<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/git/stable/linux.git/fs/proc, branch linux-2.6.29.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<id>https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/atom?h=linux-2.6.29.y</id>
<link rel='self' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/atom?h=linux-2.6.29.y'/>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/'/>
<updated>2009-05-08T22:45:11+00:00</updated>
<entry>
<title>mm: fix Committed_AS underflow on large NR_CPUS environment</title>
<updated>2009-05-08T22:45:11+00:00</updated>
<author>
<name>KOSAKI Motohiro</name>
<email>kosaki.motohiro@jp.fujitsu.com</email>
</author>
<published>2009-04-28T20:48:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=28441fac78d703b12b649eaf285576646a9f8b8f'/>
<id>urn:sha1:28441fac78d703b12b649eaf285576646a9f8b8f</id>
<content type='text'>
commit 00a62ce91e554198ef28234c91c36f850f5a3bc9 upstream

The Committed_AS field can underflow in certain situations:

&gt;         # while true; do cat /proc/meminfo  | grep _AS; sleep 1; done | uniq -c
&gt;               1 Committed_AS: 18446744073709323392 kB
&gt;              11 Committed_AS: 18446744073709455488 kB
&gt;               6 Committed_AS:    35136 kB
&gt;               5 Committed_AS: 18446744073709454400 kB
&gt;               7 Committed_AS:    35904 kB
&gt;               3 Committed_AS: 18446744073709453248 kB
&gt;               2 Committed_AS:    34752 kB
&gt;               9 Committed_AS: 18446744073709453248 kB
&gt;               8 Committed_AS:    34752 kB
&gt;               3 Committed_AS: 18446744073709320960 kB
&gt;               7 Committed_AS: 18446744073709454080 kB
&gt;               3 Committed_AS: 18446744073709320960 kB
&gt;               5 Committed_AS: 18446744073709454080 kB
&gt;               6 Committed_AS: 18446744073709320960 kB

Because NR_CPUS can be greater than 1000 and meminfo_proc_show() does
not check for underflow.

But NR_CPUS proportional isn't good calculation.  In general,
possibility of lock contention is proportional to the number of online
cpus, not theorical maximum cpus (NR_CPUS).

The current kernel has generic percpu-counter stuff.  using it is right
way.  it makes code simplify and percpu_counter_read_positive() don't
make underflow issue.

Reported-by: Dave Hansen &lt;dave@linux.vnet.ibm.com&gt;
Signed-off-by: KOSAKI Motohiro &lt;kosaki.motohiro@jp.fujitsu.com&gt;
Cc: Eric B Munson &lt;ebmunson@us.ibm.com&gt;
Cc: Mel Gorman &lt;mel@csn.ul.ie&gt;
Cc: Christoph Lameter &lt;cl@linux-foundation.org&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>proc: avoid information leaks to non-privileged processes</title>
<updated>2009-05-08T22:45:09+00:00</updated>
<author>
<name>Jake Edge</name>
<email>jake@lwn.net</email>
</author>
<published>2009-05-04T18:51:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=334ed22054b2ec8477e4409e214fc139cf937ef6'/>
<id>urn:sha1:334ed22054b2ec8477e4409e214fc139cf937ef6</id>
<content type='text'>
commit f83ce3e6b02d5e48b3a43b001390e2b58820389d upstream.

By using the same test as is used for /proc/pid/maps and /proc/pid/smaps,
only allow processes that can ptrace() a given process to see information
that might be used to bypass address space layout randomization (ASLR).
These include eip, esp, wchan, and start_stack in /proc/pid/stat as well
as the non-symbolic output from /proc/pid/wchan.

ASLR can be bypassed by sampling eip as shown by the proof-of-concept
code at http://code.google.com/p/fuzzyaslr/ As part of a presentation
(http://www.cr0.org/paper/to-jt-linux-alsr-leak.pdf) esp and wchan were
also noted as possibly usable information leaks as well.  The
start_stack address also leaks potentially useful information.

Cc: Stable Team &lt;stable@kernel.org&gt;
Signed-off-by: Jake Edge &lt;jake@lwn.net&gt;
Acked-by: Arjan van de Ven &lt;arjan@linux.intel.com&gt;
Acked-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>New locking/refcounting for fs_struct</title>
<updated>2009-05-08T22:45:08+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2009-03-30T11:20:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=d093166dbab62418c468481891cdfbc70e3c73f9'/>
<id>urn:sha1:d093166dbab62418c468481891cdfbc70e3c73f9</id>
<content type='text'>
commit 498052bba55ecaff58db6a1436b0e25bfd75a7ff upstream.

* all changes of current-&gt;fs are done under task_lock and write_lock of
  old fs-&gt;lock
* refcount is not atomic anymore (same protection)
* its decrements are done when removing reference from current; at the
  same time we decide whether to free it.
* put_fs_struct() is gone
* new field - -&gt;in_exec.  Set by check_unsafe_exec() if we are trying to do
  execve() and only subthreads share fs_struct.  Cleared when finishing exec
  (success and failure alike).  Makes CLONE_FS fail with -EAGAIN if set.
* check_unsafe_exec() may fail with -EAGAIN if another execve() from subthread
  is in progress.

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>fix setuid sometimes wouldn't</title>
<updated>2009-05-08T22:45:06+00:00</updated>
<author>
<name>Hugh Dickins</name>
<email>hugh@veritas.com</email>
</author>
<published>2009-03-28T23:21:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6560e7a44e83e8dd111c64e3ed77ad08d2550e23'/>
<id>urn:sha1:6560e7a44e83e8dd111c64e3ed77ad08d2550e23</id>
<content type='text'>
commit 7c2c7d993044cddc5010f6f429b100c63bc7dffb upstream.

check_unsafe_exec() also notes whether the fs_struct is being
shared by more threads than will get killed by the exec, and if so
sets LSM_UNSAFE_SHARE to make bprm_set_creds() careful about euid.
But /proc/&lt;pid&gt;/cwd and /proc/&lt;pid&gt;/root lookups make transient
use of get_fs_struct(), which also raises that sharing count.

This might occasionally cause a setuid program not to change euid,
in the same way as happened with files-&gt;count (check_unsafe_exec
also looks at sighand-&gt;count, but /proc doesn't raise that one).

We'd prefer exec not to unshare fs_struct: so fix this in procfs,
replacing get_fs_struct() by get_fs_path(), which does path_get
while still holding task_lock, instead of raising fs-&gt;count.

Signed-off-by: Hugh Dickins &lt;hugh@veritas.com&gt;
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>pagemap: require aligned-length, non-null reads of /proc/pid/pagemap</title>
<updated>2009-05-08T22:45:04+00:00</updated>
<author>
<name>Vitaly Mayatskikh</name>
<email>v.mayatskih@gmail.com</email>
</author>
<published>2009-04-30T22:08:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=55a45cd2439a976ad1441db695b9a7c045d2dc0d'/>
<id>urn:sha1:55a45cd2439a976ad1441db695b9a7c045d2dc0d</id>
<content type='text'>
commit 0816178638c15ce5472d39d771a96860dff4141a upstream.

The intention of commit aae8679b0ebcaa92f99c1c3cb0cd651594a43915
("pagemap: fix bug in add_to_pagemap, require aligned-length reads of
/proc/pid/pagemap") was to force reads of /proc/pid/pagemap to be a
multiple of 8 bytes, but now it allows to read 0 bytes, which actually
puts some data to user's buffer.  According to POSIX, if count is zero,
read() should return zero and has no other results.

Signed-off-by: Vitaly Mayatskikh &lt;v.mayatskih@gmail.com&gt;
Cc: Thomas Tuttle &lt;ttuttle@google.com&gt;
Acked-by: Matt Mackall &lt;mpm@selenic.com&gt;
Cc: Alexey Dobriyan &lt;adobriyan@gmail.com&gt;
Cc: &lt;stable@kernel.org&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>Avoid 64-bit "switch()" statements on 32-bit architectures</title>
<updated>2009-03-17T17:02:35+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2009-03-17T17:02:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=ee568b25ee9e160b32d1aef73d8b2ee9c05d34db'/>
<id>urn:sha1:ee568b25ee9e160b32d1aef73d8b2ee9c05d34db</id>
<content type='text'>
Commit ee6f779b9e0851e2f7da292a9f58e0095edf615a ("filp-&gt;f_pos not
correctly updated in proc_task_readdir") changed the proc code to use
filp-&gt;f_pos directly, rather than through a temporary variable.  In the
process, that caused the operations to be done on the full 64 bits, even
though the offset is never that big.

That's all fine and dandy per se, but for some unfathomable reason gcc
generates absolutely horrid code when using 64-bit values in switch()
statements.  To the point of actually calling out to gcc helper
functions like __cmpdi2 rather than just doing the trivial comparisons
directly the way gcc does for normal compares.  At which point we get
link failures, because we really don't want to support that kind of
crazy code.

Fix this by just casting the f_pos value to "unsigned long", which
is plenty big enough for /proc, and avoids the gcc code generation issue.

Reported-by: Alexey Dobriyan &lt;adobriyan@gmail.com&gt;
Cc: Zhang Le &lt;r0bertz@gentoo.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
<entry>
<title>filp-&gt;f_pos not correctly updated in proc_task_readdir</title>
<updated>2009-03-16T14:51:33+00:00</updated>
<author>
<name>Zhang Le</name>
<email>r0bertz@gentoo.org</email>
</author>
<published>2009-03-16T06:44:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=ee6f779b9e0851e2f7da292a9f58e0095edf615a'/>
<id>urn:sha1:ee6f779b9e0851e2f7da292a9f58e0095edf615a</id>
<content type='text'>
filp-&gt;f_pos only get updated at the end of the function. Thus d_off of those
dirents who are in the middle will be 0, and this will cause a problem in
glibc's readdir implementation, specifically endless loop. Because when overflow
occurs, f_pos will be set to next dirent to read, however it will be 0, unless
the next one is the last one. So it will start over again and again.

There is a sample program in man 2 gendents. This is the output of the program
running on a multithread program's task dir before this patch is applied:

  $ ./a.out /proc/3807/task
  --------------- nread=128 ---------------
  i-node#  file type  d_reclen  d_off   d_name
    506442  directory    16          1  .
    506441  directory    16          0  ..
    506443  directory    16          0  3807
    506444  directory    16          0  3809
    506445  directory    16          0  3812
    506446  directory    16          0  3861
    506447  directory    16          0  3862
    506448  directory    16          8  3863

This is the output after this patch is applied

  $ ./a.out /proc/3807/task
  --------------- nread=128 ---------------
  i-node#  file type  d_reclen  d_off   d_name
    506442  directory    16          1  .
    506441  directory    16          2  ..
    506443  directory    16          3  3807
    506444  directory    16          4  3809
    506445  directory    16          5  3812
    506446  directory    16          6  3861
    506447  directory    16          7  3862
    506448  directory    16          8  3863

Signed-off-by: Zhang Le &lt;r0bertz@gentoo.org&gt;
Acked-by: Al Viro &lt;viro@ZenIV.linux.org.uk&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
<entry>
<title>proc: fix kflags to uflags copying in /proc/kpageflags</title>
<updated>2009-03-11T14:43:33+00:00</updated>
<author>
<name>Wu Fengguang</name>
<email>fengguang.wu@intel.com</email>
</author>
<published>2009-03-11T01:00:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=ad3bdefe877afb47480418fdb05ecd42842de65e'/>
<id>urn:sha1:ad3bdefe877afb47480418fdb05ecd42842de65e</id>
<content type='text'>
Fix kpf_copy_bit(src,dst) to be kpf_copy_bit(dst,src) to match the
actual call patterns, e.g. kpf_copy_bit(kflags, KPF_LOCKED, PG_locked).

This misplacement of src/dst only affected reporting of PG_writeback,
PG_reclaim and PG_buddy. For others kflags==uflags so not affected.

Signed-off-by: Wu Fengguang &lt;fengguang.wu@intel.com&gt;
Reviewed-by: KOSAKI Motohiro &lt;kosaki.motohiro@jp.fujitsu.com&gt;
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
<entry>
<title>proc: fix PG_locked reporting in /proc/kpageflags</title>
<updated>2009-02-24T18:17:58+00:00</updated>
<author>
<name>Helge Bahmann</name>
<email>helge.bahmann@secunet.com</email>
</author>
<published>2009-02-20T13:24:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e07a4b9217d1e97d2f3a62b6b070efdc61212110'/>
<id>urn:sha1:e07a4b9217d1e97d2f3a62b6b070efdc61212110</id>
<content type='text'>
Expr always evaluates to zero.

Cc: Matt Mackall &lt;mpm@selenic.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Alexey Dobriyan &lt;adobriyan@gmail.com&gt;
</content>
</entry>
<entry>
<title>proc: proc_get_inode should de_put when inode already initialized</title>
<updated>2009-02-24T02:25:32+00:00</updated>
<author>
<name>Krzysztof Sachanowicz</name>
<email>analyzer1@gmail.com</email>
</author>
<published>2009-02-23T21:21:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=cac711211a039ae2e2dc6322ffb3c2279d093bf1'/>
<id>urn:sha1:cac711211a039ae2e2dc6322ffb3c2279d093bf1</id>
<content type='text'>
de_get is called before every proc_get_inode, but corresponding de_put is
called only when dropping last reference to an inode. This might cause
something like
remove_proc_entry: /proc/stats busy, count=14496
to be printed to the syslog.

The fix is to call de_put in case of an already initialized inode in
proc_get_inode.

Signed-off-by: Krzysztof Sachanowicz &lt;analyzer1@gmail.com&gt;
Tested-by: Marcin Pilipczuk &lt;marcin.pilipczuk@gmail.com&gt;
Acked-by: Al Viro &lt;viro@ZenIV.linux.org.uk&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
</feed>
