1. 16 Mar, 2009 3 commits
    • Artem Bityutskiy's avatar
      UBIFS: introduce a helpful variable · fb1cd01a
      Artem Bityutskiy authored
      This patch introduces a helpful @c->idx_leb_size variable.
      The patch also fixes some spelling issues and makes comments
      use "LEB" instead of "eraseblock", which is more correct.
      Signed-off-by: default avatarArtem Bityutskiy <Artem.Bityutskiy@nokia.com>
      fb1cd01a
    • Artem Bityutskiy's avatar
      UBIFS: use KERN_CONT · c9927c3e
      Artem Bityutskiy authored
      Signed-off-by: default avatarArtem Bityutskiy <Artem.Bityutskiy@nokia.com>
      c9927c3e
    • Artem Bityutskiy's avatar
      UBIFS: fix lprops committing bug · 0a6fb8d9
      Artem Bityutskiy authored
      When writing lprop nodes, do not forget to set @from to 0 when
      switching the LEB. This fixes the following bug:
      
      UBIFS error (pid 27768): ubifs_leb_write: writing -15456 bytes at 16:15880, error -22
      UBIFS error (pid 27768): do_commit: commit failed, error -22
      UBIFS warning (pid 27768): ubifs_ro_mode: switched to read-only mode, error -22
      Pid: 27768, comm: freespace Not tainted 2.6.29-rc4-ubifs-2.6 #43
      Call Trace:
       [<ffffffffa00c46d6>] ubifs_ro_mode+0x54/0x56 [ubifs]
       [<ffffffffa00cfa16>] do_commit+0x4f5/0x50a [ubifs]
       [<ffffffffa00cfae7>] ubifs_run_commit+0xbc/0xdb [ubifs]
       [<ffffffffa00d42b9>] ubifs_budget_space+0x742/0x9ed [ubifs]
       [<ffffffff812daf45>] ? __mutex_lock_common+0x361/0x3ae
       [<ffffffffa00bc437>] ? ubifs_write_begin+0x18d/0x44c [ubifs]
       [<ffffffffa00bc5cb>] ubifs_write_begin+0x321/0x44c [ubifs]
       [<ffffffff8106222b>] ? trace_hardirqs_on_caller+0x1f/0x14d
       [<ffffffff81097ce2>] generic_file_buffered_write+0x12f/0x2d9
       [<ffffffff8109828d>] __generic_file_aio_write_nolock+0x261/0x295
       [<ffffffff81098aff>] generic_file_aio_write+0x69/0xc5
       [<ffffffffa00bb914>] ubifs_aio_write+0x14c/0x19e [ubifs]
       [<ffffffff810c8f42>] do_sync_write+0xe7/0x12d
       [<ffffffff81055378>] ? autoremove_wake_function+0x0/0x38
       [<ffffffff81149edc>] ? security_file_permission+0x11/0x13
       [<ffffffff810c9827>] vfs_write+0xab/0x105
       [<ffffffff810c9945>] sys_write+0x47/0x6f
       [<ffffffff8100c35b>] system_call_fastpath+0x16/0x1b
      Signed-off-by: default avatarArtem Bityutskiy <Artem.Bityutskiy@nokia.com>
      0a6fb8d9
  2. 15 Mar, 2009 1 commit
  3. 14 Mar, 2009 1 commit
    • Adrian Hunter's avatar
      UBIFS: fix bug where page is marked uptodate when out of space · f55aa591
      Adrian Hunter authored
      UBIFS fast path in write_begin may mark a page up to date
      and then discover that there may not be enough space to do
      the write, and so fall back to a slow path.  The slow path
      tries harder, but may still find no space - leaving the page
      marked up to date, when it is not.  This patch ensures that
      the page is marked not up to date in that case.
      
      The bug that this patch fixes becomes evident when the write
      is into a hole (sparse file) or is at the end of the file
      and a subsequent read is off the end of the file.  In both
      cases, the file system should return zeros but was instead
      returning the page that had not been written because the
      file system was out of space.
      Signed-off-by: default avatarAdrian Hunter <ext-adrian.hunter@nokia.com>
      Signed-off-by: default avatarArtem Bityutskiy <Artem.Bityutskiy@nokia.com>
      f55aa591
  4. 08 Mar, 2009 2 commits
  5. 17 Feb, 2009 1 commit
  6. 09 Feb, 2009 1 commit
  7. 08 Feb, 2009 11 commits
  8. 07 Feb, 2009 18 commits
  9. 06 Feb, 2009 2 commits
    • David Howells's avatar
      CRED: Fix SUID exec regression · 0bf2f3ae
      David Howells authored
      The patch:
      
      	commit a6f76f23
      	CRED: Make execve() take advantage of copy-on-write credentials
      
      moved the place in which the 'safeness' of a SUID/SGID exec was performed to
      before de_thread() was called.  This means that LSM_UNSAFE_SHARE is now
      calculated incorrectly.  This flag is set if any of the usage counts for
      fs_struct, files_struct and sighand_struct are greater than 1 at the time the
      determination is made.  All of which are true for threads created by the
      pthread library.
      
      However, since we wish to make the security calculation before irrevocably
      damaging the process so that we can return it an error code in the case where
      we decide we want to reject the exec request on this basis, we have to make the
      determination before calling de_thread().
      
      So, instead, we count up the number of threads (CLONE_THREAD) that are sharing
      our fs_struct (CLONE_FS), files_struct (CLONE_FILES) and sighand_structs
      (CLONE_SIGHAND/CLONE_THREAD) with us.  These will be killed by de_thread() and
      so can be discounted by check_unsafe_exec().
      
      We do have to be careful because CLONE_THREAD does not imply FS or FILES.
      
      We _assume_ that there will be no extra references to these structs held by the
      threads we're going to kill.
      
      This can be tested with the attached pair of programs.  Build the two programs
      using the Makefile supplied, and run ./test1 as a non-root user.  If
      successful, you should see something like:
      
      	[dhowells@andromeda tmp]$ ./test1
      	--TEST1--
      	uid=4043, euid=4043 suid=4043
      	exec ./test2
      	--TEST2--
      	uid=4043, euid=0 suid=0
      	SUCCESS - Correct effective user ID
      
      and if unsuccessful, something like:
      
      	[dhowells@andromeda tmp]$ ./test1
      	--TEST1--
      	uid=4043, euid=4043 suid=4043
      	exec ./test2
      	--TEST2--
      	uid=4043, euid=4043 suid=4043
      	ERROR - Incorrect effective user ID!
      
      The non-root user ID you see will depend on the user you run as.
      
      [test1.c]
      #include <stdio.h>
      #include <stdlib.h>
      #include <unistd.h>
      #include <pthread.h>
      
      static void *thread_func(void *arg)
      {
      	while (1) {}
      }
      
      int main(int argc, char **argv)
      {
      	pthread_t tid;
      	uid_t uid, euid, suid;
      
      	printf("--TEST1--\n");
      	getresuid(&uid, &euid, &suid);
      	printf("uid=%d, euid=%d suid=%d\n", uid, euid, suid);
      
      	if (pthread_create(&tid, NULL, thread_func, NULL) < 0) {
      		perror("pthread_create");
      		exit(1);
      	}
      
      	printf("exec ./test2\n");
      	execlp("./test2", "test2", NULL);
      	perror("./test2");
      	_exit(1);
      }
      
      [test2.c]
      #include <stdio.h>
      #include <stdlib.h>
      #include <unistd.h>
      
      int main(int argc, char **argv)
      {
      	uid_t uid, euid, suid;
      
      	getresuid(&uid, &euid, &suid);
      	printf("--TEST2--\n");
      	printf("uid=%d, euid=%d suid=%d\n", uid, euid, suid);
      
      	if (euid != 0) {
      		fprintf(stderr, "ERROR - Incorrect effective user ID!\n");
      		exit(1);
      	}
      	printf("SUCCESS - Correct effective user ID\n");
      	exit(0);
      }
      
      [Makefile]
      CFLAGS = -D_GNU_SOURCE -Wall -Werror -Wunused
      all: test1 test2
      
      test1: test1.c
      	gcc $(CFLAGS) -o test1 test1.c -lpthread
      
      test2: test2.c
      	gcc $(CFLAGS) -o test2 test2.c
      	sudo chown root.root test2
      	sudo chmod +s test2
      Reported-by: default avatarDavid Smith <dsmith@redhat.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarDavid Smith <dsmith@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      0bf2f3ae
    • Dave Kleikamp's avatar
      vfs: Don't call attach_nobh_buffers() with an empty list · d4cf109f
      Dave Kleikamp authored
      This is a modification of a patch by Bill Pemberton <wfp5p@virginia.edu>
      
      nobh_write_end() could call attach_nobh_buffers() with head == NULL.
      This would result in a trap when attach_nobh_buffers() attempted to
      access bh->b_this_page.
      
      This can be illustrated by running the writev01 testcase from LTP on jfs.
      
      This error was introduced by commit 5b41e74a "vfs: fix data leak in
      nobh_write_end()".  That patch did not take into account that if
      PageMappedToDisk() is true upon entry to nobh_write_begin(), then no
      buffers will be allocated for the page.  In that case, we won't have to
      worry about a failed write leaving unitialized data in the page.
      
      Of course, head != NULL implies !page_has_buffers(page), so no need to
      test both.
      Signed-off-by: default avatarDave Kleikamp <shaggy@linux.vnet.ibm.com>
      Cc: Bill Pemberton <wfp5p@virginia.edu>
      Cc: Dmitri Monakhov <dmonakhov@openvz.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      d4cf109f