1. 22 Nov, 2013 19 commits
    • Linus Torvalds's avatar
      Merge tag 'xfs-for-linus-v3.13-rc1-2' of git://oss.sgi.com/xfs/xfs · 6ea9786e
      Linus Torvalds authored
      Pull second xfs update from Ben Myers:
       "There are a couple of patches that I wasn't quite sure about in time
        for our initial 3.13 pull request, a bugfix, and an update to add Dave
        to MAINTAINERS:
      
        Here we have a performance fix for inode iversion, increased inode
        cluster size for v5 superblock filesystems, a fix for error handling
        in xfs_bmap_add_attrfork, and a MAINTAINERS update to add Dave"
      
      * tag 'xfs-for-linus-v3.13-rc1-2' of git://oss.sgi.com/xfs/xfs:
        xfs: open code inc_inode_iversion when logging an inode
        xfs: increase inode cluster size for v5 filesystems
        xfs: fix unlock in xfs_bmap_add_attrfork
        xfs: update maintainers
      6ea9786e
    • Linus Torvalds's avatar
      Merge branch 'slab/next' of git://git.kernel.org/pub/scm/linux/kernel/git/penberg/linux · 24f971ab
      Linus Torvalds authored
      Pull SLAB changes from Pekka Enberg:
       "The patches from Joonsoo Kim switch mm/slab.c to use 'struct page' for
        slab internals similar to mm/slub.c.  This reduces memory usage and
        improves performance:
      
          https://lkml.org/lkml/2013/10/16/155
      
        Rest of the changes are bug fixes from various people"
      
      * 'slab/next' of git://git.kernel.org/pub/scm/linux/kernel/git/penberg/linux: (21 commits)
        mm, slub: fix the typo in mm/slub.c
        mm, slub: fix the typo in include/linux/slub_def.h
        slub: Handle NULL parameter in kmem_cache_flags
        slab: replace non-existing 'struct freelist *' with 'void *'
        slab: fix to calm down kmemleak warning
        slub: proper kmemleak tracking if CONFIG_SLUB_DEBUG disabled
        slab: rename slab_bufctl to slab_freelist
        slab: remove useless statement for checking pfmemalloc
        slab: use struct page for slab management
        slab: replace free and inuse in struct slab with newly introduced active
        slab: remove SLAB_LIMIT
        slab: remove kmem_bufctl_t
        slab: change the management method of free objects of the slab
        slab: use __GFP_COMP flag for allocating slab pages
        slab: use well-defined macro, virt_to_slab()
        slab: overloading the RCU head over the LRU for RCU free
        slab: remove cachep in struct slab_rcu
        slab: remove nodeid in struct slab
        slab: remove colouroff in struct slab
        slab: change return type of kmem_getpages() to struct page
        ...
      24f971ab
    • Linus Torvalds's avatar
      Merge branch 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc · 3bab0bf0
      Linus Torvalds authored
      Pull third set of powerpc updates from Benjamin Herrenschmidt:
       "This is a small collection of random bug fixes and a few improvements
        of Oops output which I deemed valuable enough to include as well.
      
        The fixes are essentially recent build breakage and regressions, and a
        couple of older bugs such as the DTL log duplication, the EEH issue
        with PCI_COMMAND_MASTER and the problem with small contexts passed to
        get/set_context with VSX enabled"
      
      * 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc:
        powerpc/signals: Mark VSX not saved with small contexts
        powerpc/pseries: Fix SMP=n build of rng.c
        powerpc: Make cpu_to_chip_id() available when SMP=n
        powerpc/vio: Fix a dma_mask issue of vio
        powerpc: booke: Fix build failures
        powerpc: ppc64 address space capped at 32TB, mmap randomisation disabled
        powerpc: Only print PACATMSCRATCH in oops when TM is active
        powerpc/pseries: Duplicate dtl entries sometimes sent to userspace
        powerpc: Remove a few lines of oops output
        powerpc: Print DAR and DSISR on machine check oopses
        powerpc: Fix __get_user_pages_fast() irq handling
        powerpc/eeh: More accurate log
        powerpc/eeh: Enable PCI_COMMAND_MASTER for PCI bridges
      3bab0bf0
    • Linus Torvalds's avatar
      Merge branch 'akpm' (fixes from Andrew) · a5d6e633
      Linus Torvalds authored
      Merge patches from Andrew Morton:
       "13 fixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        mm: place page->pmd_huge_pte to right union
        MAINTAINERS: add keyboard driver to Hyper-V file list
        x86, mm: do not leak page->ptl for pmd page tables
        ipc,shm: correct error return value in shmctl (SHM_UNLOCK)
        mm, mempolicy: silence gcc warning
        block/partitions/efi.c: fix bound check
        ARM: drivers/rtc/rtc-at91rm9200.c: disable interrupts at shutdown
        mm: hugetlbfs: fix hugetlbfs optimization
        kernel: remove CONFIG_USE_GENERIC_SMP_HELPERS cleanly
        ipc,shm: fix shm_file deletion races
        mm: thp: give transparent hugepage code a separate copy_page
        checkpatch: fix "Use of uninitialized value" warnings
        configfs: fix race between dentry put and lookup
      a5d6e633
    • Linus Torvalds's avatar
      Merge branch 'for-linus2' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security · 78dc53c4
      Linus Torvalds authored
      Pull security subsystem updates from James Morris:
       "In this patchset, we finally get an SELinux update, with Paul Moore
        taking over as maintainer of that code.
      
        Also a significant update for the Keys subsystem, as well as
        maintenance updates to Smack, IMA, TPM, and Apparmor"
      
      and since I wanted to know more about the updates to key handling,
      here's the explanation from David Howells on that:
      
       "Okay.  There are a number of separate bits.  I'll go over the big bits
        and the odd important other bit, most of the smaller bits are just
        fixes and cleanups.  If you want the small bits accounting for, I can
        do that too.
      
         (1) Keyring capacity expansion.
      
              KEYS: Consolidate the concept of an 'index key' for key access
              KEYS: Introduce a search context structure
              KEYS: Search for auth-key by name rather than target key ID
              Add a generic associative array implementation.
              KEYS: Expand the capacity of a keyring
      
           Several of the patches are providing an expansion of the capacity of a
           keyring.  Currently, the maximum size of a keyring payload is one page.
           Subtract a small header and then divide up into pointers, that only gives
           you ~500 pointers on an x86_64 box.  However, since the NFS idmapper uses
           a keyring to store ID mapping data, that has proven to be insufficient to
           the cause.
      
           Whatever data structure I use to handle the keyring payload, it can only
           store pointers to keys, not the keys themselves because several keyrings
           may point to a single key.  This precludes inserting, say, and rb_node
           struct into the key struct for this purpose.
      
           I could make an rbtree of records such that each record has an rb_node
           and a key pointer, but that would use four words of space per key stored
           in the keyring.  It would, however, be able to use much existing code.
      
           I selected instead a non-rebalancing radix-tree type approach as that
           could have a better space-used/key-pointer ratio.  I could have used the
           radix tree implementation that we already have and insert keys into it by
           their serial numbers, but that means any sort of search must iterate over
           the whole radix tree.  Further, its nodes are a bit on the capacious side
           for what I want - especially given that key serial numbers are randomly
           allocated, thus leaving a lot of empty space in the tree.
      
           So what I have is an associative array that internally is a radix-tree
           with 16 pointers per node where the index key is constructed from the key
           type pointer and the key description.  This means that an exact lookup by
           type+description is very fast as this tells us how to navigate directly to
           the target key.
      
           I made the data structure general in lib/assoc_array.c as far as it is
           concerned, its index key is just a sequence of bits that leads to a
           pointer.  It's possible that someone else will be able to make use of it
           also.  FS-Cache might, for example.
      
         (2) Mark keys as 'trusted' and keyrings as 'trusted only'.
      
              KEYS: verify a certificate is signed by a 'trusted' key
              KEYS: Make the system 'trusted' keyring viewable by userspace
              KEYS: Add a 'trusted' flag and a 'trusted only' flag
              KEYS: Separate the kernel signature checking keyring from module signing
      
           These patches allow keys carrying asymmetric public keys to be marked as
           being 'trusted' and allow keyrings to be marked as only permitting the
           addition or linkage of trusted keys.
      
           Keys loaded from hardware during kernel boot or compiled into the kernel
           during build are marked as being trusted automatically.  New keys can be
           loaded at runtime with add_key().  They are checked against the system
           keyring contents and if their signatures can be validated with keys that
           are already marked trusted, then they are marked trusted also and can
           thus be added into the master keyring.
      
           Patches from Mimi Zohar make this usable with the IMA keyrings also.
      
         (3) Remove the date checks on the key used to validate a module signature.
      
              X.509: Remove certificate date checks
      
           It's not reasonable to reject a signature just because the key that it was
           generated with is no longer valid datewise - especially if the kernel
           hasn't yet managed to set the system clock when the first module is
           loaded - so just remove those checks.
      
         (4) Make it simpler to deal with additional X.509 being loaded into the kernel.
      
              KEYS: Load *.x509 files into kernel keyring
              KEYS: Have make canonicalise the paths of the X.509 certs better to deduplicate
      
           The builder of the kernel now just places files with the extension ".x509"
           into the kernel source or build trees and they're concatenated by the
           kernel build and stuffed into the appropriate section.
      
         (5) Add support for userspace kerberos to use keyrings.
      
              KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches
              KEYS: Implement a big key type that can save to tmpfs
      
           Fedora went to, by default, storing kerberos tickets and tokens in tmpfs.
           We looked at storing it in keyrings instead as that confers certain
           advantages such as tickets being automatically deleted after a certain
           amount of time and the ability for the kernel to get at these tokens more
           easily.
      
           To make this work, two things were needed:
      
           (a) A way for the tickets to persist beyond the lifetime of all a user's
               sessions so that cron-driven processes can still use them.
      
               The problem is that a user's session keyrings are deleted when the
               session that spawned them logs out and the user's user keyring is
               deleted when the UID is deleted (typically when the last log out
               happens), so neither of these places is suitable.
      
               I've added a system keyring into which a 'persistent' keyring is
               created for each UID on request.  Each time a user requests their
               persistent keyring, the expiry time on it is set anew.  If the user
               doesn't ask for it for, say, three days, the keyring is automatically
               expired and garbage collected using the existing gc.  All the kerberos
               tokens it held are then also gc'd.
      
           (b) A key type that can hold really big tickets (up to 1MB in size).
      
               The problem is that Active Directory can return huge tickets with lots
               of auxiliary data attached.  We don't, however, want to eat up huge
               tracts of unswappable kernel space for this, so if the ticket is
               greater than a certain size, we create a swappable shmem file and dump
               the contents in there and just live with the fact we then have an
               inode and a dentry overhead.  If the ticket is smaller than that, we
               slap it in a kmalloc()'d buffer"
      
      * 'for-linus2' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (121 commits)
        KEYS: Fix keyring content gc scanner
        KEYS: Fix error handling in big_key instantiation
        KEYS: Fix UID check in keyctl_get_persistent()
        KEYS: The RSA public key algorithm needs to select MPILIB
        ima: define '_ima' as a builtin 'trusted' keyring
        ima: extend the measurement list to include the file signature
        kernel/system_certificate.S: use real contents instead of macro GLOBAL()
        KEYS: fix error return code in big_key_instantiate()
        KEYS: Fix keyring quota misaccounting on key replacement and unlink
        KEYS: Fix a race between negating a key and reading the error set
        KEYS: Make BIG_KEYS boolean
        apparmor: remove the "task" arg from may_change_ptraced_domain()
        apparmor: remove parent task info from audit logging
        apparmor: remove tsk field from the apparmor_audit_struct
        apparmor: fix capability to not use the current task, during reporting
        Smack: Ptrace access check mode
        ima: provide hash algo info in the xattr
        ima: enable support for larger default filedata hash algorithms
        ima: define kernel parameter 'ima_template=' to change configured default
        ima: add Kconfig default measurement list template
        ...
      78dc53c4
    • Linus Torvalds's avatar
      Merge git://git.infradead.org/users/eparis/audit · 3eaded86
      Linus Torvalds authored
      Pull audit updates from Eric Paris:
       "Nothing amazing.  Formatting, small bug fixes, couple of fixes where
        we didn't get records due to some old VFS changes, and a change to how
        we collect execve info..."
      
      Fixed conflict in fs/exec.c as per Eric and linux-next.
      
      * git://git.infradead.org/users/eparis/audit: (28 commits)
        audit: fix type of sessionid in audit_set_loginuid()
        audit: call audit_bprm() only once to add AUDIT_EXECVE information
        audit: move audit_aux_data_execve contents into audit_context union
        audit: remove unused envc member of audit_aux_data_execve
        audit: Kill the unused struct audit_aux_data_capset
        audit: do not reject all AUDIT_INODE filter types
        audit: suppress stock memalloc failure warnings since already managed
        audit: log the audit_names record type
        audit: add child record before the create to handle case where create fails
        audit: use given values in tty_audit enable api
        audit: use nlmsg_len() to get message payload length
        audit: use memset instead of trying to initialize field by field
        audit: fix info leak in AUDIT_GET requests
        audit: update AUDIT_INODE filter rule to comparator function
        audit: audit feature to set loginuid immutable
        audit: audit feature to only allow unsetting the loginuid
        audit: allow unsetting the loginuid (with priv)
        audit: remove CONFIG_AUDIT_LOGINUID_IMMUTABLE
        audit: loginuid functions coding style
        selinux: apply selinux checks on new audit message types
        ...
      3eaded86
    • Kirill A. Shutemov's avatar
      mm: place page->pmd_huge_pte to right union · 7aa555bf
      Kirill A. Shutemov authored
      I don't know what went wrong, mis-merge or something, but ->pmd_huge_pte
      placed in wrong union within struct page.
      
      In original patch[1] it's placed to union with ->lru and ->slab, but in
      commit e009bb30 ("mm: implement split page table lock for PMD
      level") it's in union with ->index and ->freelist.
      
      That union seems also unused for pages with table tables and safe to
      re-use, but it's not what I've tested.
      
      Let's move it to original place.  It fixes indentation at least.  :)
      
      [1] https://lkml.org/lkml/2013/10/7/288Signed-off-by: default avatarKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Reviewed-by: default avatarNaoya Horiguchi <n-horiguchi@ah.jp.nec.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      7aa555bf
    • Haiyang Zhang's avatar
      MAINTAINERS: add keyboard driver to Hyper-V file list · f92ca80b
      Haiyang Zhang authored
      Signed-off-by: default avatarHaiyang Zhang <haiyangz@microsoft.com>
      Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Cc: "K. Y. Srinivasan" <kys@microsoft.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      f92ca80b
    • Kirill A. Shutemov's avatar
      x86, mm: do not leak page->ptl for pmd page tables · c283610e
      Kirill A. Shutemov authored
      There are two code paths how page with pmd page table can be freed:
      pmd_free() and pmd_free_tlb().
      
      I've missed the second one and didn't add page table destructor call
      there.  It leads to leak of page->ptl for pmd page tables, if
      dynamically allocated page->ptl is in use.
      
      The patch adds the missed destructor and modifies documentation
      accordingly.
      Signed-off-by: default avatarKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Reported-by: default avatarAndrey Vagin <avagin@openvz.org>
      Tested-by: default avatarAndrey Vagin <avagin@openvz.org>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      c283610e
    • Jesper Nilsson's avatar
      ipc,shm: correct error return value in shmctl (SHM_UNLOCK) · 3a72660b
      Jesper Nilsson authored
      Commit 2caacaa8 ("ipc,shm: shorten critical region for shmctl")
      restructured the ipc shm to shorten critical region, but introduced a
      path where the return value could be -EPERM, even if the operation
      actually was performed.
      
      Before the commit, the err return value was reset by the return value
      from security_shm_shmctl() after the if (!ns_capable(...)) statement.
      
      Now, we still exit the if statement with err set to -EPERM, and in the
      case of SHM_UNLOCK, it is not reset at all, and used as the return value
      from shmctl.
      
      To fix this, we only set err when errors occur, leaving the fallthrough
      case alone.
      Signed-off-by: default avatarJesper Nilsson <jesper.nilsson@axis.com>
      Cc: Davidlohr Bueso <davidlohr@hp.com>
      Cc: Rik van Riel <riel@redhat.com>
      Cc: Michel Lespinasse <walken@google.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: <stable@vger.kernel.org>	[3.12.x]
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      3a72660b
    • David Rientjes's avatar
      mm, mempolicy: silence gcc warning · b7a9f420
      David Rientjes authored
      Fengguang Wu reports that compiling mm/mempolicy.c results in a warning:
      
        mm/mempolicy.c: In function 'mpol_to_str':
        mm/mempolicy.c:2878:2: error: format not a string literal and no format arguments
      
      Kees says this is because he is using -Wformat-security.
      
      Silence the warning.
      Signed-off-by: default avatarDavid Rientjes <rientjes@google.com>
      Reported-by: default avatarFengguang Wu <fengguang.wu@intel.com>
      Suggested-by: default avatarKees Cook <keescook@chromium.org>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      b7a9f420
    • Antti P Miettinen's avatar
      block/partitions/efi.c: fix bound check · 49204c11
      Antti P Miettinen authored
      Use ARRAY_SIZE instead of sizeof to get proper max for label length.
      
      Since this is just a read out of bounds it's not that bad, but the
      problem becomes user-visible eg if one tries to use DEBUG_PAGEALLOC and
      DEBUG_RODATA, at least with some enhancements from Hiroshi.  Of course
      the destination array can contain garbage when we read beyond the end of
      source array so that would be another user-visible problem.
      Signed-off-by: default avatarAntti P Miettinen <amiettinen@nvidia.com>
      Reviewed-by: default avatarHiroshi Doyu <hdoyu@nvidia.com>
      Tested-by: default avatarHiroshi Doyu <hdoyu@nvidia.com>
      Cc: Will Drewry <wad@chromium.org>
      Cc: Matt Fleming <matt.fleming@intel.com>
      Acked-by: default avatarDavidlohr Bueso <davidlohr@hp.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      49204c11
    • Johan Hovold's avatar
      ARM: drivers/rtc/rtc-at91rm9200.c: disable interrupts at shutdown · 51a0d036
      Johan Hovold authored
      Make sure RTC-interrupts are disabled at shutdown.
      
      As the RTC is generally powered by backup power (VDDBU), its interrupts
      are not disabled on wake-up, user, watchdog or software reset.  This
      could cause troubles on other systems (e.g.  older kernels) if an
      interrupt occurs before a handler has been installed at next boot.
      
      Let us be well-behaved and disable them on clean shutdowns at least (as
      do the RTT-based rtc-at91sam9 driver).
      Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
      Acked-by: default avatarNicolas Ferre <nicolas.ferre@atmel.com>
      Cc: Jean-Christophe Plagniol-Villard <plagnioj@jcrosoft.com>
      Cc: Andrew Victor <linux@maxim.org.za>
      Cc: Alessandro Zummo <a.zummo@towertech.it>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      51a0d036
    • Andrea Arcangeli's avatar
      mm: hugetlbfs: fix hugetlbfs optimization · 27c73ae7
      Andrea Arcangeli authored
      Commit 7cb2ef56 ("mm: fix aio performance regression for database
      caused by THP") can cause dereference of a dangling pointer if
      split_huge_page runs during PageHuge() if there are updates to the
      tail_page->private field.
      
      Also it is repeating compound_head twice for hugetlbfs and it is running
      compound_head+compound_trans_head for THP when a single one is needed in
      both cases.
      
      The new code within the PageSlab() check doesn't need to verify that the
      THP page size is never bigger than the smallest hugetlbfs page size, to
      avoid memory corruption.
      
      A longstanding theoretical race condition was found while fixing the
      above (see the change right after the skip_unlock label, that is
      relevant for the compound_lock path too).
      
      By re-establishing the _mapcount tail refcounting for all compound
      pages, this also fixes the below problem:
      
        echo 0 >/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
      
        BUG: Bad page state in process bash  pfn:59a01
        page:ffffea000139b038 count:0 mapcount:10 mapping:          (null) index:0x0
        page flags: 0x1c00000000008000(tail)
        Modules linked in:
        CPU: 6 PID: 2018 Comm: bash Not tainted 3.12.0+ #25
        Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
        Call Trace:
          dump_stack+0x55/0x76
          bad_page+0xd5/0x130
          free_pages_prepare+0x213/0x280
          __free_pages+0x36/0x80
          update_and_free_page+0xc1/0xd0
          free_pool_huge_page+0xc2/0xe0
          set_max_huge_pages.part.58+0x14c/0x220
          nr_hugepages_store_common.isra.60+0xd0/0xf0
          nr_hugepages_store+0x13/0x20
          kobj_attr_store+0xf/0x20
          sysfs_write_file+0x189/0x1e0
          vfs_write+0xc5/0x1f0
          SyS_write+0x55/0xb0
          system_call_fastpath+0x16/0x1b
      Signed-off-by: default avatarKhalid Aziz <khalid.aziz@oracle.com>
      Signed-off-by: default avatarAndrea Arcangeli <aarcange@redhat.com>
      Tested-by: default avatarKhalid Aziz <khalid.aziz@oracle.com>
      Cc: Pravin Shelar <pshelar@nicira.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Ben Hutchings <bhutchings@solarflare.com>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: Johannes Weiner <jweiner@redhat.com>
      Cc: Mel Gorman <mgorman@suse.de>
      Cc: Rik van Riel <riel@redhat.com>
      Cc: Andi Kleen <andi@firstfloor.org>
      Cc: Minchan Kim <minchan@kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      27c73ae7
    • Yuanhan Liu's avatar
      kernel: remove CONFIG_USE_GENERIC_SMP_HELPERS cleanly · 044c8d4b
      Yuanhan Liu authored
      Remove CONFIG_USE_GENERIC_SMP_HELPERS left by commit 0a06ff06
      ("kernel: remove CONFIG_USE_GENERIC_SMP_HELPERS").
      Signed-off-by: default avatarYuanhan Liu <yuanhan.liu@linux.intel.com>
      Cc: Christoph Hellwig <hch@infradead.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      044c8d4b
    • Greg Thelen's avatar
      ipc,shm: fix shm_file deletion races · a399b29d
      Greg Thelen authored
      When IPC_RMID races with other shm operations there's potential for
      use-after-free of the shm object's associated file (shm_file).
      
      Here's the race before this patch:
      
        TASK 1                     TASK 2
        ------                     ------
        shm_rmid()
          ipc_lock_object()
                                   shmctl()
                                   shp = shm_obtain_object_check()
      
          shm_destroy()
            shum_unlock()
            fput(shp->shm_file)
                                   ipc_lock_object()
                                   shmem_lock(shp->shm_file)
                                   <OOPS>
      
      The oops is caused because shm_destroy() calls fput() after dropping the
      ipc_lock.  fput() clears the file's f_inode, f_path.dentry, and
      f_path.mnt, which causes various NULL pointer references in task 2.  I
      reliably see the oops in task 2 if with shmlock, shmu
      
      This patch fixes the races by:
      1) set shm_file=NULL in shm_destroy() while holding ipc_object_lock().
      2) modify at risk operations to check shm_file while holding
         ipc_object_lock().
      
      Example workloads, which each trigger oops...
      
      Workload 1:
        while true; do
          id=$(shmget 1 4096)
          shm_rmid $id &
          shmlock $id &
          wait
        done
      
        The oops stack shows accessing NULL f_inode due to racing fput:
          _raw_spin_lock
          shmem_lock
          SyS_shmctl
      
      Workload 2:
        while true; do
          id=$(shmget 1 4096)
          shmat $id 4096 &
          shm_rmid $id &
          wait
        done
      
        The oops stack is similar to workload 1 due to NULL f_inode:
          touch_atime
          shmem_mmap
          shm_mmap
          mmap_region
          do_mmap_pgoff
          do_shmat
          SyS_shmat
      
      Workload 3:
        while true; do
          id=$(shmget 1 4096)
          shmlock $id
          shm_rmid $id &
          shmunlock $id &
          wait
        done
      
        The oops stack shows second fput tripping on an NULL f_inode.  The
        first fput() completed via from shm_destroy(), but a racing thread did
        a get_file() and queued this fput():
          locks_remove_flock
          __fput
          ____fput
          task_work_run
          do_notify_resume
          int_signal
      
      Fixes: c2c737a0 ("ipc,shm: shorten critical region for shmat")
      Fixes: 2caacaa8 ("ipc,shm: shorten critical region for shmctl")
      Signed-off-by: default avatarGreg Thelen <gthelen@google.com>
      Cc: Davidlohr Bueso <davidlohr@hp.com>
      Cc: Rik van Riel <riel@redhat.com>
      Cc: Manfred Spraul <manfred@colorfullife.com>
      Cc: <stable@vger.kernel.org>  # 3.10.17+ 3.11.6+
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a399b29d
    • Dave Hansen's avatar
      mm: thp: give transparent hugepage code a separate copy_page · 30b0a105
      Dave Hansen authored
      Right now, the migration code in migrate_page_copy() uses copy_huge_page()
      for hugetlbfs and thp pages:
      
             if (PageHuge(page) || PageTransHuge(page))
                      copy_huge_page(newpage, page);
      
      So, yay for code reuse.  But:
      
        void copy_huge_page(struct page *dst, struct page *src)
        {
              struct hstate *h = page_hstate(src);
      
      and a non-hugetlbfs page has no page_hstate().  This works 99% of the
      time because page_hstate() determines the hstate from the page order
      alone.  Since the page order of a THP page matches the default hugetlbfs
      page order, it works.
      
      But, if you change the default huge page size on the boot command-line
      (say default_hugepagesz=1G), then we might not even *have* a 2MB hstate
      so page_hstate() returns null and copy_huge_page() oopses pretty fast
      since copy_huge_page() dereferences the hstate:
      
        void copy_huge_page(struct page *dst, struct page *src)
        {
              struct hstate *h = page_hstate(src);
              if (unlikely(pages_per_huge_page(h) > MAX_ORDER_NR_PAGES)) {
        ...
      
      Mel noticed that the migration code is really the only user of these
      functions.  This moves all the copy code over to migrate.c and makes
      copy_huge_page() work for THP by checking for it explicitly.
      
      I believe the bug was introduced in commit b32967ff ("mm: numa: Add
      THP migration for the NUMA working set scanning fault case")
      
      [akpm@linux-foundation.org: fix coding-style and comment text, per Naoya Horiguchi]
      Signed-off-by: default avatarDave Hansen <dave.hansen@linux.intel.com>
      Acked-by: default avatarMel Gorman <mgorman@suse.de>
      Reviewed-by: default avatarNaoya Horiguchi <n-horiguchi@ah.jp.nec.com>
      Cc: Hillf Danton <dhillf@gmail.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Tested-by: default avatarDave Jiang <dave.jiang@intel.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      30b0a105
    • Joe Perches's avatar
      checkpatch: fix "Use of uninitialized value" warnings · c11230f4
      Joe Perches authored
      checkpatch is currently confused about some complex macros and references
      undefined variables $stat and $cond.
      
      Make sure these are defined before using them.
      Signed-off-by: default avatarJoe Perches <joe@perches.com>
      Reported-by: default avatarGerhard Sittig <gsi@denx.de>
      Acked-by: default avatarAndy Whitcroft <apw@canonical.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      c11230f4
    • Junxiao Bi's avatar
      configfs: fix race between dentry put and lookup · 76ae281f
      Junxiao Bi authored
      A race window in configfs, it starts from one dentry is UNHASHED and end
      before configfs_d_iput is called.  In this window, if a lookup happen,
      since the original dentry was UNHASHED, so a new dentry will be
      allocated, and then in configfs_attach_attr(), sd->s_dentry will be
      updated to the new dentry.  Then in configfs_d_iput(),
      BUG_ON(sd->s_dentry != dentry) will be triggered and system panic.
      
      sys_open:                     sys_close:
       ...                           fput
                                      dput
                                       dentry_kill
                                        __d_drop <--- dentry unhashed here,
                                                 but sd->dentry still point
                                                 to this dentry.
      
       lookup_real
        configfs_lookup
         configfs_attach_attr---> update sd->s_dentry
                                  to new allocated dentry here.
      
                                         d_kill
                                           configfs_d_iput <--- BUG_ON(sd->s_dentry != dentry)
                                                           triggered here.
      
      To fix it, change configfs_d_iput to not update sd->s_dentry if
      sd->s_count > 2, that means there are another dentry is using the sd
      beside the one that is going to be put.  Use configfs_dirent_lock in
      configfs_attach_attr to sync with configfs_d_iput.
      
      With the following steps, you can reproduce the bug.
      
      1. enable ocfs2, this will mount configfs at /sys/kernel/config and
         fill configure in it.
      
      2. run the following script.
      	while [ 1 ]; do cat /sys/kernel/config/cluster/$your_cluster_name/idle_timeout_ms > /dev/null; done &
      	while [ 1 ]; do cat /sys/kernel/config/cluster/$your_cluster_name/idle_timeout_ms > /dev/null; done &
      Signed-off-by: default avatarJunxiao Bi <junxiao.bi@oracle.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      76ae281f
  2. 20 Nov, 2013 21 commits