commit 0c2dc4da120bacc62d6d3f7cdaed11ca18e4d410
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sat Jul 13 11:40:22 2013 -0700
Linux 3.9.10
commit 3cfbfdc64a679a0f237a0e798e7cf034d26420d1
Author: Michal Hocko <mhocko@suse.cz>
Date: Mon Jul 8 16:00:27 2013 -0700
Revert "memcg: avoid dangling reference count in creation failure"
commit fa460c2d37870e0a6f94c70e8b76d05ca11b6db0 upstream.
This reverts commit e4715f01be697a.
mem_cgroup_put is hierarchy aware so mem_cgroup_put(memcg) already drops
an additional reference from all parents so the additional
mem_cgrroup_put(parent) potentially causes use-after-free.
Signed-off-by: Michal Hocko <mhocko@suse.cz>
Signed-off-by: Li Zefan <lizefan@huawei.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Glauber Costa <glommer@openvz.org>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 65fd7aab590d38047cfafdfaac47282373bda37a
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Mon May 27 19:07:19 2013 +0100
SCSI: sd: Fix parsing of 'temporary ' cache mode prefix
commit 2ee3e26c673e75c05ef8b914f54fadee3d7b9c88 upstream.
Commit 39c60a0948cc '[SCSI] sd: fix array cache flushing bug causing
performance problems' added temp as a pointer to "temporary " and used
sizeof(temp) - 1 as its length. But sizeof(temp) is the size of the
pointer, not the size of the string constant. Change temp to a static
array so that sizeof() does what was intended.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit afd8b04057818d14f6c01b7b83ecd2c03f073247
Author: Gleb Natapov <gleb@redhat.com>
Date: Fri Jun 28 13:17:18 2013 +0300
KVM: VMX: mark unusable segment as nonpresent
commit 03617c188f41eeeb4223c919ee7e66e5a114f2c6 upstream.
Some userspaces do not preserve unusable property. Since usable
segment has to be present according to VMX spec we can use present
property to amend userspace bug by making unusable segment always
nonpresent. vmx_segment_access_rights() already marks nonpresent segment
as unusable.
Reported-by: Stefan Pietsch <stefan.pietsch@lsexperts.de>
Tested-by: Stefan Pietsch <stefan.pietsch@lsexperts.de>
Signed-off-by: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 014442e5ef9a2ec935a6c304e97d01b89fcb5d24
Author: J. Bruce Fields <bfields@redhat.com>
Date: Fri Jun 21 11:48:11 2013 -0400
nfsd4: fix decoding of compounds across page boundaries
commit 247500820ebd02ad87525db5d9b199e5b66f6636 upstream.
A freebsd NFSv4.0 client was getting rare IO errors expanding a tarball.
A network trace showed the server returning BAD_XDR on the final getattr
of a getattr+write+getattr compound. The final getattr started on a
page boundary.
I believe the Linux client ignores errors on the post-write getattr, and
that that's why we haven't seen this before.
Reported-by: Rick Macklem <rmacklem@uoguelph.ca>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 0652e5080d810e8c93ab3a96dff26e37943613ec
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun Jun 30 09:03:06 2013 -0700
Revert "serial: 8250_pci: add support for another kind of NetMos Technology PCI 9835 Multi-I/O Controller"
commit 828c6a102b1f2b8583fadc0e779c46b31d448f0b upstream.
This reverts commit 8d2f8cd424ca0b99001f3ff4f5db87c4e525f366.
As reported by Stefan, this device already works with the parport_serial
driver, so the 8250_pci driver should not also try to grab it as well.
Reported-by: Stefan Seyfried <stefan.seyfried@googlemail.com>
Cc: Wang YanQing <udknight@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b3fbfad0b7ff951317f1ef03026e43667851837d
Author: Zhang Yi <wetpzy@gmail.com>
Date: Tue Jun 25 21:19:31 2013 +0800
futex: Take hugepages into account when generating futex_key
commit 13d60f4b6ab5b702dc8d2ee20999f98a93728aec upstream.
The futex_keys of process shared futexes are generated from the page
offset, the mapping host and the mapping index of the futex user space
address. This should result in an unique identifier for each futex.
Though this is not true when futexes are located in different subpages
of an hugepage. The reason is, that the mapping index for all those
futexes evaluates to the index of the base page of the hugetlbfs
mapping. So a futex at offset 0 of the hugepage mapping and another
one at offset PAGE_SIZE of the same hugepage mapping have identical
futex_keys. This happens because the futex code blindly uses
page->index.
Steps to reproduce the bug:
1. Map a file from hugetlbfs. Initialize pthread_mutex1 at offset 0
and pthread_mutex2 at offset PAGE_SIZE of the hugetlbfs
mapping.
The mutexes must be initialized as PTHREAD_PROCESS_SHARED because
PTHREAD_PROCESS_PRIVATE mutexes are not affected by this issue as
their keys solely depend on the user space address.
2. Lock mutex1 and mutex2
3. Create thread1 and in the thread function lock mutex1, which
results in thread1 blocking on the locked mutex1.
4. Create thread2 and in the thread function lock mutex2, which
results in thread2 blocking on the locked mutex2.
5. Unlock mutex2. Despite the fact that mutex2 got unlocked, thread2
still blocks on mutex2 because the futex_key points to mutex1.
To solve this issue we need to take the normal page index of the page
which contains the futex into account, if the futex is in an hugetlbfs
mapping. In other words, we calculate the normal page mapping index of
the subpage in the hugetlbfs mapping.
Mappings which are not based on hugetlbfs are not affected and still
use page->index.
Thanks to Mel Gorman who provided a patch for adding proper evaluation
functions to the hugetlbfs code to avoid exposing hugetlbfs specific
details to the futex code.
[ tglx: Massaged changelog ]
Signed-off-by: Zhang Yi <zhang.yi20@zte.com.cn>
Reviewed-by: Jiang Biao <jiang.biao2@zte.com.cn>
Tested-by: Ma Chenggong <ma.chenggong@zte.com.cn>
Reviewed-by: 'Mel Gorman' <mgorman@suse.de>
Acked-by: 'Darren Hart' <dvhart@linux.intel.com>
Cc: 'Peter Zijlstra' <peterz@infradead.org>
Link: http://lkml.kernel.org/r/000101ce71a6%24a83c5880%24f8b50980%24@com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 994f0ca83579f4f80691bbee86268c9785b94974
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue Jun 18 12:58:12 2013 -0700
MAINTAINERS: add stable_kernel_rules.txt to stable maintainer information
commit 7b175c46720f8e6b92801bb634c93d1016f80c62 upstream.
This hopefully will help point developers to the proper way that patches
should be submitted for inclusion in the stable kernel releases.
Reported-by: David Howells <dhowells@redhat.com>
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 24f046dd6d74e6625ab7aaa4917ad538f160693c
Author: Kees Cook <keescook@chromium.org>
Date: Wed Jul 3 15:01:15 2013 -0700
crypto: sanitize argument for format string
commit 1c8fca1d92e14859159a82b8a380d220139b7344 upstream.
The template lookup interface does not provide a way to use format
strings, so make sure that the interface cannot be abused accidentally.
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c014eebac770438b946b6512f0961b0dc64ad0f6
Author: Kees Cook <keescook@chromium.org>
Date: Wed Jul 3 15:01:14 2013 -0700
block: do not pass disk names as format strings
commit ffc8b30866879ed9ba62bd0a86fecdbd51cd3d19 upstream.
Disk names may contain arbitrary strings, so they must not be
interpreted as format strings. It seems that only md allows arbitrary
strings to be used for disk names, but this could allow for a local
memory corruption from uid 0 into ring 0.
CVE-2013-2851
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 179b66310e735a99c56b2a64fda5b3cbb03d3a97
Author: Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>
Date: Thu Jul 4 18:42:29 2013 +0200
hpfs: better test for errors
commit 3ebacb05044f82c5f0bb456a894eb9dc57d0ed90 upstream.
The test if bitmap access is out of bound could errorneously pass if the
device size is divisible by 16384 sectors and we are asking for one bitmap
after the end.
Check for invalid size in the superblock. Invalid size could cause integer
overflows in the rest of the code.
Signed-off-by: Mikulas Patocka <mpatocka@artax.karlin.mff.cuni.cz>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 93cc9014c4730b677100a349d4461c796f5cadb1
Author: Kees Cook <keescook@chromium.org>
Date: Thu Jun 6 13:52:21 2013 -0700
charger-manager: Ensure event is not used as format string
commit 3594f4c0d7bc51e3a7e6d73c44e368ae079e42f3 upstream.
The exposed interface for cm_notify_event() could result in the event msg
string being parsed as a format string. Make sure it is only used as a
literal string.
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Anton Vorontsov <cbou@mail.ru>
Cc: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Anton Vorontsov <anton@enomsg.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c569a3d754f675d41e453e7ca52573677e71290d
Author: Rusty Russell <rusty@rustcorp.com.au>
Date: Wed Jul 3 10:06:28 2013 +0930
module: do percpu allocation after uniqueness check. No, really!
commit 8d8022e8aba85192e937f1f0f7450e256d66ae5c upstream.
v3.8-rc1-5-g1fb9341 was supposed to stop parallel kvm loads exhausting
percpu memory on large machines:
Now we have a new state MODULE_STATE_UNFORMED, we can insert the
module into the list (and thus guarantee its uniqueness) before we
allocate the per-cpu region.
In my defence, it didn't actually say the patch did this. Just that
we "can".
This patch actually *does* it.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Tested-by: Jim Hull <jim.hull@hp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 07a24e531be911e4ae6e43c472b353ba775f1e22
Author: Jonathan Salwan <jonathan.salwan@gmail.com>
Date: Wed Jul 3 15:01:13 2013 -0700
drivers/cdrom/cdrom.c: use kzalloc() for failing hardware
commit 542db01579fbb7ea7d1f7bb9ddcef1559df660b2 upstream.
In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory
area with kmalloc in line 2885.
2885 cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
2886 if (cgc->buffer == NULL)
2887 return -ENOMEM;
In line 2908 we can find the copy_to_user function:
2908 if (!ret && copy_to_user(arg, cgc->buffer, blocksize))
The cgc->buffer is never cleaned and initialized before this function.
If ret = 0 with the previous basic block, it's possible to display some
memory bytes in kernel space from userspace.
When we read a block from the disk it normally fills the ->buffer but if
the drive is malfunctioning there is a chance that it would only be
partially filled. The result is an leak information to userspace.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Jonathan Salwan <jonathan.salwan@gmail.com>
Cc: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 4e94a75e20addc7086627ceab0d1c90f3b27a205
Author: majianpeng <majianpeng@gmail.com>
Date: Wed Jun 19 14:58:10 2013 +0800
ceph: fix sleeping function called from invalid context.
commit a1dc1937337a93e699eaa56968b7de6e1a9e77cf upstream.
[ 1121.231883] BUG: sleeping function called from invalid context at kernel/rwsem.c:20
[ 1121.231935] in_atomic(): 1, irqs_disabled(): 0, pid: 9831, name: mv
[ 1121.231971] 1 lock held by mv/9831:
[ 1121.231973] #0: (&(&ci->i_ceph_lock)->rlock){+.+...},at:[<ffffffffa02bbd38>] ceph_getxattr+0x58/0x1d0 [ceph]
[ 1121.231998] CPU: 3 PID: 9831 Comm: mv Not tainted 3.10.0-rc6+ #215
[ 1121.232000] Hardware name: To Be Filled By O.E.M. To Be Filled By
O.E.M./To be filled by O.E.M., BIOS 080015 11/09/2011
[ 1121.232027] ffff88006d355a80 ffff880092f69ce0 ffffffff8168348c ffff880092f69cf8
[ 1121.232045] ffffffff81070435 ffff88006d355a20 ffff880092f69d20 ffffffff816899ba
[ 1121.232052] 0000000300000004 ffff8800b76911d0 ffff88006d355a20 ffff880092f69d68
[ 1121.232056] Call Trace:
[ 1121.232062] [<ffffffff8168348c>] dump_stack+0x19/0x1b
[ 1121.232067] [<ffffffff81070435>] __might_sleep+0xe5/0x110
[ 1121.232071] [<ffffffff816899ba>] down_read+0x2a/0x98
[ 1121.232080] [<ffffffffa02baf70>] ceph_vxattrcb_layout+0x60/0xf0 [ceph]
[ 1121.232088] [<ffffffffa02bbd7f>] ceph_getxattr+0x9f/0x1d0 [ceph]
[ 1121.232093] [<ffffffff81188d28>] vfs_getxattr+0xa8/0xd0
[ 1121.232097] [<ffffffff8118900b>] getxattr+0xab/0x1c0
[ 1121.232100] [<ffffffff811704f2>] ? final_putname+0x22/0x50
[ 1121.232104] [<ffffffff81155f80>] ? kmem_cache_free+0xb0/0x260
[ 1121.232107] [<ffffffff811704f2>] ? final_putname+0x22/0x50
[ 1121.232110] [<ffffffff8109e63d>] ? trace_hardirqs_on+0xd/0x10
[ 1121.232114] [<ffffffff816957a7>] ? sysret_check+0x1b/0x56
[ 1121.232120] [<ffffffff81189c9c>] SyS_fgetxattr+0x6c/0xc0
[ 1121.232125] [<ffffffff81695782>] system_call_fastpath+0x16/0x1b
[ 1121.232129] BUG: scheduling while atomic: mv/9831/0x10000002
[ 1121.232154] 1 lock held by mv/9831:
[ 1121.232156] #0: (&(&ci->i_ceph_lock)->rlock){+.+...}, at:
[<ffffffffa02bbd38>] ceph_getxattr+0x58/0x1d0 [ceph]
I think move the ci->i_ceph_lock down is safe because we can't free
ceph_inode_info at there.
Signed-off-by: Jianpeng Ma <majianpeng@gmail.com>
Reviewed-by: Sage Weil <sage@inktank.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit fa074f3906ba77bc79d3b519e4a4b8ae08b98ea1
Author: Tyler Hicks <tyhicks@canonical.com>
Date: Thu Jun 20 13:13:59 2013 -0700
libceph: Fix NULL pointer dereference in auth client code
commit 2cb33cac622afde897aa02d3dcd9fbba8bae839e upstream.
A malicious monitor can craft an auth reply message that could cause a
NULL function pointer dereference in the client's kernel.
To prevent this, the auth_none protocol handler needs an empty
ceph_auth_client_ops->build_request() function.
CVE-2013-1059
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reported-by: Chanam Park <chanam.park@hkpco.kr>
Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
Reviewed-by: Sage Weil <sage@inktank.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>