linux.git/drivers/char/applicom.c, branch v3.0 Linux kernel source tree drivers/char/applicom.c: fix information leak to userland 2010-10-28T01:03:14+00:00 Vasiliy Kulikov segooon@gmail.com 2010-10-27T22:34:21+00:00 19714a8af8fe8618a9beace1f7a3bb10d55d5e2f Structure st_loc is copied to userland with some fields unitialized. It leads to leaking of stack memory. Signed-off-by: Vasiliy Kulikov <segooon@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
Structure st_loc is copied to userland with some fields unitialized.  It
leads to leaking of stack memory.

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
drivers: autoconvert trivial BKL users to private mutex 2010-10-05T13:01:04+00:00 Arnd Bergmann arnd@arndb.de 2010-06-02T12:28:52+00:00 613655fa39ff6957754fa8ceb8559980920eb8ee All these files use the big kernel lock in a trivial way to serialize their private file operations, typically resulting from an earlier semi-automatic pushdown from VFS. None of these drivers appears to want to lock against other code, and they all use the BKL as the top-level lock in their file operations, meaning that there is no lock-order inversion problem. Consequently, we can remove the BKL completely, replacing it with a per-file mutex in every case. Using a scripted approach means we can avoid typos. These drivers do not seem to be under active maintainance from my brief investigation. Apologies to those maintainers that I have missed. file=$1 name=$2 if grep -q lock_kernel ${file} ; then if grep -q 'include.*linux.mutex.h' ${file} ; then sed -i '/include.*<linux\/smp_lock.h>/d' ${file} else sed -i 's/include.*<linux\/smp_lock.h>.*$/include <linux\/mutex.h>/g' ${file} fi sed -i ${file} \ -e "/^#include.*linux.mutex.h/,$ { 1,/^\(static\|int\|long\)/ { /^\(static\|int\|long\)/istatic DEFINE_MUTEX(${name}_mutex); } }" \ -e "s/\(un\)*lock_kernel\>[ ]*()/mutex_\1lock(\&${name}_mutex)/g" \ -e '/[ ]*cycle_kernel_lock();/d' else sed -i -e '/include.*\<smp_lock.h\>/d' ${file} \ -e '/cycle_kernel_lock()/d' fi Signed-off-by: Arnd Bergmann <arnd@arndb.de> 
All these files use the big kernel lock in a trivial
way to serialize their private file operations,
typically resulting from an earlier semi-automatic
pushdown from VFS.

None of these drivers appears to want to lock against
other code, and they all use the BKL as the top-level
lock in their file operations, meaning that there
is no lock-order inversion problem.

Consequently, we can remove the BKL completely,
replacing it with a per-file mutex in every case.
Using a scripted approach means we can avoid
typos.

These drivers do not seem to be under active
maintainance from my brief investigation. Apologies
to those maintainers that I have missed.

file=$1
name=$2
if grep -q lock_kernel ${file} ; then
    if grep -q 'include.*linux.mutex.h' ${file} ; then
            sed -i '/include.*<linux\/smp_lock.h>/d' ${file}
    else
            sed -i 's/include.*<linux\/smp_lock.h>.*$/include <linux\/mutex.h>/g' ${file}
    fi
    sed -i ${file} \
        -e "/^#include.*linux.mutex.h/,$ {
                1,/^\(static\|int\|long\)/ {
                     /^\(static\|int\|long\)/istatic DEFINE_MUTEX(${name}_mutex);

} }"  \
    -e "s/\(un\)*lock_kernel\>[ ]*()/mutex_\1lock(\&${name}_mutex)/g" \
    -e '/[      ]*cycle_kernel_lock();/d'
else
    sed -i -e '/include.*\<smp_lock.h\>/d' ${file}  \
                -e '/cycle_kernel_lock()/d'
fi

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
drivers/char/applicom.c: use memdup_user 2010-05-27T16:12:50+00:00 Julia Lawall julia@diku.dk 2010-05-26T21:43:56+00:00 f67231f80126f4e08c79c7b2056989c5c89ad4c6 Use memdup_user when user data is immediately copied into the allocated region. The semantic patch that makes this change is as follows: (http://coccinelle.lip6.fr/) // <smpl> @@ expression from,to,size,flag; position p; identifier l1,l2; @@ - to = \(kmalloc@p\|kzalloc@p\)(size,flag); + to = memdup_user(from,size); if ( - to==NULL + IS_ERR(to) || ...) { <+... when != goto l1; - -ENOMEM + PTR_ERR(to) ...+> } - if (copy_from_user(to, from, size) != 0) { - <+... when != goto l2; - -EFAULT - ...+> - } // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
Use memdup_user when user data is immediately copied into the
allocated region.

The semantic patch that makes this change is as follows:
(http://coccinelle.lip6.fr/)

// <smpl>
@@
expression from,to,size,flag;
position p;
identifier l1,l2;
@@

-  to = \(kmalloc@p\|kzalloc@p\)(size,flag);
+  to = memdup_user(from,size);
   if (
-      to==NULL
+      IS_ERR(to)
                 || ...) {
   <+... when != goto l1;
-  -ENOMEM
+  PTR_ERR(to)
   ...+>
   }
-  if (copy_from_user(to, from, size) != 0) {
-    <+... when != goto l2;
-    -EFAULT
-    ...+>
-  }
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
drivers: Push down BKL into various drivers 2010-05-17T03:27:41+00:00 Arnd Bergmann arnd@arndb.de 2010-04-26T22:24:05+00:00 55929332c92e5d34d65a8f784604c92677ea3e15 These are the last remaining device drivers using the ->ioctl file operation in the drivers directory (except from v4l drivers). [fweisbec: drop i8k pushdown as it has been done from procfs pushdown branch already] Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com> 
These are the last remaining device drivers using
the ->ioctl file operation in the drivers directory
(except from v4l drivers).

[fweisbec: drop i8k pushdown as it has been done from
procfs pushdown branch already]

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
tree-wide: Assorted spelling fixes 2010-02-09T10:13:56+00:00 Daniel Mack daniel@caiaq.de 2010-02-03T00:01:28+00:00 3ad2f3fbb961429d2aa627465ae4829758bc7e07 In particular, several occurances of funny versions of 'success', 'unknown', 'therefore', 'acknowledge', 'argument', 'achieve', 'address', 'beginning', 'desirable', 'separate' and 'necessary' are fixed. Signed-off-by: Daniel Mack <daniel@caiaq.de> Cc: Joe Perches <joe@perches.com> Cc: Junio C Hamano <gitster@pobox.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz> 
In particular, several occurances of funny versions of 'success',
'unknown', 'therefore', 'acknowledge', 'argument', 'achieve', 'address',
'beginning', 'desirable', 'separate' and 'necessary' are fixed.

Signed-off-by: Daniel Mack <daniel@caiaq.de>
Cc: Joe Perches <joe@perches.com>
Cc: Junio C Hamano <gitster@pobox.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
headers: remove sched.h from interrupt.h 2009-10-11T18:20:58+00:00 Alexey Dobriyan adobriyan@gmail.com 2009-10-07T13:09:06+00:00 d43c36dc6b357fa1806800f18aa30123c747a6d1 After m68k's task_thread_info() doesn't refer to current, it's possible to remove sched.h from interrupt.h and not break m68k! Many thanks to Heiko Carstens for allowing this. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> 
After m68k's task_thread_info() doesn't refer to current,
it's possible to remove sched.h from interrupt.h and not break m68k!
Many thanks to Heiko Carstens for allowing this.

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
applicom: Auto-load applicom module when device opened. 2009-04-06T21:36:30+00:00 Scott James Remnant scott@canonical.com 2009-04-06T16:32:58+00:00 14f8d3ff3141caa8bf8326381ab8e6ce06c564b8 The applicom module is missing the char-major-10-157 alias that would cause it to be auto-loaded when a device of that type is opened. This patch adds the alias. Signed-off-by: Scott James Remnant <scott@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Alan Cox <alan@lxorguk.ukuu.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
The applicom module is missing the char-major-10-157 alias that would
cause it to be auto-loaded when a device of that type is opened.  This
patch adds the alias.

Signed-off-by: Scott James Remnant <scott@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
applicom.c: fix apparently-broken code in do_ac_read() 2008-10-16T18:21:47+00:00 Andrew Morton akpm@linux-foundation.org 2008-10-16T05:04:18+00:00 bc20589bf1c63e4e8bee57855568458ba303306b The code scriblles over a local pointer whereas it appears to be trying to write to the memory at which that pointer points. Addresses http://bugzilla.kernel.org/show_bug.cgi?id=11397 Nobody we know can test this change. Reported-by: Zvonimir Rakamaric <zrakamar@cs.ubc.ca> Cc: Jesse Barnes <jbarnes@virtuousgeek.org> Cc: David Woodhouse <dwmw2@infradead.org> Cc: Jiri Slaby <jirislaby@gmail.com> Cc: Alan Cox <alan@lxorguk.ukuu.org.uk> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
The code scriblles over a local pointer whereas it appears to be trying
to write to the memory at which that pointer points.

Addresses http://bugzilla.kernel.org/show_bug.cgi?id=11397

Nobody we know can test this change.

Reported-by: Zvonimir Rakamaric <zrakamar@cs.ubc.ca>
Cc: Jesse Barnes <jbarnes@virtuousgeek.org>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Jiri Slaby <jirislaby@gmail.com>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
applicom: Fix an unchecked user ioctl range and an error return 2008-10-13T16:51:44+00:00 Alan Cox alan@redhat.com 2008-10-13T09:45:17+00:00 a7be18d436f0c7007794965e5af29fa1ffff1e05 Closes bug #11408 by checking the card index range for command 0 Fixes the ioctl to return ENOTTY which is correct for unknown ioctls Signed-off-by: Alan Cox <alan@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
Closes bug #11408 by checking the card index range for command 0
Fixes the ioctl to return ENOTTY which is correct for unknown ioctls

Signed-off-by: Alan Cox <alan@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
char serial: switch drivers to ioremap_nocache 2008-04-30T15:29:48+00:00 Alan Cox alan@lxorguk.ukuu.org.uk 2008-04-30T07:54:19+00:00 24cb233520f01971d6d873cb52c64bbbb0665ac0 Simple search/replace except for synclink.c where I noticed a real bug and fixed it too. It was doing NULL + offset, then checking for NULL if the remap failed. Signed-off-by: Alan Cox <alan@redhat.com> Cc: Paul Fulghum <paulkf@microgate.com> Acked-by: Jiri Slaby <jirislaby@gmail.com> Cc: Ingo Molnar <mingo@elte.hu> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
Simple search/replace except for synclink.c where I noticed a real bug and
fixed it too.  It was doing NULL + offset, then checking for NULL if the remap
failed.

Signed-off-by: Alan Cox <alan@redhat.com>
Cc: Paul Fulghum <paulkf@microgate.com>
Acked-by: Jiri Slaby <jirislaby@gmail.com>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>