1. 20 Sep, 2010 3 commits
    • Al Viro's avatar
      frv: fix address verification holes in setup_frame/setup_rt_frame · 5f4ad04a
      Al Viro authored
      a) sa_handler might be maliciously set to point to kernel memory;
         blindly dereferencing it in FDPIC case is a Bad Idea(tm).
      
      b) I'm not sure you need that set_fs(USER_DS) there at all, but if you
         do, you'd better do it *before* checking the frame you've decided to
         use with access_ok(), lest sigaltstack() becomes a convenient
         roothole.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      5f4ad04a
    • Al Viro's avatar
      frv: restart_block.fn needs to be reset on sigreturn · 20cd514d
      Al Viro authored
      Reset restart_block.fn on executing a sigreturn such that any currently
      pending system call restarts will be forced to return -EINTR.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      20cd514d
    • Hugh Dickins's avatar
      mm: further fix swapin race condition · 31c4a3d3
      Hugh Dickins authored
      Commit 4969c119 ("mm: fix swapin race condition") is now agreed to
      be incomplete.  There's a race, not very much less likely than the
      original race envisaged, in which it is further necessary to check that
      the swapcache page's swap has not changed.
      
      Here's the reasoning: cast in terms of reuse_swap_page(), but probably
      could be reformulated to rely on try_to_free_swap() instead, or on
      swapoff+swapon.
      
      A, faults into do_swap_page(): does page1 = lookup_swap_cache(swap1) and
      comes through the lock_page(page1).
      
      B, a racing thread of the same process, faults on the same address: does
      page1 = lookup_swap_cache(swap1) and now waits in lock_page(page1), but
      for whatever reason is unlucky not to get the lock any time soon.
      
      A carries on through do_swap_page(), a write fault, but cannot reuse the
      swap page1 (another reference to swap1).  Unlocks the page1 (but B
      doesn't get it yet), does COW in do_wp_page(), page2 now in that pte.
      
      C, perhaps the parent of A+B, comes in and write faults the same swap
      page1 into its mm, reuse_swap_page() succeeds this time, swap1 is freed.
      
      kswapd comes in after some time (B still unlucky) and swaps out some
      pages from A+B and C: it allocates the original swap1 to page2 in A+B,
      and some other swap2 to the original page1 now in C.  But does not
      immediately free page1 (actually it couldn't: B holds a reference),
      leaving it in swap cache for now.
      
      B at last gets the lock on page1, hooray! Is PageSwapCache(page1)? Yes.
      Is pte_same(*page_table, orig_pte)? Yes, because page2 has now been
      given the swap1 which page1 used to have.  So B proceeds to insert page1
      into A+B's page_table, though its content now belongs to C, quite
      different from what A wrote there.
      
      B ought to have checked that page1's swap was still swap1.
      Signed-off-by: default avatarHugh Dickins <hughd@google.com>
      Reviewed-by: default avatarRik van Riel <riel@redhat.com>
      Cc: stable@kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      31c4a3d3
  2. 19 Sep, 2010 15 commits
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mattst88/alpha-2.6 · 2422084a
      Linus Torvalds authored
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mattst88/alpha-2.6:
        alpha: deal with multiple simultaneously pending signals
        alpha: fix a 14 years old bug in sigreturn tracing
        alpha: unb0rk sigsuspend() and rt_sigsuspend()
        alpha: belated ERESTART_RESTARTBLOCK race fix
        alpha: Shift perf event pending work earlier in timer interrupt
        alpha: wire up fanotify and prlimit64 syscalls
        alpha: kill big kernel lock
        alpha: fix build breakage in asm/cacheflush.h
        alpha: remove unnecessary cast from void* in assignment.
        alpha: Use static const char * const where possible
      2422084a
    • Linus Torvalds's avatar
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 · 7d7dee96
      Linus Torvalds authored
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (21 commits)
        dca: disable dca on IOAT ver.3.0 multiple-IOH platforms
        netpoll: Disable IRQ around RCU dereference in netpoll_rx
        sctp: Do not reset the packet during sctp_packet_config().
        net/llc: storing negative error codes in unsigned short
        MAINTAINERS: move atlx discussions to netdev
        drivers/net/cxgb3/cxgb3_main.c: prevent reading uninitialized stack memory
        drivers/net/eql.c: prevent reading uninitialized stack memory
        drivers/net/usb/hso.c: prevent reading uninitialized memory
        xfrm: dont assume rcu_read_lock in xfrm_output_one()
        r8169: Handle rxfifo errors on 8168 chips
        3c59x: Remove atomic context inside vortex_{set|get}_wol
        tcp: Prevent overzealous packetization by SWS logic.
        net: RPS needs to depend upon USE_GENERIC_SMP_HELPERS
        phylib: fix PAL state machine restart on resume
        net: use rcu_barrier() in rollback_registered_many
        bonding: correctly process non-linear skbs
        ipv4: enable getsockopt() for IP_NODEFRAG
        ipv4: force_igmp_version ignored when a IGMPv3 query received
        ppp: potential NULL dereference in ppp_mp_explode()
        net/llc: make opt unsigned in llc_ui_setsockopt()
        ...
      7d7dee96
    • Linus Torvalds's avatar
      Merge branch 's5p-fixes-for-linus' of... · f1c9c979
      Linus Torvalds authored
      Merge branch 's5p-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/kgene/linux-samsung
      
      * 's5p-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/kgene/linux-samsung:
        ARM: S3C64XX: Add IORESOURCE_IRQ_HIGHLEVEL flag to dm9000 on mach-real6410
        ARM: S3C64XX: Fix coding style errors on mach-real6410
        ARM: S3C64XX: Prototype SPI devices
        ARM: S3C64XX: Fix dev-spi build
        ARM: SAMSUNG: Fix on s5p_gpio_[get,set]_drvstr
        ARM: SAMSUNG: Fix on drive strength value
        ARM: S5PV210: Add FIMC clocks
        ARM: S5PV210: Reduce the iodesc length of systimer
        ARM: S5PV210: Update I2C-1 Clock Register Property.
        ARM: S5P: Decrease IO Registers memory region size on FIMC
        ARM: S5P: Fix DMA coherent mask for FIMC
      f1c9c979
    • Jan Harkes's avatar
      Coda: mount hangs because of missed REQ_WRITE rename · 112d421d
      Jan Harkes authored
      Coda's REQ_* defines were renamed to avoid clashes with the block layer
      (commit 4aeefdc6: "coda: fixup clash with block layer REQ_*
      defines").
      
      However one was missed and response messages are no longer matched with
      requests and waiting threads are no longer woken up.  This patch fixes
      this.
      Signed-off-by: default avatarJan Harkes <jaharkes@cs.cmu.edu>
      [ Also fixed up whitespace while at it  -Linus ]
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      112d421d
    • Al Viro's avatar
      alpha: deal with multiple simultaneously pending signals · 494486a1
      Al Viro authored
      Unlike the other targets, alpha sets _one_ sigframe and
      buggers off until the next syscall/interrupt, even if
      more signals are pending.  It leads to quite a few unpleasant
      inconsistencies, starting with SIGSEGV potentially arriving
      not where it should and including e.g. mess with sigsuspend();
      consider two pending signals blocked until sigsuspend()
      unblocks them.  We pick the first one; then, if we are hit
      by interrupt while in the handler, we process the second one
      as well.  If we are not, and if no syscalls had been made,
      we get out of the first handler and leave the second signal
      pending; normally sigreturn() would've picked it anyway, but
      here it starts with restoring the original mask and voila -
      the second signal is blocked again.  On everything else we
      get both delivered consistently.
      
      It's actually easy to fix; the only thing to watch out for
      is prevention of double syscall restart.  Fortunately, the
      idea I've nicked from arm fix by rmk works just fine...
      
      Testcase demonstrating the behaviour in question; on alpha
      we get one or both flags set (usually one), on everything
      else both are always set.
      	#include <signal.h>
      	#include <stdio.h>
      	int had1, had2;
      	void f1(int sig) { had1 = 1; }
      	void f2(int sig) { had2 = 1; }
      	main()
      	{
      		sigset_t set1, set2;
      		sigemptyset(&set1);
      		sigemptyset(&set2);
      		sigaddset(&set2, 1);
      		sigaddset(&set2, 2);
      		signal(1, f1);
      		signal(2, f2);
      		sigprocmask(SIG_SETMASK, &set2, NULL);
      		raise(1);
      		raise(2);
      		sigsuspend(&set1);
      		printf("had1:%d had2:%d\n", had1, had2);
      	}
      Tested-by: default avatarMichael Cree <mcree@orcon.net.nz>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarMatt Turner <mattst88@gmail.com>
      494486a1
    • Al Viro's avatar
      alpha: fix a 14 years old bug in sigreturn tracing · 53293638
      Al Viro authored
      The way sigreturn() is implemented on alpha breaks PTRACE_SYSCALL,
      all way back to 1.3.95 when alpha has grown PTRACE_SYSCALL support.
      
      What happens is direct return to ret_from_syscall, in order to bypass
      mangling of a3 (error indicator) and prevent other mutilations of
      registers (e.g. by syscall restart).  That's fine, but... the entire
      TIF_SYSCALL_TRACE codepath is kept separate on alpha and post-syscall
      stopping/notifying the tracer is after the syscall.  And the normal
      path we are forcibly switching to doesn't have it.
      
      So we end up with *one* stop in traced sigreturn() vs. two in other
      syscalls.  And yes, strace is visibly broken by that; try to strace
      the following
      	#include <signal.h>
      	#include <stdio.h>
      	void f(int sig) {}
      	main()
      	{
      		signal(SIGHUP, f);
      		raise(SIGHUP);
      		write(1, "eeeek\n", 6);
      	}
      and watch the show.  The
      	close(1)                                = 405
      in the end of strace output is coming from return value of write() (6 ==
      __NR_close on alpha) and syscall number of exit_group() (__NR_exit_group ==
      405 there).
      
      The fix is fairly simple - the only thing we end up missing is the call
      of syscall_trace() and we can tell whether we'd been called from the
      SYSCALL_TRACE path by checking ra value.  Since we are setting the
      switch_stack up (that's what sys_sigreturn() does), we have the right
      environment for calling syscall_trace() - just before we call
      undo_switch_stack() and return.  Since undo_switch_stack() will overwrite
      s0 anyway, we can use it to store the result of "has it been called from
      SYSCALL_TRACE path?" check.  The same thing applies in rt_sigreturn().
      Tested-by: default avatarMichael Cree <mcree@orcon.net.nz>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarMatt Turner <mattst88@gmail.com>
      53293638
    • Al Viro's avatar
      alpha: unb0rk sigsuspend() and rt_sigsuspend() · 392fb6e3
      Al Viro authored
      Old code used to set regs->r0 and regs->r19 to force the right
      return value.  Leaving that after switch to ERESTARTNOHAND
      was a Bad Idea(tm), since now that screws the restart - if we
      hit the case when get_signal_to_deliver() returns 0, we will
      step back to syscall insn, with v0 set to EINTR and a3 to 1.
      The latter won't matter, since EINTR is 4, aka __NR_write.
      
      Testcase:
      
      	#include <signal.h>
      	#define _GNU_SOURCE
      	#include <unistd.h>
      	#include <sys/syscall.h>
      
      	main()
      	{
      		sigset_t mask;
      		sigemptyset(&mask);
      		sigaddset(&mask, SIGCONT);
      		sigprocmask(SIG_SETMASK, &mask, NULL);
      		kill(0, SIGCONT);
      		syscall(__NR_sigsuspend, 1, "b0rken\n", 7);
      	}
      
      results on alpha in immediate message to stdout...
      
      Fix is obvious; moreover, since we don't need regs anymore, we can
      switch to normal prototypes for these guys and lose the wrappers.
      Even better, rt_sigsuspend() is identical to generic version in
      kernel/signal.c now.
      Tested-by: default avatarMichael Cree <mcree@orcon.net.nz>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarMatt Turner <mattst88@gmail.com>
      392fb6e3
    • Al Viro's avatar
      alpha: belated ERESTART_RESTARTBLOCK race fix · 2deba1bd
      Al Viro authored
      same thing as had been done on other targets back in 2003 -
      move setting ->restart_block.fn into {rt_,}sigreturn().
      Tested-by: default avatarMichael Cree <mcree@orcon.net.nz>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarMatt Turner <mattst88@gmail.com>
      2deba1bd
    • Michael Cree's avatar
      alpha: Shift perf event pending work earlier in timer interrupt · bdc8b891
      Michael Cree authored
      Pending work from the performance event subsystem is executed in
      the timer interrupt.  This patch shifts the call to
      perf_event_do_pending() before the call to update_process_times()
      as the latter may call back into the perf event subsystem and it
      is prudent to have the pending work executed first.
      Signed-off-by: default avatarMichael Cree <mcree@orcon.net.nz>
      Signed-off-by: default avatarMatt Turner <mattst88@gmail.com>
      bdc8b891
    • Mikael Pettersson's avatar
      alpha: wire up fanotify and prlimit64 syscalls · 531f0474
      Mikael Pettersson authored
      The 2.6.36-rc kernel added three new system calls:
      fanotify_init, fanotify_mark, and prlimit64.  This
      patch wires them up on Alpha.
      
      Built and booted on an XP900.  Untested beyond that.
      Signed-off-by: default avatarMikael Pettersson <mikpe@it.uu.se>
      Signed-off-by: default avatarMatt Turner <mattst88@gmail.com>
      531f0474
    • Arnd Bergmann's avatar
      alpha: kill big kernel lock · 12e750d9
      Arnd Bergmann authored
      All uses of the BKL on alpha are totally bogus, nothing
      is really protected by this. Remove the remaining users
      so we don't have to mark alpha as 'depends on BKL'.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Cc: Richard Henderson <rth@twiddle.net>
      Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
      Cc: linux-alpha@vger.kernel.org
      Signed-off-by: default avatarMatt Turner <mattst88@gmail.com>
      12e750d9
    • Tejun Heo's avatar
      alpha: fix build breakage in asm/cacheflush.h · b97f897d
      Tejun Heo authored
      Alpha SMP flush_icache_user_range() is implemented as an inline
      function inside include/asm/cacheflush.h.  It dereferences @current
      but doesn't include linux/sched.h and thus causes build failure if
      linux/sched.h wasn't included previously.  Fix it by including the
      needed header file explicitly.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Reported-by: default avatarStephen Rothwell <sfr@canb.auug.org.au>
      Signed-off-by: default avatarMatt Turner <mattst88@gmail.com>
      b97f897d
    • matt mooney's avatar
    • Joe Perches's avatar
  3. 18 Sep, 2010 4 commits
  4. 17 Sep, 2010 18 commits