1. 05 Nov, 2007 7 commits
    • x86: fix global_flush_tlb() bug · e2b35e3a
      Ingo Molnar authored
      patch 9a24d04a upstream
      
      While we were reviewing pageattr_32/64.c for unification,
      Thomas Gleixner noticed the following serious SMP bug in
      global_flush_tlb():
      
      	down_read(&init_mm.mmap_sem);
      	list_replace_init(&deferred_pages, &l);
      	up_read(&init_mm.mmap_sem);
      
      this is SMP-unsafe because list_replace_init() done on two CPUs in
      parallel can corrupt the list.
      
      This bug has been introduced about a year ago in the 64-bit tree:
      
             commit ea7322de
             Author: Andi Kleen <ak@suse.de>
             Date:   Thu Dec 7 02:14:05 2006 +0100
      
             [PATCH] x86-64: Speed and clean up cache flushing in change_page_attr
      
                      down_read(&init_mm.mmap_sem);
              -       dpage = xchg(&deferred_pages, NULL);
              +       list_replace_init(&deferred_pages, &l);
                      up_read(&init_mm.mmap_sem);
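Review bot: replacing the xchg() line with list_replace_init() is not equivalent under the unchanged down_read()/up_read() pair around it: xchg() takes the whole deferred chain in one atomic operation, whereas list_replace_init() is a sequence of plain pointer stores, and a read lock lets two CPUs run those stores concurrently against the same list head, so both can end up with the same entries spliced into their private lists. Either keep the atomic exchange or hold init_mm.mmap_sem for write (down_write()/up_write()) around the list_replace_init() call.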
      
      the xchg() based version was SMP-safe, but list_replace_init() is not.
      So this "cleanup" introduced a nasty bug.
      
      Why this bug never became prominent is a mystery - it can probably be
      explained with the (still) relative obscurity of the x86_64 architecture.
      
      The safe fix for now is to write-lock init_mm.mmap_sem.
      
      Signed-off-by: Ingo Molnar <mingo@elte.hu>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Cc: Andi Kleen <ak@suse.de>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
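The interleaving the commit message describes, modelled as an added example (this is not kernel code and not the patch itself): list_replace_init() broken into its individual pointer stores, run for two simulated CPUs under a chosen schedule, and contrasted with the xchg() take from the older code. The list_head helpers, the schedule strings and the CPU labels A/B are this example's own assumptions, not taken from the kernel tree.

```c
/* Added example, not kernel code: a userspace model of the race described
 * above.  list_replace_init() is split into its five individual stores so two
 * "CPUs" taking the same deferred list can be interleaved deterministically
 * and compared with the earlier xchg() take.  Names and schedules are my own. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_PAGES 8
struct list_head { struct list_head *next, *prev; };
static void init_list_head(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *head)
{ n->prev = head->prev; n->next = head; head->prev->next = n; head->prev = n; }

/* One in-flight list_replace_init(old, new), advanced one store per call:
 * steps 0-3 are the kernel's list_replace(), step 4 is INIT_LIST_HEAD(old). */
struct replace_op { struct list_head *old, *new; int step; };
static bool replace_step(struct replace_op *op)
{
	struct list_head *old = op->old, *new = op->new;
	switch (op->step++) {
	case 0: new->next = old->next; return true;
	case 1: new->next->prev = new; return true;
	case 2: new->prev = old->prev; return true;
	case 3: new->prev->next = new; return true;
	case 4: init_list_head(old);   return true;
	default: return false;
	}
}

/* Entries reachable from head via ->next with every ->prev verified;
 * -1 if the ring is broken or does not close within limit hops. */
static int list_count_checked(const struct list_head *head, int limit)
{
	const struct list_head *p = head;
	for (int n = 0;; ) {
		if (p->next->prev != p) return -1;
		p = p->next;
		if (p == head) return n;
		if (++n > limit) return -1;
	}
}

/* Run CPU A's and CPU B's list_replace_init() against one deferred list of
 * npages entries, one store at a time in the order sched gives ("AAAAABBBBB"
 * is what a write lock enforces; "ABABABABAB" is allowed by the shared read
 * lock).  Each CPU's private list length is reported, -1 meaning corrupted;
 * false means a malformed schedule. */
static bool simulate_list_replace(const char *sched, int npages, int *len_a, int *len_b)
{
	static struct list_head pages[MAX_PAGES];
	struct list_head deferred, la, lb;
	struct replace_op opa = { &deferred, &la, 0 }, opb = { &deferred, &lb, 0 };

	if (npages < 1 || npages > MAX_PAGES) return false;
	init_list_head(&deferred); init_list_head(&la); init_list_head(&lb);
	for (int i = 0; i < npages; i++) list_add_tail(&pages[i], &deferred);
	for (; *sched; sched++) {
		struct replace_op *op = *sched == 'A' ? &opa : *sched == 'B' ? &opb : NULL;
		if (!op || !replace_step(op)) return false;
	}
	*len_a = list_count_checked(&la, npages + 1);
	*len_b = list_count_checked(&lb, npages + 1);
	return opa.step == 5 && opb.step == 5;
}

/* The pre-2006 variant: a singly linked chain taken with one atomic exchange.
 * There is no multi-store window, so any schedule hands the whole chain to
 * exactly one CPU.  Step 0 is the take; steps 1-4 are the CPU using it. */
struct page_node { struct page_node *next; };
static int chain_len(const struct page_node *p)
{ int n = 0; for (; p; p = p->next) n++; return n; }
static bool simulate_xchg(const char *sched, int npages, int *len_a, int *len_b)
{
	static struct page_node nodes[MAX_PAGES];
	_Atomic(struct page_node *) deferred = NULL;
	struct page_node *mine[2] = { NULL, NULL }; int step[2] = { 0, 0 };

	if (npages < 1 || npages > MAX_PAGES) return false;
	for (int i = 0; i < npages; i++) {
		nodes[i].next = atomic_load(&deferred);
		atomic_store(&deferred, &nodes[i]);
	}
	for (; *sched; sched++) {
		int cpu = *sched == 'A' ? 0 : *sched == 'B' ? 1 : -1;
		if (cpu < 0) return false;
		if (step[cpu]++ == 0)
			mine[cpu] = atomic_exchange(&deferred, (struct page_node *)NULL);
	}
	*len_a = chain_len(mine[0]);
	*len_b = chain_len(mine[1]);
	return step[0] == 5 && step[1] == 5;
}

int main(void)
{
	const char *scheds[] = { "AAAAABBBBB", "ABABABABAB" };
	for (int i = 0, a, b, c, d; i < 2; i++) {
		simulate_list_replace(scheds[i], 3, &a, &b);
		simulate_xchg(scheds[i], 3, &c, &d);
		printf("%s: list_replace_init A=%d B=%d, xchg A=%d B=%d\n", scheds[i], a, b, c, d);
	}
	return 0;
}
```

Under the serialised schedule (what down_write() gives) CPU A takes all three entries and CPU B finds the list empty. Under the fully interleaved schedule CPU B's list looks intact, but CPU A's ring is broken: its first entry's ->prev already points at B's head, so a list_for_each_entry_safe() on A would walk through the same entries B is processing and then into B's private head. The atomic exchange hands the chain to exactly one CPU whichever order the steps run in.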
    • param_sysfs_builtin memchr argument fix · b5f59183
      Dave Young authored
      patch faf8c714 in mainline.
      
      If the memchr argument is longer than strlen(kp->name), there will be a
      weird result.
      
      It will cause duplicate filenames in sysfs for the "nousb".  Kernel
      warning messages are as below:
      
      sysfs: duplicate filename 'usbcore' can not be created
      WARNING: at fs/sysfs/dir.c:416 sysfs_add_one()
       [<c01c4750>] sysfs_add_one+0xa0/0xe0
       [<c01c4ab8>] create_dir+0x48/0xb0
       [<c01c4b69>] sysfs_create_dir+0x29/0x50
       [<c024e0fb>] create_dir+0x1b/0x50
       [<c024e3b6>] kobject_add+0x46/0x150
       [<c024e2da>] kobject_init+0x3a/0x80
       [<c053b880>] kernel_param_sysfs_setup+0x50/0xb0
       [<c053b9ce>] param_sysfs_builtin+0xee/0x130
       [<c053ba33>] param_sysfs_init+0x23/0x60
       [<c024d062>] __next_cpu+0x12/0x20
       [<c052aa30>] kernel_init+0x0/0xb0
       [<c052aa30>] kernel_init+0x0/0xb0
       [<c052a856>] do_initcalls+0x46/0x1e0
       [<c01bdb12>] create_proc_entry+0x52/0x90
       [<c0158d4c>] register_irq_proc+0x9c/0xc0
       [<c01bda94>] proc_mkdir_mode+0x34/0x50
       [<c052aa30>] kernel_init+0x0/0xb0
       [<c052aa92>] kernel_init+0x62/0xb0
       [<c0104f83>] kernel_thread_helper+0x7/0x14
       =======================
      kobject_add failed for usbcore with -EEXIST, don't try to register things with the same name in the same directory.
       [<c024e466>] kobject_add+0xf6/0x150
       [<c053b880>] kernel_param_sysfs_setup+0x50/0xb0
       [<c053b9ce>] param_sysfs_builtin+0xee/0x130
       [<c053ba33>] param_sysfs_init+0x23/0x60
       [<c024d062>] __next_cpu+0x12/0x20
       [<c052aa30>] kernel_init+0x0/0xb0
       [<c052aa30>] kernel_init+0x0/0xb0
       [<c052a856>] do_initcalls+0x46/0x1e0
       [<c01bdb12>] create_proc_entry+0x52/0x90
       [<c0158d4c>] register_irq_proc+0x9c/0xc0
       [<c01bda94>] proc_mkdir_mode+0x34/0x50
       [<c052aa30>] kernel_init+0x0/0xb0
       [<c052aa92>] kernel_init+0x62/0xb0
       [<c0104f83>] kernel_thread_helper+0x7/0x14
       =======================
      Module 'usbcore' failed to be added to sysfs, error number -17
      The system will be unstable now.
      
      Signed-off-by: Dave Young <hidave.darkstar@gmail.com>
      Cc: Greg KH <greg@kroah.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Chuck Ebbert <cebbert@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
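An added example, not the kernel's code or the fix itself, of the memchr() misuse the message describes: scanning with a fixed maximum length instead of the string's own length, so that for a short name such as "nousb" the scan continues past the terminating NUL into whatever follows in memory. The adjacent-string layout, the NAME_MAX_LEN constant and the function names are constructed for this example.

```c
/* Added example, not kernel code: what memchr() does when its length
 * argument is a fixed maximum instead of the string's own length and the
 * string is shorter than that maximum.  The back-to-back name layout is
 * constructed here; the "module.param" split mirrors the convention the
 * commit refers to, but the names and the constant are this example's own. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 64   /* assumed bound, standing in for the kernel's */

/* Two parameter names laid out back to back in one NAME_MAX_LEN-byte area,
 * so the over-long scan below stays inside a real object. */
static const char packed_names[NAME_MAX_LEN] = "nousb\0usbcore.autosuspend";

/* strnlen() equivalent: length of s, never looking past max bytes. */
static size_t bounded_len(const char *s, size_t max)
{
	size_t n = 0;
	while (n < max && s[n]) n++;
	return n;
}

/* Offset of the '.' that separates module from parameter, or 0 when the
 * name has none (a core parameter such as "nousb").  With bounded == false
 * the scan length is the fixed maximum, as in the code being fixed; with
 * bounded == true it is capped at the string's own length. */
static size_t module_part_len(const char *name, bool bounded)
{
	size_t scan = bounded ? bounded_len(name, NAME_MAX_LEN) : NAME_MAX_LEN;
	const char *dot = memchr(name, '.', scan);
	return dot ? (size_t)(dot - name) : 0;
}

size_t buggy_len(void) { return module_part_len(packed_names, false); }
size_t fixed_len(void) { return module_part_len(packed_names, true); }

int main(void)
{
	size_t b = buggy_len(), f = fixed_len();
	/* The unbounded scan runs through the NUL after "nousb" and reports the
	 * '.' belonging to the neighbouring "usbcore.autosuspend": a 13-byte
	 * "module name" with an embedded NUL, of which "usbcore" is bytes 6-12. */
	printf("unbounded memchr: dot at %zu (strlen is %zu)\n", b, strlen(packed_names));
	printf("bounded memchr:   dot at %zu (0 = no module prefix)\n", f);
	return 0;
}
```

The unbounded scan turns a dot-less core parameter into one that appears to have a module prefix taken from the next string in memory, which is the kind of mix-up that produces a second kobject registration under a name that already exists. Capping the scan at the string's real length, as the fix does, makes memchr() stop at the terminator.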
    • minixfs: limit minixfs printks on corrupted dir i_size (CVE-2006-6058) · 59531fe8
      Eric Sandeen authored
      patch 44ec6f3f89889a469773b1fd894f8fcc07c29cf in mainline
      
      This attempts to address CVE-2006-6058
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6058
      
      first reported at http://projects.info-pull.com/mokb/MOKB-17-11-2006.html
      
      Essentially a corrupted minix dir inode reporting a very large
      i_size will loop for a very long time in minix_readdir, minix_find_entry,
      etc, because on EIO they just move on to try the next page.  This is
      under the BKL, printk-storming as well.  This can lock up the machine
      for a very long time.  Simply ratelimiting the printks gets things back
      under control.  Make the message a bit more informative while we're here.
      
      Signed-off-by: Eric Sandeen <sandeen@redhat.com>
      Cc: Bodo Eggert <7eggert@gmx.de>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • IB/uverbs: Fix checking of userspace object ownership · b67e7778
      Roland Dreier authored
      Upstream as cbfb50e6
      
      Commit 9ead190b ("IB/uverbs: Don't serialize with ib_uverbs_idr_mutex")
      rewrote how userspace objects are looked up in the uverbs module's
      idrs, and introduced a severe bug in the process: there is no checking
      that an operation is being performed by the right process any more.
      Fix this by adding the missing check of uobj->context in __idr_get_uobj().
      
      Apparently everyone is being very careful to only touch their own
      objects, because this bug was introduced in June 2006 in 2.6.18, and
      has gone undetected until now.
      
      Signed-off-by: Roland Dreier <rolandd@cisco.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • genirq: mark io_apic level interrupts to avoid resend · b9941186
      Thomas Gleixner authored
      patch cc75b92d in mainline.
      
      Level type interrupts do not need to be resent.  It was also found that
      some chipsets get confused in case of the resend.
      
      Mark the ioapic level type interrupts as such to avoid the resend
      functionality in the generic irq code.
      
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Chuck Ebbert <cebbert@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • genirq: suppress resend of level interrupts · 2f21ad63
      Thomas Gleixner authored
      patch 2464286a in mainline.
      
      Level type interrupts are resent by the interrupt hardware when they are
      still active at irq_enable().
      
      Suppress the resend mechanism for interrupts marked as level.
      
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Chuck Ebbert <cebbert@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • genirq: cleanup mismerge artifact · 5399b807
      Thomas Gleixner authored
      patch 49663421 in mainline.
      
      Commit 5a43a066: "genirq: Allow fasteoi
      handler to retrigger disabled interrupts" was erroneously applied to
      handle_level_irq().  This added the irq retrigger / resend functionality
      to the level irq handler.
      
      Revert the offending bits.
      
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Chuck Ebbert <cebbert@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  2. 02 Nov, 2007 28 commits
  3. 10 Oct, 2007 5 commits