1. 24 Sep, 2013 1 commit
    • Davidlohr Bueso's avatar
      ipc: fix race with LSMs · 53dad6d3
      Davidlohr Bueso authored
      Currently, IPC mechanisms do security and auditing related checks under
      RCU.  However, since security modules can free the security structure,
      for example, through selinux_[sem,msg_queue,shm]_free_security(), we can
      race if the structure is freed before other tasks are done with it,
      creating a use-after-free condition.  Manfred illustrates this nicely,
      for instance with shared mem and selinux:
      
       -> do_shmat calls rcu_read_lock()
       -> do_shmat calls shm_object_check().
           Checks that the object is still valid - but doesn't acquire any locks.
           Then it returns.
       -> do_shmat calls security_shm_shmat (e.g. selinux_shm_shmat)
       -> selinux_shm_shmat calls ipc_has_perm()
       -> ipc_has_perm accesses ipc_perms->security
      
      shm_close()
       -> shm_close acquires rw_mutex & shm_lock
       -> shm_close calls shm_destroy
       -> shm_destroy calls security_shm_free (e.g. selinux_shm_free_security)
       -> selinux_shm_free_security calls ipc_free_security(&shp->shm_perm)
       -> ipc_free_security calls kfree(ipc_perms->security)
      
      This patch delays the freeing of the security structures after all RCU
      readers are done.  Furthermore it aligns the security life cycle with
      that of the rest of IPC - freeing them based on the reference counter.
      For situations where we need not free security, the current behavior is
      kept.  Linus states:
      
       "... the old behavior was suspect for another reason too: having the
        security blob go away from under a user sounds like it could cause
        various other problems anyway, so I think the old code was at least
        _prone_ to bugs even if it didn't have catastrophic behavior."
      
      I have tested this patch with IPC testcases from LTP on both my
      quad-core laptop and on a 64 core NUMA server.  In both cases selinux is
      enabled, and tests pass for both voluntary and forced preemption models.
      While the mentioned races are theoretical (at least no one as reported
      them), I wanted to make sure that this new logic doesn't break anything
      we weren't aware of.
      Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarDavidlohr Bueso <davidlohr@hp.com>
      Acked-by: default avatarManfred Spraul <manfred@colorfullife.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      53dad6d3
  2. 23 Sep, 2013 4 commits
    • Linus Torvalds's avatar
      Linux 3.12-rc2 · 4a10c2ac
      Linus Torvalds authored
      4a10c2ac
    • Linus Torvalds's avatar
      Merge tag 'staging-3.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 9d23108d
      Linus Torvalds authored
      Pull staging fixes from Greg KH:
       "Here are a number of small staging tree and iio driver fixes.  Nothing
        major, just lots of little things"
      
      * tag 'staging-3.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: (34 commits)
        iio:buffer_cb: Add missing iio_buffer_init()
        iio: Prevent race between IIO chardev opening and IIO device free
        iio: fix: Keep a reference to the IIO device for open file descriptors
        iio: Stop sampling when the device is removed
        iio: Fix crash when scan_bytes is computed with active_scan_mask == NULL
        iio: Fix mcp4725 dev-to-indio_dev conversion in suspend/resume
        iio: Fix bma180 dev-to-indio_dev conversion in suspend/resume
        iio: Fix tmp006 dev-to-indio_dev conversion in suspend/resume
        iio: iio_device_add_event_sysfs() bugfix
        staging: iio: ade7854-spi: Fix return value
        staging:iio:hmc5843: Fix measurement conversion
        iio: isl29018: Fix uninitialized value
        staging:iio:dummy fix kfifo_buf kconfig dependency issue if kfifo modular and buffer enabled for built in dummy driver.
        iio: at91: fix adc_clk overflow
        staging: line6: add bounds check in snd_toneport_source_put()
        Staging: comedi: Fix dependencies for drivers misclassified as PCI
        staging: r8188eu: Adjust RX gain
        staging: r8188eu: Fix smatch warning in core/rtw_ieee80211.
        staging: r8188eu: Fix smatch error in core/rtw_mlme_ext.c
        staging: r8188eu: Fix Smatch off-by-one warning in hal/rtl8188e_hal_init.c
        ...
      9d23108d
    • Linus Torvalds's avatar
      Merge tag 'usb-3.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · e04a0a5a
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are a number of small USB fixes for 3.12-rc2.
      
        One is a revert of a EHCI change that isn't quite ready for 3.12.
        Others are minor things, gadget fixes, Kconfig fixes, and some quirks
        and documentation updates.
      
        All have been in linux-next for a bit"
      
      * tag 'usb-3.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        USB: pl2303: distinguish between original and cloned HX chips
        USB: Faraday fotg210: fix email addresses
        USB: fix typo in usb serial simple driver Kconfig
        Revert "USB: EHCI: support running URB giveback in tasklet context"
        usb: s3c-hsotg: do not disconnect gadget when receiving ErlySusp intr
        usb: s3c-hsotg: fix unregistration function
        usb: gadget: f_mass_storage: reset endpoint driver data when disabled
        usb: host: fsl-mph-dr-of: Staticize local symbols
        usb: gadget: f_eem: Staticize eem_alloc
        usb: gadget: f_ecm: Staticize ecm_alloc
        usb: phy: omap-usb3: Fix return value
        usb: dwc3: gadget: avoid memory leak when failing to allocate all eps
        usb: dwc3: remove extcon dependency
        usb: gadget: add '__ref' for rndis_config_register() and cdc_config_register()
        usb: dwc3: pci: add support for BayTrail
        usb: gadget: cdc2: fix conversion to new interface of f_ecm
        usb: gadget: fix a bug and a WARN_ON in dummy-hcd
        usb: gadget: mv_u3d_core: fix violation of locking discipline in mv_u3d_ep_disable()
      e04a0a5a
    • Linus Torvalds's avatar
      Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux · d8524ae9
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       - some small fixes for msm and exynos
       - a regression revert affecting nouveau users with old userspace
       - intel pageflip deadlock and gpu hang fixes, hsw modesetting hangs
      
      * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: (22 commits)
        Revert "drm: mark context support as a legacy subsystem"
        drm/i915: Don't enable the cursor on a disable pipe
        drm/i915: do not update cursor in crtc mode set
        drm/exynos: fix return value check in lowlevel_buffer_allocate()
        drm/exynos: Fix address space warnings in exynos_drm_fbdev.c
        drm/exynos: Fix address space warning in exynos_drm_buf.c
        drm/exynos: Remove redundant OF dependency
        drm/msm: drop unnecessary set_need_resched()
        drm/i915: kill set_need_resched
        drm/msm: fix potential NULL pointer dereference
        drm/i915/dvo: set crtc timings again for panel fixed modes
        drm/i915/sdvo: Robustify the dtd<->drm_mode conversions
        drm/msm: workaround for missing irq
        drm/msm: return -EBUSY if bo still active
        drm/msm: fix return value check in ERR_PTR()
        drm/msm: fix cmdstream size check
        drm/msm: hangcheck harder
        drm/msm: handle read vs write fences
        drm/i915/sdvo: Fully translate sync flags in the dtd->mode conversion
        drm/i915: Use proper print format for debug prints
        ...
      d8524ae9
  3. 22 Sep, 2013 3 commits
    • Linus Torvalds's avatar
      Merge branch 'for-3.12/core' of git://git.kernel.dk/linux-block · 68cf8d0c
      Linus Torvalds authored
      Pull block IO fixes from Jens Axboe:
       "After merge window, no new stuff this time only a collection of neatly
        confined and simple fixes"
      
      * 'for-3.12/core' of git://git.kernel.dk/linux-block:
        cfq: explicitly use 64bit divide operation for 64bit arguments
        block: Add nr_bios to block_rq_remap tracepoint
        If the queue is dying then we only call the rq->end_io callout. This leaves bios setup on the request, because the caller assumes when the blk_execute_rq_nowait/blk_execute_rq call has completed that the rq->bios have been cleaned up.
        bio-integrity: Fix use of bs->bio_integrity_pool after free
        blkcg: relocate root_blkg setting and clearing
        block: Convert kmalloc_node(...GFP_ZERO...) to kzalloc_node(...)
        block: trace all devices plug operation
      68cf8d0c
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs · 0fbf2cc9
      Linus Torvalds authored
      Pull btrfs fixes from Chris Mason:
       "These are mostly bug fixes and a two small performance fixes.  The
        most important of the bunch are Josef's fix for a snapshotting
        regression and Mark's update to fix compile problems on arm"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs: (25 commits)
        Btrfs: create the uuid tree on remount rw
        btrfs: change extent-same to copy entire argument struct
        Btrfs: dir_inode_operations should use btrfs_update_time also
        btrfs: Add btrfs: prefix to kernel log output
        btrfs: refuse to remount read-write after abort
        Btrfs: btrfs_ioctl_default_subvol: Revert back to toplevel subvolume when arg is 0
        Btrfs: don't leak transaction in btrfs_sync_file()
        Btrfs: add the missing mutex unlock in write_all_supers()
        Btrfs: iput inode on allocation failure
        Btrfs: remove space_info->reservation_progress
        Btrfs: kill delay_iput arg to the wait_ordered functions
        Btrfs: fix worst case calculator for space usage
        Revert "Btrfs: rework the overcommit logic to be based on the total size"
        Btrfs: improve replacing nocow extents
        Btrfs: drop dir i_size when adding new names on replay
        Btrfs: replay dir_index items before other items
        Btrfs: check roots last log commit when checking if an inode has been logged
        Btrfs: actually log directory we are fsync()'ing
        Btrfs: actually limit the size of delalloc range
        Btrfs: allocate the free space by the existed max extent size when ENOSPC
        ...
      0fbf2cc9
    • Anatol Pomozov's avatar
      cfq: explicitly use 64bit divide operation for 64bit arguments · f3cff25f
      Anatol Pomozov authored
      'samples' is 64bit operant, but do_div() second parameter is 32.
      do_div silently truncates high 32 bits and calculated result
      is invalid.
      
      In case if low 32bit of 'samples' are zeros then do_div() produces
      kernel crash.
      Signed-off-by: default avatarAnatol Pomozov <anatol.pomozov@gmail.com>
      Acked-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      f3cff25f
  4. 21 Sep, 2013 32 commits