Merge Upstream's stable 3.0.21 branch into msm-3.0
This consists 814 commits and some merge conflicts.
The merge conflicts are because of some local changes to
msm-3.0 as well as some conflicts between google's tree and
the upstream tree.
Conflicts:
arch/arm/kernel/head.S
drivers/bluetooth/ath3k.c
drivers/bluetooth/btusb.c
drivers/mmc/core/core.c
drivers/tty/serial/serial_core.c
drivers/usb/host/ehci-hub.c
drivers/usb/serial/qcserial.c
fs/namespace.c
fs/proc/base.c
Change-Id: I62e2edbe213f84915e27f8cd6e4f6ce23db22a21
Signed-off-by: Rohit Vaswani <rvaswani@codeaurora.org>
Merge Google's Android tree into msm-3.0
This consists of the following conflicts and 42 commits:
Conflicts:
drivers/mmc/core/bus.c
drivers/rtc/class.c
drivers/usb/gadget/android.c
Most of the conflicts stem from the changes made to the
local msm-3.0 branch.
commit 1f8c5cecfe
Author: Heiko Stuebner <heiko@sntech.de>
Date: Wed Feb 1 10:33:01 2012 -0800
Input: evdev - fix variable initialisation
Commit 509f87c5f564 (evdev - do not block waiting for an event if
fd
is nonblock) created a code path were it was possible to use retval
uninitialized.
This could lead to the xorg evdev input driver getting corrupt data
and refusing to work with log messages like
AUO-Pixcir touchscreen: Read error: Success
sg060_keys: Read error: Success
AUO-Pixcir touchscreen: Read error: Success
sg060_keys: Read error: Success
(for drivers auo-pixcir-ts and gpio-keys).
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
drivers/input/evdev.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 4dc43d7079
Author: Arve Hjønnevåg <arve@android.com>
Date: Fri Oct 17 15:20:55 2008 -0700
Input: evdev - Add ioctl to block suspend while event queue is not empty.
Add an ioctl, EVIOCSSUSPENDBLOCK, to enable a wakelock that will block
suspend while the event queue is not empty. This allows userspace code to
process input events while the device appears to be asleep.
The current code holds the wakelock for up 5 seconds for every input
device and client. This can prevent suspend if sensor with a high data
rate is active, even when that sensor is not capable of waking the
device once it is suspended.
Change-Id: I624d66ef30a0b3abb543685c343382b8419b42b9
Signed-off-by: Arve Hjønnevåg <arve@android.com>
drivers/input/evdev.c | 53 +++++++++++++++++++++++++++++++++++++++++++-----
include/linux/input.h | 3 ++
2 files changed, 50 insertions(+), 6 deletions(-)
commit 7cc846069a
Author: Arve Hjønnevåg <arve@android.com>
Date: Mon Jan 23 17:15:45 2012 -0800
Input: evdev - Don't hold wakelock when no data is available to user-space
If there is no SYN_REPORT event in the buffer the buffer data is invisible
to user-space. The wakelock should not be held in this case.
Change-Id: Idae890ff0da8eb46a2cfce61a95b3a97252551ad
Signed-off-by: Arve Hjønnevåg <arve@android.com>
drivers/input/evdev.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
commit 0e80804a2e
Author: Dmitry Shmidt <dimitrysh@google.com>
Date: Tue Jan 31 11:06:23 2012 -0800
net: wireless: bcmdhd: Increase pm_notify callback priority
Make pm_notify callback to be called the first on suspend/resume path to
ensure it will always be called.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
drivers/net/wireless/bcmdhd/dhd_linux.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit dfc896e1c8
Author: Dmitry Shmidt <dimitrysh@google.com>
Date: Mon Jan 30 15:43:31 2012 -0800
net: wireless: bcmdhd: Fix crash on dhdsdio_probe_attach() failure
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
drivers/net/wireless/bcmdhd/dhd_linux.c | 17 ++++++++++++++---
drivers/net/wireless/bcmdhd/dhd_sdio.c | 8 +++++++-
2 files changed, 21 insertions(+), 4 deletions(-)
commit 256a6b23be
Author: Dmitry Shmidt <dimitrysh@google.com>
Date: Mon Jan 30 13:03:19 2012 -0800
net: wireless: bcmdhd: Daemonize wl_event_handler
Daemonizing makes thread (besides other things) NON-FREEZABLE, and it will not
get fake signal on suspend to quicl down_interruptible()
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
drivers/net/wireless/bcmdhd/dhd_linux.c | 13 -------------
drivers/net/wireless/bcmdhd/include/linuxver.h | 12 ++++++++++++
drivers/net/wireless/bcmdhd/wl_cfg80211.c | 3 +++
3 files changed, 15 insertions(+), 13 deletions(-)
commit ff93146589
Author: Dmitry Shmidt <dimitrysh@google.com>
Date: Tue Jan 24 13:59:40 2012 -0800
net: wireless: bcmdhd: Update to Version 5.90.195.23
- WFD fixes
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
drivers/net/wireless/bcmdhd/dhd_cfg80211.c | 269 -------------------------
drivers/net/wireless/bcmdhd/dhd_linux.c | 2 +-
drivers/net/wireless/bcmdhd/dhd_sdio.c | 8 +-
drivers/net/wireless/bcmdhd/include/epivers.h | 8 +-
drivers/net/wireless/bcmdhd/siutils.c | 5 +
drivers/net/wireless/bcmdhd/wl_cfg80211.c | 223 +++++++++++++++------
drivers/net/wireless/bcmdhd/wl_cfgp2p.c | 175 ++++++++++++++++-
drivers/net/wireless/bcmdhd/wl_cfgp2p.h | 37 ++--
8 files changed, 368 insertions(+), 359 deletions(-)
commit 96034c2006
Author: Dmitry Shmidt <dimitrysh@google.com>
Date: Tue Jan 24 13:55:00 2012 -0800
net: wireless: bcmdhd: Update to Version 5.90.195.22
- Disable Ad-hoc support for cfg80211
- dhd_linux.c: Fix incorrect pid check
- Merge Android changes from Android tree
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
drivers/net/wireless/bcmdhd/bcmsdh_linux.c | 24 ++------------------
drivers/net/wireless/bcmdhd/bcmsdh_sdmmc_linux.c | 25 +++++++++++++++------
drivers/net/wireless/bcmdhd/dhd_linux.c | 10 ++++----
drivers/net/wireless/bcmdhd/dhd_sdio.c | 11 +++++++--
drivers/net/wireless/bcmdhd/hndpmu.c | 16 ++++++++++++++
drivers/net/wireless/bcmdhd/include/bcmdevs.h | 2 +
drivers/net/wireless/bcmdhd/include/epivers.h | 8 +++---
drivers/net/wireless/bcmdhd/siutils.c | 3 ++
drivers/net/wireless/bcmdhd/wl_cfg80211.c | 11 ++++++++-
9 files changed, 68 insertions(+), 42 deletions(-)
commit 494661a1ac
Author: Dmitry Shmidt <dimitrysh@google.com>
Date: Tue Jan 24 13:47:47 2012 -0800
net: wireless: bcmdhd: Update to Version 5.90.195.19
- Add WFD changes
- Add extra locking for internal ioctl operations
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
drivers/net/wireless/bcmdhd/Makefile | 4 +-
drivers/net/wireless/bcmdhd/bcmsdh_linux.c | 25 +-
drivers/net/wireless/bcmdhd/bcmsdh_sdmmc.c | 4 +-
drivers/net/wireless/bcmdhd/dhd.h | 10 +-
drivers/net/wireless/bcmdhd/dhd_cdc.c | 7 +-
drivers/net/wireless/bcmdhd/dhd_cfg80211.c | 862 ++++++++
drivers/net/wireless/bcmdhd/dhd_cfg80211.h | 42 +
drivers/net/wireless/bcmdhd/dhd_common.c | 7 +-
drivers/net/wireless/bcmdhd/dhd_linux.c | 103 +-
drivers/net/wireless/bcmdhd/dhd_linux_mon.c | 409 ----
drivers/net/wireless/bcmdhd/dhd_sdio.c | 4 +-
drivers/net/wireless/bcmdhd/include/dhdioctl.h | 3 +-
drivers/net/wireless/bcmdhd/include/epivers.h | 8 +-
drivers/net/wireless/bcmdhd/include/proto/802.11.h | 12 +-
drivers/net/wireless/bcmdhd/include/wlioctl.h | 19 +-
drivers/net/wireless/bcmdhd/wl_android.c | 22 +-
drivers/net/wireless/bcmdhd/wl_android.h | 2 +-
drivers/net/wireless/bcmdhd/wl_cfg80211.c | 2142 ++++++--------------
drivers/net/wireless/bcmdhd/wl_cfg80211.h | 125 +-
drivers/net/wireless/bcmdhd/wl_cfgp2p.c | 245 ++-
drivers/net/wireless/bcmdhd/wl_cfgp2p.h | 27 +-
drivers/net/wireless/bcmdhd/wl_linux_mon.c | 409 ++++
drivers/net/wireless/bcmdhd/wldev_common.c | 69 +-
drivers/net/wireless/bcmdhd/wldev_common.h | 20 +-
24 files changed, 2485 insertions(+), 2095 deletions(-)
commit 1dddb0cc0d
Author: Dmitry Shmidt <dimitrysh@google.com>
Date: Tue Jan 24 13:37:34 2012 -0800
net: wireless: bcmdhd: Update to Version 5.90.195.15
- Add WFD concurrent mode support
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
drivers/net/wireless/bcmdhd/bcmevent.c | 8 +-
drivers/net/wireless/bcmdhd/bcmsdh_sdmmc_linux.c | 12 +-
drivers/net/wireless/bcmdhd/bcmutils.c | 4 +-
drivers/net/wireless/bcmdhd/dhd.h | 25 +-
drivers/net/wireless/bcmdhd/dhd_cdc.c | 9 +-
drivers/net/wireless/bcmdhd/dhd_common.c | 4 +-
drivers/net/wireless/bcmdhd/dhd_linux.c | 148 +++--
drivers/net/wireless/bcmdhd/dhd_linux_mon.c | 28 +-
drivers/net/wireless/bcmdhd/dhd_sdio.c | 27 +-
drivers/net/wireless/bcmdhd/dhd_wlfc.h | 12 +-
drivers/net/wireless/bcmdhd/hndpmu.c | 44 +-
drivers/net/wireless/bcmdhd/include/Makefile | 2 +-
drivers/net/wireless/bcmdhd/include/aidmp.h | 2 +-
drivers/net/wireless/bcmdhd/include/bcmcdc.h | 2 +-
drivers/net/wireless/bcmdhd/include/bcmdefs.h | 37 +-
drivers/net/wireless/bcmdhd/include/bcmdevs.h | 573 +++++++++++++-
drivers/net/wireless/bcmdhd/include/bcmendian.h | 2 +-
drivers/net/wireless/bcmdhd/include/bcmpcispi.h | 2 +-
drivers/net/wireless/bcmdhd/include/bcmperf.h | 2 +-
drivers/net/wireless/bcmdhd/include/bcmsdbus.h | 10 +-
drivers/net/wireless/bcmdhd/include/bcmsdh.h | 10 +-
drivers/net/wireless/bcmdhd/include/bcmsdh_sdmmc.h | 2 +-
drivers/net/wireless/bcmdhd/include/bcmsdpcm.h | 2 +-
drivers/net/wireless/bcmdhd/include/bcmsdspi.h | 2 +-
drivers/net/wireless/bcmdhd/include/bcmsdstd.h | 34 +-
drivers/net/wireless/bcmdhd/include/bcmspi.h | 2 +-
drivers/net/wireless/bcmdhd/include/bcmutils.h | 14 +-
drivers/net/wireless/bcmdhd/include/bcmwifi.h | 2 +-
drivers/net/wireless/bcmdhd/include/dhdioctl.h | 2 +-
drivers/net/wireless/bcmdhd/include/epivers.h | 14 +-
drivers/net/wireless/bcmdhd/include/hndpmu.h | 2 +-
.../net/wireless/bcmdhd/include/hndrte_armtrap.h | 2 +-
drivers/net/wireless/bcmdhd/include/hndrte_cons.h | 2 +-
drivers/net/wireless/bcmdhd/include/hndsoc.h | 2 +-
drivers/net/wireless/bcmdhd/include/htsf.h | 2 +-
drivers/net/wireless/bcmdhd/include/linux_osl.h | 2 +-
drivers/net/wireless/bcmdhd/include/linuxver.h | 6 +-
drivers/net/wireless/bcmdhd/include/miniopt.h | 2 +-
drivers/net/wireless/bcmdhd/include/msgtrace.h | 2 +-
drivers/net/wireless/bcmdhd/include/osl.h | 2 +-
.../wireless/bcmdhd/include/packed_section_end.h | 2 +-
.../wireless/bcmdhd/include/packed_section_start.h | 2 +-
drivers/net/wireless/bcmdhd/include/pcicfg.h | 28 +-
drivers/net/wireless/bcmdhd/include/proto/802.11.h | 317 +++++++-
.../net/wireless/bcmdhd/include/proto/802.11_bta.h | 2 +-
.../net/wireless/bcmdhd/include/proto/802.11e.h | 2 +-
drivers/net/wireless/bcmdhd/include/proto/802.1d.h | 2 +-
drivers/net/wireless/bcmdhd/include/proto/bcmeth.h | 2 +-
.../net/wireless/bcmdhd/include/proto/bcmevent.h | 9 +-
drivers/net/wireless/bcmdhd/include/proto/bcmip.h | 2 +-
.../net/wireless/bcmdhd/include/proto/bt_amp_hci.h | 2 +-
drivers/net/wireless/bcmdhd/include/proto/eapol.h | 2 +-
.../net/wireless/bcmdhd/include/proto/ethernet.h | 3 +-
drivers/net/wireless/bcmdhd/include/proto/p2p.h | 2 +-
drivers/net/wireless/bcmdhd/include/proto/sdspi.h | 2 +-
drivers/net/wireless/bcmdhd/include/proto/vlan.h | 2 +-
drivers/net/wireless/bcmdhd/include/proto/wpa.h | 12 +-
drivers/net/wireless/bcmdhd/include/sbchipc.h | 168 ++++-
drivers/net/wireless/bcmdhd/include/sbconfig.h | 2 +-
drivers/net/wireless/bcmdhd/include/sbhnddma.h | 6 +-
drivers/net/wireless/bcmdhd/include/sbpcmcia.h | 2 +-
drivers/net/wireless/bcmdhd/include/sbsdio.h | 2 +-
drivers/net/wireless/bcmdhd/include/sbsdpcmdev.h | 2 +-
drivers/net/wireless/bcmdhd/include/sbsocram.h | 2 +-
drivers/net/wireless/bcmdhd/include/sdio.h | 5 +-
drivers/net/wireless/bcmdhd/include/sdioh.h | 32 +-
drivers/net/wireless/bcmdhd/include/sdiovar.h | 2 +-
drivers/net/wireless/bcmdhd/include/siutils.h | 30 +-
drivers/net/wireless/bcmdhd/include/trxhdr.h | 3 +-
drivers/net/wireless/bcmdhd/include/typedefs.h | 5 +-
drivers/net/wireless/bcmdhd/include/wlfc_proto.h | 2 +-
drivers/net/wireless/bcmdhd/include/wlioctl.h | 87 ++-
drivers/net/wireless/bcmdhd/linux_osl.c | 23 +-
drivers/net/wireless/bcmdhd/siutils.c | 195 +++++-
drivers/net/wireless/bcmdhd/wl_android.c | 6 +-
drivers/net/wireless/bcmdhd/wl_cfg80211.c | 875 ++++++++++++--------
drivers/net/wireless/bcmdhd/wl_cfg80211.h | 282 +++++---
drivers/net/wireless/bcmdhd/wl_cfgp2p.c | 165 ++++-
drivers/net/wireless/bcmdhd/wl_cfgp2p.h | 12 +-
drivers/net/wireless/bcmdhd/wl_iw.c | 110 +++-
drivers/net/wireless/bcmdhd/wl_iw.h | 17 +-
81 files changed, 2737 insertions(+), 752 deletions(-)
commit 52bdb6f543
Author: Dmitry Shmidt <dimitrysh@google.com>
Date: Mon Jan 23 12:47:21 2012 -0800
net: wireless: bcmdhd: Add WIPHY_FLAG_SUPPORTS_FW_ROAM flag
Adding this flag will allow NL80211_ATTR_ROAM_SUPPORT, and will set
WPA_DRIVER_FLAGS_BSS_SELECTION flag in wpa_supplicant
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
drivers/net/wireless/bcmdhd/wl_cfg80211.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
commit b1a94205e9
Author: Dmitry Shmidt <dimitrysh@google.com>
Date: Fri Jan 20 14:15:05 2012 -0800
net: wireless: bcmdhd: Fake PNO event to wake up the wpa_supplicant
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
drivers/net/wireless/bcmdhd/dhd_linux.c | 4 +++-
drivers/net/wireless/bcmdhd/wl_cfg80211.c | 20 ++++++++++++++++----
2 files changed, 19 insertions(+), 5 deletions(-)
commit 09701e3edf
Author: Scott Anderson <saa@google.com>
Date: Wed Jan 18 15:56:51 2012 -0800
usb: gadget: android: Honor CONFIG_USB_GADGET_VBUS_DRAW
The maximum current draw was hard coded to 500 mA. composite.c
has code that uses CONFIG_USB_GADGET_VBUS_DRAW to set the
bMaxPower and to set whether or not the device is self-powered if
they haven't been set. This change removes the code in android.c
to allow composite.c to set them.
Change-Id: I9db37922e91ee86e9e5c0e14519e119e5c41ca48
Signed-off-by: Scott Anderson <saa@google.com>
drivers/usb/gadget/android.c | 3 ---
1 files changed, 0 insertions(+), 3 deletions(-)
commit a6ccb73389
Author: Benoit Goby <benoit@android.com>
Date: Fri Jan 20 14:42:41 2012 -0800
usb: gadget: Fix usb string id allocation
Don't reset next_string_id every time the gadget is enabled, this makes
the next strings allocated overwrite strings allocated at probe time.
Instead, fix rndis not to allocate new string ids on every config bind.
Change-Id: Ied28ee416bb6f00c434c34176fe5b7f0dcb2b2d4
Signed-off-by: Benoit Goby <benoit@android.com>
drivers/usb/gadget/android.c | 1 -
drivers/usb/gadget/f_rndis.c | 12 +++++-------
drivers/usb/gadget/rndis.c | 11 +++++++++++
3 files changed, 16 insertions(+), 8 deletions(-)
commit 87159de9c3
Author: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Thu Aug 11 11:46:22 2011 +0300
nl80211/cfg80211: Make addition of new sinfo fields safer
Add a comment pointing out the use of enum station_info_flags for
all new struct station_info fields. In addition, memset the sinfo
buffer to zero before use on all paths in the current tree to avoid
leaving uninitialized pointers in the data.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
include/net/cfg80211.h | 5 +++++
net/mac80211/sta_info.c | 1 +
net/wireless/nl80211.c | 1 +
3 files changed, 7 insertions(+), 0 deletions(-)
commit d692df224b
Author: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Mon Aug 8 12:11:52 2011 +0300
cfg80211/nl80211: Send AssocReq IEs to user space in AP mode
When user space SME/MLME (e.g., hostapd) is not used in AP mode, the
IEs from the (Re)Association Request frame that was processed in
firmware need to be made available for user space (e.g., RSN IE for
hostapd). Allow this to be done with cfg80211_new_sta().
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
include/net/cfg80211.h | 8 ++++++++
net/wireless/nl80211.c | 4 ++++
2 files changed, 12 insertions(+), 0 deletions(-)
commit d1e94136fc
Author: Dima Zavin <dima@android.com>
Date: Mon Jan 23 10:39:02 2012 -0800
misc: remove android pmem driver, it's obsolete.
Change-Id: I48d9778007e1e9eed2bb34e33ceee818c23afaa5
Signed-off-by: Dima Zavin <dima@android.com>
drivers/misc/Kconfig | 4 -
drivers/misc/Makefile | 1 -
drivers/misc/pmem.c | 1345 ------------------------------------------
include/linux/android_pmem.h | 93 ---
4 files changed, 0 insertions(+), 1443 deletions(-)
commit dac306d896
Author: Dima Zavin <dima@android.com>
Date: Thu Jan 19 09:51:07 2012 -0800
Revert "proc: enable writing to /proc/pid/mem"
This reverts commit 198214a7ee.
fs/proc/base.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
commit a65e28a014
Author: Dima Zavin <dima@android.com>
Date: Thu Jan 12 15:55:25 2012 -0800
ram_console: set CON_ANYTIME console flag
We want to ensure that we get all the console messages, even ones
that occur while the printing CPU is not yet online.
Change-Id: I1d2694d05ac9415669a92f38efdd8e71c927705b
Signed-off-by: Dima Zavin <dima@android.com>
drivers/staging/android/ram_console.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit f16e6fb3e3
Author: Benoit Goby <benoit@android.com>
Date: Thu Dec 15 18:40:37 2011 -0800
Revert "usb: gadget: rndis: don't use dev_get_stats"
This reverts commit ffdab0c0c4.
Not needed anymore in 2.6.39 and 3.0, dev_get_stats has been fixed
and may be called from atomic context. See:
1ac9ad1 net: remove dev_txq_stats_fold()
drivers/usb/gadget/rndis.c | 23 ++---------------------
1 files changed, 2 insertions(+), 21 deletions(-)
commit e1493f1544
Author: Dmitry Shmidt <dimitrysh@google.com>
Date: Mon Dec 19 10:24:09 2011 -0800
net: wireless: bcmdhd: Enable wlan access on resume for all sdio functions
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
drivers/net/wireless/bcmdhd/bcmsdh_sdmmc_linux.c | 4 +---
1 files changed, 1 insertions(+), 3 deletions(-)
commit bbd08c6e95
Author: Dmitry Shmidt <dimitrysh@google.com>
Date: Fri Dec 16 12:54:51 2011 -0800
net: wireless: bcmdhd: Fix P2P interface removal
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
drivers/net/wireless/bcmdhd/dhd_linux.c | 3 ++
drivers/net/wireless/bcmdhd/wl_cfg80211.c | 43 ++++++++++++++++++++++-------
drivers/net/wireless/bcmdhd/wl_cfg80211.h | 9 ++++--
3 files changed, 42 insertions(+), 13 deletions(-)
commit 37ff4411a5
Author: Dmitry Shmidt <dimitrysh@google.com>
Date: Thu Dec 15 12:12:20 2011 -0800
net: wireless: bcm4329: Fix pno_enable if disassociated
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
drivers/net/wireless/bcm4329/dhd_common.c | 43 ++++++++++++++++++++++++-----
1 files changed, 36 insertions(+), 7 deletions(-)
commit 599c8566fa
Author: Dmitry Shmidt <dimitrysh@google.com>
Date: Tue Dec 13 17:39:48 2011 -0800
net: wireless: bcmdhd: Fix proper scan command even if request is NULL
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
drivers/net/wireless/bcmdhd/wl_cfg80211.c | 16 ++++++++++------
1 files changed, 10 insertions(+), 6 deletions(-)
commit f227b88c89
Author: Dmitry Shmidt <dimitrysh@google.com>
Date: Tue Dec 13 12:27:49 2011 -0800
net: wireless: bcmdhd: Decrease event wake_lock timeout to 1500 ms
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
drivers/net/wireless/bcmdhd/dhd.h | 4 ++--
drivers/net/wireless/bcmdhd/dhd_linux.c | 8 ++++----
drivers/net/wireless/bcmdhd/wl_iw.c | 2 +-
3 files changed, 7 insertions(+), 7 deletions(-)
commit ed3f356087
Author: Dmitry Shmidt <dimitrysh@google.com>
Date: Mon Dec 12 15:40:33 2011 -0800
net: wireless: bcmdhd: Fix getting arp_hostip table
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
drivers/net/wireless/bcmdhd/dhd_common.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit c561cedf2b
Author: Dmitry Shmidt <dimitrysh@google.com>
Date: Tue Dec 6 16:27:37 2011 -0800
net: wireless: bcmdhd: Allow to push more packets to FW for Tx
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
drivers/net/wireless/bcmdhd/dhd_sdio.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 4f36cb88d6
Author: Dmitry Shmidt <dimitrysh@google.com>
Date: Fri Dec 2 13:24:01 2011 -0800
net: wireless: bcmdhd: Fix scan crash in ibss mode
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
drivers/net/wireless/bcmdhd/wl_cfg80211.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit af16732d4c
Author: Dmitry Shmidt <dimitrysh@google.com>
Date: Fri Dec 2 13:10:47 2011 -0800
net: wireless: bcmdhd: Add FW reloading in case of FW hang
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
drivers/net/wireless/bcmdhd/dhd_linux.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
commit 7caeacd6ed
Author: Dmitry Shmidt <dimitrysh@google.com>
Date: Wed Nov 30 12:49:02 2011 -0800
net: wireless: bcmdhd: Update to Version 5.90.125.94.1
- Return zeroed private command buffer
- Fix memory leak in wl_inform_single_bss()
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
drivers/net/wireless/bcmdhd/dhd_common.c | 5 +++--
drivers/net/wireless/bcmdhd/dhd_linux_mon.c | 10 ++++++----
drivers/net/wireless/bcmdhd/include/epivers.h | 2 +-
drivers/net/wireless/bcmdhd/wl_android.c | 9 ++++++---
drivers/net/wireless/bcmdhd/wl_cfg80211.c | 9 ++++++---
5 files changed, 22 insertions(+), 13 deletions(-)
commit 8d71d882e7
Author: Dmitry Shmidt <dimitrysh@google.com>
Date: Fri Nov 11 16:04:12 2011 -0800
net: wireless: bcmdhd: Use CONFIG_DHD_USE_STATIC_BUF for preallocated memory
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
drivers/net/wireless/bcmdhd/Kconfig | 7 +++
drivers/net/wireless/bcmdhd/bcmsdh_sdmmc.c | 16 ++++----
drivers/net/wireless/bcmdhd/dhd.h | 4 +-
drivers/net/wireless/bcmdhd/dhd_cdc.c | 4 +-
drivers/net/wireless/bcmdhd/dhd_linux.c | 4 +-
drivers/net/wireless/bcmdhd/dhd_sdio.c | 4 +-
drivers/net/wireless/bcmdhd/include/linux_osl.h | 2 +-
drivers/net/wireless/bcmdhd/linux_osl.c | 52 +++++++++++++----------
drivers/net/wireless/bcmdhd/wl_android.c | 7 ++-
9 files changed, 57 insertions(+), 43 deletions(-)
commit 35047200c4
Author: Dmitry Shmidt <dimitrysh@google.com>
Date: Mon Dec 19 12:32:21 2011 -0800
wireless: Protect regdomain change by mutex
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
net/wireless/reg.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
commit ea693bf7f8
Author: Dmitry Shmidt <dimitrysh@google.com>
Date: Fri Dec 16 17:52:18 2011 -0800
mmc: Set suspend/resume bus operations if CONFIG_PM_RUNTIME is used
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
drivers/mmc/core/bus.c | 24 +++++++-----------------
1 files changed, 7 insertions(+), 17 deletions(-)
commit dc1b634039
Author: Benoit Goby <benoit@android.com>
Date: Fri Dec 9 18:05:00 2011 -0800
usb: gadget: android: Don't allow changing the functions list if enabled
Change-Id: I3ad39b420ce79a8602a7eca1daac1f56b30bad5c
Signed-off-by: Benoit Goby <benoit@android.com>
drivers/usb/gadget/android.c | 28 ++++++++++++++++++++++++----
1 files changed, 24 insertions(+), 4 deletions(-)
commit e0de0a507d
Author: Benoit Goby <benoit@android.com>
Date: Tue Nov 29 13:49:27 2011 -0800
usb: gadget: android: Cancel pending ctrlrequest before disabling
Make sure there is no pending ctrlrequest before removing the config.
Otherwise the ctrlrequest complete callback could access structures
after they have been freed. Unbind cancels pending transfers but not
ep0 requests.
Bug: 5513065 5440193
Change-Id: I063c22bf5d104a3d2df71cf622409459fac5f27a
Signed-off-by: Benoit Goby <benoit@android.com>
drivers/usb/gadget/android.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
commit b86fd0b622
Author: Colin Cross <ccross@android.com>
Date: Tue Nov 29 16:37:07 2011 -0800
ARM: idle: call idle notifiers before stopping nohz tick
If an idle notifier modifies a timer, calling the notifier after
the sched tick has been stopped may leave the sched tick set too
early. Move teh idle notifier call before the call to
tick_nohz_stop_sched_tick.
Change-Id: I0db3284bec6d0193bc5e2a57650ab06bd8342319
Signed-off-by: Colin Cross <ccross@android.com>
arch/arm/kernel/process.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit 6a4a38525d
Author: Benoit Goby <benoit@android.com>
Date: Mon Nov 28 18:01:03 2011 -0800
usb: gadget: android: Reset next_string_id before enable
Reset next_string_id to 0 before enabling the gadget driver. Otherwise,
after a large number of enable/disable cycles, bind will fail
because we cannot allocate new string ids. String ids cannot be larger
than 254 per USB spec.
Change-Id: I44f5fece45008b7a0a18c025d4eb5ce842585c28
Signed-off-by: Benoit Goby <benoit@android.com>
drivers/usb/gadget/android.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
commit dbb18fb2c1
Author: hyungseoung.yoo <hyungseoung.yoo@samsung.com>
Date: Fri Nov 18 13:57:01 2011 +0900
Bluetooth: Keep master role when SCO or eSCO is active
This improves compatbility with a lot of headset / chipset
combinations. Ideally this should not be needed.
Change-Id: I8b676701e12e416aa7d60801b9d353b15d102709
Signed-off-by: hyungseoung.yoo <hyungseoung.yoo@samsung.com>
Signed-off-by: Jaikumar Ganesh <jaikumarg@android.com>
net/bluetooth/hci_event.c | 12 +++++++++++-
1 files changed, 11 insertions(+), 1 deletions(-)
commit 9d187300df
Author: Arve Hjønnevåg <arve@android.com>
Date: Tue Nov 22 14:56:50 2011 -0800
rtc: Fix some bugs that allowed accumulating time drift in suspend/resume
The current code checks if abs(delta_delta.tv_sec) is greater or
equal to two before it discards the old delta value, but this can
trigger at close to -1 seconds since -1.000000001 seconds is stored
as tv_sec -2 and tv_nsec 999999999 in a normalized timespec.
rtc_resume had an early return check if the rtc value had not changed
since rtc_suspend. This effectivly stops time for the duration of the
short sleep. Check if sleep_time is positive after all the adjustments
have been applied instead since this allows the old_system adjustment
in rtc_suspend to have an effect even for short sleep cycles.
Change-Id: I00b45c0349ec91a4bab9b41a126b377515427898
Signed-off-by: Arve Hjønnevåg <arve@android.com>
drivers/rtc/class.c | 10 +++++-----
1 files changed, 5 insertions(+), 5 deletions(-)
commit 452d440ab2
Author: Arve Hjønnevåg <arve@android.com>
Date: Tue Nov 22 15:28:27 2011 -0800
Fix "time: Catch invalid timespec sleep values in __timekeeping_inject_sleeptime" to compile on 3.0
Change-Id: I1225f279cda04dedbfb7f853f6b58f1032bd6d2b
kernel/time/timekeeping.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
commit cf70c6a400
Author: John Stultz <john.stultz@linaro.org>
Date: Wed Jun 1 18:18:09 2011 -0700
time: Catch invalid timespec sleep values in __timekeeping_inject_sleeptime
Arve suggested making sure we catch possible negative sleep time
intervals that could be passed into timekeeping_inject_sleeptime.
CC: Arve Hjønnevåg <arve@android.com>
CC: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: John Stultz <john.stultz@linaro.org>
kernel/time/timekeeping.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
commit 340ede3671
Author: John Stultz <john.stultz@linaro.org>
Date: Fri May 27 11:33:18 2011 -0700
rtc: Avoid accumulating time drift in suspend/resume
Because the RTC interface is only a second granular interface,
each time we read from the RTC for suspend/resume, we introduce a
half second (on average) of error.
In order to avoid this error accumulating as the system is suspended
over and over, this patch measures the time delta between the RTC
and the system CLOCK_REALTIME.
If the delta is less then 2 seconds from the last suspend, we compensate
by using the previous time delta (keeping it close). If it is larger
then 2 seconds, we assume the clock was set or has been changed, so we
do no correction and update the delta.
Note: If NTP is running, ths could seem to "fight" with the NTP corrected
time, where as if the system time was off by 1 second, and NTP slewed the
value in, a suspend/resume cycle could undo this correction, by trying to
restore the previous offset from the RTC. However, without this patch,
since each read could cause almost a full second worth of error, its
possible to get almost 2 seconds of error just from the suspend/resume
cycle alone, so this about equal to any offset added by the compensation.
Further on systems that suspend/resume frequently, this should keep time
closer then NTP could compensate for if the errors were allowed to
accumulate.
Credits to Arve Hjønnevåg for suggesting this solution.
This patch also improves some of the variable names and adds more clear
comments.
CC: Arve Hjønnevåg <arve@android.com>
CC: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: John Stultz <john.stultz@linaro.org>
drivers/rtc/class.c | 65 +++++++++++++++++++++++++++++++++++++-------------
1 files changed, 48 insertions(+), 17 deletions(-)
Change-Id: I16f522e7ee2b301cbdaea62d52d50d7249f565c2
Signed-off-by: Rohit Vaswani <rvaswani@codeaurora.org>
commit 684a3ff7e69acc7c678d1a1394fe9e757993fd34 upstream.
ecryptfs_write() can enter an infinite loop when truncating a file to a
size larger than 4G. This only happens on architectures where size_t is
represented by 32 bits.
This was caused by a size_t overflow due to it incorrectly being used to
store the result of a calculation which uses potentially large values of
type loff_t.
[tyhicks@canonical.com: rewrite subject and commit message]
Signed-off-by: Li Wang <liwang@nudt.edu.cn>
Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 853a0c25baf96b028de1654bea1e0c8857eadf3d upstream.
When we hit EIO while writing LVID, the buffer uptodate bit is cleared.
This then results in an anoying warning from mark_buffer_dirty() when we
write the buffer again. So just set uptodate flag unconditionally.
Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Cc: Dave Jones <davej@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 6d08f2c7139790c268820a2e590795cb8333181a upstream.
Once /proc/pid/mem is opened, the memory can't be released until
mem_release() even if its owner exits.
Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
before access_remote_vm(), this verifies that this mm is still alive.
I am not sure what should mem_rw() return if atomic_inc_not_zero()
fails. With this patch it returns zero to match the "mm == NULL" case,
may be it should return -EINVAL like it did before e268337d.
Perhaps it makes sense to add the additional fatal_signal_pending()
check into the main loop, to ensure we do not hold this memory if
the target task was oom-killed.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 572d34b946bae070debd42db1143034d9687e13f upstream.
No functional changes, cleanup and preparation.
mem_read() and mem_write() are very similar. Move this code into the
new common helper, mem_rw(), which takes the additional "int write"
argument.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b1c770c273a4787069306fc82aab245e9ac72e9d upstream
When finding the longest extent in an AG, we read the value directly
out of the AGF buffer without endian conversion. This will give an
incorrect length, resulting in FITRIM operations potentially not
trimming everything that it should.
Note, for 3.0-stable this has been modified to apply to
fs/xfs/linux-2.6/xfs_discard.c instead of fs/xfs/xfs_discard.c. -bpm
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Ben Myers <bpm@sgi.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 9b025eb3a89e041bab6698e3858706be2385d692 upstream.
Commit b52a360b forgot to call xfs_iunlock() when it detected corrupted
symplink and bailed out. Fix it by jumping to 'out' instead of doing return.
CC: Carlos Maiolino <cmaiolino@redhat.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Alex Elder <elder@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Ben Myers <bpm@sgi.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 58ded24f0fcb85bddb665baba75892f6ad0f4b8a upstream.
If pages passed to the eCryptfs extent-based crypto functions are not
mapped and the module parameter ecryptfs_verbosity=1 was specified at
loading time, a NULL pointer dereference will occur.
Note that this wouldn't happen on a production system, as you wouldn't
pass ecryptfs_verbosity=1 on a production system. It leaks private
information to the system logs and is for debugging only.
The debugging info printed in these messages is no longer very useful
and rather than doing a kmap() in these debugging paths, it will be
better to simply remove the debugging paths completely.
https://launchpad.net/bugs/913651
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit a261a03904849c3df50bd0300efb7fb3f865137d upstream.
Most filesystems call inode_change_ok() very early in ->setattr(), but
eCryptfs didn't call it at all. It allowed the lower filesystem to make
the call in its ->setattr() function. Then, eCryptfs would copy the
appropriate inode attributes from the lower inode to the eCryptfs inode.
This patch changes that and actually calls inode_change_ok() on the
eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
would happen earlier in ecryptfs_setattr(), but there are some possible
inode initialization steps that must happen first.
Since the call was already being made on the lower inode, the change in
functionality should be minimal, except for the case of a file extending
truncate call. In that case, inode_newsize_ok() was never being
called on the eCryptfs inode. Rather than inode_newsize_ok() catching
maximum file size errors early on, eCryptfs would encrypt zeroed pages
and write them to the lower filesystem until the lower filesystem's
write path caught the error in generic_write_checks(). This patch
introduces a new function, called ecryptfs_inode_newsize_ok(), which
checks if the new lower file size is within the appropriate limits when
the truncate operation will be growing the lower file.
In summary this change prevents eCryptfs truncate operations (and the
resulting page encryptions), which would exceed the lower filesystem
limits or FSIZE rlimits, from ever starting.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Li Wang <liwang@nudt.edu.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5e6f0d769017cc49207ef56996e42363ec26c1f0 upstream.
ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
page, zeroes out the appropriate portions, and then encrypts the page
before writing it to the lower filesystem. It was unkillable and due to
the lack of sparse file support could result in tying up a large portion
of system resources, while encrypting pages of zeros, with no way for
the truncate operation to be stopped from userspace.
This patch adds the ability for ecryptfs_write() to detect a pending
fatal signal and return as gracefully as possible. The intent is to
leave the lower file in a useable state, while still allowing a user to
break out of the encryption loop. If a pending fatal signal is detected,
the eCryptfs inode size is updated to reflect the modified inode size
and then -EINTR is returned.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 30373dc0c87ffef68d5628e77d56ffb1fa22e1ee upstream.
Print inode on metadata read failure. The only real
way of dealing with metadata read failures is to delete
the underlying file system file. Having the inode
allows one to 'find . -inum INODE`.
[tyhicks@canonical.com: Removed some minor not-for-stable parts]
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit db10e556518eb9d21ee92ff944530d84349684f4 upstream.
A malicious count value specified when writing to /dev/ecryptfs may
result in a a very large kernel memory allocation.
This patch peeks at the specified packet payload size, adds that to the
size of the packet headers and compares the result with the write count
value. The resulting maximum memory allocation size is approximately 532
bytes.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reported-by: Sasha Levin <levinsasha928@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cleancache requires a small amount of code to be added
to a filesystem's implementation so that clean page
cache pages from a filesystem of that type may be
recognized and stored in/retrieved from cleancache.
Change-Id: I94c3fc8817ab66e2c54f7b2c6c474dd2321d9806
Signed-off-by: Larry Bassel <lbassel@codeaurora.org>
commit 1f5d78dc4823a85f112aaa2d0f17624f8c2a6c52 upstream.
We switch to dynamic debugging in commit
56e46742e8 but did not take into account that
now we do not control anymore whether a specific message is enabled or not.
So now we lock the "dbg_lock" and release it in every debugging macro, which
make them not so light-weight.
This commit removes the "dbg_lock" protection from the debugging macros to
fix the issue.
The downside is that now our DBGKEY() stuff is broken, but this is not
critical at all and will be fixed later.
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit 85e72aa5384b1a614563ad63257ded0e91d1a620 upstream.
/proc/pid/clear_refs is used to clear the Referenced and YOUNG bits for
pages and corresponding page table entries of the task with PID pid, which
includes any special mappings inserted into the page tables in order to
provide things like vDSOs and user helper functions.
On ARM this causes a problem because the vectors page is mapped as a
global mapping and since ec706dab ("ARM: add a vma entry for the user
accessible vector page"), a VMA is also inserted into each task for this
page to aid unwinding through signals and syscall restarts. Since the
vectors page is required for handling faults, clearing the YOUNG bit (and
subsequently writing a faulting pte) means that we lose the vectors page
*globally* and cannot fault it back in. This results in a system deadlock
on the next exception.
To see this problem in action, just run:
$ echo 1 > /proc/self/clear_refs
on an ARM platform (as any user) and watch your system hang. I think this
has been the case since 2.6.37
This patch avoids clearing the aforementioned bits for reserved pages,
therefore leaving the vectors page intact on ARM. Since reserved pages
are not candidates for swap, this change should not have any impact on the
usefulness of clear_refs.
Signed-off-by: Will Deacon <will.deacon@arm.com>
Reported-by: Moussa Ba <moussaba@micron.com>
Acked-by: Hugh Dickins <hughd@google.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Russell King <rmk@arm.linux.org.uk>
Acked-by: Nicolas Pitre <nico@linaro.org>
Cc: Matt Mackall <mpm@selenic.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit fe0fe83585f88346557868a803a479dfaaa0688a upstream.
As mandated by the standard. In case of an IO error, a pNFS
objects layout driver must return it's layout. This is because
all device errors are reported to the server as part of the
layout return buffer.
This is implemented the same way PNFS_LAYOUTRET_ON_SETATTR
is done, through a bit flag on the pnfs_layoutdriver_type->flags
member. The flag is set by the layout driver that wants a
layout_return preformed at pnfs_ld_{write,read}_done in case
of an error.
(Though I have not defined a wrapper like pnfs_ld_layoutret_on_setattr
because this code is never called outside of pnfs.c and pnfs IO
paths)
Without this patch 3.[0-2] Kernels leak memory and have an annoying
WARN_ON after every IO error utilizing the pnfs-obj driver.
Signed-off-by: Boaz Harrosh <bharrosh@panasas.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit 5c0b4129c07b902b27d3f3ebc087757f534a3abd upstream.
Some time along the way pNFS IO errors were switched to
communicate with a special iodata->pnfs_error member instead
of the regular RPC members. But objlayout was not switched
over.
Fix that!
Without this fix any IO error is hanged, because IO is not
switched to MDS and pages are never cleared or read.
Signed-off-by: Boaz Harrosh <bharrosh@panasas.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit e268337dfe26dfc7efd422a804dbb27977a3cccc upstream.
Jüri Aedla reported that the /proc/<pid>/mem handling really isn't very
robust, and it also doesn't match the permission checking of any of the
other related files.
This changes it to do the permission checks at open time, and instead of
tracking the process, it tracks the VM at the time of the open. That
simplifies the code a lot, but does mean that if you hold the file
descriptor open over an execve(), you'll continue to read from the _old_
VM.
That is different from our previous behavior, but much simpler. If
somebody actually finds a load where this matters, we'll need to revert
this commit.
I suspect that nobody will ever notice - because the process mapping
addresses will also have changed as part of the execve. So you cannot
actually usefully access the fd across a VM change simply because all
the offsets for IO would have changed too.
Reported-by: Jüri Aedla <asd@ut.ee>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit c3e0ef9a298e028a82ada28101ccd5cf64d209ee upstream.
For 32-bit architectures using standard jiffies the idletime calculation
in uptime_proc_show will quickly overflow. It takes (2^32 / HZ) seconds
of idle-time, or e.g. 12.45 days with no load on a quad-core with HZ=1000.
Switch to 64-bit calculations.
Cc: Michael Abbott <michael.abbott@diamond.ac.uk>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit eaf5f9073533cde21c7121c136f1c3f072d9cf59 upstream.
Two (or more) concurrent calls of shrink_dcache_parent() on the same dentry may
cause shrink_dcache_parent() to loop forever.
Here's what appears to happen:
1 - CPU0: select_parent(P) finds C and puts it on dispose list, returns 1
2 - CPU1: select_parent(P) locks P->d_lock
3 - CPU0: shrink_dentry_list() locks C->d_lock
dentry_kill(C) tries to lock P->d_lock but fails, unlocks C->d_lock
4 - CPU1: select_parent(P) locks C->d_lock,
moves C from dispose list being processed on CPU0 to the new
dispose list, returns 1
5 - CPU0: shrink_dentry_list() finds dispose list empty, returns
6 - Goto 2 with CPU0 and CPU1 switched
Basically select_parent() steals the dentry from shrink_dentry_list() and thinks
it found a new one, causing shrink_dentry_list() to think it's making progress
and loop over and over.
One way to trigger this is to make udev calls stat() on the sysfs file while it
is going away.
Having a file in /lib/udev/rules.d/ with only this one rule seems to the trick:
ATTR{vendor}=="0x8086", ATTR{device}=="0x10ca", ENV{PCI_SLOT_NAME}="%k", ENV{MATCHADDR}="$attr{address}", RUN+="/bin/true"
Then execute the following loop:
while true; do
echo -bond0 > /sys/class/net/bonding_masters
echo +bond0 > /sys/class/net/bonding_masters
echo -bond1 > /sys/class/net/bonding_masters
echo +bond1 > /sys/class/net/bonding_masters
done
One fix would be to check all callers and prevent concurrent calls to
shrink_dcache_parent(). But I think a better solution is to stop the
stealing behavior.
This patch adds a new dentry flag that is set when the dentry is added to the
dispose list. The flag is cleared in dentry_lru_del() in case the dentry gets a
new reference just before being pruned.
If the dentry has this flag, select_parent() will skip it and let
shrink_dentry_list() retry pruning it. With select_parent() skipping those
dentries there will not be the appearance of progress (new dentries found) when
there is none, hence shrink_dcache_parent() will not loop forever.
Set the flag is also set in prune_dcache_sb() for consistency as suggested by
Linus.
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit fed474857efbed79cd390d0aee224231ca718f63 upstream.
Removing the parent of a watched file results in "kernel BUG at
fs/notify/mark.c:139".
To reproduce
add "-w /tmp/audit/dir/watched_file" to audit.rules
rm -rf /tmp/audit/dir
This is caused by fsnotify_destroy_mark() being called without an
extra reference taken by the caller.
Reported by Francesco Cosoleto here:
https://bugzilla.novell.com/show_bug.cgi?id=689860
Fix by removing the BUG_ON and adding a comment about not accessing mark after
the iput.
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit d34315da9146253351146140ea4b277193ee5e5f upstream.
Patch 56e46742e8 broke UBIFS debugging messages:
before that commit when UBIFS debugging was enabled, users saw few useful
debugging messages after mount. However, that patch turned 'dbg_msg()' into
'pr_debug()', so to enable the debugging messages users have to enable them
first via /sys/kernel/debug/dynamic_debug/control, which is very impractical.
This commit makes 'dbg_msg()' to use 'printk()' instead of 'pr_debug()', just
as it was before the breakage.
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit 8a0d551a59ac92d8ff048d6cb29d3a02073e81e8 upstream.
Setting the security context of a NFSv4 mount via the context= mount
option is currently broken. The NFSv4 codepath allocates a parsed
options struct, and then parses the mount options to fill it. It
eventually calls nfs4_remote_mount which calls security_init_mnt_opts.
That clobbers the lsm_opts struct that was populated earlier. This bug
also looks like it causes a small memory leak on each v4 mount where
context= is used.
Fix this by moving the initialization of the lsm_opts into
nfs_alloc_parsed_mount_data. Also, add a destructor for
nfs_parsed_mount_data to make it easier to free all of the allocations
hanging off of it, and to ensure that the security_free_mnt_opts is
called whenever security_init_mnt_opts is.
I believe this regression was introduced quite some time ago, probably
by commit c02d7adf.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit d50f2ab6f050311dbf7b8f5501b25f0bf64a439b upstream.
Commit 503358ae01 ("ext4: avoid divide by
zero when trying to mount a corrupted file system") fixes CVE-2009-4307
by performing a sanity check on s_log_groups_per_flex, since it can be
set to a bogus value by an attacker.
sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex;
groups_per_flex = 1 << sbi->s_log_groups_per_flex;
if (groups_per_flex < 2) { ... }
This patch fixes two potential issues in the previous commit.
1) The sanity check might only work on architectures like PowerPC.
On x86, 5 bits are used for the shifting amount. That means, given a
large s_log_groups_per_flex value like 36, groups_per_flex = 1 << 36
is essentially 1 << 4 = 16, rather than 0. This will bypass the check,
leaving s_log_groups_per_flex and groups_per_flex inconsistent.
2) The sanity check relies on undefined behavior, i.e., oversized shift.
A standard-confirming C compiler could rewrite the check in unexpected
ways. Consider the following equivalent form, assuming groups_per_flex
is unsigned for simplicity.
groups_per_flex = 1 << sbi->s_log_groups_per_flex;
if (groups_per_flex == 0 || groups_per_flex == 1) {
We compile the code snippet using Clang 3.0 and GCC 4.6. Clang will
completely optimize away the check groups_per_flex == 0, leaving the
patched code as vulnerable as the original. GCC keeps the check, but
there is no guarantee that future versions will do the same.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit 093019cf1b18dd31b2c3b77acce4e000e2cbc9ce upstream.
Commit fa8b18ed didn't prevent the integer overflow and possible
memory corruption. "count" can go negative and bypass the check.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Ben Myers <bpm@sgi.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit d2eb8c359309ec45d6bf5b147303ab8e13be86ea upstream.
During BKL removal in 2.6.38, conversion of files from in-ICB format to normal
format got broken. We call ->writepage with i_data_sem held but udf_get_block()
also acquires i_data_sem thus creating A-A deadlock.
We fix the problem by dropping i_data_sem before calling ->writepage() which is
safe since i_mutex still protects us against any changes in the file. Also fix
pagelock - i_data_sem lock inversion in udf_expand_file_adinicb() by dropping
i_data_sem before calling find_or_create_page().
Reported-by: Matthias Matiak <netzpython@mail-on.us>
Tested-by: Matthias Matiak <netzpython@mail-on.us>
Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit 33c104d415e92a51aaf638dc3d93920cfa601e5c upstream.
WARN_ON_ONCE(IS_RDONLY(inode)) tends to trip when filesystem hits error and is
remounted read-only. This unnecessarily scares users (well, they should be
scared because of filesystem error, but the stack trace distracts them from the
right source of their fear ;-). We could as well just remove the WARN_ON but
it's not hard to fix it to not trip on filesystem with errors and not use more
cycles in the common case so that's what we do.
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit a9e36da655e54545c3289b2a0700b5c443de0edd upstream.
This patch fixes a crash in reiserfs_delete_xattrs during umount.
When shrink_dcache_for_umount clears the dcache from
generic_shutdown_super, delayed evictions are forced to disk. If an
evicted inode has extended attributes associated with it, it will
need to walk the xattr tree to locate and remove them.
But since shrink_dcache_for_umount will BUG if it encounters active
dentries, the xattr tree must be released before it's called or it will
crash during every umount.
This patch forces the evictions to occur before generic_shutdown_super
by calling shrink_dcache_sb first. The additional evictions caused
by the removal of each associated xattr file and dir will be automatically
handled as they're added to the LRU list.
CC: reiserfs-devel@vger.kernel.org
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit a06d789b424190e9f59da391681f908486db2554 upstream.
When jqfmt mount option is not specified on remount, we mistakenly clear
s_jquota_fmt value stored in superblock. Fix the problem.
CC: reiserfs-devel@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Commit be4f1ac828776bbc7868a68b465cd8eedb733cfd upstream.
Since Linux 2.6.36 the writeback code has introduces various measures for
live lock prevention during sync(). Unfortunately some of these are
actively harmful for the XFS model, where the inode gets marked dirty for
metadata from the data I/O handler.
The older_than_this checks that are now more strictly enforced since
writeback: avoid livelocking WB_SYNC_ALL writeback
by only calling into __writeback_inodes_sb and thus only sampling the
current cut off time once. But on a slow enough devices the previous
asynchronous sync pass might not have fully completed yet, and thus XFS
might mark metadata dirty only after that sampling of the cut off time for
the blocking pass already happened. I have not myself reproduced this
myself on a real system, but by introducing artificial delay into the
XFS I/O completion workqueues it can be reproduced easily.
Fix this by iterating over all XFS inodes in ->sync_fs and log all that
are dirty. This might log inode that only got redirtied after the
previous pass, but given how cheap delayed logging of inodes is it
isn't a major concern for performance.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Tested-by: Mark Tinguely <tinguely@sgi.com>
Reviewed-by: Mark Tinguely <tinguely@sgi.com>
Signed-off-by: Ben Myers <bpm@sgi.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Commit 0b8fd3033c308e4088760aa1d38ce77197b4e074 upstream.
If the writeback code writes back an inode because it has expired we currently
use the non-blockin ->write_inode path. This means any inode that is pinned
is skipped. With delayed logging and a workload that has very little log
traffic otherwise it is very likely that an inode that gets constantly
written to is always pinned, and thus we keep refusing to write it. The VM
writeback code at that point redirties it and doesn't try to write it again
for another 30 seconds. This means under certain scenarious time based
metadata writeback never happens.
Fix this by calling into xfs_log_inode for kupdate in addition to data
integrity syncs, and thus transfer the inode to the log ASAP.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Tested-by: Mark Tinguely <tinguely@sgi.com>
Reviewed-by: Mark Tinguely <tinguely@sgi.com>
Signed-off-by: Ben Myers <bpm@sgi.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit 111d489f0fb431f4ae85d96851fbf8d3248c09d8 upstream.
Currently, the code assumes that the SEQUENCE status bits are mutually
exclusive. They are not...
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit 48706d0a91583d08c56e7ef2a7602d99c8d4133f upstream.
Fix two bugs in fuse_retrieve():
- retrieving more than one page would yield repeated instances of the
first page
- if more than FUSE_MAX_PAGES_PER_REQ pages were requested than the
request page array would overflow
fuse_retrieve() was added in 2.6.36 and these bugs had been there since the
beginning.
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit 5a0dc7365c240795bf190766eba7a27600be3b3e upstream.
We need to zero out part of a page which beyond EOF before setting uptodate,
otherwise, mapread or write will see non-zero data beyond EOF.
Signed-off-by: Yongqiang Yang <xiaoqiangnk@gmail.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit 13a79a4741d37fda2fbafb953f0f301dc007928f upstream.
If there is an unwritten but clean buffer in a page and there is a
dirty buffer after the buffer, then mpage_submit_io does not write the
dirty buffer out. As a result, da_writepages loops forever.
This patch fixes the problem by checking dirty flag.
Signed-off-by: Yongqiang Yang <xiaoqiangnk@gmail.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit ea51d132dbf9b00063169c1159bee253d9649224 upstream.
If the pte mapping in generic_perform_write() is unmapped between
iov_iter_fault_in_readable() and iov_iter_copy_from_user_atomic(), the
"copied" parameter to ->end_write can be zero. ext4 couldn't cope with
it with delayed allocations enabled. This skips the i_disksize
enlargement logic if copied is zero and no new data was appeneded to
the inode.
gdb> bt
#0 0xffffffff811afe80 in ext4_da_should_update_i_disksize (file=0xffff88003f606a80, mapping=0xffff88001d3824e0, pos=0x1\
08000, len=0x1000, copied=0x0, page=0xffffea0000d792e8, fsdata=0x0) at fs/ext4/inode.c:2467
#1 ext4_da_write_end (file=0xffff88003f606a80, mapping=0xffff88001d3824e0, pos=0x108000, len=0x1000, copied=0x0, page=0\
xffffea0000d792e8, fsdata=0x0) at fs/ext4/inode.c:2512
#2 0xffffffff810d97f1 in generic_perform_write (iocb=<value optimized out>, iov=<value optimized out>, nr_segs=<value o\
ptimized out>, pos=0x108000, ppos=0xffff88001e26be40, count=<value optimized out>, written=0x0) at mm/filemap.c:2440
#3 generic_file_buffered_write (iocb=<value optimized out>, iov=<value optimized out>, nr_segs=<value optimized out>, p\
os=0x108000, ppos=0xffff88001e26be40, count=<value optimized out>, written=0x0) at mm/filemap.c:2482
#4 0xffffffff810db5d1 in __generic_file_aio_write (iocb=0xffff88001e26bde8, iov=0xffff88001e26bec8, nr_segs=0x1, ppos=0\
xffff88001e26be40) at mm/filemap.c:2600
#5 0xffffffff810db853 in generic_file_aio_write (iocb=0xffff88001e26bde8, iov=0xffff88001e26bec8, nr_segs=<value optimi\
zed out>, pos=<value optimized out>) at mm/filemap.c:2632
#6 0xffffffff811a71aa in ext4_file_write (iocb=0xffff88001e26bde8, iov=0xffff88001e26bec8, nr_segs=0x1, pos=0x108000) a\
t fs/ext4/file.c:136
#7 0xffffffff811375aa in do_sync_write (filp=0xffff88003f606a80, buf=<value optimized out>, len=<value optimized out>, \
ppos=0xffff88001e26bf48) at fs/read_write.c:406
#8 0xffffffff81137e56 in vfs_write (file=0xffff88003f606a80, buf=0x1ec2960 <Address 0x1ec2960 out of bounds>, count=0x4\
000, pos=0xffff88001e26bf48) at fs/read_write.c:435
#9 0xffffffff8113816c in sys_write (fd=<value optimized out>, buf=0x1ec2960 <Address 0x1ec2960 out of bounds>, count=0x\
4000) at fs/read_write.c:487
#10 <signal handler called>
#11 0x00007f120077a390 in __brk_reservation_fn_dmi_alloc__ ()
#12 0x0000000000000000 in ?? ()
gdb> print offset
$22 = 0xffffffffffffffff
gdb> print idx
$23 = 0xffffffff
gdb> print inode->i_blkbits
$24 = 0xc
gdb> up
#1 ext4_da_write_end (file=0xffff88003f606a80, mapping=0xffff88001d3824e0, pos=0x108000, len=0x1000, copied=0x0, page=0\
xffffea0000d792e8, fsdata=0x0) at fs/ext4/inode.c:2512
2512 if (ext4_da_should_update_i_disksize(page, end)) {
gdb> print start
$25 = 0x0
gdb> print end
$26 = 0xffffffffffffffff
gdb> print pos
$27 = 0x108000
gdb> print new_i_size
$28 = 0x108000
gdb> print ((struct ext4_inode_info *)((char *)inode-((int)(&((struct ext4_inode_info *)0)->vfs_inode))))->i_disksize
$29 = 0xd9000
gdb> down
2467 for (i = 0; i < idx; i++)
gdb> print i
$30 = 0xd44acbee
This is 100% reproducible with some autonuma development code tuned in
a very aggressive manner (not normal way even for knumad) which does
"exotic" changes to the ptes. It wouldn't normally trigger but I don't
see why it can't happen normally if the page is added to swap cache in
between the two faults leading to "copied" being zero (which then
hangs in ext4). So it should be fixed. Especially possible with lumpy
reclaim (albeit disabled if compaction is enabled) as that would
ignore the young bits in the ptes.
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit fc6cb1cda5db7b2d24bf32890826214b857c728e upstream.
/proc/mounts was showing the mount option [no]init_inode_table when
the correct mount option that will be accepted by parse_options() is
[no]init_itable.
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit 859f57ca00805e6c482eef1a7ab073097d02c8ca upstream.
[slightly different from the upstream version because of a previous cleanup]
Currently xfs_attr_inactive causes a synchronous transactions if we are
removing a file that has any extents allocated to the attribute fork, and
thus makes XFS extremely slow at removing files with out of line extended
attributes. The code looks a like a relict from the days before the busy
extent list, but with the busy extent list we avoid reusing data and attr
extents that have been freed but not commited yet, so this code is just
as superflous as the synchronous transactions for data blocks.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reported-by: Bernd Schubert <bernd.schubert@itwm.fraunhofer.de>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Alex Elder <aelder@sgi.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit c29f7d457ac63311feb11928a866efd2fe153d74 upstream.
The i_ino field in the VFS inode is of type unsigned long and thus can't
hold the full 64-bit inode number on 32-bit kernels. We have the full
inode number in the XFS inode, so use that one for nfs exports. Note
that I've also switched the 32-bit file handles types to it, just to make
the code more consistent and copy & paste errors less likely to happen.
Reported-by: Guoquan Yang <ygq51@hotmail.com>
Reported-by: Hank Peng <pengxihan@gmail.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Ben Myers <bpm@sgi.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit 434a964daa14b9db083ce20404a4a2add54d037a upstream.
Clement Lecigne reports a filesystem which causes a kernel oops in
hfs_find_init() trying to dereference sb->ext_tree which is NULL.
This proves to be because the filesystem has a corrupted MDB extent
record, where the extents file does not fit into the first three extents
in the file record (the first blocks).
In hfs_get_block() when looking up the blocks for the extent file
(HFS_EXT_CNID), it fails the first blocks special case, and falls
through to the extent code (which ultimately calls hfs_find_init())
which is in the process of being initialised.
Hfs avoids this scenario by always having the extents b-tree fitting
into the first blocks (the extents B-tree can't have overflow extents).
The fix is to check at mount time that the B-tree fits into first
blocks, i.e. fail if HFS_I(inode)->alloc_blocks >=
HFS_I(inode)->first_blocks
Note, the existing commit 47f365eb57 ("hfs: fix oops on mount with
corrupted btree extent records") becomes subsumed into this as a special
case, but only for the extents B-tree (HFS_EXT_CNID), it is perfectly
acceptable for the catalog B-Tree file to grow beyond three extents,
with the remaining extent descriptors in the extents overfow.
This fixes CVE-2011-2203
Reported-by: Clement LECIGNE <clement.lecigne@netasq.com>
Signed-off-by: Phillip Lougher <plougher@redhat.com>
Cc: Jeff Mahoney <jeffm@suse.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Moritz Mühlenhoff <jmm@inutil.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit 8762202dd0d6e46854f786bdb6fb3780a1625efe upstream.
I hit a J_ASSERT(blocknr != 0) failure in cleanup_journal_tail() when
mounting a fsfuzzed ext3 image. It turns out that the corrupted ext3
image has s_first = 0 in journal superblock, and the 0 is passed to
journal->j_head in journal_reset(), then to blocknr in
cleanup_journal_tail(), in the end the J_ASSERT failed.
So validate s_first after reading journal superblock from disk in
journal_get_superblock() to ensure s_first is valid.
The following script could reproduce it:
fstype=ext3
blocksize=1024
img=$fstype.img
offset=0
found=0
magic="c0 3b 39 98"
dd if=/dev/zero of=$img bs=1M count=8
mkfs -t $fstype -b $blocksize -F $img
filesize=`stat -c %s $img`
while [ $offset -lt $filesize ]
do
if od -j $offset -N 4 -t x1 $img | grep -i "$magic";then
echo "Found journal: $offset"
found=1
break
fi
offset=`echo "$offset+$blocksize" | bc`
done
if [ $found -ne 1 ];then
echo "Magic \"$magic\" not found"
exit 1
fi
dd if=/dev/zero of=$img seek=$(($offset+23)) conv=notrunc bs=1 count=1
mkdir -p ./mnt
mount -o loop $img ./mnt
Cc: Jan Kara <jack@suse.cz>
Signed-off-by: Eryu Guan <guaneryu@gmail.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Cc: Moritz Mühlenhoff <jmm@inutil.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit 02125a826459a6ad142f8d91c5b6357562f96615 upstream.
__d_path() API is asking for trouble and in case of apparmor d_namespace_path()
getting just that. The root cause is that when __d_path() misses the root
it had been told to look for, it stores the location of the most remote ancestor
in *root. Without grabbing references. Sure, at the moment of call it had
been pinned down by what we have in *path. And if we raced with umount -l, we
could have very well stopped at vfsmount/dentry that got freed as soon as
prepend_path() dropped vfsmount_lock.
It is safe to compare these pointers with pre-existing (and known to be still
alive) vfsmount and dentry, as long as all we are asking is "is it the same
address?". Dereferencing is not safe and apparmor ended up stepping into
that. d_namespace_path() really wants to examine the place where we stopped,
even if it's not connected to our namespace. As the result, it looked
at ->d_sb->s_magic of a dentry that might've been already freed by that point.
All other callers had been careful enough to avoid that, but it's really
a bad interface - it invites that kind of trouble.
The fix is fairly straightforward, even though it's bigger than I'd like:
* prepend_path() root argument becomes const.
* __d_path() is never called with NULL/NULL root. It was a kludge
to start with. Instead, we have an explicit function - d_absolute_root().
Same as __d_path(), except that it doesn't get root passed and stops where
it stops. apparmor and tomoyo are using it.
* __d_path() returns NULL on path outside of root. The main
caller is show_mountinfo() and that's precisely what we pass root for - to
skip those outside chroot jail. Those who don't want that can (and do)
use d_path().
* __d_path() root argument becomes const. Everyone agrees, I hope.
* apparmor does *NOT* try to use __d_path() or any of its variants
when it sees that path->mnt is an internal vfsmount. In that case it's
definitely not mounted anywhere and dentry_path() is exactly what we want
there. Handling of sysctl()-triggered weirdness is moved to that place.
* if apparmor is asked to do pathname relative to chroot jail
and __d_path() tells it we it's not in that jail, the sucker just calls
d_absolute_path() instead. That's the other remaining caller of __d_path(),
BTW.
* seq_path_root() does _NOT_ return -ENAMETOOLONG (it's stupid anyway -
the normal seq_file logics will take care of growing the buffer and redoing
the call of ->show() just fine). However, if it gets path not reachable
from root, it returns SEQ_SKIP. The only caller adjusted (i.e. stopped
ignoring the return value as it used to do).
Reviewed-by: John Johansen <john.johansen@canonical.com>
ACKed-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit b53fc7c2974a50913f49e1d800fe904a28c338e3 upstream.
Fix the error message "directives may not be used inside a macro argument"
which appears when the kernel is compiled for the cris architecture.
Signed-off-by: Claudio Scordino <claudio@evidence.eu.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
