- 12 Sep, 2014 8 commits
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-securityLinus Torvalds authored
Pull assoc array garbage collection fix from James Morris. * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: KEYS: Fix termination condition in assoc array garbage collection
-
git://git.kernel.org/pub/scm/linux/kernel/git/tomba/linuxLinus Torvalds authored
Pull fbdev fixes from Tomi Valkeinen: "Minor fixes for amba-clcd and video DT bindings" * tag 'fbdev-fixes-3.17' of git://git.kernel.org/pub/scm/linux/kernel/git/tomba/linux: video: ARM CLCD: Fix color model capabilities for DT platforms video: fix composite video connector compatible string
-
git://people.freedesktop.org/~airlied/linuxLinus Torvalds authored
Pull drm fixes from Dave Airlie: "AST, i915, radeon and msm fixes, all over the place. All fixing build issues, regressions, oopses or failure to detect cards" * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: drm/ast: AST2000 cannot be detected correctly drm/ast: open key before detect chips drm/msm: don't crash if no msm.vram param drm/msm/hdmi: fix build break on non-CCF platforms drm/msm: Change nested function to static function drm/radeon/dpm: set the thermal type properly for special configs drm/radeon: reduce memory footprint for debugging drm/radeon: add connector quirk for fujitsu board drm/radeon: fix semaphore value init drm/radeon: only use me/pfp sync on evergreen+ drm/i915: Wait for vblank before enabling the TV encoder drm/i915: Evict CS TLBs between batches drm/i915: Fix irq enable tracking in driver load drm/i915: Fix EIO/wedged handling in gem fault handler drm/i915: Prevent recursive deadlock on releasing a busy userptr
-
David Howells authored
This fixes CVE-2014-3631. It is possible for an associative array to end up with a shortcut node at the root of the tree if there are more than fan-out leaves in the tree, but they all crowd into the same slot in the lowest level (ie. they all have the same first nibble of their index keys). When assoc_array_gc() returns back up the tree after scanning some leaves, it can fall off of the root and crash because it assumes that the back pointer from a shortcut (after label ascend_old_tree) must point to a normal node - which isn't true of a shortcut node at the root. Should we find we're ascending rootwards over a shortcut, we should check to see if the backpointer is zero - and if it is, we have completed the scan. This particular bug cannot occur if the root node is not a shortcut - ie. if you have fewer than 17 keys in a keyring or if you have at least two keys that sit into separate slots (eg. a keyring and a non keyring). This can be reproduced by: ring=`keyctl newring bar @s` for ((i=1; i<=18; i++)); do last_key=`keyctl newring foo$i $ring`; done keyctl timeout $last_key 2 Doing this: echo 3 >/proc/sys/kernel/keys/gc_delay first will speed things up. If we do fall off of the top of the tree, we get the following oops: BUG: unable to handle kernel NULL pointer dereference at 0000000000000018 IP: [<ffffffff8136cea7>] assoc_array_gc+0x2f7/0x540 PGD dae15067 PUD cfc24067 PMD 0 Oops: 0000 [#1] SMP Modules linked in: xt_nat xt_mark nf_conntrack_netbios_ns nf_conntrack_broadcast ip6t_rpfilter ip6t_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables ip6table_ni CPU: 0 PID: 26011 Comm: kworker/0:1 Not tainted 3.14.9-200.fc20.x86_64 #1 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 Workqueue: events key_garbage_collector task: ffff8800918bd580 ti: ffff8800aac14000 task.ti: ffff8800aac14000 RIP: 0010:[<ffffffff8136cea7>] [<ffffffff8136cea7>] assoc_array_gc+0x2f7/0x540 RSP: 0018:ffff8800aac15d40 EFLAGS: 00010206 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8800aaecacc0 RDX: ffff8800daecf440 RSI: 0000000000000001 RDI: ffff8800aadc2bc0 RBP: ffff8800aac15da8 R08: 0000000000000001 R09: 0000000000000003 R10: ffffffff8136ccc7 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000070 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff88011fc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000000000018 CR3: 00000000db10d000 CR4: 00000000000006f0 Stack: ffff8800aac15d50 0000000000000011 ffff8800aac15db8 ffffffff812e2a70 ffff880091a00600 0000000000000000 ffff8800aadc2bc3 00000000cd42c987 ffff88003702df20 ffff88003702dfa0 0000000053b65c09 ffff8800aac15fd8 Call Trace: [<ffffffff812e2a70>] ? keyring_detect_cycle_iterator+0x30/0x30 [<ffffffff812e3e75>] keyring_gc+0x75/0x80 [<ffffffff812e1424>] key_garbage_collector+0x154/0x3c0 [<ffffffff810a67b6>] process_one_work+0x176/0x430 [<ffffffff810a744b>] worker_thread+0x11b/0x3a0 [<ffffffff810a7330>] ? rescuer_thread+0x3b0/0x3b0 [<ffffffff810ae1a8>] kthread+0xd8/0xf0 [<ffffffff810ae0d0>] ? insert_kthread_work+0x40/0x40 [<ffffffff816ffb7c>] ret_from_fork+0x7c/0xb0 [<ffffffff810ae0d0>] ? insert_kthread_work+0x40/0x40 Code: 08 4c 8b 22 0f 84 bf 00 00 00 41 83 c7 01 49 83 e4 fc 41 83 ff 0f 4c 89 65 c0 0f 8f 5a fe ff ff 48 8b 45 c0 4d 63 cf 49 83 c1 02 <4e> 8b 34 c8 4d 85 f6 0f 84 be 00 00 00 41 f6 c6 01 0f 84 92 RIP [<ffffffff8136cea7>] assoc_array_gc+0x2f7/0x540 RSP <ffff8800aac15d40> CR2: 0000000000000018 ---[ end trace 1129028a088c0cbd ]--- Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Don Zickus <dzickus@redhat.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
-
Pawel Moll authored
The DT-based panel capabilities selection was picking up a subset of available modes based on hardware configuration. This was wrong, as the capabilities describe available memory models and adapt the display controller to them that the RGB output is wired up correctly (as in: R and B components are not swapped). This patch fixes it by removing the unnecessary limitation. Signed-off-by: Pawel Moll <pawel.moll@arm.com> Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
-
Y.C. Chen authored
Type error and cause AST2000 cannot be detected correctly Signed-off-by: Y.C. Chen <yc_chen@aspeedtech.com> Reviewed-by: Egbert Eich <eich@suse.de> Cc: stable@vger.kernel.org Signed-off-by: Dave Airlie <airlied@redhat.com>
-
Y.C. Chen authored
Some config settings like 3rd TX chips will not get correctly if the extended reg is protected Signed-off-by: Y.C. Chen <yc_chen@aspeedtech.com> Reviewed-by: Egbert Eich <eich@suse.de> Cc: stable@vger.kernel.org Signed-off-by: Dave Airlie <airlied@redhat.com>
-
git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-clientLinus Torvalds authored
Pull Ceph fixes from Sage Weil: "The main thing here is a set of three patches that fix a buffer overrun for large authentication tickets (sigh). There is also a trivial warning fix and an error path fix that are both regressions" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client: libceph: do not hard code max auth ticket len libceph: add process_one_ticket() helper libceph: gracefully handle large reply messages from the mon rbd: fix error return code in rbd_dev_device_setup() rbd: avoid format-security warning inside alloc_workqueue()
-
- 11 Sep, 2014 15 commits
-
-
Linus Torvalds authored
Merge tag 'stable/for-linus-3.17-b-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip Pull Xen bug fixes from David Vrabel: - fix for PVHVM suspend/resume and migration - don't pointlessly retry certain ballooning ops - fix gntalloc when grefs have run out. - fix PV boot if KSALR is enable or very large modules are used. * tag 'stable/for-linus-3.17-b-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip: x86/xen: don't copy bogus duplicate entries into kernel page tables xen/gntalloc: safely delete grefs in add_grefs() undo path xen/gntalloc: fix oops after runnning out of grant refs xen/balloon: cancel ballooning if adding new memory failed xen/manage: Always freeze/thaw processes when suspend/resuming
-
git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linuxLinus Torvalds authored
Pull powerpc fixes from Michael Ellerman: "Ben's travelling so this is my first attempt at a pull request. There's nothing too exciting. The CONFIG_FHANDLE one is annoying, I know you love defconfig changes. But we've had a couple of developers waste time debugging boxes that wouldn't boot, only to realise it's just that systemd needs CONFIG_FHANDLE and our defconfigs don't have it. The new syscalls seem to be working, I've run the selftests that exist, and also let trinity bash on them for a while" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux: powerpc: Wire up sys_seccomp(), sys_getrandom() and sys_memfd_create() powerpc: Make CONFIG_FHANDLE=y for all 64 bit powerpc defconfigs powerpc: use machine_subsys_initcall() for opal_hmi_handler_init() powerpc/perf: Fix ABIv2 kernel backtraces powerpc/pseries: Fix endian issues in memory hotplug
-
git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pmLinus Torvalds authored
Pull ACPI and power management fixes from Rafael Wysocki: "These are regression fixes (cpufreq, ACPI battery) and fixes for stuff that never worked correctly (ACPI RTC operation region handler and PM domain implementation in the ACPI LPSS driver). Specifics: - Fix for the cpufreq Operation Performance Points (OPP) code where a recent commit added a kcalloc() call with an incorrect ordering of arguments. From Anand Moon. - Reverts of two ACPI battery commits that caused incorrect diagnostic information to be printed to dmesg in some cases from Bjørn Mork. - Fix for the ACPI RTC operation region handler that applied the & operator to an argument already representing an address and that caused it to overwrite its own argument instead of writing to the address contained in it as expected. From Chun-Yi Lee. - Fix for the PM domain implementation in the ACPI LPSS (Low-Power Subsystem) driver where one callback pointer pointed to a wrong routine and one was NULL, but it shouldn't. From Fu Zhonghui" * tag 'pm+acpi-3.17-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPI / LPSS: complete PM entries for LPSS power domain Revert "ACPI / battery: fix wrong value of capacity_now reported when fully charged" Revert "ACPI / battery: Fix warning message in acpi_battery_get_state()" ACPI / RTC: Fix CMOS RTC opregion handler accesses to wrong addresses cpufreq / OPP: Fix the order of arguments for kcalloc()
-
git://git.infradead.org/users/vkoul/slave-dmaLinus Torvalds authored
Pull dmaengine fixes from Vinod Koul: "Two minor fixes. First one from Kuninori clarifying dmas bindings and second from Lars for fixing dma descriptor completion in non cyclic case" * 'fixes' of git://git.infradead.org/users/vkoul/slave-dma: dmaengine: jz4740: Fix non-cyclic descriptor completion dt/bindings: rcar-audmapp: tidyup dmas explanation
-
git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrlLinus Torvalds authored
Pull two pin control fixes from Linus Walleij: - fix a warning about unbalanced IRQs on the Baytrail - update Tomasz Figa's address in MAINTAINERS * tag 'pinctrl-v3.17-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl: MAINTAINERS: Tomasz has moved pinctrl: baytrail: resolve unbalanced IRQ wake disable warning
-
git://git.kernel.org/pub/scm/linux/kernel/git/dtor/inputLinus Torvalds authored
Pull input updates from Dmitry Torokhov: "An update to Synaptics PS/2 driver to handle "ForcePads" (currently found in HP EliteBook 1040 laptops), a change for Elan PS/2 driver to detect newer touchpads, bunch of devices get annotated as Trackpoint and/or Pointer to help userspace classify and handle them, plus assorted driver fixes" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: Input: serport - add compat handling for SPIOCSTYPE ioctl Input: atmel_mxt_ts - fix double free of input device Input: synaptics - add support for ForcePads Input: matrix_keypad - use request_any_context_irq() Input: atmel_mxt_ts - downgrade warning about empty interrupts Input: wm971x - fix typo in module parameter description Input: cap1106 - fix register definition Input: add missing POINTER / DIRECT properties to a bunch of drivers Input: add INPUT_PROP_POINTING_STICK property Input: elantech - fix detection of touchpad on ASUS s301l
-
Rafael J. Wysocki authored
* acpi-rtc: ACPI / RTC: Fix CMOS RTC opregion handler accesses to wrong addresses * acpi-lpss: ACPI / LPSS: complete PM entries for LPSS power domain * acpi-battery: Revert "ACPI / battery: fix wrong value of capacity_now reported when fully charged" Revert "ACPI / battery: Fix warning message in acpi_battery_get_state()"
-
Rafael J. Wysocki authored
* pm-cpufreq: cpufreq / OPP: Fix the order of arguments for kcalloc()
-
git://people.freedesktop.org/~robclark/linuxDave Airlie authored
A couple more little fixes: 1) fix from llvm/clang folks 2) fix build if common clock framework is not used 3) if vram carveout is used, have default size for vram carveout * 'msm-fixes-3.17-rc4' of git://people.freedesktop.org/~robclark/linux: drm/msm: don't crash if no msm.vram param drm/msm/hdmi: fix build break on non-CCF platforms drm/msm: Change nested function to static function
-
Rob Clark authored
If VRAM carveout is used, due to no IOMMU, we should have a default value for msm.vram so that we don't simply crash. Reported-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org> Signed-off-by: Rob Clark <robdclark@gmail.com>
-
Rob Clark authored
Reported-by: Russell King <linux@arm.linux.org.uk> Signed-off-by: Rob Clark <robdclark@gmail.com>
-
Mark Charlebois authored
There is currently a nested function in Russel King's tree for the msm HDMI driver. The last nested function was removed from the Linux kernel when the Thinkpad driver was fixed. I believe nested functions are not desired upstream, and it also breaks compilation with clang so here is a patch to change the nested function into static function. The patch works with both clang and gcc. Signed-off-by: Mark Charlebois <charlebm@gmail.com> Signed-off-by: Rob Clark <robdclark@gmail.com>
-
git://anongit.freedesktop.org/drm-intelDave Airlie authored
more fixes for 3.17, almost all Cc: stable material. * tag 'drm-intel-fixes-2014-09-10' of git://anongit.freedesktop.org/drm-intel: drm/i915: Wait for vblank before enabling the TV encoder drm/i915: Evict CS TLBs between batches drm/i915: Fix irq enable tracking in driver load drm/i915: Fix EIO/wedged handling in gem fault handler drm/i915: Prevent recursive deadlock on releasing a busy userptr
-
git://people.freedesktop.org/~agd5f/linuxDave Airlie authored
Just a few fixes for radeon for 3.17. * 'drm-fixes-3.17' of git://people.freedesktop.org/~agd5f/linux: drm/radeon/dpm: set the thermal type properly for special configs drm/radeon: reduce memory footprint for debugging drm/radeon: add connector quirk for fujitsu board drm/radeon: fix semaphore value init drm/radeon: only use me/pfp sync on evergreen+
-
Lars-Peter Clausen authored
We need to make sure to deqeueue the descriptor from the active list before we call vchan_cookie_complete(). Also we need obviously only set chan->desc to NULL after we stopped using it. Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Signed-off-by: Vinod Koul <vinod.koul@intel.com>
-
- 10 Sep, 2014 17 commits
-
-
Linus Torvalds authored
Merge misc fixes from Andrew Morton: "10 fixes" * emailed patches from Andrew Morton <akpm@linux-foundation.org>: fs/notify: don't show f_handle if exportfs_encode_inode_fh failed fsnotify/fdinfo: use named constants instead of hardcoded values kcmp: fix standard comparison bug mm/mmap.c: use pr_emerg when printing BUG related information shm: add memfd.h to UAPI export list checkpatch: allow commit descriptions on separate line from commit id sh: get_user_pages_fast() must flush cache eventpoll: fix uninitialized variable in epoll_ctl kernel/printk/printk.c: fix faulty logic in the case of recursive printk mem-hotplug: let memblock skip the hotpluggable memory regions in __next_mem_range()
-
Andrey Vagin authored
Currently we handle only ENOSPC. In case of other errors the file_handle variable isn't filled properly and we will show a part of stack. Signed-off-by: Andrey Vagin <avagin@openvz.org> Acked-by: Cyrill Gorcunov <gorcunov@openvz.org> Cc: Alexander Viro <viro@zeniv.linux.org.uk> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
Andrey Vagin authored
MAX_HANDLE_SZ is equal to 128, but currently the size of pad is only 64 bytes, so exportfs_encode_inode_fh can return an error. Signed-off-by: Andrey Vagin <avagin@openvz.org> Acked-by: Cyrill Gorcunov <gorcunov@openvz.org> Cc: Alexander Viro <viro@zeniv.linux.org.uk> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
Rasmus Villemoes authored
The C operator <= defines a perfectly fine total ordering on the set of values representable in a long. However, unlike its namesake in the integers, it is not translation invariant, meaning that we do not have "b <= c" iff "a+b <= a+c" for all a,b,c. This means that it is always wrong to try to boil down the relationship between two longs to a question about the sign of their difference, because the resulting relation [a LEQ b iff a-b <= 0] is neither anti-symmetric or transitive. The former is due to -LONG_MIN==LONG_MIN (take any two a,b with a-b = LONG_MIN; then a LEQ b and b LEQ a, but a != b). The latter can either be seen observing that x LEQ x+1 for all x, implying x LEQ x+1 LEQ x+2 ... LEQ x-1 LEQ x; or more directly with the simple example a=LONG_MIN, b=0, c=1, for which a-b < 0, b-c < 0, but a-c > 0. Note that it makes absolutely no difference that a transmogrying bijection has been applied before the comparison is done. In fact, had the obfuscation not been done, one could probably not observe the bug (assuming all values being compared always lie in one half of the address space, the mathematical value of a-b is always representable in a long). As it stands, one can easily obtain three file descriptors exhibiting the non-transitivity of kcmp(). Side note 1: I can't see that ensuring the MSB of the multiplier is set serves any purpose other than obfuscating the obfuscating code. Side note 2: #include <stdio.h> #include <stdlib.h> #include <string.h> #include <fcntl.h> #include <unistd.h> #include <assert.h> #include <sys/syscall.h> enum kcmp_type { KCMP_FILE, KCMP_VM, KCMP_FILES, KCMP_FS, KCMP_SIGHAND, KCMP_IO, KCMP_SYSVSEM, KCMP_TYPES, }; pid_t pid; int kcmp(pid_t pid1, pid_t pid2, int type, unsigned long idx1, unsigned long idx2) { return syscall(SYS_kcmp, pid1, pid2, type, idx1, idx2); } int cmp_fd(int fd1, int fd2) { int c = kcmp(pid, pid, KCMP_FILE, fd1, fd2); if (c < 0) { perror("kcmp"); exit(1); } assert(0 <= c && c < 3); return c; } int cmp_fdp(const void *a, const void *b) { static const int normalize[] = {0, -1, 1}; return normalize[cmp_fd(*(int*)a, *(int*)b)]; } #define MAX 100 /* This is plenty; I've seen it trigger for MAX==3 */ int main(int argc, char *argv[]) { int r, s, count = 0; int REL[3] = {0,0,0}; int fd[MAX]; pid = getpid(); while (count < MAX) { r = open("/dev/null", O_RDONLY); if (r < 0) break; fd[count++] = r; } printf("opened %d file descriptors\n", count); for (r = 0; r < count; ++r) { for (s = r+1; s < count; ++s) { REL[cmp_fd(fd[r], fd[s])]++; } } printf("== %d\t< %d\t> %d\n", REL[0], REL[1], REL[2]); qsort(fd, count, sizeof(fd[0]), cmp_fdp); memset(REL, 0, sizeof(REL)); for (r = 0; r < count; ++r) { for (s = r+1; s < count; ++s) { REL[cmp_fd(fd[r], fd[s])]++; } } printf("== %d\t< %d\t> %d\n", REL[0], REL[1], REL[2]); return (REL[0] + REL[2] != 0); } Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk> Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org> "Eric W. Biederman" <ebiederm@xmission.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
Sasha Levin authored
Make sure we actually see the output of validate_mm() and browse_rb() before triggering a BUG(). pr_info isn't shown by default so the reason for the BUG() isn't obvious. Signed-off-by: Sasha Levin <sasha.levin@oracle.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
David Drysdale authored
The new header file memfd.h from commit 9183df25 ("shm: add memfd_create() syscall") should be exported. Signed-off-by: David Drysdale <drysdale@google.com> Reviewed-by: David Herrmann <dh.herrmann@gmail.com> Cc: Hugh Dickins <hughd@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
Joe Perches authored
The general form for commit id and description is 'Commit <12+hexdigits> ("commit description/subject line")' but commit logs often have relatively long commit ids and the commit description emds on the next line like: Some explanation as to why commit <12+hexdigits> ("commit foo description/subject line") is improved. Allow this form. Signed-off-by: Joe Perches <joe@perches.com> Suggested-by: Joe Lawrence <joe.lawrence@stratus.com> Tested-by: Joe Lawrence <joe.lawrence@stratus.com> Suggested-by: Geert Uytterhoeven <geert@linux-m68k.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
Stas Sergeev authored
This patch avoids fuse hangs on sh4 by flushing the cache on get_user_pages_fast(). This is not necessary a good thing to do, but get_user_pages() does this, so get_user_pages_fast() should too. Please note the patch for mips arch that addresses the similar problem: https://kernel.googlesource.com/pub/scm/linux/kernel/git/ralf/linux/+/linux-3.4.50%5E!/#F0 They basically simply disable get_user_pages_fast() at all, using a fall-back to get_user_pages(). But my fix is different, it adds an explicit cache flushes. Signed-off-by: Stas Sergeev <stsp@users.sourceforge.net> Cc: Geert Uytterhoeven <geert+renesas@glider.be> Cc: Kamal Dasu <kdasu.kdev@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
Nicolas Iooss authored
When calling epoll_ctl with operation EPOLL_CTL_DEL, structure epds is not initialized but ep_take_care_of_epollwakeup reads its event field. When this unintialized field has EPOLLWAKEUP bit set, a capability check is done for CAP_BLOCK_SUSPEND in ep_take_care_of_epollwakeup. This produces unexpected messages in the audit log, such as (on a system running SELinux): type=AVC msg=audit(1408212798.866:410): avc: denied { block_suspend } for pid=7754 comm="dbus-daemon" capability=36 scontext=unconfined_u:unconfined_r:unconfined_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=capability2 permissive=1 type=SYSCALL msg=audit(1408212798.866:410): arch=c000003e syscall=233 success=yes exit=0 a0=3 a1=2 a2=9 a3=7fffd4d66ec0 items=0 ppid=1 pid=7754 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="dbus-daemon" exe="/usr/bin/dbus-daemon" subj=unconfined_u:unconfined_r:unconfined_t key=(null) ("arch=c000003e syscall=233 a1=2" means "epoll_ctl(op=EPOLL_CTL_DEL)") Remove use of epds in epoll_ctl when op == EPOLL_CTL_DEL. Fixes: 4d7e30d9 ("epoll: Add a flag, EPOLLWAKEUP, to prevent suspend while epoll events are ready") Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org> Cc: Alexander Viro <viro@zeniv.linux.org.uk> Cc: Arve Hjønnevåg <arve@android.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
Patrick Palka authored
We shouldn't set text_len in the code path that detects printk recursion because text_len corresponds to the length of the string inside textbuf. A few lines down from the line text_len = strlen(recursion_msg); is the line text_len += vscnprintf(text + text_len, ...); So if printk detects recursion, it sets text_len to 29 (the length of recursion_msg) and logs an error. Then the message supplied by the caller of printk is stored inside textbuf but offset by 29 bytes. This means that the output of the recursive call to printk will contain 29 bytes of garbage in front of it. This defect is caused by commit 458df9fd ("printk: remove separate printk_sched buffers and use printk buf instead") which turned the line text_len = vscnprintf(text, ...); into text_len += vscnprintf(text + text_len, ...); To fix this, this patch avoids setting text_len when logging the printk recursion error. This patch also marks unlikely() the branch leading up to this code. Fixes: 458df9fd ("printk: remove separate printk_sched buffers and use printk buf instead") Signed-off-by: Patrick Palka <patrick@parcs.ath.cx> Reviewed-by: Petr Mladek <pmladek@suse.cz> Reviewed-by: Jan Kara <jack@suse.cz> Acked-by: Steven Rostedt <rostedt@goodmis.org> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
Xishi Qiu authored
Let memblock skip the hotpluggable memory regions in __next_mem_range(), it is used to to prevent memblock from allocating hotpluggable memory for the kernel at early time. The code is the same as __next_mem_range_rev(). Clear hotpluggable flag before releasing free pages to the buddy allocator. If we don't clear hotpluggable flag in free_low_memory_core_early(), the memory which marked hotpluggable flag will not free to buddy allocator. Because __next_mem_range() will skip them. free_low_memory_core_early for_each_free_mem_range for_each_mem_range __next_mem_range [akpm@linux-foundation.org: fix warning] Signed-off-by: Xishi Qiu <qiuxishi@huawei.com> Cc: Tejun Heo <tj@kernel.org> Cc: Tang Chen <tangchen@cn.fujitsu.com> Cc: Zhang Yanfei <zhangyanfei@cn.fujitsu.com> Cc: Wen Congyang <wency@cn.fujitsu.com> Cc: "Rafael J. Wysocki" <rjw@sisk.pl> Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: Wu Fengguang <fengguang.wu@intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fsLinus Torvalds authored
Pull UDF fixes from Jan Kara: "Fixes for UDF handling of NFS handles and one fix for proper handling of corrupted media" * 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs: udf: saner calling conventions for udf_new_inode() udf: fix the udf_iget() vs. udf_new_inode() races udf: merge the pieces inserting a new non-directory object into directory udf: Set i_generation field udf: Properly detect stale inodes udf: Make udf_read_inode() and udf_iget() return error udf: Avoid infinite loop when processing indirect ICBs udf: Fold udf_fill_inode() into __udf_read_inode() udf: Avoid dir link count to go negative
-
John Sung authored
When running a 32-bit inputattach utility in a 64-bit system, there will be error code "inputattach: can't set device type". This is caused by the serport device driver not supporting compat_ioctl, so that SPIOCSTYPE ioctl fails. Cc: stable@vger.kernel.org Signed-off-by: John Sung <penmount.touch@gmail.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
Stephen Warren authored
[Nick Dyer: reworked to move free of input device into separate function and only call in paths that require it.] Signed-off-by: Nick Dyer <nick.dyer@itdev.co.uk> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
Ilya Dryomov authored
We hard code cephx auth ticket buffer size to 256 bytes. This isn't enough for any moderate setups and, in case tickets themselves are not encrypted, leads to buffer overflows (ceph_x_decrypt() errors out, but ceph_decode_copy() doesn't - it's just a memcpy() wrapper). Since the buffer is allocated dynamically anyway, allocated it a bit later, at the point where we know how much is going to be needed. Fixes: http://tracker.ceph.com/issues/8979 Cc: stable@vger.kernel.org Signed-off-by: Ilya Dryomov <ilya.dryomov@inktank.com> Reviewed-by: Sage Weil <sage@redhat.com>
-
Ilya Dryomov authored
Add a helper for processing individual cephx auth tickets. Needed for the next commit, which deals with allocating ticket buffers. (Most of the diff here is whitespace - view with git diff -b). Cc: stable@vger.kernel.org Signed-off-by: Ilya Dryomov <ilya.dryomov@inktank.com> Reviewed-by: Sage Weil <sage@redhat.com>
-
Sage Weil authored
We preallocate a few of the message types we get back from the mon. If we get a larger message than we are expecting, fall back to trying to allocate a new one instead of blindly using the one we have. CC: stable@vger.kernel.org Signed-off-by: Sage Weil <sage@redhat.com> Reviewed-by: Ilya Dryomov <ilya.dryomov@inktank.com>
-