Merge branch 'akpm' (patches from Andrew Morton)

Merge misc fixes from Andrew Morton: "10 fixes" * emailed patches from Andrew Morton <akpm@linux-foundation.org>: slab: fix nodeid bounds check for non-contiguous node IDs lib/genalloc.c: export devm_gen_pool_create() for modules mm: fix anon_vma_clone() error treatment mm: fix swapoff hang after page migration and fork fat: fix oops on corrupted vfat fs ipc/sem.c: fully initialize sem_array before making it visible drivers/input/evdev.c: don't kfree() a vmalloc address mm/vmpressure.c: fix race in vmpressure_work_fn() mm: frontswap: invalidate expired data on a dup-store failure mm: do not overwrite reserved pages counter at show_mem()

Merge branch 'akpm' (patches from Andrew Morton)
Merge misc fixes from Andrew Morton: "10 fixes" * emailed patches from Andrew Morton <akpm@linux-foundation.org>: slab: fix nodeid bounds check for non-contiguous node IDs lib/genalloc.c: export devm_gen_pool_create() for modules mm: fix anon_vma_clone() error treatment mm: fix swapoff hang after page migration and fork fat: fix oops on corrupted vfat fs ipc/sem.c: fully initialize sem_array before making it visible drivers/input/evdev.c: don't kfree() a vmalloc address mm/vmpressure.c: fix race in vmpressure_work_fn() mm: frontswap: invalidate expired data on a dup-store failure mm: do not overwrite reserved pages counter at show_mem()
Linus Torvalds
2 parents 3a18ca0613 7c3fbbdd04
Showing 11 changed files Side-by-side Diff
drivers/input/evdev.c
fs/fat/namei_vfat.c
ipc/sem.c
lib/genalloc.c
lib/show_mem.c
mm/frontswap.c
mm/memory.c
mm/mmap.c
mm/rmap.c
mm/slab.c
mm/vmpressure.c
@@ -421,7 +421,7 @@
  
  err_free_client:
 	evdev_detach_client(evdev, client);
-	kfree(client);
+	kvfree(client);
 	return error;
 }
  
@@ -736,7 +736,12 @@
 	}
  
 	alias = d_find_alias(inode);
-	if (alias && !vfat_d_anon_disconn(alias)) {
+	/*
+	 * Checking "alias->d_parent == dentry->d_parent" to make sure
+	 * FS is not corrupted (especially double linked dir).
+	 */
+	if (alias && alias->d_parent == dentry->d_parent &&
+	    !vfat_d_anon_disconn(alias)) {
 		/*
 		 * This inode has non anonymous-DCACHE_DISCONNECTED
 		 * dentry. This means, the user did ->lookup() by an
@@ -755,12 +760,9 @@
  
 out:
 	mutex_unlock(&MSDOS_SB(sb)->s_lock);
-	dentry->d_time = dentry->d_parent->d_inode->i_version;
-	dentry = d_splice_alias(inode, dentry);
-	if (dentry)
-		dentry->d_time = dentry->d_parent->d_inode->i_version;
-	return dentry;
-
+	if (!inode)
+		dentry->d_time = dir->i_version;
+	return d_splice_alias(inode, dentry);
 error:
 	mutex_unlock(&MSDOS_SB(sb)->s_lock);
 	return ERR_PTR(err);
@@ -793,7 +795,6 @@
 	inode->i_mtime = inode->i_atime = inode->i_ctime = ts;
 	/* timestamp is already written, so mark_inode_dirty() is unneeded. */
  
-	dentry->d_time = dentry->d_parent->d_inode->i_version;
 	d_instantiate(dentry, inode);
 out:
 	mutex_unlock(&MSDOS_SB(sb)->s_lock);
@@ -824,6 +825,7 @@
 	clear_nlink(inode);
 	inode->i_mtime = inode->i_atime = CURRENT_TIME_SEC;
 	fat_detach(inode);
+	dentry->d_time = dir->i_version;
 out:
 	mutex_unlock(&MSDOS_SB(sb)->s_lock);
  
@@ -849,6 +851,7 @@
 	clear_nlink(inode);
 	inode->i_mtime = inode->i_atime = CURRENT_TIME_SEC;
 	fat_detach(inode);
+	dentry->d_time = dir->i_version;
 out:
 	mutex_unlock(&MSDOS_SB(sb)->s_lock);
  
@@ -889,7 +892,6 @@
 	inode->i_mtime = inode->i_atime = inode->i_ctime = ts;
 	/* timestamp is already written, so mark_inode_dirty() is unneeded. */
  
-	dentry->d_time = dentry->d_parent->d_inode->i_version;
 	d_instantiate(dentry, inode);
  
 	mutex_unlock(&MSDOS_SB(sb)->s_lock);
@@ -507,13 +507,6 @@
 		return retval;
 	}
  
-	id = ipc_addid(&sem_ids(ns), &sma->sem_perm, ns->sc_semmni);
-	if (id < 0) {
-		ipc_rcu_putref(sma, sem_rcu_free);
-		return id;
-	}
-	ns->used_sems += nsems;
-
 	sma->sem_base = (struct sem *) &sma[1];
  
 	for (i = 0; i < nsems; i++) {
@@ -528,6 +521,14 @@
 	INIT_LIST_HEAD(&sma->list_id);
 	sma->sem_nsems = nsems;
 	sma->sem_ctime = get_seconds();
+
+	id = ipc_addid(&sem_ids(ns), &sma->sem_perm, ns->sc_semmni);
+	if (id < 0) {
+		ipc_rcu_putref(sma, sem_rcu_free);
+		return id;
+	}
+	ns->used_sems += nsems;
+
 	sem_unlock(sma, -1);
 	rcu_read_unlock();
  
@@ -598,6 +598,7 @@
  
 	return pool;
 }
+EXPORT_SYMBOL(devm_gen_pool_create);
  
 /**
  * dev_get_gen_pool - Obtain the gen_pool (if any) for a device
@@ -28,7 +28,7 @@
 				continue;
  
 			total += zone->present_pages;
-			reserved = zone->present_pages - zone->managed_pages;
+			reserved += zone->present_pages - zone->managed_pages;
  
 			if (is_highmem_idx(zoneid))
 				highmem += zone->present_pages;
@@ -244,8 +244,10 @@
 		  the (older) page from frontswap
 		 */
 		inc_frontswap_failed_stores();
-		if (dup)
+		if (dup) {
 			__frontswap_clear(sis, offset);
+			frontswap_ops->invalidate_page(type, offset);
+		}
 	}
 	if (frontswap_writethrough_enabled)
 		/* report failure so swap also writes to swap device */
@@ -815,20 +815,20 @@
 		if (!pte_file(pte)) {
 			swp_entry_t entry = pte_to_swp_entry(pte);
  
-			if (swap_duplicate(entry) < 0)
-				return entry.val;
+			if (likely(!non_swap_entry(entry))) {
+				if (swap_duplicate(entry) < 0)
+					return entry.val;
  
-			/* make sure dst_mm is on swapoff's mmlist. */
-			if (unlikely(list_empty(&dst_mm->mmlist))) {
-				spin_lock(&mmlist_lock);
-				if (list_empty(&dst_mm->mmlist))
-					list_add(&dst_mm->mmlist,
-						 &src_mm->mmlist);
-				spin_unlock(&mmlist_lock);
-			}
-			if (likely(!non_swap_entry(entry)))
+				/* make sure dst_mm is on swapoff's mmlist. */
+				if (unlikely(list_empty(&dst_mm->mmlist))) {
+					spin_lock(&mmlist_lock);
+					if (list_empty(&dst_mm->mmlist))
+						list_add(&dst_mm->mmlist,
+							 &src_mm->mmlist);
+					spin_unlock(&mmlist_lock);
+				}
 				rss[MM_SWAPENTS]++;
-			else if (is_migration_entry(entry)) {
+			} else if (is_migration_entry(entry)) {
 				page = migration_entry_to_page(entry);
  
 				if (PageAnon(page))
@@ -776,8 +776,11 @@
 		 * shrinking vma had, to cover any anon pages imported.
 		 */
 		if (exporter && exporter->anon_vma && !importer->anon_vma) {
-			if (anon_vma_clone(importer, exporter))
-				return -ENOMEM;
+			int error;
+
+			error = anon_vma_clone(importer, exporter);
+			if (error)
+				return error;
 			importer->anon_vma = exporter->anon_vma;
 		}
 	}
@@ -2469,7 +2472,8 @@
 	if (err)
 		goto out_free_vma;
  
-	if (anon_vma_clone(new, vma))
+	err = anon_vma_clone(new, vma);
+	if (err)
 		goto out_free_mpol;
  
 	if (new->vm_file)
@@ -274,6 +274,7 @@
 {
 	struct anon_vma_chain *avc;
 	struct anon_vma *anon_vma;
+	int error;
  
 	/* Don't bother if the parent process has no anon_vma here. */
 	if (!pvma->anon_vma)
@@ -283,8 +284,9 @@
 	 * First, attach the new VMA to the parent VMA's anon_vmas,
 	 * so rmap can find non-COWed pages in child processes.
 	 */
-	if (anon_vma_clone(vma, pvma))
-		return -ENOMEM;
+	error = anon_vma_clone(vma, pvma);
+	if (error)
+		return error;
  
 	/* Then add our own anon_vma. */
 	anon_vma = anon_vma_alloc();
@@ -3076,7 +3076,7 @@
 	void *obj;
 	int x;
  
-	VM_BUG_ON(nodeid > num_online_nodes());
+	VM_BUG_ON(nodeid < 0 || nodeid >= MAX_NUMNODES);
 	n = get_node(cachep, nodeid);
 	BUG_ON(!n);
  
@@ -165,6 +165,7 @@
 	unsigned long scanned;
 	unsigned long reclaimed;
  
+	spin_lock(&vmpr->sr_lock);
 	/*
 	 * Several contexts might be calling vmpressure(), so it is
 	 * possible that the work was rescheduled again before the old
  
  
@@ -173,11 +174,12 @@
 	 * here. No need for any locks here since we don't care if
 	 * vmpr->reclaimed is in sync.
 	 */
-	if (!vmpr->scanned)
+	scanned = vmpr->scanned;
+	if (!scanned) {
+		spin_unlock(&vmpr->sr_lock);
 		return;
+	}
  
-	spin_lock(&vmpr->sr_lock);
-	scanned = vmpr->scanned;
 	reclaimed = vmpr->reclaimed;
 	vmpr->scanned = 0;
 	vmpr->reclaimed = 0;
...	...	@@ -421,7 +421,7 @@
421	421
422	422	err_free_client:
423	423	evdev_detach_client(evdev, client);
424		- kfree(client);
	424	+ kvfree(client);
425	425	return error;
426	426	}
427	427
...	...	@@ -736,7 +736,12 @@
736	736	}
737	737
738	738	alias = d_find_alias(inode);
739		- if (alias && !vfat_d_anon_disconn(alias)) {
	739	+ /*
	740	+ * Checking "alias->d_parent == dentry->d_parent" to make sure
	741	+ * FS is not corrupted (especially double linked dir).
	742	+ */
	743	+ if (alias && alias->d_parent == dentry->d_parent &&
	744	+ !vfat_d_anon_disconn(alias)) {
740	745	/*
741	746	* This inode has non anonymous-DCACHE_DISCONNECTED
742	747	* dentry. This means, the user did ->lookup() by an
...	...	@@ -755,12 +760,9 @@
755	760
756	761	out:
757	762	mutex_unlock(&MSDOS_SB(sb)->s_lock);
758		- dentry->d_time = dentry->d_parent->d_inode->i_version;
759		- dentry = d_splice_alias(inode, dentry);
760		- if (dentry)
761		- dentry->d_time = dentry->d_parent->d_inode->i_version;
762		- return dentry;
763		-
	763	+ if (!inode)
	764	+ dentry->d_time = dir->i_version;
	765	+ return d_splice_alias(inode, dentry);
764	766	error:
765	767	mutex_unlock(&MSDOS_SB(sb)->s_lock);
766	768	return ERR_PTR(err);
...	...	@@ -793,7 +795,6 @@
793	795	inode->i_mtime = inode->i_atime = inode->i_ctime = ts;
794	796	/* timestamp is already written, so mark_inode_dirty() is unneeded. */
795	797
796		- dentry->d_time = dentry->d_parent->d_inode->i_version;
797	798	d_instantiate(dentry, inode);
798	799	out:
799	800	mutex_unlock(&MSDOS_SB(sb)->s_lock);
...	...	@@ -824,6 +825,7 @@
824	825	clear_nlink(inode);
825	826	inode->i_mtime = inode->i_atime = CURRENT_TIME_SEC;
826	827	fat_detach(inode);
	828	+ dentry->d_time = dir->i_version;
827	829	out:
828	830	mutex_unlock(&MSDOS_SB(sb)->s_lock);
829	831
...	...	@@ -849,6 +851,7 @@
849	851	clear_nlink(inode);
850	852	inode->i_mtime = inode->i_atime = CURRENT_TIME_SEC;
851	853	fat_detach(inode);
	854	+ dentry->d_time = dir->i_version;
852	855	out:
853	856	mutex_unlock(&MSDOS_SB(sb)->s_lock);
854	857
...	...	@@ -889,7 +892,6 @@
889	892	inode->i_mtime = inode->i_atime = inode->i_ctime = ts;
890	893	/* timestamp is already written, so mark_inode_dirty() is unneeded. */
891	894
892		- dentry->d_time = dentry->d_parent->d_inode->i_version;
893	895	d_instantiate(dentry, inode);
894	896
895	897	mutex_unlock(&MSDOS_SB(sb)->s_lock);
...	...	@@ -507,13 +507,6 @@
507	507	return retval;
508	508	}
509	509
510		- id = ipc_addid(&sem_ids(ns), &sma->sem_perm, ns->sc_semmni);
511		- if (id < 0) {
512		- ipc_rcu_putref(sma, sem_rcu_free);
513		- return id;
514		- }
515		- ns->used_sems += nsems;
516		-
517	510	sma->sem_base = (struct sem *) &sma[1];
518	511
519	512	for (i = 0; i < nsems; i++) {
...	...	@@ -528,6 +521,14 @@
528	521	INIT_LIST_HEAD(&sma->list_id);
529	522	sma->sem_nsems = nsems;
530	523	sma->sem_ctime = get_seconds();
	524	+
	525	+ id = ipc_addid(&sem_ids(ns), &sma->sem_perm, ns->sc_semmni);
	526	+ if (id < 0) {
	527	+ ipc_rcu_putref(sma, sem_rcu_free);
	528	+ return id;
	529	+ }
	530	+ ns->used_sems += nsems;
	531	+
531	532	sem_unlock(sma, -1);
532	533	rcu_read_unlock();
533	534
...	...	@@ -598,6 +598,7 @@
598	598
599	599	return pool;
600	600	}
	601	+EXPORT_SYMBOL(devm_gen_pool_create);
601	602
602	603	/**
603	604	* dev_get_gen_pool - Obtain the gen_pool (if any) for a device
...	...	@@ -28,7 +28,7 @@
28	28	continue;
29	29
30	30	total += zone->present_pages;
31		- reserved = zone->present_pages - zone->managed_pages;
	31	+ reserved += zone->present_pages - zone->managed_pages;
32	32
33	33	if (is_highmem_idx(zoneid))
34	34	highmem += zone->present_pages;
...	...	@@ -244,8 +244,10 @@
244	244	the (older) page from frontswap
245	245	*/
246	246	inc_frontswap_failed_stores();
247		- if (dup)
	247	+ if (dup) {
248	248	__frontswap_clear(sis, offset);
	249	+ frontswap_ops->invalidate_page(type, offset);
	250	+ }
249	251	}
250	252	if (frontswap_writethrough_enabled)
251	253	/* report failure so swap also writes to swap device */
...	...	@@ -815,20 +815,20 @@
815	815	if (!pte_file(pte)) {
816	816	swp_entry_t entry = pte_to_swp_entry(pte);
817	817
818		- if (swap_duplicate(entry) < 0)
819		- return entry.val;
	818	+ if (likely(!non_swap_entry(entry))) {
	819	+ if (swap_duplicate(entry) < 0)
	820	+ return entry.val;
820	821
821		- /* make sure dst_mm is on swapoff's mmlist. */
822		- if (unlikely(list_empty(&dst_mm->mmlist))) {
823		- spin_lock(&mmlist_lock);
824		- if (list_empty(&dst_mm->mmlist))
825		- list_add(&dst_mm->mmlist,
826		- &src_mm->mmlist);
827		- spin_unlock(&mmlist_lock);
828		- }
829		- if (likely(!non_swap_entry(entry)))
	822	+ /* make sure dst_mm is on swapoff's mmlist. */
	823	+ if (unlikely(list_empty(&dst_mm->mmlist))) {
	824	+ spin_lock(&mmlist_lock);
	825	+ if (list_empty(&dst_mm->mmlist))
	826	+ list_add(&dst_mm->mmlist,
	827	+ &src_mm->mmlist);
	828	+ spin_unlock(&mmlist_lock);
	829	+ }
830	830	rss[MM_SWAPENTS]++;
831		- else if (is_migration_entry(entry)) {
	831	+ } else if (is_migration_entry(entry)) {
832	832	page = migration_entry_to_page(entry);
833	833
834	834	if (PageAnon(page))
...	...	@@ -776,8 +776,11 @@
776	776	* shrinking vma had, to cover any anon pages imported.
777	777	*/
778	778	if (exporter && exporter->anon_vma && !importer->anon_vma) {
779		- if (anon_vma_clone(importer, exporter))
780		- return -ENOMEM;
	779	+ int error;
	780	+
	781	+ error = anon_vma_clone(importer, exporter);
	782	+ if (error)
	783	+ return error;
781	784	importer->anon_vma = exporter->anon_vma;
782	785	}
783	786	}
...	...	@@ -2469,7 +2472,8 @@
2469	2472	if (err)
2470	2473	goto out_free_vma;
2471	2474
2472		- if (anon_vma_clone(new, vma))
	2475	+ err = anon_vma_clone(new, vma);
	2476	+ if (err)
2473	2477	goto out_free_mpol;
2474	2478
2475	2479	if (new->vm_file)
...	...	@@ -274,6 +274,7 @@
274	274	{
275	275	struct anon_vma_chain *avc;
276	276	struct anon_vma *anon_vma;
	277	+ int error;
277	278
278	279	/* Don't bother if the parent process has no anon_vma here. */
279	280	if (!pvma->anon_vma)
...	...	@@ -283,8 +284,9 @@
283	284	* First, attach the new VMA to the parent VMA's anon_vmas,
284	285	* so rmap can find non-COWed pages in child processes.
285	286	*/
286		- if (anon_vma_clone(vma, pvma))
287		- return -ENOMEM;
	287	+ error = anon_vma_clone(vma, pvma);
	288	+ if (error)
	289	+ return error;
288	290
289	291	/* Then add our own anon_vma. */
290	292	anon_vma = anon_vma_alloc();
...	...	@@ -3076,7 +3076,7 @@
3076	3076	void *obj;
3077	3077	int x;
3078	3078
3079		- VM_BUG_ON(nodeid > num_online_nodes());
	3079	+ VM_BUG_ON(nodeid < 0 \|\| nodeid >= MAX_NUMNODES);
3080	3080	n = get_node(cachep, nodeid);
3081	3081	BUG_ON(!n);
3082	3082