1. 12 Sep, 2014 11 commits
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs · 7ed641be
      Linus Torvalds authored
      Pull btrfs fixes from Chris Mason:
       "Filipe is doing a careful pass through fsync problems, and these are
        the fixes so far.  I'll have one more for rc6 that we're still
        testing.
      
        My big commit is fixing up some inode hash races that Al Viro found
        (thanks Al)"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
        Btrfs: use insert_inode_locked4 for inode creation
        Btrfs: fix fsync data loss after a ranged fsync
        Btrfs: kfree()ing ERR_PTRs
        Btrfs: fix crash while doing a ranged fsync
        Btrfs: fix corruption after write/fsync failure + fsync + log recovery
        Btrfs: fix autodefrag with compression
      7ed641be
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 9925cc13
      Linus Torvalds authored
      Pull arm64 fixes from Will Deacon:
       "Just a couple of stragglers here:
      
         - fix an issue migrating interrupts on CPU hotplug
         - fix a potential information leak of TLS registers across an exec
           (Nathan has sent a corresponding patch for arch/arm/ to rmk)"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: flush TLS registers during exec
        arm64: use irq_set_affinity with force=false when migrating irqs
      9925cc13
    • Linus Torvalds's avatar
      Merge tag 'iommu-fixes-v3.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · 753a6cb7
      Linus Torvalds authored
      Pull iommu fixes from Joerg Roedel:
       - two fixes for issues found by Coverity
       - various fixes for the ARM SMMU driver
       - a warning fix for the FSL PAMU driver
      
      * tag 'iommu-fixes-v3.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
        iommu/fsl: Fix warning resulting from adding PCI device twice
        iommu/arm-smmu: fix corner cases in address size calculations
        iommu/arm-smmu: fix decimal printf format specifiers prefixed with 0x
        iommu/arm-smmu: Do not access non-existing S2CR registers
        iommu/arm-smmu: fix s2cr and smr teardown on device detach from domain
        iommu/arm-smmu: remove pgtable_page_{c,d}tor()
        iommu/arm-smmu: fix programming of SMMU_CBn_TCR for stage 1
        iommu/arm-smmu: avoid calling request_irq in atomic context
        iommu/vt-d: Check return value of acpi_bus_get_device()
        iommu/core: Make iommu_group_get_for_dev() more robust
      753a6cb7
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security · 96ea975b
      Linus Torvalds authored
      Pull assoc array garbage collection fix from James Morris.
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
        KEYS: Fix termination condition in assoc array garbage collection
      96ea975b
    • Linus Torvalds's avatar
      Merge tag 'fbdev-fixes-3.17' of git://git.kernel.org/pub/scm/linux/kernel/git/tomba/linux · 5874cfed
      Linus Torvalds authored
      Pull fbdev fixes from Tomi Valkeinen:
       "Minor fixes for amba-clcd and video DT bindings"
      
      * tag 'fbdev-fixes-3.17' of git://git.kernel.org/pub/scm/linux/kernel/git/tomba/linux:
        video: ARM CLCD: Fix color model capabilities for DT platforms
        video: fix composite video connector compatible string
      5874cfed
    • Linus Torvalds's avatar
      Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux · 850ebc0c
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "AST, i915, radeon and msm fixes, all over the place.
      
        All fixing build issues, regressions, oopses or failure to detect
        cards"
      
      * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
        drm/ast: AST2000 cannot be detected correctly
        drm/ast: open key before detect chips
        drm/msm: don't crash if no msm.vram param
        drm/msm/hdmi: fix build break on non-CCF platforms
        drm/msm: Change nested function to static function
        drm/radeon/dpm: set the thermal type properly for special configs
        drm/radeon: reduce memory footprint for debugging
        drm/radeon: add connector quirk for fujitsu board
        drm/radeon: fix semaphore value init
        drm/radeon: only use me/pfp sync on evergreen+
        drm/i915: Wait for vblank before enabling the TV encoder
        drm/i915: Evict CS TLBs between batches
        drm/i915: Fix irq enable tracking in driver load
        drm/i915: Fix EIO/wedged handling in gem fault handler
        drm/i915: Prevent recursive deadlock on releasing a busy userptr
      850ebc0c
    • David Howells's avatar
      KEYS: Fix termination condition in assoc array garbage collection · 95389b08
      David Howells authored
      This fixes CVE-2014-3631.
      
      It is possible for an associative array to end up with a shortcut node at the
      root of the tree if there are more than fan-out leaves in the tree, but they
      all crowd into the same slot in the lowest level (ie. they all have the same
      first nibble of their index keys).
      
      When assoc_array_gc() returns back up the tree after scanning some leaves, it
      can fall off of the root and crash because it assumes that the back pointer
      from a shortcut (after label ascend_old_tree) must point to a normal node -
      which isn't true of a shortcut node at the root.
      
      Should we find we're ascending rootwards over a shortcut, we should check to
      see if the backpointer is zero - and if it is, we have completed the scan.
      
      This particular bug cannot occur if the root node is not a shortcut - ie. if
      you have fewer than 17 keys in a keyring or if you have at least two keys that
      sit into separate slots (eg. a keyring and a non keyring).
      
      This can be reproduced by:
      
      	ring=`keyctl newring bar @s`
      	for ((i=1; i<=18; i++)); do last_key=`keyctl newring foo$i $ring`; done
      	keyctl timeout $last_key 2
      
      Doing this:
      
      	echo 3 >/proc/sys/kernel/keys/gc_delay
      
      first will speed things up.
      
      If we do fall off of the top of the tree, we get the following oops:
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
      IP: [<ffffffff8136cea7>] assoc_array_gc+0x2f7/0x540
      PGD dae15067 PUD cfc24067 PMD 0
      Oops: 0000 [#1] SMP
      Modules linked in: xt_nat xt_mark nf_conntrack_netbios_ns nf_conntrack_broadcast ip6t_rpfilter ip6t_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables ip6table_ni
      CPU: 0 PID: 26011 Comm: kworker/0:1 Not tainted 3.14.9-200.fc20.x86_64 #1
      Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
      Workqueue: events key_garbage_collector
      task: ffff8800918bd580 ti: ffff8800aac14000 task.ti: ffff8800aac14000
      RIP: 0010:[<ffffffff8136cea7>] [<ffffffff8136cea7>] assoc_array_gc+0x2f7/0x540
      RSP: 0018:ffff8800aac15d40  EFLAGS: 00010206
      RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8800aaecacc0
      RDX: ffff8800daecf440 RSI: 0000000000000001 RDI: ffff8800aadc2bc0
      RBP: ffff8800aac15da8 R08: 0000000000000001 R09: 0000000000000003
      R10: ffffffff8136ccc7 R11: 0000000000000000 R12: 0000000000000000
      R13: 0000000000000000 R14: 0000000000000070 R15: 0000000000000001
      FS:  0000000000000000(0000) GS:ffff88011fc00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      CR2: 0000000000000018 CR3: 00000000db10d000 CR4: 00000000000006f0
      Stack:
       ffff8800aac15d50 0000000000000011 ffff8800aac15db8 ffffffff812e2a70
       ffff880091a00600 0000000000000000 ffff8800aadc2bc3 00000000cd42c987
       ffff88003702df20 ffff88003702dfa0 0000000053b65c09 ffff8800aac15fd8
      Call Trace:
       [<ffffffff812e2a70>] ? keyring_detect_cycle_iterator+0x30/0x30
       [<ffffffff812e3e75>] keyring_gc+0x75/0x80
       [<ffffffff812e1424>] key_garbage_collector+0x154/0x3c0
       [<ffffffff810a67b6>] process_one_work+0x176/0x430
       [<ffffffff810a744b>] worker_thread+0x11b/0x3a0
       [<ffffffff810a7330>] ? rescuer_thread+0x3b0/0x3b0
       [<ffffffff810ae1a8>] kthread+0xd8/0xf0
       [<ffffffff810ae0d0>] ? insert_kthread_work+0x40/0x40
       [<ffffffff816ffb7c>] ret_from_fork+0x7c/0xb0
       [<ffffffff810ae0d0>] ? insert_kthread_work+0x40/0x40
      Code: 08 4c 8b 22 0f 84 bf 00 00 00 41 83 c7 01 49 83 e4 fc 41 83 ff 0f 4c 89 65 c0 0f 8f 5a fe ff ff 48 8b 45 c0 4d 63 cf 49 83 c1 02 <4e> 8b 34 c8 4d 85 f6 0f 84 be 00 00 00 41 f6 c6 01 0f 84 92
      RIP  [<ffffffff8136cea7>] assoc_array_gc+0x2f7/0x540
       RSP <ffff8800aac15d40>
      CR2: 0000000000000018
      ---[ end trace 1129028a088c0cbd ]---
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarDon Zickus <dzickus@redhat.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      95389b08
    • Pawel Moll's avatar
      video: ARM CLCD: Fix color model capabilities for DT platforms · e4cf39ea
      Pawel Moll authored
      The DT-based panel capabilities selection was picking up
      a subset of available modes based on hardware configuration.
      This was wrong, as the capabilities describe available
      memory models and adapt the display controller to them
      that the RGB output is wired up correctly (as in: R and
      B components are not swapped).
      
      This patch fixes it by removing the unnecessary limitation.
      Signed-off-by: default avatarPawel Moll <pawel.moll@arm.com>
      Signed-off-by: default avatarTomi Valkeinen <tomi.valkeinen@ti.com>
      e4cf39ea
    • Y.C. Chen's avatar
      drm/ast: AST2000 cannot be detected correctly · 83502a5d
      Y.C. Chen authored
      Type error and cause AST2000 cannot be detected correctly
      Signed-off-by: default avatarY.C. Chen <yc_chen@aspeedtech.com>
      Reviewed-by: default avatarEgbert Eich <eich@suse.de>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      83502a5d
    • Y.C. Chen's avatar
      drm/ast: open key before detect chips · 8f372e25
      Y.C. Chen authored
      Some config settings like 3rd TX chips will not get correctly
      if the extended reg is protected
      Signed-off-by: default avatarY.C. Chen <yc_chen@aspeedtech.com>
      Reviewed-by: default avatarEgbert Eich <eich@suse.de>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      8f372e25
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client · c73f6fdf
      Linus Torvalds authored
      Pull Ceph fixes from Sage Weil:
       "The main thing here is a set of three patches that fix a buffer
        overrun for large authentication tickets (sigh).
      
        There is also a trivial warning fix and an error path fix that are
        both regressions"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client:
        libceph: do not hard code max auth ticket len
        libceph: add process_one_ticket() helper
        libceph: gracefully handle large reply messages from the mon
        rbd: fix error return code in rbd_dev_device_setup()
        rbd: avoid format-security warning inside alloc_workqueue()
      c73f6fdf
  2. 11 Sep, 2014 16 commits
  3. 10 Sep, 2014 13 commits
    • Linus Torvalds's avatar
      Merge branch 'akpm' (fixes from Andrew Morton) · 584f1ada
      Linus Torvalds authored
      Merge misc fixes from Andrew Morton:
       "10 fixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        fs/notify: don't show f_handle if exportfs_encode_inode_fh failed
        fsnotify/fdinfo: use named constants instead of hardcoded values
        kcmp: fix standard comparison bug
        mm/mmap.c: use pr_emerg when printing BUG related information
        shm: add memfd.h to UAPI export list
        checkpatch: allow commit descriptions on separate line from commit id
        sh: get_user_pages_fast() must flush cache
        eventpoll: fix uninitialized variable in epoll_ctl
        kernel/printk/printk.c: fix faulty logic in the case of recursive printk
        mem-hotplug: let memblock skip the hotpluggable memory regions in __next_mem_range()
      584f1ada
    • Andrey Vagin's avatar
      fs/notify: don't show f_handle if exportfs_encode_inode_fh failed · 7e882481
      Andrey Vagin authored
      Currently we handle only ENOSPC.  In case of other errors the file_handle
      variable isn't filled properly and we will show a part of stack.
      Signed-off-by: default avatarAndrey Vagin <avagin@openvz.org>
      Acked-by: default avatarCyrill Gorcunov <gorcunov@openvz.org>
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      7e882481
    • Andrey Vagin's avatar
      fsnotify/fdinfo: use named constants instead of hardcoded values · 1fc98d11
      Andrey Vagin authored
      MAX_HANDLE_SZ is equal to 128, but currently the size of pad is only 64
      bytes, so exportfs_encode_inode_fh can return an error.
      Signed-off-by: default avatarAndrey Vagin <avagin@openvz.org>
      Acked-by: default avatarCyrill Gorcunov <gorcunov@openvz.org>
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      1fc98d11
    • Rasmus Villemoes's avatar
      kcmp: fix standard comparison bug · acbbe6fb
      Rasmus Villemoes authored
      The C operator <= defines a perfectly fine total ordering on the set of
      values representable in a long.  However, unlike its namesake in the
      integers, it is not translation invariant, meaning that we do not have
      "b <= c" iff "a+b <= a+c" for all a,b,c.
      
      This means that it is always wrong to try to boil down the relationship
      between two longs to a question about the sign of their difference,
      because the resulting relation [a LEQ b iff a-b <= 0] is neither
      anti-symmetric or transitive.  The former is due to -LONG_MIN==LONG_MIN
      (take any two a,b with a-b = LONG_MIN; then a LEQ b and b LEQ a, but a !=
      b).  The latter can either be seen observing that x LEQ x+1 for all x,
      implying x LEQ x+1 LEQ x+2 ...  LEQ x-1 LEQ x; or more directly with the
      simple example a=LONG_MIN, b=0, c=1, for which a-b < 0, b-c < 0, but a-c >
      0.
      
      Note that it makes absolutely no difference that a transmogrying bijection
      has been applied before the comparison is done.  In fact, had the
      obfuscation not been done, one could probably not observe the bug
      (assuming all values being compared always lie in one half of the address
      space, the mathematical value of a-b is always representable in a long).
      As it stands, one can easily obtain three file descriptors exhibiting the
      non-transitivity of kcmp().
      
      Side note 1: I can't see that ensuring the MSB of the multiplier is
      set serves any purpose other than obfuscating the obfuscating code.
      
      Side note 2:
      #include <stdio.h>
      #include <stdlib.h>
      #include <string.h>
      #include <fcntl.h>
      #include <unistd.h>
      #include <assert.h>
      #include <sys/syscall.h>
      
      enum kcmp_type {
              KCMP_FILE,
              KCMP_VM,
              KCMP_FILES,
              KCMP_FS,
              KCMP_SIGHAND,
              KCMP_IO,
              KCMP_SYSVSEM,
              KCMP_TYPES,
      };
      pid_t pid;
      
      int kcmp(pid_t pid1, pid_t pid2, int type,
      	 unsigned long idx1, unsigned long idx2)
      {
      	return syscall(SYS_kcmp, pid1, pid2, type, idx1, idx2);
      }
      int cmp_fd(int fd1, int fd2)
      {
      	int c = kcmp(pid, pid, KCMP_FILE, fd1, fd2);
      	if (c < 0) {
      		perror("kcmp");
      		exit(1);
      	}
      	assert(0 <= c && c < 3);
      	return c;
      }
      int cmp_fdp(const void *a, const void *b)
      {
      	static const int normalize[] = {0, -1, 1};
      	return normalize[cmp_fd(*(int*)a, *(int*)b)];
      }
      #define MAX 100 /* This is plenty; I've seen it trigger for MAX==3 */
      int main(int argc, char *argv[])
      {
      	int r, s, count = 0;
      	int REL[3] = {0,0,0};
      	int fd[MAX];
      	pid = getpid();
      	while (count < MAX) {
      		r = open("/dev/null", O_RDONLY);
      		if (r < 0)
      			break;
      		fd[count++] = r;
      	}
      	printf("opened %d file descriptors\n", count);
      	for (r = 0; r < count; ++r) {
      		for (s = r+1; s < count; ++s) {
      			REL[cmp_fd(fd[r], fd[s])]++;
      		}
      	}
      	printf("== %d\t< %d\t> %d\n", REL[0], REL[1], REL[2]);
      	qsort(fd, count, sizeof(fd[0]), cmp_fdp);
      	memset(REL, 0, sizeof(REL));
      
      	for (r = 0; r < count; ++r) {
      		for (s = r+1; s < count; ++s) {
      			REL[cmp_fd(fd[r], fd[s])]++;
      		}
      	}
      	printf("== %d\t< %d\t> %d\n", REL[0], REL[1], REL[2]);
      	return (REL[0] + REL[2] != 0);
      }
      Signed-off-by: default avatarRasmus Villemoes <linux@rasmusvillemoes.dk>
      Reviewed-by: default avatarCyrill Gorcunov <gorcunov@openvz.org>
      "Eric W. Biederman" <ebiederm@xmission.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      acbbe6fb
    • Sasha Levin's avatar
      mm/mmap.c: use pr_emerg when printing BUG related information · 8542bdfc
      Sasha Levin authored
      Make sure we actually see the output of validate_mm() and browse_rb()
      before triggering a BUG().  pr_info isn't shown by default so the reason
      for the BUG() isn't obvious.
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      8542bdfc
    • David Drysdale's avatar
      shm: add memfd.h to UAPI export list · b01d0720
      David Drysdale authored
      The new header file memfd.h from commit 9183df25 ("shm: add
      memfd_create() syscall") should be exported.
      Signed-off-by: default avatarDavid Drysdale <drysdale@google.com>
      Reviewed-by: default avatarDavid Herrmann <dh.herrmann@gmail.com>
      Cc: Hugh Dickins <hughd@google.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      b01d0720
    • Joe Perches's avatar
      checkpatch: allow commit descriptions on separate line from commit id · 66881735
      Joe Perches authored
      The general form for commit id and description is
      
        'Commit <12+hexdigits> ("commit description/subject line")'
      
      but commit logs often have relatively long commit ids and the commit
      description emds on the next line like:
      
        Some explanation as to why commit <12+hexdigits>
        ("commit foo description/subject line") is improved.
      
      Allow this form.
      Signed-off-by: default avatarJoe Perches <joe@perches.com>
      Suggested-by: default avatarJoe Lawrence <joe.lawrence@stratus.com>
      Tested-by: default avatarJoe Lawrence <joe.lawrence@stratus.com>
      Suggested-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      66881735
    • Stas Sergeev's avatar
      sh: get_user_pages_fast() must flush cache · caac7e6d
      Stas Sergeev authored
      This patch avoids fuse hangs on sh4 by flushing the cache on
      get_user_pages_fast().  This is not necessary a good thing to do, but
      get_user_pages() does this, so get_user_pages_fast() should too.
      
      Please note the patch for mips arch that addresses the similar problem:
        https://kernel.googlesource.com/pub/scm/linux/kernel/git/ralf/linux/+/linux-3.4.50%5E!/#F0
      
      They basically simply disable get_user_pages_fast() at all, using a
      fall-back to get_user_pages().  But my fix is different, it adds an
      explicit cache flushes.
      Signed-off-by: default avatarStas Sergeev <stsp@users.sourceforge.net>
      Cc: Geert Uytterhoeven <geert+renesas@glider.be>
      Cc: Kamal Dasu <kdasu.kdev@gmail.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      caac7e6d
    • Nicolas Iooss's avatar
      eventpoll: fix uninitialized variable in epoll_ctl · c680e41b
      Nicolas Iooss authored
      When calling epoll_ctl with operation EPOLL_CTL_DEL, structure epds is
      not initialized but ep_take_care_of_epollwakeup reads its event field.
      When this unintialized field has EPOLLWAKEUP bit set, a capability check
      is done for CAP_BLOCK_SUSPEND in ep_take_care_of_epollwakeup.  This
      produces unexpected messages in the audit log, such as (on a system
      running SELinux):
      
          type=AVC msg=audit(1408212798.866:410): avc:  denied
          { block_suspend } for  pid=7754 comm="dbus-daemon" capability=36
          scontext=unconfined_u:unconfined_r:unconfined_t
          tcontext=unconfined_u:unconfined_r:unconfined_t
          tclass=capability2 permissive=1
      
          type=SYSCALL msg=audit(1408212798.866:410): arch=c000003e syscall=233
          success=yes exit=0 a0=3 a1=2 a2=9 a3=7fffd4d66ec0 items=0 ppid=1
          pid=7754 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
          fsgid=0 tty=(none) ses=3 comm="dbus-daemon"
          exe="/usr/bin/dbus-daemon"
          subj=unconfined_u:unconfined_r:unconfined_t key=(null)
      
      ("arch=c000003e syscall=233 a1=2" means "epoll_ctl(op=EPOLL_CTL_DEL)")
      
      Remove use of epds in epoll_ctl when op == EPOLL_CTL_DEL.
      
      Fixes: 4d7e30d9 ("epoll: Add a flag, EPOLLWAKEUP, to prevent suspend while epoll events are ready")
      Signed-off-by: default avatarNicolas Iooss <nicolas.iooss_linux@m4x.org>
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: Arve Hjønnevåg <arve@android.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      c680e41b
    • Patrick Palka's avatar
      kernel/printk/printk.c: fix faulty logic in the case of recursive printk · 000a7d66
      Patrick Palka authored
      We shouldn't set text_len in the code path that detects printk recursion
      because text_len corresponds to the length of the string inside textbuf.
      A few lines down from the line
      
          text_len = strlen(recursion_msg);
      
      is the line
      
          text_len += vscnprintf(text + text_len, ...);
      
      So if printk detects recursion, it sets text_len to 29 (the length of
      recursion_msg) and logs an error.  Then the message supplied by the
      caller of printk is stored inside textbuf but offset by 29 bytes.  This
      means that the output of the recursive call to printk will contain 29
      bytes of garbage in front of it.
      
      This defect is caused by commit 458df9fd ("printk: remove separate
      printk_sched buffers and use printk buf instead") which turned the line
      
          text_len = vscnprintf(text, ...);
      
      into
      
          text_len += vscnprintf(text + text_len, ...);
      
      To fix this, this patch avoids setting text_len when logging the printk
      recursion error.  This patch also marks unlikely() the branch leading up
      to this code.
      
      Fixes: 458df9fd ("printk: remove separate printk_sched buffers and use printk buf instead")
      Signed-off-by: default avatarPatrick Palka <patrick@parcs.ath.cx>
      Reviewed-by: default avatarPetr Mladek <pmladek@suse.cz>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Acked-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      000a7d66
    • Xishi Qiu's avatar
      mem-hotplug: let memblock skip the hotpluggable memory regions in __next_mem_range() · 0a313a99
      Xishi Qiu authored
      Let memblock skip the hotpluggable memory regions in __next_mem_range(),
      it is used to to prevent memblock from allocating hotpluggable memory
      for the kernel at early time. The code is the same as __next_mem_range_rev().
      
      Clear hotpluggable flag before releasing free pages to the buddy
      allocator.  If we don't clear hotpluggable flag in
      free_low_memory_core_early(), the memory which marked hotpluggable flag
      will not free to buddy allocator.  Because __next_mem_range() will skip
      them.
      
      free_low_memory_core_early
      	for_each_free_mem_range
      		for_each_mem_range
      			__next_mem_range
      
      [akpm@linux-foundation.org: fix warning]
      Signed-off-by: default avatarXishi Qiu <qiuxishi@huawei.com>
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Tang Chen <tangchen@cn.fujitsu.com>
      Cc: Zhang Yanfei <zhangyanfei@cn.fujitsu.com>
      Cc: Wen Congyang <wency@cn.fujitsu.com>
      Cc: "Rafael J. Wysocki" <rjw@sisk.pl>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Wu Fengguang <fengguang.wu@intel.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      0a313a99
    • Linus Torvalds's avatar
      Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs · 7ec62d42
      Linus Torvalds authored
      Pull UDF fixes from Jan Kara:
       "Fixes for UDF handling of NFS handles and one fix for proper handling
        of corrupted media"
      
      * 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
        udf: saner calling conventions for udf_new_inode()
        udf: fix the udf_iget() vs. udf_new_inode() races
        udf: merge the pieces inserting a new non-directory object into directory
        udf: Set i_generation field
        udf: Properly detect stale inodes
        udf: Make udf_read_inode() and udf_iget() return error
        udf: Avoid infinite loop when processing indirect ICBs
        udf: Fold udf_fill_inode() into __udf_read_inode()
        udf: Avoid dir link count to go negative
      7ec62d42
    • John Sung's avatar
      Input: serport - add compat handling for SPIOCSTYPE ioctl · a80d8b02
      John Sung authored
      When running a 32-bit inputattach utility in a 64-bit system, there will be
      error code "inputattach: can't set device type". This is caused by the
      serport device driver not supporting compat_ioctl, so that SPIOCSTYPE ioctl
      fails.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJohn Sung <penmount.touch@gmail.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      a80d8b02