lwn.git/arch, branch v2.6.13.2

[PATCH] lost fput in 32bit ioctl on x86-64

2005-09-17T01:01:55+00:00

This patch adds lost fput in 32bit tiocgdev ioctl on x86-64 I believe this is a security issues, since user can fget() file as many times as he wants to. So file refcounter can be overlapped and first fput() will free resources though there will be still structures pointing to the file, mnt, dentry etc. Also fput() sets f_dentry and f_vfsmnt to NULL, so other file users will OOPS. The oops can be done under files_lock and others, so this is really exploitable DoS on SMP. Didn't checked it on practice actually. (chrisw: Update to use fget_light/fput_light) Signed-Off-By: Kirill Korotaev Signed-Off-By: Maxim Giryaev Signed-off-by: Chris Wright

[PATCH] x86: pci_assign_unassigned_resources() update

2005-09-10T02:42:51+00:00

I had some time to think about PCI assign issues in 2.6.13-rc series. The major problem here is that we call pci_assign_unassigned_resources() way too early - at subsys_initcall level. Therefore we give no chances to ACPI and PnP routines (called at fs_initcall level) to reserve their respective resources properly, as the comments in drivers/pnp/system.c and drivers/acpi/motherboard.c suggest: /** * Reserve motherboard resources after PCI claim BARs, * but before PCI assign resources for uninitialized PCI devices */ So I moved the pci_assign_unassigned_resources() call to pcibios_assign_resources() (fs_initcall), which should hopefully fix a lot of problems and make PCIBIOS_MIN_IO tweaks unnecessary. Other changes: - remove resource assignment code from pcibios_assign_resources(), since it duplicates pci_assign_unassigned_resources() functionality and actually does nothing in 2.6.13; - modify ROM assignment code as per Ben's suggestion: try to use firmware settings by default (if PCI_ASSIGN_ROMS is not set); - set CARDBUS_IO_SIZE back to 4K as it's a wonderful stress test for various setups. Confirmed by Tero Roponen (who had problems with the 4kB CardBus IO size previously). Signed-off-by: Linus Torvalds Signed-off-by: Chris Wright Signed-off-by: Greg Kroah-Hartman

[PATCH] mmaper_kern.c fixes [buffer overruns]

2005-08-27T17:11:40+00:00

- copy_from_user() can fail; ->write() must check its return value. - severe buffer overruns both in ->read() and ->write() - lseek to the end (i.e. to mmapper_size) and if (count + *ppos > mmapper_size) count = count + *ppos - mmapper_size; will do absolutely nothing. Then it will call copy_to_user(buf,&v_buf[*ppos],count); with obvious results (similar for ->write()). Fixed by turning read to simple_read_from_buffer() and by doing normal limiting of count in ->write(). - gratitious lock_kernel() in ->mmap() - it's useless there. - lots of gratuitous includes. Signed-off-by: Al Viro Signed-off-by: Linus Torvalds

[PATCH] arm: fix IXP4xx flash resource range

2005-08-27T02:37:12+00:00

We are currently reserving one byte more than actually needed by the flash device and overlapping into the next I/O expansion bus window. This a) causes us to allocate an extra page of VM due to ARM ioremap() alignment code and b) could cause problems if another driver tries to request the next expansion bus window. Signed-off-by: Deepak Saxena Cc: Russell King Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

[PATCH] x86_64: Tell VM about holes in nodes

2005-08-27T02:37:12+00:00

Some nodes can have large holes on x86-64. This fixes problems with the VM allowing too many dirty pages because it overestimates the number of available RAM in a node. In extreme cases you can end up with all RAM filled with dirty pages which can lead to deadlocks and other nasty behaviour. This patch just tells the VM about the known holes from e820. Reserved (like the kernel text or mem_map) is still not taken into account, but that should be only a few percent error now. Small detail is that the flat setup uses the NUMA free_area_init_node() now too because it offers more flexibility. (akpm: lotsa thanks to Martin for working this problem out) Cc: Martin Bligh Signed-off-by: Andi Kleen Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

[PATCH] ppc32 8xx: fix m8xx_ide_init() #ifdef

2005-08-26T23:31:46+00:00

Be more precise on deciding whether to call m8xx_ide_init() at m8xx_setup.c:platform_init(). Compilation fails if CONFIG_BLK_DEV_IDE is defined but CONFIG_BLK_DEV_MPC8xx_IDE isnt. Signed-off-by: Marcelo Tosatti Signed-off-by: Linus Torvalds

[PATCH] Export pcibios_bus_to_resource

2005-08-24T17:22:44+00:00

pcibios_bus_to_resource is exported on all architectures except ia64 and sparc. Add exports for the two missing architectures. Needed when Yenta socket support is compiled as a module. Signed-off-by: Keith Owens Signed-off-by: Linus Torvalds

[PATCH] x86_64: update defconfig - reenable fusion

2005-08-24T17:22:44+00:00

I mistakedly disabled fusion support in an earlier update. Fusion is commonly used on many x86-64 systems, so this was a problem. This patch fixes that. Signed-off-by: And Kleen Signed-off-by: Linus Torvalds

[PATCH] ppc64: Export machine_power_off for therm_pm72 module

2005-08-24T16:41:35+00:00

This patch puts back the export of machine_power_off() that was removed by some janitor as it's used for emergency shutdown by the G5 thermal control driver. Wether that driver should use kernel_power_off() instead is debatable and a post-2.6.13 decision. In the meantime, please commit that patch that fixes the driver for now. Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Linus Torvalds

[PATCH] x86_64: Don't oops at boot when empty Opteron node has IO

2005-08-24T02:59:39+00:00

The code to detect IO links on Opteron would not check if the node had actually memory. This could lead to pci_bus_to_node returning an invalid node, which might cause crashes later when dma_alloc_coherent passes it to page_alloc_node(). The bug has been there forever but for some reason it is causing now crashes. Signed-off-by: Andi Kleen Signed-off-by: Linus Torvalds