From abe2f41430770270a1512bf78f489284bfbdbd04 Mon Sep 17 00:00:00 2001
From: Alexey Korolev <akorolev@infradead.org>
Date: Mon, 14 Apr 2008 20:45:06 +0100
Subject: JFFS2 Fix of panics caused by wrong condition for hole frag creation
 in write_begin

This fixes a regression introduced in commit
205c109a7a96d9a3d8ffe64c4068b70811fef5e8 when switching to
write_begin/write_end operations in JFFS2.

The page offset is miscalculated, leading to corruption of the fragment
lists and subsequently to memory corruption and panics.

[ Side note: the bug is a fairly direct result of the naming.  Nick was
  likely misled by the use of "offs", since we tend to use the notion of
  "offset" not as an absolute position, but as an offset _within_ a page
  or allocation.

  Alternatively, a "pgoff_t" is a page index, but not a byte offset -
  our VM naming can be a bit confusing.

  So in this case, a VM person would likely have called this a "pos",
  not an "offs", or perhaps talked about byte offsets rather than page
  offsets (since it's counted in bytes, not pages).    - Linus ]

Signed-off-by: Alexey Korolev <akorolev@infradead.org>
Signed-off-by: Vasiliy Leonenko <vasiliy.leonenko@mail.ru>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
 fs/jffs2/file.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'fs/jffs2')

diff --git a/fs/jffs2/file.c b/fs/jffs2/file.c
index f9c5dd6f4b64..dcc2734e0b5d 100644
--- a/fs/jffs2/file.c
+++ b/fs/jffs2/file.c
@@ -129,7 +129,7 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping,
 	struct inode *inode = mapping->host;
 	struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);
 	pgoff_t index = pos >> PAGE_CACHE_SHIFT;
-	uint32_t pageofs = pos & (PAGE_CACHE_SIZE - 1);
+	uint32_t pageofs = index << PAGE_CACHE_SHIFT;
 	int ret = 0;
 
 	pg = __grab_cache_page(mapping, index);
-- 
cgit v1.2.3


From 6188e10d38b8d7244ee7776d5f1f88c837b4b93f Mon Sep 17 00:00:00 2001
From: Matthew Wilcox <matthew@wil.cx>
Date: Fri, 18 Apr 2008 22:21:05 -0400
Subject: Convert asm/semaphore.h users to linux/semaphore.h

Signed-off-by: Matthew Wilcox <willy@linux.intel.com>
---
 Documentation/DocBook/kernel-locking.tmpl | 6 +++---
 arch/ia64/kernel/salinfo.c                | 2 +-
 drivers/base/core.c                       | 2 +-
 drivers/char/snsc.h                       | 2 +-
 drivers/firewire/fw-device.c              | 3 ++-
 drivers/i2c/i2c-core.c                    | 2 +-
 drivers/ieee1394/nodemgr.c                | 2 +-
 drivers/infiniband/core/user_mad.c        | 2 +-
 drivers/infiniband/hw/mthca/mthca_dev.h   | 3 +--
 drivers/input/serio/hp_sdc_mlc.c          | 2 +-
 drivers/macintosh/adb.c                   | 2 +-
 drivers/macintosh/windfarm_smu_sat.c      | 2 +-
 drivers/net/3c527.c                       | 2 +-
 drivers/net/hamradio/6pack.c              | 2 +-
 drivers/s390/cio/qdio.c                   | 2 +-
 drivers/scsi/aacraid/commctrl.c           | 2 +-
 drivers/scsi/aacraid/commsup.c            | 2 +-
 drivers/scsi/aacraid/dpcsup.c             | 2 +-
 drivers/scsi/megaraid/megaraid_ioctl.h    | 2 +-
 drivers/scsi/qla2xxx/qla_def.h            | 2 +-
 drivers/watchdog/sc1200wdt.c              | 2 +-
 fs/jffs2/jffs2_fs_i.h                     | 2 +-
 fs/jffs2/jffs2_fs_sb.h                    | 2 +-
 fs/reiserfs/journal.c                     | 2 +-
 fs/xfs/linux-2.6/sema.h                   | 2 +-
 include/linux/device.h                    | 2 +-
 include/linux/fs.h                        | 2 +-
 include/linux/hil_mlc.h                   | 2 +-
 include/linux/i2o.h                       | 2 +-
 include/linux/memory.h                    | 3 +--
 include/linux/parport.h                   | 2 +-
 lib/kernel_lock.c                         | 2 +-
 32 files changed, 35 insertions(+), 36 deletions(-)

(limited to 'fs/jffs2')

diff --git a/Documentation/DocBook/kernel-locking.tmpl b/Documentation/DocBook/kernel-locking.tmpl
index 2e9d6b41f034..435413ca40dc 100644
--- a/Documentation/DocBook/kernel-locking.tmpl
+++ b/Documentation/DocBook/kernel-locking.tmpl
@@ -241,7 +241,7 @@
    </para>
    <para>
      The third type is a semaphore
-     (<filename class="headerfile">include/asm/semaphore.h</filename>): it
+     (<filename class="headerfile">include/linux/semaphore.h</filename>): it
      can have more than one holder at any time (the number decided at
      initialization time), although it is most commonly used as a
      single-holder lock (a mutex).  If you can't get a semaphore, your
@@ -290,7 +290,7 @@
      <para>
        If you have a data structure which is only ever accessed from
        user context, then you can use a simple semaphore
-       (<filename>linux/asm/semaphore.h</filename>) to protect it.  This 
+       (<filename>linux/linux/semaphore.h</filename>) to protect it.  This
        is the most trivial case: you initialize the semaphore to the number 
        of resources available (usually 1), and call
        <function>down_interruptible()</function> to grab the semaphore, and 
@@ -1656,7 +1656,7 @@ the amount of locking which needs to be done.
  #include &lt;linux/slab.h&gt;
  #include &lt;linux/string.h&gt;
 +#include &lt;linux/rcupdate.h&gt;
- #include &lt;asm/semaphore.h&gt;
+ #include &lt;linux/semaphore.h&gt;
  #include &lt;asm/errno.h&gt;
 
  struct object
diff --git a/arch/ia64/kernel/salinfo.c b/arch/ia64/kernel/salinfo.c
index 779c3cca206c..b11bb50a197a 100644
--- a/arch/ia64/kernel/salinfo.c
+++ b/arch/ia64/kernel/salinfo.c
@@ -44,8 +44,8 @@
 #include <linux/smp.h>
 #include <linux/timer.h>
 #include <linux/vmalloc.h>
+#include <linux/semaphore.h>
 
-#include <asm/semaphore.h>
 #include <asm/sal.h>
 #include <asm/uaccess.h>
 
diff --git a/drivers/base/core.c b/drivers/base/core.c
index 24198ad01976..7c4b36ccb1a0 100644
--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -20,7 +20,7 @@
 #include <linux/notifier.h>
 #include <linux/genhd.h>
 #include <linux/kallsyms.h>
-#include <asm/semaphore.h>
+#include <linux/semaphore.h>
 
 #include "base.h"
 #include "power/power.h"
diff --git a/drivers/char/snsc.h b/drivers/char/snsc.h
index 8a98169b60c1..4be62eda9fbc 100644
--- a/drivers/char/snsc.h
+++ b/drivers/char/snsc.h
@@ -22,8 +22,8 @@
 #include <linux/kobject.h>
 #include <linux/fs.h>
 #include <linux/cdev.h>
+#include <linux/semaphore.h>
 #include <asm/sn/types.h>
-#include <asm/semaphore.h>
 
 #define CHUNKSIZE 127
 
diff --git a/drivers/firewire/fw-device.c b/drivers/firewire/fw-device.c
index 2d01bc1b9752..d9c8daf7ae7d 100644
--- a/drivers/firewire/fw-device.c
+++ b/drivers/firewire/fw-device.c
@@ -26,7 +26,8 @@
 #include <linux/delay.h>
 #include <linux/idr.h>
 #include <linux/string.h>
-#include <asm/semaphore.h>
+#include <linux/rwsem.h>
+#include <linux/semaphore.h>
 #include <asm/system.h>
 #include <linux/ctype.h>
 #include "fw-transaction.h"
diff --git a/drivers/i2c/i2c-core.c b/drivers/i2c/i2c-core.c
index 8b645c6b2cb5..e186df657119 100644
--- a/drivers/i2c/i2c-core.c
+++ b/drivers/i2c/i2c-core.c
@@ -35,8 +35,8 @@
 #include <linux/completion.h>
 #include <linux/hardirq.h>
 #include <linux/irqflags.h>
+#include <linux/semaphore.h>
 #include <asm/uaccess.h>
-#include <asm/semaphore.h>
 
 #include "i2c-core.h"
 
diff --git a/drivers/ieee1394/nodemgr.c b/drivers/ieee1394/nodemgr.c
index 70afa3786f3f..29d833e71cbf 100644
--- a/drivers/ieee1394/nodemgr.c
+++ b/drivers/ieee1394/nodemgr.c
@@ -18,8 +18,8 @@
 #include <linux/moduleparam.h>
 #include <linux/mutex.h>
 #include <linux/freezer.h>
+#include <linux/semaphore.h>
 #include <asm/atomic.h>
-#include <asm/semaphore.h>
 
 #include "csr.h"
 #include "highlevel.h"
diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c
index 4e915104ac4c..be953e87bf93 100644
--- a/drivers/infiniband/core/user_mad.c
+++ b/drivers/infiniband/core/user_mad.c
@@ -46,9 +46,9 @@
 #include <linux/mutex.h>
 #include <linux/kref.h>
 #include <linux/compat.h>
+#include <linux/semaphore.h>
 
 #include <asm/uaccess.h>
-#include <asm/semaphore.h>
 
 #include <rdma/ib_mad.h>
 #include <rdma/ib_user_mad.h>
diff --git a/drivers/infiniband/hw/mthca/mthca_dev.h b/drivers/infiniband/hw/mthca/mthca_dev.h
index 0e842e023400..7bc32f8e377e 100644
--- a/drivers/infiniband/hw/mthca/mthca_dev.h
+++ b/drivers/infiniband/hw/mthca/mthca_dev.h
@@ -46,8 +46,7 @@
 #include <linux/timer.h>
 #include <linux/mutex.h>
 #include <linux/list.h>
-
-#include <asm/semaphore.h>
+#include <linux/semaphore.h>
 
 #include "mthca_provider.h"
 #include "mthca_doorbell.h"
diff --git a/drivers/input/serio/hp_sdc_mlc.c b/drivers/input/serio/hp_sdc_mlc.c
index c45ea74d53e4..f1fd3b638a37 100644
--- a/drivers/input/serio/hp_sdc_mlc.c
+++ b/drivers/input/serio/hp_sdc_mlc.c
@@ -40,7 +40,7 @@
 #include <linux/module.h>
 #include <linux/init.h>
 #include <linux/string.h>
-#include <asm/semaphore.h>
+#include <linux/semaphore.h>
 
 #define PREFIX "HP SDC MLC: "
 
diff --git a/drivers/macintosh/adb.c b/drivers/macintosh/adb.c
index 28958101061f..20978205cd02 100644
--- a/drivers/macintosh/adb.c
+++ b/drivers/macintosh/adb.c
@@ -37,9 +37,9 @@
 #include <linux/device.h>
 #include <linux/kthread.h>
 #include <linux/platform_device.h>
+#include <linux/semaphore.h>
 
 #include <asm/uaccess.h>
-#include <asm/semaphore.h>
 #ifdef CONFIG_PPC
 #include <asm/prom.h>
 #include <asm/machdep.h>
diff --git a/drivers/macintosh/windfarm_smu_sat.c b/drivers/macintosh/windfarm_smu_sat.c
index f449d775cdf4..797918d0e59c 100644
--- a/drivers/macintosh/windfarm_smu_sat.c
+++ b/drivers/macintosh/windfarm_smu_sat.c
@@ -13,7 +13,7 @@
 #include <linux/init.h>
 #include <linux/wait.h>
 #include <linux/i2c.h>
-#include <asm/semaphore.h>
+#include <linux/semaphore.h>
 #include <asm/prom.h>
 #include <asm/smu.h>
 #include <asm/pmac_low_i2c.h>
diff --git a/drivers/net/3c527.c b/drivers/net/3c527.c
index b72b89d53ec8..fae295b6809c 100644
--- a/drivers/net/3c527.c
+++ b/drivers/net/3c527.c
@@ -103,8 +103,8 @@ DRV_NAME ".c:v" DRV_VERSION " " DRV_RELDATE " Richard Procter <rnp@paradise.net.
 #include <linux/ethtool.h>
 #include <linux/completion.h>
 #include <linux/bitops.h>
+#include <linux/semaphore.h>
 
-#include <asm/semaphore.h>
 #include <asm/uaccess.h>
 #include <asm/system.h>
 #include <asm/io.h>
diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c
index 0a9b75139e0f..1da55dd2a5a0 100644
--- a/drivers/net/hamradio/6pack.c
+++ b/drivers/net/hamradio/6pack.c
@@ -33,7 +33,7 @@
 #include <linux/init.h>
 #include <linux/ip.h>
 #include <linux/tcp.h>
-#include <asm/semaphore.h>
+#include <linux/semaphore.h>
 #include <asm/atomic.h>
 
 #define SIXPACK_VERSION    "Revision: 0.3.0"
diff --git a/drivers/s390/cio/qdio.c b/drivers/s390/cio/qdio.c
index c359386708e9..10aa1e780801 100644
--- a/drivers/s390/cio/qdio.c
+++ b/drivers/s390/cio/qdio.c
@@ -38,11 +38,11 @@
 #include <linux/proc_fs.h>
 #include <linux/timer.h>
 #include <linux/mempool.h>
+#include <linux/semaphore.h>
 
 #include <asm/ccwdev.h>
 #include <asm/io.h>
 #include <asm/atomic.h>
-#include <asm/semaphore.h>
 #include <asm/timex.h>
 
 #include <asm/debug.h>
diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
index abef05146d75..5fd83deab36c 100644
--- a/drivers/scsi/aacraid/commctrl.c
+++ b/drivers/scsi/aacraid/commctrl.c
@@ -39,7 +39,7 @@
 #include <linux/blkdev.h>
 #include <linux/delay.h> /* ssleep prototype */
 #include <linux/kthread.h>
-#include <asm/semaphore.h>
+#include <linux/semaphore.h>
 #include <asm/uaccess.h>
 
 #include "aacraid.h"
diff --git a/drivers/scsi/aacraid/commsup.c b/drivers/scsi/aacraid/commsup.c
index 23a8e9f8dcb4..ef67816a6fe5 100644
--- a/drivers/scsi/aacraid/commsup.c
+++ b/drivers/scsi/aacraid/commsup.c
@@ -41,11 +41,11 @@
 #include <linux/delay.h>
 #include <linux/kthread.h>
 #include <linux/interrupt.h>
+#include <linux/semaphore.h>
 #include <scsi/scsi.h>
 #include <scsi/scsi_host.h>
 #include <scsi/scsi_device.h>
 #include <scsi/scsi_cmnd.h>
-#include <asm/semaphore.h>
 
 #include "aacraid.h"
 
diff --git a/drivers/scsi/aacraid/dpcsup.c b/drivers/scsi/aacraid/dpcsup.c
index d1163ded132b..933f208eedba 100644
--- a/drivers/scsi/aacraid/dpcsup.c
+++ b/drivers/scsi/aacraid/dpcsup.c
@@ -36,7 +36,7 @@
 #include <linux/slab.h>
 #include <linux/completion.h>
 #include <linux/blkdev.h>
-#include <asm/semaphore.h>
+#include <linux/semaphore.h>
 
 #include "aacraid.h"
 
diff --git a/drivers/scsi/megaraid/megaraid_ioctl.h b/drivers/scsi/megaraid/megaraid_ioctl.h
index 706fa05a187a..05f6e4ec3453 100644
--- a/drivers/scsi/megaraid/megaraid_ioctl.h
+++ b/drivers/scsi/megaraid/megaraid_ioctl.h
@@ -18,7 +18,7 @@
 #define _MEGARAID_IOCTL_H_
 
 #include <linux/types.h>
-#include <asm/semaphore.h>
+#include <linux/semaphore.h>
 
 #include "mbox_defs.h"
 
diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h
index 094d95f0764c..299eccf6cabd 100644
--- a/drivers/scsi/qla2xxx/qla_def.h
+++ b/drivers/scsi/qla2xxx/qla_def.h
@@ -25,7 +25,7 @@
 #include <linux/firmware.h>
 #include <linux/aer.h>
 #include <linux/mutex.h>
-#include <asm/semaphore.h>
+#include <linux/semaphore.h>
 
 #include <scsi/scsi.h>
 #include <scsi/scsi_host.h>
diff --git a/drivers/watchdog/sc1200wdt.c b/drivers/watchdog/sc1200wdt.c
index 32ccd7c89c7d..35cddff7020f 100644
--- a/drivers/watchdog/sc1200wdt.c
+++ b/drivers/watchdog/sc1200wdt.c
@@ -38,8 +38,8 @@
 #include <linux/init.h>
 #include <linux/pnp.h>
 #include <linux/fs.h>
+#include <linux/semaphore.h>
 
-#include <asm/semaphore.h>
 #include <asm/io.h>
 #include <asm/uaccess.h>
 
diff --git a/fs/jffs2/jffs2_fs_i.h b/fs/jffs2/jffs2_fs_i.h
index 0b78fdc9773b..a841f4973a74 100644
--- a/fs/jffs2/jffs2_fs_i.h
+++ b/fs/jffs2/jffs2_fs_i.h
@@ -15,7 +15,7 @@
 #include <linux/version.h>
 #include <linux/rbtree.h>
 #include <linux/posix_acl.h>
-#include <asm/semaphore.h>
+#include <linux/semaphore.h>
 
 struct jffs2_inode_info {
 	/* We need an internal mutex similar to inode->i_mutex.
diff --git a/fs/jffs2/jffs2_fs_sb.h b/fs/jffs2/jffs2_fs_sb.h
index 3a2197f3c812..18fca2b9e531 100644
--- a/fs/jffs2/jffs2_fs_sb.h
+++ b/fs/jffs2/jffs2_fs_sb.h
@@ -16,7 +16,7 @@
 #include <linux/spinlock.h>
 #include <linux/workqueue.h>
 #include <linux/completion.h>
-#include <asm/semaphore.h>
+#include <linux/semaphore.h>
 #include <linux/timer.h>
 #include <linux/wait.h>
 #include <linux/list.h>
diff --git a/fs/reiserfs/journal.c b/fs/reiserfs/journal.c
index bb05a3e51b93..060eb3f598e7 100644
--- a/fs/reiserfs/journal.c
+++ b/fs/reiserfs/journal.c
@@ -38,7 +38,7 @@
 #include <asm/system.h>
 
 #include <linux/time.h>
-#include <asm/semaphore.h>
+#include <linux/semaphore.h>
 
 #include <linux/vmalloc.h>
 #include <linux/reiserfs_fs.h>
diff --git a/fs/xfs/linux-2.6/sema.h b/fs/xfs/linux-2.6/sema.h
index 2009e6d922ce..3abe7e9ceb33 100644
--- a/fs/xfs/linux-2.6/sema.h
+++ b/fs/xfs/linux-2.6/sema.h
@@ -20,8 +20,8 @@
 
 #include <linux/time.h>
 #include <linux/wait.h>
+#include <linux/semaphore.h>
 #include <asm/atomic.h>
-#include <asm/semaphore.h>
 
 /*
  * sema_t structure just maps to struct semaphore in Linux kernel.
diff --git a/include/linux/device.h b/include/linux/device.h
index 2258d89bf523..c79b93e56fa0 100644
--- a/include/linux/device.h
+++ b/include/linux/device.h
@@ -20,7 +20,7 @@
 #include <linux/types.h>
 #include <linux/module.h>
 #include <linux/pm.h>
-#include <asm/semaphore.h>
+#include <linux/semaphore.h>
 #include <asm/atomic.h>
 #include <asm/device.h>
 
diff --git a/include/linux/fs.h b/include/linux/fs.h
index b84b848431f2..91e8dec9e42b 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -287,9 +287,9 @@ extern int dir_notify_enable;
 #include <linux/pid.h>
 #include <linux/mutex.h>
 #include <linux/capability.h>
+#include <linux/semaphore.h>
 
 #include <asm/atomic.h>
-#include <asm/semaphore.h>
 #include <asm/byteorder.h>
 
 struct export_operations;
diff --git a/include/linux/hil_mlc.h b/include/linux/hil_mlc.h
index 8df29ca48a13..394a8405dd74 100644
--- a/include/linux/hil_mlc.h
+++ b/include/linux/hil_mlc.h
@@ -34,7 +34,7 @@
 #include <linux/hil.h>
 #include <linux/time.h>
 #include <linux/interrupt.h>
-#include <asm/semaphore.h>
+#include <linux/semaphore.h>
 #include <linux/serio.h>
 #include <linux/list.h>
 
diff --git a/include/linux/i2o.h b/include/linux/i2o.h
index 7da5b98d90e6..e92170dda245 100644
--- a/include/linux/i2o.h
+++ b/include/linux/i2o.h
@@ -33,9 +33,9 @@
 #include <linux/mempool.h>
 #include <linux/mutex.h>
 #include <linux/scatterlist.h>
+#include <linux/semaphore.h>	/* Needed for MUTEX init macros */
 
 #include <asm/io.h>
-#include <asm/semaphore.h>	/* Needed for MUTEX init macros */
 
 /* message queue empty */
 #define I2O_QUEUE_EMPTY		0xffffffff
diff --git a/include/linux/memory.h b/include/linux/memory.h
index 33f0ff0cf634..54d7866d9c0e 100644
--- a/include/linux/memory.h
+++ b/include/linux/memory.h
@@ -18,8 +18,7 @@
 #include <linux/sysdev.h>
 #include <linux/node.h>
 #include <linux/compiler.h>
-
-#include <asm/semaphore.h>
+#include <linux/semaphore.h>
 
 struct memory_block {
 	unsigned long phys_index;
diff --git a/include/linux/parport.h b/include/linux/parport.h
index d1ad546c8c9e..dcb9e01a69ca 100644
--- a/include/linux/parport.h
+++ b/include/linux/parport.h
@@ -101,9 +101,9 @@ typedef enum {
 #include <linux/spinlock.h>
 #include <linux/wait.h>
 #include <linux/irqreturn.h>
+#include <linux/semaphore.h>
 #include <asm/system.h>
 #include <asm/ptrace.h>
-#include <asm/semaphore.h>
 
 /* Define this later. */
 struct parport;
diff --git a/lib/kernel_lock.c b/lib/kernel_lock.c
index fbc11a336bc5..cd3e82530b03 100644
--- a/lib/kernel_lock.c
+++ b/lib/kernel_lock.c
@@ -8,7 +8,7 @@
 #include <linux/smp_lock.h>
 #include <linux/module.h>
 #include <linux/kallsyms.h>
-#include <asm/semaphore.h>
+#include <linux/semaphore.h>
 
 /*
  * The 'big kernel semaphore'
-- 
cgit v1.2.3