1. 06 Dec, 2007 24 commits
  2. 05 Dec, 2007 16 commits
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/mingo/linux-2.6-sched · 7e1fb765
      Linus Torvalds authored
      * git://git.kernel.org/pub/scm/linux/kernel/git/mingo/linux-2.6-sched:
        futex: correctly return -EFAULT not -EINVAL
        lockdep: in_range() fix
        lockdep: fix debug_show_all_locks()
        sched: style cleanups
        futex: fix for futex_wait signal stack corruption
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6 · ad658cec
      Linus Torvalds authored
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6:
        VM/Security: add security hook to do_brk
        Security: round mmap hint address above mmap_min_addr
        security: protect from stack expansion into low vm addresses
        Security: allow capable check to permit mmap or low vm space
        SELinux: detect dead booleans
        SELinux: do not clear f_op when removing entries
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 · 2a1292b3
      Linus Torvalds authored
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6:
        [LRO]: fix lro_gen_skb() alignment
        [TCP]: NAGLE_PUSH seems to be a wrong way around
        [TCP]: Move prior_in_flight collect to more robust place
        [TCP] FRTO: Use of existing funcs make code more obvious & robust
        [IRDA]: Move ircomm_tty_line_info() under #ifdef CONFIG_PROC_FS
        [ROSE]: Trivial compilation CONFIG_INET=n case
        [IPVS]: Fix sched registration race when checking for name collision.
        [IPVS]: Don't leak sysctl tables if the scheduler registration fails.
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-2.6 · 2cfae273
      Linus Torvalds authored
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-2.6:
        [SPARC64]: Update defconfig.
        [SPARC]: Add missing of_node_put
        [SPARC64]: check for possible NULL pointer dereference
        [SPARC]: Add missing "space"
        [SPARC64]: Add missing "space"
        [SPARC64]: Add missing pci_dev_put
        [SYSCTL_CHECK]: Fix typo in KERN_SPARC_SCONS_PWROFF entry string.
        [SPARC64]: Missing mdesc_release() in ldc_init().
    • remove nonsense force-casts from ocfs2 · 97bd7919
      Al Viro authored
      endianness annotations in networking code had been in place for quite a
      while; in particular, sin_port and s_addr are annotated as big-endian.
      
      Code in ocfs2 had __force casts added apparently to shut the sparse
      warnings up; of course, these days they only serve to *produce* warnings
      for no reason whatsoever...
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • regression: bfs endianness bug · 7e46aa5c
      Al Viro authored
      BFS_FILEBLOCKS() expects struct bfs_inode * (on-disk data, with little-
      endian fields), not struct bfs_inode_info * (in-core stuff, with host-
      endian ones).
      
      It's a macro and fields with the right names are present in
      bfs_inode_info, so it compiles, but on big-endian host it gives bogus
      results.
      
      Introduced in commit f433dc56 ("Fixes to
      the BFS filesystem driver").
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • fcrypt endianness misannotations · 3c50b368
      Al Viro authored
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • no need to mess with KBUILD_CFLAGS on uml-i386 anymore · 79901a97
      Al Viro authored
      Now that X86_32 is provided on Kconfig level for uml-i386, there's no
      need to play with it explicitly on Makefile level anymore.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      Acked-by: Jeff Dike <jdike@addtoit.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • regression: cifs endianness bug · 9b5e6857
      Al Viro authored
      access_flags_to_mode() gets on-the-wire data (little-endian) and treats
      it as host-endian.
      
      Introduced in commit e01b6400 ("[CIFS]
      enable get mode from ACL when cifsacl mount option specified")
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • VM/Security: add security hook to do_brk · ecaf18c1
      Eric Paris authored
      Given a specifically crafted binary do_brk() can be used to get low pages
      available in userspace virtual memory and can thus be used to circumvent
      the mmap_min_addr low memory protection.  Add security checks in do_brk().
      Signed-off-by: Eric Paris <eparis@redhat.com>
      Acked-by: Alan Cox <alan@redhat.com>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: James Morris <jmorris@namei.org>
      Cc: Chris Wright <chrisw@sous-sol.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • SLUB's ksize() fails for size > 2048 · 294a80a8
      Vegard Nossum authored
      I can't pass memory allocated by kmalloc() to ksize() if it is allocated by
      SLUB allocator and size is larger than (I guess) PAGE_SIZE / 2.
      
      The error of ksize() seems to be that it does not check if the allocation
      was made by SLUB or the page allocator.
      Reviewed-by: Pekka Enberg <penberg@cs.helsinki.fi>
      Tested-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Cc: Christoph Lameter <clameter@sgi.com>, Matt Mackall <mpm@selenic.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • proc: fix proc_dir_entry refcounting · 5a622f2d
      Alexey Dobriyan authored
      Creating PDEs with refcount 0 and "deleted" flag has problems (see below).
      Switch to usual scheme:
      * PDE is created with refcount 1
      * every de_get does +1
      * every de_put() and remove_proc_entry() do -1
      * once refcount reaches 0, PDE is freed.
      
      This elegantly fixes at least the following two races (both observed) without
      introducing new locks, without abusing old locks, without spreading
      lock_kernel():
      
      1) PDE leak
      
      remove_proc_entry			de_put
      -----------------			------
      			[refcnt = 1]
      if (atomic_read(&de->count) == 0)
      					if (atomic_dec_and_test(&de->count))
      						if (de->deleted)
      							/* also not taken! */
      							free_proc_entry(de);
      else
      	de->deleted = 1;
      		[refcount=0, deleted=1]
      
      2) use after free
      
      remove_proc_entry			de_put
      -----------------			------
      			[refcnt = 1]
      
      					if (atomic_dec_and_test(&de->count))
      if (atomic_read(&de->count) == 0)
      	free_proc_entry(de);
      						/* boom! */
      						if (de->deleted)
      							free_proc_entry(de);
      
      BUG: unable to handle kernel paging request at virtual address 6b6b6b6b
      printing eip: c10acdda *pdpt = 00000000338f8001 *pde = 0000000000000000
      Oops: 0000 [#1] PREEMPT SMP
      Modules linked in: af_packet ipv6 cpufreq_ondemand loop serio_raw psmouse k8temp hwmon sr_mod cdrom
      Pid: 23161, comm: cat Not tainted (2.6.24-rc2-8c086340 #4)
      EIP: 0060:[<c10acdda>] EFLAGS: 00210097 CPU: 1
      EIP is at strnlen+0x6/0x18
      EAX: 6b6b6b6b EBX: 6b6b6b6b ECX: 6b6b6b6b EDX: fffffffe
      ESI: c128fa3b EDI: f380bf34 EBP: ffffffff ESP: f380be44
       DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
      Process cat (pid: 23161, ti=f380b000 task=f38f2570 task.ti=f380b000)
      Stack: c10ac4f0 00000278 c12ce000 f43cd2a8 00000163 00000000 7da86067 00000400
             c128fa20 00896b18 f38325a8 c128fe20 ffffffff 00000000 c11f291e 00000400
             f75be300 c128fa20 f769c9a0 c10ac779 f380bf34 f7bfee70 c1018e6b f380bf34
      Call Trace:
       [<c10ac4f0>] vsnprintf+0x2ad/0x49b
       [<c10ac779>] vscnprintf+0x14/0x1f
       [<c1018e6b>] vprintk+0xc5/0x2f9
       [<c10379f1>] handle_fasteoi_irq+0x0/0xab
       [<c1004f44>] do_IRQ+0x9f/0xb7
       [<c117db3b>] preempt_schedule_irq+0x3f/0x5b
       [<c100264e>] need_resched+0x1f/0x21
       [<c10190ba>] printk+0x1b/0x1f
       [<c107c8ad>] de_put+0x3d/0x50
       [<c107c8f8>] proc_delete_inode+0x38/0x41
       [<c107c8c0>] proc_delete_inode+0x0/0x41
       [<c1066298>] generic_delete_inode+0x5e/0xc6
       [<c1065aa9>] iput+0x60/0x62
       [<c1063c8e>] d_kill+0x2d/0x46
       [<c1063fa9>] dput+0xdc/0xe4
       [<c10571a1>] __fput+0xb0/0xcd
       [<c1054e49>] filp_close+0x48/0x4f
       [<c1055ee9>] sys_close+0x67/0xa5
       [<c10026b6>] sysenter_past_esp+0x5f/0x85
      =======================
      Code: c9 74 0c f2 ae 74 05 bf 01 00 00 00 4f 89 fa 5f 89 d0 c3 85 c9 57 89 c7 89 d0 74 05 f2 ae 75 01 4f 89 f8 5f c3 89 c1 89 c8 eb 06 <80> 38 00 74 07 40 4a 83 fa ff 75 f4 29 c8 c3 90 90 90 57 83 c9
      EIP: [<c10acdda>] strnlen+0x6/0x18 SS:ESP 0068:f380be44
      
      Also, remove broken usage of ->deleted from reiserfs: if sget() succeeds,
      module is already pinned and remove_proc_entry() can't happen => nobody
      can mark PDE deleted.
      
      Dummy proc root in netns code is not marked with refcount 1. AFAICS, we
      never get it, it's just for proper /proc/net removal. I double checked
      CLONE_NETNS continues to work.
      
      Patch survives many hours of modprobe/rmmod/cat loops without new bugs
      which can be attributed to refcounting.
      Signed-off-by: Alexey Dobriyan <adobriyan@sw.ru>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • jbd: Fix assertion failure in fs/jbd/checkpoint.c · d4beaf4a
      Jan Kara authored
      Before we start committing a transaction, we call
      __journal_clean_checkpoint_list() to cleanup transaction's written-back
      buffers.
      
      If this call happens to remove all of them (and there were already some
      buffers), __journal_remove_checkpoint() will decide to free the transaction
      because it isn't (yet) a committing transaction and soon we fail some
      assertion - the transaction really isn't ready to be freed :).
      
      We change the check in __journal_remove_checkpoint() to free only a
      transaction in T_FINISHED state.  The locking there is subtle though (as
      everywhere in JBD ;().  We use j_list_lock to protect the check and a
      subsequent call to __journal_drop_transaction() and do the same in the end
      of journal_commit_transaction() which is the only place where a transaction
      can get to T_FINISHED state.
      
      Probably I'm too paranoid here and such locking is not really necessary -
      checkpoint lists are processed only from log_do_checkpoint() where a
      transaction must be already committed to be processed or from
      __journal_clean_checkpoint_list() where kjournald itself calls it and thus
      transaction cannot change state either.  Better be safe if something
      changes in future...
      Signed-off-by: Jan Kara <jack@suse.cz>
      Cc: <linux-ext4@vger.kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • mm: fix XIP file writes · 369b8f5a
      Nick Piggin authored
      Writing to XIP files at a non-page-aligned offset results in data corruption
      because the writes were always sent to the start of the page.
      Signed-off-by: Nick Piggin <npiggin@suse.de>
      Cc: Christian Borntraeger <borntraeger@de.ibm.com>
      Acked-by: Carsten Otte <cotte@de.ibm.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • gpio_cs5535: disable AUX on output · 4670df83
      Ben Gardner authored
      The AMD CS5535/CS5536 GPIO has two alternate output modes: AUX-1 and AUX-2.
      When either AUX is enabled, the cs5535_gpio driver cannot control the
      output.
      
      Some BIOS code for the Geode processor enables AUX-1 for GPIO-1, which
      configures it as the PC BEEP output.
      
      This patch will disable AUX-1 and AUX-2 when the user enables output.
      Signed-off-by: Ben Gardner <gardner.ben@gmail.com>
      Cc: Richard Knutsson <ricknu-0@student.ltu.se>
      Cc: David Brownell <david-b@pacbell.net>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Avoid potential NULL dereference in unregister_sysctl_table · f1dad166
      Pavel Emelyanov authored
      register_sysctl_table() can return NULL sometimes, e.g.  when kmalloc()
      returns NULL or when sysctl check fails.
      
      I've also noticed that much (most?) code in the kernel doesn't check
      the return value from register_sysctl_table() and later simply calls
      unregister_sysctl_table() with a potentially NULL argument.
      
      This is unlikely on a common kernel configuration, but in case we're
      dealing with modules and/or fault-injection support, there's a slight
      possibility of an OOPS.
      
      Changing all the users to check the return code from the registration does
      not look like a good solution - there is too much code doing this and a
      failure in sysctl table registration is not a good reason to abort module
      loading (in most of the cases).
      
      So I think that we can just have this check in unregister_sysctl_table()
      just to avoid accidental OOPSes (actually, unregister_sysctl_table()
      did exactly this before start_unregistering() appeared).
      Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>