30 Aug, 2011
20 commits
-
commit 064b43304ed8ede8e13ff7b4338d09fd37bcffb1 upstream.
Register writes followed by a delay are required to have a flush
before the delay in order to commit the values to the register. Without
the flush, the code following the delay may not function correctly.

Reported-by: Tong Ho
Reported-by: Guenter Roeck
Signed-off-by: Carolyn Wyborny
Tested-by: Aaron Brown
Signed-off-by: Jeff Kirsher
Signed-off-by: Greg Kroah-Hartman
-
commit c2183d1e9b3f313dd8ba2b1b0197c8d9fb86a7ae upstream.
FUSE_NOTIFY_INVAL_ENTRY didn't check the length of the write so the
message processing could overrun and result in a "kernel BUG at
fs/fuse/dev.c:629!"

Reported-by: Han-Wen Nienhuys
Signed-off-by: Miklos Szeredi
Signed-off-by: Greg Kroah-Hartman
-
commit 7c4c3960dff109bc5db4c35da481c212dadb5eb5 upstream.
ttm_tt_destroy kfrees passed object, so we need to nullify
a reference to it.

Signed-off-by: Marcin Slusarz
Reviewed-by: Thomas Hellstrom
Signed-off-by: Dave Airlie
Signed-off-by: Greg Kroah-Hartman
-
commit 05e33fc20ea5e493a2a1e7f1d04f43cdf89f83ed upstream.
Delete the 10 msec delay between the INIT and SIPI when starting
slave cpus. I can find no requirement for this delay. BIOS also
has similar code sequences without the delay.

Removing the delay reduces boot time by 40 sec. Every bit helps.

Signed-off-by: Jack Steiner
Link: http://lkml.kernel.org/r/20110805140900.GA6774@sgi.com
Signed-off-by: Ingo Molnar
Signed-off-by: Greg Kroah-Hartman
-
commit 7ca0758cdb7c241cb4e0490a8d95f0eb5b861daf upstream.
When we enter a 32-bit system call via SYSENTER or SYSCALL, we shuffle
the arguments to match the int $0x80 calling convention. This was
probably a design mistake, but it's what it is now. This causes
errors if the system call has to be restarted.

For SYSENTER, we have to invoke the instruction from the vdso as the
return address is hardcoded. Accordingly, we can simply replace the
jump in the vdso with an int $0x80 instruction and use the slower
entry point for a post-restart.

Suggested-by: Linus Torvalds
Signed-off-by: H. Peter Anvin
Link: http://lkml.kernel.org/r/CA%2B55aFztZ=r5wa0x26KJQxvZOaQq8s2v3u50wCyJcA-Sc4g8gQ@mail.gmail.com
Signed-off-by: Greg Kroah-Hartman
-
commit 9ea71503a8ed9184d2d0b8ccc4d269d05f7940ae upstream.
commit 7485d0d3758e8e6491a5c9468114e74dc050785d (futexes: Remove rw
parameter from get_futex_key()) in 2.6.33 fixed two problems: First, it
prevented a loop when encountering a ZERO_PAGE. Second, it fixed RW
MAP_PRIVATE futex operations by forcing the COW to occur by
unconditionally performing a write access get_user_pages_fast() to get
the page. The commit also introduced a user-mode regression in that it
broke futex operations on read-only memory maps. For example, this
breaks workloads that have one or more reader processes doing a
FUTEX_WAIT on a futex within a read only shared file mapping, and a
writer process that has a writable mapping issuing the FUTEX_WAKE.

This fixes the regression for valid futex operations on RO mappings by
trying a RO get_user_pages_fast() when the RW get_user_pages_fast()
fails. This change makes it necessary to also check for invalid use
cases, such as anonymous RO mappings (which can never change) and the
ZERO_PAGE which the commit referenced above was written to address.

This patch does restore the original behavior with RO MAP_PRIVATE
mappings, which have inherent user-mode usage problems and don't really
make sense. With this patch performing a FUTEX_WAIT within a RO
MAP_PRIVATE mapping will be successfully woken provided another process
updates the region of the underlying mapped file. However, the mmap()
man page states that for a MAP_PRIVATE mapping:

    It is unspecified whether changes made to the file after
    the mmap() call are visible in the mapped region.

So user-mode users attempting to use futex operations on RO MAP_PRIVATE
mappings are depending on unspecified behavior. Additionally a
RO MAP_PRIVATE mapping could fail to wake up in the following case.

Thread-A: call futex(FUTEX_WAIT, memory-region-A).
    get_futex_key() returns inode based key.
    sleep on the key
Thread-B: call mprotect(PROT_READ|PROT_WRITE, memory-region-A)
Thread-B: write memory-region-A.
    COW happens. This process's memory-region-A becomes related
    to new COWed private (ie PageAnon=1) page.
Thread-B: call futex(FUTEX_WAKE, memory-region-A).
    get_futex_key() returns mm based key.
    IOW, we fail to wake up Thread-A.

Once again doing something like this is just silly and users who do
something like this get what they deserve.

While RO MAP_PRIVATE mappings are nonsensical, checking for a private
mapping requires walking the vmas and was deemed too costly to avoid a
userspace hang.

This patch is based on Peter Zijlstra's initial patch with modifications to
only allow RO mappings for futex operations that need VERIFY_READ access.

Reported-by: David Oliver
Signed-off-by: Shawn Bohrer
Acked-by: Peter Zijlstra
Signed-off-by: Darren Hart
Cc: KOSAKI Motohiro
Cc: peterz@infradead.org
Cc: eric.dumazet@gmail.com
Cc: zvonler@rgmadvisors.com
Cc: hughd@google.com
Link: http://lkml.kernel.org/r/1309450892-30676-1-git-send-email-sbohrer@rgmadvisors.com
Signed-off-by: Thomas Gleixner
Signed-off-by: Greg Kroah-Hartman
-
commit eade7b281c9fc18401b989c77d5e5e660b25a3b7 upstream.
BugLink: https://bugs.launchpad.net/bugs/826081
The original reporter needs 'Headphone Jack Sense' enabled to have
audible audio, so add his PCI SSID to the whitelist.

Reported-and-tested-by: Muhammad Khurram Khan
Signed-off-by: Daniel T Chen
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
-
commit da6094ea7d3c2295473d8f5134279307255d6ebf upstream.
The snd_usb_caiaq driver currently assumes that output urbs are serviced
in time and doesn't track when and whether they are given back by the
USB core. That usually works fine, but due to temporary limitations of
the XHCI stack, we faced that urbs were submitted more than once with
this approach.

As it's no good practice to fire and forget urbs anyway, this patch
introduces a proper bit mask to track which requests have been submitted
and given back.

That alone however doesn't make the driver work in case the host
controller is broken and doesn't give back urbs at all, and the output
stream will stop once all pre-allocated output urbs are consumed. But
it does prevent crashes of the controller stack in such cases.

See http://bugzilla.kernel.org/show_bug.cgi?id=40702 for more details.

Signed-off-by: Daniel Mack
Reported-and-tested-by: Matej Laitl
Cc: Sarah Sharp
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
-
commit 338d0f0a6fbc82407864606f5b64b75aeb3c70f2 upstream.
Signed-off-by: Timo Warns
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
-
commit 3eb8e74ec72736b9b9d728bad30484ec89c91dde upstream.
The kernel automatically evaluates partition tables of storage devices.
The code for evaluating GUID partitions (in fs/partitions/efi.c) contains
a bug that causes a kernel oops on certain corrupted GUID partition
tables.

This bug has security impacts, because it allows, for example, to
prepare a storage device that crashes a kernel subsystem upon connecting
the device (e.g., a "USB Stick of (Partial) Death").

    crc = efi_crc32((const unsigned char *) (*gpt), le32_to_cpu((*gpt)->header_size));

computes a CRC32 checksum over gpt covering (*gpt)->header_size bytes.
There is no validation of (*gpt)->header_size before the efi_crc32 call.

A corrupted partition table may have large values for (*gpt)->header_size.
In this case, the CRC32 computation accesses memory beyond the memory
allocated for gpt, which may cause a kernel heap overflow.

Validate value of GUID partition table header size.

[akpm@linux-foundation.org: fix layout and indenting]
Signed-off-by: Timo Warns
Cc: Matt Domsch
Cc: Eugene Teo
Cc: Dave Jones
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
[dannf: backported to Debian's 2.6.32]
Signed-off-by: Greg Kroah-Hartman
-
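The check this commit describes, as an added standalone example (not the kernel's fs/partitions/efi.c code): header_size is bounded against the defined header size and the block actually read before it is handed to the CRC, so a crafted value can no longer drive the checksum past the buffer. Field offsets follow the UEFI GPT header layout; the function names and the sample headers are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* GPT header field offsets (UEFI spec); the header lives in LBA 1. */
#define GPT_HDR_SIZE_OFF  12   /* uint32 header_size, attacker-controlled */
#define GPT_HDR_CRC_OFF   16   /* uint32 header_crc32 */
#define GPT_HEADER_MIN    92   /* bytes covered by the defined fields */
#define GPT_BLOCK_MAX   4096   /* largest logical block accepted here */

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr_le32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
/* Bitwise CRC-32 (IEEE, reflected poly 0xEDB88320); same value as efi_crc32(). */
static uint32_t crc32_ieee(const uint8_t *buf, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}
/* The bound the commit adds: header_size must cover the defined fields and
   not exceed the bytes actually read, or the CRC runs off the end of the buffer.
   Returns 1 if sane, 0 if the header must be rejected. */
int gpt_header_size_ok(uint32_t header_size, size_t block_size)
{
    return header_size >= GPT_HEADER_MIN && header_size <= block_size;
}

/* Validate one block holding a GPT header: signature, bounded header_size,
   then CRC over header_size bytes with the CRC field treated as zero. */
int gpt_header_valid(const uint8_t *block, size_t block_size)
{
    uint8_t tmp[GPT_BLOCK_MAX];
    if (block_size < GPT_HEADER_MIN || block_size > sizeof tmp) return 0;
    if (memcmp(block, "EFI PART", 8) != 0) return 0;
    uint32_t hs = rd_le32(block + GPT_HDR_SIZE_OFF);
    if (!gpt_header_size_ok(hs, block_size)) return 0;  /* check BEFORE the CRC */
    memcpy(tmp, block, hs);
    memset(tmp + GPT_HDR_CRC_OFF, 0, 4);
    return crc32_ieee(tmp, hs) == rd_le32(block + GPT_HDR_CRC_OFF);
}

/* Constructed sample (not a real disk image): a header with the requested
   header_size and, when it fits the block, a matching CRC. */
void gpt_make_sample(uint8_t *block, size_t block_size, uint32_t header_size)
{
    memset(block, 0, block_size);
    memcpy(block, "EFI PART", 8);
    wr_le32(block + GPT_HDR_SIZE_OFF, header_size);
    if (header_size <= block_size)
        wr_le32(block + GPT_HDR_CRC_OFF, crc32_ieee(block, header_size));
}
```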
commit aba8d056078e47350d85b06a9cabd5afcc4b72ea upstream.
In addition to /etc/perfconfig and $HOME/.perfconfig, perf looks for
configuration in the file ./config, imitating git which looks at
$GIT_DIR/config. If ./config is not a perf configuration file, it
fails, or worse, treats it as a configuration file and changes behavior
in some unexpected way.

"config" is not an unusual name for a file to be lying around and perf
does not have a private directory dedicated for its own use, so let's
just stop looking for configuration in the cwd. Callers needing
context-sensitive configuration can use the PERF_CONFIG environment
variable.

Requested-by: Christian Ohm
Cc: 632923@bugs.debian.org
Cc: Ben Hutchings
Cc: Christian Ohm
Cc: Ingo Molnar
Cc: Paul Mackerras
Cc: Peter Zijlstra
Link: http://lkml.kernel.org/r/20110805165838.GA7237@elie.gateway.2wire.net
Signed-off-by: Jonathan Nieder
Signed-off-by: Arnaldo Carvalho de Melo
Signed-off-by: Greg Kroah-Hartman
-
commit f982f91516fa4cfd9d20518833cd04ad714585be upstream.
Commit db64fe02258f ("mm: rewrite vmap layer") introduced code that does
address calculations under the assumption that VMAP_BLOCK_SIZE is a
power of two. However, this might not be true if CONFIG_NR_CPUS is not
set to a power of two.

Wrong vmap_block index/offset values could lead to memory corruption.
However, this has never been observed in practice (or never been
diagnosed correctly); what caught this was the BUG_ON in vb_alloc() that
checks for inconsistent vmap_block indices.

To fix this, ensure that VMAP_BLOCK_SIZE always is a power of two.

BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=31572
Reported-by: Pavel Kysilka
Reported-by: Matias A. Fonzo
Signed-off-by: Clemens Ladisch
Signed-off-by: Stefan Richter
Cc: Nick Piggin
Cc: Jeremy Fitzhardinge
Cc: Krzysztof Helt
Cc: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
-
commit 15439bde3af7ff88459ea2b5520b77312e958df2 upstream.
This fixes faulty outbound packets in case the inbound packets
received from the hardware are fragmented and contain bogus input
iso frames. The bug has been there for ages, but for some strange
reasons, it was only triggered by newer machines in 64bit mode.

Signed-off-by: Daniel Mack
Reported-and-tested-by: William Light
Reported-by: Pedro Ribeiro
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
-
commit 66a89b2164e2d30661edbd1953eacf0594d8203a upstream.
rs_resp is dynamically allocated in aem_read_sensor(), so it should be freed
before exiting in every case. This collects the kfree and the return at
the end of the function.

Signed-off-by: Julia Lawall
Signed-off-by: Guenter Roeck
Signed-off-by: Greg Kroah-Hartman
-
commit a08af810cdc29d2ca930e8a869d3d01744c392d8 upstream.
Reported-by: Pascal Hambourg
Signed-off-by: Chas Williams
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
-
commit e468561739fffb972d486b98f66c723936335136 upstream.
A new device ID pair is added for Qualcomm Modem present in Sagemcom's HiLo3G module.
Signed-off-by: Vijay Chavan
Signed-off-by: Greg Kroah-Hartman
-
commit a871e4f5519d8c52430052e1d340dd5710eb5ad6 upstream.
Connecting the V2M to a Linux host results in a constant stream of
errors spammed to the console, all of the form

    sd 1:0:0:0: ioctl_internal_command return code = 8070000
    : Sense Key : 0x4 [current]
    : ASC=0x0 ASCQ=0x0

The errors appear to be otherwise harmless. Add an unusual_devs entry
which eliminates all of the error messages.

Signed-off-by: Nick Bowler
Acked-by: Alan Stern
Signed-off-by: Greg Kroah-Hartman
-
commit 4f1a7a3e78037721496283ea3e87cfefc64d99c7 upstream.
Assign operator instead of equality test in the usbtmc_ioctl_abort_bulk_in() function.
Signed-off-by: Maxim A. Nikulin
Signed-off-by: Greg Kroah-Hartman
-
commit 6768458b17f9bf48a4c3a34e49b20344091b5f7e upstream.
Software should set XHCI_HC_OS_OWNED bit to request ownership of xHC.
This patch should be backported to kernels as far back as 2.6.31.
Signed-off-by: JiSheng Zhang
Signed-off-by: Sarah Sharp
Signed-off-by: Greg Kroah-Hartman
16 Aug, 2011
7 commits
-
commit bed9a31527af8ff3dfbad62a1a42815cef4baab7 upstream.
On a box with 8TB of RAM the MMU hashtable is 64GB in size. That
means we have 4G PTEs. pSeries_lpar_hptab_clear was using a signed
int to store the index which will overflow at 2G.

Signed-off-by: Anton Blanchard
Acked-by: Michael Neuling
Signed-off-by: Benjamin Herrenschmidt
Signed-off-by: Greg Kroah-Hartman
-
commit 966728dd88b4026ec58fee169ccceaeaf56ef120 upstream.
I have a box that fails in OF during boot with:
    DEFAULT CATCH!, exception-handler=fff00400
    at %SRR0: 49424d2c4c6f6768 %SRR1: 800000004000b002

ie "IBM,Logh". OF got corrupted with a device tree string.

Looking at make_room and alloc_up, we claim the first chunk (1 MB)
but we never claim any more. mem_end is always set to alloc_top
which is the top of our available address space, guaranteeing we will
never call alloc_up and claim more memory.

Also alloc_up wasn't setting alloc_bottom to the bottom of the
available address space.

This doesn't help the box to boot, but we at least fail with
an obvious error. We could relocate the device tree in a future
patch.

Signed-off-by: Anton Blanchard
Signed-off-by: Benjamin Herrenschmidt
Signed-off-by: Greg Kroah-Hartman
-
commit f4389489b5cbe60b3441869c68bb4afe760969c4 upstream.
Signed-off-by: Daniel Mack
Reported-by: Renato
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
-
commit 0584ffa548b6e59aceb027112f23a55f0133400e upstream.
A slave-timer instance has no timer reference, and this results in
NULL-dereference at stopping the timer, typically called at closing
the device.

Reference: https://bugzilla.kernel.org/show_bug.cgi?id=40682
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
-
Computers have become a lot faster since we compromised on the
partial MD4 hash which we use currently for performance reasons.

MD5 is a much safer choice, and is in line with both RFC1948 and
other ISS generators (OpenBSD, Solaris, etc.)

Furthermore, only having 24-bits of the sequence number be truly
unpredictable is a very serious limitation. So the periodic
regeneration and 8-bit counter have been removed. We compute and
use a full 32-bit sequence number.

For ipv6, DCCP was found to use a 32-bit truncated initial sequence
number (it needs 43-bits) and that is fixed here as well.

Reported-by: Dan Kaminsky
Tested-by: Willy Tarreau
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
-
We are going to use this for TCP/IP sequence number and fragment ID
generation.

Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
09 Aug, 2011
13 commits
-
commit 2e302ebfeac04beb5a5d6af1ac583c6a1fb76d1a upstream.
in routed mode, we don't have a hardware address so netdev_ops doesn't
need to validate our hardware address via .ndo_validate_addr

Reported-by: Manuel Fuentes
Signed-off-by: Chas Williams - CONTRACTOR
Signed-off-by: David S. Miller
Cc: Pascal Hambourg
Signed-off-by: Greg Kroah-Hartman
-
The below patch is for -stable only, upstream has a much larger patch
that contains the below hunk in commit a8b0ca17b80e92faab46ee7179ba9e99ccb61233

Vince found that under certain circumstances software event overflows
go wrong and deadlock. Avoid trying to delete a timer from the timer
callback.

Reported-by: Vince Weaver
Signed-off-by: Peter Zijlstra
Signed-off-by: Greg Kroah-Hartman
-
commit d15b774c2920d55e3d58275c97fbe3adc3afde38 upstream.
Destroy _minor_idr when unloading the core dm module. (Found by kmemleak.)
Signed-off-by: Alasdair G Kergon
Signed-off-by: Greg Kroah-Hartman
-
commit 286f367dad40beb3234a18c17391d03ba939a7f3 upstream.
Avoid dereferencing a NULL pointer if the number of feature arguments
supplied is fewer than indicated.

Signed-off-by: Mike Snitzer
Signed-off-by: Alasdair G Kergon
Signed-off-by: Greg Kroah-Hartman
-
commit ca9380fd68514c7bc952282c1b4fc70607e9fe43 upstream.
Convert array index from the loop bound to the loop index.
A simplified version of the semantic patch that fixes this problem is as
follows: (http://coccinelle.lip6.fr/)

    //
    @@
    expression e1,e2,ar;
    @@

    for(e1 = 0; e1 < e2; e1++) { }
    //

Signed-off-by: Julia Lawall
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
-
commit 1d1221f375c94ef961ba8574ac4f85c8870ddd51 upstream.
/proc/PID/io may be used for gathering private information. E.g. for
openssh and vsftpd daemons wchars/rchars may be used to learn the
precise password length. Restrict it to processes being able to ptrace
the target process.

ptrace_may_access() is needed to prevent keeping open file descriptor of
"io" file, executing setuid binary and gathering io information of the
setuid'ed process.

Signed-off-by: Vasiliy Kulikov
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
-
commit 21c5977a836e399fc710ff2c5367845ed5c2527f upstream.
Fix several security issues in Alpha-specific syscalls. Untested, but
mostly trivial.

1. Signedness issue in osf_getdomainname allows copying out-of-bounds
kernel memory to userland.

2. Signedness issue in osf_sysinfo allows copying large amounts of
kernel memory to userland.

3. Typo (?) in osf_getsysinfo bounds minimum instead of maximum copy
size, allowing copying large amounts of kernel memory to userland.

4. Usage of user pointer in osf_wait4 while under KERNEL_DS allows
privilege escalation via writing return value of sys_wait4 to kernel
memory.

Signed-off-by: Dan Rosenberg
Cc: Richard Henderson
Cc: Ivan Kokshaysky
Cc: Matt Turner
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
-
commit d5aa407f59f5b83d2c50ec88f5bf56d40f1f8978 upstream.
Same stuff as in ip_gre patch: receive hook can be called before netns
setup is done, oopsing in net_generic().

Signed-off-by: Alexey Dobriyan
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
-
commit e924960dacdf85d118a98c7262edf2f99c3015cf upstream.
Signed-off-by: Alexey Dobriyan
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
-
commit c2892f02712e9516d72841d5c019ed6916329794 upstream.
GRE protocol receive hook can be called right after protocol addition is done.
If netns stuff is not yet initialized, we're going to oops in
net_generic().

This is remotely oopsable if ip_gre is compiled as module and packet
comes at unfortunate moment of module loading.

Signed-off-by: Alexey Dobriyan
Signed-off-by: David S. Miller
[dannf: backported to Debian's 2.6.32]
Signed-off-by: Greg Kroah-Hartman
-
commit 24e6cf92fde1f140d8eb0bf7cd24c2c78149b6b2 upstream.
It's possible for a cifsSesInfo struct to have a NULL password, so we
need to check for that prior to running strncmp on it.

Signed-off-by: Jeff Layton
Signed-off-by: Steve French
Signed-off-by: Greg Kroah-Hartman
-
commit fc87a40677bbe0937e2ff0642c7e83c9a4813f3d upstream.
cifs_find_smb_ses assumes that the vol->password field is a valid
pointer, but that's only the case if a password was passed in via
the options string. It's possible that one won't be if there is
no mount helper on the box.

Reported-by: diabel
Signed-off-by: Jeff Layton
Signed-off-by: Steve French
Signed-off-by: Greg Kroah-Hartman