Skip to content

L
linux-davinci
Switch branch/tag
  1. 22 Aug, 2009 1 commit
    • Vegard Nossum's avatar
      On 2009/6/17 Ingo Molnar <mingo@elte.hu> reported: · 95096a22
      Vegard Nossum authored 
      >
> btw., here's an old friend of a warning:
>
> async_continuing @ 1 after 0 usec
> WARNING: kmemcheck: Caught 8-bit read from freed memory (f5f33004)
> 0040f3f57400686f74706c756700000000000000000000000000000000000000
>  i i i i f f f f f f f f f f f f f f f f f f f f f f f f f f f f
>          ^
>
> Pid: 1, comm: swapper Not tainted (2.6.30-tip-04303-g5ada65e-dirty #767) P4DC6
> EIP: 0060:[<c1248df4>] EFLAGS: 00010246 CPU: 0
> EIP is at exact_copy_from_user+0x64/0x130
> EAX: 00000000 EBX: 00000001 ECX: 000000f5 EDX: 000000f5
> ESI: f5fdeffb EDI: f5f33004 EBP: f6c48ee8 ESP: c29598cc
>  DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
> CR0: 8005003b CR2: f6c20044 CR3: 0294d000 CR4: 000006d0
> DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
> DR6: ffff4ff0 DR7: 00000400
>  [<c124916a>] copy_mount_options+0xba/0x1c0
>  [<c124dc0a>] sys_mount+0x1a/0x170
>  [<c263c937>] do_mount_root+0x27/0xe0
>  [<c263ca33>] mount_block_root+0x43/0x140
>  [<c263cc02>] mount_root+0xd2/0x160
>  [<c263ce49>] prepare_namespace+0x1b9/0x380
>  [<c263c4c8>] kernel_init+0xb8/0x110
>  [<c103ab13>] kernel_thread_helper+0x7/0x14
>  [<ffffffff>] 0xffffffff
> EXT3-fs: INFO: recovery required on readonly filesystem.
> EXT3-fs: write access will be enabled during recovery.

sys_mount() reads/copies a whole page for its "type" parameter.  When
do_mount_root() passes a kernel address that points to an object which is
smaller than a whole page, copy_mount_options() will happily go past this
memory object, possibly dereferencing "wild" pointers that could be in any
state (hence the kmemcheck warning, which shows that parts of the next
page are not even allocated).

(The likelihood of something going wrong here is pretty low -- first of
all this only applies to kernel calls to sys_mount(), which are mostly
found in the boot code.  Secondly, I guess if the page was not mapped,
exact_copy_from_user() _would_ in fact handle it correctly because of its
access_ok(), etc.  checks.)

But it is much nicer to avoid the dubious reads altogether, by stopping as
soon as we find a NUL byte.  Is there a good reason why we can't do
something like this, using the already existing strndup_from_user()?

[akpm@linux-foundation.org: make copy_mount_string() static]
Reported-by: default avatarIngo Molnar <mingo@elte.hu>
Signed-off-by: default avatarVegard Nossum <vegard.nossum@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Pekka Enberg <penberg@cs.helsinki.fi>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      95096a22
  3. 24 Aug, 2009 2 commits
  5. 10 Jun, 2009 1 commit
  7. 20 Apr, 2009 1 commit
  9. 24 Aug, 2009 2 commits
    • Al Viro's avatar
      RAW_SETBIND and RAW_GETBIND 32bit versions are fscked in interesting ways. · 2c7a9493
      Al Viro authored 
      1) fs/compat_ioctl.c has COMPATIBLE_IOCTL(RAW_SETBIND) followed by
HANDLE_IOCTL(RAW_SETBIND, raw_ioctl).  The latter is ignored.

2) on amd64 (and itanic) the damn thing is broken - we have int + u64 + u64
and layouts on i386 and amd64 are _not_ the same.  raw_ioctl() would
work there, but it's never called due to (1).  As it is, i386 /sbin/raw
definitely doesn't work on amd64 boxen.

3) switching to raw_ioctl() as is would *not* work on e.g. sparc64 and ppc64,
which would be rather sad, seeing that normal userland there is 32bit.
The thing is, slapping __packed on the struct in question does not DTRT -
it eliminates *all* padding.  The real solution is to use compat_u64.

4) of course, all that stuff has no business being outside of raw.c in the
first place - there should be ->compat_ioctl() for /dev/rawctl instead of
messing with compat_ioctl.c.

[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      2c7a9493
    • Miklos Szeredi's avatar
      vfs_rename_dir() doesn't properly account for filesystems with · 5717077e
      Miklos Szeredi authored 
      FS_RENAME_DOES_D_MOVE.  If new_dentry has a target inode attached, it
unhashes the new_dentry prior to the rename() iop and rehashes it after,
but doesn't account for the possibility that rename() may have swapped
{old,new}_dentry.  For FS_RENAME_DOES_D_MOVE filesystems, it rehashes
new_dentry (now the old renamed-from name, which d_move() expected to go
away), such that a subsequent lookup will find it.

This was caught by the recently posted POSIX fstest suite, rename/10.t
test 62 (and others) on ceph.

The bug was introduced by: commit 349457cc
"[PATCH] Allow file systems to manually d_move() inside of ->rename()"

Fix by not rehashing the new dentry.  Rehashing used to be needed by
d_move() but isn't anymore.
Reported-by: default avatarSage Weil <sage@newdream.net>
Cc: Zach Brown <zach.brown@oracle.com>
Signed-off-by: default avatarMiklos Szeredi <mszeredi@suse.cz>
Cc: Mark Fasheh <mark.fasheh@oracle.com>
Cc: Trond Myklebust <trond.myklebust@fys.uio.no>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      5717077e
  11. 10 Sep, 2009 1 commit
  13. 03 Sep, 2009 3 commits
  15. 22 Aug, 2009 1 commit
  17. 13 Aug, 2009 1 commit
  19. 03 Sep, 2009 1 commit
  21. 02 Sep, 2009 2 commits
  23. 31 Aug, 2009 1 commit
  25. 25 Aug, 2009 1 commit
  27. 24 Aug, 2009 2 commits
  29. 20 Aug, 2009 1 commit
  31. 04 Aug, 2009 2 commits
  33. 29 Jul, 2009 4 commits
  35. 17 Jul, 2009 1 commit
  37. 11 Aug, 2009 1 commit
  39. 02 Oct, 2008 2 commits
    • Harvey Harrison's avatar
      It would be easy to get rid of the typedefs too, but I kept this · 92821ff1
      Harvey Harrison authored 
      minimal.

Noticed by sparse:
drivers/scsi/gdth.c:2395:31: warning: incorrect type in assignment (different base types)
drivers/scsi/gdth.c:2395:31:    expected unsigned int [unsigned] [assigned] [usertype] last_block_no
drivers/scsi/gdth.c:2395:31:    got restricted __be32 [usertype] <noident>
drivers/scsi/gdth.c:2396:27: warning: incorrect type in assignment (different base types)
drivers/scsi/gdth.c:2396:27:    expected unsigned int [unsigned] [assigned] [usertype] block_length
drivers/scsi/gdth.c:2396:27:    got restricted __be32 [usertype] <noident>
drivers/scsi/gdth.c:2406:33: warning: incorrect type in assignment (different base types)
drivers/scsi/gdth.c:2406:33:    expected unsigned long long [unsigned] [usertype] last_block_no
drivers/scsi/gdth.c:2406:33:    got restricted __be64 [usertype] <noident>
drivers/scsi/gdth.c:2407:33: warning: incorrect type in assignment (different base types)
drivers/scsi/gdth.c:2407:33:    expected unsigned int [unsigned] [usertype] block_length
drivers/scsi/gdth.c:2407:33:    got restricted __be32 [usertype] <noident>
Signed-off-by: default avatarHarvey Harrison <harvey.harrison@gmail.com>
Cc: Boaz Harrosh <bharrosh@panasas.com>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      92821ff1
    • Harvey Harrison's avatar
      Remove two now unnecessary local vars. · d9d28518
      Harvey Harrison authored 
      Signed-off-by: default avatarHarvey Harrison <harvey.harrison@gmail.com>
Cc: Boaz Harrosh <bharrosh@panasas.com>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      d9d28518
  41. 13 May, 2008 1 commit
  43. 02 Sep, 2009 1 commit
  45. 12 Aug, 2009 1 commit
    • Andrew Morton's avatar
      WARNING: line over 80 characters · 53990e05
      Andrew Morton authored 
      #29: FILE: include/linux/wait.h:80:
+extern void __init_waitqueue_head(wait_queue_head_t *q, struct lock_class_key *);

WARNING: EXPORT_SYMBOL(foo); should immediately follow its function/variable
#56: FILE: kernel/wait.c:20:
+EXPORT_SYMBOL(__init_waitqueue_head);

total: 0 errors, 2 warnings, 31 lines checked

./patches/waitqueues-give-waitqueue-spinlocks-their-own-lockdep-classes.patch has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.

Please run checkpatch prior to sending patches

Cc: David Howells <dhowells@redhat.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Takashi Iwai <tiwai@suse.de>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      53990e05
  47. 04 Aug, 2009 1 commit
  49. 24 Jul, 2009 1 commit
  51. 25 Aug, 2009 1 commit
  53. 04 Aug, 2009 1 commit
  55. 13 Jul, 2009 1 commit
  57. 07 Aug, 2009 1 commit