Skip to content

L
linux
Switch branch/tag
  1. 05 Mar, 2013 1 commit
    • Shankar Brahadeeswaran's avatar
      staging: android: ashmem: get_name,set_name not to hold ashmem_mutex · e5834d62
      Shankar Brahadeeswaran authored 
      Problem:
There exists a path in ashmem driver that could lead to acquistion
of mm->mmap_sem, ashmem_mutex in reverse order. This could lead
to deadlock in the system.
For Example, assume that mmap is called on a ashmem region
in the context of a thread say T1.
 sys_mmap_pgoff (1. acquires mm->mmap_sem)
  |
   --> mmap_region
 	|
         ----> ashmem_mmap (2. acquires asmem_mutex)
 Now if there is a context switch after 1 and before 2,
 and if another thread T2 (that shares the mm struct) invokes an
 ioctl say ASHMEM_GET_NAME, this can lead to the following path

ashmem_ioctl
  |
  -->get_name (3. acquires ashmem_mutex)
	|
	---> copy_to_user (4. acquires the mm->mmap_sem)
Note that the copy_to_user could lead to a valid fault if no
physical page is allocated yet for the user address passed.
Now T1 has mmap_sem and is waiting for ashmem_mutex.
and T2 has the ashmem_mutex and is waiting for mmap_sem
Thus leading to deadlock.

Solution:
Do not call copy_to_user or copy_from_user while holding the
ahsmem_mutex. Instead copy this to a local buffer that lives
in the stack while holding this lock. This will maintain data
integrity as well never reverse the lock order.

Testing:
Created a unit test case to reproduce the problem.
Used the same to test this fix on kernel version 3.4.0
Ported the same patch to 3.8
Signed-off-by: default avatarShankar Brahadeeswaran <shankoo77@gmail.com>
Reviewed-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Acked-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e5834d62
  3. 04 Mar, 2013 30 commits
  5. 03 Mar, 2013 9 commits
    • Linus Torvalds's avatar
      Linux 3.9-rc1 · 6dbe51c2
      Linus Torvalds authored
      6dbe51c2
    • Linus Torvalds's avatar
      Merge tag 'disintegrate-fbdev-20121220' of git://git.infradead.org/users/dhowells/linux-headers · ea882c2e
      Linus Torvalds authored 
      Pull fbdev UAPI disintegration from David Howells:
 "You'll be glad to here that the end is nigh for the UAPI patches.
  Only the fbdev/framebuffer piece remains now that the SCSI stuff has
  gone in.

  Here are the UAPI disintegration bits for the fbdev drivers.  It
  appears that Florian hasn't had time to deal with my patch, but back
  in December he did say he didn't mind if I pushed it forward."

Yay.  No more uapi movement.  And hopefully no more big header file
cleanups coming up either, it just tends to be very painful.

* tag 'disintegrate-fbdev-20121220' of git://git.infradead.org/users/dhowells/linux-headers:
  UAPI: (Scripted) Disintegrate include/video
      ea882c2e
    • Linus Torvalds's avatar
      Merge tag 'stable/for-linus-3.9-rc1-tag' of... · 8e8b180a
      Linus Torvalds authored 
      Merge tag 'stable/for-linus-3.9-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen

Pull Xen bug-fixes from Konrad Rzeszutek Wilk:
 - Update the Xen ACPI memory and CPU hotplug locking mechanism.
 - Fix PAT issues wherein various applications would not start
 - Fix handling of multiple MSI as AHCI now does it.
 - Fix ARM compile failures.

* tag 'stable/for-linus-3.9-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen:
  xenbus: fix compile failure on ARM with Xen enabled
  xen/pci: We don't do multiple MSI's.
  xen/pat: Disable PAT using pat_enabled value.
  xen/acpi: xen cpu hotplug minor updates
  xen/acpi: xen memory hotplug minor updates
      8e8b180a
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · 56a79b7b
      Linus Torvalds authored 
      Pull  more VFS bits from Al Viro:
 "Unfortunately, it looks like xattr series will have to wait until the
  next cycle ;-/

  This pile contains 9p cleanups and fixes (races in v9fs_fid_add()
  etc), fixup for nommu breakage in shmem.c, several cleanups and a bit
  more file_inode() work"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  constify path_get/path_put and fs_struct.c stuff
  fix nommu breakage in shmem.c
  cache the value of file_inode() in struct file
  9p: if v9fs_fid_lookup() gets to asking server, it'd better have hashed dentry
  9p: make sure ->lookup() adds fid to the right dentry
  9p: untangle ->lookup() a bit
  9p: double iput() in ->lookup() if d_materialise_unique() fails
  9p: v9fs_fid_add() can't fail now
  v9fs: get rid of v9fs_dentry
  9p: turn fid->dlist into hlist
  9p: don't bother with private lock in ->d_fsdata; dentry->d_lock will do just fine
  more file_inode() open-coded instances
  selinux: opened file can't have NULL or negative ->f_path.dentry

(In the meantime, the hlist traversal macros have changed, so this
required a semantic conflict fixup for the newly hlistified fid->dlist)
      56a79b7b
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs · 1c82315a
      Linus Torvalds authored 
      Pull btrfs fixup from Chris Mason:
 "Geert and James both sent this one in, sorry guys"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
  btrfs/raid56: Add missing #include <linux/vmalloc.h>
      1c82315a
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 530ede14
      Linus Torvalds authored 
      Pull second set of s390 patches from Martin Schwidefsky:
 "The main part of this merge are Heikos uaccess patches.  Together with
  commit 09884964 ("mm: do not grow the stack vma just because of an
  overrun on preceding vma") the user string access is hopefully fixed
  for good.

  In addition some bug fixes and two cleanup patches."

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
  s390/module: fix compile warning
  qdio: remove unused parameters
  s390/uaccess: fix kernel ds access for page table walk
  s390/uaccess: fix strncpy_from_user string length check
  input: disable i8042 PC Keyboard controller for s390
  s390/dis: Fix invalid array size
  s390/uaccess: remove pointless access_ok() checks
  s390/uaccess: fix strncpy_from_user/strnlen_user zero maxlen case
  s390/uaccess: shorten strncpy_from_user/strnlen_user
  s390/dasd: fix unresponsive device after all channel paths were lost
  s390/mm: ignore change bit for vmemmap
  s390/page table dumper: add support for change-recording override bit
      530ede14
    • Linus Torvalds's avatar
      Merge branch 'fixes-for-3.9-latest' of... · 6977c6fc
      Linus Torvalds authored 
      Merge branch 'fixes-for-3.9-latest' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux

Pull second round of PARISC updates from Helge Deller:
 "The most important fix in this branch is the switch of io_setup,
  io_getevents and io_submit syscalls to use the available compat
  syscalls when running 32bit userspace on 64bit kernel.  Other than
  that it's mostly removal of compile warnings."

* 'fixes-for-3.9-latest' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux:
  parisc: fix redefinition of SET_PERSONALITY
  parisc: do not install modules when installing kernel
  parisc: fix compile warnings triggered by atomic_sub(sizeof(),v)
  parisc: check return value of down_interruptible() in hp_sdc_rtc.c
  parisc: avoid unitialized variable warning in pa_memcpy()
  parisc: remove unused variable 'compat_val'
  parisc: switch to compat_functions of io_setup, io_getevents and io_submit
  parisc: select ARCH_WANT_FRAME_POINTERS
      6977c6fc
    • Linus Torvalds's avatar
      Merge tag 'metag-v3.9-rc1-v4' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/metag · 8fd5e7a2
      Linus Torvalds authored 
      Pull new ImgTec Meta architecture from James Hogan:
 "This adds core architecture support for Imagination's Meta processor
  cores, followed by some later miscellaneous arch/metag cleanups and
  fixes which I kept separate to ease review:

   - Support for basic Meta 1 (ATP) and Meta 2 (HTP) core architecture
   - A few fixes all over, particularly for symbol prefixes
   - A few privilege protection fixes
   - Several cleanups (setup.c includes, split out a lot of
     metag_ksyms.c)
   - Fix some missing exports
   - Convert hugetlb to use vm_unmapped_area()
   - Copy device tree to non-init memory
   - Provide dma_get_sgtable()"

* tag 'metag-v3.9-rc1-v4' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/metag: (61 commits)
  metag: Provide dma_get_sgtable()
  metag: prom.h: remove declaration of metag_dt_memblock_reserve()
  metag: copy devicetree to non-init memory
  metag: cleanup metag_ksyms.c includes
  metag: move mm/init.c exports out of metag_ksyms.c
  metag: move usercopy.c exports out of metag_ksyms.c
  metag: move setup.c exports out of metag_ksyms.c
  metag: move kick.c exports out of metag_ksyms.c
  metag: move traps.c exports out of metag_ksyms.c
  metag: move irq enable out of irqflags.h on SMP
  genksyms: fix metag symbol prefix on crc symbols
  metag: hugetlb: convert to vm_unmapped_area()
  metag: export clear_page and copy_page
  metag: export metag_code_cache_flush_all
  metag: protect more non-MMU memory regions
  metag: make TXPRIVEXT bits explicit
  metag: kernel/setup.c: sort includes
  perf: Enable building perf tools for Meta
  metag: add boot time LNKGET/LNKSET check
  metag: add __init to metag_cache_probe()
  ...
      8fd5e7a2
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.linaro.org/people/rmk/linux-arm · 529e5fbc
      Linus Torvalds authored 
      Pull late ARM updates from Russell King:
 "Here is the late set of ARM updates for this merge window; in here is:

   - The ARM parts of the broadcast timer support, core parts merged
     through tglx's tree.  This was left over from the previous merge to
     allow the dependency on tglx's tree to be resolved.

   - A fix to the VFP code which shows up on Raspberry Pi's, as well as
     fixing the fallout from a previous commit in this area.

   - A number of smaller fixes scattered throughout the ARM tree"

* 'for-linus' of git://git.linaro.org/people/rmk/linux-arm:
  ARM: Fix broken commit 0cc41e4a corrupting kernel messages
  ARM: fix scheduling while atomic warning in alignment handling code
  ARM: VFP: fix emulation of second VFP instruction
  ARM: 7656/1: uImage: Error out on build of multiplatform without LOADADDR
  ARM: 7640/1: memory: tegra_ahb_enable_smmu() depends on TEGRA_IOMMU_SMMU
  ARM: 7654/1: Preserve L_PTE_VALID in pte_modify()
  ARM: 7653/2: do not scale loops_per_jiffy when using a constant delay clock
  ARM: 7651/1: remove unused smp_timer_broadcast #define
      529e5fbc
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7