1. 12 Aug, 2015 40 commits
    • libata: add ATA_HORKAGE_NOTRIM · 7ceea41b
      Arne Fitzenreiter authored
      commit 71d126fd upstream.
      
      Some devices lose data on TRIM whether queued or not.  This patch adds
      a horkage to disable TRIM.
      
      tj: Collapsed unnecessary if() nesting.
      Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
      Signed-off-by: Tejun Heo <tj@kernel.org>
      [bwh: Backported to 3.2:
       - Adjust context
       - Drop change to show_ata_dev_trim()]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • libata: add ATA_HORKAGE_BROKEN_FPDMA_AA quirk for HP 250GB SATA disk VB0250EAVER · 3d27f59a
      Aleksei Mamlin authored
      commit 08c85d2a upstream.
      
      Enabling AA on HP 250GB SATA disk VB0250EAVER causes errors:
      
      [    3.788362] ata3.00: failed to enable AA (error_mask=0x1)
      [    3.789243] ata3.00: failed to enable AA (error_mask=0x1)
      
      Add the ATA_HORKAGE_BROKEN_FPDMA_AA for this specific harddisk.
      
      tj: Collected FPDMA_AA entries and updated comment.
      Signed-off-by: Aleksei Mamlin <mamlinav@gmail.com>
      Signed-off-by: Tejun Heo <tj@kernel.org>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • ata: pmp: add quirk for Marvell 4140 SATA PMP · 7967fd4d
      Lior Amsalem authored
      commit 945b4744 upstream.
      
      This commit adds the necessary quirk to make the Marvell 4140 SATA PMP
      work properly. This PMP doesn't like SRST on port number 4 (the host
      port) so this commit marks this port as not supporting SRST.
      Signed-off-by: Lior Amsalem <alior@marvell.com>
      Reviewed-by: Nadav Haklai <nadavh@marvell.com>
      Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
      Signed-off-by: Tejun Heo <tj@kernel.org>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • rds: rds_ib_device.refcount overflow · 67164064
      Wengang Wang authored
      commit 4fabb594 upstream.
      
      Fixes: 3e0249f9 ("RDS/IB: add refcount tracking to struct rds_ib_device")
      
      rds_ib_device.refcount is not dropped in case rds_ib_alloc_fmr
      failed (mr pool running out). This leads to the refcount overflow.
      
      A complaint at line 117 (see following) is seen. From vmcore:
      s_ib_rdma_mr_pool_depleted is 2147485544 and rds_ibdev->refcount is -2147475448.
      That is the evidence the mr pool is used up, so rds_ib_alloc_fmr is very likely
      to return ERR_PTR(-EAGAIN).
      
      115 void rds_ib_dev_put(struct rds_ib_device *rds_ibdev)
      116 {
      117         BUG_ON(atomic_read(&rds_ibdev->refcount) <= 0);
      118         if (atomic_dec_and_test(&rds_ibdev->refcount))
      119                 queue_work(rds_wq, &rds_ibdev->free_work);
      120 }
      
      Fix is to drop refcount when rds_ib_alloc_fmr fails.
      Signed-off-by: Wengang Wang <wen.gang.wang@oracle.com>
      Reviewed-by: Haggai Eran <haggaie@mellanox.com>
      Signed-off-by: Doug Ledford <dledford@redhat.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • Btrfs: fix file corruption after cloning inline extents · ea1f6701
      Filipe Manana authored
      commit ed958762 upstream.
      
      Using the clone ioctl (or extent_same ioctl, which calls the same extent
      cloning function as well) we end up allowing an inline extent to be copied
      from the source file into a non-zero offset of the destination file. This is
      something not expected and that the btrfs code is not prepared to deal
      with - all inline extents must be at a file offset equal to 0.
      
      For example, the following excerpt of a test case for fstests triggers
      a crash/BUG_ON() on a write operation after an inline extent is cloned
      into a non-zero offset:
      
        _scratch_mkfs >>$seqres.full 2>&1
        _scratch_mount
      
        # Create our test files. File foo has the same 2K of data at offset 4K
        # as file bar has at its offset 0.
        $XFS_IO_PROG -f -s -c "pwrite -S 0xaa 0 4K" \
            -c "pwrite -S 0xbb 4k 2K" \
            -c "pwrite -S 0xcc 8K 4K" \
            $SCRATCH_MNT/foo | _filter_xfs_io
      
        # File bar consists of a single inline extent (2K size).
        $XFS_IO_PROG -f -s -c "pwrite -S 0xbb 0 2K" \
           $SCRATCH_MNT/bar | _filter_xfs_io
      
        # Now call the clone ioctl to clone the extent of file bar into file
        # foo at its offset 4K. This made file foo have an inline extent at
        # offset 4K, something which the btrfs code can not deal with in future
        # IO operations because all inline extents are supposed to start at an
        # offset of 0, resulting in all sorts of chaos.
        # So here we validate that clone ioctl returns an EOPNOTSUPP, which is
        # what it returns for other cases dealing with inlined extents.
        $CLONER_PROG -s 0 -d $((4 * 1024)) -l $((2 * 1024)) \
            $SCRATCH_MNT/bar $SCRATCH_MNT/foo
      
        # Because of the inline extent at offset 4K, the following write made
        # the kernel crash with a BUG_ON().
        $XFS_IO_PROG -c "pwrite -S 0xdd 6K 2K" $SCRATCH_MNT/foo | _filter_xfs_io
      
        status=0
        exit
      
      The stack trace of the BUG_ON() triggered by the last write is:
      
        [152154.035903] ------------[ cut here ]------------
        [152154.036424] kernel BUG at mm/page-writeback.c:2286!
        [152154.036424] invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
        [152154.036424] Modules linked in: btrfs dm_flakey dm_mod crc32c_generic xor raid6_pq nfsd auth_rpcgss oid_registry nfs_acl nfs lockd grace fscache sunrpc loop fuse parport_pc acpi_cpu$
        [152154.036424] CPU: 2 PID: 17873 Comm: xfs_io Tainted: G        W       4.1.0-rc6-btrfs-next-11+ #2
        [152154.036424] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.1-0-g4adadbd-20150316_085822-nilsson.home.kraxel.org 04/01/2014
        [152154.036424] task: ffff880429f70990 ti: ffff880429efc000 task.ti: ffff880429efc000
        [152154.036424] RIP: 0010:[<ffffffff8111a9d5>]  [<ffffffff8111a9d5>] clear_page_dirty_for_io+0x1e/0x90
        [152154.036424] RSP: 0018:ffff880429effc68  EFLAGS: 00010246
        [152154.036424] RAX: 0200000000000806 RBX: ffffea0006a6d8f0 RCX: 0000000000000001
        [152154.036424] RDX: 0000000000000000 RSI: ffffffff81155d1b RDI: ffffea0006a6d8f0
        [152154.036424] RBP: ffff880429effc78 R08: ffff8801ce389fe0 R09: 0000000000000001
        [152154.036424] R10: 0000000000002000 R11: ffffffffffffffff R12: ffff8800200dce68
        [152154.036424] R13: 0000000000000000 R14: ffff8800200dcc88 R15: ffff8803d5736d80
        [152154.036424] FS:  00007fbf119f6700(0000) GS:ffff88043d280000(0000) knlGS:0000000000000000
        [152154.036424] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        [152154.036424] CR2: 0000000001bdc000 CR3: 00000003aa555000 CR4: 00000000000006e0
        [152154.036424] Stack:
        [152154.036424]  ffff8803d5736d80 0000000000000001 ffff880429effcd8 ffffffffa04e97c1
        [152154.036424]  ffff880429effd68 ffff880429effd60 0000000000000001 ffff8800200dc9c8
        [152154.036424]  0000000000000001 ffff8800200dcc88 0000000000000000 0000000000001000
        [152154.036424] Call Trace:
        [152154.036424]  [<ffffffffa04e97c1>] lock_and_cleanup_extent_if_need+0x147/0x18d [btrfs]
        [152154.036424]  [<ffffffffa04ea82c>] __btrfs_buffered_write+0x245/0x4c8 [btrfs]
        [152154.036424]  [<ffffffffa04ed14b>] ? btrfs_file_write_iter+0x150/0x3e0 [btrfs]
        [152154.036424]  [<ffffffffa04ed15a>] ? btrfs_file_write_iter+0x15f/0x3e0 [btrfs]
        [152154.036424]  [<ffffffffa04ed2c7>] btrfs_file_write_iter+0x2cc/0x3e0 [btrfs]
        [152154.036424]  [<ffffffff81165a4a>] __vfs_write+0x7c/0xa5
        [152154.036424]  [<ffffffff81165f89>] vfs_write+0xa0/0xe4
        [152154.036424]  [<ffffffff81166855>] SyS_pwrite64+0x64/0x82
        [152154.036424]  [<ffffffff81465197>] system_call_fastpath+0x12/0x6f
        [152154.036424] Code: 48 89 c7 e8 0f ff ff ff 5b 41 5c 5d c3 0f 1f 44 00 00 55 48 89 e5 41 54 53 48 89 fb e8 ae ef 00 00 49 89 c4 48 8b 03 a8 01 75 02 <0f> 0b 4d 85 e4 74 59 49 8b 3c 2$
        [152154.036424] RIP  [<ffffffff8111a9d5>] clear_page_dirty_for_io+0x1e/0x90
        [152154.036424]  RSP <ffff880429effc68>
        [152154.242621] ---[ end trace e3d3376b23a57041 ]---
      
      Fix this by returning the error EOPNOTSUPP if an attempt to copy an
      inline extent into a non-zero offset happens, just like what is done for
      other scenarios that would require copying/splitting inline extents,
      which were introduced by the following commits:
      
         00fdf13a ("Btrfs: fix a crash of clone with inline extents's split")
         3f9e3df8 ("btrfs: replace error code from btrfs_drop_extents")
      Signed-off-by: Filipe Manana <fdmanana@suse.com>
      [bwh: Backported to 3.2: test new_key.offset as last_dest_end isn't defined
       in this function]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • s390/process: fix sfpc inline assembly · b411a8a3
      Heiko Carstens authored
      commit e47994dd upstream.
      
      The sfpc inline assembly within execve_tail() may incorrectly set bits
      28-31 of the sfpc instruction to a value which is not zero.
      These bits however are currently unused and therefore should be zero
      so we won't get surprised if these bits will be used in the future.
      
      Therefore remove the second operand from the inline assembly.
      Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • 9p: don't leave a half-initialized inode sitting around · 755a4743
      Al Viro authored
      commit 0a73d0a2 upstream.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • net: call rcu_read_lock early in process_backlog · 9191ab2f
      Julian Anastasov authored
      commit 2c17d27c upstream.
      
      Incoming packet should be either in backlog queue or
      in RCU read-side section. Otherwise, the final sequence of
      flush_backlog() and synchronize_net() may miss packets
      that can run without device reference:
      
      CPU 1                  CPU 2
                             skb->dev: no reference
                             process_backlog:__skb_dequeue
                             process_backlog:local_irq_enable
      
      on_each_cpu for
      flush_backlog =>       IPI(hardirq): flush_backlog
                             - packet not found in backlog
      
                             CPU delayed ...
      synchronize_net
      - no ongoing RCU
      read-side sections
      
      netdev_run_todo,
      rcu_barrier: no
      ongoing callbacks
                             __netif_receive_skb_core:rcu_read_lock
                             - too late
      free dev
                             process packet for freed dev
      
      Fixes: 6e583ce5 ("net: eliminate refcounting in backlog queue")
      Cc: Eric W. Biederman <ebiederm@xmission.com>
      Cc: Stephen Hemminger <stephen@networkplumber.org>
      Signed-off-by: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.2:
       - Adjust context
       - No need to rename the label in __netif_receive_skb()]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • net: do not process device backlog during unregistration · 78b6803a
      Julian Anastasov authored
      commit e9e4dd32 upstream.
      
      commit 381c759d ("ipv4: Avoid crashing in ip_error")
      fixes a problem where processed packet comes from device
      with destroyed inetdev (dev->ip_ptr). This is not expected
      because inetdev_destroy is called in NETDEV_UNREGISTER
      phase and packets should not be processed after
      dev_close_many() and synchronize_net(). Above fix is still
      required because inetdev_destroy can be called for other
      reasons. But it shows the real problem: backlog can keep
      packets for long time and they do not hold reference to
      device. Such packets are then delivered to upper levels
      at the same time when device is unregistered.
      Calling flush_backlog after NETDEV_UNREGISTER_FINAL still
      accounts all packets from backlog but before that some packets
      continue to be delivered to upper levels long after the
      synchronize_net call which is supposed to wait the last
      ones. Also, as Eric pointed out, processed packets, mostly
      from other devices, can continue to add new packets to backlog.
      
      Fix the problem by moving flush_backlog early, after the
      device driver is stopped and before the synchronize_net() call.
      Then use netif_running check to make sure we do not add more
      packets to backlog. We have to do it in enqueue_to_backlog
      context when the local IRQ is disabled. As result, after the
      flush_backlog and synchronize_net sequence all packets
      should be accounted.
      
      Thanks to Eric W. Biederman for the test script and his
      valuable feedback!
      Reported-by: Vittorio Gambaletta <linuxbugs@vittgam.net>
      Fixes: 6e583ce5 ("net: eliminate refcounting in backlog queue")
      Cc: Eric W. Biederman <ebiederm@xmission.com>
      Cc: Stephen Hemminger <stephen@networkplumber.org>
      Signed-off-by: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • mm: avoid setting up anonymous pages into file mapping · e2506476
      Kirill A. Shutemov authored
      commit 6b7339f4 upstream.
      
      Reading page fault handler code I've noticed that under right
      circumstances kernel would map anonymous pages into file mappings: if
      the VMA doesn't have vm_ops->fault() and the VMA wasn't fully populated
      on ->mmap(), kernel would handle page fault to not populated pte with
      do_anonymous_page().
      
      Let's change page fault handler to use do_anonymous_page() only on
      anonymous VMA (->vm_ops == NULL) and make sure that the VMA is not
      shared.
      
      For file mappings without vm_ops->fault() or shared VMA without vm_ops,
      page fault on pte_none() entry would lead to SIGBUS.
      Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Acked-by: Oleg Nesterov <oleg@redhat.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Willy Tarreau <w@1wt.eu>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • rtnetlink: verify IFLA_VF_INFO attributes before passing them to driver · 350ae75a
      Daniel Borkmann authored
      commit 4f7d2cdf upstream.
      
      Jason Gunthorpe reported that since commit c02db8c6 ("rtnetlink: make
      SR-IOV VF interface symmetric"), we don't verify IFLA_VF_INFO attributes
      anymore with respect to their policy, that is, ifla_vfinfo_policy[].
      
      Before, they were part of ifla_policy[], but they have been nested since
      placed under IFLA_VFINFO_LIST, that contains the attribute IFLA_VF_INFO,
      which is another nested attribute for the actual VF attributes such as
      IFLA_VF_MAC, IFLA_VF_VLAN, etc.
      
      Despite the policy being split out from ifla_policy[] in this commit,
      it's never applied anywhere. nla_for_each_nested() only does basic nla_ok()
      testing for struct nlattr, but it doesn't know about the data context and
      their requirements.
      
      Fix, on top of Jason's initial work, does 1) parsing of the attributes
      with the right policy, and 2) using the resulting parsed attribute table
      from 1) instead of the nla_for_each_nested() loop (just like we used to
      do when still part of ifla_policy[]).
      
      Reference: http://thread.gmane.org/gmane.linux.network/368913
      Fixes: c02db8c6 ("rtnetlink: make SR-IOV VF interface symmetric")
      Reported-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
      Cc: Chris Wright <chrisw@sous-sol.org>
      Cc: Sucheta Chakraborty <sucheta.chakraborty@qlogic.com>
      Cc: Greg Rose <gregory.v.rose@intel.com>
      Cc: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
      Cc: Rony Efraim <ronye@mellanox.com>
      Cc: Vlad Zolotarov <vladz@cloudius-systems.com>
      Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
      Cc: Thomas Graf <tgraf@suug.ch>
      Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
      Acked-by: Vlad Zolotarov <vladz@cloudius-systems.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.2:
       - Drop unsupported attributes
       - Use ndo_set_vf_tx_rate operation, not ndo_set_vf_rate]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • drm: add a check for x/y in drm_mode_setcrtc · 270f4921
      Zhao Junwang authored
      commit 01447e9f upstream.
      
      legacy setcrtc ioctl does take a 32 bit value which might indeed
      overflow
      
      the checks of crtc_req->x > INT_MAX and crtc_req->y > INT_MAX aren't
      needed any more with this
      
      v2: -polish the annotation according to Daniel's comment
      
      Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: Zhao Junwang <zhjwpku@gmail.com>
      Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • drm: Check crtc x and y coordinates · fe3215cc
      Ville Syrjälä authored
      commit 1d97e915 upstream.
      
      The crtc x/y panning coordinates are stored as signed integers
      internally. The user provides them as unsigned, so we should check
      that the user provided values actually fit in the internal datatypes.
      Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
      Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • s390/sclp: clear upper register halves in _sclp_print_early · 436bd506
      Martin Schwidefsky authored
      commit f9c87a6f upstream.
      
      If the kernel is compiled with gcc 5.1 and the XZ compression option
      the decompress_kernel function calls _sclp_print_early in 64-bit mode
      while the content of the upper register half of %r6 is non-zero.
      This causes a specification exception on the servc instruction in
      _sclp_servc.
      
      The _sclp_print_early function saves and restores the upper register
      halves but it fails to clear them for the 31-bit code of the mini sclp
      driver.
      Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • dm btree: silence lockdep lock inversion in dm_btree_del() · a62b33ee
      Joe Thornber authored
      commit 1c751879 upstream.
      
      Allocate memory using GFP_NOIO when deleting a btree.  dm_btree_del()
      can be called via an ioctl and we don't want to recurse into the FS or
      block layer.
      Signed-off-by: Joe Thornber <ejt@redhat.com>
      Signed-off-by: Mike Snitzer <snitzer@redhat.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • USB: cp210x: add ID for Aruba Networks controllers · 0dca2ecb
      Peter Sanford authored
      commit f98a7aa8 upstream.
      
      Add the USB serial console device ID for Aruba Networks 7xxx series
      controllers which have a USB port for their serial console.
      Signed-off-by: Peter Sanford <peter@sanford.io>
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • dm thin: allocate the cell_sort_array dynamically · 24e67c60
      Joe Thornber authored
      commit a822c83e upstream.
      
      Given the pool's cell_sort_array holds 8192 pointers it triggers an
      order 5 allocation via kmalloc.  This order 5 allocation is prone to
      failure as system memory gets more fragmented over time.
      
      Fix this by allocating the cell_sort_array using vmalloc.
      Signed-off-by: Joe Thornber <ejt@redhat.com>
      Signed-off-by: Mike Snitzer <snitzer@redhat.com>
      [bwh: Backported to 3.2: make a similar change in prison_{create,destroy}()]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • dm btree remove: fix bug in redistribute3 · c44d39ea
      Dennis Yang authored
      commit 4c7e3093 upstream.
      
      redistribute3() shares entries out across 3 nodes.  Some entries were
      being moved the wrong way, breaking the ordering.  This manifested as a
      BUG() in dm-btree-remove.c:shift() when entries were removed from the
      btree.
      
      For additional context see:
      https://www.redhat.com/archives/dm-devel/2015-May/msg00113.html
      Signed-off-by: Dennis Yang <shinrairis@gmail.com>
      Signed-off-by: Joe Thornber <ejt@redhat.com>
      Signed-off-by: Mike Snitzer <snitzer@redhat.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • ext4: replace open coded nofail allocation in ext4_free_blocks() · 1de7ce2b
      Michal Hocko authored
      commit 7444a072 upstream.
      
      ext4_free_blocks is looping around the allocation request and mimics
      __GFP_NOFAIL behavior without any allocation fallback strategy. Let's
      remove the open coded loop and replace it with __GFP_NOFAIL. Without the
      flag the allocator has no way to find out never-fail requirement and
      cannot help in any way.
      Signed-off-by: Michal Hocko <mhocko@suse.cz>
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
      [bwh: Backported to 3.2:
       - Adjust context
       - s/ext4_free_data_cachep/ext4_free_ext_cachep/]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • 9p: forgetting to cancel request on interrupted zero-copy RPC · c45a8130
      Al Viro authored
      commit a84b69cb upstream.
      
      If we'd already sent a request and decide to abort it, we *must*
      issue TFLUSH properly and not just blindly reuse the tag, or
      we'll get seriously screwed when response eventually arrives
      and we confuse it for response to later request that had reused
      the same tag.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • KVM: x86: properly restore LVT0 · 20ca0fb6
      Radim Krčmář authored
      commit db138562 upstream.
      
      Legacy NMI watchdog didn't work after migration/resume, because
      vapics_in_nmi_mode was left at 0.
      Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      [bwh: Backported to 3.2:
       - Adjust context
       - s/kvm_apic_get_reg/apic_get_reg/]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • KVM: x86: make vapics_in_nmi_mode atomic · 1fba7ba2
      Radim Krčmář authored
      commit 42720138 upstream.
      
      Writes were a bit racy, but hard to turn into a bug at the same time.
      (Particularly because modern Linux doesn't use this feature anymore.)
      Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
      [Actually the next patch makes it much, much easier to trigger the race
       so I'm including this one for stable@ as well. - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • netfilter: bridge: don't leak skb in error paths · f17199d8
      Florian Westphal authored
      commit dd302b59 upstream.
      
      br_nf_dev_queue_xmit must free skb in its error path.
      NF_DROP is misleading -- it's an okfn, not a netfilter hook.
      
      Fixes: 462fb2af ("bridge : Sanitize skb before it enters the IP stack")
      Fixes: efb6de9b ("netfilter: bridge: forward IPv6 fragmented packets")
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      [bwh: Backported to 3.2:
       - Adjust filename
       - Drop IPv6 changes]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • ext4: avoid deadlocks in the writeback path by using sb_getblk_gfp · d612a04d
      Nikolay Borisov authored
      commit c45653c3 upstream.
      
      Switch ext4 to using sb_getblk_gfp with GFP_NOFS added to fix possible
      deadlocks in the page writeback path.
      Signed-off-by: Nikolay Borisov <kernel@kyup.com>
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • bufferhead: Add _gfp version for sb_getblk() · 786d7b3d
      Nikolay Borisov authored
      commit bd7ade3c upstream.
      
      sb_getblk() is used during ext4 (and possibly other FSes) writeback
      paths. Sometimes such paths require allocating memory and guaranteeing
      that such allocation won't block. Currently, however, there is no way
      to provide user flags for sb_getblk which could lead to deadlocks.
      
      This patch implements a sb_getblk_gfp with the only difference it can
      accept user-provided GFP flags.
      Signed-off-by: Nikolay Borisov <kernel@kyup.com>
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • fs/buffer.c: support buffer cache allocations with gfp modifiers · 74e9374e
      Gioh Kim authored
      commit 3b5e6454 upstream.
      
      A buffer cache is allocated from movable area because it is referred
      for a while and released soon.  But some filesystems are taking buffer
      cache for a long time and it can disturb page migration.
      
      New APIs are introduced to allocate buffer cache with user specific
      flag.  *_gfp APIs are for users who want to set the page allocation flag for
      page cache allocation.  And *_unmovable APIs are for users who want to
      allocate page cache from the non-movable area.
      Signed-off-by: Gioh Kim <gioh.kim@lge.com>
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
      Reviewed-by: Jan Kara <jack@suse.cz>
      [bwh: Prerequisite for "bufferhead: Add _gfp version for sb_getblk()".
       Backported to 3.2: adjust context]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • ACPICA: Tables: Fix an issue that FACS initialization is performed twice · 2cae492e
      Lv Zheng authored
      commit c04be184 upstream.
      
      ACPICA commit 90f5332a15e9d9ba83831ca700b2b9f708274658
      
      This patch adds a new FACS initialization flag for acpi_tb_initialize().
      acpi_enable_subsystem() might be invoked several times in OS bootup process,
      and we don't want FACS initialization to be invoked twice. Lv Zheng.
      
      Link: https://github.com/acpica/acpica/commit/90f5332a
      Signed-off-by: Lv Zheng <lv.zheng@intel.com>
      Signed-off-by: Bob Moore <robert.moore@intel.com>
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      [bwh: Backported to 3.2: adjust filename]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • ALSA: usb-audio: Add MIDI support for Steinberg MI2/MI4 · 58e21827
      Dominic Sacré authored
      commit 0689a86a upstream.
      
      The Steinberg MI2 and MI4 interfaces are compatible with the USB class
      audio spec, but the MIDI part of the devices is reported as a vendor
      specific interface.
      
      This patch adds entries to quirks-table.h to recognize the MIDI
      endpoints. Audio functionality was already working and is unaffected by
      this change.
      Signed-off-by: Dominic Sacré <dominic.sacre@gmx.de>
      Signed-off-by: Albert Huitsing <albert@huitsing.nl>
      Acked-by: Clemens Ladisch <clemens@ladisch.de>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • fuse: initialize fc->release before calling it · 1a713f98
      Miklos Szeredi authored
      commit 0ad0b325 upstream.
      
      fc->release is called from fuse_conn_put() which was used in the error
      cleanup before fc->release was initialized.
      
      [Jeremiah Mahler <jmmahler@gmail.com>: assign fc->release after calling
      fuse_conn_init(fc) instead of before.]
      Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
      Fixes: a325f9b9 ("fuse: update fuse_conn_init() and separate out fuse_conn_kill()")
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • crush: fix a bug in tree bucket decode · f34a986b
      Ilya Dryomov authored
      commit 82cd003a upstream.
      
      struct crush_bucket_tree::num_nodes is u8, so ceph_decode_8_safe()
      should be used.  -Wconversion catches this, but I guess it went
      unnoticed in all the noise it spews.  The actual problem (at least for
      common crushmaps) isn't the u32 -> u8 truncation though - it's the
      advancement by 4 bytes instead of 1 in the crushmap buffer.
      
      Fixes: http://tracker.ceph.com/issues/2759
      Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
      Reviewed-by: Josh Durgin <jdurgin@redhat.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
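The cursor-advance problem described in the crush commit above, shown as an added example that is not the Ceph or kernel code: a bounds-checked decoder run over a constructed buffer, once with the 1-byte read and once with the 4-byte read. The names `cursor`, `tree`, `decode_u8`, `decode_u32`, `decode_tree` and the record layout are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Hypothetical cursor and result types (not the kernel's). */
struct cursor { const uint8_t *p, *end; };
struct tree { int status; uint8_t num_nodes; uint32_t weight[2]; };
/* Bounds-checked reads: 0 on success, -1 if the field would overrun. */
static int decode_u8(struct cursor *c, uint8_t *out)
{
    if (c->end - c->p < 1)
        return -1;
    *out = *c->p++;
    return 0;
}

static int decode_u32(struct cursor *c, uint32_t *out)
{
    if (c->end - c->p < 4)
        return -1;
    *out = (uint32_t)c->p[0] | (uint32_t)c->p[1] << 8 |
           (uint32_t)c->p[2] << 16 | (uint32_t)c->p[3] << 24;
    c->p += 4;
    return 0;
}

/* Constructed sample: num_nodes = 2 (u8), then two little-endian u32 weights. */
static const uint8_t sample[] = { 0x02, 0x10, 0, 0, 0, 0x20, 0, 0, 0 };

/* wide_read != 0 reads the u8 field with the u32 decoder, as in the bug. */
struct tree decode_tree(int wide_read)
{
    struct cursor c = { sample, sample + sizeof(sample) };
    struct tree t = { -1, 0, { 0, 0 } };
    uint32_t wide = 0, i;

    if (wide_read ? decode_u32(&c, &wide) : decode_u8(&c, &t.num_nodes))
        return t;
    if (wide_read)
        t.num_nodes = (uint8_t)wide;   /* truncation alone still yields 2 */
    if (t.num_nodes > 2)               /* cap the count to the array size */
        return t;
    for (i = 0; i < t.num_nodes; i++)
        if (decode_u32(&c, &t.weight[i]))
            return t;                  /* misaligned cursor runs out of data */
    t.status = (c.p == c.end) ? 0 : -1;
    return t;
}

int main(void)
{
    struct tree ok = decode_tree(0), bad = decode_tree(1);
    printf("u8 read:  status=%d w0=0x%x\n", ok.status, (unsigned)ok.weight[0]);
    printf("u32 read: status=%d w0=0x%x\n", bad.status, (unsigned)bad.weight[0]);
    return 0;
}
```

With the wide read the count still comes out as 2, but every later field is read three bytes too far along, so the first weight is wrong and the second read hits the end of the buffer.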
    • Btrfs: fix race between caching kthread and returning inode to inode cache · 3e05b16a
      Filipe Manana authored
      commit ae9d8f17 upstream.
      
      While the inode cache caching kthread is calling btrfs_unpin_free_ino(),
      we could have a concurrent call to btrfs_return_ino() that adds a new
      entry to the root's free space cache of pinned inodes. This concurrent
      call does not acquire the fs_info->commit_root_sem before adding a new
      entry if the caching state is BTRFS_CACHE_FINISHED, which is a problem
      because the caching kthread calls btrfs_unpin_free_ino() after setting
      the caching state to BTRFS_CACHE_FINISHED and therefore races with
      the task calling btrfs_return_ino(), which is adding a new entry, while
      the former (caching kthread) is navigating the cache's rbtree, removing
      and freeing nodes from the cache's rbtree without acquiring the spinlock
      that protects the rbtree.
      
      This race resulted in memory corruption due to double free of struct
      btrfs_free_space objects because both tasks can end up freeing the
      same objects. Note that adding a new entry can result in merging it with
      other entries in the cache, in which case those entries are freed.
      This is particularly important as btrfs_free_space structures are also
      used for the block group free space caches.
      
      This memory corruption can be detected by a debugging kernel, which
      reports it with the following trace:
      
      [132408.501148] slab error in verify_redzone_free(): cache `btrfs_free_space': double free detected
      [132408.505075] CPU: 15 PID: 12248 Comm: btrfs-ino-cache Tainted: G        W       4.1.0-rc5-btrfs-next-10+ #1
      [132408.505075] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.1-0-g4adadbd-20150316_085822-nilsson.home.kraxel.org 04/01/2014
      [132408.505075]  ffff880023e7d320 ffff880163d73cd8 ffffffff8145eec7 ffffffff81095dce
      [132408.505075]  ffff880009735d40 ffff880163d73ce8 ffffffff81154e1e ffff880163d73d68
      [132408.505075]  ffffffff81155733 ffffffffa054a95a ffff8801b6099f00 ffffffffa0505b5f
      [132408.505075] Call Trace:
      [132408.505075]  [<ffffffff8145eec7>] dump_stack+0x4f/0x7b
      [132408.505075]  [<ffffffff81095dce>] ? console_unlock+0x356/0x3a2
      [132408.505075]  [<ffffffff81154e1e>] __slab_error.isra.28+0x25/0x36
      [132408.505075]  [<ffffffff81155733>] __cache_free+0xe2/0x4b6
      [132408.505075]  [<ffffffffa054a95a>] ? __btrfs_add_free_space+0x2f0/0x343 [btrfs]
      [132408.505075]  [<ffffffffa0505b5f>] ? btrfs_unpin_free_ino+0x8e/0x99 [btrfs]
      [132408.505075]  [<ffffffff810f3b30>] ? time_hardirqs_off+0x15/0x28
      [132408.505075]  [<ffffffff81084d42>] ? trace_hardirqs_off+0xd/0xf
      [132408.505075]  [<ffffffff811563a1>] ? kfree+0xb6/0x14e
      [132408.505075]  [<ffffffff811563d0>] kfree+0xe5/0x14e
      [132408.505075]  [<ffffffffa0505b5f>] btrfs_unpin_free_ino+0x8e/0x99 [btrfs]
      [132408.505075]  [<ffffffffa0505e08>] caching_kthread+0x29e/0x2d9 [btrfs]
      [132408.505075]  [<ffffffffa0505b6a>] ? btrfs_unpin_free_ino+0x99/0x99 [btrfs]
      [132408.505075]  [<ffffffff8106698f>] kthread+0xef/0xf7
      [132408.505075]  [<ffffffff810f3b08>] ? time_hardirqs_on+0x15/0x28
      [132408.505075]  [<ffffffff810668a0>] ? __kthread_parkme+0xad/0xad
      [132408.505075]  [<ffffffff814653d2>] ret_from_fork+0x42/0x70
      [132408.505075]  [<ffffffff810668a0>] ? __kthread_parkme+0xad/0xad
      [132408.505075] ffff880023e7d320: redzone 1:0x9f911029d74e35b, redzone 2:0x9f911029d74e35b.
      [132409.501654] slab: double free detected in cache 'btrfs_free_space', objp ffff880023e7d320
      [132409.503355] ------------[ cut here ]------------
      [132409.504241] kernel BUG at mm/slab.c:2571!
      
      Therefore fix this by having btrfs_unpin_free_ino() acquire the lock
      that protects the rbtree while doing the searches and removing entries.
      
      Fixes: 1c70d8fb ("Btrfs: fix inode caching vs tree log")
      Signed-off-by: Filipe Manana <fdmanana@suse.com>
      Signed-off-by: Chris Mason <clm@fb.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • Btrfs: use kmem_cache_free when freeing entry in inode cache · c6bbfa52
      Filipe Manana authored
      commit c3f4a168 upstream.
      
      The free space entries are allocated using kmem_cache_zalloc(),
      through __btrfs_add_free_space(), therefore we should use
      kmem_cache_free() and not kfree() to avoid any confusion and
      any potential problem. Looking at the kfree() definition at
      mm/slab.c it has the following comment:
      
        /*
         * (...)
         *
         * Don't free memory not originally allocated by kmalloc()
         * or you will run into trouble.
         */
      
      So better be safe and use kmem_cache_free().
      Signed-off-by: Filipe Manana <fdmanana@suse.com>
      Reviewed-by: David Sterba <dsterba@suse.cz>
      Signed-off-by: Chris Mason <clm@fb.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • agp/intel: Fix typo in needs_ilk_vtd_wa() · 66af8054
      Chris Wilson authored
      commit 8b572a42 upstream.
      
      In needs_ilk_vtd_wa(), we pass in the GPU device but compared it against
      the ids for the mobile GPU and the mobile host bridge. The latter is
      impossible and so likely was just a typo for the desktop GPU device id
      (which is also buggy).
      
      Fixes commit da88a5f7
      Author: Chris Wilson <chris@chris-wilson.co.uk>
      Date:   Wed Feb 13 09:31:53 2013 +0000
      
          drm/i915: Disable WC PTE updates to w/a buggy IOMMU on ILK
      Reported-by: Ting-Wei Lan <lantw44@gmail.com>
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=91127
      References: https://bugzilla.freedesktop.org/show_bug.cgi?id=60391
      Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
      Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
      Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: Jani Nikula <jani.nikula@intel.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • __bitmap_parselist: fix bug in empty string handling · 09162950
      Chris Metcalf authored
      commit 2528a8b8 upstream.
      
      bitmap_parselist("", &mask, nmaskbits) will erroneously set bit zero in
      the mask.  The same bug is visible in cpumask_parselist() since it is
      layered on top of the bitmask code, e.g.  if you boot with "isolcpus=",
      you will actually end up with cpu zero isolated.
      
      The bug was introduced in commit 4b060420 ("bitmap, irq: add
      smp_affinity_list interface to /proc/irq") when bitmap_parselist() was
      generalized to support userspace as well as kernelspace.
      
      Fixes: 4b060420 ("bitmap, irq: add smp_affinity_list interface to /proc/irq")
      Signed-off-by: Chris Metcalf <cmetcalf@ezchip.com>
      Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
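The empty-string case described in the __bitmap_parselist commit above, shown as an added example that is not the kernel's code: a simplified range-list parser whose flawed mode applies a digit-less group as the range 0-0. The names `parse_list`, `require_digit` and `PARSE_ERR` are hypothetical, and skipping empty groups in the corrected mode is this model's choice.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

#define PARSE_ERR UINT64_MAX   /* bit 63 is rejected, so no valid mask equals this */

/*
 * Model of a "0-3,5" range-list parser over a 63-bit mask; not the kernel's
 * __bitmap_parselist(). require_digit == 0 reproduces the flaw described
 * above: a group with no digits is applied as the range 0-0.
 */
uint64_t parse_list(const char *s, int require_digit)
{
    uint64_t mask = 0;
    do {
        unsigned a = 0, b = 0;
        int in_range = 0, saw_digit = 0;
        for (; *s && *s != ','; s++) {
            if (*s == '-') {
                if (in_range || !saw_digit)
                    return PARSE_ERR;          /* "-3" or "1-2-3" */
                in_range = 1;
                saw_digit = 0;
                b = 0;
                continue;
            }
            if (!isdigit((unsigned char)*s))
                return PARSE_ERR;
            b = b * 10 + (unsigned)(*s - '0');
            if (b > 62)
                return PARSE_ERR;              /* outside the mask */
            if (!in_range)
                a = b;
            saw_digit = 1;
        }
        if (in_range && !saw_digit)
            return PARSE_ERR;                  /* "3-" */
        if (!saw_digit && require_digit)
            continue;                          /* empty group sets no bit */
        if (a > b)
            return PARSE_ERR;
        for (; a <= b; a++)
            mask |= (uint64_t)1 << a;
    } while (*s++ == ',');
    return mask;
}

int main(void)
{
    printf("flawed \"\": 0x%llx, fixed \"\": 0x%llx\n",
           (unsigned long long)parse_list("", 0),
           (unsigned long long)parse_list("", 1));
    return 0;
}
```

In the flawed mode a trailing comma has the same effect as the empty string: `"4,"` selects bit 0 as well as bit 4.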
    • tracing/filter: Do not allow infix to exceed end of string · 7cc2315e
      Steven Rostedt (Red Hat) authored
      commit 6b88f44e upstream.
      
      While debugging a WARN_ON() for filtering, I found that it is possible
      for the filter string to be referenced after its end. With the filter:
      
       # echo '>' > /sys/kernel/debug/events/ext4/ext4_truncate_exit/filter
      
      The filter_parse() function can call infix_get_op() which calls
      infix_advance() that updates the infix filter pointers for the cnt
      and tail without checking if the filter is already at the end, which
      will put the cnt to zero and the tail beyond the end. The loop then calls
      infix_next() that has
      
      	ps->infix.cnt--;
      	return ps->infix.string[ps->infix.tail++];
      
      The cnt will now be below zero, and the tail that is returned is
      already past the end of the filter string. So far the allocation
      of the filter string usually has some buffer that is zeroed out, but
      if the filter string is of the exact size of the allocated buffer
      there's no guarantee that the character after the nul terminating
      character will be zero.
      
      Luckily, only root can write to the filter.
      Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • tracing/filter: Do not WARN on operand count going below zero · b43dd359
      Steven Rostedt (Red Hat) authored
      commit b4875bbe upstream.
      
      When testing the fix for the trace filter, I could not come up with
      a scenario where the operand count goes below zero, so I added a
      WARN_ON_ONCE(cnt < 0) to the logic. But there is a legitimate case
      that it can happen (although the filter would be wrong).
      
       # echo '>' > /sys/kernel/debug/events/ext4/ext4_truncate_exit/filter
      
      That is, a single operation without any operands will hit the path
      where the WARN_ON_ONCE() can trigger. Although this is harmless,
      and the filter is reported as an error. But instead of spitting out
      a warning to the kernel dmesg, just fail nicely and report it via
      the proper channels.
      
      Link: http://lkml.kernel.org/r/558C6082.90608@oracle.com
      Reported-by: Vince Weaver <vincent.weaver@maine.edu>
      Reported-by: Sasha Levin <sasha.levin@oracle.com>
      Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • dell-laptop: Fix allocating & freeing SMI buffer page · 0f133f3c
      Pali Rohár authored
      commit b8830a4e upstream.
      
      This commit fixes a kernel crash when probing for rfkill devices in dell-laptop
      driver failed. Function free_page() was incorrectly used on struct page *
      instead of virtual address of SMI buffer.
      
      This commit also simplifies allocating page for SMI buffer by using
      __get_free_page() function instead of sequential call of functions
      alloc_page() and page_address().
      Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
      Acked-by: Michal Hocko <mhocko@suse.cz>
      Signed-off-by: Darren Hart <dvhart@linux.intel.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • mm: kmemleak: allow safe memory scanning during kmemleak disabling · 3bc68ffc
      Catalin Marinas authored
      commit c5f3b1a5 upstream.
      
      The kmemleak scanning thread can run for minutes.  Callbacks like
      kmemleak_free() are allowed during this time, the race being taken care
      of by the object->lock spinlock.  Such lock also prevents a memory block
      from being freed or unmapped while it is being scanned by blocking the
      kmemleak_free() -> ...  -> __delete_object() function until the lock is
      released in scan_object().
      
      When a kmemleak error occurs (e.g.  it fails to allocate its metadata),
      kmemleak_enabled is set and __delete_object() is no longer called on
      freed objects.  If kmemleak_scan is running at the same time,
      kmemleak_free() no longer waits for the object scanning to complete,
      allowing the corresponding memory block to be freed or unmapped (in the
      case of vfree()).  This leads to kmemleak_scan potentially triggering a
      page fault.
      
      This patch separates the kmemleak_free() enabling/disabling from the
      overall kmemleak_enabled knob so that we can defer the disabling of the
      object freeing tracking until the scanning thread completed.  The
      kmemleak_free_part() is deliberately ignored by this patch since this is
      only called during boot before the scanning thread started.
      Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
      Reported-by: Vignesh Radhakrishnan <vigneshr@codeaurora.org>
      Tested-by: Vignesh Radhakrishnan <vigneshr@codeaurora.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      [bwh: Backported to 3.2:
       - Adjust context
       - Drop changes to kmemleak_free_percpu()]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • stmmac: troubleshoot unexpected bits in des0 & des1 · 6ee65539
      Alexey Brodkin authored
      commit f1590670 upstream.
      
      Current implementation of descriptor init procedure only takes
      care about setting/clearing ownership flag in "des0"/"des1"
      fields while it is perfectly possible to get unexpected bits
      set because of the following factors:
      
       [1] On driver probe underlying memory allocated with
           dma_alloc_coherent() might not be zeroed and so
           it will be filled with garbage.
      
       [2] During driver operation some bits could be set by SD/MMC
           controller (for example error flags etc).
      
      And unexpected and/or randomly set flags in "des0"/"des1"
      fields may lead to unpredictable behavior of GMAC DMA block.
      
      This change addresses both items above with:
      
       [1] Use of dma_zalloc_coherent() instead of simple
           dma_alloc_coherent() to make sure allocated memory is
           zeroed. That shouldn't affect performance because
           this allocation only happens once on driver probe.
      
       [2] Do explicit zeroing of both "des0" and "des1" fields
           of all buffer descriptors during initialization of
           DMA transfer.
      
      And while at it fixed indentation of dma_free_coherent()
      counterpart as well.
      Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
      Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
      Cc: arc-linux-dev@synopsys.com
      Cc: linux-kernel@vger.kernel.org
      Cc: David Miller <davem@davemloft.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.2:
       - Adjust context, indentation
       - Normal and extended descriptors are allocated in the same place here]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
      Acked-by: Alexey Brodkin <Alexey.Brodkin@synopsys.com>
    • fs: Fix S_NOSEC handling · 40ce76dd
      Jan Kara authored
      commit 2426f391 upstream.
      
      file_remove_suid() could mistakenly set S_NOSEC inode bit when root was
      modifying the file. As a result, following writes to the file by an ordinary
      user would avoid clearing suid or sgid bits.
      
      Fix the bug by checking actual mode bits before setting S_NOSEC.
      Signed-off-by: Jan Kara <jack@suse.cz>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      [bwh: Backported to 3.2: adjust filename]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>