1. 13 Jul, 2013 11 commits
    • Zhang Yi's avatar
      futex: Take hugepages into account when generating futex_key · ab1842f1
      Zhang Yi authored
      commit 13d60f4b upstream.
      
      The futex_keys of process shared futexes are generated from the page
      offset, the mapping host and the mapping index of the futex user space
      address. This should result in an unique identifier for each futex.
      
      Though this is not true when futexes are located in different subpages
      of an hugepage. The reason is, that the mapping index for all those
      futexes evaluates to the index of the base page of the hugetlbfs
      mapping. So a futex at offset 0 of the hugepage mapping and another
      one at offset PAGE_SIZE of the same hugepage mapping have identical
      futex_keys. This happens because the futex code blindly uses
      page->index.
      
      Steps to reproduce the bug:
      
      1. Map a file from hugetlbfs. Initialize pthread_mutex1 at offset 0
         and pthread_mutex2 at offset PAGE_SIZE of the hugetlbfs
         mapping.
      
         The mutexes must be initialized as PTHREAD_PROCESS_SHARED because
         PTHREAD_PROCESS_PRIVATE mutexes are not affected by this issue as
         their keys solely depend on the user space address.
      
      2. Lock mutex1 and mutex2
      
      3. Create thread1 and in the thread function lock mutex1, which
         results in thread1 blocking on the locked mutex1.
      
      4. Create thread2 and in the thread function lock mutex2, which
         results in thread2 blocking on the locked mutex2.
      
      5. Unlock mutex2. Despite the fact that mutex2 got unlocked, thread2
         still blocks on mutex2 because the futex_key points to mutex1.
      
      To solve this issue we need to take the normal page index of the page
      which contains the futex into account, if the futex is in an hugetlbfs
      mapping. In other words, we calculate the normal page mapping index of
      the subpage in the hugetlbfs mapping.
      
      Mappings which are not based on hugetlbfs are not affected and still
      use page->index.
      
      Thanks to Mel Gorman who provided a patch for adding proper evaluation
      functions to the hugetlbfs code to avoid exposing hugetlbfs specific
      details to the futex code.
      
      [ tglx: Massaged changelog ]
      Signed-off-by: default avatarZhang Yi <zhang.yi20@zte.com.cn>
      Reviewed-by: default avatarJiang Biao <jiang.biao2@zte.com.cn>
      Tested-by: default avatarMa Chenggong <ma.chenggong@zte.com.cn>
      Reviewed-by: default avatar'Mel Gorman' <mgorman@suse.de>
      Acked-by: default avatar'Darren Hart' <dvhart@linux.intel.com>
      Cc: 'Peter Zijlstra' <peterz@infradead.org>
      Link: http://lkml.kernel.org/r/000101ce71a6%24a83c5880%24f8b50980%24@comSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ab1842f1
    • Greg Kroah-Hartman's avatar
      MAINTAINERS: add stable_kernel_rules.txt to stable maintainer information · 44016289
      Greg Kroah-Hartman authored
      commit 7b175c46 upstream.
      
      This hopefully will help point developers to the proper way that patches
      should be submitted for inclusion in the stable kernel releases.
      Reported-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      44016289
    • Kees Cook's avatar
      crypto: sanitize argument for format string · c231b9d0
      Kees Cook authored
      commit 1c8fca1d upstream.
      
      The template lookup interface does not provide a way to use format
      strings, so make sure that the interface cannot be abused accidentally.
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Cc: "David S. Miller" <davem@davemloft.net>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c231b9d0
    • Kees Cook's avatar
      block: do not pass disk names as format strings · 88ce7cf7
      Kees Cook authored
      commit ffc8b308 upstream.
      
      Disk names may contain arbitrary strings, so they must not be
      interpreted as format strings.  It seems that only md allows arbitrary
      strings to be used for disk names, but this could allow for a local
      memory corruption from uid 0 into ring 0.
      
      CVE-2013-2851
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Cc: Jens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      88ce7cf7
    • Mikulas Patocka's avatar
      hpfs: better test for errors · 70621db0
      Mikulas Patocka authored
      commit 3ebacb05 upstream.
      
      The test if bitmap access is out of bound could errorneously pass if the
      device size is divisible by 16384 sectors and we are asking for one bitmap
      after the end.
      
      Check for invalid size in the superblock. Invalid size could cause integer
      overflows in the rest of the code.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@artax.karlin.mff.cuni.cz>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      70621db0
    • Kees Cook's avatar
      charger-manager: Ensure event is not used as format string · e64c7e14
      Kees Cook authored
      commit 3594f4c0 upstream.
      
      The exposed interface for cm_notify_event() could result in the event msg
      string being parsed as a format string. Make sure it is only used as a
      literal string.
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Cc: Anton Vorontsov <cbou@mail.ru>
      Cc: David Woodhouse <dwmw2@infradead.org>
      Signed-off-by: default avatarAnton Vorontsov <anton@enomsg.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e64c7e14
    • Rusty Russell's avatar
      module: do percpu allocation after uniqueness check. No, really! · 0b72ac96
      Rusty Russell authored
      commit 8d8022e8 upstream.
      
      v3.8-rc1-5-g1fb9341a was supposed to stop parallel kvm loads exhausting
      percpu memory on large machines:
      
          Now we have a new state MODULE_STATE_UNFORMED, we can insert the
          module into the list (and thus guarantee its uniqueness) before we
          allocate the per-cpu region.
      
      In my defence, it didn't actually say the patch did this.  Just that
      we "can".
      
      This patch actually *does* it.
      Signed-off-by: default avatarRusty Russell <rusty@rustcorp.com.au>
      Tested-by: default avatarJim Hull <jim.hull@hp.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0b72ac96
    • Jonathan Salwan's avatar
      drivers/cdrom/cdrom.c: use kzalloc() for failing hardware · 2842e873
      Jonathan Salwan authored
      commit 542db015 upstream.
      
      In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory
      area with kmalloc in line 2885.
      
        2885         cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
        2886         if (cgc->buffer == NULL)
        2887                 return -ENOMEM;
      
      In line 2908 we can find the copy_to_user function:
      
        2908         if (!ret && copy_to_user(arg, cgc->buffer, blocksize))
      
      The cgc->buffer is never cleaned and initialized before this function.
      If ret = 0 with the previous basic block, it's possible to display some
      memory bytes in kernel space from userspace.
      
      When we read a block from the disk it normally fills the ->buffer but if
      the drive is malfunctioning there is a chance that it would only be
      partially filled.  The result is an leak information to userspace.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Cc: Jens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Cc: Jonathan Salwan <jonathan.salwan@gmail.com>
      Cc: Luis Henriques <luis.henriques@canonical.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2842e873
    • Josh Durgin's avatar
      libceph: fix invalid unsigned->signed conversion for timespec encoding · 1b7927f0
      Josh Durgin authored
      commit 8b8cf891 upstream.
      
      __kernel_time_t is a long, which cannot hold a U32_MAX on 32-bit
      architectures.  Just drop this check as it has limited value.
      
      This fixes a crash like:
      
      [  957.905812] kernel BUG at /srv/autobuild-ceph/gitbuilder.git/build/include/linux/ceph/decode.h:164!
      [  957.914849] Internal error: Oops - BUG: 0 [#1] SMP ARM
      [  957.919978] Modules linked in: rbd libceph libcrc32c ipmi_devintf ipmi_si ipmi_msghandler nfsd nfs_acl auth_rpcgss nfs fscache lockd sunrpc
      [  957.932547] CPU: 1    Tainted: G        W     (3.9.0-ceph-19bb6a83-highbank #1)
      [  957.939881] PC is at ceph_osdc_build_request+0x8c/0x4f8 [libceph]
      [  957.945967] LR is at 0xec520904
      [  957.949103] pc : [<bf13e76c>]    lr : [<ec520904>]    psr: 20000153
      [  957.949103] sp : ec753df8  ip : 00000001  fp : ec53e100
      [  957.960571] r10: ebef25c0  r9 : ec5fa400  r8 : ecbcc000
      [  957.965788] r7 : 00000000  r6 : 00000000  r5 : ffffffff  r4 : 00000020
      [  957.972307] r3 : 51cc8143  r2 : ec520900  r1 : ec753e58  r0 : ec520908
      [  957.978827] Flags: nzCv  IRQs on  FIQs off  Mode SVC_32  ISA ARM  Segment user
      [  957.986039] Control: 10c5387d  Table: 2c59c04a  DAC: 00000015
      [  957.991777] Process rbd (pid: 2138, stack limit = 0xec752238)
      [  957.997514] Stack: (0xec753df8 to 0xec754000)
      [  958.001864] 3de0:                                                       00000001 00000001
      [  958.010032] 3e00: 00000001 bf139744 ecbcc000 ec55a0a0 00000024 00000000 ebef25c0 fffffffe
      [  958.018204] 3e20: ffffffff 00000000 00000000 00000001 ec5fa400 ebef25c0 ec53e100 bf166b68
      [  958.026377] 3e40: 00000000 0000220f fffffffe ffffffff ec753e58 bf13ff24 51cc8143 05b25ed2
      [  958.034548] 3e60: 00000001 00000000 00000000 bf1688d4 00000001 00000000 00000000 00000000
      [  958.042720] 3e80: 00000001 00000060 ec5fa400 ed53d200 ed439600 ed439300 00000001 00000060
      [  958.050888] 3ea0: ec5fa400 ed53d200 00000000 bf16a320 00000000 ec53e100 00000040 ec753eb8
      [  958.059059] 3ec0: ec51df00 ed53d7c0 ed53d200 ed53d7c0 00000000 ed53d7c0 ec5fa400 bf16ed70
      [  958.067230] 3ee0: 00000000 00000060 00000002 ed53d200 00000000 bf16acf4 ed53d7c0 ec752000
      [  958.075402] 3f00: ed980e50 e954f5d8 00000000 00000060 ed53d240 ed53d258 ec753f80 c04f44a8
      [  958.083574] 3f20: edb7910c ec664700 01ade920 c02e4c44 00000060 c016b3dc ec51de40 01adfb84
      [  958.091745] 3f40: 00000060 ec752000 ec753f80 ec752000 00000060 c0108444 00000007 ec51de48
      [  958.099914] 3f60: ed0eb8c0 00000000 00000000 ec51de40 01adfb84 00000001 00000060 c0108858
      [  958.108085] 3f80: 00000000 00000000 51cc8143 00000060 01adfb84 00000007 00000004 c000dd68
      [  958.116257] 3fa0: 00000000 c000dbc0 00000060 01adfb84 00000007 01adfb84 00000060 01adfb80
      [  958.124429] 3fc0: 00000060 01adfb84 00000007 00000004 beded1a8 00000000 01adf2f0 01ade920
      [  958.132599] 3fe0: 00000000 beded180 b6811324 b6811334 800f0010 00000007 2e7f5821 2e7f5c21
      [  958.140815] [<bf13e76c>] (ceph_osdc_build_request+0x8c/0x4f8 [libceph]) from [<bf166b68>] (rbd_osd_req_format_write+0x50/0x7c [rbd])
      [  958.152739] [<bf166b68>] (rbd_osd_req_format_write+0x50/0x7c [rbd]) from [<bf1688d4>] (rbd_dev_header_watch_sync+0xe0/0x204 [rbd])
      [  958.164486] [<bf1688d4>] (rbd_dev_header_watch_sync+0xe0/0x204 [rbd]) from [<bf16a320>] (rbd_dev_image_probe+0x23c/0x850 [rbd])
      [  958.175967] [<bf16a320>] (rbd_dev_image_probe+0x23c/0x850 [rbd]) from [<bf16acf4>] (rbd_add+0x3c0/0x918 [rbd])
      [  958.185975] [<bf16acf4>] (rbd_add+0x3c0/0x918 [rbd]) from [<c02e4c44>] (bus_attr_store+0x20/0x2c)
      [  958.194850] [<c02e4c44>] (bus_attr_store+0x20/0x2c) from [<c016b3dc>] (sysfs_write_file+0x168/0x198)
      [  958.203984] [<c016b3dc>] (sysfs_write_file+0x168/0x198) from [<c0108444>] (vfs_write+0x9c/0x170)
      [  958.212768] [<c0108444>] (vfs_write+0x9c/0x170) from [<c0108858>] (sys_write+0x3c/0x70)
      [  958.220768] [<c0108858>] (sys_write+0x3c/0x70) from [<c000dbc0>] (ret_fast_syscall+0x0/0x30)
      [  958.229199] Code: e59d1058 e5913000 e3530000 ba000114 (e7f001f2)
      Signed-off-by: default avatarJosh Durgin <josh.durgin@inktank.com>
      Reviewed-by: default avatarSage Weil <sage@inktank.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1b7927f0
    • majianpeng's avatar
      ceph: fix sleeping function called from invalid context. · bd4d4d87
      majianpeng authored
      commit a1dc1937 upstream.
      
      [ 1121.231883] BUG: sleeping function called from invalid context at kernel/rwsem.c:20
      [ 1121.231935] in_atomic(): 1, irqs_disabled(): 0, pid: 9831, name: mv
      [ 1121.231971] 1 lock held by mv/9831:
      [ 1121.231973]  #0:  (&(&ci->i_ceph_lock)->rlock){+.+...},at:[<ffffffffa02bbd38>] ceph_getxattr+0x58/0x1d0 [ceph]
      [ 1121.231998] CPU: 3 PID: 9831 Comm: mv Not tainted 3.10.0-rc6+ #215
      [ 1121.232000] Hardware name: To Be Filled By O.E.M. To Be Filled By
      O.E.M./To be filled by O.E.M., BIOS 080015  11/09/2011
      [ 1121.232027]  ffff88006d355a80 ffff880092f69ce0 ffffffff8168348c ffff880092f69cf8
      [ 1121.232045]  ffffffff81070435 ffff88006d355a20 ffff880092f69d20 ffffffff816899ba
      [ 1121.232052]  0000000300000004 ffff8800b76911d0 ffff88006d355a20 ffff880092f69d68
      [ 1121.232056] Call Trace:
      [ 1121.232062]  [<ffffffff8168348c>] dump_stack+0x19/0x1b
      [ 1121.232067]  [<ffffffff81070435>] __might_sleep+0xe5/0x110
      [ 1121.232071]  [<ffffffff816899ba>] down_read+0x2a/0x98
      [ 1121.232080]  [<ffffffffa02baf70>] ceph_vxattrcb_layout+0x60/0xf0 [ceph]
      [ 1121.232088]  [<ffffffffa02bbd7f>] ceph_getxattr+0x9f/0x1d0 [ceph]
      [ 1121.232093]  [<ffffffff81188d28>] vfs_getxattr+0xa8/0xd0
      [ 1121.232097]  [<ffffffff8118900b>] getxattr+0xab/0x1c0
      [ 1121.232100]  [<ffffffff811704f2>] ? final_putname+0x22/0x50
      [ 1121.232104]  [<ffffffff81155f80>] ? kmem_cache_free+0xb0/0x260
      [ 1121.232107]  [<ffffffff811704f2>] ? final_putname+0x22/0x50
      [ 1121.232110]  [<ffffffff8109e63d>] ? trace_hardirqs_on+0xd/0x10
      [ 1121.232114]  [<ffffffff816957a7>] ? sysret_check+0x1b/0x56
      [ 1121.232120]  [<ffffffff81189c9c>] SyS_fgetxattr+0x6c/0xc0
      [ 1121.232125]  [<ffffffff81695782>] system_call_fastpath+0x16/0x1b
      [ 1121.232129] BUG: scheduling while atomic: mv/9831/0x10000002
      [ 1121.232154] 1 lock held by mv/9831:
      [ 1121.232156]  #0:  (&(&ci->i_ceph_lock)->rlock){+.+...}, at:
      [<ffffffffa02bbd38>] ceph_getxattr+0x58/0x1d0 [ceph]
      
      I think move the ci->i_ceph_lock down is safe because we can't free
      ceph_inode_info at there.
      Signed-off-by: default avatarJianpeng Ma <majianpeng@gmail.com>
      Reviewed-by: default avatarSage Weil <sage@inktank.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bd4d4d87
    • Tyler Hicks's avatar
      libceph: Fix NULL pointer dereference in auth client code · b96e7dac
      Tyler Hicks authored
      commit 2cb33cac upstream.
      
      A malicious monitor can craft an auth reply message that could cause a
      NULL function pointer dereference in the client's kernel.
      
      To prevent this, the auth_none protocol handler needs an empty
      ceph_auth_client_ops->build_request() function.
      
      CVE-2013-1059
      Signed-off-by: default avatarTyler Hicks <tyhicks@canonical.com>
      Reported-by: default avatarChanam Park <chanam.park@hkpco.kr>
      Reviewed-by: default avatarSeth Arnold <seth.arnold@canonical.com>
      Reviewed-by: default avatarSage Weil <sage@inktank.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b96e7dac
  2. 30 Jun, 2013 6 commits
    • Linus Torvalds's avatar
      Linux 3.10 · 8bb495e3
      Linus Torvalds authored
      8bb495e3
    • Linus Torvalds's avatar
      Merge branch 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc · f0277dce
      Linus Torvalds authored
      Pull another powerpc fix from Benjamin Herrenschmidt:
       "I mentioned that while we had fixed the kernel crashes, EEH error
        recovery didn't always recover...  It appears that I had a fix for
        that already in powerpc-next (with a stable CC).
      
        I cherry-picked it today and did a few tests and it seems that things
        now work quite well.  The patch is also pretty simple, so I see no
        reason to wait before merging it."
      
      * 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc:
        powerpc/eeh: Fix fetching bus for single-dev-PE
      f0277dce
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 4b483802
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "This is a set of seven bug fixes.  Several fcoe fixes for locking
        problems, initiator issues and a VLAN API change, all of which could
        eventually lead to data corruption, one fix for a qla2xxx locking
        problem which could lead to multiple completions of the same request
        (and subsequent data corruption) and a use after free in the ipr
        driver.  Plus one minor MAINTAINERS file update"
      
      (only six bugfixes in this pull, since I had already pulled the fcoe API
      fix directly from Robert Love)
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        [SCSI] ipr: Avoid target_destroy accessing memory after it was freed
        [SCSI] qla2xxx: Fix for locking issue between driver ISR and mailbox routines
        MAINTAINERS: Fix fcoe mailing list
        libfc: extend ex_lock to protect all of fc_seq_send
        libfc: Correct check for initiator role
        libfcoe: Fix Conflicting FCFs issue in the fabric
      4b483802
    • Gavin Shan's avatar
      powerpc/eeh: Fix fetching bus for single-dev-PE · ea461abf
      Gavin Shan authored
      While running Linux as guest on top of phyp, we possiblly have
      PE that includes single PCI device. However, we didn't return
      its PCI bus correctly and it leads to failure on recovery from
      EEH errors for single-dev-PE. The patch fixes the issue.
      
      Cc: <stable@vger.kernel.org> # v3.7+
      Cc: Steve Best <sbest@us.ibm.com>
      Signed-off-by: default avatarGavin Shan <shangw@linux.vnet.ibm.com>
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      ea461abf
    • Linus Torvalds's avatar
      Merge branch 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc · 6c355bea
      Linus Torvalds authored
      Pull powerpc fixes from Ben Herrenschmidt:
       "We discovered some breakage in our "EEH" (PCI Error Handling) code
        while doing error injection, due to a couple of regressions.  One of
        them is due to a patch (37f02195 "powerpc/pci: fix PCI-e devices
        rescan issue on powerpc platform") that, in hindsight, I shouldn't
        have merged considering that it caused more problems than it solved.
      
        Please pull those two fixes.  One for a simple EEH address cache
        initialization issue.  The other one is a patch from Guenter that I
        had originally planned to put in 3.11 but which happens to also fix
        that other regression (a kernel oops during EEH error handling and
        possibly hotplug).
      
        With those two, the couple of test machines I've hammered with error
        injection are remaining up now.  EEH appears to still fail to recover
        on some devices, so there is another problem that Gavin is looking
        into but at least it's no longer crashing the kernel."
      
      * 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc:
        powerpc/pci: Improve device hotplug initialization
        powerpc/eeh: Add eeh_dev to the cache during boot
      6c355bea
    • Olof Johansson's avatar
      ARM: dt: Only print warning, not WARN() on bad cpu map in device tree · 8d5bc1a6
      Olof Johansson authored
      Due to recent changes and expecations of proper cpu bindings, there are
      now cases for many of the in-tree devicetrees where a WARN() will hit
      on boot due to badly formatted /cpus nodes.
      
      Downgrade this to a pr_warn() to be less alarmist, since it's not a
      new problem.
      
      Tested on Arndale, Cubox, Seaboard and Panda ES. Panda hits the WARN
      without this, the others do not.
      Acked-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarOlof Johansson <olof@lixom.net>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      8d5bc1a6
  3. 29 Jun, 2013 11 commits
  4. 28 Jun, 2013 4 commits
    • Akira Takeuchi's avatar
      mn10300: Use early_param() to parse "mem=" parameter · e3f12a53
      Akira Takeuchi authored
      This fixes the problem that "init=" options may not be passed to kernel
      correctly.
      
      parse_mem_cmdline() of mn10300 arch gets rid of "mem=" string from
      redboot_command_line. Then init_setup() parses the "init=" options from
      static_command_line, which is a copy of redboot_command_line, and keeps
      the pointer to the init options in execute_command variable.
      
      Since the commit 026cee00 upstream (params: <level>_initcall-like kernel
      parameters), static_command_line becomes overwritten by saved_command_line at
      do_initcall_level(). Notice that saved_command_line is a command line
      which includes "mem=" string.
      
      As a result, execute_command may point to weird string by the length of
      "mem=" parameter.
      I noticed this problem when using the command line like this:
      
          mem=128M console=ttyS0,115200 init=/bin/sh
      
      Here is the processing flow of command line parameters.
          start_kernel()
            setup_arch(&command_line)
               parse_mem_cmdline(cmdline_p)
                 * strcpy(boot_command_line, redboot_command_line);
                 * Remove "mem=xxx" from redboot_command_line.
                 * *cmdline_p = redboot_command_line;
            setup_command_line(command_line) <-- command_line is redboot_command_line
              * strcpy(saved_command_line, boot_command_line)
              * strcpy(static_command_line, command_line)
            parse_early_param()
              strlcpy(tmp_cmdline, boot_command_line, COMMAND_LINE_SIZE);
              parse_early_options(tmp_cmdline);
                parse_args("early options", cmdline, NULL, 0, 0, 0, do_early_param);
            parse_args("Booting ..", static_command_line, ...);
              init_setup() <-- save the pointer in execute_command
            rest_init()
              kernel_thread(kernel_init, NULL, CLONE_FS | CLONE_SIGHAND);
      
      At this point, execute_command points to "/bin/sh" string.
      
          kernel_init()
            kernel_init_freeable()
              do_basic_setup()
                do_initcalls()
                  do_initcall_level()
                    (*) strcpy(static_command_line, saved_command_line);
      
      Here, execute_command gets to point to "200" string !!
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      e3f12a53
    • Akira Takeuchi's avatar
      mn10300: Allow to pass array name to get_user() · c6dc9f0a
      Akira Takeuchi authored
      This fixes the following compile error:
      
      CC block/scsi_ioctl.o
      block/scsi_ioctl.c: In function 'sg_scsi_ioctl':
      block/scsi_ioctl.c:449: error: invalid initializer
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      c6dc9f0a
    • Dave Airlie's avatar
    • Thadeu Lima de Souza Cascardo's avatar
      powerpc/eeh: Add eeh_dev to the cache during boot · 1abd6018
      Thadeu Lima de Souza Cascardo authored
      commit f8f7d63f ("powerpc/eeh: Trace eeh
      device from I/O cache") broke EEH on pseries for devices that were
      present during boot and have not been hotplugged/DLPARed.
      
      eeh_check_failure will get the eeh_dev from the cache, and will get
      NULL. eeh_addr_cache_build adds the addresses to the cache, but eeh_dev
      for the giving pci_device is not set yet. Just reordering the call to
      eeh_addr_cache_insert_dev works fine. The ordering is similar to the one
      in eeh_add_device_late.
      Signed-off-by: default avatarThadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
      Acked-by: default avatarGavin Shan <shangw@linux.vnet.ibm.com>
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      1abd6018
  5. 27 Jun, 2013 5 commits
    • Josh Durgin's avatar
      rbd: send snapshot context with writes · d2d1f17a
      Josh Durgin authored
      Sending the right snapshot context with each write is required for
      snapshots to work. Due to the ordering of calls, the snapshot context
      is never set for any requests. This causes writes to the current
      version of the image to be reflected in all snapshots, which are
      supposed to be read-only.
      
      This happens because rbd_osd_req_format_write() sets the snapshot
      context based on obj_request->img_request. At this point, however,
      obj_request->img_request has not been set yet, to the snapshot context
      is set to NULL. Fix this by moving rbd_img_obj_request_add(), which
      sets obj_request->img_request, before the osd request formatting
      calls.
      
      This resolves:
          http://tracker.ceph.com/issues/5465Reported-by: default avatarKarol Jurak <karol.jurak@gmail.com>
      Signed-off-by: default avatarJosh Durgin <josh.durgin@inktank.com>
      Reviewed-by: default avatarSage Weil <sage@inktank.com>
      Reviewed-by: default avatarAlex Elder <elder@linaro.org>
      d2d1f17a
    • James Bottomley's avatar
      Merge tag 'fcoe1' into fixes · a9e94ec3
      James Bottomley authored
      This patch fixes a critical bug that was introduced in 3.9
      related to VLAN tagging FCoE frames.
      a9e94ec3
    • James Bottomley's avatar
      Merge tag 'fcoe' into fixes · 36a27968
      James Bottomley authored
      3.10 fixes
      36a27968
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 98b6ed0f
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Found via trinity:
      
          If you connect up an ipv6 socket to an ipv4 mapped address then an
          ipv6 one, sendmsg() can croak because ip6_sk_dst_check() assumes the
          route cached in the socket is an ipv6 one.  In this case there is an
          ipv4 route attached, so it gets stomped on.
      
          Reported by Dave Jones and Hannes Frederic Sowa, fixed by Eric
          Dumazet.
      
       2) AF_KEY notifications leak some kernel memory to userspace, fix from
          Mathias Krause.
      
       3) DLCI calls __dev_get_by_name() without proper locking, and dlci_del
          doesn't validate that the device being deleted is actually a DLCI
          one.  Fixes from Li Zefan.
      
       4) Length check on bluetooth l2cap information responses is wrong, each
          response type has a different lenth, so we should make sure it's in
          a given range rather than enforce one single valid length.  From
          Jaganath Kanakkassery.
      
       5) Receive FIFO overflow is really easy to trigger in stress scenerios
          in the sh_eth driver, but the event isn't being handled properly at
          all.  Specifically, the mask of error interrupts doesn't include the
          event so we never clear it, resulting in the driver becomming wedged
          processing an interrupt that never gets cleared.
      
          Fix from Sergei Shtylyov.
      
       6) qlcnic sleeps while holding a spinlock, use mdelay() instead of
          msleep().  From Shahed Shaikh.
      
       7) Missing curly braces causes SIP netfilter NAT module to always drop
          packets.  Fix from Balazs Peter Odor.
      
       8) ipt_ULOG in netfilter passes the wrong value to timer setup, causing
          the timer to dereference crap when it fires.  Fix from Gao Feng.
      
       9) Missing RCU protection around txq->axq_acq traversal in
          ath_txq_schedule().  Fix from Felix Fietkau.
      
      10) Idle state transition test in ath9k_htc_config() is reversed, fix
          from Sujith Manoharan.
      
      11) IPV6 forwarding handles unicast Router Alert packets incorrectly.
          It tests the wrong option state.  Previously opt->ra being non-zero
          indicated a router alert marking in the SKB, but now it's indicated
          by a bit in opt->flags.  Fix from YOSHIFUJI Hideaki.
      
      12) SKB leak in GRE tunnel GSO handling, from Eric Dumazet.
      
      13) get_user_pages_fast() error handling in TUN and MACVTAP use the same
          local variable for the base index and the loop iterator for page
          traversal, oops! Fix from Michael S Tsirkin.
      
      14) ipv6_get_lladdr() can fail, and we must therefore check it's return
          value in inet6_set_iftoken().  For from Hannes Frederic Sowa.
      
      15) If you change an interface name and meanwhile can sneak in something
          that looks up the name (like SO_BINDTODEVICE or SIOCGIFNAME) we can
          deadlock with CONFIG_PREEMPT=n.  Fix this by providing a helper
          function that properly uses raw_seqcount_begin().  From Nicolas
          Schichan.
      
      16) Chain noise calibration test is inverted in iwlwifi, fix from
          Nikolay Martynov.
      
      17) Properly set TX iwlwifi descriptor flags for back requests.  Fix
          from Emmanuel Grumbach.
      
      18) We can't assume skb_transport_header() is set in xt_TCPOPTSTRAP
          module, fix from Pablo Neira Ayuso.
      
      19) Some crummy APs don't provide the proper High Throughput info in
          association response frames.  Add a workaround by assume we'll use
          whatever is in the beacon/probe.  Fix from Johannes Berg.
      
      20) mac80211 call to rate_idx_match_mask() swaps two arguments (mask and
          channel width).  Fix from Simon Wunderlich.
      
      21) xt_TCPMSS (like xt_TCPOPTSTRAP) must not try to handle fragmented
          frames.  Fix from Phil Oester.
      
      22) Fix rate control regression causing iwlwifi/iwlegacy chips to use
          1Mbit/s on pre-11n networks.  From Moshe Benji and Stanslaw Gruszka.
      
      23) Disable brcmsmac power-save functions, they cause regressions.  From
          Arend van Spriel.
      
      24) Enforce a sane minimum MTU in l2cap_build_cmd() otherwise we can
          easily crash.  Fix from Anderson Lizardo.
      
      25) If a learning packet arrives during vxlan_stop() we crash, easily
          fixed by checking netif_running().  From Stephen Hemminger.
      
      26) Static vxlan FDB entries should not be migrated, also from Stephen.
      
      27) skb_clone() failures not handled in vxlan_xmit(), oops.  Also from
          Stephen.
      
      28) Add minimal driver for AR816x/AR817x ethernet chips, from Johannes
          Berg.
      
      29) Fix regression in userspace VLAN acceleration control, added by the
          802.1ad support changes.  Fix from Fernando Luis Vazquez Cao.
      
      30) Interval selection for MLD queries in the bridging code was
          reversed.  Fix from Linus Lüssing.
      
      31) ipv6's ndisc_send_redirect() erroneously writes to the packet we
          received not the packet we are building to send out.  Fix from
          Matthias Schiffer.
      
      32) Don't free netdev before unregistering it, in usb_8dev can driver.
          From Marc Kleine-Budde.
      
      33) Fix nl80211 attribute buffer races, from Johannes Berg.
      
      34) Although netlink_diag.h is under uapi/ it isn't present in Kbuild.
          From Stephen Hemminger.
      
      35) Wrong address and family passed to MD5 key lookups in TCP, from
          Aydin Arik.
      
      36) phy_type attribute created by SFC driver should not be writable.
          From Ben Hutchings.
      
      37) Receive/Transmit queue allocations in pxa168_eth and mv643xx_eth
          should use kzalloc().  Otherwise if setup fails half-way, we'll
          dereference garbage when trying to teardown the rings.  From Lubomir
          Rintel.
      
      38) Fix double-allocation of dst (resulting in unfreeable net device) in
          ipv6's init_loopback().  From Gao Feng.
      
      39) Fix fragmentation handling SKB leak in netfilter conntrack, we were
          freeing the wrong skb pointer.  From Phil Oester.
      
      40) Don't report "-1" (SPEED_UNKNOWN) in bond_miimon_commit(), from
          Nikolay Aleksandrov.
      
      41) davinci_cpdma doesn't check for DMA mapping errors, letting the
          device scribble to random addresses.  From Sebastian Siewior.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (69 commits)
        dlci: validate the net device in dlci_del()
        dlci: acquire rtnl_lock before calling __dev_get_by_name()
        af_key: fix info leaks in notify messages
        ipv6: ip6_sk_dst_check() must not assume ipv6 dst
        net: fix kernel deadlock with interface rename and netdev name retrieval.
        net/tg3: Avoid delay during MMIO access
        ipv6: check return value of ipv6_get_lladdr
        macvtap: fix recovery from gup errors
        tun: fix recovery from gup errors
        gre: fix a possible skb leak
        ipv6: Process unicast packet with Router Alert by checking flag in skb.
        ath9k_htc: Handle IDLE state transition properly
        ath9k: fix an RCU issue in calling ieee80211_get_tx_rates
        netfilter: ipt_ULOG: fix incorrect setting of ulog timer
        netfilter: ctnetlink: send event when conntrack label was modified
        netfilter: nf_nat_sip: fix mangling
        qlcnic: Do not sleep while holding spinlock
        drivers: net: cpsw: fix compilation error with cpsw driver
        tcp: doc : fix the syncookies default value
        sh_eth: fix misreporting of transmit abort
        ...
      98b6ed0f
    • Linus Torvalds's avatar
      Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux · 1a506e47
      Linus Torvalds authored
      Pull i915 drm fixes from Dave Airlie:
       "These should be the last two fixes for i915, one is for a fence leak
        killing X on some older GPUs, and one is a late regression partial
        revert for an swiotlb/xen/i915 interaction, Konrad has promised to
        figure out the proper answer, and this patch is the best thing to do
        at this stage to avoid regressing"
      
      * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
        drm/i915: make compact dma scatter lists creation work with SWIOTLB backend.
        drm/i915: Restore fences after resume and GPU resets
      1a506e47
  6. 26 Jun, 2013 3 commits