- 19 Apr, 2004 4 commits
-
-
Chris Wright authored
> [BUG] minor
> /home/kash/linux/linux-2.6.5/drivers/net/wan/sdla.c:1206:sdla_xfer:
> ERROR:TAINT: 1201:1206:Passing unbounded user value "(mem).len" as arg 0
> to function "kmalloc", which uses it unsafely in model
> [SOURCE_MODEL=(lib,copy_from_user,user,taintscalar)]
> [SINK_MODEL=(lib,kmalloc,user,trustingsink)] [MINOR] [PATH=] [Also
> used at, line 1219 in argument 0 to function "kmalloc"]
>
> static int sdla_xfer(struct net_device *dev, struct sdla_mem *info, int
> read)
> {
>         struct sdla_mem mem;
>         char *temp;
>
> Start --->
>         if(copy_from_user(&mem, info, sizeof(mem)))
>                 return -EFAULT;
>
>         if (read)
>         {
> Error --->
>                 temp = kmalloc(mem.len, GFP_KERNEL);
>                 if (!temp)
>                         return(-ENOMEM);
>                 sdla_read(dev, mem.addr, temp, mem.len);

Hrm, I believe you could use this to read 128k of kernel memory. sdla_read() takes len as a short, whereas mem.len is an int. So, if mem.len == 0x20000, the allocation could still succeed. When cast to short, len will be 0x0, causing the read loop to copy nothing into the buffer. At least it's protected by a capable() check. I don't know what proper upper bound is for this hardware, or how much it's used/cared about. Simple memset() is trivial fix.
-
Jeff Garzik authored
Caught by Stanford checker.
-
Andrew Morton authored
If __ISAPNP__ and CONFIG_X86_PC9800 are not set, we forget to link the device into the global chain and el3_init_module dereferences NULL.
-
Olaf Hering authored
small cosmetic fix for powermac mace network driver.
eth%d: MACE at 00:05:02:f4:1b:1d, chip revision 25.64
vs.
eth0: MACE at 00:05:02:f4:1b:1d, chip revision 25.64
-
- 18 Apr, 2004 21 commits
-
-
bk://bk.arm.linux.org.uk/linux-2.6-rmk
Linus Torvalds authored
into ppc970.osdl.org:/home/torvalds/v2.6/linux
-
Russell King authored
This removes a number of unnecessary includes from the ARM specific files throughout the kernel. Most notably asm/pgalloc.h is needlessly included in several places. There were some places including it as a means to get at the cache flushing functions, so this has been corrected.
-
Benjamin Herrenschmidt authored
This is my brown paper bag day, I sent you the wrong patch for fixing the deadlock in rtas.c, here's one to apply on top of current bk that fixes build.
-
Linus Torvalds authored
-
Geert Uytterhoeven authored
Amiga Zorro8390 Ethernet: Add KERN_* prefixes to printk() messages
-
Geert Uytterhoeven authored
Amiga Hydra Ethernet: Add KERN_* prefixes to printk() messages
-
Geert Uytterhoeven authored
Amiga Ariadne Ethernet: Add KERN_* prefixes to printk() messages
-
Geert Uytterhoeven authored
Amiga A2065 Ethernet: Add missing variable in debug code
-
Andrew Morton authored
From: Andrey Panin <pazke@donpac.ru> this small patch fixes visws build error in 2.6.5.
-
Andrew Morton authored
From: Bart Samwel <bart@samwel.tk> Currently, an `hdparm -Y' can trigger a sync in laptop mode. We should only count fs-originated requests as being "disk activity".
-
Andrew Morton authored
Take the idr's lock while removing an element on the error path. Spotted by Nathan Lynch <nathanl@austin.ibm.com>.
-
Andrew Morton authored
From: Rusty Russell <rusty@rustcorp.com.au> People still build modules wrong, particularly without -fno-common. The resulting modules don't load, but we should at least warn about it.
-
Andrew Morton authored
Reduce the locking coverage of the oft-used j_list_lock: the per-bh jbd_lock_bh_state() gives us sufficient locking of buffer_head and journal_head internals.
-
Andrew Morton authored
From: Hugh Dickins <hugh@veritas.com> The earlier changes introducing PageAnon left truncated pages mapped into nonlinear vmas unswappable. Once we go to object-based rmap, it's impossible to find where file page is mapped once page->mapping cleared: switching them to anonymous is odd, and breaks strict commit accounting. So now handle truncation of nonlinear vmas correctly. And factor in Daniel's cluster filesystem needs while we're there: when invalidating local cache, we do want to unmap shared pages from all mms, but we do not want to discard private COWed modifications of those pages (which truncation discards to satisfy the SIGBUS semantics demanded by specs). Drew from Daniel's patch (LKML 2 Mar 04), but didn't always follow it; fewer name changes, but still some - "unmap" rather than "invalidate". zap_page_range is not exported, safe to give it and all the too-many layers an extra zap_details arg, in normal cases just NULL. Given details, zap_pte_range checks page mapping or index to skip anon or untruncated pages. I didn't realize before implementing, that in nonlinear case, it should set a file pte when truncating - otherwise linear pages might appear in place of SIGBUS. I suspect this implies that ->populate functions ought to set file ptes beyond EOF instead of failing, but haven't changed them as yet. To avoid making yet another copy of that ugly linear pgidx test, added inline function linear_page_index (to pagemap.h to get PAGE_CACHE_SIZE, though as usual things don't really work if it differs from PAGE_SIZE). Ooh, I thought I'd removed ___add_to_page_cache last time, do so now. unmap_page_range static, shift its hugepage check up into sole caller unmap_vmas. Killed "killme" debug from unmap_vmas, not seen it trigger. unmap_mapping_range is exported without restriction: I'm one of those who believe it should be generally available. But I'm wrongly placed to decide that, probably just sob quietly to myself if _GPL added later.
-
Andrew Morton authored
From: Hugh Dickins <hugh@veritas.com> Good example of "swapper_space considered harmful": swap_unplug_io_fn was originally designed for calling via swapper_space.backing_dev_info; but that way it loses track of which device is to be unplugged, so had to unplug all swap devices. But now sync_page tests SwapCache anyway, can call swap_unplug_io_fn with page, which leads direct to the device. Reverted -mc4's CONFIG_SWAP=n fix, just add another NOTHING for it. Reverted -mc3's editorial adjustments to swap_backing_dev_info and swapper_space initializations: they document the few fields which are actually used now, as comment above them says (sound of slapped wrist).
-
Andrew Morton authored
From: Hugh Dickins <hugh@veritas.com> One of the callers of flush_dcache_page is do_generic_mapping_read, where file is read without i_sem and without page lock: concurrent truncation may at any moment remove page from cache, NULLing ->mapping, making flush_dcache_page liable to oops. Put result of page_mapping in a local variable and apply mapping_mapped to that (if we were to check for NULL within mapping_mapped, it's unclear whether to say yes or no). parisc and arm do have other locking unsafety in their i_mmap(_shared) searching, but that's a larger issue to be dealt with down the line.
-
Andrew Morton authored
From: Anton Blanchard <anton@samba.org> Oprofilefs can't handle > 99 cpus. This should fix it.
-
Andrew Morton authored
From: Rusty Russell <rusty@rustcorp.com.au>

# lsmod
Module                  Size  Used by
1                      26060  6
#

The compiler #define's unix to 1: we use -DKBUILD_MODNAME=unix. We used to #undef unix at the top of af_unix.c, but now the name is inserted by modpost, that doesn't help. #undef unix in modpost.c's generated C file.
-
Andrew Morton authored
From: Benjamin Herrenschmidt <benh@kernel.crashing.org> My RTAS locking fixes incorrectly added a spinlock around the function used to stop a CPU, that function never returns, thus the lock becomes stale. The correct fix is to disable interrupts instead (the RTAS params being per-CPU, this should be safe enough)
-
Linus Torvalds authored
But obviously only if we're not passing in any offset pointer. This is how 2.4.x worked, and vsftpd relies on it. Bug reported by Chris <chris@scary.beasts.org>
-
Linus Torvalds authored
into ppc970.osdl.org:/home/torvalds/v2.6/linux
-
- 17 Apr, 2004 15 commits
-
-
Russell King authored
This adds detailed documentation concerning how we map the Linux page table structure onto the hardware tables on ARM. In addition, it also adds documentation describing how we emulate the "dirty" and "young" or "accessed" page table bits. This should be of interest to Linux MM developers.
-
Hugh Dickins authored
It occurred to me that if vma and new_vma are one and the same, then vma_relink_file will not do a good job of linking it after itself - in that pretty unlikely case when move_page_tables fails. And more generally, whenever copy_vma's vma_merge succeeds, we have no guarantee that old vma comes before new_vma in the i_mmap lists, as we need to satisfy Rajesh's point: that ordering is only guaranteed in the newly allocated case. We have to abandon the ordering method when/if we move from lists to prio_trees, so this patch switches to the less glamorous use of i_shared_sem exclusion, as in my prio_tree mremap.
-
Alexander Viro authored
The field in question is a) unused b) damn next to impossible to use correctly, due to struct super_block lifetime and locking rules.
-
bk://bk.arm.linux.org.uk/linux-2.6-pcmcia
Linus Torvalds authored
into ppc970.osdl.org:/home/torvalds/v2.6/linux
-
bk://bk.arm.linux.org.uk/linux-2.6-serial
Linus Torvalds authored
into ppc970.osdl.org:/home/torvalds/v2.6/linux
-
Russell King authored
Update serial to use new module parameters rather than MODULE_PARM.
-
Russell King authored
-
bk://bk.arm.linux.org.uk/linux-2.6-rmk
Linus Torvalds authored
into ppc970.osdl.org:/home/torvalds/v2.6/linux
-
Pavel Roskin authored
Patch from: Pavel Roskin As it turns out, mixing MODULE_PARM and module_param in one module is wrong. The parameters specified in module_param are ignored. I've just posted a patch to LKML that will detect this condition and warn about it. The new debugging code used the new-style module_param, which means that all instances of MODULE_PARM should be converted. The attached patch does that. An additional bonus is that module_param_array provides the number of array elements. This allowed me to change tcic.c and i82365.c to use this number for IRQ list. This change was tested with i82365. If "irq_list" is not specified, irq_list_count is 0. I set all permissions to 0444 to be safe. I think we have no secrets from the users regarding those parameters. If some parameters can be changed safely at the runtime, the permissions could be changed to 0644. I didn't examine how safe (and how useful) it would be, so it's 0444 for now.
-
Andrew Morton authored
From: William Lee Irwin III <wli@holomorphy.com> rmk mentioned that ARM was borked as the relation, assumed by generic rmap, PTRS_PER_PTE*sizeof(pte_t) == PAGE_SIZE, fails to hold. The following patch, developed jointly with him (or depending on POV, by him with me acting as codemonkey), is reported to resolve the issue. Specifically, while ARM dedicates an entire PAGE_SIZE -sized block of memory to each PTE table, the PTE table itself only spans half that, the remainder being dedicated to hardware-interpreted structures. As the hardware structure must be contiguous, wider ptes can't be used. So the core-visible PTE table only spans PAGE_SIZE/2 bytes, violating the assumption. This corrects masking and scaling done in ptep_to_address().
-
Andrew Morton authored
From: Dave Jones <davej@redhat.com>
-
Andrew Morton authored
From: Manfred Spraul <manfred@colorfullife.com> Any user can delete any entries in a mqueue mounted filesystem. The attached patch prevents that. - remove the writable test from mq_unlink. - set the sticky bit in the root inode. This affects both mq_unlink and sys_unlink: only the owner (and root) should be allowed to remove queues.
-
Andrew Morton authored
From: David Gibson <david@gibson.dropbear.id.au> Some versions of follow_huge_addr() and follow_huge_pmd() are doing a get_page() on the target page. They shouldn't: follow_page() returns an unpinned page and it is the caller's responsibility to pin the page (if desired) before dropping page_table_lock.
-
Andrew Morton authored
From: David Gibson <david@gibson.dropbear.id.au> Trivial cleanup to flush_hash_hugepage() in the ppc64 hugepage code.
-
Andrew Morton authored
From: Geert Uytterhoeven <geert@linux-m68k.org> While compiling drivers/char/ipmi/ipmi_si_intf.c in 2.6.6-rc1 on m68k, I noticed a missing include (needed for disable_irq_nosync() and enable_irq())
-