Merge branch 'akpm' (patches from Andrew)
Merge more updates from Andrew Morton:
"147 patches, based on 7d2a07b769.
Subsystems affected by this patch series: mm (memory-hotplug, rmap,
ioremap, highmem, cleanups, secretmem, kfence, damon, and vmscan),
alpha, percpu, procfs, misc, core-kernel, MAINTAINERS, lib,
checkpatch, epoll, init, nilfs2, coredump, fork, pids, criu, kconfig,
selftests, ipc, and scripts"
* emailed patches from Andrew Morton <akpm@linux-foundation.org>: (94 commits)
scripts: check_extable: fix typo in user error message
mm/workingset: correct kernel-doc notations
ipc: replace costly bailout check in sysvipc_find_ipc()
selftests/memfd: remove unused variable
Kconfig.debug: drop selecting non-existing HARDLOCKUP_DETECTOR_ARCH
configs: remove the obsolete CONFIG_INPUT_POLLDEV
prctl: allow to setup brk for et_dyn executables
pid: cleanup the stale comment mentioning pidmap_init().
kernel/fork.c: unexport get_{mm,task}_exe_file
coredump: fix memleak in dump_vma_snapshot()
fs/coredump.c: log if a core dump is aborted due to changed file permissions
nilfs2: use refcount_dec_and_lock() to fix potential UAF
nilfs2: fix memory leak in nilfs_sysfs_delete_snapshot_group
nilfs2: fix memory leak in nilfs_sysfs_create_snapshot_group
nilfs2: fix memory leak in nilfs_sysfs_delete_##name##_group
nilfs2: fix memory leak in nilfs_sysfs_create_##name##_group
nilfs2: fix NULL pointer in nilfs_##name##_attr_release
nilfs2: fix memory leak in nilfs_sysfs_create_device_group
trap: cleanup trap_init()
init: move usermodehelper_enable() to populate_rootfs()
...
This commit is contained in:
Linus Torvalds
@@ -782,10 +782,17 @@ void do_coredump(const kernel_siginfo_t *siginfo)
|
||||
* filesystem.
|
||||
*/
|
||||
mnt_userns = file_mnt_user_ns(cprm.file);
|
||||
if (!uid_eq(i_uid_into_mnt(mnt_userns, inode), current_fsuid()))
|
||||
if (!uid_eq(i_uid_into_mnt(mnt_userns, inode),
|
||||
current_fsuid())) {
|
||||
pr_info_ratelimited("Core dump to %s aborted: cannot preserve file owner\n",
|
||||
cn.corename);
|
||||
goto close_fail;
|
||||
if ((inode->i_mode & 0677) != 0600)
|
||||
}
|
||||
if ((inode->i_mode & 0677) != 0600) {
|
||||
pr_info_ratelimited("Core dump to %s aborted: cannot preserve file permissions\n",
|
||||
cn.corename);
|
||||
goto close_fail;
|
||||
}
|
||||
if (!(cprm.file->f_mode & FMODE_CAN_WRITE))
|
||||
goto close_fail;
|
||||
if (do_truncate(mnt_userns, cprm.file->f_path.dentry,
|
||||
@@ -1127,8 +1134,10 @@ int dump_vma_snapshot(struct coredump_params *cprm, int *vma_count,
|
||||
|
||||
mmap_write_unlock(mm);
|
||||
|
||||
if (WARN_ON(i != *vma_count))
|
||||
if (WARN_ON(i != *vma_count)) {
|
||||
kvfree(*vma_meta);
|
||||
return -EFAULT;
|
||||
}
|
||||
|
||||
*vma_data_size_ptr = vma_data_size;
|
||||
return 0;
|
||||
|
||||
@@ -723,7 +723,7 @@ static int ep_remove(struct eventpoll *ep, struct epitem *epi)
|
||||
*/
|
||||
call_rcu(&epi->rcu, epi_rcu_free);
|
||||
|
||||
atomic_long_dec(&ep->user->epoll_watches);
|
||||
percpu_counter_dec(&ep->user->epoll_watches);
|
||||
|
||||
return 0;
|
||||
}
|
||||
@@ -1439,7 +1439,6 @@ static int ep_insert(struct eventpoll *ep, const struct epoll_event *event,
|
||||
{
|
||||
int error, pwake = 0;
|
||||
__poll_t revents;
|
||||
long user_watches;
|
||||
struct epitem *epi;
|
||||
struct ep_pqueue epq;
|
||||
struct eventpoll *tep = NULL;
|
||||
@@ -1449,11 +1448,15 @@ static int ep_insert(struct eventpoll *ep, const struct epoll_event *event,
|
||||
|
||||
lockdep_assert_irqs_enabled();
|
||||
|
||||
user_watches = atomic_long_read(&ep->user->epoll_watches);
|
||||
if (unlikely(user_watches >= max_user_watches))
|
||||
if (unlikely(percpu_counter_compare(&ep->user->epoll_watches,
|
||||
max_user_watches) >= 0))
|
||||
return -ENOSPC;
|
||||
if (!(epi = kmem_cache_zalloc(epi_cache, GFP_KERNEL)))
|
||||
percpu_counter_inc(&ep->user->epoll_watches);
|
||||
|
||||
if (!(epi = kmem_cache_zalloc(epi_cache, GFP_KERNEL))) {
|
||||
percpu_counter_dec(&ep->user->epoll_watches);
|
||||
return -ENOMEM;
|
||||
}
|
||||
|
||||
/* Item initialization follow here ... */
|
||||
INIT_LIST_HEAD(&epi->rdllink);
|
||||
@@ -1466,17 +1469,16 @@ static int ep_insert(struct eventpoll *ep, const struct epoll_event *event,
|
||||
mutex_lock_nested(&tep->mtx, 1);
|
||||
/* Add the current item to the list of active epoll hook for this file */
|
||||
if (unlikely(attach_epitem(tfile, epi) < 0)) {
|
||||
kmem_cache_free(epi_cache, epi);
|
||||
if (tep)
|
||||
mutex_unlock(&tep->mtx);
|
||||
kmem_cache_free(epi_cache, epi);
|
||||
percpu_counter_dec(&ep->user->epoll_watches);
|
||||
return -ENOMEM;
|
||||
}
|
||||
|
||||
if (full_check && !tep)
|
||||
list_file(tfile);
|
||||
|
||||
atomic_long_inc(&ep->user->epoll_watches);
|
||||
|
||||
/*
|
||||
* Add the current item to the RB tree. All RB tree operations are
|
||||
* protected by "mtx", and ep_insert() is called with "mtx" held.
|
||||
|
||||
@@ -51,11 +51,9 @@ static const struct sysfs_ops nilfs_##name##_attr_ops = { \
|
||||
#define NILFS_DEV_INT_GROUP_TYPE(name, parent_name) \
|
||||
static void nilfs_##name##_attr_release(struct kobject *kobj) \
|
||||
{ \
|
||||
struct nilfs_sysfs_##parent_name##_subgroups *subgroups; \
|
||||
struct the_nilfs *nilfs = container_of(kobj->parent, \
|
||||
struct the_nilfs, \
|
||||
ns_##parent_name##_kobj); \
|
||||
subgroups = nilfs->ns_##parent_name##_subgroups; \
|
||||
struct nilfs_sysfs_##parent_name##_subgroups *subgroups = container_of(kobj, \
|
||||
struct nilfs_sysfs_##parent_name##_subgroups, \
|
||||
sg_##name##_kobj); \
|
||||
complete(&subgroups->sg_##name##_kobj_unregister); \
|
||||
} \
|
||||
static struct kobj_type nilfs_##name##_ktype = { \
|
||||
@@ -81,12 +79,12 @@ static int nilfs_sysfs_create_##name##_group(struct the_nilfs *nilfs) \
|
||||
err = kobject_init_and_add(kobj, &nilfs_##name##_ktype, parent, \
|
||||
#name); \
|
||||
if (err) \
|
||||
return err; \
|
||||
return 0; \
|
||||
kobject_put(kobj); \
|
||||
return err; \
|
||||
} \
|
||||
static void nilfs_sysfs_delete_##name##_group(struct the_nilfs *nilfs) \
|
||||
{ \
|
||||
kobject_del(&nilfs->ns_##parent_name##_subgroups->sg_##name##_kobj); \
|
||||
kobject_put(&nilfs->ns_##parent_name##_subgroups->sg_##name##_kobj); \
|
||||
}
|
||||
|
||||
/************************************************************************
|
||||
@@ -197,14 +195,14 @@ int nilfs_sysfs_create_snapshot_group(struct nilfs_root *root)
|
||||
}
|
||||
|
||||
if (err)
|
||||
return err;
|
||||
kobject_put(&root->snapshot_kobj);
|
||||
|
||||
return 0;
|
||||
return err;
|
||||
}
|
||||
|
||||
void nilfs_sysfs_delete_snapshot_group(struct nilfs_root *root)
|
||||
{
|
||||
kobject_del(&root->snapshot_kobj);
|
||||
kobject_put(&root->snapshot_kobj);
|
||||
}
|
||||
|
||||
/************************************************************************
|
||||
@@ -986,7 +984,7 @@ int nilfs_sysfs_create_device_group(struct super_block *sb)
|
||||
err = kobject_init_and_add(&nilfs->ns_dev_kobj, &nilfs_dev_ktype, NULL,
|
||||
"%s", sb->s_id);
|
||||
if (err)
|
||||
goto free_dev_subgroups;
|
||||
goto cleanup_dev_kobject;
|
||||
|
||||
err = nilfs_sysfs_create_mounted_snapshots_group(nilfs);
|
||||
if (err)
|
||||
@@ -1023,9 +1021,7 @@ delete_mounted_snapshots_group:
|
||||
nilfs_sysfs_delete_mounted_snapshots_group(nilfs);
|
||||
|
||||
cleanup_dev_kobject:
|
||||
kobject_del(&nilfs->ns_dev_kobj);
|
||||
|
||||
free_dev_subgroups:
|
||||
kobject_put(&nilfs->ns_dev_kobj);
|
||||
kfree(nilfs->ns_dev_subgroups);
|
||||
|
||||
failed_create_device_group:
|
||||
|
||||
@@ -792,14 +792,13 @@ nilfs_find_or_create_root(struct the_nilfs *nilfs, __u64 cno)
|
||||
|
||||
void nilfs_put_root(struct nilfs_root *root)
|
||||
{
|
||||
if (refcount_dec_and_test(&root->count)) {
|
||||
struct the_nilfs *nilfs = root->nilfs;
|
||||
struct the_nilfs *nilfs = root->nilfs;
|
||||
|
||||
nilfs_sysfs_delete_snapshot_group(root);
|
||||
|
||||
spin_lock(&nilfs->ns_cptree_lock);
|
||||
if (refcount_dec_and_lock(&root->count, &nilfs->ns_cptree_lock)) {
|
||||
rb_erase(&root->rb_node, &nilfs->ns_cptree);
|
||||
spin_unlock(&nilfs->ns_cptree_lock);
|
||||
|
||||
nilfs_sysfs_delete_snapshot_group(root);
|
||||
iput(root->ifile);
|
||||
|
||||
kfree(root);
|
||||
|
||||
@@ -98,27 +98,17 @@
|
||||
|
||||
void proc_task_name(struct seq_file *m, struct task_struct *p, bool escape)
|
||||
{
|
||||
char *buf;
|
||||
size_t size;
|
||||
char tcomm[64];
|
||||
int ret;
|
||||
|
||||
if (p->flags & PF_WQ_WORKER)
|
||||
wq_worker_comm(tcomm, sizeof(tcomm), p);
|
||||
else
|
||||
__get_task_comm(tcomm, sizeof(tcomm), p);
|
||||
|
||||
size = seq_get_buf(m, &buf);
|
||||
if (escape) {
|
||||
ret = string_escape_str(tcomm, buf, size,
|
||||
ESCAPE_SPACE | ESCAPE_SPECIAL, "\n\\");
|
||||
if (ret >= size)
|
||||
ret = -1;
|
||||
} else {
|
||||
ret = strscpy(buf, tcomm, size);
|
||||
}
|
||||
|
||||
seq_commit(m, ret);
|
||||
if (escape)
|
||||
seq_escape_str(m, tcomm, ESCAPE_SPACE | ESCAPE_SPECIAL, "\n\\");
|
||||
else
|
||||
seq_printf(m, "%.64s", tcomm);
|
||||
}
|
||||
|
||||
/*
|
||||
|
||||
@@ -95,6 +95,7 @@
|
||||
#include <linux/posix-timers.h>
|
||||
#include <linux/time_namespace.h>
|
||||
#include <linux/resctrl.h>
|
||||
#include <linux/cn_proc.h>
|
||||
#include <trace/events/oom.h>
|
||||
#include "internal.h"
|
||||
#include "fd.h"
|
||||
@@ -1674,8 +1675,10 @@ static ssize_t comm_write(struct file *file, const char __user *buf,
|
||||
if (!p)
|
||||
return -ESRCH;
|
||||
|
||||
if (same_thread_group(current, p))
|
||||
if (same_thread_group(current, p)) {
|
||||
set_task_comm(p, buffer);
|
||||
proc_comm_connector(p);
|
||||
}
|
||||
else
|
||||
count = -EINVAL;
|
||||
|
||||
|
||||
Reference in New Issue
Block a user