[6 years ago] fix build on some compilers (pandora-27-omap1)
Grazvydas Ignotas [Fri, 28 Nov 2014 01:49:53 +0000 (03:49 +0200)]
fix build on some compilers

[9 years ago] Input: ads7846: allow at most 1 read at a time (sz_old_beta2)
Grazvydas Ignotas [Fri, 16 Mar 2012 23:22:12 +0000 (01:22 +0200)]
Input: ads7846: allow at most 1 read at a time

otherwise buffer overflows can happen, followed by a crash.

[9 years ago] Input: ads7846: always set timer
Grazvydas Ignotas [Mon, 12 Mar 2012 20:43:16 +0000 (22:43 +0200)]
Input: ads7846: always set timer

for the case display is suspended. If it's active, it will
override the old timer since its delay is longer than display
vsync interval.

[9 years ago] pandora misc: set up some required registers
Grazvydas Ignotas [Mon, 12 Mar 2012 20:04:32 +0000 (22:04 +0200)]
pandora misc: set up some required registers

to not rely on reset values, that other kernels can change.

Sriram [Fri, 29 Jan 2010 22:20:05 +0000 (14:20 -0800)]

OMAP platforms(like OMAP3530) include DSP or other co-processors
for media acceleration. when carving out memory for the
accelerators we can end up creating a hole in the memory map
of sort:
<kernel memory><hole(memory for accelerator)><kernel memory>

To handle such a memory configuration ARCH_HAS_HOLES_MEMORYMODEL
has to be enabled. For further information refer discussion at:

Signed-off-by: Sriramakrishnan <>
Signed-off-by: Tony Lindgren <>
[9 years ago] ARM: Fix pfn_valid() for sparse memory
Russell King [Mon, 7 Sep 2009 14:06:42 +0000 (15:06 +0100)]
ARM: Fix pfn_valid() for sparse memory

On OMAP platforms, some people want to declare to segment up the memory
between the kernel and a separate application such that there is a hole
in the middle of the memory as far as Linux is concerned.  However,
they want to be able to mmap() the hole.

This currently causes problems, because update_mmu_cache() thinks that
there are valid struct pages for the "hole".  Fix this by making
pfn_valid() slightly more expensive, by checking whether the PFN is
contained within the meminfo array.

Signed-off-by: Russell King <>
Tested-by: Khasim Syed Mohammed <>
[9 years ago] [ARM] mem_init(): make highmem pages available for use
Nicolas Pitre [Wed, 17 Sep 2008 19:21:55 +0000 (15:21 -0400)]
[ARM] mem_init(): make highmem pages available for use

Signed-off-by: Nicolas Pitre <>
[9 years ago] [ARM] mem_init() cleanups
Nicolas Pitre [Wed, 17 Sep 2008 18:50:42 +0000 (14:50 -0400)]
[ARM] mem_init() cleanups

Make free_area() arguments pfn based, and return number of freed pages.
This will simplify highmem initialization later.

Also, codepages, datapages and initpages are actually codesize, datasize
and initsize.

Signed-off-by: Nicolas Pitre <>
Signed-off-by: Russell King <>
[9 years ago] [ARM] rationalize memory configuration code some more
Nicolas Pitre [Mon, 6 Oct 2008 17:24:40 +0000 (13:24 -0400)]
[ARM] rationalize memory configuration code some more

Currently there are two instances of struct meminfo: one in
kernel/setup.c marked __initdata, and another in mm/init.c with
permanent storage.  Let's keep only the later to directly populate
the permanent version from arm_add_memory().

Also move common validation tests between the MMU and non-MMU cases
into arm_add_memory() to remove some duplication.  Protection against
overflowing the membank array is also moved in there in order to cover
the kernel cmdline parsing path as well.

Signed-off-by: Nicolas Pitre <>
Signed-off-by: Russell King <>
[9 years ago] [ARM] mm: finish ARM sparsemem support
Russell King [Wed, 1 Oct 2008 15:58:32 +0000 (16:58 +0100)]
[ARM] mm: finish ARM sparsemem support

... including some comments about the ordering required to bring
sparsemem up.  You have to repeatedly guess, test, reguess, try
again and again to work out what the right ordering is.  Many
hours later...

Signed-off-by: Russell King <>
[9 years ago] [ARM] mm: provide helpers for accessing membanks
Russell King [Wed, 1 Oct 2008 15:56:15 +0000 (16:56 +0100)]
[ARM] mm: provide helpers for accessing membanks

Provide helpers for getting physical addresses or pfns from the
meminfo array, and use them.  Move for_each_nodebank() to
asm/setup.h alongside the meminfo structure definition.

Signed-off-by: Russell King <>
[9 years ago] [ARM] mm: move validation of membanks to one place
Russell King [Tue, 30 Sep 2008 18:29:25 +0000 (19:29 +0100)]
[ARM] mm: move validation of membanks to one place

The newly introduced sanity_check_meminfo() function should be
used to collect all validation of the meminfo array, which we
have in bootmem_init().  Move it there.

Signed-off-by: Russell King <>
[9 years ago] [ARM] clean up a load of old declarations
Russell King [Sat, 6 Sep 2008 10:23:30 +0000 (11:23 +0100)]
[ARM] clean up a load of old declarations

... some of which are now in linux/*.h headers.

Signed-off-by: Russell King <>
[9 years ago] [ARM] move initrd code from kernel/setup.c to mm/init.c
Russell King [Sat, 6 Sep 2008 09:57:03 +0000 (10:57 +0100)]
[ARM] move initrd code from kernel/setup.c to mm/init.c

This quietens some sparse warnings about phys_initrd_start and

Signed-off-by: Russell King <>
[9 years ago] [ARM] Double check memmap is actually valid with a memmap has unexpected holes V2
Mel Gorman [Wed, 13 May 2009 16:34:48 +0000 (17:34 +0100)]
[ARM] Double check memmap is actually valid with a memmap has unexpected holes V2

pfn_valid() is meant to be able to tell if a given PFN has valid memmap
associated with it or not. In FLATMEM, it is expected that holes always
have valid memmap as long as there is valid PFNs either side of the hole.
In SPARSEMEM, it is assumed that a valid section has a memmap for the
entire section.

However, ARM and maybe other embedded architectures in the future free
memmap backing holes to save memory on the assumption the memmap is never
used. The page_zone linkages are then broken even though pfn_valid()
returns true. A walker of the full memmap must then do this additional
check to ensure the memmap they are looking at is sane by making sure the
zone and PFN linkages are still valid. This is expensive, but walkers of
the full memmap are extremely rare.

This was caught before for FLATMEM and hacked around but it hits again for
SPARSEMEM because the page_zone linkages can look ok where the PFN linkages
are totally screwed. This looks like a hatchet job but the reality is that
any clean solution would end up consuming all the memory saved by punching
these unexpected holes in the memmap. For example, we tried marking the
memmap within the section invalid but the section size exceeds the size of
the hole in most cases so pfn_valid() starts returning false where valid
memmap exists. Shrinking the size of the section would increase memory
consumption offsetting the gains.

This patch identifies when an architecture is punching unexpected holes
in the memmap that the memory model cannot automatically detect and sets
ARCH_HAS_HOLES_MEMORYMODEL. At the moment, this is restricted to EP93xx
which is the model sub-architecture this has been reported on but may expand
later. When set, walkers of the full memmap must call memmap_valid_within()
for each PFN and passing in what it expects the page and zone to be for
that PFN. If it finds the linkages to be broken, it assumes the memmap is
invalid for that PFN.

Signed-off-by: Mel Gorman <>
Signed-off-by: Russell King <>
[9 years ago] hsmmc: clear CLKISEL bit for mmc2
Grazvydas Ignotas [Tue, 27 Dec 2011 13:51:58 +0000 (15:51 +0200)]
hsmmc: clear CLKISEL bit for mmc2

newer u-boot sets it, we need to clear it again..

[9 years ago] ARM: OMAP: Fix omap34xx revision detection for ES3.1
Tony Lindgren [Thu, 29 Jan 2009 16:57:16 +0000 (08:57 -0800)]
ARM: OMAP: Fix omap34xx revision detection for ES3.1

Fix omap34xx revision detection for ES3.1

Signed-off-by: Tony Lindgren <>
[9 years ago] hsmmc: increase VMMC voltage to 3.15V
Grazvydas Ignotas [Sun, 25 Dec 2011 00:06:44 +0000 (02:06 +0200)]
hsmmc: increase VMMC voltage to 3.15V

ED reported SD card compatibility improvement with this.

[9 years ago] Revert "twl4030_bci_battery: Improved threshold setting"
Grazvydas Ignotas [Sat, 17 Dec 2011 20:30:14 +0000 (22:30 +0200)]
Revert "twl4030_bci_battery: Improved threshold setting"

This reverts commit 91b421c5a15ca356a06f9c2cb729902029bb03f3.
It was causing charge to stop prematurely for some users,
and not actually stopped charging for others when full anyway,
so reverting this.

[9 years ago] Input: ads7846: add read on vsync hack
Grazvydas Ignotas [Sun, 4 Dec 2011 14:26:50 +0000 (16:26 +0200)]
Input: ads7846: add read on vsync hack

solves lots of noise issues, but breaks TS when screen is blanked.
Something to fix sometime later I guess..

[9 years ago] Input: ads7846: make debounce_tol runtime configurable
Grazvydas Ignotas [Fri, 2 Dec 2011 22:29:58 +0000 (00:29 +0200)]
Input: ads7846: make debounce_tol runtime configurable

[9 years ago] DSS2: OMAPFB: allow to override framebuffer cache attrs
Grazvydas Ignotas [Mon, 14 Nov 2011 01:28:03 +0000 (03:28 +0200)]
DSS2: OMAPFB: allow to override framebuffer cache attrs

[9 years ago] mm: make ARM cache attributes settable through mmap
Grazvydas Ignotas [Mon, 14 Nov 2011 01:11:51 +0000 (03:11 +0200)]
mm: make ARM cache attributes settable through mmap

non-standard, mostly for fun, we want to be hacking-friendly after all.

[9 years ago] Merge branch 'linux-2.6.27.y' into pandora-27-omap1
Grazvydas Ignotas [Sun, 13 Nov 2011 16:39:02 +0000 (18:39 +0200)]
Merge branch 'linux-2.6.27.y' into pandora-27-omap1

[9 years ago] [ARM] Convert ARMv6 and ARMv7 to use new memory types
Russell King [Sat, 6 Sep 2008 20:07:45 +0000 (21:07 +0100)]
[ARM] Convert ARMv6 and ARMv7 to use new memory types

Signed-off-by: Russell King <>
[9 years ago] [ARM] Convert Xscale and Xscale3 to use new memory types
Russell King [Sat, 6 Sep 2008 19:47:54 +0000 (20:47 +0100)]
[ARM] Convert Xscale and Xscale3 to use new memory types

Signed-off-by: Russell King <>
[9 years ago] [ARM] Convert set_pte_ext implementations to macros
Russell King [Sat, 6 Sep 2008 16:19:08 +0000 (17:19 +0100)]
[ARM] Convert set_pte_ext implementations to macros

There are actually only four separate implementations of set_pte_ext.
Use assembler macros to insert code for these into the proc-*.S files.

Signed-off-by: Russell King <>
[9 years ago] [ARM] Introduce new PTE memory type bits
Russell King [Sat, 6 Sep 2008 19:04:59 +0000 (20:04 +0100)]
[ARM] Introduce new PTE memory type bits

Provide L_PTE_MT_xxx definitions to describe the memory types that we
use in Linux/ARM.  These definitions are carefully picked such that:

1. their LSBs match what is required for pre-ARMv6 CPUs.
2. they all have a unique encoding, including after modification
   by build_mem_type_table() (the result being that some have more
   than one combination.)

Signed-off-by: Russell King <>
[9 years ago] [ARM] Re-jig Linux PTE bits to allow room for 4 memory type bits
Russell King [Sat, 6 Sep 2008 17:53:37 +0000 (18:53 +0100)]
[ARM] Re-jig Linux PTE bits to allow room for 4 memory type bits

Signed-off-by: Russell King <>
[9 years ago] DSS2: omapfb: accept memory shrink requests while in use
Grazvydas Ignotas [Wed, 14 Sep 2011 12:54:52 +0000 (15:54 +0300)]
DSS2: omapfb: accept memory shrink requests while in use

.. but do nothing. Not the best solution but should keep things
working with TV-out.

[9 years ago] DSS2: allow to change venc.type through sysfs
Grazvydas Ignotas [Tue, 13 Sep 2011 23:36:21 +0000 (02:36 +0300)]
DSS2: allow to change venc.type through sysfs

[9 years ago] DSS2: omapfb: allow configure ioctl on plane with multiple overlays
Grazvydas Ignotas [Tue, 13 Sep 2011 22:47:05 +0000 (01:47 +0300)]
DSS2: omapfb: allow configure ioctl on plane with multiple overlays

this will only set up first overlay, others are to be set up by using
other means (most likely sysfs).

[10 years ago] twl4030_bci_battery: add charge enable control
Grazvydas Ignotas [Mon, 20 Jun 2011 13:39:30 +0000 (16:39 +0300)]
twl4030_bci_battery: add charge enable control

[10 years ago] twl4030_bci_battery: fix DISABLE 1 goofage
Grazvydas Ignotas [Mon, 20 Jun 2011 13:36:41 +0000 (16:36 +0300)]
twl4030_bci_battery: fix DISABLE 1 goofage

[10 years ago] twl4030_bci_battery: Improved threshold setting
David Goldsmith [Mon, 20 Jun 2011 02:31:56 +0000 (04:31 +0200)]
twl4030_bci_battery: Improved threshold setting

[10 years ago] BCI: pass di pointer to avoid NULL pointer dereference later
Grazvydas Ignotas [Fri, 17 Jun 2011 12:31:44 +0000 (15:31 +0300)]
BCI: pass di pointer to avoid NULL pointer dereference later

[10 years ago] input: vsense: round multipliers up
Grazvydas Ignotas [Fri, 10 Jun 2011 10:31:10 +0000 (13:31 +0300)]
input: vsense: round multipliers up

This will make read values consistent.

[10 years ago] update defconfig
Grazvydas Ignotas [Sun, 5 Jun 2011 16:55:09 +0000 (19:55 +0300)]
update defconfig

[10 years ago] ARM: Expose some PMON registers through sysfs
Mans Rullgard [Sat, 28 Mar 2009 13:05:02 +0000 (13:05 +0000)]
ARM: Expose some PMON registers through sysfs

[10 years ago] ARM: Add option to allow userspace access to performance counters
Mans Rullgard [Tue, 10 Nov 2009 00:52:56 +0000 (00:52 +0000)]
ARM: Add option to allow userspace access to performance counters

This adds an option to allow userspace access to the performance monitor
registers of the Cortex-A8.

Signed-off-by: Mans Rullgard <>
[10 years ago] ARM: Add option to allow userspace PLE access
Mans Rullgard [Tue, 10 Nov 2009 00:41:54 +0000 (00:41 +0000)]
ARM: Add option to allow userspace PLE access

This adds a Kconfig option to allow userspace to access the L2 preload
engine (PLE) found in Cortex-A8.

Signed-off-by: Mans Rullgard <>
[10 years ago] ARM: Expose some CPU control registers via sysfs
Mans Rullgard [Tue, 10 Nov 2009 00:39:21 +0000 (00:39 +0000)]
ARM: Expose some CPU control registers via sysfs

This creates sysfs files under /sys/devices/system/cpu/cpuN
exposing the values of the control register, auxiliary control
register, and L2 cache auxiliary control register.  Writing to
the files allows setting the value of bits which are safe to
change at any time.

Signed-off-by: Mans Rullgard <>
[10 years ago] Modified charging logic to make it stop and start sooner, hopefully preventing puffing
David Goldsmith [Mon, 23 May 2011 14:54:41 +0000 (10:54 -0400)]
Modified charging logic to make it stop and start sooner, hopefully preventing puffing

[ cleaned up comments a bit ]
Signed-off-by: David Goldsmith <>
[10 years ago] cifs: never ignore uid/gid override
Grazvydas Ignotas [Fri, 11 Mar 2011 22:08:51 +0000 (00:08 +0200)]
cifs: never ignore uid/gid override

this is what newer CIFS does too.

[10 years ago] [CIFS] Use posix open on file open when server supports it
Steve French [Tue, 3 Mar 2009 18:00:34 +0000 (18:00 +0000)]
[CIFS] Use posix open on file open when server supports it

Signed-off-by: Steve French <>
[10 years ago] [CIFS] reopen file via newer posix open protocol operation if available
Steve French [Mon, 23 Feb 2009 20:43:11 +0000 (20:43 +0000)]
[CIFS] reopen file via newer posix open protocol operation if available

If the network connection crashes, and we have to reopen files, preferentially
use the newer cifs posix open protocol operation if the server supports it.

Signed-off-by: Steve French <>
[10 years ago] [CIFS] improve posix semantics of file create
Steve French [Fri, 20 Feb 2009 04:32:45 +0000 (04:32 +0000)]
[CIFS] improve posix semantics of file create

Samba server added support for a new posix open/create/mkdir operation
a year or so ago, and we added support to cifs for mkdir to use it,
but had not added the corresponding code to file create.

The following patch helps improve the performance of the cifs create
path (to Samba and servers which support the cifs posix protocol
extensions).  Using Connectathon basic test1, with 2000 files, the
performance improved about 15%, and also helped reduce network traffic
(17% fewer SMBs sent over the wire) due to saving a network round trip
for the SetPathInfo on every file create.

It should also help the semantics (and probably the performance) of
write (e.g. when posix byte range locks are on the file) on file
handles opened with posix create, and adds support for a few flags
which would have to be ignored otherwise.

Signed-off-by: Steve French <>
[10 years ago] CRED: Wrap task credential accesses in the CIFS filesystem
David Howells [Thu, 13 Nov 2008 23:38:47 +0000 (10:38 +1100)]
CRED: Wrap task credential accesses in the CIFS filesystem

Wrap access to task credentials so that they can be separated more easily from
the task_struct during the introduction of COW creds.

Change most current->(|e|s|fs)[ug]id to current_(|e|s|fs)[ug]id().

Change some task->e?[ug]id to task_e?[ug]id().  In some places it makes more
sense to use RCU directly rather than a convenient wrapper; these will be
addressed by later patches.

Signed-off-by: David Howells <>
Reviewed-by: James Morris <>
Acked-by: Serge Hallyn <>
Cc: Steve French <>
Signed-off-by: James Morris <>
[10 years ago] cifs: posix fill in inode needed by posix open
Jeff Layton [Wed, 11 Feb 2009 13:08:28 +0000 (08:08 -0500)]
cifs: posix fill in inode needed by posix open

function needed to prepare for posix open

Signed-off-by: Jeff Layton <>
Signed-off-by: Steve French <>
[10 years ago] cifs: properly handle case where CIFSGetSrvInodeNumber fails
Jeff Layton [Wed, 11 Feb 2009 13:08:26 +0000 (08:08 -0500)]
cifs: properly handle case where CIFSGetSrvInodeNumber fails

...if it does then we pass a pointer to an uninitialized variable for
the inode number to cifs_new_inode. Have it pass a NULL pointer instead.

Also tweak the function prototypes to reduce the amount of casting.

Signed-off-by: Jeff Layton <>
Signed-off-by: Steve French <>
[10 years ago] cifs: refactor new_inode() calls and inode initialization
Jeff Layton [Tue, 10 Feb 2009 12:33:57 +0000 (07:33 -0500)]
cifs: refactor new_inode() calls and inode initialization

Move new inode creation into a separate routine and refactor the
callers to take advantage of it.

Signed-off-by: Jeff Layton <>
Signed-off-by: Steve French <>
[10 years ago] [CIFS] some cleanup to dir.c prior to addition of posix_open
Steve French [Mon, 19 Jan 2009 02:38:35 +0000 (02:38 +0000)]
[CIFS] some cleanup to dir.c prior to addition of posix_open

Signed-off-by: Steve French <>
[10 years ago] mmc_block: do not DMA to stack
Ben Dooks [Mon, 8 Jun 2009 22:33:57 +0000 (23:33 +0100)]
mmc_block: do not DMA to stack

In the write recovery routine, the data to get from the card
is allocated from the stack. The DMA mapping documentation says
explicitly stack memory is not mappable by any of the DMA calls.

Change to using kmalloc() to allocate the memory for the result
from the card and then free it once we've finished with the

[ Changed to GFP_KERNEL allocation - Pierre Ossman ]

Signed-off-by: Ben Dooks <>
Signed-off-by: Pierre Ossman <>
[10 years ago] mmc_block: be prepared for oversized requests
Pierre Ossman [Fri, 10 Apr 2009 15:52:57 +0000 (17:52 +0200)]
mmc_block: be prepared for oversized requests

The block layer does not support very low sector count restrictions
so we need to be prepared to handle bigger requests than we can send
directly to the controller.

Problem found by Manuel Lauss.

Signed-off-by: Pierre Ossman <>
[10 years ago] mmc_block: ensure all sectors that do not have errors are read
Adrian Hunter [Wed, 31 Dec 2008 17:21:17 +0000 (18:21 +0100)]
mmc_block: ensure all sectors that do not have errors are read

If a card encounters an ECC error while reading a sector it will
timeout.  Instead of reporting the entire I/O request as having
an error, redo the I/O one sector at a time so that all readable
sectors are provided to the upper layers.

Signed-off-by: Adrian Hunter <>
Signed-off-by: Pierre Ossman <>
[10 years ago] mmc_block: print better error messages
Adrian Hunter [Thu, 16 Oct 2008 09:55:25 +0000 (12:55 +0300)]
mmc_block: print better error messages

Add command response and card status to error

Signed-off-by: Adrian Hunter <>
Signed-off-by: Pierre Ossman <>
[10 years ago] mmc_block: hard code 512 byte block size
Pierre Ossman [Sun, 31 Aug 2008 12:10:08 +0000 (14:10 +0200)]
mmc_block: hard code 512 byte block size

We use 512 byte blocks on all cards, and newer cards support nothing
else, so hard code it and make the code less complex.

Signed-off-by: Pierre Ossman <>
[10 years ago] mmc_block: inform block layer about sector count restriction
Pierre Ossman [Sat, 16 Aug 2008 19:34:02 +0000 (21:34 +0200)]
mmc_block: inform block layer about sector count restriction

Make sure we consider the maximum block count when we tell the block
layer about the maximum sector count. That way we don't have to chop
up the request ourselves.

Signed-off-by: Pierre Ossman <>
[10 years ago] arm: hack: set correct cacheline size
Grazvydas Ignotas [Mon, 31 Jan 2011 23:47:31 +0000 (01:47 +0200)]
arm: hack: set correct cacheline size

later kernels detect this, we'll hardcode it here like this.

[10 years ago] [ARM] 5534/1: kmalloc must return a cache line aligned buffer
Martin Fuzzey [Mon, 1 Jun 2009 08:19:37 +0000 (09:19 +0100)]
[ARM] 5534/1: kmalloc must return a cache line aligned buffer

Define ARCH_KMALLOC_MINALIGN in asm/cache.h
At the request of Russell also move ARCH_SLAB_MINALIGN to this file.

Signed-off-by: Martin Fuzzey <>
Signed-off-by: Russell King <>
[10 years ago] pull in some macros for newer SGX
Grazvydas Ignotas [Sat, 22 Jan 2011 16:53:08 +0000 (18:53 +0200)]
pull in some macros for newer SGX

[10 years ago] Assume worst case hardware setting and reset it on boot
Urja Rannikko [Mon, 1 Nov 2010 22:36:01 +0000 (00:36 +0200)]
Assume worst case hardware setting and reset it on boot

This should prevent stuff like in the
"Overclocking Broke My Pandora" thread.

Signed-off-by: Urja Rannikko <>
[10 years ago] Linux v2.6.27.57
Greg Kroah-Hartman [Thu, 9 Dec 2010 21:24:40 +0000 (13:24 -0800)]

[10 years ago] econet: fix CVE-2010-3850
Phil Blundell [Wed, 24 Nov 2010 19:49:53 +0000 (11:49 -0800)]
econet: fix CVE-2010-3850

commit 16c41745c7b92a243d0874f534c1655196c64b74 upstream.

Add missing check for capable(CAP_NET_ADMIN) in SIOCSIFADDR operation.

Signed-off-by: Phil Blundell <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
[10 years ago] econet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849
Phil Blundell [Wed, 24 Nov 2010 19:49:19 +0000 (11:49 -0800)]
econet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849

commit fa0e846494792e722d817b9d3d625a4ef4896c96 upstream.

Later parts of econet_sendmsg() rely on saddr != NULL, so return early
with EINVAL if NULL was passed otherwise an oops may occur.

Signed-off-by: Phil Blundell <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
[10 years ago] x25: Prevent crashing when parsing bad X.25 facilities
Dan Rosenberg [Fri, 12 Nov 2010 20:44:42 +0000 (12:44 -0800)]
x25: Prevent crashing when parsing bad X.25 facilities

commit 5ef41308f94dcbb3b7afc56cdef1c2ba53fa5d2f upstream.

Now with improved comma support.

On parsing malformed X.25 facilities, decrementing the remaining length
may cause it to underflow.  Since the length is an unsigned integer,
this will result in the loop continuing until the kernel crashes.

This patch adds checks to ensure decrementing the remaining length does
not cause it to wrap around.

Signed-off-by: Dan Rosenberg <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
[10 years ago] V4L/DVB: ivtvfb: prevent reading uninitialized stack memory
Dan Rosenberg [Wed, 15 Sep 2010 21:44:22 +0000 (18:44 -0300)]
V4L/DVB: ivtvfb: prevent reading uninitialized stack memory

commit 405707985594169cfd0b1d97d29fcb4b4c6f2ac9 upstream.

The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16
bytes of uninitialized stack memory, because the "reserved" member of
the fb_vblank struct declared on the stack is not altered or zeroed
before being copied back to the user.  This patch takes care of it.

Signed-off-by: Dan Rosenberg <>
Signed-off-by: Andy Walls <>
Signed-off-by: Mauro Carvalho Chehab <>
Signed-off-by: Greg Kroah-Hartman <>
[10 years ago] can-bcm: fix minor heap overflow
Oliver Hartkopp [Wed, 10 Nov 2010 12:10:30 +0000 (12:10 +0000)]
can-bcm: fix minor heap overflow

commit 0597d1b99fcfc2c0eada09a698f85ed413d4ba84 upstream.

On 64-bit platforms the ASCII representation of a pointer may be up to 17
bytes long. This patch increases the length of the buffer accordingly.

Reported-by: Dan Rosenberg <>
Signed-off-by: Oliver Hartkopp <>
CC: Linus Torvalds <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
[10 years ago] memory corruption in X.25 facilities parsing
andrew hendry [Wed, 3 Nov 2010 12:54:53 +0000 (12:54 +0000)]
memory corruption in X.25 facilities parsing

commit a6331d6f9a4298173b413cf99a40cc86a9d92c37 upstream.

Signed-off-by: Andrew Hendry <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
[10 years ago] x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet.
John Hughes [Thu, 8 Apr 2010 04:29:25 +0000 (21:29 -0700)]
x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet.

commit f5eb917b861828da18dc28854308068c66d1449a upstream.

Here is a patch to stop X.25 examining fields beyond the end of the packet.

For example, when a simple CALL ACCEPTED was received:

10 10 0f

x25_parse_facilities was attempting to decode the FACILITIES field, but this
packet contains no facilities field.

Signed-off-by: John Hughes <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
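The two X.25 fixes above (the remaining-length underflow in the facilities loop, and reading a facilities field from a bare CALL ACCEPTED that has none) both come down to validating a length before it is consumed. The following is an added example, not the kernel's x25_parse_facilities(): a simplified, defensive parser for the facilities field that assumes the ITU-T X.25 facility-class encoding (top two bits of the facility code select one, two, three or a variable number of parameter octets) and operates on constructed byte strings.

```c
/* Hardened X.25 facilities-field parser (added example, not kernel code).
 * Input: the facilities length octet followed by the facilities, as carried
 * after the address block of a CALL REQUEST / CALL ACCEPTED packet. Every
 * length is validated before it is subtracted, so a malformed facility can
 * neither wrap the unsigned remaining length nor read past the buffer. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Facility class lives in the top two bits of the facility code (ITU-T X.25):
 * A = one parameter octet, B = two, C = three, D = variable (length octet). */
#define X25_FAC_CLASS_MASK 0xC0
#define X25_FAC_CLASS_A    0x00
#define X25_FAC_CLASS_B    0x40
#define X25_FAC_CLASS_C    0x80
#define X25_FAC_CLASS_D    0xC0

/* Returns the number of facilities decoded, or -1 if the field is malformed.
 * On success *consumed (if non-NULL) receives the bytes used, length octet
 * included, so the caller knows where the packet continues. */
int x25_parse_facilities_safe(const uint8_t *buf, size_t buflen, size_t *consumed)
{
    size_t len, remaining, need;
    const uint8_t *p;
    int count = 0;

    /* A packet can end right after the type octet (a bare CALL ACCEPTED),
     * in which case there is no facilities length octet to read at all. */
    if (buflen < 1)
        return -1;

    len = buf[0];
    /* The declared facilities length must fit in what the packet carries. */
    if (len > buflen - 1)
        return -1;

    p = buf + 1;
    remaining = len;

    while (remaining > 0) {
        switch (p[0] & X25_FAC_CLASS_MASK) {
        case X25_FAC_CLASS_A: need = 2; break;
        case X25_FAC_CLASS_B: need = 3; break;
        case X25_FAC_CLASS_C: need = 4; break;
        default: /* class D: code, length octet, then that many parameter octets */
            if (remaining < 2)
                return -1;
            need = 2 + (size_t)p[1];
            break;
        }
        /* Check before subtracting: an unchecked "remaining -= need" with
         * need > remaining is the unsigned wrap-around that keeps a loop
         * like this running past the end of the packet. */
        if (need > remaining)
            return -1;
        p += need;
        remaining -= need;
        count++;
    }

    if (consumed)
        *consumed = 1 + len;
    return count;
}

int main(void)
{
    /* Constructed samples: one well-formed field and two malformed cases. */
    static const uint8_t ok[]   = { 0x05, 0x42, 0x07, 0x07, 0x01, 0x01 }; /* class B + class A */
    static const uint8_t wrap[] = { 0x02, 0x42, 0x07 };                   /* class B, one octet short */
    static const uint8_t bare[] = { 0x10, 0x10, 0x0f };                   /* CALL ACCEPTED, nothing after type */
    size_t used = 0;

    printf("ok:   %d facilities, %zu bytes\n",
           x25_parse_facilities_safe(ok, sizeof ok, &used), used);
    printf("wrap: %d\n", x25_parse_facilities_safe(wrap, sizeof wrap, NULL));
    /* Nothing follows the type octet, so the facilities parser gets 0 bytes. */
    printf("bare: %d\n", x25_parse_facilities_safe(bare + 3, sizeof bare - 3, NULL));
    return 0;
}
```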
[10 years ago] ipv6: conntrack: Add member of user to nf_ct_frag6_queue structure
Shan Wei [Tue, 26 Jan 2010 02:40:38 +0000 (02:40 +0000)]
ipv6: conntrack: Add member of user to nf_ct_frag6_queue structure

commit c92b544bd5d8e7ed7d81c77bbecab6df2a95aa53 upstream.

The commit 0b5ccb2(title:ipv6: reassembly: use seperate reassembly queues for
conntrack and local delivery) has broken the saddr&&daddr member of
nf_ct_frag6_queue when creating new queue.  And then hash value
generated by nf_hashfn() was not equal with that generated by fq_find().
So, a new received fragment can't be inserted to right queue.

The patch fixes the bug with adding member of user to nf_ct_frag6_queue structure.

Signed-off-by: Shan Wei <>
Acked-by: Patrick McHardy <>
Signed-off-by: David S. Miller <>
Cc: Pascal Hambourg <>
Signed-off-by: Greg Kroah-Hartman <>
[10 years ago] net: Truncate recvfrom and sendto length to INT_MAX.
Linus Torvalds [Sat, 30 Oct 2010 23:43:10 +0000 (16:43 -0700)]
net: Truncate recvfrom and sendto length to INT_MAX.

commit 253eacc070b114c2ec1f81b067d2fed7305467b0 upstream.

Signed-off-by: Linus Torvalds <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
[10 years ago] tcp: Fix race in tcp_poll
Tom Marshall [Mon, 20 Sep 2010 22:42:05 +0000 (15:42 -0700)]
tcp: Fix race in tcp_poll

[ Upstream commit a4d258036ed9b2a1811c3670c6099203a0f284a0 ]

If a RST comes in immediately after checking sk->sk_err, tcp_poll will
return POLLIN but not POLLOUT.  Fix this by checking sk->sk_err at the end
of tcp_poll.  Additionally, ensure the correct order of operations on SMP
machines with memory barriers.

Signed-off-by: Tom Marshall <>
Signed-off-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
[10 years ago] Limit sysctl_tcp_mem and sysctl_udp_mem initializers to prevent integer overflows.
Robin Holt [Wed, 20 Oct 2010 02:03:37 +0000 (02:03 +0000)]
Limit sysctl_tcp_mem and sysctl_udp_mem initializers to prevent integer overflows.

[ Upstream fixed this in a different way as parts of the commits:
8d987e5c7510 (net: avoid limits overflow)
a9febbb4bd13 (sysctl: min/max bounds are optional)
27b3d80a7b6a (sysctl: fix min/max handling in __do_proc_doulongvec_minmax())
 -DaveM ]

On a 16TB x86_64 machine, sysctl_tcp_mem[2], sysctl_udp_mem[2], and
sysctl_sctp_mem[2] can integer overflow.  Set limit such that they are
maximized without overflowing.

Signed-off-by: Robin Holt <>
To: "David S. Miller" <>
Cc: Willy Tarreau <>
Cc: Alexey Kuznetsov <>
Cc: "Pekka Savola (ipv6)" <>
Cc: James Morris <>
Cc: Hideaki YOSHIFUJI <>
Cc: Patrick McHardy <>
Cc: Vlad Yasevich <>
Cc: Sridhar Samudrala <>
Signed-off-by: Greg Kroah-Hartman <>
[10 years ago] net: Fix the condition passed to sk_wait_event()
Nagendra Tomar [Sat, 2 Oct 2010 23:45:06 +0000 (23:45 +0000)]
net: Fix the condition passed to sk_wait_event()

[ Upstream commit 482964e56e1320cb7952faa1932d8ecf59c4bf75 ]

This patch fixes the condition (3rd arg) passed to sk_wait_event() in
sk_stream_wait_memory(). The incorrect check in sk_stream_wait_memory()
causes the following soft lockup in tcp_sendmsg() when the global tcp
memory pool has exhausted.

>>> snip <<<

localhost kernel: BUG: soft lockup - CPU#3 stuck for 11s! [sshd:6429]
localhost kernel: CPU 3:
localhost kernel: RIP: 0010:[sk_stream_wait_memory+0xcd/0x200]  [sk_stream_wait_memory+0xcd/0x200] sk_stream_wait_memory+0xcd/0x200
localhost kernel:
localhost kernel: Call Trace:
localhost kernel:  [sk_stream_wait_memory+0x1b1/0x200] sk_stream_wait_memory+0x1b1/0x200
localhost kernel:  [<ffffffff802557c0>] autoremove_wake_function+0x0/0x40
localhost kernel:  [ipv6:tcp_sendmsg+0x6e6/0xe90] tcp_sendmsg+0x6e6/0xce0
localhost kernel:  [sock_aio_write+0x126/0x140] sock_aio_write+0x126/0x140
localhost kernel:  [xfs:do_sync_write+0xf1/0x130] do_sync_write+0xf1/0x130
localhost kernel:  [<ffffffff802557c0>] autoremove_wake_function+0x0/0x40
localhost kernel:  [hrtimer_start+0xe3/0x170] hrtimer_start+0xe3/0x170
localhost kernel:  [vfs_write+0x185/0x190] vfs_write+0x185/0x190
localhost kernel:  [sys_write+0x50/0x90] sys_write+0x50/0x90
localhost kernel:  [system_call+0x7e/0x83] system_call+0x7e/0x83

>>> snip <<<

What is happening is, that the sk_wait_event() condition passed from
sk_stream_wait_memory() evaluates to true for the case of tcp global memory
exhaustion. This is because both sk_stream_memory_free() and vm_wait are true
which causes sk_wait_event() to *not* call schedule_timeout().
Hence sk_stream_wait_memory() returns immediately to the caller w/o sleeping.
This causes the caller to again try allocation, which again fails and again
calls sk_stream_wait_memory(), and so on.

[ Bug introduced by commit c1cbe4b7ad0bc4b1d98ea708a3fecb7362aa4088
  ("[NET]: Avoid atomic xchg() for non-error case") -DaveM ]

Signed-off-by: Nagendra Singh Tomar <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
[10 years ago] rose: Fix signedness issues wrt. digi count.
David S. Miller [Mon, 20 Sep 2010 22:40:35 +0000 (15:40 -0700)]
rose: Fix signedness issues wrt. digi count.

[ Upstream commit 9828e6e6e3f19efcb476c567b9999891d051f52f ]

Just use explicit casts, since we really can't change the
types of structures exported to userspace which have been
around for 15 years or so.

Reported-by: Dan Rosenberg <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
[10 years ago] net: Fix IPv6 PMTU disc. w/ asymmetric routes
Maciej Żenczykowski [Sun, 3 Oct 2010 21:49:00 +0000 (14:49 -0700)]
net: Fix IPv6 PMTU disc. w/ asymmetric routes

[ Upstream commit ae878ae280bea286ff2b1e1cb6e609dd8cb4501d ]

Signed-off-by: Maciej Żenczykowski <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
[10 years ago] xfrm4: strip ECN and IP Precedence bits in policy lookup
Ulrich Weber [Mon, 1 Nov 2010 15:23:04 +0000 (08:23 -0700)]
xfrm4: strip ECN and IP Precedence bits in policy lookup

[ Upstream commit 94e2238969e89f5112297ad2a00103089dde7e8f ]

don't compare ECN and IP Precedence bits in find_bundle
and use ECN bit stripped TOS value in xfrm_lookup

Signed-off-by: Ulrich Weber <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
[10 years ago] net: clear heap allocations for privileged ethtool actions
Kees Cook [Mon, 1 Nov 2010 15:19:00 +0000 (08:19 -0700)]
net: clear heap allocations for privileged ethtool actions

[ Upstream commit b00916b189d13a615ff05c9242201135992fcda3 ]

Several other ethtool functions leave heap uncleared (potentially) by
drivers. Some interfaces appear safe (eeprom, etc), in that the sizes
are well controlled. In some situations (e.g. unchecked error conditions),
the heap will remain unchanged in areas before copying back to userspace.
Note that these are less of an issue since these all require CAP_NET_ADMIN.

Signed-off-by: Kees Cook <>
Acked-by: Ben Hutchings <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
James Jones [Tue, 23 Nov 2010 23:21:37 +0000 (00:21 +0100)]
ARM: 6482/2: Fix find_next_zero_bit and related assembly

commit 0e91ec0c06d2cd15071a6021c94840a50e6671aa upstream.

The find_next_bit, find_first_bit, find_next_zero_bit
and find_first_zero_bit functions were not properly
clamping to the maxbit argument at the bit level. They
were instead only checking maxbit at the byte level.
To fix this, add a compare and a conditional move
instruction to the end of the common bit-within-the-
byte code used by all the functions and be sure not to
clobber the maxbit argument before it is used.

Reviewed-by: Nicolas Pitre <>
Tested-by: Stephen Warren <>
Signed-off-by: James Jones <>
Signed-off-by: Russell King <>
Signed-off-by: Greg Kroah-Hartman <>
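The clamping problem described above can be shown in portable C. The following is an added illustration, not code from the commit or from the kernel's ARM assembly: it walks the bitmap byte by byte (mirroring the structure of the assembly helpers), and the `clamp` flag selects whether the final bit-level bound against `maxbit` is applied. The bitmaps `sample_short_map` and `sample_two_bytes` are constructed for the example.

```c
#include <stdio.h>

#define BITS_PER_BYTE 8

/* Constructed sample bitmaps (not from the page). Bit i of byte b is bit
 * (b * 8 + i) of the map, least-significant bit first. */
const unsigned char sample_short_map[] = { 0x1F };        /* bits 0..4 set, 5..7 clear */
const unsigned char sample_two_bytes[] = { 0xFF, 0xFE };  /* only bit 8 is clear */

/* Shared search loop. The byte-level bound (nbytes) is what the pre-fix
 * assembly checked; the bit-level bound against maxbit is the fix.
 * "Not found" is reported as maxbit, as the kernel helpers do. */
static unsigned long next_zero_bit(const unsigned char *addr, unsigned long maxbit,
                                   unsigned long offset, int clamp)
{
    unsigned long nbytes = (maxbit + BITS_PER_BYTE - 1) / BITS_PER_BYTE;
    unsigned long bit = offset;

    if (offset >= maxbit)
        return maxbit;            /* nothing left to search */

    while (bit / BITS_PER_BYTE < nbytes) {
        unsigned char byte = addr[bit / BITS_PER_BYTE];
        unsigned long i;

        for (i = bit % BITS_PER_BYTE; i < BITS_PER_BYTE; i++) {
            if (!(byte & (1u << i))) {
                unsigned long found = (bit / BITS_PER_BYTE) * BITS_PER_BYTE + i;
                /* The byte passed the coarse check, but the zero bit may sit
                 * past maxbit inside this last byte. Clamp it here. */
                if (clamp && found > maxbit)
                    return maxbit;
                return found;
            }
        }
        bit = (bit / BITS_PER_BYTE + 1) * BITS_PER_BYTE;  /* next byte, bit 0 */
    }
    return maxbit;
}

/* Pre-fix behaviour: the result can exceed maxbit. */
unsigned long find_next_zero_bit_unclamped(const unsigned char *addr,
                                           unsigned long maxbit, unsigned long offset)
{
    return next_zero_bit(addr, maxbit, offset, 0);
}

/* Fixed behaviour: the result is always <= maxbit. */
unsigned long find_next_zero_bit_fixed(const unsigned char *addr,
                                       unsigned long maxbit, unsigned long offset)
{
    return next_zero_bit(addr, maxbit, offset, 1);
}

int main(void)
{
    /* With maxbit = 3 the caller owns bits 0..2 only; the first clear bit
     * is bit 5, which lies outside the caller's range. */
    printf("unclamped: %lu  fixed: %lu\n",
           find_next_zero_bit_unclamped(sample_short_map, 3, 0),
           find_next_zero_bit_fixed(sample_short_map, 3, 0));
    return 0;
}
```

A caller that uses the unclamped result as an index into a 3-bit resource table would index past its end, which is why the fix matters even though the search itself never reads beyond the last byte.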
Dan Rosenberg [Tue, 23 Nov 2010 11:02:13 +0000 (11:02 +0000)]
DECnet: don't leak uninitialized stack byte

commit 3c6f27bf33052ea6ba9d82369fb460726fb779c0 upstream.

A single uninitialized padding byte is leaked to userspace.

Signed-off-by: Dan Rosenberg <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
Nelson Elhage [Thu, 2 Dec 2010 22:31:21 +0000 (14:31 -0800)]
do_exit(): make sure that we run with get_fs() == USER_DS

commit 33dd94ae1ccbfb7bf0fb6c692bc3d1c4269e6177 upstream.

If a user manages to trigger an oops with fs set to KERNEL_DS, fs is not
otherwise reset before do_exit().  do_exit may later (via mm_release in
fork.c) do a put_user to a user-controlled address, potentially allowing
a user to leverage an oops into a controlled write into kernel memory.

This is only triggerable in the presence of another bug, but this
potentially turns a lot of DoS bugs into privilege escalations, so it's
worth fixing.  I have proof-of-concept code which uses this bug along
with CVE-2010-3849 to write a zero to an arbitrary kernel address, so
I've tested that this is not theoretical.

A more logical place to put this fix might be when we know an oops has
occurred, before we call do_exit(), but that would involve changing
every architecture, in multiple places.

Let's just stick it in do_exit instead.

[ update code comment]
Signed-off-by: Nelson Elhage <>
Cc: KOSAKI Motohiro <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
Zhang Rui [Tue, 12 Oct 2010 01:09:37 +0000 (09:09 +0800)]
acpi-cpufreq: fix a memleak when unloading driver

commit dab5fff14df2cd16eb1ad4c02e83915e1063fece upstream.

We didn't free per_cpu(acfreq_data, cpu)->freq_table
when acpi_freq driver is unloaded.

Resulting in the following messages in /sys/kernel/debug/kmemleak:

unreferenced object 0xf6450e80 (size 64):
  comm "modprobe", pid 1066, jiffies 4294677317 (age 19290.453s)
  hex dump (first 32 bytes):
    00 00 00 00 e8 a2 24 00 01 00 00 00 00 9f 24 00  ......$.......$.
    02 00 00 00 00 6a 18 00 03 00 00 00 00 35 0c 00  .....j.......5..
    [<c123ba97>] kmemleak_alloc+0x27/0x50
    [<c109f96f>] __kmalloc+0xcf/0x110
    [<f9da97ee>] acpi_cpufreq_cpu_init+0x1ee/0x4e4 [acpi_cpufreq]
    [<c11cd8d2>] cpufreq_add_dev+0x142/0x3a0
    [<c11920b7>] sysdev_driver_register+0x97/0x110
    [<c11cce56>] cpufreq_register_driver+0x86/0x140
    [<f9dad080>] 0xf9dad080
    [<c1001130>] do_one_initcall+0x30/0x160
    [<c10626e9>] sys_init_module+0x99/0x1e0
    [<c1002d97>] sysenter_do_call+0x12/0x26
    [<ffffffff>] 0xffffffff

Tested-by: Toralf Forster <>
Signed-off-by: Zhang Rui <>
Signed-off-by: Len Brown <>
Signed-off-by: Greg Kroah-Hartman <>
Greg Kroah-Hartman [Mon, 15 Nov 2010 19:34:26 +0000 (11:34 -0800)]
USB: misc: trancevibrator: fix up a sysfs attribute permission

commit d489a4b3926bad571d404ca6508f6744b9602776 upstream.

It should not be writable by any user.

Reported-by: Linus Torvalds <>
Cc: Sam Hocevar <>
Signed-off-by: Greg Kroah-Hartman <>
Greg Kroah-Hartman [Mon, 15 Nov 2010 19:35:49 +0000 (11:35 -0800)]
USB: misc: usbled: fix up some sysfs attribute permissions

commit 48f115470e68d443436b76b22dad63ffbffd6b97 upstream.

They should not be writable by any user.

Reported-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
Greg Kroah-Hartman [Mon, 15 Nov 2010 19:32:38 +0000 (11:32 -0800)]
USB: misc: cypress_cy7c63: fix up some sysfs attribute permissions

commit c990600d340641150f7270470a64bd99a5c0b225 upstream.

They should not be writable by any user.

Reported-by: Linus Torvalds <>
Cc: Oliver Bock <>
Signed-off-by: Greg Kroah-Hartman <>
Greg Kroah-Hartman [Mon, 15 Nov 2010 19:11:45 +0000 (11:11 -0800)]
USB: atm: ueagle-atm: fix up some permissions on the sysfs files

commit e502ac5e1eca99d7dc3f12b2a6780ccbca674858 upstream.

Some of the sysfs files had the incorrect permissions.  Some didn't make
sense at all (writable for a file that you could not write to?)

Reported-by: Linus Torvalds <>
Cc: Matthieu Castet <>
Cc: Stanislaw Gruszka <>
Cc: Damien Bergamini <>
Signed-off-by: Greg Kroah-Hartman <>
Greg Kroah-Hartman [Mon, 15 Nov 2010 19:17:52 +0000 (11:17 -0800)]
USB: storage: sierra_ms: fix sysfs file attribute

commit d9624e75f6ad94d8a0718c1fafa89186d271a78c upstream.

A non-writable sysfs file shouldn't have writable attributes.

Reported-by: Linus Torvalds <>
Cc: Kevin Lloyd <>
Cc: Matthew Dharm <>
Signed-off-by: Greg Kroah-Hartman <>
Alan Stern [Tue, 16 Nov 2010 15:57:37 +0000 (10:57 -0500)]
USB: EHCI: fix obscure race in ehci_endpoint_disable

commit 02e2c51ba3e80acde600721ea784c3ef84da5ea1 upstream.

This patch (as1435) fixes an obscure and unlikely race in ehci-hcd.
When an async URB is unlinked, the corresponding QH is removed from
the async list.  If the QH's endpoint is then disabled while the URB
is being given back, ehci_endpoint_disable() won't find the QH on the
async list, causing it to believe that the QH has been lost.  This
will lead to a memory leak at best and quite possibly to an oops.

The solution is to trust usbcore not to lose track of endpoints.  If
the QH isn't on the async list then it doesn't need to be taken off
the list, but the driver should still wait for the QH to become IDLE
before disabling it.

In theory this fixes Bugzilla #20182.  In fact the race is so rare
that it's not possible to tell whether the bug is still present.
However, adding delays and making other changes to force the race
seems to show that the patch works.

Signed-off-by: Alan Stern <>
Reported-by: Stefan Richter <>
CC: David Brownell <>
Signed-off-by: Greg Kroah-Hartman <>
Vasiliy Kulikov [Sat, 6 Nov 2010 14:41:28 +0000 (17:41 +0300)]
usb: core: fix information leak to userland

commit 886ccd4520064408ce5876cfe00554ce52ecf4a7 upstream.

Structure usbdevfs_connectinfo is copied to userland with padding bytes
after "slow" field uninitialized.  It leads to leaking of contents of
kernel stack memory.

Signed-off-by: Vasiliy Kulikov <>
Signed-off-by: Greg Kroah-Hartman <>
Vasiliy Kulikov [Sat, 6 Nov 2010 14:41:31 +0000 (17:41 +0300)]
usb: misc: iowarrior: fix information leak to userland

commit eca67aaeebd6e5d22b0d991af1dd0424dc703bfb upstream.

Structure iowarrior_info is copied to userland with padding bytes
between "serial" and "revision" fields uninitialized.  It leads to
leaking of contents of kernel stack memory.

Signed-off-by: Vasiliy Kulikov <>
Acked-by: Kees Cook <>
Signed-off-by: Greg Kroah-Hartman <>
Vasiliy Kulikov [Sat, 6 Nov 2010 14:41:35 +0000 (17:41 +0300)]
usb: misc: sisusbvga: fix information leak to userland

commit 5dc92cf1d0b4b0debbd2e333b83f9746c103533d upstream.

Structure sisusb_info is copied to userland with "sisusb_reserved" field
uninitialized.  It leads to leaking of contents of kernel stack memory.

Signed-off-by: Vasiliy Kulikov <>
Signed-off-by: Greg Kroah-Hartman <>
Tejun Heo [Mon, 1 Nov 2010 10:39:19 +0000 (11:39 +0100)]
libata: fix NULL sdev dereference race in atapi_qc_complete()

commit 2a5f07b5ec098edc69e05fdd2f35d3fbb1235723 upstream.

SCSI commands may be issued between __scsi_add_device() and dev->sdev
assignment, so it's unsafe for ata_qc_complete() to dereference
dev->sdev->locked without checking whether it's NULL or not.  Fix it.

Signed-off-by: Tejun Heo <>
Signed-off-by: Jeff Garzik <>
Signed-off-by: Greg Kroah-Hartman <>
Jens Axboe [Wed, 10 Nov 2010 13:36:25 +0000 (14:36 +0100)]
bio: take care not overflow page count when mapping/copying user data

commit cb4644cac4a2797afc847e6c92736664d4b0ea34 upstream.

If the iovec is being set up in a way that causes uaddr + PAGE_SIZE
to overflow, we could end up attempting to map a huge number of
pages. Check for this invalid input type.

Reported-by: Dan Rosenberg <>
Signed-off-by: Jens Axboe <>
Signed-off-by: Greg Kroah-Hartman <>
Tyler Hicks [Thu, 23 Sep 2010 07:35:04 +0000 (02:35 -0500)]
eCryptfs: Clear LOOKUP_OPEN flag when creating lower file

commit 2e21b3f124eceb6ab5a07c8a061adce14ac94e14 upstream.

eCryptfs was passing the LOOKUP_OPEN flag through to the lower file
system, even though ecryptfs_create() doesn't support the flag. A valid
filp for the lower filesystem could be returned in the nameidata if the
lower file system's create() function supported LOOKUP_OPEN, possibly
resulting in unencrypted writes to the lower file.

However, this is only a potential problem in filesystems (FUSE, NFS,
CIFS, CEPH, 9p) that eCryptfs isn't known to support today.

Reported-by: Kevin Buhr
Signed-off-by: Tyler Hicks <>
Signed-off-by: Greg Kroah-Hartman <>
Graham Gower [Wed, 27 Oct 2010 22:33:00 +0000 (15:33 -0700)]
drivers/char/vt_ioctl.c: fix VT_OPENQRY error value

commit 1e0ad2881d50becaeea70ec696a80afeadf944d2 upstream.

When all VT's are in use, VT_OPENQRY casts -1 to unsigned char before
returning it to userspace as an int.  VT255 is not the next available

Signed-off-by: Graham Gower <>
Cc: Greg KH <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
Dan Rosenberg [Thu, 30 Sep 2010 22:15:31 +0000 (15:15 -0700)]
sys_semctl: fix kernel stack leakage

commit 982f7c2b2e6a28f8f266e075d92e19c0dd4c6e56 upstream.

The semctl syscall has several code paths that lead to the leakage of
uninitialized kernel stack memory (namely the IPC_INFO, SEM_INFO,
IPC_STAT, and SEM_STAT commands) during the use of the older, obsolete
version of the semid_ds struct.

The copy_semid_to_user() function declares a semid_ds struct on the stack
and copies it back to the user without initializing or zeroing the
"sem_base", "sem_pending", "sem_pending_last", and "undo" pointers,
allowing the leakage of 16 bytes of kernel stack memory.

The code is still reachable on 32-bit systems - when calling semctl()
newer glibc's automatically OR the IPC command with the IPC_64 flag, but
invoking the syscall directly allows users to use the older versions of
the struct.

Signed-off-by: Dan Rosenberg <>
Cc: Manfred Spraul <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
Vasiliy Kulikov [Sat, 30 Oct 2010 14:22:49 +0000 (18:22 +0400)]
ipc: shm: fix information leak to userland

commit 3af54c9bd9e6f14f896aac1bb0e8405ae0bc7a44 upstream.

The shmid_ds structure is copied to userland with shm_unused{,2,3}
fields uninitialized.  It leads to leaking of contents of kernel stack

Signed-off-by: Vasiliy Kulikov <>
Acked-by: Al Viro <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
Dan Rosenberg [Wed, 27 Oct 2010 22:34:17 +0000 (15:34 -0700)]
ipc: initialize structure memory to zero for compat functions

commit 03145beb455cf5c20a761e8451e30b8a74ba58d9 upstream.

This takes care of leaking uninitialized kernel stack memory to
userspace from non-zeroed fields in structs in compat ipc functions.

Signed-off-by: Dan Rosenberg <>
Cc: Manfred Spraul <>
Cc: Arnd Bergmann <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
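The same defect pattern recurs in the usb core, iowarrior, sisusbvga, DECnet, sys_semctl, ipc shm and compat ipc fixes above: a structure is filled field by field and then copied to user space, so alignment padding (or fields nobody assigned) carries whatever the kernel stack held before. The following user-space C illustration is added here and is not code from any of these commits; `struct conn_info`, its field names and the `STALE` sentinel are constructed for the example and do not reproduce the real kernel struct layouts. The sentinel stands in for stale stack contents so the leak is deterministic and countable.

```c
#include <stdio.h>
#include <string.h>

/* Constructed reply structure (not a real kernel layout): a 1-byte field
 * followed by a 4-byte field forces the ABI to insert padding between them. */
struct conn_info {
    unsigned char slow;
    unsigned int devnum;
};

#define STALE 0xAA  /* sentinel standing in for whatever was on the stack */

/* Fill the reply the way the buggy drivers did: only the named fields are
 * assigned, so the padding keeps whatever the memory held before. */
static void fill_unsafe(struct conn_info *info, unsigned int devnum)
{
    info->slow = 1;
    info->devnum = devnum;
}

/* Hardened version: clear the whole object, padding included, before
 * setting fields. memset() is what guarantees the padding is zeroed;
 * a "= {0}" initializer is not required by the C standard to do so. */
static void fill_safe(struct conn_info *info, unsigned int devnum)
{
    memset(info, 0, sizeof(*info));
    info->slow = 1;
    info->devnum = devnum;
}

/* Simulate the stack: pre-fill the object's bytes with STALE, run the
 * filler, copy the object out as a driver would with copy_to_user(), and
 * count how many STALE bytes reached the "user" buffer. */
static size_t count_stale(void (*fill)(struct conn_info *, unsigned int))
{
    union {
        struct conn_info info;
        unsigned char raw[sizeof(struct conn_info)];
    } u;
    /* volatile pointer: keep the optimizer from seeing through the call,
     * just as it cannot see across the real kernel/user copy boundary. */
    void (* volatile fill_fn)(struct conn_info *, unsigned int) = fill;
    unsigned char user_buf[sizeof(struct conn_info)];
    size_t i, stale = 0;

    memset(u.raw, STALE, sizeof(u.raw));
    fill_fn(&u.info, 7);
    memcpy(user_buf, u.raw, sizeof(user_buf));   /* stands in for copy_to_user() */
    for (i = 0; i < sizeof(user_buf); i++)
        if (user_buf[i] == STALE)
            stale++;
    return stale;
}

size_t leaked_bytes_unsafe(void) { return count_stale(fill_unsafe); }
size_t leaked_bytes_safe(void)   { return count_stale(fill_safe); }

/* Number of padding bytes the ABI inserts into struct conn_info. */
size_t padding_bytes(void)
{
    return sizeof(struct conn_info) - sizeof(unsigned char) - sizeof(unsigned int);
}

int main(void)
{
    printf("sizeof=%zu padding=%zu leaked(unsafe)=%zu leaked(safe)=%zu\n",
           sizeof(struct conn_info), padding_bytes(),
           leaked_bytes_unsafe(), leaked_bytes_safe());
    return 0;
}
```

Every STALE byte counted by `leaked_bytes_unsafe()` is a byte of the previous stack frame that would have been disclosed; the hardened filler reports zero. Reviewing a copy-to-user site therefore means checking not just that every field is assigned but that the object was cleared as a whole before the copy.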
KAMEZAWA Hiroyuki [Tue, 26 Oct 2010 21:22:08 +0000 (14:22 -0700)]
mm: fix is_mem_section_removable() page_order BUG_ON check

commit 572438f9b52236bd8938b1647cc15e027d27ef55 upstream.

page_order() is called by memory hotplug's user interface to check the
section is removable or not.  (is_mem_section_removable())

It calls page_order() without holding zone->lock.
So, even if the caller does

if (PageBuddy(page))
        ret = page_order(page) ...
The caller may hit BUG_ON().

For fixing this, there are 2 choices.
  1. add zone->lock.
  2. remove BUG_ON().

is_mem_section_removable() is used for some "advice" and doesn't need to
be 100% accurate.  This is_removable() can be called via user program.
We don't want to take this important lock for long by user's request.  So,
this patch removes BUG_ON().

Signed-off-by: KAMEZAWA Hiroyuki <>
Acked-by: Wu Fengguang <>
Acked-by: Michal Hocko <>
Acked-by: Mel Gorman <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>