6 files changed, 57 insertions, 42 deletions

diff --git a/kernel/module-internal.h b/kernel/module-internal.h
index 6114a13419bd..24f9247b7d02 100644
--- a/kernel/module-internal.h
+++ b/kernel/module-internal.h
@@ -11,5 +11,4 @@
 
 extern struct key *modsign_keyring;
 
-extern int mod_verify_sig(const void *mod, unsigned long modlen,
-                          const void *sig, unsigned long siglen);
+extern int mod_verify_sig(const void *mod, unsigned long *_modlen);
diff --git a/kernel/module.c b/kernel/module.c
index 0e2da8695f8e..6085f5ef88ea 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -2421,25 +2421,17 @@ static inline void kmemleak_load_module(const struct module *mod,
 
 #ifdef CONFIG_MODULE_SIG
 static int module_sig_check(struct load_info *info,
-                            const void *mod, unsigned long *len)
+                            const void *mod, unsigned long *_len)
 {
         int err = -ENOKEY;
-        const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
-        const void *p = mod, *end = mod + *len;
-
-        /* Poor man's memmem. */
-        while ((p = memchr(p, MODULE_SIG_STRING[0], end - p))) {
-                if (p + markerlen > end)
-                        break;
-
-                if (memcmp(p, MODULE_SIG_STRING, markerlen) == 0) {
-                        const void *sig = p + markerlen;
-                        /* Truncate module up to signature. */
-                        *len = p - mod;
-                        err = mod_verify_sig(mod, *len, sig, end - sig);
-                        break;
-                }
-                p++;
+        unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
+        unsigned long len = *_len;
+
+        if (len > markerlen &&
+            memcmp(mod + len - markerlen, MODULE_SIG_STRING, markerlen) == 0) {
+                /* We truncate the module to discard the signature */
+                *_len -= markerlen;
+                err = mod_verify_sig(mod, _len);
         }
 
         if (!err) {
diff --git a/kernel/module_signing.c b/kernel/module_signing.c
index 6b09f6983ac0..d492a23df99c 100644
--- a/kernel/module_signing.c
+++ b/kernel/module_signing.c
@@ -183,27 +183,33 @@ static struct key *request_asymmetric_key(const char *signer, size_t signer_len,
 /*
  * Verify the signature on a module.
  */
-int mod_verify_sig(const void *mod, unsigned long modlen,
-                   const void *sig, unsigned long siglen)
+int mod_verify_sig(const void *mod, unsigned long *_modlen)
 {
         struct public_key_signature *pks;
         struct module_signature ms;
         struct key *key;
-        size_t sig_len;
+        const void *sig;
+        size_t modlen = *_modlen, sig_len;
         int ret;
 
-        pr_devel("==>%s(,%lu,,%lu,)\n", __func__, modlen, siglen);
+        pr_devel("==>%s(,%lu)\n", __func__, modlen);
 
-        if (siglen <= sizeof(ms))
+        if (modlen <= sizeof(ms))
                 return -EBADMSG;
 
-        memcpy(&ms, sig + (siglen - sizeof(ms)), sizeof(ms));
-        siglen -= sizeof(ms);
+        memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms));
+        modlen -= sizeof(ms);
 
         sig_len = be32_to_cpu(ms.sig_len);
-        if (sig_len >= siglen ||
-            siglen - sig_len != (size_t)ms.signer_len + ms.key_id_len)
+        if (sig_len >= modlen)
                 return -EBADMSG;
+        modlen -= sig_len;
+        if ((size_t)ms.signer_len + ms.key_id_len >= modlen)
+                return -EBADMSG;
+        modlen -= (size_t)ms.signer_len + ms.key_id_len;
+
+        *_modlen = modlen;
+        sig = mod + modlen;
 
         /* For the moment, only support RSA and X.509 identifiers */
         if (ms.algo != PKEY_ALGO_RSA ||
diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c
index 478bad2745e3..eb00be205811 100644
--- a/kernel/pid_namespace.c
+++ b/kernel/pid_namespace.c
@@ -133,19 +133,26 @@ struct pid_namespace *copy_pid_ns(unsigned long flags, struct pid_namespace *old
         return create_pid_namespace(old_ns);
 }
 
-void free_pid_ns(struct kref *kref)
+static void free_pid_ns(struct kref *kref)
 {
-        struct pid_namespace *ns, *parent;
+        struct pid_namespace *ns;
 
         ns = container_of(kref, struct pid_namespace, kref);
-
-        parent = ns->parent;
         destroy_pid_namespace(ns);
+}
 
-        if (parent != NULL)
-                put_pid_ns(parent);
+void put_pid_ns(struct pid_namespace *ns)
+{
+        struct pid_namespace *parent;
+
+        while (ns != &init_pid_ns) {
+                parent = ns->parent;
+                if (!kref_put(&ns->kref, free_pid_ns))
+                        break;
+                ns = parent;
+        }
 }
-EXPORT_SYMBOL_GPL(free_pid_ns);
+EXPORT_SYMBOL_GPL(put_pid_ns);
 
 void zap_pid_ns_processes(struct pid_namespace *pid_ns)
 {
diff --git a/kernel/printk.c b/kernel/printk.c
index 66a2ea37b576..22e070f3470a 100644
--- a/kernel/printk.c
+++ b/kernel/printk.c
@@ -87,6 +87,12 @@ static DEFINE_SEMAPHORE(console_sem);
 struct console *console_drivers;
 EXPORT_SYMBOL_GPL(console_drivers);
 
+#ifdef CONFIG_LOCKDEP
+static struct lockdep_map console_lock_dep_map = {
+        .name = "console_lock"
+};
+#endif
+
 /*
  * This is used for debugging the mess that is the VT code by
  * keeping track if we have the console semaphore held. It's
@@ -1890,7 +1896,6 @@ static int __cpuinit console_cpu_notify(struct notifier_block *self,
         switch (action) {
         case CPU_ONLINE:
         case CPU_DEAD:
-        case CPU_DYING:
         case CPU_DOWN_FAILED:
         case CPU_UP_CANCELED:
                 console_lock();
@@ -1909,12 +1914,14 @@ static int __cpuinit console_cpu_notify(struct notifier_block *self,
  */
 void console_lock(void)
 {
-        BUG_ON(in_interrupt());
+        might_sleep();
+
         down(&console_sem);
         if (console_suspended)
                 return;
         console_locked = 1;
         console_may_schedule = 1;
+        mutex_acquire(&console_lock_dep_map, 0, 0, _RET_IP_);
 }
 EXPORT_SYMBOL(console_lock);
 
@@ -1936,6 +1943,7 @@ int console_trylock(void)
         }
         console_locked = 1;
         console_may_schedule = 0;
+        mutex_acquire(&console_lock_dep_map, 0, 1, _RET_IP_);
         return 1;
 }
 EXPORT_SYMBOL(console_trylock);
@@ -2096,6 +2104,7 @@ skip:
                 local_irq_restore(flags);
         }
         console_locked = 0;
+        mutex_release(&console_lock_dep_map, 1, _RET_IP_);
 
         /* Release the exclusive_console once it is used */
         if (unlikely(exclusive_console))
diff --git a/kernel/sys.c b/kernel/sys.c
index c5cb5b99cb81..e6e0ece5f6a0 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1265,15 +1265,16 @@ DECLARE_RWSEM(uts_sem);
  * Work around broken programs that cannot handle "Linux 3.0".
  * Instead we map 3.x to 2.6.40+x, so e.g. 3.0 would be 2.6.40
  */
-static int override_release(char __user *release, int len)
+static int override_release(char __user *release, size_t len)
 {
         int ret = 0;
-        char buf[65];
 
         if (current->personality & UNAME26) {
-                char *rest = UTS_RELEASE;
+                const char *rest = UTS_RELEASE;
+                char buf[65] = { 0 };
                 int ndots = 0;
                 unsigned v;
+                size_t copy;
 
                 while (*rest) {
                         if (*rest == '.' && ++ndots >= 3)
@@ -1283,8 +1284,9 @@ static int override_release(char __user *release, int len)
                         rest++;
                 }
                 v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40;
-                snprintf(buf, len, "2.6.%u%s", v, rest);
-                ret = copy_to_user(release, buf, len);
+                copy = clamp_t(size_t, len, 1, sizeof(buf));
+                copy = scnprintf(buf, copy, "2.6.%u%s", v, rest);
+                ret = copy_to_user(release, buf, copy + 1);
         }
         return ret;
 }