Age | Commit message | Author
2009-03-24 | firewire: core: remove condition which is always false | Stefan Richter
reread_bus_info_block() only gets to see devices whose config_rom_length is at least 6 (ROM header, bus info block, root directory header). Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-24 | firewire: core: move some functions | Stefan Richter
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-24 | firewire: core: clean up includes | Stefan Richter
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-24 | firewire: cdev: simplify a schedule_delayed_work wrapper | Stefan Richter
The kernel API documentation says that queue_delayed_work() returns 0 (only) if the work was already queued. The return codes of schedule_delayed_work() are not documented but the same. In init_iso_resource(), the work has never been queued yet, hence we can assume schedule_delayed_work() to be a guaranteed success there. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-24 | firewire: cdev: add ioctls for iso resource management, amendment | Stefan Richter
Some fixes:
  - Remove stale documentation.
  - Fix a != vs. == thinko that got in the way of channel management.
  - Try bandwidth deallocation even if channel deallocation failed.

A simplification:
  - fw_cdev_allocate_iso_resource.channels is now ordered like libdc1394's dc1394_iso_allocate_channel() channels_allowed argument.

By the way, I looked closer at cards from NEC, TI, and VIA, and noticed that they all don't implement IEEE 1394a behaviour which is meant to deviate from IEEE 1212's notion of lock compare-swap. This means that we have to do two lock transactions instead of one in many cases where one transaction would already succeed on a fully 1394a compliant IRM.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-24 | firewire: cdev: increment fw_cdev_version, update documentation | Stefan Richter
Necessary due to
    Date: Tue, 22 Jul 2008 23:23:40 -0700
    From: David Moore <dcm@acm.org>
    Subject: firewire: Include iso timestamp in headers when header_size > 4

Side note: The lack of upwards compatibility sounds worse than it is. All existing client implementations, libraw1394 and libdc1394, set header_size = 4. And since the ABI v1 behaviour does not offer any advantages over the new behaviour, we deliberately do not provide the old behaviour anymore.

Also add documentation about the format of fw_cdev_get_cycle_timer which may be used in conjunction with the timestamp of iso packets but has a different format.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-24 | firewire: cdev: shut down iso context before freeing the buffer | Stefan Richter
DMA must be halted before we DMA-unmap and free the DMA buffer. Since we cannot rely on the client to stop the context before it closes the fd, we have to reorder fw_iso_buffer_destroy vs. fw_iso_context_destroy. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-24 | firewire: cdev: replace some spin_lock_irqsave by spin_lock_irq | Stefan Richter
All of these functions are entered with IRQs enabled. Hence the unconditional spin_unlock_irq can be used.

    Function:                    Caller context:
    dequeue_event()              client process, via read(2)
    fill_bus_reset_event()       fw-device.c update workqueue job
    release_client_resource()    client process, via ioctl(2)
    fw_device_op_release()       client process, via close(2)

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-24 | firewire: cdev: extend transaction payload size check | Stefan Richter
Make the size check of ioctl_send_request and ioctl_send_broadcast_request speed dependent. Also change the error return code from -EINVAL to -EIO to distinguish this from other errors concerning the ioctl parameters. Another payload size limit for which we don't check here though is the remote node's Bus_Info_Block.max_rec. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-24 | firewire: cdev: restrict broadcast write requests to Units Space | Stefan Richter
We don't want random users to write to Memory Space (e.g. PCs with physical DMA filters down) or to core CSRs like Reset_Start. This does not protect SBP-2 target CSRs. But properly behaving SBP-2 targets ignore broadcast write requests to these registers, and the maximum damage which can happen with laxer targets is DOS. But there are ways to create DOS situations anyway if there are devices with weak device file permissions (like audio/video devices) present at the same bus as an SBP-2 target. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-24 | firewire: cdev: add ioctl for broadcast write requests | Jay Fenlason, Stefan Richter
Write transactions to the broadcast node ID are a convenient way to trigger functions of multiple nodes at once. IIDC is a protocol which can make use of this if multiple cameras with same command_regs_base are connected at the same bus.

Based on
    Date: Wed, 10 Sep 2008 11:32:16 -0400
    From: Jay Fenlason <fenlason@redhat.com>
    Subject: [patch] SEND_BROADCAST_REQUEST

Changes: ioctl_send_request() and ioctl_send_broadcast_request() now share code. Broadcast speed corrected to S100. Check for proper tcode.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-24 | firewire: cdev: add ioctl to query maximum transmission speed | Stefan Richter
While the speed of asynchronous transactions is automatically chosen by the kernel, the speed of isochronous streams has to be chosen by the initiating client. In case of 1394a bus topologies, the maximum possible speed could be figured out with some effort by evaluation of the remote node's link speed field in the config ROM, the local node's link speed field, and the PHY speeds and topologic information in the local node's or IRM's topology map CSR. However, this does not work in case of 1394b buses. Hence add an ioctl to export the maximum speed which the kernel already determined. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-24 | firewire: cdev: add ioctls for manual iso resource management | Stefan Richter
This adds ioctls for allocation and deallocation of a channel or/and bandwidth without auto-reallocation and without auto-deallocation. The benefit of these ioctls is that libraw1394-style isochronous resource management can be implemented without write access to the IRM's character device file. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-24 | firewire: cdev: add ioctls for isochronous resource management | Jay Fenlason, Stefan Richter
Based on
    Date: Tue, 18 Nov 2008 11:41:27 -0500
    From: Jay Fenlason <fenlason@redhat.com>
    Subject: [Patch V4] Add ISO resource management support
with several changes to the ABI and implementation. Only the part of the ABI which enables auto-reallocation and auto-deallocation is included here.

This implements ioctls for kernel-assisted allocation of isochronous channels and isochronous bandwidth. The benefits are:
  - The client does not have to have write access to the /dev/fw* device corresponding to the IRM.
  - The client does not have to perform reallocation after bus resets.
  - Channel and bandwidth are deallocated by the kernel if the file is closed before the client deallocated the resources. Thus resources are released even if the client crashes.

It is anticipated that future in-kernel code (firewire-core IRM code; the firewire port of firedtv), will use the fw-iso.c portions of this code too.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Tested-by: David Moore <dcm@acm.org>
2009-03-24 | firewire: core: topology header fix | Stefan Richter
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-24 | firewire: cdev: sort includes | Stefan Richter
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-24 | firewire: cdev: unify names of struct types and of their instances | Stefan Richter
to indicate that they are specializations of struct event or of struct client_resource, respectively. struct response was both an event and a client_resource; it is now split into struct outbound_transaction_resource and ~_event in order to document more explicitly which types of client resources exist. struct request and struct_request_event are renamed to struct inbound_transaction_resource and ~_event because requests and responses occur in outbound and in inbound transactions. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-24 | firewire: cdev: reference-count client instances | Stefan Richter
The lifetime of struct client instances must be longer than the lifetime of any client resource. This fixes a possible race between fw_device_op_release and transaction completions. It also prepares for new ioctls for isochronous resource management which will involve delayed processing of client resources. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Reviewed-by: David Moore <dcm@acm.org>
2009-03-24 | firewire: cdev: fix documentation of FW_CDEV_IOC_GET_INFO | Stefan Richter
The FW_CDEV_IOC_GET_INFO ioctl looks at client->device->config_rom, not at the local node's config ROM. We could fix the implementation or the documentation. I believe the way how it is currently implemented is more useful than the way how it is currently documented. In fact, libdc1394 uses the ABI already as implemented, not as documented. Hence let's change the documentation. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-24 | firewire: prevent creation of multiple IR DMA contexts for the same channel | Stefan Richter
OHCI-1394 1.1 clause 10.4.3 says: "If more than one IR DMA context specifies receives for packets from the same isochronous channel, the context destination for that channel's packets is undefined."

Any userspace client and in the future also kernelspace clients can allocate IR DMA contexts for any channel. We don't want them to interfere with each other, hence it is preferable to return -EBUSY if allocation of a second context for a channel is attempted.

Notes:
  - This limitation is OHCI-1394 specific, therefore its proper place of implementation is down in the low-level driver.
  - Since the <linux/firewire-cdev.h> ABI simply maps one userspace iso client context to one hardware iso context, this OHCI-1394 limitation alas requires userspace to implement its own multiplexing of iso reception from the same channel and card to multiple clients when needed.
  - The limitation is independent of channel allocation at the IRM; the latter is really only important for the initiation of iso transmission but not of iso reception.
  - We don't need to do the same for IT DMA because OHCI-1394 does not have any ties between IT contexts and channels. Only the voluntary channel allocation protocol via the IRM, globally to the FireWire bus, can ensure proper isochronous transmit behaviour anyway.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-24 | firewire: cdev: use list_first_entry | Stefan Richter
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-24 | firewire: core: remove unused definitions | Stefan Richter
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-24 | firewire: remove line breaks before function names | Stefan Richter
type function_name(parameters); is nice to look at but was not used consistently. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-24 | firewire: standardize a variable name | Stefan Richter
"ret" is the new "retval". Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-24 | firewire: core: remove obsolete assertions | Stefan Richter
This code never changes. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-24 | firewire: core: remove outdated comment | Stefan Richter
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-24 | firewire: cdev: address handler input validation | Stefan Richter
Like before my commit 1415d9189e8c59aa9c77a3bba419dcea062c145f, fw_core_add_address_handler() does not align the address region now. Instead the caller is required to pass valid parameters. Since one of the callers of fw_core_add_address_handler() is the cdev userspace interface, we now check for valid input. If the client is buggy, we give it a hint with -EINVAL. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-24 | firewire: cdev: use an idr rather than a linked list for resources | Jay Fenlason
The current code uses a linked list and a counter for storing resources and the corresponding handle numbers. By changing to an idr we can be safe from counter wrap-around giving two resources the same handle. Furthermore, the deallocation ioctls now check whether the resource to be freed is of the intended type.

Signed-off-by: Jay Fenlason <fenlason@redhat.com>

Some rework by Stefan R:
  - The idr API documentation says we get an ID within 0...0x7fffffff. Hence we can rest assured that idr handles fit into cdev handles.
  - Fix some races. Add a client->in_shutdown flag for this purpose.
  - Add allocation retry to add_client_resource().
  - It is possible to use idr_for_each() in fw_device_op_release().
  - Fix ioctl_send_response() regression.
  - Small style changes.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-24 | firewire: cdev: fix race of fw_device_op_release with bus reset | Stefan Richter
Unlink the client from the fw_device earlier in order to prevent bus reset events being added to client->event_list during shutdown. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-24 | firewire: cdev: tcodes input validation | Stefan Richter
The behaviour of fw-transaction.c::fw_send_request is ill-defined for any other tcodes than read/ write/ lock request tcodes. Therefore prevent requests with wrong tcodes from entering the transaction layer. Maybe fw_send_request should check them itself, but I am not inclined to change it and fw_fill_request from void-valued functions to ones which return error codes and pass those up. Besides, maybe fw_send_request is going to support one more tcode than ioctl_send_request in the future (TCODE_STREAM_DATA). Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-24 | firewire: cdev: documentation fixlet | Stefan Richter
Reported-by: Jay Fenlason <fenlason@redhat.com> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-24 | firewire: convert client_list_lock to mutex | Stefan Richter
So far it is only taken in non-atomic contexts. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-24 | firewire: add a client_list_lock | Jay Fenlason
This adds a client_list_lock, which only protects the device's client_list, so that future versions of the driver can call code that takes the card->lock while holding the client_list_lock. Adding this lock is much simpler than adding __ versions of all the functions that the future version may need. The one ordering issue is to make sure code never takes the client_list_lock with card->lock held. Since client_list_lock is only used in three places, that isn't hard. Signed-off-by: Jay Fenlason <fenlason@redhat.com> Update fill_bus_reset_event() accordingly. Include linux/spinlock.h. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-24 | firewire: Include iso timestamp in headers when header_size > 4 | David Moore
Previously, when an iso context had header_size > 4, the iso header (len/tag/channel/tcode/sy) was passed to userspace followed by quadlets stripped from the payload. This patch changes the behavior: header_size = 8 now passes the header quadlet followed by the timestamp quadlet. When header_size > 8, quadlets are stripped from the payload. The header_size = 4 case remains identical. Since this alters the semantics of the API, the firewire API version needs to be bumped concurrently with this change. This change also refactors the header copying code slightly to be much easier to read. Signed-off-by: David Moore <dcm@acm.org> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2009-03-23 | Linux 2.6.29 | Linus Torvalds
2009-03-23 | Build with -fno-dwarf2-cfi-asm | Kyle McMartin
With a sufficiently new compiler and binutils, code which wasn't previously generating .eh_frame sections has begun to. Certain architectures (powerpc, in this case) may generate unexpected relocation formats in response to this, preventing modules from loading. While the new relocation types should probably be handled, revert to the previous behaviour with regards to generation of .eh_frame sections. (This was reported against Fedora, which appears to be the only distro doing any building against gcc-4.4 at present: RH bz#486545.) Signed-off-by: Kyle McMartin <kyle@redhat.com> Acked-by: Roland McGrath <roland@redhat.com> Cc: Alexandre Oliva <aoliva@redhat.com> Cc: Sam Ravnborg <sam@ravnborg.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-03-23 | trivial: fix orphan dates in ext2 documentation | Jody McIntyre
Revert the change to the orphan dates of Windows 95, DOS, compression. Add a new orphan date for OS/2. Signed-off-by: Jody McIntyre <scjody@sun.com> Acked-by: Pavel Machek <pavel@ucw.cz> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-03-23 | Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 | Linus Torvalds
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (32 commits)
  ucc_geth: Fix oops when using fixed-link support
  dm9000: locking bugfix
  net: update dnet.c for bus_id removal
  dnet: DNET should depend on HAS_IOMEM
  dca: add missing copyright/license headers
  nl80211: Check that function pointer != NULL before using it
  sungem: missing net_device_ops
  be2net: fix to restore vlan ids into BE2 during a IF DOWN->UP cycle
  be2net: replenish when posting to rx-queue is starved in out of mem conditions
  bas_gigaset: correctly allocate USB interrupt transfer buffer
  smsc911x: reset last known duplex and carrier on open
  sh_eth: Fix mistake of the address of SH7763
  sh_eth: Change handling of IRQ
  netns: oops in ip[6]_frag_reasm incrementing stats
  net: kfree(napi->skb) => kfree_skb
  net: fix sctp breakage
  ipv6: fix display of local and remote sit endpoints
  net: Document /proc/sys/net/core/netdev_budget
  tulip: fix crash on iface up with shirq debug
  virtio_net: Make virtio_net support carrier detection
  ...
2009-03-23 | Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-2.6 | Linus Torvalds
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-2.6:
  sparc64: Fix crash with /proc/iomem
  sparc64: Reschedule KGDB capture to a software interrupt.
  sbus: Auto-load openprom module when device opened.
2009-03-23 | fix ptrace slowness | Miklos Szeredi
This patch fixes bug #12208:

    Bug-Entry : http://bugzilla.kernel.org/show_bug.cgi?id=12208
    Subject   : uml is very slow on 2.6.28 host

This turned out to be not a scheduler regression, but an already existing problem in ptrace being triggered by subtle scheduler changes.

The problem is this:
  - task A is ptracing task B
  - task B stops on a trace event
  - task A is woken up and preempts task B
  - task A calls ptrace on task B, which does ptrace_check_attach()
  - this calls wait_task_inactive(), which sees that task B is still on the runq
  - task A goes to sleep for a jiffy
  - ...

Since UML does lots of the above sequences, those jiffies quickly add up to make it slow as hell.

This patch solves this by not rescheduling in read_unlock() after ptrace_stop() has woken up the tracer.

Thanks to Oleg Nesterov and Ingo Molnar for the feedback.

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
CC: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-03-23 | Merge branch 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/galak/powerpc | Linus Torvalds
* 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/galak/powerpc:
  powerpc/mm: Fix Respect _PAGE_COHERENT on classic ppc32 SW TLB load machines
2009-03-23 | powerpc/mm: Fix Respect _PAGE_COHERENT on classic ppc32 SW TLB load machines | Kumar Gala
Grant picked up the wrong version of "Respect _PAGE_COHERENT on classic ppc32 SW" (commit a4bd6a93c3f14691c8a29e53eb04dc734b27f0db) It was missing the code to actually deal with the fixup of _PAGE_COHERENT based on the CPU feature. Signed-off-by: Kumar Gala <galak@kernel.crashing.org>
2009-03-22 | ucc_geth: Fix oops when using fixed-link support | Anton Vorontsov
commit b1c4a9dddf09fe99b8f88252718ac5b357363dc4 ("ucc_geth: Change uec phy id to the same format as gianfar's") introduced a regression in the ucc_geth driver that causes this oops when fixed-link is used:

    Unable to handle kernel paging request for data at address 0x00000000
    Faulting instruction address: 0xc0151270
    Oops: Kernel access of bad area, sig: 11 [#1]
    TMCUTU
    NIP: c0151270 LR: c0151270 CTR: c0017760
    REGS: cf81fa60 TRAP: 0300 Not tainted (2.6.29-rc8)
    MSR: 00009032 <EE,ME,IR,DR> CR: 24024042 XER: 20000000
    DAR: 00000000, DSISR: 20000000
    TASK = cf81cba0[1] 'swapper' THREAD: cf81e000
    GPR00: c0151270 cf81fb10 cf81cba0 00000000 c0272e20 c025f354 00001e80 cf86b08c
    GPR08: d1068200 cffffb74 06000000 d106c200 42024042 10085148 0fffd000 0ffc81a0
    GPR16: 00000001 00000001 00000000 007ffeb0 00000000 0000c000 cf83f36c cf83f000
    GPR24: 00000030 cf83f360 cf81fb20 00000000 d106c200 20000000 00001e80 cf83f360
    NIP [c0151270] ucc_geth_open+0x330/0x1efc
    LR [c0151270] ucc_geth_open+0x330/0x1efc
    Call Trace:
    [cf81fb10] [c0151270] ucc_geth_open+0x330/0x1efc (unreliable)
    [cf81fba0] [c0187638] dev_open+0xbc/0x12c
    [cf81fbc0] [c0187e38] dev_change_flags+0x8c/0x1b0

This patch fixes the issue by removing offending (and somewhat duplicate) code from init_phy() routine, and changes _probe() function to use uec_mdio_bus_name().

Also, since we fully construct phy_bus_id in the _probe() routine, we no longer need ->phy_address and ->mdio_bus fields in ucc_geth_info structure.

I wish the patch would be a bit shorter, but it seems like the only way to fix the issue in a sane way. Luckily, the patch has been tested with real PHYs and fixed-link, so no further regressions expected.

Reported-by: Joakim Tjernlund <Joakim.Tjernlund@transmode.se>
Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com>
Tested-by: Joakim Tjernlund <Joakim.Tjernlund@transmode.se>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-03-22 | dm9000: locking bugfix | David Brownell
This fixes a locking bug in the dm9000 driver. It calls request_irq() without setting IRQF_DISABLED ... which is correct for handlers that support IRQ sharing, since that behavior is not guaranteed for shared IRQs. However, its IRQ handler then wrongly assumes that IRQs are blocked. So the fix just uses the right spinlock primitives in the IRQ handler. NOTE: this is a classic example of the type of bug which lockdep currently masks by forcibly setting IRQF_DISABLED on IRQ handlers that did not request that flag. Signed-off-by: David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-03-22 | net: update dnet.c for bus_id removal | Stephen Rothwell
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-03-22 | Merge git://git.kernel.org/pub/scm/linux/kernel/git/sam/kbuild-fixes | Linus Torvalds
* git://git.kernel.org/pub/scm/linux/kernel/git/sam/kbuild-fixes:
  kconfig: improve seed in randconfig
  kconfig: fix randconfig for choice blocks
2009-03-22 | Merge branch 'fix-includes' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu | Linus Torvalds
* 'fix-includes' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu:
  m68k: merge the non-MMU and MMU versions of siginfo.h
  m68k: use the MMU version of unistd.h for all m68k platforms
  m68k: merge the non-MMU and MMU versions of signal.h
  m68k: merge the non-MMU and MMU versions of ptrace.h
  m68k: use MMU version of setup.h for both MMU and non-MMU
  m68k: merge the non-MMU and MMU versions of sigcontext.h
  m68k: merge the non-MMU and MMU versions of swab.h
  m68k: merge the non-MMU and MMU versions of param.h
2009-03-22 | Update my email address | Gertjan van Wingerde
Update all previous incarnations of my email address to the correct one. Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-03-22 | eCryptfs: NULL crypt_stat dereference during lookup | Tyler Hicks
If ecryptfs_encrypted_view or ecryptfs_xattr_metadata were being specified as mount options, a NULL pointer dereference of crypt_stat was possible during lookup. This patch moves the crypt_stat assignment into ecryptfs_lookup_and_interpose_lower(), ensuring that crypt_stat will not be NULL before we attempt to dereference it. Thanks to Dan Carpenter and his static analysis tool, smatch, for finding this bug. Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com> Acked-by: Dustin Kirkland <kirkland@canonical.com> Cc: Dan Carpenter <error27@gmail.com> Cc: Serge Hallyn <serue@us.ibm.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-03-22 | eCryptfs: Allocate a variable number of pages for file headers | Tyler Hicks
When allocating the memory used to store the eCryptfs header contents, a single, zeroed page was being allocated with get_zeroed_page(). However, the size of an eCryptfs header is either PAGE_CACHE_SIZE or ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is stored in the file's private_data->crypt_stat->num_header_bytes_at_front field. ecryptfs_write_metadata_to_contents() was using num_header_bytes_at_front to decide how many bytes should be written to the lower filesystem for the file header. Unfortunately, at least 8K was being written from the page, despite the chance of the single, zeroed page being smaller than 8K. This resulted in random areas of kernel memory being written between the 0x1000 and 0x1FFF bytes offsets in the eCryptfs file headers if PAGE_SIZE was 4K. This patch allocates a variable number of pages, calculated with num_header_bytes_at_front, and passes the number of allocated pages along to ecryptfs_write_metadata_to_contents(). Thanks to Florian Streibelt for reporting the data leak and working with me to find the problem. 2.6.28 is the only kernel release with this vulnerability. Corresponds to CVE-2009-0787 Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com> Acked-by: Dustin Kirkland <kirkland@canonical.com> Reviewed-by: Eric Sandeen <sandeen@redhat.com> Reviewed-by: Eugene Teo <eugeneteo@kernel.sg> Cc: Greg KH <greg@kroah.com> Cc: dann frazier <dannf@dannf.org> Cc: Serge E. Hallyn <serue@us.ibm.com> Cc: Florian Streibelt <florian@f-streibelt.de> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>