1. 21 Sep, 2012 1 commit
    • Tejun Heo's avatar
      block: lift the initial queue bypass mode on blk_register_queue() instead of... · 749fefe6
      Tejun Heo authored
      block: lift the initial queue bypass mode on blk_register_queue() instead of blk_init_allocated_queue()
      
      b82d4b19 ("blkcg: make request_queue bypassing on allocation") made
      request_queues bypassed on allocation to avoid switching on and off
      bypass mode on a queue being initialized.  Some drivers allocate and
      then destroy a lot of queues without fully initializing them and
      incurring bypass latency overhead on each of them could add upto
      significant overhead.
      
      Unfortunately, blk_init_allocated_queue() is never used by queues of
      bio-based drivers, which means that all bio-based driver queues are in
      bypass mode even after initialization and registration complete
      successfully.
      
      Due to the limited way request_queues are used by bio drivers, this
      problem is hidden pretty well but it shows up when blk-throttle is
      used in combination with a bio-based driver.  Trying to configure
      (echoing to cgroupfs file) blk-throttle for a bio-based driver hangs
      indefinitely in blkg_conf_prep() waiting for bypass mode to end.
      
      This patch moves the initial blk_queue_bypass_end() call from
      blk_init_allocated_queue() to blk_register_queue() which is called for
      any userland-visible queues regardless of its type.
      
      I believe this is correct because I don't think there is any block
      driver which needs or wants working elevator and blk-cgroup on a queue
      which isn't visible to userland.  If there are such users, we need a
      different solution.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Reported-by: default avatarJoseph Glanville <joseph.glanville@orionvm.com.au>
      Cc: stable@vger.kernel.org
      Acked-by: default avatarVivek Goyal <vgoyal@redhat.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      749fefe6
  2. 20 Sep, 2012 5 commits
  3. 12 Sep, 2012 1 commit
    • Peter Senna Tschudin's avatar
      block/blk-tag.c: Remove useless kfree · d41570b7
      Peter Senna Tschudin authored
      Remove useless kfree() and clean up code related to the removal.
      
      The semantic patch that finds this problem is as follows:
      (http://coccinelle.lip6.fr/)
      
      // <smpl>
      @r exists@
      position p1,p2;
      expression x;
      @@
      
      if (x@p1 == NULL) { ... kfree@p2(x); ... return ...; }
      
      @unchanged exists@
      position r.p1,r.p2;
      expression e <= r.x,x,e1;
      iterator I;
      statement S;
      @@
      
      if (x@p1 == NULL) { ... when != I(x,...) S
                              when != e = e1
                              when != e += e1
                              when != e -= e1
                              when != ++e
                              when != --e
                              when != e++
                              when != e--
                              when != &e
         kfree@p2(x); ... return ...; }
      
      @ok depends on unchanged exists@
      position any r.p1;
      position r.p2;
      expression x;
      @@
      
      ... when != true x@p1 == NULL
      kfree@p2(x);
      
      @depends on !ok && unchanged@
      position r.p2;
      expression x;
      @@
      
      *kfree@p2(x);
      // </smpl>
      Signed-off-by: default avatarPeter Senna Tschudin <peter.senna@gmail.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      d41570b7
  4. 09 Sep, 2012 10 commits
    • Jaehoon Chung's avatar
      block: remove the duplicated setting for congestion_threshold · e32463b2
      Jaehoon Chung authored
      Before call the blk_queue_congestion_threshold(),
      the blk_queue_congestion_threshold() is already called at blk_queue_make_rquest().
      Because this code is the duplicated, it has removed.
      Signed-off-by: default avatarJaehoon Chung <jh80.chung@samsung.com>
      Signed-off-by: default avatarKyungmin Park <kyungmin.park@samsung.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      e32463b2
    • Dave Reisner's avatar
      block: reject invalid queue attribute values · b1f3b64d
      Dave Reisner authored
      Instead of using simple_strtoul which "converts" invalid numbers to 0,
      use strict_strtoul and perform error checking to ensure that userspace
      passes us a valid unsigned long. This addresses problems with functions
      such as writev, which might want to write a trailing newline -- the
      newline should rightfully be rejected, but the value preceeding it
      should be preserved.
      
      Fixes BZ#46981.
      Signed-off-by: default avatarDave Reisner <dreisner@archlinux.org>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      b1f3b64d
    • Kent Overstreet's avatar
      block: Add bio_clone_bioset(), bio_clone_kmalloc() · bf800ef1
      Kent Overstreet authored
      Previously, there was bio_clone() but it only allocated from the fs bio
      set; as a result various users were open coding it and using
      __bio_clone().
      
      This changes bio_clone() to become bio_clone_bioset(), and then we add
      bio_clone() and bio_clone_kmalloc() as wrappers around it, making use of
      the functionality the last patch adedd.
      
      This will also help in a later patch changing how bio cloning works.
      Signed-off-by: default avatarKent Overstreet <koverstreet@google.com>
      CC: Jens Axboe <axboe@kernel.dk>
      CC: NeilBrown <neilb@suse.de>
      CC: Alasdair Kergon <agk@redhat.com>
      CC: Boaz Harrosh <bharrosh@panasas.com>
      CC: Jeff Garzik <jeff@garzik.org>
      Acked-by: default avatarJeff Garzik <jgarzik@redhat.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      bf800ef1
    • Kent Overstreet's avatar
      block: Consolidate bio_alloc_bioset(), bio_kmalloc() · 3f86a82a
      Kent Overstreet authored
      Previously, bio_kmalloc() and bio_alloc_bioset() behaved slightly
      different because there was some almost-duplicated code - this fixes
      some of that.
      
      The important change is that previously bio_kmalloc() always set
      bi_io_vec = bi_inline_vecs, even if nr_iovecs == 0 - unlike
      bio_alloc_bioset(). This would cause bio_has_data() to return true; I
      don't know if this resulted in any actual bugs but it was certainly
      wrong.
      
      bio_kmalloc() and bio_alloc_bioset() also have different arbitrary
      limits on nr_iovecs - 1024 (UIO_MAXIOV) for bio_kmalloc(), 256
      (BIO_MAX_PAGES) for bio_alloc_bioset(). This patch doesn't fix that, but
      at least they're enforced closer together and hopefully they will be
      fixed in a later patch.
      
      This'll also help with some future cleanups - there are a fair number of
      functions that allocate bios (e.g. bio_clone()), and now they don't have
      to be duplicated for bio_alloc(), bio_alloc_bioset(), and bio_kmalloc().
      Signed-off-by: default avatarKent Overstreet <koverstreet@google.com>
      CC: Jens Axboe <axboe@kernel.dk>
      v7: Re-add dropped comments, improv patch description
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      3f86a82a
    • Kent Overstreet's avatar
      block: Kill bi_destructor · 4254bba1
      Kent Overstreet authored
      Now that we've got generic code for freeing bios allocated from bio
      pools, this isn't needed anymore.
      
      This patch also makes bio_free() static, since without bi_destructor
      there should be no need for it to be called anywhere else.
      
      bio_free() is now only called from bio_put, so we can refactor those a
      bit - move some code from bio_put() to bio_free() and kill the redundant
      bio->bi_next = NULL.
      
      v5: Switch to BIO_KMALLOC_POOL ((void *)~0), per Boaz
      v6: BIO_KMALLOC_POOL now NULL, drop bio_free's EXPORT_SYMBOL
      v7: No #define BIO_KMALLOC_POOL anymore
      Signed-off-by: default avatarKent Overstreet <koverstreet@google.com>
      CC: Jens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      4254bba1
    • Kent Overstreet's avatar
      pktcdvd: Switch to bio_kmalloc() · ccc5c9ca
      Kent Overstreet authored
      This is prep work for killing bi_destructor - previously, pktcdvd had
      its own pkt_bio_alloc which was basically duplication bio_kmalloc(),
      necessitating its own bi_destructor implementation.
      
      v5: Un-reorder some functions, to make the patch easier to review
      Signed-off-by: default avatarKent Overstreet <koverstreet@google.com>
      Acked-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      ccc5c9ca
    • Kent Overstreet's avatar
      block: Add bio_reset() · f44b48c7
      Kent Overstreet authored
      Reusing bios is something that's been highly frowned upon in the past,
      but driver code keeps doing it anyways. If it's going to happen anyways,
      we should provide a generic method.
      
      This'll help with getting rid of bi_destructor - drivers/block/pktcdvd.c
      was open coding it, by doing a bio_init() and resetting bi_destructor.
      
      This required reordering struct bio, but the block layer is not yet
      nearly fast enough for any cacheline effects to matter here.
      
      v5: Add a define BIO_RESET_BITS, to be very explicit about what parts of
      bio->bi_flags are saved.
      v6: Further commenting verbosity, per Tejun
      v9: Add a function comment
      Signed-off-by: default avatarKent Overstreet <koverstreet@google.com>
      CC: Jens Axboe <axboe@kernel.dk>
      Acked-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      f44b48c7
    • Kent Overstreet's avatar
      dm: Use bioset's front_pad for dm_rq_clone_bio_info · 94818742
      Kent Overstreet authored
      Previously, dm_rq_clone_bio_info needed to be freed by the bio's
      destructor to avoid a memory leak in the blk_rq_prep_clone() error path.
      This gets rid of a memory allocation and means we can kill
      dm_rq_bio_destructor.
      
      The _rq_bio_info_cache kmem cache is unused now and needs to be deleted,
      but due to the way io_pool is used and overloaded this looks not quite
      trivial so I'm leaving it for a later patch.
      
      v6: Fix comment on struct dm_rq_clone_bio_info, per Tejun
      Signed-off-by: default avatarKent Overstreet <koverstreet@google.com>
      CC: Alasdair Kergon <agk@redhat.com>
      Acked-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      94818742
    • Kent Overstreet's avatar
      block: Ues bi_pool for bio_integrity_alloc() · 1e2a410f
      Kent Overstreet authored
      Now that bios keep track of where they were allocated from,
      bio_integrity_alloc_bioset() becomes redundant.
      
      Remove bio_integrity_alloc_bioset() and drop bio_set argument from the
      related functions and make them use bio->bi_pool.
      Signed-off-by: default avatarKent Overstreet <koverstreet@google.com>
      CC: Jens Axboe <axboe@kernel.dk>
      CC: Martin K. Petersen <martin.petersen@oracle.com>
      Acked-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      1e2a410f
    • Kent Overstreet's avatar
      block: Generalized bio pool freeing · 395c72a7
      Kent Overstreet authored
      With the old code, when you allocate a bio from a bio pool you have to
      implement your own destructor that knows how to find the bio pool the
      bio was originally allocated from.
      
      This adds a new field to struct bio (bi_pool) and changes
      bio_alloc_bioset() to use it. This makes various bio destructors
      unnecessary, so they're then deleted.
      
      v6: Explain the temporary if statement in bio_put
      Signed-off-by: default avatarKent Overstreet <koverstreet@google.com>
      CC: Jens Axboe <axboe@kernel.dk>
      CC: NeilBrown <neilb@suse.de>
      CC: Alasdair Kergon <agk@redhat.com>
      CC: Nicholas Bellinger <nab@linux-iscsi.org>
      CC: Lars Ellenberg <lars.ellenberg@linbit.com>
      Acked-by: default avatarTejun Heo <tj@kernel.org>
      Acked-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      395c72a7
  5. 06 Sep, 2012 13 commits
    • Linus Torvalds's avatar
      Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · eeea3ac9
      Linus Torvalds authored
      Pull ARM SoC bug fixes from Olof Johansson:
       "Mostly Renesas and Atmel bugfixes this time, targeting boot and build
        problems.  A couple of patches for gemini and kirkwood as well.  On a
        whole nothing very controversial."
      
      * tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
        ARM: gemini: fix the gemini build
        ARM: shmobile: armadillo800eva: enable rw rootfs mount
        ARM: Kirkwood: Fix 'SZ_1M' undeclared here for db88f6281-bp-setup.c
        ARM: shmobile: mackerel: fixup usb module order
        ARM: shmobile: armadillo800eva: fixup: sound card detection order
        ARM: shmobile: marzen: fixup smsc911x id for regulator
        ARM: at91/feature-removal-schedule: delay at91_mci removal
        ARM: mach-shmobile: armadillo800eva: Enable power button as wakeup source
        ARM: mach-shmobile: armadillo800eva: Fix GPIO buttons descriptions
        ARM: at91/dts: remove partial parameter in at91sam9g25ek.dts
        ARM: at91/clock: fix PLLA overclock warning
        ARM: at91: fix rtc-at91sam9 irq issue due to sparse irq support
        ARM: at91: fix system timer irq issue due to sparse irq support
        ARM: shmobile: sh73a0: fixup RELOC_BASE of intca_irq_pins_desc
      eeea3ac9
    • Linus Torvalds's avatar
      Merge tag 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging · c7c6bf1e
      Linus Torvalds authored
      Pull a hwmon fix from Guenter Roeck:
       "One patch, fixing DIV_ROUND_CLOSEST to support negative dividends.
      
        While the changes are not in the drivers/hwmon directory, the problem
        primarily affects hwmon drivers, and it makes sense to push the patch
        through the hwmon tree."
      
      * tag 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
        linux/kernel.h: Fix DIV_ROUND_CLOSEST to support negative dividends
      c7c6bf1e
    • Linus Torvalds's avatar
      Merge branch 'rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild · bd12ce8c
      Linus Torvalds authored
      Pull kbuild fixes from Michal Marek:
       "These are two fixes that should go into 3.6.  The link-vmlinux.sh one
        is obvious.
      
        The other one fixes make firmware_install with certain configurations,
        where a file in the toplevel firmware tree gets installed first, and
        $(INSTALL_FW_PATH)/$$(dir <file>) results in /lib/firmware/./, which
        confuses make 3.82 for some reason."
      
      * 'rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild:
        firmware: fix directory creation rule matching with make 3.82
        link-vmlinux.sh: Fix stray "echo" in error message
      bd12ce8c
    • Dave Jones's avatar
      Remove user-triggerable BUG from mpol_to_str · 80de7c31
      Dave Jones authored
      Trivially triggerable, found by trinity:
      
        kernel BUG at mm/mempolicy.c:2546!
        Process trinity-child2 (pid: 23988, threadinfo ffff88010197e000, task ffff88007821a670)
        Call Trace:
          show_numa_map+0xd5/0x450
          show_pid_numa_map+0x13/0x20
          traverse+0xf2/0x230
          seq_read+0x34b/0x3e0
          vfs_read+0xac/0x180
          sys_pread64+0xa2/0xc0
          system_call_fastpath+0x1a/0x1f
        RIP: mpol_to_str+0x156/0x360
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDave Jones <davej@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      80de7c31
    • Linus Torvalds's avatar
      Merge tag 'mmc-fixes-for-3.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/cjb/mmc · 08090950
      Linus Torvalds authored
      Pull MMC fixes from Chris Ball:
       - a firmware bug on several Samsung MoviNAND eMMC models causes
         permanent corruption on the device when secure erase and secure trim
         requests are made, so we disable those requests on these eMMC devices.
       - atmel-mci: fix a hang with some SD cards by waiting for not-busy flag.
       - dw_mmc: low-power mode breaks SDIO interrupts; fix PIO error handling;
         fix handling of error interrupts.
       - mxs-mmc: fix deadlocks; fix compile error due to dma.h arch change.
       - omap: fix broken PIO mode causing memory corruption.
       - sdhci-esdhc: fix card detection.
      
      * tag 'mmc-fixes-for-3.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/cjb/mmc:
        mmc: omap: fix broken PIO mode
        mmc: card: Skip secure erase on MoviNAND; causes unrecoverable corruption.
        mmc: dw_mmc: Disable low power mode if SDIO interrupts are used
        mmc: dw_mmc: fix error handling in PIO mode
        mmc: dw_mmc: correct mishandling error interrupt
        mmc: dw_mmc: amend using error interrupt status
        mmc: atmel-mci: not busy flag has also to be used for read operations
        mmc: sdhci-esdhc: break out early if clock is 0
        mmc: mxs-mmc: fix deadlock caused by recursion loop
        mmc: mxs-mmc: fix deadlock in SDIO IRQ case
        mmc: bfin_sdh: fix dma_desc_array build error
      08090950
    • Miklos Szeredi's avatar
      uml: fix compile error in deliver_alarm() · bc6c8364
      Miklos Szeredi authored
      Fix the following compile error on UML.
      
        arch/um/os-Linux/time.c: In function 'deliver_alarm':
        arch/um/os-Linux/time.c:117:3: error: too few arguments to function 'alarm_handler'
        arch/um/os-Linux/internal.h:1:6: note: declared here
      
      The error was introduced by commit d3c1cfcd ("um: pass siginfo to guest
      process") in 3.6-rc1.
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@suse.cz>
      CC: Martin Pärtel <martin.partel@gmail.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      bc6c8364
    • Alan Cox's avatar
      dj: memory scribble in logi_dj · 8a55ade7
      Alan Cox authored
      Allocate a structure not a pointer to it !
      Signed-off-by: default avatarAlan Cox <alan@linux.intel.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      8a55ade7
    • Linus Torvalds's avatar
      Merge branch 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc · cb4f9a29
      Linus Torvalds authored
      Pull powerpc fixes from Benjamin Herrenschmidt:
       "Here are a few fixes for 3.6 that were piling up while I was away or
        busy (I was mostly MIA a week or two before San Diego).
      
        Some fixes from Anton fixing up issues with our relatively new DSCR
        control feature, and a few other fixes that are either regressions or
        bugs nasty enough to warrant not waiting."
      
      * 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc:
        powerpc: Don't use __put_user() in patch_instruction
        powerpc: Make sure IPI handlers see data written by IPI senders
        powerpc: Restore correct DSCR in context switch
        powerpc: Fix DSCR inheritance in copy_thread()
        powerpc: Keep thread.dscr and thread.dscr_inherit in sync
        powerpc: Update DSCR on all CPUs when writing sysfs dscr_default
        powerpc/powernv: Always go into nap mode when CPU is offline
        powerpc: Give hypervisor decrementer interrupts their own handler
        powerpc/vphn: Fix arch_update_cpu_topology() return value
      cb4f9a29
    • Linus Torvalds's avatar
      Merge tag 'gpio-fixes-for-v3.6' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio · 813e6438
      Linus Torvalds authored
      Pull GPIO fixes from Linus Walleij:
       "These are some GPIO regression fixes for v3.6:
         - Erroneous debug message from of_get_named_gpio_flags()
         - Make sure the MC9S08DZ60 GPIO driver depend on I2C being compiled
           in (not module) or allmodconfig breaks.
         - Check return value from irq_alloc_descs() in the Emma Mobile GPIO
           driver.
         - Assign the owner field for the rdc321x driver so the module won't
           be removed if it has active GPIOs."
      
      * tag 'gpio-fixes-for-v3.6' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
        gpio: rdc321x: Prevent removal of modules exporting active GPIOs
        gpio: em: Fix checking return value of irq_alloc_descs
        gpio: mc9s08dz60: Fix build error if I2C=m
        gpio: Fix debug message in of_get_named_gpio_flags()
      813e6438
    • Linus Torvalds's avatar
      Merge tag 'sound-3.6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 5e682c0e
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "There are nothing scaring, contains only small fixes for HD-audio and
        USB-audio:
         - EPSS regression fix and GPIO fix for HD-audio IDT codecs
         - A series of USB-audio regression fixes that are found since 3.5
           kernel"
      
      * tag 'sound-3.6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: snd-usb: fix cross-interface streaming devices
        ALSA: snd-usb: fix calls to next_packet_size
        ALSA: snd-usb: restore delay information
        ALSA: snd-usb: use list_for_each_safe for endpoint resources
        ALSA: snd-usb: Fix URB cancellation at stream start
        ALSA: hda - Don't trust codec EPSS bit for IDT 92HD83xx & co
        ALSA: hda - Avoid unnecessary parameter read for EPSS
        ALSA: hda - Do not set GPIOs for speakers on IDT if there are no speakers
      5e682c0e
    • Linus Torvalds's avatar
      Merge tag 'fbdev-fixes-for-3.6-1' of git://github.com/schandinat/linux-2.6 · 6d1a0503
      Linus Torvalds authored
      Pull fbdev fixes from Florian Tobias Schandinat:
       - a fix by Paul Cercueil to prevent a possible buffer overflow
       - a fix by Bruno Prémont to prevent a rare sleep in invalid context
       - a fix by Julia Lawall for a double free in auo_k190x
       - a fix by Dan Carpenter to prevent a division by zero in mb862xxfb
       - a regression fix by Tomi Valkeinen for the SDI output in OMAP
       - a fix by Grazvydas Ignotas to fix the console colors in OMAP
      
      * tag 'fbdev-fixes-for-3.6-1' of git://github.com/schandinat/linux-2.6:
        OMAPFB: fix framebuffer console colors
        OMAPDSS: Fix SDI PLL locking
        video: mb862xxfb: prevent divide by zero bug
        drivers/video/auo_k190x.c: drop kfree of devm_kzalloc's data
        fbcon: Fix bit_putcs() call to kmalloc(s, GFP_KERNEL)
        fbcon: prevent possible buffer overflow.
      6d1a0503
    • Linus Torvalds's avatar
      Merge tag 'upstream-3.6-rc5' of git://git.infradead.org/linux-ubi · 50234c58
      Linus Torvalds authored
      Pull ubi fix from Artem Bityutskiy:
       "A single small fix for memory deallocation: we allocated memory using
        'kmem_cache_alloc()' but were freeing it using 'kfree()' in some
        cases.  Now we fix this by using 'kmem_cache_free()' instead."
      
      * tag 'upstream-3.6-rc5' of git://git.infradead.org/linux-ubi:
        UBI: fix a horrible memory deallocation bug
      50234c58
    • Mikulas Patocka's avatar
      Fix order of arguments to compat_put_time[spec|val] · ed6fe9d6
      Mikulas Patocka authored
      Commit 644595f8 ("compat: Handle COMPAT_USE_64BIT_TIME in
      net/socket.c") introduced a bug where the helper functions to take
      either a 64-bit or compat time[spec|val] got the arguments in the wrong
      order, passing the kernel stack pointer off as a user pointer (and vice
      versa).
      
      Because of the user address range check, that in turn then causes an
      EFAULT due to the user pointer range checking failing for the kernel
      address.  Incorrectly resuling in a failed system call for 32-bit
      processes with a 64-bit kernel.
      
      On odder architectures like HP-PA (with separate user/kernel address
      spaces), it can be used read kernel memory.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      ed6fe9d6
  6. 05 Sep, 2012 10 commits