1. 10 Feb, 2012 3 commits
  2. 06 Feb, 2012 3 commits
    • Linus Torvalds's avatar
      Merge tag 'gpio-for-linus' of git://git.secretlab.ca/git/linux-2.6 · 8597559a
      Linus Torvalds authored
      GPIO fixes for v3.3-rc2
      
      Straight forward bug fixes in this branch.  A couple of x86 gpio drivers
      missing spinlock initialization, an API change fixup for the samsung driver
      and a name typo fix.
      
      * tag 'gpio-for-linus' of git://git.secretlab.ca/git/linux-2.6:
        gpio: Add missing spin_lock_init in gpio-ml-ioh driver
        gpio: Add missing spin_lock_init in gpio-pch driver
        gpio: samsung: adapt to changes in gpio specifier translator function declaration
        Correct bad gpio naming
      8597559a
    • Linus Torvalds's avatar
      Merge tag 'hwmon-fixes-for-3.3-rc3' of... · 105e5180
      Linus Torvalds authored
      Merge tag 'hwmon-fixes-for-3.3-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
      
      One patch to fix fan detection on NCT6776F.
      
      * tag 'hwmon-fixes-for-3.3-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
        hwmon: (w83627ehf) Fix number of fans for NCT6776F
      105e5180
    • Heiko Carstens's avatar
      exec: fix use-after-free bug in setup_new_exec() · 96e02d15
      Heiko Carstens authored
      Setting the task name is done within setup_new_exec() by accessing
      bprm->filename. However this happens after flush_old_exec().
      This may result in a use after free bug, flush_old_exec() may
      "complete" vfork_done, which will wake up the parent which in turn
      may free the passed in filename.
      To fix this add a new tcomm field in struct linux_binprm which
      contains the now early generated task name until it is used.
      
      Fixes this bug on s390:
      
        Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
        Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
        Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
        Call Trace:
        ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
         [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
         [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
         [<0000000000282b6c>] do_execve_common+0x410/0x514
         [<0000000000282cb6>] do_execve+0x46/0x58
         [<00000000005bce58>] kernel_execve+0x28/0x70
         [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
         [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
         [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
        Last Breaking-Event-Address:
         [<00000000002830f0>] setup_new_exec+0x2fc/0x374
      
        Kernel panic - not syncing: Fatal exception: panic_on_oops
      Reported-by: default avatarSebastian Ott <sebott@linux.vnet.ibm.com>
      Signed-off-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      96e02d15
  3. 05 Feb, 2012 1 commit
  4. 04 Feb, 2012 26 commits
  5. 03 Feb, 2012 4 commits
  6. 02 Feb, 2012 3 commits
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client · 6c073a7e
      Linus Torvalds authored
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client:
        rbd: fix safety of rbd_put_client()
        rbd: fix a memory leak in rbd_get_client()
        ceph: create a new session lock to avoid lock inversion
        ceph: fix length validation in parse_reply_info()
        ceph: initialize client debugfs outside of monc->mutex
        ceph: change "ceph.layout" xattr to be "ceph.file.layout"
      6c073a7e
    • Josh Triplett's avatar
    • Alex Elder's avatar
      rbd: fix safety of rbd_put_client() · d23a4b3f
      Alex Elder authored
      The rbd_client structure uses a kref to arrange for cleaning up and
      freeing an instance when its last reference is dropped.  The cleanup
      routine is rbd_client_release(), and one of the things it does is
      delete the rbd_client from rbd_client_list.  It acquires node_lock
      to do so, but the way it is done is still not safe.
      
      The problem is that when attempting to reuse an existing rbd_client,
      the structure found might already be in the process of getting
      destroyed and cleaned up.
      
      Here's the scenario, with "CLIENT" representing an existing
      rbd_client that's involved in the race:
      
       Thread on CPU A                | Thread on CPU B
       ---------------                | ---------------
       rbd_put_client(CLIENT)         | rbd_get_client()
         kref_put()                   |   (acquires node_lock)
           kref->refcount becomes 0   |   __rbd_client_find() returns CLIENT
           calls rbd_client_release() |   kref_get(&CLIENT->kref);
                                      |   (releases node_lock)
             (acquires node_lock)     |
             deletes CLIENT from list | ...and starts using CLIENT...
             (releases node_lock)     |
             and frees CLIENT         | <-- but CLIENT gets freed here
      
      Fix this by having rbd_put_client() acquire node_lock.  The result
      could still be improved, but at least it avoids this problem.
      Signed-off-by: default avatarAlex Elder <elder@dreamhost.com>
      Signed-off-by: default avatarSage Weil <sage@newdream.net>
      d23a4b3f