1. 07 Dec, 2007 2 commits
  2. 06 Dec, 2007 24 commits
  3. 05 Dec, 2007 14 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/mingo/linux-2.6-sched · 7e1fb765
      Linus Torvalds authored
      * git://git.kernel.org/pub/scm/linux/kernel/git/mingo/linux-2.6-sched:
        futex: correctly return -EFAULT not -EINVAL
        lockdep: in_range() fix
        lockdep: fix debug_show_all_locks()
        sched: style cleanups
        futex: fix for futex_wait signal stack corruption
      7e1fb765
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6 · ad658cec
      Linus Torvalds authored
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6:
        VM/Security: add security hook to do_brk
        Security: round mmap hint address above mmap_min_addr
        security: protect from stack expantion into low vm addresses
        Security: allow capable check to permit mmap or low vm space
        SELinux: detect dead booleans
        SELinux: do not clear f_op when removing entries
      ad658cec
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 · 2a1292b3
      Linus Torvalds authored
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6:
        [LRO]: fix lro_gen_skb() alignment
        [TCP]: NAGLE_PUSH seems to be a wrong way around
        [TCP]: Move prior_in_flight collect to more robust place
        [TCP] FRTO: Use of existing funcs make code more obvious & robust
        [IRDA]: Move ircomm_tty_line_info() under #ifdef CONFIG_PROC_FS
        [ROSE]: Trivial compilation CONFIG_INET=n case
        [IPVS]: Fix sched registration race when checking for name collision.
        [IPVS]: Don't leak sysctl tables if the scheduler registration fails.
      2a1292b3
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-2.6 · 2cfae273
      Linus Torvalds authored
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-2.6:
        [SPARC64]: Update defconfig.
        [SPARC]: Add missing of_node_put
        [SPARC64]: check for possible NULL pointer dereference
        [SPARC]: Add missing "space"
        [SPARC64]: Add missing "space"
        [SPARC64]: Add missing pci_dev_put
        [SYSCTL_CHECK]: Fix typo in KERN_SPARC_SCONS_PWROFF entry string.
        [SPARC64]: Missing mdesc_release() in ldc_init().
      2cfae273
    • Al Viro's avatar
      remove nonsense force-casts from ocfs2 · 97bd7919
      Al Viro authored
      endianness annotations in networking code had been in place for quite a
      while; in particular, sin_port and s_addr are annotated as big-endian.
      
      Code in ocfs2 had __force casts added apparently to shut the sparse
      warnings up; of course, these days they only serve to *produce* warnings
      for no reason whatsoever...
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      97bd7919
    • Al Viro's avatar
      regression: bfs endianness bug · 7e46aa5c
      Al Viro authored
      BFS_FILEBLOCKS() expects struct bfs_inode * (on-disk data, with little-
      endian fields), not struct bfs_inode_info * (in-core stuff, with host-
      endian ones).
      
      It's a macro and fields with the right names are present in
      bfs_inode_info, so it compiles, but on big-endian host it gives bogus
      results.
      
      Introduced in commit f433dc56 ("Fixes to
      the BFS filesystem driver").
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      7e46aa5c
    • Al Viro's avatar
      fcrypt endianness misannotations · 3c50b368
      Al Viro authored
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      3c50b368
    • Al Viro's avatar
      no need to mess with KBUILD_CFLAGS on uml-i386 anymore · 79901a97
      Al Viro authored
      Now that X86_32 is provided on Kconfig level for uml-i386, there's no
      need to play with it explicitly on Makefile level anymore.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Acked-by: default avatarJeff Dike <jdike@addtoit.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      79901a97
    • Al Viro's avatar
      regression: cifs endianness bug · 9b5e6857
      Al Viro authored
      access_flags_to_mode() gets on-the-wire data (little-endian) and treats
      it as host-endian.
      
      Introduced in commit e01b6400 ("[CIFS]
      enable get mode from ACL when cifsacl mount option specified")
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      9b5e6857
    • Eric Paris's avatar
      VM/Security: add security hook to do_brk · ecaf18c1
      Eric Paris authored
      Given a specifically crafted binary do_brk() can be used to get low pages
      available in userspace virtual memory and can thus be used to circumvent
      the mmap_min_addr low memory protection.  Add security checks in do_brk().
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Acked-by: default avatarAlan Cox <alan@redhat.com>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: James Morris <jmorris@namei.org>
      Cc: Chris Wright <chrisw@sous-sol.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      ecaf18c1
    • Vegard Nossum's avatar
      SLUB's ksize() fails for size > 2048 · 294a80a8
      Vegard Nossum authored
      I can't pass memory allocated by kmalloc() to ksize() if it is allocated by
      SLUB allocator and size is larger than (I guess) PAGE_SIZE / 2.
      
      The error of ksize() seems to be that it does not check if the allocation
      was made by SLUB or the page allocator.
      Reviewed-by: default avatarPekka Enberg <penberg@cs.helsinki.fi>
      Tested-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Cc: Christoph Lameter <clameter@sgi.com>, Matt Mackall <mpm@selenic.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      294a80a8
    • Alexey Dobriyan's avatar
      proc: fix proc_dir_entry refcounting · 5a622f2d
      Alexey Dobriyan authored
      Creating PDEs with refcount 0 and "deleted" flag has problems (see below).
      Switch to usual scheme:
      * PDE is created with refcount 1
      * every de_get does +1
      * every de_put() and remove_proc_entry() do -1
      * once refcount reaches 0, PDE is freed.
      
      This elegantly fixes at least two following races (both observed) without
      introducing new locks, without abusing old locks, without spreading
      lock_kernel():
      
      1) PDE leak
      
      remove_proc_entry			de_put
      -----------------			------
      			[refcnt = 1]
      if (atomic_read(&de->count) == 0)
      					if (atomic_dec_and_test(&de->count))
      						if (de->deleted)
      							/* also not taken! */
      							free_proc_entry(de);
      else
      	de->deleted = 1;
      		[refcount=0, deleted=1]
      
      2) use after free
      
      remove_proc_entry			de_put
      -----------------			------
      			[refcnt = 1]
      
      					if (atomic_dec_and_test(&de->count))
      if (atomic_read(&de->count) == 0)
      	free_proc_entry(de);
      						/* boom! */
      						if (de->deleted)
      							free_proc_entry(de);
      
      BUG: unable to handle kernel paging request at virtual address 6b6b6b6b
      printing eip: c10acdda *pdpt = 00000000338f8001 *pde = 0000000000000000
      Oops: 0000 [#1] PREEMPT SMP
      Modules linked in: af_packet ipv6 cpufreq_ondemand loop serio_raw psmouse k8temp hwmon sr_mod cdrom
      Pid: 23161, comm: cat Not tainted (2.6.24-rc2-8c086340 #4)
      EIP: 0060:[<c10acdda>] EFLAGS: 00210097 CPU: 1
      EIP is at strnlen+0x6/0x18
      EAX: 6b6b6b6b EBX: 6b6b6b6b ECX: 6b6b6b6b EDX: fffffffe
      ESI: c128fa3b EDI: f380bf34 EBP: ffffffff ESP: f380be44
       DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
      Process cat (pid: 23161, ti=f380b000 task=f38f2570 task.ti=f380b000)
      Stack: c10ac4f0 00000278 c12ce000 f43cd2a8 00000163 00000000 7da86067 00000400
             c128fa20 00896b18 f38325a8 c128fe20 ffffffff 00000000 c11f291e 00000400
             f75be300 c128fa20 f769c9a0 c10ac779 f380bf34 f7bfee70 c1018e6b f380bf34
      Call Trace:
       [<c10ac4f0>] vsnprintf+0x2ad/0x49b
       [<c10ac779>] vscnprintf+0x14/0x1f
       [<c1018e6b>] vprintk+0xc5/0x2f9
       [<c10379f1>] handle_fasteoi_irq+0x0/0xab
       [<c1004f44>] do_IRQ+0x9f/0xb7
       [<c117db3b>] preempt_schedule_irq+0x3f/0x5b
       [<c100264e>] need_resched+0x1f/0x21
       [<c10190ba>] printk+0x1b/0x1f
       [<c107c8ad>] de_put+0x3d/0x50
       [<c107c8f8>] proc_delete_inode+0x38/0x41
       [<c107c8c0>] proc_delete_inode+0x0/0x41
       [<c1066298>] generic_delete_inode+0x5e/0xc6
       [<c1065aa9>] iput+0x60/0x62
       [<c1063c8e>] d_kill+0x2d/0x46
       [<c1063fa9>] dput+0xdc/0xe4
       [<c10571a1>] __fput+0xb0/0xcd
       [<c1054e49>] filp_close+0x48/0x4f
       [<c1055ee9>] sys_close+0x67/0xa5
       [<c10026b6>] sysenter_past_esp+0x5f/0x85
      =======================
      Code: c9 74 0c f2 ae 74 05 bf 01 00 00 00 4f 89 fa 5f 89 d0 c3 85 c9 57 89 c7 89 d0 74 05 f2 ae 75 01 4f 89 f8 5f c3 89 c1 89 c8 eb 06 <80> 38 00 74 07 40 4a 83 fa ff 75 f4 29 c8 c3 90 90 90 57 83 c9
      EIP: [<c10acdda>] strnlen+0x6/0x18 SS:ESP 0068:f380be44
      
      Also, remove broken usage of ->deleted from reiserfs: if sget() succeeds,
      module is already pinned and remove_proc_entry() can't happen => nobody
      can mark PDE deleted.
      
      Dummy proc root in netns code is not marked with refcount 1. AFAICS, we
      never get it, it's just for proper /proc/net removal. I double checked
      CLONE_NETNS continues to work.
      
      Patch survives many hours of modprobe/rmmod/cat loops without new bugs
      which can be attributed to refcounting.
      Signed-off-by: default avatarAlexey Dobriyan <adobriyan@sw.ru>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      5a622f2d
    • Jan Kara's avatar
      jbd: Fix assertion failure in fs/jbd/checkpoint.c · d4beaf4a
      Jan Kara authored
      Before we start committing a transaction, we call
      __journal_clean_checkpoint_list() to cleanup transaction's written-back
      buffers.
      
      If this call happens to remove all of them (and there were already some
      buffers), __journal_remove_checkpoint() will decide to free the transaction
      because it isn't (yet) a committing transaction and soon we fail some
      assertion - the transaction really isn't ready to be freed :).
      
      We change the check in __journal_remove_checkpoint() to free only a
      transaction in T_FINISHED state.  The locking there is subtle though (as
      everywhere in JBD ;().  We use j_list_lock to protect the check and a
      subsequent call to __journal_drop_transaction() and do the same in the end
      of journal_commit_transaction() which is the only place where a transaction
      can get to T_FINISHED state.
      
      Probably I'm too paranoid here and such locking is not really necessary -
      checkpoint lists are processed only from log_do_checkpoint() where a
      transaction must be already committed to be processed or from
      __journal_clean_checkpoint_list() where kjournald itself calls it and thus
      transaction cannot change state either.  Better be safe if something
      changes in future...
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Cc: <linux-ext4@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      d4beaf4a
    • Nick Piggin's avatar
      mm: fix XIP file writes · 369b8f5a
      Nick Piggin authored
      Writing to XIP files at a non-page-aligned offset results in data corruption
      because the writes were always sent to the start of the page.
      Signed-off-by: default avatarNick Piggin <npiggin@suse.de>
      Cc: Christian Borntraeger <borntraeger@de.ibm.com>
      Acked-by: default avatarCarsten Otte <cotte@de.ibm.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      369b8f5a