* [ 0/8] 3.0.85-stable review
From: Greg Kroah-Hartman @ 2013-07-01 20:10 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, torvalds, akpm, stable
This is the start of the stable review cycle for the 3.0.85 release.
There are 8 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed Jul 3 19:59:07 UTC 2013.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
kernel.org/pub/linux/kernel/v3.0/stable-review/patch-3.0.85-rc1.gz
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 3.0.85-rc1
Liang Li <liang.li@windriver.com>
pch_uart: fix a deadlock when pch_uart as console
Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
UBIFS: fix a horrid bug
Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
UBIFS: prepare to fix a horrid bug
Stephane Eranian <eranian@google.com>
perf: Disable monitoring on setuid processes for regular users
Zefan Li <lizefan@huawei.com>
dlci: validate the net device in dlci_del()
Zefan Li <lizefan@huawei.com>
dlci: acquire rtnl_lock before calling __dev_get_by_name()
Oleg Nesterov <oleg@redhat.com>
hw_breakpoint: Use cpu_possible_mask in {reserve,release}_bp_slot()
Anderson Lizardo <anderson.lizardo@openbossa.org>
Bluetooth: Fix crash in l2cap_build_cmd() with small MTU
-------------
Diffstat:
Makefile | 4 ++--
drivers/net/wan/dlci.c | 26 +++++++++++++++++----
drivers/tty/serial/pch_uart.c | 29 +++++++++++++++++------
fs/exec.c | 16 +++++++------
fs/ubifs/dir.c | 54 +++++++++++++++++++++++++++++++------------
kernel/events/hw_breakpoint.c | 4 ++--
net/bluetooth/l2cap_core.c | 3 +++
7 files changed, 98 insertions(+), 38 deletions(-)
* [ 1/8] Bluetooth: Fix crash in l2cap_build_cmd() with small MTU
From: Greg Kroah-Hartman @ 2013-07-01 20:10 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Anderson Lizardo, Gustavo Padovan,
John W. Linville
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anderson Lizardo <anderson.lizardo@openbossa.org>
commit 300b962e5244a1ea010df7e88595faa0085b461d upstream.
If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus
controller, memory corruption happens due to a memcpy() call with
negative length.
Fix this crash on either incoming or outgoing connections with an MTU
smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE:
[ 46.885433] BUG: unable to handle kernel paging request at f56ad000
[ 46.888037] IP: [<c03d94cd>] memcpy+0x1d/0x40
[ 46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060
[ 46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
[ 46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common
[ 46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12
[ 46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
[ 46.888037] Workqueue: hci0 hci_rx_work [bluetooth]
[ 46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000
[ 46.888037] EIP: 0060:[<c03d94cd>] EFLAGS: 00010212 CPU: 0
[ 46.888037] EIP is at memcpy+0x1d/0x40
[ 46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2
[ 46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c
[ 46.888037] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[ 46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0
[ 46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 46.888037] DR6: ffff0ff0 DR7: 00000400
[ 46.888037] Stack:
[ 46.888037] fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000
[ 46.888037] f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560
[ 46.888037] f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2
[ 46.888037] Call Trace:
[ 46.888037] [<f8c6a54c>] l2cap_send_cmd+0x1cc/0x230 [bluetooth]
[ 46.888037] [<f8c69eb2>] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth]
[ 46.888037] [<f8c6f4c7>] l2cap_connect+0x3f7/0x540 [bluetooth]
[ 46.888037] [<c019b37b>] ? trace_hardirqs_off+0xb/0x10
[ 46.888037] [<c01a0ff8>] ? mark_held_locks+0x68/0x110
[ 46.888037] [<c064ad20>] ? mutex_lock_nested+0x280/0x360
[ 46.888037] [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
[ 46.888037] [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
[ 46.888037] [<c064ad08>] ? mutex_lock_nested+0x268/0x360
[ 46.888037] [<c01a125b>] ? trace_hardirqs_on+0xb/0x10
[ 46.888037] [<f8c72f8d>] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth]
[ 46.888037] [<c01a0ff8>] ? mark_held_locks+0x68/0x110
[ 46.888037] [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
[ 46.888037] [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
[ 46.888037] [<f8c754f1>] l2cap_recv_acldata+0x2a1/0x320 [bluetooth]
[ 46.888037] [<f8c491d8>] hci_rx_work+0x518/0x810 [bluetooth]
[ 46.888037] [<f8c48df2>] ? hci_rx_work+0x132/0x810 [bluetooth]
[ 46.888037] [<c0158979>] process_one_work+0x1a9/0x600
[ 46.888037] [<c01588fb>] ? process_one_work+0x12b/0x600
[ 46.888037] [<c015922e>] ? worker_thread+0x19e/0x320
[ 46.888037] [<c015922e>] ? worker_thread+0x19e/0x320
[ 46.888037] [<c0159187>] worker_thread+0xf7/0x320
[ 46.888037] [<c0159090>] ? rescuer_thread+0x290/0x290
[ 46.888037] [<c01602f8>] kthread+0xa8/0xb0
[ 46.888037] [<c0656777>] ret_from_kernel_thread+0x1b/0x28
[ 46.888037] [<c0160250>] ? flush_kthread_worker+0x120/0x120
[ 46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 <f3> a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89
[ 46.888037] EIP: [<c03d94cd>] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c
[ 46.888037] CR2: 00000000f56ad000
[ 46.888037] ---[ end trace 0217c1f4d78714a9 ]---
Signed-off-by: Anderson Lizardo <anderson.lizardo@openbossa.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/l2cap_core.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1514,6 +1514,9 @@ static struct sk_buff *l2cap_build_cmd(s
BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
conn, code, ident, dlen);
+ if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
+ return NULL;
+
len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
count = min_t(unsigned int, conn->mtu, len);
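Review bot: the new early return is silent, yet the commit message says the condition can be induced from userspace via ioctl(HCISETACLMTU) or by a misbehaving controller; a BT_ERR/BT_DBG naming the rejected conn->mtu, next to the BT_DBG already above it, would make a dropped signalling command diagnosable instead of looking like a lost response. The diff also does not show how the callers of l2cap_build_cmd() treat a NULL result; each one (l2cap_send_cmd() in the backtrace) needs to bail out rather than dereference it. Finally, the guard only makes `count - (L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)` non-negative: an MTU of exactly L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE still yields a first fragment with zero payload bytes, so the rest of the function must tolerate that case.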
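Added example, not part of the patch or of this thread: a user-space model of the fragment-length arithmetic that l2cap_build_cmd() performs, written to show why an MTU below the two header sizes turns `count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE` into a ~4 GiB memcpy(), and what the new guard changes. The header sizes (4 + 4 bytes) and the 8-byte command used in the demo are assumptions taken from the L2CAP spec and from the connect-response path in the backtrace, not values stated on this page; model_copy_total() and copy_stays_in_bounds() are names invented for the model, and the early break on a zero-byte fragment is the model's own, since the kernel would have faulted in memcpy() before reaching that loop.

```c
#include <stdio.h>

/* Header sizes as used by the patched check. 4-byte L2CAP basic header and
 * 4-byte signalling command header are taken from the L2CAP spec; they are
 * assumptions for this model, not values quoted on the page. */
#define L2CAP_HDR_SIZE     4u
#define L2CAP_CMD_HDR_SIZE 4u

/*
 * Model of how l2cap_build_cmd() splits a signalling command with dlen payload
 * bytes into MTU-sized fragments, using the same unsigned arithmetic. Returns
 * the total number of bytes the kernel's memcpy() calls would copy out of the
 * dlen-byte source buffer. With `guard` set, the patched check runs first and
 * the command is dropped (0 bytes copied) when the MTU cannot hold both headers.
 */
unsigned long long model_copy_total(unsigned int mtu, unsigned int dlen, int guard)
{
    if (guard && mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
        return 0;                     /* patched kernel: return NULL, send nothing */

    unsigned int len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
    unsigned int count = mtu < len ? mtu : len;   /* bytes in the first skb */
    unsigned int first_skb_len = count;
    unsigned long long copied = 0;

    /* First fragment: both headers, then whatever payload still fits. Without
     * the guard, mtu < 8 makes this subtraction wrap: the "memcpy() with
     * negative length" from the oops (EBX = fffffff8 is consistent with 0 - 8,
     * i.e. an MTU of 0 and an 8-byte response). */
    if (dlen) {
        count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
        copied += count;
    }

    /* Continuation fragments carry the remaining payload, MTU bytes at a time. */
    len -= first_skb_len;
    while (len) {
        count = mtu < len ? mtu : len;
        if (count == 0)
            break;   /* model only: with mtu == 0 the real loop never terminates */
        copied += count;
        len -= count;
    }
    return copied;
}

/* True when every memcpy() stays inside the dlen-byte source buffer. */
int copy_stays_in_bounds(unsigned int mtu, unsigned int dlen, int guard)
{
    return model_copy_total(mtu, dlen, guard) <= dlen;
}

int main(void)
{
    /* dlen = 8 is the size of an L2CAP connect response, the command being
     * built in the backtrace; any non-zero dlen shows the same effect. */
    static const unsigned int mtus[] = { 0, 3, 7, 8, 9, 672 };
    for (unsigned i = 0; i < sizeof mtus / sizeof mtus[0]; i++)
        printf("mtu=%4u  unguarded copies %10llu bytes (%s)  guarded copies %llu bytes\n",
               mtus[i], model_copy_total(mtus[i], 8, 0),
               copy_stays_in_bounds(mtus[i], 8, 0) ? "ok" : "OUT OF BOUNDS",
               model_copy_total(mtus[i], 8, 1));
    return 0;
}
```

Build with cc and run: for mtu 0..7 the unguarded column shows the wrapped lengths (billions of bytes copied from an 8-byte buffer), while the guarded column shows the command being dropped; from mtu 8 upward both agree and copy exactly dlen bytes across the fragments.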
* [ 2/8] hw_breakpoint: Use cpu_possible_mask in {reserve,release}_bp_slot()
From: Greg Kroah-Hartman @ 2013-07-01 20:10 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Vince Weaver, Oleg Nesterov,
Frederic Weisbecker, Ingo Molnar
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleg Nesterov <oleg@redhat.com>
commit c790b0ad23f427c7522ffed264706238c57c007e upstream.
fetch_bp_busy_slots() and toggle_bp_slot() use
for_each_online_cpu(); this is obviously wrong wrt cpu_up() or
cpu_down(): we can over/under account the per-cpu numbers.
For example:
# echo 0 >> /sys/devices/system/cpu/cpu1/online
# perf record -e mem:0x10 -p 1 &
# echo 1 >> /sys/devices/system/cpu/cpu1/online
# perf record -e mem:0x10,mem:0x10,mem:0x10,mem:0x10 -C1 -a &
# taskset -p 0x2 1
triggers the same WARN_ONCE("Can't find any breakpoint slot") in
arch_install_hw_breakpoint().
Reported-by: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Frederic Weisbecker <fweisbec@gmail.com>
Link: http://lkml.kernel.org/r/20130620155009.GA6327@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/events/hw_breakpoint.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/kernel/events/hw_breakpoint.c
+++ b/kernel/events/hw_breakpoint.c
@@ -147,7 +147,7 @@ fetch_bp_busy_slots(struct bp_busy_slots
return;
}
- for_each_online_cpu(cpu) {
+ for_each_possible_cpu(cpu) {
unsigned int nr;
nr = per_cpu(nr_cpu_bp_pinned[type], cpu);
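Review bot: no comment explains why this loop walks cpu_possible_mask rather than the online set; the reason from the commit message (a CPU taken offline or brought online between reserve and release leaves the per-cpu nr_cpu_bp_pinned counters over- or under-accounted) belongs in a one-line comment right at the loop, otherwise the next reader will "optimize" it back to for_each_online_cpu(). The only cost is a wider loop in a slow path.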
@@ -233,7 +233,7 @@ toggle_bp_slot(struct perf_event *bp, bo
if (cpu >= 0) {
toggle_bp_task_slot(bp, cpu, enable, type, weight);
} else {
- for_each_online_cpu(cpu)
+ for_each_possible_cpu(cpu)
toggle_bp_task_slot(bp, cpu, enable, type, weight);
}
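Review bot: this loop and the counting loop in fetch_bp_busy_slots() (first hunk) must iterate the identical CPU set or the accounting drifts, yet nothing ties the two together; a shared helper, or at minimum matching comments in both places, would stop one being changed without the other. The `cpu >= 0` branch just above is unaffected because it charges one explicit CPU.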
* [ 3/8] dlci: acquire rtnl_lock before calling __dev_get_by_name()
From: Greg Kroah-Hartman @ 2013-07-01 20:10 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Li Zefan, David S. Miller
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zefan Li <lizefan@huawei.com>
commit 11eb2645cbf38a08ae491bf6c602eea900ec0bb5 upstream.
Otherwise the net device returned can be freed at anytime.
Signed-off-by: Li Zefan <lizefan@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wan/dlci.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
--- a/drivers/net/wan/dlci.c
+++ b/drivers/net/wan/dlci.c
@@ -378,20 +378,24 @@ static int dlci_del(struct dlci_add *dlc
struct net_device *master, *slave;
int err;
+ rtnl_lock();
+
/* validate slave device */
master = __dev_get_by_name(&init_net, dlci->devname);
- if (!master)
- return -ENODEV;
+ if (!master) {
+ err = -ENODEV;
+ goto out;
+ }
if (netif_running(master)) {
- return -EBUSY;
+ err = -EBUSY;
+ goto out;
}
dlp = netdev_priv(master);
slave = dlp->slave;
flp = netdev_priv(slave);
- rtnl_lock();
err = (*flp->deassoc)(slave, master);
if (!err) {
list_del(&dlp->list);
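Review bot: the lock move fixes the lifetime problem, but `dlp = netdev_priv(master)` on the unchanged lines still trusts that whatever name arrives in dlci->devname belongs to a DLCI device; __dev_get_by_name() matches any net device, and `dlp->slave` is then read out of foreign private data. That is exactly the oops patch 4/8 in this series fixes by walking dlci_devs; for a stable backport the two belong together so the tree never carries the locking fix without the type check. The -EBUSY path now also exits through `out:`, which is right, and `err` is assigned on every path that jumps there.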
@@ -400,8 +404,8 @@ static int dlci_del(struct dlci_add *dlc
dev_put(slave);
}
+out:
rtnl_unlock();
-
return err;
}
* [ 4/8] dlci: validate the net device in dlci_del()
From: Greg Kroah-Hartman @ 2013-07-01 20:10 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Li Jinyue, Li Zefan, David S. Miller
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zefan Li <lizefan@huawei.com>
commit 578a1310f2592ba90c5674bca21c1dbd1adf3f0a upstream.
We triggered an oops while running trinity with a 3.4 kernel:
BUG: unable to handle kernel paging request at 0000000100000d07
IP: [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
PGD 640c0d067 PUD 0
Oops: 0000 [#1] PREEMPT SMP
CPU 3
...
Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285 /BC11BTSA
RIP: 0010:[<ffffffffa0109738>] [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
...
Call Trace:
[<ffffffff8137c5c3>] sock_ioctl+0x153/0x280
[<ffffffff81195494>] do_vfs_ioctl+0xa4/0x5e0
[<ffffffff8118354a>] ? fget_light+0x3ea/0x490
[<ffffffff81195a1f>] sys_ioctl+0x4f/0x80
[<ffffffff81478b69>] system_call_fastpath+0x16/0x1b
...
It's because the net device is not a dlci device.
Reported-by: Li Jinyue <lijinyue@huawei.com>
Signed-off-by: Li Zefan <lizefan@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wan/dlci.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/drivers/net/wan/dlci.c
+++ b/drivers/net/wan/dlci.c
@@ -377,6 +377,7 @@ static int dlci_del(struct dlci_add *dlc
struct frad_local *flp;
struct net_device *master, *slave;
int err;
+ bool found = false;
rtnl_lock();
@@ -386,6 +387,17 @@ static int dlci_del(struct dlci_add *dlc
err = -ENODEV;
goto out;
}
+
+ list_for_each_entry(dlp, &dlci_devs, list) {
+ if (dlp->master == master) {
+ found = true;
+ break;
+ }
+ }
+ if (!found) {
+ err = -ENODEV;
+ goto out;
+ }
if (netif_running(master)) {
err = -EBUSY;
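Review bot: the validation loop reuses `dlp` as its cursor, and on the found path the unchanged code below (visible in patch 3/8) reassigns `dlp = netdev_priv(master)`, which is the same object, so it works but reads as if the lookup were being redone; either drop that later assignment or use a separate iterator. Returning -ENODEV for "the named device exists but is not a DLCI device" also makes it indistinguishable from "no such device"; -EINVAL would tell the caller which case it hit. The walk of dlci_devs happens under rtnl_lock, and the list_del() in patch 3/8 runs under the same lock, so the list itself is protected.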
* [ 5/8] perf: Disable monitoring on setuid processes for regular users
From: Greg Kroah-Hartman @ 2013-07-01 20:10 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Stephane Eranian, Jiri Olsa,
Peter Zijlstra, Ingo Molnar
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephane Eranian <eranian@google.com>
commit 2976b10f05bd7f6dab9f9e7524451ddfed656a89 upstream.
There was a bug in setup_new_exec(), whereby
the test to disable perf monitoring was not
correct because the new credentials for the
process were not yet committed and therefore
the get_dumpable() test was never firing.
The patch fixes the problem by moving the
perf_event test until after the credentials
are committed.
Signed-off-by: Stephane Eranian <eranian@google.com>
Tested-by: Jiri Olsa <jolsa@redhat.com>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/exec.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1149,13 +1149,6 @@ void setup_new_exec(struct linux_binprm
set_dumpable(current->mm, suid_dumpable);
}
- /*
- * Flush performance counters when crossing a
- * security domain:
- */
- if (!get_dumpable(current->mm))
- perf_event_exit_task(current);
-
/* An exec changes our domain. We are no longer part of the thread
group */
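Review bot: deleting the check here rather than moving it leaves setup_new_exec() with no perf teardown at all, and its replacement in install_exec_creds() (second hunk) runs later, after the new mm is in place; the commit message should state explicitly that no user-controlled code can run in that window, otherwise a reader cannot tell whether the gap matters. The removed comment, "Flush performance counters when crossing a security domain", was also the clearer statement of intent and is worth carrying over to the new location.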
@@ -1219,6 +1212,15 @@ void install_exec_creds(struct linux_bin
commit_creds(bprm->cred);
bprm->cred = NULL;
+
+ /*
+ * Disable monitoring for regular users
+ * when executing setuid binaries. Must
+ * wait until new credentials are committed
+ * by commit_creds() above
+ */
+ if (get_dumpable(current->mm) != SUID_DUMP_USER)
+ perf_event_exit_task(current);
/*
* cred_guard_mutex must be held at least to this point to prevent
* ptrace_attach() from altering our determination of the task's
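Review bot: the new comment says monitoring is disabled "for regular users when executing setuid binaries", but the test is purely on dumpable state: it fires whenever get_dumpable() != SUID_DUMP_USER, which includes the suid_dumpable=2 ("dump as root") setting, and it never looks at the caller's uid. That is the right test for a domain crossing, but the comment should say so ("the exec crossed a privilege boundary") instead of tying it to regular users. Placing it after commit_creds() and before cred_guard_mutex is released, as the comment immediately below notes, is what makes the check race-free against ptrace_attach().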
* [ 6/8] UBIFS: prepare to fix a horrid bug
From: Greg Kroah-Hartman @ 2013-07-01 20:10 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro, Artem Bityutskiy
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
commit 33f1a63ae84dfd9ad298cf275b8f1887043ced36 upstream.
Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no
mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are
in the middle of 'ubifs_readdir()'.
First of all, this means that 'file->private_data' can be freed while
'ubifs_readdir()' uses it. But this particular patch does not fix the problem.
This patch is only a preparation, and the fix will follow next.
In this patch we make 'ubifs_readdir()' stop using 'file->f_pos' directly,
because 'file->f_pos' can be changed by '->llseek()' at any point. This may
lead 'ubifs_readdir()' to returning inconsistent data: directory entry names
may correspond to incorrect file positions.
So here we introduce a local variable 'pos', read 'file->f_pos' once at the very
beginning, and then stick to 'pos'. The result of this is that when
'ubifs_dir_llseek()' changes 'file->f_pos' while we are in the middle of
'ubifs_readdir()', the latter "wins".
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Tested-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ubifs/dir.c | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
--- a/fs/ubifs/dir.c
+++ b/fs/ubifs/dir.c
@@ -355,15 +355,16 @@ static unsigned int vfs_dent_type(uint8_
static int ubifs_readdir(struct file *file, void *dirent, filldir_t filldir)
{
int err, over = 0;
+ loff_t pos = file->f_pos;
struct qstr nm;
union ubifs_key key;
struct ubifs_dent_node *dent;
struct inode *dir = file->f_path.dentry->d_inode;
struct ubifs_info *c = dir->i_sb->s_fs_info;
- dbg_gen("dir ino %lu, f_pos %#llx", dir->i_ino, file->f_pos);
+ dbg_gen("dir ino %lu, f_pos %#llx", dir->i_ino, pos);
- if (file->f_pos > UBIFS_S_KEY_HASH_MASK || file->f_pos == 2)
+ if (pos > UBIFS_S_KEY_HASH_MASK || pos == 2)
/*
* The directory was seek'ed to a senseless position or there
* are no more entries.
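Review bot: `loff_t pos = file->f_pos;` is a plain 64-bit load; on 32-bit targets that is two loads, so the concurrent llseek the commit message describes can hand readdir a torn value that was never stored. The checks immediately below reject anything above UBIFS_S_KEY_HASH_MASK or equal to 2, but a torn hash inside the valid range silently takes the "closest entry" path. Either read the position under file->f_lock or add a comment saying a bogus position is tolerated because the follow-up patch discards stale state on the next call.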
@@ -371,15 +372,15 @@ static int ubifs_readdir(struct file *fi
return 0;
/* File positions 0 and 1 correspond to "." and ".." */
- if (file->f_pos == 0) {
+ if (pos == 0) {
ubifs_assert(!file->private_data);
over = filldir(dirent, ".", 1, 0, dir->i_ino, DT_DIR);
if (over)
return 0;
- file->f_pos = 1;
+ file->f_pos = pos = 1;
}
- if (file->f_pos == 1) {
+ if (pos == 1) {
ubifs_assert(!file->private_data);
over = filldir(dirent, "..", 2, 1,
parent_ino(file->f_path.dentry), DT_DIR);
@@ -395,7 +396,7 @@ static int ubifs_readdir(struct file *fi
goto out;
}
- file->f_pos = key_hash_flash(c, &dent->key);
+ file->f_pos = pos = key_hash_flash(c, &dent->key);
file->private_data = dent;
}
@@ -403,17 +404,16 @@ static int ubifs_readdir(struct file *fi
if (!dent) {
/*
* The directory was seek'ed to and is now readdir'ed.
- * Find the entry corresponding to @file->f_pos or the
- * closest one.
+ * Find the entry corresponding to @pos or the closest one.
*/
- dent_key_init_hash(c, &key, dir->i_ino, file->f_pos);
+ dent_key_init_hash(c, &key, dir->i_ino, pos);
nm.name = NULL;
dent = ubifs_tnc_next_ent(c, &key, &nm);
if (IS_ERR(dent)) {
err = PTR_ERR(dent);
goto out;
}
- file->f_pos = key_hash_flash(c, &dent->key);
+ file->f_pos = pos = key_hash_flash(c, &dent->key);
file->private_data = dent;
}
@@ -425,7 +425,7 @@ static int ubifs_readdir(struct file *fi
ubifs_inode(dir)->creat_sqnum);
nm.len = le16_to_cpu(dent->nlen);
- over = filldir(dirent, dent->name, nm.len, file->f_pos,
+ over = filldir(dirent, dent->name, nm.len, pos,
le64_to_cpu(dent->inum),
vfs_dent_type(dent->type));
if (over)
@@ -441,7 +441,7 @@ static int ubifs_readdir(struct file *fi
}
kfree(file->private_data);
- file->f_pos = key_hash_flash(c, &dent->key);
+ file->f_pos = pos = key_hash_flash(c, &dent->key);
file->private_data = dent;
cond_resched();
}
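Review bot: this hunk, like the others in the patch, only stops re-reading file->f_pos; `file->private_data = dent` and the `kfree(file->private_data)` just above are untouched, so the use-after-free the commit message mentions is still fully open after this patch (the message admits as much). For stable that means 6/8 without 7/8 changes nothing security-wise and the two should be queued as a pair. The `cond_resched()` right after the store is also exactly the point where the old ubifs_dir_llseek() could run and free the dent that was just saved.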
* [ 7/8] UBIFS: fix a horrid bug
From: Greg Kroah-Hartman @ 2013-07-01 20:10 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro, Artem Bityutskiy
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
commit 605c912bb843c024b1ed173dc427cd5c08e5d54d upstream.
Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no
mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are
in the middle of 'ubifs_readdir()'.
This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses
it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage,
but this may corrupt memory and lead to all kinds of problems like crashes and
security holes.
This patch fixes the problem by using the 'file->f_version' field, which
'->llseek()' always unconditionally sets to zero. We set it to 1 in
'ubifs_readdir()' and whenever we detect that it became 0, we know there was a
seek and it is time to clear the state saved in 'file->private_data'.
I tested this patch by writing a user-space program which runs readdir and
seek in parallel. I could easily crash the kernel without these patches, but
could not crash it with these patches.
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Tested-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ubifs/dir.c | 30 +++++++++++++++++++++++++++---
1 file changed, 27 insertions(+), 3 deletions(-)
--- a/fs/ubifs/dir.c
+++ b/fs/ubifs/dir.c
@@ -371,6 +371,24 @@ static int ubifs_readdir(struct file *fi
*/
return 0;
+ if (file->f_version == 0) {
+ /*
+ * The file was seek'ed, which means that @file->private_data
+ * is now invalid. This may also be just the first
+ * 'ubifs_readdir()' invocation, in which case
+ * @file->private_data is NULL, and the below code is
+ * basically a no-op.
+ */
+ kfree(file->private_data);
+ file->private_data = NULL;
+ }
+
+ /*
+ * 'generic_file_llseek()' unconditionally sets @file->f_version to
+ * zero, and we use this for detecting whether the file was seek'ed.
+ */
+ file->f_version = 1;
+
/* File positions 0 and 1 correspond to "." and ".." */
if (pos == 0) {
ubifs_assert(!file->private_data);
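Review bot: the protocol introduced here rests on an implicit contract, that every path which moves the position also clears file->f_version. generic_file_llseek() does (the comment says so), but nothing in UBIFS asserts it, so a future custom ->llseek, or a VFS change to when f_version is reset, silently brings the stale private_data back. A comment at the point of use, or a ubifs_assert() that private_data is NULL whenever f_version is 0, would pin the assumption down.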
@@ -444,6 +462,14 @@ static int ubifs_readdir(struct file *fi
file->f_pos = pos = key_hash_flash(c, &dent->key);
file->private_data = dent;
cond_resched();
+
+ if (file->f_version == 0)
+ /*
+ * The file was seek'ed meanwhile, lets return and start
+ * reading direntries from the new position on the next
+ * invocation.
+ */
+ return 0;
}
out:
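Review bot: the `return 0` when f_version went to zero mid-loop ends the batch early with whatever entries were already filled, and the `dent` just stored in private_data is freed at the top of the next call. That is correct, but there are two windows around the check: a seek landing between `file->private_data = dent` and the test is caught here, while one landing just after the test is not, and the latter is harmless only because the next call re-tests f_version before it touches private_data. That reasoning deserves a sentence in the comment, since the early return otherwise looks like a racy shortcut.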
@@ -454,15 +480,13 @@ out:
kfree(file->private_data);
file->private_data = NULL;
+ /* 2 is a special value indicating that there are no more direntries */
file->f_pos = 2;
return 0;
}
-/* If a directory is seeked, we have to free saved readdir() state */
static loff_t ubifs_dir_llseek(struct file *file, loff_t offset, int origin)
{
- kfree(file->private_data);
- file->private_data = NULL;
return generic_file_llseek(file, offset, origin);
}
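Review bot: with the kfree() removed from ubifs_dir_llseek(), a seek followed by close() with no further readdir leaves private_data for ->release to free; the diff does not show ubifs_dir_release(), so confirm it still does that. Separately, for a 3.0 backport it is worth checking whether generic_file_llseek() on this tree still takes i_mutex (upstream made it lockless later); if it does, vfs_readdir()'s i_mutex already serialises it against ubifs_readdir(), the race described in the commit message cannot occur on 3.0, and patches 6/8 and 7/8 are harmless but not a fix for anything here.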
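Added example, not the author's test program (which is not on the page) and not part of the thread: a small user-space stress driver for the readdir-vs-llseek race that patches 6/8 and 7/8 address. It forks so that parent and child share one open file description, and therefore the same struct file, f_pos and private_data, then has the child lseek() while the parent walks the directory with raw getdents64(). On a fixed kernel it must always end with a correct final enumeration; on an unfixed UBIFS directory this is the pattern that frees private_data under the reader. The scratch directory, its file count, and the function names (readdir_vs_seek, run_readdir_seek_demo) are constructed for this example; the /tmp default only demonstrates the driver, so point it at a directory that actually lives on UBIFS to exercise the code in question.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#define NFILES 64   /* files in the constructed scratch directory */

/* getdents64 record as the kernel lays it out; used instead of glibc readdir()
 * so every call drives the filesystem's ->readdir on the shared fd. */
struct linux_dirent64 {
    uint64_t       d_ino;
    int64_t        d_off;
    unsigned short d_reclen;
    unsigned char  d_type;
    char           d_name[];
};

/* Create a scratch directory (mkdtemp template) holding NFILES empty files. */
static int make_scratch_dir(char *tmpl)
{
    if (!mkdtemp(tmpl))
        return -1;
    for (int i = 0; i < NFILES; i++) {
        char path[512];
        snprintf(path, sizeof path, "%s/f%03d", tmpl, i);
        int fd = open(path, O_CREAT | O_WRONLY, 0600);
        if (fd < 0)
            return -1;
        close(fd);
    }
    return 0;
}

static void remove_scratch_dir(const char *dir)
{
    for (int i = 0; i < NFILES; i++) {
        char path[512];
        snprintf(path, sizeof path, "%s/f%03d", dir, i);
        unlink(path);
    }
    rmdir(dir);
}

/* One pass over the directory from offset 0; returns the entry count or -1. */
static long count_entries(int fd)
{
    char buf[4096];
    long seen = 0;
    if (lseek(fd, 0, SEEK_SET) < 0)
        return -1;
    for (;;) {
        long n = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (n < 0)
            return -1;
        if (n == 0)
            return seen;                            /* end of directory */
        for (long off = 0; off < n; ) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + off);
            seen++;
            off += d->d_reclen;
        }
    }
}

/* Race ->readdir against ->llseek on ONE open file description. fork() shares
 * the struct file, so the child's lseek() moves the same f_pos (and clears the
 * same f_version) the parent's getdents64() is working with. After the child
 * exits, a clean pass must still return "." and ".." plus NFILES entries.
 * Returns that final count, or -1 on error. */
long readdir_vs_seek(const char *dir, int rounds)
{
    int fd = open(dir, O_RDONLY | O_DIRECTORY);
    if (fd < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fd);
        return -1;
    }
    if (pid == 0) {                 /* seeker: cheap LCG picks the offsets */
        unsigned int seed = 12345;
        for (int i = 0; i < rounds * 256; i++) {
            seed = seed * 1103515245u + 12345u;
            lseek(fd, (off_t)(seed % 4096), SEEK_SET);
        }
        _exit(0);
    }
    int failed = 0;                 /* reader: re-walk while the child seeks */
    for (int r = 0; r < rounds && !failed; r++)
        if (count_entries(fd) < 0)
            failed = 1;
    int status;
    waitpid(pid, &status, 0);
    long final_count = failed ? -1 : count_entries(fd);
    close(fd);
    return final_count;
}

/* Build the scratch dir (in /tmp, falling back to the cwd), run, clean up. */
long run_readdir_seek_demo(int rounds)
{
    char tmpl[64] = "/tmp/readdir-seek-XXXXXX";
    if (make_scratch_dir(tmpl) < 0) {
        strcpy(tmpl, "./readdir-seek-XXXXXX");
        if (make_scratch_dir(tmpl) < 0)
            return -1;
    }
    long n = readdir_vs_seek(tmpl, rounds);
    remove_scratch_dir(tmpl);
    return n;
}

int main(void)
{
    long n = run_readdir_seek_demo(50);
    printf("entries after racing readdir against lseek: %ld (expected %d)\n", n, NFILES + 2);
    return n == NFILES + 2 ? 0 : 1;
}
```

The fork-based design is deliberate: threads would share the fd too, but fork() makes it obvious that the two callers hold the very same open file description, which is the object whose f_pos and private_data the patch protects; a dup()'d or separately open()'d directory would not race the same state.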
* [ 8/8] pch_uart: fix a deadlock when pch_uart as console
From: Greg Kroah-Hartman @ 2013-07-01 20:10 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Liang Li, Yijing Wang
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Liang Li <liang.li@windriver.com>
commit 384e301e3519599b000c1a2ecd938b533fc15d85 upstream.
When we use pch_uart as the system console, like 'console=ttyPCH0,115200',
and then 'send break' to it, we'll encounter a deadlock on a cpu/core,
with interrupts disabled on that core. When we happen to have all irqs'
affinity set to cpu0, then the deadlock on cpu0 actually deadlocks the whole
system.
In pch_uart_interrupt, we have spin_lock_irqsave(&priv->lock, flags)
and then call pch_uart_err_ir when a break is received. Then the call to
dev_err would actually call into pch_console_write, and we'll run into
another spin_lock(&priv->lock), with interrupts disabled.
So in the call sequence led by pch_uart_interrupt, we should be
careful to call functions that will 'print message to console' only
in case the uart port is not being used as the serial console.
Signed-off-by: Liang Li <liang.li@windriver.com>
Cc: Yijing Wang <wangyijing@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/pch_uart.c | 33 ++++++++++++++++++++++++---------
1 file changed, 24 insertions(+), 9 deletions(-)
--- a/drivers/tty/serial/pch_uart.c
+++ b/drivers/tty/serial/pch_uart.c
@@ -935,22 +935,37 @@ static unsigned int dma_handle_tx(struct
static void pch_uart_err_ir(struct eg20t_port *priv, unsigned int lsr)
{
u8 fcr = ioread8(priv->membase + UART_FCR);
+ struct uart_port *port = &priv->port;
+ struct tty_struct *tty = tty_port_tty_get(&port->state->port);
+ char *error_msg[5] = {};
+ int i = 0;
/* Reset FIFO */
fcr |= UART_FCR_CLEAR_RCVR;
iowrite8(fcr, priv->membase + UART_FCR);
if (lsr & PCH_UART_LSR_ERR)
- dev_err(&priv->pdev->dev, "Error data in FIFO\n");
+ error_msg[i++] = "Error data in FIFO\n";
- if (lsr & UART_LSR_FE)
- dev_err(&priv->pdev->dev, "Framing Error\n");
-
- if (lsr & UART_LSR_PE)
- dev_err(&priv->pdev->dev, "Parity Error\n");
-
- if (lsr & UART_LSR_OE)
- dev_err(&priv->pdev->dev, "Overrun Error\n");
+ if (lsr & UART_LSR_FE) {
+ port->icount.frame++;
+ error_msg[i++] = " Framing Error\n";
+ }
+
+ if (lsr & UART_LSR_PE) {
+ port->icount.parity++;
+ error_msg[i++] = " Parity Error\n";
+ }
+
+ if (lsr & UART_LSR_OE) {
+ port->icount.overrun++;
+ error_msg[i++] = " Overrun Error\n";
+ }
+
+ if (tty == NULL) {
+ for (i = 0; error_msg[i] != NULL; i++)
+ dev_err(&priv->pdev->dev, error_msg[i]);
+ }
}
static irqreturn_t pch_uart_interrupt(int irq, void *dev_id)
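Review bot: `tty_port_tty_get()` returns a counted reference and the function never calls tty_kref_put(tty), so every error interrupt on an open port leaks a tty refcount; add the put before returning. Second, `tty == NULL` is used as a stand-in for "this port is not the console", but it actually means "nobody has the port open": a getty on ttyPCH0 makes tty non-NULL with or without console=, so diagnostics are now suppressed on any open port, while a console port that is not open as a tty still prints and can still recurse into pch_console_write() under priv->lock. Testing the port's console status (uart_console(port)) is the condition the commit message describes. Third, `dev_err(&priv->pdev->dev, error_msg[i])` passes a non-literal as the format string; the strings are constants today, but dev_err(dev, "%s", error_msg[i]) keeps the compiler's format checking meaningful. Minor: the leading space in " Framing Error\n" and the following two messages looks unintended.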
* Re: [ 0/8] 3.0.85-stable review
From: Guenter Roeck @ 2013-07-02 6:51 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: linux-kernel, torvalds, akpm, stable
On Mon, Jul 01, 2013 at 01:10:32PM -0700, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 3.0.85 release.
> There are 8 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed Jul 3 19:59:07 UTC 2013.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> kernel.org/pub/linux/kernel/v3.0/stable-review/patch-3.0.85-rc1.gz
> and the diffstat can be found below.
>
Build results are as follows. Same results as with 3.0.84.
Guenter
---
Build x86_64:defconfig passed
Build x86_64:allyesconfig passed
Build x86_64:allmodconfig passed
Build x86_64:allnoconfig passed
Build x86_64:alldefconfig passed
Build i386:defconfig passed
Build i386:allyesconfig passed
Build i386:allmodconfig passed
Build i386:allnoconfig passed
Build i386:alldefconfig passed
Build mips:defconfig passed
Build mips:bcm47xx_defconfig passed
Build mips:bcm63xx_defconfig passed
Build mips:ar7_defconfig passed
Build mips:fuloong2e_defconfig passed
Build mips:e55_defconfig passed
Build mips:powertv_defconfig passed
Build mips:malta_defconfig passed
Build powerpc:defconfig failed
Build powerpc:allyesconfig failed
Build powerpc:allmodconfig failed
Build powerpc:maple_defconfig failed
Build powerpc:ppc6xx_defconfig passed
Build powerpc:mpc83xx_defconfig passed
Build powerpc:mpc85xx_defconfig passed
Build powerpc:mpc85xx_smp_defconfig passed
Build powerpc:tqm8xx_defconfig passed
Build powerpc:85xx/sbc8548_defconfig passed
Build powerpc:83xx/mpc834x_mds_defconfig passed
Build powerpc:86xx/sbc8641d_defconfig passed
Build arm:defconfig passed
Build arm:allyesconfig failed
Build arm:allmodconfig failed
Build arm:exynos4_defconfig passed
Build arm:kirkwood_defconfig passed
Build arm:omap2plus_defconfig passed
Build arm:tegra_defconfig passed
Build arm:u8500_defconfig failed
Build arm:ap4evb_defconfig passed
Build arm:pxa910_defconfig passed
Build m68k:defconfig passed
Build m68k:m5272c3_defconfig failed
Build m68k:m5307c3_defconfig failed
Build m68k:m5249evb_defconfig failed
Build m68k:m5407c3_defconfig failed
Build m68k:sun3_defconfig passed
Build sparc:defconfig passed
Build sparc:sparc64_defconfig passed
Build xtensa:defconfig failed
Build xtensa:iss_defconfig failed
Build microblaze:mmu_defconfig failed
Build microblaze:nommu_defconfig failed
Build blackfin:defconfig failed
Build parisc:defconfig failed
-----------------------
Total builds: 54 Total build errors: 17
* Re: [ 0/8] 3.0.85-stable review
From: Shuah Khan @ 2013-07-02 18:46 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: linux-kernel, torvalds, akpm, stable, Shuah Khan, shuahkhan
On 07/01/2013 03:08 PM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 3.0.85 release.
> There are 8 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed Jul 3 19:59:07 UTC 2013.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> kernel.org/pub/linux/kernel/v3.0/stable-review/patch-3.0.85-rc1.gz
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Patches applied cleanly to 3.0.84, 3.4.51, and 3.9.8
Compiled and booted on the following systems:
Samsung Series 9 900X4C Intel Corei5:
(3.4.52-rc1, and 3.9.9-rc1)
HP ProBook 6475b AMD A10-4600M APU with Radeon(tm) HD Graphics:
(3.0.85-rc1, 3.4.52-rc1, and 3.9.9-rc1)
dmesgs for all releases look good. No regressions compared to the
previous dmesgs for each of these releases.
Cross-compile testing:
HP Compaq dc7700 SFF desktop: x86-64 Intel Core-i2:
(3.0.85-rc1, 3.4.52-rc1, and 3.9.9-rc1)
Cross-compile test results:
alpha: defconfig passed on all
arm: defconfig passed on all
arm64: not applicable to 3.0.y, 3.4.y. defconfig passed on 3.9.y
c6x: not applicable to 3.0.y, defconfig passed on 3.4.y, and 3.9.y
mips: defconfig passed on all
mipsel: defconfig passed on all
powerpc: wii_defconfig passed on all
sh: defconfig passed on all
sparc: defconfig passed on all
tile: tilegx_defconfig passed on all
-- Shuah
Shuah Khan, Linux Kernel Developer - Open Source Group Samsung Research
America (Silicon Valley) shuah.kh@samsung.com | (970) 672-0658
* Re: [ 0/8] 3.0.85-stable review
From: Greg Kroah-Hartman @ 2013-07-02 18:55 UTC (permalink / raw)
To: Shuah Khan; +Cc: linux-kernel, torvalds, akpm, stable, shuahkhan
On Tue, Jul 02, 2013 at 06:46:10PM +0000, Shuah Khan wrote:
> On 07/01/2013 03:08 PM, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 3.0.85 release.
> > There are 8 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Wed Jul 3 19:59:07 UTC 2013.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> > kernel.org/pub/linux/kernel/v3.0/stable-review/patch-3.0.85-rc1.gz
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
>
> Patches applied cleanly to 3.0.84, 3.4.51, and 3.9.8
>
> Compiled and booted on the following systems:
>
> Samsung Series 9 900X4C Intel Corei5:
> (3.4.52-rc1, and 3.9.9-rc1)
> HP ProBook 6475b AMD A10-4600M APU with Radeon(tm) HD Graphics:
> (3.0.85-rc1, 3.4.52-rc1, and 3.9.9-rc1)
>
> dmesgs for all releases look good. No regressions compared to the
> previous dmesgs for each of these releases.
Thanks for testing and letting us know.
greg k-h
* Re: [ 0/8] 3.0.85-stable review
From: Greg Kroah-Hartman @ 2013-07-02 18:55 UTC (permalink / raw)
To: Guenter Roeck; +Cc: linux-kernel, torvalds, akpm, stable
On Mon, Jul 01, 2013 at 11:51:47PM -0700, Guenter Roeck wrote:
> On Mon, Jul 01, 2013 at 01:10:32PM -0700, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 3.0.85 release.
> > There are 8 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Wed Jul 3 19:59:07 UTC 2013.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> > kernel.org/pub/linux/kernel/v3.0/stable-review/patch-3.0.85-rc1.gz
> > and the diffstat can be found below.
> >
>
> Build results are as follows. Same results as with 3.0.84.
Wonderful, thanks for testing.
greg k-h