Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v2.6.39 2011-05-18T18:32:23Z 2011-05-18T18:32:23Z Grant Likely grant.likely@secretlab.ca 2011-05-18T17:19:24Z urn:sha1:b1608d69cb804e414d0887140ba08a9398e4e638 Commit b826291c, "drivercore/dt: add a match table pointer to struct device" added an of_match pointer to struct device to cache the of_match_table entry discovered at driver match time. This was unsafe because matching is not an atomic operation with probing a driver. If two or more drivers are attempted to be matched to a driver at the same time, then the cached matching entry pointer could get overwritten. This patch reverts the of_match cache pointer and reworks all users to call of_match_device() directly instead. Signed-off-by: Grant Likely <grant.likely@secretlab.ca> 2011-04-21T16:58:42Z Linus Torvalds torvalds@linux-foundation.org 2011-04-21T16:58:42Z urn:sha1:83425eee85c6235392e3fe865faf533a48b60ab3 * git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux-2.6-for-linus: virtio: console: Enable call to hvc_remove() on console port remove virtio_pci: Prevent double-free of pci regions after device hot-unplug virtio: Decrement avail idx on buffer detach 2011-04-21T13:27:00Z Amit Shah amit.shah@redhat.com 2011-03-14T12:15:48Z urn:sha1:afa2689e19073cd2e762d0f2c1358fab1ab9f18c This call was disabled as hot-unplugging one virtconsole port led to another virtconsole port freezing. Upon testing it again, this now works, so enable it. In addition, a bug was found in qemu wherein removing a port of one type caused the guest output from another port to stop working. I doubt it was just this bug that caused it (since disabling the hvc_remove() call did allow other ports to continue working), but since it's all solved now, we're fine with hot-unplugging of virtconsole ports. Signed-off-by: Amit Shah <amit.shah@redhat.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> 2011-04-21T02:16:55Z Vasiliy Kulikov segoon@openwall.com 2011-04-14T16:55:16Z urn:sha1:194b3da873fd334ef183806db751473512af29ce pg_start is copied from userspace on AGPIOC_BIND and AGPIOC_UNBIND ioctl cmds of agp_ioctl() and passed to agpioc_bind_wrap(). As said in the comment, (pg_start + mem->page_count) may wrap in case of AGPIOC_BIND, and it is not checked at all in case of AGPIOC_UNBIND. As a result, user with sufficient privileges (usually "video" group) may generate either local DoS or privilege escalation. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Signed-off-by: Dave Airlie <airlied@redhat.com> 2011-04-21T01:51:04Z Vasiliy Kulikov segoon@openwall.com 2011-04-14T16:55:19Z urn:sha1:b522f02184b413955f3bc952e3776ce41edc6355 page_count is copied from userspace. agp_allocate_memory() tries to check whether this number is too big, but doesn't take into account the wrap case. Also agp_create_user_memory() doesn't check whether alloc_size is calculated from num_agp_pages variable without overflow. This may lead to allocation of too small buffer with following buffer overflow. Another problem in agp code is not addressed in the patch - kernel memory exhaustion (AGPIOC_RESERVE and AGPIOC_ALLOCATE ioctls). It is not checked whether requested pid is a pid of the caller (no check in agpioc_reserve_wrap()). Each allocation is limited to 16KB, though, there is no per-process limit. This might lead to OOM situation, which is not even solved in case of the caller death by OOM killer - the memory is allocated for another (faked) process. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Signed-off-by: Dave Airlie <airlied@redhat.com> 2011-03-31T14:26:23Z Lucas De Marchi lucas.demarchi@profusion.mobi 2011-03-31T01:57:33Z urn:sha1:25985edcedea6396277003854657b5f3cb31a628 Fixes generated by 'codespell' and manually reviewed. Signed-off-by: Lucas De Marchi <lucas.demarchi@profusion.mobi> 2011-03-29T16:45:34Z Peter Huewe huewe.external.infineon@googlemail.com 2011-03-29T11:31:25Z urn:sha1:1309d7afbed112f0e8e90be9af975550caa0076b This patch fixes information leakage to the userspace by initializing the data buffer to zero. Reported-by: Peter Huewe <huewe.external@infineon.com> Signed-off-by: Peter Huewe <huewe.external@infineon.com> Signed-off-by: Marcel Selhorst <m.selhorst@sirrix.com> [ Also removed the silly "* sizeof(u8)". If that isn't 1, we have way deeper problems than a simple multiplication can fix. - Linus ] Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2011-03-24T02:46:40Z Changli Gao xiaosuo@gmail.com 2011-03-23T23:42:58Z urn:sha1:cfaf346cb2741ca648d83527df173b759381e607 Reduce the lines of code and simplify the logic. Signed-off-by: Changli Gao <xiaosuo@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2011-03-24T02:46:38Z Niranjana Vishwanathapura nvishwan@codeaurora.org 2011-03-23T23:42:55Z urn:sha1:73210a135b9dd53ba59beb4ced5a55633ae65b2f Add smd_pkt driver which provides device interface to smd packet ports. Signed-off-by: Niranjana Vishwanathapura <nvishwan@codeaurora.org> Cc: Brian Swetland <swetland@google.com> Cc: Greg KH <gregkh@suse.de> Cc: Alan Cox <alan@lxorguk.ukuu.org.uk> Cc: David Brown <davidb@codeaurora.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2011-03-24T02:46:38Z Sergey Senozhatsky sergey.senozhatsky@gmail.com 2011-03-23T23:42:54Z urn:sha1:0dcf334c44d99cd08515f4fc5cc9075abd92b2ff commit d2478521afc2022 ("char/ipmi: fix OOPS caused by pnp_unregister_driver on unregistered driver") introduced a section mismatch by calling __exit cleanup_ipmi_si from __devinit init_ipmi_si. Remove __exit annotation from cleanup_ipmi_si. Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com> Acked-by: Corey Minyard <cminyard@mvista.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>