Skip to content

L
linux
Switch branch/tag
  1. 17 Jan, 2012 13 commits
    • Linus Torvalds's avatar
      proc: clean up and fix /proc/<pid>/mem handling · e268337d
      Linus Torvalds authored 
      Jüri Aedla reported that the /proc/<pid>/mem handling really isn't very
robust, and it also doesn't match the permission checking of any of the
other related files.

This changes it to do the permission checks at open time, and instead of
tracking the process, it tracks the VM at the time of the open.  That
simplifies the code a lot, but does mean that if you hold the file
descriptor open over an execve(), you'll continue to read from the _old_
VM.

That is different from our previous behavior, but much simpler.  If
somebody actually finds a load where this matters, we'll need to revert
this commit.

I suspect that nobody will ever notice - because the process mapping
addresses will also have changed as part of the execve.  So you cannot
actually usefully access the fd across a VM change simply because all
the offsets for IO would have changed too.
Reported-by: default avatarJüri Aedla <asd@ut.ee>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      e268337d
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.dk/linux-block · 5e599784
      Linus Torvalds authored 
      * 'for-linus' of git://git.kernel.dk/linux-block:
  cfq-iosched: fix use-after-free of cfqq
      5e599784
    • Jens Axboe's avatar
      cfq-iosched: fix use-after-free of cfqq · 54b466e4
      Jens Axboe authored 
      With the changes in life time management between the cfq IO contexts
and the cfq queues, we now risk having cfqd->active_queue being
freed when cfq_slice_expired() is being called. cfq_preempt_queue()
caches this queue and uses it after calling said function, causing
a use-after-free condition. This triggers the following oops,
when cfqq_type() attempts to dereference it:

BUG: unable to handle kernel paging request at ffff8800746c4f0c
IP: [<ffffffff81266d59>] cfqq_type+0xb/0x20
PGD 18d4063 PUD 1fe15067 PMD 1ffb9067 PTE 80000000746c4160
Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
CPU 3
Modules linked in:

Pid: 1, comm: init Not tainted 3.2.0-josef+ #367 Bochs Bochs
RIP: 0010:[<ffffffff81266d59>]  [<ffffffff81266d59>] cfqq_type+0xb/0x20
RSP: 0018:ffff880079c11778  EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff880076f3df08 RCX: 0000000000000000
RDX: 0000000000000006 RSI: ffff880074271888 RDI: ffff8800746c4f08
RBP: ffff880079c11778 R08: 0000000000000078 R09: 0000000000000001
R10: 09f911029d74e35b R11: 09f911029d74e35b R12: ffff880076f337f0
R13: ffff8800746c4f08 R14: ffff8800746c4f08 R15: 0000000000000002
FS:  00007f62fd44f700(0000) GS:ffff88007cd80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8800746c4f0c CR3: 0000000076c21000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process init (pid: 1, threadinfo ffff880079c10000, task ffff880079c0a040)
Stack:
 ffff880079c117c8 ffffffff812683d8 ffff880079c117a8 ffffffff8125de43
 ffff8800744fcf48 ffff880074b43e98 ffff8800770c8828 ffff880074b43e98
 0000000000000003 0000000000000000 ffff880079c117f8 ffffffff81254149
Call Trace:
 [<ffffffff812683d8>] cfq_insert_request+0x3f5/0x47c
 [<ffffffff8125de43>] ? blk_recount_segments+0x20/0x31
 [<ffffffff81254149>] __elv_add_request+0x1ca/0x200
 [<ffffffff8125aa99>] blk_queue_bio+0x2ef/0x312
 [<ffffffff81258f7b>] generic_make_request+0x9f/0xe0
 [<ffffffff8125907b>] submit_bio+0xbf/0xca
 [<ffffffff81136ec7>] submit_bh+0xdf/0xfe
 [<ffffffff81176d04>] ext3_bread+0x50/0x99
 [<ffffffff811785b3>] dx_probe+0x38/0x291
 [<ffffffff81178864>] ext3_dx_find_entry+0x58/0x219
 [<ffffffff81178ad5>] ext3_find_entry+0xb0/0x406
 [<ffffffff8110c4d5>] ? cache_alloc_debugcheck_after.isra.46+0x14d/0x1a0
 [<ffffffff8110cfbd>] ? kmem_cache_alloc+0xef/0x191
 [<ffffffff8117a330>] ext3_lookup+0x39/0xe1
 [<ffffffff81119461>] d_alloc_and_lookup+0x45/0x6c
 [<ffffffff8111ac41>] do_lookup+0x1e4/0x2f5
 [<ffffffff8111aef6>] link_path_walk+0x1a4/0x6ef
 [<ffffffff8111b557>] path_lookupat+0x59/0x5ea
 [<ffffffff8127406c>] ? __strncpy_from_user+0x30/0x5a
 [<ffffffff8111bce0>] do_path_lookup+0x23/0x59
 [<ffffffff8111cfd6>] user_path_at_empty+0x53/0x99
 [<ffffffff8107b37b>] ? remove_wait_queue+0x51/0x56
 [<ffffffff8111d02d>] user_path_at+0x11/0x13
 [<ffffffff811141f5>] vfs_fstatat+0x3a/0x64
 [<ffffffff8111425a>] vfs_stat+0x1b/0x1d
 [<ffffffff81114359>] sys_newstat+0x1a/0x33
 [<ffffffff81060e12>] ? task_stopped_code+0x42/0x42
 [<ffffffff815d6712>] system_call_fastpath+0x16/0x1b
Code: 89 e6 48 89 c7 e8 fa ca fe ff 85 c0 74 06 4c 89 2b 41 b6 01 5b 44 89 f0 41 5c 41 5d 41 5e 5d c3 55 48 89 e5 66 66 66 66 90 31 c0 <8b> 57 04 f6 c6 01 74 0b 83 e2 20 83 fa 01 19 c0 83 c0 02 5d c3
RIP  [<ffffffff81266d59>] cfqq_type+0xb/0x20
 RSP <ffff880079c11778>
CR2: ffff8800746c4f0c

Get rid of the caching of cfqd->active_queue, and reorder the
check so that it happens before we expire the active queue.

Thanks to Tejun for pin pointing the error location.
Reported-by: default avatarChris Mason <chris.mason@oracle.com>
Tested-by: default avatarChris Mason <chris.mason@oracle.com>
Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      54b466e4
    • Linus Torvalds's avatar
      Merge branch 'stable/for-linus-fixes-3.3' of... · 00b1d444
      Linus Torvalds authored 
      Merge branch 'stable/for-linus-fixes-3.3' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen

* 'stable/for-linus-fixes-3.3' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen:
  xen/balloon: Move the registration from device to subsystem.
      00b1d444
    • Linus Torvalds's avatar
      Merge branch 'next' of git://git.monstr.eu/linux-2.6-microblaze · 8364919c
      Linus Torvalds authored 
      * 'next' of git://git.monstr.eu/linux-2.6-microblaze:
  USB: EHCI: Don't use NO_IRQ in xilinx ehci driver
  microblaze: Add topology init
      8364919c
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · d3569d16
      Linus Torvalds authored 
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: virtuoso: Xonar DS: fix polarity of front output
  ALSA: Au88x0 - Reduce the number of playback subdevices of au8830 from 32 to 16
  ALSA: Au88x0 - Support 4 channels playback when AC97 codecs has SDAC bit
  ALSA: HDA: Fix internal microphone on Dell Studio 16 XPS 1645
  ALSA: Don't prompt for CONFIG_SND_COMPRESS_OFFLOAD
  ALSA: HDA: Use LPIB position fix for Macbook Pro 7,1
      d3569d16
    • Konstantin Khlebnikov's avatar
      tty: remove unused tty_driver->termios_locked · 20c300b1
      Konstantin Khlebnikov authored 
      This field is unused since 2.6.28 (commit fe6e29fd: "tty: simplify
ktermios allocation", to be exact)
Signed-off-by: default avatarKonstantin Khlebnikov <khlebnikov@openvz.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      20c300b1
    • Linus Torvalds's avatar
      Revert "capabitlies: ns_capable can use the cap helpers rather than lsm call" · 951880e6
      Linus Torvalds authored 
      This reverts commit d2a7009f.

J. R. Okajima explains:

 "After this commit, I am afraid access(2) on NFS may not work
  correctly.  The scenario based upon my guess.
   - access(2) overrides the credentials.
   - calls inode_permission() -- ... -- generic_permission() --
      ns_capable().
   - while the old ns_capable() calls security_capable(current_cred()),
     the new ns_capable() calls has_ns_capability(current) --
     security_capable(__task_cred(t)).

  current_cred() returns current->cred which is effective (overridden)
  credentials, but __task_cred(current) returns current->real_cred (the
  NFSD's credential).  And the overridden credentials by access(2) lost."
Requested-by: default avatarJ. R. Okajima <hooanon05@yahoo.co.jp>
Acked-by: default avatarEric Paris <eparis@redhat.com>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      951880e6
    • Linus Torvalds's avatar
      Merge branch 'x86/rdrand' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · c2bc3a31
      Linus Torvalds authored 
      * 'x86/rdrand' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  random: Adjust the number of loops when initializing
  random: Use arch-specific RNG to initialize the entropy store
      c2bc3a31
    • Linus Torvalds's avatar
      Merge branch 'x86-syscall-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 5674124f
      Linus Torvalds authored 
      * 'x86-syscall-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86: Move <asm/asm-offsets.h> from trace_syscalls.c to asm/syscall.h
  x86, um: Fix typo in 32-bit system call modifications
  um: Use $(srctree) not $(KBUILD_SRC)
  x86, um: Mark system call tables readonly
  x86, um: Use the same style generated syscall tables as native
  um: Generate headers before generating user-offsets.s
  um: Run host archheaders, allow use of host generated headers
  kbuild, headers.sh: Don't make archheaders explicitly
  x86, syscall: Allow syscall offset to be symbolic
  x86, syscall: Re-fix typo in comment
  x86: Simplify syscallhdr.sh
  x86: Generate system call tables and unistd_*.h from tables
  checksyscalls: Use arch/x86/syscalls/syscall_32.tbl as source
  x86: Machine-readable syscall tables and scripts to process them
  trace: Include <asm/asm-offsets.h> in trace_syscalls.c
  x86-64, ia32: Move compat_ni_syscall into C and its own file
  x86-64, syscall: Adjust comment spacing and remove typo
  kbuild: Add support for an "archheaders" target
  kbuild: Add support for installing generated asm headers
      5674124f
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-ktest · 5d48421b
      Linus Torvalds authored 
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-ktest:
  ktest: Add INGORE_ERRORS to ignore warnings in boot up
  ktest: Still do reboot even for REBOOT_TYPE = script
  ktest: Fix compare script to test if options are not documented
  ktest: Detect typos in option names
  ktest: Have all values be set by defaults
  ktest: Change initialization of defaults hash to perl format
  ktest: Add options SWITCH_TO_GOOD and SWITCH_TO_TEST
  ktest: Allow overriding bisect test results
  ktest: Evaluate options before processing them
  ktest: Evaluate $KERNEL_VERSION in both install and post install
  ktest: Only ask options needed for install
  ktest: When creating a new config, ask for BUILD_OPTIONS
  ktest: Do not ask for some options if the only test is build
  ktest: Ask for type of test when creating a new config
  ktest: Allow bisect test to restart where it left off
  ktest: When creating new config, allow the use of ${THIS_DIR}
  ktest: Add default for ssh-user, build-target and target-image
  ktest: Allow success logs to be stored
  ktest: Save test output
      5d48421b
    • Linus Torvalds's avatar
      Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · 6e03db2b
      Linus Torvalds authored 
      * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
  ARM: OMAP3: fix build on !CONFIG_IOMMU_API
      6e03db2b
    • Greg Kroah-Hartman's avatar
      mce: fix warning messages about static struct mce_device · e032d807
      Greg Kroah-Hartman authored 
      When suspending, there was a large list of warnings going something like:

	Device 'machinecheck1' does not have a release() function, it is broken and must be fixed

This patch turns the static mce_devices into dynamically allocated, and
properly frees them when they are removed from the system.  It solves
the warning messages on my laptop here.
Reported-by: default avatar"Srivatsa S. Bhat" <srivatsa.bhat@linux.vnet.ibm.com>
Reported-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
Tested-by: default avatarDjalal Harouni <tixxdz@opendz.org>
Cc: Kay Sievers <kay.sievers@vrfy.org>
Cc: Tony Luck <tony.luck@intel.com>
Cc: Borislav Petkov <bp@amd64.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      e032d807
  3. 16 Jan, 2012 27 commits
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7