<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/lib, branch v2.6.34.3</title>
<subtitle>Linux kernel source tree</subtitle>
<id>https://git.amat.us/linux/atom/lib?h=v2.6.34.3</id>
<link rel='self' href='https://git.amat.us/linux/atom/lib?h=v2.6.34.3'/>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/'/>
<updated>2010-07-05T18:22:35Z</updated>
<entry>
<title>idr: fix backtrack logic in idr_remove_all</title>
<updated>2010-07-05T18:22:35Z</updated>
<author>
<name>Imre Deak</name>
<email>imre.deak@nokia.com</email>
</author>
<published>2010-05-26T21:43:38Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=f9e1801acb7b3be613ee0f1ae263e4134deefce8'/>
<id>urn:sha1:f9e1801acb7b3be613ee0f1ae263e4134deefce8</id>
<content type='text'>
commit 2dcb22b346be7b7b7e630a8970d69cf3f1111ec1 upstream.

Currently idr_remove_all will fail with a use after free error if
idr::layers is bigger than 2, which on 32 bit systems corresponds to items
more than 1024.  This is due to stepping back too many levels during
backtracking.  For simplicity let's assume that IDR_BITS=1 -&gt; we have 2
nodes at each level below the root node and each leaf node stores two IDs.
 (In reality for 32 bit systems IDR_BITS=5, with 32 nodes at each sub-root
level and 32 IDs in each leaf node).  The sequence of freeing the nodes at
the moment is as follows:

layer
1 -&gt;                       a(7)
2 -&gt;            b(3)                  c(5)
3 -&gt;        d(1)   e(2)           f(4)    g(6)

Until step 4 things go fine, but then node c is freed, whereas node g
should be freed first.  Since node c contains the pointer to node g we'll
have a use after free error at step 6.

How many levels we step back after visiting the leaf nodes is currently
determined by the msb of the id we are currently visiting:

Step
1.          node d with IDs 0,1 is freed, current ID is advanced to 2.
            msb of the current ID is bit 1. This means we need to step back
            1 level to node b and take the next sibling, node e.
2-3.        node e with IDs 2,3 is freed, current ID is 4, msb is bit 2.
            This means we need to step back 2 levels to node a, freeing
            node b on the way.
4-5.        node f with IDs 4,5 is freed, current ID is 6, msb is still
            bit 2. This means we again need to step back 2 levels to node
            a and free c on the way.
6.          We should visit node g, but its pointer is not available as
            node c was freed.

The fix changes how we determine the number of levels to step back.
Instead of deducting this merely from the msb of the current ID, we should
really check if advancing the ID causes an overflow to a bit position
corresponding to a given layer.  In the above example overflow from bit 0
to bit 1 should mean stepping back 1 level.  Overflow from bit 1 to bit 2
should mean stepping back 2 levels and so on.

The fix was tested with IDs up to 1 &lt;&lt; 20, which corresponds to 4 layers
on 32 bit systems.

Signed-off-by: Imre Deak &lt;imre.deak@nokia.com&gt;
Reviewed-by: Tejun Heo &lt;tj@kernel.org&gt;
Cc: Eric Paris &lt;eparis@redhat.com&gt;
Cc: "Paul E. McKenney" &lt;paulmck@linux.vnet.ibm.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>lib/btree: fix possible NULL pointer dereference</title>
<updated>2010-05-15T19:48:10Z</updated>
<author>
<name>kirjanov@gmail.com</name>
<email>kirjanov@gmail.com</email>
</author>
<published>2010-05-15T16:32:34Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=43aa7ac736a4e21aae4882bd8f7c67403aed45b8'/>
<id>urn:sha1:43aa7ac736a4e21aae4882bd8f7c67403aed45b8</id>
<content type='text'>
mempool_alloc() can return null in atomic case.

Signed-off-by: Denis Kirjanov &lt;kirjanov@gmail.com&gt;
Cc: Joern Engel &lt;joern@logfs.org&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
<entry>
<title>rwsem: Test for no active locks in __rwsem_do_wake undo code</title>
<updated>2010-05-13T01:23:34Z</updated>
<author>
<name>Michel Lespinasse</name>
<email>walken@google.com</email>
</author>
<published>2010-05-12T10:38:45Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=91af70814105f4c05e6e11b51c3269907b71794b'/>
<id>urn:sha1:91af70814105f4c05e6e11b51c3269907b71794b</id>
<content type='text'>
If there are no active threads using a semaphore, it is always correct
to unqueue blocked threads.  This seems to be what was intended in the
undo code.

What was done instead, was to look for a sem count of zero - this is an
impossible situation, given that at least one thread is known to be
queued on the semaphore.  The code might be correct as written, but it's
hard to reason about and it's not what was intended (otherwise the goto
out would have been unconditional).

Go for checking the active count - the alternative is not worth the
headache.

Signed-off-by: Michel Lespinasse &lt;walken@google.com&gt;
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
<entry>
<title>lib/vsprintf.c: add missing EXPORT_SYMBOL(simple_strtoll)</title>
<updated>2010-04-24T18:31:26Z</updated>
<author>
<name>Hans Verkuil</name>
<email>hverkuil@xs4all.nl</email>
</author>
<published>2010-04-23T17:18:04Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=98d5ce0d0044666fc85a01915a1d22407eb546fd'/>
<id>urn:sha1:98d5ce0d0044666fc85a01915a1d22407eb546fd</id>
<content type='text'>
Add a missing EXPORT_SYMBOL.

I must be the first person that wants to use this function :-)

Signed-off-by: Hans Verkuil &lt;hverkuil@xs4all.nl&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
<entry>
<title>lib: fix the use of LZO to decompress initramfs images</title>
<updated>2010-04-24T18:31:25Z</updated>
<author>
<name>Albin Tonnerre</name>
<email>albin.tonnerre@free-electrons.com</email>
</author>
<published>2010-04-23T17:17:58Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=ccdb40048b2972f10bdc944913c0e0ee26b5d1f2'/>
<id>urn:sha1:ccdb40048b2972f10bdc944913c0e0ee26b5d1f2</id>
<content type='text'>
This patch fixes 2 issues with the LZO decompressor:

- It doesn't handle the case where a block isn't compressed at all.  In
  this case, calling lzo1x_decompress_safe will fail, so we need to just
  use memcpy() instead (the upstream LZO code does something similar)

- Since commit 54291362d2a5738e1b0495df2abcb9e6b0563a3f ("initramfs: add
  missing decompressor error check"), the decompressor return code is
  checked in init/initramfs.c.  The LZO decompressor didn't return the
  expected value, causing the initramfs code to falsely believe a
  decompression error occurred

Signed-off-by: Albin Tonnerre &lt;albin.tonnerre@free-electrons.com&gt;
Tested-by: bert schulze &lt;spambemyguest@googlemail.com&gt;
Cc: "H. Peter Anvin" &lt;hpa@zytor.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
<entry>
<title>flex_array: fix the panic when calling flex_array_alloc() without __GFP_ZERO</title>
<updated>2010-04-24T18:31:24Z</updated>
<author>
<name>Changli Gao</name>
<email>xiaosuo@gmail.com</email>
</author>
<published>2010-04-23T17:17:45Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=e59464c735db19619cde2aa331609adb02005f5b'/>
<id>urn:sha1:e59464c735db19619cde2aa331609adb02005f5b</id>
<content type='text'>
memset() is called with the wrong address and the kernel panics.

Signed-off-by: Changli Gao &lt;xiaosuo@gmail.com&gt;
Cc: Patrick McHardy &lt;kaber@trash.net&gt;
Acked-by: David Rientjes &lt;rientjes@google.com&gt;
Cc: &lt;stable@kernel.org&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
<entry>
<title>Merge branch 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip</title>
<updated>2010-04-15T19:20:56Z</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2010-04-15T19:20:56Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=dc57da3875f527b1cc195ea4ce5bd32e1e68433d'/>
<id>urn:sha1:dc57da3875f527b1cc195ea4ce5bd32e1e68433d</id>
<content type='text'>
* 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  x86/gart: Disable GART explicitly before initialization
  dma-debug: Cleanup for copy-loop in filter_write()
  x86/amd-iommu: Remove obsolete parameter documentation
  x86/amd-iommu: use for_each_pci_dev
  Revert "x86: disable IOMMUs on kernel crash"
  x86/amd-iommu: warn when issuing command to uninitialized cmd buffer
  x86/amd-iommu: enable iommu before attaching devices
  x86/amd-iommu: Use helper function to destroy domain
  x86/amd-iommu: Report errors in acpi parsing functions upstream
  x86/amd-iommu: Pt mode fix for domain_destroy
  x86/amd-iommu: Protect IOMMU-API map/unmap path
  x86/amd-iommu: Remove double NULL check in check_device
</content>
</entry>
<entry>
<title>vsprintf: Change struct printf_spec.precision from s8 to s16</title>
<updated>2010-04-14T17:32:35Z</updated>
<author>
<name>Joe Perches</name>
<email>joe@perches.com</email>
</author>
<published>2010-04-14T16:27:40Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=4e310fda91cb095915395f811d10b2c900c9589e'/>
<id>urn:sha1:4e310fda91cb095915395f811d10b2c900c9589e</id>
<content type='text'>
Commit ef0658f3de484bf9b173639cd47544584e01efa5 changed precision
from int to s8.

There is existing kernel code that uses a larger precision.

An example from the audit code:
	vsnprintf(...,..., " msg='%.1024s'", (char *)data);
which overflows precision and truncates to nothing.

Extending precision size fixes the audit system issue.

Other changes:

Change the size of the struct printf_spec.type from u16 to u8 so
sizeof(struct printf_spec) stays as small as possible.
Reorder the struct members so sizeof(struct printf_spec) remains 64 bits
without alignment holes.
Document the struct members a bit more.

Original-patch-by: Eric Paris &lt;eparis@redhat.com&gt;
Signed-off-by: Joe Perches &lt;joe@perches.com&gt;
Tested-by: Justin P. Mattock &lt;justinmattock@gmail.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
<entry>
<title>Merge branch 'iommu/fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/linux-2.6-iommu into x86/urgent</title>
<updated>2010-04-13T11:24:54Z</updated>
<author>
<name>Ingo Molnar</name>
<email>mingo@elte.hu</email>
</author>
<published>2010-04-13T11:24:54Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=2b2f862ee6ef8ae8f913fee6af2112c5ffeedf94'/>
<id>urn:sha1:2b2f862ee6ef8ae8f913fee6af2112c5ffeedf94</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Merge branch 'master' of /home/davem/src/GIT/linux-2.6/</title>
<updated>2010-04-13T07:28:45Z</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2010-04-13T07:28:45Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=9343af084c7e8911897b0883042ee690cee3aaef'/>
<id>urn:sha1:9343af084c7e8911897b0883042ee690cee3aaef</id>
<content type='text'>
Conflicts:
	lib/Kconfig.debug
</content>
</entry>
</feed>
