<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/lib, branch v3.10.22</title>
<subtitle>Linux kernel source tree</subtitle>
<id>https://git.amat.us/linux/atom/lib?h=v3.10.22</id>
<link rel='self' href='https://git.amat.us/linux/atom/lib?h=v3.10.22'/>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/'/>
<updated>2013-12-04T18:56:06Z</updated>
<entry>
<title>vsprintf: check real user/group id for %pK</title>
<updated>2013-12-04T18:56:06Z</updated>
<author>
<name>Ryan Mallon</name>
<email>rmallon@gmail.com</email>
</author>
<published>2013-11-12T23:08:51Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=7135a8a100fb1bc8d15f90a31e72faccdb4d7118'/>
<id>urn:sha1:7135a8a100fb1bc8d15f90a31e72faccdb4d7118</id>
<content type='text'>
commit 312b4e226951f707e120b95b118cbc14f3d162b2 upstream.

Some setuid binaries will allow reading of files which have read
permission by the real user id.  This is problematic with files which
use %pK because the file access permission is checked at open() time,
but the kptr_restrict setting is checked at read() time.  If a setuid
binary opens a %pK file as an unprivileged user, and then elevates
permissions before reading the file, then kernel pointer values may be
leaked.

This happens for example with the setuid pppd application on Ubuntu 12.04:

  $ head -1 /proc/kallsyms
  00000000 T startup_32

  $ pppd file /proc/kallsyms
  pppd: In file /proc/kallsyms: unrecognized option 'c1000000'

This will only leak the pointer value from the first line, but other
setuid binaries may leak more information.

Fix this by adding a check that, in addition to the current process having
CAP_SYSLOG, the effective user and group ids are equal to the real ids.
If a setuid binary reads the contents of a file which uses %pK then the
pointer values will be printed as NULL if the real user is unprivileged.

Update the sysctl documentation to reflect the changes, and also correct
the documentation to state that kptr_restrict=0 is the default.

This is only a temporary solution to the issue.  The correct solution is
to do the permission check at open() time on files, and to replace %pK
with a function which checks the open() time permission.  %pK uses in
printk should be removed since no sane permission check can be done, and
instead protected by using dmesg_restrict.

Signed-off-by: Ryan Mallon &lt;rmallon@gmail.com&gt;
Cc: Kees Cook &lt;keescook@chromium.org&gt;
Cc: Alexander Viro &lt;viro@zeniv.linux.org.uk&gt;
Cc: Joe Perches &lt;joe@perches.com&gt;
Cc: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>lib/scatterlist.c: don't flush_kernel_dcache_page on slab page</title>
<updated>2013-11-13T03:05:33Z</updated>
<author>
<name>Ming Lei</name>
<email>ming.lei@canonical.com</email>
</author>
<published>2013-10-31T23:34:17Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=e14594cd658f655ae3384fcc3ec8c345b36cd4d0'/>
<id>urn:sha1:e14594cd658f655ae3384fcc3ec8c345b36cd4d0</id>
<content type='text'>
commit 3d77b50c5874b7e923be946ba793644f82336b75 upstream.

Commit b1adaf65ba03 ("[SCSI] block: add sg buffer copy helper
functions") introduces two sg buffer copy helpers, and calls
flush_kernel_dcache_page() on pages in SG list after these pages are
written to.

Unfortunately, the commit may introduce a potential bug:

 - Before sending some SCSI commands, kmalloc() buffer may be passed to
   block layer, so flush_kernel_dcache_page() can see a slab page
   finally

 - According to cachetlb.txt, flush_kernel_dcache_page() is only called
   on "a user page", which surely can't be a slab page.

 - ARCH's implementation of flush_kernel_dcache_page() may use page
   mapping information to do optimization so page_mapping() will see the
   slab page, then VM_BUG_ON() is triggered.

Aaro Koskinen reported the bug on ARM/kirkwood when DEBUG_VM is enabled,
and this patch fixes the bug by adding test of '!PageSlab(miter-&gt;page)'
before calling flush_kernel_dcache_page().

Signed-off-by: Ming Lei &lt;ming.lei@canonical.com&gt;
Reported-by: Aaro Koskinen &lt;aaro.koskinen@iki.fi&gt;
Tested-by: Simon Baatz &lt;gmbnomis@gmail.com&gt;
Cc: Russell King - ARM Linux &lt;linux@arm.linux.org.uk&gt;
Cc: Will Deacon &lt;will.deacon@arm.com&gt;
Cc: Aaro Koskinen &lt;aaro.koskinen@iki.fi&gt;
Acked-by: Catalin Marinas &lt;catalin.marinas@arm.com&gt;
Cc: FUJITA Tomonori &lt;fujita.tomonori@lab.ntt.co.jp&gt;
Cc: Tejun Heo &lt;tj@kernel.org&gt;
Cc: "James E.J. Bottomley" &lt;JBottomley@parallels.com&gt;
Cc: Jens Axboe &lt;axboe@kernel.dk&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>lib/Kconfig.debug: Restrict FRAME_POINTER for MIPS</title>
<updated>2013-07-28T23:30:12Z</updated>
<author>
<name>Markos Chandras</name>
<email>markos.chandras@imgtec.com</email>
</author>
<published>2013-06-11T08:49:50Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=3c19c4f9b4eeabe75eddbec1a0e8599c940e8ec8'/>
<id>urn:sha1:3c19c4f9b4eeabe75eddbec1a0e8599c940e8ec8</id>
<content type='text'>
commit 25c87eae1725ed77a8b44d782a86abdc279b4ede upstream.

FAULT_INJECTION_STACKTRACE_FILTER selects FRAME_POINTER but
that symbol is not available for MIPS.

Fixes the following problem on a randconfig:
warning: (LOCKDEP &amp;&amp; FAULT_INJECTION_STACKTRACE_FILTER &amp;&amp; LATENCYTOP &amp;&amp;
 KMEMCHECK) selects FRAME_POINTER which has unmet direct dependencies
(DEBUG_KERNEL &amp;&amp; (CRIS || M68K || FRV || UML || AVR32 || SUPERH || BLACKFIN ||
MN10300 || METAG) || ARCH_WANT_FRAME_POINTERS)

Signed-off-by: Markos Chandras &lt;markos.chandras@imgtec.com&gt;
Acked-by: Steven J. Hill &lt;Steven.Hill@imgtec.com&gt;
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/5441/
Signed-off-by: Ralf Baechle &lt;ralf@linux-mips.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>lib/mpi/mpicoder.c: looping issue, need stop when equal to zero, found by 'EXTRA_FLAGS=-W'.</title>
<updated>2013-06-12T23:29:44Z</updated>
<author>
<name>Chen Gang</name>
<email>gang.chen@asianux.com</email>
</author>
<published>2013-06-12T21:04:40Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=5402b8047b0d286b6501f9097891cbf1e06daa3a'/>
<id>urn:sha1:5402b8047b0d286b6501f9097891cbf1e06daa3a</id>
<content type='text'>
For the 'while' loop, we need to stop when 'nbytes == 0', or it will cause an issue.
('nbytes' is size_t, which is always greater than or equal to zero).

The related warning: (with EXTRA_CFLAGS=-W)

  lib/mpi/mpicoder.c:40:2: warning: comparison of unsigned expression &gt;= 0 is always true [-Wtype-limits]

Signed-off-by: Chen Gang &lt;gang.chen@asianux.com&gt;
Cc: Rusty Russell &lt;rusty@rustcorp.com.au&gt;
Cc: David Howells &lt;dhowells@redhat.com&gt;
Cc: James Morris &lt;james.l.morris@oracle.com&gt;
Cc: Andy Shevchenko &lt;andriy.shevchenko@linux.intel.com&gt;
Acked-by: David Howells &lt;dhowells@redhat.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
<entry>
<title>MPILIB: disable usage of floating point registers on parisc</title>
<updated>2013-05-24T20:30:11Z</updated>
<author>
<name>Helge Deller</name>
<email>deller@gmx.de</email>
</author>
<published>2013-05-05T22:08:22Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=70ef5578dd8011eeafa999a18194d9b548a4d889'/>
<id>urn:sha1:70ef5578dd8011eeafa999a18194d9b548a4d889</id>
<content type='text'>
The umul_ppmm() macro for parisc uses the xmpyu assembler statement
which does calculation via a floating point register.

But usage of floating point registers inside the Linux kernel is not
allowed and gcc will stop compilation due to the -mdisable-fpregs
compiler option.

Fix this by disabling the umul_ppmm() and udiv_qrnnd() macros. The
mpilib will then use the generic built-in implementations instead.

Signed-off-by: Helge Deller &lt;deller@gmx.de&gt;
</content>
</entry>
<entry>
<title>Merge tag 'driver-core-3.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core</title>
<updated>2013-05-23T16:27:08Z</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2013-05-23T16:27:08Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=c7153d0643dd161df9e7a2fcb952418055aa5fca'/>
<id>urn:sha1:c7153d0643dd161df9e7a2fcb952418055aa5fca</id>
<content type='text'>
Pull driver core fixes from Greg Kroah-Hartman:
 "Here are 3 tiny driver core fixes for 3.10-rc2.

  A needed symbol export, a change to make it easier to track down
  offending sysfs files with incorrect attributes, and a klist bugfix.

  All have been in linux-next for a while"

* tag 'driver-core-3.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
  klist: del waiter from klist_remove_waiters before wakeup waitting process
  driver core: print sysfs attribute name when warning about bogus permissions
  driver core: export subsys_virtual_register
</content>
</entry>
<entry>
<title>lib: make iovec obj instead of lib</title>
<updated>2013-05-23T16:17:11Z</updated>
<author>
<name>Randy Dunlap</name>
<email>rdunlap@infradead.org</email>
</author>
<published>2013-05-23T05:46:09Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=b4d3ba3346f092b9185da991414775281ceacaac'/>
<id>urn:sha1:b4d3ba3346f092b9185da991414775281ceacaac</id>
<content type='text'>
Fix build error in vmw_vmci.ko when CONFIG_VMWARE_VMCI=m by changing
iovec.o from lib-y to obj-y.

  ERROR: "memcpy_toiovec" [drivers/misc/vmw_vmci/vmw_vmci.ko] undefined!
  ERROR: "memcpy_fromiovec" [drivers/misc/vmw_vmci/vmw_vmci.ko] undefined!

Signed-off-by: Randy Dunlap &lt;rdunlap@infradead.org&gt;
Acked-by: Rusty Russell &lt;rusty@rustcorp.com.au&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
<entry>
<title>klist: del waiter from klist_remove_waiters before wakeup waitting process</title>
<updated>2013-05-21T17:16:39Z</updated>
<author>
<name>wang, biao</name>
<email>biao.wang@intel.com</email>
</author>
<published>2013-05-16T01:50:13Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=ac5a2962b02f57dea76d314ef2521a2170b28ab6'/>
<id>urn:sha1:ac5a2962b02f57dea76d314ef2521a2170b28ab6</id>
<content type='text'>
There is a race between klist_remove and klist_release. klist_remove
uses a local var waiter saved on stack. When klist_release calls
wake_up_process(waiter-&gt;process) to wake up the waiter, waiter might run
immediately and reuse the stack. Then, klist_release calls
list_del(&amp;waiter-&gt;list), which changes the previous wait data and
corrupts the prior waiter thread.

The patch fixes it against kernel 3.9.

Signed-off-by: wang, biao &lt;biao.wang@intel.com&gt;
Acked-by: Peter Zijlstra &lt;peterz@infradead.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>Hoist memcpy_fromiovec/memcpy_toiovec into lib/</title>
<updated>2013-05-20T00:54:22Z</updated>
<author>
<name>Rusty Russell</name>
<email>rusty@rustcorp.com.au</email>
</author>
<published>2013-05-16T23:35:21Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=d2f83e9078b8114e3b9d09082856c1aac299aa37'/>
<id>urn:sha1:d2f83e9078b8114e3b9d09082856c1aac299aa37</id>
<content type='text'>
ERROR: "memcpy_fromiovec" [drivers/vhost/vhost_scsi.ko] undefined!

That function is only present with CONFIG_NET.  Turns out that
crypto/algif_skcipher.c also uses that outside net, but it actually
needs sockets anyway.

In addition, commit 6d4f0139d642c45411a47879325891ce2a7c164a added
CONFIG_NET dependency to CONFIG_VMCI for memcpy_toiovec, so hoist
that function and revert that commit too.

socket.h already includes uio.h, so no callers need updating; trying
only broke things for x86_64 randconfig (thanks Fengguang!).

Reported-by: Randy Dunlap &lt;rdunlap@infradead.org&gt;
Acked-by: David S. Miller &lt;davem@davemloft.net&gt;
Acked-by: Michael S. Tsirkin &lt;mst@redhat.com&gt;
Signed-off-by: Rusty Russell &lt;rusty@rustcorp.com.au&gt;
</content>
</entry>
<entry>
<title>Merge branch 'for-3.10/drivers' of git://git.kernel.dk/linux-block</title>
<updated>2013-05-08T18:51:05Z</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2013-05-08T18:51:05Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=ebb37277796269da36a8bc5d72ed1e8e1fb7d34b'/>
<id>urn:sha1:ebb37277796269da36a8bc5d72ed1e8e1fb7d34b</id>
<content type='text'>
Pull block driver updates from Jens Axboe:
 "It might look big in volume, but when categorized, not a lot of
  drivers are touched.  The pull request contains:

   - mtip32xx fixes from Micron.

   - A slew of drbd updates, this time in a nicer series.

   - bcache, a flash/ssd caching framework from Kent.

   - Fixes for cciss"

* 'for-3.10/drivers' of git://git.kernel.dk/linux-block: (66 commits)
  bcache: Use bd_link_disk_holder()
  bcache: Allocator cleanup/fixes
  cciss: bug fix to prevent cciss from loading in kdump crash kernel
  cciss: add cciss_allow_hpsa module parameter
  drivers/block/mg_disk.c: add CONFIG_PM_SLEEP to suspend/resume functions
  mtip32xx: Workaround for unaligned writes
  bcache: Make sure blocksize isn't smaller than device blocksize
  bcache: Fix merge_bvec_fn usage for when it modifies the bvm
  bcache: Correctly check against BIO_MAX_PAGES
  bcache: Hack around stuff that clones up to bi_max_vecs
  bcache: Set ra_pages based on backing device's ra_pages
  bcache: Take data offset from the bdev superblock.
  mtip32xx: mtip32xx: Disable TRIM support
  mtip32xx: fix a smatch warning
  bcache: Disable broken btree fuzz tester
  bcache: Fix a format string overflow
  bcache: Fix a minor memory leak on device teardown
  bcache: Documentation updates
  bcache: Use WARN_ONCE() instead of __WARN()
  bcache: Add missing #include &lt;linux/prefetch.h&gt;
  ...
</content>
</entry>
</feed>
