Commits on Sep 27, 2010
  1. @gregkh


    gregkh authored
  2. @gregkh

    x86: Add memory modify constraints to xchg() and cmpxchg()

    H. Peter Anvin authored gregkh committed
    commit 113fc5a upstream.
    [ Backport to .32 by Tomáš Janoušek <> ]
    xchg() and cmpxchg() modify their memory operands, not merely read
    them.  For some versions of gcc the "memory" clobber has apparently
    dealt with the situation, but not for all.
    Originally-by: Linus Torvalds <>
    Signed-off-by: H. Peter Anvin <>
    Cc: Glauber Costa <>
    Cc: Avi Kivity <>
    Cc: Peter Palfrader <>
    Cc: Greg KH <>
    Cc: Alan Cox <>
    Cc: Zachary Amsden <>
    Cc: Marcelo Tosatti <>
    LKML-Reference: <>
    Signed-off-by: Greg Kroah-Hartman <>
  3. @gregkh

    alpha: Fix printk format errors

    Michael Cree authored gregkh committed
    commit 3e07336 upstream.
    When compiling alpha generic build get errors such as:
    arch/alpha/kernel/err_marvel.c: In function ‘marvel_print_err_cyc’:
    arch/alpha/kernel/err_marvel.c:119: error: format ‘%ld’ expects type ‘long int’, but argument 6 has type ‘u64’
    Replaced a number of %ld format specifiers with %lld since u64
    is unsigned long long.
    Signed-off-by: Michael Cree <>
    Signed-off-by: Matt Turner <>
    Signed-off-by: Greg Kroah-Hartman <>
  4. @gregkh

    sis-agp: Remove SIS 760, handled by amd64-agp

    Ben Hutchings authored gregkh committed
    commit d831692 upstream.
    SIS 760 is listed in the device tables for both amd64-agp and sis-agp.
    amd64-agp is apparently preferable since it has workarounds for some
    BIOS misconfigurations that sis-agp doesn't handle.
    Signed-off-by: Ben Hutchings <>
    Signed-off-by: Dave Airlie <>
    Signed-off-by: Greg Kroah-Hartman <>
  5. @ralfbaechle @gregkh

    MIPS: Sibyte: Fix M3 TLB exception handler workaround.

    ralfbaechle authored gregkh committed
    commit 3d45285 upstream.
    The M3 workaround needs to compare the region and VPN2 fields only.
    Signed-off-by: Ralf Baechle <>
    Signed-off-by: Greg Kroah-Hartman <>
  6. @bzolnier @gregkh

    pata_pdc202xx_old: fix UDMA mode for PDC2026x chipsets

    bzolnier authored gregkh committed
    commit 750e519 upstream.
    PDC2026x chipsets need the same treatment as PDC20246 one.
    This is completely untested but will hopefully fix UDMA issues
    that people have been reporting against pata_pdc202xx_old for
    the last couple of years.
    Signed-off-by: Bartlomiej Zolnierkiewicz <>
    Signed-off-by: Jeff Garzik <>
    Signed-off-by: Greg Kroah-Hartman <>
  7. @bzolnier @gregkh

    pata_pdc202xx_old: fix UDMA mode for Promise UDMA33 cards

    bzolnier authored gregkh committed
    commit a75032e upstream.
    On Monday 04 January 2010 02:30:24 pm Russell King wrote:
    > Found the problem - getting rid of the read of the alt status register
    > after the command has been written fixes the UDMA CRC errors on write:
    > @@ -676,7 +676,8 @@ void ata_sff_exec_command(struct ata_port *ap, const struct
    > ata_taskfile *tf)
    >         DPRINTK("ata%u: cmd 0x%X\n", ap->print_id, tf->command);
    >         iowrite8(tf->command, ap->ioaddr.command_addr);
    > -       ata_sff_pause(ap);
    > +       ndelay(400);
    > +//     ata_sff_pause(ap);
    >  }
    >  EXPORT_SYMBOL_GPL(ata_sff_exec_command);
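    Review bot: the last added line leaves `ata_sff_pause(ap)` behind as a `//` comment, and the `ndelay(400)` that replaces it carries no comment explaining the figure. Because this sits in the generic `ata_sff_exec_command()`, it drops the alt status read for every SFF controller, not only the PDC20246/PDC20247 pair the message discusses. Move the fixed delay into a chipset-specific exec_command hook, delete the commented-out call, and document why a delay is used here instead of the alt status read.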
    > This rather makes sense.  The PDC20247 handles the UDMA part of the
    > protocol.  It has no way to tell the PDC20246 to wait while it suspends
    > UDMA, so that a normal register access can take place - the 246 ploughs
    > on with the register access without any regard to the state of the 247.
    > If the drive immediately starts the UDMA protocol after a write to the
    > command register (as it probably will for the DMA WRITE command), then
    > we'll be accessing the taskfile in the middle of the UDMA setup, which
    > can't be good.  It's certainly a violation of the ATA specs.
    Fix it by adding custom ->sff_exec_command method for UDMA33 chipsets.
    Debugged-by: Russell King <>
    Signed-off-by: Bartlomiej Zolnierkiewicz <>
    Signed-off-by: Jeff Garzik <>
    Signed-off-by: Greg Kroah-Hartman <>
  8. @ralfbaechle @gregkh

    MIPS: uasm: Add OR instruction.

    ralfbaechle authored gregkh committed
    commit 5808184 upstream.
    This is needed for the fix of the M3 workaround.
    Signed-off-by: Ralf Baechle <>
    [Backported by Aurelien Jarno <>]
    Signed-off-by: Greg Kroah-Hartman <>
  9. @gregkh

    MIPS: Set io_map_base for several PCI bridges lacking it

    Ben Hutchings authored gregkh committed
    commit 8faf2e6 upstream.
    Several MIPS platforms don't set pci_controller::io_map_base for their
    PCI bridges.  This results in a panic in pci_iomap().  (The panic is
    conditional on CONFIG_PCI_DOMAINS, but that is now enabled for all PCI
    MIPS systems.)
    Signed-off-by: Ben Hutchings <>
    Cc: Martin Michlmayr <>
    Cc: Aurelien Jarno <>
    Signed-off-by: Ralf Baechle <>
    Signed-off-by: Greg Kroah-Hartman <>
  10. @gregkh

    MIPS: Quit using undefined behavior of ADDU in 64-bit atomic operations.

    David Daney authored gregkh committed
    commit f2a6827 upstream.
    For 64-bit, we must use DADDU and DSUBU.
    Signed-off-by: David Daney <>
    Signed-off-by: Ralf Baechle <>
    Signed-off-by: Greg Kroah-Hartman <>
  11. @dtor @gregkh

    Input: add compat support for sysfs and /proc capabilities output

    dtor authored gregkh committed
    commit 15e184a upstream.
    Input core displays capabilities bitmasks in form of one or more longs printed
    in hex form and separated by spaces. Unfortunately it does not work well
    for 32-bit applications running on 64-bit kernels since applications expect
    that number is "worth" only 32 bits when kernel advances by 64 bits.
    Fix that by ensuring that output produced for compat tasks uses 32-bit units.
    Reported-and-tested-by: Michael Tokarev <>
    Signed-off-by: Dmitry Torokhov <>
    Signed-off-by: Greg Kroah-Hartman <>
  12. @eparis @gregkh

    inotify: fix inotify oneshot support

    eparis authored gregkh committed
    commit ff31100 upstream.
    During the large inotify rewrite to fsnotify I completely dropped support
    for IN_ONESHOT.  Reimplement that support.
    Signed-off-by: Eric Paris <>
    Signed-off-by: Greg Kroah-Hartman <>
  13. @linvjw @gregkh

    hostap_pci: set dev->base_addr during probe

    linvjw authored gregkh committed
    commit 0f4da2d upstream.
    "hostap: Protect against initialization interrupt" (which reinstated
    "wireless: hostap, fix oops due to early probing interrupt")
    reintroduced Bug 16111.  This is because hostap_pci wasn't setting
    dev->base_addr, which is now checked in prism2_interrupt.  As a result,
    initialization was failing for PCI-based hostap devices.  This corrects
    that oversight.
    Signed-off-by: John W. Linville <>
    Signed-off-by: Greg Kroah-Hartman <>
  14. @herbertx @gregkh

    gro: Fix bogus gso_size on the first fraglist entry

    herbertx authored gregkh committed
    commit 622e0ca upstream.
    When GRO produces fraglist entries, and the resulting skb hits
    an interface that is incapable of TSO but capable of FRAGLIST,
    we end up producing a bogus packet with gso_size non-zero.
    This was reported in the field with older versions of KVM that
    did not set the TSO bits on tuntap.
    This patch fixes that.
    Reported-by: Igor Zhang <>
    Signed-off-by: Herbert Xu <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  15. @aurel32 @gregkh

    clocksource: sh_tmu: compute mult and shift before registration

    aurel32 authored gregkh committed
    commit 66f4912 upstream.
    Since commit 9896246 ("nohz: Prevent
    clocksource wrapping during idle"), the CPU of an R2D board never goes
    to idle. This commit assumes that mult and shift are assigned before
    the clocksource is registered. As a consequence the safe maximum sleep
    time is negative and the CPU never goes into idle.
    This patch fixes the problem by moving mult and shift initialization
    from sh_tmu_clocksource_enable() to sh_tmu_register_clocksource().
    Signed-off-by: Aurelien Jarno <>
    Signed-off-by: Paul Mundt <>
    Signed-off-by: Greg Kroah-Hartman <>
  16. @oberpar @gregkh

    dasd: use correct label location for diag fba disks

    oberpar authored gregkh committed
    commit cffab6b upstream.
    Partition boundary calculation fails for DASD FBA disks under the
    following conditions:
    - disk is formatted with CMS FORMAT with a blocksize of more than
      512 bytes
    - all of the disk is reserved to a single CMS file using CMS RESERVE
    - the disk is accessed using the DIAG mode of the DASD driver
    Under these circumstances, the partition detection code tries to
    read the CMS label block containing partition-relevant information
    from logical block offset 1, while it is in fact located at physical
    block offset 1.
    Fix this problem by using the correct CMS label block location
    depending on the device type as determined by the DASD SENSE ID
    Signed-off-by: Peter Oberparleiter <>
    Signed-off-by: Martin Schwidefsky <>
    [bwh: Adjust for 2.6.32]
    Signed-off-by: Greg Kroah-Hartman <>
  17. @jkivilin @gregkh

    asix: fix setting mac address for AX88772

    jkivilin authored gregkh committed
    commit 7f29a3b upstream.
    Setting new MAC address only worked when device was set to promiscuous mode.
    Fix MAC address by writing new address to device using undocumented command
    AX_CMD_READ_NODE_ID+1. Patch is tested with AX88772 device.
    Signed-off-by: Jussi Kivilinna <>
    Acked-by: David Hollis <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  18. @gregkh

    3c503: Fix IRQ probing

    Ben Hutchings authored gregkh committed
    commit b0cf4df upstream.
    The driver attempts to select an IRQ for the NIC automatically by
    testing which of the supported IRQs are available and then probing
    each available IRQ with probe_irq_{on,off}().  There are obvious race
    conditions here, besides which:
    1. The test for availability is done by passing a NULL handler, which
       now always returns -EINVAL, thus the device cannot be opened:
    2. probe_irq_off() will report only the first ISA IRQ handled,
       potentially leading to a false negative.
    There was another bug that meant it ignored all error codes from
    request_irq() except -EBUSY, so it would 'succeed' despite this
    (possibly causing conflicts with other ISA devices).  This was fixed
    by ab08999 'WARNING: some
    request_irq() failures ignored in el2_open()', which exposed bug 1.
    This patch:
    1. Replaces the use of probe_irq_{on,off}() with a real interrupt handler
    2. Adds a delay before checking the interrupt-seen flag
    3. Disables interrupts on all failure paths
    4. Distinguishes error codes from the second request_irq() call,
       consistently with the first
    Compile-tested only.
    Signed-off-by: Ben Hutchings <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  19. @gregkh

    sctp: Do not reset the packet during sctp_packet_config().

    Vlad Yasevich authored gregkh committed
    commit 4bdab43 upstream.
    sctp_packet_config() is called when getting the packet ready
    for appending of chunks.  The function should not touch the
    current state, since it's possible to ping-pong between two
    transports when sending, and that can result in packet corruption
    followed by skb overflow crash.
    Reported-by: Thomas Dreibholz <>
    Signed-off-by: Vlad Yasevich <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  20. @gregkh

    Fix unprotected access to task credentials in waitid()

    Daniel J Blueman authored gregkh committed
    commit f362b73 upstream.
    Using a program like the following:
    	#include <signal.h>	/* kill(), SIGSTOP */
    	#include <stdlib.h>
    	#include <unistd.h>
    	#include <sys/types.h>
    	#include <sys/wait.h>
    	int main() {
    		id_t id;
    		siginfo_t infop;
    		pid_t res;
    		id = fork();
    		if (id == 0) { sleep(1); exit(0); }
    		kill(id, SIGSTOP);
    		waitid(P_PID, id, &infop, WCONTINUED);
    		return 0;
    	}
    to call waitid() on a stopped process results in access to the child task's
    credentials without the RCU read lock being held - which may be replaced in the
    meantime - eliciting the following warning:
    	[ INFO: suspicious rcu_dereference_check() usage. ]
    	kernel/exit.c:1460 invoked rcu_dereference_check() without protection!
    	other info that might help us debug this:
    	rcu_scheduler_active = 1, debug_locks = 1
    	2 locks held by waitid02/22252:
    	 #0:  (tasklist_lock){.?.?..}, at: [<ffffffff81061ce5>] do_wait+0xc5/0x310
    	 #1:  (&(&sighand->siglock)->rlock){-.-...}, at: [<ffffffff810611da>]
    	stack backtrace:
    	Pid: 22252, comm: waitid02 Not tainted 2.6.35-323cd+ #3
    	Call Trace:
    	 [<ffffffff81095da4>] lockdep_rcu_dereference+0xa4/0xc0
    	 [<ffffffff81061b31>] wait_consider_task+0xaf1/0xbe0
    	 [<ffffffff81061d15>] do_wait+0xf5/0x310
    	 [<ffffffff810620b6>] sys_waitid+0x86/0x1f0
    	 [<ffffffff8105fce0>] ? child_wait_callback+0x0/0x70
    	 [<ffffffff81003282>] system_call_fastpath+0x16/0x1b
    This is fixed by holding the RCU read lock in wait_task_continued() to ensure
    that the task's current credentials aren't destroyed between us reading the
    cred pointer and us reading the UID from those credentials.
    Furthermore, protect wait_task_stopped() in the same way.
    We don't need to keep holding the RCU read lock once we've read the UID from
    the credentials as holding the RCU read lock doesn't stop the target task from
    changing its creds under us - so the credentials may be outdated immediately
    after we've read the pointer, lock or no lock.
    Signed-off-by: Daniel J Blueman <>
    Signed-off-by: David Howells <>
    Acked-by: Paul E. McKenney <>
    Acked-by: Oleg Nesterov <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  21. @gregkh

    guard page for stacks that grow upwards

    Luck, Tony authored gregkh committed
    commit 8ca3eb0 upstream.
    pa-risc and ia64 have stacks that grow upwards. Check that
    they do not run into other mappings. By making VM_GROWSUP
    0x0 on architectures that do not ever use it, we can avoid
    some unpleasant #ifdefs in check_stack_guard_page().
    Signed-off-by: Tony Luck <>
    Signed-off-by: Linus Torvalds <>
    Cc: dann frazier <>
    Signed-off-by: Greg Kroah-Hartman <>
  22. @gormanm @gregkh

    mm: page allocator: update free page counters after pages are placed …

    gormanm authored gregkh committed
    …on the free list
    commit 72853e2 upstream.
    When allocating a page, the system uses NR_FREE_PAGES counters to
    determine if watermarks would remain intact after the allocation was made.
    This check is made without interrupts disabled or the zone lock held and
    so is race-prone by nature.  Unfortunately, when pages are being freed in
    batch, the counters are updated before the pages are added on the list.
    During this window, the counters are misleading as the pages do not exist
    yet.  When under significant pressure on systems with large numbers of
    CPUs, it's possible for processes to make progress even though they should
    have been stalled.  This is particularly problematic if a number of the
    processes are using GFP_ATOMIC as the min watermark can be accidentally
    breached and in extreme cases, the system can livelock.
    This patch updates the counters after the pages have been added to the
    list.  This makes the allocator more cautious with respect to preserving
    the watermarks and mitigates livelock possibilities.
    [ avoid modifying incoming args]
    Signed-off-by: Mel Gorman <>
    Reviewed-by: Rik van Riel <>
    Reviewed-by: Minchan Kim <>
    Reviewed-by: KAMEZAWA Hiroyuki <>
    Reviewed-by: Christoph Lameter <>
    Reviewed-by: KOSAKI Motohiro <>
    Acked-by: Johannes Weiner <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  23. @gregkh

    mm: page allocator: calculate a better estimate of NR_FREE_PAGES when…

    Christoph Lameter authored gregkh committed
    … memory is low and kswapd is awake
    commit aa45484 upstream.
    Ordinarily watermark checks are based on the vmstat NR_FREE_PAGES as it is
    cheaper than scanning a number of lists.  To avoid synchronization
    overhead, counter deltas are maintained on a per-cpu basis and drained
    both periodically and when the delta is above a threshold.  On large CPU
    systems, the difference between the estimated and real value of
    NR_FREE_PAGES can be very high.  If NR_FREE_PAGES is much higher than
    the number of real free pages in buddy, the VM can allocate pages below min
    watermark, at worst reducing the real number of pages to zero.  Even if
    the OOM killer kills some victim for freeing memory, it may not free
    memory if the exit path requires a new page resulting in livelock.
    This patch introduces a zone_page_state_snapshot() function (courtesy of
    Christoph) that takes a slightly more accurate view of an arbitrary vmstat
    counter.  It is used to read NR_FREE_PAGES while kswapd is awake to avoid
    the watermark being accidentally broken.  The estimate is not perfect and
    may result in cache line bounces but is expected to be lighter than the
    IPI calls necessary to continually drain the per-cpu counters while kswapd
    is awake.
    Signed-off-by: Christoph Lameter <>
    Signed-off-by: Mel Gorman <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  24. @gormanm @gregkh

    mm: page allocator: drain per-cpu lists after direct reclaim allocati…

    gormanm authored gregkh committed
    …on fails
    commit 9ee493c upstream.
    When under significant memory pressure, a process enters direct reclaim
    and immediately afterwards tries to allocate a page.  If it fails and no
    further progress is made, it's possible the system will go OOM.  However,
    on systems with large amounts of memory, it's possible that a significant
    number of pages are on per-cpu lists and inaccessible to the calling
    process.  This leads to a process entering direct reclaim more often than
    it should increasing the pressure on the system and compounding the
    This patch notes that if direct reclaim is making progress but allocations
    are still failing that the system is already under heavy pressure.  In
    this case, it drains the per-cpu lists and tries the allocation a second
    time before continuing.
    Signed-off-by: Mel Gorman <>
    Reviewed-by: Minchan Kim <>
    Reviewed-by: KAMEZAWA Hiroyuki <>
    Reviewed-by: KOSAKI Motohiro <>
    Reviewed-by: Christoph Lameter <>
    Cc: Dave Chinner <>
    Cc: Wu Fengguang <>
    Cc: David Rientjes <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  25. @gregkh

    cxgb3: fix hot plug removal crash

    Divy Le Ray authored gregkh committed
    commit a6f018e upstream.
    queue restart tasklets need to be stopped after napi handlers are stopped
    since the latter can restart them.  So stop them after stopping napi.
    Signed-off-by: Divy Le Ray <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Brandon Philips <>
    Signed-off-by: Greg Kroah-Hartman <>
  26. @noglitch @gregkh

    AT91: change dma resource index

    noglitch authored gregkh committed
    commit 8d2602e upstream.
    Reported-by: Dan Liang <>
    Signed-off-by: Nicolas Ferre <>
    Signed-off-by: Greg Kroah-Hartman <>
  27. @gregkh

    bnx2: Fix hang during rmmod bnx2.

    Michael Chan authored gregkh committed
    commit f048fa9 upstream.
    The regression is caused by:
    commit 4327ba4
        bnx2: Fix netpoll crash.
    If ->open() and ->close() are called multiple times, the same napi structs
    will be added to dev->napi_list multiple times, corrupting the dev->napi_list.
    This causes free_netdev() to hang during rmmod.
    We fix this by calling netif_napi_del() during ->close().
    Also, bnx2_init_napi() must not be in the __devinit section since it is
    called by ->open().
    Signed-off-by: Michael Chan <>
    Signed-off-by: Benjamin Li <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  28. @gregkh

    bnx2: Fix netpoll crash.

    Benjamin Li authored gregkh committed
    commit 4327ba4 upstream.
    The bnx2 driver calls netif_napi_add() for all the NAPI structs during
    ->probe() time but not all of them will be used if we're not in MSI-X
    mode.  This creates a problem for netpoll since it will poll all the
    NAPI structs in the dev_list whether or not they are scheduled, resulting
    in a crash when we access structure fields not initialized for that vector.
    We fix it by moving the netif_napi_add() call to ->open() after the number
    of IRQ vectors has been determined.
    Signed-off-by: Benjamin Li <>
    Signed-off-by: Michael Chan <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  29. @zhang-rui @gregkh

    ACPI: disable _OSI(Windows 2009) on Asus K50IJ

    zhang-rui authored gregkh committed
    commit 81074e9 upstream.
    Fix a win7 compatibility issue on Asus K50IJ.
    Here is the _BCM method of this laptop:
                        Method (_BCM, 1, NotSerialized)
                            If (LGreaterEqual (OSFG, OSVT))
                                If (LNotEqual (OSFG, OSW7))
                                    Store (One, BCMD)
                                    Store (GCBL (Arg0), Local0)
                                    Subtract (0x0F, Local0, LBTN)
                                    ^^^SBRG.EC0.STBR ()
                                    DBGR (0x0B, Zero, Zero, Arg0)
                                    Store (Arg0, LBTN)
                                    ^^^SBRG.EC0.STBR ()
    LBTN is used to store the index of the brightness level in the _BCL.
    GCBL is a method that converts the percentage value to the index value.
    If _OSI(Windows 2009) is not disabled, LBTN is stored a percentage
    value which is surely beyond the end of _BCL package.
    Signed-off-by: Zhang Rui <>
    Signed-off-by: Len Brown <>
    Cc: maximilian attems <>
    Cc: Paolo Ornati <>
    Signed-off-by: Greg Kroah-Hartman <>
  30. @gregkh

    drivers/video/via/ioctl.c: prevent reading uninitialized stack memory

    Dan Rosenberg authored gregkh committed
    commit b4aaa78 upstream.
    The VIAFB_GET_INFO device ioctl allows unprivileged users to read 246
    bytes of uninitialized stack memory, because the "reserved" member of
    the viafb_ioctl_info struct declared on the stack is not altered or
    zeroed before being copied back to the user.  This patch takes care of
    Signed-off-by: Dan Rosenberg <>
    Signed-off-by: Florian Tobias Schandinat <>
    Signed-off-by: Greg Kroah-Hartman <>
  31. @djrbliss @gregkh

    xfs: prevent reading uninitialized stack memory

    djrbliss authored gregkh committed
    commit a122eb2 upstream.
    The XFS_IOC_FSGETXATTR ioctl allows unprivileged users to read 12
    bytes of uninitialized stack memory, because the fsxattr struct
    declared on the stack in xfs_ioc_fsgetxattr() does not alter (or zero)
    the 12-byte fsx_pad member before copying it back to the user.  This
    patch takes care of it.
    Signed-off-by: Dan Rosenberg <>
    Reviewed-by: Eric Sandeen <>
    Signed-off-by: Alex Elder <>
    Cc: dann frazier <>
    Signed-off-by: Greg Kroah-Hartman <>
  32. @gregkh

    KEYS: Fix bug in keyctl_session_to_parent() if parent has no session …

    David Howells authored gregkh committed
    commit 3d96406 upstream.
    Fix a bug in keyctl_session_to_parent() whereby it tries to check the ownership
    of the parent process's session keyring whether or not the parent has a session
    keyring [CVE-2010-2960].
    This results in the following oops:
      BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0
      IP: [<ffffffff811ae4dd>] keyctl_session_to_parent+0x251/0x443
      Call Trace:
       [<ffffffff811ae2f3>] ? keyctl_session_to_parent+0x67/0x443
       [<ffffffff8109d286>] ? __do_fault+0x24b/0x3d0
       [<ffffffff811af98c>] sys_keyctl+0xb4/0xb8
       [<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
    if the parent process has no session keyring.
    If the system is using pam_keyinit then it is mostly protected against this as all
    processes derived from a login will have inherited the session keyring created
    by pam_keyinit during the log in procedure.
    To test this, pam_keyinit calls need to be commented out in /etc/pam.d/.
    Reported-by: Tavis Ormandy <>
    Signed-off-by: David Howells <>
    Acked-by: Tavis Ormandy <>
    Cc: dann frazier <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  33. @gregkh

    KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()

    David Howells authored gregkh committed
    commit 9d1ac65 upstream.
    There's an unprotected access to the parent process's credentials in the middle
    of keyctl_session_to_parent().  This results in the following RCU warning:
      [ INFO: suspicious rcu_dereference_check() usage. ]
      security/keys/keyctl.c:1291 invoked rcu_dereference_check() without protection!
      other info that might help us debug this:
      rcu_scheduler_active = 1, debug_locks = 0
      1 lock held by keyctl-session-/2137:
       #0:  (tasklist_lock){.+.+..}, at: [<ffffffff811ae2ec>] keyctl_session_to_parent+0x60/0x236
      stack backtrace:
      Pid: 2137, comm: keyctl-session- Not tainted 2.6.36-rc2-cachefs+ #1
      Call Trace:
       [<ffffffff8105606a>] lockdep_rcu_dereference+0xaa/0xb3
       [<ffffffff811ae379>] keyctl_session_to_parent+0xed/0x236
       [<ffffffff811af77e>] sys_keyctl+0xb4/0xb6
       [<ffffffff81001eab>] system_call_fastpath+0x16/0x1b
    The code should take the RCU read lock to make sure the parent's credentials
    don't go away, even though it's holding a spinlock and has IRQ disabled.
    Signed-off-by: David Howells <>
    Signed-off-by: Linus Torvalds <>
    Cc: dann frazier <>
    Signed-off-by: Greg Kroah-Hartman <>
  34. @ptesarik @gregkh

    IA64: Optimize ticket spinlocks in fsys_rt_sigprocmask

    ptesarik authored gregkh committed
    commit 2d2b690 upstream.
    Tony's fix (f574c84) has a small bug,
    it incorrectly uses "r3" as a scratch register in the first of the two
    unlock paths ... it is also inefficient.  Optimize the fast path again.
    Signed-off-by: Petr Tesarik <>
    Signed-off-by: Tony Luck <>
    Signed-off-by: Greg Kroah-Hartman <>
  35. @gregkh

    IA64: fix siglock

    Tony Luck authored gregkh committed
    commit f574c84 upstream.
    When ia64 converted to using ticket locks, an inline implementation
    of trylock/unlock in fsys.S was missed.  This was not noticed because
    in most circumstances it simply resulted in using the slow path because
    the siglock was apparently not available (under old spinlock rules).
    Problems occur when the ticket spinlock has value 0x0 (when first
    initialised, or when it wraps around). At this point the fsys.S
    code acquires the lock (changing the 0x0 to 0x1). If another process
    attempts to get the lock at this point, it will change the value from
    0x1 to 0x2 (using new ticket lock rules). Then the fsys.S code will
    free the lock using old spinlock rules by writing 0x0 to it. From
    here a variety of bad things can happen.
    Signed-off-by: Tony Luck <>
    Signed-off-by: Greg Kroah-Hartman <>