1. 17 Oct, 2013 31 commits
  2. 16 Oct, 2013 8 commits
    • K. Y. Srinivasan's avatar
      Drivers: hv: vmbus: Fix a bug in channel rescind code · 90d33f3e
      K. Y. Srinivasan authored
      Rescind of subchannels were not being correctly handled. Fix the bug.
      Signed-off-by: default avatarK. Y. Srinivasan <kys@microsoft.com>
      Cc: <stable@vger.kernel.org>        [3.11+]
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      90d33f3e
    • Roel Kluin's avatar
      serial: vt8500: add missing braces · d969de8d
      Roel Kluin authored
      Due to missing braces on an if statement, in presence of a device_node a
      port was always assigned -1, regardless of any alias entries in the
      device tree. Conversely, if device_node was NULL, an unitialized port
      ended up being used.
      
      This patch adds the missing braces, fixing the issues.
      Signed-off-by: default avatarRoel Kluin <roel.kluin@gmail.com>
      Acked-by: default avatarTony Prisk <linux@prisktech.co.nz>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d969de8d
    • Dan Carpenter's avatar
      ALSA: hdsp - info leak in snd_hdsp_hwdep_ioctl() · d14df339
      Dan Carpenter authored
      In GCC the sizeof(hdsp_version) is 8 because there is a 2 byte hole at
      the end of the struct after ->firmware_rev.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      d14df339
    • Mikulas Patocka's avatar
      dm snapshot: fix data corruption · e9c6a182
      Mikulas Patocka authored
      This patch fixes a particular type of data corruption that has been
      encountered when loading a snapshot's metadata from disk.
      
      When we allocate a new chunk in persistent_prepare, we increment
      ps->next_free and we make sure that it doesn't point to a metadata area
      by further incrementing it if necessary.
      
      When we load metadata from disk on device activation, ps->next_free is
      positioned after the last used data chunk. However, if this last used
      data chunk is followed by a metadata area, ps->next_free is positioned
      erroneously to the metadata area. A newly-allocated chunk is placed at
      the same location as the metadata area, resulting in data or metadata
      corruption.
      
      This patch changes the code so that ps->next_free skips the metadata
      area when metadata are loaded in function read_exceptions.
      
      The patch also moves a piece of code from persistent_prepare_exception
      to a separate function skip_metadata to avoid code duplication.
      
      CVE-2013-4299
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Cc: stable@vger.kernel.org
      Cc: Mike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarAlasdair G Kergon <agk@redhat.com>
      e9c6a182
    • John Johansen's avatar
      apparmor: fix bad lock balance when introspecting policy · ed2c7da3
      John Johansen authored
      BugLink: http://bugs.launchpad.net/bugs/1235977
      
      The profile introspection seq file has a locking bug when policy is viewed
      from a virtual root (task in a policy namespace), introspection from the
      real root is not affected.
      
      The test for root
          while (parent) {
      is correct for the real root, but incorrect for tasks in a policy namespace.
      This allows the task to walk backup the policy tree past its virtual root
      causing it to be unlocked before the virtual root should be in the p_stop
      fn.
      
      This results in the following lockdep back trace:
      [   78.479744] [ BUG: bad unlock balance detected! ]
      [   78.479792] 3.11.0-11-generic #17 Not tainted
      [   78.479838] -------------------------------------
      [   78.479885] grep/2223 is trying to release lock (&ns->lock) at:
      [   78.479952] [<ffffffff817bf3be>] mutex_unlock+0xe/0x10
      [   78.480002] but there are no more locks to release!
      [   78.480037]
      [   78.480037] other info that might help us debug this:
      [   78.480037] 1 lock held by grep/2223:
      [   78.480037]  #0:  (&p->lock){+.+.+.}, at: [<ffffffff812111bd>] seq_read+0x3d/0x3d0
      [   78.480037]
      [   78.480037] stack backtrace:
      [   78.480037] CPU: 0 PID: 2223 Comm: grep Not tainted 3.11.0-11-generic #17
      [   78.480037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
      [   78.480037]  ffffffff817bf3be ffff880007763d60 ffffffff817b97ef ffff8800189d2190
      [   78.480037]  ffff880007763d88 ffffffff810e1c6e ffff88001f044730 ffff8800189d2190
      [   78.480037]  ffffffff817bf3be ffff880007763e00 ffffffff810e5bd6 0000000724fe56b7
      [   78.480037] Call Trace:
      [   78.480037]  [<ffffffff817bf3be>] ? mutex_unlock+0xe/0x10
      [   78.480037]  [<ffffffff817b97ef>] dump_stack+0x54/0x74
      [   78.480037]  [<ffffffff810e1c6e>] print_unlock_imbalance_bug+0xee/0x100
      [   78.480037]  [<ffffffff817bf3be>] ? mutex_unlock+0xe/0x10
      [   78.480037]  [<ffffffff810e5bd6>] lock_release_non_nested+0x226/0x300
      [   78.480037]  [<ffffffff817bf2fe>] ? __mutex_unlock_slowpath+0xce/0x180
      [   78.480037]  [<ffffffff817bf3be>] ? mutex_unlock+0xe/0x10
      [   78.480037]  [<ffffffff810e5d5c>] lock_release+0xac/0x310
      [   78.480037]  [<ffffffff817bf2b3>] __mutex_unlock_slowpath+0x83/0x180
      [   78.480037]  [<ffffffff817bf3be>] mutex_unlock+0xe/0x10
      [   78.480037]  [<ffffffff81376c91>] p_stop+0x51/0x90
      [   78.480037]  [<ffffffff81211408>] seq_read+0x288/0x3d0
      [   78.480037]  [<ffffffff811e9d9e>] vfs_read+0x9e/0x170
      [   78.480037]  [<ffffffff811ea8cc>] SyS_read+0x4c/0xa0
      [   78.480037]  [<ffffffff817ccc9d>] system_call_fastpath+0x1a/0x1f
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      ed2c7da3
    • John Johansen's avatar
      apparmor: fix memleak of the profile hash · 5cb3e91e
      John Johansen authored
      BugLink: http://bugs.launchpad.net/bugs/1235523
      
      This fixes the following kmemleak trace:
      unreferenced object 0xffff8801e8c35680 (size 32):
        comm "apparmor_parser", pid 691, jiffies 4294895667 (age 13230.876s)
        hex dump (first 32 bytes):
          e0 d3 4e b5 ac 6d f4 ed 3f cb ee 48 1c fd 40 cf  ..N..m..?..H..@.
          5b cc e9 93 00 00 00 00 00 00 00 00 00 00 00 00  [...............
        backtrace:
          [<ffffffff817a97ee>] kmemleak_alloc+0x4e/0xb0
          [<ffffffff811ca9f3>] __kmalloc+0x103/0x290
          [<ffffffff8138acbc>] aa_calc_profile_hash+0x6c/0x150
          [<ffffffff8138074d>] aa_unpack+0x39d/0xd50
          [<ffffffff8137eced>] aa_replace_profiles+0x3d/0xd80
          [<ffffffff81376937>] profile_replace+0x37/0x50
          [<ffffffff811e9f2d>] vfs_write+0xbd/0x1e0
          [<ffffffff811ea96c>] SyS_write+0x4c/0xa0
          [<ffffffff817ccb1d>] system_call_fastpath+0x1a/0x1f
          [<ffffffffffffffff>] 0xffffffffffffffff
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      5cb3e91e
    • Linus Torvalds's avatar
      Merge tag 'devicetree-for-linus' of git://git.secretlab.ca/git/linux · 34ec4de4
      Linus Torvalds authored
      Pull device tree fixes and reverts from Grant Likely:
       "One bug fix and three reverts.  The reverts back out the slightly
        controversial feeding the entire device tree into the random pool and
        the reserved-memory binding which isn't fully baked yet.  Expect the
        reserved-memory patches at least to resurface for v3.13.
      
        The bug fixes removes a scary but harmless warning on SPARC that was
        introduced in the v3.12 merge window.  v3.13 will contain a proper fix
        that makes the new code work on SPARC.
      
        On the plus side, the diffstat looks *awesome*.  I love removing lines
        of code"
      
      * tag 'devicetree-for-linus' of git://git.secretlab.ca/git/linux:
        Revert "drivers: of: add initialization code for dma reserved memory"
        Revert "ARM: init: add support for reserved memory defined by device tree"
        Revert "of: Feed entire flattened device tree into the random pool"
        of: fix unnecessary warning on missing /cpus node
      34ec4de4
    • Linus Torvalds's avatar
      Merge branch 'fixes-for-v3.12' of git://git.linaro.org/people/mszyprowski/linux-dma-mapping · ba0a062e
      Linus Torvalds authored
      Pull DMA-mapping fix from Marek Szyprowski:
       "A bugfix for the IOMMU-based implementation of dma-mapping subsystem
        for ARM architecture"
      
      * 'fixes-for-v3.12' of git://git.linaro.org/people/mszyprowski/linux-dma-mapping:
        ARM: dma-mapping: Always pass proper prot flags to iommu_map()
      ba0a062e
  3. 15 Oct, 2013 1 commit