GitHub/LineageOS/android_kernel_samsung_universal7580.git
13 years agoflex_array: allow 0 length elements
Eric Paris [Thu, 28 Apr 2011 19:55:52 +0000 (15:55 -0400)]
flex_array: allow 0 length elements

flex_arrays are supposed to be a replacement for:
kmalloc(num_elements * sizeof(element))

If kmalloc is given 0 num_elements or a 0 size element it will happily return
ZERO_SIZE_PTR.  Which looks like a valid allocation, but which will explode if
something actually try to use it.  The current flex_array code will return an
equivalent result if num_elements is 0, but will fail to work if
sizeof(element) is 0.  This patch allows allocation to work even for 0 size
elements.  It will cause flex_arrays to explode though if they are used.
Imitating the kmalloc behavior.

Based-on-patch-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dave Hansen <dave@linux.vnet.ibm.com>
13 years agoflex_arrays: allow zero length flex arrays
Eric Paris [Thu, 28 Apr 2011 19:55:52 +0000 (15:55 -0400)]
flex_arrays: allow zero length flex arrays

Just like kmalloc will allow one to allocate a 0 length segment of memory
flex arrays should do the same thing.  It should bomb if you try to use
something, but it should at least allow the allocation.

This is needed because when SELinux switched to using flex_arrays in 2.6.38
the inability to allocate a 0 length array resulted in SELinux policy load
returning -ENOSPC when previously it worked.

Based-on-patch-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Tested-by: Chris Richards <gizmo@giz-works.com>
Cc: stable@kernel.org [2.6.38+]
13 years agoflex_array: flex_array_prealloc takes a number of elements, not an end
Eric Paris [Thu, 28 Apr 2011 19:55:52 +0000 (15:55 -0400)]
flex_array: flex_array_prealloc takes a number of elements, not an end

Change flex_array_prealloc to take the number of elements for which space
should be allocated instead of the last (inclusive) element. Users
and documentation are updated accordingly.  flex_arrays got introduced before
they had users.  When folks started using it, they ended up needing a
different API than was coded up originally.  This swaps over to the API that
folks apparently need.

Based-on-patch-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Tested-by: Chris Richards <gizmo@giz-works.com>
Acked-by: Dave Hansen <dave@linux.vnet.ibm.com>
Cc: stable@kernel.org [2.6.38+]
13 years agoSELinux: pass last path component in may_create
Eric Paris [Thu, 28 Apr 2011 19:11:21 +0000 (15:11 -0400)]
SELinux: pass last path component in may_create

New inodes are created in a two stage process.  We first will compute the
label on a new inode in security_inode_create() and check if the
operation is allowed.  We will then actually re-compute that same label and
apply it in security_inode_init_security().  The change to do new label
calculations based in part on the last component of the path name only
passed the path component information all the way down the
security_inode_init_security hook.  Down the security_inode_create hook the
path information did not make it past may_create.  Thus the two calculations
came up differently and the permissions check might not actually be against
the label that is created.  Pass and use the same information in both places
to harmonize the calculations and checks.

Reported-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
13 years agoSELinux: put name based create rules in a hashtable
Eric Paris [Thu, 28 Apr 2011 19:11:21 +0000 (15:11 -0400)]
SELinux: put name based create rules in a hashtable

To shorten the list we need to run if filename trans rules exist for the type
of the given parent directory I put them in a hashtable.  Given the policy we
are expecting to use in Fedora this takes the worst case list run from about
5,000 entries to 17.

Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed-by: James Morris <jmorris@namei.org>
13 years agoSELinux: generic hashtab entry counter
Eric Paris [Thu, 28 Apr 2011 19:11:21 +0000 (15:11 -0400)]
SELinux: generic hashtab entry counter

Instead of a hashtab entry counter function only useful for range
transition rules make a function generic for any hashtable to use.

Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed-by: James Morris <jmorris@namei.org>
13 years agoSELinux: calculate and print hashtab stats with a generic function
Eric Paris [Thu, 28 Apr 2011 19:11:21 +0000 (15:11 -0400)]
SELinux: calculate and print hashtab stats with a generic function

We have custom debug functions like rangetr_hash_eval and symtab_hash_eval
which do the same thing.  Just create a generic function that takes the name
of the hash table as an argument instead of having custom functions.

Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed-by: James Morris <jmorris@namei.org>
13 years agoSELinux: skip filename trans rules if ttype does not match parent dir
Eric Paris [Thu, 28 Apr 2011 19:11:21 +0000 (15:11 -0400)]
SELinux: skip filename trans rules if ttype does not match parent dir

Right now we walk to filename trans rule list for every inode that is
created.  First passes at policy using this facility creates around 5000
filename trans rules.  Running a list of 5000 entries every time is a bad
idea.  This patch adds a new ebitmap to policy which has a bit set for each
ttype that has at least 1 filename trans rule.  Thus when an inode is
created we can quickly determine if any rules exist for this parent
directory type and can skip the list if we know there is definitely no
relevant entry.

Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed-by: James Morris <jmorris@namei.org>
13 years agoSELinux: rename filename_compute_type argument to *type instead of *con
Eric Paris [Thu, 28 Apr 2011 19:11:20 +0000 (15:11 -0400)]
SELinux: rename filename_compute_type argument to *type instead of *con

filename_compute_type() takes as arguments the numeric value of the type of
the subject and target.  It does not take a context.  Thus the names are
misleading.  Fix the argument names.

Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed-by: James Morris <jmorris@namei.org>
13 years agoSELinux: fix comment to state filename_compute_type takes an objname not a qstr
Eric Paris [Thu, 28 Apr 2011 19:11:20 +0000 (15:11 -0400)]
SELinux: fix comment to state filename_compute_type takes an objname not a qstr

filename_compute_type used to take a qstr, but it now takes just a name.
Fix the comments to indicate it is an objname, not a qstr.

Signed-off-by: Eric Paris <eparis@redhat.com>
13 years agoSMACK: smack_file_lock can use the struct path
Eric Paris [Mon, 25 Apr 2011 17:15:55 +0000 (13:15 -0400)]
SMACK: smack_file_lock can use the struct path

smack_file_lock has a struct path, so use that instead of only the
dentry.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
13 years agoLSM: separate LSM_AUDIT_DATA_DENTRY from LSM_AUDIT_DATA_PATH
Eric Paris [Mon, 25 Apr 2011 17:10:27 +0000 (13:10 -0400)]
LSM: separate LSM_AUDIT_DATA_DENTRY from LSM_AUDIT_DATA_PATH

This patch separates and audit message that only contains a dentry from
one that contains a full path.  This allows us to make it harder to
misuse the interfaces or for the interfaces to be implemented wrong.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
13 years agoLSM: split LSM_AUDIT_DATA_FS into _PATH and _INODE
Eric Paris [Mon, 25 Apr 2011 16:54:27 +0000 (12:54 -0400)]
LSM: split LSM_AUDIT_DATA_FS into _PATH and _INODE

The lsm common audit code has wacky contortions making sure which pieces
of information are set based on if it was given a path, dentry, or
inode.  Split this into path and inode to get rid of some of the code
complexity.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
13 years agoSELINUX: Make selinux cache VFS RCU walks safe
Eric Paris [Fri, 22 Apr 2011 00:23:20 +0000 (17:23 -0700)]
SELINUX: Make selinux cache VFS RCU walks safe

Now that the security modules can decide whether they support the
dcache RCU walk or not it's possible to make selinux a bit more
RCU friendly.  The SELinux AVC and security server access decision
code is RCU safe.  A specific piece of the LSM audit code may not
be RCU safe.

This patch makes the VFS RCU walk retry if it would hit the non RCU
safe chunk of code.  It will normally just work under RCU.  This is
done simply by passing the VFS RCU state as a flag down into the
avc_audit() code and returning ECHILD there if it would have an issue.

Based-on-patch-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
13 years agoSECURITY: Move exec_permission RCU checks into security modules
Andi Kleen [Fri, 22 Apr 2011 00:23:19 +0000 (17:23 -0700)]
SECURITY: Move exec_permission RCU checks into security modules

Right now all RCU walks fall back to reference walk when CONFIG_SECURITY
is enabled, even though just the standard capability module is active.
This is because security_inode_exec_permission unconditionally fails
RCU walks.

Move this decision to the low level security module. This requires
passing the RCU flags down the security hook. This way at least
the capability module and a few easy cases in selinux/smack work
with RCU walks with CONFIG_SECURITY=y

Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
13 years agoSELinux: security_read_policy should take a size_t not ssize_t
Eric Paris [Wed, 20 Apr 2011 14:21:28 +0000 (10:21 -0400)]
SELinux: security_read_policy should take a size_t not ssize_t

The len should be an size_t but is a ssize_t.  Easy enough fix to silence
build warnings.  We have no need for signed-ness.

Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed-by: James Morris <jmorris@namei.org>
13 years agoSELinux: silence build warning when !CONFIG_BUG
Eric Paris [Wed, 20 Apr 2011 14:21:28 +0000 (10:21 -0400)]
SELinux: silence build warning when !CONFIG_BUG

If one builds a kernel without CONFIG_BUG there are a number of 'may be
used uninitialized' warnings.  Silence these by returning after the BUG().

Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed-by: James Morris <jmorris@namei.org>
13 years agoSELinux: delete debugging printks from filename_trans rule processing
Eric Paris [Thu, 7 Apr 2011 18:46:59 +0000 (14:46 -0400)]
SELinux: delete debugging printks from filename_trans rule processing

The filename_trans rule processing has some printk(KERN_ERR ) messages
which were intended as debug aids in creating the code but weren't removed
before it was submitted.  Remove them.

Signed-off-by: Eric Paris <eparis@redhat.com>
13 years agoInitialize policydb.process_class eariler.
Harry Ciao [Thu, 7 Apr 2011 06:12:57 +0000 (14:12 +0800)]
Initialize policydb.process_class eariler.

Initialize policydb.process_class once all symtabs read from policy image,
so that it could be used to setup the role_trans.tclass field when a lower
version policy.X is loaded.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
13 years agoselinux: Fix regression for Xorg
Stephen Smalley [Fri, 25 Mar 2011 14:13:43 +0000 (10:13 -0400)]
selinux: Fix regression for Xorg

Commit 6f5317e730505d5cbc851c435a2dfe3d5a21d343 introduced a bug in the
handling of userspace object classes that is causing breakage for Xorg
when XSELinux is enabled.  Fix the bug by changing map_class() to return
SECCLASS_NULL when the class cannot be mapped to a kernel object class.

Reported-by: "Justin P. Mattock" <justinmattock@gmail.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoselinux: add type_transition with name extension support for selinuxfs
Kohei Kaigai [Fri, 1 Apr 2011 14:39:26 +0000 (15:39 +0100)]
selinux: add type_transition with name extension support for selinuxfs

The attached patch allows /selinux/create takes optional 4th argument
to support TYPE_TRANSITION with name extension for userspace object
managers.
If 4th argument is not supplied, it shall perform as existing kernel.
In fact, the regression test of SE-PostgreSQL works well on the patched
kernel.

Thanks,

Signed-off-by: KaiGai Kohei <kohei.kaigai@eu.nec.com>
[manually verify fuzz was not an issue, and it wasn't: eparis]
Signed-off-by: Eric Paris <eparis@redhat.com>
13 years agoSELinux: update git tree in MAINTAINERS
Eric Paris [Fri, 1 Apr 2011 21:09:41 +0000 (17:09 -0400)]
SELinux: update git tree in MAINTAINERS

update the git tree in MAINTAINERS

Signed-off-by: Eric Paris <eparis@redhat.com>
13 years agoSELinux: Write class field in role_trans_write.
Harry Ciao [Fri, 25 Mar 2011 05:52:00 +0000 (13:52 +0800)]
SELinux: Write class field in role_trans_write.

If kernel policy version is >= 26, then write the class field of the
role_trans structure into the binary reprensentation.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Eric Paris <eparis@redhat.com>
13 years agoSELinux: Compute role in newcontext for all classes
Harry Ciao [Fri, 25 Mar 2011 05:51:58 +0000 (13:51 +0800)]
SELinux: Compute role in newcontext for all classes

Apply role_transition rules for all kinds of classes.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Eric Paris <eparis@redhat.com>
13 years agoSELinux: Add class support to the role_trans structure
Harry Ciao [Fri, 25 Mar 2011 05:51:56 +0000 (13:51 +0800)]
SELinux: Add class support to the role_trans structure

If kernel policy version is >= 26, then the binary representation of
the role_trans structure supports specifying the class for the current
subject or the newly created object.

If kernel policy version is < 26, then the class field would be default
to the process class.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Eric Paris <eparis@redhat.com>
13 years agoMerge branch 'master' of git://git.infradead.org/users/eparis/selinux into next
James Morris [Tue, 8 Mar 2011 00:38:10 +0000 (11:38 +1100)]
Merge branch 'master' of git://git.infradead.org/users/eparis/selinux into next

13 years agoKEYS: Add an iovec version of KEYCTL_INSTANTIATE
David Howells [Mon, 7 Mar 2011 15:06:20 +0000 (15:06 +0000)]
KEYS: Add an iovec version of KEYCTL_INSTANTIATE

Add a keyctl op (KEYCTL_INSTANTIATE_IOV) that is like KEYCTL_INSTANTIATE, but
takes an iovec array and concatenates the data in-kernel into one buffer.
Since the KEYCTL_INSTANTIATE copies the data anyway, this isn't too much of a
problem.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoKEYS: Add a new keyctl op to reject a key with a specified error code
David Howells [Mon, 7 Mar 2011 15:06:09 +0000 (15:06 +0000)]
KEYS: Add a new keyctl op to reject a key with a specified error code

Add a new keyctl op to reject a key with a specified error code.  This works
much the same as negating a key, and so keyctl_negate_key() is made a special
case of keyctl_reject_key().  The difference is that keyctl_negate_key()
selects ENOKEY as the error to be reported.

Typically the key would be rejected with EKEYEXPIRED, EKEYREVOKED or
EKEYREJECTED, but this is not mandatory.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoKEYS: Add a key type op to permit the key description to be vetted
David Howells [Mon, 7 Mar 2011 15:05:59 +0000 (15:05 +0000)]
KEYS: Add a key type op to permit the key description to be vetted

Add a key type operation to permit the key type to vet the description of a new
key that key_alloc() is about to allocate.  The operation may reject the
description if it wishes with an error of its choosing.  If it does this, the
key will not be allocated.

Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoKEYS: Add an RCU payload dereference macro
David Howells [Mon, 7 Mar 2011 15:05:51 +0000 (15:05 +0000)]
KEYS: Add an RCU payload dereference macro

Add an RCU payload dereference macro as this seems to be a common piece of code
amongst key types that use RCU referenced payloads.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoMerge branch 'master'; commit 'v2.6.38-rc7' into next
James Morris [Mon, 7 Mar 2011 23:55:06 +0000 (10:55 +1100)]
Merge branch 'master'; commit 'v2.6.38-rc7' into next

13 years agoMerge branch 'omap-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Mon, 7 Mar 2011 21:15:02 +0000 (13:15 -0800)]
Merge branch 'omap-fixes-for-linus' of git://git./linux/kernel/git/tmlind/linux-omap-2.6

* 'omap-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap-2.6:
  omap: mailbox: resolve hang issue
  OMAP2+: PM: SmartReflex: fix memory leaks in Smartreflex driver
  arm: mach-omap2: smartreflex: fix another memory leak

13 years agoMerge branch 'for-linus' of git://git390.marist.edu/pub/scm/linux-2.6
Linus Torvalds [Mon, 7 Mar 2011 21:14:19 +0000 (13:14 -0800)]
Merge branch 'for-linus' of git://git390.marist.edu/linux-2.6

* 'for-linus' of git://git390.marist.edu/pub/scm/linux-2.6:
  [S390] tape: deadlock on system work queue
  [S390] keyboard: integer underflow bug
  [S390] xpram: remove __initdata attribute from module parameters

13 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6
Linus Torvalds [Sun, 6 Mar 2011 18:44:49 +0000 (10:44 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/tiwai/sound-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6:
  ALSA: hda - Don't set to D3 in Cirrus errata init verbs
  ALSA: hda - add new Fermi 5xx codec IDs to snd-hda
  ASoC: WM8994: Ensure late enable events are processed for the ADCs
  ASoC: WM8994: Don't disable the AIF[1|2]CLK_ENA unconditionaly
  ASoC: Fix WM9081 platform data initialisation
  ALSA: hda - Fix unable to record issue on ASUS N82JV
  ALSA: HDA: Realtek: Fixup jack detection to input subsystem

13 years agovirtio: console: Don't access vqs if device was unplugged
Amit Shah [Fri, 4 Mar 2011 03:34:33 +0000 (14:04 +1030)]
virtio: console: Don't access vqs if device was unplugged

If a virtio-console device gets unplugged while a port is open, a
subsequent close() call on the port accesses vqs to free up buffers.
This can lead to a crash.

The buffers are already freed up as a result of the call to
unplug_ports() from virtcons_remove().  The fix is to simply not access
vq information if port->portdev is NULL.

Reported-by: juzhang <juzhang@redhat.com>
CC: stable@kernel.org
Signed-off-by: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agoMerge branch 'fix/asoc' into for-linus
Takashi Iwai [Sun, 6 Mar 2011 11:37:42 +0000 (12:37 +0100)]
Merge branch 'fix/asoc' into for-linus

13 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph...
Linus Torvalds [Sat, 5 Mar 2011 18:43:22 +0000 (10:43 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/sage/ceph-client

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client:
  ceph: no .snap inside of snapped namespace
  libceph: fix msgr standby handling
  libceph: fix msgr keepalive flag
  libceph: fix msgr backoff
  libceph: retry after authorization failure
  libceph: fix handling of short returns from get_user_pages
  ceph: do not clear I_COMPLETE from d_release
  ceph: do not set I_COMPLETE
  Revert "ceph: keep reference to parent inode on ceph_dentry"

13 years agomm: use correct numa policy node for transparent hugepages
Andi Kleen [Sat, 5 Mar 2011 01:36:32 +0000 (17:36 -0800)]
mm: use correct numa policy node for transparent hugepages

Pass down the correct node for a transparent hugepage allocation.  Most
callers continue to use the current node, however the hugepaged daemon
now uses the previous node of the first to be collapsed page instead.
This ensures that khugepaged does not mess up local memory for an
existing process which uses local policy.

The choice of node is somewhat primitive currently: it just uses the
node of the first page in the pmd range.  An alternative would be to
look at multiple pages and use the most popular node.  I used the
simplest variant for now which should work well enough for the case of
all pages being on the same node.

[akpm@linux-foundation.org: coding-style fixes]
Acked-by: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agomm: preserve original node for transparent huge page copies
Andi Kleen [Sat, 5 Mar 2011 01:36:31 +0000 (17:36 -0800)]
mm: preserve original node for transparent huge page copies

This makes a difference for LOCAL policy, where the node cannot be
determined from the policy itself, but has to be gotten from the original
page.

Acked-by: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agomm: add alloc_page_vma_node()
Andi Kleen [Sat, 5 Mar 2011 01:36:30 +0000 (17:36 -0800)]
mm: add alloc_page_vma_node()

Add a alloc_page_vma_node that allows passing the "local" node in.  Used
in a followon patch.

Acked-by: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agomm: change alloc_pages_vma to pass down the policy node for local policy
Andi Kleen [Sat, 5 Mar 2011 01:36:29 +0000 (17:36 -0800)]
mm: change alloc_pages_vma to pass down the policy node for local policy

Currently alloc_pages_vma() always uses the local node as policy node for
the LOCAL policy.  Pass this node down as an argument instead.

No behaviour change from this patch, but will be needed for followons.

Acked-by: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agoRapidIO: Update MAINTAINERS
Alexandre Bounine [Sat, 5 Mar 2011 01:36:28 +0000 (17:36 -0800)]
RapidIO: Update MAINTAINERS

Signed-off-by: Alexandre Bounine <alexandre.bounine@idt.com>
Cc: Matt Porter <mporter@kernel.crashing.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agodrivers/video/backlight/ltv350qv.c: fix a memory leak
Axel Lin [Sat, 5 Mar 2011 01:36:27 +0000 (17:36 -0800)]
drivers/video/backlight/ltv350qv.c: fix a memory leak

Signed-off-by: Axel Lin <axel.lin@gmail.com>
Cc: Haavard Skinnemoen <hskinnemoen@atmel.com>
Cc: Richard Purdie <rpurdie@rpsys.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agoMAINTAINERS: add maintainer of Samsung Mobile Machine support
Kyungmin Park [Sat, 5 Mar 2011 01:36:26 +0000 (17:36 -0800)]
MAINTAINERS: add maintainer of Samsung Mobile Machine support

Add maintainer of Samsung Mobile machine support.  Currently, Aquila,
Goni, Universal (C210), and Nuri board are supported.

Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
Cc: Joe Perches <joe@perches.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Russell King <rmk@arm.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agopps: make pps_gen_parport depend on BROKEN
Thomas Gleixner [Sat, 5 Mar 2011 01:36:23 +0000 (17:36 -0800)]
pps: make pps_gen_parport depend on BROKEN

This driver causes hard lockups, when the active clock soure is jiffies.

The reason is that it loops with interrupts disabled waiting for a
timestamp to be reached by polling getnstimeofday().  Though with a
jiffies clocksource, when that code runs on the same CPU which is
responsible for updating jiffies, then we loop in circles for ever
simply because the timer interrupt cannot update jiffies.  So both UP
and SMP can be affected.

There is no easy fix for that problem so make it depend on BROKEN for
now.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Alexander Gordeev <lasaine@lvk.cs.msu.su>
Cc: Rodolfo Giometti <giometti@linux.it>
Cc: john stultz <johnstul@us.ibm.com>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agodrivers/misc/bmp085.c: add MODULE_DEVICE_TABLE
Axel Lin [Sat, 5 Mar 2011 01:36:22 +0000 (17:36 -0800)]
drivers/misc/bmp085.c: add MODULE_DEVICE_TABLE

The device table is required to load modules based on modaliases.

Signed-off-by: Axel Lin <axel.lin@gmail.com>
Cc: Shubhrajyoti D <shubhrajyoti@ti.com>
Cc: Christoph Mair <christoph.mair@gmail.com>
Cc: Jonathan Cameron <jic23@cam.ac.uk>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agocpuset: add a missing unlock in cpuset_write_resmask()
Li Zefan [Sat, 5 Mar 2011 01:36:21 +0000 (17:36 -0800)]
cpuset: add a missing unlock in cpuset_write_resmask()

Don't forget to release cgroup_mutex if alloc_trial_cpuset() fails.

[akpm@linux-foundation.org: avoid multiple return points]
Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
Cc: Paul Menage <menage@google.com>
Acked-by: David Rientjes <rientjes@google.com>
Cc: Miao Xie <miaox@cn.fujitsu.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agodrivers/rtc/rtc-s3c.c: fix prototype for s3c_rtc_setaie()
Axel Lin [Sat, 5 Mar 2011 01:36:19 +0000 (17:36 -0800)]
drivers/rtc/rtc-s3c.c: fix prototype for s3c_rtc_setaie()

Fix s3c_rtc_setaie() prototype to eliminate the following compile
warning:

  drivers/rtc/rtc-s3c.c:383: warning: initialization from incompatible pointer type

(akpm: the rtc_class_ops.alarm_irq_enable() handler is being passed two
arguments where it expects just one, presumably with undesired effects)

Signed-off-by: Axel Lin <axel.lin@gmail.com>
Cc: Alessandro Zummo <a.zummo@towertech.it>
Cc: Ben Dooks <ben-linux@fluff.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/vapier...
Linus Torvalds [Sat, 5 Mar 2011 01:31:43 +0000 (17:31 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/vapier/blackfin

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/vapier/blackfin:
  Blackfin: iflush: update anomaly 05000491 workaround
  Blackfin: outs[lwb]: make sure count is greater than 0

13 years agoMerge branch 'rmobile-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Sat, 5 Mar 2011 01:31:19 +0000 (17:31 -0800)]
Merge branch 'rmobile-fixes-for-linus' of git://git./linux/kernel/git/lethal/sh-2.6

* 'rmobile-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6:
  ARM: mach-shmobile: mackerel: modify LCDC clock divider value
  ARM: mach-shmobile: ap4evb: modify LCDC clock divider value
  ARM: mach-shmobile: mackerel: fixup memory initialize for zboot
  ARM: mach-shmobile: ap4evb: fixup memory initialize for zboot
  ARM: mach-shmobile: Add sh73a0 MIPI-CSI and CEU clocks
  ARM: mach-shmobile: AG5EVM MIPI-DSI LCD reset delay fix

13 years agoMerge branch 'sh-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git...
Linus Torvalds [Sat, 5 Mar 2011 01:31:01 +0000 (17:31 -0800)]
Merge branch 'sh-fixes-for-linus' of git://git./linux/kernel/git/lethal/sh-2.6

* 'sh-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6:
  sh: Change __nosave_XXX symbols to long
  sh: Flush executable pages in copy_user_highpage
  sh: Ensure ST40-300 BogoMIPS value is consistent
  sh: sh7750: Fix incompatible pointer type
  sh: sh7750: move machtypes.h to include/generated

13 years agoMerge branch 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied...
Linus Torvalds [Sat, 5 Mar 2011 01:30:32 +0000 (17:30 -0800)]
Merge branch 'drm-fixes' of git://git./linux/kernel/git/airlied/drm-2.6

* 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
  drm/nouveau: allocate kernel's notifier object at end of block

13 years agonfs4: Ensure that ACL pages sent over NFS were not allocated from the slab (v3)
Neil Horman [Sat, 5 Mar 2011 00:26:03 +0000 (19:26 -0500)]
nfs4: Ensure that ACL pages sent over NFS were not allocated from the slab (v3)

The "bad_page()" page allocator sanity check was reported recently (call
chain as follows):

  bad_page+0x69/0x91
  free_hot_cold_page+0x81/0x144
  skb_release_data+0x5f/0x98
  __kfree_skb+0x11/0x1a
  tcp_ack+0x6a3/0x1868
  tcp_rcv_established+0x7a6/0x8b9
  tcp_v4_do_rcv+0x2a/0x2fa
  tcp_v4_rcv+0x9a2/0x9f6
  do_timer+0x2df/0x52c
  ip_local_deliver+0x19d/0x263
  ip_rcv+0x539/0x57c
  netif_receive_skb+0x470/0x49f
  :virtio_net:virtnet_poll+0x46b/0x5c5
  net_rx_action+0xac/0x1b3
  __do_softirq+0x89/0x133
  call_softirq+0x1c/0x28
  do_softirq+0x2c/0x7d
  do_IRQ+0xec/0xf5
  default_idle+0x0/0x50
  ret_from_intr+0x0/0xa
  default_idle+0x29/0x50
  cpu_idle+0x95/0xb8
  start_kernel+0x220/0x225
  _sinittext+0x22f/0x236

It occurs because an skb with a fraglist was freed from the tcp
retransmit queue when it was acked, but a page on that fraglist had
PG_Slab set (indicating it was allocated from the Slab allocator (which
means the free path above can't safely free it via put_page.

We tracked this back to an nfsv4 setacl operation, in which the nfs code
attempted to fill convert the passed in buffer to an array of pages in
__nfs4_proc_set_acl, which gets used by the skb->frags list in
xs_sendpages.  __nfs4_proc_set_acl just converts each page in the buffer
to a page struct via virt_to_page, but the vfs allocates the buffer via
kmalloc, meaning the PG_slab bit is set.  We can't create a buffer with
kmalloc and free it later in the tcp ack path with put_page, so we need
to either:

1) ensure that when we create the list of pages, no page struct has
   PG_Slab set

 or

2) not use a page list to send this data

Given that these buffers can be multiple pages and arbitrarily sized, I
think (1) is the right way to go.  I've written the below patch to
allocate a page from the buddy allocator directly and copy the data over
to it.  This ensures that we have a put_page free-able page for every
entry that winds up on an skb frag list, so it can be safely freed when
the frame is acked.  We do a put page on each entry after the
rpc_call_sync call so as to drop our own reference count to the page,
leaving only the ref count taken by tcp_sendpages.  This way the data
will be properly freed when the ack comes in

Successfully tested by myself to solve the above oops.

Note, as this is the result of a setacl operation that exceeded a page
of data, I think this amounts to a local DOS triggerable by an
uprivlidged user, so I'm CCing security on this as well.

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
CC: Trond Myklebust <Trond.Myklebust@netapp.com>
CC: security@kernel.org
CC: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agoceph: no .snap inside of snapped namespace
Sage Weil [Thu, 3 Mar 2011 21:44:35 +0000 (13:44 -0800)]
ceph: no .snap inside of snapped namespace

Otherwise you can do things like

# mkdir .snap/foo
# cd .snap/foo/.snap
# ls
<badness>

Signed-off-by: Sage Weil <sage@newdream.net>
13 years agolibceph: fix msgr standby handling
Sage Weil [Fri, 4 Mar 2011 20:25:05 +0000 (12:25 -0800)]
libceph: fix msgr standby handling

The standby logic used to be pretty dependent on the work requeueing
behavior that changed when we switched to WQ_NON_REENTRANT.  It was also
very fragile.

Restructure things so that:
 - We clear WRITE_PENDING when we set STANDBY.  This ensures we will
   requeue work when we wake up later.
 - con_work backs off if STANDBY is set.  There is nothing to do if we are
   in standby.
 - clear_standby() helper is called by both con_send() and con_keepalive(),
   the two actions that can wake us up again.  Move the connect_seq++
   logic here.

Signed-off-by: Sage Weil <sage@newdream.net>
13 years agolibceph: fix msgr keepalive flag
Sage Weil [Thu, 3 Mar 2011 18:10:15 +0000 (10:10 -0800)]
libceph: fix msgr keepalive flag

There was some broken keepalive code using a dead variable.  Shift to using
the proper bit flag.

Signed-off-by: Sage Weil <sage@newdream.net>
13 years agolibceph: fix msgr backoff
Sage Weil [Fri, 4 Mar 2011 20:24:28 +0000 (12:24 -0800)]
libceph: fix msgr backoff

With commit f363e45f we replaced a bunch of hacky workqueue mutual
exclusion logic with the WQ_NON_REENTRANT flag.  One pieces of fallout is
that the exponential backoff breaks in certain cases:

 * con_work attempts to connect.
 * we get an immediate failure, and the socket state change handler queues
   immediate work.
 * con_work calls con_fault, we decide to back off, but can't queue delayed
   work.

In this case, we add a BACKOFF bit to make con_work reschedule delayed work
next time it runs (which should be immediately).

Signed-off-by: Sage Weil <sage@newdream.net>
13 years agoMAINTAINERS: Update shaggy's email address
Dave Kleikamp [Fri, 4 Mar 2011 16:13:47 +0000 (10:13 -0600)]
MAINTAINERS: Update shaggy's email address

Signed-off-by: Dave Kleikamp <shaggy@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agoMark ptrace_{traceme,attach,detach} static
Linus Torvalds [Fri, 4 Mar 2011 17:23:30 +0000 (09:23 -0800)]
Mark ptrace_{traceme,attach,detach} static

They are only used inside kernel/ptrace.c, and have been for a long
time.  We don't want to go back to the bad-old-days when architectures
did things on their own, so make them static and private.

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agoBlackfin: iflush: update anomaly 05000491 workaround
Mike Frysinger [Wed, 2 Feb 2011 01:55:22 +0000 (01:55 +0000)]
Blackfin: iflush: update anomaly 05000491 workaround

Recent feedback from design says we need three NOPs in the hardware loop.

Signed-off-by: Mike Frysinger <vapier@gentoo.org>
13 years agoBlackfin: outs[lwb]: make sure count is greater than 0
Mike Frysinger [Wed, 26 Jan 2011 18:10:44 +0000 (18:10 +0000)]
Blackfin: outs[lwb]: make sure count is greater than 0

Some devices will use the outs* funcs with a length of zero, so make sure
we do not write any data in that case.

Reported-by: Gilbert Inho <gneny@edevice.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
13 years agoARM: mach-shmobile: mackerel: modify LCDC clock divider value
Kuninori Morimoto [Wed, 2 Mar 2011 09:05:21 +0000 (09:05 +0000)]
ARM: mach-shmobile: mackerel: modify LCDC clock divider value

mackerel WVGA LCDC panel expect 33.3MHz for dot-clock,
but current dot-clock was 50.0MHz.
This patch modify clock divider value.

Signed-off-by: Makoto Ueda <makoto.ueda.ub@renesas.com>
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
13 years agoARM: mach-shmobile: ap4evb: modify LCDC clock divider value
Kuninori Morimoto [Wed, 2 Mar 2011 09:05:44 +0000 (09:05 +0000)]
ARM: mach-shmobile: ap4evb: modify LCDC clock divider value

ap4evb WVGA LCDC panel expect 33.3MHz for dot-clock,
but current dot-clock was 50.0MHz.
This patch modify clock divider value.

Signed-off-by: Makoto Ueda <makoto.ueda.ub@renesas.com>
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
13 years agodrm/nouveau: allocate kernel's notifier object at end of block
Ben Skeggs [Thu, 3 Mar 2011 23:58:36 +0000 (09:58 +1000)]
drm/nouveau: allocate kernel's notifier object at end of block

The nv30/nv40 3d driver is about to start using DMA_FENCE from the 3D
object which, it turns out, doesn't like its DMA object to not be
aligned to a 4KiB boundary.

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
13 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris...
Linus Torvalds [Thu, 3 Mar 2011 23:48:01 +0000 (15:48 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/jmorris/security-testing-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
  DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076]

13 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6
Linus Torvalds [Thu, 3 Mar 2011 23:43:15 +0000 (15:43 -0800)]
Merge git://git./linux/kernel/git/davem/net-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (42 commits)
  MAINTAINERS: Add Andy Gospodarek as co-maintainer.
  r8169: disable ASPM
  RxRPC: Fix v1 keys
  AF_RXRPC: Handle receiving ACKALL packets
  cnic: Fix lost interrupt on bnx2x
  cnic: Prevent status block race conditions with hardware
  net: dcbnl: check correct ops in dcbnl_ieee_set()
  e1000e: disable broken PHY wakeup for ICH10 LOMs, use MAC wakeup instead
  igb: fix sparse warning
  e1000: fix sparse warning
  netfilter: nf_log: avoid oops in (un)bind with invalid nfproto values
  dccp: fix oops on Reset after close
  ipvs: fix dst_lock locking on dest update
  davinci_emac: Add Carrier Link OK check in Davinci RX Handler
  bnx2x: update driver version to 1.62.00-6
  bnx2x: properly calculate lro_mss
  bnx2x: perform statistics "action" before state transition.
  bnx2x: properly configure coefficients for MinBW algorithm (NPAR mode).
  bnx2x: Fix ethtool -t link test for MF (non-pmf) devices.
  bnx2x: Fix nvram test for single port devices.
  ...

13 years agoMerge branch 'for-linus' of git://git.kernel.dk/linux-2.6-block
Linus Torvalds [Thu, 3 Mar 2011 23:42:35 +0000 (15:42 -0800)]
Merge branch 'for-linus' of git://git.kernel.dk/linux-2.6-block

* 'for-linus' of git://git.kernel.dk/linux-2.6-block:
  block: kill loop_mutex
  blktrace: Remove blk_fill_rwbs_rq.
  block: blk-flush shouldn't call directly into q->request_fn() __blk_run_queue()
  block: add @force_kblockd to __blk_run_queue()
  block: fix kernel-doc format for blkdev_issue_zeroout
  blk-throttle: Do not use kblockd workqueue for throtl work

13 years agoMerge branch 'i_nlink' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6
Linus Torvalds [Thu, 3 Mar 2011 23:37:59 +0000 (15:37 -0800)]
Merge branch 'i_nlink' of git://git./linux/kernel/git/viro/vfs-2.6

* 'i_nlink' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6:
  hfs: fix rename() over non-empty directory
  udf: fix i_nlink limit
  fix reiserfs mkdir() breakage
  exofs: i_nlink races in rename()
  nilfs2: i_nlink races in rename()
  minix: i_nlink races in rename()
  ufs: i_nlink races in rename()
  sysv: i_nlink races in rename()

13 years agoDNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076]
David Howells [Thu, 3 Mar 2011 11:28:58 +0000 (11:28 +0000)]
DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076]

When a DNS resolver key is instantiated with an error indication, attempts to
read that key will result in an oops because user_read() is expecting there to
be a payload - and there isn't one [CVE-2011-1076].

Give the DNS resolver key its own read handler that returns the error cached in
key->type_data.x[0] as an error rather than crashing.

Also make the kenter() at the beginning of dns_resolver_instantiate() limit the
amount of data it prints, since the data is not necessarily NUL-terminated.

The buggy code was added in:

commit 4a2d789267e00b5a1175ecd2ddefcc78b83fbf09
Author: Wang Lei <wang840925@gmail.com>
Date:   Wed Aug 11 09:37:58 2010 +0100
Subject: DNS: If the DNS server returns an error, allow that to be cached [ver #2]

This can trivially be reproduced by any user with the following program
compiled with -lkeyutils:

#include <stdlib.h>
#include <keyutils.h>
#include <err.h>
static char payload[] = "#dnserror=6";
int main()
{
key_serial_t key;
key = add_key("dns_resolver", "a", payload, sizeof(payload),
      KEY_SPEC_SESSION_KEYRING);
if (key == -1)
err(1, "add_key");
if (keyctl_read(key, NULL, 0) == -1)
err(1, "read_key");
return 0;
}

What should happen is that keyctl_read() reports error 6 (ENXIO) to the user:

dns-break: read_key: No such device or address

but instead the kernel oopses.

This cannot be reproduced with the 'keyutils add' or 'keyutils padd' commands
as both of those cut the data down below the NUL termination that must be
included in the data.  Without this dns_resolver_instantiate() will return
-EINVAL and the key will not be instantiated such that it can be read.

The oops looks like:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
IP: [<ffffffff811b99f7>] user_read+0x4f/0x8f
PGD 3bdf8067 PUD 385b9067 PMD 0
Oops: 0000 [#1] SMP
last sysfs file: /sys/devices/pci0000:00/0000:00:19.0/irq
CPU 0
Modules linked in:

Pid: 2150, comm: dns-break Not tainted 2.6.38-rc7-cachefs+ #468                  /DG965RY
RIP: 0010:[<ffffffff811b99f7>]  [<ffffffff811b99f7>] user_read+0x4f/0x8f
RSP: 0018:ffff88003bf47f08  EFLAGS: 00010246
RAX: 0000000000000001 RBX: ffff88003b5ea378 RCX: ffffffff81972368
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003b5ea378
RBP: ffff88003bf47f28 R08: ffff88003be56620 R09: 0000000000000000
R10: 0000000000000395 R11: 0000000000000002 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffffffffffffffa1
FS:  00007feab5751700(0000) GS:ffff88003e000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 000000003de40000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process dns-break (pid: 2150, threadinfo ffff88003bf46000, task ffff88003be56090)
Stack:
 ffff88003b5ea378 ffff88003b5ea3a0 0000000000000000 0000000000000000
 ffff88003bf47f68 ffffffff811b708e ffff88003c442bc8 0000000000000000
 00000000004005a0 00007fffba368060 0000000000000000 0000000000000000
Call Trace:
 [<ffffffff811b708e>] keyctl_read_key+0xac/0xcf
 [<ffffffff811b7c07>] sys_keyctl+0x75/0xb6
 [<ffffffff81001f7b>] system_call_fastpath+0x16/0x1b
Code: 75 1f 48 83 7b 28 00 75 18 c6 05 58 2b fb 00 01 be bb 00 00 00 48 c7 c7 76 1c 75 81 e8 13 c2 e9 ff 4c 8b b3 e0 00 00 00 4d 85 ed <41> 0f b7 5e 10 74 2d 4d 85 e4 74 28 e8 98 79 ee ff 49 39 dd 48
RIP  [<ffffffff811b99f7>] user_read+0x4f/0x8f
 RSP <ffff88003bf47f08>
CR2: 0000000000000010

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Jeff Layton <jlayton@redhat.com>
cc: Wang Lei <wang840925@gmail.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agolibceph: retry after authorization failure
Sage Weil [Thu, 3 Mar 2011 20:14:53 +0000 (12:14 -0800)]
libceph: retry after authorization failure

If we mark the connection CLOSED we will give up trying to reconnect to
this server instance.  That is appropriate for things like a protocol
version mismatch that won't change until the server is restarted, at which
point we'll get a new addr and reconnect.  An authorization failure like
this is probably due to the server not properly rotating it's secret keys,
however, and should be treated as transient so that the normal backoff and
retry behavior kicks in.

Signed-off-by: Sage Weil <sage@newdream.net>
13 years agolibceph: fix handling of short returns from get_user_pages
Sage Weil [Thu, 3 Mar 2011 00:55:21 +0000 (16:55 -0800)]
libceph: fix handling of short returns from get_user_pages

get_user_pages() can return fewer pages than we ask for.  We were returning
a bogus pointer/error code in that case.  Instead, loop until we get all
the pages we want or get an error we can return to the caller.

Signed-off-by: Sage Weil <sage@newdream.net>
13 years agoMAINTAINERS: Add Andy Gospodarek as co-maintainer.
Jay Vosburgh [Thu, 3 Mar 2011 10:43:10 +0000 (10:43 +0000)]
MAINTAINERS: Add Andy Gospodarek as co-maintainer.

Acked-by: Andy Gospodarek <andy@greyhouse.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoSELinux: implement the new sb_remount LSM hook
Eric Paris [Thu, 3 Mar 2011 21:09:14 +0000 (16:09 -0500)]
SELinux: implement the new sb_remount LSM hook

For SELinux we do not allow security information to change during a remount
operation.  Thus this hook simply strips the security module options from
the data and verifies that those are the same options as exist on the
current superblock.

Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed-by: James Morris <jmorris@namei.org>
13 years agoLSM: Pass -o remount options to the LSM
Eric Paris [Thu, 3 Mar 2011 21:09:14 +0000 (16:09 -0500)]
LSM: Pass -o remount options to the LSM

The VFS mount code passes the mount options to the LSM.  The LSM will remove
options it understands from the data and the VFS will then pass the remaining
options onto the underlying filesystem.  This is how options like the
SELinux context= work.  The problem comes in that -o remount never calls
into LSM code.  So if you include an LSM specific option it will get passed
to the filesystem and will cause the remount to fail.  An example of where
this is a problem is the 'seclabel' option.  The SELinux LSM hook will
print this word in /proc/mounts if the filesystem is being labeled using
xattrs.  If you pass this word on mount it will be silently stripped and
ignored.  But if you pass this word on remount the LSM never gets called
and it will be passed to the FS.  The FS doesn't know what seclabel means
and thus should fail the mount.  For example an ext3 fs mounted over loop

# mount -o loop /tmp/fs /mnt/tmp
# cat /proc/mounts | grep /mnt/tmp
/dev/loop0 /mnt/tmp ext3 rw,seclabel,relatime,errors=continue,barrier=0,data=ordered 0 0
# mount -o remount /mnt/tmp
mount: /mnt/tmp not mounted already, or bad option
# dmesg
EXT3-fs (loop0): error: unrecognized mount option "seclabel" or missing value

This patch passes the remount mount options to an new LSM hook.

Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed-by: James Morris <jmorris@namei.org>
13 years agoMerge branch 'for-linus' of git://oss.sgi.com/xfs/xfs
Linus Torvalds [Thu, 3 Mar 2011 20:44:22 +0000 (12:44 -0800)]
Merge branch 'for-linus' of git://oss.sgi.com/xfs/xfs

* 'for-linus' of git://oss.sgi.com/xfs/xfs:
  xfs: zero proper structure size for geometry calls

13 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ryusuke...
Linus Torvalds [Thu, 3 Mar 2011 20:42:48 +0000 (12:42 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/ryusuke/nilfs2

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ryusuke/nilfs2:
  nilfs2: fix regression that i-flag is not set on changeless checkpoints

13 years agoSELinux: Compute SID for the newly created socket
Harry Ciao [Wed, 2 Mar 2011 05:32:34 +0000 (13:32 +0800)]
SELinux: Compute SID for the newly created socket

The security context for the newly created socket shares the same
user, role and MLS attribute as its creator but may have a different
type, which could be specified by a type_transition rule in the relevant
policy package.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
[fix call to security_transition_sid to include qstr, Eric Paris]
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
13 years agoSELinux: Socket retains creator role and MLS attribute
Harry Ciao [Wed, 2 Mar 2011 05:32:33 +0000 (13:32 +0800)]
SELinux: Socket retains creator role and MLS attribute

The socket SID would be computed on creation and no longer inherit
its creator's SID by default. Socket may have a different type but
needs to retain the creator's role and MLS attribute in order not
to break labeled networking and network access control.

The kernel value for a class would be used to determine if the class
if one of socket classes. If security_compute_sid is called from
userspace the policy value for a class would be mapped to the relevant
kernel value first.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
13 years agoSELinux: Auto-generate security_is_socket_class
Harry Ciao [Wed, 2 Mar 2011 05:46:08 +0000 (13:46 +0800)]
SELinux: Auto-generate security_is_socket_class

The security_is_socket_class() is auto-generated by genheaders based
on classmap.h to reduce maintenance effort when a new class is defined
in SELinux kernel. The name for any socket class should be suffixed by
"socket" and doesn't contain more than one substr of "socket".

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
13 years agor8169: disable ASPM
Stanislaw Gruszka [Tue, 22 Feb 2011 02:00:11 +0000 (02:00 +0000)]
r8169: disable ASPM

For some time is known that ASPM is causing troubles on r8169, i.e. make
device randomly stop working without any errors in dmesg.

Currently Tomi Leppikangas reports that system with r8169 device hangs
with MCE errors when ASPM is enabled:
https://bugzilla.redhat.com/show_bug.cgi?id=642861#c4

Lets disable ASPM for r8169 devices at all, to avoid problems with
r8169 PCIe devices at least for some users.

Reported-by: Tomi Leppikangas <tomi.leppikangas@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoMerge branch 'for_2.6.38/pm-fixes' of ssh://master.kernel.org/pub/scm/linux/kernel...
Tony Lindgren [Thu, 3 Mar 2011 18:25:18 +0000 (10:25 -0800)]
Merge branch 'for_2.6.38/pm-fixes' of ssh:///linux/kernel/git/khilman/linux-omap-pm into devel-fixes

13 years agoomap: mailbox: resolve hang issue
Hari Kanigeri [Wed, 2 Mar 2011 22:14:18 +0000 (22:14 +0000)]
omap: mailbox: resolve hang issue

omap4 interrupt disable bits is different. On rx kfifo full, the mbox rx
interrupts wasn't getting disabled, and this is causing the rcm stress tests
to hang.

Signed-off-by: Hari Kanigeri <h-kanigeri2@ti.com>
Signed-off-by: Armando Uribe <x0095078@ti.com>
Signed-off-by: Fernando Guzman Lugo <fernando.lugo@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
13 years agoceph: do not clear I_COMPLETE from d_release
Sage Weil [Mon, 28 Feb 2011 20:49:15 +0000 (12:49 -0800)]
ceph: do not clear I_COMPLETE from d_release

First, this was racy anyway: d_release isn't called until well after the
dentry is unhashed.  Second, this runs afoul of the recent dcache change
that clears d_parent prior to calling d_release (949854d0), causing a NULL
pointer dereference.

Signed-off-by: Sage Weil <sage@newdream.net>
13 years agoceph: do not set I_COMPLETE
Sage Weil [Mon, 28 Feb 2011 20:46:46 +0000 (12:46 -0800)]
ceph: do not set I_COMPLETE

Do not set the I_COMPLETE flag on directories until we resolve races with
dcache pruning.

Signed-off-by: Sage Weil <sage@newdream.net>
13 years agoRevert "ceph: keep reference to parent inode on ceph_dentry"
Sage Weil [Mon, 28 Feb 2011 17:47:37 +0000 (09:47 -0800)]
Revert "ceph: keep reference to parent inode on ceph_dentry"

This reverts commit 97d79b403ef03f729883246208ef5d8a2ebc4d68.

This fails to account for d_parent changes due to rename or disconnected
dentries due to submounts or NFS reexports.

Signed-off-by: Sage Weil <sage@newdream.net>
13 years ago[S390] tape: deadlock on system work queue
Martin Schwidefsky [Thu, 3 Mar 2011 16:56:07 +0000 (17:56 +0100)]
[S390] tape: deadlock on system work queue

The 34xx and 3590 tape driver uses the system work queue to defer work
from the interrupt function to process context, e.g. a medium sense
after an unsolicited interrupt. The tape commands started by the work
handler need to be asynchronous, otherwise a deadlock on the system
work queue can occur.

Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
13 years ago[S390] keyboard: integer underflow bug
Dan Carpenter [Thu, 3 Mar 2011 16:56:06 +0000 (17:56 +0100)]
[S390] keyboard: integer underflow bug

The "ct" variable should be an unsigned int.  Both struct kbdiacrs
->kb_cnt and struct kbd_data ->accent_table_size are unsigned ints.

Making it signed causes a problem in KBDIACRUC because the user could
set the signed bit and cause a buffer overflow.

Cc: <stable@kernel.org>
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
13 years ago[S390] xpram: remove __initdata attribute from module parameters
Martin Schwidefsky [Thu, 3 Mar 2011 16:56:05 +0000 (17:56 +0100)]
[S390] xpram: remove __initdata attribute from module parameters

The module parameter 'devs' and 'sizes' are marked as __initdata. The
memory for the parameters are freed after module_init completed. This
can lead to kernel crashes in param_free_charp. Remove the __initdata
attribute to fix the problem.

Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
13 years agoblock: kill loop_mutex
Petr Uzel [Thu, 3 Mar 2011 16:48:50 +0000 (11:48 -0500)]
block: kill loop_mutex

Following steps lead to deadlock in kernel:

dd if=/dev/zero of=img bs=512 count=1000
losetup -f img
mkfs.ext2 /dev/loop0
mount -t ext2 -o loop /dev/loop0 mnt
umount mnt/

Stacktrace:
[<c102ec04>] irq_exit+0x36/0x59
[<c101502c>] smp_apic_timer_interrupt+0x6b/0x75
[<c127f639>] apic_timer_interrupt+0x31/0x38
[<c101df88>] mutex_spin_on_owner+0x54/0x5b
[<fe2250e9>] lo_release+0x12/0x67 [loop]
[<c10c4eae>] __blkdev_put+0x7c/0x10c
[<c10a4da5>] fput+0xd5/0x1aa
[<fe2250cf>] loop_clr_fd+0x1a9/0x1b1 [loop]
[<fe225110>] lo_release+0x39/0x67 [loop]
[<c10c4eae>] __blkdev_put+0x7c/0x10c
[<c10a59d9>] deactivate_locked_super+0x17/0x36
[<c10b6f37>] sys_umount+0x27e/0x2a5
[<c10b6f69>] sys_oldumount+0xb/0xe
[<c1002897>] sysenter_do_call+0x12/0x26
[<ffffffff>] 0xffffffff

Regression since 2a48fc0ab24241755dc9, which introduced the private
loop_mutex as part of the BKL removal process.

As per [1], the mutex can be safely removed.

[1] http://www.gossamer-threads.com/lists/linux/kernel/1341930

Addresses: https://bugzilla.novell.com/show_bug.cgi?id=669394
Addresses: https://bugzilla.kernel.org/show_bug.cgi?id=29172

Signed-off-by: Petr Uzel <petr.uzel@suse.cz>
Cc: stable@kernel.org
Reviewed-by: Nikanth Karthikesan <knikanth@suse.de>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
13 years agoblktrace: Remove blk_fill_rwbs_rq.
Tao Ma [Thu, 3 Mar 2011 15:53:20 +0000 (10:53 -0500)]
blktrace: Remove blk_fill_rwbs_rq.

If we enable trace events to trace block actions, We use
blk_fill_rwbs_rq to analyze the corresponding actions
in request's cmd_flags, but we only choose the minor 2 bits
from it, so most of other flags(e.g, REQ_SYNC) are missing.
For example, with a sync write we get:
write_test-2409  [001]   160.013869: block_rq_insert: 3,64 W 0 () 258135 + =
8 [write_test]

Since now we have integrated the flags of both bio and request,
it is safe to pass rq->cmd_flags directly to blk_fill_rwbs and
blk_fill_rwbs_rq isn't needed any more.

With this patch, after a sync write we get:
write_test-2417  [000]   226.603878: block_rq_insert: 3,64 WS 0 () 258135 +=
 8 [write_test]

Signed-off-by: Tao Ma <boyu.mt@taobao.com>
Acked-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
13 years agoALSA: hda - Don't set to D3 in Cirrus errata init verbs
Takashi Iwai [Thu, 3 Mar 2011 13:54:19 +0000 (14:54 +0100)]
ALSA: hda - Don't set to D3 in Cirrus errata init verbs

The errata init verbs for CS42xx codecs contain the verbs to set
the power-state of SPDIF nodes to D3, which seem to break the SPDIF
output on some MacBooks.  Since this is executed during the power-up
initialization, we shouldn't turn them down there.

Reported-by: Arun Raghavan <arun.raghavan@collabora.co.uk>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
13 years agoALSA: hda - add new Fermi 5xx codec IDs to snd-hda
Richard Samson [Thu, 3 Mar 2011 11:46:13 +0000 (12:46 +0100)]
ALSA: hda - add new Fermi 5xx codec IDs to snd-hda

Added the missing HDMI codec IDs for new Nvidia stuff.
Note that ID 0x17 isn't assigned to anything so far, as suggested by
Stephen.

[Modified to get rid of 0x17 by tiwai]

Signed-off-by: Richard Samson <samson.richard@gmail.com>
Acked-by: Acked-By: Stephen Warren <swarren@nvidia.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
13 years agohfs: fix rename() over non-empty directory
Al Viro [Thu, 3 Mar 2011 04:46:51 +0000 (23:46 -0500)]
hfs: fix rename() over non-empty directory

merge hfs_unlink() and hfs_rmdir(), while we are at it.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
13 years agoudf: fix i_nlink limit
Al Viro [Wed, 2 Mar 2011 15:15:26 +0000 (10:15 -0500)]
udf: fix i_nlink limit

(256 << sizeof(x)) - 1 is not the maximal possible value of x...
In reality, the maximal allowed value for UDF FileLinkCount is
65535.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
13 years agofix reiserfs mkdir() breakage
Al Viro [Wed, 2 Mar 2011 14:35:13 +0000 (09:35 -0500)]
fix reiserfs mkdir() breakage

if directory has so many subdirectories that its link count is set
to 1 (i.e. "can't tell accurately") and reiserfs_new_inode() fails,
we shouldn't decrement the parent's link count in cleanup path;
that's what DEC_DIR_INODE_NLINK() is for.  As it is, we end up
with parent suddenly getting zero i_nlink, with very unpleasant
effects.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
13 years agoexofs: i_nlink races in rename()
Al Viro [Wed, 2 Mar 2011 21:42:38 +0000 (16:42 -0500)]
exofs: i_nlink races in rename()

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
13 years agonilfs2: i_nlink races in rename()
Al Viro [Wed, 2 Mar 2011 17:01:13 +0000 (12:01 -0500)]
nilfs2: i_nlink races in rename()

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
13 years agominix: i_nlink races in rename()
Al Viro [Wed, 2 Mar 2011 14:41:38 +0000 (09:41 -0500)]
minix: i_nlink races in rename()

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
13 years agoufs: i_nlink races in rename()
Al Viro [Wed, 2 Mar 2011 14:40:21 +0000 (09:40 -0500)]
ufs: i_nlink races in rename()

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
13 years agosysv: i_nlink races in rename()
Al Viro [Wed, 2 Mar 2011 14:38:45 +0000 (09:38 -0500)]
sysv: i_nlink races in rename()

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>