1. 03 Jul, 2013 8 commits
    • Kees Cook's avatar
      drivers: avoid format string in dev_set_name · 02aa2a37
      Kees Cook authored
      Calling dev_set_name with a single paramter causes it to be handled as a
      format string.  Many callers are passing potentially dynamic string
      content, so use "%s" in those cases to avoid any potential accidents,
      including wrappers like device_create*() and bdi_register().
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      02aa2a37
    • Kees Cook's avatar
      clean up scary strncpy(dst, src, strlen(src)) uses · 096a8aac
      Kees Cook authored
      Fix various weird constructions of strncpy(dst, src, strlen(src)).
      
      Length limits should be about the space available in the destination,
      not repurposed as a method to either always include or always exclude a
      trailing NULL byte.  Either the NULL should always be copied (using
      strlcpy), or it should not be copied (using something like memcpy).
      Readable code should not depend on the weird behavior of strncpy when it
      hits the length limit.  Better to avoid the anti-pattern entirely.
      
      [akpm@linux-foundation.org: revert getdelays.c part due to missing bsd/string.h]
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	[staging]
      Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>	[acpi]
      Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: Ursula Braun <ursula.braun@de.ibm.com>
      Cc: Frank Blaschka <blaschka@linux.vnet.ibm.com>
      Cc: Richard Weinberger <richard@nod.at>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      096a8aac
    • Jiang Liu's avatar
      mm: correctly update zone->managed_pages · 3dcc0571
      Jiang Liu authored
      Enhance adjust_managed_page_count() to adjust totalhigh_pages for
      highmem pages.  And change code which directly adjusts totalram_pages to
      use adjust_managed_page_count() because it adjusts totalram_pages,
      totalhigh_pages and zone->managed_pages altogether in a safe way.
      
      Remove inc_totalhigh_pages() and dec_totalhigh_pages() from xen/balloon
      driver bacause adjust_managed_page_count() has already adjusted
      totalhigh_pages.
      
      This patch also fixes two bugs:
      
      1) enhances virtio_balloon driver to adjust totalhigh_pages when
         reserve/unreserve pages.
      2) enhance memory_hotplug.c to adjust totalhigh_pages when hot-removing
         memory.
      
      We still need to deal with modifications of totalram_pages in file
      arch/powerpc/platforms/pseries/cmm.c, but need help from PPC experts.
      
      [akpm@linux-foundation.org: remove ifdef, per Wanpeng Li, virtio_balloon.c cleanup, per Sergei]
      [akpm@linux-foundation.org: export adjust_managed_page_count() to modules, for drivers/virtio/virtio_balloon.c]
      Signed-off-by: default avatarJiang Liu <jiang.liu@huawei.com>
      Cc: Chris Metcalf <cmetcalf@tilera.com>
      Cc: Rusty Russell <rusty@rustcorp.com.au>
      Cc: "Michael S. Tsirkin" <mst@redhat.com>
      Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Cc: Jeremy Fitzhardinge <jeremy@goop.org>
      Cc: Wen Congyang <wency@cn.fujitsu.com>
      Cc: Tang Chen <tangchen@cn.fujitsu.com>
      Cc: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
      Cc: Mel Gorman <mel@csn.ul.ie>
      Cc: Minchan Kim <minchan@kernel.org>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: <sworddragon2@aol.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: David Howells <dhowells@redhat.com>
      Cc: Geert Uytterhoeven <geert@linux-m68k.org>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Jianguo Wu <wujianguo@huawei.com>
      Cc: Joonsoo Kim <js1304@gmail.com>
      Cc: Kamezawa Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
      Cc: Marek Szyprowski <m.szyprowski@samsung.com>
      Cc: Michel Lespinasse <walken@google.com>
      Cc: Rik van Riel <riel@redhat.com>
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: Yinghai Lu <yinghai@kernel.org>
      Cc: Russell King <rmk@arm.linux.org.uk>
      Cc: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Cc: Wu Fengguang <fengguang.wu@intel.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      3dcc0571
    • Libin's avatar
      uio: use vma_pages() to replace (vm_end - vm_start) >> PAGE_SHIFT · 52c2dad9
      Libin authored
      (*->vm_end - *->vm_start) >> PAGE_SHIFT operation is implemented
      as a inline funcion vma_pages() in linux/mm.h, so using it.
      Signed-off-by: default avatarLibin <huawei.libin@huawei.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      52c2dad9
    • Kees Cook's avatar
      block: do not pass disk names as format strings · ffc8b308
      Kees Cook authored
      Disk names may contain arbitrary strings, so they must not be
      interpreted as format strings.  It seems that only md allows arbitrary
      strings to be used for disk names, but this could allow for a local
      memory corruption from uid 0 into ring 0.
      
      CVE-2013-2851
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Cc: Jens Axboe <axboe@kernel.dk>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      ffc8b308
    • Jonathan Salwan's avatar
      drivers/cdrom/cdrom.c: use kzalloc() for failing hardware · 542db015
      Jonathan Salwan authored
      In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory
      area with kmalloc in line 2885.
      
        2885         cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
        2886         if (cgc->buffer == NULL)
        2887                 return -ENOMEM;
      
      In line 2908 we can find the copy_to_user function:
      
        2908         if (!ret && copy_to_user(arg, cgc->buffer, blocksize))
      
      The cgc->buffer is never cleaned and initialized before this function.
      If ret = 0 with the previous basic block, it's possible to display some
      memory bytes in kernel space from userspace.
      
      When we read a block from the disk it normally fills the ->buffer but if
      the drive is malfunctioning there is a chance that it would only be
      partially filled.  The result is an leak information to userspace.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Cc: Jens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      542db015
    • Libo Chen's avatar
      drivers/cdrom/gdrom.c: fix device number leak · 31bd8fbb
      Libo Chen authored
      Without this patch, gdrom_major will leak when gd.cd_info alloc fails.
      Signed-off-by: default avatarLibo Chen <libo.chen@huawei.com>
      Cc: Jens Axboe <axboe@kernel.dk>
      Acked-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      31bd8fbb
    • Bartlomiej Zolnierkiewicz's avatar
      drivers/dma/pl330.c: fix locking in pl330_free_chan_resources() · da331ba8
      Bartlomiej Zolnierkiewicz authored
      tasklet_kill() may sleep so call it before taking pch->lock.
      
      Fixes following lockup:
      
        BUG: scheduling while atomic: cat/2383/0x00000002
        Modules linked in:
          unwind_backtrace+0x0/0xfc
          __schedule_bug+0x4c/0x58
          __schedule+0x690/0x6e0
          sys_sched_yield+0x70/0x78
          tasklet_kill+0x34/0x8c
          pl330_free_chan_resources+0x24/0x88
          dma_chan_put+0x4c/0x50
        [...]
        BUG: spinlock lockup suspected on CPU#0, swapper/0/0
         lock: 0xe52aa04c, .magic: dead4ead, .owner: cat/2383, .owner_cpu: 1
          unwind_backtrace+0x0/0xfc
          do_raw_spin_lock+0x194/0x204
          _raw_spin_lock_irqsave+0x20/0x28
          pl330_tasklet+0x2c/0x5a8
          tasklet_action+0xfc/0x114
          __do_softirq+0xe4/0x19c
          irq_exit+0x98/0x9c
          handle_IPI+0x124/0x16c
          gic_handle_irq+0x64/0x68
          __irq_svc+0x40/0x70
          cpuidle_wrap_enter+0x4c/0xa0
          cpuidle_enter_state+0x18/0x68
          cpuidle_idle_call+0xac/0xe0
          cpu_idle+0xac/0xf0
      Signed-off-by: default avatarBartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
      Signed-off-by: default avatarKyungmin Park <kyungmin.park@samsung.com>
      Acked-by: default avatarJassi Brar <jassisinghbrar@gmail.com>
      Cc: Vinod Koul <vinod.koul@linux.intel.com>
      Cc: Tomasz Figa <t.figa@samsung.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      da331ba8
  2. 30 Jun, 2013 1 commit
  3. 29 Jun, 2013 24 commits
  4. 28 Jun, 2013 1 commit
  5. 27 Jun, 2013 2 commits
  6. 26 Jun, 2013 4 commits