1. 28 Aug, 2015 9 commits
  2. 27 Aug, 2015 11 commits
  3. 12 Aug, 2015 1 commit
    • md: use kzalloc() when bitmap is disabled · 74df5a75
      Benjamin Randazzo authored
      commit b6878d9e upstream.
      
      In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
      mdu_bitmap_file_t called "file".
      
      5769         file = kmalloc(sizeof(*file), GFP_NOIO);
      5770         if (!file)
      5771                 return -ENOMEM;
      
      This structure is copied to user space at the end of the function.
      
      5786         if (err == 0 &&
      5787             copy_to_user(arg, file, sizeof(*file)))
      5788                 err = -EFAULT
      
      But if bitmap is disabled only the first byte of "file" is initialized
      with zero, so it's possible to read some bytes (up to 4095) of kernel
      space memory from user space. This is an information leak.
      
      5775         /* bitmap disabled, zero the first byte and copy out */
      5776         if (!mddev->bitmap_info.file)
      5777                 file->pathname[0] = '\0';
      Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr>
      Signed-off-by: NeilBrown <neilb@suse.com>
      Reference: CVE-2015-5697
      Signed-off-by: Kamal Mostafa <kamal@canonical.com>
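
The leak fixed by the md commit above can be reproduced in user space as an added example (not code from the commit or the kernel tree). The 4096-byte `pathname` size is assumed from the "up to 4095" figure in the commit message, and `sim_kmalloc`, `sim_kzalloc` and `stale_bytes_copied_out` are hypothetical stand-ins for the allocator and the copy-out path.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout of mdu_bitmap_file_t: a single 4096-byte path buffer. */
typedef struct { char pathname[4096]; } bitmap_file_t;

/* Stand-in for a recycled slab object that still holds its previous owner's
 * data. The 0xA5 fill is constructed sample data, not real kernel memory. */
static bitmap_file_t slab_object;

static bitmap_file_t *sim_kmalloc(void)   /* models kmalloc(): contents left as-is */
{
    memset(&slab_object, 0xA5, sizeof(slab_object));
    return &slab_object;
}

static bitmap_file_t *sim_kzalloc(void)   /* models kzalloc(): contents zeroed */
{
    bitmap_file_t *p = sim_kmalloc();
    memset(p, 0, sizeof(*p));
    return p;
}

/* Models the "bitmap disabled" branch followed by
 * copy_to_user(arg, file, sizeof(*file)). Returns the number of stale
 * (non-zero) bytes that reach the caller's buffer. */
static size_t stale_bytes_copied_out(int use_kzalloc)
{
    bitmap_file_t user_buf;
    bitmap_file_t *file = use_kzalloc ? sim_kzalloc() : sim_kmalloc();
    size_t i, stale = 0;

    file->pathname[0] = '\0';                /* the only byte the branch initialises */
    memcpy(&user_buf, file, sizeof(*file));  /* the whole struct crosses the boundary */

    for (i = 0; i < sizeof(user_buf.pathname); i++)
        if (user_buf.pathname[i] != 0)
            stale++;
    return stale;
}

int main(void)
{
    printf("kmalloc-style: %zu stale bytes\n", stale_bytes_copied_out(0));
    printf("kzalloc-style: %zu stale bytes\n", stale_bytes_copied_out(1));
    return 0;
}
```

The same pattern is worth auditing wherever a fixed-size struct is allocated without zeroing, partially filled, and then copied out in full.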
  4. 11 Aug, 2015 5 commits
    • Linux 3.19.8-ckt5 · 4b186bdc
      Kamal Mostafa authored
      Signed-off-by: Kamal Mostafa <kamal@canonical.com>
    • rds: rds_ib_device.refcount overflow · a6a33d67
      Wengang Wang authored
      commit 4fabb594 upstream.
      
      Fixes: 3e0249f9 ("RDS/IB: add refcount tracking to struct rds_ib_device")
      
      There lacks a dropping on rds_ib_device.refcount in case rds_ib_alloc_fmr
      failed (mr pool running out). This leads to the refcount overflow.
      
      A complaint in line 117 (see following) is seen. From vmcore:
      s_ib_rdma_mr_pool_depleted is 2147485544 and rds_ibdev->refcount is -2147475448.
      That is the evidence the mr pool is used up, so rds_ib_alloc_fmr is very likely
      to return ERR_PTR(-EAGAIN).
      
      115 void rds_ib_dev_put(struct rds_ib_device *rds_ibdev)
      116 {
      117         BUG_ON(atomic_read(&rds_ibdev->refcount) <= 0);
      118         if (atomic_dec_and_test(&rds_ibdev->refcount))
      119                 queue_work(rds_wq, &rds_ibdev->free_work);
      120 }
      
      Fix is to drop refcount when rds_ib_alloc_fmr failed.
      Signed-off-by: Wengang Wang <wen.gang.wang@oracle.com>
      Reviewed-by: Haggai Eran <haggaie@mellanox.com>
      Signed-off-by: Doug Ledford <dledford@redhat.com>
      Signed-off-by: Kamal Mostafa <kamal@canonical.com>
    • net: dsa: Test array index before use · 336fe934
      Florian Fainelli authored
      commit 8f5063e9 upstream.
      
      port_index is used as an index into an array, and this information comes
      from Device Tree, make sure that port_index is not equal to the array
      size before using it. Move the check against port_index earlier in the
      loop.
      
      Fixes: 5e95329b: ("dsa: add device tree bindings to register DSA switches")
      Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Kamal Mostafa <kamal@canonical.com>
    • perf hists browser: Take the --comm, --dsos, etc filters into account · 8401d7fe
      Arnaldo Carvalho de Melo authored
      commit 9c0fa8dd upstream.
      
      At some point:
      
        commit 2c86c7ca
        Author: Namhyung Kim <namhyung@kernel.org>
        Date:   Mon Mar 17 18:18:54 2014 -0300
      
          perf report: Merge al->filtered with hist_entry->filtered
      
      We stopped dropping samples for things filtered via the --comms, --dsos,
      --symbols, etc, i.e. things marked as filtered in the symbol resolution
      routines (thread__find_addr_map(), perf_event__preprocess_sample(),
      etc).
      
      But then, in:
      
        commit 268397cb
        Author: Namhyung Kim <namhyung@kernel.org>
        Date:   Tue Apr 22 14:49:31 2014 +0900
      
          perf top/tui: Update nr_entries properly after a filter is applied
      
      We don't take into account entries that were filtered in
      perf_event__preprocess_sample() and friends, which leads to
      inconsistency in the browser seek routines, that expects the number of
      hist_entry->filtered entries to match what it thinks is the number of
      unfiltered, browsable entries.
      
      So, for instance, when we do:
      
        perf top --symbols ___non_existent_symbol___
      
      the hist_browser__nr_entries() routine thinks there are no filters in
      place, uses the hists->nr_entries but all entries are filtered, leading
      to a segfault.
      
      Tested with:
      
         perf top --symbols malloc,free --percentage=relative
      
      Freezing, by pressing 'f', at any time and doing the math on the
      percentages ends up with 100%, ditto for:
      
         perf top --dsos libpthread-2.20.so,libxul.so --percentage=relative
      
      Both were segfaulting, all fixed now.
      
      More work needed to do away with checking if filters are in place, we
      should just use the nr_non_filtered_samples counter, no need to
      conditionally use it or hists.nr_filter, as what the browser does is
      just show unfiltered stuff. An audit of how it is being accounted is
      needed, this is the minimal fix.
      Reported-by: Michael Petlan <mpetlan@redhat.com>
      Fixes: 268397cb ("perf top/tui: Update nr_entries properly after a filter is applied")
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: David Ahern <dsahern@gmail.com>
      Cc: Frederic Weisbecker <fweisbec@gmail.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Stephane Eranian <eranian@google.com>
      Link: http://lkml.kernel.org/n/tip-6w01d5q97qk0d64kuojme5in@git.kernel.org
      Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: Kamal Mostafa <kamal@canonical.com>
    • perf symbols: Store if there is a filter in place · 7e447b5f
      Arnaldo Carvalho de Melo authored
      commit 0bc2f2f7 upstream.
      
      When setting up the symbols library we setup several filter lists,
      for dsos, comms, symbols, etc, and there is code that, if there are
      filters, do certain operations, like recalculate the number of non
      filtered histogram entries in the top/report TUI.
      
      But they were considering just the "Zoom" filters, when they need to
      take into account as well the above mentioned filters (perf top --comms,
      --dsos, etc).
      
      So store in symbol_conf.has_filter true if any of those filters is in
      place.
      
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: David Ahern <dsahern@gmail.com>
      Cc: Frederic Weisbecker <fweisbec@gmail.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Stephane Eranian <eranian@google.com>
      Link: http://lkml.kernel.org/n/tip-f5edfmhq69vfvs1kmikq1wep@git.kernel.org
      Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
      [ kamal: 3.19-stable prereq for
        9c0fa8dd perf hists browser: Take the --comm, --dsos, etc filters into account ]
      Signed-off-by: Kamal Mostafa <kamal@canonical.com>
  5. 06 Aug, 2015 14 commits