From 1d46e232f8637f31f8df2e50b27fd20d8135bd93 Mon Sep 17 00:00:00 2001
From: Richard Weinberger
Date: Fri, 19 Oct 2012 13:56:47 -0700
Subject: [PATCH 1/7] linux/coredump.h needs asm/siginfo.h

Commit 5ab1c309b344 ("coredump: pass siginfo_t* to do_coredump() and below, not merely signr") added siginfo_t to linux/coredump.h but forgot to include asm/siginfo.h. This breaks the build for UML/i386. (And any other arch where asm/siginfo.h is not magically preincluded...)

In file included from arch/x86/um/elfcore.c:2:0:
include/linux/coredump.h:15:25: error: unknown type name 'siginfo_t'
make[1]: *** [arch/x86/um/elfcore.o] Error 1

Signed-off-by: Richard Weinberger
Cc: Denys Vlasenko
Cc: Oleg Nesterov
Cc: Amerigo Wang
Cc: "Jonathan M. Foote"
Cc: Roland McGrath
Cc: Pedro Alves
Cc: Fengguang Wu
Cc: Stephen Rothwell
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
---
 include/linux/coredump.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/include/linux/coredump.h b/include/linux/coredump.h
index 1775eb8acc03..1d7399314a89 100644
--- a/include/linux/coredump.h
+++ b/include/linux/coredump.h
@@ -4,6 +4,7 @@
 #include
 #include
 #include
+#include
 /*
 * These are the only things you should do on a core-file: use only these

From 2702b1526c7278c4d65d78de209a465d4de2885e Mon Sep 17 00:00:00 2001
From: Kees Cook
Date: Fri, 19 Oct 2012 13:56:51 -0700
Subject: [PATCH 2/7] kernel/sys.c: fix stack memory content leak via UNAME26

Calling uname() with the UNAME26 personality set allows a leak of kernel stack contents. This fixes it by defensively calculating the length of copy_to_user() call, making the len argument unsigned, and initializing the stack buffer to zero (now technically unneeded, but hey, overkill).

CVE-2012-0957

Reported-by: PaX Team
Signed-off-by: Kees Cook
Cc: Andi Kleen
Cc: PaX Team
Cc: Brad Spengler
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
---
 kernel/sys.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/kernel/sys.c b/kernel/sys.c
index c5cb5b99cb81..01865c6fb6a0 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1265,15 +1265,16 @@ DECLARE_RWSEM(uts_sem);
 * Work around broken programs that cannot handle "Linux 3.0".
 * Instead we map 3.x to 2.6.40+x, so e.g. 3.0 would be 2.6.40
 */
-static int override_release(char __user *release, int len)
+static int override_release(char __user *release, size_t len)
 {
 int ret = 0;
- char buf[65];
 if (current->personality & UNAME26) {
- char *rest = UTS_RELEASE;
+ const char *rest = UTS_RELEASE;
+ char buf[65] = { 0 };
 int ndots = 0;
 unsigned v;
+ size_t copy;
 while (*rest) {
 if (*rest == '.' && ++ndots >= 3)
@@ -1283,8 +1284,9 @@ static int override_release(char __user *release, int len)
 rest++;
 }
 v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40;
- snprintf(buf, len, "2.6.%u%s", v, rest);
- ret = copy_to_user(release, buf, len);
+ copy = min(sizeof(buf), max_t(size_t, 1, len));
+ copy = scnprintf(buf, copy, "2.6.%u%s", v, rest);
+ ret = copy_to_user(release, buf, copy + 1);
 }
 return ret;
 }

From dc36d7e7cd422d69b15e7ec7cc1f021f581a6b6d Mon Sep 17 00:00:00 2001
From: Axel Lin
Date: Fri, 19 Oct 2012 13:56:52 -0700
Subject: [PATCH 3/7] drivers/video/backlight/lm3639_bl.c: return proper error in lm3639_bled_mode_store() error paths

Signed-off-by: Axel Lin
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
---
 drivers/video/backlight/lm3639_bl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/video/backlight/lm3639_bl.c b/drivers/video/backlight/lm3639_bl.c
index c6915c6c3cd1..585949b57055 100644
--- a/drivers/video/backlight/lm3639_bl.c
+++ b/drivers/video/backlight/lm3639_bl.c
@@ -206,11 +206,11 @@ static ssize_t lm3639_bled_mode_store(struct device *dev,
 out:
 dev_err(pchip->dev, "%s:i2c access fail to register\n", __func__);
- return size;
+ return ret;
 out_input:
 dev_err(pchip->dev, "%s:input conversion fail\n", __func__);
- return size;
+ return ret;
 }
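Review bot: In the second hunk, `copy = min(sizeof(buf), max_t(size_t, 1, len));` turns a zero-length request into a one-byte write: with `len == 0`, `copy` becomes 1, `scnprintf()` stores just the terminator, and `copy_to_user(release, buf, copy + 1)` still puts that byte into `release`, past the bound the caller handed in. The callers are outside the hunk and presumably pass the fixed size of the utsname release field, so nothing here is reachable from user input, but honouring the bound explicitly, `if (!len) return 0;` ahead of the formatting, makes the contract visible instead of relying on the clamp. The `copy + 1` is in bounds for `buf` because `scnprintf()` returns at most `copy - 1`, which is worth one comment on that line, `/* copy + 1: scnprintf() returned < copy, so the NUL is inside buf */`. The lines between the two hunks and override_release()'s callers are not shown here.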
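Review bot: Returning `ret` from the `out:` and `out_input:` labels only yields an error code if every `goto` site assigned a negative errno to `ret` first; those sites and the top of lm3639_bled_mode_store() are outside the hunk, so that should be confirmed there, since a stale non-negative `ret` left over from an earlier successful call would tell the writer the store succeeded. Separately, the `out_input:` path logs what is apparently a malformed sysfs write with `dev_err()`, which lets whoever can write the attribute fill the kernel log at error level; `dev_dbg()` or a rate-limited variant would be the more defensive choice if the attribute is writable by more than root (its permissions are not visible here).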
From bbc2e3ef87851bc5430b2b4cf4ca3a2f29baeda6 Mon Sep 17 00:00:00 2001
From: Cyrill Gorcunov
Date: Fri, 19 Oct 2012 13:56:53 -0700
Subject: [PATCH 4/7] pidns: remove recursion from free_pid_ns()

free_pid_ns() operates in a recursive fashion: free_pid_ns(parent) put_pid_ns(parent) kref_put(&ns->kref, free_pid_ns); free_pid_ns thus if there was a huge nesting of namespaces the userspace may trigger avalanche calling of free_pid_ns leading to kernel stack exhausting and a panic eventually. This patch turns the recursion into an iterative loop. Based on a patch by Andrew Vagin.

[akpm@linux-foundation.org: export put_pid_ns() to modules]
Signed-off-by: Cyrill Gorcunov
Cc: Andrew Vagin
Cc: Oleg Nesterov
Cc: "Eric W. Biederman"
Cc: Pavel Emelyanov
Cc: Greg KH
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
---
 include/linux/pid_namespace.h | 8 +-------
 kernel/pid_namespace.c | 23 +++++++++++++++--------
 2 files changed, 16 insertions(+), 15 deletions(-)

diff --git a/include/linux/pid_namespace.h b/include/linux/pid_namespace.h
index 00474b047145..65e3e87eacc5 100644
--- a/include/linux/pid_namespace.h
+++ b/include/linux/pid_namespace.h
@@ -47,15 +47,9 @@ static inline struct pid_namespace *get_pid_ns(struct pid_namespace *ns)
 }
 extern struct pid_namespace *copy_pid_ns(unsigned long flags, struct pid_namespace *ns);
-extern void free_pid_ns(struct kref *kref);
 extern void zap_pid_ns_processes(struct pid_namespace *pid_ns);
 extern int reboot_pid_ns(struct pid_namespace *pid_ns, int cmd);
-
-static inline void put_pid_ns(struct pid_namespace *ns)
-{
- if (ns != &init_pid_ns)
- kref_put(&ns->kref, free_pid_ns);
-}
+extern void put_pid_ns(struct pid_namespace *ns);
 #else /* !CONFIG_PID_NS */
 #include
diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c
index 478bad2745e3..eb00be205811 100644
--- a/kernel/pid_namespace.c
+++ b/kernel/pid_namespace.c
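Review bot: The declaration `extern void put_pid_ns(struct pid_namespace *ns);` drops the inline body that showed callers the `&init_pid_ns` no-op, so the header no longer documents the function's contract at all. A short comment above the declaration would restore it, e.g. `/* Drop a reference; no-op for &init_pid_ns. Releases parents iteratively, so deep nesting cannot overflow the stack. */` (the iterative walk is what the kernel/pid_namespace.c side of this patch implements). The `#else /* !CONFIG_PID_NS */` fallback body is outside the hunk and should provide a put_pid_ns() with the same signature; that cannot be checked from here.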
@@ -133,19 +133,26 @@ struct pid_namespace *copy_pid_ns(unsigned long flags, struct pid_namespace *old
 return create_pid_namespace(old_ns);
 }
-void free_pid_ns(struct kref *kref)
+static void free_pid_ns(struct kref *kref)
 {
- struct pid_namespace *ns, *parent;
+ struct pid_namespace *ns;
 ns = container_of(kref, struct pid_namespace, kref);
-
- parent = ns->parent;
 destroy_pid_namespace(ns);
-
- if (parent != NULL)
- put_pid_ns(parent);
 }
-EXPORT_SYMBOL_GPL(free_pid_ns);
+
+void put_pid_ns(struct pid_namespace *ns)
+{
+ struct pid_namespace *parent;
+
+ while (ns != &init_pid_ns) {
+ parent = ns->parent;
+ if (!kref_put(&ns->kref, free_pid_ns))
+ break;
+ ns = parent;
+ }
+}
+EXPORT_SYMBOL_GPL(put_pid_ns);
 void zap_pid_ns_processes(struct pid_namespace *pid_ns)
 {

From bac716966094e39c8027428993a57b79f2dd6c97 Mon Sep 17 00:00:00 2001
From: Fengguang Wu
Date: Fri, 19 Oct 2012 13:56:55 -0700
Subject: [PATCH 5/7] firmware/memmap: avoid type conflicts with the generic memmap_init()

Fix this build error:
drivers/firmware/memmap.c:240:19: error: conflicting types for 'memmap_init'
arch/ia64/include/asm/pgtable.h:565:17: note: previous declaration of 'memmap_init' was here

Signed-off-by: Fengguang Wu
Cc: Bernhard Walle
Cc: Glauber Costa
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
---
 drivers/firmware/memmap.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/firmware/memmap.c b/drivers/firmware/memmap.c
index c1cdc9236666..90723e65b081 100644
--- a/drivers/firmware/memmap.c
+++ b/drivers/firmware/memmap.c
@@ -237,7 +237,7 @@ static ssize_t memmap_attr_show(struct kobject *kobj,
 * firmware_map_add() or firmware_map_add_early() afterwards, the entries
 * are not added to sysfs.
 */
-static int __init memmap_init(void)
+static int __init firmware_memmap_init(void)
 {
 struct firmware_map_entry *entry;
@@ -246,5 +246,5 @@ static int __init memmap_init(void)
 return 0;
 }
-late_initcall(memmap_init);
+late_initcall(firmware_memmap_init);
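Review bot: In `put_pid_ns()` the order `parent = ns->parent;` then `kref_put(&ns->kref, free_pid_ns)` is load-bearing and undocumented: when the put drops the last reference, `free_pid_ns()` runs `destroy_pid_namespace(ns)` in the same call, so reading `ns->parent` afterwards would touch a namespace that is presumably already freed. A comment above the load, `/* fetch parent first: kref_put() may free ns through free_pid_ns() */`, would keep a later cleanup from reordering the two lines. A header comment should also say that the loop only advances when `kref_put()` returned non-zero, i.e. when this level was really released, which is what bounds the stack depth regardless of nesting, and that `ns` must not be NULL (NULL is not `&init_pid_ns`, so the loop would dereference it), as was already true of the removed inline.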
From 0db63d7e25f96e2c6da925c002badf6f144ddf30 Mon Sep 17 00:00:00 2001
From: Mel Gorman
Date: Fri, 19 Oct 2012 13:56:57 -0700
Subject: [PATCH 6/7] mm: compaction: correct the nr_strict va isolated check for CMA

Thierry reported that the "iron out" patch for isolate_freepages_block() had problems due to the strict check being too strict with "mm: compaction: Iron out isolate_freepages_block() and isolate_freepages_range() -fix1". It's possible that more pages than necessary are isolated but the check still fails and I missed that this fix was not picked up before RC1. This same problem has been identified in 3.7-RC1 by Tony Prisk and should be addressed by the following patch.

Signed-off-by: Mel Gorman
Tested-by: Tony Prisk
Reported-by: Thierry Reding
Acked-by: Rik van Riel
Acked-by: Minchan Kim
Cc: Richard Davies
Cc: Shaohua Li
Cc: Avi Kivity
Cc: Arnd Bergmann
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
---
 mm/compaction.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/compaction.c b/mm/compaction.c
index 2c4ce17651d8..9eef55838fca 100644
--- a/mm/compaction.c
+++ b/mm/compaction.c
@@ -346,7 +346,7 @@ static unsigned long isolate_freepages_block(struct compact_control *cc,
 * pages requested were isolated. If there were any failures, 0 is
 * returned and CMA will fail.
 */
- if (strict && nr_strict_required != total_isolated)
+ if (strict && nr_strict_required > total_isolated)
 total_isolated = 0;
 if (locked)

From fe73fbe1c5eda709084dedb66cbdd4b86826cce7 Mon Sep 17 00:00:00 2001
From: Ming Lei
Date: Fri, 19 Oct 2012 13:57:01 -0700
Subject: [PATCH 7/7] lib/dma-debug.c: fix __hash_bucket_find()

If there is only one match, the unique matched entry should be returned. Without the fix, the upcoming dma debug interfaces ("dma-debug: new interfaces to debug dma mapping errors") can't work reliably because only device and dma_addr are passed to dma_mapping_error().

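Review bot: The comment immediately above the changed line, `* pages requested were isolated. If there were any failures, 0 is`, still describes an exact-count check, while the new `>` deliberately accepts isolating more than `nr_strict_required` (the commit message says more pages than necessary can be isolated); the wording should follow, e.g. `* at least as many pages as requested were isolated (more than required` / `* may be taken). If there were any failures, 0 is`. The first line of that comment and the rest of isolate_freepages_block() are outside the hunk.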
Signed-off-by: Ming Lei
Reported-by: Wu Fengguang
Cc: Joerg Roedel
Tested-by: Shuah Khan
Cc: Paul Gortmaker
Cc: Jakub Kicinski
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
---
 lib/dma-debug.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/dma-debug.c b/lib/dma-debug.c
index b9087bff008b..d84beb994f36 100644
--- a/lib/dma-debug.c
+++ b/lib/dma-debug.c
@@ -264,7 +264,7 @@ static struct dma_debug_entry *__hash_bucket_find(struct hash_bucket *bucket,
 match_fn match)
 {
 struct dma_debug_entry *entry, *ret = NULL;
- int matches = 0, match_lvl, last_lvl = 0;
+ int matches = 0, match_lvl, last_lvl = -1;
 list_for_each_entry(entry, &bucket->list, list) {
 if (!match(ref, entry))
@@ -293,7 +293,7 @@ static struct dma_debug_entry *__hash_bucket_find(struct hash_bucket *bucket,
 } else if (match_lvl > last_lvl) {
 /*
 * We found an entry that fits better then the
- * previous one
+ * previous one or it is the 1st match.
 */
 last_lvl = match_lvl;
 ret = entry;
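Review bot: `last_lvl = -1` is correct but unexplained: the `else if (match_lvl > last_lvl)` branch in the second hunk is the only visible place a non-perfect match is recorded, and with the old 0 a single match scoring 0 (if `match_lvl` can be 0) was never stored, which is what the commit fixes; the declaration deserves a trailing comment, `int matches = 0, match_lvl, last_lvl = -1; /* -1 so the first match is recorded even at level 0 */`, so the next reader does not tidy it back to 0. While the neighbouring comment is being edited, `fits better then the` on the context line should read `fits better than the`. The code after the hunk that decides which entry is finally returned is not visible here.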