Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=linux-2.6.36.y 2010-12-09T21:32:37+00:00 2010-12-09T21:32:37+00:00 Vasiliy Kulikov segooon@gmail.com 2010-10-30T14:22:49+00:00 urn:sha1:f3aa864b00bbcd49327d7911f8c39a65e51e2ca9 commit 3af54c9bd9e6f14f896aac1bb0e8405ae0bc7a44 upstream. The shmid_ds structure is copied to userland with shm_unused{,2,3} fields unitialized. It leads to leaking of contents of kernel stack memory. Signed-off-by: Vasiliy Kulikov <segooon@gmail.com> Acked-by: Al Viro <viro@ZenIV.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2010-05-28T02:05:02+00:00 Christoph Hellwig hch@lst.de 2010-05-26T15:53:25+00:00 urn:sha1:7ea8085910ef3dd4f3cad6845aaa2b580d39b115 Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2010-03-12T23:52:39+00:00 Jiri Slaby jslaby@suse.cz 2010-03-10T23:23:05+00:00 urn:sha1:f1eb1332b8f07e937add24c6fd2ac40b8737a2f4 Make sure compiler won't do weird things with limits. E.g. fetching them twice may return 2 different values after writable limits are implemented. I.e. either use rlimit helpers added in 3e10e716abf3c71bdb5d86b8f507f9e72236c9cd ("resource: add helpers for fetching rlimits") or ACCESS_ONCE if not applicable. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2010-01-16T20:15:39+00:00 David Howells dhowells@redhat.com 2010-01-16T01:01:32+00:00 urn:sha1:ed5e5894b234ce4793d78078c026915b853e0678 Commit c4caa778157dbbf04116f0ac2111e389b5cd7a29 ("file ->get_unmapped_area() shouldn't duplicate work of get_unmapped_area()") broke SYSV SHM for NOMMU by taking away the pointer to shm_get_unmapped_area() from shm_file_operations. Put it back conditionally on CONFIG_MMU=n. file->f_ops->get_unmapped_area() is used to find out the base address for a mapping of a mappable chardev device or mappable memory-based file (such as a ramfs file). It needs to be called prior to file->f_ops->mmap() being called. Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Al Viro <viro@zeniv.linux.org.uk> Cc: Greg Ungerer <gerg@snapgear.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2009-12-16T20:04:02+00:00 Linus Torvalds torvalds@linux-foundation.org 2009-12-16T20:04:02+00:00 urn:sha1:bac5e54c29f352d962a2447d22735316b347b9f1 * 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6: (38 commits) direct I/O fallback sync simplification ocfs: stop using do_sync_mapping_range cleanup blockdev_direct_IO locking make generic_acl slightly more generic sanitize xattr handler prototypes libfs: move EXPORT_SYMBOL for d_alloc_name vfs: force reval of target when following LAST_BIND symlinks (try #7) ima: limit imbalance msg Untangling ima mess, part 3: kill dead code in ima Untangling ima mess, part 2: deal with counters Untangling ima mess, part 1: alloc_file() O_TRUNC open shouldn't fail after file truncation ima: call ima_inode_free ima_inode_free IMA: clean up the IMA counts updating code ima: only insert at inode creation time ima: valid return code from ima_inode_alloc fs: move get_empty_filp() deffinition to internal.h Sanitize exec_permission_lite() Kill cached_lookup() and real_lookup() Kill path_lookup_open() ... Trivial conflicts in fs/direct-io.c 2009-12-16T17:16:47+00:00 Al Viro viro@zeniv.linux.org.uk 2009-12-16T09:53:03+00:00 urn:sha1:0552f879d45cecc35d8e372a591fc5ed863bca58 There are 2 groups of alloc_file() callers: * ones that are followed by ima_counts_get * ones giving non-regular files So let's pull that ima_counts_get() into alloc_file(); it's a no-op in case of non-regular files. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2009-12-16T17:16:42+00:00 Al Viro viro@zeniv.linux.org.uk 2009-08-08T20:52:35+00:00 urn:sha1:2c48b9c45579a9b5e3e74694eebf3d2451f3dbd3 ... and have the caller grab both mnt and dentry; kill leak in infiniband, while we are at it. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2009-12-16T15:20:09+00:00 Serge E. Hallyn serue@us.ibm.com 2009-12-16T00:47:27+00:00 urn:sha1:7d6feeb287c61aafa88f06345387b1188edf4b86 We have apparently had a memory leak since 7ca7e564e049d8b350ec9d958ff25eaa24226352 "ipc: store ipcs into IDRs" in 2007. The idr of which 3 exist for each ipc namespace is never freed. This patch simply frees them when the ipcns is freed. I don't believe any idr_remove() are done from rcu (and could therefore be delayed until after this idr_destroy()), so the patch should be safe. Some quick testing showed no harm, and the memory leak fixed. Caught by kmemleak. Signed-off-by: Serge E. Hallyn <serue@us.ibm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2009-12-11T11:34:09+00:00 Al Viro viro@zeniv.linux.org.uk 2009-11-30T13:38:43+00:00 urn:sha1:c4caa778157dbbf04116f0ac2111e389b5cd7a29 ... we should call mm ->get_unmapped_area() instead and let our caller do the final checks. Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2009-09-27T18:39:25+00:00 Alexey Dobriyan adobriyan@gmail.com 2009-09-27T18:29:37+00:00 urn:sha1:f0f37e2f77731b3473fa6bd5ee53255d9a9cdb40 * mark struct vm_area_struct::vm_ops as const * mark vm_ops in AGP code But leave TTM code alone, something is fishy there with global vm_ops being used. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>