Catalin Marinas [Wed, 19 Sep 2012 11:01:52 +0000 (12:01 +0100)]
compat: fs: Generic compat_sys_sendfile implementation
This function is used by sparc, powerpc and arm64 for compat support.
The patch adds a generic implementation which calls do_sendfile()
directly and avoids set_fs().
The sparc architecture has wrappers for the sign extensions while
powerpc relies on the compiler to do the this. The patch adds wrappers
for powerpc to handle the u32->int type conversion.
compat_sys_sendfile64() can be replaced by a sys_sendfile() call since
compat_loff_t has the same size as off_t on a 64-bit system.
On powerpc, the patch also changes the 64-bit sendfile call from
sys_sendile64 to sys_sendfile.
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Acked-by: David S. Miller <davem@davemloft.net>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Kirill A. Shutemov [Wed, 26 Sep 2012 01:33:07 +0000 (11:33 +1000)]
fs: push rcu_barrier() from deactivate_locked_super() to filesystems
There's no reason to call rcu_barrier() on every
deactivate_locked_super(). We only need to make sure that all delayed rcu
free inodes are flushed before we destroy related cache.
Removing rcu_barrier() from deactivate_locked_super() affects some fast
paths. E.g. on my machine exit_group() of a last process in IPC
namespace takes 0.07538s. rcu_barrier() takes 0.05188s of that time.
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Wed, 29 Aug 2012 20:31:33 +0000 (16:31 -0400)]
btrfs: reada_extent doesn't need kref for refcount
All increments and decrements are under the same spinlock - have to be,
since they need to protect the radix_tree it's found in. Just use
int, no need to wank with kref...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Alex Kelly [Thu, 27 Sep 2012 01:52:08 +0000 (21:52 -0400)]
coredump: move core dump functionality into its own file
This prepares for making core dump functionality optional.
The variable "suid_dumpable" and associated functions are left in fs/exec.c
because they're used elsewhere, such as in ptrace.
Signed-off-by: Alex Kelly <alex.page.kelly@gmail.com>
Reviewed-by: Josh Triplett <josh@joshtriplett.org>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Denys Vlasenko [Wed, 26 Sep 2012 01:34:50 +0000 (11:34 +1000)]
coredump: prevent double-free on an error path in core dumper
In !CORE_DUMP_USE_REGSET case, if elf_note_info_init fails to allocate
memory for info->fields, it frees already allocated stuff and returns
error to its caller, fill_note_info. Which in turn returns error to its
caller, elf_core_dump. Which jumps to cleanup label and calls
free_note_info, which will happily try to free all info->fields again.
BOOM.
This is the fix.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Cc: Venu Byravarasu <vbyravarasu@nvidia.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Al Viro [Thu, 27 Sep 2012 01:43:45 +0000 (21:43 -0400)]
usb/gadget: fix misannotations
__user * != * __user
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Thu, 27 Sep 2012 01:43:05 +0000 (21:43 -0400)]
fcntl: fix misannotations
__user * != * __user...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Thu, 27 Sep 2012 01:41:05 +0000 (21:41 -0400)]
ceph: don't abuse d_delete() on failure exits
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Thu, 27 Sep 2012 01:33:07 +0000 (21:33 -0400)]
hypfs: ->d_parent is never NULL or negative
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Alan Cox [Wed, 19 Sep 2012 14:49:51 +0000 (15:49 +0100)]
vfs: delete surplus inode NULL check
Each iteration of d_delete we reload inode from dentry->d_inode and
then call S_ISDIR(inode-i_mode), so inode cannot possibly be NULL
shortly afterwards unless something went horribly wrong.
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Tue, 28 Aug 2012 16:52:22 +0000 (12:52 -0400)]
switch simple cases of fget_light to fdget
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 27 Aug 2012 23:55:01 +0000 (19:55 -0400)]
new helpers: fdget()/fdput()
Signed-off-bs: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 27 Aug 2012 21:55:17 +0000 (17:55 -0400)]
switch o2hb_region_dev_write() to fget_light()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 27 Aug 2012 18:55:26 +0000 (14:55 -0400)]
proc_map_files_readdir(): don't bother with grabbing files
all we need is their ->f_mode, so just collect _that_
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 27 Aug 2012 18:48:26 +0000 (14:48 -0400)]
make get_file() return its argument
simplifies a bunch of callers...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 27 Aug 2012 18:21:39 +0000 (14:21 -0400)]
vhost_set_vring(): turn pollstart/pollstop into bool
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 27 Aug 2012 17:02:21 +0000 (13:02 -0400)]
switch prctl_set_mm_exe_file() to fget_light()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 27 Aug 2012 16:59:52 +0000 (12:59 -0400)]
switch xfs_find_handle() to fget_light()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 27 Aug 2012 16:57:12 +0000 (12:57 -0400)]
switch xfs_swapext() to fget_light()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 27 Aug 2012 16:54:13 +0000 (12:54 -0400)]
switch coda get_device_index() to fget_light()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 27 Aug 2012 16:47:29 +0000 (12:47 -0400)]
switch infinibarf users of fget() to fget_light()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 27 Aug 2012 16:14:05 +0000 (12:14 -0400)]
switch vfio_group_set_container() to fget_light()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 27 Aug 2012 07:18:55 +0000 (03:18 -0400)]
switch btrfs_ioctl_clone() to fget_light()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 27 Aug 2012 07:11:34 +0000 (03:11 -0400)]
switch mqueue syscalls to fget_light()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 27 Aug 2012 01:35:48 +0000 (21:35 -0400)]
switch SNDRV_PCM_IOCTL_LINK to fget_light()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 27 Aug 2012 01:32:02 +0000 (21:32 -0400)]
switch timerfd_[sg]ettime(2) to fget_light()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 27 Aug 2012 01:27:40 +0000 (21:27 -0400)]
switch epoll_wait(2) to fget_light()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 27 Aug 2012 01:20:24 +0000 (21:20 -0400)]
switch btrfs_ioctl_snap_create_transid() to fget_light()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 27 Aug 2012 01:01:46 +0000 (21:01 -0400)]
switch EXT4_IOC_MOVE_EXT to fget_light()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Tue, 28 Aug 2012 14:19:41 +0000 (10:19 -0400)]
export fget_light
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 27 Aug 2012 01:00:03 +0000 (21:00 -0400)]
ext4: close struct file leak on EXT4_IOC_MOVE_EXT
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 27 Aug 2012 00:41:49 +0000 (20:41 -0400)]
switch hpux_getdents() to fget_light()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 27 Aug 2012 00:39:16 +0000 (20:39 -0400)]
switch itanic perfmonctl(2) to fget_light()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 27 Aug 2012 00:36:23 +0000 (20:36 -0400)]
switch osf_getdirentries() to fget_light()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 27 Aug 2012 00:30:57 +0000 (20:30 -0400)]
switch readahead(2) to fget_light()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 27 Aug 2012 00:27:09 +0000 (20:27 -0400)]
switch fadvise(2) to fget_light()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 27 Aug 2012 00:22:10 +0000 (20:22 -0400)]
switch fchmod(2) to fget_light()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 27 Aug 2012 00:15:40 +0000 (20:15 -0400)]
switch fallocate(2) to fget_light()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 27 Aug 2012 00:13:36 +0000 (20:13 -0400)]
switch ftruncate(2) to fget_light
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Sun, 26 Aug 2012 16:55:54 +0000 (12:55 -0400)]
namei.c: fix BS comment
get_write_access() is needed for nfsd, not binfmt_aout (the latter
has no business doing anything of that kind, of course)
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Sun, 26 Aug 2012 15:01:04 +0000 (11:01 -0400)]
don't leak O_CLOEXEC into ->f_flags
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Cyrill Gorcunov [Sun, 26 Aug 2012 14:28:20 +0000 (18:28 +0400)]
procfs: Convert /proc/pid/fdinfo/ handling routines to seq-file v2
This patch converts /proc/pid/fdinfo/ handling routines to seq-file which
is needed to extend seq operations and plug in auxiliary fdinfo provides
from subsystems like eventfd/eventpoll/fsnotify.
Note the proc_fd_link no longer call for proc_fd_info, simply because
the guts of proc_fd_info() got merged into ->show() of that seq_file
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Cyrill Gorcunov [Thu, 23 Aug 2012 10:43:24 +0000 (14:43 +0400)]
procfs: Move /proc/pid/fd[info] handling code to fd.[ch]
This patch prepares the ground for further extension of
/proc/pid/fd[info] handling code by moving fdinfo handling
code into fs/proc/fd.c.
I think such move makes both fs/proc/base.c and fs/proc/fd.c
easier to read.
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Acked-by: Pavel Emelyanov <xemul@parallels.com>
CC: Al Viro <viro@ZenIV.linux.org.uk>
CC: Alexey Dobriyan <adobriyan@gmail.com>
CC: Andrew Morton <akpm@linux-foundation.org>
CC: James Bottomley <jbottomley@parallels.com>
CC: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
CC: Alexey Dobriyan <adobriyan@gmail.com>
CC: Matthew Helsley <matt.helsley@gmail.com>
CC: "J. Bruce Fields" <bfields@fieldses.org>
CC: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Wed, 22 Aug 2012 22:42:10 +0000 (18:42 -0400)]
new helper: daemonize_descriptors()
descriptor-related parts of daemonize, done right. As the
result we simplify the locking rules for ->files - we
hold task_lock in *all* cases when we modify ->files.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Wed, 22 Aug 2012 02:50:49 +0000 (22:50 -0400)]
switch spufs/coredump to iterate_fd()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Wed, 22 Aug 2012 02:43:47 +0000 (22:43 -0400)]
do_coredump(): make sure that descriptor table isn't shared
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Wed, 22 Aug 2012 02:32:06 +0000 (22:32 -0400)]
new helper: iterate_fd()
iterates through the opened files in given descriptor table,
calling a supplied function; we stop once non-zero is returned.
Callback gets struct file *, descriptor number and const void *
argument passed to iterator. It is called with files->file_lock
held, so it is not allowed to block.
tty_io, netprio_cgroup and selinux flush_unauthorized_files()
converted to its use.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Wed, 22 Aug 2012 00:11:34 +0000 (20:11 -0400)]
make expand_files() and alloc_fd() static
no callers outside of fs/file.c left
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Wed, 22 Aug 2012 00:09:42 +0000 (20:09 -0400)]
take __{set,clear}_{open_fd,close_on_exec}() into fs/file.c
nobody uses those outside anymore.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Tue, 21 Aug 2012 16:26:45 +0000 (12:26 -0400)]
switch flush_unauthorized_files() to replace_fd()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Tue, 21 Aug 2012 16:11:46 +0000 (12:11 -0400)]
new helper: replace_fd()
analog of dup2(), except that it takes struct file * as source.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Tue, 21 Aug 2012 15:48:11 +0000 (11:48 -0400)]
take purely descriptor-related stuff from fcntl.c to file.c
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Tue, 21 Aug 2012 13:56:33 +0000 (09:56 -0400)]
take close-on-exec logics to fs/file.c, clean it up a bit
... and add cond_resched() there, while we are at it. We can
get large latencies as is...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Sun, 19 Aug 2012 17:00:49 +0000 (13:00 -0400)]
um: resurrect the right variant of mconsole_proc()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Sun, 19 Aug 2012 16:04:24 +0000 (12:04 -0400)]
take descriptor-related part of close() to file.c
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Thu, 16 Aug 2012 01:12:10 +0000 (21:12 -0400)]
take fget() and friends to fs/file.c
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Thu, 16 Aug 2012 01:06:33 +0000 (21:06 -0400)]
expose a low-level variant of fd_install() for binder
Similar situation to that of __alloc_fd(); do not use unless you
really have to. You should not touch any descriptor table other
than your own; it's a sure sign of a really bad API design.
As with __alloc_fd(), you *must* use a first-class reference to
struct files_struct; something obtained by get_files_struct(some task)
(let alone direct task->files) will not do. It must be either
current->files, or obtained by get_files_struct(current) by the
owner of that sucker and given to you.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Thu, 16 Aug 2012 01:03:26 +0000 (21:03 -0400)]
move put_unused_fd() and fd_install() to fs/file.c
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Thu, 16 Aug 2012 00:06:36 +0000 (20:06 -0400)]
trim free_fdtable_rcu()
embedded case isn't hit anymore
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Thu, 16 Aug 2012 00:00:58 +0000 (20:00 -0400)]
don't bother with call_rcu() in put_files_struct()
At that point nobody can see us anyway; everything that
looks at files_fdtable(files) is separated from the
guts of put_files_struct(files) - either since files is
current->files or because we fetched it under task_lock()
and hadn't dropped that yet, or because we'd bumped
files->count while holding task_lock()...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Wed, 15 Aug 2012 23:56:12 +0000 (19:56 -0400)]
move files_struct-related bits from kernel/exit.c to fs/file.c
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Sun, 12 Aug 2012 21:27:30 +0000 (17:27 -0400)]
new helper: __alloc_fd()
Essentially, alloc_fd() in a files_struct we own a reference to.
Most of the time wanting to use it is a sign of lousy API
design (such as android/binder). It's *not* a general-purpose
interface; better that than open-coding its guts, but again,
playing with other process' descriptor table is a sign of bad
design.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Sun, 12 Aug 2012 20:17:59 +0000 (16:17 -0400)]
take rlimit check to callers of expand_files()
... except for one in android, where the check is different
and already done in caller. No need to recalculate rlimit
many times in alloc_fd() either.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Sun, 19 Aug 2012 16:30:45 +0000 (12:30 -0400)]
fanotify: sanitize failure exits in copy_event_to_user()
* do copy_to_user() before prepare_for_access_response(); that kills
the need in remove_access_response().
* don't do fd_install() until we are past the last possible failure
exit. Don't use sys_close() on cleanup side - just put_unused_fd()
and fput(). Less racy that way...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Tue, 21 Aug 2012 13:40:46 +0000 (09:40 -0400)]
events: don't use get_unused_fd_flags() when get_unused_fd() will do
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Sun, 19 Aug 2012 16:17:29 +0000 (12:17 -0400)]
pipe(2) - race-free error recovery
don't mess with sys_close() if copy_to_user() fails; just postpone
fd_install() until we know it hasn't.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Wed, 15 Aug 2012 22:23:36 +0000 (18:23 -0400)]
binder: don't allow mmap() by process other than proc->tsk
we really shouldn't do get_files_struct() on a different process
and use it to modify the sucker later on.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Sun, 12 Aug 2012 22:04:37 +0000 (18:04 -0400)]
autofs4: don't open-code fd_install()
The only difference between autofs_dev_ioctl_fd_install() and
fd_install() is __set_close_on_exec() done by the latter. Just
use get_unused_fd_flags(O_CLOEXEC) to allocate the descriptor
and be done with that...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Sun, 12 Aug 2012 21:18:05 +0000 (17:18 -0400)]
make get_unused_fd_flags() a function
... and get_unused_fd() a macro around it
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Sat, 18 Aug 2012 04:25:51 +0000 (00:25 -0400)]
unexport sock_map_fd(), switch to sock_alloc_file()
Both modular callers of sock_map_fd() had been buggy; sctp one leaks
descriptor and file if copy_to_user() fails, 9p one shouldn't be
exposing file in the descriptor table at all.
Switch both to sock_alloc_file(), export it, unexport sock_map_fd() and
make it static.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Sat, 18 Aug 2012 03:54:15 +0000 (23:54 -0400)]
take descriptor handling from sock_alloc_file() to callers
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Thu, 27 Sep 2012 01:07:20 +0000 (21:07 -0400)]
Merge remote branch 'origin' into for-next
Linus Torvalds [Tue, 25 Sep 2012 21:20:29 +0000 (14:20 -0700)]
Merge git://git./linux/kernel/git/davem/net
Pull more networking fixes from David Miller:
1) Eric Dumazet discovered and fixed what turned out to be a family of
bugs. These functions were using pskb_may_pull() which might need
to reallocate the linear SKB data buffer, but the callers were not
expecting this possibility. The callers have cached pointers to the
packet header areas, and would need to reload them if we were to
continue using pskb_may_pull().
So they could end up reading garbage.
It's easier to just change these RAW4/RAW6/MIP6 routines to use
skb_header_pointer() instead of pskb_may_pull(), which won't modify
the linear SKB data area.
2) Dave Jone's syscall spammer caught a case where a non-TCP socket can
call down into the TCP keepalive code. The case basically involves
creating a raw socket with sk_protocol == IPPROTO_TCP, then calling
setsockopt(sock_fd, SO_KEEPALIVE, ...)
Fixed by Eric Dumazet.
3) Bluetooth devices do not get configured properly while being powered
on, resulting in always using legacy pairing instead of SSP. Fix
from Andrzej Kaczmarek.
4) Bluetooth cancels delayed work erroneously, put stricter checks in
place. From Andrei Emeltchenko.
5) Fix deadlock between cfg80211_mutex and reg_regdb_search_mutex in
cfg80211, from Luis R. Rodriguez.
6) Fix interrupt double release in iwlwifi, from Emmanuel Grumbach.
7) Missing module license in bcm87xx driver, from Peter Huewe.
8) Team driver can lose port changed events when adding devices to a
team, fix from Jiri Pirko.
9) Fix endless loop when trying ot unregister PPPOE device in zombie
state, from Xiaodong Xu.
10) batman-adv layer needs to set MAC address of software device
earlier, otherwise we call tt_local_add with it uninitialized.
11) Fix handling of KSZ8021 PHYs, it's matched currently by KS8051 but
that doesn't program the device properly. From Marek Vasut.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
ipv6: mip6: fix mip6_mh_filter()
ipv6: raw: fix icmpv6_filter()
net: guard tcp_set_keepalive() to tcp sockets
phy/micrel: Add missing header to micrel_phy.h
phy/micrel: Rename KS80xx to KSZ80xx
phy/micrel: Implement support for KSZ8021
batman-adv: Fix symmetry check / route flapping in multi interface setups
batman-adv: Fix change mac address of soft iface.
pppoe: drop PPPOX_ZOMBIEs in pppoe_release
team: send port changed when added
ipv4: raw: fix icmp_filter()
net/phy/bcm87xx: Add MODULE_LICENSE("GPL") to GPL driver
iwlwifi: don't double free the interrupt in failure path
cfg80211: fix possible circular lock on reg_regdb_search()
Bluetooth: Fix not removing power_off delayed work
Bluetooth: Fix freeing uninitialized delayed works
Bluetooth: mgmt: Fix enabling LE while powered off
Bluetooth: mgmt: Fix enabling SSP while powered off
Eric Dumazet [Tue, 25 Sep 2012 20:01:28 +0000 (22:01 +0200)]
ipv6: mip6: fix mip6_mh_filter()
mip6_mh_filter() should not modify its input, or else its caller
would need to recompute ipv6_hdr() if skb->head is reallocated.
Use skb_header_pointer() instead of pskb_may_pull()
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Tue, 25 Sep 2012 17:24:02 +0000 (13:24 -0400)]
Merge tag 'batman-adv-fix-for-davem' of git://git.open-mesh.org/linux-merge
Included fixes:
- fix the behaviour of batman-adv in case of virtual interface MAC change event
- fix symmetric link check in neighbour selection
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Tue, 25 Sep 2012 07:03:40 +0000 (07:03 +0000)]
ipv6: raw: fix icmpv6_filter()
icmpv6_filter() should not modify its input, or else its caller
would need to recompute ipv6_hdr() if skb->head is reallocated.
Use skb_header_pointer() instead of pskb_may_pull() and
change the prototype to make clear both sk and skb are const.
Also, if icmpv6 header cannot be found, do not deliver the packet,
as we do in IPv4.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Tue, 25 Sep 2012 16:20:48 +0000 (09:20 -0700)]
Merge tag 'sh-for-linus' of git://github.com/pmundt/linux-sh
Pull SuperH fix from Paul Mundt:
"One last minute regression fix.."
* tag 'sh-for-linus' of git://github.com/pmundt/linux-sh:
sh: pfc: Fix up GPIO mux type reconfig case.
Linus Torvalds [Tue, 25 Sep 2012 16:00:02 +0000 (09:00 -0700)]
Merge branch 'akpm' (sundry from Andrew)
Merge misc fixes from Andrew Morton:
"One maintainer change and three bugfixes"
* emailed patches from Andrew Morton <akpm@linux-foundation.org>: (4 commits)
c/r: prctl: fix build error for no-MMU case
lib/flex_proportions.c: fix corruption of denominator in flexible proportions
checksyscalls: fix "here document" handling
pwm-backlight: take over maintenance
Mark Salter [Tue, 25 Sep 2012 00:17:38 +0000 (17:17 -0700)]
c/r: prctl: fix build error for no-MMU case
Commit
1ad75b9e1628 ("c/r: prctl: add minimal address test to
PR_SET_MM") added some address checking to prctl_set_mm() used by
checkpoint-restore. This causes a build error for no-MMU systems:
kernel/sys.c: In function 'prctl_set_mm':
kernel/sys.c:1868:34: error: 'mmap_min_addr' undeclared (first use in this function)
The test for mmap_min_addr doesn't make a lot of sense for no-MMU code
as noted in commit
6e1415467614 ("NOMMU: Optimise away the
{dac_,}mmap_min_addr tests").
This patch defines mmap_min_addr as 0UL in the no-MMU case so that the
compiler will optimize away tests for "addr < mmap_min_addr".
Signed-off-by: Mark Salter <msalter@redhat.com>
Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org>
Cc: <stable@vger.kernel.org> [3.6.x]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Jan Kara [Tue, 25 Sep 2012 00:17:35 +0000 (17:17 -0700)]
lib/flex_proportions.c: fix corruption of denominator in flexible proportions
When racing with CPU hotplug, percpu_counter_sum() can return negative
values for the number of observed events.
This confuses fprop_new_period(), which uses unsigned type and as a
result number of events is set to big *positive* number. From that
moment on, things go pear shaped and can result e.g. in division by
zero as denominator is later truncated to 32-bits.
This bug causes a divide-by-zero oops in bdi_dirty_limit() in Borislav's
3.6.0-rc6 based kernel.
Fix the issue by using a signed type in fprop_new_period(). That makes
us bail out from the function without doing anything (mistakenly)
thinking there are no events to age. That makes aging somewhat
inaccurate but getting accurate data would be rather hard.
Signed-off-by: Jan Kara <jack@suse.cz>
Reported-by: Borislav Petkov <bp@amd64.org>
Reported-by: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Heiko Carstens [Tue, 25 Sep 2012 00:17:33 +0000 (17:17 -0700)]
checksyscalls: fix "here document" handling
"echo" doesn't read from stdin, therefore the checksyscalls script didn't
warn about not implemented system calls anymore since
29dc54c6
("checksyscalls: Use arch/x86/syscalls/syscall_32.tbl as source").
Use "cat" instead of "echo" which handles this correctly.
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Michal Marek <mmarek@suse.cz>
Cc: H. Peter Anvin <hpa@linux.intel.com>
Cc: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Thierry Reding [Tue, 25 Sep 2012 00:17:30 +0000 (17:17 -0700)]
pwm-backlight: take over maintenance
Since the pwm-backlight driver is lacking a proper maintainer and is the
heaviest user of the PWM framework I'm taking over maintenance.
Signed-off-by: Thierry Reding <thierry.reding@avionic-design.de>
Acked-by: Arun Murthy <arun.murthy@stericsson.com>
Cc: Matthew Garrett <mjg@redhat.com>
Cc: Robert Morell <rmorell@nvidia.com>
Cc: Dilan Lee <dilee@nvidia.com>
Cc: Axel Lin <axel.lin@gmail.com>
Cc: Mark Brown <broonie@opensource.wolfsonmicro.com>
Cc: Alexandre Courbot <acourbot@nvidia.com>
Acked-by: Sachin Kamat <sachin.kamat@linaro.org>
Acked-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Paul Mundt [Tue, 25 Sep 2012 02:51:05 +0000 (11:51 +0900)]
sh: pfc: Fix up GPIO mux type reconfig case.
Some drivers need to switch pin states between GPIO and pin function at
runtime, which was inadvertently broken in the pinctrl driver for GPIOs
being bound to a specific direction.
This fixes up the request path to ensure that previously configured GPIOs
don't cause us to inadvertently error out with an unsupported mux on
reconfig, which in practice is primarily aimed at trapping pull-up/down
users that have yet to be implemented under the new API.
Fixes up regressions in the TPU PWM driver, amongst others.
Reported-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Tested-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
David S. Miller [Tue, 25 Sep 2012 02:00:00 +0000 (22:00 -0400)]
Merge branch 'for-davem' of git://git./linux/kernel/git/linville/wireless
John W. Linville says:
====================
Please pull this last(?) batch of fixes intended for 3.6...
For the Bluetooth bits, Gustavo says this:
"Here goes probably my last update to 3.6. It includes the two patches
you were ok last week(from Andrzej Kaczmarek), those are critical
ones, and two other fixes one for a system crash and the other for
a missing lockdep annotation."
The referenced fixes from Andrzej prevent attempts to configure devices
that are powered-off.
Along with the Bluetooth fixes, there are a couple of 802.11 fixes.
Emmanuel Grumbach gives us an iwlwifi fix to prevent releasing an
interrupt twice. Luis R. Rodriguez provides a fix for a possible
circular lock dependency in the cfg80211 regulatory enforcement code.
All of these have been in linux-next for a few days. I hope they are
not too late to make the 3.6 release!
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Mon, 24 Sep 2012 23:17:17 +0000 (16:17 -0700)]
Merge git://git./linux/kernel/git/cmetcalf/linux-tile
Pull tile gxio ABI fix from Chris Metcalf:
"This fixes a last-minute change in the Tilera hypervisor ABI for TRIO
(PCI root complex) support. We've locked in this ABI going forward
and will make sure no further ABI changes like this occur."
* git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile:
tile: gxio iorpc numbering change for TRIO interface
Linus Torvalds [Mon, 24 Sep 2012 23:16:33 +0000 (16:16 -0700)]
Merge tag 'vfio-for-linus' of git://github.com/awilliam/linux-vfio
Pull vfio fixes from Alex Williamson:
"VFIO doc update and virqfd race fix"
* tag 'vfio-for-linus' of git://github.com/awilliam/linux-vfio:
vfio: Fix virqfd release race
vfio: Trivial Documentation correction
Linus Torvalds [Mon, 24 Sep 2012 23:14:34 +0000 (16:14 -0700)]
Merge tag 'stable/for-linus-3.6-rc7-tag' of git://git./linux/kernel/git/konrad/xen
Pull a Xen fix from Konrad Rzeszutek Wilk:
"It is a bug-fix when we run the initial PV guest on a AMD K8 machine
and have CONFIG_AMD_NUMA enabled and detect the NUMA topology from the
Northbridge.
We end up in the situation where the initial domain gets too much
information and gets confused and crashes - the fix is to restrict the
domain to get the information - and we do it by just disabling NUMA on
the PV guest (the hypervisor is still able to do its proper NUMA
allocations of guests).
It is OK to disable the PV guest from accessing NUMA data as right now
we do not inject any NUMA node information to the PV guests. When we
do get to that point, then this patch will have to be reverted."
* Disable PV NUMA support as we do not do anything with it (yet) and it
can cause bootup crashes on certain AMD machines.
* tag 'stable/for-linus-3.6-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen:
xen/boot: Disable NUMA for PV guests.
Linus Torvalds [Mon, 24 Sep 2012 23:13:49 +0000 (16:13 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/sage/ceph-client
Pull two ceph fixes from Sage Weil:
"The first fixes a leak in the rbd setup error path, and the second
fixes a more serious problem with mismatched kmap/kunmap that surfaced
after the recent refactoring work."
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client:
libceph: only kunmap kmapped pages
rbd: drop dev reference on error in rbd_open()
Eric Dumazet [Mon, 24 Sep 2012 07:00:11 +0000 (07:00 +0000)]
net: guard tcp_set_keepalive() to tcp sockets
Its possible to use RAW sockets to get a crash in
tcp_set_keepalive() / sk_reset_timer()
Fix is to make sure socket is a SOCK_STREAM one.
Reported-by: Dave Jones <davej@redhat.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Marek Vasut [Sun, 23 Sep 2012 16:58:51 +0000 (16:58 +0000)]
phy/micrel: Add missing header to micrel_phy.h
The license header was missing in micrel_phy.h . This patch adds
one.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: David J. Choi <david.choi@micrel.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Marek Vasut [Sun, 23 Sep 2012 16:58:50 +0000 (16:58 +0000)]
phy/micrel: Rename KS80xx to KSZ80xx
There is no such part as KS8001, KS8041 or KS8051. There are only
KSZ8001, KSZ8041 and KSZ8051. Rename these parts as such to match
the Micrel naming.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: David J. Choi <david.choi@micrel.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com>
Cc: Linux ARM kernel <linux-arm-kernel@lists.infradead.org>
Cc: Fabio Estevam <fabio.estevam@freescale.com>
Cc: Shawn Guo <shawn.guo@linaro.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Marek Vasut [Sun, 23 Sep 2012 16:58:49 +0000 (16:58 +0000)]
phy/micrel: Implement support for KSZ8021
The KSZ8021 PHY was previously caught by KS8051, which is not correct.
This PHY needs additional setup if it is strapped for address 0. In such
case an reserved bit must be written in the 0x16, "Operation Mode Strap
Override" register. According to the KS8051 datasheet, that bit means
"PHY Address 0 in non-broadcast" and it indeed behaves as such on KSZ8021.
The issue where the ethernet controller (Freescale FEC) did not communicate
with network is fixed by writing this bit as 1.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: David J. Choi <david.choi@micrel.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Chris Metcalf [Mon, 24 Sep 2012 18:57:58 +0000 (14:57 -0400)]
tile: gxio iorpc numbering change for TRIO interface
An ABI numbering change was made in the hypervisor for Tilera's 4.1
MDE release (just shipped). It's incompatible with the previous 4.0
release ABI numbering, so we track the new numbering going forward.
We plan to avoid modifying ABI numbering for these interfaces again.
Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
Konrad Rzeszutek Wilk [Fri, 17 Aug 2012 14:22:37 +0000 (10:22 -0400)]
xen/boot: Disable NUMA for PV guests.
The hypervisor is in charge of allocating the proper "NUMA" memory
and dealing with the CPU scheduler to keep them bound to the proper
NUMA node. The PV guests (and PVHVM) have no inkling of where they
run and do not need to know that right now. In the future we will
need to inject NUMA configuration data (if a guest spans two or more
NUMA nodes) so that the kernel can make the right choices. But those
patches are not yet present.
In the meantime, disable the NUMA capability in the PV guest, which
also fixes a bootup issue. Andre says:
"we see Dom0 crashes due to the kernel detecting the NUMA topology not
by ACPI, but directly from the northbridge (CONFIG_AMD_NUMA).
This will detect the actual NUMA config of the physical machine, but
will crash about the mismatch with Dom0's virtual memory. Variation of
the theme: Dom0 sees what it's not supposed to see.
This happens with the said config option enabled and on a machine where
this scanning is still enabled (K8 and Fam10h, not Bulldozer class)
We have this dump then:
NUMA: Warning: node ids are out of bound, from=-1 to=-1 distance=10
Scanning NUMA topology in Northbridge 24
Number of physical nodes 4
Node 0 MemBase
0000000000000000 Limit
0000000040000000
Node 1 MemBase
0000000040000000 Limit
0000000138000000
Node 2 MemBase
0000000138000000 Limit
00000001f8000000
Node 3 MemBase
00000001f8000000 Limit
0000000238000000
Initmem setup node 0
0000000000000000-
0000000040000000
NODE_DATA [
000000003ffd9000 -
000000003fffffff]
Initmem setup node 1
0000000040000000-
0000000138000000
NODE_DATA [
0000000137fd9000 -
0000000137ffffff]
Initmem setup node 2
0000000138000000-
00000001f8000000
NODE_DATA [
00000001f095e000 -
00000001f0984fff]
Initmem setup node 3
00000001f8000000-
0000000238000000
Cannot find 159744 bytes in node 3
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<
ffffffff81d220e6>] __alloc_bootmem_node+0x43/0x96
Pid: 0, comm: swapper Not tainted 3.3.6 #1 AMD Dinar/Dinar
RIP: e030:[<
ffffffff81d220e6>] [<
ffffffff81d220e6>] __alloc_bootmem_node+0x43/0x96
.. snip..
[<
ffffffff81d23024>] sparse_early_usemaps_alloc_node+0x64/0x178
[<
ffffffff81d23348>] sparse_init+0xe4/0x25a
[<
ffffffff81d16840>] paging_init+0x13/0x22
[<
ffffffff81d07fbb>] setup_arch+0x9c6/0xa9b
[<
ffffffff81683954>] ? printk+0x3c/0x3e
[<
ffffffff81d01a38>] start_kernel+0xe5/0x468
[<
ffffffff81d012cf>] x86_64_start_reservations+0xba/0xc1
[<
ffffffff81007153>] ? xen_setup_runstate_info+0x2c/0x36
[<
ffffffff81d050ee>] xen_start_kernel+0x565/0x56c
"
so we just disable NUMA scanning by setting numa_off=1.
CC: stable@vger.kernel.org
Reported-and-Tested-by: Andre Przywara <andre.przywara@amd.com>
Acked-by: Andre Przywara <andre.przywara@amd.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Linus Torvalds [Mon, 24 Sep 2012 01:10:57 +0000 (18:10 -0700)]
Linux 3.6-rc7
Linus Torvalds [Sun, 23 Sep 2012 22:40:58 +0000 (15:40 -0700)]
Merge branch 'rc-fixes' of git://git./linux/kernel/git/mmarek/kbuild
Pull kbuild fixes from Michal Marek:
"There are two more kbuild fixes for 3.6.
One fixes a race between x86's archscripts target and the rule
(re)building scripts/basic/fixdep. The second is a fix for the
previous attempt at fixing make firmware_install with make 3.82.
This new solution should work with any version of GNU make"
* 'rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild:
x86/kbuild: archscripts depends on scripts_basic
firmware: fix directory creation rule matching with make 3.80
Linus Torvalds [Sun, 23 Sep 2012 21:50:15 +0000 (14:50 -0700)]
Merge branch 'hwmon-for-linus' of git://git./linux/kernel/git/jdelvare/staging
Pull hwmon subsystem fixes from Jean Delvare.
* 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging:
hwmon: (fam15h_power) Tweak runavg_range on resume
hwmon: (coretemp) Use get_online_cpus to avoid races involving CPU hotplug
hwmon: (via-cputemp) Use get_online_cpus to avoid races involving CPU hotplug
Linus Torvalds [Sun, 23 Sep 2012 21:48:28 +0000 (14:48 -0700)]
Merge tag 'scsi-fixes' of git://git./linux/kernel/git/jejb/scsi
Pull SCSI fixes from James Bottomley:
"This is a set of four essential fixes: two oops related (bnx2i,
virtio-scsi), one data corruption related (hpsa) and one failure to
boot due to interrupt routing issues (mpt2ss).
Signed-off-by: James Bottomley <JBottomley@Parallels.com>"
* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
[SCSI] hpsa: fix handling of protocol error
[SCSI] mpt2sas: Fix for issue - Unable to boot from the drive connected to HBA
[SCSI] bnx2i: Fixed NULL ptr deference for 1G bnx2 Linux iSCSI offload
[SCSI] scsi: virtio-scsi: Fix address translation failure of HighMem pages used by sg list
Shaun Ruffell [Sun, 23 Sep 2012 01:26:38 +0000 (20:26 -0500)]
edac_mc: edac_mc_free() cannot assume mem_ctl_info is registered in sysfs.
Fix potential NULL pointer dereference in edac_unregister_sysfs() on
system boot introduced in 3.6-rc1.
Since commit
7a623c039 ("edac: rewrite the sysfs code to use struct
device") edac_mc_alloc() no longer initializes embedded kobjects in
struct mem_ctl_info. Therefore edac_mc_free() can no longer simply
decrement a kobject reference count to free the allocated memory unless
the memory controller driver module had also called edac_mc_add_mc().
Now edac_mc_free() will check if the newly embedded struct device has
been registered with sysfs before using either the standard device
release functions or freeing the data structures itself with logic
pulled out of the error path of edac_mc_alloc().
The BUG this patch resolves for me:
BUG: unable to handle kernel NULL pointer dereference at (null)
EIP is at __wake_up_common+0x1a/0x6a
Process modprobe (pid: 933, ti=
f3dc6000 task=
f3db9520 task.ti=
f3dc6000)
Call Trace:
complete_all+0x3f/0x50
device_pm_remove+0x23/0xa2
device_del+0x34/0x142
edac_unregister_sysfs+0x3b/0x5c [edac_core]
edac_mc_free+0x29/0x2f [edac_core]
e7xxx_probe1+0x268/0x311 [e7xxx_edac]
e7xxx_init_one+0x56/0x61 [e7xxx_edac]
local_pci_probe+0x13/0x15
...
Cc: Mauro Carvalho Chehab <mchehab@redhat.com>
Cc: Shaohui Xie <Shaohui.Xie@freescale.com>
Signed-off-by: Shaun Ruffell <sruffell@digium.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Fengguang Wu [Sun, 23 Sep 2012 00:18:06 +0000 (08:18 +0800)]
edac_mc: fix messy kfree calls in the error path
coccinelle warns about:
+ drivers/edac/edac_mc.c:429:9-23: ERROR: reference preceded by free on line 429
421 if (mci->csrows) {
> 422 for (chn = 0; chn < tot_channels; chn++) {
423 csr = mci->csrows[chn];
424 if (csr) {
> 425 for (chn = 0; chn < tot_channels; chn++)
426 kfree(csr->channels[chn]);
427 kfree(csr);
428 }
> 429 kfree(mci->csrows[i]);
430 }
431 kfree(mci->csrows);
432 }
and that code block seem to mess things up in several ways (double free, memory
leak, out-of-bound reads etc.):
L422: The iterator "chn" and bound "tot_channels" are totally wrong. Should be
"row" and "tot_csrows" respectively. Which means either memory leak, or
out-of-bound reads (which if does not trigger an immediate page fault
error, will further lead to kfree() on random addresses).
L425: The inner loop is reusing the same iterator "chn" as the outer loop,
which could lead to premature end of the outer loop, and hence memory leak.
L429: The array index 'i' in mci->csrows[i] is a temporary value used in
previous loops, and won't change at all in the current loop. Which
means either out-of-bound read and possibly kfree(random number), or the
same mci->csrows[i] get freed once and again, and possibly double free
for the kfree(csr) in L427.
L426/L427: a kfree(csr->channels) is needed in between to avoid leaking the memory.
The buggy code was introduced by commit
de3910eb ("edac: change the mem
allocation scheme to make Documentation/kobject.txt happy") in the 3.6-rc1
merge window. Fix it by freeing up resources in this order:
free csrows[i]->channels[j]
free csrows[i]->channels
free csrows[i]
free csrows
CC: Mauro Carvalho Chehab <mchehab@redhat.com>
CC: Shaun Ruffell <sruffell@digium.com>
Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>