Topic Text   Topic Comments (0)   Topic Properties   Topic Information merblich@aer...
Topic title: cve hardeing for 16 Thursday August 27, 2015 21:04:39

Download topic text | View in monospace font | Tab width set to 8 (change to 4)

Files in topic:  
[Jump to] /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/arch/powerpc/kernel/signal_32.c,v  1.1.1.1   {+1,-0}
[Jump to] /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/arch/powerpc/kernel/vdso.c,v  1.1.1.1   {+1,-1}
[Jump to] /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/drivers/connector/connector.c,v  1.1.1.1   {+18,-0}
[Jump to] /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/drivers/net/r8169.c,v  1.1.1.1   {+2,-2}
[Jump to] /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/fs/namei.c,v  1.1.1.1   {+21,-4}
[Jump to] /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/fs/namespace.c,v  1.1.1.1   {+4,-0}
[Jump to] /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/fs/open.c,v  1.1.1.1   {+5,-0}
[Jump to] /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/fs/pipe.c,v  1.1.1.1   {+62,-30}
[Jump to] /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/fs/proc/base.c,v  1.1.1.1.188.1   {+4,-2}
[Jump to] /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/fs/sysfs/file.c,v  1.1.1.1   {+1,-1}
[Jump to] /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/include/linux/connector.h,v  1.1.1.1   {+6,-0}
[Jump to] /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/include/linux/fs.h,v  1.4   {+2,-1}
[Jump to] /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/include/linux/sysctl.h,v  1.1.1.1.260.1   {+1,-0}
[Jump to] /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/ipc/compat.c,v  1.1.1.1   {+6,-0}
[Jump to] /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/ipc/compat_mq.c,v  1.1.1.1   {+5,-0}
[Jump to] /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/ipc/sem.c,v  1.3   {+2,-0}
[Jump to] /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/ipc/shm.c,v  1.3   {+7,-1}
[Jump to] /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/kernel/fork.c,v  1.4.80.1   {+7,-2}
[Jump to] /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/kernel/module.c,v  1.12.106.1   {+2,-2}
[Jump to] /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/kernel/signal.c,v  1.1.1.1   {+30,-0}
[Jump to] /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/kernel/sys.c,v  1.8.50.1   {+11,-9}
[Jump to] /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/kernel/sysctl.c,v  1.1.1.1.260.1.24.1   {+18,-0}
[Jump to] /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/mm/filemap.c,v  1.3   {+26,-8}
[Jump to] /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/mm/memory.c,v  1.1.1.1   {+13,-4}
[Jump to] /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/net/ipv6/ipv6_sockglue.c,v  1.2   {+14,-7}
[Jump to] /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/net/ipv6/sit.c,v  1.2   {+2,-1}
[Jump to] /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/net/packet/af_packet.c,v  1.2.68.3.72.1   {+2,-1}
[Jump to] /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/net/socket.c,v  1.1.1.1   {+1,-0}
[Jump to] /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/net/tipc/socket.c,v  1.1.1.1   {+3,-1}
[Jump to] /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/security/keys/key.c,v  1.1.1.1   {+1,-0}
[Jump to] /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/security/keys/keyring.c,v  1.1.1.1   {+12,-0}

[Add General Comment] to topic.

File /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/arch/powerpc/kernel/signal_32.c,v (Revision 1.1.1.1) [Add File Comment] [Top] [>>]
static int handle_rt_signal(unsigned lon static int handle_rt_signal(unsigned lon
 
Line 761 Line 761
761 goto badframe; 761 goto badframe;
762 regs->link = current->thread.vdso_base + vdso32_rt_sigtramp; 762 regs->link = current->thread.vdso_base + vdso32_rt_sigtramp;
763 } else { 763 } else {
764 if (save_user_regs(regs, frame, __NR_rt_sigreturn)) 764 if (save_user_regs(regs, frame, __NR_rt_sigreturn))
765 goto badframe; 765 goto badframe;
766 regs->link = (unsigned long) frame->tramp; 766 regs->link = (unsigned long) frame->tramp;
767 } 767 }
768 768
769 current->thread.fpscr.val = 0; /* turn off all fp exceptions */ 769 current->thread.fpscr.val = 0; /* turn off all fp exceptions */
770 770
771 if (put_user(regs->gpr[1], (u32 __user *)newsp)) 771 if (put_user(regs->gpr[1], (u32 __user *)newsp))
772 goto badframe; 772 goto badframe;
773 regs->gpr[1] = newsp; 773 regs->gpr[1] = newsp;
774 regs->gpr[3] = sig; 774 regs->gpr[3] = sig;
775 regs->gpr[4] = (unsigned long) &rt_sf->info; 775 regs->gpr[4] = (unsigned long) &rt_sf->info;
776 regs->gpr[5] = (unsigned long) &rt_sf->uc; 776 regs->gpr[5] = (unsigned long) &rt_sf->uc;
777 regs->gpr[6] = (unsigned long) rt_sf; 777 regs->gpr[6] = (unsigned long) rt_sf;
778 regs->nip = (unsigned long) ka->sa.sa_handler; 778 regs->nip = (unsigned long) ka->sa.sa_handler;
779 regs->trap = 0; 779 regs->trap = 0;
780 return 1; 780 return 1;
781 781
782 badframe: 782 badframe:
783 #ifdef DEBUG_SIG 783 #ifdef DEBUG_SIG
784 printk("badframe in handle_rt_signal, regs=%p frame=%p newsp=%lx\n", 784 printk("badframe in handle_rt_signal, regs=%p frame=%p newsp=%lx\n",
785 regs, frame, newsp); 785 regs, frame, newsp);
786 #endif 786 #endif
787 force_sigsegv(sig, current); 787 force_sigsegv(sig, current);
788 return 0; 788 return 0;
789 } 789 }
790 790
791 /* cve-2006-2448 */
791 static int do_setcontext(struct ucontext __user *ucp, struct pt_regs *regs, int sig) 792 static int do_setcontext(struct ucontext __user *ucp, struct pt_regs *regs, int sig)
792 { 793 {
793 sigset_t set; 794 sigset_t set;
794 struct mcontext __user *mcp; 795 struct mcontext __user *mcp;
795 796
796 if (get_sigset_t(&set, &ucp->uc_sigmask)) 797 if (get_sigset_t(&set, &ucp->uc_sigmask))
797 return -EFAULT; 798 return -EFAULT;
798 #ifdef CONFIG_PPC64 799 #ifdef CONFIG_PPC64
799 { 800 {
800 u32 cmcp; 801 u32 cmcp;
801 802
802 if (__get_user(cmcp, &ucp->uc_regs)) 803 if (__get_user(cmcp, &ucp->uc_regs))
803 return -EFAULT; 804 return -EFAULT;
804 mcp = (struct mcontext __user *)(u64)cmcp; 805 mcp = (struct mcontext __user *)(u64)cmcp;
805 /* no need to check access_ok(mcp), since mcp < 4GB */ 806 /* no need to check access_ok(mcp), since mcp < 4GB */
806 } 807 }
807 #else 808 #else
808 if (__get_user(mcp, &ucp->uc_regs)) 809 if (__get_user(mcp, &ucp->uc_regs))
809 return -EFAULT; 810 return -EFAULT;
810 if (!access_ok(VERIFY_READ, mcp, sizeof(*mcp))) 811 if (!access_ok(VERIFY_READ, mcp, sizeof(*mcp)))
811 return -EFAULT; 812 return -EFAULT;
812 #endif 813 #endif
813 restore_sigmask(&set); 814 restore_sigmask(&set);
814 if (restore_user_regs(regs, mcp, sig)) 815 if (restore_user_regs(regs, mcp, sig))
815 return -EFAULT; 816 return -EFAULT;
816 817
817 return 0; 818 return 0;
818 } 819 }
819 820
820 long sys_swapcontext(struct ucontext __user *old_ctx, 821 long sys_swapcontext(struct ucontext __user *old_ctx,
 
File /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/arch/powerpc/kernel/vdso.c,v (Revision 1.1.1.1) [Add File Comment] [<<] [Top] [>>]
static struct vdso_patch_def vdso_patche static struct vdso_patch_def vdso_patche
 
Line 99 Line 99
99 99
100 /* 100 /*
101 * Some infos carried around for each of them during parsing at 101 * Some infos carried around for each of them during parsing at
102 * boot time. 102 * boot time.
103 */ 103 */
104 struct lib32_elfinfo 104 struct lib32_elfinfo
105 { 105 {
106 Elf32_Ehdr *hdr; /* ptr to ELF */ 106 Elf32_Ehdr *hdr; /* ptr to ELF */
107 Elf32_Sym *dynsym; /* ptr to .dynsym section */ 107 Elf32_Sym *dynsym; /* ptr to .dynsym section */
108 unsigned long dynsymsize; /* size of .dynsym section */ 108 unsigned long dynsymsize; /* size of .dynsym section */
109 char *dynstr; /* ptr to .dynstr section */ 109 char *dynstr; /* ptr to .dynstr section */
110 unsigned long text; /* offset of .text section in .so */ 110 unsigned long text; /* offset of .text section in .so */
111 }; 111 };
112 112
113 struct lib64_elfinfo 113 struct lib64_elfinfo
114 { 114 {
115 Elf64_Ehdr *hdr; 115 Elf64_Ehdr *hdr;
116 Elf64_Sym *dynsym; 116 Elf64_Sym *dynsym;
117 unsigned long dynsymsize; 117 unsigned long dynsymsize;
118 char *dynstr; 118 char *dynstr;
119 unsigned long text; 119 unsigned long text;
120 }; 120 };
121 121
122 122
123 #ifdef __DEBUG 123 #ifdef __DEBUG
124 static void dump_one_vdso_page(struct page *pg, struct page *upg) 124 static void dump_one_vdso_page(struct page *pg, struct page *upg)
125 { 125 {
126 printk("kpg: %p (c:%d,f:%08lx)", __va(page_to_pfn(pg) << PAGE_SHIFT), 126 printk("kpg: %p (c:%d,f:%08lx)", __va(page_to_pfn(pg) << PAGE_SHIFT),
127 page_count(pg), 127 page_count(pg),
128 pg->flags); 128 pg->flags);
129 if (upg/* && pg != upg*/) { 129 if (upg && !IS_ERR(upg) /* && pg != upg*/) { /* cve-2008-2372 */
130 printk(" upg: %p (c:%d,f:%08lx)", __va(page_to_pfn(upg) 130 printk(" upg: %p (c:%d,f:%08lx)", __va(page_to_pfn(upg)
131 << PAGE_SHIFT), 131 << PAGE_SHIFT),
132 page_count(upg), 132 page_count(upg),
133 upg->flags); 133 upg->flags);
134 } 134 }
135 printk("\n"); 135 printk("\n");
136 } 136 }
137 137
138 static void dump_vdso_pages(struct vm_area_struct * vma) 138 static void dump_vdso_pages(struct vm_area_struct * vma)
139 { 139 {
140 int i; 140 int i;
141 141
142 if (!vma || test_thread_flag(TIF_32BIT)) { 142 if (!vma || test_thread_flag(TIF_32BIT)) {
143 printk("vDSO32 @ %016lx:\n", (unsigned long)vdso32_kbase); 143 printk("vDSO32 @ %016lx:\n", (unsigned long)vdso32_kbase);
144 for (i=0; i<vdso32_pages; i++) { 144 for (i=0; i<vdso32_pages; i++) {
145 struct page *pg = virt_to_page(vdso32_kbase + 145 struct page *pg = virt_to_page(vdso32_kbase +
146 i*PAGE_SIZE); 146 i*PAGE_SIZE);
147 struct page *upg = (vma && vma->vm_mm) ? 147 struct page *upg = (vma && vma->vm_mm) ?
148 follow_page(vma, vma->vm_start + i*PAGE_SIZE, 0) 148 follow_page(vma, vma->vm_start + i*PAGE_SIZE, 0)
149 : NULL; 149 : NULL;
150 dump_one_vdso_page(pg, upg); 150 dump_one_vdso_page(pg, upg);
151 } 151 }
152 } 152 }
153 if (!vma || !test_thread_flag(TIF_32BIT)) { 153 if (!vma || !test_thread_flag(TIF_32BIT)) {
154 printk("vDSO64 @ %016lx:\n", (unsigned long)vdso64_kbase); 154 printk("vDSO64 @ %016lx:\n", (unsigned long)vdso64_kbase);
155 for (i=0; i<vdso64_pages; i++) { 155 for (i=0; i<vdso64_pages; i++) {
156 struct page *pg = virt_to_page(vdso64_kbase + 156 struct page *pg = virt_to_page(vdso64_kbase +
157 i*PAGE_SIZE); 157 i*PAGE_SIZE);
158 struct page *upg = (vma && vma->vm_mm) ? 158 struct page *upg = (vma && vma->vm_mm) ?
159 follow_page(vma, vma->vm_start + i*PAGE_SIZE, 0) 159 follow_page(vma, vma->vm_start + i*PAGE_SIZE, 0)
 
File /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/drivers/connector/connector.c,v (Revision 1.1.1.1) [Add File Comment] [<<] [Top] [>>]
 
Line 6 Line 6
6 * 6 *
7 * This program is free software; you can redistribute it and/or modify 7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by 8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or 9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version. 10 * (at your option) any later version.
11 * 11 *
12 * This program is distributed in the hope that it will be useful, 12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details. 15 * GNU General Public License for more details.
16 * 16 *
17 * You should have received a copy of the GNU General Public License 17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software 18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20 */ 20 */
21 21
22 #include <linux/kernel.h> 22 #include <linux/kernel.h>
23 #include <linux/module.h> 23 #include <linux/module.h>
24 #include <linux/list.h> 24 #include <linux/list.h>
25 #include <linux/skbuff.h> 25 #include <linux/skbuff.h>
26 #include <linux/netlink.h> 26 #include <linux/netlink.h>
27 #include <linux/moduleparam.h> 27 #include <linux/moduleparam.h>
28 #include <linux/connector.h> 28 #include <linux/connector.h>
29 29
30 #include <net/sock.h> 30 #include <net/sock.h>
31 31
32 MODULE_LICENSE("GPL"); 32 MODULE_LICENSE("GPL");
33 MODULE_AUTHOR("Evgeniy Polyakov <johnpol@2ka.mipt.ru>"); 33 MODULE_AUTHOR("Evgeniy Polyakov <johnpol@2ka.mipt.ru>");
34 MODULE_DESCRIPTION("Generic userspace <-> kernelspace connector."); 34 MODULE_DESCRIPTION("Generic userspace <-> kernelspace connector.");
35 35
36 /* cve-2010-0410 : Delete buggy notification code */
37 /* AH : temp use a #ifdef NOTIF_XXX for review */
38
39 #ifdef NOTIF_XXX
36 static u32 cn_idx = CN_IDX_CONNECTOR; 40 static u32 cn_idx = CN_IDX_CONNECTOR;
37 static u32 cn_val = CN_VAL_CONNECTOR; 41 static u32 cn_val = CN_VAL_CONNECTOR;
38 42
39 module_param(cn_idx, uint, 0); 43 module_param(cn_idx, uint, 0);
40 module_param(cn_val, uint, 0); 44 module_param(cn_val, uint, 0);
41 MODULE_PARM_DESC(cn_idx, "Connector's main device idx."); 45 MODULE_PARM_DESC(cn_idx, "Connector's main device idx.");
42 MODULE_PARM_DESC(cn_val, "Connector's main device val."); 46 MODULE_PARM_DESC(cn_val, "Connector's main device val.");
43 47
44 static DECLARE_MUTEX(notify_lock); 48 static DECLARE_MUTEX(notify_lock);
45 static LIST_HEAD(notify_list); 49 static LIST_HEAD(notify_list);
50 #endif
46 51
47 static struct cn_dev cdev; 52 static struct cn_dev cdev;
48 53
49 int cn_already_initialized = 0; 54 int cn_already_initialized = 0;
50 55
51 /* 56 /*
52 * msg->seq and msg->ack are used to determine message genealogy. 57 * msg->seq and msg->ack are used to determine message genealogy.
53 * When someone sends message it puts there locally unique sequence 58 * When someone sends message it puts there locally unique sequence
54 * and random acknowledge numbers. Sequence number may be copied into 59 * and random acknowledge numbers. Sequence number may be copied into
55 * nlmsghdr->nlmsg_seq too. 60 * nlmsghdr->nlmsg_seq too.
56 * 61 *
57 * Sequence number is incremented with each message to be sent. 62 * Sequence number is incremented with each message to be sent.
58 * 63 *
59 * If we expect reply to our message then the sequence number in 64 * If we expect reply to our message then the sequence number in
60 * received message MUST be the same as in original message, and 65 * received message MUST be the same as in original message, and
61 * acknowledge number MUST be the same + 1. 66 * acknowledge number MUST be the same + 1.
62 * 67 *
63 * If we receive a message and its sequence number is not equal to the 68 * If we receive a message and its sequence number is not equal to the
64 * one we are expecting then it is a new message. 69 * one we are expecting then it is a new message.
65 * 70 *
66 * If we receive a message and its sequence number is the same as one 71 * If we receive a message and its sequence number is the same as one
67 * we are expecting but it's acknowledgement number is not equal to 72 * we are expecting but it's acknowledgement number is not equal to
68 * the acknowledgement number in the original message + 1, then it is 73 * the acknowledgement number in the original message + 1, then it is
69 * a new message. 74 * a new message.
70 * 75 *
71 */ 76 */
72 int cn_netlink_send(struct cn_msg *msg, u32 __group, gfp_t gfp_mask) 77 int cn_netlink_send(struct cn_msg *msg, u32 __group, gfp_t gfp_mask)
73 { 78 {
74 struct cn_callback_entry *__cbq; 79 struct cn_callback_entry *__cbq;
75 unsigned int size; 80 unsigned int size;
 
 
Line 220 Line 225
220 nlh->nlmsg_len > CONNECTOR_MAX_MSG_SIZE) { 225 nlh->nlmsg_len > CONNECTOR_MAX_MSG_SIZE) {
221 kfree_skb(skb); 226 kfree_skb(skb);
222 goto out; 227 goto out;
223 } 228 }
224 229
225 len = NLMSG_ALIGN(nlh->nlmsg_len); 230 len = NLMSG_ALIGN(nlh->nlmsg_len);
226 if (len > skb->len) 231 if (len > skb->len)
227 len = skb->len; 232 len = skb->len;
228 233
229 err = __cn_rx_skb(skb, nlh); 234 err = __cn_rx_skb(skb, nlh);
230 if (err < 0) 235 if (err < 0)
231 kfree_skb(skb); 236 kfree_skb(skb);
232 } 237 }
233 238
234 out: 239 out:
235 kfree_skb(__skb); 240 kfree_skb(__skb);
236 } 241 }
237 242
238 /* 243 /*
239 * Netlink socket input callback - dequeues the skbs and calls the 244 * Netlink socket input callback - dequeues the skbs and calls the
240 * main netlink receiving function. 245 * main netlink receiving function.
241 */ 246 */
242 static void cn_input(struct sock *sk, int len) 247 static void cn_input(struct sock *sk, int len)
243 { 248 {
244 struct sk_buff *skb; 249 struct sk_buff *skb;
245 250
246 while ((skb = skb_dequeue(&sk->sk_receive_queue)) != NULL) 251 while ((skb = skb_dequeue(&sk->sk_receive_queue)) != NULL)
247 cn_rx_skb(skb); 252 cn_rx_skb(skb);
248 } 253 }
249 254
255 #ifdef NOTIF_XXX
250 /* 256 /*
251 * Notification routing. 257 * Notification routing.
252 * 258 *
253 * Gets id and checks if there are notification request for it's idx 259 * Gets id and checks if there are notification request for it's idx
254 * and val. If there are such requests notify the listeners with the 260 * and val. If there are such requests notify the listeners with the
255 * given notify event. 261 * given notify event.
256 * 262 *
257 */ 263 */
258 static void cn_notify(struct cb_id *id, u32 notify_event) 264 static void cn_notify(struct cb_id *id, u32 notify_event)
259 { 265 {
260 struct cn_ctl_entry *ent; 266 struct cn_ctl_entry *ent;
261 267
262 down(&notify_lock); 268 down(&notify_lock);
263 list_for_each_entry(ent, &notify_list, notify_entry) { 269 list_for_each_entry(ent, &notify_list, notify_entry) {
264 int i; 270 int i;
265 struct cn_notify_req *req; 271 struct cn_notify_req *req;
266 struct cn_ctl_msg *ctl = ent->msg; 272 struct cn_ctl_msg *ctl = ent->msg;
267 int idx_found, val_found; 273 int idx_found, val_found;
268 274
269 idx_found = val_found = 0; 275 idx_found = val_found = 0;
270 276
271 req = (struct cn_notify_req *)ctl->data; 277 req = (struct cn_notify_req *)ctl->data;
272 for (i = 0; i < ctl->idx_notify_num; ++i, ++req) { 278 for (i = 0; i < ctl->idx_notify_num; ++i, ++req) {
273 if (id->idx >= req->first && 279 if (id->idx >= req->first &&
274 id->idx < req->first + req->range) { 280 id->idx < req->first + req->range) {
275 idx_found = 1; 281 idx_found = 1;
276 break; 282 break;
277 } 283 }
278 } 284 }
279 285
280 for (i = 0; i < ctl->val_notify_num; ++i, ++req) { 286 for (i = 0; i < ctl->val_notify_num; ++i, ++req) {
281 if (id->val >= req->first && 287 if (id->val >= req->first &&
282 id->val < req->first + req->range) { 288 id->val < req->first + req->range) {
283 val_found = 1; 289 val_found = 1;
284 break; 290 break;
285 } 291 }
286 } 292 }
287 293
288 if (idx_found && val_found) { 294 if (idx_found && val_found) {
289 struct cn_msg m = { .ack = notify_event, }; 295 struct cn_msg m = { .ack = notify_event, };
290 296
291 memcpy(&m.id, id, sizeof(m.id)); 297 memcpy(&m.id, id, sizeof(m.id));
292 cn_netlink_send(&m, ctl->group, GFP_KERNEL); 298 cn_netlink_send(&m, ctl->group, GFP_KERNEL);
293 } 299 }
294 } 300 }
295 up(&notify_lock); 301 up(&notify_lock);
296 } 302 }
303 #endif
297 304
298 /* 305 /*
299 * Callback add routing - adds callback with given ID and name. 306 * Callback add routing - adds callback with given ID and name.
300 * If there is registered callback with the same ID it will not be added. 307 * If there is registered callback with the same ID it will not be added.
301 * 308 *
302 * May sleep. 309 * May sleep.
303 */ 310 */
304 int cn_add_callback(struct cb_id *id, char *name, void (*callback)(void *)) 311 int cn_add_callback(struct cb_id *id, char *name, void (*callback)(void *))
305 { 312 {
306 int err; 313 int err;
307 struct cn_dev *dev = &cdev; 314 struct cn_dev *dev = &cdev;
308 315
309 err = cn_queue_add_callback(dev->cbdev, name, id, callback); 316 err = cn_queue_add_callback(dev->cbdev, name, id, callback);
310 if (err) 317 if (err)
311 return err; 318 return err;
312 319
320 #ifdef NOTIF_XXX
313 cn_notify(id, 0); 321 cn_notify(id, 0);
322 #endif
314 323
315 return 0; 324 return 0;
316 } 325 }
317 326
318 /* 327 /*
319 * Callback remove routing - removes callback 328 * Callback remove routing - removes callback
320 * with given ID. 329 * with given ID.
321 * If there is no registered callback with given 330 * If there is no registered callback with given
322 * ID nothing happens. 331 * ID nothing happens.
323 * 332 *
324 * May sleep while waiting for reference counter to become zero. 333 * May sleep while waiting for reference counter to become zero.
325 */ 334 */
326 void cn_del_callback(struct cb_id *id) 335 void cn_del_callback(struct cb_id *id)
327 { 336 {
328 struct cn_dev *dev = &cdev; 337 struct cn_dev *dev = &cdev;
329 338
330 cn_queue_del_callback(dev->cbdev, id); 339 cn_queue_del_callback(dev->cbdev, id);
331 cn_notify(id, 1); 340 cn_notify(id, 1);
332 } 341 }
333 342
343 #ifdef NOTIF_XXX
334 /* 344 /*
335 * Checks two connector's control messages to be the same. 345 * Checks two connector's control messages to be the same.
336 * Returns 1 if they are the same or if the first one is corrupted. 346 * Returns 1 if they are the same or if the first one is corrupted.
337 */ 347 */
338 static int cn_ctl_msg_equals(struct cn_ctl_msg *m1, struct cn_ctl_msg *m2) 348 static int cn_ctl_msg_equals(struct cn_ctl_msg *m1, struct cn_ctl_msg *m2)
339 { 349 {
340 int i; 350 int i;
341 struct cn_notify_req *req1, *req2; 351 struct cn_notify_req *req1, *req2;
342 352
343 if (m1->idx_notify_num != m2->idx_notify_num) 353 if (m1->idx_notify_num != m2->idx_notify_num)
344 return 0; 354 return 0;
345 355
346 if (m1->val_notify_num != m2->val_notify_num) 356 if (m1->val_notify_num != m2->val_notify_num)
347 return 0; 357 return 0;
348 358
349 if (m1->len != m2->len) 359 if (m1->len != m2->len)
350 return 0; 360 return 0;
351 361
352 if ((m1->idx_notify_num + m1->val_notify_num) * sizeof(*req1) != 362 if ((m1->idx_notify_num + m1->val_notify_num) * sizeof(*req1) !=
353 m1->len) 363 m1->len)
354 return 1; 364 return 1;
355 365
356 req1 = (struct cn_notify_req *)m1->data; 366 req1 = (struct cn_notify_req *)m1->data;
357 req2 = (struct cn_notify_req *)m2->data; 367 req2 = (struct cn_notify_req *)m2->data;
358 368
359 for (i = 0; i < m1->idx_notify_num; ++i) { 369 for (i = 0; i < m1->idx_notify_num; ++i) {
360 if (req1->first != req2->first || req1->range != req2->range) 370 if (req1->first != req2->first || req1->range != req2->range)
361 return 0; 371 return 0;
362 req1++; 372 req1++;
363 req2++; 373 req2++;
 
 
Line 405 Line 415
405 */ 415 */
406 if (ctl->group == 0) { 416 if (ctl->group == 0) {
407 struct cn_ctl_entry *n; 417 struct cn_ctl_entry *n;
408 418
409 down(&notify_lock); 419 down(&notify_lock);
410 list_for_each_entry_safe(ent, n, &notify_list, notify_entry) { 420 list_for_each_entry_safe(ent, n, &notify_list, notify_entry) {
411 if (cn_ctl_msg_equals(ent->msg, ctl)) { 421 if (cn_ctl_msg_equals(ent->msg, ctl)) {
412 list_del(&ent->notify_entry); 422 list_del(&ent->notify_entry);
413 kfree(ent); 423 kfree(ent);
414 } 424 }
415 } 425 }
416 up(&notify_lock); 426 up(&notify_lock);
417 427
418 return; 428 return;
419 } 429 }
420 430
421 size += sizeof(*ent); 431 size += sizeof(*ent);
422 432
423 ent = kzalloc(size, GFP_KERNEL); 433 ent = kzalloc(size, GFP_KERNEL);
424 if (!ent) 434 if (!ent)
425 return; 435 return;
426 436
427 ent->msg = (struct cn_ctl_msg *)(ent + 1); 437 ent->msg = (struct cn_ctl_msg *)(ent + 1);
428 438
429 memcpy(ent->msg, ctl, size - sizeof(*ent)); 439 memcpy(ent->msg, ctl, size - sizeof(*ent));
430 440
431 down(&notify_lock); 441 down(&notify_lock);
432 list_add(&ent->notify_entry, &notify_list); 442 list_add(&ent->notify_entry, &notify_list);
433 up(&notify_lock); 443 up(&notify_lock);
434 } 444 }
445 #endif
435 446
436 static int __init cn_init(void) 447 static int __init cn_init(void)
437 { 448 {
438 struct cn_dev *dev = &cdev; 449 struct cn_dev *dev = &cdev;
439 int err; 450 int err;
440 451
441 dev->input = cn_input; 452 dev->input = cn_input;
453 #ifdef NOTIF_XXX
442 dev->id.idx = cn_idx; 454 dev->id.idx = cn_idx;
443 dev->id.val = cn_val; 455 dev->id.val = cn_val;
456 #endif
444 457
445 dev->nls = netlink_kernel_create(NETLINK_CONNECTOR, 458 dev->nls = netlink_kernel_create(NETLINK_CONNECTOR,
446 CN_NETLINK_USERS + 0xf, 459 CN_NETLINK_USERS + 0xf,
447 dev->input, THIS_MODULE); 460 dev->input, THIS_MODULE);
448 if (!dev->nls) 461 if (!dev->nls)
449 return -EIO; 462 return -EIO;
450 463
451 dev->cbdev = cn_queue_alloc_dev("cqueue", dev->nls); 464 dev->cbdev = cn_queue_alloc_dev("cqueue", dev->nls);
452 if (!dev->cbdev) { 465 if (!dev->cbdev) {
453 if (dev->nls->sk_socket) 466 if (dev->nls->sk_socket)
454 sock_release(dev->nls->sk_socket); 467 sock_release(dev->nls->sk_socket);
455 return -EINVAL; 468 return -EINVAL;
456 } 469 }
457 470
471 #ifdef NOTIF_XXX
458 err = cn_add_callback(&dev->id, "connector", &cn_callback); 472 err = cn_add_callback(&dev->id, "connector", &cn_callback);
459 if (err) { 473 if (err) {
460 cn_queue_free_dev(dev->cbdev); 474 cn_queue_free_dev(dev->cbdev);
461 if (dev->nls->sk_socket) 475 if (dev->nls->sk_socket)
462 sock_release(dev->nls->sk_socket); 476 sock_release(dev->nls->sk_socket);
463 return -EINVAL; 477 return -EINVAL;
464 } 478 }
479 #endif
465 480
466 cn_already_initialized = 1; 481 cn_already_initialized = 1;
467 482
468 return 0; 483 return 0;
469 } 484 }
470 485
471 static void __exit cn_fini(void) 486 static void __exit cn_fini(void)
472 { 487 {
473 struct cn_dev *dev = &cdev; 488 struct cn_dev *dev = &cdev;
474 489
475 cn_already_initialized = 0; 490 cn_already_initialized = 0;
476 491
492
493 #ifdef NOTIF_XXX
477 cn_del_callback(&dev->id); 494 cn_del_callback(&dev->id);
495 #endif
478 cn_queue_free_dev(dev->cbdev); 496 cn_queue_free_dev(dev->cbdev);
479 if (dev->nls->sk_socket) 497 if (dev->nls->sk_socket)
480 sock_release(dev->nls->sk_socket); 498 sock_release(dev->nls->sk_socket);
481 } 499 }
482 500
483 module_init(cn_init); 501 module_init(cn_init);
484 module_exit(cn_fini); 502 module_exit(cn_fini);
485 503
486 EXPORT_SYMBOL_GPL(cn_add_callback); 504 EXPORT_SYMBOL_GPL(cn_add_callback);
487 EXPORT_SYMBOL_GPL(cn_del_callback); 505 EXPORT_SYMBOL_GPL(cn_del_callback);
488 EXPORT_SYMBOL_GPL(cn_netlink_send); 506 EXPORT_SYMBOL_GPL(cn_netlink_send);
 
File /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/drivers/net/r8169.c,v (Revision 1.1.1.1) [Add File Comment] [<<] [Top] [>>]
VERSION 2.2LK <2005/01/25> VERSION 2.2LK <2005/01/25>
 
Line 99 Line 99
99 99
100 #ifdef CONFIG_R8169_NAPI 100 #ifdef CONFIG_R8169_NAPI
101 #define rtl8169_rx_skb netif_receive_skb 101 #define rtl8169_rx_skb netif_receive_skb
102 #define rtl8169_rx_hwaccel_skb vlan_hwaccel_receive_skb 102 #define rtl8169_rx_hwaccel_skb vlan_hwaccel_receive_skb
103 #define rtl8169_rx_quota(count, quota) min(count, quota) 103 #define rtl8169_rx_quota(count, quota) min(count, quota)
104 #else 104 #else
105 #define rtl8169_rx_skb netif_rx 105 #define rtl8169_rx_skb netif_rx
106 #define rtl8169_rx_hwaccel_skb vlan_hwaccel_rx 106 #define rtl8169_rx_hwaccel_skb vlan_hwaccel_rx
107 #define rtl8169_rx_quota(count, quota) count 107 #define rtl8169_rx_quota(count, quota) count
108 #endif 108 #endif
109 109
110 /* media options */ 110 /* media options */
111 #define MAX_UNITS 8 111 #define MAX_UNITS 8
112 static int media[MAX_UNITS] = { -1, -1, -1, -1, -1, -1, -1, -1 }; 112 static int media[MAX_UNITS] = { -1, -1, -1, -1, -1, -1, -1, -1 };
113 static int num_media = 0; 113 static int num_media = 0;
114 114
115 /* Maximum events (Rx packets, etc.) to handle at each interrupt. */ 115 /* Maximum events (Rx packets, etc.) to handle at each interrupt. */
116 static int max_interrupt_work = 20; 116 static int max_interrupt_work = 20;
117 117
118 /* Maximum number of multicast addresses to filter (vs. Rx-all-multicast). 118 /* Maximum number of multicast addresses to filter (vs. Rx-all-multicast).
119 The RTL chips use a 64 element hash table based on the Ethernet CRC. */ 119 The RTL chips use a 64 element hash table based on the Ethernet CRC. */
120 static int multicast_filter_limit = 32; 120 static int multicast_filter_limit = 32;
121 121
122 /* MAC address length */ 122 /* MAC address length */
123 #define MAC_ADDR_LEN 6 123 #define MAC_ADDR_LEN 6
124 124
125 #define RX_FIFO_THRESH 7 /* 7 means NO threshold, Rx buffer level before first PCI xfer. */ 125 #define RX_FIFO_THRESH 7 /* 7 means NO threshold, Rx buffer level before first PCI xfer. */
126 #define RX_DMA_BURST 6 /* Maximum PCI burst, '6' is 1024 */ 126 #define RX_DMA_BURST 6 /* Maximum PCI burst, '6' is 1024 */
127 #define TX_DMA_BURST 6 /* Maximum PCI burst, '6' is 1024 */ 127 #define TX_DMA_BURST 6 /* Maximum PCI burst, '6' is 1024 */
128 #define EarlyTxThld 0x3F /* 0x3F means NO early transmit */ 128 #define EarlyTxThld 0x3F /* 0x3F means NO early transmit */
129 #define RxPacketMaxSize 0x3FE8 /* 16K - 1 - ETH_HLEN - VLAN - CRC... */ 129 #define RxPacketMaxSize 0x3FE8 /* 16K - 1 - ETH_HLEN - VLAN - CRC... /*cve-2009-1389 */
130 #define SafeMtu 0x1c20 /* ... actually life sucks beyond ~7k */ 130 #define SafeMtu 0x1c20 /* ... actually life sucks beyond ~7k */
131 #define InterFrameGap 0x03 /* 3 means InterFrameGap = the shortest one */ 131 #define InterFrameGap 0x03 /* 3 means InterFrameGap = the shortest one */
132 132
133 #define R8169_REGS_SIZE 256 133 #define R8169_REGS_SIZE 256
134 #define R8169_NAPI_WEIGHT 64 134 #define R8169_NAPI_WEIGHT 64
135 #define NUM_TX_DESC 64 /* Number of Tx descriptor registers */ 135 #define NUM_TX_DESC 64 /* Number of Tx descriptor registers */
136 #define NUM_RX_DESC 256 /* Number of Rx descriptor registers */ 136 #define NUM_RX_DESC 256 /* Number of Rx descriptor registers */
137 #define RX_BUF_SIZE 1536 /* Rx Buffer size */ 137 #define RX_BUF_SIZE 1536 /* Rx Buffer size */
138 #define R8169_TX_RING_BYTES (NUM_TX_DESC * sizeof(struct TxDesc)) 138 #define R8169_TX_RING_BYTES (NUM_TX_DESC * sizeof(struct TxDesc))
139 #define R8169_RX_RING_BYTES (NUM_RX_DESC * sizeof(struct RxDesc)) 139 #define R8169_RX_RING_BYTES (NUM_RX_DESC * sizeof(struct RxDesc))
140 140
141 #define RTL8169_TX_TIMEOUT (6*HZ) 141 #define RTL8169_TX_TIMEOUT (6*HZ)
142 #define RTL8169_PHY_TIMEOUT (10*HZ) 142 #define RTL8169_PHY_TIMEOUT (10*HZ)
143 143
144 /* write/read MMIO register */ 144 /* write/read MMIO register */
145 #define RTL_W8(reg, val8) writeb ((val8), ioaddr + (reg)) 145 #define RTL_W8(reg, val8) writeb ((val8), ioaddr + (reg))
146 #define RTL_W16(reg, val16) writew ((val16), ioaddr + (reg)) 146 #define RTL_W16(reg, val16) writew ((val16), ioaddr + (reg))
147 #define RTL_W32(reg, val32) writel ((val32), ioaddr + (reg)) 147 #define RTL_W32(reg, val32) writel ((val32), ioaddr + (reg))
148 #define RTL_R8(reg) readb (ioaddr + (reg)) 148 #define RTL_R8(reg) readb (ioaddr + (reg))
149 #define RTL_R16(reg) readw (ioaddr + (reg)) 149 #define RTL_R16(reg) readw (ioaddr + (reg))
150 #define RTL_R32(reg) ((unsigned long) readl (ioaddr + (reg))) 150 #define RTL_R32(reg) ((unsigned long) readl (ioaddr + (reg)))
151 151
152 enum mac_version { 152 enum mac_version {
153 RTL_GIGA_MAC_VER_B = 0x00, 153 RTL_GIGA_MAC_VER_B = 0x00,
154 /* RTL_GIGA_MAC_VER_C = 0x03, */ 154 /* RTL_GIGA_MAC_VER_C = 0x03, */
155 RTL_GIGA_MAC_VER_D = 0x01, 155 RTL_GIGA_MAC_VER_D = 0x01,
156 RTL_GIGA_MAC_VER_E = 0x02, 156 RTL_GIGA_MAC_VER_E = 0x02,
157 RTL_GIGA_MAC_VER_X = 0x04 /* Greater than RTL_GIGA_MAC_VER_E */ 157 RTL_GIGA_MAC_VER_X = 0x04 /* Greater than RTL_GIGA_MAC_VER_E */
158 }; 158 };
159 159
 
 
Line 1777 Line 1777
1777 1777
1778 /* Reset the chipset */ 1778 /* Reset the chipset */
1779 RTL_W8(ChipCmd, CmdReset); 1779 RTL_W8(ChipCmd, CmdReset);
1780 1780
1781 /* PCI commit */ 1781 /* PCI commit */
1782 RTL_R8(ChipCmd); 1782 RTL_R8(ChipCmd);
1783 } 1783 }
1784 1784
1785 static void 1785 static void
1786 rtl8169_hw_start(struct net_device *dev) 1786 rtl8169_hw_start(struct net_device *dev)
1787 { 1787 {
1788 struct rtl8169_private *tp = netdev_priv(dev); 1788 struct rtl8169_private *tp = netdev_priv(dev);
1789 void __iomem *ioaddr = tp->mmio_addr; 1789 void __iomem *ioaddr = tp->mmio_addr;
1790 u32 i; 1790 u32 i;
1791 1791
1792 /* Soft reset the chip. */ 1792 /* Soft reset the chip. */
1793 RTL_W8(ChipCmd, CmdReset); 1793 RTL_W8(ChipCmd, CmdReset);
1794 1794
1795 /* Check that the chip has finished the reset. */ 1795 /* Check that the chip has finished the reset. */
1796 for (i = 1000; i > 0; i--) { 1796 for (i = 1000; i > 0; i--) {
1797 if ((RTL_R8(ChipCmd) & CmdReset) == 0) 1797 if ((RTL_R8(ChipCmd) & CmdReset) == 0)
1798 break; 1798 break;
1799 udelay(10); 1799 udelay(10);
1800 } 1800 }
1801 1801
1802 RTL_W8(Cfg9346, Cfg9346_Unlock); 1802 RTL_W8(Cfg9346, Cfg9346_Unlock);
1803 RTL_W8(ChipCmd, CmdTxEnb | CmdRxEnb); 1803 RTL_W8(ChipCmd, CmdTxEnb | CmdRxEnb);
1804 RTL_W8(EarlyTxThres, EarlyTxThld); 1804 RTL_W8(EarlyTxThres, EarlyTxThld);
1805 1805
1806 /* Low hurts. Let's disable the filtering. */ 1806 /* Low hurts. Let's disable the filtering. */
1807 RTL_W16(RxMaxSize, 16383); 1807 RTL_W16(RxMaxSize, 16383); /* cve-2009-1389 : Need new arg & split, Need to change?*/
1808 1808
1809 /* Set Rx Config register */ 1809 /* Set Rx Config register */
1810 i = rtl8169_rx_config | 1810 i = rtl8169_rx_config |
1811 (RTL_R32(RxConfig) & rtl_chip_info[tp->chipset].RxConfigMask); 1811 (RTL_R32(RxConfig) & rtl_chip_info[tp->chipset].RxConfigMask);
1812 RTL_W32(RxConfig, i); 1812 RTL_W32(RxConfig, i);
1813 1813
1814 /* Set DMA burst size and Interframe Gap Time */ 1814 /* Set DMA burst size and Interframe Gap Time */
1815 RTL_W32(TxConfig, 1815 RTL_W32(TxConfig,
1816 (TX_DMA_BURST << TxDMAShift) | (InterFrameGap << 1816 (TX_DMA_BURST << TxDMAShift) | (InterFrameGap <<
1817 TxInterFrameGapShift)); 1817 TxInterFrameGapShift));
1818 tp->cp_cmd |= RTL_R16(CPlusCmd); 1818 tp->cp_cmd |= RTL_R16(CPlusCmd);
1819 RTL_W16(CPlusCmd, tp->cp_cmd); 1819 RTL_W16(CPlusCmd, tp->cp_cmd);
1820 1820
1821 if ((tp->mac_version == RTL_GIGA_MAC_VER_D) || 1821 if ((tp->mac_version == RTL_GIGA_MAC_VER_D) ||
1822 (tp->mac_version == RTL_GIGA_MAC_VER_E)) { 1822 (tp->mac_version == RTL_GIGA_MAC_VER_E)) {
1823 dprintk(KERN_INFO PFX "Set MAC Reg C+CR Offset 0xE0. " 1823 dprintk(KERN_INFO PFX "Set MAC Reg C+CR Offset 0xE0. "
1824 "Bit-3 and bit-14 MUST be 1\n"); 1824 "Bit-3 and bit-14 MUST be 1\n");
1825 tp->cp_cmd |= (1 << 14) | PCIMulRW; 1825 tp->cp_cmd |= (1 << 14) | PCIMulRW;
1826 RTL_W16(CPlusCmd, tp->cp_cmd); 1826 RTL_W16(CPlusCmd, tp->cp_cmd);
1827 } 1827 }
1828 1828
1829 /* 1829 /*
1830 * Undocumented corner. Supposedly: 1830 * Undocumented corner. Supposedly:
1831 * (TxTimer << 12) | (TxPackets << 8) | (RxTimer << 4) | RxPackets 1831 * (TxTimer << 12) | (TxPackets << 8) | (RxTimer << 4) | RxPackets
1832 */ 1832 */
1833 RTL_W16(IntrMitigate, 0x0000); 1833 RTL_W16(IntrMitigate, 0x0000);
1834 1834
1835 RTL_W32(TxDescStartAddrLow, ((u64) tp->TxPhyAddr & DMA_32BIT_MASK)); 1835 RTL_W32(TxDescStartAddrLow, ((u64) tp->TxPhyAddr & DMA_32BIT_MASK));
1836 RTL_W32(TxDescStartAddrHigh, ((u64) tp->TxPhyAddr >> 32)); 1836 RTL_W32(TxDescStartAddrHigh, ((u64) tp->TxPhyAddr >> 32));
1837 RTL_W32(RxDescAddrLow, ((u64) tp->RxPhyAddr & DMA_32BIT_MASK)); 1837 RTL_W32(RxDescAddrLow, ((u64) tp->RxPhyAddr & DMA_32BIT_MASK));
 
File /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/fs/namei.c,v (Revision 1.1.1.1) [Add File Comment] [<<] [Top] [>>]
static int exec_permission_lite(struct i static int exec_permission_lite(struct i
 
Line 409 Line 409
409 if (current->fsuid == inode->i_uid) 409 if (current->fsuid == inode->i_uid)
410 mode >>= 6; 410 mode >>= 6;
411 else if (in_group_p(inode->i_gid)) 411 else if (in_group_p(inode->i_gid))
412 mode >>= 3; 412 mode >>= 3;
413 413
414 if (mode & MAY_EXEC) 414 if (mode & MAY_EXEC)
415 goto ok; 415 goto ok;
416 416
417 if ((inode->i_mode & S_IXUGO) && capable(CAP_DAC_OVERRIDE)) 417 if ((inode->i_mode & S_IXUGO) && capable(CAP_DAC_OVERRIDE))
418 goto ok; 418 goto ok;
419 419
420 if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_OVERRIDE)) 420 if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_OVERRIDE))
421 goto ok; 421 goto ok;
422 422
423 if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_READ_SEARCH)) 423 if (S_ISDIR(inode->i_mode) && capable(CAP_DAC_READ_SEARCH))
424 goto ok; 424 goto ok;
425 425
426 return -EACCES; 426 return -EACCES;
427 ok: 427 ok:
428 return security_inode_permission(inode, MAY_EXEC, nd); 428 return security_inode_permission(inode, MAY_EXEC, nd);
429 } 429 }
430 430
431 /* 431 /*
432 * This is called when everything else fails, and we actually have 432 * This is called when everything else fails, and we actually have
433 * to go to the low-level filesystem to find out what we should do.. 433 * to go to the low-level filesystem to find out what we should do..
434 * 434 *
435 * We get the directory semaphore, and after getting that we also 435 * We get the directory semaphore, and after getting that we also
436 * make sure that nobody added the entry to the dcache in the meantime.. 436 * make sure that nobody added the entry to the dcache in the meantime..
437 * SMP-safe 437 * SMP-safe
438 */ 438 */
439 /* cve-2008-3275 */
439 static struct dentry * real_lookup(struct dentry * parent, struct qstr * name, struct nameidata *nd) 440 static struct dentry * real_lookup(struct dentry * parent, struct qstr * name, struct nameidata *nd)
440 { 441 {
441 struct dentry * result; 442 struct dentry * result;
442 struct inode *dir = parent->d_inode; 443 struct inode *dir = parent->d_inode;
443 444
444 mutex_lock(&dir->i_mutex); 445 mutex_lock(&dir->i_mutex);
445 /* 446 /*
446 * First re-do the cached lookup just in case it was created 447 * First re-do the cached lookup just in case it was created
447 * while we waited for the directory semaphore.. 448 * while we waited for the directory semaphore..
448 * 449 *
449 * FIXME! This could use version numbering or similar to 450 * FIXME! This could use version numbering or similar to
450 * avoid unnecessary cache lookups. 451 * avoid unnecessary cache lookups.
451 * 452 *
452 * The "dcache_lock" is purely to protect the RCU list walker 453 * The "dcache_lock" is purely to protect the RCU list walker
453 * from concurrent renames at this point (we mustn't get false 454 * from concurrent renames at this point (we mustn't get false
454 * negatives from the RCU list walk here, unlike the optimistic 455 * negatives from the RCU list walk here, unlike the optimistic
455 * fast walk). 456 * fast walk).
456 * 457 *
457 * so doing d_lookup() (with seqlock), instead of lockfree __d_lookup 458 * so doing d_lookup() (with seqlock), instead of lockfree __d_lookup
458 */ 459 */
459 result = d_lookup(parent, name); 460 result = d_lookup(parent, name);
460 if (!result) { 461 if (!result) {
461 struct dentry * dentry = d_alloc(parent, name); 462 struct dentry * dentry;
463
464 /* Don't create child dentry for a dead directory */
465 result = ERR_PTR(-ENOENT);
466 if (IS_DEADDIR(dir))
467 goto out_unlock;
468
469 dentry = d_alloc(parent, name);
462 result = ERR_PTR(-ENOMEM); 470 result = ERR_PTR(-ENOMEM);
463 if (dentry) { 471 if (dentry) {
464 result = dir->i_op->lookup(dir, dentry, nd); 472 result = dir->i_op->lookup(dir, dentry, nd);
465 if (result) 473 if (result)
466 dput(dentry); 474 dput(dentry);
467 else 475 else
468 result = dentry; 476 result = dentry;
469 } 477 }
478 out_unlock:
470 mutex_unlock(&dir->i_mutex); 479 mutex_unlock(&dir->i_mutex);
471 return result; 480 return result;
472 } 481 }
473 482
474 /* 483 /*
475 * Uhhuh! Nasty case: the cache was re-populated while 484 * Uhhuh! Nasty case: the cache was re-populated while
476 * we waited on the semaphore. Need to revalidate. 485 * we waited on the semaphore. Need to revalidate.
477 */ 486 */
478 mutex_unlock(&dir->i_mutex); 487 mutex_unlock(&dir->i_mutex);
479 if (result->d_op && result->d_op->d_revalidate) { 488 if (result->d_op && result->d_op->d_revalidate) {
480 if (!result->d_op->d_revalidate(result, nd) && !d_invalidate(result)) { 489 if (!result->d_op->d_revalidate(result, nd) && !d_invalidate(result)) {
481 dput(result); 490 dput(result);
482 result = ERR_PTR(-ENOENT); 491 result = ERR_PTR(-ENOENT);
483 } 492 }
484 } 493 }
485 return result; 494 return result;
486 } 495 }
487 496
488 static int __emul_lookup_dentry(const char *, struct nameidata *); 497 static int __emul_lookup_dentry(const char *, struct nameidata *);
489 498
490 /* SMP-safe */ 499 /* SMP-safe */
491 static __always_inline int 500 static __always_inline int
492 walk_init_root(const char *name, struct nameidata *nd) 501 walk_init_root(const char *name, struct nameidata *nd)
493 { 502 {
494 read_lock(&current->fs->lock); 503 read_lock(&current->fs->lock);
495 if (current->fs->altroot && !(nd->flags & LOOKUP_NOALT)) { 504 if (current->fs->altroot && !(nd->flags & LOOKUP_NOALT)) {
496 nd->mnt = mntget(current->fs->altrootmnt); 505 nd->mnt = mntget(current->fs->altrootmnt);
497 nd->dentry = dget(current->fs->altroot); 506 nd->dentry = dget(current->fs->altroot);
498 read_unlock(&current->fs->lock); 507 read_unlock(&current->fs->lock);
499 if (__emul_lookup_dentry(name,nd)) 508 if (__emul_lookup_dentry(name,nd))
 
 
Line 1186 Line 1195
1186 * @nd: pointer to nameidata 1195 * @nd: pointer to nameidata
1187 * @open_flags: open intent flags 1196 * @open_flags: open intent flags
1188 * @create_mode: create intent flags 1197 * @create_mode: create intent flags
1189 */ 1198 */
1190 static int path_lookup_create(int dfd, const char *name, 1199 static int path_lookup_create(int dfd, const char *name,
1191 unsigned int lookup_flags, struct nameidata *nd, 1200 unsigned int lookup_flags, struct nameidata *nd,
1192 int open_flags, int create_mode) 1201 int open_flags, int create_mode)
1193 { 1202 {
1194 return __path_lookup_intent_open(dfd, name, lookup_flags|LOOKUP_CREATE, 1203 return __path_lookup_intent_open(dfd, name, lookup_flags|LOOKUP_CREATE,
1195 nd, open_flags, create_mode); 1204 nd, open_flags, create_mode);
1196 } 1205 }
1197 1206
1198 int __user_path_lookup_open(const char __user *name, unsigned int lookup_flags, 1207 int __user_path_lookup_open(const char __user *name, unsigned int lookup_flags,
1199 struct nameidata *nd, int open_flags) 1208 struct nameidata *nd, int open_flags)
1200 { 1209 {
1201 char *tmp = getname(name); 1210 char *tmp = getname(name);
1202 int err = PTR_ERR(tmp); 1211 int err = PTR_ERR(tmp);
1203 1212
1204 if (!IS_ERR(tmp)) { 1213 if (!IS_ERR(tmp)) {
1205 err = __path_lookup_intent_open(AT_FDCWD, tmp, lookup_flags, nd, open_flags, 0); 1214 err = __path_lookup_intent_open(AT_FDCWD, tmp, lookup_flags, nd, open_flags, 0);
1206 putname(tmp); 1215 putname(tmp);
1207 } 1216 }
1208 return err; 1217 return err;
1209 } 1218 }
1210 1219
1211 /* 1220 /*
1212 * Restricted form of lookup. Doesn't follow links, single-component only, 1221 * Restricted form of lookup. Doesn't follow links, single-component only,
1213 * needs parent already locked. Doesn't follow mounts. 1222 * needs parent already locked. Doesn't follow mounts.
1214 * SMP-safe. 1223 * SMP-safe.
1215 */ 1224 */
1225 /* cve-2008-3275 */
1216 static struct dentry * __lookup_hash(struct qstr *name, struct dentry * base, struct nameidata *nd) 1226 static struct dentry * __lookup_hash(struct qstr *name, struct dentry * base, struct nameidata *nd)
1217 { 1227 {
1218 struct dentry * dentry; 1228 struct dentry * dentry;
1219 struct inode *inode; 1229 struct inode *inode;
1220 int err; 1230 int err;
1221 1231
1222 inode = base->d_inode; 1232 inode = base->d_inode;
1223 err = permission(inode, MAY_EXEC, nd); 1233 err = permission(inode, MAY_EXEC, nd);
1224 dentry = ERR_PTR(err); 1234 dentry = ERR_PTR(err);
1225 if (err) 1235 if (err)
1226 goto out; 1236 goto out;
1227 1237
1228 /* 1238 /*
1229 * See if the low-level filesystem might want 1239 * See if the low-level filesystem might want
1230 * to use its own hash.. 1240 * to use its own hash..
1231 */ 1241 */
1232 if (base->d_op && base->d_op->d_hash) { 1242 if (base->d_op && base->d_op->d_hash) {
1233 err = base->d_op->d_hash(base, name); 1243 err = base->d_op->d_hash(base, name);
1234 dentry = ERR_PTR(err); 1244 dentry = ERR_PTR(err);
1235 if (err < 0) 1245 if (err < 0)
1236 goto out; 1246 goto out;
1237 } 1247 }
1238 1248
1239 dentry = cached_lookup(base, name, nd); 1249 dentry = cached_lookup(base, name, nd);
1240 if (!dentry) { 1250 if (!dentry) {
1241 struct dentry *new = d_alloc(base, name); 1251 struct dentry *new;
1252
1253 /* Don't create child dentry for a dead directory. */
1254 dentry = ERR_PTR(-ENOENT);
1255 if (IS_DEADDIR(inode))
1256 goto out;
1257
1258 new = d_alloc(base, name);
1242 dentry = ERR_PTR(-ENOMEM); 1259 dentry = ERR_PTR(-ENOMEM);
1243 if (!new) 1260 if (!new)
1244 goto out; 1261 goto out;
1245 dentry = inode->i_op->lookup(inode, new, nd); 1262 dentry = inode->i_op->lookup(inode, new, nd);
1246 if (!dentry) 1263 if (!dentry)
1247 dentry = new; 1264 dentry = new;
1248 else 1265 else
1249 dput(new); 1266 dput(new);
1250 } 1267 }
1251 out: 1268 out:
1252 return dentry; 1269 return dentry;
1253 } 1270 }
1254 1271
1255 struct dentry * lookup_hash(struct nameidata *nd) 1272 struct dentry * lookup_hash(struct nameidata *nd)
1256 { 1273 {
1257 return __lookup_hash(&nd->last, nd->dentry, nd); 1274 return __lookup_hash(&nd->last, nd->dentry, nd);
1258 } 1275 }
1259 1276
1260 /* SMP-safe */ 1277 /* SMP-safe */
1261 struct dentry * lookup_one_len(const char * name, struct dentry * base, int len) 1278 struct dentry * lookup_one_len(const char * name, struct dentry * base, int len)
1262 { 1279 {
1263 unsigned long hash; 1280 unsigned long hash;
1264 struct qstr this; 1281 struct qstr this;
1265 unsigned int c; 1282 unsigned int c;
1266 1283
1267 this.name = name; 1284 this.name = name;
1268 this.len = len; 1285 this.len = len;
1269 if (!len) 1286 if (!len)
1270 goto access; 1287 goto access;
1271 1288
 
 
Line 1462 Line 1479
1462 1479
1463 if (error) 1480 if (error)
1464 return error; 1481 return error;
1465 1482
1466 if (!dir->i_op || !dir->i_op->create) 1483 if (!dir->i_op || !dir->i_op->create)
1467 return -EACCES; /* shouldn't it be ENOSYS? */ 1484 return -EACCES; /* shouldn't it be ENOSYS? */
1468 mode &= S_IALLUGO; 1485 mode &= S_IALLUGO;
1469 mode |= S_IFREG; 1486 mode |= S_IFREG;
1470 error = security_inode_create(dir, dentry, mode); 1487 error = security_inode_create(dir, dentry, mode);
1471 if (error) 1488 if (error)
1472 return error; 1489 return error;
1473 DQUOT_INIT(dir); 1490 DQUOT_INIT(dir);
1474 error = dir->i_op->create(dir, dentry, mode, nd); 1491 error = dir->i_op->create(dir, dentry, mode, nd);
1475 if (!error) 1492 if (!error)
1476 fsnotify_create(dir, dentry->d_name.name); 1493 fsnotify_create(dir, dentry->d_name.name);
1477 return error; 1494 return error;
1478 } 1495 }
1479 1496
1480 int may_open(struct nameidata *nd, int acc_mode, int flag) 1497 int may_open(struct nameidata *nd, int acc_mode, int flag)
1481 { 1498 {
1482 struct dentry *dentry = nd->dentry; 1499 struct dentry *dentry = nd->dentry;
1483 struct inode *inode = dentry->d_inode; 1500 struct inode *inode = dentry->d_inode;
1484 int error; 1501 int error;
1485 1502
1486 if (!inode) 1503 if (!inode)
1487 return -ENOENT; 1504 return -ENOENT;
1488 1505
1489 if (S_ISLNK(inode->i_mode)) 1506 if (S_ISLNK(inode->i_mode))
1490 return -ELOOP; 1507 return -ELOOP;
1491 1508
1492 if (S_ISDIR(inode->i_mode) && (flag & FMODE_WRITE)) 1509 if (S_ISDIR(inode->i_mode) && (acc_mode & MAY_WRITE)) /* cve-2008-0001*/
1493 return -EISDIR; 1510 return -EISDIR;
1494 1511
1495 error = vfs_permission(nd, acc_mode); 1512 error = vfs_permission(nd, acc_mode);
1496 if (error) 1513 if (error)
1497 return error; 1514 return error;
1498 1515
1499 /* 1516 /*
1500 * FIFO's, sockets and device files are special: they don't 1517 * FIFO's, sockets and device files are special: they don't
1501 * actually live on the filesystem itself, and as such you 1518 * actually live on the filesystem itself, and as such you
1502 * can write to them even if the filesystem is read-only. 1519 * can write to them even if the filesystem is read-only.
1503 */ 1520 */
1504 if (S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) { 1521 if (S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) {
1505 flag &= ~O_TRUNC; 1522 flag &= ~O_TRUNC;
1506 } else if (S_ISBLK(inode->i_mode) || S_ISCHR(inode->i_mode)) { 1523 } else if (S_ISBLK(inode->i_mode) || S_ISCHR(inode->i_mode)) {
1507 if (nd->mnt->mnt_flags & MNT_NODEV) 1524 if (nd->mnt->mnt_flags & MNT_NODEV)
1508 return -EACCES; 1525 return -EACCES;
1509 1526
1510 flag &= ~O_TRUNC; 1527 flag &= ~O_TRUNC;
1511 } else if (IS_RDONLY(inode) && (flag & FMODE_WRITE)) 1528 } else if (IS_RDONLY(inode) && (acc_mode & MAY_WRITE)) /* cve-2008-0001*/
1512 return -EROFS; 1529 return -EROFS;
1513 /* 1530 /*
1514 * An append-only file must be opened in append mode for writing. 1531 * An append-only file must be opened in append mode for writing.
1515 */ 1532 */
1516 if (IS_APPEND(inode)) { 1533 if (IS_APPEND(inode)) {
1517 if ((flag & FMODE_WRITE) && !(flag & O_APPEND)) 1534 if ((flag & FMODE_WRITE) && !(flag & O_APPEND))
1518 return -EPERM; 1535 return -EPERM;
1519 if (flag & O_TRUNC) 1536 if (flag & O_TRUNC)
1520 return -EPERM; 1537 return -EPERM;
1521 } 1538 }
1522 1539
1523 /* O_NOATIME can only be set by the owner or superuser */ 1540 /* O_NOATIME can only be set by the owner or superuser */
1524 if (flag & O_NOATIME) 1541 if (flag & O_NOATIME)
1525 if (current->fsuid != inode->i_uid && !capable(CAP_FOWNER)) 1542 if (current->fsuid != inode->i_uid && !capable(CAP_FOWNER))
1526 return -EPERM; 1543 return -EPERM;
1527 1544
1528 /* 1545 /*
1529 * Ensure there are no outstanding leases on the file. 1546 * Ensure there are no outstanding leases on the file.
1530 */ 1547 */
1531 error = break_lease(inode, flag); 1548 error = break_lease(inode, flag);
1532 if (error) 1549 if (error)
1533 return error; 1550 return error;
1534 1551
1535 if (flag & O_TRUNC) { 1552 if (flag & O_TRUNC) {
1536 error = get_write_access(inode); 1553 error = get_write_access(inode);
1537 if (error) 1554 if (error)
1538 return error; 1555 return error;
1539 1556
1540 /* 1557 /*
1541 * Refuse to truncate files with mandatory locks held on them. 1558 * Refuse to truncate files with mandatory locks held on them.
 
File /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/fs/namespace.c,v (Revision 1.1.1.1) [Add File Comment] [<<] [Top] [>>]
static int graft_tree(struct vfsmount *m static int graft_tree(struct vfsmount *m
 
Line 819 Line 819
819 return -ENOTDIR; 819 return -ENOTDIR;
820 820
821 err = -ENOENT; 821 err = -ENOENT;
822 mutex_lock(&nd->dentry->d_inode->i_mutex); 822 mutex_lock(&nd->dentry->d_inode->i_mutex);
823 if (IS_DEADDIR(nd->dentry->d_inode)) 823 if (IS_DEADDIR(nd->dentry->d_inode))
824 goto out_unlock; 824 goto out_unlock;
825 825
826 err = security_sb_check_sb(mnt, nd); 826 err = security_sb_check_sb(mnt, nd);
827 if (err) 827 if (err)
828 goto out_unlock; 828 goto out_unlock;
829 829
830 err = -ENOENT; 830 err = -ENOENT;
831 if (IS_ROOT(nd->dentry) || !d_unhashed(nd->dentry)) 831 if (IS_ROOT(nd->dentry) || !d_unhashed(nd->dentry))
832 err = attach_recursive_mnt(mnt, nd, NULL); 832 err = attach_recursive_mnt(mnt, nd, NULL);
833 out_unlock: 833 out_unlock:
834 mutex_unlock(&nd->dentry->d_inode->i_mutex); 834 mutex_unlock(&nd->dentry->d_inode->i_mutex);
835 if (!err) 835 if (!err)
836 security_sb_post_addmount(mnt, nd); 836 security_sb_post_addmount(mnt, nd);
837 return err; 837 return err;
838 } 838 }
839 839
840 /* 840 /*
841 * recursively change the type of the mountpoint. 841 * recursively change the type of the mountpoint.
842 */ 842 */
843 static int do_change_type(struct nameidata *nd, int flag) 843 static int do_change_type(struct nameidata *nd, int flag)
844 { 844 {
845 struct vfsmount *m, *mnt = nd->mnt; 845 struct vfsmount *m, *mnt = nd->mnt;
846 int recurse = flag & MS_REC; 846 int recurse = flag & MS_REC;
847 int type = flag & ~MS_REC; 847 int type = flag & ~MS_REC;
848 848
849 /* cve-2008-2931 */
850 if (!capable(CAP_SYS_ADMIN))
851 return -EPERM;
852
849 if (nd->dentry != nd->mnt->mnt_root) 853 if (nd->dentry != nd->mnt->mnt_root)
850 return -EINVAL; 854 return -EINVAL;
851 855
852 down_write(&namespace_sem); 856 down_write(&namespace_sem);
853 spin_lock(&vfsmount_lock); 857 spin_lock(&vfsmount_lock);
854 for (m = mnt; m; m = (recurse ? next_mnt(m, mnt) : NULL)) 858 for (m = mnt; m; m = (recurse ? next_mnt(m, mnt) : NULL))
855 change_mnt_propagation(m, type); 859 change_mnt_propagation(m, type);
856 spin_unlock(&vfsmount_lock); 860 spin_unlock(&vfsmount_lock);
857 up_write(&namespace_sem); 861 up_write(&namespace_sem);
858 return 0; 862 return 0;
859 } 863 }
860 864
861 /* 865 /*
862 * do loopback mount. 866 * do loopback mount.
863 */ 867 */
864 static int do_loopback(struct nameidata *nd, char *old_name, int recurse) 868 static int do_loopback(struct nameidata *nd, char *old_name, int recurse)
865 { 869 {
866 struct nameidata old_nd; 870 struct nameidata old_nd;
867 struct vfsmount *mnt = NULL; 871 struct vfsmount *mnt = NULL;
868 int err = mount_is_safe(nd); 872 int err = mount_is_safe(nd);
869 if (err) 873 if (err)
870 return err; 874 return err;
871 if (!old_name || !*old_name) 875 if (!old_name || !*old_name)
872 return -EINVAL; 876 return -EINVAL;
873 err = path_lookup(old_name, LOOKUP_FOLLOW, &old_nd); 877 err = path_lookup(old_name, LOOKUP_FOLLOW, &old_nd);
874 if (err) 878 if (err)
875 return err; 879 return err;
876 880
877 down_write(&namespace_sem); 881 down_write(&namespace_sem);
878 err = -EINVAL; 882 err = -EINVAL;
 
File /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/fs/open.c,v (Revision 1.1.1.1) [Add File Comment] [<<] [Top] [>>]
asmlinkage long sys_fstatfs64(unsigned i asmlinkage long sys_fstatfs64(unsigned i
 
Line 186 Line 186
186 186
187 error = -EBADF; 187 error = -EBADF;
188 file = fget(fd); 188 file = fget(fd);
189 if (!file) 189 if (!file)
190 goto out; 190 goto out;
191 error = vfs_statfs64(file->f_dentry->d_inode->i_sb, &tmp); 191 error = vfs_statfs64(file->f_dentry->d_inode->i_sb, &tmp);
192 if (!error && copy_to_user(buf, &tmp, sizeof(tmp))) 192 if (!error && copy_to_user(buf, &tmp, sizeof(tmp)))
193 error = -EFAULT; 193 error = -EFAULT;
194 fput(file); 194 fput(file);
195 out: 195 out:
196 return error; 196 return error;
197 } 197 }
198 198
199 int do_truncate(struct dentry *dentry, loff_t length, unsigned int time_attrs, 199 int do_truncate(struct dentry *dentry, loff_t length, unsigned int time_attrs,
200 struct file *filp) 200 struct file *filp)
201 { 201 {
202 int err; 202 int err;
203 struct iattr newattrs; 203 struct iattr newattrs;
204 204
205 /* Not pretty: "inode->i_size" shouldn't really be signed. But it is. */ 205 /* Not pretty: "inode->i_size" shouldn't really be signed. But it is. */
206 if (length < 0) 206 if (length < 0)
207 return -EINVAL; 207 return -EINVAL;
208 208
209 newattrs.ia_size = length; 209 newattrs.ia_size = length;
210 newattrs.ia_valid = ATTR_SIZE | time_attrs; 210 newattrs.ia_valid = ATTR_SIZE | time_attrs;
211 if (filp) { 211 if (filp) {
212 newattrs.ia_file = filp; 212 newattrs.ia_file = filp;
213 newattrs.ia_valid |= ATTR_FILE; 213 newattrs.ia_valid |= ATTR_FILE;
214 } 214 }
215 215
216 /* cve-2008-4210 : kernel.org 2007-05-09 */
217 /* AH: see filemap.c */
218 /* Remove suid/sgid on truncate too */
219 newattrs.ia_valid |= should_remove_suid(dentry);
220
216 mutex_lock(&dentry->d_inode->i_mutex); 221 mutex_lock(&dentry->d_inode->i_mutex);
217 err = notify_change(dentry, &newattrs); 222 err = notify_change(dentry, &newattrs);
218 mutex_unlock(&dentry->d_inode->i_mutex); 223 mutex_unlock(&dentry->d_inode->i_mutex);
219 return err; 224 return err;
220 } 225 }
221 226
222 static long do_sys_truncate(const char __user * path, loff_t length) 227 static long do_sys_truncate(const char __user * path, loff_t length)
223 { 228 {
224 struct nameidata nd; 229 struct nameidata nd;
225 struct inode * inode; 230 struct inode * inode;
226 int error; 231 int error;
227 232
228 error = -EINVAL; 233 error = -EINVAL;
229 if (length < 0) /* sorry, but loff_t says... */ 234 if (length < 0) /* sorry, but loff_t says... */
230 goto out; 235 goto out;
231 236
232 error = user_path_walk(path, &nd); 237 error = user_path_walk(path, &nd);
233 if (error) 238 if (error)
234 goto out; 239 goto out;
235 inode = nd.dentry->d_inode; 240 inode = nd.dentry->d_inode;
236 241
237 /* For directories it's -EISDIR, for other non-regulars - -EINVAL */ 242 /* For directories it's -EISDIR, for other non-regulars - -EINVAL */
238 error = -EISDIR; 243 error = -EISDIR;
239 if (S_ISDIR(inode->i_mode)) 244 if (S_ISDIR(inode->i_mode))
240 goto dput_and_out; 245 goto dput_and_out;
241 246
242 error = -EINVAL; 247 error = -EINVAL;
243 if (!S_ISREG(inode->i_mode)) 248 if (!S_ISREG(inode->i_mode))
244 goto dput_and_out; 249 goto dput_and_out;
245 250
 
File /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/fs/pipe.c,v (Revision 1.1.1.1) [Add File Comment] [<<] [Top] [>>]
pipe_poll(struct file *filp, poll_table pipe_poll(struct file *filp, poll_table
 
Line 421 Line 421
421 mask |= (nrbufs < PIPE_BUFFERS) ? POLLOUT | POLLWRNORM : 0; 421 mask |= (nrbufs < PIPE_BUFFERS) ? POLLOUT | POLLWRNORM : 0;
422 /* 422 /*
423 * Most Unices do not set POLLERR for FIFOs but on Linux they 423 * Most Unices do not set POLLERR for FIFOs but on Linux they
424 * behave exactly like pipes for poll(). 424 * behave exactly like pipes for poll().
425 */ 425 */
426 if (!PIPE_READERS(*inode)) 426 if (!PIPE_READERS(*inode))
427 mask |= POLLERR; 427 mask |= POLLERR;
428 } 428 }
429 429
430 return mask; 430 return mask;
431 } 431 }
432 432
433 static int 433 static int
434 pipe_release(struct inode *inode, int decr, int decw) 434 pipe_release(struct inode *inode, int decr, int decw)
435 { 435 {
436 mutex_lock(PIPE_MUTEX(*inode)); 436 mutex_lock(PIPE_MUTEX(*inode));
437 PIPE_READERS(*inode) -= decr; 437 PIPE_READERS(*inode) -= decr;
438 PIPE_WRITERS(*inode) -= decw; 438 PIPE_WRITERS(*inode) -= decw;
439 if (!PIPE_READERS(*inode) && !PIPE_WRITERS(*inode)) { 439 if (!PIPE_READERS(*inode) && !PIPE_WRITERS(*inode)) {
440 free_pipe_info(inode); 440 free_pipe_info(inode);
441 } else { 441 } else {
442 wake_up_interruptible(PIPE_WAIT(*inode)); 442 wake_up_interruptible(PIPE_WAIT(*inode));
443 kill_fasync(PIPE_FASYNC_READERS(*inode), SIGIO, POLL_IN); 443 kill_fasync(PIPE_FASYNC_READERS(*inode), SIGIO, POLL_IN);
444 kill_fasync(PIPE_FASYNC_WRITERS(*inode), SIGIO, POLL_OUT); 444 kill_fasync(PIPE_FASYNC_WRITERS(*inode), SIGIO, POLL_OUT);
445 } 445 }
446 mutex_unlock(PIPE_MUTEX(*inode)); 446 mutex_unlock(PIPE_MUTEX(*inode));
447 447
448 return 0; 448 return 0;
449 } 449 }
450 450
451 /* kernel.org: 2009-03-16 : fasync return values : AH sync with *32 */
451 static int 452 static int
452 pipe_read_fasync(int fd, struct file *filp, int on) 453 pipe_read_fasync(int fd, struct file *filp, int on)
453 { 454 {
454 struct inode *inode = filp->f_dentry->d_inode; 455 struct inode *inode = filp->f_dentry->d_inode;
455 int retval; 456 int retval;
456 457
457 mutex_lock(PIPE_MUTEX(*inode)); 458 mutex_lock(PIPE_MUTEX(*inode));
458 retval = fasync_helper(fd, filp, on, PIPE_FASYNC_READERS(*inode)); 459 retval = fasync_helper(fd, filp, on, PIPE_FASYNC_READERS(*inode));
459 mutex_unlock(PIPE_MUTEX(*inode)); 460 mutex_unlock(PIPE_MUTEX(*inode));
460 461
461 if (retval < 0) 462 return retval;
462 return retval;
463
464 return 0;
465 } 463 }
466 464
467 465
466 /* kernel.org: 2009-03-16 : fasync return values : AH sync with *32 */
468 static int 467 static int
469 pipe_write_fasync(int fd, struct file *filp, int on) 468 pipe_write_fasync(int fd, struct file *filp, int on)
470 { 469 {
471 struct inode *inode = filp->f_dentry->d_inode; 470 struct inode *inode = filp->f_dentry->d_inode;
472 int retval; 471 int retval;
473 472
474 mutex_lock(PIPE_MUTEX(*inode)); 473 mutex_lock(PIPE_MUTEX(*inode));
475 retval = fasync_helper(fd, filp, on, PIPE_FASYNC_WRITERS(*inode)); 474 retval = fasync_helper(fd, filp, on, PIPE_FASYNC_WRITERS(*inode));
476 mutex_unlock(PIPE_MUTEX(*inode)); 475 mutex_unlock(PIPE_MUTEX(*inode));
477 476
478 if (retval < 0) 477 return retval;
479 return retval;
480
481 return 0;
482 } 478 }
483 479
484 480
481 /* kernel.org: 2009-03-16 : fasync return values : AH sync with *32 */
482 /* kernel.org: 2009-03-12 : fix the error handling to prevent leak/crash */
485 static int 483 static int
486 pipe_rdwr_fasync(int fd, struct file *filp, int on) 484 pipe_rdwr_fasync(int fd, struct file *filp, int on)
487 { 485 {
488 struct inode *inode = filp->f_dentry->d_inode; 486 struct inode *inode = filp->f_dentry->d_inode;
489 int retval; 487 int retval;
490 488
491 mutex_lock(PIPE_MUTEX(*inode)); 489 mutex_lock(PIPE_MUTEX(*inode));
492 490
493 retval = fasync_helper(fd, filp, on, PIPE_FASYNC_READERS(*inode)); 491 retval = fasync_helper(fd, filp, on, PIPE_FASYNC_READERS(*inode));
494 492
495 if (retval >= 0) 493 if (retval >= 0) {
496 retval = fasync_helper(fd, filp, on, PIPE_FASYNC_WRITERS(*inode)); 494 retval = fasync_helper(fd, filp, on, PIPE_FASYNC_WRITERS(*inode));
497 495
498 mutex_unlock(PIPE_MUTEX(*inode)); 496 if (retval < 0)
497 (void)fasync_helper(-1, filp, 0, /*&pipe->fasync_readers*/ PIPE_FASYNC_READERS(*inode));
498 }
499 499
500 if (retval < 0) 500 mutex_unlock(PIPE_MUTEX(*inode));
501 return retval;
502 501
503 return 0; 502 return retval;
504 } 503 }
505 504
506 505
507 static int 506 static int
508 pipe_read_release(struct inode *inode, struct file *filp) 507 pipe_read_release(struct inode *inode, struct file *filp)
509 { 508 {
510 pipe_read_fasync(-1, filp, 0); 509 pipe_read_fasync(-1, filp, 0);
511 return pipe_release(inode, 1, 0); 510 return pipe_release(inode, 1, 0);
512 } 511 }
513 512
514 static int 513 static int
515 pipe_write_release(struct inode *inode, struct file *filp) 514 pipe_write_release(struct inode *inode, struct file *filp)
516 { 515 {
517 pipe_write_fasync(-1, filp, 0); 516 pipe_write_fasync(-1, filp, 0);
518 return pipe_release(inode, 0, 1); 517 return pipe_release(inode, 0, 1);
519 } 518 }
520 519
521 static int 520 static int
522 pipe_rdwr_release(struct inode *inode, struct file *filp) 521 pipe_rdwr_release(struct inode *inode, struct file *filp)
523 { 522 {
524 int decr, decw; 523 int decr, decw;
525 524
526 pipe_rdwr_fasync(-1, filp, 0); 525 pipe_rdwr_fasync(-1, filp, 0);
527 decr = (filp->f_mode & FMODE_READ) != 0; 526 decr = (filp->f_mode & FMODE_READ) != 0;
528 decw = (filp->f_mode & FMODE_WRITE) != 0; 527 decw = (filp->f_mode & FMODE_WRITE) != 0;
529 return pipe_release(inode, decr, decw); 528 return pipe_release(inode, decr, decw);
530 } 529 }
531 530
531 /*
532 * Pipe Macros are hiding NULL pointer dereferences within opens
533 * kernel.org : 2006-04-11 : get rid of the PIPE macros
534 * cve-2009-3547 : kernel.org: 2009-10-21: null pointer derefernce
535 */
532 static int 536 static int
533 pipe_read_open(struct inode *inode, struct file *filp) 537 pipe_read_open(struct inode *inode, struct file *filp)
534 { 538 {
535 /* We could have perhaps used atomic_t, but this and friends 539 int ret = -ENOENT;
536 below are the only places. So it doesn't seem worthwhile. */ 540 mutex_lock(&inode->i_mutex);
537 mutex_lock(PIPE_MUTEX(*inode));
538 PIPE_READERS(*inode)++;
539 mutex_unlock(PIPE_MUTEX(*inode));
540 541
541 return 0; 542 if (inode->i_pipe) {
543 ret = 0;
544 inode->i_pipe->readers++;
545 }
546
547 mutex_unlock(&inode->i_mutex);
548
549 return ret;
542 } 550 }
543 551
552 /*
553 * Pipe Macros are hiding NULL pointer dereferences within opens
554 * kernel.org : 2006-04-11 : get rid of the PIPE macros
555 * cve-2009-3547 : kernel.org: 2009-10-21: null pointer derefernce
556 */
544 static int 557 static int
545 pipe_write_open(struct inode *inode, struct file *filp) 558 pipe_write_open(struct inode *inode, struct file *filp)
546 { 559 {
547 mutex_lock(PIPE_MUTEX(*inode)); 560 int ret = -ENOENT;
548 PIPE_WRITERS(*inode)++;
549 mutex_unlock(PIPE_MUTEX(*inode));
550 561
551 return 0; 562 mutex_lock(&inode->i_mutex);
563
564 if (inode->i_pipe) {
565 ret = 0;
566 inode->i_pipe->writers++;
567 }
568
569 mutex_unlock(&inode->i_mutex);
570
571 return ret;
552 } 572 }
553 573
574 /*
575 * Pipe Macros are hiding NULL pointer dereferences within opens
576 * kernel.org : 2006-04-11 : get rid of the PIPE macros
577 * cve-2009-3547 : kernel.org: 2009-10-21: null pointer derefernce
578 */
554 static int 579 static int
555 pipe_rdwr_open(struct inode *inode, struct file *filp) 580 pipe_rdwr_open(struct inode *inode, struct file *filp)
556 { 581 {
557 mutex_lock(PIPE_MUTEX(*inode)); 582 int ret = -ENOENT;
558 if (filp->f_mode & FMODE_READ)
559 PIPE_READERS(*inode)++;
560 if (filp->f_mode & FMODE_WRITE)
561 PIPE_WRITERS(*inode)++;
562 mutex_unlock(PIPE_MUTEX(*inode));
563 583
564 return 0; 584 mutex_lock(&inode->i_mutex);
585
586 if (inode->i_pipe) {
587 ret = 0;
588 if (filp->f_mode & FMODE_READ)
589 inode->i_pipe->readers++;
590 if (filp->f_mode & FMODE_WRITE)
591 inode->i_pipe->writers++;
592 }
593
594 mutex_unlock(&inode->i_mutex);
595
596 return ret;
565 } 597 }
566 598
567 /* 599 /*
568 * The file_operations structs are not static because they 600 * The file_operations structs are not static because they
569 * are also used in linux/fs/fifo.c to do operations on FIFOs. 601 * are also used in linux/fs/fifo.c to do operations on FIFOs.
570 */ 602 */
571 struct file_operations read_fifo_fops = { 603 struct file_operations read_fifo_fops = {
572 .llseek = no_llseek, 604 .llseek = no_llseek,
573 .read = pipe_read, 605 .read = pipe_read,
574 .readv = pipe_readv, 606 .readv = pipe_readv,
575 .write = bad_pipe_w, 607 .write = bad_pipe_w,
576 .poll = pipe_poll, 608 .poll = pipe_poll,
577 .ioctl = pipe_ioctl, 609 .ioctl = pipe_ioctl,
578 .open = pipe_read_open, 610 .open = pipe_read_open,
579 .release = pipe_read_release, 611 .release = pipe_read_release,
580 .fasync = pipe_read_fasync, 612 .fasync = pipe_read_fasync,
581 }; 613 };
582 614
583 struct file_operations write_fifo_fops = { 615 struct file_operations write_fifo_fops = {
584 .llseek = no_llseek, 616 .llseek = no_llseek,
585 .read = bad_pipe_r, 617 .read = bad_pipe_r,
586 .write = pipe_write, 618 .write = pipe_write,
587 .writev = pipe_writev, 619 .writev = pipe_writev,
588 .poll = pipe_poll, 620 .poll = pipe_poll,
589 .ioctl = pipe_ioctl, 621 .ioctl = pipe_ioctl,
590 .open = pipe_write_open, 622 .open = pipe_write_open,
591 .release = pipe_write_release, 623 .release = pipe_write_release,
592 .fasync = pipe_write_fasync, 624 .fasync = pipe_write_fasync,
593 }; 625 };
594 626
 
File /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/fs/proc/base.c,v (Revision 1.1.1.1.188.1) [Add File Comment] [<<] [Top] [>>]
static int proc_pid_auxv(struct task_str static int proc_pid_auxv(struct task_str
 
Line 494 Line 494
494 */ 494 */
495 static int proc_pid_wchan(struct task_struct *task, char *buffer) 495 static int proc_pid_wchan(struct task_struct *task, char *buffer)
496 { 496 {
497 char *modname; 497 char *modname;
498 const char *sym_name; 498 const char *sym_name;
499 unsigned long wchan, size, offset; 499 unsigned long wchan, size, offset;
500 char namebuf[KSYM_NAME_LEN+1]; 500 char namebuf[KSYM_NAME_LEN+1];
501 501
502 wchan = get_wchan(task); 502 wchan = get_wchan(task);
503 503
504 sym_name = kallsyms_lookup(wchan, &size, &offset, &modname, namebuf); 504 sym_name = kallsyms_lookup(wchan, &size, &offset, &modname, namebuf);
505 if (sym_name) 505 if (sym_name)
506 return sprintf(buffer, "%s", sym_name); 506 return sprintf(buffer, "%s", sym_name);
507 return sprintf(buffer, "%lu", wchan); 507 return sprintf(buffer, "%lu", wchan);
508 } 508 }
509 #endif /* CONFIG_KALLSYMS */ 509 #endif /* CONFIG_KALLSYMS */
510 510
511 #ifdef CONFIG_SCHEDSTATS 511 #ifdef CONFIG_SCHEDSTATS
512 /* 512 /*
513 * Provides /proc/PID/schedstat 513 * Provides /proc/PID/schedstat
514 */ 514 */
515 static int proc_pid_schedstat(struct task_struct *task, char *buffer) 515 static int proc_pid_schedstat(struct task_struct *task, char *buffer)
516 { 516 {
517 return sprintf(buffer, "%lu %lu %lu\n", 517 return sprintf(buffer, "%lu %lu %lu\n",
518 task->sched_info.cpu_time, 518 task->sched_info.cpu_time,
519 task->sched_info.run_delay, 519 task->sched_info.run_delay,
520 task->sched_info.pcnt); 520 task->sched_info.pcnt);
521 } 521 }
522 #endif 522 #endif
523 523
524 /* cve-2010-1488 : kernel.org : 2010-04-01 : fix the unsafe usage .. */
524 /* The badness from the OOM killer */ 525 /* The badness from the OOM killer */
525 unsigned long badness(struct task_struct *p, unsigned long uptime); 526 unsigned long badness(struct task_struct *p, unsigned long uptime);
526 static int proc_oom_score(struct task_struct *task, char *buffer) 527 static int proc_oom_score(struct task_struct *task, char *buffer)
527 { 528 {
528 unsigned long points; 529 unsigned long points = 0;
529 struct timespec uptime; 530 struct timespec uptime;
530 531
531 do_posix_clock_monotonic_gettime(&uptime); 532 do_posix_clock_monotonic_gettime(&uptime);
532 points = badness(task, uptime.tv_sec); 533 if (pid_alive(task))
534 points = badness(task, uptime.tv_sec);
533 return sprintf(buffer, "%lu\n", points); 535 return sprintf(buffer, "%lu\n", points);
534 } 536 }
535 537
536 /************************************************************************/ 538 /************************************************************************/
537 /* Here the fs part begins */ 539 /* Here the fs part begins */
538 /************************************************************************/ 540 /************************************************************************/
539 541
540 /* permission checks */ 542 /* permission checks */
541 543
542 /* If the process being read is separated by chroot from the reading process, 544 /* If the process being read is separated by chroot from the reading process,
543 * don't let the reader access the threads. 545 * don't let the reader access the threads.
544 */ 546 */
545 static int proc_check_chroot(struct dentry *root, struct vfsmount *vfsmnt) 547 static int proc_check_chroot(struct dentry *root, struct vfsmount *vfsmnt)
546 { 548 {
547 struct dentry *de, *base; 549 struct dentry *de, *base;
548 struct vfsmount *our_vfsmnt, *mnt; 550 struct vfsmount *our_vfsmnt, *mnt;
549 int res = 0; 551 int res = 0;
550 read_lock(&current->fs->lock); 552 read_lock(&current->fs->lock);
551 our_vfsmnt = mntget(current->fs->rootmnt); 553 our_vfsmnt = mntget(current->fs->rootmnt);
552 base = dget(current->fs->root); 554 base = dget(current->fs->root);
553 read_unlock(&current->fs->lock); 555 read_unlock(&current->fs->lock);
554 556
555 spin_lock(&vfsmount_lock); 557 spin_lock(&vfsmount_lock);
556 de = root; 558 de = root;
557 mnt = vfsmnt; 559 mnt = vfsmnt;
558 560
559 while (vfsmnt != our_vfsmnt) { 561 while (vfsmnt != our_vfsmnt) {
560 if (vfsmnt == vfsmnt->mnt_parent) 562 if (vfsmnt == vfsmnt->mnt_parent)
561 goto out; 563 goto out;
562 de = vfsmnt->mnt_mountpoint; 564 de = vfsmnt->mnt_mountpoint;
 
File /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/fs/sysfs/file.c,v (Revision 1.1.1.1) [Add File Comment] [<<] [Top] [>>]
sysfs_read_file(struct file *file, char sysfs_read_file(struct file *file, char
 
Line 156 Line 156
156 pr_debug("%s: count = %d, ppos = %lld, buf = %s\n", 156 pr_debug("%s: count = %d, ppos = %lld, buf = %s\n",
157 __FUNCTION__,count,*ppos,buffer->page); 157 __FUNCTION__,count,*ppos,buffer->page);
158 retval = flush_read_buffer(buffer,buf,count,ppos); 158 retval = flush_read_buffer(buffer,buf,count,ppos);
159 out: 159 out:
160 up(&buffer->sem); 160 up(&buffer->sem);
161 return retval; 161 return retval;
162 } 162 }
163 163
164 164
165 /** 165 /**
166 * fill_write_buffer - copy buffer from userspace. 166 * fill_write_buffer - copy buffer from userspace.
167 * @buffer: data buffer for file. 167 * @buffer: data buffer for file.
168 * @buf: data from user. 168 * @buf: data from user.
169 * @count: number of bytes in @userbuf. 169 * @count: number of bytes in @userbuf.
170 * 170 *
171 * Allocate @buffer->page if it hasn't been already, then 171 * Allocate @buffer->page if it hasn't been already, then
172 * copy the user-supplied buffer into it. 172 * copy the user-supplied buffer into it.
173 */ 173 */
174 174
175 static int 175 static int
176 fill_write_buffer(struct sysfs_buffer * buffer, const char __user * buf, size_t count) 176 fill_write_buffer(struct sysfs_buffer * buffer, const char __user * buf, size_t count)
177 { 177 {
178 int error; 178 int error;
179 179
180 if (!buffer->page) 180 if (!buffer->page)
181 buffer->page = (char *)get_zeroed_page(GFP_KERNEL); 181 buffer->page = (char *)get_zeroed_page(GFP_KERNEL);
182 if (!buffer->page) 182 if (!buffer->page)
183 return -ENOMEM; 183 return -ENOMEM;
184 184
185 if (count >= PAGE_SIZE) 185 if (count >= PAGE_SIZE)
186 count = PAGE_SIZE - 1; 186 count = PAGE_SIZE - 1; /* cve-2006-1055 */
187 error = copy_from_user(buffer->page,buf,count); 187 error = copy_from_user(buffer->page,buf,count);
188 buffer->needs_read_fill = 1; 188 buffer->needs_read_fill = 1;
189 return error ? -EFAULT : count; 189 return error ? -EFAULT : count;
190 } 190 }
191 191
192 192
193 /** 193 /**
194 * flush_write_buffer - push buffer to kobject. 194 * flush_write_buffer - push buffer to kobject.
195 * @dentry: dentry to the attribute 195 * @dentry: dentry to the attribute
196 * @buffer: data buffer for file. 196 * @buffer: data buffer for file.
197 * @count: number of bytes 197 * @count: number of bytes
198 * 198 *
199 * Get the correct pointers for the kobject and the attribute we're 199 * Get the correct pointers for the kobject and the attribute we're
200 * dealing with, then call the store() method for the attribute, 200 * dealing with, then call the store() method for the attribute,
201 * passing the buffer that we acquired in fill_write_buffer(). 201 * passing the buffer that we acquired in fill_write_buffer().
202 */ 202 */
203 203
204 static int 204 static int
205 flush_write_buffer(struct dentry * dentry, struct sysfs_buffer * buffer, size_t count) 205 flush_write_buffer(struct dentry * dentry, struct sysfs_buffer * buffer, size_t count)
206 { 206 {
207 struct attribute * attr = to_attr(dentry); 207 struct attribute * attr = to_attr(dentry);
208 struct kobject * kobj = to_kobj(dentry->d_parent); 208 struct kobject * kobj = to_kobj(dentry->d_parent);
209 struct sysfs_ops * ops = buffer->ops; 209 struct sysfs_ops * ops = buffer->ops;
210 210
211 return ops->store(kobj,attr,buffer->page,count); 211 return ops->store(kobj,attr,buffer->page,count);
212 } 212 }
213 213
214 214
215 /** 215 /**
216 * sysfs_write_file - write an attribute. 216 * sysfs_write_file - write an attribute.
 
File /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/include/linux/connector.h,v (Revision 1.1.1.1) [Add File Comment] [<<] [Top] [>>]
 
Line 1 Line 1
1 /* 1 /*
2 * connector.h 2 * connector.h
3 * 3 *
4 * 2004-2005 Copyright (c) Evgeniy Polyakov <johnpol@2ka.mipt.ru> 4 * 2004-2005 Copyright (c) Evgeniy Polyakov <johnpol@2ka.mipt.ru>
5 * All rights reserved. 5 * All rights reserved.
6 * 6 *
7 * This program is free software; you can redistribute it and/or modify 7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by 8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or 9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version. 10 * (at your option) any later version.
11 * 11 *
12 * This program is distributed in the hope that it will be useful, 12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details. 15 * GNU General Public License for more details.
16 * 16 *
17 * You should have received a copy of the GNU General Public License 17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software 18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20 */ 20 */
21 21
22 #ifndef __CONNECTOR_H 22 #ifndef __CONNECTOR_H
23 #define __CONNECTOR_H 23 #define __CONNECTOR_H
24 24
25 #include <asm/types.h> 25 #include <asm/types.h>
26 26
27 #ifdef NOTIF_XXX
27 #define CN_IDX_CONNECTOR 0xffffffff 28 #define CN_IDX_CONNECTOR 0xffffffff
28 #define CN_VAL_CONNECTOR 0xffffffff 29 #define CN_VAL_CONNECTOR 0xffffffff
30 #endif
29 31
30 /* 32 /*
31 * Process Events connector unique ids -- used for message routing 33 * Process Events connector unique ids -- used for message routing
32 */ 34 */
33 #define CN_IDX_PROC 0x1 35 #define CN_IDX_PROC 0x1
34 #define CN_VAL_PROC 0x1 36 #define CN_VAL_PROC 0x1
35 #define CN_IDX_CIFS 0x2 37 #define CN_IDX_CIFS 0x2
36 #define CN_VAL_CIFS 0x1 38 #define CN_VAL_CIFS 0x1
37 39
38 #define CN_NETLINK_USERS 1 40 #define CN_NETLINK_USERS 1
39 41
40 /* 42 /*
41 * Maximum connector's message size. 43 * Maximum connector's message size.
42 */ 44 */
43 #define CONNECTOR_MAX_MSG_SIZE 1024 45 #define CONNECTOR_MAX_MSG_SIZE 1024
44 46
45 /* 47 /*
46 * idx and val are unique identifiers which 48 * idx and val are unique identifiers which
47 * are used for message routing and 49 * are used for message routing and
48 * must be registered in connector.h for in-kernel usage. 50 * must be registered in connector.h for in-kernel usage.
49 */ 51 */
50 52
51 struct cb_id { 53 struct cb_id {
52 __u32 idx; 54 __u32 idx;
53 __u32 val; 55 __u32 val;
54 }; 56 };
55 57
56 struct cn_msg { 58 struct cn_msg {
57 struct cb_id id; 59 struct cb_id id;
58 60
59 __u32 seq; 61 __u32 seq;
60 __u32 ack; 62 __u32 ack;
61 63
62 __u16 len; /* Length of the following data */ 64 __u16 len; /* Length of the following data */
63 __u16 flags; 65 __u16 flags;
64 __u8 data[0]; 66 __u8 data[0];
65 }; 67 };
66 68
69 #ifdef NOTIF_XXX
67 /* 70 /*
68 * Notify structure - requests notification about 71 * Notify structure - requests notification about
69 * registering/unregistering idx/val in range [first, first+range]. 72 * registering/unregistering idx/val in range [first, first+range].
70 */ 73 */
71 struct cn_notify_req { 74 struct cn_notify_req {
72 __u32 first; 75 __u32 first;
73 __u32 range; 76 __u32 range;
74 }; 77 };
75 78
76 /* 79 /*
77 * Main notification control message 80 * Main notification control message
78 * *_notify_num - number of appropriate cn_notify_req structures after 81 * *_notify_num - number of appropriate cn_notify_req structures after
79 * this struct. 82 * this struct.
80 * group - notification receiver's idx. 83 * group - notification receiver's idx.
81 * len - total length of the attached data. 84 * len - total length of the attached data.
82 */ 85 */
83 struct cn_ctl_msg { 86 struct cn_ctl_msg {
84 __u32 idx_notify_num; 87 __u32 idx_notify_num;
85 __u32 val_notify_num; 88 __u32 val_notify_num;
86 __u32 group; 89 __u32 group;
87 __u32 len; 90 __u32 len;
88 __u8 data[0]; 91 __u8 data[0];
89 }; 92 };
93 #endif
90 94
91 #ifdef __KERNEL__ 95 #ifdef __KERNEL__
92 96
93 #include <asm/atomic.h> 97 #include <asm/atomic.h>
94 98
95 #include <linux/list.h> 99 #include <linux/list.h>
96 #include <linux/workqueue.h> 100 #include <linux/workqueue.h>
97 101
98 #include <net/sock.h> 102 #include <net/sock.h>
99 103
100 #define CN_CBQ_NAMELEN 32 104 #define CN_CBQ_NAMELEN 32
101 105
102 struct cn_queue_dev { 106 struct cn_queue_dev {
103 atomic_t refcnt; 107 atomic_t refcnt;
104 unsigned char name[CN_CBQ_NAMELEN]; 108 unsigned char name[CN_CBQ_NAMELEN];
105 109
106 struct workqueue_struct *cn_queue; 110 struct workqueue_struct *cn_queue;
107 111
108 struct list_head queue_list; 112 struct list_head queue_list;
109 spinlock_t queue_lock; 113 spinlock_t queue_lock;
110 114
111 int netlink_groups; 115 int netlink_groups;
112 struct sock *nls; 116 struct sock *nls;
113 }; 117 };
114 118
115 struct cn_callback_id { 119 struct cn_callback_id {
116 unsigned char name[CN_CBQ_NAMELEN]; 120 unsigned char name[CN_CBQ_NAMELEN];
117 struct cb_id id; 121 struct cb_id id;
118 }; 122 };
119 123
120 struct cn_callback_data { 124 struct cn_callback_data {
121 void (*destruct_data) (void *); 125 void (*destruct_data) (void *);
122 void *ddata; 126 void *ddata;
123 127
124 void *callback_priv; 128 void *callback_priv;
125 void (*callback) (void *); 129 void (*callback) (void *);
126 130
127 void *free; 131 void *free;
128 }; 132 };
129 133
130 struct cn_callback_entry { 134 struct cn_callback_entry {
131 struct list_head callback_entry; 135 struct list_head callback_entry;
132 struct cn_callback *cb; 136 struct cn_callback *cb;
133 struct work_struct work; 137 struct work_struct work;
134 struct cn_queue_dev *pdev; 138 struct cn_queue_dev *pdev;
135 139
136 struct cn_callback_id id; 140 struct cn_callback_id id;
137 struct cn_callback_data data; 141 struct cn_callback_data data;
138 142
139 int seq, group; 143 int seq, group;
140 struct sock *nls; 144 struct sock *nls;
141 }; 145 };
142 146
147 #ifdef NOTIF_XXX
143 struct cn_ctl_entry { 148 struct cn_ctl_entry {
144 struct list_head notify_entry; 149 struct list_head notify_entry;
145 struct cn_ctl_msg *msg; 150 struct cn_ctl_msg *msg;
146 }; 151 };
152 #endif
147 153
148 struct cn_dev { 154 struct cn_dev {
149 struct cb_id id; 155 struct cb_id id;
150 156
151 u32 seq, groups; 157 u32 seq, groups;
152 struct sock *nls; 158 struct sock *nls;
153 void (*input) (struct sock * sk, int len); 159 void (*input) (struct sock * sk, int len);
154 160
155 struct cn_queue_dev *cbdev; 161 struct cn_queue_dev *cbdev;
156 }; 162 };
157 163
158 int cn_add_callback(struct cb_id *, char *, void (*callback) (void *)); 164 int cn_add_callback(struct cb_id *, char *, void (*callback) (void *));
159 void cn_del_callback(struct cb_id *); 165 void cn_del_callback(struct cb_id *);
160 int cn_netlink_send(struct cn_msg *, u32, gfp_t); 166 int cn_netlink_send(struct cn_msg *, u32, gfp_t);
161 167
162 int cn_queue_add_callback(struct cn_queue_dev *dev, char *name, struct cb_id *id, void (*callback)(void *)); 168 int cn_queue_add_callback(struct cn_queue_dev *dev, char *name, struct cb_id *id, void (*callback)(void *));
163 void cn_queue_del_callback(struct cn_queue_dev *dev, struct cb_id *id); 169 void cn_queue_del_callback(struct cn_queue_dev *dev, struct cb_id *id);
164 170
165 struct cn_queue_dev *cn_queue_alloc_dev(char *name, struct sock *); 171 struct cn_queue_dev *cn_queue_alloc_dev(char *name, struct sock *);
166 void cn_queue_free_dev(struct cn_queue_dev *dev); 172 void cn_queue_free_dev(struct cn_queue_dev *dev);
167 173
168 int cn_cb_equal(struct cb_id *, struct cb_id *); 174 int cn_cb_equal(struct cb_id *, struct cb_id *);
169 175
170 void cn_queue_wrapper(void *data); 176 void cn_queue_wrapper(void *data);
171 177
172 extern int cn_already_initialized; 178 extern int cn_already_initialized;
173 179
174 #endif /* __KERNEL__ */ 180 #endif /* __KERNEL__ */
175 #endif /* __CONNECTOR_H */ 181 #endif /* __CONNECTOR_H */
 
File /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/include/linux/fs.h,v (Revision 1.4) [Add File Comment] [<<] [Top] [>>]
 
Line 1 Line 1
1 /* Foo (c) 1999 - created by John Smith 1 /* Foo (c) 1999 - created by John Smith
2 2
3 This program is free software; you can redistribute it 3 This program is free software; you can redistribute it
4 and/or modify it under the terms of the GNU General Public 4 and/or modify it under the terms of the GNU General Public
5 License as published by the Free Software Foundation; 5 License as published by the Free Software Foundation;
6 version 2 of the License. For a copy, see 6 version 2 of the License. For a copy, see
7 http://www.gnu.org/licenses/gpl-2.0.html. 7 http://www.gnu.org/licenses/gpl-2.0.html.
8 8
9 This program is distributed in the hope that it will be 9 This program is distributed in the hope that it will be
10 useful, but WITHOUT ANY WARRANTY; without even the implied 10 useful, but WITHOUT ANY WARRANTY; without even the implied
11 warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 11 warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
12 PURPOSE. See the GNU General Public License for more 12 PURPOSE. See the GNU General Public License for more
13 details. 13 details.
14 14
15 */ 15 */
16 16
17 /* Foo includes modifications created by Aerohive Networks, 17 /* Foo includes modifications created by Aerohive Networks,
18 Inc. (c) 2006-2011. 18 Inc. (c) 2006-2015.
19 19
20 This program, as modified by Aerohive Networks, Inc. is 20 This program, as modified by Aerohive Networks, Inc. is
21 distributed WITHOUT ANY WARRANTY; without even the implied 21 distributed WITHOUT ANY WARRANTY; without even the implied
22 warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 22 warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
23 PURPOSE. See sections 11 and 12 of the GNU General Public 23 PURPOSE. See sections 11 and 12 of the GNU General Public
24 License for more details. 24 License for more details.
25 25
26 */ 26 */
27 #ifndef _LINUX_FS_H 27 #ifndef _LINUX_FS_H
28 #define _LINUX_FS_H 28 #define _LINUX_FS_H
29 29
30 /* 30 /*
31 * This file has definitions for some important file table 31 * This file has definitions for some important file table
32 * structures etc. 32 * structures etc.
33 */ 33 */
34 34
35 #include <linux/config.h> 35 #include <linux/config.h>
36 #include <linux/limits.h> 36 #include <linux/limits.h>
37 #include <linux/ioctl.h> 37 #include <linux/ioctl.h>
38 38
39 /* 39 /*
40 * It's silly to have NR_OPEN bigger than NR_FILE, but you can change 40 * It's silly to have NR_OPEN bigger than NR_FILE, but you can change
41 * the file limit at runtime and only root can increase the per-process 41 * the file limit at runtime and only root can increase the per-process
42 * nr_file rlimit, so it's safe to set up a ridiculously high absolute 42 * nr_file rlimit, so it's safe to set up a ridiculously high absolute
43 * upper limit on files-per-process. 43 * upper limit on files-per-process.
44 * 44 *
45 * Some programs (notably those using select()) may have to be 45 * Some programs (notably those using select()) may have to be
46 * recompiled to take full advantage of the new limits.. 46 * recompiled to take full advantage of the new limits..
47 */ 47 */
48 48
 
 
Line 1545 Line 1545
1545 extern void generic_delete_inode(struct inode *inode); 1545 extern void generic_delete_inode(struct inode *inode);
1546 extern void generic_drop_inode(struct inode *inode); 1546 extern void generic_drop_inode(struct inode *inode);
1547 1547
1548 extern struct inode *ilookup5_nowait(struct super_block *sb, 1548 extern struct inode *ilookup5_nowait(struct super_block *sb,
1549 unsigned long hashval, int (*test)(struct inode *, void *), 1549 unsigned long hashval, int (*test)(struct inode *, void *),
1550 void *data); 1550 void *data);
1551 extern struct inode *ilookup5(struct super_block *sb, unsigned long hashval, 1551 extern struct inode *ilookup5(struct super_block *sb, unsigned long hashval,
1552 int (*test)(struct inode *, void *), void *data); 1552 int (*test)(struct inode *, void *), void *data);
1553 extern struct inode *ilookup(struct super_block *sb, unsigned long ino); 1553 extern struct inode *ilookup(struct super_block *sb, unsigned long ino);
1554 1554
1555 extern struct inode * iget5_locked(struct super_block *, unsigned long, int (*test)(struct inode *, void *), int (*set)(struct inode *, void *), void *); 1555 extern struct inode * iget5_locked(struct super_block *, unsigned long, int (*test)(struct inode *, void *), int (*set)(struct inode *, void *), void *);
1556 extern struct inode * iget_locked(struct super_block *, unsigned long); 1556 extern struct inode * iget_locked(struct super_block *, unsigned long);
1557 extern void unlock_new_inode(struct inode *); 1557 extern void unlock_new_inode(struct inode *);
1558 1558
1559 static inline struct inode *iget(struct super_block *sb, unsigned long ino) 1559 static inline struct inode *iget(struct super_block *sb, unsigned long ino)
1560 { 1560 {
1561 struct inode *inode = iget_locked(sb, ino); 1561 struct inode *inode = iget_locked(sb, ino);
1562 1562
1563 if (inode && (inode->i_state & I_NEW)) { 1563 if (inode && (inode->i_state & I_NEW)) {
1564 sb->s_op->read_inode(inode); 1564 sb->s_op->read_inode(inode);
1565 unlock_new_inode(inode); 1565 unlock_new_inode(inode);
1566 } 1566 }
1567 1567
1568 return inode; 1568 return inode;
1569 } 1569 }
1570 1570
1571 extern void __iget(struct inode * inode); 1571 extern void __iget(struct inode * inode);
1572 extern void clear_inode(struct inode *); 1572 extern void clear_inode(struct inode *);
1573 extern void destroy_inode(struct inode *); 1573 extern void destroy_inode(struct inode *);
1574 extern struct inode *new_inode(struct super_block *); 1574 extern struct inode *new_inode(struct super_block *);
1575 extern int should_remove_suid(struct dentry *); /* cve-2008-4210 : kernel.org: 2006-10-19 */
1575 extern int remove_suid(struct dentry *); 1576 extern int remove_suid(struct dentry *);
1576 extern void remove_dquot_ref(struct super_block *, int, struct list_head *); 1577 extern void remove_dquot_ref(struct super_block *, int, struct list_head *);
1577 extern struct semaphore iprune_sem; 1578 extern struct semaphore iprune_sem;
1578 1579
1579 extern void __insert_inode_hash(struct inode *, unsigned long hashval); 1580 extern void __insert_inode_hash(struct inode *, unsigned long hashval);
1580 extern void remove_inode_hash(struct inode *); 1581 extern void remove_inode_hash(struct inode *);
1581 static inline void insert_inode_hash(struct inode *inode) { 1582 static inline void insert_inode_hash(struct inode *inode) {
1582 __insert_inode_hash(inode, inode->i_ino); 1583 __insert_inode_hash(inode, inode->i_ino);
1583 } 1584 }
1584 1585
1585 extern struct file * get_empty_filp(void); 1586 extern struct file * get_empty_filp(void);
1586 extern void file_move(struct file *f, struct list_head *list); 1587 extern void file_move(struct file *f, struct list_head *list);
1587 extern void file_kill(struct file *f); 1588 extern void file_kill(struct file *f);
1588 struct bio; 1589 struct bio;
1589 extern void submit_bio(int, struct bio *); 1590 extern void submit_bio(int, struct bio *);
1590 extern int bdev_read_only(struct block_device *); 1591 extern int bdev_read_only(struct block_device *);
1591 extern int set_blocksize(struct block_device *, int); 1592 extern int set_blocksize(struct block_device *, int);
1592 extern int sb_set_blocksize(struct super_block *, int); 1593 extern int sb_set_blocksize(struct super_block *, int);
1593 extern int sb_min_blocksize(struct super_block *, int); 1594 extern int sb_min_blocksize(struct super_block *, int);
1594 1595
1595 extern int generic_file_mmap(struct file *, struct vm_area_struct *); 1596 extern int generic_file_mmap(struct file *, struct vm_area_struct *);
1596 extern int generic_file_readonly_mmap(struct file *, struct vm_area_struct *); 1597 extern int generic_file_readonly_mmap(struct file *, struct vm_area_struct *);
1597 extern int file_read_actor(read_descriptor_t * desc, struct page *page, unsigned long offset, unsigned long size); 1598 extern int file_read_actor(read_descriptor_t * desc, struct page *page, unsigned long offset, unsigned long size);
1598 extern int file_send_actor(read_descriptor_t * desc, struct page *page, unsigned long offset, unsigned long size); 1599 extern int file_send_actor(read_descriptor_t * desc, struct page *page, unsigned long offset, unsigned long size);
1599 extern ssize_t generic_file_read(struct file *, char __user *, size_t, loff_t *); 1600 extern ssize_t generic_file_read(struct file *, char __user *, size_t, loff_t *);
1600 int generic_write_checks(struct file *file, loff_t *pos, size_t *count, int isblk); 1601 int generic_write_checks(struct file *file, loff_t *pos, size_t *count, int isblk);
1601 extern ssize_t generic_file_write(struct file *, const char __user *, size_t, loff_t *); 1602 extern ssize_t generic_file_write(struct file *, const char __user *, size_t, loff_t *);
1602 extern ssize_t generic_file_aio_read(struct kiocb *, char __user *, size_t, loff_t); 1603 extern ssize_t generic_file_aio_read(struct kiocb *, char __user *, size_t, loff_t);
1603 extern ssize_t __generic_file_aio_read(struct kiocb *, const struct iovec *, unsigned long, loff_t *); 1604 extern ssize_t __generic_file_aio_read(struct kiocb *, const struct iovec *, unsigned long, loff_t *);
1604 extern ssize_t generic_file_aio_write(struct kiocb *, const char __user *, size_t, loff_t); 1605 extern ssize_t generic_file_aio_write(struct kiocb *, const char __user *, size_t, loff_t);
 
File /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/include/linux/sysctl.h,v (Revision 1.1.1.1.260.1) [Add File Comment] [<<] [Top] [>>]
 
Line 21 Line 21
21 #include <linux/kernel.h> 21 #include <linux/kernel.h>
22 #include <linux/types.h> 22 #include <linux/types.h>
23 #include <linux/compiler.h> 23 #include <linux/compiler.h>
24 24
25 struct file; 25 struct file;
26 struct completion; 26 struct completion;
27 27
28 #define CTL_MAXNAME 10 /* how many path components do we allow in a 28 #define CTL_MAXNAME 10 /* how many path components do we allow in a
29 call to sysctl? In other words, what is 29 call to sysctl? In other words, what is
30 the largest acceptable value for the nlen 30 the largest acceptable value for the nlen
31 member of a struct __sysctl_args to have? */ 31 member of a struct __sysctl_args to have? */
32 32
33 struct __sysctl_args { 33 struct __sysctl_args {
34 int __user *name; 34 int __user *name;
35 int nlen; 35 int nlen;
36 void __user *oldval; 36 void __user *oldval;
37 size_t __user *oldlenp; 37 size_t __user *oldlenp;
38 void __user *newval; 38 void __user *newval;
39 size_t newlen; 39 size_t newlen;
40 unsigned long __unused[4]; 40 unsigned long __unused[4];
41 }; 41 };
42 42
43 /* Define sysctl names first */ 43 /* Define sysctl names first */
44 44
45 /* Top-level names: */ 45 /* Top-level names: */
46 46
47 /* For internal pattern-matching use only: */ 47 /* For internal pattern-matching use only: */
48 #ifdef __KERNEL__ 48 #ifdef __KERNEL__
49 #define CTL_ANY -1 /* Matches any name */ 49 #define CTL_ANY -1 /* Matches any name */
50 #define CTL_NONE 0 50 #define CTL_NONE 0
51 #define CTL_UNNUMBERED CTL_NONE /* AH: for print-fatal-signals */
51 #endif 52 #endif
52 53
53 enum 54 enum
54 { 55 {
55 CTL_KERN=1, /* General kernel info and control */ 56 CTL_KERN=1, /* General kernel info and control */
56 CTL_VM=2, /* VM management */ 57 CTL_VM=2, /* VM management */
57 CTL_NET=3, /* Networking */ 58 CTL_NET=3, /* Networking */
58 CTL_PROC=4, /* Process info */ 59 CTL_PROC=4, /* Process info */
59 CTL_FS=5, /* Filesystems */ 60 CTL_FS=5, /* Filesystems */
60 CTL_DEBUG=6, /* Debugging */ 61 CTL_DEBUG=6, /* Debugging */
61 CTL_DEV=7, /* Devices */ 62 CTL_DEV=7, /* Devices */
62 CTL_BUS=8, /* Busses */ 63 CTL_BUS=8, /* Busses */
63 CTL_ABI=9, /* Binary emulation */ 64 CTL_ABI=9, /* Binary emulation */
64 CTL_CPU=10 /* CPU stuff (speed scaling, etc) */ 65 CTL_CPU=10 /* CPU stuff (speed scaling, etc) */
65 }; 66 };
66 67
67 /* CTL_BUS names: */ 68 /* CTL_BUS names: */
68 enum 69 enum
69 { 70 {
70 CTL_BUS_ISA=1 /* ISA */ 71 CTL_BUS_ISA=1 /* ISA */
71 }; 72 };
72 73
73 /* /proc/sys/fs/inotify/ */ 74 /* /proc/sys/fs/inotify/ */
74 enum 75 enum
75 { 76 {
76 INOTIFY_MAX_USER_INSTANCES=1, /* max instances per user */ 77 INOTIFY_MAX_USER_INSTANCES=1, /* max instances per user */
77 INOTIFY_MAX_USER_WATCHES=2, /* max watches per user */ 78 INOTIFY_MAX_USER_WATCHES=2, /* max watches per user */
78 INOTIFY_MAX_QUEUED_EVENTS=3 /* max queued events per instance */ 79 INOTIFY_MAX_QUEUED_EVENTS=3 /* max queued events per instance */
79 }; 80 };
80 81
 
File /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/ipc/compat.c,v (Revision 1.1.1.1) [Add File Comment] [<<] [Top] [>>]
static inline int put_compat_semid64_ds( static inline int put_compat_semid64_ds(
 
Line 217 Line 217
217 err = __put_compat_ipc64_perm(&s64->sem_perm, &up64->sem_perm); 217 err = __put_compat_ipc64_perm(&s64->sem_perm, &up64->sem_perm);
218 err |= __put_user(s64->sem_otime, &up64->sem_otime); 218 err |= __put_user(s64->sem_otime, &up64->sem_otime);
219 err |= __put_user(s64->sem_ctime, &up64->sem_ctime); 219 err |= __put_user(s64->sem_ctime, &up64->sem_ctime);
220 err |= __put_user(s64->sem_nsems, &up64->sem_nsems); 220 err |= __put_user(s64->sem_nsems, &up64->sem_nsems);
221 return err; 221 return err;
222 } 222 }
223 223
224 static inline int put_compat_semid_ds(struct semid64_ds *s, 224 static inline int put_compat_semid_ds(struct semid64_ds *s,
225 struct compat_semid_ds __user *up) 225 struct compat_semid_ds __user *up)
226 { 226 {
227 int err; 227 int err;
228 228
229 if (!access_ok (VERIFY_WRITE, up, sizeof(*up))) 229 if (!access_ok (VERIFY_WRITE, up, sizeof(*up)))
230 err = -EFAULT; 230 err = -EFAULT;
231 err = __put_compat_ipc_perm(&s->sem_perm, &up->sem_perm); 231 err = __put_compat_ipc_perm(&s->sem_perm, &up->sem_perm);
232 err |= __put_user(s->sem_otime, &up->sem_otime); 232 err |= __put_user(s->sem_otime, &up->sem_otime);
233 err |= __put_user(s->sem_ctime, &up->sem_ctime); 233 err |= __put_user(s->sem_ctime, &up->sem_ctime);
234 err |= __put_user(s->sem_nsems, &up->sem_nsems); 234 err |= __put_user(s->sem_nsems, &up->sem_nsems);
235 return err; 235 return err;
236 } 236 }
237 237
238 long compat_sys_semctl(int first, int second, int third, void __user *uptr) 238 long compat_sys_semctl(int first, int second, int third, void __user *uptr)
239 { 239 {
240 union semun fourth; 240 union semun fourth;
241 u32 pad; 241 u32 pad;
242 int err, err2; 242 int err, err2;
243 struct semid64_ds s64; 243 struct semid64_ds s64;
244 struct semid64_ds __user *up64; 244 struct semid64_ds __user *up64;
245 int version = compat_ipc_parse_version(&third); 245 int version = compat_ipc_parse_version(&third);
246 246
247 memset(&s64, 0, sizeof(s64)); /* cve-2010-4073 : kernel.org : 2010-10-28 : init struct mem */
248
247 if (!uptr) 249 if (!uptr)
248 return -EINVAL; 250 return -EINVAL;
249 if (get_user(pad, (u32 __user *) uptr)) 251 if (get_user(pad, (u32 __user *) uptr))
250 return -EFAULT; 252 return -EFAULT;
251 if ((third & (~IPC_64)) == SETVAL) 253 if ((third & (~IPC_64)) == SETVAL)
252 fourth.val = (int) pad; 254 fourth.val = (int) pad;
253 else 255 else
254 fourth.__pad = compat_ptr(pad); 256 fourth.__pad = compat_ptr(pad);
255 switch (third & (~IPC_64)) { 257 switch (third & (~IPC_64)) {
256 case IPC_INFO: 258 case IPC_INFO:
257 case IPC_RMID: 259 case IPC_RMID:
258 case SEM_INFO: 260 case SEM_INFO:
259 case GETVAL: 261 case GETVAL:
260 case GETPID: 262 case GETPID:
261 case GETNCNT: 263 case GETNCNT:
262 case GETZCNT: 264 case GETZCNT:
263 case GETALL: 265 case GETALL:
264 case SETVAL: 266 case SETVAL:
265 case SETALL: 267 case SETALL:
266 err = sys_semctl(first, second, third, fourth); 268 err = sys_semctl(first, second, third, fourth);
267 break; 269 break;
268 270
269 case IPC_STAT: 271 case IPC_STAT:
270 case SEM_STAT: 272 case SEM_STAT:
271 up64 = compat_alloc_user_space(sizeof(s64)); 273 up64 = compat_alloc_user_space(sizeof(s64));
272 fourth.__pad = up64; 274 fourth.__pad = up64;
273 err = sys_semctl(first, second, third, fourth); 275 err = sys_semctl(first, second, third, fourth);
274 if (err < 0) 276 if (err < 0)
275 break; 277 break;
276 if (copy_from_user(&s64, up64, sizeof(s64))) 278 if (copy_from_user(&s64, up64, sizeof(s64)))
 
 
Line 405 Line 407
405 err |= __put_user(m64->msg_lrpid, &up64->msg_lrpid); 407 err |= __put_user(m64->msg_lrpid, &up64->msg_lrpid);
406 return err; 408 return err;
407 } 409 }
408 410
409 static inline int put_compat_msqid_ds(struct msqid64_ds *m, 411 static inline int put_compat_msqid_ds(struct msqid64_ds *m,
410 struct compat_msqid_ds __user *up) 412 struct compat_msqid_ds __user *up)
411 { 413 {
412 int err; 414 int err;
413 415
414 if (!access_ok(VERIFY_WRITE, up, sizeof(*up))) 416 if (!access_ok(VERIFY_WRITE, up, sizeof(*up)))
415 return -EFAULT; 417 return -EFAULT;
416 err = __put_compat_ipc_perm(&m->msg_perm, &up->msg_perm); 418 err = __put_compat_ipc_perm(&m->msg_perm, &up->msg_perm);
417 err |= __put_user(m->msg_stime, &up->msg_stime); 419 err |= __put_user(m->msg_stime, &up->msg_stime);
418 err |= __put_user(m->msg_rtime, &up->msg_rtime); 420 err |= __put_user(m->msg_rtime, &up->msg_rtime);
419 err |= __put_user(m->msg_ctime, &up->msg_ctime); 421 err |= __put_user(m->msg_ctime, &up->msg_ctime);
420 err |= __put_user(m->msg_cbytes, &up->msg_cbytes); 422 err |= __put_user(m->msg_cbytes, &up->msg_cbytes);
421 err |= __put_user(m->msg_qnum, &up->msg_qnum); 423 err |= __put_user(m->msg_qnum, &up->msg_qnum);
422 err |= __put_user(m->msg_qbytes, &up->msg_qbytes); 424 err |= __put_user(m->msg_qbytes, &up->msg_qbytes);
423 err |= __put_user(m->msg_lspid, &up->msg_lspid); 425 err |= __put_user(m->msg_lspid, &up->msg_lspid);
424 err |= __put_user(m->msg_lrpid, &up->msg_lrpid); 426 err |= __put_user(m->msg_lrpid, &up->msg_lrpid);
425 return err; 427 return err;
426 } 428 }
427 429
428 long compat_sys_msgctl(int first, int second, void __user *uptr) 430 long compat_sys_msgctl(int first, int second, void __user *uptr)
429 { 431 {
430 int err, err2; 432 int err, err2;
431 struct msqid64_ds m64; 433 struct msqid64_ds m64;
432 int version = compat_ipc_parse_version(&second); 434 int version = compat_ipc_parse_version(&second);
433 void __user *p; 435 void __user *p;
434 436
437 memset(&m64, 0, sizeof(m64)); /* cve-2010-4073 : kernel.org : 2010-10-28 : init struct mem */
438
435 switch (second & (~IPC_64)) { 439 switch (second & (~IPC_64)) {
436 case IPC_INFO: 440 case IPC_INFO:
437 case IPC_RMID: 441 case IPC_RMID:
438 case MSG_INFO: 442 case MSG_INFO:
439 err = sys_msgctl(first, second, uptr); 443 err = sys_msgctl(first, second, uptr);
440 break; 444 break;
441 445
442 case IPC_SET: 446 case IPC_SET:
443 if (version == IPC_64) { 447 if (version == IPC_64) {
444 err = get_compat_msqid64(&m64, uptr); 448 err = get_compat_msqid64(&m64, uptr);
445 } else { 449 } else {
446 err = get_compat_msqid(&m64, uptr); 450 err = get_compat_msqid(&m64, uptr);
447 } 451 }
448 if (err) 452 if (err)
449 break; 453 break;
450 p = compat_alloc_user_space(sizeof(m64)); 454 p = compat_alloc_user_space(sizeof(m64));
451 if (copy_to_user(p, &m64, sizeof(m64))) 455 if (copy_to_user(p, &m64, sizeof(m64)))
452 err = -EFAULT; 456 err = -EFAULT;
453 else 457 else
454 err = sys_msgctl(first, second, p); 458 err = sys_msgctl(first, second, p);
455 break; 459 break;
456 460
457 case IPC_STAT: 461 case IPC_STAT:
458 case MSG_STAT: 462 case MSG_STAT:
459 p = compat_alloc_user_space(sizeof(m64)); 463 p = compat_alloc_user_space(sizeof(m64));
460 err = sys_msgctl(first, second, p); 464 err = sys_msgctl(first, second, p);
461 if (err < 0) 465 if (err < 0)
462 break; 466 break;
463 if (copy_from_user(&m64, p, sizeof(m64))) 467 if (copy_from_user(&m64, p, sizeof(m64)))
464 err2 = -EFAULT; 468 err2 = -EFAULT;
 
 
Line 574 Line 578
574 err |= __put_user(smi->shmall, &up->shmall); 578 err |= __put_user(smi->shmall, &up->shmall);
575 return err; 579 return err;
576 } 580 }
577 581
578 static inline int put_compat_shm_info(struct shm_info __user *ip, 582 static inline int put_compat_shm_info(struct shm_info __user *ip,
579 struct compat_shm_info __user *uip) 583 struct compat_shm_info __user *uip)
580 { 584 {
581 int err; 585 int err;
582 struct shm_info si; 586 struct shm_info si;
583 587
584 if (!access_ok(VERIFY_WRITE, uip, sizeof(*uip)) || 588 if (!access_ok(VERIFY_WRITE, uip, sizeof(*uip)) ||
585 copy_from_user(&si, ip, sizeof(si))) 589 copy_from_user(&si, ip, sizeof(si)))
586 return -EFAULT; 590 return -EFAULT;
587 err = __put_user(si.used_ids, &uip->used_ids); 591 err = __put_user(si.used_ids, &uip->used_ids);
588 err |= __put_user(si.shm_tot, &uip->shm_tot); 592 err |= __put_user(si.shm_tot, &uip->shm_tot);
589 err |= __put_user(si.shm_rss, &uip->shm_rss); 593 err |= __put_user(si.shm_rss, &uip->shm_rss);
590 err |= __put_user(si.shm_swp, &uip->shm_swp); 594 err |= __put_user(si.shm_swp, &uip->shm_swp);
591 err |= __put_user(si.swap_attempts, &uip->swap_attempts); 595 err |= __put_user(si.swap_attempts, &uip->swap_attempts);
592 err |= __put_user(si.swap_successes, &uip->swap_successes); 596 err |= __put_user(si.swap_successes, &uip->swap_successes);
593 return err; 597 return err;
594 } 598 }
595 599
596 long compat_sys_shmctl(int first, int second, void __user *uptr) 600 long compat_sys_shmctl(int first, int second, void __user *uptr)
597 { 601 {
598 void __user *p; 602 void __user *p;
599 struct shmid64_ds s64; 603 struct shmid64_ds s64;
600 struct shminfo64 smi; 604 struct shminfo64 smi;
601 int err, err2; 605 int err, err2;
602 int version = compat_ipc_parse_version(&second); 606 int version = compat_ipc_parse_version(&second);
603 607
608 memset(&s64, 0, sizeof(s64)); /* cve-2010-4073 : kernel.org : 2010-10-28 : init struct mem */
609
604 switch (second & (~IPC_64)) { 610 switch (second & (~IPC_64)) {
605 case IPC_RMID: 611 case IPC_RMID:
606 case SHM_LOCK: 612 case SHM_LOCK:
607 case SHM_UNLOCK: 613 case SHM_UNLOCK:
608 err = sys_shmctl(first, second, uptr); 614 err = sys_shmctl(first, second, uptr);
609 break; 615 break;
610 616
611 case IPC_INFO: 617 case IPC_INFO:
612 p = compat_alloc_user_space(sizeof(smi)); 618 p = compat_alloc_user_space(sizeof(smi));
613 err = sys_shmctl(first, second, p); 619 err = sys_shmctl(first, second, p);
614 if (err < 0) 620 if (err < 0)
615 break; 621 break;
616 if (copy_from_user(&smi, p, sizeof(smi))) 622 if (copy_from_user(&smi, p, sizeof(smi)))
617 err2 = -EFAULT; 623 err2 = -EFAULT;
618 else if (version == IPC_64) 624 else if (version == IPC_64)
619 err2 = put_compat_shminfo64(&smi, uptr); 625 err2 = put_compat_shminfo64(&smi, uptr);
620 else 626 else
621 err2 = put_compat_shminfo(&smi, uptr); 627 err2 = put_compat_shminfo(&smi, uptr);
622 if (err2) 628 if (err2)
623 err = -EFAULT; 629 err = -EFAULT;
624 break; 630 break;
625 631
626 632
627 case IPC_SET: 633 case IPC_SET:
628 if (version == IPC_64) { 634 if (version == IPC_64) {
629 err = get_compat_shmid64_ds(&s64, uptr); 635 err = get_compat_shmid64_ds(&s64, uptr);
630 } else { 636 } else {
631 err = get_compat_shmid_ds(&s64, uptr); 637 err = get_compat_shmid_ds(&s64, uptr);
632 } 638 }
633 if (err) 639 if (err)
 
File /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/ipc/compat_mq.c,v (Revision 1.1.1.1) [Add File Comment] [<<] [Top] [>>]
static inline int get_compat_mq_attr(str static inline int get_compat_mq_attr(str
 
Line 26 Line 26
26 const struct compat_mq_attr __user *uattr) 26 const struct compat_mq_attr __user *uattr)
27 { 27 {
28 if (!access_ok(VERIFY_READ, uattr, sizeof *uattr)) 28 if (!access_ok(VERIFY_READ, uattr, sizeof *uattr))
29 return -EFAULT; 29 return -EFAULT;
30 30
31 return __get_user(attr->mq_flags, &uattr->mq_flags) 31 return __get_user(attr->mq_flags, &uattr->mq_flags)
32 | __get_user(attr->mq_maxmsg, &uattr->mq_maxmsg) 32 | __get_user(attr->mq_maxmsg, &uattr->mq_maxmsg)
33 | __get_user(attr->mq_msgsize, &uattr->mq_msgsize) 33 | __get_user(attr->mq_msgsize, &uattr->mq_msgsize)
34 | __get_user(attr->mq_curmsgs, &uattr->mq_curmsgs); 34 | __get_user(attr->mq_curmsgs, &uattr->mq_curmsgs);
35 } 35 }
36 36
37 static inline int put_compat_mq_attr(const struct mq_attr *attr, 37 static inline int put_compat_mq_attr(const struct mq_attr *attr,
38 struct compat_mq_attr __user *uattr) 38 struct compat_mq_attr __user *uattr)
39 { 39 {
40 if (clear_user(uattr, sizeof *uattr)) 40 if (clear_user(uattr, sizeof *uattr))
41 return -EFAULT; 41 return -EFAULT;
42 42
43 return __put_user(attr->mq_flags, &uattr->mq_flags) 43 return __put_user(attr->mq_flags, &uattr->mq_flags)
44 | __put_user(attr->mq_maxmsg, &uattr->mq_maxmsg) 44 | __put_user(attr->mq_maxmsg, &uattr->mq_maxmsg)
45 | __put_user(attr->mq_msgsize, &uattr->mq_msgsize) 45 | __put_user(attr->mq_msgsize, &uattr->mq_msgsize)
46 | __put_user(attr->mq_curmsgs, &uattr->mq_curmsgs); 46 | __put_user(attr->mq_curmsgs, &uattr->mq_curmsgs);
47 } 47 }
48 48
49 asmlinkage long compat_sys_mq_open(const char __user *u_name, 49 asmlinkage long compat_sys_mq_open(const char __user *u_name,
50 int oflag, compat_mode_t mode, 50 int oflag, compat_mode_t mode,
51 struct compat_mq_attr __user *u_attr) 51 struct compat_mq_attr __user *u_attr)
52 { 52 {
53 void __user *p = NULL; 53 void __user *p = NULL;
54 if (u_attr && oflag & O_CREAT) { 54 if (u_attr && oflag & O_CREAT) {
55 struct mq_attr attr; 55 struct mq_attr attr;
56
57 memset(&attr, 0, sizeof(attr)); /* cve-2010-4073 : kernel.org: 2010-10-28: init struct mem*/
58
56 p = compat_alloc_user_space(sizeof(attr)); 59 p = compat_alloc_user_space(sizeof(attr));
57 if (get_compat_mq_attr(&attr, u_attr) || 60 if (get_compat_mq_attr(&attr, u_attr) ||
58 copy_to_user(p, &attr, sizeof(attr))) 61 copy_to_user(p, &attr, sizeof(attr)))
59 return -EFAULT; 62 return -EFAULT;
60 } 63 }
61 return sys_mq_open(u_name, oflag, mode, p); 64 return sys_mq_open(u_name, oflag, mode, p);
62 } 65 }
63 66
64 static int compat_prepare_timeout(struct timespec __user * *p, 67 static int compat_prepare_timeout(struct timespec __user * *p,
65 const struct compat_timespec __user *u) 68 const struct compat_timespec __user *u)
66 { 69 {
67 struct timespec ts; 70 struct timespec ts;
68 if (!u) { 71 if (!u) {
69 *p = NULL; 72 *p = NULL;
70 return 0; 73 return 0;
71 } 74 }
72 *p = compat_alloc_user_space(sizeof(ts)); 75 *p = compat_alloc_user_space(sizeof(ts));
73 if (get_compat_timespec(&ts, u) || copy_to_user(*p, &ts, sizeof(ts))) 76 if (get_compat_timespec(&ts, u) || copy_to_user(*p, &ts, sizeof(ts)))
74 return -EFAULT; 77 return -EFAULT;
75 return 0; 78 return 0;
76 } 79 }
77 80
78 asmlinkage long compat_sys_mq_timedsend(mqd_t mqdes, 81 asmlinkage long compat_sys_mq_timedsend(mqd_t mqdes,
79 const char __user *u_msg_ptr, 82 const char __user *u_msg_ptr,
80 size_t msg_len, unsigned int msg_prio, 83 size_t msg_len, unsigned int msg_prio,
81 const struct compat_timespec __user *u_abs_timeout) 84 const struct compat_timespec __user *u_abs_timeout)
82 { 85 {
83 struct timespec __user *u_ts; 86 struct timespec __user *u_ts;
84 87
85 if (compat_prepare_timeout(&u_ts, u_abs_timeout)) 88 if (compat_prepare_timeout(&u_ts, u_abs_timeout))
 
 
Line 100 Line 103
100 103
101 return sys_mq_timedreceive(mqdes, u_msg_ptr, msg_len, 104 return sys_mq_timedreceive(mqdes, u_msg_ptr, msg_len,
102 u_msg_prio, u_ts); 105 u_msg_prio, u_ts);
103 } 106 }
104 107
105 asmlinkage long compat_sys_mq_notify(mqd_t mqdes, 108 asmlinkage long compat_sys_mq_notify(mqd_t mqdes,
106 const struct compat_sigevent __user *u_notification) 109 const struct compat_sigevent __user *u_notification)
107 { 110 {
108 struct sigevent __user *p = NULL; 111 struct sigevent __user *p = NULL;
109 if (u_notification) { 112 if (u_notification) {
110 struct sigevent n; 113 struct sigevent n;
111 p = compat_alloc_user_space(sizeof(*p)); 114 p = compat_alloc_user_space(sizeof(*p));
112 if (get_compat_sigevent(&n, u_notification)) 115 if (get_compat_sigevent(&n, u_notification))
113 return -EFAULT; 116 return -EFAULT;
114 if (n.sigev_notify == SIGEV_THREAD) 117 if (n.sigev_notify == SIGEV_THREAD)
115 n.sigev_value.sival_ptr = compat_ptr(n.sigev_value.sival_int); 118 n.sigev_value.sival_ptr = compat_ptr(n.sigev_value.sival_int);
116 if (copy_to_user(p, &n, sizeof(*p))) 119 if (copy_to_user(p, &n, sizeof(*p)))
117 return -EFAULT; 120 return -EFAULT;
118 } 121 }
119 return sys_mq_notify(mqdes, p); 122 return sys_mq_notify(mqdes, p);
120 } 123 }
121 124
122 asmlinkage long compat_sys_mq_getsetattr(mqd_t mqdes, 125 asmlinkage long compat_sys_mq_getsetattr(mqd_t mqdes,
123 const struct compat_mq_attr __user *u_mqstat, 126 const struct compat_mq_attr __user *u_mqstat,
124 struct compat_mq_attr __user *u_omqstat) 127 struct compat_mq_attr __user *u_omqstat)
125 { 128 {
126 struct mq_attr mqstat; 129 struct mq_attr mqstat;
127 struct mq_attr __user *p = compat_alloc_user_space(2 * sizeof(*p)); 130 struct mq_attr __user *p = compat_alloc_user_space(2 * sizeof(*p));
128 long ret; 131 long ret;
129 132
133 memset(&mqstat, 0, sizeof(mqstat)); /* cve-2010-4073 : kernel.org: 2010-10-28: init struct mem*/
134
130 if (u_mqstat) { 135 if (u_mqstat) {
131 if (get_compat_mq_attr(&mqstat, u_mqstat) || 136 if (get_compat_mq_attr(&mqstat, u_mqstat) ||
132 copy_to_user(p, &mqstat, sizeof(mqstat))) 137 copy_to_user(p, &mqstat, sizeof(mqstat)))
133 return -EFAULT; 138 return -EFAULT;
134 } 139 }
135 ret = sys_mq_getsetattr(mqdes, 140 ret = sys_mq_getsetattr(mqdes,
136 u_mqstat ? p : NULL, 141 u_mqstat ? p : NULL,
137 u_omqstat ? p + 1 : NULL); 142 u_omqstat ? p + 1 : NULL);
138 if (ret) 143 if (ret)
139 return ret; 144 return ret;
140 if (u_omqstat) { 145 if (u_omqstat) {
141 if (copy_from_user(&mqstat, p + 1, sizeof(mqstat)) || 146 if (copy_from_user(&mqstat, p + 1, sizeof(mqstat)) ||
142 put_compat_mq_attr(&mqstat, u_omqstat)) 147 put_compat_mq_attr(&mqstat, u_omqstat))
143 return -EFAULT; 148 return -EFAULT;
144 } 149 }
145 return 0; 150 return 0;
146 } 151 }
 
File /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/ipc/sem.c,v (Revision 1.3) [Add File Comment] [<<] [Top] [>>]
static void freeary (struct sem_array *s static void freeary (struct sem_array *s
 
Line 486 Line 486
486 struct sem_queue *n; 486 struct sem_queue *n;
487 /* lazy remove_from_queue: we are killing the whole queue */ 487 /* lazy remove_from_queue: we are killing the whole queue */
488 q->prev = NULL; 488 q->prev = NULL;
489 n = q->next; 489 n = q->next;
490 q->status = IN_WAKEUP; 490 q->status = IN_WAKEUP;
491 wake_up_process(q->sleeper); /* doesn't sleep */ 491 wake_up_process(q->sleeper); /* doesn't sleep */
492 smp_wmb(); 492 smp_wmb();
493 q->status = -EIDRM; /* hands-off q */ 493 q->status = -EIDRM; /* hands-off q */
494 q = n; 494 q = n;
495 } 495 }
496 496
497 /* Remove the semaphore set from the ID array*/ 497 /* Remove the semaphore set from the ID array*/
498 sma = sem_rmid(id); 498 sma = sem_rmid(id);
499 sem_unlock(sma); 499 sem_unlock(sma);
500 500
501 used_sems -= sma->sem_nsems; 501 used_sems -= sma->sem_nsems;
502 size = sizeof (*sma) + sma->sem_nsems * sizeof (struct sem); 502 size = sizeof (*sma) + sma->sem_nsems * sizeof (struct sem);
503 security_sem_free(sma); 503 security_sem_free(sma);
504 ipc_rcu_putref(sma); 504 ipc_rcu_putref(sma);
505 } 505 }
506 506
507 static unsigned long copy_semid_to_user(void __user *buf, struct semid64_ds *in, int version) 507 static unsigned long copy_semid_to_user(void __user *buf, struct semid64_ds *in, int version)
508 { 508 {
509 switch(version) { 509 switch(version) {
510 case IPC_64: 510 case IPC_64:
511 return copy_to_user(buf, in, sizeof(*in)); 511 return copy_to_user(buf, in, sizeof(*in));
512 case IPC_OLD: 512 case IPC_OLD:
513 { 513 {
514 struct semid_ds out; 514 struct semid_ds out;
515 515
516 memset(&out, 0, sizeof(out)); /* cve-2010-4083 : kernel.org : 2010-10-01: fix kernel stack leak */
517
516 ipc64_perm_to_ipc_perm(&in->sem_perm, &out.sem_perm); 518 ipc64_perm_to_ipc_perm(&in->sem_perm, &out.sem_perm);
517 519
518 out.sem_otime = in->sem_otime; 520 out.sem_otime = in->sem_otime;
519 out.sem_ctime = in->sem_ctime; 521 out.sem_ctime = in->sem_ctime;
520 out.sem_nsems = in->sem_nsems; 522 out.sem_nsems = in->sem_nsems;
521 523
522 return copy_to_user(buf, &out, sizeof(out)); 524 return copy_to_user(buf, &out, sizeof(out));
523 } 525 }
524 default: 526 default:
525 return -EINVAL; 527 return -EINVAL;
526 } 528 }
527 } 529 }
528 530
529 static int semctl_nolock(int semid, int semnum, int cmd, int version, union semun arg) 531 static int semctl_nolock(int semid, int semnum, int cmd, int version, union semun arg)
530 { 532 {
531 int err = -EINVAL; 533 int err = -EINVAL;
532 struct sem_array *sma; 534 struct sem_array *sma;
533 535
534 switch(cmd) { 536 switch(cmd) {
535 case IPC_INFO: 537 case IPC_INFO:
536 case SEM_INFO: 538 case SEM_INFO:
537 { 539 {
538 struct seminfo seminfo; 540 struct seminfo seminfo;
539 int max_id; 541 int max_id;
540 542
541 err = security_sem_semctl(NULL, cmd); 543 err = security_sem_semctl(NULL, cmd);
542 if (err) 544 if (err)
543 return err; 545 return err;
544 546
545 memset(&seminfo,0,sizeof(seminfo)); 547 memset(&seminfo,0,sizeof(seminfo));
 
File /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/ipc/shm.c,v (Revision 1.3) [Add File Comment] [<<] [Top] [>>]
 
Line 1 Line 1
1 /* Foo (c) 1999 - created by John Smith 1 /* Foo (c) 1999 - created by John Smith
2 2
3 This program is free software; you can redistribute it 3 This program is free software; you can redistribute it
4 and/or modify it under the terms of the GNU General Public 4 and/or modify it under the terms of the GNU General Public
5 License as published by the Free Software Foundation; 5 License as published by the Free Software Foundation;
6 version 2 of the License. For a copy, see 6 version 2 of the License. For a copy, see
7 http://www.gnu.org/licenses/gpl-2.0.html. 7 http://www.gnu.org/licenses/gpl-2.0.html.
8 8
9 This program is distributed in the hope that it will be 9 This program is distributed in the hope that it will be
10 useful, but WITHOUT ANY WARRANTY; without even the implied 10 useful, but WITHOUT ANY WARRANTY; without even the implied
11 warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 11 warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
12 PURPOSE. See the GNU General Public License for more 12 PURPOSE. See the GNU General Public License for more
13 details. 13 details.
14 14
15 */ 15 */
16 16
17 /* Foo includes modifications created by Aerohive Networks, 17 /* Foo includes modifications created by Aerohive Networks,
18 Inc. (c) 2006-2011. 18 Inc. (c) 2006-2015.
19 19
20 This program, as modified by Aerohive Networks, Inc. is 20 This program, as modified by Aerohive Networks, Inc. is
21 distributed WITHOUT ANY WARRANTY; without even the implied 21 distributed WITHOUT ANY WARRANTY; without even the implied
22 warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 22 warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
23 PURPOSE. See sections 11 and 12 of the GNU General Public 23 PURPOSE. See sections 11 and 12 of the GNU General Public
24 License for more details. 24 License for more details.
25 25
26 */ 26 */
27 /* 27 /*
28 * linux/ipc/shm.c 28 * linux/ipc/shm.c
29 * Copyright (C) 1992, 1993 Krishna Balasubramanian 29 * Copyright (C) 1992, 1993 Krishna Balasubramanian
30 * Many improvements/fixes by Bruno Haible. 30 * Many improvements/fixes by Bruno Haible.
31 * Replaced `struct shm_desc' by `struct vm_area_struct', July 1994. 31 * Replaced `struct shm_desc' by `struct vm_area_struct', July 1994.
32 * Fixed the shm swap deallocation (shm_unuse()), August 1998 Andrea Arcangeli. 32 * Fixed the shm swap deallocation (shm_unuse()), August 1998 Andrea Arcangeli.
33 * 33 *
34 * /proc/sysvipc/shm support (c) 1999 Dragos Acostachioaie <dragos@iname.com> 34 * /proc/sysvipc/shm support (c) 1999 Dragos Acostachioaie <dragos@iname.com>
35 * BIGMEM support, Andrea Arcangeli <andrea@suse.de> 35 * BIGMEM support, Andrea Arcangeli <andrea@suse.de>
36 * SMP thread shm, Jean-Luc Boyard <jean-luc.boyard@siemens.fr> 36 * SMP thread shm, Jean-Luc Boyard <jean-luc.boyard@siemens.fr>
37 * HIGHMEM support, Ingo Molnar <mingo@redhat.com> 37 * HIGHMEM support, Ingo Molnar <mingo@redhat.com>
38 * Make shmmax, shmall, shmmni sysctl'able, Christoph Rohland <cr@sap.com> 38 * Make shmmax, shmall, shmmni sysctl'able, Christoph Rohland <cr@sap.com>
39 * Shared /dev/zero support, Kanoj Sarcar <kanoj@sgi.com> 39 * Shared /dev/zero support, Kanoj Sarcar <kanoj@sgi.com>
40 * Move the mm functionality over to mm/shmem.c, Christoph Rohland <cr@sap.com> 40 * Move the mm functionality over to mm/shmem.c, Christoph Rohland <cr@sap.com>
41 * 41 *
42 */ 42 */
43 43
44 #include <linux/config.h> 44 #include <linux/config.h>
45 #include <linux/slab.h> 45 #include <linux/slab.h>
46 #include <linux/mm.h> 46 #include <linux/mm.h>
47 #include <linux/hugetlb.h> 47 #include <linux/hugetlb.h>
48 #include <linux/shm.h> 48 #include <linux/shm.h>
 
 
Line 311 Line 311
311 } else { 311 } else {
312 shp = shm_lock(id); 312 shp = shm_lock(id);
313 if(shp==NULL) 313 if(shp==NULL)
314 BUG(); 314 BUG();
315 if (shp->shm_segsz < size) 315 if (shp->shm_segsz < size)
316 err = -EINVAL; 316 err = -EINVAL;
317 else if (ipcperms(&shp->shm_perm, shmflg)) 317 else if (ipcperms(&shp->shm_perm, shmflg))
318 err = -EACCES; 318 err = -EACCES;
319 else { 319 else {
320 int shmid = shm_buildid(id, shp->shm_perm.seq); 320 int shmid = shm_buildid(id, shp->shm_perm.seq);
321 err = security_shm_associate(shp, shmflg); 321 err = security_shm_associate(shp, shmflg);
322 if (!err) 322 if (!err)
323 err = shmid; 323 err = shmid;
324 } 324 }
325 shm_unlock(shp); 325 shm_unlock(shp);
326 } 326 }
327 up(&shm_ids.sem); 327 up(&shm_ids.sem);
328 328
329 return err; 329 return err;
330 } 330 }
331 331
332 static inline unsigned long copy_shmid_to_user(void __user *buf, struct shmid64_ds *in, int version) 332 static inline unsigned long copy_shmid_to_user(void __user *buf, struct shmid64_ds *in, int version)
333 { 333 {
334 switch(version) { 334 switch(version) {
335 case IPC_64: 335 case IPC_64:
336 return copy_to_user(buf, in, sizeof(*in)); 336 return copy_to_user(buf, in, sizeof(*in));
337 case IPC_OLD: 337 case IPC_OLD:
338 { 338 {
339 struct shmid_ds out; 339 struct shmid_ds out;
340 340
341 memset(&out, 0, sizeof(out)); /* cve-2010-4072 : kernel.org : 2010-10-30 : fix info leak*/
341 ipc64_perm_to_ipc_perm(&in->shm_perm, &out.shm_perm); 342 ipc64_perm_to_ipc_perm(&in->shm_perm, &out.shm_perm);
342 out.shm_segsz = in->shm_segsz; 343 out.shm_segsz = in->shm_segsz;
343 out.shm_atime = in->shm_atime; 344 out.shm_atime = in->shm_atime;
344 out.shm_dtime = in->shm_dtime; 345 out.shm_dtime = in->shm_dtime;
345 out.shm_ctime = in->shm_ctime; 346 out.shm_ctime = in->shm_ctime;
346 out.shm_cpid = in->shm_cpid; 347 out.shm_cpid = in->shm_cpid;
347 out.shm_lpid = in->shm_lpid; 348 out.shm_lpid = in->shm_lpid;
348 out.shm_nattch = in->shm_nattch; 349 out.shm_nattch = in->shm_nattch;
349 350
350 /* Use offsetof() instead of sizeof() since N32 userspace has a 351 /* Use offsetof() instead of sizeof() since N32 userspace has a
351 different size including the unused fields. This just copies 352 different size including the unused fields. This just copies
352 what is used. The old method would corrupt data after the 353 what is used. The old method would corrupt data after the
353 structure */ 354 structure */
354 return copy_to_user(buf, &out, offsetof(struct shmid_ds, shm_unused2)); 355 return copy_to_user(buf, &out, offsetof(struct shmid_ds, shm_unused2));
355 } 356 }
356 default: 357 default:
357 return -EINVAL; 358 return -EINVAL;
358 } 359 }
359 } 360 }
360 361
361 struct shm_setbuf { 362 struct shm_setbuf {
362 uid_t uid; 363 uid_t uid;
363 gid_t gid; 364 gid_t gid;
364 mode_t mode; 365 mode_t mode;
365 }; 366 };
366 367
367 static inline unsigned long copy_shmid_from_user(struct shm_setbuf *out, void __user *buf, int version) 368 static inline unsigned long copy_shmid_from_user(struct shm_setbuf *out, void __user *buf, int version)
368 { 369 {
369 switch(version) { 370 switch(version) {
370 case IPC_64: 371 case IPC_64:
 
 
Line 397 Line 398
397 return -EINVAL; 398 return -EINVAL;
398 } 399 }
399 } 400 }
400 401
401 static inline unsigned long copy_shminfo_to_user(void __user *buf, struct shminfo64 *in, int version) 402 static inline unsigned long copy_shminfo_to_user(void __user *buf, struct shminfo64 *in, int version)
402 { 403 {
403 switch(version) { 404 switch(version) {
404 case IPC_64: 405 case IPC_64:
405 return copy_to_user(buf, in, sizeof(*in)); 406 return copy_to_user(buf, in, sizeof(*in));
406 case IPC_OLD: 407 case IPC_OLD:
407 { 408 {
408 struct shminfo out; 409 struct shminfo out;
409 410
410 if(in->shmmax > INT_MAX) 411 if(in->shmmax > INT_MAX)
411 out.shmmax = INT_MAX; 412 out.shmmax = INT_MAX;
412 else 413 else
413 out.shmmax = (int)in->shmmax; 414 out.shmmax = (int)in->shmmax;
414 415
415 out.shmmin = in->shmmin; 416 out.shmmin = in->shmmin;
416 out.shmmni = in->shmmni; 417 out.shmmni = in->shmmni;
417 out.shmseg = in->shmseg; 418 out.shmseg = in->shmseg;
418 out.shmall = in->shmall; 419 out.shmall = in->shmall;
419 420
420 return copy_to_user(buf, &out, sizeof(out)); 421 return copy_to_user(buf, &out, sizeof(out));
421 } 422 }
422 default: 423 default:
423 return -EINVAL; 424 return -EINVAL;
424 } 425 }
425 } 426 }
426 427
428 /* cve-2009-0859 : lockup with !CONFIG_SHMEM */
427 static void shm_get_stat(unsigned long *rss, unsigned long *swp) 429 static void shm_get_stat(unsigned long *rss, unsigned long *swp)
428 { 430 {
429 int i; 431 int i;
430 432
431 *rss = 0; 433 *rss = 0;
432 *swp = 0; 434 *swp = 0;
433 435
434 for (i = 0; i <= shm_ids.max_id; i++) { 436 for (i = 0; i <= shm_ids.max_id; i++) {
435 struct shmid_kernel *shp; 437 struct shmid_kernel *shp;
436 struct inode *inode; 438 struct inode *inode;
437 439
438 shp = shm_get(i); 440 shp = shm_get(i);
439 if(!shp) 441 if(!shp)
440 continue; 442 continue;
441 443
442 inode = shp->shm_file->f_dentry->d_inode; 444 inode = shp->shm_file->f_dentry->d_inode;
443 445
444 if (is_file_hugepages(shp->shm_file)) { 446 if (is_file_hugepages(shp->shm_file)) {
445 struct address_space *mapping = inode->i_mapping; 447 struct address_space *mapping = inode->i_mapping;
446 *rss += (HPAGE_SIZE/PAGE_SIZE)*mapping->nrpages; 448 *rss += (HPAGE_SIZE/PAGE_SIZE)*mapping->nrpages;
447 } else { 449 } else {
450 #ifdef CONFIG_SHMEM
448 struct shmem_inode_info *info = SHMEM_I(inode); 451 struct shmem_inode_info *info = SHMEM_I(inode);
449 spin_lock(&info->lock); 452 spin_lock(&info->lock);
450 *rss += inode->i_mapping->nrpages; 453 *rss += inode->i_mapping->nrpages;
451 *swp += info->swapped; 454 *swp += info->swapped;
452 spin_unlock(&info->lock); 455 spin_unlock(&info->lock);
456 #else
457 *rss += inode->i_mapping->nrpages;
458 #endif
453 } 459 }
454 } 460 }
455 } 461 }
456 462
457 asmlinkage long sys_shmctl (int shmid, int cmd, struct shmid_ds __user *buf) 463 asmlinkage long sys_shmctl (int shmid, int cmd, struct shmid_ds __user *buf)
458 { 464 {
459 struct shm_setbuf setbuf; 465 struct shm_setbuf setbuf;
460 struct shmid_kernel *shp; 466 struct shmid_kernel *shp;
461 int err, version; 467 int err, version;
462 468
463 if (cmd < 0 || shmid < 0) { 469 if (cmd < 0 || shmid < 0) {
464 err = -EINVAL; 470 err = -EINVAL;
465 goto out; 471 goto out;
466 } 472 }
467 473
468 version = ipc_parse_version(&cmd); 474 version = ipc_parse_version(&cmd);
469 475
470 switch (cmd) { /* replace with proc interface ? */ 476 switch (cmd) { /* replace with proc interface ? */
471 case IPC_INFO: 477 case IPC_INFO:
472 { 478 {
473 struct shminfo64 shminfo; 479 struct shminfo64 shminfo;
474 480
475 err = security_shm_shmctl(NULL, cmd); 481 err = security_shm_shmctl(NULL, cmd);
476 if (err) 482 if (err)
477 return err; 483 return err;
478 484
479 memset(&shminfo,0,sizeof(shminfo)); 485 memset(&shminfo,0,sizeof(shminfo));
480 shminfo.shmmni = shminfo.shmseg = shm_ctlmni; 486 shminfo.shmmni = shminfo.shmseg = shm_ctlmni;
481 shminfo.shmmax = shm_ctlmax; 487 shminfo.shmmax = shm_ctlmax;
482 shminfo.shmall = shm_ctlall; 488 shminfo.shmall = shm_ctlall;
 
File /aerohive/aeroscvsrep/aeros/kernel/linux-2.6.16.26/kernel/fork.c,v (Revision 1.4.80.1) [Add File Comment] [<<] [Top] [>>]
 
Line 1 Line 1
1 /* Foo (c) 1999 - created by John Smith 1 /* Foo (c) 1999 - created by John Smith
2 2
3 This program is free software; you can redistribute it 3 This program is free software; you can redistribute it
4 and/or modify it under the terms of the GNU General Public 4 and/or modify it under the terms of the GNU General Public
5 License as published by the Free Software Foundation; 5 License as published by the Free Software Foundation;
6 version 2 of the License. For a copy, see 6 version 2 of the License. For a copy, see
7 http://www.gnu.org/licenses/gpl-2.0.html. 7 http://www.gnu.org/licenses/gpl-2.0.html.
8 8
9 This program is distributed in the hope that it will be 9 This program is distributed in the hope that it will be
10 useful, but WITHOUT ANY WARRANTY; without even the implied 10 useful, but WITHOUT ANY WARRANTY; without even the implied
11 warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 11 warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
12 PURPOSE. See the GNU General Public License for more 12 PURPOSE. See the GNU General Public License for more