Pull fbdev fixes from Tomi Valkeinen:
 "Minor fixes for amba-clcd and video DT bindings"

* tag 'fbdev-fixes-3.17' of git://git.kernel.org/pub/scm/linux/kernel/git/tomba/linux:
  video: ARM CLCD: Fix color model capabilities for DT platforms
  video: fix composite video connector compatible string

Pull drm fixes from Dave Airlie:
 "AST, i915, radeon and msm fixes, all over the place.

  All fixing build issues, regressions, oopses or failure to detect
  cards"

* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
  drm/ast: AST2000 cannot be detected correctly
  drm/ast: open key before detect chips
  drm/msm: don't crash if no msm.vram param
  drm/msm/hdmi: fix build break on non-CCF platforms
  drm/msm: Change nested function to static function
  drm/radeon/dpm: set the thermal type properly for special configs
  drm/radeon: reduce memory footprint for debugging
  drm/radeon: add connector quirk for fujitsu board
  drm/radeon: fix semaphore value init
  drm/radeon: only use me/pfp sync on evergreen+
  drm/i915: Wait for vblank before enabling the TV encoder
  drm/i915: Evict CS TLBs between batches
  drm/i915: Fix irq enable tracking in driver load
  drm/i915: Fix EIO/wedged handling in gem fault handler
  drm/i915: Prevent recursive deadlock on releasing a busy userptr

The DT-based panel capabilities selection was picking up
a subset of available modes based on hardware configuration.
This was wrong, as the capabilities describe available
memory models and adapt the display controller to them
that the RGB output is wired up correctly (as in: R and
B components are not swapped).

This patch fixes it by removing the unnecessary limitation.
Signed-off-by: Pawel Moll <pawel.moll@arm.com>
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>

Type error and cause AST2000 cannot be detected correctly
Signed-off-by: Y.C. Chen <yc_chen@aspeedtech.com>
Reviewed-by: Egbert Eich <eich@suse.de>
Cc: stable@vger.kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>

Some config settings like 3rd TX chips will not get correctly
if the extended reg is protected
Signed-off-by: Y.C. Chen <yc_chen@aspeedtech.com>
Reviewed-by: Egbert Eich <eich@suse.de>
Cc: stable@vger.kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>

Pull Ceph fixes from Sage Weil:
 "The main thing here is a set of three patches that fix a buffer
  overrun for large authentication tickets (sigh).

  There is also a trivial warning fix and an error path fix that are
  both regressions"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client:
  libceph: do not hard code max auth ticket len
  libceph: add process_one_ticket() helper
  libceph: gracefully handle large reply messages from the mon
  rbd: fix error return code in rbd_dev_device_setup()
  rbd: avoid format-security warning inside alloc_workqueue()

Merge tag 'stable/for-linus-3.17-b-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip

Pull Xen bug fixes from David Vrabel:
 - fix for PVHVM suspend/resume and migration
 - don't pointlessly retry certain ballooning ops
 - fix gntalloc when grefs have run out.
 - fix PV boot if KSALR is enable or very large modules are used.

* tag 'stable/for-linus-3.17-b-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
  x86/xen: don't copy bogus duplicate entries into kernel page tables
  xen/gntalloc: safely delete grefs in add_grefs() undo path
  xen/gntalloc: fix oops after runnning out of grant refs
  xen/balloon: cancel ballooning if adding new memory failed
  xen/manage: Always freeze/thaw processes when suspend/resuming

Pull powerpc fixes from Michael Ellerman:
 "Ben's travelling so this is my first attempt at a pull request.

  There's nothing too exciting.  The CONFIG_FHANDLE one is annoying, I
  know you love defconfig changes.  But we've had a couple of developers
  waste time debugging boxes that wouldn't boot, only to realise it's
  just that systemd needs CONFIG_FHANDLE and our defconfigs don't have
  it.

  The new syscalls seem to be working, I've run the selftests that
  exist, and also let trinity bash on them for a while"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux:
  powerpc: Wire up sys_seccomp(), sys_getrandom() and sys_memfd_create()
  powerpc: Make CONFIG_FHANDLE=y for all 64 bit powerpc defconfigs
  powerpc: use machine_subsys_initcall() for opal_hmi_handler_init()
  powerpc/perf: Fix ABIv2 kernel backtraces
  powerpc/pseries: Fix endian issues in memory hotplug

Pull ACPI and power management fixes from Rafael Wysocki:
 "These are regression fixes (cpufreq, ACPI battery) and fixes for stuff
  that never worked correctly (ACPI RTC operation region handler and PM
  domain implementation in the ACPI LPSS driver).

  Specifics:

   - Fix for the cpufreq Operation Performance Points (OPP) code where a
     recent commit added a kcalloc() call with an incorrect ordering of
     arguments.  From Anand Moon.

   - Reverts of two ACPI battery commits that caused incorrect
     diagnostic information to be printed to dmesg in some cases from
     Bjørn Mork.

   - Fix for the ACPI RTC operation region handler that applied the &
     operator to an argument already representing an address and that
     caused it to overwrite its own argument instead of writing to the
     address contained in it as expected.  From Chun-Yi Lee.

   - Fix for the PM domain implementation in the ACPI LPSS (Low-Power
     Subsystem) driver where one callback pointer pointed to a wrong
     routine and one was NULL, but it shouldn't.  From Fu Zhonghui"

* tag 'pm+acpi-3.17-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  ACPI / LPSS: complete PM entries for LPSS power domain
  Revert "ACPI / battery: fix wrong value of capacity_now reported when fully charged"
  Revert "ACPI / battery: Fix warning message in acpi_battery_get_state()"
  ACPI / RTC: Fix CMOS RTC opregion handler accesses to wrong addresses
  cpufreq / OPP: Fix the order of arguments for kcalloc()

Pull dmaengine fixes from Vinod Koul:
 "Two minor fixes.

  First one from Kuninori clarifying dmas bindings and second from Lars
  for fixing dma descriptor completion in non cyclic case"

* 'fixes' of git://git.infradead.org/users/vkoul/slave-dma:
  dmaengine: jz4740: Fix non-cyclic descriptor completion
  dt/bindings: rcar-audmapp: tidyup dmas explanation

Pull two pin control fixes from Linus Walleij:
 - fix a warning about unbalanced IRQs on the Baytrail
 - update Tomasz Figa's address in MAINTAINERS

* tag 'pinctrl-v3.17-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
  MAINTAINERS: Tomasz has moved
  pinctrl: baytrail: resolve unbalanced IRQ wake disable warning

Pull input updates from Dmitry Torokhov:
 "An update to Synaptics PS/2 driver to handle "ForcePads" (currently
  found in HP EliteBook 1040 laptops), a change for Elan PS/2 driver to
  detect newer touchpads, bunch of devices get annotated as Trackpoint
  and/or Pointer to help userspace classify and handle them, plus
  assorted driver fixes"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: serport - add compat handling for SPIOCSTYPE ioctl
  Input: atmel_mxt_ts - fix double free of input device
  Input: synaptics - add support for ForcePads
  Input: matrix_keypad - use request_any_context_irq()
  Input: atmel_mxt_ts - downgrade warning about empty interrupts
  Input: wm971x - fix typo in module parameter description
  Input: cap1106 - fix register definition
  Input: add missing POINTER / DIRECT properties to a bunch of drivers
  Input: add INPUT_PROP_POINTING_STICK property
  Input: elantech - fix detection of touchpad on ASUS s301l

* acpi-rtc:
  ACPI / RTC: Fix CMOS RTC opregion handler accesses to wrong addresses

* acpi-lpss:
  ACPI / LPSS: complete PM entries for LPSS power domain

* acpi-battery:
  Revert "ACPI / battery: fix wrong value of capacity_now reported when fully charged"
  Revert "ACPI / battery: Fix warning message in acpi_battery_get_state()"

* pm-cpufreq:
  cpufreq / OPP: Fix the order of arguments for kcalloc()

A couple more little fixes:
 1) fix from llvm/clang folks
 2) fix build if common clock framework is not used
 3) if vram carveout is used, have default size for vram carveout

* 'msm-fixes-3.17-rc4' of git://people.freedesktop.org/~robclark/linux:
  drm/msm: don't crash if no msm.vram param
  drm/msm/hdmi: fix build break on non-CCF platforms
  drm/msm: Change nested function to static function

If VRAM carveout is used, due to no IOMMU, we should have a default
value for msm.vram so that we don't simply crash.
Reported-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>

Reported-by: Russell King <linux@arm.linux.org.uk>
Signed-off-by: Rob Clark <robdclark@gmail.com>

There is currently a nested function in Russel King's tree
for the msm HDMI driver.

The last nested function was removed from the Linux kernel
when the Thinkpad driver was fixed.

I believe nested functions are not desired upstream, and it
also breaks compilation with clang so here is a patch to
change the nested function into static function. The patch
works with both clang and gcc.
Signed-off-by: Mark Charlebois <charlebm@gmail.com>
Signed-off-by: Rob Clark <robdclark@gmail.com>

more fixes for 3.17, almost all Cc: stable material.

* tag 'drm-intel-fixes-2014-09-10' of git://anongit.freedesktop.org/drm-intel:
  drm/i915: Wait for vblank before enabling the TV encoder
  drm/i915: Evict CS TLBs between batches
  drm/i915: Fix irq enable tracking in driver load
  drm/i915: Fix EIO/wedged handling in gem fault handler
  drm/i915: Prevent recursive deadlock on releasing a busy userptr

Just a few fixes for radeon for 3.17.

* 'drm-fixes-3.17' of git://people.freedesktop.org/~agd5f/linux:
  drm/radeon/dpm: set the thermal type properly for special configs
  drm/radeon: reduce memory footprint for debugging
  drm/radeon: add connector quirk for fujitsu board
  drm/radeon: fix semaphore value init
  drm/radeon: only use me/pfp sync on evergreen+

We need to make sure to deqeueue the descriptor from the active list before
we call vchan_cookie_complete(). Also we need obviously only set chan->desc
to NULL after we stopped using it.
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>

Merge misc fixes from Andrew Morton:
 "10 fixes"

* emailed patches from Andrew Morton <akpm@linux-foundation.org>:
  fs/notify: don't show f_handle if exportfs_encode_inode_fh failed
  fsnotify/fdinfo: use named constants instead of hardcoded values
  kcmp: fix standard comparison bug
  mm/mmap.c: use pr_emerg when printing BUG related information
  shm: add memfd.h to UAPI export list
  checkpatch: allow commit descriptions on separate line from commit id
  sh: get_user_pages_fast() must flush cache
  eventpoll: fix uninitialized variable in epoll_ctl
  kernel/printk/printk.c: fix faulty logic in the case of recursive printk
  mem-hotplug: let memblock skip the hotpluggable memory regions in __next_mem_range()

Currently we handle only ENOSPC.  In case of other errors the file_handle
variable isn't filled properly and we will show a part of stack.
Signed-off-by: Andrey Vagin <avagin@openvz.org>
Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

MAX_HANDLE_SZ is equal to 128, but currently the size of pad is only 64
bytes, so exportfs_encode_inode_fh can return an error.
Signed-off-by: Andrey Vagin <avagin@openvz.org>
Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

The C operator <= defines a perfectly fine total ordering on the set of
values representable in a long.  However, unlike its namesake in the
integers, it is not translation invariant, meaning that we do not have
"b <= c" iff "a+b <= a+c" for all a,b,c.

This means that it is always wrong to try to boil down the relationship
between two longs to a question about the sign of their difference,
because the resulting relation [a LEQ b iff a-b <= 0] is neither
anti-symmetric or transitive.  The former is due to -LONG_MIN==LONG_MIN
(take any two a,b with a-b = LONG_MIN; then a LEQ b and b LEQ a, but a !=
b).  The latter can either be seen observing that x LEQ x+1 for all x,
implying x LEQ x+1 LEQ x+2 ...  LEQ x-1 LEQ x; or more directly with the
simple example a=LONG_MIN, b=0, c=1, for which a-b < 0, b-c < 0, but a-c >
0.

Note that it makes absolutely no difference that a transmogrying bijection
has been applied before the comparison is done.  In fact, had the
obfuscation not been done, one could probably not observe the bug
(assuming all values being compared always lie in one half of the address
space, the mathematical value of a-b is always representable in a long).
As it stands, one can easily obtain three file descriptors exhibiting the
non-transitivity of kcmp().

Side note 1: I can't see that ensuring the MSB of the multiplier is
set serves any purpose other than obfuscating the obfuscating code.

Side note 2:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <assert.h>
#include <sys/syscall.h>

enum kcmp_type {
        KCMP_FILE,
        KCMP_VM,
        KCMP_FILES,
        KCMP_FS,
        KCMP_SIGHAND,
        KCMP_IO,
        KCMP_SYSVSEM,
        KCMP_TYPES,
};
pid_t pid;

int kcmp(pid_t pid1, pid_t pid2, int type,
	 unsigned long idx1, unsigned long idx2)
{
	return syscall(SYS_kcmp, pid1, pid2, type, idx1, idx2);
}
int cmp_fd(int fd1, int fd2)
{
	int c = kcmp(pid, pid, KCMP_FILE, fd1, fd2);
	if (c < 0) {
		perror("kcmp");
		exit(1);
	}
	assert(0 <= c && c < 3);
	return c;
}
int cmp_fdp(const void *a, const void *b)
{
	static const int normalize[] = {0, -1, 1};
	return normalize[cmp_fd(*(int*)a, *(int*)b)];
}
#define MAX 100 /* This is plenty; I've seen it trigger for MAX==3 */
int main(int argc, char *argv[])
{
	int r, s, count = 0;
	int REL[3] = {0,0,0};
	int fd[MAX];
	pid = getpid();
	while (count < MAX) {
		r = open("/dev/null", O_RDONLY);
		if (r < 0)
			break;
		fd[count++] = r;
	}
	printf("opened %d file descriptors\n", count);
	for (r = 0; r < count; ++r) {
		for (s = r+1; s < count; ++s) {
			REL[cmp_fd(fd[r], fd[s])]++;
		}
	}
	printf("== %d\t< %d\t> %d\n", REL[0], REL[1], REL[2]);
	qsort(fd, count, sizeof(fd[0]), cmp_fdp);
	memset(REL, 0, sizeof(REL));

	for (r = 0; r < count; ++r) {
		for (s = r+1; s < count; ++s) {
			REL[cmp_fd(fd[r], fd[s])]++;
		}
	}
	printf("== %d\t< %d\t> %d\n", REL[0], REL[1], REL[2]);
	return (REL[0] + REL[2] != 0);
}
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org>
"Eric W. Biederman" <ebiederm@xmission.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Make sure we actually see the output of validate_mm() and browse_rb()
before triggering a BUG().  pr_info isn't shown by default so the reason
for the BUG() isn't obvious.
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

The new header file memfd.h from commit 9183df25 ("shm: add
memfd_create() syscall") should be exported.
Signed-off-by: David Drysdale <drysdale@google.com>
Reviewed-by: David Herrmann <dh.herrmann@gmail.com>
Cc: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

The general form for commit id and description is

  'Commit <12+hexdigits> ("commit description/subject line")'

but commit logs often have relatively long commit ids and the commit
description emds on the next line like:

  Some explanation as to why commit <12+hexdigits>
  ("commit foo description/subject line") is improved.

Allow this form.
Signed-off-by: Joe Perches <joe@perches.com>
Suggested-by: Joe Lawrence <joe.lawrence@stratus.com>
Tested-by: Joe Lawrence <joe.lawrence@stratus.com>
Suggested-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

This patch avoids fuse hangs on sh4 by flushing the cache on
get_user_pages_fast().  This is not necessary a good thing to do, but
get_user_pages() does this, so get_user_pages_fast() should too.

Please note the patch for mips arch that addresses the similar problem:
  https://kernel.googlesource.com/pub/scm/linux/kernel/git/ralf/linux/+/linux-3.4.50%5E!/#F0

They basically simply disable get_user_pages_fast() at all, using a
fall-back to get_user_pages().  But my fix is different, it adds an
explicit cache flushes.
Signed-off-by: Stas Sergeev <stsp@users.sourceforge.net>
Cc: Geert Uytterhoeven <geert+renesas@glider.be>
Cc: Kamal Dasu <kdasu.kdev@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

When calling epoll_ctl with operation EPOLL_CTL_DEL, structure epds is
not initialized but ep_take_care_of_epollwakeup reads its event field.
When this unintialized field has EPOLLWAKEUP bit set, a capability check
is done for CAP_BLOCK_SUSPEND in ep_take_care_of_epollwakeup.  This
produces unexpected messages in the audit log, such as (on a system
running SELinux):

    type=AVC msg=audit(1408212798.866:410): avc:  denied
    { block_suspend } for  pid=7754 comm="dbus-daemon" capability=36
    scontext=unconfined_u:unconfined_r:unconfined_t
    tcontext=unconfined_u:unconfined_r:unconfined_t
    tclass=capability2 permissive=1

    type=SYSCALL msg=audit(1408212798.866:410): arch=c000003e syscall=233
    success=yes exit=0 a0=3 a1=2 a2=9 a3=7fffd4d66ec0 items=0 ppid=1
    pid=7754 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
    fsgid=0 tty=(none) ses=3 comm="dbus-daemon"
    exe="/usr/bin/dbus-daemon"
    subj=unconfined_u:unconfined_r:unconfined_t key=(null)

("arch=c000003e syscall=233 a1=2" means "epoll_ctl(op=EPOLL_CTL_DEL)")

Remove use of epds in epoll_ctl when op == EPOLL_CTL_DEL.

Fixes: 4d7e30d9 ("epoll: Add a flag, EPOLLWAKEUP, to prevent suspend while epoll events are ready")
Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Arve Hjønnevåg <arve@android.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

We shouldn't set text_len in the code path that detects printk recursion
because text_len corresponds to the length of the string inside textbuf.
A few lines down from the line

    text_len = strlen(recursion_msg);

is the line

    text_len += vscnprintf(text + text_len, ...);

So if printk detects recursion, it sets text_len to 29 (the length of
recursion_msg) and logs an error.  Then the message supplied by the
caller of printk is stored inside textbuf but offset by 29 bytes.  This
means that the output of the recursive call to printk will contain 29
bytes of garbage in front of it.

This defect is caused by commit 458df9fd ("printk: remove separate
printk_sched buffers and use printk buf instead") which turned the line

    text_len = vscnprintf(text, ...);

into

    text_len += vscnprintf(text + text_len, ...);

To fix this, this patch avoids setting text_len when logging the printk
recursion error.  This patch also marks unlikely() the branch leading up
to this code.

Fixes: 458df9fd ("printk: remove separate printk_sched buffers and use printk buf instead")
Signed-off-by: Patrick Palka <patrick@parcs.ath.cx>
Reviewed-by: Petr Mladek <pmladek@suse.cz>
Reviewed-by: Jan Kara <jack@suse.cz>
Acked-by: Steven Rostedt <rostedt@goodmis.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Let memblock skip the hotpluggable memory regions in __next_mem_range(),
it is used to to prevent memblock from allocating hotpluggable memory
for the kernel at early time. The code is the same as __next_mem_range_rev().

Clear hotpluggable flag before releasing free pages to the buddy
allocator.  If we don't clear hotpluggable flag in
free_low_memory_core_early(), the memory which marked hotpluggable flag
will not free to buddy allocator.  Because __next_mem_range() will skip
them.

free_low_memory_core_early
	for_each_free_mem_range
		for_each_mem_range
			__next_mem_range

[akpm@linux-foundation.org: fix warning]
Signed-off-by: Xishi Qiu <qiuxishi@huawei.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Tang Chen <tangchen@cn.fujitsu.com>
Cc: Zhang Yanfei <zhangyanfei@cn.fujitsu.com>
Cc: Wen Congyang <wency@cn.fujitsu.com>
Cc: "Rafael J. Wysocki" <rjw@sisk.pl>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Pull UDF fixes from Jan Kara:
 "Fixes for UDF handling of NFS handles and one fix for proper handling
  of corrupted media"

* 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
  udf: saner calling conventions for udf_new_inode()
  udf: fix the udf_iget() vs. udf_new_inode() races
  udf: merge the pieces inserting a new non-directory object into directory
  udf: Set i_generation field
  udf: Properly detect stale inodes
  udf: Make udf_read_inode() and udf_iget() return error
  udf: Avoid infinite loop when processing indirect ICBs
  udf: Fold udf_fill_inode() into __udf_read_inode()
  udf: Avoid dir link count to go negative

When running a 32-bit inputattach utility in a 64-bit system, there will be
error code "inputattach: can't set device type". This is caused by the
serport device driver not supporting compat_ioctl, so that SPIOCSTYPE ioctl
fails.

Cc: stable@vger.kernel.org
Signed-off-by: John Sung <penmount.touch@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

[Nick Dyer: reworked to move free of input device into separate function
and only call in paths that require it.]
Signed-off-by: Nick Dyer <nick.dyer@itdev.co.uk>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

We hard code cephx auth ticket buffer size to 256 bytes.  This isn't
enough for any moderate setups and, in case tickets themselves are not
encrypted, leads to buffer overflows (ceph_x_decrypt() errors out, but
ceph_decode_copy() doesn't - it's just a memcpy() wrapper).  Since the
buffer is allocated dynamically anyway, allocated it a bit later, at
the point where we know how much is going to be needed.

Fixes: http://tracker.ceph.com/issues/8979

Cc: stable@vger.kernel.org
Signed-off-by: Ilya Dryomov <ilya.dryomov@inktank.com>
Reviewed-by: Sage Weil <sage@redhat.com>

Add a helper for processing individual cephx auth tickets.  Needed for
the next commit, which deals with allocating ticket buffers.  (Most of
the diff here is whitespace - view with git diff -b).

Cc: stable@vger.kernel.org
Signed-off-by: Ilya Dryomov <ilya.dryomov@inktank.com>
Reviewed-by: Sage Weil <sage@redhat.com>

We preallocate a few of the message types we get back from the mon.  If we
get a larger message than we are expecting, fall back to trying to allocate
a new one instead of blindly using the one we have.

CC: stable@vger.kernel.org
Signed-off-by: Sage Weil <sage@redhat.com>
Reviewed-by: Ilya Dryomov <ilya.dryomov@inktank.com>

When RANDOMIZE_BASE (KASLR) is enabled; or the sum of all loaded
modules exceeds 512 MiB, then loading modules fails with a warning
(and hence a vmalloc allocation failure) because the PTEs for the
newly-allocated vmalloc address space are not zero.

  WARNING: CPU: 0 PID: 494 at linux/mm/vmalloc.c:128
           vmap_page_range_noflush+0x2a1/0x360()

This is caused by xen_setup_kernel_pagetables() copying
level2_kernel_pgt into level2_fixmap_pgt, overwriting many non-present
entries.

Without KASLR, the normal kernel image size only covers the first half
of level2_kernel_pgt and module space starts after that.

L4[511]->level3_kernel_pgt[510]->level2_kernel_pgt[  0..255]->kernel
                                                  [256..511]->module
                          [511]->level2_fixmap_pgt[  0..505]->module

This allows 512 MiB of of module vmalloc space to be used before
having to use the corrupted level2_fixmap_pgt entries.

With KASLR enabled, the kernel image uses the full PUD range of 1G and
module space starts in the level2_fixmap_pgt. So basically:

L4[511]->level3_kernel_pgt[510]->level2_kernel_pgt[0..511]->kernel
                          [511]->level2_fixmap_pgt[0..505]->module

And now no module vmalloc space can be used without using the corrupt
level2_fixmap_pgt entries.

Fix this by properly converting the level2_fixmap_pgt entries to MFNs,
and setting level1_fixmap_pgt as read-only.

A number of comments were also using the the wrong L3 offset for
level2_kernel_pgt.  These have been corrected.
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: stable@vger.kernel.org

I am leaving Samsung, so my current e-mail address is not going to work
any longer. Replace it with my private one. In addition, Sylwester
Nawrocki is being added as co-maintainer for Samsung clock drivers to
take some of the responsibilities, as I will be doing my part in my spare
time.
Signed-off-by: Tomasz Figa <t.figa@samsung.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>