Skip to content

L
linux
Switch branch/tag
  1. 17 Jan, 2012 12 commits
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.dk/linux-block · 5e599784
      Linus Torvalds authored 
      * 'for-linus' of git://git.kernel.dk/linux-block:
  cfq-iosched: fix use-after-free of cfqq
      5e599784
    • Jens Axboe's avatar
      cfq-iosched: fix use-after-free of cfqq · 54b466e4
      Jens Axboe authored 
      With the changes in life time management between the cfq IO contexts
and the cfq queues, we now risk having cfqd->active_queue being
freed when cfq_slice_expired() is being called. cfq_preempt_queue()
caches this queue and uses it after calling said function, causing
a use-after-free condition. This triggers the following oops,
when cfqq_type() attempts to dereference it:

BUG: unable to handle kernel paging request at ffff8800746c4f0c
IP: [<ffffffff81266d59>] cfqq_type+0xb/0x20
PGD 18d4063 PUD 1fe15067 PMD 1ffb9067 PTE 80000000746c4160
Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
CPU 3
Modules linked in:

Pid: 1, comm: init Not tainted 3.2.0-josef+ #367 Bochs Bochs
RIP: 0010:[<ffffffff81266d59>]  [<ffffffff81266d59>] cfqq_type+0xb/0x20
RSP: 0018:ffff880079c11778  EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff880076f3df08 RCX: 0000000000000000
RDX: 0000000000000006 RSI: ffff880074271888 RDI: ffff8800746c4f08
RBP: ffff880079c11778 R08: 0000000000000078 R09: 0000000000000001
R10: 09f911029d74e35b R11: 09f911029d74e35b R12: ffff880076f337f0
R13: ffff8800746c4f08 R14: ffff8800746c4f08 R15: 0000000000000002
FS:  00007f62fd44f700(0000) GS:ffff88007cd80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8800746c4f0c CR3: 0000000076c21000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process init (pid: 1, threadinfo ffff880079c10000, task ffff880079c0a040)
Stack:
 ffff880079c117c8 ffffffff812683d8 ffff880079c117a8 ffffffff8125de43
 ffff8800744fcf48 ffff880074b43e98 ffff8800770c8828 ffff880074b43e98
 0000000000000003 0000000000000000 ffff880079c117f8 ffffffff81254149
Call Trace:
 [<ffffffff812683d8>] cfq_insert_request+0x3f5/0x47c
 [<ffffffff8125de43>] ? blk_recount_segments+0x20/0x31
 [<ffffffff81254149>] __elv_add_request+0x1ca/0x200
 [<ffffffff8125aa99>] blk_queue_bio+0x2ef/0x312
 [<ffffffff81258f7b>] generic_make_request+0x9f/0xe0
 [<ffffffff8125907b>] submit_bio+0xbf/0xca
 [<ffffffff81136ec7>] submit_bh+0xdf/0xfe
 [<ffffffff81176d04>] ext3_bread+0x50/0x99
 [<ffffffff811785b3>] dx_probe+0x38/0x291
 [<ffffffff81178864>] ext3_dx_find_entry+0x58/0x219
 [<ffffffff81178ad5>] ext3_find_entry+0xb0/0x406
 [<ffffffff8110c4d5>] ? cache_alloc_debugcheck_after.isra.46+0x14d/0x1a0
 [<ffffffff8110cfbd>] ? kmem_cache_alloc+0xef/0x191
 [<ffffffff8117a330>] ext3_lookup+0x39/0xe1
 [<ffffffff81119461>] d_alloc_and_lookup+0x45/0x6c
 [<ffffffff8111ac41>] do_lookup+0x1e4/0x2f5
 [<ffffffff8111aef6>] link_path_walk+0x1a4/0x6ef
 [<ffffffff8111b557>] path_lookupat+0x59/0x5ea
 [<ffffffff8127406c>] ? __strncpy_from_user+0x30/0x5a
 [<ffffffff8111bce0>] do_path_lookup+0x23/0x59
 [<ffffffff8111cfd6>] user_path_at_empty+0x53/0x99
 [<ffffffff8107b37b>] ? remove_wait_queue+0x51/0x56
 [<ffffffff8111d02d>] user_path_at+0x11/0x13
 [<ffffffff811141f5>] vfs_fstatat+0x3a/0x64
 [<ffffffff8111425a>] vfs_stat+0x1b/0x1d
 [<ffffffff81114359>] sys_newstat+0x1a/0x33
 [<ffffffff81060e12>] ? task_stopped_code+0x42/0x42
 [<ffffffff815d6712>] system_call_fastpath+0x16/0x1b
Code: 89 e6 48 89 c7 e8 fa ca fe ff 85 c0 74 06 4c 89 2b 41 b6 01 5b 44 89 f0 41 5c 41 5d 41 5e 5d c3 55 48 89 e5 66 66 66 66 90 31 c0 <8b> 57 04 f6 c6 01 74 0b 83 e2 20 83 fa 01 19 c0 83 c0 02 5d c3
RIP  [<ffffffff81266d59>] cfqq_type+0xb/0x20
 RSP <ffff880079c11778>
CR2: ffff8800746c4f0c

Get rid of the caching of cfqd->active_queue, and reorder the
check so that it happens before we expire the active queue.

Thanks to Tejun for pin pointing the error location.
Reported-by: default avatarChris Mason <chris.mason@oracle.com>
Tested-by: default avatarChris Mason <chris.mason@oracle.com>
Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      54b466e4
    • Linus Torvalds's avatar
      Merge branch 'stable/for-linus-fixes-3.3' of... · 00b1d444
      Linus Torvalds authored 
      Merge branch 'stable/for-linus-fixes-3.3' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen

* 'stable/for-linus-fixes-3.3' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen:
  xen/balloon: Move the registration from device to subsystem.
      00b1d444
    • Linus Torvalds's avatar
      Merge branch 'next' of git://git.monstr.eu/linux-2.6-microblaze · 8364919c
      Linus Torvalds authored 
      * 'next' of git://git.monstr.eu/linux-2.6-microblaze:
  USB: EHCI: Don't use NO_IRQ in xilinx ehci driver
  microblaze: Add topology init
      8364919c
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · d3569d16
      Linus Torvalds authored 
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: virtuoso: Xonar DS: fix polarity of front output
  ALSA: Au88x0 - Reduce the number of playback subdevices of au8830 from 32 to 16
  ALSA: Au88x0 - Support 4 channels playback when AC97 codecs has SDAC bit
  ALSA: HDA: Fix internal microphone on Dell Studio 16 XPS 1645
  ALSA: Don't prompt for CONFIG_SND_COMPRESS_OFFLOAD
  ALSA: HDA: Use LPIB position fix for Macbook Pro 7,1
      d3569d16
    • Konstantin Khlebnikov's avatar
      tty: remove unused tty_driver->termios_locked · 20c300b1
      Konstantin Khlebnikov authored 
      This field is unused since 2.6.28 (commit fe6e29fd: "tty: simplify
ktermios allocation", to be exact)
Signed-off-by: default avatarKonstantin Khlebnikov <khlebnikov@openvz.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      20c300b1
    • Linus Torvalds's avatar
      Revert "capabitlies: ns_capable can use the cap helpers rather than lsm call" · 951880e6
      Linus Torvalds authored 
      This reverts commit d2a7009f.

J. R. Okajima explains:

 "After this commit, I am afraid access(2) on NFS may not work
  correctly.  The scenario based upon my guess.
   - access(2) overrides the credentials.
   - calls inode_permission() -- ... -- generic_permission() --
      ns_capable().
   - while the old ns_capable() calls security_capable(current_cred()),
     the new ns_capable() calls has_ns_capability(current) --
     security_capable(__task_cred(t)).

  current_cred() returns current->cred which is effective (overridden)
  credentials, but __task_cred(current) returns current->real_cred (the
  NFSD's credential).  And the overridden credentials by access(2) lost."
Requested-by: default avatarJ. R. Okajima <hooanon05@yahoo.co.jp>
Acked-by: default avatarEric Paris <eparis@redhat.com>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      951880e6
    • Linus Torvalds's avatar
      Merge branch 'x86/rdrand' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · c2bc3a31
      Linus Torvalds authored 
      * 'x86/rdrand' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  random: Adjust the number of loops when initializing
  random: Use arch-specific RNG to initialize the entropy store
      c2bc3a31
    • Linus Torvalds's avatar
      Merge branch 'x86-syscall-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 5674124f
      Linus Torvalds authored 
      * 'x86-syscall-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86: Move <asm/asm-offsets.h> from trace_syscalls.c to asm/syscall.h
  x86, um: Fix typo in 32-bit system call modifications
  um: Use $(srctree) not $(KBUILD_SRC)
  x86, um: Mark system call tables readonly
  x86, um: Use the same style generated syscall tables as native
  um: Generate headers before generating user-offsets.s
  um: Run host archheaders, allow use of host generated headers
  kbuild, headers.sh: Don't make archheaders explicitly
  x86, syscall: Allow syscall offset to be symbolic
  x86, syscall: Re-fix typo in comment
  x86: Simplify syscallhdr.sh
  x86: Generate system call tables and unistd_*.h from tables
  checksyscalls: Use arch/x86/syscalls/syscall_32.tbl as source
  x86: Machine-readable syscall tables and scripts to process them
  trace: Include <asm/asm-offsets.h> in trace_syscalls.c
  x86-64, ia32: Move compat_ni_syscall into C and its own file
  x86-64, syscall: Adjust comment spacing and remove typo
  kbuild: Add support for an "archheaders" target
  kbuild: Add support for installing generated asm headers
      5674124f
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-ktest · 5d48421b
      Linus Torvalds authored 
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-ktest:
  ktest: Add INGORE_ERRORS to ignore warnings in boot up
  ktest: Still do reboot even for REBOOT_TYPE = script
  ktest: Fix compare script to test if options are not documented
  ktest: Detect typos in option names
  ktest: Have all values be set by defaults
  ktest: Change initialization of defaults hash to perl format
  ktest: Add options SWITCH_TO_GOOD and SWITCH_TO_TEST
  ktest: Allow overriding bisect test results
  ktest: Evaluate options before processing them
  ktest: Evaluate $KERNEL_VERSION in both install and post install
  ktest: Only ask options needed for install
  ktest: When creating a new config, ask for BUILD_OPTIONS
  ktest: Do not ask for some options if the only test is build
  ktest: Ask for type of test when creating a new config
  ktest: Allow bisect test to restart where it left off
  ktest: When creating new config, allow the use of ${THIS_DIR}
  ktest: Add default for ssh-user, build-target and target-image
  ktest: Allow success logs to be stored
  ktest: Save test output
      5d48421b
    • Linus Torvalds's avatar
      Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · 6e03db2b
      Linus Torvalds authored 
      * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
  ARM: OMAP3: fix build on !CONFIG_IOMMU_API
      6e03db2b
    • Greg Kroah-Hartman's avatar
      mce: fix warning messages about static struct mce_device · e032d807
      Greg Kroah-Hartman authored 
      When suspending, there was a large list of warnings going something like:

	Device 'machinecheck1' does not have a release() function, it is broken and must be fixed

This patch turns the static mce_devices into dynamically allocated, and
properly frees them when they are removed from the system.  It solves
the warning messages on my laptop here.
Reported-by: default avatar"Srivatsa S. Bhat" <srivatsa.bhat@linux.vnet.ibm.com>
Reported-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
Tested-by: default avatarDjalal Harouni <tixxdz@opendz.org>
Cc: Kay Sievers <kay.sievers@vrfy.org>
Cc: Tony Luck <tony.luck@intel.com>
Cc: Borislav Petkov <bp@amd64.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      e032d807
  3. 16 Jan, 2012 28 commits
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7