPM causes trouble on r8169, i.e. makes
      the device randomly stop working without any errors in dmesg.
      
      Currently Tomi Leppikangas reports that a system with an r8169 device hangs
      with MCE errors when ASPM is enabled:
      https://bugzilla.redhat.com/show_bug.cgi?id=642861#c4
      
      Let's disable ASPM for r8169 devices altogether, to avoid problems with
      r8169 PCIe devices at least for some users.
      Reported-by: Tomi Leppikangas <tomi.leppikangas@gmail.com>
      Cc: stable@kernel.org
      Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • block: kill loop_mutex · fd51469f
      Petr Uzel authored
      The following steps lead to a deadlock in the kernel:
      
      dd if=/dev/zero of=img bs=512 count=1000
      losetup -f img
      mkfs.ext2 /dev/loop0
      mount -t ext2 -o loop /dev/loop0 mnt
      umount mnt/
      
      Stacktrace:
      [<c102ec04>] irq_exit+0x36/0x59
      [<c101502c>] smp_apic_timer_interrupt+0x6b/0x75
      [<c127f639>] apic_timer_interrupt+0x31/0x38
      [<c101df88>] mutex_spin_on_owner+0x54/0x5b
      [<fe2250e9>] lo_release+0x12/0x67 [loop]
      [<c10c4eae>] __blkdev_put+0x7c/0x10c
      [<c10a4da5>] fput+0xd5/0x1aa
      [<fe2250cf>] loop_clr_fd+0x1a9/0x1b1 [loop]
      [<fe225110>] lo_release+0x39/0x67 [loop]
      [<c10c4eae>] __blkdev_put+0x7c/0x10c
      [<c10a59d9>] deactivate_locked_super+0x17/0x36
      [<c10b6f37>] sys_umount+0x27e/0x2a5
      [<c10b6f69>] sys_oldumount+0xb/0xe
      [<c1002897>] sysenter_do_call+0x12/0x26
      [<ffffffff>] 0xffffffff
      
      Regression since 2a48fc0a, which introduced the private
      loop_mutex as part of the BKL removal process.
      
      As per [1], the mutex can be safely removed.
      
      [1] http://www.gossamer-threads.com/lists/linux/kernel/1341930
      
      Addresses: https://bugzilla.novell.com/show_bug.cgi?id=669394
      Addresses: https://bugzilla.kernel.org/show_bug.cgi?id=29172
      Signed-off-by: Petr Uzel <petr.uzel@suse.cz>
      Cc: stable@kernel.org
      Reviewed-by: Nikanth Karthikesan <knikanth@suse.de>
      Acked-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
    • blktrace: Remove blk_fill_rwbs_rq. · 2d3a8497
      Tao Ma authored
      If we enable trace events to trace block actions, we use
      blk_fill_rwbs_rq to analyze the corresponding actions
      in request's cmd_flags, but we only choose the minor 2 bits
      from it, so most of the other flags (e.g., REQ_SYNC) are missing.
      For example, with a sync write we get:
      write_test-2409  [001]   160.013869: block_rq_insert: 3,64 W 0 () 258135 + 8 [write_test]
      
      Since now we have integrated the flags of both bio and request,
      it is safe to pass rq->cmd_flags directly to blk_fill_rwbs and
      blk_fill_rwbs_rq isn't needed any more.
      
      With this patch, after a sync write we get:
      write_test-2417  [000]   226.603878: block_rq_insert: 3,64 WS 0 () 258135 + 8 [write_test]
      Signed-off-by: Tao Ma <boyu.mt@taobao.com>
      Acked-by: Jeff Moyer <jmoyer@redhat.com>
      Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
    • hfs: fix rename() over non-empty directory · 69102e9b
      Al Viro authored
      merge hfs_unlink() and hfs_rmdir(), while we are at it.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • udf: fix i_nlink limit · 810c1b2e
      Al Viro authored
      (256 << sizeof(x)) - 1 is not the maximal possible value of x...
      In reality, the maximal allowed value for UDF FileLinkCount is
      65535.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • fix reiserfs mkdir() breakage · 99890a3b
      Al Viro authored
      if directory has so many subdirectories that its link count is set
      to 1 (i.e. "can't tell accurately") and reiserfs_new_inode() fails,
      we shouldn't decrement the parent's link count in cleanup path;
      that's what DEC_DIR_INODE_NLINK() is for.  As it is, we end up
      with parent suddenly getting zero i_nlink, with very unpleasant
      effects.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • exofs: i_nlink races in rename() · babfe560
      Al Viro authored
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • nilfs2: i_nlink races in rename() · 30eb43d3
      Al Viro authored
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • minix: i_nlink races in rename() · 6f88049c
      Al Viro authored
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>