Skip to content


Subversion checkout URL

You can clone with
Download ZIP
Commits on Sep 7, 2009
  1. IMA: update ima_counts_put

    Mimi Zohar authored James Morris committed
    - As ima_counts_put() may be called after the inode has been freed,
    verify that the inode is not NULL, before dereferencing it.
    - Maintain the IMA file counters in may_open() properly, decrementing
    any counter increments on subsequent errors.
    Reported-by: Ciprian Docan <>
    Reported-by: J.R. Okajima <>
    Signed-off-by: Mimi Zohar <>
    Acked-by: Eric Paris <
    Signed-off-by: James Morris <>
Commits on Sep 5, 2009
  1. @torvalds

    Merge git://

    torvalds authored
    * git://
      JFFS2: add missing verify buffer allocation/deallocation
      mtd: nftl: fix offset alignments
      mtd: nftl: write support is broken
      mtd: m25p80: fix null pointer dereference bug
  2. @torvalds

    Merge branch 'for-linus' of git://

    torvalds authored
    * 'for-linus' of git://
      xfs: actually enable the swapext compat handler
  3. @torvalds

    Merge branch 'for-linus' of git://…

    torvalds authored
    * 'for-linus' of git://
      nilfs2: fix preempt count underflow in nilfs_btnode_prepare_change_key
  4. @torvalds

    ext2: fix unbalanced kmap()/kunmap()

    Nicolas Pitre authored torvalds committed
    In ext2_rename(), dir_page is acquired through ext2_dotdot().  It is
    then released through ext2_set_link() but only if old_dir != new_dir.
    Failing that, the pkmap reference count is never decremented and the
    page remains pinned forever.  Repeat that a couple times with highmem
    pages and all pkmap slots get exhausted, and every further kmap() calls
    end up stalling on the pkmap_map_wait queue at which point the whole
    system comes to a halt.
    Signed-off-by: Nicolas Pitre <>
    Acked-by: Theodore Ts'o <>
    Signed-off-by: Linus Torvalds <>
  5. @torvalds

    Merge branch 'upstream-linus' of git://…

    torvalds authored
    * 'upstream-linus' of git://
      ocfs2: ocfs2_write_begin_nolock() should handle len=0
      ocfs2: invalidate dentry if its dentry_lock isn't initialized.
  6. @utrace @torvalds

    exec: do not sleep in TASK_TRACED under ->cred_guard_mutex

    utrace authored torvalds committed
    Tom Horsley reports that his debugger hangs when it tries to read
    /proc/pid_of_tracee/maps, this happens since
    	"mm_for_maps: take ->cred_guard_mutex to fix the race with exec"
    commit in 2.6.31.
    But the root of the problem lies in the fact that do_execve() path calls
    tracehook_report_exec() which can stop if the tracer sets PT_TRACE_EXEC.
    The tracee must not sleep in TASK_TRACED holding this mutex.  Even if we
    remove ->cred_guard_mutex from mm_for_maps() and proc_pid_attr_write(),
    another task doing PTRACE_ATTACH should not hang until it is killed or the
    tracee resumes.
    With this patch do_execve() does not use ->cred_guard_mutex directly and
    we do not hold it throughout, instead:
    	- introduce prepare_bprm_creds() helper, it locks the mutex
    	  and calls prepare_exec_creds() to initialize bprm->cred.
    	- install_exec_creds() drops the mutex after commit_creds(),
    	  and thus before tracehook_report_exec()->ptrace_stop().
    	  or, if exec fails,
    	  free_bprm() drops this mutex when bprm->cred != NULL which
    	  indicates install_exec_creds() was not called.
    Reported-by: Tom Horsley <>
    Signed-off-by: Oleg Nesterov <>
    Acked-by: David Howells <>
    Cc: Roland McGrath <>
    Cc: James Morris <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
Commits on Sep 4, 2009
  1. ocfs2: ocfs2_write_begin_nolock() should handle len=0

    Sunil Mushran authored Joel Becker committed
    Bug introduced by mainline commit e743267
    The bug causes ocfs2_write_begin_nolock() to oops when len=0.
    Signed-off-by: Sunil Mushran <>
    Signed-off-by: Joel Becker <>
Commits on Sep 3, 2009
  1. @dwmw2

    JFFS2: add missing verify buffer allocation/deallocation

    Massimo Cirillo authored dwmw2 committed
    The function jffs2_nor_wbuf_flash_setup() doesn't allocate the verify buffer
    if CONFIG_JFFS2_FS_WBUF_VERIFY is defined, so causing a kernel panic when
    that macro is enabled and the verify function is called. Similarly the
    jffs2_nor_wbuf_flash_cleanup() must free the buffer if
    The following patch fixes the problem.
    The following patch applies to 2.6.30 kernel.
    Signed-off-by: Massimo Cirillo <>
    Signed-off-by: Artem Bityutskiy <>
    Signed-off-by: David Woodhouse <>
Commits on Sep 1, 2009
  1. xfs: actually enable the swapext compat handler

    Christoph Hellwig authored Felix Blyakher committed
    Fix a small typo in the compat ioctl handler that cause the swapext
    compat handler to never be called.
    Signed-off-by: Christoph Hellwig <>
    Reviewed-by: Torsten Kaiser <>
    Tested-by: Torsten Kaiser <>
    Reviewed-by: Eric Sandeen <>
    Reviewed-by: Felix Blyakher <>
    Signed-off-by: Felix Blyakher <>
  2. @raven-au @torvalds

    autofs4 - fix missed case when changing to use struct path

    raven-au authored torvalds committed
    In the recent change by Al Viro that changes verious subsystems
    to use "struct path" one case was missed in the autofs4 module
    which causes mounts to no longer expire.
    Signed-off-by: Ian Kent <>
    Signed-off-by: Linus Torvalds <>
Commits on Aug 31, 2009
  1. @konis

    nilfs2: fix preempt count underflow in nilfs_btnode_prepare_change_key

    konis authored
    This will fix the following preempt count underflow reported from
    users with the title "[NILFS users] segctord problem" (Message-ID:
    <> and Message-ID:
     WARNING: at kernel/sched.c:4890 sub_preempt_count+0x95/0xa0()
     Hardware name: HP Compaq 6530b (KR980UT#ABC)
     Modules linked in: bridge stp llc bnep rfcomm l2cap xfs exportfs nilfs2 cowloop loop vboxnetadp vboxnetflt vboxdrv btusb bluetooth uvcvideo videodev v4l1_compat v4l2_compat_ioctl32 arc4 snd_hda_codec_analog ecb iwlagn iwlcore rfkill lib80211 mac80211 snd_hda_intel snd_hda_codec ehci_hcd uhci_hcd usbcore snd_hwdep snd_pcm tg3 cfg80211 psmouse snd_timer joydev libphy ohci1394 snd_page_alloc hp_accel lis3lv02d ieee1394 led_class i915 drm i2c_algo_bit video backlight output i2c_core dm_crypt dm_mod
     Pid: 4197, comm: segctord Not tainted 2.6.30-gentoo-r4-64 #7
     Call Trace:
      [<ffffffff8023fa05>] ? sub_preempt_count+0x95/0xa0
      [<ffffffff802470f8>] warn_slowpath_common+0x78/0xd0
      [<ffffffff8024715f>] warn_slowpath_null+0xf/0x20
      [<ffffffff8023fa05>] sub_preempt_count+0x95/0xa0
      [<ffffffffa04ce4db>] nilfs_btnode_prepare_change_key+0x11b/0x190 [nilfs2]
      [<ffffffffa04d01ad>] nilfs_btree_assign_p+0x19d/0x1e0 [nilfs2]
      [<ffffffffa04d10ad>] nilfs_btree_assign+0xbd/0x130 [nilfs2]
      [<ffffffffa04cead7>] nilfs_bmap_assign+0x47/0x70 [nilfs2]
      [<ffffffffa04d9bc6>] nilfs_segctor_do_construct+0x956/0x20f0 [nilfs2]
      [<ffffffff805ac8e2>] ? _spin_unlock_irqrestore+0x12/0x40
      [<ffffffff803c06e0>] ? __up_write+0xe0/0x150
      [<ffffffff80262959>] ? up_write+0x9/0x10
      [<ffffffffa04ce9f3>] ? nilfs_bmap_test_and_clear_dirty+0x43/0x60 [nilfs2]
      [<ffffffffa04cd627>] ? nilfs_mdt_fetch_dirty+0x27/0x60 [nilfs2]
      [<ffffffffa04db5fc>] nilfs_segctor_construct+0x8c/0xd0 [nilfs2]
      [<ffffffffa04dc3dc>] nilfs_segctor_thread+0x15c/0x3a0 [nilfs2]
      [<ffffffffa04dbe20>] ? nilfs_construction_timeout+0x0/0x10 [nilfs2]
      [<ffffffff80252633>] ? add_timer+0x13/0x20
      [<ffffffff802370da>] ? __wake_up_common+0x5a/0x90
      [<ffffffff8025e960>] ? autoremove_wake_function+0x0/0x40
      [<ffffffffa04dc280>] ? nilfs_segctor_thread+0x0/0x3a0 [nilfs2]
      [<ffffffffa04dc280>] ? nilfs_segctor_thread+0x0/0x3a0 [nilfs2]
      [<ffffffff8025e556>] kthread+0x56/0x90
      [<ffffffff8020cdea>] child_rip+0xa/0x20
      [<ffffffff8025e500>] ? kthread+0x0/0x90
      [<ffffffff8020cde0>] ? child_rip+0x0/0x20
    This problem was caused due to a missing radix_tree_preload() call in
    the retry path of nilfs_btnode_prepare_change_key() function.
    Reported-by: Eric A <>
    Reported-by: Jerome Poulin <>
    Signed-off-by: Ryusuke Konishi <>
    Tested-by: Jerome Poulin <>
Commits on Aug 28, 2009
  1. @eparis

    inotify: update the group mask on mark addition

    eparis authored
    Seperating the addition and update of marks in inotify resulted in a
    regression in that inotify never gets events.  The inotify group mask is
    always 0.  This mask should be updated any time a new mark is added.
    Signed-off-by: Eric Paris <>
  2. @eparis

    inotify: fix length reporting and size checking

    eparis authored
    0db501b introduced a regresion in that it now sends a nul
    terminator but the length accounting when checking for space or
    reporting to userspace did not take this into account.  This corrects
    all of the rounding logic.
    Signed-off-by: Eric Paris <>
  3. @eparis

    inotify: do not send a block of zeros when no pathname is available

    Brian Rogers authored eparis committed
    When an event has no pathname, there's no need to pad it with a null byte and
    therefore generate an inotify_event sized block of zeros. This fixes a
    regression introduced by commit 0db501b where
    my system wouldn't finish booting because some process was being confused by
    Signed-off-by: Brian Rogers <>
    Signed-off-by: Eric Paris <>
  4. ocfs2: invalidate dentry if its dentry_lock isn't initialized.

    Tao Ma authored Joel Becker committed
    In commit a5a0a63, when
    ocfs2_attch_dentry_lock fails, we call an extra iput and reset
    dentry->d_fsdata to NULL. This resolve a bug, but it isn't
    completed and the dentry is still there. When we want to use
    it again, ocfs2_dentry_revalidate doesn't catch it and return
    true. That make future ocfs2_dentry_lock panic out.
    One bug is
    The resolution is to add a check for dentry->d_fsdata in
    revalidate process and return false if dentry->d_fsdata is NULL,
    so that a new ocfs2_lookup will be called again.
    Signed-off-by: Tao Ma <>
    Signed-off-by: Joel Becker <>
Commits on Aug 27, 2009
  1. @torvalds

    Merge branch 'for-linus' of git://

    torvalds authored
    * 'for-linus' of git://
      inotify: Ensure we alwasy write the terminating NULL.
      inotify: fix locking around inotify watching in the idr
      inotify: do not BUG on idr entries at inotify destruction
      inotify: seperate new watch creation updating existing watches
  2. @torvalds

    Merge branch 'for-linus' of git://…

    torvalds authored
    * 'for-linus' of git://
      9p: update documentation pointers
      9p: remove unnecessary v9fses->options which duplicates the mount string
      net/9p: insulate the client against an invalid error code sent by a 9p server
      9p: Add missing cast for the error return value in v9fs_get_inode
      9p: Remove redundant inode uid/gid assignment
      9p: Fix possible regressions when ->get_sb fails.
      9p: Fix v9fs show_options
      9p: Fix possible memleak in v9fs_inode_from fid.
      9p: minor comment fixes
      9p: Fix possible inode leak in v9fs_get_inode.
      9p: Check for error in return value of v9fs_fid_add
  3. @torvalds

    AFS: Stop readlink() on AFS crashing due to NULL 'file' ptr

    David Howells authored torvalds committed
    kAFS crashes when asked to read a symbolic link because page_getlink()
    passes a NULL file pointer to read_mapping_page(), but afs_readpage()
    expects a file pointer from which to extract a key.
    Modify afs_readpage() to request the appropriate key from the calling
    process's keyrings if a file struct is not supplied with one attached.
    Signed-off-by: David Howells <>
    Acked-by: Anton Blanchard <>
    Signed-off-by: Linus Torvalds <>
  4. @ebiederm @eparis

    inotify: Ensure we alwasy write the terminating NULL.

    ebiederm authored eparis committed
    Before the rewrite copy_event_to_user always wrote a terqminating '\0'
    byte to user space after the filename.  Since the rewrite that
    terminating byte was skipped if your filename is exactly a multiple of
    event_size.  Ouch!
    So add one byte to name_size before we round up and use clear_user to
    set userspace to zero like /dev/zero does instead of copying the
    strange nul_inotify_event.  I can't quite convince myself len_to_zero
    will never exceed 16 and even if it doesn't clear_user should be more
    efficient and a more accurate reflection of what the code is trying to
    Signed-off-by: Eric W. Biederman <>
    Signed-off-by: Eric Paris <>
  5. @eparis

    inotify: fix locking around inotify watching in the idr

    eparis authored
    The are races around the idr storage of inotify watches.  It's possible
    that a watch could be found from sys_inotify_rm_watch() in the idr, but it
    could be removed from the idr before that code does it's removal.  Move the
    locking and the refcnt'ing so that these have to happen atomically.
    Signed-off-by: Eric Paris <>
  6. @eparis

    inotify: do not BUG on idr entries at inotify destruction

    eparis authored
    If an inotify watch is left in the idr when an fsnotify group is destroyed
    this will lead to a BUG.  This is not a dangerous situation and really
    indicates a programming bug and leak of memory.  This patch changes it to
    use a WARN and a printk rather than killing people's boxes.
    Signed-off-by: Eric Paris <>
  7. @eparis

    inotify: seperate new watch creation updating existing watches

    eparis authored
    There is nothing known wrong with the inotify watch addition/modification
    but this patch seperates the two code paths to make them each easy to
    verify as correct.
    Signed-off-by: Eric Paris <>
Commits on Aug 25, 2009
  1. @torvalds

    Merge branch 'for_linus' of git://…

    torvalds authored
    * 'for_linus' of git://
      ext3: Improve error message that changing journaling mode on remount is not possible
      ext3: Update Kconfig description of EXT3_DEFAULTS_TO_ORDERED
Commits on Aug 24, 2009
  1. @torvalds

    NFSv4: Fix an infinite looping problem with the nfs4_state_manager

    Trond Myklebust authored torvalds committed
    Commit 76db6d9 (nfs41: add session setup
    to the state manager) introduces an infinite loop possibility in the NFSv4
    state manager. By first checking nfs4_has_session() before clearing the
    NFS4CLNT_SESSION_SETUP flag, it allows for a situation where someone sets
    that flag, but it never gets cleared, and so the state manager loops.
    In fact commit c3fad1b (nfs41: add session
    reset to state manager) causes this to happen every time we get a network
    partition error.
    Signed-off-by: Trond Myklebust <>
    Tested-by: Daniel J Blueman <>
    Signed-off-by: Linus Torvalds <>
  2. @torvalds

    Merge branch 'upstream-linus' of git://…

    torvalds authored
    * 'upstream-linus' of git://
      ocfs2/dlm: Wait on lockres instead of erroring cancel requests
      ocfs2: Add missing lock name
      ocfs2: Don't oops in ocfs2_kill_sb on a failed mount
      ocfs2: release the buffer head in ocfs2_do_truncate.
      ocfs2: Handle quota file corruption more gracefully
  3. @torvalds

    mm: fix hugetlb bug due to user_shm_unlock call

    Hugh Dickins authored torvalds committed
    2.6.30's commit 8a0bdec removed
    user_shm_lock() calls in hugetlb_file_setup() but left the
    user_shm_unlock call in shm_destroy().
    In detail:
    Assume that can_do_hugetlb_shm() returns true and hence user_shm_lock()
    is not called in hugetlb_file_setup(). However, user_shm_unlock() is
    called in any case in shm_destroy() and in the following
    atomic_dec_and_lock(&up->__count) in free_uid() is executed and if
    up->__count gets zero, also cleanup_user_struct() is scheduled.
    Note that sched_destroy_user() is empty if CONFIG_USER_SCHED is not set.
    However, the ref counter up->__count gets unexpectedly non-positive and
    the corresponding structs are freed even though there are live
    references to them, resulting in a kernel oops after a lots of
    shmget(SHM_HUGETLB)/shmctl(IPC_RMID) cycles and CONFIG_USER_SCHED set.
    Hugh changed Stefan's suggested patch: can_do_hugetlb_shm() at the
    time of shm_destroy() may give a different answer from at the time
    of hugetlb_file_setup().  And fixed newseg()'s no_id error path,
    which has missed user_shm_unlock() ever since it came in 2.6.9.
    Reported-by: Stefan Huber <>
    Signed-off-by: Hugh Dickins <>
    Tested-by: Stefan Huber <>
    Signed-off-by: Linus Torvalds <>
  4. @jankara

    ext3: Improve error message that changing journaling mode on remount …

    jankara authored
    …is not possible
    This patch makes the error message about changing journaling mode on remount
    more descriptive. Some people are going to hit this error now due to commit
    bbae8bc if they configure a kernel to default
    to data=writeback mode. The problem happens if they have data=ordered set for
    the root filesystem in /etc/fstab but not in the kernel command line (and they
    don't use initrd). Their filesystem then gets mounted as data=writeback by
    kernel but then their boot fails because init scripts won't be able to remount
    the filesystem rw. Better error message will hopefully make it easier for them
    to find the error in their setup and bother us less with error reports :).
    Signed-off-by: Jan Kara <>
  5. @tytso @jankara

    ext3: Update Kconfig description of EXT3_DEFAULTS_TO_ORDERED

    tytso authored jankara committed
    The old description for this configuration option was perhaps not
    completely balanced in terms of describing the tradeoffs of using a
    default of data=writeback vs. data=ordered.  Despite the fact that old
    description very strongly recomended disabling this feature, all of
    the major distributions have elected to preserve the existing 'legacy'
    default, which is a strong hint that it perhaps wasn't telling the
    whole story.
    This revised description has been vetted by a number of ext3
    developers as being better at informing the user about the tradeoffs
    of enabling or disabling this configuration feature.
    Signed-off-by: "Theodore Ts'o" <>
    Signed-off-by: Jan Kara <>
  6. kernel_read: redefine offset type

    Mimi Zohar authored James Morris committed
    vfs_read() offset is defined as loff_t, but kernel_read()
    offset is only defined as unsigned long. Redefine
    kernel_read() offset as loff_t.
    Signed-off-by: Mimi Zohar <>
    Signed-off-by: James Morris <>
Commits on Aug 22, 2009
  1. @torvalds

    Re-introduce page mapping check in mark_buffer_dirty()

    torvalds authored
    In commit a8e7d49 ("Fix race in
    create_empty_buffers() vs __set_page_dirty_buffers()"), I removed a test
    for a NULL page mapping unintentionally when some of the code inside
    __set_page_dirty() was moved to the callers.
    That removal generally didn't matter, since a filesystem would serialize
    truncation (which clears the page mapping) against writing (which marks
    the buffer dirty), so locking at a higher level (either per-page or an
    inode at a time) should mean that the buffer page would be stable.  And
    indeed, nothing bad seemed to happen.
    Except it turns out that apparently reiserfs does something odd when
    under load and writing out the journal, and we have a number of bugzilla
    entries that look similar:

    and it looks like reiserfs depended on that check (the common theme
    seems to be "data=journal", and a journal writeback during a truncate).
    I suspect reiserfs should have some additional locking, but in the
    meantime this should get us back to the pre-2.6.29 behavior.
    Pattern-pointed-out-by: Roland Kletzing <>
    Cc: (2.6.29 and 2.6.30)
    Cc: Jeff Mahoney <>
    Cc: Nick Piggin <>
    Cc: Al Viro <>
    Signed-off-by: Linus Torvalds <>
Commits on Aug 21, 2009
  1. @torvalds

    Merge branch 'btrfs' of git://

    torvalds authored
    * 'btrfs' of git://
      btrfs: fix inode rbtree corruption
  2. btrfs: fix inode rbtree corruption

    From: Nick Piggin authored Jens Axboe committed
    Node may not be inserted over existing node. This causes inode tree
    corruption and I was seeing crashes in inode_tree_del which I can not
    reproduce after this patch.
    The other way to fix this would be to tie inode lifetime in the rbtree
    with inode while not in freeing state. I had a look at this but it is
    not so trivial at this point. At least this patch gets things working again.
    Signed-off-by: Nick Piggin <>
    Cc: Chris Mason <>
    Acked-by: Yan Zheng <>
    Signed-off-by: Jens Axboe <>
  3. @goldwynr

    ocfs2/dlm: Wait on lockres instead of erroring cancel requests

    goldwynr authored Joel Becker committed
    In case a downconvert is queued, and a flock receives a signal,
    BUG_ON(lockres->l_action != OCFS2_AST_INVALID) is triggered
    because a lock cancel triggers a dlmunlock while an AST is
    To avoid this, allow a LKM_CANCEL to pass through, and let it
    wait on __dlm_wait_on_lockres().
    Signed-off-by: Goldwyn Rodrigues <>
    Acked-off-by: Mark Fasheh <>
    Signed-off-by: Joel Becker <>
Commits on Aug 20, 2009
  1. @jankara

    ocfs2: Add missing lock name

    jankara authored Joel Becker committed
    There is missing name for NFSSync cluster lock. This makes lockdep unhappy
    because we end up passing NULL to lockdep when initializing lock key. Fix it.
    Signed-off-by: Jan Kara <>
    Signed-off-by: Joel Becker <>
Something went wrong with that request. Please try again.