Commits on Jul 28, 2015
  1. Merge tag 'nfs-for-4.2-2' of git://…

    Pull NFS client bugfixes from Trond Myklebust:
     "Highlights include:
      Stable patches:
       - Fix a situation where the client uses the wrong (zero) stateid.
       - Fix a memory leak in nfs_do_recoalesce
       - Plug a memory leak when ->prepare_layoutcommit fails
       - Fix an Oops in the NFSv4 open code
       - Fix a backchannel deadlock
       - Fix a livelock in sunrpc when sendmsg fails due to low memory
       - Don't revalidate the mapping if both size and change attr are up to
       - Ensure we don't miss a file extension when doing pNFS
       - Several fixes to handle NFSv4.1 sequence operation status bits
       - Several pNFS layout return bugfixes"
    * tag 'nfs-for-4.2-2' of git:// (28 commits)
      nfs: Fix an oops caused by using other thread's stack space in ASYNC mode
      nfs: plug memory leak when ->prepare_layoutcommit fails
      SUNRPC: Report TCP errors to the caller
      sunrpc: translate -EAGAIN to -ENOBUFS when socket is writable.
      NFSv4.2: handle NFS-specific llseek errors
      NFS: Don't clear desc->pg_moreio in nfs_do_recoalesce()
      NFS: Fix a memory leak in nfs_do_recoalesce
      NFS: nfs_mark_for_revalidate should always set NFS_INO_REVAL_PAGECACHE
      NFS: Remove the "NFS_CAP_CHANGE_ATTR" capability
      NFS: Set NFS_INO_REVAL_PAGECACHE if the change attribute is uninitialised
      NFS: Don't revalidate the mapping if both size and change attr are up to date
      NFSv4/pnfs: Ensure we don't miss a file extension
      NFSv4: We must set NFS_OPEN_STATE flag in nfs_resync_open_stateid_locked
      SUNRPC: xprt_complete_bc_request must also decrement the free slot count
      SUNRPC: Fix a backchannel deadlock
      pNFS: Don't throw out valid layout segments
      pNFS: pnfs_roc_drain() fix a race with open
      pNFS: Fix races between return-on-close and layoutreturn.
      pNFS: pnfs_roc_drain should return 'true' when sleeping
      pNFS: Layoutreturn must invalidate all existing layout segments.
  2. @kinglongmee

    nfs: Fix an oops caused by using other thread's stack space in ASYNC …

    kinglongmee authored Trond Myklebust committed
    An oops caused by using other thread's stack space in sunrpc ASYNC sending thread.
    [ 9839.007187] ------------[ cut here ]------------
    [ 9839.007923] kernel BUG at fs/nfs/nfs4xdr.c:910!
    [ 9839.008069] invalid opcode: 0000 [#1] SMP
    [ 9839.008069] Modules linked in: blocklayoutdriver rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache snd_hda_codec_generic snd_hda_intel snd_hda_controller snd_hda_codec snd_hwdep snd_seq snd_seq_device snd_pcm joydev iosf_mbi crct10dif_pclmul snd_timer crc32_pclmul crc32c_intel ghash_clmulni_intel snd soundcore ppdev pvpanic parport_pc i2c_piix4 serio_raw virtio_balloon parport acpi_cpufreq nfsd nfs_acl lockd grace auth_rpcgss sunrpc qxl drm_kms_helper virtio_net virtio_console virtio_blk ttm drm virtio_pci virtio_ring virtio ata_generic pata_acpi
    [ 9839.008069] CPU: 0 PID: 308 Comm: kworker/0:1H Not tainted 4.0.0-0.rc4.git1.3.fc23.x86_64 #1
    [ 9839.008069] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
    [ 9839.008069] Workqueue: rpciod rpc_async_schedule [sunrpc]
    [ 9839.008069] task: ffff8800d8b4d8e0 ti: ffff880036678000 task.ti: ffff880036678000
    [ 9839.008069] RIP: 0010:[<ffffffffa0339cc9>]  [<ffffffffa0339cc9>] reserve_space.part.73+0x9/0x10 [nfsv4]
    [ 9839.008069] RSP: 0018:ffff88003667ba58  EFLAGS: 00010246
    [ 9839.008069] RAX: 0000000000000000 RBX: 000000001fc15e18 RCX: ffff8800c0193800
    [ 9839.008069] RDX: ffff8800e4ae3f24 RSI: 000000001fc15e2c RDI: ffff88003667bcd0
    [ 9839.008069] RBP: ffff88003667ba58 R08: ffff8800d9173008 R09: 0000000000000003
    [ 9839.008069] R10: ffff88003667bcd0 R11: 000000000000000c R12: 0000000000010000
    [ 9839.008069] R13: ffff8800d9173350 R14: 0000000000000000 R15: ffff8800c0067b98
    [ 9839.008069] FS:  0000000000000000(0000) GS:ffff88011fc00000(0000) knlGS:0000000000000000
    [ 9839.008069] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 9839.008069] CR2: 00007f988c9c8bb0 CR3: 00000000d99b6000 CR4: 00000000000407f0
    [ 9839.008069] Stack:
    [ 9839.008069]  ffff88003667bbc8 ffffffffa03412c5 00000000c6c55680 ffff880000000003
    [ 9839.008069]  0000000000000088 00000010c6c55680 0001000000000002 ffffffff816e87e9
    [ 9839.008069]  0000000000000000 00000000477290e2 ffff88003667bab8 ffffffff81327ba3
    [ 9839.008069] Call Trace:
    [ 9839.008069]  [<ffffffffa03412c5>] encode_attrs+0x435/0x530 [nfsv4]
    [ 9839.008069]  [<ffffffff816e87e9>] ? inet_sendmsg+0x69/0xb0
    [ 9839.008069]  [<ffffffff81327ba3>] ? selinux_socket_sendmsg+0x23/0x30
    [ 9839.008069]  [<ffffffff8164c1df>] ? do_sock_sendmsg+0x9f/0xc0
    [ 9839.008069]  [<ffffffff8164c278>] ? kernel_sendmsg+0x58/0x70
    [ 9839.008069]  [<ffffffffa011acc0>] ? xdr_reserve_space+0x20/0x170 [sunrpc]
    [ 9839.008069]  [<ffffffffa011acc0>] ? xdr_reserve_space+0x20/0x170 [sunrpc]
    [ 9839.008069]  [<ffffffffa0341b40>] ? nfs4_xdr_enc_open_noattr+0x130/0x130 [nfsv4]
    [ 9839.008069]  [<ffffffffa03419a5>] encode_open+0x2d5/0x340 [nfsv4]
    [ 9839.008069]  [<ffffffffa0341b40>] ? nfs4_xdr_enc_open_noattr+0x130/0x130 [nfsv4]
    [ 9839.008069]  [<ffffffffa011ab89>] ? xdr_encode_opaque+0x19/0x20 [sunrpc]
    [ 9839.008069]  [<ffffffffa0339cfb>] ? encode_string+0x2b/0x40 [nfsv4]
    [ 9839.008069]  [<ffffffffa0341bf3>] nfs4_xdr_enc_open+0xb3/0x140 [nfsv4]
    [ 9839.008069]  [<ffffffffa0110a4c>] rpcauth_wrap_req+0xac/0xf0 [sunrpc]
    [ 9839.008069]  [<ffffffffa01017db>] call_transmit+0x18b/0x2d0 [sunrpc]
    [ 9839.008069]  [<ffffffffa0101650>] ? call_decode+0x860/0x860 [sunrpc]
    [ 9839.008069]  [<ffffffffa0101650>] ? call_decode+0x860/0x860 [sunrpc]
    [ 9839.008069]  [<ffffffffa010caa0>] __rpc_execute+0x90/0x460 [sunrpc]
    [ 9839.008069]  [<ffffffffa010ce85>] rpc_async_schedule+0x15/0x20 [sunrpc]
    [ 9839.008069]  [<ffffffff810b452b>] process_one_work+0x1bb/0x410
    [ 9839.008069]  [<ffffffff810b47d3>] worker_thread+0x53/0x470
    [ 9839.008069]  [<ffffffff810b4780>] ? process_one_work+0x410/0x410
    [ 9839.008069]  [<ffffffff810b4780>] ? process_one_work+0x410/0x410
    [ 9839.008069]  [<ffffffff810ba7b8>] kthread+0xd8/0xf0
    [ 9839.008069]  [<ffffffff810ba6e0>] ? kthread_worker_fn+0x180/0x180
    [ 9839.008069]  [<ffffffff81786418>] ret_from_fork+0x58/0x90
    [ 9839.008069]  [<ffffffff810ba6e0>] ? kthread_worker_fn+0x180/0x180
    [ 9839.008069] Code: 00 00 48 c7 c7 21 fa 37 a0 e8 94 1c d6 e0 c6 05 d2 17 05 00 01 8b 03 eb d7 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 <0f> 0b 0f 1f 44 00 00 66 66 66 66 90 55 48 89 e5 41 54 53 89 f3
    [ 9839.008069] RIP  [<ffffffffa0339cc9>] reserve_space.part.73+0x9/0x10 [nfsv4]
    [ 9839.008069]  RSP <ffff88003667ba58>
    [ 9839.071114] ---[ end trace cc14c03adb522e94 ]---
    Signed-off-by: Kinglong Mee <>
    Signed-off-by: Trond Myklebust <>
  3. @jtlayton

    nfs: plug memory leak when ->prepare_layoutcommit fails

    jtlayton authored Trond Myklebust committed
    "data" is currently leaked when the prepare_layoutcommit operation
    returns an error. Put the cred before taking the spinlock in that
    case, take the lock and then goto out_unlock which will drop the
    lock and then free "data".
    Signed-off-by: Jeff Layton <>
    Signed-off-by: Trond Myklebust <>
Commits on Jul 27, 2015
  1. NFSv4.2: handle NFS-specific llseek errors

    J. Bruce Fields authored Trond Myklebust committed
    Handle NFS-specific llseek errors instead of letting them leak out to
    Reported-by: Benjamin Coddington <>
    Signed-off-by: J. Bruce Fields <>
    Signed-off-by: Trond Myklebust <>
  2. NFS: Don't clear desc->pg_moreio in nfs_do_recoalesce()

    Trond Myklebust authored
    Recoalescing does not affect whether or not we've already sent off
    I/O, and doing so means that we end up sending a bunch of synchronous
    for cases where we actually need to be using unstable writes.
    Signed-off-by: Trond Myklebust <>
  3. NFS: Fix a memory leak in nfs_do_recoalesce

    Trond Myklebust authored
    If the function exits early, then we must put those requests that were
    not processed back onto the &mirror->pg_list so they can be cleaned up
    by nfs_pgio_error().
    Fixes: a7d42dd ("nfs: add mirroring support to pgio layer")
    Cc: # v4.0+
    Signed-off-by: Trond Myklebust <>
Commits on Jul 25, 2015
  1. f2fs: call set_page_dirty to attach i_wb for cgroup

    Jaegeuk Kim authored
    The cgroup attaches inode->i_wb via mark_inode_dirty and when set_page_writeback
    is called, __inc_wb_stat() updates i_wb's stat.
    So, we need to explicitly call set_page_dirty->__mark_inode_dirty prior to
    writing back any pages.
    This patch should resolve the following kernel panic reported by Andreas Reis.
    --- Comment #2 from Andreas Reis <> ---
    BUG: unable to handle kernel NULL pointer dereference at 00000000000000a8
    IP: [<ffffffff8149deea>] __percpu_counter_add+0x1a/0x90
    PGD 2951ff067 PUD 2df43f067 PMD 0
    Oops: 0000 [#1] PREEMPT SMP
    Modules linked in:
    CPU: 7 PID: 10356 Comm: gcc Tainted: G        W       4.2.0-1-cu #1
    Hardware name: Gigabyte Technology Co., Ltd. G1.Sniper M5/G1.Sniper M5, BIOS
    T01 02/03/2015
    task: ffff880295044f80 ti: ffff880295140000 task.ti: ffff880295140000
    RIP: 0010:[<ffffffff8149deea>]  [<ffffffff8149deea>]
    RSP: 0018:ffff880295143ac8  EFLAGS: 00010082
    RAX: 0000000000000003 RBX: ffffea000a526d40 RCX: 0000000000000001
    RDX: 0000000000000020 RSI: 0000000000000001 RDI: 0000000000000088
    RBP: ffff880295143ae8 R08: 0000000000000000 R09: ffff88008f69bb30
    R10: 00000000fffffffa R11: 0000000000000000 R12: 0000000000000088
    R13: 0000000000000001 R14: ffff88041d099000 R15: ffff880084a205d0
    FS:  00007f8549374700(0000) GS:ffff88042f3c0000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00000000000000a8 CR3: 000000033e1d5000 CR4: 00000000001406e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
     0000000000000000 ffffea000a526d40 ffff880084a20738 ffff880084a20750
     ffff880295143b48 ffffffff811cc91e ffff880000000000 0000000000000296
     0000000000000000 ffff880417090198 0000000000000000 ffffea000a526d40
    Call Trace:
     [<ffffffff811cc91e>] __test_set_page_writeback+0xde/0x1d0
     [<ffffffff813fee87>] do_write_data_page+0xe7/0x3a0
     [<ffffffff813faeea>] gc_data_segment+0x5aa/0x640
     [<ffffffff813fb0b8>] do_garbage_collect+0x138/0x150
     [<ffffffff813fb3fe>] f2fs_gc+0x1be/0x3e0
     [<ffffffff81405541>] f2fs_balance_fs+0x81/0x90
     [<ffffffff813ee357>] f2fs_unlink+0x47/0x1d0
     [<ffffffff81239329>] vfs_unlink+0x109/0x1b0
     [<ffffffff8123e3d7>] do_unlinkat+0x287/0x2c0
     [<ffffffff8123ebc6>] SyS_unlink+0x16/0x20
     [<ffffffff81942e2e>] entry_SYSCALL_64_fastpath+0x12/0x71
    Code: 41 5e 5d c3 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 55 49
    89 f5 41 54 49 89 fc 53 48 83 ec 08 65 ff 05 e6 d9 b6 7e <48> 8b 47 20 48 63 ca
    65 8b 18 48 63 db 48 01 f3 48 39 cb 7d 0a
    RIP  [<ffffffff8149deea>] __percpu_counter_add+0x1a/0x90
     RSP <ffff880295143ac8>
    CR2: 00000000000000a8
    ---[ end trace 5132449a58ed93a3 ]---
    note: gcc[10356] exited with preempt_count 2
    Signed-off-by: Jaegeuk Kim <>
  2. f2fs: handle error cases in move_encrypted_block

    Jaegeuk Kim authored
    This patch fixes some missing error handlers.
    Reviewed-by: Chao Yu <>
    Signed-off-by: Jaegeuk Kim <>
  3. Merge branch 'for-linus' of git://

    Pull block fixes from Jens Axboe:
     "Four smaller fixes for the current series.  This contains:
       - A fix for clones of discard bio's, that can cause data corruption.
         From Martin.
       - A fix for null_blk, where in certain queue modes it could access a
         request after it had been freed.  From Mike Krinkin.
       - An error handling leak fix for blkcg, from Tejun.
       - Also from Tejun, export of the functions that a file system needs
         to implement cgroup writeback support"
    * 'for-linus' of git://
      block: Do a full clone when splitting discard bios
      block: export bio_associate_*() and wbc_account_io()
      blkcg: fix gendisk reference leak in blkg_conf_prep()
      null_blk: fix use-after-free problem
Commits on Jul 23, 2015
  1. Merge branch 'for-linus' of git://…

    Pull namespace fixes from Eric Biederman:
     "While reading through the code of detach_mounts I realized the code
      was slightly off.  Testing it revealed two buggy corner cases that can
      send the code of detach_mounts into an infinite loop.
      Fixing the code to do the right thing removes the possibility of these
      user triggered infinite loops in the code"
    * 'for-linus' of git://
      mnt: In detach_mounts detach the appropriate unmounted mount
      mnt: Clarify and correct the disconnect logic in umount_tree
  2. @axboe

    block: export bio_associate_*() and wbc_account_io()

    Tejun Heo authored axboe committed
    bio_associate_blkcg(), bio_associate_current() and wbc_account_io()
    are used to implement cgroup writeback support for filesystems and
    thus need to be exported.  Export them.
    Signed-off-by: Tejun Heo <>
    Reported-by: Stephen Rothwell <>
    Signed-off-by: Jens Axboe <>
  3. @ebiederm

    mnt: In detach_mounts detach the appropriate unmounted mount

    ebiederm authored
    The handling in detach_mounts of unmounted but connected mounts is
    buggy and can lead to an infinite loop.
    Correct the handling of unmounted mounts in detach_mount.  When the
    mountpoint of an unmounted but connected mount is connected to a
    dentry, and that dentry is deleted we need to disconnect that mount
    from the parent mount and the deleted dentry.
    Nothing changes for the unmounted and connected children.  They can be
    safely ignored.
    Fixes: ce07d89 mnt: Honor MNT_LOCKED when detaching mounts
    Signed-off-by: "Eric W. Biederman" <>
  4. @ebiederm

    mnt: Clarify and correct the disconnect logic in umount_tree

    ebiederm authored
    rmdir mntpoint will result in an infinite loop when there is
    a mount locked on the mountpoint in another mount namespace.
    This is because the logic to test to see if a mount should
    be disconnected in umount_tree is buggy.
    Move the logic to decide if a mount should remain connected to
    its mountpoint into its own function disconnect_mount so that
    clarity of expression instead of terseness of expression becomes
    a virtue.
    When the conditions where it is invalid to leave a mount connected
    are first ruled out, the logic for deciding if a mount should
    be disconnected becomes much clearer and simpler.
    Fixes: e0c9c0a mnt: Update detach_mounts to leave mounts connected
    Fixes: ce07d89 mnt: Honor MNT_LOCKED when detaching mounts
    Signed-off-by: "Eric W. Biederman" <>
Commits on Jul 22, 2015
  1. NFS: Remove the "NFS_CAP_CHANGE_ATTR" capability

    Trond Myklebust authored
    Setting the change attribute has been mandatory for all NFS versions, since
    commit 3a1556e ("NFSv2/v3: Simulate the change attribute"). We should
    therefore not have anything be conditional on it being set/unset.
    Signed-off-by: Trond Myklebust <>
  2. NFS: Set NFS_INO_REVAL_PAGECACHE if the change attribute is uninitial…

    Trond Myklebust authored
    We can't allow caching of data until the change attribute has been
    initialised correctly.
    Signed-off-by: Trond Myklebust <>
  3. NFS: Don't revalidate the mapping if both size and change attr are up…

    Trond Myklebust authored
    … to date
    If we've ensured that the size and the change attribute are both correct,
    then there is no point in marking those attributes as needing revalidation
    again. Only do so if we know the size is incorrect and was not updated.
    Fixes: f2467b6 ("NFS: Clear NFS_INO_REVAL_PAGECACHE when...")
    Signed-off-by: Trond Myklebust <>
  4. NFSv4/pnfs: Ensure we don't miss a file extension

    Trond Myklebust authored
    pNFS writes don't return attributes, however that doesn't mean that we
    should ignore the fact that they may be extending the file. This patch
    ensures that if a write is seen to extend the file, then we always set
    an attribute barrier, and update the cached file size.
    Signed-off-by: Trond Myklebust <>
  5. NFSv4: We must set NFS_OPEN_STATE flag in nfs_resync_open_stateid_locked

    Trond Myklebust authored
    Otherwise, nfs4_select_rw_stateid() will always return the zero stateid
    instead of the correct open stateid.
    Fixes: f95549c ("NFSv4: More CLOSE/OPEN races")
    Cc: # 4.0+
    Signed-off-by: Trond Myklebust <>
Commits on Jul 21, 2015
  1. Revert "fsnotify: fix oops in fsnotify_clear_marks_by_group_flags()"

    This reverts commit a2673b6.
    Kinglong Mee reports a memory leak with that patch, and Jan Kara confirms:
     "Thanks for report! You are right that my patch introduces a race
      between fsnotify kthread and fsnotify_destroy_group() which can result
      in leaking inotify event on group destruction.
      I haven't yet decided whether the right fix is not to queue events for
      dying notification group (as that is pointless anyway) or whether we
      should just fix the original problem differently...  Whenever I look
      at fsnotify code mark handling I get lost in the maze of locks, lists,
      and subtle differences between how different notification systems
      handle notification marks :( I'll think about it over night"
    and after thinking about it, Jan says:
     "OK, I have looked into the code some more and I found another
      relatively simple way of fixing the original oops.  It will be IMHO
      better than trying to fixup this issue which has more potential for
      breakage.  I'll ask Linus to revert the fsnotify fix he already merged
      and send a new fix"
    Reported-by: Kinglong Mee <>
    Requested-by: Jan Kara <>
    Cc: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
  2. Merge branch 'for_linus' of git://…

    Pull UDF fix from Jan Kara:
     "A fix for UDF corruption when a certain disk-format feature is enabled"
    * 'for_linus' of git://
      udf: Don't corrupt unalloc spacetable when writing it
Commits on Jul 18, 2015
  1. Merge branch 'x86-urgent-for-linus' of git://…

    Pull x86 fixes from Ingo Molnar:
     "Two families of fixes:
       - Fix an FPU context related boot crash on newer x86 hardware with
         larger context sizes than what most people test.  To fix this
         without ugly kludges or extensive reverts we had to touch core task
         allocator, to allow x86 to determine the task size dynamically, at
         boot time.
         I've tested it on a number of x86 platforms, and I cross-built it
         to a handful of architectures:
                                            (warns)               (warns)
           testing     x86-64:  -git:  pass (    0),  -tip:  pass (    0)
           testing     x86-32:  -git:  pass (    0),  -tip:  pass (    0)
           testing        arm:  -git:  pass ( 1359),  -tip:  pass ( 1359)
           testing       cris:  -git:  pass ( 1031),  -tip:  pass ( 1031)
           testing       m32r:  -git:  pass ( 1135),  -tip:  pass ( 1135)
           testing       m68k:  -git:  pass ( 1471),  -tip:  pass ( 1471)
           testing       mips:  -git:  pass ( 1162),  -tip:  pass ( 1162)
           testing    mn10300:  -git:  pass ( 1058),  -tip:  pass ( 1058)
           testing     parisc:  -git:  pass ( 1846),  -tip:  pass ( 1846)
           testing      sparc:  -git:  pass ( 1185),  -tip:  pass ( 1185)
         ... so I hope the cross-arch impact is 'none', as intended.
         (by Dave Hansen)
       - Fix various NMI handling related bugs unearthed by the big asm code
         rewrite and generally make the NMI code more robust and more
         maintainable while at it.  These changes are a bit late in the
         cycle, I hope they are still acceptable.
         (by Andy Lutomirski)"
    * 'x86-urgent-for-linus' of git://
      x86/fpu, sched: Introduce CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT and use it on x86
      x86/fpu, sched: Dynamically allocate 'struct fpu'
      x86/entry/64, x86/nmi/64: Add CONFIG_DEBUG_ENTRY NMI testing code
      x86/nmi/64: Make the "NMI executing" variable more consistent
      x86/nmi/64: Minor asm simplification
      x86/nmi/64: Use DF to avoid userspace RSP confusing nested NMI detection
      x86/nmi/64: Reorder nested NMI checks
      x86/nmi/64: Improve nested NMI comments
      x86/nmi/64: Switch stacks on userspace NMI entry
      x86/nmi/64: Remove asm code that saves CR2
      x86/nmi: Enable nested do_nmi() handling for 64-bit kernels
  2. Merge branch 'akpm' (patches from Andrew)

    Merge fixes from Andrew Morton:
     "25 fixes"
    * emailed patches from Andrew Morton <>: (25 commits)
      lib/decompress: set the compressor name to NULL on error
      mm/cma_debug: correct size input to bitmap function
      mm/cma_debug: fix debugging alloc/free interface
      mm/page_owner: set correct gfp_mask on page_owner
      mm/page_owner: fix possible access violation
      fsnotify: fix oops in fsnotify_clear_marks_by_group_flags()
      /proc/$PID/cmdline: fixup empty ARGV case
      dma-debug: skip debug_dma_assert_idle() when disabled
      hexdump: fix for non-aligned buffers
      checkpatch: fix long line messages about patch context
      mm: clean up per architecture MM hook header files
      MAINTAINERS: uclinux-h8-devel is moderated for non-subscribers
      mailmap: update Sudeep Holla's email id
      Update Viresh Kumar's email address
      mm, meminit: suppress unused memory variable warning
      configfs: fix kernel infoleak through user-controlled format string
      include, lib: add __printf attributes to several function prototypes
      s390/hugetlb: add hugepages_supported define
      mm: hugetlb: allow hugepages_supported to be architecture specific
      revert "s390/mm: make hugepages_supported a boot time decision"
  3. Merge branch 'for-linus-4.2' of git://…

    Pull btrfs fixes from Chris Mason:
     "These are all from Filipe, and cover a few problems we've had reported
      on the list recently (along with ones he found on his own)"
    * 'for-linus-4.2' of git://
      Btrfs: fix file corruption after cloning inline extents
      Btrfs: fix order by which delayed references are run
      Btrfs: fix list transaction->pending_ordered corruption
      Btrfs: fix memory leak in the extent_same ioctl
      Btrfs: fix shrinking truncate when the no_holes feature is enabled
  4. x86/fpu, sched: Introduce CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT and u…

    Ingo Molnar authored
    …se it on x86
    Don't burden architectures without dynamic task_struct sizing
    with the overhead of dynamic sizing.
    Also optimize the x86 code a bit by caching task_struct_size.
    Acked-and-Tested-by: Dave Hansen <>
    Cc: Andy Lutomirski <>
    Cc: Borislav Petkov <>
    Cc: Brian Gerst <>
    Cc: Dave Hansen <>
    Cc: Denys Vlasenko <>
    Cc: Linus Torvalds <>
    Cc: Oleg Nesterov <>
    Cc: Peter Zijlstra <>
    Cc: Thomas Gleixner <>
    Signed-off-by: Ingo Molnar <>
  5. @hansendc

    x86/fpu, sched: Dynamically allocate 'struct fpu'

    hansendc authored Ingo Molnar committed
    The FPU rewrite removed the dynamic allocations of 'struct fpu'.
    But, this potentially wastes massive amounts of memory (2k per
    task on systems that do not have AVX-512 for instance).
    Instead of having a separate slab, this patch just appends the
    space that we need to the 'task_struct' which we dynamically
    allocate already.  This saves from doing an extra slab
    allocation at fork().
    The only real downside here is that we have to stick everything
    at the end of the task_struct.  But, I think the
    BUILD_BUG_ON()s I stuck in there should keep that from being too
    Signed-off-by: Dave Hansen <>
    Cc: Andy Lutomirski <>
    Cc: Borislav Petkov <>
    Cc: Brian Gerst <>
    Cc: Dave Hansen <>
    Cc: Denys Vlasenko <>
    Cc: H. Peter Anvin <>
    Cc: Linus Torvalds <>
    Cc: Oleg Nesterov <>
    Cc: Peter Zijlstra <>
    Cc: Thomas Gleixner <>
    Signed-off-by: Ingo Molnar <>
Commits on Jul 17, 2015
  1. @jankara

    fsnotify: fix oops in fsnotify_clear_marks_by_group_flags()

    jankara authored committed
    fsnotify_clear_marks_by_group_flags() can race with
    fsnotify_destroy_marks() so when fsnotify_destroy_mark_locked() drops
    mark_mutex, a mark from the list iterated by
    fsnotify_clear_marks_by_group_flags() can be freed and we dereference free
    memory in the loop there.
    Fix the problem by keeping mark_mutex held in
    fsnotify_destroy_mark_locked().  The reason why we drop that mutex is that
    we need to call a ->freeing_mark() callback which may acquire mark_mutex
    again.  To avoid this and similar lock inversion issues, we move the call
    to ->freeing_mark() callback to the kthread destroying the mark.
    Signed-off-by: Jan Kara <>
    Reported-by: Ashish Sangwan <>
    Suggested-by: Lino Sanfilippo <>
    Cc: <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
  2. /proc/$PID/cmdline: fixup empty ARGV case

    Alexey Dobriyan authored committed
    /proc/*/cmdline code checks if it should look at ENVP area by checking
    last byte of ARGV area:
    	rv = access_remote_vm(mm, arg_end - 1, &c, 1, 0);
    	if (rv <= 0)
    		goto out_free_page;
    If ARGV is somehow made empty (by doing execve(..., NULL, ...) or
    manually setting ->arg_start and ->arg_end to equal values), the decision
    will be based on byte which doesn't even belong to ARGV/ENVP.
    So, quickly check if ARGV area is empty and report 0 to match previous
    Signed-off-by: Alexey Dobriyan <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
  3. @fishilico

    configfs: fix kernel infoleak through user-controlled format string

    fishilico authored committed
    Some modules call config_item_init_type_name() and config_group_init_type_name()
    with parameter "name" directly controlled by userspace.  These two
    functions call config_item_set_name() with this name used as a format
    string, which can be used to leak information such as content of the
    stack to userspace.
    For example, make_netconsole_target() in netconsole module calls
    config_item_init_type_name() with the name of a newly-created directory.
    This means that the following commands give some unexpected output, with
    configfs mounted in /sys/kernel/config/ and on a system with a
    configured eth0 ethernet interface:
        # modprobe netconsole
        # mkdir /sys/kernel/config/netconsole/target_%lx
        # echo eth0 > /sys/kernel/config/netconsole/target_%lx/dev_name
        # echo 1 > /sys/kernel/config/netconsole/target_%lx/enabled
        # echo eth0 > /sys/kernel/config/netconsole/target_%lx/dev_name
        # dmesg |tail -n1
        [  142.697668] netconsole: target (target_ffffffffc0ae8080) is
        enabled, disable to update parameters
    The directory name is correct but %lx has been interpreted in the
    internal item name, displayed here in the error message used by
    store_dev_name() in drivers/net/netconsole.c.
    To fix this, update every caller of config_item_set_name to use "%s"
    when operating on untrusted input.
    This issue was found using -Wformat-security gcc flag, once a __printf
    attribute has been added to config_item_set_name().
    Signed-off-by: Nicolas Iooss <>
    Acked-by: Greg Kroah-Hartman <>
    Acked-by: Felipe Balbi <>
    Acked-by: Joel Becker <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
  4. @iaguis

    fs, proc: add help for CONFIG_PROC_CHILDREN

    iaguis authored committed
    The purpose of the option was documented in
    Documentation/filesystems/proc.txt but the help text was missing.
    Add small help text that also points to the documentation.
    Signed-off-by: Iago López Galeiras <>
    Reviewed-by: Jean Delvare <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
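The format-string problem described in the Jul 17 commit "configfs: fix kernel infoleak through user-controlled format string", as an added user-space C example that is not kernel code and not part of that commit. `struct item`, `item_set_name()`, the two init helpers and the `0xdeadbeef` value standing in for stale register contents are hypothetical, modelled on the call shape the commit message describes.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define ITEM_NAME_MAX 64

/* Hypothetical stand-in for a configfs item; only the name matters here. */
struct item {
    char name[ITEM_NAME_MAX];
};

/* Constructed sample: the directory name used in the commit message. */
const char SAMPLE_NAME[] = "target_%lx";

/*
 * printf-style name setter. The format attribute is what lets gcc's
 * -Wformat-security (the flag named in the commit message) report callers
 * that pass a non-literal string as the only format argument.
 */
int item_set_name(struct item *it, const char *fmt, ...)
    __attribute__((format(printf, 2, 3)));

int item_set_name(struct item *it, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(it->name, sizeof(it->name), fmt, ap);
    va_end(ap);

    /* Reject encoding errors and names that did not fit. */
    if (n < 0 || (size_t)n >= sizeof(it->name))
        return -1;
    return 0;
}

/*
 * Unsafe pattern: the untrusted name is used AS the format string.
 * In the case the commit describes there is no argument behind it, so a
 * directive such as %lx formats whatever value happens to be there. Here
 * `stale` is passed explicitly to model that value and keep this demo
 * well defined; call it only with SAMPLE_NAME.
 */
int item_init_name_unsafe(struct item *it, const char *untrusted,
                          unsigned long stale)
{
    return item_set_name(it, untrusted, stale);
}

/* Fixed pattern from the commit: a constant "%s" format, name as data. */
int item_init_name_fixed(struct item *it, const char *untrusted)
{
    return item_set_name(it, "%s", untrusted);
}

/*
 * Review/detection helper: number of '%' directives that would be
 * interpreted if `s` were used as a format string ("%%" is a literal).
 */
int count_format_directives(const char *s)
{
    int n = 0;

    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent sign, skip both */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    struct item unsafe_item, fixed_item;

    item_init_name_unsafe(&unsafe_item, SAMPLE_NAME, 0xdeadbeefUL);
    item_init_name_fixed(&fixed_item, SAMPLE_NAME);

    printf("directives in name : %d\n", count_format_directives(SAMPLE_NAME));
    printf("name as format     : %s\n", unsafe_item.name);
    printf("name via \"%%s\"      : %s\n", fixed_item.name);
    return 0;
}
```

The unsafe item name no longer matches the directory name, which is the mismatch visible in the dmesg line quoted in the commit message; the fixed item name is the directory name byte for byte.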
Commits on Jul 16, 2015
  1. Merge tag 'jfs-4.2' of git://

    Pull jfs fixes from David Kleikamp:
     "A couple trivial fixes and an error path fix"
    * tag 'jfs-4.2' of git://
      jfs: clean up jfs_rename and fix out of order unlock
      jfs: fix indentation on if statement
      jfs: removed a prohibited space after opening parenthesis
Commits on Jul 15, 2015
  1. Merge tag 'locks-v4.2-1' of git://

    Pull file locking updates from Jeff Layton:
     "I had thought that I was going to get away without a pull request this
      cycle.  There was a NFSv4 file locking problem that cropped up that I
      tried to fix in the NFSv4 code alone, but that fix has turned out to
      be problematic.  These patches fix this in the correct way.
      Note that this touches some NFSv4 code as well.  Ordinarily I'd wait
      for Trond to ACK this, but he's on holiday right now and the bug is
      rather nasty.  So I suggest we merge this and if he raises issues with
      it we can sort it out when he gets back"
    Acked-by: Bruce Fields <>
    Acked-by: Dan Williams <>
     [ +1 to this series fixing a 100% reproducible slab corruption +
       general protection fault in my nfs-root test environment. - Dan ]
    Acked-by: Anna Schumaker <>
    * tag 'locks-v4.2-1' of git://
      locks: inline posix_lock_file_wait and flock_lock_file_wait
      nfs4: have do_vfs_lock take an inode pointer
      locks: new helpers - flock_lock_inode_wait and posix_lock_inode_wait
      locks: have flock_lock_file take an inode pointer instead of a filp
      Revert "nfs: take extra reference to fl->fl_file when running a LOCKU operation"
  2. @kleikamp

    jfs: clean up jfs_rename and fix out of order unlock

    kleikamp authored
    The end of jfs_rename(), which is also used by the error paths,
    included a call to IWRITE_UNLOCK(new_ip) after labels out1, out2
    and out3. If we come in through these labels, IWRITE_LOCK() has not
    been called yet.
    In moving that call to the correct spot, I also moved some
    exceptional truncate code earlier as well, since the early error
    paths don't need to deal with it, and I renamed out4: to out_tx: so
    a future patch by Jan Kara doesn't need to deal with renumbering or
    confusing out-of-order labels.
    Signed-off-by: Dave Kleikamp <>
Commits on Jul 14, 2015
  1. @fdmanana

    Btrfs: fix file corruption after cloning inline extents

    fdmanana authored
    Using the clone ioctl (or extent_same ioctl, which calls the same extent
    cloning function as well) we end up allowing an inline extent to be copied
    from the source file into a non-zero offset of the destination file. This is
    something not expected and that the btrfs code is not prepared to deal
    with - all inline extents must be at a file offset equal to 0.
    For example, the following excerpt of a test case for fstests triggers
    a crash/BUG_ON() on a write operation after an inline extent is cloned
    into a non-zero offset:
      _scratch_mkfs >>$seqres.full 2>&1
      # Create our test files. File foo has the same 2K of data at offset 4K
      # as file bar has at its offset 0.
      $XFS_IO_PROG -f -s -c "pwrite -S 0xaa 0 4K" \
          -c "pwrite -S 0xbb 4k 2K" \
          -c "pwrite -S 0xcc 8K 4K" \
          $SCRATCH_MNT/foo | _filter_xfs_io
      # File bar consists of a single inline extent (2K size).
      $XFS_IO_PROG -f -s -c "pwrite -S 0xbb 0 2K" \
         $SCRATCH_MNT/bar | _filter_xfs_io
      # Now call the clone ioctl to clone the extent of file bar into file
      # foo at its offset 4K. This made file foo have an inline extent at
      # offset 4K, something which the btrfs code can not deal with in future
      # IO operations because all inline extents are supposed to start at an
      # offset of 0, resulting in all sorts of chaos.
      # So here we validate that clone ioctl returns an EOPNOTSUPP, which is
      # what it returns for other cases dealing with inlined extents.
      $CLONER_PROG -s 0 -d $((4 * 1024)) -l $((2 * 1024)) \
          $SCRATCH_MNT/bar $SCRATCH_MNT/foo
      # Because of the inline extent at offset 4K, the following write made
      # the kernel crash with a BUG_ON().
      $XFS_IO_PROG -c "pwrite -S 0xdd 6K 2K" $SCRATCH_MNT/foo | _filter_xfs_io
    The stack trace of the BUG_ON() triggered by the last write is:
      [152154.035903] ------------[ cut here ]------------
      [152154.036424] kernel BUG at mm/page-writeback.c:2286!
      [152154.036424] invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
      [152154.036424] Modules linked in: btrfs dm_flakey dm_mod crc32c_generic xor raid6_pq nfsd auth_rpcgss oid_registry nfs_acl nfs lockd grace fscache sunrpc loop fuse parport_pc acpi_cpu$
      [152154.036424] CPU: 2 PID: 17873 Comm: xfs_io Tainted: G        W       4.1.0-rc6-btrfs-next-11+ #2
      [152154.036424] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 04/01/2014
      [152154.036424] task: ffff880429f70990 ti: ffff880429efc000 task.ti: ffff880429efc000
      [152154.036424] RIP: 0010:[<ffffffff8111a9d5>]  [<ffffffff8111a9d5>] clear_page_dirty_for_io+0x1e/0x90
      [152154.036424] RSP: 0018:ffff880429effc68  EFLAGS: 00010246
      [152154.036424] RAX: 0200000000000806 RBX: ffffea0006a6d8f0 RCX: 0000000000000001
      [152154.036424] RDX: 0000000000000000 RSI: ffffffff81155d1b RDI: ffffea0006a6d8f0
      [152154.036424] RBP: ffff880429effc78 R08: ffff8801ce389fe0 R09: 0000000000000001
      [152154.036424] R10: 0000000000002000 R11: ffffffffffffffff R12: ffff8800200dce68
      [152154.036424] R13: 0000000000000000 R14: ffff8800200dcc88 R15: ffff8803d5736d80
      [152154.036424] FS:  00007fbf119f6700(0000) GS:ffff88043d280000(0000) knlGS:0000000000000000
      [152154.036424] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [152154.036424] CR2: 0000000001bdc000 CR3: 00000003aa555000 CR4: 00000000000006e0
      [152154.036424] Stack:
      [152154.036424]  ffff8803d5736d80 0000000000000001 ffff880429effcd8 ffffffffa04e97c1
      [152154.036424]  ffff880429effd68 ffff880429effd60 0000000000000001 ffff8800200dc9c8
      [152154.036424]  0000000000000001 ffff8800200dcc88 0000000000000000 0000000000001000
      [152154.036424] Call Trace:
      [152154.036424]  [<ffffffffa04e97c1>] lock_and_cleanup_extent_if_need+0x147/0x18d [btrfs]
      [152154.036424]  [<ffffffffa04ea82c>] __btrfs_buffered_write+0x245/0x4c8 [btrfs]
      [152154.036424]  [<ffffffffa04ed14b>] ? btrfs_file_write_iter+0x150/0x3e0 [btrfs]
      [152154.036424]  [<ffffffffa04ed15a>] ? btrfs_file_write_iter+0x15f/0x3e0 [btrfs]
      [152154.036424]  [<ffffffffa04ed2c7>] btrfs_file_write_iter+0x2cc/0x3e0 [btrfs]
      [152154.036424]  [<ffffffff81165a4a>] __vfs_write+0x7c/0xa5
      [152154.036424]  [<ffffffff81165f89>] vfs_write+0xa0/0xe4
      [152154.036424]  [<ffffffff81166855>] SyS_pwrite64+0x64/0x82
      [152154.036424]  [<ffffffff81465197>] system_call_fastpath+0x12/0x6f
      [152154.036424] Code: 48 89 c7 e8 0f ff ff ff 5b 41 5c 5d c3 0f 1f 44 00 00 55 48 89 e5 41 54 53 48 89 fb e8 ae ef 00 00 49 89 c4 48 8b 03 a8 01 75 02 <0f> 0b 4d 85 e4 74 59 49 8b 3c 2$
      [152154.036424] RIP  [<ffffffff8111a9d5>] clear_page_dirty_for_io+0x1e/0x90
      [152154.036424]  RSP <ffff880429effc68>
      [152154.242621] ---[ end trace e3d3376b23a57041 ]---
    Fix this by returning the error EOPNOTSUPP if an attempt to copy an
    inline extent into a non-zero offset happens, just like what is done for
    other scenarios that would require copying/splitting inline extents,
    which were introduced by the following commits:
       00fdf13 ("Btrfs: fix a crash of clone with inline extents's split")
       3f9e3df ("btrfs: replace error code from btrfs_drop_extents")
    Signed-off-by: Filipe Manana <>
Commits on Jul 13, 2015
  1. @jtlayton

    locks: inline posix_lock_file_wait and flock_lock_file_wait

    jtlayton authored
    They just call file_inode and then the corresponding *_inode_file_wait
    function. Just make them static inlines instead.
    Signed-off-by: Jeff Layton <>
  2. @jtlayton

    nfs4: have do_vfs_lock take an inode pointer

    jtlayton authored
    Now that we have file locking helpers that can deal with an inode
    instead of a filp, we can change the NFSv4 locking code to use that.
    This should fix the case where we have a filp that is closed while flock
    or OFD locks are set on it, and the task is signaled so that it doesn't
    wait for the LOCKU reply to come in before the filp is freed. At that
    point we can end up with a use-after-free with the current code, which
    relies on dereferencing the fl_file in the lock request.
    Signed-off-by: Jeff Layton <>
    Reviewed-by: "J. Bruce Fields" <>
    Tested-by: "J. Bruce Fields" <>