- 08 Dec, 2010 3 commits
-
-
Borislav Petkov authored
When matching error address to the range contained by one memory node, we're in valid range when node interleaving 1. is disabled, or 2. enabled and when the address bits we interleave on match the interleave selector on this node (see the "Node Interleaving" section in the BKDG for an enlightening example). Thus, when we early-exit, we need to reverse the compound logic statement properly. Cc: <stable@kernel.org> Signed-off-by: Borislav Petkov <borislav.petkov@amd.com>
-
Andrei Konovalov authored
This corrects the misprint introduced when moving '#if PAGE_SHIFT' from i7core_edac.c to edac_core.h (commit e9144601) Cc: Mauro Carvalho Chehab <mchehab@redhat.com> Signed-off-by: Andrei Konovalov <akonovalov@mvista.com> Signed-off-by: Borislav Petkov <borislav.petkov@amd.com>
-
Borislav Petkov authored
00740c58 changed edac_core to un-/register a workqueue item only if a lowlevel driver supplies a polling routine. Normally, when we remove a polling low-level driver, we go and cancel all the queued work. However, the workqueue unreg happens based on the ->op_state setting, and edac_mc_del_mc() sets this to OP_OFFLINE _before_ we cancel the work item, leading to NULL ptr oops on the workqueue list. Fix it by putting the unreg stuff in proper order. Cc: <stable@kernel.org> #36.x Reported-and-tested-by: Tobias Karnat <tobias.karnat@googlemail.com> LKML-Reference: <1291201307.3029.21.camel@Tobias-Karnat> Signed-off-by: Borislav Petkov <borislav.petkov@amd.com>
-
- 07 Dec, 2010 3 commits
-
-
Linus Torvalds authored
-
git://git.kernel.org/pub/scm/linux/kernel/git/jlbec/ocfs2
Linus Torvalds authored
* 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jlbec/ocfs2: ocfs2_connection_find() returns pointer to bad structure ocfs2: char is not always signed Ocfs2: Stop tracking a negative dentry after dentry_iput(). ocfs2: fix memory leak fs/ocfs2/dlm: Use GFP_ATOMIC under spin_lock
-
Olof Johansson authored
Commit 0ea12930 ("arm: return both physical and virtual addresses from addruart") took out the test for MMU on/off but didn't switch the ldr instructions to no longer be conditionals based on said test. Fix that. Signed-off-by: Olof Johansson <olof@lixom.net> Acked-by: Colin Cross <ccross@android.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
- 06 Dec, 2010 10 commits
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/rafael/suspend-2.6
Linus Torvalds authored
* 'pm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/suspend-2.6: PM / Hibernate: Fix memory corruption related to swap PM / Hibernate: Use async I/O when reading compressed hibernation image
-
Rafael J. Wysocki authored
There is a problem that swap pages allocated before the creation of a hibernation image can be released and used for storing the contents of different memory pages while the image is being saved. Since the kernel stored in the image doesn't know of that, it causes memory corruption to occur after resume from hibernation, especially on systems with relatively small RAM that need to swap often. This issue can be addressed by keeping the GFP_IOFS bits clear in gfp_allowed_mask during the entire hibernation, including the saving of the image, until the system is finally turned off or the hibernation is aborted. Unfortunately, for this purpose it's necessary to rework the way in which the hibernate and suspend code manipulates gfp_allowed_mask. This change is based on an earlier patch from Hugh Dickins. Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl> Reported-by: Ondrej Zary <linux@rainbow-software.org> Acked-by: Hugh Dickins <hughd@google.com> Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Cc: stable@kernel.org
-
Linus Torvalds authored
* master.kernel.org:/home/rmk/linux-2.6-arm: ARM: 6524/1: GIC irq desciptor bug fix ARM: 6523/1: iop: ensure sched_clock() is notrace ARM: 6456/1: Fix for building DEBUG with sa11xx_base.c as a module. ARM: 6519/1: kuser: Fix incorrect cmpxchg syscall in kuser helpers ARM: 6505/1: kprobes: Don't HAVE_KPROBES when CONFIG_THUMB2_KERNEL is selected ARM: 6508/1: vexpress: Correct data alignment in headsmp.S for CONFIG_THUMB2_KERNEL ARM: 6507/1: RealView: Correct data alignment in headsmp.S for CONFIG_THUMB2_KERNEL ARM: 6504/1: Thumb-2: Fix long-distance conditional branches in head.S for Thumb-2. ARM: 6503/1: Thumb-2: Restore sensible zImage header layout for CONFIG_THUMB2_KERNEL ARM: 6502/1: Thumb-2: Fix CONFIG_THUMB2_KERNEL breakage in compressed/head.S ARM: 6501/1: Thumb-2: Correct data alignment for CONFIG_THUMB2_KERNEL in mm/proc-v7.S ARM: 6500/1: Thumb-2: Correct data alignment for CONFIG_THUMB2_KERNEL in kernel/head.S ARM: 6499/1: Thumb-2: Correct data alignment for CONFIG_THUMB2_KERNEL in bootp/init.S ARM: 6498/1: vfp: Correct data alignment for CONFIG_THUMB2_KERNEL ARM: 6497/1: kexec: Correct data alignment for CONFIG_THUMB2_KERNEL ARM: 6496/1: GIC: Do not try to register more then NR_IRQS interrupts ARM: cns3xxx: Fix build with CONFIG_PCI=y
-
Bojan Smojver authored
This is a fix for reading LZO compressed image using async I/O. Essentially, instead of having just one page into which we keep reading blocks from swap, we allocate enough of them to cover the largest compressed size and then let block I/O pick them all up. Once we have them all (and here we wait), we decompress them, as usual. Obviously, the very first block we still pick up synchronously, because we need to know the size of the lot before we pick up the rest. Also fixed the copyright line, which I've forgotten before. Signed-off-by: Bojan Smojver <bojan@rexursive.com> Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
-
-
Chao Xie authored
gic_set_cpu will directly use irq_desc[]. If CONFIG_SPARSE_IRQ is enabled, there is no irq_desc[]. So we need to use irq_to_desc(irq) to get the descriptor for irq. Signed-off-by: Chao Xie <chao.xie@marvell.com> Acked-by: Kyungmin Park <kyungmin.park@samsung.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
-
git://git.kernel.org/pub/scm/linux/kernel/git/penberg/slab-2.6
Linus Torvalds authored
* 'slab/urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/penberg/slab-2.6: slub: Fix a crash during slabinfo -v
-
git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild-2.6
Linus Torvalds authored
* 'rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild-2.6: initramfs: Really fix build break on symbol-prefixed archs [media] Fix Kconfig errors due to two visible menus i2c/algos: convert Kconfig to use the menu's `visible' keyword media/video: convert Kconfig to use the menu's `visible' keyword Revert "i2c: Fix Kconfig dependencies" kconfig: regen parser kconfig: add an option to determine a menu's visibility
-
git://git.kernel.org/pub/scm/linux/kernel/git/kyle/parisc-2.6
Linus Torvalds authored
* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/kyle/parisc-2.6: parisc: Fix GSC PS/2 driver name for keyboard and mouse parisc: KittyHawk LCD fix parisc: convert the rest of the irq handlers to simple/percpu parisc: fix dino/gsc interrupts parisc: remove redundant initialization in sigsegv path of sys_rt_sigreturn
-
Eric W. Biederman authored
Because it caused a chroot ttyname regression in 2.6.36. As of 2.6.36 ttyname does not work in a chroot. It has already been reported that screen breaks, and for me this breaks an automated distribution testsuite, that I need to preserve the ability to run the existing binaries on for several more years. glibc 2.11.3 which has a fix for this is not an option. The root cause of this breakage is: commit 8df9d1a4 Author: Miklos Szeredi <mszeredi@suse.cz> Date: Tue Aug 10 11:41:41 2010 +0200 vfs: show unreachable paths in getcwd and proc Prepend "(unreachable)" to path strings if the path is not reachable from the current root. Two places updated are - the return string from getcwd() - and symlinks under /proc/$PID. Other uses of d_path() are left unchanged (we know that some old software crashes if /proc/mounts is changed). Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> So remove the nice sounding, but ultimately ill advised change to how /proc/fd symlinks work. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
- 04 Dec, 2010 8 commits
-
-
Guy Martin authored
Fix kernel warnings caused by the driver name of GSC PS/2 containing '/'. The following warnings are observed on a K410 system : Signed-off-by: Guy Martin <gmsoft@tuxicoman.be> Acked-by: Helge Deller <deller@gmx.de> Signed-off-by: Kyle McMartin <kyle@mcmartin.ca>
-
Guy Martin authored
K class aka KittyHawk doesn't have LED support on its LCD. Installing HP-UX confirmed this. The current led_wq fills the LCD with black characters each time it runs. The patch prevents the led_wq workqueue and its proc entry from being created for KittyHawk machines. It also increases min_cmd_delay as currently, one character out of two is lost when a string is sent to the LCD. Signed-off-by: Guy Martin <gmsoft@tuxicoman.be> Signed-off-by: Kyle McMartin <kyle@mcmartin.c>
-
James Bottomley authored
The generic conversion eliminates the spurious no_ack and no_end routines, converts all the cascaded handlers to handle_simple_irq() and makes iosapic use a modified handle_percpu_irq() to become the same as the CPU irq's. This isn't an essential change, but it eliminates the mask/unmask overhead of handle_level_irq(). Signed-off-by: James Bottomley <James.Bottomley@suse.de> Tested-by: Helge Deller <deller@gmx.de> Signed-off-by: Kyle McMartin <kyle@mcmartin.ca>
-
James Bottomley authored
The essential problem we're currently having is that dino (and gsc) is a cascaded CPU interrupt. Under the old __do_IRQ() handler, our CPU interrupts basically did an ack followed by an end. In the new scheme, we replaced them with level handlers which do a mask, an ack and then an unmask (but no end). Instead, with the renaming of end to eoi, we actually want to call the percpu flow handlers, because they actually have all the characteristics we want. This patch does the conversion and gets my C360 booting again. Signed-off-by: James Bottomley <James.Bottomley@suse.de> Signed-off-by: Kyle McMartin <kyle@mcmartin.ca>
-
Rabin Vincent authored
Include sched.h to ensure sched_clock() has the notrace annotation, and mark any functions it calls as notrace too. Acked-by: Dan Williams <dan.j.williams@intel.com> Signed-off-by: Rabin Vincent <rabin@rab.in> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
-
Marcelo Roberto Jimenez authored
ARM: pcmcia: Fix for building DEBUG with sa11xx_base.c as a module. This patch fixes a compilation issue when compiling PCMCIA SA1100 support as a module with PCMCIA_DEBUG enabled. The symbol soc_pcmcia_debug was not being exported. Cc: <stable@kernel.org> Signed-off-by: Marcelo Roberto Jimenez <mroberto@cpti.cetuc.puc-rio.br> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
-
Dave Martin authored
The existing code invokes the syscall with rubbish in r7, due to what looks like an incorrect literal load idiom. Reviewed-by: Will Deacon <will.deacon@arm.com> Signed-off-by: Dave Martin <dave.martin@linaro.org> Acked-by: Catalin Marinas <catalin.marinas@arm.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
-
Tero Roponen authored
Commit f7cb1933 ("SLUB: Pass active and inactive redzone flags instead of boolean to debug functions") missed two instances of check_object(). This caused a lot of warnings during 'slabinfo -v' finally leading to a crash: BUG ext4_xattr: Freepointer corrupt ... BUG buffer_head: Freepointer corrupt ... BUG ext4_alloc_context: Freepointer corrupt ... ... BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 IP: [<ffffffff810a291f>] file_sb_list_del+0x1c/0x35 PGD 79d78067 PUD 79e67067 PMD 0 Oops: 0002 [#1] SMP last sysfs file: /sys/kernel/slab/:t-0000192/validate This patch fixes the problem by converting the two missed instances. Acked-by: Christoph Lameter <cl@linux.com> Signed-off-by: Tero Roponen <tero.roponen@gmail.com> Signed-off-by: Pekka Enberg <penberg@kernel.org>
-
- 03 Dec, 2010 13 commits
-
-
git://xenbits.xen.org/people/sstabellini/linux-pvhvm
Linus Torvalds authored
* '2.6.37-rc4-pvhvm-fixes' of git://xenbits.xen.org/people/sstabellini/linux-pvhvm: xen: unplug the emulated devices at resume time xen: fix save/restore for PV on HVM guests with pirq remapping xen: resume the pv console for hvm guests too xen: fix MSI setup and teardown for PV on HVM guests xen: use PHYSDEVOP_get_free_pirq to implement find_unbound_pirq
-
Linus Torvalds authored
Merge branches 'upstream/core' and 'upstream/bugfix' of git://git.kernel.org/pub/scm/linux/kernel/git/jeremy/xen * 'upstream/core' of git://git.kernel.org/pub/scm/linux/kernel/git/jeremy/xen: xen: allocate irq descs on any NUMA node xen: prevent crashes with non-HIGHMEM 32-bit kernels with largeish memory xen: use default_idle xen: clean up "extra" memory handling some more * 'upstream/bugfix' of git://git.kernel.org/pub/scm/linux/kernel/git/jeremy/xen: xen: x86/32: perform initial startup on initial_page_table xen: don't bother to stop other cpus on shutdown/reboot
-
git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6
Linus Torvalds authored
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6: ASoC: omap: N810: Don't select CONFIG_OMAP_MUX but make it as dependency ALSA: hda: Use "alienware" model quirk for another SSID ASoC: WM8731: Fix incorrect mask for bypass path disable s6105-ipcam: fix compilation s6000-pcm: fix compilation s6000-i2s: fix compilation ASoC: Fix missing spin_unlock_irqrestore ALSA: Fix SNDCTL_DSP_RESET ioctl for OSS emulation ASoC: Add missing dev_set_drvdata in p1022_ds_probe ASoC: Add missing dev_set_drvdata in mpc8610_hpcd_probe ASoC: Remove unneeded !! operations while checking return value of nuc900_checkready ASoC: Fix compile error for nuc900-pcm.c ASoC: Fix prototype for nuc900_ac97_probe and nuc900_ac97_remove ASoC: Fix compile error for nuc900-ac97.c ALSA: hda: Use BIOS auto-parsing instead of existing model quirk for MEDION MD2
-
git://git.infradead.org/ubi-2.6
Linus Torvalds authored
* 'linux-next' of git://git.infradead.org/ubi-2.6: UBI: fix corrupted PEB detection for NOR flash
-
git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6
Linus Torvalds authored
* 'sh-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6: sh: se/7724: Remove FSI/B of GPIO init code sh: se/7724: Update clock framework of FSI clock to non-legacy sh: Assume new page cache pages have dirty dcache lines. sh: boards: mach-se: use IS_ERR() instead of NULL check sh: Add div6_reparent_clks to clock framework for FSI dma: shdma: add a MODULE_ALIAS() to allow module autoloading
-
Linus Torvalds authored
Merge branch 'fbdev-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/fbdev-2.6 * 'fbdev-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/fbdev-2.6: lxfb: Maintain video processor palette through suspend/resume video: da8xx: Register IRQ as last thing in driver probing. framebuffer: fix fbcmap.c kernel-doc warning
-
David Howells authored
Implement asm/syscall.h for the MN10300 arch. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
Artem Bityutskiy authored
My new shiny code for corrupted PEB detection has a NOR-specific bug. We treat a PEB as corrupted and preserve it, if 1. EC header is OK. 2. VID header is corrupted. 3. data area is not "all 0xFFs" In case of NOR we have 'nor_erase_prepare()' quirk, which invalidates the headers before erasing the PEB. And we invalidate first the VID header, and then the EC header. So if a power cut happens after we have invalidated the VID header, but before we have invalidated the EC header, we end up with a PEB which satisfies the above 3 conditions, and the scanning code will treat it as corrupted, and will print scary warnings, wrongly. This patch fixes the issue by first invalidating the EC header, then invalidating the VID header. In case of power cut in between, we still just lose the EC header, and UBI can deal with this situation gracefully. Thanks to Anatolij Gustschin <agust@denx.de> for tracking this down. Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com> Reported-by: Anatolij Gustschin <agust@denx.de> Tested-by: Anatolij Gustschin <agust@denx.de>
-
Paul Mundt authored
-
Nobuhiro Iwamatsu authored
se7724 board does not have FSI/B. Signed-off-by: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com> Signed-off-by: Paul Mundt <lethal@linux-sh.org>
-
Nobuhiro Iwamatsu authored
Signed-off-by: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com> Signed-off-by: Paul Mundt <lethal@linux-sh.org>
-
git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid
Linus Torvalds authored
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid: HID: length resolution should be reported units/mm HID: add support for F430 Force Feedback Wheel HID: egalax: Use kzalloc HID: Remove KERN_DEBUG from dbg_hid use Manually fixed trivial conflict in drivers/hid/hid-input.c (due to removal of KERN_DEBUG from dbg_hid use clashing with new keycode interface switch)
-
Jeremy Fitzhardinge authored
Allocate irq descs on any NUMA node (we don't care) rather than specifically node 0, which may not exist. (At the moment NUMA is meaningless within a domain, so any info the kernel has is just from an SRAT table we haven't suppressed/disabled.) Signed-off-by: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
-
- 02 Dec, 2010 3 commits
-
-
Jeremy Fitzhardinge authored
If this is a non-HIGHMEM 32-bit kernel, then the page structures only go up to the limit of addressable memory, even if more memory is physically present. Don't try to add that extra memory to the balloon. Signed-off-by: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
-
Nelson Elhage authored
If a user manages to trigger an oops with fs set to KERNEL_DS, fs is not otherwise reset before do_exit(). do_exit may later (via mm_release in fork.c) do a put_user to a user-controlled address, potentially allowing a user to leverage an oops into a controlled write into kernel memory. This is only triggerable in the presence of another bug, but this potentially turns a lot of DoS bugs into privilege escalations, so it's worth fixing. I have proof-of-concept code which uses this bug along with CVE-2010-3849 to write a zero to an arbitrary kernel address, so I've tested that this is not theoretical. A more logical place to put this fix might be when we know an oops has occurred, before we call do_exit(), but that would involve changing every architecture, in multiple places. Let's just stick it in do_exit instead. [akpm@linux-foundation.org: update code comment] Signed-off-by: Nelson Elhage <nelhage@ksplice.com> Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
KOSAKI Motohiro authored
commit 62b61f61 ("ksm: memory hotremove migration only") caused the following new lockdep warning. ======================================================= [ INFO: possible circular locking dependency detected ] ------------------------------------------------------- bash/1621 is trying to acquire lock: ((memory_chain).rwsem){.+.+.+}, at: [<ffffffff81079339>] __blocking_notifier_call_chain+0x69/0xc0 but task is already holding lock: (ksm_thread_mutex){+.+.+.}, at: [<ffffffff8113a3aa>] ksm_memory_callback+0x3a/0xc0 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (ksm_thread_mutex){+.+.+.}: [<ffffffff8108b70a>] lock_acquire+0xaa/0x140 [<ffffffff81505d74>] __mutex_lock_common+0x44/0x3f0 [<ffffffff81506228>] mutex_lock_nested+0x48/0x60 [<ffffffff8113a3aa>] ksm_memory_callback+0x3a/0xc0 [<ffffffff8150c21c>] notifier_call_chain+0x8c/0xe0 [<ffffffff8107934e>] __blocking_notifier_call_chain+0x7e/0xc0 [<ffffffff810793a6>] blocking_notifier_call_chain+0x16/0x20 [<ffffffff813afbfb>] memory_notify+0x1b/0x20 [<ffffffff81141b7c>] remove_memory+0x1cc/0x5f0 [<ffffffff813af53d>] memory_block_change_state+0xfd/0x1a0 [<ffffffff813afd62>] store_mem_state+0xe2/0xf0 [<ffffffff813a0bb0>] sysdev_store+0x20/0x30 [<ffffffff811bc116>] sysfs_write_file+0xe6/0x170 [<ffffffff8114f398>] vfs_write+0xc8/0x190 [<ffffffff8114fc14>] sys_write+0x54/0x90 [<ffffffff810028b2>] system_call_fastpath+0x16/0x1b -> #0 ((memory_chain).rwsem){.+.+.+}: [<ffffffff8108b5ba>] __lock_acquire+0x155a/0x1600 [<ffffffff8108b70a>] lock_acquire+0xaa/0x140 [<ffffffff81506601>] down_read+0x51/0xa0 [<ffffffff81079339>] __blocking_notifier_call_chain+0x69/0xc0 [<ffffffff810793a6>] blocking_notifier_call_chain+0x16/0x20 [<ffffffff813afbfb>] memory_notify+0x1b/0x20 [<ffffffff81141f1e>] remove_memory+0x56e/0x5f0 [<ffffffff813af53d>] memory_block_change_state+0xfd/0x1a0 [<ffffffff813afd62>] store_mem_state+0xe2/0xf0 [<ffffffff813a0bb0>] sysdev_store+0x20/0x30 
[<ffffffff811bc116>] sysfs_write_file+0xe6/0x170 [<ffffffff8114f398>] vfs_write+0xc8/0x190 [<ffffffff8114fc14>] sys_write+0x54/0x90 [<ffffffff810028b2>] system_call_fastpath+0x16/0x1b But it's a false positive. Both memory_chain.rwsem and ksm_thread_mutex have an outer lock (mem_hotplug_mutex). So they cannot deadlock. Thus, this patch annotates that ksm_thread_mutex is not a deadlock source. [akpm@linux-foundation.org: update comment, from Hugh] Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com> Acked-by: Hugh Dickins <hughd@google.com> Cc: Andrea Arcangeli <aarcange@redhat.com> Cc: Andi Kleen <andi@firstfloor.org> Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-