* [3.13.y.z extended stable] Linux 3.13.11.6 stable review
@ 2014-08-08 20:37 Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 001/259] ACPI / PAD: call schedule() when need_resched() is true Kamal Mostafa
` (258 more replies)
0 siblings, 259 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Kamal Mostafa
This is the start of the review cycle for the Linux 3.13.11.6 stable kernel.
This version contains 259 new patches, summarized below. The new patches are
posted as replies to this message and also available in this git branch:
http://kernel.ubuntu.com/git?p=ubuntu/linux.git;h=linux-3.13.y-review;a=shortlog
git://kernel.ubuntu.com/ubuntu/linux.git linux-3.13.y-review
The review period for version 3.13.11.6 will be open for the next three days.
To report a problem, please reply to the relevant follow-up patch message.
For more information about the Linux 3.13.y.z extended stable kernel version,
see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable .
-Kamal
--
Makefile | 2 +
arch/arm/Kconfig | 1 +
arch/arm/crypto/aesbs-glue.c | 10 +-
arch/arm/mach-omap2/mux.c | 6 +-
arch/arm/mm/mmu.c | 6 +-
arch/arm/xen/grant-table.c | 5 +
arch/arm64/Kconfig | 1 +
arch/arm64/include/asm/memory.h | 2 +
arch/arm64/mm/flush.c | 3 +-
arch/mips/kvm/kvm_mips.c | 1 +
arch/parisc/include/uapi/asm/signal.h | 2 -
arch/parisc/kernel/hardware.c | 3 +-
arch/parisc/kernel/sys_parisc32.c | 46 ++-----
arch/parisc/kernel/syscall_table.S | 2 +-
arch/powerpc/Kconfig | 1 +
arch/powerpc/include/asm/perf_event_server.h | 3 +-
arch/powerpc/perf/core-book3s.c | 24 +++-
arch/powerpc/perf/power8-pmu.c | 2 +-
arch/s390/kernel/ptrace.c | 12 +-
arch/sparc/Kconfig | 1 +
arch/sparc/net/bpf_jit_comp.c | 8 +-
arch/x86/Kconfig | 1 +
arch/x86/boot/header.S | 26 +++-
arch/x86/boot/tools/build.c | 37 +++++-
arch/x86/crypto/sha512_ssse3_glue.c | 2 +-
arch/x86/include/asm/kvm_host.h | 4 +-
arch/x86/include/asm/ptrace.h | 16 +++
arch/x86/kernel/cpu/perf_event_intel.c | 9 ++
arch/x86/kernel/entry_32.S | 9 +-
arch/x86/kernel/tsc.c | 4 +-
arch/x86/xen/grant-table.c | 148 +++++++++++++--------
arch/xtensa/kernel/vectors.S | 158 ++++++++++++++++++----
arch/xtensa/kernel/vmlinux.lds.S | 4 +-
block/blk-cgroup.c | 7 +
block/blk-tag.c | 33 +----
block/compat_ioctl.c | 1 +
crypto/af_alg.c | 2 +
crypto/crypto_user.c | 2 +-
drivers/acpi/ac.c | 130 +++++++++++++++++-
drivers/acpi/acpi_pad.c | 9 +-
drivers/acpi/battery.c | 27 +++-
drivers/acpi/ec.c | 128 +++++++++---------
drivers/ata/ahci.c | 1 +
drivers/ata/libata-core.c | 12 +-
drivers/base/platform.c | 21 ++-
drivers/bluetooth/hci_h5.c | 1 +
drivers/clk/clk-s2mps11.c | 7 +-
drivers/clk/spear/spear3xx_clock.c | 2 +-
drivers/connector/cn_proc.c | 2 +-
drivers/cpufreq/Makefile | 2 +-
drivers/cpufreq/cpufreq.c | 6 +-
drivers/cpufreq/intel_pstate.c | 35 +++--
drivers/crypto/caam/jr.c | 8 +-
drivers/gpu/drm/i915/i915_gem_stolen.c | 44 +++++++
drivers/gpu/drm/i915/i915_irq.c | 11 +-
drivers/gpu/drm/i915/i915_reg.h | 3 +
drivers/gpu/drm/qxl/qxl_irq.c | 3 +
drivers/gpu/drm/radeon/atombios_dp.c | 2 +-
drivers/gpu/drm/radeon/atombios_encoders.c | 10 +-
drivers/gpu/drm/radeon/ci_dpm.c | 2 +-
drivers/gpu/drm/radeon/cik.c | 2 +
drivers/gpu/drm/radeon/cikd.h | 2 +-
drivers/gpu/drm/radeon/cypress_dpm.c | 2 +-
drivers/gpu/drm/radeon/evergreen.c | 9 +-
drivers/gpu/drm/radeon/ni_dpm.c | 2 +-
drivers/gpu/drm/radeon/r600.c | 1 +
drivers/gpu/drm/radeon/radeon_display.c | 5 +
drivers/gpu/drm/radeon/rv770_dpm.c | 6 -
drivers/gpu/drm/radeon/si.c | 1 +
drivers/gpu/drm/vmwgfx/vmwgfx_fb.c | 1 -
drivers/hv/connection.c | 8 +-
drivers/hwmon/adm1021.c | 14 +-
drivers/hwmon/adm1029.c | 3 +
drivers/hwmon/adm1031.c | 8 +-
drivers/hwmon/adt7470.c | 6 +-
drivers/hwmon/amc6821.c | 2 +-
drivers/hwmon/da9052-hwmon.c | 2 +-
drivers/hwmon/da9055-hwmon.c | 2 +-
drivers/hwmon/emc2103.c | 15 +--
drivers/hwmon/smsc47m192.c | 4 +-
drivers/iio/accel/bma180.c | 8 +-
drivers/iio/adc/ti_am335x_adc.c | 2 +-
drivers/iio/industrialio-buffer.c | 2 +-
drivers/iio/industrialio-event.c | 3 +
drivers/iio/inkern.c | 6 +-
drivers/input/input.c | 6 +-
drivers/irqchip/irq-gic.c | 6 +-
drivers/irqchip/spear-shirq.c | 2 +-
drivers/md/dm-bufio.c | 2 +-
drivers/md/dm-cache-metadata.c | 9 ++
drivers/md/dm-cache-target.c | 13 +-
drivers/md/dm-io.c | 22 ++--
drivers/md/dm-thin-metadata.c | 9 ++
drivers/md/dm.c | 15 ++-
drivers/md/md.c | 13 ++
drivers/media/dvb-frontends/tda10071.c | 6 +-
drivers/media/usb/gspca/pac7302.c | 1 +
drivers/media/usb/hdpvr/hdpvr-video.c | 6 +-
drivers/media/v4l2-core/v4l2-dv-timings.c | 4 +-
drivers/mtd/devices/elm.c | 2 +
drivers/net/can/c_can/c_can_platform.c | 3 +-
drivers/net/can/slcan.c | 41 ++++--
drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 3 +-
drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
drivers/net/ethernet/intel/igb/e1000_82575.c | 7 +
drivers/net/ethernet/intel/igb/e1000_defines.h | 18 +--
drivers/net/ethernet/intel/igb/e1000_hw.h | 3 +
drivers/net/ethernet/intel/igb/e1000_i210.c | 66 ++++++++++
drivers/net/ethernet/intel/igb/e1000_i210.h | 12 ++
drivers/net/ethernet/intel/igb/e1000_regs.h | 1 +
drivers/net/ethernet/intel/igb/igb_main.c | 16 +++
drivers/net/ethernet/marvell/mvneta.c | 4 +-
drivers/net/ethernet/mellanox/mlx4/main.c | 168 ++++++++++++++----------
drivers/net/ethernet/mellanox/mlx4/mlx4.h | 1 +
drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c | 1 +
drivers/net/ethernet/renesas/sh_eth.c | 31 +++--
drivers/net/ethernet/renesas/sh_eth.h | 2 -
drivers/net/ethernet/sfc/io.h | 7 +
drivers/net/ethernet/sfc/tx.c | 22 +++-
drivers/net/ethernet/sun/sunvnet.c | 20 ++-
drivers/net/macvlan.c | 1 -
drivers/net/ppp/pppoe.c | 2 +-
drivers/net/slip/slip.c | 36 +++--
drivers/net/slip/slip.h | 1 +
drivers/net/team/team.c | 7 +-
drivers/net/usb/huawei_cdc_ncm.c | 10 +-
drivers/net/usb/qmi_wwan.c | 10 +-
drivers/net/vxlan.c | 7 +-
drivers/net/wireless/ath/ath9k/xmit.c | 9 ++
drivers/net/wireless/iwlwifi/dvm/rxon.c | 12 --
drivers/net/wireless/iwlwifi/mvm/mac-ctxt.c | 7 +-
drivers/net/wireless/iwlwifi/pcie/drv.c | 3 +-
drivers/net/wireless/mwifiex/main.c | 1 +
drivers/of/irq.c | 22 ++++
drivers/parport/Kconfig | 12 +-
drivers/phy/phy-core.c | 7 +-
drivers/rapidio/devices/tsi721_dma.c | 8 +-
drivers/scsi/ibmvscsi/ibmvscsi.c | 13 +-
drivers/scsi/scsi_error.c | 2 +-
drivers/scsi/scsi_lib.c | 8 ++
drivers/scsi/scsi_netlink.c | 2 +-
drivers/scsi/sd.c | 5 +-
drivers/scsi/virtio_scsi.c | 26 +++-
drivers/staging/iio/adc/ad7291.c | 4 +-
drivers/staging/vt6655/bssdb.c | 2 +-
drivers/staging/vt6655/device_main.c | 7 +-
drivers/target/target_core_rd.c | 2 +-
drivers/thermal/thermal_hwmon.c | 33 ++---
drivers/usb/chipidea/udc.c | 11 +-
drivers/usb/core/hub.c | 19 +++
drivers/usb/gadget/f_fs.c | 12 +-
drivers/usb/host/xhci-hub.c | 5 +-
drivers/usb/host/xhci-ring.c | 9 +-
drivers/usb/host/xhci.c | 10 +-
drivers/usb/musb/musb_am335x.c | 23 +---
drivers/usb/musb/musb_cppi41.c | 2 +-
drivers/usb/musb/ux500.c | 1 -
drivers/usb/serial/cp210x.c | 1 +
drivers/usb/serial/ftdi_sio.c | 12 +-
drivers/usb/serial/ftdi_sio_ids.h | 9 +-
drivers/usb/serial/option.c | 28 +++-
drivers/usb/storage/scsiglue.c | 4 +
drivers/usb/storage/unusual_devs.h | 7 +
drivers/xen/balloon.c | 12 +-
drivers/xen/grant-table.c | 5 +
drivers/xen/manage.c | 5 +-
fs/aio.c | 7 +
fs/coredump.c | 2 +-
fs/ext4/extents_status.c | 4 +-
fs/ext4/ialloc.c | 14 +-
fs/ext4/indirect.c | 20 ++-
fs/ext4/mballoc.c | 4 +-
fs/ext4/super.c | 9 +-
fs/fuse/dir.c | 7 +-
fs/fuse/inode.c | 20 ++-
fs/jbd2/transaction.c | 5 +-
fs/namei.c | 3 +-
fs/nfsd/nfs4proc.c | 9 --
fs/nfsd/nfs4xdr.c | 13 +-
fs/proc/stat.c | 22 +---
fs/quota/dquot.c | 2 +
fs/seq_file.c | 30 +++--
include/linux/if_team.h | 1 +
include/linux/libata.h | 1 +
include/linux/mm.h | 2 +
include/linux/netlink.h | 14 +-
include/linux/of_irq.h | 5 +
include/linux/printk.h | 6 +-
include/linux/ptrace.h | 3 +
include/linux/sock_diag.h | 2 +-
include/linux/usb_usual.h | 6 +-
include/net/inetpeer.h | 9 +-
include/net/sock.h | 21 +--
include/scsi/scsi_device.h | 1 +
include/xen/grant_table.h | 1 +
kernel/Kconfig.locks | 5 +-
kernel/audit.c | 4 +-
kernel/cpuset.c | 8 +-
kernel/events/core.c | 2 +-
kernel/power/process.c | 1 +
kernel/printk/printk.c | 2 +-
kernel/sched/core.c | 2 +-
kernel/sched/debug.c | 2 +-
kernel/sched/rt.c | 2 +-
kernel/time/alarmtimer.c | 20 ++-
kernel/time/clockevents.c | 10 +-
kernel/time/sched_clock.c | 4 +-
kernel/trace/ftrace.c | 4 +-
kernel/trace/ring_buffer.c | 4 -
kernel/trace/trace.c | 22 +++-
kernel/trace/trace_clock.c | 9 +-
kernel/workqueue.c | 3 +-
lib/lz4/lz4_decompress.c | 6 +-
lib/nlattr.c | 4 +-
mm/hugetlb.c | 1 +
mm/memcontrol.c | 4 +
mm/mempolicy.c | 2 -
mm/page-writeback.c | 6 +-
mm/page_alloc.c | 32 +++--
mm/shmem.c | 104 +++++++++++++--
mm/slab_common.c | 2 +-
mm/util.c | 10 ++
net/8021q/vlan_core.c | 5 +-
net/8021q/vlan_dev.c | 13 +-
net/appletalk/ddp.c | 3 -
net/bridge/br_input.c | 4 +-
net/bridge/br_private.h | 7 +
net/bridge/br_vlan.c | 28 ++++
net/can/gw.c | 4 +-
net/compat.c | 9 +-
net/core/dev.c | 11 +-
net/core/dst.c | 16 ++-
net/core/iovec.c | 6 +-
net/core/rtnetlink.c | 43 ++++--
net/core/skbuff.c | 3 +-
net/core/sock.c | 49 +++++++
net/core/sock_diag.c | 4 +-
net/dcb/dcbnl.c | 2 +-
net/decnet/dn_dev.c | 4 +-
net/decnet/dn_fib.c | 4 +-
net/decnet/netfilter/dn_rtmsg.c | 2 +-
net/dns_resolver/dns_query.c | 4 +-
net/ipv4/datagram.c | 20 ++-
net/ipv4/icmp.c | 2 -
net/ipv4/igmp.c | 10 +-
net/ipv4/ip_options.c | 4 +
net/ipv4/ip_tunnel.c | 12 +-
net/ipv4/ipip.c | 5 +-
net/ipv4/route.c | 15 ++-
net/ipv4/tcp.c | 3 +-
net/ipv4/tcp_input.c | 21 ++-
net/ipv4/tcp_output.c | 6 +-
net/ipv4/udp.c | 4 +
net/ipv6/ip6_tunnel.c | 1 +
net/ipv6/output_core.c | 11 +-
net/ipv6/sit.c | 5 +-
net/l2tp/l2tp_ppp.c | 4 +-
net/mac80211/iface.c | 1 -
net/mac80211/tx.c | 26 ++--
net/netfilter/ipvs/ip_vs_core.c | 15 ++-
net/netfilter/nfnetlink.c | 3 +-
net/netlink/af_netlink.c | 84 +++++++++++-
net/netlink/genetlink.c | 2 +-
net/packet/diag.c | 7 +-
net/phonet/pn_netlink.c | 8 +-
net/sched/act_api.c | 2 +-
net/sched/cls_api.c | 2 +-
net/sched/sch_api.c | 6 +-
net/sctp/associola.c | 2 +-
net/sctp/sysctl.c | 46 +++----
net/sctp/ulpevent.c | 122 +++--------------
net/tipc/bcast.c | 1 +
net/tipc/netlink.c | 2 +-
net/wireless/trace.h | 3 +-
net/xfrm/xfrm_user.c | 2 +-
security/apparmor/include/apparmor.h | 1 -
security/apparmor/lib.c | 14 --
sound/pci/hda/hda_intel.c | 10 +-
sound/pci/hda/patch_hdmi.c | 57 +++++++-
tools/usb/ffs-test.c | 4 +-
virt/kvm/ioapic.c | 2 +-
281 files changed, 2358 insertions(+), 1090 deletions(-)
Aaron Lu (1):
thermal: hwmon: Make the check for critical temp valid consistent
Abbas Raza (1):
usb: chipidea: udc: Disable auto ZLP generation on ep0
Adam Thomson (1):
iio: of_iio_channel_get_by_name() returns non-null pointers for error legs
Al Viro (1):
nick kvfree() from apparmor
Alan Stern (1):
usb-storage/SCSI: Add broken_fua blacklist flag
Alex Deucher (8):
drm/radeon/dpm: fix typo in vddci setup for eg/btc
drm/radeon/dpm: fix vddci setup typo on cayman
drm/radeon/cik: fix typo in EOP packet
drm/radeon/dp: return -EIO for flags not zero case
drm/radeon: fix typo in golden register setup on evergreen
drm/radeon: fix typo in ci_stop_dpm()
drm/radeon: avoid leaking edid data
drm/radeon: set default bl level to something reasonable
Alexandre Bounine (1):
rapidio/tsi721_dma: fix failure to obtain transaction descriptor
Alexandre Demers (1):
drm/radeon/dpm: Reenabling SS on Cayman
Alexei Starovoitov (2):
net: filter: fix typo in sparc BPF JIT
net: filter: fix sparc32 typo
Amitkumar Karwar (1):
mwifiex: fix Tx timeout issue
Anand Avati (1):
fuse: ignore entry-timeout on LOOKUP_REVAL
Andras Kovacs (1):
USB: cp210x: add support for Corsair usb dongle
Andrey Ryabinin (1):
net: sendmsg: fix NULL pointer dereference
Andrey Utkin (1):
appletalk: Fix socket referencing in skb
Anssi Hannula (1):
dm cache: fix race affecting dirty block count
Anton Blanchard (1):
powerpc/perf: Never program book3s PMCs with values >= 0x80000000
Antti Palosaari (1):
[media] tda10071: force modulation to QPSK on DVB-S
Axel Lin (5):
hwmon: (amc6821) Fix permissions for temp2_input
hwmon: (adm1029) Ensure the fan_div cache is updated in set_fan_div
hwmon: (adm1021) Fix cache problem when writing temperature limits
hwmon: (da9052) Don't use dash in the name attribute
hwmon: (da9055) Don't use dash in the name attribute
Ben Dooks (1):
sh_eth: use RNC mode for packet reception
Ben Hutchings (1):
dns_resolver: Null-terminate the right string
Ben Pfaff (1):
netlink: Fix handling of error from netlink_dump().
Benjamin LaHaise (1):
aio: protect reqs_available updates from changes in interrupt handlers
Bernd Wachter (2):
usb: option: Add ID for Telewell TW-LTE 4G v2
net: qmi_wwan: Add ID for Telewell TW-LTE 4G v2
Bert Vermeulen (1):
USB: ftdi_sio: Add extra PID.
Bjørn Mork (5):
usb: option: add/modify Olivetti Olicard modems
net: qmi_wwan: add Olivetti Olicard modems
net: huawei_cdc_ncm: increase command buffer size
net: qmi_wwan: add two Sierra Wireless/Netgear devices
net: huawei_cdc_ncm: add "subclass 3" devices
Brian King (2):
ibmvscsi: Abort init sequence during error recovery
ibmvscsi: Add memory barriers for send / receive
Chris Wilson (1):
drm/i915: Reorder the semaphore deadlock check, again
Christian König (1):
drm/radeon: fix irq ring buffer overflow handling
Christoph Hellwig (1):
block: don't assume last put of shared tags is for the host
Christoph Paasch (1):
tcp: Fix divide by zero when pushing during tcp-repair
Christoph Schulz (1):
net: pppoe: use correct channel MTU when using Multilink PPP
Colin Cross (1):
arm64: implement TASK_SIZE_OF
Cong Wang (1):
vxlan: use dev->needed_headroom instead of dev->hard_header_len
Cristian Stoica (1):
crypto: caam - fix memleak in caam_jr module
Dan Carpenter (2):
staging: iio/ad7291: fix error code in ad7291_probe()
qlcnic: info leak in qlcnic_dcb_peer_app_info()
Daniel Borkmann (3):
net: sctp: propagate sysctl errors from proc_do* properly
net: sctp: check proc_dointvec result in proc_sctp_do_auth
net: sctp: fix information leaks in ulpevent layer
David R. Piegdon (1):
ARM: OMAP2+: Fix parser-bug in platform muxing code
David Rientjes (1):
mm, thp: do not allow thp faults to avoid cpuset restrictions
David Vrabel (3):
x86/xen: safely map and unmap grant frames when in atomic context
xen/manage: fix potential deadlock when resuming the console
xen/balloon: set ballooned out pages as invalid in p2m
Deng-Cheng Zhu (1):
MIPS: KVM: Fix memory leak on VCPU
Dirk Brandewie (2):
intel_pstate: Fix setting VID
intel_pstate: don't touch turbo bit if turbo disabled or unavailable.
Dmitry Popov (2):
ipip, sit: fix ipv4_{update_pmtu,redirect} calls
ip_tunnel: fix ip_tunnel_lookup
Dmitry Torokhov (1):
Input: fix defuzzing logic
Edward Allcutt (1):
ipv4: icmp: Fix pMTU handling for rare case
Eliad Peller (1):
cfg80211: fix mic_failure tracing
Emmanuel Grumbach (2):
iwlwifi: dvm: don't enable CTS to self
iwlwifi: mvm: disable CTS to Self
Eric Dumazet (10):
net: fix inet_getid() and ipv6_select_ident() bugs
net: force a list_del() in unregister_netdevice_many()
ipv4: fix a race in ip4_datagram_release_cb()
udp: ipv4: do not waste time in __udp4_lib_mcast_demux_lookup
ipv4: fix dst race in sk_dst_get()
ipv4: irq safe sk_dst_[re]set() and ipv4_sk_update_pmtu() fix
net: fix sparse warning in sk_dst_set()
vlan: free percpu stats in device destructor
bnx2x: fix possible panic under memory stress
ipv4: fix buffer overflow in ip_options_compile()
Eric Sandeen (1):
ext4: disable synchronous transaction batching if max_batch_time==0
Eric W. Biederman (6):
netlink: Rename netlink_capable netlink_allowed
net: Move the permission check in sock_diag_put_filterinfo to packet_diag_dump
net: Add variants of capable for use on on sockets
net: Add variants of capable for use on netlink messages
net: Use netlink_ns_capable to verify the permisions of netlink messages
netlink: Only check file credentials for implicit destinations
Ezequiel Garcia (1):
usb: musb: Fix panic upon musb_am335x module removal
Felix Fietkau (1):
ath9k: fix aggregation session lockup
Gavin Guo (1):
usb: Check if port status is equal to RxDetect
George Cherian (1):
can: c_can_platform: Fix raminit, use devm_ioremap() instead of devm_ioremap_resource()
Greg Kroah-Hartman (1):
lz4: add overrun checks to lz4_uncompress_unknownoutputsize()
Greg Thelen (1):
dm bufio: fully initialize shrinker
Grygorii Strashko (1):
of/irq: do irq resolution in platform_get_irq_byname()
Gu Zheng (1):
cpuset,mempolicy: fix sleeping function called from invalid context
Guenter Roeck (5):
hwmon: (adm1031) Fix writes to limit registers
hwmon: (emc2103) Clamp limits instead of bailing out
platform_get_irq: Revert to platform_get_resource if of_irq_get fails
hwmon: (adt7470) Fix writes to temperature limit registers
hwmon: (smsc47m192) Fix temperature limit and vrm write operations
HATAYAMA Daisuke (1):
perf/x86/intel: ignore CondChgd bit to avoid false NMI handling
Hans Verkuil (1):
[media] hdpvr: fix two audio bugs
Hans de Goede (1):
[media] gspca_pac7302: Add new usb-id for Genius i-Look 317
Heiko Carstens (2):
/proc/stat: convert to single_open_size()
fs/seq_file: fallback to vmalloc allocation
Helge Deller (3):
parisc: add serial ports of C8000/1GHz machine to hardware database
parisc: fix fanotify_mark() syscall on 32bit compat kernel
parisc: drop unused defines and header includes
Hugh Dickins (3):
shmem: fix faulting into a hole while it's punched
shmem: fix faulting into a hole, not taking i_mutex
shmem: fix splicing from a hole while it's punched
J. Bruce Fields (1):
nfsd: fix rare symlink decoding bug
James Bottomley (1):
scsi: handle flush errors properly
Jan Kara (3):
ext4: Fix buffer double free in ext4_alloc_branch()
ext4: Fix hole punching for files with indirect blocks
timer: Fix lock inversion between hrtimer_bases.lock and scheduler locks
Jan Kardell (1):
iio: ti_am335x_adc: Fix: Use same step id at FIFOs both ends
Jason Wang (1):
drm/qxl: return IRQ_NONE if it was not our irq
Jerome Glisse (1):
drm/radeon: fix cut and paste issue for hawaii.
Jiri Olsa (1):
perf: Do not allow optimized switch for non-cloned events
Jiri Pirko (1):
team: fix mtu setting
Joe Thornber (1):
dm io: fix a race condition in the wake up code for sync_io
Joel Stanley (2):
powerpc/perf: Add PPMU_ARCH_207S define
powerpc/perf: Clear MMCR2 when enabling PMU
Johan Hovold (1):
USB: ftdi_sio: fix null deref at port probe
Johannes Berg (1):
Revert "mac80211: move "bufferable MMPDU" check to fix AP mode scan"
John David Anglin (1):
parisc: Remove SA_RESTORER define
John Stultz (2):
alarmtimer: Fix bug where relative alarm timers were treated as absolute
printk: rename printk_sched to printk_deferred
Jon Cooper (1):
sfc: PIO:Restrict to 64bit arch and use 64-bit writes.
Jon Paul Maloy (1):
tipc: clear 'next'-pointer of message fragments before reassembly
Jussi Kivilinna (1):
crypto: sha512_ssse3 - fix byte count to bit count conversion
K. Y. Srinivasan (1):
Drivers: hv: vmbus: Fix a bug in the channel callback dispatch code
Kevin Hao (1):
libata: support the ata host which implements a queue depth less than 32
Krzysztof Kozlowski (1):
clk: s2mps11: Fix double free corruption during driver unbind
Lan Tianyu (2):
Revert "ACPI / AC: Remove AC's proc directory."
ACPI / battery: Retry to get battery information if failed during probing
Lars-Peter Clausen (1):
iio: buffer: Fix demux table creation
Li RongQing (1):
8021q: fix a potential memory leak
Linus Torvalds (1):
Fix gcc-4.9.0 miscompilation of load_balance() in scheduler
Linus Walleij (1):
usb: musb: ux500: don't propagate the OF node
Loic Poulain (1):
Bluetooth: Ignore H5 non-link packets in non-active state
Loic Prylli (1):
net: Fix NETDEV_CHANGE notifier usage causing spurious arp flush
Lu Baolu (1):
xhci: clear root port wake on bits if controller isn't wake-up capable
Lv Zheng (4):
ACPI / EC: Avoid race condition related to advance_transaction()
ACPI / EC: Add asynchronous command byte write support
ACPI / EC: Remove duplicated ec_wait_ibf0() waiter
ACPI / EC: Fix race condition in ec_transaction_completed()
Malcolm Priestley (2):
staging: vt6655: Fix Warning on boot handle_irq_event_percpu.
staging: vt6655: Fix disassociated messages every 10 seconds
Manuel Schölling (1):
dns_resolver: assure that dns_query() result is null-terminated
Martin Lau (1):
ring-buffer: Fix polling on trace_pipe
Martin Schwidefsky (1):
s390/ptrace: fix PSW mask check
Mateusz Guzik (1):
sched: Fix possible divide by zero in avg_atom() calculation
Mathias Nyman (2):
xhci: Use correct SLOT ID when handling a reset device command
xhci: correct burst count field for isoc transfers on 1.0 xhci hosts
Matthias Brugger (1):
irqchip: gic: Add support for cortex a7 compatible string
Max Filippov (1):
xtensa: add fixup for double exception raised in window overflow
Maxim Patlasov (1):
mm/page-writeback.c: fix divide by zero in bdi_dirty_limits()
Maxime Bizon (1):
workqueue: fix dev_set_uevent_suppress() imbalance
Mengdong Lin (3):
ALSA: hda/hdmi - apply all Haswell fix-ups to Broadwell display codec
ALSA: hda - verify pin:converter connection on unsol event for HSW and VLV
ALSA: hda - verify pin:cvt connection on preparing a stream for Intel HDMI codec
Michael Brown (1):
x86/efi: Include a .bss section within the PE/COFF headers
Michael Ellerman (1):
powerpc/perf: Fix MMCR2 handling for EBB
Michal Hocko (1):
memcg: oom_notify use-after-free fix
Michal Nazarewicz (3):
usb: gadget: f_fs: fix NULL pointer dereference when there are no strings
tools: ffs-test: fix header values endianess
mm: page_alloc: fix CMA area initialisation when pageblock > MAX_ORDER
Michal Schmidt (2):
netlink: rate-limit leftover bytes warning and print process name
rtnetlink: fix userspace API breakage for iproute2 < v3.9.0
Michal Sojka (1):
USB: serial: ftdi_sio: Add Infineon Triboard
Mike Snitzer (2):
dm thin metadata: do not allow the data block size to change
dm cache metadata: do not allow the data block size to change
Miklos Szeredi (2):
fuse: timeout comparison fix
fuse: handle large user and group ID
Mikulas Patocka (4):
dm: allocate a special workqueue for deferred device removal
slab_common: fix the check for duplicate slab names
block: provide compat ioctl for BLKZEROOUT
crypto: arm-aes - fix encryption of unaligned data
Milan Broz (1):
crypto: af_alg - properly label AF_ALG socket
Nadav Amit (1):
KVM: x86: Increase the number of fixed MTRR regs to 10
Naoya Horiguchi (1):
mm: hugetlb: fix copy_hugetlb_page_range()
Neal Cardwell (1):
tcp: fix tcp_match_skb_to_sack() for unaligned SACK at end of an skb
NeilBrown (1):
md: flush writes before starting a recovery.
Nicholas Bellinger (1):
target: Explicitly clear ramdisk_mcp backend pages
Niu Yawei (1):
quota: missing lock in dqcache_shrink_scan()
Oliver Neukum (1):
USB: option: add device ID for SpeedUp SU9800 usb 3g modem
Oren Givon (1):
iwlwifi: update the 7265 series HW IDs
Paolo Bonzini (4):
KVM: ioapic: fix assignment of ioapic->rtc_status.pending_eoi (CVE-2014-0155)
KVM: x86: preserve the high 32-bits of the PAT register
virtio-scsi: avoid cancelling uninitialized work items
virtio-scsi: fix various bad behavior on aborted requests
Peter Chen (1):
usb: chipidea: udc: delete td from req's td list at ep_dequeue
Peter Christensen (1):
ipvs: Fix panic due to non-linear skb
Peter Meerwald (2):
iio:bma180: Fix scale factors to report correct acceleration units
iio:bma180: Missing check for frequency fractional part
Peter Zijlstra (2):
x86, tsc: Fix cpufreq lockup
locking/mutex: Disable optimistic spinning on some architectures
Prabhakar Lad (1):
cpufreq: Makefile: fix compilation for davinci platform
Randy Dunlap (1):
parport: fix menu breakage
Rickard Strandqvist (1):
[media] media: v4l2-core: v4l2-dv-timings.c: Cleaning up code wrong value used in aspect ratio
Roger Quadros (1):
phy: core: Fix error path in phy_create()
Romain Degez (1):
ahci: add support for the Promise FastTrak TX8660 SATA HBA (ahci mode)
Russell King (1):
ARM: fix alignment of keystone page table fixup
Sasha Levin (1):
net/l2tp: don't fall back on UDP [get|set]sockopt
Sergei Shtylyov (1):
sh_eth: fix SH7619/771x support
Silesh C V (1):
coredump: fix the setting of PF_DUMPCORE
Sowmini Varadhan (1):
sunvnet: clean up objects created in vnet_new() on vnet_exit()
Srinivas Pandruvada (1):
iio:core: Handle error when mask type is not separate
Stefan Assmann (1):
igb: do a reset on SR-IOV re-init if device is down
Stephen Boyd (1):
sched_clock: Avoid corrupting hrtimer tree during suspend
Steve Capper (1):
arm64: mm: Make icache synchronisation logic huge page aware
Steven Rostedt (Red Hat) (2):
tracing: Remove ftrace_stop/start() from reading the trace file
tracing: Fix graph tracer with stack tracer on other archs
Suresh Reddy (1):
be2net: set EQ DB clear-intr bit in be_open()
Sven Wegener (1):
x86_32, entry: Store badsys error code in %eax
Takashi Iwai (2):
PM / sleep: Fix request_firmware() error at resume
ALSA: hda - Fix broken PM due to incomplete i915 initialization
Ted Juan (1):
mtd: devices: elm: fix elm_context_save() and elm_context_restore() functions
Tejun Heo (3):
ptrace,x86: force IRET path after a ptrace_stop()
blkcg: don't call into policy draining if root_blkg is already gone
libata: introduce ata_host->n_tags to avoid oops on SAS controllers
Theodore Ts'o (4):
ext4: fix unjournalled bg descriptor while initializing inode bitmap
ext4: clarify error count warning messages
ext4: clarify ext4_error message in ext4_mb_generate_buddy_error()
ext4: fix a potential deadlock in __ext4_es_shrink()
Thomas Fitzsimmons (1):
net: mvneta: Fix big endian issue in mvneta_txq_desc_csum()
Thomas Gleixner (3):
irqchip: spear_shirq: Fix interrupt offset
usb: musb: Ensure that cppi41 timer gets armed on premature DMA TX irq
clk: spear3xx: Use proper control register offset
Thomas Hellstrom (1):
drm/vmwgfx: Fix incorrect write to read-only register v2:
Thomas Petazzoni (1):
net: mvneta: fix operation in 10 Mbit/s mode
Todd Fujinaka (1):
igb: Workaround for i210 Errata 25: Slow System Clock
Tom Gundersen (1):
net: tunnels - enable module autoloading
Tomasz Figa (1):
irqchip: gic: Fix core ID calculation when topology is read from DT
Tony Camuso (1):
ACPI / PAD: call schedule() when need_resched() is true
Tony Luck (1):
tracing: Fix wraparound problems in "uptime" trace clock
Toshiaki Makita (1):
bridge: Prevent insertion of FDB entry with disallowed vlan
Tyler Hall (2):
slip: Fix deadlock in write_wakeup
slcan: Port write_wakeup deadlock fix from slip
Ulrich Obergfell (1):
scsi_error: fix invalid setting of host byte
Vasily Averin (1):
fs: umount on symlink leaks mnt count
Ville Syrjälä (1):
drm/i915: Don't clobber the GTT when it's within stolen memory
Vincent Minet (1):
intel_pstate: Set CPU number before accessing MSRs
Viresh Kumar (1):
cpufreq: move policy kobj to policy->cpu at resume
Wang, Yu (1):
xhci: Fix runtime suspended xhci from blocking system suspend.
Wei Yang (2):
net/mlx4_core: pass pci_device_id.driver_data to __mlx4_init_one during reset
net/mlx4_core: Preserve pci_dev_data after __mlx4_remove_one()
Wei-Chun Chao (1):
net: fix UDP tunnel GSO of frag_list GRO packets
Xufeng Zhang (1):
sctp: Fix sk_ack_backlog wrap-around problem
Yasuaki Ishimatsu (1):
workqueue: zero cpumask of wq_numa_possible_cpumask on init
Yuchung Cheng (2):
tcp: fix cwnd undo on DSACK in F-RTO
tcp: fix false undo corner cases
dingtianhong (1):
igmp: fix the problem when mc leave group
zhangwei(Jovi) (2):
tracing: Add ftrace_trace_stack into __trace_puts/__trace_bputs
tracing: Add TRACE_ITER_PRINTK flag check in __trace_puts/__trace_bputs
^ permalink raw reply [flat|nested] 264+ messages in thread
* [PATCH 3.13 001/259] ACPI / PAD: call schedule() when need_resched() is true
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 002/259] KVM: ioapic: fix assignment of ioapic->rtc_status.pending_eoi (CVE-2014-0155) Kamal Mostafa
` (257 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Tony Camuso, Rafael J. Wysocki, Leann Ogasawara, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Tony Camuso <tcamuso@redhat.com>
commit 5b59c69ec54849f23b51d18b0a609c4f793bc35a upstream.
The purpose of the acpi_pad driver is to implement the "processor power
aggregator" device as described in the ACPI 4.0 spec section 8.5. It
takes requests from the BIOS (via ACPI) to put a specified number of
CPUs into idle, in order to save power, until further notice.
It does this by creating high-priority threads that try to keep the CPUs
in a high C-state (using the monitor/mwait CPU instructions). The
mwait() call is in a loop that checks periodically if the thread should
end and a few other things.
It was discovered through testing that the power_saving threads were
causing the system to consume more power than the system was consuming
before the threads were created. A counter in the main loop of
power_saving_thread() revealed that it was spinning. The mwait()
instruction was not keeping the CPU in a high C state very much if at
all.
Here is a simplification of the loop in function power_saving_thread() in
drivers/acpi/acpi_pad.c
while (!kthread_should_stop()) {
:
try_to_freeze()
:
while (!need_resched()) {
:
if (!need_resched())
__mwait(power_saving_mwait_eax, 1);
:
if (jiffies > expire_time) {
do_sleep = 1;
break;
}
}
}
If need_resched() returns true, then mwait() is not called. It was
returning true because of things like timer interrupts, as in the
following sequence.
hrtimer_interrupt->__run_hrtimer->tick_sched_timer-> update_process_times->
rcu_check_callbacks->rcu_pending->__rcu_pending->set_need_resched
Kernels 3.5.0-rc2+ do not exhibit this problem, because a patch to
try_to_freeze() in include/linux/freezer.h introduces a call to
might_sleep(), which ultimately calls schedule() to clear the reschedule
flag and allows the the loop to execute the call to mwait().
However, the changes to try_to_freeze are unrelated to acpi_pad, and it
does not seem like a good idea to rely on an unrelated patch in a
function that could later be changed and reintroduce this bug.
Therefore, it seems better to make an explicit call to schedule() in the
outer loop when the need_resched flag is set.
Reported-and-tested-by: Stuart Hayes <stuart_hayes@dell.com>
Signed-off-by: Tony Camuso <tcamuso@redhat.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Cc: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/acpi/acpi_pad.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/acpi/acpi_pad.c b/drivers/acpi/acpi_pad.c
index fc6008f..2c67e59 100644
--- a/drivers/acpi/acpi_pad.c
+++ b/drivers/acpi/acpi_pad.c
@@ -219,8 +219,15 @@ static int power_saving_thread(void *data)
* borrow CPU time from this CPU and cause RT task use > 95%
* CPU time. To make 'avoid starvation' work, takes a nap here.
*/
- if (do_sleep)
+ if (unlikely(do_sleep))
schedule_timeout_killable(HZ * idle_pct / 100);
+
+ /* If an external event has set the need_resched flag, then
+ * we need to deal with it, or this loop will continue to
+ * spin without calling __mwait().
+ */
+ if (unlikely(need_resched()))
+ schedule();
}
exit_round_robin(tsk_index);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 002/259] KVM: ioapic: fix assignment of ioapic->rtc_status.pending_eoi (CVE-2014-0155)
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 001/259] ACPI / PAD: call schedule() when need_resched() is true Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 003/259] target: Explicitly clear ramdisk_mcp backend pages Kamal Mostafa
` (256 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Paolo Bonzini, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Bonzini <pbonzini@redhat.com>
commit 5678de3f15010b9022ee45673f33bcfc71d47b60 upstream.
QE reported that they got the BUG_ON in ioapic_service to trigger.
I cannot reproduce it, but there are two reasons why this could happen.
The less likely but also easiest one, is when kvm_irq_delivery_to_apic
does not deliver to any APIC and returns -1.
Because irqe.shorthand == 0, the kvm_for_each_vcpu loop in that
function is never reached. However, you can target the similar loop in
kvm_irq_delivery_to_apic_fast; just program a zero logical destination
address into the IOAPIC, or an out-of-range physical destination address.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
virt/kvm/ioapic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/virt/kvm/ioapic.c b/virt/kvm/ioapic.c
index 2d68297..39dc5bc 100644
--- a/virt/kvm/ioapic.c
+++ b/virt/kvm/ioapic.c
@@ -306,7 +306,7 @@ static int ioapic_deliver(struct kvm_ioapic *ioapic, int irq, bool line_status)
BUG_ON(ioapic->rtc_status.pending_eoi != 0);
ret = kvm_irq_delivery_to_apic(ioapic->kvm, NULL, &irqe,
ioapic->rtc_status.dest_map);
- ioapic->rtc_status.pending_eoi = ret;
+ ioapic->rtc_status.pending_eoi = (ret < 0 ? 0 : ret);
} else
ret = kvm_irq_delivery_to_apic(ioapic->kvm, NULL, &irqe, NULL);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 003/259] target: Explicitly clear ramdisk_mcp backend pages
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 001/259] ACPI / PAD: call schedule() when need_resched() is true Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 002/259] KVM: ioapic: fix assignment of ioapic->rtc_status.pending_eoi (CVE-2014-0155) Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 004/259] sctp: Fix sk_ack_backlog wrap-around problem Kamal Mostafa
` (255 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Jorge Daniel Sequeira Matias, Nicholas Bellinger, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicholas Bellinger <nab@linux-iscsi.org>
[Note that a different patch to address the same issue went in during
v3.15-rc1 (commit 4442dc8a), but includes a bunch of other changes that
don't strictly apply to fixing the bug.]
This patch changes rd_allocate_sgl_table() to explicitly clear
ramdisk_mcp backend memory pages by passing __GFP_ZERO into
alloc_pages().
This addresses a potential security issue where reading from a
ramdisk_mcp could return sensitive information, and follows what
>= v3.15 does to explicitly clear ramdisk_mcp memory at backend
device initialization time.
Reported-by: Jorge Daniel Sequeira Matias <jdsm@tecnico.ulisboa.pt>
Cc: Jorge Daniel Sequeira Matias <jdsm@tecnico.ulisboa.pt>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Reference: CVE-2014-4027
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/target/target_core_rd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/target/target_core_rd.c b/drivers/target/target_core_rd.c
index 4ffe5f2..a97107c 100644
--- a/drivers/target/target_core_rd.c
+++ b/drivers/target/target_core_rd.c
@@ -178,7 +178,7 @@ static int rd_build_device_space(struct rd_dev *rd_dev)
- 1;
for (j = 0; j < sg_per_table; j++) {
- pg = alloc_pages(GFP_KERNEL, 0);
+ pg = alloc_pages(GFP_KERNEL | __GFP_ZERO, 0);
if (!pg) {
pr_err("Unable to allocate scatterlist"
" pages for struct rd_dev_sg_table\n");
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 004/259] sctp: Fix sk_ack_backlog wrap-around problem
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (2 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 003/259] target: Explicitly clear ramdisk_mcp backend pages Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 005/259] mm: hugetlb: fix copy_hugetlb_page_range() Kamal Mostafa
` (254 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Xufeng Zhang, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Xufeng Zhang <xufeng.zhang@windriver.com>
commit d3217b15a19a4779c39b212358a5c71d725822ee upstream.
Consider the scenario:
For a TCP-style socket, while processing the COOKIE_ECHO chunk in
sctp_sf_do_5_1D_ce(), after it has passed a series of sanity check,
a new association would be created in sctp_unpack_cookie(), but afterwards,
some processing maybe failed, and sctp_association_free() will be called to
free the previously allocated association, in sctp_association_free(),
sk_ack_backlog value is decremented for this socket, since the initial
value for sk_ack_backlog is 0, after the decrement, it will be 65535,
a wrap-around problem happens, and if we want to establish new associations
afterward in the same socket, ABORT would be triggered since sctp deem the
accept queue as full.
Fix this issue by only decrementing sk_ack_backlog for associations in
the endpoint's list.
Fix-suggested-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com>
Acked-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Reference: CVE-2014-4667
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/sctp/associola.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index 31ed008..6524fa8 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -372,7 +372,7 @@ void sctp_association_free(struct sctp_association *asoc)
/* Only real associations count against the endpoint, so
* don't bother for if this is a temporary association.
*/
- if (!asoc->temp) {
+ if (!list_empty(&asoc->asocs)) {
list_del(&asoc->asocs);
/* Decrement the backlog value for a TCP-style listening
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 005/259] mm: hugetlb: fix copy_hugetlb_page_range()
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (3 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 004/259] sctp: Fix sk_ack_backlog wrap-around problem Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 006/259] x86_32, entry: Store badsys error code in %eax Kamal Mostafa
` (253 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Naoya Horiguchi, Andrew Morton, Linus Torvalds, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
commit 0253d634e0803a8376a0d88efee0bf523d8673f9 upstream.
Commit 4a705fef9862 ("hugetlb: fix copy_hugetlb_page_range() to handle
migration/hwpoisoned entry") changed the order of
huge_ptep_set_wrprotect() and huge_ptep_get(), which leads to breakage
in some workloads like hugepage-backed heap allocation via libhugetlbfs.
This patch fixes it.
The test program for the problem is shown below:
$ cat heap.c
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#define HPS 0x200000
int main() {
int i;
char *p = malloc(HPS);
memset(p, '1', HPS);
for (i = 0; i < 5; i++) {
if (!fork()) {
memset(p, '2', HPS);
p = malloc(HPS);
memset(p, '3', HPS);
free(p);
return 0;
}
}
sleep(1);
free(p);
return 0;
}
$ export HUGETLB_MORECORE=yes ; export HUGETLB_NO_PREFAULT= ; hugectl --heap ./heap
Fixes 4a705fef9862 ("hugetlb: fix copy_hugetlb_page_range() to handle
migration/hwpoisoned entry"), so is applicable to -stable kernels which
include it.
Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Reported-by: Guillaume Morin <guillaume@morinfr.org>
Suggested-by: Guillaume Morin <guillaume@morinfr.org>
Acked-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
mm/hugetlb.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index 1984a3d..d821a7e 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -2421,6 +2421,7 @@ int copy_hugetlb_page_range(struct mm_struct *dst, struct mm_struct *src,
} else {
if (cow)
huge_ptep_set_wrprotect(src, addr, src_pte);
+ entry = huge_ptep_get(src_pte);
ptepage = pte_page(entry);
get_page(ptepage);
page_dup_rmap(ptepage);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 006/259] x86_32, entry: Store badsys error code in %eax
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (4 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 005/259] mm: hugetlb: fix copy_hugetlb_page_range() Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 007/259] shmem: fix faulting into a hole while it's punched Kamal Mostafa
` (252 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Sven Wegener, H. Peter Anvin, Andy Lutomirski, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Wegener <sven.wegener@stealer.net>
commit 8142b215501f8b291a108a202b3a053a265b03dd upstream.
Commit 554086d ("x86_32, entry: Do syscall exit work on badsys
(CVE-2014-4508)") introduced a regression in the x86_32 syscall entry
code, resulting in syscall() not returning proper errors for undefined
syscalls on CPUs supporting the sysenter feature.
The following code:
> int result = syscall(666);
> printf("result=%d errno=%d error=%s\n", result, errno, strerror(errno));
results in:
> result=666 errno=0 error=Success
Obviously, the syscall return value is the called syscall number, but it
should have been an ENOSYS error. When run under ptrace it behaves
correctly, which makes it hard to debug in the wild:
> result=-1 errno=38 error=Function not implemented
The %eax register is the return value register. For debugging via ptrace
the syscall entry code stores the complete register context on the
stack. The badsys handlers only store the ENOSYS error code in the
ptrace register set and do not set %eax like a regular syscall handler
would. The old resume_userspace call chain contains code that clobbers
%eax and it restores %eax from the ptrace registers afterwards. The same
goes for the ptrace-enabled call chain. When ptrace is not used, the
syscall return value is the passed-in syscall number from the untouched
%eax register.
Use %eax as the return value register in syscall_badsys and
sysenter_badsys, like a real syscall handler does, and have the caller
push the value onto the stack for ptrace access.
Signed-off-by: Sven Wegener <sven.wegener@stealer.net>
Link: http://lkml.kernel.org/r/alpine.LNX.2.11.1407221022380.31021@titan.int.lan.stealer.net
Reviewed-and-tested-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/x86/kernel/entry_32.S | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
index 6491353..c87810b 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -433,8 +433,8 @@ sysenter_do_call:
cmpl $(NR_syscalls), %eax
jae sysenter_badsys
call *sys_call_table(,%eax,4)
- movl %eax,PT_EAX(%esp)
sysenter_after_call:
+ movl %eax,PT_EAX(%esp)
LOCKDEP_SYS_EXIT
DISABLE_INTERRUPTS(CLBR_ANY)
TRACE_IRQS_OFF
@@ -514,6 +514,7 @@ ENTRY(system_call)
jae syscall_badsys
syscall_call:
call *sys_call_table(,%eax,4)
+syscall_after_call:
movl %eax,PT_EAX(%esp) # store the return value
syscall_exit:
LOCKDEP_SYS_EXIT
@@ -683,12 +684,12 @@ syscall_fault:
END(syscall_fault)
syscall_badsys:
- movl $-ENOSYS,PT_EAX(%esp)
- jmp syscall_exit
+ movl $-ENOSYS,%eax
+ jmp syscall_after_call
END(syscall_badsys)
sysenter_badsys:
- movl $-ENOSYS,PT_EAX(%esp)
+ movl $-ENOSYS,%eax
jmp sysenter_after_call
END(syscall_badsys)
CFI_ENDPROC
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 007/259] shmem: fix faulting into a hole while it's punched
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (5 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 006/259] x86_32, entry: Store badsys error code in %eax Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 008/259] shmem: fix faulting into a hole, not taking i_mutex Kamal Mostafa
` (251 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Hugh Dickins, Dave Jones, Andrew Morton, Linus Torvalds, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Hugh Dickins <hughd@google.com>
commit f00cdc6df7d7cfcabb5b740911e6788cb0802bdb upstream.
Trinity finds that mmap access to a hole while it's punched from shmem
can prevent the madvise(MADV_REMOVE) or fallocate(FALLOC_FL_PUNCH_HOLE)
from completing, until the reader chooses to stop; with the puncher's
hold on i_mutex locking out all other writers until it can complete.
It appears that the tmpfs fault path is too light in comparison with its
hole-punching path, lacking an i_data_sem to obstruct it; but we don't
want to slow down the common case.
Extend shmem_fallocate()'s existing range notification mechanism, so
shmem_fault() can refrain from faulting pages into the hole while it's
punched, waiting instead on i_mutex (when safe to sleep; or repeatedly
faulting when not).
[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Hugh Dickins <hughd@google.com>
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Tested-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Dave Jones <davej@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
mm/shmem.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 52 insertions(+), 4 deletions(-)
diff --git a/mm/shmem.c b/mm/shmem.c
index 902a148..3f151d1 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -80,11 +80,12 @@ static struct vfsmount *shm_mnt;
#define SHORT_SYMLINK_LEN 128
/*
- * shmem_fallocate and shmem_writepage communicate via inode->i_private
- * (with i_mutex making sure that it has only one user at a time):
- * we would prefer not to enlarge the shmem inode just for that.
+ * shmem_fallocate communicates with shmem_fault or shmem_writepage via
+ * inode->i_private (with i_mutex making sure that it has only one user at
+ * a time): we would prefer not to enlarge the shmem inode just for that.
*/
struct shmem_falloc {
+ int mode; /* FALLOC_FL mode currently operating */
pgoff_t start; /* start of range currently being fallocated */
pgoff_t next; /* the next page offset to be fallocated */
pgoff_t nr_falloced; /* how many new pages have been fallocated */
@@ -826,6 +827,7 @@ static int shmem_writepage(struct page *page, struct writeback_control *wbc)
spin_lock(&inode->i_lock);
shmem_falloc = inode->i_private;
if (shmem_falloc &&
+ !shmem_falloc->mode &&
index >= shmem_falloc->start &&
index < shmem_falloc->next)
shmem_falloc->nr_unswapped++;
@@ -1300,6 +1302,44 @@ static int shmem_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
int error;
int ret = VM_FAULT_LOCKED;
+ /*
+ * Trinity finds that probing a hole which tmpfs is punching can
+ * prevent the hole-punch from ever completing: which in turn
+ * locks writers out with its hold on i_mutex. So refrain from
+ * faulting pages into the hole while it's being punched, and
+ * wait on i_mutex to be released if vmf->flags permits.
+ */
+ if (unlikely(inode->i_private)) {
+ struct shmem_falloc *shmem_falloc;
+
+ spin_lock(&inode->i_lock);
+ shmem_falloc = inode->i_private;
+ if (!shmem_falloc ||
+ shmem_falloc->mode != FALLOC_FL_PUNCH_HOLE ||
+ vmf->pgoff < shmem_falloc->start ||
+ vmf->pgoff >= shmem_falloc->next)
+ shmem_falloc = NULL;
+ spin_unlock(&inode->i_lock);
+ /*
+ * i_lock has protected us from taking shmem_falloc seriously
+ * once return from shmem_fallocate() went back up that stack.
+ * i_lock does not serialize with i_mutex at all, but it does
+ * not matter if sometimes we wait unnecessarily, or sometimes
+ * miss out on waiting: we just need to make those cases rare.
+ */
+ if (shmem_falloc) {
+ if ((vmf->flags & FAULT_FLAG_ALLOW_RETRY) &&
+ !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) {
+ up_read(&vma->vm_mm->mmap_sem);
+ mutex_lock(&inode->i_mutex);
+ mutex_unlock(&inode->i_mutex);
+ return VM_FAULT_RETRY;
+ }
+ /* cond_resched? Leave that to GUP or return to user */
+ return VM_FAULT_NOPAGE;
+ }
+ }
+
error = shmem_getpage(inode, vmf->pgoff, &vmf->page, SGP_CACHE, &ret);
if (error)
return ((error == -ENOMEM) ? VM_FAULT_OOM : VM_FAULT_SIGBUS);
@@ -1815,18 +1855,26 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset,
mutex_lock(&inode->i_mutex);
+ shmem_falloc.mode = mode & ~FALLOC_FL_KEEP_SIZE;
+
if (mode & FALLOC_FL_PUNCH_HOLE) {
struct address_space *mapping = file->f_mapping;
loff_t unmap_start = round_up(offset, PAGE_SIZE);
loff_t unmap_end = round_down(offset + len, PAGE_SIZE) - 1;
+ shmem_falloc.start = unmap_start >> PAGE_SHIFT;
+ shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT;
+ spin_lock(&inode->i_lock);
+ inode->i_private = &shmem_falloc;
+ spin_unlock(&inode->i_lock);
+
if ((u64)unmap_end > (u64)unmap_start)
unmap_mapping_range(mapping, unmap_start,
1 + unmap_end - unmap_start, 0);
shmem_truncate_range(inode, offset, offset + len - 1);
/* No need to unmap again: hole-punching leaves COWed pages */
error = 0;
- goto out;
+ goto undone;
}
/* We need to check rlimit even when FALLOC_FL_KEEP_SIZE */
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 008/259] shmem: fix faulting into a hole, not taking i_mutex
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (6 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 007/259] shmem: fix faulting into a hole while it's punched Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 009/259] shmem: fix splicing from a hole while it's punched Kamal Mostafa
` (250 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Hugh Dickins, Vlastimil Babka, Konstantin Khlebnikov,
Johannes Weiner, Lukas Czerner, Dave Jones, Andrew Morton,
Linus Torvalds, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Hugh Dickins <hughd@google.com>
commit 8e205f779d1443a94b5ae81aa359cb535dd3021e upstream.
Commit f00cdc6df7d7 ("shmem: fix faulting into a hole while it's
punched") was buggy: Sasha sent a lockdep report to remind us that
grabbing i_mutex in the fault path is a no-no (write syscall may already
hold i_mutex while faulting user buffer).
We tried a completely different approach (see following patch) but that
proved inadequate: good enough for a rational workload, but not good
enough against trinity - which forks off so many mappings of the object
that contention on i_mmap_mutex while hole-puncher holds i_mutex builds
into serious starvation when concurrent faults force the puncher to fall
back to single-page unmap_mapping_range() searches of the i_mmap tree.
So return to the original umbrella approach, but keep away from i_mutex
this time. We really don't want to bloat every shmem inode with a new
mutex or completion, just to protect this unlikely case from trinity.
So extend the original with wait_queue_head on stack at the hole-punch
end, and wait_queue item on the stack at the fault end.
This involves further use of i_lock to guard against the races: lockdep
has been happy so far, and I see fs/inode.c:unlock_new_inode() holds
i_lock around wake_up_bit(), which is comparable to what we do here.
i_lock is more convenient, but we could switch to shmem's info->lock.
This issue has been tagged with CVE-2014-4171, which will require commit
f00cdc6df7d7 and this and the following patch to be backported: we
suggest to 3.1+, though in fact the trinity forkbomb effect might go
back as far as 2.6.16, when madvise(,,MADV_REMOVE) came in - or might
not, since much has changed, with i_mmap_mutex a spinlock before 3.0.
Anyone running trinity on 3.0 and earlier? I don't think we need care.
Signed-off-by: Hugh Dickins <hughd@google.com>
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Tested-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Konstantin Khlebnikov <koct9i@gmail.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Lukas Czerner <lczerner@redhat.com>
Cc: Dave Jones <davej@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
mm/shmem.c | 78 +++++++++++++++++++++++++++++++++++++++++---------------------
1 file changed, 52 insertions(+), 26 deletions(-)
diff --git a/mm/shmem.c b/mm/shmem.c
index 3f151d1..f83d9db 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -85,7 +85,7 @@ static struct vfsmount *shm_mnt;
* a time): we would prefer not to enlarge the shmem inode just for that.
*/
struct shmem_falloc {
- int mode; /* FALLOC_FL mode currently operating */
+ wait_queue_head_t *waitq; /* faults into hole wait for punch to end */
pgoff_t start; /* start of range currently being fallocated */
pgoff_t next; /* the next page offset to be fallocated */
pgoff_t nr_falloced; /* how many new pages have been fallocated */
@@ -827,7 +827,7 @@ static int shmem_writepage(struct page *page, struct writeback_control *wbc)
spin_lock(&inode->i_lock);
shmem_falloc = inode->i_private;
if (shmem_falloc &&
- !shmem_falloc->mode &&
+ !shmem_falloc->waitq &&
index >= shmem_falloc->start &&
index < shmem_falloc->next)
shmem_falloc->nr_unswapped++;
@@ -1306,38 +1306,58 @@ static int shmem_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
* Trinity finds that probing a hole which tmpfs is punching can
* prevent the hole-punch from ever completing: which in turn
* locks writers out with its hold on i_mutex. So refrain from
- * faulting pages into the hole while it's being punched, and
- * wait on i_mutex to be released if vmf->flags permits.
+ * faulting pages into the hole while it's being punched. Although
+ * shmem_undo_range() does remove the additions, it may be unable to
+ * keep up, as each new page needs its own unmap_mapping_range() call,
+ * and the i_mmap tree grows ever slower to scan if new vmas are added.
+ *
+ * It does not matter if we sometimes reach this check just before the
+ * hole-punch begins, so that one fault then races with the punch:
+ * we just need to make racing faults a rare case.
+ *
+ * The implementation below would be much simpler if we just used a
+ * standard mutex or completion: but we cannot take i_mutex in fault,
+ * and bloating every shmem inode for this unlikely case would be sad.
*/
if (unlikely(inode->i_private)) {
struct shmem_falloc *shmem_falloc;
spin_lock(&inode->i_lock);
shmem_falloc = inode->i_private;
- if (!shmem_falloc ||
- shmem_falloc->mode != FALLOC_FL_PUNCH_HOLE ||
- vmf->pgoff < shmem_falloc->start ||
- vmf->pgoff >= shmem_falloc->next)
- shmem_falloc = NULL;
- spin_unlock(&inode->i_lock);
- /*
- * i_lock has protected us from taking shmem_falloc seriously
- * once return from shmem_fallocate() went back up that stack.
- * i_lock does not serialize with i_mutex at all, but it does
- * not matter if sometimes we wait unnecessarily, or sometimes
- * miss out on waiting: we just need to make those cases rare.
- */
- if (shmem_falloc) {
+ if (shmem_falloc &&
+ shmem_falloc->waitq &&
+ vmf->pgoff >= shmem_falloc->start &&
+ vmf->pgoff < shmem_falloc->next) {
+ wait_queue_head_t *shmem_falloc_waitq;
+ DEFINE_WAIT(shmem_fault_wait);
+
+ ret = VM_FAULT_NOPAGE;
if ((vmf->flags & FAULT_FLAG_ALLOW_RETRY) &&
!(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) {
+ /* It's polite to up mmap_sem if we can */
up_read(&vma->vm_mm->mmap_sem);
- mutex_lock(&inode->i_mutex);
- mutex_unlock(&inode->i_mutex);
- return VM_FAULT_RETRY;
+ ret = VM_FAULT_RETRY;
}
- /* cond_resched? Leave that to GUP or return to user */
- return VM_FAULT_NOPAGE;
+
+ shmem_falloc_waitq = shmem_falloc->waitq;
+ prepare_to_wait(shmem_falloc_waitq, &shmem_fault_wait,
+ TASK_UNINTERRUPTIBLE);
+ spin_unlock(&inode->i_lock);
+ schedule();
+
+ /*
+ * shmem_falloc_waitq points into the shmem_fallocate()
+ * stack of the hole-punching task: shmem_falloc_waitq
+ * is usually invalid by the time we reach here, but
+ * finish_wait() does not dereference it in that case;
+ * though i_lock needed lest racing with wake_up_all().
+ */
+ spin_lock(&inode->i_lock);
+ finish_wait(shmem_falloc_waitq, &shmem_fault_wait);
+ spin_unlock(&inode->i_lock);
+ return ret;
}
+ spin_unlock(&inode->i_lock);
}
error = shmem_getpage(inode, vmf->pgoff, &vmf->page, SGP_CACHE, &ret);
@@ -1855,13 +1875,13 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset,
mutex_lock(&inode->i_mutex);
- shmem_falloc.mode = mode & ~FALLOC_FL_KEEP_SIZE;
-
if (mode & FALLOC_FL_PUNCH_HOLE) {
struct address_space *mapping = file->f_mapping;
loff_t unmap_start = round_up(offset, PAGE_SIZE);
loff_t unmap_end = round_down(offset + len, PAGE_SIZE) - 1;
+ DECLARE_WAIT_QUEUE_HEAD_ONSTACK(shmem_falloc_waitq);
+ shmem_falloc.waitq = &shmem_falloc_waitq;
shmem_falloc.start = unmap_start >> PAGE_SHIFT;
shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT;
spin_lock(&inode->i_lock);
@@ -1873,8 +1893,13 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset,
1 + unmap_end - unmap_start, 0);
shmem_truncate_range(inode, offset, offset + len - 1);
/* No need to unmap again: hole-punching leaves COWed pages */
+
+ spin_lock(&inode->i_lock);
+ inode->i_private = NULL;
+ wake_up_all(&shmem_falloc_waitq);
+ spin_unlock(&inode->i_lock);
error = 0;
- goto undone;
+ goto out;
}
/* We need to check rlimit even when FALLOC_FL_KEEP_SIZE */
@@ -1890,6 +1915,7 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset,
goto out;
}
+ shmem_falloc.waitq = NULL;
shmem_falloc.start = start;
shmem_falloc.next = start;
shmem_falloc.nr_falloced = 0;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 009/259] shmem: fix splicing from a hole while it's punched
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (7 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 008/259] shmem: fix faulting into a hole, not taking i_mutex Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 010/259] net: fix UDP tunnel GSO of frag_list GRO packets Kamal Mostafa
` (249 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Hugh Dickins, Konstantin Khlebnikov, Johannes Weiner,
Lukas Czerner, Dave Jones, Andrew Morton, Linus Torvalds,
Luis Henriques, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Hugh Dickins <hughd@google.com>
commit b1a366500bd537b50c3aad26dc7df083ec03a448 upstream.
shmem_fault() is the actual culprit in trinity's hole-punch starvation,
and the most significant cause of such problems: since a page faulted is
one that then appears page_mapped(), needing unmap_mapping_range() and
i_mmap_mutex to be unmapped again.
But it is not the only way in which a page can be brought into a hole in
the radix_tree while that hole is being punched; and Vlastimil's testing
implies that if enough other processors are busy filling in the hole,
then shmem_undo_range() can be kept from completing indefinitely.
shmem_file_splice_read() is the main other user of SGP_CACHE, which can
instantiate shmem pagecache pages in the read-only case (without holding
i_mutex, so perhaps concurrently with a hole-punch). Probably it's
silly not to use SGP_READ already (using the ZERO_PAGE for holes): which
ought to be safe, but might bring surprises - not a change to be rushed.
shmem_read_mapping_page_gfp() is an internal interface used by
drivers/gpu/drm GEM (and next by uprobes): it should be okay. And
shmem_file_read_iter() uses the SGP_DIRTY variant of SGP_CACHE, when
called internally by the kernel (perhaps for a stacking filesystem,
which might rely on holes to be reserved): it's unclear whether it could
be provoked to keep hole-punch busy or not.
We could apply the same umbrella as now used in shmem_fault() to
shmem_file_splice_read() and the others; but it looks ugly, and use over
a range raises questions - should it actually be per page? can these get
starved themselves?
The origin of this part of the problem is my v3.1 commit d0823576bf4b
("mm: pincer in truncate_inode_pages_range"), once it was duplicated
into shmem.c. It seemed like a nice idea at the time, to ensure
(barring RCU lookup fuzziness) that there's an instant when the entire
hole is empty; but the indefinitely repeated scans to ensure that make
it vulnerable.
Revert that "enhancement" to hole-punch from shmem_undo_range(), but
retain the unproblematic rescanning when it's truncating; add a couple
of comments there.
Remove the "indices[0] >= end" test: that is now handled satisfactorily
by the inner loop, and mem_cgroup_uncharge_start()/end() are too light
to be worth avoiding here.
But if we do not always loop indefinitely, we do need to handle the case
of swap swizzled back to page before shmem_free_swap() gets it: add a
retry for that case, as suggested by Konstantin Khlebnikov; and for the
case of page swizzled back to swap, as suggested by Johannes Weiner.
Signed-off-by: Hugh Dickins <hughd@google.com>
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Suggested-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Konstantin Khlebnikov <koct9i@gmail.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Lukas Czerner <lczerner@redhat.com>
Cc: Dave Jones <davej@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[ luis: backported to 3.11: used hughd's backport to 3.10.50 ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
mm/shmem.c | 24 +++++++++++++++---------
1 file changed, 15 insertions(+), 9 deletions(-)
diff --git a/mm/shmem.c b/mm/shmem.c
index f83d9db..de64924 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -534,22 +534,19 @@ static void shmem_undo_range(struct inode *inode, loff_t lstart, loff_t lend,
return;
index = start;
- for ( ; ; ) {
+ while (index < end) {
cond_resched();
pvec.nr = shmem_find_get_pages_and_swap(mapping, index,
min(end - index, (pgoff_t)PAGEVEC_SIZE),
pvec.pages, indices);
if (!pvec.nr) {
- if (index == start || unfalloc)
+ /* If all gone or hole-punch or unfalloc, we're done */
+ if (index == start || end != -1)
break;
+ /* But if truncating, restart to make sure all gone */
index = start;
continue;
}
- if ((index == start || unfalloc) && indices[0] >= end) {
- shmem_deswap_pagevec(&pvec);
- pagevec_release(&pvec);
- break;
- }
mem_cgroup_uncharge_start();
for (i = 0; i < pagevec_count(&pvec); i++) {
struct page *page = pvec.pages[i];
@@ -561,8 +558,12 @@ static void shmem_undo_range(struct inode *inode, loff_t lstart, loff_t lend,
if (radix_tree_exceptional_entry(page)) {
if (unfalloc)
continue;
- nr_swaps_freed += !shmem_free_swap(mapping,
- index, page);
+ if (shmem_free_swap(mapping, index, page)) {
+ /* Swap was replaced by page: retry */
+ index--;
+ break;
+ }
+ nr_swaps_freed++;
continue;
}
@@ -571,6 +572,11 @@ static void shmem_undo_range(struct inode *inode, loff_t lstart, loff_t lend,
if (page->mapping == mapping) {
VM_BUG_ON(PageWriteback(page));
truncate_inode_page(mapping, page);
+ } else {
+ /* Page was replaced by swap: retry */
+ unlock_page(page);
+ index--;
+ break;
}
}
unlock_page(page);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 010/259] net: fix UDP tunnel GSO of frag_list GRO packets
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (8 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 009/259] shmem: fix splicing from a hole while it's punched Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 011/259] ipvs: Fix panic due to non-linear skb Kamal Mostafa
` (248 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Wei-Chun Chao, David S. Miller, Dave Chiluk, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Wei-Chun Chao <weichunc@plumgrid.com>
commit 5882a07c72093dc3a18e2d2b129fb200686bb6ee upstream.
This patch fixes a kernel BUG_ON in skb_segment. It is hit when
testing two VMs on openvswitch with one VM acting as VXLAN gateway.
During VXLAN packet GSO, skb_segment is called with skb->data
pointing to inner TCP payload. skb_segment calls skb_network_protocol
to retrieve the inner protocol. skb_network_protocol actually expects
skb->data to point to MAC and it calls pskb_may_pull with ETH_HLEN.
This ends up pulling in ETH_HLEN data from header tail. As a result,
pskb_trim logic is skipped and BUG_ON is hit later.
Move skb_push in front of skb_network_protocol so that skb->data
lines up properly.
kernel BUG at net/core/skbuff.c:2999!
Call Trace:
[<ffffffff816ac412>] tcp_gso_segment+0x122/0x410
[<ffffffff816bc74c>] inet_gso_segment+0x13c/0x390
[<ffffffff8164b39b>] skb_mac_gso_segment+0x9b/0x170
[<ffffffff816b3658>] skb_udp_tunnel_segment+0xd8/0x390
[<ffffffff816b3c00>] udp4_ufo_fragment+0x120/0x140
[<ffffffff816bc74c>] inet_gso_segment+0x13c/0x390
[<ffffffff8109d742>] ? default_wake_function+0x12/0x20
[<ffffffff8164b39b>] skb_mac_gso_segment+0x9b/0x170
[<ffffffff8164b4d0>] __skb_gso_segment+0x60/0xc0
[<ffffffff8164b6b3>] dev_hard_start_xmit+0x183/0x550
[<ffffffff8166c91e>] sch_direct_xmit+0xfe/0x1d0
[<ffffffff8164bc94>] __dev_queue_xmit+0x214/0x4f0
[<ffffffff8164bf90>] dev_queue_xmit+0x10/0x20
[<ffffffff81687edb>] ip_finish_output+0x66b/0x890
[<ffffffff81688a58>] ip_output+0x58/0x90
[<ffffffff816c628f>] ? fib_table_lookup+0x29f/0x350
[<ffffffff816881c9>] ip_local_out_sk+0x39/0x50
[<ffffffff816cbfad>] iptunnel_xmit+0x10d/0x130
[<ffffffffa0212200>] vxlan_xmit_skb+0x1d0/0x330 [vxlan]
[<ffffffffa02a3919>] vxlan_tnl_send+0x129/0x1a0 [openvswitch]
[<ffffffffa02a2cd6>] ovs_vport_send+0x26/0xa0 [openvswitch]
[<ffffffffa029931e>] do_output+0x2e/0x50 [openvswitch]
Signed-off-by: Wei-Chun Chao <weichunc@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(backported from commit 5882a07c72093dc3a18e2d2b129fb200686bb6ee)
Signed-off-by: Dave Chiluk <chiluk@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/core/skbuff.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index f45d60d..f7eca05 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2785,12 +2785,13 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb,
int i = 0;
int pos;
+ __skb_push(head_skb, doffset);
proto = skb_network_protocol(head_skb);
if (unlikely(!proto))
return ERR_PTR(-EINVAL);
csum = !!can_checksum_protocol(features, proto);
- __skb_push(head_skb, doffset);
+
headroom = skb_headroom(head_skb);
pos = skb_headlen(head_skb);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 011/259] ipvs: Fix panic due to non-linear skb
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (9 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 010/259] net: fix UDP tunnel GSO of frag_list GRO packets Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 012/259] ALSA: hda/hdmi - apply all Haswell fix-ups to Broadwell display codec Kamal Mostafa
` (247 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Peter Christensen, Simon Horman, Chris J Arges, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Christensen <pch@ordbogen.com>
commit f44a5f45f544561302e855e7bd104e5f506ec01b upstream.
Receiving a ICMP response to an IPIP packet in a non-linear skb could
cause a kernel panic in __skb_pull.
The problem was introduced in
commit f2edb9f7706dcb2c0d9a362b2ba849efe3a97f5e ("ipvs: implement
passive PMTUD for IPIP packets").
Signed-off-by: Peter Christensen <pch@ordbogen.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
Cc: Chris J Arges <chris.j.arges@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/netfilter/ipvs/ip_vs_core.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 4f26ee4..3d2d2c8 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1392,15 +1392,19 @@ ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
if (ipip) {
__be32 info = ic->un.gateway;
+ __u8 type = ic->type;
+ __u8 code = ic->code;
/* Update the MTU */
if (ic->type == ICMP_DEST_UNREACH &&
ic->code == ICMP_FRAG_NEEDED) {
struct ip_vs_dest *dest = cp->dest;
u32 mtu = ntohs(ic->un.frag.mtu);
+ __be16 frag_off = cih->frag_off;
/* Strip outer IP and ICMP, go to IPIP header */
- __skb_pull(skb, ihl + sizeof(_icmph));
+ if (pskb_pull(skb, ihl + sizeof(_icmph)) == NULL)
+ goto ignore_ipip;
offset2 -= ihl + sizeof(_icmph);
skb_reset_network_header(skb);
IP_VS_DBG(12, "ICMP for IPIP %pI4->%pI4: mtu=%u\n",
@@ -1408,7 +1412,7 @@ ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
ipv4_update_pmtu(skb, dev_net(skb->dev),
mtu, 0, 0, 0, 0);
/* Client uses PMTUD? */
- if (!(cih->frag_off & htons(IP_DF)))
+ if (!(frag_off & htons(IP_DF)))
goto ignore_ipip;
/* Prefer the resulting PMTU */
if (dest) {
@@ -1427,12 +1431,13 @@ ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
/* Strip outer IP, ICMP and IPIP, go to IP header of
* original request.
*/
- __skb_pull(skb, offset2);
+ if (pskb_pull(skb, offset2) == NULL)
+ goto ignore_ipip;
skb_reset_network_header(skb);
IP_VS_DBG(12, "Sending ICMP for %pI4->%pI4: t=%u, c=%u, i=%u\n",
&ip_hdr(skb)->saddr, &ip_hdr(skb)->daddr,
- ic->type, ic->code, ntohl(info));
- icmp_send(skb, ic->type, ic->code, info);
+ type, code, ntohl(info));
+ icmp_send(skb, type, code, info);
/* ICMP can be shorter but anyways, account it */
ip_vs_out_stats(cp, skb);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 012/259] ALSA: hda/hdmi - apply all Haswell fix-ups to Broadwell display codec
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (10 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 011/259] ipvs: Fix panic due to non-linear skb Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 013/259] ALSA: hda - verify pin:converter connection on unsol event for HSW and VLV Kamal Mostafa
` (246 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Mengdong Lin, Takashi Iwai, David Henningsson, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Mengdong Lin <mengdong.lin@intel.com>
commit 75dcbe4dc251ebc28cdf0797b85774cdf53a4d29 upstream.
Broadwell and Haswell have the same behavior on display audio. So this patch
defines is_haswell_plus() to include codecs for both Haswell and its successor
Broadwell, and apply all Haswell fix-ups to Broadwell.
Signed-off-by: Mengdong Lin <mengdong.lin@intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Cc: David Henningsson <david.henningsson@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
sound/pci/hda/patch_hdmi.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
index 2f66de6..65d6dc0 100644
--- a/sound/pci/hda/patch_hdmi.c
+++ b/sound/pci/hda/patch_hdmi.c
@@ -46,6 +46,9 @@ module_param(static_hdmi_pcm, bool, 0644);
MODULE_PARM_DESC(static_hdmi_pcm, "Don't restrict PCM parameters per ELD info");
#define is_haswell(codec) ((codec)->vendor_id == 0x80862807)
+#define is_broadwell(codec) ((codec)->vendor_id == 0x80862808)
+#define is_haswell_plus(codec) (is_haswell(codec) || is_broadwell(codec))
+
#define is_valleyview(codec) ((codec)->vendor_id == 0x80862882)
struct hdmi_spec_per_cvt {
@@ -1114,7 +1117,7 @@ static void hdmi_setup_audio_infoframe(struct hda_codec *codec,
if (!channels)
return;
- if (is_haswell(codec))
+ if (is_haswell_plus(codec))
snd_hda_codec_write(codec, pin_nid, 0,
AC_VERB_SET_AMP_GAIN_MUTE,
AMP_OUT_UNMUTE);
@@ -1295,7 +1298,7 @@ static int hdmi_setup_stream(struct hda_codec *codec, hda_nid_t cvt_nid,
struct hdmi_spec *spec = codec->spec;
int err;
- if (is_haswell(codec))
+ if (is_haswell_plus(codec))
haswell_verify_D0(codec, cvt_nid, pin_nid);
err = spec->ops.pin_hbr_setup(codec, pin_nid, is_hbr_format(format));
@@ -1436,7 +1439,7 @@ static int hdmi_pcm_open(struct hda_pcm_stream *hinfo,
mux_idx);
/* configure unused pins to choose other converters */
- if (is_haswell(codec) || is_valleyview(codec))
+ if (is_haswell_plus(codec) || is_valleyview(codec))
intel_not_share_assigned_cvt(codec, per_pin->pin_nid, mux_idx);
snd_hda_spdif_ctls_assign(codec, pin_idx, per_cvt->cvt_nid);
@@ -1626,7 +1629,7 @@ static int hdmi_add_pin(struct hda_codec *codec, hda_nid_t pin_nid)
if (get_defcfg_connect(config) == AC_JACK_PORT_NONE)
return 0;
- if (is_haswell(codec))
+ if (is_haswell_plus(codec))
intel_haswell_fixup_connect_list(codec, pin_nid);
pin_idx = spec->num_pins;
@@ -2297,7 +2300,7 @@ static int patch_generic_hdmi(struct hda_codec *codec)
codec->spec = spec;
hdmi_array_init(spec, 4);
- if (is_haswell(codec)) {
+ if (is_haswell_plus(codec)) {
intel_haswell_enable_all_pins(codec, true);
intel_haswell_fixup_enable_dp12(codec);
}
@@ -2308,7 +2311,7 @@ static int patch_generic_hdmi(struct hda_codec *codec)
return -EINVAL;
}
codec->patch_ops = generic_hdmi_patch_ops;
- if (is_haswell(codec)) {
+ if (is_haswell_plus(codec)) {
codec->patch_ops.set_power_state = haswell_set_power_state;
codec->dp_mst = true;
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 013/259] ALSA: hda - verify pin:converter connection on unsol event for HSW and VLV
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (11 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 012/259] ALSA: hda/hdmi - apply all Haswell fix-ups to Broadwell display codec Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 014/259] ALSA: hda - verify pin:cvt connection on preparing a stream for Intel HDMI codec Kamal Mostafa
` (245 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Mengdong Lin, Takashi Iwai, David Henningsson, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Mengdong Lin <mengdong.lin@intel.com>
commit b4f75aea553a2146bbdd159c397a2ac42cbb9902 upstream.
This patch will verify the pin's coverter selection for an active stream
when an unsol event reports this pin becomes available again after a display
mode change or hot-plug event.
For Haswell+ and Valleyview: display mode change or hot-plug can change the
transcoder:port connection and make all the involved audio pins share the 1st
converter. So the stream using 1st convertor will flow to multiple pins
but active streams using other converters will fail. This workaround
is to assure the pin selects the right conveter and an assigned converter is
not shared by other unused pins.
Signed-off-by: Mengdong Lin <mengdong.lin@intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Cc: David Henningsson <david.henningsson@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
sound/pci/hda/patch_hdmi.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
index 65d6dc0..5cef6e1 100644
--- a/sound/pci/hda/patch_hdmi.c
+++ b/sound/pci/hda/patch_hdmi.c
@@ -1576,10 +1576,18 @@ static bool hdmi_present_sense(struct hdmi_spec_per_pin *per_pin, int repoll)
* Re-setup pin and infoframe. This is needed e.g. when
* - sink is first plugged-in (infoframe is not set up if !monitor_present)
* - transcoder can change during stream playback on Haswell
+ * and this can make HW reset converter selection on a pin.
*/
- if (eld->eld_valid && !old_eld_valid && per_pin->setup)
+ if (eld->eld_valid && !old_eld_valid && per_pin->setup) {
+ if (is_haswell_plus(codec) || is_valleyview(codec)) {
+ intel_verify_pin_cvt_connect(codec, per_pin);
+ intel_not_share_assigned_cvt(codec, pin_nid,
+ per_pin->mux_idx);
+ }
+
hdmi_setup_audio_infoframe(codec, per_pin,
per_pin->non_pcm);
+ }
}
if (eld_changed)
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 014/259] ALSA: hda - verify pin:cvt connection on preparing a stream for Intel HDMI codec
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (12 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 013/259] ALSA: hda - verify pin:converter connection on unsol event for HSW and VLV Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 015/259] x86/xen: safely map and unmap grant frames when in atomic context Kamal Mostafa
` (244 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Mengdong Lin, Takashi Iwai, David Henningsson, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Mengdong Lin <mengdong.lin@intel.com>
commit 2df6742f613840a0b0a1590fb28f7af5b058a673 upstream.
This is a temporary fix for some Intel HDMI codecs to avoid no sound output for
a resuming playback after S3.
After S3, the audio driver restores pin:cvt connection selections by
snd_hda_codec_resume_cache(). However this can happen before the gfx side is
ready and such connect selection is overlooked by HW. After gfx is ready, the
pins make the default selection again. And this will cause multiple pins share
a same convertor and mute control will affect each other. Thus a resumed audio
playback become silent after S3.
This patch verifies pin:cvt connection on preparing a stream, to assure the pin
selects the right convetor and an assigned convertor is not shared by other
unused pins. Apply this fix-up on Haswell, Broadwell and Valleyview (Baytrail).
We need this temporary fix before a reliable software communication channel is
established between audio and gfx, to sync audio/gfx operations.
Signed-off-by: Mengdong Lin <mengdong.lin@intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Cc: David Henningsson <david.henningsson@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
sound/pci/hda/patch_hdmi.c | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
index 5cef6e1..9c67b07 100644
--- a/sound/pci/hda/patch_hdmi.c
+++ b/sound/pci/hda/patch_hdmi.c
@@ -68,6 +68,7 @@ struct hdmi_spec_per_pin {
hda_nid_t pin_nid;
int num_mux_nids;
hda_nid_t mux_nids[HDA_MAX_CONNECTIONS];
+ int mux_idx;
hda_nid_t cvt_nid;
struct hda_codec *codec;
@@ -1343,6 +1344,8 @@ static int hdmi_choose_cvt(struct hda_codec *codec,
if (cvt_idx == spec->num_cvts)
return -ENODEV;
+ per_pin->mux_idx = mux_idx;
+
if (cvt_id)
*cvt_id = cvt_idx;
if (mux_id)
@@ -1351,6 +1354,22 @@ static int hdmi_choose_cvt(struct hda_codec *codec,
return 0;
}
+/* Assure the pin select the right convetor */
+static void intel_verify_pin_cvt_connect(struct hda_codec *codec,
+ struct hdmi_spec_per_pin *per_pin)
+{
+ hda_nid_t pin_nid = per_pin->pin_nid;
+ int mux_idx, curr;
+
+ mux_idx = per_pin->mux_idx;
+ curr = snd_hda_codec_read(codec, pin_nid, 0,
+ AC_VERB_GET_CONNECT_SEL, 0);
+ if (curr != mux_idx)
+ snd_hda_codec_write_cache(codec, pin_nid, 0,
+ AC_VERB_SET_CONNECT_SEL,
+ mux_idx);
+}
+
/* Intel HDMI workaround to fix audio routing issue:
* For some Intel display codecs, pins share the same connection list.
* So a conveter can be selected by multiple pins and playback on any of these
@@ -1775,6 +1794,19 @@ static int generic_hdmi_playback_pcm_prepare(struct hda_pcm_stream *hinfo,
bool non_pcm;
int pinctl;
+ if (is_haswell_plus(codec) || is_valleyview(codec)) {
+ /* Verify pin:cvt selections to avoid silent audio after S3.
+ * After S3, the audio driver restores pin:cvt selections
+ * but this can happen before gfx is ready and such selection
+ * is overlooked by HW. Thus multiple pins can share a same
+ * default convertor and mute control will affect each other,
+ * which can cause a resumed audio playback become silent
+ * after S3.
+ */
+ intel_verify_pin_cvt_connect(codec, per_pin);
+ intel_not_share_assigned_cvt(codec, pin_nid, per_pin->mux_idx);
+ }
+
non_pcm = check_non_pcm_per_cvt(codec, cvt_nid);
mutex_lock(&per_pin->lock);
per_pin->channels = substream->runtime->channels;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 015/259] x86/xen: safely map and unmap grant frames when in atomic context
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (13 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 014/259] ALSA: hda - verify pin:cvt connection on preparing a stream for Intel HDMI codec Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 016/259] ext4: Fix buffer double free in ext4_alloc_branch() Kamal Mostafa
` (243 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: David Vrabel, Konrad Rzeszutek Wilk, Stefan Bader, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: David Vrabel <david.vrabel@citrix.com>
commit b7dd0e350e0bd4c0fddcc9b8958342700b00b168 upstream.
arch_gnttab_map_frames() and arch_gnttab_unmap_frames() are called in
atomic context but were calling alloc_vm_area() which might sleep.
Also, if a driver attempts to allocate a grant ref from an interrupt
and the table needs expanding, then the CPU may already by in lazy MMU
mode and apply_to_page_range() will BUG when it tries to re-enable
lazy MMU mode.
These two functions are only used in PV guests.
Introduce arch_gnttab_init() to allocates the virtual address space in
advance.
Avoid the use of apply_to_page_range() by using saving and using the
array of PTE addresses from the alloc_vm_area() call (which ensures
that the required page tables are pre-allocated).
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
[ David Vrabel: Backported to 3.13.10. ]
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Cc: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/arm/xen/grant-table.c | 5 ++
arch/x86/xen/grant-table.c | 148 ++++++++++++++++++++++++++++-----------------
drivers/xen/grant-table.c | 5 ++
include/xen/grant_table.h | 1 +
4 files changed, 102 insertions(+), 57 deletions(-)
diff --git a/arch/arm/xen/grant-table.c b/arch/arm/xen/grant-table.c
index 859a9bb..91cf08b 100644
--- a/arch/arm/xen/grant-table.c
+++ b/arch/arm/xen/grant-table.c
@@ -51,3 +51,8 @@ int arch_gnttab_map_status(uint64_t *frames, unsigned long nr_gframes,
{
return -ENOSYS;
}
+
+int arch_gnttab_init(unsigned long nr_shared, unsigned long nr_status)
+{
+ return 0;
+}
diff --git a/arch/x86/xen/grant-table.c b/arch/x86/xen/grant-table.c
index 3a5f55d..4d2c9bf 100644
--- a/arch/x86/xen/grant-table.c
+++ b/arch/x86/xen/grant-table.c
@@ -36,92 +36,126 @@
#include <linux/sched.h>
#include <linux/mm.h>
+#include <linux/slab.h>
#include <linux/vmalloc.h>
#include <xen/interface/xen.h>
#include <xen/page.h>
#include <xen/grant_table.h>
+#include <xen/xen.h>
#include <asm/pgtable.h>
-static int map_pte_fn(pte_t *pte, struct page *pmd_page,
- unsigned long addr, void *data)
-{
- unsigned long **frames = (unsigned long **)data;
-
- set_pte_at(&init_mm, addr, pte, mfn_pte((*frames)[0], PAGE_KERNEL));
- (*frames)++;
- return 0;
-}
-
-/*
- * This function is used to map shared frames to store grant status. It is
- * different from map_pte_fn above, the frames type here is uint64_t.
- */
-static int map_pte_fn_status(pte_t *pte, struct page *pmd_page,
- unsigned long addr, void *data)
-{
- uint64_t **frames = (uint64_t **)data;
-
- set_pte_at(&init_mm, addr, pte, mfn_pte((*frames)[0], PAGE_KERNEL));
- (*frames)++;
- return 0;
-}
-
-static int unmap_pte_fn(pte_t *pte, struct page *pmd_page,
- unsigned long addr, void *data)
-{
-
- set_pte_at(&init_mm, addr, pte, __pte(0));
- return 0;
-}
+static struct gnttab_vm_area {
+ struct vm_struct *area;
+ pte_t **ptes;
+} gnttab_shared_vm_area, gnttab_status_vm_area;
int arch_gnttab_map_shared(unsigned long *frames, unsigned long nr_gframes,
unsigned long max_nr_gframes,
void **__shared)
{
- int rc;
void *shared = *__shared;
+ unsigned long addr;
+ unsigned long i;
+
+ if (shared == NULL)
+ *__shared = shared = gnttab_shared_vm_area.area->addr;
- if (shared == NULL) {
- struct vm_struct *area =
- alloc_vm_area(PAGE_SIZE * max_nr_gframes, NULL);
- BUG_ON(area == NULL);
- shared = area->addr;
- *__shared = shared;
+ addr = (unsigned long)shared;
+
+ for (i = 0; i < nr_gframes; i++) {
+ set_pte_at(&init_mm, addr, gnttab_shared_vm_area.ptes[i],
+ mfn_pte(frames[i], PAGE_KERNEL));
+ addr += PAGE_SIZE;
}
- rc = apply_to_page_range(&init_mm, (unsigned long)shared,
- PAGE_SIZE * nr_gframes,
- map_pte_fn, &frames);
- return rc;
+ return 0;
}
int arch_gnttab_map_status(uint64_t *frames, unsigned long nr_gframes,
unsigned long max_nr_gframes,
grant_status_t **__shared)
{
- int rc;
grant_status_t *shared = *__shared;
+ unsigned long addr;
+ unsigned long i;
+
+ if (shared == NULL)
+ *__shared = shared = gnttab_status_vm_area.area->addr;
- if (shared == NULL) {
- /* No need to pass in PTE as we are going to do it
- * in apply_to_page_range anyhow. */
- struct vm_struct *area =
- alloc_vm_area(PAGE_SIZE * max_nr_gframes, NULL);
- BUG_ON(area == NULL);
- shared = area->addr;
- *__shared = shared;
+ addr = (unsigned long)shared;
+
+ for (i = 0; i < nr_gframes; i++) {
+ set_pte_at(&init_mm, addr, gnttab_status_vm_area.ptes[i],
+ mfn_pte(frames[i], PAGE_KERNEL));
+ addr += PAGE_SIZE;
}
- rc = apply_to_page_range(&init_mm, (unsigned long)shared,
- PAGE_SIZE * nr_gframes,
- map_pte_fn_status, &frames);
- return rc;
+ return 0;
}
void arch_gnttab_unmap(void *shared, unsigned long nr_gframes)
{
- apply_to_page_range(&init_mm, (unsigned long)shared,
- PAGE_SIZE * nr_gframes, unmap_pte_fn, NULL);
+ pte_t **ptes;
+ unsigned long addr;
+ unsigned long i;
+
+ if (shared == gnttab_status_vm_area.area->addr)
+ ptes = gnttab_status_vm_area.ptes;
+ else
+ ptes = gnttab_shared_vm_area.ptes;
+
+ addr = (unsigned long)shared;
+
+ for (i = 0; i < nr_gframes; i++) {
+ set_pte_at(&init_mm, addr, ptes[i], __pte(0));
+ addr += PAGE_SIZE;
+ }
+}
+
+static int arch_gnttab_valloc(struct gnttab_vm_area *area, unsigned nr_frames)
+{
+ area->ptes = kmalloc(sizeof(pte_t *) * nr_frames, GFP_KERNEL);
+ if (area->ptes == NULL)
+ return -ENOMEM;
+
+ area->area = alloc_vm_area(PAGE_SIZE * nr_frames, area->ptes);
+ if (area->area == NULL) {
+ kfree(area->ptes);
+ return -ENOMEM;
+ }
+
+ return 0;
+}
+
+static void arch_gnttab_vfree(struct gnttab_vm_area *area)
+{
+ free_vm_area(area->area);
+ kfree(area->ptes);
+}
+
+int arch_gnttab_init(unsigned long nr_shared, unsigned long nr_status)
+{
+ int ret;
+
+ if (!xen_pv_domain())
+ return 0;
+
+ ret = arch_gnttab_valloc(&gnttab_shared_vm_area, nr_shared);
+ if (ret < 0)
+ return ret;
+
+ /*
+ * Always allocate the space for the status frames in case
+ * we're migrated to a host with V2 support.
+ */
+ ret = arch_gnttab_valloc(&gnttab_status_vm_area, nr_status);
+ if (ret < 0)
+ goto err;
+
+ return 0;
+ err:
+ arch_gnttab_vfree(&gnttab_shared_vm_area);
+ return -ENOMEM;
}
diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c
index aa846a4..b983a99 100644
--- a/drivers/xen/grant-table.c
+++ b/drivers/xen/grant-table.c
@@ -1250,6 +1250,11 @@ int gnttab_init(void)
}
}
+ ret = arch_gnttab_init(boot_max_nr_grant_frames,
+ nr_status_frames(boot_max_nr_grant_frames));
+ if (ret < 0)
+ goto ini_nomem;
+
if (gnttab_setup() < 0) {
ret = -ENODEV;
goto ini_nomem;
diff --git a/include/xen/grant_table.h b/include/xen/grant_table.h
index 694dcaf..bbb6c50 100644
--- a/include/xen/grant_table.h
+++ b/include/xen/grant_table.h
@@ -170,6 +170,7 @@ gnttab_set_unmap_op(struct gnttab_unmap_grant_ref *unmap, phys_addr_t addr,
unmap->dev_bus_addr = 0;
}
+int arch_gnttab_init(unsigned long nr_shared, unsigned long nr_status);
int arch_gnttab_map_shared(xen_pfn_t *frames, unsigned long nr_gframes,
unsigned long max_nr_gframes,
void **__shared);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 016/259] ext4: Fix buffer double free in ext4_alloc_branch()
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (14 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 015/259] x86/xen: safely map and unmap grant frames when in atomic context Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 017/259] ARM: OMAP2+: Fix parser-bug in platform muxing code Kamal Mostafa
` (242 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Jan Kara, Theodore Ts'o, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
commit c5c7b8ddfbf8cb3b2291e515a34ab1b8982f5a2d upstream.
Error recovery in ext4_alloc_branch() calls ext4_forget() even for
buffer corresponding to indirect block it did not allocate. This leads
to brelse() being called twice for that buffer (once from ext4_forget()
and once from cleanup in ext4_ind_map_blocks()) leading to buffer use
count misaccounting. Eventually (but often much later because there
are other users of the buffer) we will see messages like:
VFS: brelse: Trying to free free buffer
Another manifestation of this problem is an error:
JBD2 unexpected failure: jbd2_journal_revoke: !buffer_revoked(bh);
inconsistent data on disk
The fix is easy - don't forget buffer we did not allocate. Also add an
explanatory comment because the indexing at ext4_alloc_branch() is
somewhat subtle.
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
fs/ext4/indirect.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/fs/ext4/indirect.c b/fs/ext4/indirect.c
index 594009f..3b91d24 100644
--- a/fs/ext4/indirect.c
+++ b/fs/ext4/indirect.c
@@ -389,7 +389,13 @@ static int ext4_alloc_branch(handle_t *handle, struct inode *inode,
return 0;
failed:
for (; i >= 0; i--) {
- if (i != indirect_blks && branch[i].bh)
+ /*
+ * We want to ext4_forget() only freshly allocated indirect
+ * blocks. Buffer for new_blocks[i-1] is at branch[i].bh and
+ * buffer at branch[0].bh is indirect block / inode already
+ * existing before ext4_alloc_branch() was called.
+ */
+ if (i > 0 && i != indirect_blks && branch[i].bh)
ext4_forget(handle, 1, inode, branch[i].bh,
branch[i].bh->b_blocknr);
ext4_free_blocks(handle, inode, NULL, new_blocks[i],
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 017/259] ARM: OMAP2+: Fix parser-bug in platform muxing code
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (15 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 016/259] ext4: Fix buffer double free in ext4_alloc_branch() Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 018/259] KVM: x86: Increase the number of fixed MTRR regs to 10 Kamal Mostafa
` (241 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: David R. Piegdon, Tony Lindgren, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: "David R. Piegdon" <lkml@p23q.org>
commit c021f241f4fab2bb4fc4120a38a828a03dd3f970 upstream.
Fix a parser-bug in the omap2 muxing code where muxtable-entries will be
wrongly selected if the requested muxname is a *prefix* of their
m0-entry and they have a matching mN-entry. Fix by additionally checking
that the length of the m0_entry is equal.
For example muxing of "dss_data2.dss_data2" on omap32xx will fail
because the prefix "dss_data2" will match the mux-entries "dss_data2" as
well as "dss_data20", with the suffix "dss_data2" matching m0 (for
dss_data2) and m4 (for dss_data20). Thus both are recognized as signal
path candidates:
Relevant muxentries from mux34xx.c:
_OMAP3_MUXENTRY(DSS_DATA20, 90,
"dss_data20", NULL, "mcspi3_somi", "dss_data2",
"gpio_90", NULL, NULL, "safe_mode"),
_OMAP3_MUXENTRY(DSS_DATA2, 72,
"dss_data2", NULL, NULL, NULL,
"gpio_72", NULL, NULL, "safe_mode"),
This will result in a failure to mux the pin at all:
_omap_mux_get_by_name: Multiple signal paths (2) for dss_data2.dss_data2
Patch should apply to linus' latest master down to rather old linux-2.6
trees.
Signed-off-by: David R. Piegdon <lkml@p23q.org>
[tony@atomide.com: updated description to include full description]
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/arm/mach-omap2/mux.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/arch/arm/mach-omap2/mux.c b/arch/arm/mach-omap2/mux.c
index 48094b5..b12a4f9 100644
--- a/arch/arm/mach-omap2/mux.c
+++ b/arch/arm/mach-omap2/mux.c
@@ -183,8 +183,10 @@ static int __init _omap_mux_get_by_name(struct omap_mux_partition *partition,
m0_entry = mux->muxnames[0];
/* First check for full name in mode0.muxmode format */
- if (mode0_len && strncmp(muxname, m0_entry, mode0_len))
- continue;
+ if (mode0_len)
+ if (strncmp(muxname, m0_entry, mode0_len) ||
+ (strlen(m0_entry) != mode0_len))
+ continue;
/* Then check for muxmode only */
for (i = 0; i < OMAP_MUX_NR_MODES; i++) {
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 018/259] KVM: x86: Increase the number of fixed MTRR regs to 10
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (16 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 017/259] ARM: OMAP2+: Fix parser-bug in platform muxing code Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 019/259] KVM: x86: preserve the high 32-bits of the PAT register Kamal Mostafa
` (240 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Nadav Amit, Paolo Bonzini, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Nadav Amit <namit@cs.technion.ac.il>
commit 682367c494869008eb89ef733f196e99415ae862 upstream.
Recent Intel CPUs have 10 variable range MTRRs. Since operating systems
sometime make assumptions on CPUs while they ignore capability MSRs, it is
better for KVM to be consistent with recent CPUs. Reporting more MTRRs than
actually supported has no functional implications.
Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/x86/include/asm/kvm_host.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index ae5d783..2a01832 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -99,7 +99,7 @@ static inline gfn_t gfn_to_index(gfn_t gfn, gfn_t base_gfn, int level)
#define KVM_REFILL_PAGES 25
#define KVM_MAX_CPUID_ENTRIES 80
#define KVM_NR_FIXED_MTRR_REGION 88
-#define KVM_NR_VAR_MTRR 8
+#define KVM_NR_VAR_MTRR 10
#define ASYNC_PF_PER_VCPU 64
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 019/259] KVM: x86: preserve the high 32-bits of the PAT register
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (17 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 018/259] KVM: x86: Increase the number of fixed MTRR regs to 10 Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 020/259] usb: musb: ux500: don't propagate the OF node Kamal Mostafa
` (239 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Paolo Bonzini, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Bonzini <pbonzini@redhat.com>
commit 7cb060a91c0efc5ff94f83c6df3ed705e143cdb9 upstream.
KVM does not really do much with the PAT, so this went unnoticed for a
long time. It is exposed however if you try to do rdmsr on the PAT
register.
Reported-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/x86/include/asm/kvm_host.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index 2a01832..c16aef8 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -462,7 +462,7 @@ struct kvm_vcpu_arch {
bool nmi_injected; /* Trying to inject an NMI this entry */
struct mtrr_state_type mtrr_state;
- u32 pat;
+ u64 pat;
int switch_db_regs;
unsigned long db[KVM_NR_DB_REGS];
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 020/259] usb: musb: ux500: don't propagate the OF node
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (18 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 019/259] KVM: x86: preserve the high 32-bits of the PAT register Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 021/259] usb: gadget: f_fs: fix NULL pointer dereference when there are no strings Kamal Mostafa
` (238 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Arnd Bergmann, Linus Walleij, Felipe Balbi, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Linus Walleij <linus.walleij@linaro.org>
commit 82363cf2eeafeea6ba88849f5e2febdc8a05943f upstream.
There is a regression in the upcoming v3.16-rc1, that is caused
by a problem that has been around for a while but now finally
hangs the system. The bootcrawl looks like this:
pinctrl-nomadik soc:pinctrl: pin GPIO256_AF28 already
requested by a03e0000.usb_per5; cannot claim for musb-hdrc.0.auto
pinctrl-nomadik soc:pinctrl: pin-256 (musb-hdrc.0.auto) status -22
pinctrl-nomadik soc:pinctrl: could not request pin 256
(GPIO256_AF28) from group usb_a_1 on device pinctrl-nomadik
musb-hdrc musb-hdrc.0.auto: Error applying setting, reverse
things back
HS USB OTG: no transceiver configured
musb-hdrc musb-hdrc.0.auto: musb_init_controller failed
with status -517
platform musb-hdrc.0.auto: Driver musb-hdrc requests
probe deferral
(...)
The ux500 MUSB driver propagates the OF node to the dynamically
created musb-hdrc device, which is incorrect as it makes the OF
core believe there are two devices spun from the very same
DT node, which confuses other parts of the device core, notably
the pin control subsystem, which will try to apply all the pin
control settings also to the HDRC device as it gets
instantiated. (The OMAP2430 for example, does not set the
of_node member.)
Cc: Arnd Bergmann <arnd@arndb.de>
Acked-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/usb/musb/ux500.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/usb/musb/ux500.c b/drivers/usb/musb/ux500.c
index 122446b..ebef58d 100644
--- a/drivers/usb/musb/ux500.c
+++ b/drivers/usb/musb/ux500.c
@@ -275,7 +275,6 @@ static int ux500_probe(struct platform_device *pdev)
musb->dev.parent = &pdev->dev;
musb->dev.dma_mask = &pdev->dev.coherent_dma_mask;
musb->dev.coherent_dma_mask = pdev->dev.coherent_dma_mask;
- musb->dev.of_node = pdev->dev.of_node;
glue->dev = &pdev->dev;
glue->musb = musb;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 021/259] usb: gadget: f_fs: fix NULL pointer dereference when there are no strings
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (19 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 020/259] usb: musb: ux500: don't propagate the OF node Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 022/259] staging: iio/ad7291: fix error code in ad7291_probe() Kamal Mostafa
` (237 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Michal Nazarewicz, Felipe Balbi, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Nazarewicz <mina86@mina86.com>
commit f0688c8b81d2ea239c3fb0b848f623b579238d99 upstream.
If the descriptors do not need any strings and user space sends empty
set of strings, the ffs->stringtabs field remains NULL. Thus
*ffs->stringtabs in functionfs_bind leads to a NULL pointer
dereferenece.
The bug was introduced by commit [fd7c9a007f: “use usb_string_ids_n()”].
While at it, remove double initialisation of lang local variable in
that function.
ffs->strings_count does not need to be checked in any way since in
the above scenario it will remain zero and usb_string_ids_n() is
a no-operation when colled with 0 argument.
Signed-off-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/usb/gadget/f_fs.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/drivers/usb/gadget/f_fs.c b/drivers/usb/gadget/f_fs.c
index 241fc87..dfa83df 100644
--- a/drivers/usb/gadget/f_fs.c
+++ b/drivers/usb/gadget/f_fs.c
@@ -1389,11 +1389,13 @@ static int functionfs_bind(struct ffs_data *ffs, struct usb_composite_dev *cdev)
ffs->ep0req->context = ffs;
lang = ffs->stringtabs;
- for (lang = ffs->stringtabs; *lang; ++lang) {
- struct usb_string *str = (*lang)->strings;
- int id = first_id;
- for (; str->s; ++id, ++str)
- str->id = id;
+ if (lang) {
+ for (; *lang; ++lang) {
+ struct usb_string *str = (*lang)->strings;
+ int id = first_id;
+ for (; str->s; ++id, ++str)
+ str->id = id;
+ }
}
ffs->gadget = cdev->gadget;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 022/259] staging: iio/ad7291: fix error code in ad7291_probe()
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (20 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 021/259] usb: gadget: f_fs: fix NULL pointer dereference when there are no strings Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 023/259] iio: of_iio_channel_get_by_name() returns non-null pointers for error legs Kamal Mostafa
` (236 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Dan Carpenter, Jonathan Cameron, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit b70e19c222a64018d308ebc80333575aff9f4e51 upstream.
We should be returning a negative error code instead of success here.
This would have been detected by GCC, except that the "ret" variable was
initialized with a bogus value to disable GCC's uninitialized variable
warnings. I've cleaned that up, as well.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/staging/iio/adc/ad7291.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/iio/adc/ad7291.c b/drivers/staging/iio/adc/ad7291.c
index d13f8ae..6c88359 100644
--- a/drivers/staging/iio/adc/ad7291.c
+++ b/drivers/staging/iio/adc/ad7291.c
@@ -465,7 +465,7 @@ static int ad7291_probe(struct i2c_client *client,
struct ad7291_platform_data *pdata = client->dev.platform_data;
struct ad7291_chip_info *chip;
struct iio_dev *indio_dev;
- int ret = 0;
+ int ret;
indio_dev = devm_iio_device_alloc(&client->dev, sizeof(*chip));
if (!indio_dev)
@@ -475,7 +475,7 @@ static int ad7291_probe(struct i2c_client *client,
if (pdata && pdata->use_external_ref) {
chip->reg = devm_regulator_get(&client->dev, "vref");
if (IS_ERR(chip->reg))
- return ret;
+ return PTR_ERR(chip->reg);
ret = regulator_enable(chip->reg);
if (ret)
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 023/259] iio: of_iio_channel_get_by_name() returns non-null pointers for error legs
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (21 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 022/259] staging: iio/ad7291: fix error code in ad7291_probe() Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 024/259] irqchip: spear_shirq: Fix interrupt offset Kamal Mostafa
` (235 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Adam Thomson, Jonathan Cameron, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Adam Thomson <Adam.Thomson.Opensource@diasemi.com>
commit a2c12493ed7e63a18cef33a71686d12ffcd6600e upstream.
Currently in the inkern.c code for IIO framework, the function
of_iio_channel_get_by_name() will return a non-NULL pointer when
it cannot find a channel using of_iio_channel_get() and when it
tries to search for 'io-channel-ranges' property and fails. This
is incorrect behaviour as the function which calls this expects
a NULL pointer for failure. This patch rectifies the issue.
Signed-off-by: Adam Thomson <Adam.Thomson.Opensource@diasemi.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/iio/inkern.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/iio/inkern.c b/drivers/iio/inkern.c
index 0cf5f8e..1e8e94d 100644
--- a/drivers/iio/inkern.c
+++ b/drivers/iio/inkern.c
@@ -183,7 +183,7 @@ static struct iio_channel *of_iio_channel_get_by_name(struct device_node *np,
else if (name && index >= 0) {
pr_err("ERROR: could not get IIO channel %s:%s(%i)\n",
np->full_name, name ? name : "", index);
- return chan;
+ return NULL;
}
/*
@@ -193,8 +193,9 @@ static struct iio_channel *of_iio_channel_get_by_name(struct device_node *np,
*/
np = np->parent;
if (np && !of_get_property(np, "io-channel-ranges", NULL))
- break;
+ return NULL;
}
+
return chan;
}
@@ -317,6 +318,7 @@ struct iio_channel *iio_channel_get(struct device *dev,
if (channel != NULL)
return channel;
}
+
return iio_channel_get_sys(name, channel_name);
}
EXPORT_SYMBOL_GPL(iio_channel_get);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 024/259] irqchip: spear_shirq: Fix interrupt offset
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (22 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 023/259] iio: of_iio_channel_get_by_name() returns non-null pointers for error legs Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 025/259] USB: option: add device ID for SpeedUp SU9800 usb 3g modem Kamal Mostafa
` (234 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Thomas Gleixner, Jason Cooper, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
commit 4f4366033945419b0c52118c29d3057d7c558765 upstream.
The ras3 block on spear320 claims to have 3 interrupts. In fact it has
one and 6 reserved interrupts. Account the 6 reserved to this block so
it has 7 interrupts total. That matches the datasheet and the device
tree entries.
Broken since commit 80515a5a(ARM: SPEAr3xx: shirq: simplify and move
the shared irq multiplexor to DT). Testing is overrated....
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/20140619212712.872379208@linutronix.de
Fixes: 80515a5a2e3c ('ARM: SPEAr3xx: shirq: simplify and move the shared irq multiplexor to DT')
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Jason Cooper <jason@lakedaemon.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/irqchip/spear-shirq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/irqchip/spear-shirq.c b/drivers/irqchip/spear-shirq.c
index 8527743..391b9ce 100644
--- a/drivers/irqchip/spear-shirq.c
+++ b/drivers/irqchip/spear-shirq.c
@@ -125,7 +125,7 @@ static struct spear_shirq spear320_shirq_ras2 = {
};
static struct spear_shirq spear320_shirq_ras3 = {
- .irq_nr = 3,
+ .irq_nr = 7,
.irq_bit_off = 0,
.invalid_irq = 1,
.regs = {
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 025/259] USB: option: add device ID for SpeedUp SU9800 usb 3g modem
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (23 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 024/259] irqchip: spear_shirq: Fix interrupt offset Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 026/259] USB: ftdi_sio: fix null deref at port probe Kamal Mostafa
` (233 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Oliver Neukum, Johan Hovold, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.de>
commit 1cab4c68e339086cdaff7535848e878e8f261fca upstream.
Reported by Alif Mubarak Ahmad:
This device vendor and product id is 1c9e:9800
It is working as serial interface with generic usbserial driver.
I thought it is more suitable to use usbserial option driver, which has
better capability distinguishing between modem serial interface and
micro sd storage interface.
[ johan: style changes ]
Signed-off-by: Oliver Neukum <oneukum@suse.de>
Tested-by: Alif Mubarak Ahmad <alive4ever@live.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/usb/serial/option.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
index 948a19f..407396d 100644
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -352,6 +352,9 @@ static void option_instat_callback(struct urb *urb);
/* Zoom */
#define ZOOM_PRODUCT_4597 0x9607
+/* SpeedUp SU9800 usb 3g modem */
+#define SPEEDUP_PRODUCT_SU9800 0x9800
+
/* Haier products */
#define HAIER_VENDOR_ID 0x201e
#define HAIER_PRODUCT_CE100 0x2009
@@ -1577,6 +1580,7 @@ static const struct usb_device_id option_ids[] = {
{ USB_DEVICE(LONGCHEER_VENDOR_ID, FOUR_G_SYSTEMS_PRODUCT_W14),
.driver_info = (kernel_ulong_t)&four_g_w14_blacklist
},
+ { USB_DEVICE_INTERFACE_CLASS(LONGCHEER_VENDOR_ID, SPEEDUP_PRODUCT_SU9800, 0xff) },
{ USB_DEVICE(LONGCHEER_VENDOR_ID, ZOOM_PRODUCT_4597) },
{ USB_DEVICE(LONGCHEER_VENDOR_ID, IBALL_3_5G_CONNECT) },
{ USB_DEVICE(HAIER_VENDOR_ID, HAIER_PRODUCT_CE100) },
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 026/259] USB: ftdi_sio: fix null deref at port probe
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (24 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 025/259] USB: option: add device ID for SpeedUp SU9800 usb 3g modem Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 027/259] usb: option: add/modify Olivetti Olicard modems Kamal Mostafa
` (232 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Johan Hovold, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit aea1ae8760314e072bf1b773521e9de5d5dda10d upstream.
Fix NULL-pointer dereference when probing an interface with no
endpoints.
These devices have two bulk endpoints per interface, but this avoids
crashing the kernel if a user forces a non-FTDI device to be probed.
Note that the iterator variable was made unsigned in order to avoid
a maybe-uninitialized compiler warning for ep_desc after the loop.
Fixes: 895f28badce9 ("USB: ftdi_sio: fix hi-speed device packet size
calculation")
Reported-by: Mike Remski <mremski@mutualink.net>
Tested-by: Mike Remski <mremski@mutualink.net>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/usb/serial/ftdi_sio.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
index f009887..244c00f 100644
--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -1567,14 +1567,17 @@ static void ftdi_set_max_packet_size(struct usb_serial_port *port)
struct usb_device *udev = serial->dev;
struct usb_interface *interface = serial->interface;
- struct usb_endpoint_descriptor *ep_desc = &interface->cur_altsetting->endpoint[1].desc;
+ struct usb_endpoint_descriptor *ep_desc;
unsigned num_endpoints;
- int i;
+ unsigned i;
num_endpoints = interface->cur_altsetting->desc.bNumEndpoints;
dev_info(&udev->dev, "Number of endpoints %d\n", num_endpoints);
+ if (!num_endpoints)
+ return;
+
/* NOTE: some customers have programmed FT232R/FT245R devices
* with an endpoint size of 0 - not good. In this case, we
* want to override the endpoint descriptor setting and use a
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 027/259] usb: option: add/modify Olivetti Olicard modems
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (25 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 026/259] USB: ftdi_sio: fix null deref at port probe Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 028/259] scsi_error: fix invalid setting of host byte Kamal Mostafa
` (231 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Bjørn Mork, Johan Hovold, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
commit b0ebef36e93703e59003ad6a1a20227e47714417 upstream.
Adding a couple of Olivetti modems and blacklisting the net
function on a couple which are already supported.
Reported-by: Lars Melin <larsm17@gmail.com>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/usb/serial/option.c | 22 ++++++++++++++++------
1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
index 407396d..7438f67 100644
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -375,8 +375,12 @@ static void option_instat_callback(struct urb *urb);
/* Olivetti products */
#define OLIVETTI_VENDOR_ID 0x0b3c
#define OLIVETTI_PRODUCT_OLICARD100 0xc000
+#define OLIVETTI_PRODUCT_OLICARD120 0xc001
+#define OLIVETTI_PRODUCT_OLICARD140 0xc002
#define OLIVETTI_PRODUCT_OLICARD145 0xc003
+#define OLIVETTI_PRODUCT_OLICARD155 0xc004
#define OLIVETTI_PRODUCT_OLICARD200 0xc005
+#define OLIVETTI_PRODUCT_OLICARD160 0xc00a
#define OLIVETTI_PRODUCT_OLICARD500 0xc00b
/* Celot products */
@@ -1615,15 +1619,21 @@ static const struct usb_device_id option_ids[] = {
{ USB_DEVICE(SIEMENS_VENDOR_ID, CINTERION_PRODUCT_HC25_MDMNET) },
{ USB_DEVICE(SIEMENS_VENDOR_ID, CINTERION_PRODUCT_HC28_MDM) }, /* HC28 enumerates with Siemens or Cinterion VID depending on FW revision */
{ USB_DEVICE(SIEMENS_VENDOR_ID, CINTERION_PRODUCT_HC28_MDMNET) },
-
- { USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD100) },
+ { USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD100),
+ .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+ { USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD120),
+ .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+ { USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD140),
+ .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
{ USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD145) },
+ { USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD155),
+ .driver_info = (kernel_ulong_t)&net_intf6_blacklist },
{ USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD200),
- .driver_info = (kernel_ulong_t)&net_intf6_blacklist
- },
+ .driver_info = (kernel_ulong_t)&net_intf6_blacklist },
+ { USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD160),
+ .driver_info = (kernel_ulong_t)&net_intf6_blacklist },
{ USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD500),
- .driver_info = (kernel_ulong_t)&net_intf4_blacklist
- },
+ .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
{ USB_DEVICE(CELOT_VENDOR_ID, CELOT_PRODUCT_CT680M) }, /* CT-650 CDMA 450 1xEVDO modem */
{ USB_DEVICE_AND_INTERFACE_INFO(SAMSUNG_VENDOR_ID, SAMSUNG_PRODUCT_GT_B3730, USB_CLASS_CDC_DATA, 0x00, 0x00) }, /* Samsung GT-B3730 LTE USB modem.*/
{ USB_DEVICE(YUGA_VENDOR_ID, YUGA_PRODUCT_CEM600) },
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 028/259] scsi_error: fix invalid setting of host byte
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (26 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 027/259] usb: option: add/modify Olivetti Olicard modems Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 029/259] xhci: Use correct SLOT ID when handling a reset device command Kamal Mostafa
` (230 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Ulrich Obergfell, Paolo Bonzini, Christoph Hellwig, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Ulrich Obergfell <uobergfe@redhat.com>
commit 8922a908908ff947f1f211e07e2e97f1169ad3cb upstream.
After scsi_try_to_abort_cmd returns, the eh_abort_handler may have
already found that the command has completed in the device, causing
the host_byte to be nonzero (e.g. it could be DID_ABORT). When
this happens, ORing DID_TIME_OUT into the host byte will corrupt
the result field and initiate an unwanted command retry.
Fix this by using set_host_byte instead, following the model of
commit 2082ebc45af9c9c648383b8cde0dc1948eadbf31.
Signed-off-by: Ulrich Obergfell <uobergfe@redhat.com>
[Fix all instances according to review comments. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Ewan D. Milne <emilne@redhat.com>
Reviewed-by: Hannes Reinecke <hare@suse.de>
[ kamal: backport to 3.13-stable (only one instance of this) ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/scsi/scsi_error.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
index e8bee9f..09f930d 100644
--- a/drivers/scsi/scsi_error.c
+++ b/drivers/scsi/scsi_error.c
@@ -161,7 +161,7 @@ enum blk_eh_timer_return scsi_times_out(struct request *req)
else if (host->hostt->eh_timed_out)
rtn = host->hostt->eh_timed_out(scmd);
- scmd->result |= DID_TIME_OUT << 16;
+ set_host_byte(scmd, DID_TIME_OUT);
if (unlikely(rtn == BLK_EH_NOT_HANDLED &&
!scsi_eh_scmd_add(scmd, SCSI_EH_CANCEL_CMD)))
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 029/259] xhci: Use correct SLOT ID when handling a reset device command
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (27 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 028/259] scsi_error: fix invalid setting of host byte Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 030/259] xhci: correct burst count field for isoc transfers on 1.0 xhci hosts Kamal Mostafa
` (229 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Mathias Nyman, Greg Kroah-Hartman, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Nyman <mathias.nyman@linux.intel.com>
commit 6fcfb0d682a8212d321a6131adc94daf0905992a upstream.
Command completion events normally include command completion status,
SLOT_ID, and a pointer to the original command. Reset device command
completion SLOT_ID may be zero according to xhci specs 4.6.11.
VIA controllers set the SLOT_ID to zero, triggering a WARN_ON in the
command completion handler.
Use the SLOT ID found from the original command instead.
This patch should be applied to stable kernels since 3.13 that contain
the commit 20e7acb13ff48fbc884d5918c3697c27de63922a
"xhci: use completion event's slot id rather than dig it out of command"
Reported-by: Saran Neti <sarannmr@gmail.com>
Tested-by: Saran Neti <sarannmr@gmail.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/usb/host/xhci-ring.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
index 82b5967..da3a91b 100644
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -1592,8 +1592,11 @@ static void handle_cmd_completion(struct xhci_hcd *xhci,
xhci_handle_cmd_reset_ep(xhci, slot_id, cmd_trb, cmd_comp_code);
break;
case TRB_RESET_DEV:
- WARN_ON(slot_id != TRB_TO_SLOT_ID(
- le32_to_cpu(cmd_trb->generic.field[3])));
+ /* SLOT_ID field in reset device cmd completion event TRB is 0.
+ * Use the SLOT_ID from the command TRB instead (xhci 4.6.11)
+ */
+ slot_id = TRB_TO_SLOT_ID(
+ le32_to_cpu(cmd_trb->generic.field[3]));
xhci_handle_cmd_reset_dev(xhci, slot_id, event);
break;
case TRB_NEC_GET_FW:
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 030/259] xhci: correct burst count field for isoc transfers on 1.0 xhci hosts
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (28 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 029/259] xhci: Use correct SLOT ID when handling a reset device command Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 031/259] xhci: clear root port wake on bits if controller isn't wake-up capable Kamal Mostafa
` (228 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Mathias Nyman, Greg Kroah-Hartman, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Nyman <mathias.nyman@linux.intel.com>
commit 3213b151387df0b95f4eada104f68eb1c1409cb3 upstream.
The transfer burst count (TBC) field in xhci 1.0 hosts should be set
to the number of bursts needed to transfer all packets in a isoc TD.
Supported values are 0-2 (1 to 3 bursts per service interval).
Formula for TBC calculation is given in xhci spec section 4.11.2.3:
TBC = roundup( Transfer Descriptor Packet Count / Max Burst Size +1 ) - 1
This patch should be applied to stable kernels since 3.0 that contain
the commit 5cd43e33b9519143f06f507dd7cbee6b7a621885
"xhci 1.0: Set transfer burst count field."
Suggested-by: ShiChun Ma <masc2008@qq.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/usb/host/xhci-ring.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
index da3a91b..d0d906f 100644
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -3680,7 +3680,7 @@ static unsigned int xhci_get_burst_count(struct xhci_hcd *xhci,
return 0;
max_burst = urb->ep->ss_ep_comp.bMaxBurst;
- return roundup(total_packet_count, max_burst + 1) - 1;
+ return DIV_ROUND_UP(total_packet_count, max_burst + 1) - 1;
}
/*
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 031/259] xhci: clear root port wake on bits if controller isn't wake-up capable
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (29 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 030/259] xhci: correct burst count field for isoc transfers on 1.0 xhci hosts Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 032/259] xhci: Fix runtime suspended xhci from blocking system suspend Kamal Mostafa
` (227 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Lu Baolu, Mathias Nyman, Greg Kroah-Hartman, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Lu Baolu <baolu.lu@linux.intel.com>
commit ff8cbf250b448aac35589f6075082c3fcad8a8fe upstream.
When xHCI PCI host is suspended, if do_wakeup is false in xhci_pci_suspend,
xhci_bus_suspend needs to clear all root port wake on bits. Otherwise some Intel
platforms may get a spurious wakeup, even if PCI PME# is disabled.
This patch should be back-ported to kernels as old as 2.6.37, that
contains the commit 9777e3ce907d4cb5a513902a87ecd03b52499569
"USB: xHCI: bus power management implementation".
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/usb/host/xhci-hub.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c
index 805f234..d0997e3 100644
--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -21,6 +21,7 @@
*/
#include <linux/gfp.h>
+#include <linux/device.h>
#include <asm/unaligned.h>
#include "xhci.h"
@@ -1144,7 +1145,9 @@ int xhci_bus_suspend(struct usb_hcd *hcd)
* including the USB 3.0 roothub, but only if CONFIG_PM_RUNTIME
* is enabled, so also enable remote wake here.
*/
- if (hcd->self.root_hub->do_remote_wakeup) {
+ if (hcd->self.root_hub->do_remote_wakeup
+ && device_may_wakeup(hcd->self.controller)) {
+
if (t1 & PORT_CONNECT) {
t2 |= PORT_WKOC_E | PORT_WKDISC_E;
t2 &= ~PORT_WKCONN_E;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 032/259] xhci: Fix runtime suspended xhci from blocking system suspend.
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (30 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 031/259] xhci: clear root port wake on bits if controller isn't wake-up capable Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 033/259] ibmvscsi: Abort init sequence during error recovery Kamal Mostafa
` (226 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Wang, Yu, Mathias Nyman, Greg Kroah-Hartman, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: "Wang, Yu" <yu.y.wang@intel.com>
commit d6236f6d1d885aa19d1cd7317346fe795227a3cc upstream.
The system suspend flow as following:
1, Freeze all user processes and kenrel threads.
2, Try to suspend all devices.
2.1, If pci device is in RPM suspended state, then pci driver will try
to resume it to RPM active state in the prepare stage.
2.2, xhci_resume function calls usb_hcd_resume_root_hub to queue two
workqueue items to resume usb2&usb3 roothub devices.
2.3, Call suspend callbacks of devices.
2.3.1, All suspend callbacks of all hcd's children, including
roothub devices are called.
2.3.2, Finally, hcd_pci_suspend callback is called.
Due to workqueue threads were already frozen in step 1, the workqueue
items can't be scheduled, and the roothub devices can't be resumed in
this flow. The HCD_FLAG_WAKEUP_PENDING flag which is set in
usb_hcd_resume_root_hub won't be cleared. Finally,
hcd_pci_suspend will return -EBUSY, and system suspend fails.
The reason why this issue doesn't show up very often is due to that
choose_wakeup will be called in step 2.3.1. In step 2.3.1, if
udev->do_remote_wakeup is not equal to device_may_wakeup(&udev->dev), then
udev will resume to RPM active for changing the wakeup settings. This
has been a lucky hit which hides this issue.
For some special xHCI controllers which have no USB2 port, then roothub
will not match hub driver due to probe failed. Then its
do_remote_wakeup will be set to zero, and we won't be as lucky.
xhci driver doesn't need to resume roothub devices everytime like in
the above case. It's only needed when there are pending event TRBs.
This patch should be back-ported to kernels as old as 3.2, that
contains the commit f69e3120df82391a0ee8118e0a156239a06b2afb
"USB: XHCI: resume root hubs when the controller resumes"
Signed-off-by: Wang, Yu <yu.y.wang@intel.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
[use readl() instead of removed xhci_readl(), reword commit message -Mathias]
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/usb/host/xhci.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index 07a3077..8f1b31b 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -926,7 +926,7 @@ int xhci_suspend(struct xhci_hcd *xhci)
*/
int xhci_resume(struct xhci_hcd *xhci, bool hibernated)
{
- u32 command, temp = 0;
+ u32 command, temp = 0, status;
struct usb_hcd *hcd = xhci_to_hcd(xhci);
struct usb_hcd *secondary_hcd;
int retval = 0;
@@ -1045,8 +1045,12 @@ int xhci_resume(struct xhci_hcd *xhci, bool hibernated)
done:
if (retval == 0) {
- usb_hcd_resume_root_hub(hcd);
- usb_hcd_resume_root_hub(xhci->shared_hcd);
+ /* Resume root hubs only when have pending events. */
+ status = readl(&xhci->op_regs->status);
+ if (status & STS_EINT) {
+ usb_hcd_resume_root_hub(hcd);
+ usb_hcd_resume_root_hub(xhci->shared_hcd);
+ }
}
/*
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 033/259] ibmvscsi: Abort init sequence during error recovery
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (31 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 032/259] xhci: Fix runtime suspended xhci from blocking system suspend Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 034/259] ibmvscsi: Add memory barriers for send / receive Kamal Mostafa
` (225 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Brian King, Christoph Hellwig, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Brian King <brking@linux.vnet.ibm.com>
commit 9ee755974bea2f9880e517ec985dc9dede1b3a36 upstream.
If a CRQ reset is triggered for some reason while in the middle
of performing VSCSI adapter initialization, we don't want to
call the done function for the initialization MAD commands as
this will only result in two threads attempting initialization
at the same time, resulting in failures.
Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
Acked-by: Nathan Fontenot <nfont@linux.vnet.ibm.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/scsi/ibmvscsi/ibmvscsi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/ibmvscsi/ibmvscsi.c b/drivers/scsi/ibmvscsi/ibmvscsi.c
index fa76440..c3d4991 100644
--- a/drivers/scsi/ibmvscsi/ibmvscsi.c
+++ b/drivers/scsi/ibmvscsi/ibmvscsi.c
@@ -797,7 +797,8 @@ static void purge_requests(struct ibmvscsi_host_data *hostdata, int error_code)
evt->hostdata->dev);
if (evt->cmnd_done)
evt->cmnd_done(evt->cmnd);
- } else if (evt->done)
+ } else if (evt->done && evt->crq.format != VIOSRP_MAD_FORMAT &&
+ evt->iu.srp.login_req.opcode != SRP_LOGIN_REQ)
evt->done(evt);
free_event_struct(&evt->hostdata->pool, evt);
spin_lock_irqsave(hostdata->host->host_lock, flags);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 034/259] ibmvscsi: Add memory barriers for send / receive
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (32 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 033/259] ibmvscsi: Abort init sequence during error recovery Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 035/259] virtio-scsi: avoid cancelling uninitialized work items Kamal Mostafa
` (224 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Brian King, Christoph Hellwig, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Brian King <brking@linux.vnet.ibm.com>
commit 7114aae02742d6b5c5a0d39a41deb61d415d3717 upstream.
Add a memory barrier prior to sending a new command to the VIOS
to ensure the VIOS does not receive stale data in the command buffer.
Also add a memory barrier when processing the CRQ for completed commands.
Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
Acked-by: Nathan Fontenot <nfont@linux.vnet.ibm.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/scsi/ibmvscsi/ibmvscsi.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/scsi/ibmvscsi/ibmvscsi.c b/drivers/scsi/ibmvscsi/ibmvscsi.c
index c3d4991..c5bb0e0 100644
--- a/drivers/scsi/ibmvscsi/ibmvscsi.c
+++ b/drivers/scsi/ibmvscsi/ibmvscsi.c
@@ -185,6 +185,11 @@ static struct viosrp_crq *crq_queue_next_crq(struct crq_queue *queue)
if (crq->valid & 0x80) {
if (++queue->cur == queue->size)
queue->cur = 0;
+
+ /* Ensure the read of the valid bit occurs before reading any
+ * other bits of the CRQ entry
+ */
+ rmb();
} else
crq = NULL;
spin_unlock_irqrestore(&queue->lock, flags);
@@ -203,6 +208,11 @@ static int ibmvscsi_send_crq(struct ibmvscsi_host_data *hostdata,
{
struct vio_dev *vdev = to_vio_dev(hostdata->dev);
+ /*
+ * Ensure the command buffer is flushed to memory before handing it
+ * over to the VIOS to prevent it from fetching any stale data.
+ */
+ mb();
return plpar_hcall_norets(H_SEND_CRQ, vdev->unit_address, word1, word2);
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 035/259] virtio-scsi: avoid cancelling uninitialized work items
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (33 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 034/259] ibmvscsi: Add memory barriers for send / receive Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 036/259] virtio-scsi: fix various bad behavior on aborted requests Kamal Mostafa
` (223 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Paolo Bonzini, Christoph Hellwig, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Bonzini <pbonzini@redhat.com>
commit cdda0e5acbb78f7b777049f8c27899e5c5bb368f upstream.
Calling the workqueue interface on uninitialized work items isn't a
good idea even if they're zeroed. It's not failing catastrophically only
through happy accidents.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/scsi/virtio_scsi.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c
index db3b494..a91a135 100644
--- a/drivers/scsi/virtio_scsi.c
+++ b/drivers/scsi/virtio_scsi.c
@@ -291,6 +291,8 @@ static void virtscsi_ctrl_done(struct virtqueue *vq)
virtscsi_vq_done(vscsi, &vscsi->ctrl_vq, virtscsi_complete_free);
};
+static void virtscsi_handle_event(struct work_struct *work);
+
static int virtscsi_kick_event(struct virtio_scsi *vscsi,
struct virtio_scsi_event_node *event_node)
{
@@ -298,6 +300,7 @@ static int virtscsi_kick_event(struct virtio_scsi *vscsi,
struct scatterlist sg;
unsigned long flags;
+ INIT_WORK(&event_node->work, virtscsi_handle_event);
sg_init_one(&sg, &event_node->event, sizeof(struct virtio_scsi_event));
spin_lock_irqsave(&vscsi->event_vq.vq_lock, flags);
@@ -415,7 +418,6 @@ static void virtscsi_complete_event(struct virtio_scsi *vscsi, void *buf)
{
struct virtio_scsi_event_node *event_node = buf;
- INIT_WORK(&event_node->work, virtscsi_handle_event);
schedule_work(&event_node->work);
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 036/259] virtio-scsi: fix various bad behavior on aborted requests
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (34 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 035/259] virtio-scsi: avoid cancelling uninitialized work items Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 037/259] MIPS: KVM: Fix memory leak on VCPU Kamal Mostafa
` (222 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Paolo Bonzini, Christoph Hellwig, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Bonzini <pbonzini@redhat.com>
commit 8faeb529b2dabb9df691d614dda18910a43d05c9 upstream.
Even though the virtio-scsi spec guarantees that all requests related
to the TMF will have been completed by the time the TMF itself completes,
the request queue's callback might not have run yet. This causes requests
to be completed more than once, and as a result triggers a variety of
BUGs or oopses.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Venkatesh Srinivas <venkateshs@google.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/scsi/virtio_scsi.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c
index a91a135..8490aa4 100644
--- a/drivers/scsi/virtio_scsi.c
+++ b/drivers/scsi/virtio_scsi.c
@@ -273,6 +273,16 @@ static void virtscsi_req_done(struct virtqueue *vq)
virtscsi_vq_done(vscsi, req_vq, virtscsi_complete_cmd);
};
+static void virtscsi_poll_requests(struct virtio_scsi *vscsi)
+{
+ int i, num_vqs;
+
+ num_vqs = vscsi->num_queues;
+ for (i = 0; i < num_vqs; i++)
+ virtscsi_vq_done(vscsi, &vscsi->req_vqs[i],
+ virtscsi_complete_cmd);
+}
+
static void virtscsi_complete_free(struct virtio_scsi *vscsi, void *buf)
{
struct virtio_scsi_cmd *cmd = buf;
@@ -607,6 +617,18 @@ static int virtscsi_tmf(struct virtio_scsi *vscsi, struct virtio_scsi_cmd *cmd)
cmd->resp.tmf.response == VIRTIO_SCSI_S_FUNCTION_SUCCEEDED)
ret = SUCCESS;
+ /*
+ * The spec guarantees that all requests related to the TMF have
+ * been completed, but the callback might not have run yet if
+ * we're using independent interrupts (e.g. MSI). Poll the
+ * virtqueues once.
+ *
+ * In the abort case, sc->scsi_done will do nothing, because
+ * the block layer must have detected a timeout and as a result
+ * REQ_ATOM_COMPLETE has been set.
+ */
+ virtscsi_poll_requests(vscsi);
+
out:
mempool_free(cmd, virtscsi_cmd_pool);
return ret;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 037/259] MIPS: KVM: Fix memory leak on VCPU
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (35 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 036/259] virtio-scsi: fix various bad behavior on aborted requests Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 038/259] ext4: Fix hole punching for files with indirect blocks Kamal Mostafa
` (221 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Deng-Cheng Zhu, Paolo Bonzini, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Deng-Cheng Zhu <dengcheng.zhu@imgtec.com>
commit 8c9eb041cf76038eb3b62ee259607eec9b89f48d upstream.
kvm_arch_vcpu_free() is called in 2 code paths:
1) kvm_vm_ioctl()
kvm_vm_ioctl_create_vcpu()
kvm_arch_vcpu_destroy()
kvm_arch_vcpu_free()
2) kvm_put_kvm()
kvm_destroy_vm()
kvm_arch_destroy_vm()
kvm_mips_free_vcpus()
kvm_arch_vcpu_free()
Neither of the paths handles VCPU free. We need to do it in
kvm_arch_vcpu_free() corresponding to the memory allocation in
kvm_arch_vcpu_create().
Signed-off-by: Deng-Cheng Zhu <dengcheng.zhu@imgtec.com>
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/mips/kvm/kvm_mips.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/mips/kvm/kvm_mips.c b/arch/mips/kvm/kvm_mips.c
index 3dfbe82..7a8b440 100644
--- a/arch/mips/kvm/kvm_mips.c
+++ b/arch/mips/kvm/kvm_mips.c
@@ -395,6 +395,7 @@ void kvm_arch_vcpu_free(struct kvm_vcpu *vcpu)
if (vcpu->arch.kseg0_commpage)
kfree(vcpu->arch.kseg0_commpage);
+ kfree(vcpu);
}
void kvm_arch_vcpu_destroy(struct kvm_vcpu *vcpu)
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 038/259] ext4: Fix hole punching for files with indirect blocks
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (36 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 037/259] MIPS: KVM: Fix memory leak on VCPU Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 039/259] usb: musb: Fix panic upon musb_am335x module removal Kamal Mostafa
` (220 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Jan Kara, Theodore Ts'o, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
commit a93cd4cf86466caa49cfe64607bea7f0bde3f916 upstream.
Hole punching code for files with indirect blocks wrongly computed
number of blocks which need to be cleared when traversing the indirect
block tree. That could result in punching more blocks than actually
requested and thus effectively cause a data loss. For example:
fallocate -n -p 10240000 4096
will punch the range 10240000 - 12632064 instead of the range 1024000 -
10244096. Fix the calculation.
Fixes: 8bad6fc813a3a5300f51369c39d315679fd88c72
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
fs/ext4/indirect.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/fs/ext4/indirect.c b/fs/ext4/indirect.c
index 3b91d24..e6574d7 100644
--- a/fs/ext4/indirect.c
+++ b/fs/ext4/indirect.c
@@ -1318,16 +1318,24 @@ static int free_hole_blocks(handle_t *handle, struct inode *inode,
blk = *i_data;
if (level > 0) {
ext4_lblk_t first2;
+ ext4_lblk_t count2;
+
bh = sb_bread(inode->i_sb, le32_to_cpu(blk));
if (!bh) {
EXT4_ERROR_INODE_BLOCK(inode, le32_to_cpu(blk),
"Read failure");
return -EIO;
}
- first2 = (first > offset) ? first - offset : 0;
+ if (first > offset) {
+ first2 = first - offset;
+ count2 = count;
+ } else {
+ first2 = 0;
+ count2 = count - (offset - first);
+ }
ret = free_hole_blocks(handle, inode, bh,
(__le32 *)bh->b_data, level - 1,
- first2, count - offset,
+ first2, count2,
inode->i_sb->s_blocksize >> 2);
if (ret) {
brelse(bh);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 039/259] usb: musb: Fix panic upon musb_am335x module removal
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (37 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 038/259] ext4: Fix hole punching for files with indirect blocks Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 040/259] usb: musb: Ensure that cppi41 timer gets armed on premature DMA TX irq Kamal Mostafa
` (219 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Ezequiel Garcia, Felipe Balbi, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
commit 7adb5c876e9c0677078a1e1094c6eafd29c30b74 upstream.
At probe time, the musb_am335x driver register its childs by
calling of_platform_populate(), which registers all childs in
the devicetree hierarchy recursively.
On the other side, the driver's remove() function uses of_device_unregister()
to remove each child of musb_am335x's.
However, when musb_dsps is loaded, its devices are attached to the musb_am335x
device as musb_am335x childs. Hence, musb_am335x remove() will attempt to
unregister the devices registered by musb_dsps, which produces a kernel panic.
In other words, the childs in the "struct device" hierarchy are not the same
as the childs in the "devicetree" hierarchy.
Ideally, we should enforce the removal of the devices registered by
musb_am335x *only*, instead of all its child devices. However, because of the
recursive nature of of_platform_populate, this doesn't seem possible.
Therefore, as the only solution at hand, this commit disables musb_am335x
driver removal capability, preventing it from being ever removed. This was
originally suggested by Sebastian Siewior:
https://www.mail-archive.com/linux-omap@vger.kernel.org/msg104946.html
And for reference, here's the panic upon module removal:
musb-hdrc musb-hdrc.0.auto: remove, state 4
usb usb1: USB disconnect, device number 1
musb-hdrc musb-hdrc.0.auto: USB bus 1 deregistered
Unable to handle kernel NULL pointer dereference at virtual address 0000008c
pgd = de11c000
[0000008c] *pgd=9e174831, *pte=00000000, *ppte=00000000
Internal error: Oops: 17 [#1] ARM
Modules linked in: musb_am335x(-) musb_dsps musb_hdrc usbcore usb_common
CPU: 0 PID: 623 Comm: modprobe Not tainted 3.15.0-rc4-00001-g24efd13 #69
task: de1b7500 ti: de122000 task.ti: de122000
PC is at am335x_shutdown+0x10/0x28
LR is at am335x_shutdown+0xc/0x28
pc : [<c0327798>] lr : [<c0327794>] psr: a0000013
sp : de123df8 ip : 00000004 fp : 00028f00
r10: 00000000 r9 : de122000 r8 : c000e6c4
r7 : de0e3c10 r6 : de0e3800 r5 : de624010 r4 : de1ec750
r3 : de0e3810 r2 : 00000000 r1 : 00000001 r0 : 00000000
Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
Control: 10c5387d Table: 9e11c019 DAC: 00000015
Process modprobe (pid: 623, stack limit = 0xde122240)
Stack: (0xde123df8 to 0xde124000)
3de0: de0e3810 bf054488
3e00: bf05444c de624010 60000013 bf043650 000012fc de624010 de0e3810 bf043a20
3e20: de0e3810 bf04b240 c0635b88 c02ca37c c02ca364 c02c8db0 de1b7500 de0e3844
3e40: de0e3810 c02c8e28 c0635b88 de02824c de0e3810 c02c884c de0e3800 de0e3810
3e60: de0e3818 c02c5b20 bf05417c de0e3800 de0e3800 c0635b88 de0f2410 c02ca838
3e80: bf05417c de0e3800 bf055438 c02ca8cc de0e3c10 bf054194 de0e3c10 c02ca37c
3ea0: c02ca364 c02c8db0 de1b7500 de0e3c44 de0e3c10 c02c8e28 c0635b88 de02824c
3ec0: de0e3c10 c02c884c de0e3c10 de0e3c10 de0e3c18 c02c5b20 de0e3c10 de0e3c10
3ee0: 00000000 bf059000 a0000013 c02c5bc0 00000000 bf05900c de0e3c10 c02c5c48
3f00: de0dd0c0 de1ec970 de0f2410 bf05929c de0f2444 bf05902c de0f2410 c02ca37c
3f20: c02ca364 c02c8db0 bf05929c de0f2410 bf05929c c02c94c8 bf05929c 00000000
3f40: 00000800 c02c8ab4 bf0592e0 c007fc40 c00dd820 6273756d 336d615f 00783533
3f60: c064a0ac de1b7500 de122000 de1b7500 c000e590 00000001 c000e6c4 c0060160
3f80: 00028e70 00028e70 00028ea4 00000081 60000010 00028e70 00028e70 00028ea4
3fa0: 00000081 c000e500 00028e70 00028e70 00028ea4 00000800 becb59f8 00027608
3fc0: 00028e70 00028e70 00028ea4 00000081 00000001 00000001 00000000 00028f00
3fe0: b6e6b6f0 becb59d4 000160e8 b6e6b6fc 60000010 00028ea4 00000000 00000000
[<c0327798>] (am335x_shutdown) from [<bf054488>] (dsps_musb_exit+0x3c/0x4c [musb_dsps])
[<bf054488>] (dsps_musb_exit [musb_dsps]) from [<bf043650>] (musb_shutdown+0x80/0x90 [musb_hdrc])
[<bf043650>] (musb_shutdown [musb_hdrc]) from [<bf043a20>] (musb_remove+0x24/0x68 [musb_hdrc])
[<bf043a20>] (musb_remove [musb_hdrc]) from [<c02ca37c>] (platform_drv_remove+0x18/0x1c)
[<c02ca37c>] (platform_drv_remove) from [<c02c8db0>] (__device_release_driver+0x70/0xc8)
[<c02c8db0>] (__device_release_driver) from [<c02c8e28>] (device_release_driver+0x20/0x2c)
[<c02c8e28>] (device_release_driver) from [<c02c884c>] (bus_remove_device+0xdc/0x10c)
[<c02c884c>] (bus_remove_device) from [<c02c5b20>] (device_del+0x104/0x198)
[<c02c5b20>] (device_del) from [<c02ca838>] (platform_device_del+0x14/0x9c)
[<c02ca838>] (platform_device_del) from [<c02ca8cc>] (platform_device_unregister+0xc/0x20)
[<c02ca8cc>] (platform_device_unregister) from [<bf054194>] (dsps_remove+0x18/0x38 [musb_dsps])
[<bf054194>] (dsps_remove [musb_dsps]) from [<c02ca37c>] (platform_drv_remove+0x18/0x1c)
[<c02ca37c>] (platform_drv_remove) from [<c02c8db0>] (__device_release_driver+0x70/0xc8)
[<c02c8db0>] (__device_release_driver) from [<c02c8e28>] (device_release_driver+0x20/0x2c)
[<c02c8e28>] (device_release_driver) from [<c02c884c>] (bus_remove_device+0xdc/0x10c)
[<c02c884c>] (bus_remove_device) from [<c02c5b20>] (device_del+0x104/0x198)
[<c02c5b20>] (device_del) from [<c02c5bc0>] (device_unregister+0xc/0x20)
[<c02c5bc0>] (device_unregister) from [<bf05900c>] (of_remove_populated_child+0xc/0x14 [musb_am335x])
[<bf05900c>] (of_remove_populated_child [musb_am335x]) from [<c02c5c48>] (device_for_each_child+0x44/0x70)
[<c02c5c48>] (device_for_each_child) from [<bf05902c>] (am335x_child_remove+0x18/0x30 [musb_am335x])
[<bf05902c>] (am335x_child_remove [musb_am335x]) from [<c02ca37c>] (platform_drv_remove+0x18/0x1c)
[<c02ca37c>] (platform_drv_remove) from [<c02c8db0>] (__device_release_driver+0x70/0xc8)
[<c02c8db0>] (__device_release_driver) from [<c02c94c8>] (driver_detach+0xb4/0xb8)
[<c02c94c8>] (driver_detach) from [<c02c8ab4>] (bus_remove_driver+0x4c/0xa0)
[<c02c8ab4>] (bus_remove_driver) from [<c007fc40>] (SyS_delete_module+0x128/0x1cc)
[<c007fc40>] (SyS_delete_module) from [<c000e500>] (ret_fast_syscall+0x0/0x48)
Fixes: 97238b35d5bb ("usb: musb: dsps: use proper child nodes")
Acked-by: George Cherian <george.cherian@ti.com>
Signed-off-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/usb/musb/musb_am335x.c | 23 ++++++-----------------
1 file changed, 6 insertions(+), 17 deletions(-)
diff --git a/drivers/usb/musb/musb_am335x.c b/drivers/usb/musb/musb_am335x.c
index 8be9b02..aada337 100644
--- a/drivers/usb/musb/musb_am335x.c
+++ b/drivers/usb/musb/musb_am335x.c
@@ -20,21 +20,6 @@ err:
return ret;
}
-static int of_remove_populated_child(struct device *dev, void *d)
-{
- struct platform_device *pdev = to_platform_device(dev);
-
- of_device_unregister(pdev);
- return 0;
-}
-
-static int am335x_child_remove(struct platform_device *pdev)
-{
- device_for_each_child(&pdev->dev, NULL, of_remove_populated_child);
- pm_runtime_disable(&pdev->dev);
- return 0;
-}
-
static const struct of_device_id am335x_child_of_match[] = {
{ .compatible = "ti,am33xx-usb" },
{ },
@@ -43,13 +28,17 @@ MODULE_DEVICE_TABLE(of, am335x_child_of_match);
static struct platform_driver am335x_child_driver = {
.probe = am335x_child_probe,
- .remove = am335x_child_remove,
.driver = {
.name = "am335x-usb-childs",
.of_match_table = am335x_child_of_match,
},
};
-module_platform_driver(am335x_child_driver);
+static int __init am335x_child_init(void)
+{
+ return platform_driver_register(&am335x_child_driver);
+}
+module_init(am335x_child_init);
+
MODULE_DESCRIPTION("AM33xx child devices");
MODULE_LICENSE("GPL v2");
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 040/259] usb: musb: Ensure that cppi41 timer gets armed on premature DMA TX irq
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (38 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 039/259] usb: musb: Fix panic upon musb_am335x module removal Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 041/259] nfsd: fix rare symlink decoding bug Kamal Mostafa
` (218 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Thomas Gleixner, Felipe Balbi, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
commit c58d80f523ffc15ef4d062fc7aeb03793fe39701 upstream.
Some TI chips raise the DMA complete interrupt before the actual
transfer has been completed. The code tries to busy wait for a few
microseconds and if that fails it arms an hrtimer to recheck. So far
so good, but that has the following issue:
CPU 0 CPU1
start_next_transfer(RQ1);
DMA interrupt
if (premature_irq(RQ1))
if (!hrtimer_active(timer))
hrtimer_start(timer);
hrtimer expires
timer->state = CALLBACK_RUNNING;
timer->fn()
cppi41_recheck_tx_req()
complete_request(RQ1);
if (requests_pending())
start_next_transfer(RQ2);
DMA interrupt
if (premature_irq(RQ2))
if (!hrtimer_active(timer))
hrtimer_start(timer);
timer->state = INACTIVE;
The premature interrupt of request2 on CPU1 does not arm the timer and
therefor the request completion never happens because it checks for
!hrtimer_active(). hrtimer_active() evaluates:
timer->state != HRTIMER_STATE_INACTIVE
which of course evaluates to true in the above case as timer->state is
CALLBACK_RUNNING.
That's clearly documented:
* A timer is active, when it is enqueued into the rbtree or the
* callback function is running or it's in the state of being migrated
* to another cpu.
But that's not what the code wants to check. The code wants to check
whether the timer is queued, i.e. whether its armed and waiting for
expiry.
We have a helper function for this: hrtimer_is_queued(). This
evaluates:
timer->state & HRTIMER_STATE_QUEUED
So in the above case this evaluates to false and therefor forces the
DMA interrupt on CPU1 to call hrtimer_start().
Use hrtimer_is_queued() instead of hrtimer_active() and evrything is
good.
Reported-by: Torben Hohn <torbenh@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/usb/musb/musb_cppi41.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/musb/musb_cppi41.c b/drivers/usb/musb/musb_cppi41.c
index a12bd30..4a5af5c 100644
--- a/drivers/usb/musb/musb_cppi41.c
+++ b/drivers/usb/musb/musb_cppi41.c
@@ -266,7 +266,7 @@ static void cppi41_dma_callback(void *private_data)
}
list_add_tail(&cppi41_channel->tx_check,
&controller->early_tx_list);
- if (!hrtimer_active(&controller->early_tx)) {
+ if (!hrtimer_is_queued(&controller->early_tx)) {
hrtimer_start_range_ns(&controller->early_tx,
ktime_set(0, 140 * NSEC_PER_USEC),
40 * NSEC_PER_USEC,
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 041/259] nfsd: fix rare symlink decoding bug
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (39 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 040/259] usb: musb: Ensure that cppi41 timer gets armed on premature DMA TX irq Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 042/259] tools: ffs-test: fix header values endianess Kamal Mostafa
` (217 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: J. Bruce Fields, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: "J. Bruce Fields" <bfields@redhat.com>
commit 76f47128f9b33af1e96819746550d789054c9664 upstream.
An NFS operation that creates a new symlink includes the symlink data,
which is xdr-encoded as a length followed by the data plus 0 to 3 bytes
of zero-padding as required to reach a 4-byte boundary.
The vfs, on the other hand, wants null-terminated data.
The simple way to handle this would be by copying the data into a newly
allocated buffer with space for the final null.
The current nfsd_symlink code tries to be more clever by skipping that
step in the (likely) case where the byte following the string is already
0.
But that assumes that the byte following the string is ours to look at.
In fact, it might be the first byte of a page that we can't read, or of
some object that another task might modify.
Worse, the NFSv4 code tries to fix the problem by actually writing to
that byte.
In the NFSv2/v3 cases this actually appears to be safe:
- nfs3svc_decode_symlinkargs explicitly null-terminates the data
(after first checking its length and copying it to a new
page).
- NFSv2 limits symlinks to 1k. The buffer holding the rpc
request is always at least a page, and the link data (and
previous fields) have maximum lengths that prevent the request
from reaching the end of a page.
In the NFSv4 case the CREATE op is potentially just one part of a long
compound so can end up on the end of a page if you're unlucky.
The minimal fix here is to copy and null-terminate in the NFSv4 case.
The nfsd_symlink() interface here seems too fragile, though. It should
really either do the copy itself every time or just require a
null-terminated string.
Reported-by: Jeff Layton <jlayton@primarydata.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
fs/nfsd/nfs4proc.c | 9 ---------
fs/nfsd/nfs4xdr.c | 13 ++++++++++++-
2 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index b9e7844..08c8e02 100644
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -610,15 +610,6 @@ nfsd4_create(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
switch (create->cr_type) {
case NF4LNK:
- /* ugh! we have to null-terminate the linktext, or
- * vfs_symlink() will choke. it is always safe to
- * null-terminate by brute force, since at worst we
- * will overwrite the first byte of the create namelen
- * in the XDR buffer, which has already been extracted
- * during XDR decode.
- */
- create->cr_linkname[create->cr_linklen] = 0;
-
status = nfsd_symlink(rqstp, &cstate->current_fh,
create->cr_name, create->cr_namelen,
create->cr_linkname, create->cr_linklen,
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index 78310f0..ab38bc4 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -594,7 +594,18 @@ nfsd4_decode_create(struct nfsd4_compoundargs *argp, struct nfsd4_create *create
READ_BUF(4);
READ32(create->cr_linklen);
READ_BUF(create->cr_linklen);
- SAVEMEM(create->cr_linkname, create->cr_linklen);
+ /*
+ * The VFS will want a null-terminated string, and
+ * null-terminating in place isn't safe since this might
+ * end on a page boundary:
+ */
+ create->cr_linkname =
+ kmalloc(create->cr_linklen + 1, GFP_KERNEL);
+ if (!create->cr_linkname)
+ return nfserr_jukebox;
+ memcpy(create->cr_linkname, p, create->cr_linklen);
+ create->cr_linkname[create->cr_linklen] = '\0';
+ defer_free(argp, kfree, create->cr_linkname);
break;
case NF4BLK:
case NF4CHR:
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 042/259] tools: ffs-test: fix header values endianess
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (40 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 041/259] nfsd: fix rare symlink decoding bug Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 043/259] usb-storage/SCSI: Add broken_fua blacklist flag Kamal Mostafa
` (216 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Michal Nazarewicz, Felipe Balbi, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Nazarewicz <mina86@mina86.com>
commit f35f71244da6e51db4e1f2c7e318581f498ececf upstream.
It appears that no one ever run ffs-test on a big-endian machine,
since it used cpu-endianess for fs_count and hs_count fields which
should be in little-endian format. Fix by wrapping the numbers in
cpu_to_le32.
Signed-off-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
tools/usb/ffs-test.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/usb/ffs-test.c b/tools/usb/ffs-test.c
index fe1e66b..a87e99f 100644
--- a/tools/usb/ffs-test.c
+++ b/tools/usb/ffs-test.c
@@ -116,8 +116,8 @@ static const struct {
.header = {
.magic = cpu_to_le32(FUNCTIONFS_DESCRIPTORS_MAGIC),
.length = cpu_to_le32(sizeof descriptors),
- .fs_count = 3,
- .hs_count = 3,
+ .fs_count = cpu_to_le32(3),
+ .hs_count = cpu_to_le32(3),
},
.fs_descs = {
.intf = {
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 043/259] usb-storage/SCSI: Add broken_fua blacklist flag
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (41 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 042/259] tools: ffs-test: fix header values endianess Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 044/259] drm/radeon/dpm: fix typo in vddci setup for eg/btc Kamal Mostafa
` (215 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Alan Stern, Matthew Dharm, Greg Kroah-Hartman, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit b14bf2d0c0358140041d1c1805a674376964d0e0 upstream.
Some buggy JMicron USB-ATA bridges don't know how to translate the FUA
bit in READs or WRITEs. This patch adds an entry in unusual_devs.h
and a blacklist flag to tell the sd driver not to use FUA.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Michael Büsch <m@bues.ch>
Tested-by: Michael Büsch <m@bues.ch>
Acked-by: James Bottomley <James.Bottomley@HansenPartnership.com>
CC: Matthew Dharm <mdharm-usb@one-eyed-alien.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ kamal: backport to 3.13-stable (sd_printk; context) ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/scsi/sd.c | 5 ++++-
drivers/usb/storage/scsiglue.c | 4 ++++
drivers/usb/storage/unusual_devs.h | 7 +++++++
include/linux/usb_usual.h | 6 ++++--
include/scsi/scsi_device.h | 1 +
5 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index 410be82..8ee2f56 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -2454,7 +2454,10 @@ sd_read_cache_type(struct scsi_disk *sdkp, unsigned char *buffer)
}
sdkp->DPOFUA = (data.device_specific & 0x10) != 0;
- if (sdkp->DPOFUA && !sdkp->device->use_10_for_rw) {
+ if (sdp->broken_fua) {
+ sd_printk(KERN_NOTICE, sdkp, "Disabling FUA\n");
+ sdkp->DPOFUA = 0;
+ } else if (sdkp->DPOFUA && !sdkp->device->use_10_for_rw) {
sd_printk(KERN_NOTICE, sdkp,
"Uses READ/WRITE(6), disabling FUA\n");
sdkp->DPOFUA = 0;
diff --git a/drivers/usb/storage/scsiglue.c b/drivers/usb/storage/scsiglue.c
index 9d38ddc..866b5df 100644
--- a/drivers/usb/storage/scsiglue.c
+++ b/drivers/usb/storage/scsiglue.c
@@ -256,6 +256,10 @@ static int slave_configure(struct scsi_device *sdev)
if (us->fflags & US_FL_WRITE_CACHE)
sdev->wce_default_on = 1;
+ /* A few buggy USB-ATA bridges don't understand FUA */
+ if (us->fflags & US_FL_BROKEN_FUA)
+ sdev->broken_fua = 1;
+
} else {
/* Non-disk-type devices don't need to blacklist any pages
diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h
index 042c83b0..e2d0050 100644
--- a/drivers/usb/storage/unusual_devs.h
+++ b/drivers/usb/storage/unusual_devs.h
@@ -1936,6 +1936,13 @@ UNUSUAL_DEV( 0x14cd, 0x6600, 0x0201, 0x0201,
USB_SC_DEVICE, USB_PR_DEVICE, NULL,
US_FL_IGNORE_RESIDUE ),
+/* Reported by Michael Büsch <m@bues.ch> */
+UNUSUAL_DEV( 0x152d, 0x0567, 0x0114, 0x0114,
+ "JMicron",
+ "USB to ATA/ATAPI Bridge",
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_BROKEN_FUA ),
+
/* Reported by Alexandre Oliva <oliva@lsd.ic.unicamp.br>
* JMicron responds to USN and several other SCSI ioctls with a
* residue that causes subsequent I/O requests to fail. */
diff --git a/include/linux/usb_usual.h b/include/linux/usb_usual.h
index 6303568..b2a709b 100644
--- a/include/linux/usb_usual.h
+++ b/include/linux/usb_usual.h
@@ -67,8 +67,10 @@
/* Initial READ(10) (and others) must be retried */ \
US_FLAG(WRITE_CACHE, 0x00200000) \
/* Write Cache status is not available */ \
- US_FLAG(NEEDS_CAP16, 0x00400000)
- /* cannot handle READ_CAPACITY_10 */
+ US_FLAG(NEEDS_CAP16, 0x00400000) \
+ /* cannot handle READ_CAPACITY_10 */ \
+ US_FLAG(BROKEN_FUA, 0x01000000) \
+ /* Cannot handle FUA in WRITE or READ CDBs */ \
#define US_FLAG(name, value) US_FL_##name = value ,
enum { US_DO_ALL_FLAGS };
diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h
index d65fbec..8e6b70f 100644
--- a/include/scsi/scsi_device.h
+++ b/include/scsi/scsi_device.h
@@ -167,6 +167,7 @@ struct scsi_device {
unsigned is_visible:1; /* is the device visible in sysfs */
unsigned wce_default_on:1; /* Cache is ON by default */
unsigned no_dif:1; /* T10 PI (DIF) should be disabled */
+ unsigned broken_fua:1; /* Don't set FUA bit */
atomic_t disk_events_disable_depth; /* disable depth for disk events */
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 044/259] drm/radeon/dpm: fix typo in vddci setup for eg/btc
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (42 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 043/259] usb-storage/SCSI: Add broken_fua blacklist flag Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 045/259] drm/radeon/dpm: fix vddci setup typo on cayman Kamal Mostafa
` (214 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Alex Deucher, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit e07929810f0a19ddd756558290c7d72827cbfcd9 upstream.
We were using the vddc mask rather than the vddci mask.
Bug:
https://bugzilla.kernel.org/show_bug.cgi?id=79071
Possibly also fixes:
https://bugzilla.kernel.org/show_bug.cgi?id=68571
Noticed-by: Jonathan Howard <jonathan@unbiased.name>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/gpu/drm/radeon/cypress_dpm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/radeon/cypress_dpm.c b/drivers/gpu/drm/radeon/cypress_dpm.c
index 920e1e4..b5a0077 100644
--- a/drivers/gpu/drm/radeon/cypress_dpm.c
+++ b/drivers/gpu/drm/radeon/cypress_dpm.c
@@ -1551,7 +1551,7 @@ int cypress_populate_smc_voltage_tables(struct radeon_device *rdev,
table->voltageMaskTable.highMask[RV770_SMC_VOLTAGEMASK_VDDCI] = 0;
table->voltageMaskTable.lowMask[RV770_SMC_VOLTAGEMASK_VDDCI] =
- cpu_to_be32(eg_pi->vddc_voltage_table.mask_low);
+ cpu_to_be32(eg_pi->vddci_voltage_table.mask_low);
}
return 0;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 045/259] drm/radeon/dpm: fix vddci setup typo on cayman
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (43 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 044/259] drm/radeon/dpm: fix typo in vddci setup for eg/btc Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 046/259] tracing: Remove ftrace_stop/start() from reading the trace file Kamal Mostafa
` (213 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Alex Deucher, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit b0880e87c1fd038b84498944f52e52c3e86ebe59 upstream.
We were using the vddc mask rather than the vddci mask.
Bug:
https://bugzilla.kernel.org/show_bug.cgi?id=79071
May also fix:
https://bugs.freedesktop.org/show_bug.cgi?id=69723
Noticed by: Dieter Nützel <Dieter@nuetzel-hh.de>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/gpu/drm/radeon/ni_dpm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/radeon/ni_dpm.c b/drivers/gpu/drm/radeon/ni_dpm.c
index 1ee58a3..8c7059d 100644
--- a/drivers/gpu/drm/radeon/ni_dpm.c
+++ b/drivers/gpu/drm/radeon/ni_dpm.c
@@ -1313,7 +1313,7 @@ static void ni_populate_smc_voltage_tables(struct radeon_device *rdev,
table->voltageMaskTable.highMask[NISLANDS_SMC_VOLTAGEMASK_VDDCI] = 0;
table->voltageMaskTable.lowMask[NISLANDS_SMC_VOLTAGEMASK_VDDCI] =
- cpu_to_be32(eg_pi->vddc_voltage_table.mask_low);
+ cpu_to_be32(eg_pi->vddci_voltage_table.mask_low);
}
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 046/259] tracing: Remove ftrace_stop/start() from reading the trace file
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (44 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 045/259] drm/radeon/dpm: fix vddci setup typo on cayman Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 047/259] usb: chipidea: udc: delete td from req's td list at ep_dequeue Kamal Mostafa
` (212 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Steven Rostedt, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
commit 099ed151675cd1d2dbeae1dac697975f6a68716d upstream.
Disabling reading and writing to the trace file should not be able to
disable all function tracing callbacks. There's other users today
(like kprobes and perf). Reading a trace file should not stop those
from happening.
Reviewed-by: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
kernel/trace/trace.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 0a360ce..9250479 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -1328,7 +1328,6 @@ void tracing_start(void)
arch_spin_unlock(&ftrace_max_lock);
- ftrace_start();
out:
raw_spin_unlock_irqrestore(&global_trace.start_lock, flags);
}
@@ -1375,7 +1374,6 @@ void tracing_stop(void)
struct ring_buffer *buffer;
unsigned long flags;
- ftrace_stop();
raw_spin_lock_irqsave(&global_trace.start_lock, flags);
if (global_trace.stop_count++)
goto out;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 047/259] usb: chipidea: udc: delete td from req's td list at ep_dequeue
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (45 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 046/259] tracing: Remove ftrace_stop/start() from reading the trace file Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 048/259] drm/radeon/cik: fix typo in EOP packet Kamal Mostafa
` (211 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Andrzej Pietrasiewicz, Peter Chen, Greg Kroah-Hartman, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Chen <peter.chen@freescale.com>
commit e4adcff09ca39ecbcc4851d40d0f0a5458e7b77a upstream.
We need to delete un-finished td from current request's td list
at ep_dequeue API, otherwise, this non-user td will be remained
at td list before this request is freed. So if we do ep_queue->
ep_dequeue->ep_queue sequence, when the complete interrupt for
the second ep_queue comes, we search td list for this request,
the first td (added by the first ep_queue) will be handled, and
its status is still active, so we will consider the this transfer
still not be completed, but in fact, it has completed. It causes
the peripheral side considers it never receives current data for
this transfer.
We met this problem when do "Error Recovery Test - Device Configured"
test item for USBCV2 MSC test, the host has never received ACK for
the IN token for CSW due to peripheral considers it does not get this
CBW, the USBCV test log like belows:
--------------------------------------------------------------------------
INFO
Issuing BOT MSC Reset, reset should always succeed
INFO
Retrieving status on CBW endpoint
INFO
CBW endpoint status = 0x0
INFO
Retrieving status on CSW endpoint
INFO
CSW endpoint status = 0x0
INFO
Issuing required command (Test Unit Ready) to verify device has recovered
INFO
Issuing CBW (attempt #1):
INFO
|----- CBW LUN = 0x0
INFO
|----- CBW Flags = 0x0
INFO
|----- CBW Data Transfer Length = 0x0
INFO
|----- CBW CDB Length = 0x6
INFO
|----- CBW CDB-00 = 0x0
INFO
|----- CBW CDB-01 = 0x0
INFO
|----- CBW CDB-02 = 0x0
INFO
|----- CBW CDB-03 = 0x0
INFO
|----- CBW CDB-04 = 0x0
INFO
|----- CBW CDB-05 = 0x0
INFO
Issuing CSW : try 1
INFO
CSW Bulk Request timed out!
ERROR
Failed CSW phase : should have been success or stall
FAIL
(5.3.4) The CSW status value must be 0x00, 0x01, or 0x02.
ERROR
BOTCommonMSCRequest failed: error=80004000
Cc: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Peter Chen <peter.chen@freescale.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/usb/chipidea/udc.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/usb/chipidea/udc.c b/drivers/usb/chipidea/udc.c
index 27ff872..71d0d35 100644
--- a/drivers/usb/chipidea/udc.c
+++ b/drivers/usb/chipidea/udc.c
@@ -1326,6 +1326,7 @@ static int ep_dequeue(struct usb_ep *ep, struct usb_request *req)
struct ci_hw_ep *hwep = container_of(ep, struct ci_hw_ep, ep);
struct ci_hw_req *hwreq = container_of(req, struct ci_hw_req, req);
unsigned long flags;
+ struct td_node *node, *tmpnode;
if (ep == NULL || req == NULL || hwreq->req.status != -EALREADY ||
hwep->ep.desc == NULL || list_empty(&hwreq->queue) ||
@@ -1336,6 +1337,12 @@ static int ep_dequeue(struct usb_ep *ep, struct usb_request *req)
hw_ep_flush(hwep->ci, hwep->num, hwep->dir);
+ list_for_each_entry_safe(node, tmpnode, &hwreq->tds, td) {
+ dma_pool_free(hwep->td_pool, node->ptr, node->dma);
+ list_del(&node->td);
+ kfree(node);
+ }
+
/* pop request */
list_del_init(&hwreq->queue);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 048/259] drm/radeon/cik: fix typo in EOP packet
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (46 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 047/259] usb: chipidea: udc: delete td from req's td list at ep_dequeue Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 049/259] md: flush writes before starting a recovery Kamal Mostafa
` (210 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Alex Deucher, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit b397207b7475afa9df2f94541f978100ff1ea47e upstream.
Volatile bit was in the wrong location. This bit is
not used at the moment.
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/gpu/drm/radeon/cikd.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/radeon/cikd.h b/drivers/gpu/drm/radeon/cikd.h
index e33f8d1..a62f51f 100644
--- a/drivers/gpu/drm/radeon/cikd.h
+++ b/drivers/gpu/drm/radeon/cikd.h
@@ -1734,12 +1734,12 @@
#define EOP_TC_WB_ACTION_EN (1 << 15) /* L2 */
#define EOP_TCL1_ACTION_EN (1 << 16)
#define EOP_TC_ACTION_EN (1 << 17) /* L2 */
+#define EOP_TCL2_VOLATILE (1 << 24)
#define EOP_CACHE_POLICY(x) ((x) << 25)
/* 0 - LRU
* 1 - Stream
* 2 - Bypass
*/
-#define EOP_TCL2_VOLATILE (1 << 27)
#define DATA_SEL(x) ((x) << 29)
/* 0 - discard
* 1 - send low 32bit data
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 049/259] md: flush writes before starting a recovery.
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (47 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 048/259] drm/radeon/cik: fix typo in EOP packet Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 050/259] drm/vmwgfx: Fix incorrect write to read-only register v2: Kamal Mostafa
` (209 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: NeilBrown, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: NeilBrown <neilb@suse.de>
commit 133d4527eab8d199a62eee6bd433f0776842df2e upstream.
When we write to a degraded array which has a bitmap, we
make sure the relevant bit in the bitmap remains set when
the write completes (so a 're-add' can quickly rebuilt a
temporarily-missing device).
If, immediately after such a write starts, we incorporate a spare,
commence recovery, and skip over the region where the write is
happening (because the 'needs recovery' flag isn't set yet),
then that write will not get to the new device.
Once the recovery finishes the new device will be trusted, but will
have incorrect data, leading to possible corruption.
We cannot set the 'needs recovery' flag when we start the write as we
do not know easily if the write will be "degraded" or not. That
depends on details of the particular raid level and particular write
request.
This patch fixes a corruption issue of long standing and so it
suitable for any -stable kernel. It applied correctly to 3.0 at
least and will minor editing to earlier kernels.
Reported-by: Bill <billstuff2001@sbcglobal.net>
Tested-by: Bill <billstuff2001@sbcglobal.net>
Link: http://lkml.kernel.org/r/53A518BB.60709@sbcglobal.net
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/md/md.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/drivers/md/md.c b/drivers/md/md.c
index aa0eba3..09377ba 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -7468,6 +7468,19 @@ void md_do_sync(struct md_thread *thread)
rdev->recovery_offset < j)
j = rdev->recovery_offset;
rcu_read_unlock();
+
+ /* If there is a bitmap, we need to make sure all
+ * writes that started before we added a spare
+ * complete before we start doing a recovery.
+ * Otherwise the write might complete and (via
+ * bitmap_endwrite) set a bit in the bitmap after the
+ * recovery has checked that bit and skipped that
+ * region.
+ */
+ if (mddev->bitmap) {
+ mddev->pers->quiesce(mddev, 1);
+ mddev->pers->quiesce(mddev, 0);
+ }
}
printk(KERN_INFO "md: %s of RAID array %s\n", desc, mdname(mddev));
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 050/259] drm/vmwgfx: Fix incorrect write to read-only register v2:
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (48 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 049/259] md: flush writes before starting a recovery Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 051/259] mm: page_alloc: fix CMA area initialisation when pageblock > MAX_ORDER Kamal Mostafa
` (208 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Christopher Friedt, Thomas Hellstrom, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Hellstrom <thellstrom@vmware.com>
commit 4e578080ed3262ed2c3985868539bc66218d25c0 upstream.
Commit "drm/vmwgfx: correct fb_fix_screeninfo.line_length", while fixing a
vmwgfx fbdev bug, also writes the pitch to a supposedly read-only register:
SVGA_REG_BYTES_PER_LINE, while it should be (and also in fact is) written to
SVGA_REG_PITCHLOCK.
This patch is Cc'd stable because of the unknown effects writing to this
register might have, particularly on older device versions.
v2: Updated log message.
Cc: Christopher Friedt <chrisfriedt@gmail.com>
Tested-by: Christopher Friedt <chrisfriedt@gmail.com>
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Jakob Bornecrantz <jakob@vmware.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/gpu/drm/vmwgfx/vmwgfx_fb.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c b/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c
index 021b522..1b0f34b 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c
@@ -179,7 +179,6 @@ static int vmw_fb_set_par(struct fb_info *info)
vmw_write(vmw_priv, SVGA_REG_DISPLAY_POSITION_Y, info->var.yoffset);
vmw_write(vmw_priv, SVGA_REG_DISPLAY_WIDTH, info->var.xres);
vmw_write(vmw_priv, SVGA_REG_DISPLAY_HEIGHT, info->var.yres);
- vmw_write(vmw_priv, SVGA_REG_BYTES_PER_LINE, info->fix.line_length);
vmw_write(vmw_priv, SVGA_REG_DISPLAY_ID, SVGA_ID_INVALID);
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 051/259] mm: page_alloc: fix CMA area initialisation when pageblock > MAX_ORDER
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (49 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 050/259] drm/vmwgfx: Fix incorrect write to read-only register v2: Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 052/259] /proc/stat: convert to single_open_size() Kamal Mostafa
` (207 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Michal Nazarewicz, Mel Gorman, David Rientjes, Marek Szyprowski,
Catalin Marinas, Andrew Morton, Linus Torvalds, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Nazarewicz <mina86@mina86.com>
commit dc78327c0ea7da5186d8cbc1647bd6088c5c9fa5 upstream.
With a kernel configured with ARM64_64K_PAGES && !TRANSPARENT_HUGEPAGE,
the following is triggered at early boot:
SMP: Total of 8 processors activated.
devtmpfs: initialized
Unable to handle kernel NULL pointer dereference at virtual address 00000008
pgd = fffffe0000050000
[00000008] *pgd=00000043fba00003, *pmd=00000043fba00003, *pte=00e0000078010407
Internal error: Oops: 96000006 [#1] SMP
Modules linked in:
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.15.0-rc864k+ #44
task: fffffe03bc040000 ti: fffffe03bc080000 task.ti: fffffe03bc080000
PC is at __list_add+0x10/0xd4
LR is at free_one_page+0x270/0x638
...
Call trace:
__list_add+0x10/0xd4
free_one_page+0x26c/0x638
__free_pages_ok.part.52+0x84/0xbc
__free_pages+0x74/0xbc
init_cma_reserved_pageblock+0xe8/0x104
cma_init_reserved_areas+0x190/0x1e4
do_one_initcall+0xc4/0x154
kernel_init_freeable+0x204/0x2a8
kernel_init+0xc/0xd4
This happens because init_cma_reserved_pageblock() calls
__free_one_page() with pageblock_order as page order but it is bigger
than MAX_ORDER. This in turn causes accesses past zone->free_list[].
Fix the problem by changing init_cma_reserved_pageblock() such that it
splits pageblock into individual MAX_ORDER pages if pageblock is bigger
than a MAX_ORDER page.
In cases where !CONFIG_HUGETLB_PAGE_SIZE_VARIABLE, which is all
architectures expect for ia64, powerpc and tile at the moment, the
“pageblock_order > MAX_ORDER†condition will be optimised out since both
sides of the operator are constants. In cases where pageblock size is
variable, the performance degradation should not be significant anyway
since init_cma_reserved_pageblock() is called only at boot time at most
MAX_CMA_AREAS times which by default is eight.
Signed-off-by: Michal Nazarewicz <mina86@mina86.com>
Reported-by: Mark Salter <msalter@redhat.com>
Tested-by: Mark Salter <msalter@redhat.com>
Tested-by: Christopher Covington <cov@codeaurora.org>
Cc: Mel Gorman <mgorman@suse.de>
Cc: David Rientjes <rientjes@google.com>
Cc: Marek Szyprowski <m.szyprowski@samsung.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
mm/page_alloc.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/mm/page_alloc.c b/mm/page_alloc.c
index 856d95c..c4133b4 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -785,9 +785,21 @@ void __init init_cma_reserved_pageblock(struct page *page)
set_page_count(p, 0);
} while (++p, --i);
- set_page_refcounted(page);
set_pageblock_migratetype(page, MIGRATE_CMA);
- __free_pages(page, pageblock_order);
+
+ if (pageblock_order >= MAX_ORDER) {
+ i = pageblock_nr_pages;
+ p = page;
+ do {
+ set_page_refcounted(p);
+ __free_pages(p, MAX_ORDER - 1);
+ p += MAX_ORDER_NR_PAGES;
+ } while (i -= MAX_ORDER_NR_PAGES);
+ } else {
+ set_page_refcounted(page);
+ __free_pages(page, pageblock_order);
+ }
+
adjust_managed_page_count(page, pageblock_nr_pages);
}
#endif
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 052/259] /proc/stat: convert to single_open_size()
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (50 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 051/259] mm: page_alloc: fix CMA area initialisation when pageblock > MAX_ORDER Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 053/259] nick kvfree() from apparmor Kamal Mostafa
` (206 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Heiko Carstens, Ian Kent, Hendrik Brueckner, Thorsten Diehl,
Andrea Righi, Christoph Hellwig, Al Viro, Stefan Bader,
Andrew Morton, Linus Torvalds, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiko Carstens <heiko.carstens@de.ibm.com>
commit f74373a5cc7a0155d232c4e999648c7a95435bb2 upstream.
These two patches are supposed to "fix" failed order-4 memory
allocations which have been observed when reading /proc/stat. The
problem has been observed on s390 as well as on x86.
To address the problem change the seq_file memory allocations to
fallback to use vmalloc, so that allocations also work if memory is
fragmented.
This approach seems to be simpler and less intrusive than changing
/proc/stat to use an interator. Also it "fixes" other users as well,
which use seq_file's single_open() interface.
This patch (of 2):
Use seq_file's single_open_size() to preallocate a buffer that is large
enough to hold the whole output, instead of open coding it. Also
calculate the requested size using the number of online cpus instead of
possible cpus, since the size of the output only depends on the number
of online cpus.
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Acked-by: David Rientjes <rientjes@google.com>
Cc: Ian Kent <raven@themaw.net>
Cc: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
Cc: Thorsten Diehl <thorsten.diehl@de.ibm.com>
Cc: Andrea Righi <andrea@betterlinux.com>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
fs/proc/stat.c | 22 ++--------------------
1 file changed, 2 insertions(+), 20 deletions(-)
diff --git a/fs/proc/stat.c b/fs/proc/stat.c
index 1cf86c0..ccc657e 100644
--- a/fs/proc/stat.c
+++ b/fs/proc/stat.c
@@ -184,29 +184,11 @@ static int show_stat(struct seq_file *p, void *v)
static int stat_open(struct inode *inode, struct file *file)
{
- size_t size = 1024 + 128 * num_possible_cpus();
- char *buf;
- struct seq_file *m;
- int res;
+ size_t size = 1024 + 128 * num_online_cpus();
/* minimum size to display an interrupt count : 2 bytes */
size += 2 * nr_irqs;
-
- /* don't ask for more than the kmalloc() max size */
- if (size > KMALLOC_MAX_SIZE)
- size = KMALLOC_MAX_SIZE;
- buf = kmalloc(size, GFP_KERNEL);
- if (!buf)
- return -ENOMEM;
-
- res = single_open(file, show_stat, NULL);
- if (!res) {
- m = file->private_data;
- m->buf = buf;
- m->size = ksize(buf);
- } else
- kfree(buf);
- return res;
+ return single_open_size(file, show_stat, NULL, size);
}
static const struct file_operations proc_stat_operations = {
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 053/259] nick kvfree() from apparmor
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (51 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 052/259] /proc/stat: convert to single_open_size() Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 054/259] fs/seq_file: fallback to vmalloc allocation Kamal Mostafa
` (205 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Al Viro, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit 39f1f78d53b9bcbca91967380c5f0f2305a5c55f upstream.
too many places open-code it
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[ kamal: picked for 3.13-stable for backport convenience ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
include/linux/mm.h | 2 ++
mm/util.c | 10 ++++++++++
security/apparmor/include/apparmor.h | 1 -
security/apparmor/lib.c | 14 --------------
4 files changed, 12 insertions(+), 15 deletions(-)
diff --git a/include/linux/mm.h b/include/linux/mm.h
index 5360b82..4506b84 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -352,6 +352,8 @@ static inline int is_vmalloc_or_module_addr(const void *x)
}
#endif
+extern void kvfree(const void *addr);
+
static inline void compound_lock(struct page *page)
{
#ifdef CONFIG_TRANSPARENT_HUGEPAGE
diff --git a/mm/util.c b/mm/util.c
index 808f375..8636d3d 100644
--- a/mm/util.c
+++ b/mm/util.c
@@ -9,6 +9,7 @@
#include <linux/swapops.h>
#include <linux/mman.h>
#include <linux/hugetlb.h>
+#include <linux/vmalloc.h>
#include <asm/uaccess.h>
@@ -386,6 +387,15 @@ unsigned long vm_mmap(struct file *file, unsigned long addr,
}
EXPORT_SYMBOL(vm_mmap);
+void kvfree(const void *addr)
+{
+ if (is_vmalloc_addr(addr))
+ vfree(addr);
+ else
+ kfree(addr);
+}
+EXPORT_SYMBOL(kvfree);
+
struct address_space *page_mapping(struct page *page)
{
struct address_space *mapping = page->mapping;
diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h
index 8fb1488..97130f8 100644
--- a/security/apparmor/include/apparmor.h
+++ b/security/apparmor/include/apparmor.h
@@ -66,7 +66,6 @@ extern int apparmor_initialized __initdata;
char *aa_split_fqname(char *args, char **ns_name);
void aa_info_message(const char *str);
void *__aa_kvmalloc(size_t size, gfp_t flags);
-void kvfree(void *buffer);
static inline void *kvmalloc(size_t size)
{
diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
index 6968992..c1827e0 100644
--- a/security/apparmor/lib.c
+++ b/security/apparmor/lib.c
@@ -104,17 +104,3 @@ void *__aa_kvmalloc(size_t size, gfp_t flags)
}
return buffer;
}
-
-/**
- * kvfree - free an allocation do by kvmalloc
- * @buffer: buffer to free (MAYBE_NULL)
- *
- * Free a buffer allocated by kvmalloc
- */
-void kvfree(void *buffer)
-{
- if (is_vmalloc_addr(buffer))
- vfree(buffer);
- else
- kfree(buffer);
-}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 054/259] fs/seq_file: fallback to vmalloc allocation
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (52 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 053/259] nick kvfree() from apparmor Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 055/259] lz4: add overrun checks to lz4_uncompress_unknownoutputsize() Kamal Mostafa
` (204 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Heiko Carstens, Ian Kent, Hendrik Brueckner, Thorsten Diehl,
Andrea Righi, Christoph Hellwig, Al Viro, Stefan Bader,
Andrew Morton, Linus Torvalds, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiko Carstens <heiko.carstens@de.ibm.com>
commit 058504edd02667eef8fac9be27ab3ea74332e9b4 upstream.
There are a couple of seq_files which use the single_open() interface.
This interface requires that the whole output must fit into a single
buffer.
E.g. for /proc/stat allocation failures have been observed because an
order-4 memory allocation failed due to memory fragmentation. In such
situations reading /proc/stat is not possible anymore.
Therefore change the seq_file code to fallback to vmalloc allocations
which will usually result in a couple of order-0 allocations and hence
also work if memory is fragmented.
For reference a call trace where reading from /proc/stat failed:
sadc: page allocation failure: order:4, mode:0x1040d0
CPU: 1 PID: 192063 Comm: sadc Not tainted 3.10.0-123.el7.s390x #1
[...]
Call Trace:
show_stack+0x6c/0xe8
warn_alloc_failed+0xd6/0x138
__alloc_pages_nodemask+0x9da/0xb68
__get_free_pages+0x2e/0x58
kmalloc_order_trace+0x44/0xc0
stat_open+0x5a/0xd8
proc_reg_open+0x8a/0x140
do_dentry_open+0x1bc/0x2c8
finish_open+0x46/0x60
do_last+0x382/0x10d0
path_openat+0xc8/0x4f8
do_filp_open+0x46/0xa8
do_sys_open+0x114/0x1f0
sysc_tracego+0x14/0x1a
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Tested-by: David Rientjes <rientjes@google.com>
Cc: Ian Kent <raven@themaw.net>
Cc: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
Cc: Thorsten Diehl <thorsten.diehl@de.ibm.com>
Cc: Andrea Righi <andrea@betterlinux.com>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
fs/seq_file.c | 30 +++++++++++++++++++++---------
1 file changed, 21 insertions(+), 9 deletions(-)
diff --git a/fs/seq_file.c b/fs/seq_file.c
index 1d641bb..3857b72 100644
--- a/fs/seq_file.c
+++ b/fs/seq_file.c
@@ -8,8 +8,10 @@
#include <linux/fs.h>
#include <linux/export.h>
#include <linux/seq_file.h>
+#include <linux/vmalloc.h>
#include <linux/slab.h>
#include <linux/cred.h>
+#include <linux/mm.h>
#include <asm/uaccess.h>
#include <asm/page.h>
@@ -30,6 +32,16 @@ static void seq_set_overflow(struct seq_file *m)
m->count = m->size;
}
+static void *seq_buf_alloc(unsigned long size)
+{
+ void *buf;
+
+ buf = kmalloc(size, GFP_KERNEL | __GFP_NOWARN);
+ if (!buf && size > PAGE_SIZE)
+ buf = vmalloc(size);
+ return buf;
+}
+
/**
* seq_open - initialize sequential file
* @file: file we initialize
@@ -96,7 +108,7 @@ static int traverse(struct seq_file *m, loff_t offset)
return 0;
}
if (!m->buf) {
- m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
+ m->buf = seq_buf_alloc(m->size = PAGE_SIZE);
if (!m->buf)
return -ENOMEM;
}
@@ -135,9 +147,9 @@ static int traverse(struct seq_file *m, loff_t offset)
Eoverflow:
m->op->stop(m, p);
- kfree(m->buf);
+ kvfree(m->buf);
m->count = 0;
- m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
+ m->buf = seq_buf_alloc(m->size <<= 1);
return !m->buf ? -ENOMEM : -EAGAIN;
}
@@ -192,7 +204,7 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
/* grab buffer if we didn't have one */
if (!m->buf) {
- m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
+ m->buf = seq_buf_alloc(m->size = PAGE_SIZE);
if (!m->buf)
goto Enomem;
}
@@ -232,9 +244,9 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
if (m->count < m->size)
goto Fill;
m->op->stop(m, p);
- kfree(m->buf);
+ kvfree(m->buf);
m->count = 0;
- m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
+ m->buf = seq_buf_alloc(m->size <<= 1);
if (!m->buf)
goto Enomem;
m->version = 0;
@@ -350,7 +362,7 @@ EXPORT_SYMBOL(seq_lseek);
int seq_release(struct inode *inode, struct file *file)
{
struct seq_file *m = file->private_data;
- kfree(m->buf);
+ kvfree(m->buf);
kfree(m);
return 0;
}
@@ -605,13 +617,13 @@ EXPORT_SYMBOL(single_open);
int single_open_size(struct file *file, int (*show)(struct seq_file *, void *),
void *data, size_t size)
{
- char *buf = kmalloc(size, GFP_KERNEL);
+ char *buf = seq_buf_alloc(size);
int ret;
if (!buf)
return -ENOMEM;
ret = single_open(file, show, data);
if (ret) {
- kfree(buf);
+ kvfree(buf);
return ret;
}
((struct seq_file *)file->private_data)->buf = buf;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 055/259] lz4: add overrun checks to lz4_uncompress_unknownoutputsize()
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (53 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 054/259] fs/seq_file: fallback to vmalloc allocation Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 056/259] ptrace,x86: force IRET path after a ptrace_stop() Kamal Mostafa
` (203 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Don A. Bailey, Greg Kroah-Hartman, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 4a3a99045177369700c60d074c0e525e8093b0fc upstream.
Jan points out that I forgot to make the needed fixes to the
lz4_uncompress_unknownoutputsize() function to mirror the changes done
in lz4_decompress() with regards to potential pointer overflows.
The only in-kernel user of this function is the zram code, which only
takes data from a valid compressed buffer that it made itself, so it's
not a big issue. But due to external kernel modules using this
function, it's better to be safe here.
Reported-by: Jan Beulich <JBeulich@suse.com>
Cc: "Don A. Bailey" <donb@securitymouse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
lib/lz4/lz4_decompress.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/lib/lz4/lz4_decompress.c b/lib/lz4/lz4_decompress.c
index b74da44..7a85967 100644
--- a/lib/lz4/lz4_decompress.c
+++ b/lib/lz4/lz4_decompress.c
@@ -192,6 +192,8 @@ static int lz4_uncompress_unknownoutputsize(const char *source, char *dest,
int s = 255;
while ((ip < iend) && (s == 255)) {
s = *ip++;
+ if (unlikely(length > (size_t)(length + s)))
+ goto _output_error;
length += s;
}
}
@@ -232,6 +234,8 @@ static int lz4_uncompress_unknownoutputsize(const char *source, char *dest,
if (length == ML_MASK) {
while (ip < iend) {
int s = *ip++;
+ if (unlikely(length > (size_t)(length + s)))
+ goto _output_error;
length += s;
if (s == 255)
continue;
@@ -284,7 +288,7 @@ static int lz4_uncompress_unknownoutputsize(const char *source, char *dest,
/* write overflow error detected */
_output_error:
- return (int) (-(((char *) ip) - source));
+ return -1;
}
int lz4_decompress(const unsigned char *src, size_t *src_len,
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 056/259] ptrace,x86: force IRET path after a ptrace_stop()
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (54 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 055/259] lz4: add overrun checks to lz4_uncompress_unknownoutputsize() Kamal Mostafa
@ 2014-08-08 20:37 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 057/259] arm64: mm: Make icache synchronisation logic huge page aware Kamal Mostafa
` (202 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:37 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Tejun Heo, Linus Torvalds, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Tejun Heo <tj@kernel.org>
commit b9cd18de4db3c9ffa7e17b0dc0ca99ed5aa4d43a upstream.
The 'sysret' fastpath does not correctly restore even all regular
registers, much less any segment registers or reflags values. That is
very much part of why it's faster than 'iret'.
Normally that isn't a problem, because the normal ptrace() interface
catches the process using the signal handler infrastructure, which
always returns with an iret.
However, some paths can get caught using ptrace_event() instead of the
signal path, and for those we need to make sure that we aren't going to
return to user space using 'sysret'. Otherwise the modifications that
may have been done to the register set by the tracer wouldn't
necessarily take effect.
Fix it by forcing IRET path by setting TIF_NOTIFY_RESUME from
arch_ptrace_stop_needed() which is invoked from ptrace_stop().
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Andy Lutomirski <luto@amacapital.net>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/x86/include/asm/ptrace.h | 16 ++++++++++++++++
include/linux/ptrace.h | 3 +++
2 files changed, 19 insertions(+)
diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h
index 942a086..68e9f00 100644
--- a/arch/x86/include/asm/ptrace.h
+++ b/arch/x86/include/asm/ptrace.h
@@ -232,6 +232,22 @@ static inline unsigned long regs_get_kernel_stack_nth(struct pt_regs *regs,
#define ARCH_HAS_USER_SINGLE_STEP_INFO
+/*
+ * When hitting ptrace_stop(), we cannot return using SYSRET because
+ * that does not restore the full CPU state, only a minimal set. The
+ * ptracer can change arbitrary register values, which is usually okay
+ * because the usual ptrace stops run off the signal delivery path which
+ * forces IRET; however, ptrace_event() stops happen in arbitrary places
+ * in the kernel and don't force IRET path.
+ *
+ * So force IRET path after a ptrace stop.
+ */
+#define arch_ptrace_stop_needed(code, info) \
+({ \
+ set_thread_flag(TIF_NOTIFY_RESUME); \
+ false; \
+})
+
struct user_desc;
extern int do_get_thread_area(struct task_struct *p, int idx,
struct user_desc __user *info);
diff --git a/include/linux/ptrace.h b/include/linux/ptrace.h
index 077904c..cc79eff 100644
--- a/include/linux/ptrace.h
+++ b/include/linux/ptrace.h
@@ -334,6 +334,9 @@ static inline void user_single_step_siginfo(struct task_struct *tsk,
* calling arch_ptrace_stop() when it would be superfluous. For example,
* if the thread has not been back to user mode since the last stop, the
* thread state might indicate that nothing needs to be done.
+ *
+ * This is guaranteed to be invoked once before a task stops for ptrace and
+ * may include arch-specific operations necessary prior to a ptrace stop.
*/
#define arch_ptrace_stop_needed(code, info) (0)
#endif
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 057/259] arm64: mm: Make icache synchronisation logic huge page aware
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (55 preceding siblings ...)
2014-08-08 20:37 ` [PATCH 3.13 056/259] ptrace,x86: force IRET path after a ptrace_stop() Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 058/259] workqueue: fix dev_set_uevent_suppress() imbalance Kamal Mostafa
` (201 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Steve Capper, Catalin Marinas, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Steve Capper <steve.capper@linaro.org>
commit 923b8f5044da753e4985ab15c1374ced2cdf616c upstream.
The __sync_icache_dcache routine will only flush the dcache for the
first page of a compound page, potentially leading to stale icache
data residing further on in a hugetlb page.
This patch addresses this issue by taking into consideration the
order of the page when flushing the dcache.
Reported-by: Mark Brown <broonie@linaro.org>
Tested-by: Mark Brown <broonie@linaro.org>
Signed-off-by: Steve Capper <steve.capper@linaro.org>
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/arm64/mm/flush.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/arm64/mm/flush.c b/arch/arm64/mm/flush.c
index e4193e3..0d64089 100644
--- a/arch/arm64/mm/flush.c
+++ b/arch/arm64/mm/flush.c
@@ -79,7 +79,8 @@ void __sync_icache_dcache(pte_t pte, unsigned long addr)
return;
if (!test_and_set_bit(PG_dcache_clean, &page->flags)) {
- __flush_dcache_area(page_address(page), PAGE_SIZE);
+ __flush_dcache_area(page_address(page),
+ PAGE_SIZE << compound_order(page));
__flush_icache_all();
} else if (icache_is_aivivt()) {
__flush_icache_all();
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 058/259] workqueue: fix dev_set_uevent_suppress() imbalance
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (56 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 057/259] arm64: mm: Make icache synchronisation logic huge page aware Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 059/259] cpuset,mempolicy: fix sleeping function called from invalid context Kamal Mostafa
` (200 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Maxime Bizon, Tejun Heo, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxime Bizon <mbizon@freebox.fr>
commit bddbceb688c6d0decaabc7884fede319d02f96c8 upstream.
Uevents are suppressed during attributes registration, but never
restored, so kobject_uevent() does nothing.
Signed-off-by: Maxime Bizon <mbizon@freebox.fr>
Signed-off-by: Tejun Heo <tj@kernel.org>
Fixes: 226223ab3c4118ddd10688cc2c131135848371ab
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
kernel/workqueue.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/kernel/workqueue.c b/kernel/workqueue.c
index 1b23f5b..61212c9 100644
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -3415,6 +3415,7 @@ int workqueue_sysfs_register(struct workqueue_struct *wq)
}
}
+ dev_set_uevent_suppress(&wq_dev->dev, false);
kobject_uevent(&wq_dev->dev.kobj, KOBJ_ADD);
return 0;
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 059/259] cpuset,mempolicy: fix sleeping function called from invalid context
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (57 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 058/259] workqueue: fix dev_set_uevent_suppress() imbalance Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 060/259] crypto: sha512_ssse3 - fix byte count to bit count conversion Kamal Mostafa
` (199 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Gu Zheng, Tejun Heo, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Gu Zheng <guz.fnst@cn.fujitsu.com>
commit 391acf970d21219a2a5446282d3b20eace0c0d7a upstream.
When runing with the kernel(3.15-rc7+), the follow bug occurs:
[ 9969.258987] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:586
[ 9969.359906] in_atomic(): 1, irqs_disabled(): 0, pid: 160655, name: python
[ 9969.441175] INFO: lockdep is turned off.
[ 9969.488184] CPU: 26 PID: 160655 Comm: python Tainted: G A 3.15.0-rc7+ #85
[ 9969.581032] Hardware name: FUJITSU-SV PRIMEQUEST 1800E/SB, BIOS PRIMEQUEST 1000 Series BIOS Version 1.39 11/16/2012
[ 9969.706052] ffffffff81a20e60 ffff8803e941fbd0 ffffffff8162f523 ffff8803e941fd18
[ 9969.795323] ffff8803e941fbe0 ffffffff8109995a ffff8803e941fc58 ffffffff81633e6c
[ 9969.884710] ffffffff811ba5dc ffff880405c6b480 ffff88041fdd90a0 0000000000002000
[ 9969.974071] Call Trace:
[ 9970.003403] [<ffffffff8162f523>] dump_stack+0x4d/0x66
[ 9970.065074] [<ffffffff8109995a>] __might_sleep+0xfa/0x130
[ 9970.130743] [<ffffffff81633e6c>] mutex_lock_nested+0x3c/0x4f0
[ 9970.200638] [<ffffffff811ba5dc>] ? kmem_cache_alloc+0x1bc/0x210
[ 9970.272610] [<ffffffff81105807>] cpuset_mems_allowed+0x27/0x140
[ 9970.344584] [<ffffffff811b1303>] ? __mpol_dup+0x63/0x150
[ 9970.409282] [<ffffffff811b1385>] __mpol_dup+0xe5/0x150
[ 9970.471897] [<ffffffff811b1303>] ? __mpol_dup+0x63/0x150
[ 9970.536585] [<ffffffff81068c86>] ? copy_process.part.23+0x606/0x1d40
[ 9970.613763] [<ffffffff810bf28d>] ? trace_hardirqs_on+0xd/0x10
[ 9970.683660] [<ffffffff810ddddf>] ? monotonic_to_bootbased+0x2f/0x50
[ 9970.759795] [<ffffffff81068cf0>] copy_process.part.23+0x670/0x1d40
[ 9970.834885] [<ffffffff8106a598>] do_fork+0xd8/0x380
[ 9970.894375] [<ffffffff81110e4c>] ? __audit_syscall_entry+0x9c/0xf0
[ 9970.969470] [<ffffffff8106a8c6>] SyS_clone+0x16/0x20
[ 9971.030011] [<ffffffff81642009>] stub_clone+0x69/0x90
[ 9971.091573] [<ffffffff81641c29>] ? system_call_fastpath+0x16/0x1b
The cause is that cpuset_mems_allowed() try to take
mutex_lock(&callback_mutex) under the rcu_read_lock(which was hold in
__mpol_dup()). And in cpuset_mems_allowed(), the access to cpuset is
under rcu_read_lock, so in __mpol_dup, we can reduce the rcu_read_lock
protection region to protect the access to cpuset only in
current_cpuset_is_being_rebound(). So that we can avoid this bug.
This patch is a temporary solution that just addresses the bug
mentioned above, can not fix the long-standing issue about cpuset.mems
rebinding on fork():
"When the forker's task_struct is duplicated (which includes
->mems_allowed) and it races with an update to cpuset_being_rebound
in update_tasks_nodemask() then the task's mems_allowed doesn't get
updated. And the child task's mems_allowed can be wrong if the
cpuset's nodemask changes before the child has been added to the
cgroup's tasklist."
Signed-off-by: Gu Zheng <guz.fnst@cn.fujitsu.com>
Acked-by: Li Zefan <lizefan@huawei.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
kernel/cpuset.c | 8 +++++++-
mm/mempolicy.c | 2 --
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/kernel/cpuset.c b/kernel/cpuset.c
index 5ae9f95..0b29c52 100644
--- a/kernel/cpuset.c
+++ b/kernel/cpuset.c
@@ -1236,7 +1236,13 @@ done:
int current_cpuset_is_being_rebound(void)
{
- return task_cs(current) == cpuset_being_rebound;
+ int ret;
+
+ rcu_read_lock();
+ ret = task_cs(current) == cpuset_being_rebound;
+ rcu_read_unlock();
+
+ return ret;
}
static int update_relax_domain_level(struct cpuset *cs, s64 val)
diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index 65c7674..b742d37 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -2173,7 +2173,6 @@ struct mempolicy *__mpol_dup(struct mempolicy *old)
} else
*new = *old;
- rcu_read_lock();
if (current_cpuset_is_being_rebound()) {
nodemask_t mems = cpuset_mems_allowed(current);
if (new->flags & MPOL_F_REBINDING)
@@ -2181,7 +2180,6 @@ struct mempolicy *__mpol_dup(struct mempolicy *old)
else
mpol_rebind_policy(new, &mems, MPOL_REBIND_ONCE);
}
- rcu_read_unlock();
atomic_set(&new->refcnt, 1);
return new;
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 060/259] crypto: sha512_ssse3 - fix byte count to bit count conversion
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (58 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 059/259] cpuset,mempolicy: fix sleeping function called from invalid context Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 061/259] thermal: hwmon: Make the check for critical temp valid consistent Kamal Mostafa
` (198 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Jussi Kivilinna, Herbert Xu, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
commit cfe82d4f45c7cc39332a2be7c4c1d3bf279bbd3d upstream.
Byte-to-bit-count computation is only partly converted to big-endian and is
mixing in CPU-endian values. Problem was noticed by sparce with warning:
CHECK arch/x86/crypto/sha512_ssse3_glue.c
arch/x86/crypto/sha512_ssse3_glue.c:144:19: warning: restricted __be64 degrades to integer
arch/x86/crypto/sha512_ssse3_glue.c:144:17: warning: incorrect type in assignment (different base types)
arch/x86/crypto/sha512_ssse3_glue.c:144:17: expected restricted __be64 <noident>
arch/x86/crypto/sha512_ssse3_glue.c:144:17: got unsigned long long
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Acked-by: Tim Chen <tim.c.chen@linux.intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/x86/crypto/sha512_ssse3_glue.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/crypto/sha512_ssse3_glue.c b/arch/x86/crypto/sha512_ssse3_glue.c
index f30cd10..8626b03 100644
--- a/arch/x86/crypto/sha512_ssse3_glue.c
+++ b/arch/x86/crypto/sha512_ssse3_glue.c
@@ -141,7 +141,7 @@ static int sha512_ssse3_final(struct shash_desc *desc, u8 *out)
/* save number of bits */
bits[1] = cpu_to_be64(sctx->count[0] << 3);
- bits[0] = cpu_to_be64(sctx->count[1] << 3) | sctx->count[0] >> 61;
+ bits[0] = cpu_to_be64(sctx->count[1] << 3 | sctx->count[0] >> 61);
/* Pad out to 112 mod 128 and append length */
index = sctx->count[0] & 0x7f;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 061/259] thermal: hwmon: Make the check for critical temp valid consistent
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (59 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 060/259] crypto: sha512_ssse3 - fix byte count to bit count conversion Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-09 16:51 ` edubezval
2014-08-08 20:38 ` [PATCH 3.13 062/259] clk: s2mps11: Fix double free corruption during driver unbind Kamal Mostafa
` (197 subsequent siblings)
258 siblings, 1 reply; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Aaron Lu, Zhang Rui, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Aaron Lu <aaron.lu@intel.com>
commit e8db5d6736a712a3e2280c0e31f4b301d85172d8 upstream.
On 05/21/2014 04:22 PM, Aaron Lu wrote:
> On 05/21/2014 01:57 PM, Kui Zhang wrote:
>> Hello,
>>
>> I get following error when rmmod thermal.
>>
>> rmmod thermal
>> Killed
While dealing with this problem, I found another problem that also
results in a kernel crash on thermal module removal:
From: Aaron Lu <aaron.lu@intel.com>
Date: Wed, 21 May 2014 16:05:38 +0800
Subject: [PATCH] thermal: hwmon: Make the check for critical temp valid consistent
We used the tz->ops->get_crit_temp && !tz->ops->get_crit_temp(tz, temp)
to decide if we need to create the temp_crit attribute file but we just
check if tz->ops->get_crit_temp exists to decide if we need to remove
that attribute file. Some ACPI thermal zone doesn't have a valid critical
trip point and that would result in removing a non-existent device file
on thermal module unload.
Signed-off-by: Aaron Lu <aaron.lu@intel.com>
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/thermal/thermal_hwmon.c | 33 ++++++++++++++++++---------------
1 file changed, 18 insertions(+), 15 deletions(-)
diff --git a/drivers/thermal/thermal_hwmon.c b/drivers/thermal/thermal_hwmon.c
index fdb0719..1967bee 100644
--- a/drivers/thermal/thermal_hwmon.c
+++ b/drivers/thermal/thermal_hwmon.c
@@ -140,6 +140,12 @@ thermal_hwmon_lookup_temp(const struct thermal_hwmon_device *hwmon,
return NULL;
}
+static bool thermal_zone_crit_temp_valid(struct thermal_zone_device *tz)
+{
+ unsigned long temp;
+ return tz->ops->get_crit_temp && !tz->ops->get_crit_temp(tz, &temp);
+}
+
int thermal_add_hwmon_sysfs(struct thermal_zone_device *tz)
{
struct thermal_hwmon_device *hwmon;
@@ -189,21 +195,18 @@ int thermal_add_hwmon_sysfs(struct thermal_zone_device *tz)
if (result)
goto free_temp_mem;
- if (tz->ops->get_crit_temp) {
- unsigned long temperature;
- if (!tz->ops->get_crit_temp(tz, &temperature)) {
- snprintf(temp->temp_crit.name,
- sizeof(temp->temp_crit.name),
+ if (thermal_zone_crit_temp_valid(tz)) {
+ snprintf(temp->temp_crit.name,
+ sizeof(temp->temp_crit.name),
"temp%d_crit", hwmon->count);
- temp->temp_crit.attr.attr.name = temp->temp_crit.name;
- temp->temp_crit.attr.attr.mode = 0444;
- temp->temp_crit.attr.show = temp_crit_show;
- sysfs_attr_init(&temp->temp_crit.attr.attr);
- result = device_create_file(hwmon->device,
- &temp->temp_crit.attr);
- if (result)
- goto unregister_input;
- }
+ temp->temp_crit.attr.attr.name = temp->temp_crit.name;
+ temp->temp_crit.attr.attr.mode = 0444;
+ temp->temp_crit.attr.show = temp_crit_show;
+ sysfs_attr_init(&temp->temp_crit.attr.attr);
+ result = device_create_file(hwmon->device,
+ &temp->temp_crit.attr);
+ if (result)
+ goto unregister_input;
}
mutex_lock(&thermal_hwmon_list_lock);
@@ -250,7 +253,7 @@ void thermal_remove_hwmon_sysfs(struct thermal_zone_device *tz)
}
device_remove_file(hwmon->device, &temp->temp_input.attr);
- if (tz->ops->get_crit_temp)
+ if (thermal_zone_crit_temp_valid(tz))
device_remove_file(hwmon->device, &temp->temp_crit.attr);
mutex_lock(&thermal_hwmon_list_lock);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 062/259] clk: s2mps11: Fix double free corruption during driver unbind
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (60 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 061/259] thermal: hwmon: Make the check for critical temp valid consistent Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 063/259] hwmon: (amc6821) Fix permissions for temp2_input Kamal Mostafa
` (196 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Krzysztof Kozlowski, Mike Turquette, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
commit 2a96dfa49c83a2a7cbdb11382976aaa6b2636764 upstream.
After unbinding the driver memory was corrupted by double free of
clk_lookup structure. This lead to OOPS when re-binding the driver
again.
The driver allocated memory for 'clk_lookup' with devm_kzalloc. During
driver removal this memory was freed twice: once by clkdev_drop() and
second by devm code.
Kernel panic log:
[ 30.839284] Unable to handle kernel paging request at virtual address 5f343173
[ 30.846476] pgd = dee14000
[ 30.849165] [5f343173] *pgd=00000000
[ 30.852703] Internal error: Oops: 805 [#1] PREEMPT SMP ARM
[ 30.858166] Modules linked in:
[ 30.861208] CPU: 0 PID: 1 Comm: bash Not tainted 3.16.0-rc2-00239-g94bdf617b07e-dirty #40
[ 30.869364] task: df478000 ti: df480000 task.ti: df480000
[ 30.874752] PC is at clkdev_add+0x2c/0x38
[ 30.878738] LR is at clkdev_add+0x18/0x38
[ 30.882732] pc : [<c0350908>] lr : [<c03508f4>] psr: 60000013
[ 30.882732] sp : df481e78 ip : 00000001 fp : c0700ed8
[ 30.894187] r10: 0000000c r9 : 00000000 r8 : c07b0e3c
[ 30.899396] r7 : 00000002 r6 : df45f9d0 r5 : df421390 r4 : c0700d6c
[ 30.905906] r3 : 5f343173 r2 : c0700d84 r1 : 60000013 r0 : c0700d6c
[ 30.912417] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
[ 30.919534] Control: 10c53c7d Table: 5ee1406a DAC: 00000015
[ 30.925262] Process bash (pid: 1, stack limit = 0xdf480240)
[ 30.930817] Stack: (0xdf481e78 to 0xdf482000)
[ 30.935159] 1e60: 00001000 df6de610
[ 30.943321] 1e80: df7f4558 c0355650 c05ec6ec c0700eb0 df6de600 df7f4510 dec9d69c 00000014
[ 30.951480] 1ea0: 00167b48 df6de610 c0700e30 c0713518 00000000 c0700e30 dec9d69c 00000006
[ 30.959639] 1ec0: 00167b48 c02c1b7c c02c1b64 df6de610 c07aff48 c02c0420 c06fb150 c047cc20
[ 30.967798] 1ee0: df6de610 df6de610 c0700e30 df6de644 c06fb150 0000000c dec9d690 c02bef90
[ 30.975957] 1f00: dec9c6c0 dece4c00 df481f80 dece4c00 0000000c c02be73c 0000000c c016ca8c
[ 30.984116] 1f20: c016ca48 00000000 00000000 c016c1f4 00000000 00000000 b6f18000 df481f80
[ 30.992276] 1f40: df7f66c0 0000000c df480000 df480000 b6f18000 c011094c df47839c 60000013
[ 31.000435] 1f60: 00000000 00000000 df7f66c0 df7f66c0 0000000c df480000 b6f18000 c0110dd4
[ 31.008594] 1f80: 00000000 00000000 0000000c b6ec05d8 0000000c b6f18000 00000004 c000f2a8
[ 31.016753] 1fa0: 00001000 c000f0e0 b6ec05d8 0000000c 00000001 b6f18000 0000000c 00000000
[ 31.024912] 1fc0: b6ec05d8 0000000c b6f18000 00000004 0000000c 00000001 00000000 00167b48
[ 31.033071] 1fe0: 00000000 bed83a80 b6e004f0 b6e5122c 60000010 00000001 ffffffff ffffffff
[ 31.041248] [<c0350908>] (clkdev_add) from [<c0355650>] (s2mps11_clk_probe+0x2b4/0x3b4)
[ 31.049223] [<c0355650>] (s2mps11_clk_probe) from [<c02c1b7c>] (platform_drv_probe+0x18/0x48)
[ 31.057728] [<c02c1b7c>] (platform_drv_probe) from [<c02c0420>] (driver_probe_device+0x13c/0x384)
[ 31.066579] [<c02c0420>] (driver_probe_device) from [<c02bef90>] (bind_store+0x88/0xd8)
[ 31.074564] [<c02bef90>] (bind_store) from [<c02be73c>] (drv_attr_store+0x20/0x2c)
[ 31.082118] [<c02be73c>] (drv_attr_store) from [<c016ca8c>] (sysfs_kf_write+0x44/0x48)
[ 31.090016] [<c016ca8c>] (sysfs_kf_write) from [<c016c1f4>] (kernfs_fop_write+0xc0/0x17c)
[ 31.098176] [<c016c1f4>] (kernfs_fop_write) from [<c011094c>] (vfs_write+0xa0/0x1c4)
[ 31.105899] [<c011094c>] (vfs_write) from [<c0110dd4>] (SyS_write+0x40/0x8c)
[ 31.112931] [<c0110dd4>] (SyS_write) from [<c000f0e0>] (ret_fast_syscall+0x0/0x3c)
[ 31.120481] Code: e2842018 e584501c e1a00004 e885000c (e5835000)
[ 31.126596] ---[ end trace efad45bfa3a61b05 ]---
[ 31.131181] Kernel panic - not syncing: Fatal exception
[ 31.136368] CPU1: stopping
[ 31.139054] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G D 3.16.0-rc2-00239-g94bdf617b07e-dirty #40
[ 31.148697] [<c0016480>] (unwind_backtrace) from [<c0012950>] (show_stack+0x10/0x14)
[ 31.156419] [<c0012950>] (show_stack) from [<c0480db8>] (dump_stack+0x80/0xcc)
[ 31.163622] [<c0480db8>] (dump_stack) from [<c001499c>] (handle_IPI+0x130/0x15c)
[ 31.170998] [<c001499c>] (handle_IPI) from [<c000862c>] (gic_handle_irq+0x60/0x68)
[ 31.178549] [<c000862c>] (gic_handle_irq) from [<c0013480>] (__irq_svc+0x40/0x70)
[ 31.186009] Exception stack(0xdf4bdf88 to 0xdf4bdfd0)
[ 31.191046] df80: ffffffed 00000000 00000000 00000000 df4bc000 c06d042c
[ 31.199207] dfa0: 00000000 ffffffed c06d03c0 00000000 c070c288 00000000 00000000 df4bdfd0
[ 31.207363] dfc0: c0010324 c0010328 60000013 ffffffff
[ 31.212402] [<c0013480>] (__irq_svc) from [<c0010328>] (arch_cpu_idle+0x28/0x30)
[ 31.219783] [<c0010328>] (arch_cpu_idle) from [<c005f150>] (cpu_startup_entry+0x2c4/0x3f0)
[ 31.228027] [<c005f150>] (cpu_startup_entry) from [<400086c4>] (0x400086c4)
[ 31.234968] ---[ end Kernel panic - not syncing: Fatal exception
Fixes: 7cc560dea415 ("clk: s2mps11: Add support for s2mps11")
Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Reviewed-by: Yadwinder Singh Brar <yadi.brar@samsung.com>
Signed-off-by: Mike Turquette <mturquette@linaro.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/clk/clk-s2mps11.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/drivers/clk/clk-s2mps11.c b/drivers/clk/clk-s2mps11.c
index 27c83e4..611b936 100644
--- a/drivers/clk/clk-s2mps11.c
+++ b/drivers/clk/clk-s2mps11.c
@@ -190,16 +190,13 @@ static int s2mps11_clk_probe(struct platform_device *pdev)
goto err_reg;
}
- s2mps11_clk->lookup = devm_kzalloc(&pdev->dev,
- sizeof(struct clk_lookup), GFP_KERNEL);
+ s2mps11_clk->lookup = clkdev_alloc(s2mps11_clk->clk,
+ s2mps11_name(s2mps11_clk), NULL);
if (!s2mps11_clk->lookup) {
ret = -ENOMEM;
goto err_lup;
}
- s2mps11_clk->lookup->con_id = s2mps11_name(s2mps11_clk);
- s2mps11_clk->lookup->clk = s2mps11_clk->clk;
-
clkdev_add(s2mps11_clk->lookup);
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 063/259] hwmon: (amc6821) Fix permissions for temp2_input
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (61 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 062/259] clk: s2mps11: Fix double free corruption during driver unbind Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 064/259] hwmon: (adm1029) Ensure the fan_div cache is updated in set_fan_div Kamal Mostafa
` (195 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Axel Lin, Guenter Roeck, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Axel Lin <axel.lin@ingics.com>
commit df86754b746e9a0ff6f863f690b1c01d408e3cdc upstream.
temp2_input should not be writable, fix it.
Reported-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/hwmon/amc6821.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hwmon/amc6821.c b/drivers/hwmon/amc6821.c
index eea8172..9f2be3d 100644
--- a/drivers/hwmon/amc6821.c
+++ b/drivers/hwmon/amc6821.c
@@ -704,7 +704,7 @@ static SENSOR_DEVICE_ATTR(temp1_max_alarm, S_IRUGO,
get_temp_alarm, NULL, IDX_TEMP1_MAX);
static SENSOR_DEVICE_ATTR(temp1_crit_alarm, S_IRUGO,
get_temp_alarm, NULL, IDX_TEMP1_CRIT);
-static SENSOR_DEVICE_ATTR(temp2_input, S_IRUGO | S_IWUSR,
+static SENSOR_DEVICE_ATTR(temp2_input, S_IRUGO,
get_temp, NULL, IDX_TEMP2_INPUT);
static SENSOR_DEVICE_ATTR(temp2_min, S_IRUGO | S_IWUSR, get_temp,
set_temp, IDX_TEMP2_MIN);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 064/259] hwmon: (adm1029) Ensure the fan_div cache is updated in set_fan_div
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (62 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 063/259] hwmon: (amc6821) Fix permissions for temp2_input Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 065/259] hwmon: (adm1021) Fix cache problem when writing temperature limits Kamal Mostafa
` (194 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Axel Lin, Guenter Roeck, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Axel Lin <axel.lin@ingics.com>
commit 1035a9e3e9c76b64a860a774f5b867d28d34acc2 upstream.
Writing to fanX_div does not clear the cache. As a result, reading
from fanX_div may return the old value for up to two seconds
after writing a new value.
This patch ensures the fan_div cache is updated in set_fan_div().
Reported-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/hwmon/adm1029.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/hwmon/adm1029.c b/drivers/hwmon/adm1029.c
index 9ee5e06..39441e5 100644
--- a/drivers/hwmon/adm1029.c
+++ b/drivers/hwmon/adm1029.c
@@ -232,6 +232,9 @@ static ssize_t set_fan_div(struct device *dev,
/* Update the value */
reg = (reg & 0x3F) | (val << 6);
+ /* Update the cache */
+ data->fan_div[attr->index] = reg;
+
/* Write value */
i2c_smbus_write_byte_data(client,
ADM1029_REG_FAN_DIV[attr->index], reg);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 065/259] hwmon: (adm1021) Fix cache problem when writing temperature limits
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (63 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 064/259] hwmon: (adm1029) Ensure the fan_div cache is updated in set_fan_div Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 066/259] ext4: fix unjournalled bg descriptor while initializing inode bitmap Kamal Mostafa
` (193 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Axel Lin, Guenter Roeck, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Axel Lin <axel.lin@ingics.com>
commit c024044d4da2c9c3b32933b4235df1e409293b84 upstream.
The module test script for the adm1021 driver exposes a cache problem
when writing temperature limits. temp_min and temp_max are expected
to be stored in milli-degrees C but are stored in degrees C.
Reported-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/hwmon/adm1021.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/drivers/hwmon/adm1021.c b/drivers/hwmon/adm1021.c
index 29dd9f7..233b374 100644
--- a/drivers/hwmon/adm1021.c
+++ b/drivers/hwmon/adm1021.c
@@ -185,7 +185,7 @@ static ssize_t set_temp_max(struct device *dev,
struct i2c_client *client = to_i2c_client(dev);
struct adm1021_data *data = i2c_get_clientdata(client);
long temp;
- int err;
+ int reg_val, err;
err = kstrtol(buf, 10, &temp);
if (err)
@@ -193,10 +193,11 @@ static ssize_t set_temp_max(struct device *dev,
temp /= 1000;
mutex_lock(&data->update_lock);
- data->temp_max[index] = clamp_val(temp, -128, 127);
+ reg_val = clamp_val(temp, -128, 127);
+ data->temp_max[index] = reg_val * 1000;
if (!read_only)
i2c_smbus_write_byte_data(client, ADM1021_REG_TOS_W(index),
- data->temp_max[index]);
+ reg_val);
mutex_unlock(&data->update_lock);
return count;
@@ -210,7 +211,7 @@ static ssize_t set_temp_min(struct device *dev,
struct i2c_client *client = to_i2c_client(dev);
struct adm1021_data *data = i2c_get_clientdata(client);
long temp;
- int err;
+ int reg_val, err;
err = kstrtol(buf, 10, &temp);
if (err)
@@ -218,10 +219,11 @@ static ssize_t set_temp_min(struct device *dev,
temp /= 1000;
mutex_lock(&data->update_lock);
- data->temp_min[index] = clamp_val(temp, -128, 127);
+ reg_val = clamp_val(temp, -128, 127);
+ data->temp_min[index] = reg_val * 1000;
if (!read_only)
i2c_smbus_write_byte_data(client, ADM1021_REG_THYST_W(index),
- data->temp_min[index]);
+ reg_val);
mutex_unlock(&data->update_lock);
return count;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 066/259] ext4: fix unjournalled bg descriptor while initializing inode bitmap
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (64 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 065/259] hwmon: (adm1021) Fix cache problem when writing temperature limits Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 067/259] ext4: clarify error count warning messages Kamal Mostafa
` (192 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Theodore Ts'o, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Theodore Ts'o <tytso@mit.edu>
commit 61c219f5814277ecb71d64cb30297028d6665979 upstream.
The first time that we allocate from an uninitialized inode allocation
bitmap, if the block allocation bitmap is also uninitalized, we need
to get write access to the block group descriptor before we start
modifying the block group descriptor flags and updating the free block
count, etc. Otherwise, there is the potential of a bad journal
checksum (if journal checksums are enabled), and of the file system
becoming inconsistent if we crash at exactly the wrong time.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
fs/ext4/ialloc.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
index 0ee59a6..64bb32f1 100644
--- a/fs/ext4/ialloc.c
+++ b/fs/ext4/ialloc.c
@@ -851,6 +851,13 @@ got:
goto out;
}
+ BUFFER_TRACE(group_desc_bh, "get_write_access");
+ err = ext4_journal_get_write_access(handle, group_desc_bh);
+ if (err) {
+ ext4_std_error(sb, err);
+ goto out;
+ }
+
/* We may have to initialize the block bitmap if it isn't already */
if (ext4_has_group_desc_csum(sb) &&
gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) {
@@ -887,13 +894,6 @@ got:
}
}
- BUFFER_TRACE(group_desc_bh, "get_write_access");
- err = ext4_journal_get_write_access(handle, group_desc_bh);
- if (err) {
- ext4_std_error(sb, err);
- goto out;
- }
-
/* Update the relevant bg descriptor fields */
if (ext4_has_group_desc_csum(sb)) {
int free;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 067/259] ext4: clarify error count warning messages
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (65 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 066/259] ext4: fix unjournalled bg descriptor while initializing inode bitmap Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 068/259] ext4: clarify ext4_error message in ext4_mb_generate_buddy_error() Kamal Mostafa
` (191 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Pavel Machek, Theodore Ts'o, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Theodore Ts'o <tytso@mit.edu>
commit ae0f78de2c43b6fadd007c231a352b13b5be8ed2 upstream.
Make it clear that values printed are times, and that it is error
since last fsck. Also add note about fsck version required.
Signed-off-by: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
fs/ext4/super.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 710fed2..a81a3da 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -2793,10 +2793,11 @@ static void print_daily_error_info(unsigned long arg)
es = sbi->s_es;
if (es->s_error_count)
- ext4_msg(sb, KERN_NOTICE, "error count: %u",
+ /* fsck newer than v1.41.13 is needed to clean this condition. */
+ ext4_msg(sb, KERN_NOTICE, "error count since last fsck: %u",
le32_to_cpu(es->s_error_count));
if (es->s_first_error_time) {
- printk(KERN_NOTICE "EXT4-fs (%s): initial error at %u: %.*s:%d",
+ printk(KERN_NOTICE "EXT4-fs (%s): initial error at time %u: %.*s:%d",
sb->s_id, le32_to_cpu(es->s_first_error_time),
(int) sizeof(es->s_first_error_func),
es->s_first_error_func,
@@ -2810,7 +2811,7 @@ static void print_daily_error_info(unsigned long arg)
printk("\n");
}
if (es->s_last_error_time) {
- printk(KERN_NOTICE "EXT4-fs (%s): last error at %u: %.*s:%d",
+ printk(KERN_NOTICE "EXT4-fs (%s): last error at time %u: %.*s:%d",
sb->s_id, le32_to_cpu(es->s_last_error_time),
(int) sizeof(es->s_last_error_func),
es->s_last_error_func,
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 068/259] ext4: clarify ext4_error message in ext4_mb_generate_buddy_error()
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (66 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 067/259] ext4: clarify error count warning messages Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 069/259] ext4: disable synchronous transaction batching if max_batch_time==0 Kamal Mostafa
` (190 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Theodore Ts'o, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Theodore Ts'o <tytso@mit.edu>
commit 94d4c066a4ff170a2671b1a9b153febbf36796f6 upstream.
We are spending a lot of time explaining to users what this error
means. Let's try to improve the message to avoid this problem.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
fs/ext4/mballoc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 08ddfda..502f0fd 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -751,8 +751,8 @@ void ext4_mb_generate_buddy(struct super_block *sb,
if (free != grp->bb_free) {
ext4_grp_locked_error(sb, group, 0, 0,
- "%u clusters in bitmap, %u in gd; "
- "block bitmap corrupt.",
+ "block bitmap and bg descriptor "
+ "inconsistent: %u vs %u free clusters",
free, grp->bb_free);
/*
* If we intend to continue, we consider group descriptor
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 069/259] ext4: disable synchronous transaction batching if max_batch_time==0
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (67 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 068/259] ext4: clarify ext4_error message in ext4_mb_generate_buddy_error() Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 070/259] Revert "ACPI / AC: Remove AC's proc directory." Kamal Mostafa
` (189 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Eric Sandeen, Theodore Ts'o, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Sandeen <sandeen@redhat.com>
commit 5dd214248f94d430d70e9230bda72f2654ac88a8 upstream.
The mount manpage says of the max_batch_time option,
This optimization can be turned off entirely
by setting max_batch_time to 0.
But the code doesn't do that. So fix the code to do
that.
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
fs/ext4/super.c | 2 --
fs/jbd2/transaction.c | 5 ++++-
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index a81a3da..25b327e 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -1519,8 +1519,6 @@ static int handle_mount_opt(struct super_block *sb, char *opt, int token,
arg = JBD2_DEFAULT_MAX_COMMIT_AGE;
sbi->s_commit_interval = HZ * arg;
} else if (token == Opt_max_batch_time) {
- if (arg == 0)
- arg = EXT4_DEF_MAX_BATCH_TIME;
sbi->s_max_batch_time = arg;
} else if (token == Opt_min_batch_time) {
sbi->s_min_batch_time = arg;
diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c
index 60bb365..f8a5d6a 100644
--- a/fs/jbd2/transaction.c
+++ b/fs/jbd2/transaction.c
@@ -1590,9 +1590,12 @@ int jbd2_journal_stop(handle_t *handle)
* to perform a synchronous write. We do this to detect the
* case where a single process is doing a stream of sync
* writes. No point in waiting for joiners in that case.
+ *
+ * Setting max_batch_time to 0 disables this completely.
*/
pid = current->pid;
- if (handle->h_sync && journal->j_last_sync_writer != pid) {
+ if (handle->h_sync && journal->j_last_sync_writer != pid &&
+ journal->j_max_batch_time) {
u64 commit_time, trans_time;
journal->j_last_sync_writer = pid;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 070/259] Revert "ACPI / AC: Remove AC's proc directory."
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (68 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 069/259] ext4: disable synchronous transaction batching if max_batch_time==0 Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 071/259] intel_pstate: Fix setting VID Kamal Mostafa
` (188 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Lan Tianyu, Rafael J. Wysocki, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Lan Tianyu <tianyu.lan@intel.com>
commit e63f6e28dda6de3de2392ddca321e211fd860925 upstream.
Revert commit ab0fd674d6ce (ACPI / AC: Remove AC's proc directory.),
because some old tools (e.g. kpowersave from kde 3.5.10) are still
using /proc/acpi/ac_adapter.
Fixes: ab0fd674d6ce (ACPI / AC: Remove AC's proc directory.)
Reported-and-tested-by: Sorin Manolache <sorinm@gmail.com>
Signed-off-by: Lan Tianyu <tianyu.lan@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/acpi/ac.c | 130 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 128 insertions(+), 2 deletions(-)
diff --git a/drivers/acpi/ac.c b/drivers/acpi/ac.c
index cfcfd89..26e7e2f 100644
--- a/drivers/acpi/ac.c
+++ b/drivers/acpi/ac.c
@@ -30,6 +30,10 @@
#include <linux/types.h>
#include <linux/dmi.h>
#include <linux/delay.h>
+#ifdef CONFIG_ACPI_PROCFS_POWER
+#include <linux/proc_fs.h>
+#include <linux/seq_file.h>
+#endif
#include <linux/platform_device.h>
#include <linux/power_supply.h>
#include <acpi/acpi_bus.h>
@@ -52,6 +56,7 @@ MODULE_AUTHOR("Paul Diefenbaugh");
MODULE_DESCRIPTION("ACPI AC Adapter Driver");
MODULE_LICENSE("GPL");
+
static int acpi_ac_add(struct acpi_device *device);
static int acpi_ac_remove(struct acpi_device *device);
static void acpi_ac_notify(struct acpi_device *device, u32 event);
@@ -67,6 +72,13 @@ static int acpi_ac_resume(struct device *dev);
#endif
static SIMPLE_DEV_PM_OPS(acpi_ac_pm, NULL, acpi_ac_resume);
+#ifdef CONFIG_ACPI_PROCFS_POWER
+extern struct proc_dir_entry *acpi_lock_ac_dir(void);
+extern void *acpi_unlock_ac_dir(struct proc_dir_entry *acpi_ac_dir);
+static int acpi_ac_open_fs(struct inode *inode, struct file *file);
+#endif
+
+
static int ac_sleep_before_get_state_ms;
static struct acpi_driver acpi_ac_driver = {
@@ -90,6 +102,16 @@ struct acpi_ac {
#define to_acpi_ac(x) container_of(x, struct acpi_ac, charger)
+#ifdef CONFIG_ACPI_PROCFS_POWER
+static const struct file_operations acpi_ac_fops = {
+ .owner = THIS_MODULE,
+ .open = acpi_ac_open_fs,
+ .read = seq_read,
+ .llseek = seq_lseek,
+ .release = single_release,
+};
+#endif
+
/* --------------------------------------------------------------------------
AC Adapter Management
-------------------------------------------------------------------------- */
@@ -142,6 +164,83 @@ static enum power_supply_property ac_props[] = {
POWER_SUPPLY_PROP_ONLINE,
};
+#ifdef CONFIG_ACPI_PROCFS_POWER
+/* --------------------------------------------------------------------------
+ FS Interface (/proc)
+ -------------------------------------------------------------------------- */
+
+static struct proc_dir_entry *acpi_ac_dir;
+
+static int acpi_ac_seq_show(struct seq_file *seq, void *offset)
+{
+ struct acpi_ac *ac = seq->private;
+
+
+ if (!ac)
+ return 0;
+
+ if (acpi_ac_get_state(ac)) {
+ seq_puts(seq, "ERROR: Unable to read AC Adapter state\n");
+ return 0;
+ }
+
+ seq_puts(seq, "state: ");
+ switch (ac->state) {
+ case ACPI_AC_STATUS_OFFLINE:
+ seq_puts(seq, "off-line\n");
+ break;
+ case ACPI_AC_STATUS_ONLINE:
+ seq_puts(seq, "on-line\n");
+ break;
+ default:
+ seq_puts(seq, "unknown\n");
+ break;
+ }
+
+ return 0;
+}
+
+static int acpi_ac_open_fs(struct inode *inode, struct file *file)
+{
+ return single_open(file, acpi_ac_seq_show, PDE_DATA(inode));
+}
+
+static int acpi_ac_add_fs(struct acpi_ac *ac)
+{
+ struct proc_dir_entry *entry = NULL;
+
+ printk(KERN_WARNING PREFIX "Deprecated procfs I/F for AC is loaded,"
+ " please retry with CONFIG_ACPI_PROCFS_POWER cleared\n");
+ if (!acpi_device_dir(ac->device)) {
+ acpi_device_dir(ac->device) =
+ proc_mkdir(acpi_device_bid(ac->device), acpi_ac_dir);
+ if (!acpi_device_dir(ac->device))
+ return -ENODEV;
+ }
+
+ /* 'state' [R] */
+ entry = proc_create_data(ACPI_AC_FILE_STATE,
+ S_IRUGO, acpi_device_dir(ac->device),
+ &acpi_ac_fops, ac);
+ if (!entry)
+ return -ENODEV;
+ return 0;
+}
+
+static int acpi_ac_remove_fs(struct acpi_ac *ac)
+{
+
+ if (acpi_device_dir(ac->device)) {
+ remove_proc_entry(ACPI_AC_FILE_STATE,
+ acpi_device_dir(ac->device));
+ remove_proc_entry(acpi_device_bid(ac->device), acpi_ac_dir);
+ acpi_device_dir(ac->device) = NULL;
+ }
+
+ return 0;
+}
+#endif
+
/* --------------------------------------------------------------------------
Driver Model
-------------------------------------------------------------------------- */
@@ -222,6 +321,11 @@ static int acpi_ac_add(struct acpi_device *device)
goto end;
ac->charger.name = acpi_device_bid(device);
+#ifdef CONFIG_ACPI_PROCFS_POWER
+ result = acpi_ac_add_fs(ac);
+ if (result)
+ goto end;
+#endif
ac->charger.type = POWER_SUPPLY_TYPE_MAINS;
ac->charger.properties = ac_props;
ac->charger.num_properties = ARRAY_SIZE(ac_props);
@@ -235,8 +339,12 @@ static int acpi_ac_add(struct acpi_device *device)
ac->state ? "on-line" : "off-line");
end:
- if (result)
+ if (result) {
+#ifdef CONFIG_ACPI_PROCFS_POWER
+ acpi_ac_remove_fs(ac);
+#endif
kfree(ac);
+ }
dmi_check_system(ac_dmi_table);
return result;
@@ -277,6 +385,10 @@ static int acpi_ac_remove(struct acpi_device *device)
if (ac->charger.dev)
power_supply_unregister(&ac->charger);
+#ifdef CONFIG_ACPI_PROCFS_POWER
+ acpi_ac_remove_fs(ac);
+#endif
+
kfree(ac);
return 0;
@@ -289,9 +401,20 @@ static int __init acpi_ac_init(void)
if (acpi_disabled)
return -ENODEV;
+#ifdef CONFIG_ACPI_PROCFS_POWER
+ acpi_ac_dir = acpi_lock_ac_dir();
+ if (!acpi_ac_dir)
+ return -ENODEV;
+#endif
+
+
result = acpi_bus_register_driver(&acpi_ac_driver);
- if (result < 0)
+ if (result < 0) {
+#ifdef CONFIG_ACPI_PROCFS_POWER
+ acpi_unlock_ac_dir(acpi_ac_dir);
+#endif
return -ENODEV;
+ }
return 0;
}
@@ -299,6 +422,9 @@ static int __init acpi_ac_init(void)
static void __exit acpi_ac_exit(void)
{
acpi_bus_unregister_driver(&acpi_ac_driver);
+#ifdef CONFIG_ACPI_PROCFS_POWER
+ acpi_unlock_ac_dir(acpi_ac_dir);
+#endif
}
module_init(acpi_ac_init);
module_exit(acpi_ac_exit);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 071/259] intel_pstate: Fix setting VID
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (69 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 070/259] Revert "ACPI / AC: Remove AC's proc directory." Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 072/259] intel_pstate: don't touch turbo bit if turbo disabled or unavailable Kamal Mostafa
` (187 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Dirk Brandewie, Rafael J. Wysocki, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Dirk Brandewie <dirk.j.brandewie@intel.com>
commit c16ed06024a6e699c332831dd50d8276744e3de8 upstream.
Commit 21855ff5 (intel_pstate: Set turbo VID for BayTrail) introduced
setting the turbo VID which is required to prevent a machine check on
some Baytrail SKUs under heavy graphics based workloads. The
docmumentation update that brought the requirement to light also
changed the bit mask used for enumerating P state and VID values from
0x7f to 0x3f.
This change returns the mask value to 0x7f.
Tested with the Intel NUC DN2820FYK,
BIOS version FYBYT10H.86A.0034.2014.0513.1413 with v3.16-rc1 and
v3.14.8 kernel versions.
Fixes: 21855ff5 (intel_pstate: Set turbo VID for BayTrail)
Link: https://bugzilla.kernel.org/show_bug.cgi?id=77951
Reported-and-tested-by: Rune Reterson <rune@megahurts.dk>
Reported-and-tested-by: Eric Eickmeyer <erich@ericheickmeyer.com>
Signed-off-by: Dirk Brandewie <dirk.j.brandewie@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/cpufreq/intel_pstate.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
index bbfb81f..37ef477 100644
--- a/drivers/cpufreq/intel_pstate.c
+++ b/drivers/cpufreq/intel_pstate.c
@@ -361,21 +361,21 @@ static int byt_get_min_pstate(void)
{
u64 value;
rdmsrl(BYT_RATIOS, value);
- return (value >> 8) & 0x3F;
+ return (value >> 8) & 0x7F;
}
static int byt_get_max_pstate(void)
{
u64 value;
rdmsrl(BYT_RATIOS, value);
- return (value >> 16) & 0x3F;
+ return (value >> 16) & 0x7F;
}
static int byt_get_turbo_pstate(void)
{
u64 value;
rdmsrl(BYT_TURBO_RATIOS, value);
- return value & 0x3F;
+ return value & 0x7F;
}
static void byt_set_pstate(struct cpudata *cpudata, int pstate)
@@ -409,8 +409,8 @@ static void byt_get_vid(struct cpudata *cpudata)
rdmsrl(BYT_VIDS, value);
- cpudata->vid.min = int_tofp((value >> 8) & 0x3f);
- cpudata->vid.max = int_tofp((value >> 16) & 0x3f);
+ cpudata->vid.min = int_tofp((value >> 8) & 0x7f);
+ cpudata->vid.max = int_tofp((value >> 16) & 0x7f);
cpudata->vid.ratio = div_fp(
cpudata->vid.max - cpudata->vid.min,
int_tofp(cpudata->pstate.max_pstate -
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 072/259] intel_pstate: don't touch turbo bit if turbo disabled or unavailable.
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (70 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 071/259] intel_pstate: Fix setting VID Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 073/259] intel_pstate: Set CPU number before accessing MSRs Kamal Mostafa
` (186 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Dirk Brandewie, Rafael J. Wysocki, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Dirk Brandewie <dirk.j.brandewie@intel.com>
commit dd5fbf70f96dbfd7ee432096a1f979b2b3267856 upstream.
If turbo is disabled in the BIOS bit 38 should be set in
MSR_IA32_MISC_ENABLE register per section 14.3.2.1 of the SDM Vol 3
document 325384-050US Feb 2014. If this bit is set do *not* attempt
to disable trubo via the MSR_IA32_PERF_CTL register. On some systems
trying to disable turbo via MSR_IA32_PERF_CTL will cause subsequent
writes to MSR_IA32_PERF_CTL not take affect, in fact reading
MSR_IA32_PERF_CTL will not show the IDA/Turbo DISENGAGE bit(32) as
set. A write of bit 32 to zero returns to normal operation.
Also deal with the case where the processor does not support
turbo and the BIOS does not report the fact in MSR_IA32_MISC_ENABLE
but does report the max and turbo P states as the same value.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=64251
Signed-off-by: Dirk Brandewie <dirk.j.brandewie@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/cpufreq/intel_pstate.c | 22 ++++++++++++++++------
1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
index 37ef477..fbfdde1 100644
--- a/drivers/cpufreq/intel_pstate.c
+++ b/drivers/cpufreq/intel_pstate.c
@@ -132,6 +132,7 @@ static struct pstate_funcs pstate_funcs;
struct perf_limits {
int no_turbo;
+ int turbo_disabled;
int max_perf_pct;
int min_perf_pct;
int32_t max_perf;
@@ -291,7 +292,10 @@ static ssize_t store_no_turbo(struct kobject *a, struct attribute *b,
if (ret != 1)
return -EINVAL;
limits.no_turbo = clamp_t(int, input, 0 , 1);
-
+ if (limits.turbo_disabled) {
+ pr_warn("Turbo disabled by BIOS or unavailable on processor\n");
+ limits.no_turbo = limits.turbo_disabled;
+ }
return count;
}
@@ -385,7 +389,7 @@ static void byt_set_pstate(struct cpudata *cpudata, int pstate)
u32 vid;
val = pstate << 8;
- if (limits.no_turbo)
+ if (limits.no_turbo && !limits.turbo_disabled)
val |= (u64)1 << 32;
vid_fp = cpudata->vid.min + mul_fp(
@@ -452,7 +456,7 @@ static void core_set_pstate(struct cpudata *cpudata, int pstate)
u64 val;
val = pstate << 8;
- if (limits.no_turbo)
+ if (limits.no_turbo && !limits.turbo_disabled)
val |= (u64)1 << 32;
wrmsrl(MSR_IA32_PERF_CTL, val);
@@ -732,7 +736,7 @@ static int intel_pstate_set_policy(struct cpufreq_policy *policy)
limits.min_perf = int_tofp(1);
limits.max_perf_pct = 100;
limits.max_perf = int_tofp(1);
- limits.no_turbo = 0;
+ limits.no_turbo = limits.turbo_disabled;
return 0;
}
limits.min_perf_pct = (policy->min * 100) / policy->cpuinfo.max_freq;
@@ -772,6 +776,7 @@ static int intel_pstate_cpu_init(struct cpufreq_policy *policy)
{
struct cpudata *cpu;
int rc;
+ u64 misc_en;
rc = intel_pstate_init_cpu(policy->cpu);
if (rc)
@@ -779,8 +784,13 @@ static int intel_pstate_cpu_init(struct cpufreq_policy *policy)
cpu = all_cpu_data[policy->cpu];
- if (!limits.no_turbo &&
- limits.min_perf_pct == 100 && limits.max_perf_pct == 100)
+ rdmsrl(MSR_IA32_MISC_ENABLE, misc_en);
+ if (misc_en & MSR_IA32_MISC_ENABLE_TURBO_DISABLE ||
+ cpu->pstate.max_pstate == cpu->pstate.turbo_pstate) {
+ limits.turbo_disabled = 1;
+ limits.no_turbo = 1;
+ }
+ if (limits.min_perf_pct == 100 && limits.max_perf_pct == 100)
policy->policy = CPUFREQ_POLICY_PERFORMANCE;
else
policy->policy = CPUFREQ_POLICY_POWERSAVE;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 073/259] intel_pstate: Set CPU number before accessing MSRs
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (71 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 072/259] intel_pstate: don't touch turbo bit if turbo disabled or unavailable Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 074/259] USB: cp210x: add support for Corsair usb dongle Kamal Mostafa
` (185 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Vincent Minet, Rafael J. Wysocki, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Vincent Minet <vincent@vincent-minet.net>
commit 179e8471673ce0249cd4ecda796008f7757e5bad upstream.
Ensure that cpu->cpu is set before writing MSR_IA32_PERF_CTL during CPU
initialization. Otherwise only cpu0 has its P-state set and all other
cores are left with their values unchanged.
In most cases, this is not too serious because the P-states will be set
correctly when the timer function is run. But when the default governor
is set to performance, the per-CPU current_pstate stays the same forever
and no attempts are made to write the MSRs again.
Signed-off-by: Vincent Minet <vincent@vincent-minet.net>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ kamal: backport to 3.13-stable (context) ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/cpufreq/intel_pstate.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
index fbfdde1..2d26563 100644
--- a/drivers/cpufreq/intel_pstate.c
+++ b/drivers/cpufreq/intel_pstate.c
@@ -685,6 +685,7 @@ static int intel_pstate_init_cpu(unsigned int cpunum)
cpu = all_cpu_data[cpunum];
+ cpu->cpu = cpunum;
intel_pstate_get_cpu_pstates(cpu);
if (!cpu->pstate.current_pstate) {
all_cpu_data[cpunum] = NULL;
@@ -692,8 +693,6 @@ static int intel_pstate_init_cpu(unsigned int cpunum)
return -ENODATA;
}
- cpu->cpu = cpunum;
-
init_timer_deferrable(&cpu->timer);
cpu->timer.function = intel_pstate_timer_func;
cpu->timer.data =
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 074/259] USB: cp210x: add support for Corsair usb dongle
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (72 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 073/259] intel_pstate: Set CPU number before accessing MSRs Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 075/259] usb: option: Add ID for Telewell TW-LTE 4G v2 Kamal Mostafa
` (184 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Andras Kovacs, Johan Hovold, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Andras Kovacs <andras@sth.sze.hu>
commit b9326057a3d8447f5d2e74a7b521ccf21add2ec0 upstream.
Corsair USB Dongles are shipped with Corsair AXi series PSUs.
These are cp210x serial usb devices, so make driver detect these.
I have a program, that can get information from these PSUs.
Tested with 2 different dongles shipped with Corsair AX860i and
AX1200i units.
Signed-off-by: Andras Kovacs <andras@sth.sze.hu>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/usb/serial/cp210x.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
index 71873ca..1db213a 100644
--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -153,6 +153,7 @@ static const struct usb_device_id id_table[] = {
{ USB_DEVICE(0x1843, 0x0200) }, /* Vaisala USB Instrument Cable */
{ USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */
{ USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */
+ { USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */
{ USB_DEVICE(0x1BE3, 0x07A6) }, /* WAGO 750-923 USB Service Cable */
{ USB_DEVICE(0x1E29, 0x0102) }, /* Festo CPX-USB */
{ USB_DEVICE(0x1E29, 0x0501) }, /* Festo CMSP */
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 075/259] usb: option: Add ID for Telewell TW-LTE 4G v2
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (73 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 074/259] USB: cp210x: add support for Corsair usb dongle Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 076/259] ACPI / EC: Avoid race condition related to advance_transaction() Kamal Mostafa
` (183 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Bernd Wachter, Johan Hovold, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Bernd Wachter <bernd.wachter@jolla.com>
commit 3d28bd840b2d3981cd28caf5fe1df38f1344dd60 upstream.
Add ID of the Telewell 4G v2 hardware to option driver to get legacy
serial interface working
Signed-off-by: Bernd Wachter <bernd.wachter@jolla.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/usb/serial/option.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
index 7438f67..04d3eef 100644
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1487,6 +1487,8 @@ static const struct usb_device_id option_ids[] = {
.driver_info = (kernel_ulong_t)&net_intf2_blacklist },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1426, 0xff, 0xff, 0xff), /* ZTE MF91 */
.driver_info = (kernel_ulong_t)&net_intf2_blacklist },
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1428, 0xff, 0xff, 0xff), /* Telewell TW-LTE 4G v2 */
+ .driver_info = (kernel_ulong_t)&net_intf2_blacklist },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1533, 0xff, 0xff, 0xff) },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1534, 0xff, 0xff, 0xff) },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1535, 0xff, 0xff, 0xff) },
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 076/259] ACPI / EC: Avoid race condition related to advance_transaction()
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (74 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 075/259] usb: option: Add ID for Telewell TW-LTE 4G v2 Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 077/259] ACPI / EC: Add asynchronous command byte write support Kamal Mostafa
` (182 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Lv Zheng, Rafael J. Wysocki, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Lv Zheng <lv.zheng@intel.com>
commit 66b42b78bc1e816f92b662e8888c89195e4199e1 upstream.
The advance_transaction() will be invoked from the IRQ context GPE handler
and the task context ec_poll(). The handling of this function is locked so
that the EC state machine are ensured to be advanced sequentially.
But there is a problem. Before invoking advance_transaction(), EC_SC(R) is
read. Then for advance_transaction(), there could be race condition around
the lock from both contexts. The first one reading the register could fail
this race and when it passes the stale register value to the state machine
advancement code, the hardware condition is totally different from when
the register is read. And the hardware accesses determined from the wrong
hardware status can break the EC state machine. And there could be cases
that the functionalities of the platform firmware are seriously affected.
For example:
1. When 2 EC_DATA(W) writes compete the IBF=0, the 2nd EC_DATA(W) write may
be invalid due to IBF=1 after the 1st EC_DATA(W) write. Then the
hardware will either refuse to respond a next EC_SC(W) write of the next
command or discard the current WR_EC command when it receives a EC_SC(W)
write of the next command.
2. When 1 EC_SC(W) write and 1 EC_DATA(W) write compete the IBF=0, the
EC_DATA(W) write may be invalid due to IBF=1 after the EC_SC(W) write.
The next EC_DATA(R) could never be responded by the hardware. This is
the root cause of the reported issue.
Fix this issue by moving the EC_SC(R) access into the lock so that we can
ensure that the state machine is advanced consistently.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=70891
Link: https://bugzilla.kernel.org/show_bug.cgi?id=63931
Link: https://bugzilla.kernel.org/show_bug.cgi?id=59911
Reported-and-tested-by: Gareth Williams <gareth@garethwilliams.me.uk>
Reported-and-tested-by: Hans de Goede <jwrdegoede@fedoraproject.org>
Reported-by: Barton Xu <tank.xuhan@gmail.com>
Tested-by: Steffen Weber <steffen.weber@gmail.com>
Tested-by: Arthur Chen <axchen@nvidia.com>
Signed-off-by: Lv Zheng <lv.zheng@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/acpi/ec.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
index 98e9985..a2de920 100644
--- a/drivers/acpi/ec.c
+++ b/drivers/acpi/ec.c
@@ -173,12 +173,15 @@ static void start_transaction(struct acpi_ec *ec)
acpi_ec_write_cmd(ec, ec->curr->command);
}
-static void advance_transaction(struct acpi_ec *ec, u8 status)
+static void advance_transaction(struct acpi_ec *ec)
{
unsigned long flags;
struct transaction *t;
+ u8 status;
spin_lock_irqsave(&ec->lock, flags);
+ pr_debug("===== %s =====\n", in_interrupt() ? "IRQ" : "TASK");
+ status = acpi_ec_read_status(ec);
t = ec->curr;
if (!t)
goto unlock;
@@ -241,7 +244,7 @@ static int ec_poll(struct acpi_ec *ec)
msecs_to_jiffies(1)))
return 0;
}
- advance_transaction(ec, acpi_ec_read_status(ec));
+ advance_transaction(ec);
} while (time_before(jiffies, delay));
pr_debug("controller reset, restart transaction\n");
spin_lock_irqsave(&ec->lock, flags);
@@ -661,11 +664,8 @@ static u32 acpi_ec_gpe_handler(acpi_handle gpe_device,
u32 gpe_number, void *data)
{
struct acpi_ec *ec = data;
- u8 status = acpi_ec_read_status(ec);
-
- pr_debug("~~~> interrupt, status:0x%02x\n", status);
- advance_transaction(ec, status);
+ advance_transaction(ec);
if (ec_transaction_done(ec) &&
(acpi_ec_read_status(ec) & ACPI_EC_FLAG_IBF) == 0) {
wake_up(&ec->wait);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 077/259] ACPI / EC: Add asynchronous command byte write support
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (75 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 076/259] ACPI / EC: Avoid race condition related to advance_transaction() Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 078/259] ACPI / EC: Remove duplicated ec_wait_ibf0() waiter Kamal Mostafa
` (181 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Lv Zheng, Rafael J. Wysocki, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Lv Zheng <lv.zheng@intel.com>
commit f92fca0060fc4dc9227342d0072d75df98c1e5a5 upstream.
Move the first command byte write into advance_transaction() so that all
EC register accesses that can affect the command processing state machine
can happen in this asynchronous state machine advancement function.
The advance_transaction() function then can be a complete implementation
of an asyncrhonous transaction for a single command so that:
1. The first command byte can be written in the interrupt context;
2. The command completion waiter can also be used to wait the first command
byte's timeout;
3. In BURST mode, the follow-up command bytes can be written in the
interrupt context directly, so that it doesn't need to return to the
task context. Returning to the task context reduces the throughput of
the BURST mode and in the worst cases where the system workload is very
high, this leads to the hardware driven automatic BURST mode exit.
In order not to increase memory consumption, convert 'done' into 'flags'
to contain multiple indications:
1. ACPI_EC_COMMAND_COMPLETE: converting from original 'done' condition,
indicating the completion of the command transaction.
2. ACPI_EC_COMMAND_POLL: indicating the availability of writing the first
command byte. A new command can utilize this flag to compete for the
right of accessing the underlying hardware. There is a follow-up bug
fix that has utilized this new flag.
The 2 flags are important because it also reflects a key concept of IO
programs' design used in the system softwares. Normally an IO program
running in the kernel should first be implemented in the asynchronous way.
And the 2 flags are the most common way to implement its synchronous
operations on top of the asynchronous operations:
1. POLL: This flag can be used to block until the asynchronous operations
can happen.
2. COMPLETE: This flag can be used to block until the asynchronous
operations have completed.
By constructing code cleanly in this way, many difficult problems can be
solved smoothly.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=70891
Link: https://bugzilla.kernel.org/show_bug.cgi?id=63931
Link: https://bugzilla.kernel.org/show_bug.cgi?id=59911
Reported-and-tested-by: Gareth Williams <gareth@garethwilliams.me.uk>
Reported-and-tested-by: Hans de Goede <jwrdegoede@fedoraproject.org>
Reported-by: Barton Xu <tank.xuhan@gmail.com>
Tested-by: Steffen Weber <steffen.weber@gmail.com>
Tested-by: Arthur Chen <axchen@nvidia.com>
Signed-off-by: Lv Zheng <lv.zheng@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/acpi/ec.c | 83 ++++++++++++++++++++++++++++++++-----------------------
1 file changed, 48 insertions(+), 35 deletions(-)
diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
index a2de920..3455e45 100644
--- a/drivers/acpi/ec.c
+++ b/drivers/acpi/ec.c
@@ -79,6 +79,9 @@ enum {
EC_FLAGS_BLOCKED, /* Transactions are blocked */
};
+#define ACPI_EC_COMMAND_POLL 0x01 /* Available for command byte */
+#define ACPI_EC_COMMAND_COMPLETE 0x02 /* Completed last byte */
+
/* ec.c is compiled in acpi namespace so this shows up as acpi.ec_delay param */
static unsigned int ec_delay __read_mostly = ACPI_EC_DELAY;
module_param(ec_delay, uint, 0644);
@@ -114,7 +117,7 @@ struct transaction {
u8 ri;
u8 wlen;
u8 rlen;
- bool done;
+ u8 flags;
};
struct acpi_ec *boot_ec, *first_ec;
@@ -155,63 +158,68 @@ static inline void acpi_ec_write_data(struct acpi_ec *ec, u8 data)
outb(data, ec->data_addr);
}
-static int ec_transaction_done(struct acpi_ec *ec)
+static int ec_transaction_completed(struct acpi_ec *ec)
{
unsigned long flags;
int ret = 0;
spin_lock_irqsave(&ec->lock, flags);
- if (!ec->curr || ec->curr->done)
+ if (!ec->curr || (ec->curr->flags & ACPI_EC_COMMAND_COMPLETE))
ret = 1;
spin_unlock_irqrestore(&ec->lock, flags);
return ret;
}
-static void start_transaction(struct acpi_ec *ec)
-{
- ec->curr->irq_count = ec->curr->wi = ec->curr->ri = 0;
- ec->curr->done = false;
- acpi_ec_write_cmd(ec, ec->curr->command);
-}
-
static void advance_transaction(struct acpi_ec *ec)
{
- unsigned long flags;
struct transaction *t;
u8 status;
- spin_lock_irqsave(&ec->lock, flags);
pr_debug("===== %s =====\n", in_interrupt() ? "IRQ" : "TASK");
status = acpi_ec_read_status(ec);
t = ec->curr;
if (!t)
- goto unlock;
- if (t->wlen > t->wi) {
- if ((status & ACPI_EC_FLAG_IBF) == 0)
- acpi_ec_write_data(ec,
- t->wdata[t->wi++]);
- else
- goto err;
- } else if (t->rlen > t->ri) {
- if ((status & ACPI_EC_FLAG_OBF) == 1) {
- t->rdata[t->ri++] = acpi_ec_read_data(ec);
- if (t->rlen == t->ri)
- t->done = true;
+ goto err;
+ if (t->flags & ACPI_EC_COMMAND_POLL) {
+ if (t->wlen > t->wi) {
+ if ((status & ACPI_EC_FLAG_IBF) == 0)
+ acpi_ec_write_data(ec, t->wdata[t->wi++]);
+ else
+ goto err;
+ } else if (t->rlen > t->ri) {
+ if ((status & ACPI_EC_FLAG_OBF) == 1) {
+ t->rdata[t->ri++] = acpi_ec_read_data(ec);
+ if (t->rlen == t->ri)
+ t->flags |= ACPI_EC_COMMAND_COMPLETE;
+ } else
+ goto err;
+ } else if (t->wlen == t->wi &&
+ (status & ACPI_EC_FLAG_IBF) == 0)
+ t->flags |= ACPI_EC_COMMAND_COMPLETE;
+ return;
+ } else {
+ if ((status & ACPI_EC_FLAG_IBF) == 0) {
+ acpi_ec_write_cmd(ec, t->command);
+ t->flags |= ACPI_EC_COMMAND_POLL;
} else
goto err;
- } else if (t->wlen == t->wi &&
- (status & ACPI_EC_FLAG_IBF) == 0)
- t->done = true;
- goto unlock;
+ return;
+ }
err:
/*
* If SCI bit is set, then don't think it's a false IRQ
* otherwise will take a not handled IRQ as a false one.
*/
- if (in_interrupt() && !(status & ACPI_EC_FLAG_SCI))
- ++t->irq_count;
+ if (!(status & ACPI_EC_FLAG_SCI)) {
+ if (in_interrupt() && t)
+ ++t->irq_count;
+ }
+}
-unlock:
- spin_unlock_irqrestore(&ec->lock, flags);
+static void start_transaction(struct acpi_ec *ec)
+{
+ ec->curr->irq_count = ec->curr->wi = ec->curr->ri = 0;
+ ec->curr->flags = 0;
+ advance_transaction(ec);
}
static int acpi_ec_sync_query(struct acpi_ec *ec, u8 *data);
@@ -236,15 +244,17 @@ static int ec_poll(struct acpi_ec *ec)
/* don't sleep with disabled interrupts */
if (EC_FLAGS_MSI || irqs_disabled()) {
udelay(ACPI_EC_MSI_UDELAY);
- if (ec_transaction_done(ec))
+ if (ec_transaction_completed(ec))
return 0;
} else {
if (wait_event_timeout(ec->wait,
- ec_transaction_done(ec),
+ ec_transaction_completed(ec),
msecs_to_jiffies(1)))
return 0;
}
+ spin_lock_irqsave(&ec->lock, flags);
advance_transaction(ec);
+ spin_unlock_irqrestore(&ec->lock, flags);
} while (time_before(jiffies, delay));
pr_debug("controller reset, restart transaction\n");
spin_lock_irqsave(&ec->lock, flags);
@@ -663,10 +673,13 @@ static int ec_check_sci(struct acpi_ec *ec, u8 state)
static u32 acpi_ec_gpe_handler(acpi_handle gpe_device,
u32 gpe_number, void *data)
{
+ unsigned long flags;
struct acpi_ec *ec = data;
+ spin_lock_irqsave(&ec->lock, flags);
advance_transaction(ec);
- if (ec_transaction_done(ec) &&
+ spin_unlock_irqrestore(&ec->lock, flags);
+ if (ec_transaction_completed(ec) &&
(acpi_ec_read_status(ec) & ACPI_EC_FLAG_IBF) == 0) {
wake_up(&ec->wait);
ec_check_sci(ec, acpi_ec_read_status(ec));
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 078/259] ACPI / EC: Remove duplicated ec_wait_ibf0() waiter
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (76 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 077/259] ACPI / EC: Add asynchronous command byte write support Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 079/259] ACPI / EC: Fix race condition in ec_transaction_completed() Kamal Mostafa
` (180 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Lv Zheng, Rafael J. Wysocki, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Lv Zheng <lv.zheng@intel.com>
commit 9b80f0f73ae1583c22325ede341c74195847618c upstream.
After we've added the first command byte write into advance_transaction(),
the IBF=0 waiter is duplicated with the command completion waiter
implemented in the ec_poll() because:
If IBF=1 blocked the first command byte write invoked in the task
context ec_poll(), it would be kicked off upon IBF=0 interrupt or timed
out and retried again in the task context.
Remove this seperate and duplicate IBF=0 waiter. By doing so we can
reduce the overall number of times to access the EC_SC(R) status
register.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=70891
Link: https://bugzilla.kernel.org/show_bug.cgi?id=63931
Link: https://bugzilla.kernel.org/show_bug.cgi?id=59911
Reported-and-tested-by: Gareth Williams <gareth@garethwilliams.me.uk>
Reported-and-tested-by: Hans de Goede <jwrdegoede@fedoraproject.org>
Reported-by: Barton Xu <tank.xuhan@gmail.com>
Tested-by: Steffen Weber <steffen.weber@gmail.com>
Tested-by: Arthur Chen <axchen@nvidia.com>
Signed-off-by: Lv Zheng <lv.zheng@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/acpi/ec.c | 27 +--------------------------
1 file changed, 1 insertion(+), 26 deletions(-)
diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
index 3455e45..fe88e42 100644
--- a/drivers/acpi/ec.c
+++ b/drivers/acpi/ec.c
@@ -286,23 +286,6 @@ static int acpi_ec_transaction_unlocked(struct acpi_ec *ec,
return ret;
}
-static int ec_check_ibf0(struct acpi_ec *ec)
-{
- u8 status = acpi_ec_read_status(ec);
- return (status & ACPI_EC_FLAG_IBF) == 0;
-}
-
-static int ec_wait_ibf0(struct acpi_ec *ec)
-{
- unsigned long delay = jiffies + msecs_to_jiffies(ec_delay);
- /* interrupt wait manually if GPE mode is not active */
- while (time_before(jiffies, delay))
- if (wait_event_timeout(ec->wait, ec_check_ibf0(ec),
- msecs_to_jiffies(1)))
- return 0;
- return -ETIME;
-}
-
static int acpi_ec_transaction(struct acpi_ec *ec, struct transaction *t)
{
int status;
@@ -323,12 +306,6 @@ static int acpi_ec_transaction(struct acpi_ec *ec, struct transaction *t)
goto unlock;
}
}
- if (ec_wait_ibf0(ec)) {
- pr_err("input buffer is not empty, "
- "aborting transaction\n");
- status = -ETIME;
- goto end;
- }
pr_debug("transaction start (cmd=0x%02x, addr=0x%02x)\n",
t->command, t->wdata ? t->wdata[0] : 0);
/* disable GPE during transaction if storm is detected */
@@ -352,7 +329,6 @@ static int acpi_ec_transaction(struct acpi_ec *ec, struct transaction *t)
set_bit(EC_FLAGS_GPE_STORM, &ec->flags);
}
pr_debug("transaction end\n");
-end:
if (ec->global_lock)
acpi_release_global_lock(glk);
unlock:
@@ -679,8 +655,7 @@ static u32 acpi_ec_gpe_handler(acpi_handle gpe_device,
spin_lock_irqsave(&ec->lock, flags);
advance_transaction(ec);
spin_unlock_irqrestore(&ec->lock, flags);
- if (ec_transaction_completed(ec) &&
- (acpi_ec_read_status(ec) & ACPI_EC_FLAG_IBF) == 0) {
+ if (ec_transaction_completed(ec)) {
wake_up(&ec->wait);
ec_check_sci(ec, acpi_ec_read_status(ec));
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 079/259] ACPI / EC: Fix race condition in ec_transaction_completed()
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (77 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 078/259] ACPI / EC: Remove duplicated ec_wait_ibf0() waiter Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 080/259] ACPI / battery: Retry to get battery information if failed during probing Kamal Mostafa
` (179 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Lv Zheng, Rafael J. Wysocki, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Lv Zheng <lv.zheng@intel.com>
commit c0d653412fc8450370167a3268b78fc772ff9c87 upstream.
There is a race condition in ec_transaction_completed().
When ec_transaction_completed() is called in the GPE handler, it could
return true because of (ec->curr == NULL). Then the wake_up() invocation
could complete the next command unexpectedly since there is no lock between
the 2 invocations. With the previous cleanup, the IBF=0 waiter race need
not be handled any more. It's now safe to return a flag from
advance_condition() to indicate the requirement of wakeup, the flag is
returned from a locked context.
The ec_transaction_completed() is now only invoked by the ec_poll() where
the ec->curr is ensured to be different from NULL.
After cleaning up, the EVT_SCI=1 check should be moved out of the wakeup
condition so that an EVT_SCI raised with (ec->curr == NULL) can trigger a
QR_SC command.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=70891
Link: https://bugzilla.kernel.org/show_bug.cgi?id=63931
Link: https://bugzilla.kernel.org/show_bug.cgi?id=59911
Reported-and-tested-by: Gareth Williams <gareth@garethwilliams.me.uk>
Reported-and-tested-by: Hans de Goede <jwrdegoede@fedoraproject.org>
Reported-by: Barton Xu <tank.xuhan@gmail.com>
Tested-by: Steffen Weber <steffen.weber@gmail.com>
Tested-by: Arthur Chen <axchen@nvidia.com>
Signed-off-by: Lv Zheng <lv.zheng@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/acpi/ec.c | 30 +++++++++++++++++-------------
1 file changed, 17 insertions(+), 13 deletions(-)
diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
index fe88e42..3b20294 100644
--- a/drivers/acpi/ec.c
+++ b/drivers/acpi/ec.c
@@ -163,16 +163,17 @@ static int ec_transaction_completed(struct acpi_ec *ec)
unsigned long flags;
int ret = 0;
spin_lock_irqsave(&ec->lock, flags);
- if (!ec->curr || (ec->curr->flags & ACPI_EC_COMMAND_COMPLETE))
+ if (ec->curr && (ec->curr->flags & ACPI_EC_COMMAND_COMPLETE))
ret = 1;
spin_unlock_irqrestore(&ec->lock, flags);
return ret;
}
-static void advance_transaction(struct acpi_ec *ec)
+static bool advance_transaction(struct acpi_ec *ec)
{
struct transaction *t;
u8 status;
+ bool wakeup = false;
pr_debug("===== %s =====\n", in_interrupt() ? "IRQ" : "TASK");
status = acpi_ec_read_status(ec);
@@ -188,21 +189,25 @@ static void advance_transaction(struct acpi_ec *ec)
} else if (t->rlen > t->ri) {
if ((status & ACPI_EC_FLAG_OBF) == 1) {
t->rdata[t->ri++] = acpi_ec_read_data(ec);
- if (t->rlen == t->ri)
+ if (t->rlen == t->ri) {
t->flags |= ACPI_EC_COMMAND_COMPLETE;
+ wakeup = true;
+ }
} else
goto err;
} else if (t->wlen == t->wi &&
- (status & ACPI_EC_FLAG_IBF) == 0)
+ (status & ACPI_EC_FLAG_IBF) == 0) {
t->flags |= ACPI_EC_COMMAND_COMPLETE;
- return;
+ wakeup = true;
+ }
+ return wakeup;
} else {
if ((status & ACPI_EC_FLAG_IBF) == 0) {
acpi_ec_write_cmd(ec, t->command);
t->flags |= ACPI_EC_COMMAND_POLL;
} else
goto err;
- return;
+ return wakeup;
}
err:
/*
@@ -213,13 +218,14 @@ err:
if (in_interrupt() && t)
++t->irq_count;
}
+ return wakeup;
}
static void start_transaction(struct acpi_ec *ec)
{
ec->curr->irq_count = ec->curr->wi = ec->curr->ri = 0;
ec->curr->flags = 0;
- advance_transaction(ec);
+ (void)advance_transaction(ec);
}
static int acpi_ec_sync_query(struct acpi_ec *ec, u8 *data);
@@ -253,7 +259,7 @@ static int ec_poll(struct acpi_ec *ec)
return 0;
}
spin_lock_irqsave(&ec->lock, flags);
- advance_transaction(ec);
+ (void)advance_transaction(ec);
spin_unlock_irqrestore(&ec->lock, flags);
} while (time_before(jiffies, delay));
pr_debug("controller reset, restart transaction\n");
@@ -653,12 +659,10 @@ static u32 acpi_ec_gpe_handler(acpi_handle gpe_device,
struct acpi_ec *ec = data;
spin_lock_irqsave(&ec->lock, flags);
- advance_transaction(ec);
- spin_unlock_irqrestore(&ec->lock, flags);
- if (ec_transaction_completed(ec)) {
+ if (advance_transaction(ec))
wake_up(&ec->wait);
- ec_check_sci(ec, acpi_ec_read_status(ec));
- }
+ spin_unlock_irqrestore(&ec->lock, flags);
+ ec_check_sci(ec, acpi_ec_read_status(ec));
return ACPI_INTERRUPT_HANDLED | ACPI_REENABLE_GPE;
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 080/259] ACPI / battery: Retry to get battery information if failed during probing
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (78 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 079/259] ACPI / EC: Fix race condition in ec_transaction_completed() Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 081/259] hwmon: (adm1031) Fix writes to limit registers Kamal Mostafa
` (178 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Lan Tianyu, Rafael J. Wysocki, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Lan Tianyu <tianyu.lan@intel.com>
commit 75646e758a0ecbed5024454507d5be5b9ea9dcbf upstream.
Some machines (eg. Lenovo Z480) ECs are not stable during boot up
and causes battery driver fails to be loaded due to failure of getting
battery information from EC sometimes. After several retries, the
operation will work. This patch is to retry to get battery information 5
times if the first try fails.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=75581
Reported-and-tested-by: naszar <naszar@ya.ru>
Signed-off-by: Lan Tianyu <tianyu.lan@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ kamal: backport to 3.13-stable: acpi_battery_update takes 1 arg ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/acpi/battery.c | 27 ++++++++++++++++++++++++++-
1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c
index 17dc8a9..2928e95 100644
--- a/drivers/acpi/battery.c
+++ b/drivers/acpi/battery.c
@@ -34,6 +34,7 @@
#include <linux/dmi.h>
#include <linux/slab.h>
#include <linux/suspend.h>
+#include <linux/delay.h>
#include <asm/unaligned.h>
#ifdef CONFIG_ACPI_PROCFS_POWER
@@ -1071,6 +1072,28 @@ static struct dmi_system_id bat_dmi_table[] = {
{},
};
+/*
+ * Some machines'(E,G Lenovo Z480) ECs are not stable
+ * during boot up and this causes battery driver fails to be
+ * probed due to failure of getting battery information
+ * from EC sometimes. After several retries, the operation
+ * may work. So add retry code here and 20ms sleep between
+ * every retries.
+ */
+static int acpi_battery_update_retry(struct acpi_battery *battery)
+{
+ int retry, ret;
+
+ for (retry = 5; retry; retry--) {
+ ret = acpi_battery_update(battery);
+ if (!ret)
+ break;
+
+ msleep(20);
+ }
+ return ret;
+}
+
static int acpi_battery_add(struct acpi_device *device)
{
int result = 0;
@@ -1089,9 +1112,11 @@ static int acpi_battery_add(struct acpi_device *device)
mutex_init(&battery->sysfs_lock);
if (acpi_has_method(battery->device->handle, "_BIX"))
set_bit(ACPI_BATTERY_XINFO_PRESENT, &battery->flags);
- result = acpi_battery_update(battery);
+
+ result = acpi_battery_update_retry(battery);
if (result)
goto fail;
+
#ifdef CONFIG_ACPI_PROCFS_POWER
result = acpi_battery_add_fs(device);
#endif
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 081/259] hwmon: (adm1031) Fix writes to limit registers
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (79 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 080/259] ACPI / battery: Retry to get battery information if failed during probing Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 082/259] workqueue: zero cpumask of wq_numa_possible_cpumask on init Kamal Mostafa
` (177 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Axel Lin, Guenter Roeck, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
commit 145e74a4e5022225adb84f4e5d4fff7938475c35 upstream.
Upper limit for write operations to temperature limit registers
was clamped to a fractional value. However, limit registers do
not support fractional values. As a result, upper limits of 127.5
degrees C or higher resulted in a rounded limit of 128 degrees C.
Since limit registers are signed, this was stored as -128 degrees C.
Clamp limits to (-55, +127) degrees C to solve the problem.
Value on writes to auto_temp[12]_min and auto_temp[12]_max were not
clamped at all, but masked. As a result, out-of-range writes resulted
in a more or less arbitrary limit. Clamp those attributes to (0, 127)
degrees C for more predictable results.
Cc: Axel Lin <axel.lin@ingics.com>
Reviewed-by: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/hwmon/adm1031.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/hwmon/adm1031.c b/drivers/hwmon/adm1031.c
index 253ea39..bdceca0 100644
--- a/drivers/hwmon/adm1031.c
+++ b/drivers/hwmon/adm1031.c
@@ -365,6 +365,7 @@ set_auto_temp_min(struct device *dev, struct device_attribute *attr,
if (ret)
return ret;
+ val = clamp_val(val, 0, 127000);
mutex_lock(&data->update_lock);
data->auto_temp[nr] = AUTO_TEMP_MIN_TO_REG(val, data->auto_temp[nr]);
adm1031_write_value(client, ADM1031_REG_AUTO_TEMP(nr),
@@ -394,6 +395,7 @@ set_auto_temp_max(struct device *dev, struct device_attribute *attr,
if (ret)
return ret;
+ val = clamp_val(val, 0, 127000);
mutex_lock(&data->update_lock);
data->temp_max[nr] = AUTO_TEMP_MAX_TO_REG(val, data->auto_temp[nr],
data->pwm[nr]);
@@ -696,7 +698,7 @@ static ssize_t set_temp_min(struct device *dev, struct device_attribute *attr,
if (ret)
return ret;
- val = clamp_val(val, -55000, nr == 0 ? 127750 : 127875);
+ val = clamp_val(val, -55000, 127000);
mutex_lock(&data->update_lock);
data->temp_min[nr] = TEMP_TO_REG(val);
adm1031_write_value(client, ADM1031_REG_TEMP_MIN(nr),
@@ -717,7 +719,7 @@ static ssize_t set_temp_max(struct device *dev, struct device_attribute *attr,
if (ret)
return ret;
- val = clamp_val(val, -55000, nr == 0 ? 127750 : 127875);
+ val = clamp_val(val, -55000, 127000);
mutex_lock(&data->update_lock);
data->temp_max[nr] = TEMP_TO_REG(val);
adm1031_write_value(client, ADM1031_REG_TEMP_MAX(nr),
@@ -738,7 +740,7 @@ static ssize_t set_temp_crit(struct device *dev, struct device_attribute *attr,
if (ret)
return ret;
- val = clamp_val(val, -55000, nr == 0 ? 127750 : 127875);
+ val = clamp_val(val, -55000, 127000);
mutex_lock(&data->update_lock);
data->temp_crit[nr] = TEMP_TO_REG(val);
adm1031_write_value(client, ADM1031_REG_TEMP_CRIT(nr),
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 082/259] workqueue: zero cpumask of wq_numa_possible_cpumask on init
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (80 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 081/259] hwmon: (adm1031) Fix writes to limit registers Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 083/259] hwmon: (emc2103) Clamp limits instead of bailing out Kamal Mostafa
` (176 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Yasuaki Ishimatsu, Tejun Heo, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
commit 5a6024f1604eef119cf3a6fa413fe0261a81a8f3 upstream.
When hot-adding and onlining CPU, kernel panic occurs, showing following
call trace.
BUG: unable to handle kernel paging request at 0000000000001d08
IP: [<ffffffff8114acfd>] __alloc_pages_nodemask+0x9d/0xb10
PGD 0
Oops: 0000 [#1] SMP
...
Call Trace:
[<ffffffff812b8745>] ? cpumask_next_and+0x35/0x50
[<ffffffff810a3283>] ? find_busiest_group+0x113/0x8f0
[<ffffffff81193bc9>] ? deactivate_slab+0x349/0x3c0
[<ffffffff811926f1>] new_slab+0x91/0x300
[<ffffffff815de95a>] __slab_alloc+0x2bb/0x482
[<ffffffff8105bc1c>] ? copy_process.part.25+0xfc/0x14c0
[<ffffffff810a3c78>] ? load_balance+0x218/0x890
[<ffffffff8101a679>] ? sched_clock+0x9/0x10
[<ffffffff81105ba9>] ? trace_clock_local+0x9/0x10
[<ffffffff81193d1c>] kmem_cache_alloc_node+0x8c/0x200
[<ffffffff8105bc1c>] copy_process.part.25+0xfc/0x14c0
[<ffffffff81114d0d>] ? trace_buffer_unlock_commit+0x4d/0x60
[<ffffffff81085a80>] ? kthread_create_on_node+0x140/0x140
[<ffffffff8105d0ec>] do_fork+0xbc/0x360
[<ffffffff8105d3b6>] kernel_thread+0x26/0x30
[<ffffffff81086652>] kthreadd+0x2c2/0x300
[<ffffffff81086390>] ? kthread_create_on_cpu+0x60/0x60
[<ffffffff815f20ec>] ret_from_fork+0x7c/0xb0
[<ffffffff81086390>] ? kthread_create_on_cpu+0x60/0x60
In my investigation, I found the root cause is wq_numa_possible_cpumask.
All entries of wq_numa_possible_cpumask is allocated by
alloc_cpumask_var_node(). And these entries are used without initializing.
So these entries have wrong value.
When hot-adding and onlining CPU, wq_update_unbound_numa() is called.
wq_update_unbound_numa() calls alloc_unbound_pwq(). And alloc_unbound_pwq()
calls get_unbound_pool(). In get_unbound_pool(), worker_pool->node is set
as follow:
3592 /* if cpumask is contained inside a NUMA node, we belong to that node */
3593 if (wq_numa_enabled) {
3594 for_each_node(node) {
3595 if (cpumask_subset(pool->attrs->cpumask,
3596 wq_numa_possible_cpumask[node])) {
3597 pool->node = node;
3598 break;
3599 }
3600 }
3601 }
But wq_numa_possible_cpumask[node] does not have correct cpumask. So, wrong
node is selected. As a result, kernel panic occurs.
By this patch, all entries of wq_numa_possible_cpumask are allocated by
zalloc_cpumask_var_node to initialize them. And the panic disappeared.
Signed-off-by: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
Reviewed-by: Lai Jiangshan <laijs@cn.fujitsu.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Fixes: bce903809ab3 ("workqueue: add wq_numa_tbl_len and wq_numa_possible_cpumask[]")
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
kernel/workqueue.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/workqueue.c b/kernel/workqueue.c
index 61212c9..92cac4b 100644
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -5025,7 +5025,7 @@ static void __init wq_numa_init(void)
BUG_ON(!tbl);
for_each_node(node)
- BUG_ON(!alloc_cpumask_var_node(&tbl[node], GFP_KERNEL,
+ BUG_ON(!zalloc_cpumask_var_node(&tbl[node], GFP_KERNEL,
node_online(node) ? node : NUMA_NO_NODE));
for_each_possible_cpu(cpu) {
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 083/259] hwmon: (emc2103) Clamp limits instead of bailing out
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (81 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 082/259] workqueue: zero cpumask of wq_numa_possible_cpumask on init Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 084/259] arm64: implement TASK_SIZE_OF Kamal Mostafa
` (175 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Guenter Roeck, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
commit f6c2dd20108c35e30e2c1f3c6142d189451a626b upstream.
It is customary to clamp limits instead of bailing out with an error
if a configured limit is out of the range supported by the driver.
This simplifies limit configuration, since the user will not typically
know chip and/or driver specific limits.
Reviewed-by: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/hwmon/emc2103.c | 15 +++++----------
1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/drivers/hwmon/emc2103.c b/drivers/hwmon/emc2103.c
index 2c137b2..5790246 100644
--- a/drivers/hwmon/emc2103.c
+++ b/drivers/hwmon/emc2103.c
@@ -250,9 +250,7 @@ static ssize_t set_temp_min(struct device *dev, struct device_attribute *da,
if (result < 0)
return result;
- val = DIV_ROUND_CLOSEST(val, 1000);
- if ((val < -63) || (val > 127))
- return -EINVAL;
+ val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), -63, 127);
mutex_lock(&data->update_lock);
data->temp_min[nr] = val;
@@ -274,9 +272,7 @@ static ssize_t set_temp_max(struct device *dev, struct device_attribute *da,
if (result < 0)
return result;
- val = DIV_ROUND_CLOSEST(val, 1000);
- if ((val < -63) || (val > 127))
- return -EINVAL;
+ val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), -63, 127);
mutex_lock(&data->update_lock);
data->temp_max[nr] = val;
@@ -390,15 +386,14 @@ static ssize_t set_fan_target(struct device *dev, struct device_attribute *da,
{
struct emc2103_data *data = emc2103_update_device(dev);
struct i2c_client *client = to_i2c_client(dev);
- long rpm_target;
+ unsigned long rpm_target;
- int result = kstrtol(buf, 10, &rpm_target);
+ int result = kstrtoul(buf, 10, &rpm_target);
if (result < 0)
return result;
/* Datasheet states 16384 as maximum RPM target (table 3.2) */
- if ((rpm_target < 0) || (rpm_target > 16384))
- return -EINVAL;
+ rpm_target = clamp_val(rpm_target, 0, 16384);
mutex_lock(&data->update_lock);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 084/259] arm64: implement TASK_SIZE_OF
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (82 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 083/259] hwmon: (emc2103) Clamp limits instead of bailing out Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 085/259] iio: ti_am335x_adc: Fix: Use same step id at FIFOs both ends Kamal Mostafa
` (174 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Colin Cross, Catalin Marinas, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Colin Cross <ccross@android.com>
commit fa2ec3ea10bd377f9d55772b1dab65178425a1a2 upstream.
include/linux/sched.h implements TASK_SIZE_OF as TASK_SIZE if it
is not set by the architecture headers. TASK_SIZE uses the
current task to determine the size of the virtual address space.
On a 64-bit kernel this will cause reading /proc/pid/pagemap of a
64-bit process from a 32-bit process to return EOF when it reads
past 0xffffffff.
Implement TASK_SIZE_OF exactly the same as TASK_SIZE with
test_tsk_thread_flag instead of test_thread_flag.
Signed-off-by: Colin Cross <ccross@android.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/arm64/include/asm/memory.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm64/include/asm/memory.h b/arch/arm64/include/asm/memory.h
index 3776217..acc3efa 100644
--- a/arch/arm64/include/asm/memory.h
+++ b/arch/arm64/include/asm/memory.h
@@ -56,6 +56,8 @@
#define TASK_SIZE_32 UL(0x100000000)
#define TASK_SIZE (test_thread_flag(TIF_32BIT) ? \
TASK_SIZE_32 : TASK_SIZE_64)
+#define TASK_SIZE_OF(tsk) (test_tsk_thread_flag(tsk, TIF_32BIT) ? \
+ TASK_SIZE_32 : TASK_SIZE_64)
#else
#define TASK_SIZE TASK_SIZE_64
#endif /* CONFIG_COMPAT */
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 085/259] iio: ti_am335x_adc: Fix: Use same step id at FIFOs both ends
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (83 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 084/259] arm64: implement TASK_SIZE_OF Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 086/259] cpufreq: Makefile: fix compilation for davinci platform Kamal Mostafa
` (173 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Jan Kardell, Jonathan Cameron, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kardell <jan.kardell@telliq.com>
commit baa3c65298c089a9014b4e523a14ec2885cca1bc upstream.
Since AI lines could be selected at will (linux-3.11) the sending
and receiving ends of the FIFO does not agree about what step is used
for a line. It only works if the last lines are used, like 5,6,7,
and fails if ie 2,4,6 is selected in DT.
Signed-off-by: Jan Kardell <jan.kardell@telliq.com>
Tested-by: Zubair Lutfullah <zubair.lutfullah@gmail.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/iio/adc/ti_am335x_adc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iio/adc/ti_am335x_adc.c b/drivers/iio/adc/ti_am335x_adc.c
index d4d7482..6721a43 100644
--- a/drivers/iio/adc/ti_am335x_adc.c
+++ b/drivers/iio/adc/ti_am335x_adc.c
@@ -342,7 +342,7 @@ static int tiadc_read_raw(struct iio_dev *indio_dev,
if (time_after(jiffies, timeout))
return -EAGAIN;
}
- map_val = chan->channel + TOTAL_CHANNELS;
+ map_val = adc_dev->channel_step[chan->scan_index];
/*
* When the sub-system is first enabled,
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 086/259] cpufreq: Makefile: fix compilation for davinci platform
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (84 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 085/259] iio: ti_am335x_adc: Fix: Use same step id at FIFOs both ends Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 087/259] drm/i915: Don't clobber the GTT when it's within stolen memory Kamal Mostafa
` (172 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Lad, Prabhakar, Rafael J. Wysocki, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Prabhakar Lad <prabhakar.csengg@gmail.com>
commit 5a90af67c2126fe1d04ebccc1f8177e6ca70d3a9 upstream.
Since commtit 8a7b1227e303 (cpufreq: davinci: move cpufreq driver to
drivers/cpufreq) this added dependancy only for CONFIG_ARCH_DAVINCI_DA850
where as davinci_cpufreq_init() call is used by all davinci platform.
This patch fixes following build error:
arch/arm/mach-davinci/built-in.o: In function `davinci_init_late':
:(.init.text+0x928): undefined reference to `davinci_cpufreq_init'
make: *** [vmlinux] Error 1
Fixes: 8a7b1227e303 (cpufreq: davinci: move cpufreq driver to drivers/cpufreq)
Signed-off-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/cpufreq/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/cpufreq/Makefile b/drivers/cpufreq/Makefile
index 7494565..dac58f6 100644
--- a/drivers/cpufreq/Makefile
+++ b/drivers/cpufreq/Makefile
@@ -47,7 +47,7 @@ obj-$(CONFIG_ARM_BIG_LITTLE_CPUFREQ) += arm_big_little.o
# LITTLE drivers, so that it is probed last.
obj-$(CONFIG_ARM_DT_BL_CPUFREQ) += arm_big_little_dt.o
-obj-$(CONFIG_ARCH_DAVINCI_DA850) += davinci-cpufreq.o
+obj-$(CONFIG_ARCH_DAVINCI) += davinci-cpufreq.o
obj-$(CONFIG_UX500_SOC_DB8500) += dbx500-cpufreq.o
obj-$(CONFIG_ARM_EXYNOS_CPUFREQ) += exynos-cpufreq.o
obj-$(CONFIG_ARM_EXYNOS4210_CPUFREQ) += exynos4210-cpufreq.o
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 087/259] drm/i915: Don't clobber the GTT when it's within stolen memory
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (85 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 086/259] cpufreq: Makefile: fix compilation for davinci platform Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 088/259] Drivers: hv: vmbus: Fix a bug in the channel callback dispatch code Kamal Mostafa
` (171 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Ville Syrjälä, Daniel Vetter, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
commit f1e1c2129b79cfdaf07bca37c5a10569fe021abe upstream.
On most gen2-4 platforms the GTT can be (or maybe always is?)
inside the stolen memory region. If that's the case, reduce the
size of the stolen memory appropriately to make make sure we
don't clobber the GTT.
v2: Deal with gen4 36 bit physical address
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=80151
Acked-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/gpu/drm/i915/i915_gem_stolen.c | 44 ++++++++++++++++++++++++++++++++++
drivers/gpu/drm/i915/i915_reg.h | 3 +++
2 files changed, 47 insertions(+)
diff --git a/drivers/gpu/drm/i915/i915_gem_stolen.c b/drivers/gpu/drm/i915/i915_gem_stolen.c
index 4a699d2..6471872 100644
--- a/drivers/gpu/drm/i915/i915_gem_stolen.c
+++ b/drivers/gpu/drm/i915/i915_gem_stolen.c
@@ -74,6 +74,50 @@ static unsigned long i915_stolen_to_physical(struct drm_device *dev)
if (base == 0)
return 0;
+ /* make sure we don't clobber the GTT if it's within stolen memory */
+ if (INTEL_INFO(dev)->gen <= 4 && !IS_G33(dev) && !IS_G4X(dev)) {
+ struct {
+ u32 start, end;
+ } stolen[2] = {
+ { .start = base, .end = base + dev_priv->gtt.stolen_size, },
+ { .start = base, .end = base + dev_priv->gtt.stolen_size, },
+ };
+ u64 gtt_start, gtt_end;
+
+ gtt_start = I915_READ(PGTBL_CTL);
+ if (IS_GEN4(dev))
+ gtt_start = (gtt_start & PGTBL_ADDRESS_LO_MASK) |
+ (gtt_start & PGTBL_ADDRESS_HI_MASK) << 28;
+ else
+ gtt_start &= PGTBL_ADDRESS_LO_MASK;
+ gtt_end = gtt_start + gtt_total_entries(dev_priv->gtt) * 4;
+
+ if (gtt_start >= stolen[0].start && gtt_start < stolen[0].end)
+ stolen[0].end = gtt_start;
+ if (gtt_end > stolen[1].start && gtt_end <= stolen[1].end)
+ stolen[1].start = gtt_end;
+
+ /* pick the larger of the two chunks */
+ if (stolen[0].end - stolen[0].start >
+ stolen[1].end - stolen[1].start) {
+ base = stolen[0].start;
+ dev_priv->gtt.stolen_size = stolen[0].end - stolen[0].start;
+ } else {
+ base = stolen[1].start;
+ dev_priv->gtt.stolen_size = stolen[1].end - stolen[1].start;
+ }
+
+ if (stolen[0].start != stolen[1].start ||
+ stolen[0].end != stolen[1].end) {
+ DRM_DEBUG_KMS("GTT within stolen memory at 0x%llx-0x%llx\n",
+ (unsigned long long) gtt_start,
+ (unsigned long long) gtt_end - 1);
+ DRM_DEBUG_KMS("Stolen memory adjusted to 0x%x-0x%x\n",
+ base, base + (u32) dev_priv->gtt.stolen_size - 1);
+ }
+ }
+
+
/* Verify that nothing else uses this physical address. Stolen
* memory should be reserved by the BIOS and hidden from the
* kernel. So if the region is already marked as busy, something
diff --git a/drivers/gpu/drm/i915/i915_reg.h b/drivers/gpu/drm/i915/i915_reg.h
index 9a1a96a..7047e35 100644
--- a/drivers/gpu/drm/i915/i915_reg.h
+++ b/drivers/gpu/drm/i915/i915_reg.h
@@ -628,6 +628,9 @@
/*
* Instruction and interrupt control regs
*/
+#define PGTBL_CTL 0x02020
+#define PGTBL_ADDRESS_LO_MASK 0xfffff000 /* bits [31:12] */
+#define PGTBL_ADDRESS_HI_MASK 0x000000f0 /* bits [35:32] (gen4) */
#define PGTBL_ER 0x02024
#define RENDER_RING_BASE 0x02000
#define BSD_RING_BASE 0x04000
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 088/259] Drivers: hv: vmbus: Fix a bug in the channel callback dispatch code
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (86 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 087/259] drm/i915: Don't clobber the GTT when it's within stolen memory Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 089/259] USB: ftdi_sio: Add extra PID Kamal Mostafa
` (170 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: K. Y. Srinivasan, Greg Kroah-Hartman, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: "K. Y. Srinivasan" <kys@microsoft.com>
commit affb1aff300ddee54df307812b38f166e8a865ef upstream.
Starting with Win8, we have implemented several optimizations to improve the
scalability and performance of the VMBUS transport between the Host and the
Guest. Some of the non-performance critical services cannot leverage these
optimization since they only read and process one message at a time.
Make adjustments to the callback dispatch code to account for the way
non-performance critical drivers handle reading of the channel.
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/hv/connection.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/hv/connection.c b/drivers/hv/connection.c
index 05827ec..ce5a9f2 100644
--- a/drivers/hv/connection.c
+++ b/drivers/hv/connection.c
@@ -319,9 +319,13 @@ static void process_chn_event(u32 relid)
*/
do {
- hv_begin_read(&channel->inbound);
+ if (read_state)
+ hv_begin_read(&channel->inbound);
channel->onchannel_callback(arg);
- bytes_to_read = hv_end_read(&channel->inbound);
+ if (read_state)
+ bytes_to_read = hv_end_read(&channel->inbound);
+ else
+ bytes_to_read = 0;
} while (read_state && (bytes_to_read != 0));
} else {
pr_err("no channel callback for relid - %u\n", relid);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 089/259] USB: ftdi_sio: Add extra PID.
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (87 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 088/259] Drivers: hv: vmbus: Fix a bug in the channel callback dispatch code Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 090/259] crypto: caam - fix memleak in caam_jr module Kamal Mostafa
` (169 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Bert Vermeulen, Johan Hovold, Greg Kroah-Hartman, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Bert Vermeulen <bert@biot.com>
commit 5a7fbe7e9ea0b1b9d7ffdba64db1faa3a259164c upstream.
This patch adds PID 0x0003 to the VID 0x128d (Testo). At least the
Testo 435-4 uses this, likely other gear as well.
Signed-off-by: Bert Vermeulen <bert@biot.com>
Cc: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/usb/serial/ftdi_sio.c | 3 ++-
drivers/usb/serial/ftdi_sio_ids.h | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
index 244c00f..2a077ea 100644
--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -721,7 +721,8 @@ static struct usb_device_id id_table_combined [] = {
{ USB_DEVICE(FTDI_VID, FTDI_ACG_HFDUAL_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_YEI_SERVOCENTER31_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_THORLABS_PID) },
- { USB_DEVICE(TESTO_VID, TESTO_USB_INTERFACE_PID) },
+ { USB_DEVICE(TESTO_VID, TESTO_1_PID) },
+ { USB_DEVICE(TESTO_VID, TESTO_3_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_GAMMA_SCOUT_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_TACTRIX_OPENPORT_13M_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_TACTRIX_OPENPORT_13S_PID) },
diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
index 500474c..106cc16 100644
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -798,7 +798,8 @@
* Submitted by Colin Leroy
*/
#define TESTO_VID 0x128D
-#define TESTO_USB_INTERFACE_PID 0x0001
+#define TESTO_1_PID 0x0001
+#define TESTO_3_PID 0x0003
/*
* Mobility Electronics products.
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 090/259] crypto: caam - fix memleak in caam_jr module
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (88 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 089/259] USB: ftdi_sio: Add extra PID Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 091/259] dm: allocate a special workqueue for deferred device removal Kamal Mostafa
` (168 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Cristian Stoica, Herbert Xu, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Cristian Stoica <cristian.stoica@freescale.com>
commit 0378c9a855bfa395f595fbfb049707093e270f69 upstream.
This patch fixes a memory leak that appears when caam_jr module is unloaded.
Signed-off-by: Cristian Stoica <cristian.stoica@freescale.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/crypto/caam/jr.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/drivers/crypto/caam/jr.c b/drivers/crypto/caam/jr.c
index 1d80bd3..b512a4b 100644
--- a/drivers/crypto/caam/jr.c
+++ b/drivers/crypto/caam/jr.c
@@ -453,8 +453,8 @@ static int caam_jr_probe(struct platform_device *pdev)
int error;
jrdev = &pdev->dev;
- jrpriv = kmalloc(sizeof(struct caam_drv_private_jr),
- GFP_KERNEL);
+ jrpriv = devm_kmalloc(jrdev, sizeof(struct caam_drv_private_jr),
+ GFP_KERNEL);
if (!jrpriv)
return -ENOMEM;
@@ -487,10 +487,8 @@ static int caam_jr_probe(struct platform_device *pdev)
/* Now do the platform independent part */
error = caam_jr_init(jrdev); /* now turn on hardware */
- if (error) {
- kfree(jrpriv);
+ if (error)
return error;
- }
jrpriv->dev = jrdev;
spin_lock(&driver_data.jr_alloc_lock);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 091/259] dm: allocate a special workqueue for deferred device removal
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (89 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 090/259] crypto: caam - fix memleak in caam_jr module Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 092/259] dm io: fix a race condition in the wake up code for sync_io Kamal Mostafa
` (167 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Mikulas Patocka, Dan Carpenter, Mike Snitzer, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit acfe0ad74d2e1bfc81d1d7bf5e15b043985d3650 upstream.
The commit 2c140a246dc ("dm: allow remove to be deferred") introduced a
deferred removal feature for the device mapper. When this feature is
used (by passing a flag DM_DEFERRED_REMOVE to DM_DEV_REMOVE_CMD ioctl)
and the user tries to remove a device that is currently in use, the
device will be removed automatically in the future when the last user
closes it.
Device mapper used the system workqueue to perform deferred removals.
However, some targets (dm-raid1, dm-mpath, dm-stripe) flush work items
scheduled for the system workqueue from their destructor. If the
destructor itself is called from the system workqueue during deferred
removal, it introduces a possible deadlock - the workqueue tries to flush
itself.
Fix this possible deadlock by introducing a new workqueue for deferred
removals. We allocate just one workqueue for all dm targets. The
ability of dm targets to process IOs isn't dependent on deferred removal
of unused targets, so a deadlock due to shared workqueue isn't possible.
Also, cleanup local_init() to eliminate potential for returning success
on failure.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/md/dm.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
index b49c762..72859fa 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -54,6 +54,8 @@ static void do_deferred_remove(struct work_struct *w);
static DECLARE_WORK(deferred_remove_work, do_deferred_remove);
+static struct workqueue_struct *deferred_remove_workqueue;
+
/*
* For bio-based dm.
* One of these is allocated per bio.
@@ -283,16 +285,24 @@ static int __init local_init(void)
if (r)
goto out_free_rq_tio_cache;
+ deferred_remove_workqueue = alloc_workqueue("kdmremove", WQ_UNBOUND, 1);
+ if (!deferred_remove_workqueue) {
+ r = -ENOMEM;
+ goto out_uevent_exit;
+ }
+
_major = major;
r = register_blkdev(_major, _name);
if (r < 0)
- goto out_uevent_exit;
+ goto out_free_workqueue;
if (!_major)
_major = r;
return 0;
+out_free_workqueue:
+ destroy_workqueue(deferred_remove_workqueue);
out_uevent_exit:
dm_uevent_exit();
out_free_rq_tio_cache:
@@ -306,6 +316,7 @@ out_free_io_cache:
static void local_exit(void)
{
flush_scheduled_work();
+ destroy_workqueue(deferred_remove_workqueue);
kmem_cache_destroy(_rq_tio_cache);
kmem_cache_destroy(_io_cache);
@@ -414,7 +425,7 @@ static void dm_blk_close(struct gendisk *disk, fmode_t mode)
if (atomic_dec_and_test(&md->open_count) &&
(test_bit(DMF_DEFERRED_REMOVE, &md->flags)))
- schedule_work(&deferred_remove_work);
+ queue_work(deferred_remove_workqueue, &deferred_remove_work);
dm_put(md);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 092/259] dm io: fix a race condition in the wake up code for sync_io
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (90 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 091/259] dm: allocate a special workqueue for deferred device removal Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 093/259] drm/radeon/dp: return -EIO for flags not zero case Kamal Mostafa
` (166 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Joe Thornber, Mike Snitzer, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Joe Thornber <thornber@redhat.com>
commit 10f1d5d111e8aed46a0f1179faf9a3cf422f689e upstream.
There's a race condition between the atomic_dec_and_test(&io->count)
in dec_count() and the waking of the sync_io() thread. If the thread
is spuriously woken immediately after the decrement it may exit,
making the on stack io struct invalid, yet the dec_count could still
be using it.
Fix this race by using a completion in sync_io() and dec_count().
Reported-by: Minfei Huang <huangminfei@ucloud.cn>
Signed-off-by: Joe Thornber <thornber@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Acked-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/md/dm-io.c | 22 ++++++++--------------
1 file changed, 8 insertions(+), 14 deletions(-)
diff --git a/drivers/md/dm-io.c b/drivers/md/dm-io.c
index 2a20986..e60c2ea 100644
--- a/drivers/md/dm-io.c
+++ b/drivers/md/dm-io.c
@@ -10,6 +10,7 @@
#include <linux/device-mapper.h>
#include <linux/bio.h>
+#include <linux/completion.h>
#include <linux/mempool.h>
#include <linux/module.h>
#include <linux/sched.h>
@@ -32,7 +33,7 @@ struct dm_io_client {
struct io {
unsigned long error_bits;
atomic_t count;
- struct task_struct *sleeper;
+ struct completion *wait;
struct dm_io_client *client;
io_notify_fn callback;
void *context;
@@ -121,8 +122,8 @@ static void dec_count(struct io *io, unsigned int region, int error)
invalidate_kernel_vmap_range(io->vma_invalidate_address,
io->vma_invalidate_size);
- if (io->sleeper)
- wake_up_process(io->sleeper);
+ if (io->wait)
+ complete(io->wait);
else {
unsigned long r = io->error_bits;
@@ -385,6 +386,7 @@ static int sync_io(struct dm_io_client *client, unsigned int num_regions,
*/
volatile char io_[sizeof(struct io) + __alignof__(struct io) - 1];
struct io *io = (struct io *)PTR_ALIGN(&io_, __alignof__(struct io));
+ DECLARE_COMPLETION_ONSTACK(wait);
if (num_regions > 1 && (rw & RW_MASK) != WRITE) {
WARN_ON(1);
@@ -393,7 +395,7 @@ static int sync_io(struct dm_io_client *client, unsigned int num_regions,
io->error_bits = 0;
atomic_set(&io->count, 1); /* see dispatch_io() */
- io->sleeper = current;
+ io->wait = &wait;
io->client = client;
io->vma_invalidate_address = dp->vma_invalidate_address;
@@ -401,15 +403,7 @@ static int sync_io(struct dm_io_client *client, unsigned int num_regions,
dispatch_io(rw, num_regions, where, dp, io, 1);
- while (1) {
- set_current_state(TASK_UNINTERRUPTIBLE);
-
- if (!atomic_read(&io->count))
- break;
-
- io_schedule();
- }
- set_current_state(TASK_RUNNING);
+ wait_for_completion_io(&wait);
if (error_bits)
*error_bits = io->error_bits;
@@ -432,7 +426,7 @@ static int async_io(struct dm_io_client *client, unsigned int num_regions,
io = mempool_alloc(client->pool, GFP_NOIO);
io->error_bits = 0;
atomic_set(&io->count, 1); /* see dispatch_io() */
- io->sleeper = NULL;
+ io->wait = NULL;
io->client = client;
io->callback = fn;
io->context = context;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 093/259] drm/radeon/dp: return -EIO for flags not zero case
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (91 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 092/259] dm io: fix a race condition in the wake up code for sync_io Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 094/259] drm/radeon: fix typo in golden register setup on evergreen Kamal Mostafa
` (165 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Alex Deucher, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit f6be5e64500abbba44e191e1ca0f3366c7d0291b upstream.
If there are error flags in the aux transaction return
-EIO rather than -EBUSY. -EIO restarts the whole transaction
while -EBUSY jus retries. Fixes problematic aux transfers.
Bug:
https://bugs.freedesktop.org/show_bug.cgi?id=80684
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
[ kamal: backport to 3.13-stable (context) ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/gpu/drm/radeon/atombios_dp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/radeon/atombios_dp.c b/drivers/gpu/drm/radeon/atombios_dp.c
index a1a0350..514a623 100644
--- a/drivers/gpu/drm/radeon/atombios_dp.c
+++ b/drivers/gpu/drm/radeon/atombios_dp.c
@@ -123,7 +123,7 @@ static int radeon_process_aux_ch(struct radeon_i2c_chan *chan,
/* flags not zero */
if (args.v1.ucReplyStatus == 2) {
DRM_DEBUG_KMS("dp_aux_ch flags not zero\n");
- return -EBUSY;
+ return -EIO;
}
/* error */
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 094/259] drm/radeon: fix typo in golden register setup on evergreen
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (92 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 093/259] drm/radeon/dp: return -EIO for flags not zero case Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 095/259] drm/radeon: fix typo in ci_stop_dpm() Kamal Mostafa
` (164 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Alex Deucher, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit 6abafb78f9881b4891baf74ab4e9f090ae45230e upstream.
Fixes hangs on driver load on some cards.
bug:
https://bugs.freedesktop.org/show_bug.cgi?id=76998
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/gpu/drm/radeon/evergreen.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c
index 4c84deb..47463d8 100644
--- a/drivers/gpu/drm/radeon/evergreen.c
+++ b/drivers/gpu/drm/radeon/evergreen.c
@@ -188,7 +188,7 @@ static const u32 evergreen_golden_registers[] =
0x8c1c, 0xffffffff, 0x00001010,
0x28350, 0xffffffff, 0x00000000,
0xa008, 0xffffffff, 0x00010000,
- 0x5cc, 0xffffffff, 0x00000001,
+ 0x5c4, 0xffffffff, 0x00000001,
0x9508, 0xffffffff, 0x00000002,
0x913c, 0x0000000f, 0x0000000a
};
@@ -475,7 +475,7 @@ static const u32 cedar_golden_registers[] =
0x8c1c, 0xffffffff, 0x00001010,
0x28350, 0xffffffff, 0x00000000,
0xa008, 0xffffffff, 0x00010000,
- 0x5cc, 0xffffffff, 0x00000001,
+ 0x5c4, 0xffffffff, 0x00000001,
0x9508, 0xffffffff, 0x00000002
};
@@ -634,7 +634,7 @@ static const u32 juniper_mgcg_init[] =
static const u32 supersumo_golden_registers[] =
{
0x5eb4, 0xffffffff, 0x00000002,
- 0x5cc, 0xffffffff, 0x00000001,
+ 0x5c4, 0xffffffff, 0x00000001,
0x7030, 0xffffffff, 0x00000011,
0x7c30, 0xffffffff, 0x00000011,
0x6104, 0x01000300, 0x00000000,
@@ -718,7 +718,7 @@ static const u32 sumo_golden_registers[] =
static const u32 wrestler_golden_registers[] =
{
0x5eb4, 0xffffffff, 0x00000002,
- 0x5cc, 0xffffffff, 0x00000001,
+ 0x5c4, 0xffffffff, 0x00000001,
0x7030, 0xffffffff, 0x00000011,
0x7c30, 0xffffffff, 0x00000011,
0x6104, 0x01000300, 0x00000000,
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 095/259] drm/radeon: fix typo in ci_stop_dpm()
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (93 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 094/259] drm/radeon: fix typo in golden register setup on evergreen Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 096/259] drm/radeon/dpm: Reenabling SS on Cayman Kamal Mostafa
` (163 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Alex Deucher, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit ed96377132e564d797c48a5490fd46bed01c4273 upstream.
Need to use the RREG32_SMC() accessor since the register
is an smc indirect index.
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/gpu/drm/radeon/ci_dpm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/radeon/ci_dpm.c b/drivers/gpu/drm/radeon/ci_dpm.c
index 318d226..ca13ab5 100644
--- a/drivers/gpu/drm/radeon/ci_dpm.c
+++ b/drivers/gpu/drm/radeon/ci_dpm.c
@@ -1162,7 +1162,7 @@ static int ci_stop_dpm(struct radeon_device *rdev)
tmp &= ~GLOBAL_PWRMGT_EN;
WREG32_SMC(GENERAL_PWRMGT, tmp);
- tmp = RREG32(SCLK_PWRMGT_CNTL);
+ tmp = RREG32_SMC(SCLK_PWRMGT_CNTL);
tmp &= ~DYNAMIC_PM_EN;
WREG32_SMC(SCLK_PWRMGT_CNTL, tmp);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 096/259] drm/radeon/dpm: Reenabling SS on Cayman
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (94 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 095/259] drm/radeon: fix typo in ci_stop_dpm() Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 097/259] powerpc/perf: Add PPMU_ARCH_207S define Kamal Mostafa
` (162 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Alexandre Demers, Alex Deucher, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandre Demers <alexandre.f.demers@gmail.com>
commit 41959341ac7e33dd360c7a881d13566f9eca37b2 upstream.
It reverts commit c745fe611ca42295c9d91d8e305d27983e9132ef now that
Cayman is stable since VDDCI fix. Spread spectrum was not the culprit.
This depends on b0880e87c1fd038b84498944f52e52c3e86ebe59
(drm/radeon/dpm: fix vddci setup typo on cayman).
Signed-off-by: Alexandre Demers <alexandre.f.demers@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/gpu/drm/radeon/rv770_dpm.c | 6 ------
1 file changed, 6 deletions(-)
diff --git a/drivers/gpu/drm/radeon/rv770_dpm.c b/drivers/gpu/drm/radeon/rv770_dpm.c
index a239b30..890cf17 100644
--- a/drivers/gpu/drm/radeon/rv770_dpm.c
+++ b/drivers/gpu/drm/radeon/rv770_dpm.c
@@ -2328,12 +2328,6 @@ void rv770_get_engine_memory_ss(struct radeon_device *rdev)
pi->mclk_ss = radeon_atombios_get_asic_ss_info(rdev, &ss,
ASIC_INTERNAL_MEMORY_SS, 0);
- /* disable ss, causes hangs on some cayman boards */
- if (rdev->family == CHIP_CAYMAN) {
- pi->sclk_ss = false;
- pi->mclk_ss = false;
- }
-
if (pi->sclk_ss || pi->mclk_ss)
pi->dynamic_ss = true;
else
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 097/259] powerpc/perf: Add PPMU_ARCH_207S define
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (95 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 096/259] drm/radeon/dpm: Reenabling SS on Cayman Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 098/259] powerpc/perf: Clear MMCR2 when enabling PMU Kamal Mostafa
` (161 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Joel Stanley, Benjamin Herrenschmidt, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Joel Stanley <joel@jms.id.au>
commit 4d9690dd56b0d18f2af8a9d4a279cb205aae3345 upstream.
Instead of separate bits for every POWER8 PMU feature, have a single one
for v2.07 of the architecture.
This saves us adding a MMCR2 define for a future patch.
Signed-off-by: Joel Stanley <joel@jms.id.au>
Acked-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
[ kamal: backport to 3.13-stable (drop perf_event_print_debug change) ]
---
arch/powerpc/include/asm/perf_event_server.h | 3 +--
arch/powerpc/perf/core-book3s.c | 4 ++--
arch/powerpc/perf/power8-pmu.c | 2 +-
3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/arch/powerpc/include/asm/perf_event_server.h b/arch/powerpc/include/asm/perf_event_server.h
index 3fd2f1b..cefc7b4 100644
--- a/arch/powerpc/include/asm/perf_event_server.h
+++ b/arch/powerpc/include/asm/perf_event_server.h
@@ -60,8 +60,7 @@ struct power_pmu {
#define PPMU_SIAR_VALID 0x00000010 /* Processor has SIAR Valid bit */
#define PPMU_HAS_SSLOT 0x00000020 /* Has sampled slot in MMCRA */
#define PPMU_HAS_SIER 0x00000040 /* Has SIER */
-#define PPMU_BHRB 0x00000080 /* has BHRB feature enabled */
-#define PPMU_EBB 0x00000100 /* supports event based branch */
+#define PPMU_ARCH_207S 0x00000080 /* PMC is architecture v2.07S */
/*
* Values for flags to get_alternatives()
diff --git a/arch/powerpc/perf/core-book3s.c b/arch/powerpc/perf/core-book3s.c
index 29b89e8..8855aec 100644
--- a/arch/powerpc/perf/core-book3s.c
+++ b/arch/powerpc/perf/core-book3s.c
@@ -483,7 +483,7 @@ static bool is_ebb_event(struct perf_event *event)
* check that the PMU supports EBB, meaning those that don't can still
* use bit 63 of the event code for something else if they wish.
*/
- return (ppmu->flags & PPMU_EBB) &&
+ return (ppmu->flags & PPMU_ARCH_207S) &&
((event->attr.config >> PERF_EVENT_CONFIG_EBB_SHIFT) & 1);
}
@@ -1547,7 +1547,7 @@ static int power_pmu_event_init(struct perf_event *event)
if (has_branch_stack(event)) {
/* PMU has BHRB enabled */
- if (!(ppmu->flags & PPMU_BHRB))
+ if (!(ppmu->flags & PPMU_ARCH_207S))
return -EOPNOTSUPP;
}
diff --git a/arch/powerpc/perf/power8-pmu.c b/arch/powerpc/perf/power8-pmu.c
index a3f7abd..79b7e20 100644
--- a/arch/powerpc/perf/power8-pmu.c
+++ b/arch/powerpc/perf/power8-pmu.c
@@ -608,7 +608,7 @@ static struct power_pmu power8_pmu = {
.get_constraint = power8_get_constraint,
.get_alternatives = power8_get_alternatives,
.disable_pmc = power8_disable_pmc,
- .flags = PPMU_HAS_SSLOT | PPMU_HAS_SIER | PPMU_BHRB | PPMU_EBB,
+ .flags = PPMU_HAS_SSLOT | PPMU_HAS_SIER | PPMU_ARCH_207S,
.n_generic = ARRAY_SIZE(power8_generic_events),
.generic_events = power8_generic_events,
.attr_groups = power8_pmu_attr_groups,
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 098/259] powerpc/perf: Clear MMCR2 when enabling PMU
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (96 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 097/259] powerpc/perf: Add PPMU_ARCH_207S define Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 099/259] powerpc/perf: Never program book3s PMCs with values >= 0x80000000 Kamal Mostafa
` (160 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Joel Stanley, Benjamin Herrenschmidt, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Joel Stanley <joel@jms.id.au>
commit b50a6c584bb47b370f84bfd746770c0bbe7129b7 upstream.
On POWER8 when switching to a KVM guest we set bits in MMCR2 to freeze
the PMU counters. Aside from on boot they are then never reset,
resulting in stuck perf counters for any user in the guest or host.
We now set MMCR2 to 0 whenever enabling the PMU, which provides a sane
state for perf to use the PMU counters under either the guest or the
host.
This was manifesting as a bug with ppc64_cpu --frequency:
$ sudo ppc64_cpu --frequency
WARNING: couldn't run on cpu 0
WARNING: couldn't run on cpu 8
...
WARNING: couldn't run on cpu 144
WARNING: couldn't run on cpu 152
min: 18446744073.710 GHz (cpu -1)
max: 0.000 GHz (cpu -1)
avg: 0.000 GHz
The command uses a perf counter to measure CPU cycles over a fixed
amount of time, in order to approximate the frequency of the machine.
The counters were returning zero once a guest was started, regardless of
weather it was still running or had been shut down.
By dumping the value of MMCR2, it was observed that once a guest is
running MMCR2 is set to 1s - which stops counters from running:
$ sudo sh -c 'echo p > /proc/sysrq-trigger'
CPU: 0 PMU registers, ppmu = POWER8 n_counters = 6
PMC1: 5b635e38 PMC2: 00000000 PMC3: 00000000 PMC4: 00000000
PMC5: 1bf5a646 PMC6: 5793d378 PMC7: deadbeef PMC8: deadbeef
MMCR0: 0000000080000000 MMCR1: 000000001e000000 MMCRA: 0000040000000000
MMCR2: fffffffffffffc00 EBBHR: 0000000000000000
EBBRR: 0000000000000000 BESCR: 0000000000000000
SIAR: 00000000000a51cc SDAR: c00000000fc40000 SIER: 0000000001000000
This is done unconditionally in book3s_hv_interrupts.S upon entering the
guest, and the original value is only save/restored if the host has
indicated it was using the PMU. This is okay, however the user of the
PMU needs to ensure that it is in a defined state when it starts using
it.
Fixes: e05b9b9e5c10 ("powerpc/perf: Power8 PMU support")
Signed-off-by: Joel Stanley <joel@jms.id.au>
Acked-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/powerpc/perf/core-book3s.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/powerpc/perf/core-book3s.c b/arch/powerpc/perf/core-book3s.c
index 8855aec..d23b01c 100644
--- a/arch/powerpc/perf/core-book3s.c
+++ b/arch/powerpc/perf/core-book3s.c
@@ -1149,6 +1149,9 @@ static void power_pmu_enable(struct pmu *pmu)
mb();
write_mmcr0(cpuhw, mmcr0);
+ if (ppmu->flags & PPMU_ARCH_207S)
+ mtspr(SPRN_MMCR2, 0);
+
/*
* Enable instruction sampling if necessary
*/
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 099/259] powerpc/perf: Never program book3s PMCs with values >= 0x80000000
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (97 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 098/259] powerpc/perf: Clear MMCR2 when enabling PMU Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 100/259] USB: serial: ftdi_sio: Add Infineon Triboard Kamal Mostafa
` (159 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Anton Blanchard, Benjamin Herrenschmidt, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Anton Blanchard <anton@samba.org>
commit f56029410a13cae3652d1f34788045c40a13ffc7 upstream.
We are seeing a lot of PMU warnings on POWER8:
Can't find PMC that caused IRQ
Looking closer, the active PMC is 0 at this point and we took a PMU
exception on the transition from negative to 0. Some versions of POWER8
have an issue where they edge detect and not level detect PMC overflows.
A number of places program the PMC with (0x80000000 - period_left),
where period_left can be negative. We can either fix all of these or
just ensure that period_left is always >= 1.
This patch takes the second option.
Signed-off-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/powerpc/perf/core-book3s.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/arch/powerpc/perf/core-book3s.c b/arch/powerpc/perf/core-book3s.c
index d23b01c..57a8ff9 100644
--- a/arch/powerpc/perf/core-book3s.c
+++ b/arch/powerpc/perf/core-book3s.c
@@ -851,7 +851,22 @@ static void power_pmu_read(struct perf_event *event)
} while (local64_cmpxchg(&event->hw.prev_count, prev, val) != prev);
local64_add(delta, &event->count);
- local64_sub(delta, &event->hw.period_left);
+
+ /*
+ * A number of places program the PMC with (0x80000000 - period_left).
+ * We never want period_left to be less than 1 because we will program
+ * the PMC with a value >= 0x800000000 and an edge detected PMC will
+ * roll around to 0 before taking an exception. We have seen this
+ * on POWER8.
+ *
+ * To fix this, clamp the minimum value of period_left to 1.
+ */
+ do {
+ prev = local64_read(&event->hw.period_left);
+ val = prev - delta;
+ if (val < 1)
+ val = 1;
+ } while (local64_cmpxchg(&event->hw.period_left, prev, val) != prev);
}
/*
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 100/259] USB: serial: ftdi_sio: Add Infineon Triboard
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (98 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 099/259] powerpc/perf: Never program book3s PMCs with values >= 0x80000000 Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 101/259] phy: core: Fix error path in phy_create() Kamal Mostafa
` (158 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Michal Sojka, Johan Hovold, Greg Kroah-Hartman, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Sojka <sojkam1@fel.cvut.cz>
commit d8279a40e50ad55539780aa617a32a53d7f0953e upstream.
This adds support for Infineon TriBoard TC1798 [1]. Only interface 1
is used as serial line (see [2], Figure 8-6).
[1] http://www.infineon.com/cms/de/product/microcontroller/development-tools-software-and-kits/tricore-tm-development-tools-software-and-kits/starterkits-and-evaluation-boards/starter-kit-tc1798/channel.html?channel=db3a304333b8a7ca0133cfa3d73e4268
[2] http://www.infineon.com/dgdl/TriBoardManual-TC1798-V10.pdf?folderId=db3a304412b407950112b409ae7c0343&fileId=db3a304333b8a7ca0133cfae99fe426a
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Cc: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/usb/serial/ftdi_sio.c | 2 ++
drivers/usb/serial/ftdi_sio_ids.h | 6 ++++++
2 files changed, 8 insertions(+)
diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
index 2a077ea..44771a0 100644
--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -946,6 +946,8 @@ static struct usb_device_id id_table_combined [] = {
{ USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_842_2_PID) },
{ USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_842_3_PID) },
{ USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_842_4_PID) },
+ /* Infineon Devices */
+ { USB_DEVICE_INTERFACE_NUMBER(INFINEON_VID, INFINEON_TRIBOARD_PID, 1) },
{ } /* Terminating entry */
};
diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
index 106cc16..c4777bc 100644
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -584,6 +584,12 @@
#define RATOC_PRODUCT_ID_USB60F 0xb020
/*
+ * Infineon Technologies
+ */
+#define INFINEON_VID 0x058b
+#define INFINEON_TRIBOARD_PID 0x0028 /* DAS JTAG TriBoard TC1798 V1.0 */
+
+/*
* Acton Research Corp.
*/
#define ACTON_VID 0x0647 /* Vendor ID */
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 101/259] phy: core: Fix error path in phy_create()
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (99 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 100/259] USB: serial: ftdi_sio: Add Infineon Triboard Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 102/259] ext4: fix a potential deadlock in __ext4_es_shrink() Kamal Mostafa
` (157 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Roger Quadros, Kishon Vijay Abraham I, Greg Kroah-Hartman, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Roger Quadros <rogerq@ti.com>
commit e73b49f1c4e75c44d62585cc3e5b9c7894b61c32 upstream.
Prevent resources from being freed twice in case device_add() call
fails within phy_create(). Also use ida_simple_remove() instead of
ida_remove() as we had used ida_simple_get() to allocate the ida.
Signed-off-by: Roger Quadros <rogerq@ti.com>
Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/phy/phy-core.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/phy/phy-core.c b/drivers/phy/phy-core.c
index 58e0e97..c6683f8 100644
--- a/drivers/phy/phy-core.c
+++ b/drivers/phy/phy-core.c
@@ -477,8 +477,9 @@ struct phy *phy_create(struct device *dev, const struct phy_ops *ops,
return phy;
put_dev:
- put_device(&phy->dev);
- ida_remove(&phy_ida, phy->id);
+ put_device(&phy->dev); /* calls phy_release() which frees resources */
+ return ERR_PTR(ret);
+
free_phy:
kfree(phy);
return ERR_PTR(ret);
@@ -662,7 +663,7 @@ static void phy_release(struct device *dev)
phy = to_phy(dev);
dev_vdbg(dev, "releasing '%s'\n", dev_name(dev));
- ida_remove(&phy_ida, phy->id);
+ ida_simple_remove(&phy_ida, phy->id);
kfree(phy);
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 102/259] ext4: fix a potential deadlock in __ext4_es_shrink()
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (100 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 101/259] phy: core: Fix error path in phy_create() Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 103/259] parisc: add serial ports of C8000/1GHz machine to hardware database Kamal Mostafa
` (156 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Theodore Ts'o, Zheng Liu, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Theodore Ts'o <tytso@mit.edu>
commit 3f1f9b851311a76226140b55b1ea22111234a7c2 upstream.
This fixes the following lockdep complaint:
[ INFO: possible circular locking dependency detected ]
3.16.0-rc2-mm1+ #7 Tainted: G O
-------------------------------------------------------
kworker/u24:0/4356 is trying to acquire lock:
(&(&sbi->s_es_lru_lock)->rlock){+.+.-.}, at: [<ffffffff81285fff>] __ext4_es_shrink+0x4f/0x2e0
but task is already holding lock:
(&ei->i_es_lock){++++-.}, at: [<ffffffff81286961>] ext4_es_insert_extent+0x71/0x180
which lock already depends on the new lock.
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&ei->i_es_lock);
lock(&(&sbi->s_es_lru_lock)->rlock);
lock(&ei->i_es_lock);
lock(&(&sbi->s_es_lru_lock)->rlock);
*** DEADLOCK ***
6 locks held by kworker/u24:0/4356:
#0: ("writeback"){.+.+.+}, at: [<ffffffff81071d00>] process_one_work+0x180/0x560
#1: ((&(&wb->dwork)->work)){+.+.+.}, at: [<ffffffff81071d00>] process_one_work+0x180/0x560
#2: (&type->s_umount_key#22){++++++}, at: [<ffffffff811a9c74>] grab_super_passive+0x44/0x90
#3: (jbd2_handle){+.+...}, at: [<ffffffff812979f9>] start_this_handle+0x189/0x5f0
#4: (&ei->i_data_sem){++++..}, at: [<ffffffff81247062>] ext4_map_blocks+0x132/0x550
#5: (&ei->i_es_lock){++++-.}, at: [<ffffffff81286961>] ext4_es_insert_extent+0x71/0x180
stack backtrace:
CPU: 0 PID: 4356 Comm: kworker/u24:0 Tainted: G O 3.16.0-rc2-mm1+ #7
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
Workqueue: writeback bdi_writeback_workfn (flush-253:0)
ffffffff8213dce0 ffff880014b07538 ffffffff815df0bb 0000000000000007
ffffffff8213e040 ffff880014b07588 ffffffff815db3dd ffff880014b07568
ffff880014b07610 ffff88003b868930 ffff88003b868908 ffff88003b868930
Call Trace:
[<ffffffff815df0bb>] dump_stack+0x4e/0x68
[<ffffffff815db3dd>] print_circular_bug+0x1fb/0x20c
[<ffffffff810a7a3e>] __lock_acquire+0x163e/0x1d00
[<ffffffff815e89dc>] ? retint_restore_args+0xe/0xe
[<ffffffff815ddc7b>] ? __slab_alloc+0x4a8/0x4ce
[<ffffffff81285fff>] ? __ext4_es_shrink+0x4f/0x2e0
[<ffffffff810a8707>] lock_acquire+0x87/0x120
[<ffffffff81285fff>] ? __ext4_es_shrink+0x4f/0x2e0
[<ffffffff8128592d>] ? ext4_es_free_extent+0x5d/0x70
[<ffffffff815e6f09>] _raw_spin_lock+0x39/0x50
[<ffffffff81285fff>] ? __ext4_es_shrink+0x4f/0x2e0
[<ffffffff8119760b>] ? kmem_cache_alloc+0x18b/0x1a0
[<ffffffff81285fff>] __ext4_es_shrink+0x4f/0x2e0
[<ffffffff812869b8>] ext4_es_insert_extent+0xc8/0x180
[<ffffffff812470f4>] ext4_map_blocks+0x1c4/0x550
[<ffffffff8124c4c4>] ext4_writepages+0x6d4/0xd00
...
Reported-by: Minchan Kim <minchan@kernel.org>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reported-by: Minchan Kim <minchan@kernel.org>
Cc: Zheng Liu <gnehzuil.liu@gmail.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
fs/ext4/extents_status.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c
index 3981ff7..171b9fa 100644
--- a/fs/ext4/extents_status.c
+++ b/fs/ext4/extents_status.c
@@ -962,10 +962,10 @@ retry:
continue;
}
- if (ei->i_es_lru_nr == 0 || ei == locked_ei)
+ if (ei->i_es_lru_nr == 0 || ei == locked_ei ||
+ !write_trylock(&ei->i_es_lock))
continue;
- write_lock(&ei->i_es_lock);
shrunk = __es_try_to_reclaim_extents(ei, nr_to_scan);
if (ei->i_es_lru_nr == 0)
list_del_init(&ei->i_es_lru);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 103/259] parisc: add serial ports of C8000/1GHz machine to hardware database
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (101 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 102/259] ext4: fix a potential deadlock in __ext4_es_shrink() Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 104/259] parisc: fix fanotify_mark() syscall on 32bit compat kernel Kamal Mostafa
` (155 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Helge Deller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
commit eadcc7208a2237016be7bdff4551ba7614da85c8 upstream.
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/parisc/kernel/hardware.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/parisc/kernel/hardware.c b/arch/parisc/kernel/hardware.c
index 608716f..af3bc35 100644
--- a/arch/parisc/kernel/hardware.c
+++ b/arch/parisc/kernel/hardware.c
@@ -1210,7 +1210,8 @@ static struct hp_hardware hp_hardware_list[] = {
{HPHW_FIO, 0x004, 0x00320, 0x0, "Metheus Frame Buffer"},
{HPHW_FIO, 0x004, 0x00340, 0x0, "BARCO CX4500 VME Grphx Cnsl"},
{HPHW_FIO, 0x004, 0x00360, 0x0, "Hughes TOG VME FDDI"},
- {HPHW_FIO, 0x076, 0x000AD, 0x00, "Crestone Peak RS-232"},
+ {HPHW_FIO, 0x076, 0x000AD, 0x0, "Crestone Peak Core RS-232"},
+ {HPHW_FIO, 0x077, 0x000AD, 0x0, "Crestone Peak Fast? Core RS-232"},
{HPHW_IOA, 0x185, 0x0000B, 0x00, "Java BC Summit Port"},
{HPHW_IOA, 0x1FF, 0x0000B, 0x00, "Hitachi Ghostview Summit Port"},
{HPHW_IOA, 0x580, 0x0000B, 0x10, "U2-IOA BC Runway Port"},
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 104/259] parisc: fix fanotify_mark() syscall on 32bit compat kernel
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (102 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 103/259] parisc: add serial ports of C8000/1GHz machine to hardware database Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 105/259] parisc: drop unused defines and header includes Kamal Mostafa
` (154 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Helge Deller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
commit ab8a261ba5e2dd9206da640de5870cc31d568a7c upstream.
On parisc we can not use the existing compat implementation for fanotify_mark()
because for the 64bit mask parameter the higher and lower 32bits are ordered
differently than what the compat function expects from big endian
architectures.
Specifically:
It finally turned out, that on hppa we end up with different assignments
of parameters to kernel arguments depending on if we call the glibc
wrapper function
int fanotify_mark (int __fanotify_fd, unsigned int __flags,
uint64_t __mask, int __dfd, const char *__pathname);
or directly calling the syscall manually
syscall(__NR_fanotify_mark, ...)
Reason is, that the syscall() function is implemented as C-function and
because we now have the sysno as first parameter in front of the other
parameters the compiler will unexpectedly add an empty paramenter in
front of the u64 value to ensure the correct calling alignment for 64bit
values.
This means, on hppa you can't simply use syscall() to call the kernel
fanotify_mark() function directly, but you have to use the glibc
function instead.
This patch fixes the kernel in the hppa-arch specifc coding to adjust
the parameters in a way as if userspace calls the glibc wrapper function
fanotify_mark().
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/parisc/kernel/sys_parisc32.c | 10 ++++++++++
arch/parisc/kernel/syscall_table.S | 2 +-
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/arch/parisc/kernel/sys_parisc32.c b/arch/parisc/kernel/sys_parisc32.c
index bb9f3b6..ec741fe 100644
--- a/arch/parisc/kernel/sys_parisc32.c
+++ b/arch/parisc/kernel/sys_parisc32.c
@@ -4,6 +4,7 @@
* Copyright (C) 2000-2001 Hewlett Packard Company
* Copyright (C) 2000 John Marvin
* Copyright (C) 2001 Matthew Wilcox
+ * Copyright (C) 2014 Helge Deller <deller@gmx.de>
*
* These routines maintain argument size conversion between 32bit and 64bit
* environment. Based heavily on sys_ia32.c and sys_sparc32.c.
@@ -57,3 +58,12 @@ asmlinkage long sys32_unimplemented(int r26, int r25, int r24, int r23,
current->comm, current->pid, r20);
return -ENOSYS;
}
+
+asmlinkage long sys32_fanotify_mark(compat_int_t fanotify_fd, compat_uint_t flags,
+ compat_uint_t mask0, compat_uint_t mask1, compat_int_t dfd,
+ const char __user * pathname)
+{
+ return sys_fanotify_mark(fanotify_fd, flags,
+ ((__u64)mask1 << 32) | mask0,
+ dfd, pathname);
+}
diff --git a/arch/parisc/kernel/syscall_table.S b/arch/parisc/kernel/syscall_table.S
index 10a0c2a..486a600 100644
--- a/arch/parisc/kernel/syscall_table.S
+++ b/arch/parisc/kernel/syscall_table.S
@@ -418,7 +418,7 @@
ENTRY_SAME(accept4) /* 320 */
ENTRY_SAME(prlimit64)
ENTRY_SAME(fanotify_init)
- ENTRY_COMP(fanotify_mark)
+ ENTRY_DIFF(fanotify_mark)
ENTRY_COMP(clock_adjtime)
ENTRY_SAME(name_to_handle_at) /* 325 */
ENTRY_COMP(open_by_handle_at)
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 105/259] parisc: drop unused defines and header includes
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (103 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 104/259] parisc: fix fanotify_mark() syscall on 32bit compat kernel Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 106/259] clk: spear3xx: Use proper control register offset Kamal Mostafa
` (153 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Helge Deller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
commit fe22ddcb9f271d2af0e72d2743726cf28085b1dd upstream.
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/parisc/kernel/sys_parisc32.c | 36 ------------------------------------
1 file changed, 36 deletions(-)
diff --git a/arch/parisc/kernel/sys_parisc32.c b/arch/parisc/kernel/sys_parisc32.c
index ec741fe..93c1963 100644
--- a/arch/parisc/kernel/sys_parisc32.c
+++ b/arch/parisc/kernel/sys_parisc32.c
@@ -12,44 +12,8 @@
#include <linux/compat.h>
#include <linux/kernel.h>
-#include <linux/sched.h>
-#include <linux/fs.h>
-#include <linux/mm.h>
-#include <linux/file.h>
-#include <linux/signal.h>
-#include <linux/resource.h>
-#include <linux/times.h>
-#include <linux/time.h>
-#include <linux/smp.h>
-#include <linux/sem.h>
-#include <linux/shm.h>
-#include <linux/slab.h>
-#include <linux/uio.h>
-#include <linux/ncp_fs.h>
-#include <linux/poll.h>
-#include <linux/personality.h>
-#include <linux/stat.h>
-#include <linux/highmem.h>
-#include <linux/highuid.h>
-#include <linux/mman.h>
-#include <linux/binfmts.h>
-#include <linux/namei.h>
-#include <linux/vfs.h>
-#include <linux/ptrace.h>
-#include <linux/swap.h>
#include <linux/syscalls.h>
-#include <asm/types.h>
-#include <asm/uaccess.h>
-#include <asm/mmu_context.h>
-
-#undef DEBUG
-
-#ifdef DEBUG
-#define DBG(x) printk x
-#else
-#define DBG(x)
-#endif
asmlinkage long sys32_unimplemented(int r26, int r25, int r24, int r23,
int r22, int r21, int r20)
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 106/259] clk: spear3xx: Use proper control register offset
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (104 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 105/259] parisc: drop unused defines and header includes Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 107/259] Bluetooth: Ignore H5 non-link packets in non-active state Kamal Mostafa
` (152 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Thomas Gleixner, Mike Turquette, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
commit 15ebb05248d025534773c9ef64915bd888f04e4b upstream.
The control register is at offset 0x10, not 0x0. This is wreckaged
since commit 5df33a62c (SPEAr: Switch to common clock framework).
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Mike Turquette <mturquette@linaro.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/clk/spear/spear3xx_clock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/spear/spear3xx_clock.c b/drivers/clk/spear/spear3xx_clock.c
index c2d2043..125eba8 100644
--- a/drivers/clk/spear/spear3xx_clock.c
+++ b/drivers/clk/spear/spear3xx_clock.c
@@ -211,7 +211,7 @@ static inline void spear310_clk_init(void) { }
/* array of all spear 320 clock lookups */
#ifdef CONFIG_MACH_SPEAR320
-#define SPEAR320_CONTROL_REG (soc_config_base + 0x0000)
+#define SPEAR320_CONTROL_REG (soc_config_base + 0x0010)
#define SPEAR320_EXT_CTRL_REG (soc_config_base + 0x0018)
#define SPEAR320_UARTX_PCLK_MASK 0x1
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 107/259] Bluetooth: Ignore H5 non-link packets in non-active state
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (105 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 106/259] clk: spear3xx: Use proper control register offset Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 108/259] iwlwifi: update the 7265 series HW IDs Kamal Mostafa
` (151 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Loic Poulain, Marcel Holtmann, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Loic Poulain <loic.poulain@intel.com>
commit 48439d501e3d9e8634bdc0c418e066870039599d upstream.
When detecting a non-link packet, h5_reset_rx() frees the Rx skb.
Not returning after that will cause the upcoming h5_rx_payload()
call to dereference a now NULL Rx skb and trigger a kernel oops.
Signed-off-by: Loic Poulain <loic.poulain@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/bluetooth/hci_h5.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/bluetooth/hci_h5.c b/drivers/bluetooth/hci_h5.c
index f6f4974..e36a024 100644
--- a/drivers/bluetooth/hci_h5.c
+++ b/drivers/bluetooth/hci_h5.c
@@ -406,6 +406,7 @@ static int h5_rx_3wire_hdr(struct hci_uart *hu, unsigned char c)
H5_HDR_PKT_TYPE(hdr) != HCI_3WIRE_LINK_PKT) {
BT_ERR("Non-link packet received in non-active state");
h5_reset_rx(h5);
+ return 0;
}
h5->rx_func = h5_rx_payload;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 108/259] iwlwifi: update the 7265 series HW IDs
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (106 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 107/259] Bluetooth: Ignore H5 non-link packets in non-active state Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 109/259] mwifiex: fix Tx timeout issue Kamal Mostafa
` (150 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Oren Givon, Emmanuel Grumbach, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Oren Givon <oren.givon@intel.com>
commit b3c063ae7279981f7161e63b44f214c62f122b32 upstream.
Add one more 7265 series HW ID.
Edit one existing 7265 series HW ID.
Signed-off-by: Oren Givon <oren.givon@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/wireless/iwlwifi/pcie/drv.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/iwlwifi/pcie/drv.c b/drivers/net/wireless/iwlwifi/pcie/drv.c
index a9e3655..d408df2 100644
--- a/drivers/net/wireless/iwlwifi/pcie/drv.c
+++ b/drivers/net/wireless/iwlwifi/pcie/drv.c
@@ -362,6 +362,7 @@ static DEFINE_PCI_DEVICE_TABLE(iwl_hw_card_ids) = {
{IWL_PCI_DEVICE(0x095B, 0x5210, iwl7265_2ac_cfg)},
{IWL_PCI_DEVICE(0x095A, 0x5012, iwl7265_2ac_cfg)},
{IWL_PCI_DEVICE(0x095A, 0x5410, iwl7265_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x095A, 0x5510, iwl7265_2ac_cfg)},
{IWL_PCI_DEVICE(0x095A, 0x5400, iwl7265_2ac_cfg)},
{IWL_PCI_DEVICE(0x095A, 0x1010, iwl7265_2ac_cfg)},
{IWL_PCI_DEVICE(0x095A, 0x5000, iwl7265_2n_cfg)},
@@ -375,7 +376,7 @@ static DEFINE_PCI_DEVICE_TABLE(iwl_hw_card_ids) = {
{IWL_PCI_DEVICE(0x095A, 0x9110, iwl7265_2ac_cfg)},
{IWL_PCI_DEVICE(0x095A, 0x9112, iwl7265_2ac_cfg)},
{IWL_PCI_DEVICE(0x095A, 0x9210, iwl7265_2ac_cfg)},
- {IWL_PCI_DEVICE(0x095A, 0x9200, iwl7265_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x095B, 0x9200, iwl7265_2ac_cfg)},
{IWL_PCI_DEVICE(0x095A, 0x9510, iwl7265_2ac_cfg)},
{IWL_PCI_DEVICE(0x095A, 0x9310, iwl7265_2ac_cfg)},
{IWL_PCI_DEVICE(0x095A, 0x9410, iwl7265_2ac_cfg)},
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 109/259] mwifiex: fix Tx timeout issue
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (107 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 108/259] iwlwifi: update the 7265 series HW IDs Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 110/259] x86, tsc: Fix cpufreq lockup Kamal Mostafa
` (149 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Amitkumar Karwar, Maithili Hinge, Avinash Patil, Bing Zhao,
John W. Linville, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Amitkumar Karwar <akarwar@marvell.com>
commit d76744a93246eccdca1106037e8ee29debf48277 upstream.
https://bugzilla.kernel.org/show_bug.cgi?id=70191
https://bugzilla.kernel.org/show_bug.cgi?id=77581
It is observed that sometimes Tx packet is downloaded without
adding driver's txpd header. This results in firmware parsing
garbage data as packet length. Sometimes firmware is unable
to read the packet if length comes out as invalid. This stops
further traffic and timeout occurs.
The root cause is uninitialized fields in tx_info(skb->cb) of
packet used to get garbage values. In this case if
MWIFIEX_BUF_FLAG_REQUEUED_PKT flag is mistakenly set, txpd
header was skipped. This patch makes sure that tx_info is
correctly initialized to fix the problem.
Reported-by: Andrew Wiley <wiley.andrew.j@gmail.com>
Reported-by: Linus Gasser <list@markas-al-nour.org>
Reported-by: Michael Hirsch <hirsch@teufel.de>
Tested-by: Xinming Hu <huxm@marvell.com>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Maithili Hinge <maithili@marvell.com>
Signed-off-by: Avinash Patil <patila@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/wireless/mwifiex/main.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/mwifiex/main.c b/drivers/net/wireless/mwifiex/main.c
index 8bb8988..a5c00cc 100644
--- a/drivers/net/wireless/mwifiex/main.c
+++ b/drivers/net/wireless/mwifiex/main.c
@@ -646,6 +646,7 @@ mwifiex_hard_start_xmit(struct sk_buff *skb, struct net_device *dev)
}
tx_info = MWIFIEX_SKB_TXCB(skb);
+ memset(tx_info, 0, sizeof(*tx_info));
tx_info->bss_num = priv->bss_num;
tx_info->bss_type = priv->bss_type;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 110/259] x86, tsc: Fix cpufreq lockup
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (108 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 109/259] mwifiex: fix Tx timeout issue Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 111/259] perf/x86/intel: ignore CondChgd bit to avoid false NMI handling Kamal Mostafa
` (148 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Rafael J. Wysocki, Viresh Kumar, Bin Gao, Linus Torvalds,
Mika Westerberg, Paul Gortmaker, Stefani Seibold, Peter Zijlstra,
Ingo Molnar, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
commit 3896c329df8092661dac80f55a8c3f60136fd61a upstream.
Mauro reported that his AMD X2 using the powernow-k8 cpufreq driver
locked up when doing cpu hotplug.
Because we called set_cyc2ns_scale() from the time_cpufreq_notifier()
unconditionally, it gets called multiple times for each freq change,
instead of only the once, when the tsc_khz value actually changes.
Because it gets called more than once, we run out of cyc2ns data slots
and stall, waiting for a free one, but because we're half way offline,
there's no consumers to free slots.
By placing the call inside the condition that actually changes tsc_khz
we avoid superfluous calls and avoid the problem.
Reported-by: Mauro <registosites@hotmail.com>
Tested-by: Mauro <registosites@hotmail.com>
Fixes: 20d1c86a5776 ("sched/clock, x86: Rewrite cyc2ns() to avoid the need to disable IRQs")
Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
Cc: Viresh Kumar <viresh.kumar@linaro.org>
Cc: Bin Gao <bin.gao@intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mika Westerberg <mika.westerberg@linux.intel.com>
Cc: Paul Gortmaker <paul.gortmaker@windriver.com>
Cc: Stefani Seibold <stefani@seibold.net>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/x86/kernel/tsc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/tsc.c b/arch/x86/kernel/tsc.c
index 930e5d4..66af9af 100644
--- a/arch/x86/kernel/tsc.c
+++ b/arch/x86/kernel/tsc.c
@@ -722,9 +722,9 @@ static int time_cpufreq_notifier(struct notifier_block *nb, unsigned long val,
tsc_khz = cpufreq_scale(tsc_khz_ref, ref_freq, freq->new);
if (!(freq->flags & CPUFREQ_CONST_LOOPS))
mark_tsc_unstable("cpufreq changes");
- }
- set_cyc2ns_scale(tsc_khz, freq->cpu);
+ set_cyc2ns_scale(tsc_khz, freq->cpu);
+ }
return 0;
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 111/259] perf/x86/intel: ignore CondChgd bit to avoid false NMI handling
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (109 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 110/259] x86, tsc: Fix cpufreq lockup Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 112/259] perf: Do not allow optimized switch for non-cloned events Kamal Mostafa
` (147 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: HATAYAMA Daisuke, Peter Zijlstra, Arnaldo Carvalho de Melo,
Linus Torvalds, Ingo Molnar, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: HATAYAMA Daisuke <d.hatayama@jp.fujitsu.com>
commit b292d7a10487aee6e74b1c18b8d95b92f40d4a4f upstream.
Currently, any NMI is falsely handled by a NMI handler of NMI watchdog
if CondChgd bit in MSR_CORE_PERF_GLOBAL_STATUS MSR is set.
For example, we use external NMI to make system panic to get crash
dump, but in this case, the external NMI is falsely handled do to the
issue.
This commit deals with the issue simply by ignoring CondChgd bit.
Here is explanation in detail.
On x86 NMI watchdog uses performance monitoring feature to
periodically signal NMI each time performance counter gets overflowed.
intel_pmu_handle_irq() is called as a NMI_LOCAL handler from a NMI
handler of NMI watchdog, perf_event_nmi_handler(). It identifies an
owner of a given NMI by looking at overflow status bits in
MSR_CORE_PERF_GLOBAL_STATUS MSR. If some of the bits are set, then it
handles the given NMI as its own NMI.
The problem is that the intel_pmu_handle_irq() doesn't distinguish
CondChgd bit from other bits. Unlike the other status bits, CondChgd
bit doesn't represent overflow status for performance counters. Thus,
CondChgd bit cannot be thought of as a mark indicating a given NMI is
NMI watchdog's.
As a result, if CondChgd bit is set, any NMI is falsely handled by the
NMI handler of NMI watchdog. Also, if type of the falsely handled NMI
is either NMI_UNKNOWN, NMI_SERR or NMI_IO_CHECK, the corresponding
action is never performed until CondChgd bit is cleared.
I noticed this behavior on systems with Ivy Bridge processors: Intel
Xeon CPU E5-2630 v2 and Intel Xeon CPU E7-8890 v2. On both systems,
CondChgd bit in MSR_CORE_PERF_GLOBAL_STATUS MSR has already been set
in the beginning at boot. Then the CondChgd bit is immediately cleared
by next wrmsr to MSR_CORE_PERF_GLOBAL_CTRL MSR and appears to remain
0.
On the other hand, on older processors such as Nehalem, Xeon E7540,
CondChgd bit is not set in the beginning at boot.
I'm not sure about exact behavior of CondChgd bit, in particular when
this bit is set. Although I read Intel System Programmer's Manual to
figure out that, the descriptions I found are:
In 18.9.1:
"The MSR_PERF_GLOBAL_STATUS MSR also provides a ¡sticky bit¢ to
indicate changes to the state of performancmonitoring hardware"
In Table 35-2 IA-32 Architectural MSRs
63 CondChg: status bits of this register has changed.
These are different from the bahviour I see on the actual system as I
explained above.
At least, I think ignoring CondChgd bit should be enough for NMI
watchdog perspective.
Signed-off-by: HATAYAMA Daisuke <d.hatayama@jp.fujitsu.com>
Acked-by: Don Zickus <dzickus@redhat.com>
Signed-off-by: Peter Zijlstra <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-kernel@vger.kernel.org
Link: http://lkml.kernel.org/r/20140625.103503.409316067.d.hatayama@jp.fujitsu.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/x86/kernel/cpu/perf_event_intel.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/arch/x86/kernel/cpu/perf_event_intel.c b/arch/x86/kernel/cpu/perf_event_intel.c
index 0fa4f24..0b1825a 100644
--- a/arch/x86/kernel/cpu/perf_event_intel.c
+++ b/arch/x86/kernel/cpu/perf_event_intel.c
@@ -1385,6 +1385,15 @@ again:
intel_pmu_lbr_read();
/*
+ * CondChgd bit 63 doesn't mean any overflow status. Ignore
+ * and clear the bit.
+ */
+ if (__test_and_clear_bit(63, (unsigned long *)&status)) {
+ if (!status)
+ goto done;
+ }
+
+ /*
* PEBS overflow sets bit 62 in the global status register
*/
if (__test_and_clear_bit(62, (unsigned long *)&status)) {
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 112/259] perf: Do not allow optimized switch for non-cloned events
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (110 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 111/259] perf/x86/intel: ignore CondChgd bit to avoid false NMI handling Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 113/259] xen/manage: fix potential deadlock when resuming the console Kamal Mostafa
` (146 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Jiri Olsa, Peter Zijlstra, Arnaldo Carvalho de Melo,
Paul Mackerras, Frederic Weisbecker, Namhyung Kim, Corey Ashford,
David Ahern, Jiri Olsa, Linus Torvalds, Ingo Molnar,
Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Olsa <jolsa@redhat.com>
commit 1f9a7268c67f0290837aada443d28fd953ddca90 upstream.
The context check in perf_event_context_sched_out allows
non-cloned context to be part of the optimized schedule
out switch.
This could move non-cloned context into another workload
child. Once this child exits, the context is closed and
leaves all original (parent) events in closed state.
Any other new cloned event will have closed state and not
measure anything. And probably causing other odd bugs.
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Signed-off-by: Peter Zijlstra <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Corey Ashford <cjashfor@linux.vnet.ibm.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: http://lkml.kernel.org/r/1403598026-2310-2-git-send-email-jolsa@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
kernel/events/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index f0a8ac7..f8519d6 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -2296,7 +2296,7 @@ static void perf_event_context_sched_out(struct task_struct *task, int ctxn,
next_parent = rcu_dereference(next_ctx->parent_ctx);
/* If neither context have a parent context; they cannot be clones. */
- if (!parent && !next_parent)
+ if (!parent || !next_parent)
goto unlock;
if (next_parent == ctx || next_ctx == parent || next_parent == parent) {
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 113/259] xen/manage: fix potential deadlock when resuming the console
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (111 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 112/259] perf: Do not allow optimized switch for non-cloned events Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 114/259] iwlwifi: dvm: don't enable CTS to self Kamal Mostafa
` (145 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: David Vrabel, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: David Vrabel <david.vrabel@citrix.com>
commit 1b6478231c6f5f844185acb32045cf195028cfce upstream.
Calling xen_console_resume() in xen_suspend() causes a warning because
it locks irq_mapping_update_lock (a mutex) and this may sleep. If a
userspace process is using the evtchn device then this mutex may be
locked at the point of the stop_machine() call and
xen_console_resume() would then deadlock.
Resuming the console after stop_machine() returns avoids this
deadlock.
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/xen/manage.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/xen/manage.c b/drivers/xen/manage.c
index 624e8dc..0bc8086 100644
--- a/drivers/xen/manage.c
+++ b/drivers/xen/manage.c
@@ -95,7 +95,6 @@ static int xen_suspend(void *data)
if (!si->cancelled) {
xen_irq_resume();
- xen_console_resume();
xen_timer_resume();
}
@@ -152,6 +151,10 @@ static void do_suspend(void)
err = stop_machine(xen_suspend, &si, cpumask_of(0));
+ /* Resume console as early as possible. */
+ if (!si.cancelled)
+ xen_console_resume();
+
dpm_resume_start(si.cancelled ? PMSG_THAW : PMSG_RESTORE);
if (err) {
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 114/259] iwlwifi: dvm: don't enable CTS to self
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (112 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 113/259] xen/manage: fix potential deadlock when resuming the console Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 115/259] iwlwifi: mvm: disable CTS to Self Kamal Mostafa
` (144 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Emmanuel Grumbach, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
commit 43d826ca5979927131685cc2092c7ce862cb91cd upstream.
We should always prefer to use full RTS protection. Using
CTS to self gives a meaningless improvement, but this flow
is much harder for the firmware which is likely to have
issues with it.
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/wireless/iwlwifi/dvm/rxon.c | 12 ------------
1 file changed, 12 deletions(-)
diff --git a/drivers/net/wireless/iwlwifi/dvm/rxon.c b/drivers/net/wireless/iwlwifi/dvm/rxon.c
index d7ce2f1..6a5b759 100644
--- a/drivers/net/wireless/iwlwifi/dvm/rxon.c
+++ b/drivers/net/wireless/iwlwifi/dvm/rxon.c
@@ -1068,13 +1068,6 @@ int iwlagn_commit_rxon(struct iwl_priv *priv, struct iwl_rxon_context *ctx)
/* recalculate basic rates */
iwl_calc_basic_rates(priv, ctx);
- /*
- * force CTS-to-self frames protection if RTS-CTS is not preferred
- * one aggregation protection method
- */
- if (!priv->hw_params.use_rts_for_aggregation)
- ctx->staging.flags |= RXON_FLG_SELF_CTS_EN;
-
if ((ctx->vif && ctx->vif->bss_conf.use_short_slot) ||
!(ctx->staging.flags & RXON_FLG_BAND_24G_MSK))
ctx->staging.flags |= RXON_FLG_SHORT_SLOT_MSK;
@@ -1480,11 +1473,6 @@ void iwlagn_bss_info_changed(struct ieee80211_hw *hw,
else
ctx->staging.flags &= ~RXON_FLG_TGG_PROTECT_MSK;
- if (bss_conf->use_cts_prot)
- ctx->staging.flags |= RXON_FLG_SELF_CTS_EN;
- else
- ctx->staging.flags &= ~RXON_FLG_SELF_CTS_EN;
-
memcpy(ctx->staging.bssid_addr, bss_conf->bssid, ETH_ALEN);
if (vif->type == NL80211_IFTYPE_AP ||
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 115/259] iwlwifi: mvm: disable CTS to Self
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (113 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 114/259] iwlwifi: dvm: don't enable CTS to self Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 116/259] xen/balloon: set ballooned out pages as invalid in p2m Kamal Mostafa
` (143 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Emmanuel Grumbach, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
commit dc271ee0d04d12d6bfabacbec803289a7072fbd9 upstream.
Firmware folks seem say that this flag can make trouble.
Drop it. The advantage of CTS to self is that it slightly
reduces the cost of the protection, but make the protection
less reliable.
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
[ kamal: backport to 3.13-stable (context) ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/wireless/iwlwifi/mvm/mac-ctxt.c | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/drivers/net/wireless/iwlwifi/mvm/mac-ctxt.c b/drivers/net/wireless/iwlwifi/mvm/mac-ctxt.c
index f41f9b0..1fc0332 100644
--- a/drivers/net/wireless/iwlwifi/mvm/mac-ctxt.c
+++ b/drivers/net/wireless/iwlwifi/mvm/mac-ctxt.c
@@ -566,13 +566,8 @@ static void iwl_mvm_mac_ctxt_cmd_common(struct iwl_mvm *mvm,
if (vif->bss_conf.qos)
cmd->qos_flags |= cpu_to_le32(MAC_QOS_FLG_UPDATE_EDCA);
- /* Don't use cts to self as the fw doesn't support it currently. */
- if (vif->bss_conf.use_cts_prot) {
+ if (vif->bss_conf.use_cts_prot)
cmd->protection_flags |= cpu_to_le32(MAC_PROT_FLG_TGG_PROTECT);
- if (IWL_UCODE_API(mvm->fw->ucode_ver) >= 8)
- cmd->protection_flags |=
- cpu_to_le32(MAC_PROT_FLG_SELF_CTS_EN);
- }
/*
* I think that we should enable these 2 flags regardless the HT PROT
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 116/259] xen/balloon: set ballooned out pages as invalid in p2m
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (114 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 115/259] iwlwifi: mvm: disable CTS to Self Kamal Mostafa
@ 2014-08-08 20:38 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 117/259] mtd: devices: elm: fix elm_context_save() and elm_context_restore() functions Kamal Mostafa
` (142 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:38 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: David Vrabel, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: David Vrabel <david.vrabel@citrix.com>
commit fb9a0c443691ceaab3daba966bbbd9f5ff3aa26f upstream.
Since cd9151e26d31048b2b5e00fd02e110e07d2200c9 (xen/balloon: set a
mapping for ballooned out pages), a ballooned out page had its entry
in the p2m set to the MFN of one of the scratch pages. This means
that the p2m will contain many entries pointing to the same MFN.
During a domain save, these many-to-one entries are not identified as
such and the scratch page is saved multiple times. On restore the
ballooned pages are populated with new frames and the domain may use
up its allocation before all pages can be restored.
Since the original fix only needed to keep a mapping for the ballooned
page it is safe to set ballooned out pages as INVALID_P2M_ENTRY in the
p2m (as they were before). Thus preventing them from being saved and
re-populated on restore.
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Reported-by: Marek Marczykowski <marmarek@invisiblethingslab.com>
Tested-by: Marek Marczykowski <marmarek@invisiblethingslab.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/xen/balloon.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
index 2c85267..6b831b1 100644
--- a/drivers/xen/balloon.c
+++ b/drivers/xen/balloon.c
@@ -433,20 +433,18 @@ static enum bp_state decrease_reservation(unsigned long nr_pages, gfp_t gfp)
* p2m are consistent.
*/
if (!xen_feature(XENFEAT_auto_translated_physmap)) {
- unsigned long p;
- struct page *scratch_page = get_balloon_scratch_page();
-
if (!PageHighMem(page)) {
+ struct page *scratch_page = get_balloon_scratch_page();
+
ret = HYPERVISOR_update_va_mapping(
(unsigned long)__va(pfn << PAGE_SHIFT),
pfn_pte(page_to_pfn(scratch_page),
PAGE_KERNEL_RO), 0);
BUG_ON(ret);
- }
- p = page_to_pfn(scratch_page);
- __set_phys_to_machine(pfn, pfn_to_mfn(p));
- put_balloon_scratch_page();
+ put_balloon_scratch_page();
+ }
+ __set_phys_to_machine(pfn, INVALID_P2M_ENTRY);
}
#endif
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 117/259] mtd: devices: elm: fix elm_context_save() and elm_context_restore() functions
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (115 preceding siblings ...)
2014-08-08 20:38 ` [PATCH 3.13 116/259] xen/balloon: set ballooned out pages as invalid in p2m Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 118/259] fuse: timeout comparison fix Kamal Mostafa
` (141 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Ted Juan, Brian Norris, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Ted Juan <ted.juan@gmail.com>
commit 6938ad40cb97a52d88a763008935340729a4acc7 upstream.
These two function's switch case lack the 'break' that make them always
return error.
Signed-off-by: Ted Juan <ted.juan@gmail.com>
Acked-by: Pekon Gupta <pekon@ti.com>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/mtd/devices/elm.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/mtd/devices/elm.c b/drivers/mtd/devices/elm.c
index d1dd6a3..3059a7a 100644
--- a/drivers/mtd/devices/elm.c
+++ b/drivers/mtd/devices/elm.c
@@ -428,6 +428,7 @@ static int elm_context_save(struct elm_info *info)
ELM_SYNDROME_FRAGMENT_1 + offset);
regs->elm_syndrome_fragment_0[i] = elm_read_reg(info,
ELM_SYNDROME_FRAGMENT_0 + offset);
+ break;
default:
return -EINVAL;
}
@@ -466,6 +467,7 @@ static int elm_context_restore(struct elm_info *info)
regs->elm_syndrome_fragment_1[i]);
elm_write_reg(info, ELM_SYNDROME_FRAGMENT_0 + offset,
regs->elm_syndrome_fragment_0[i]);
+ break;
default:
return -EINVAL;
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 118/259] fuse: timeout comparison fix
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (116 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 117/259] mtd: devices: elm: fix elm_context_save() and elm_context_restore() functions Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 119/259] fuse: ignore entry-timeout on LOOKUP_REVAL Kamal Mostafa
` (140 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Miklos Szeredi, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Miklos Szeredi <mszeredi@suse.cz>
commit 126b9d4365b110c157bc4cbc32540dfa66c9c85a upstream.
As suggested by checkpatch.pl, use time_before64() instead of direct
comparison of jiffies64 values.
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
fs/fuse/dir.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
index c3eb2c4..ba60cfd 100644
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -188,7 +188,7 @@ static int fuse_dentry_revalidate(struct dentry *entry, unsigned int flags)
inode = ACCESS_ONCE(entry->d_inode);
if (inode && is_bad_inode(inode))
goto invalid;
- else if (fuse_dentry_time(entry) < get_jiffies_64()) {
+ else if (time_before64(fuse_dentry_time(entry), get_jiffies_64())) {
int err;
struct fuse_entry_out outarg;
struct fuse_req *req;
@@ -915,7 +915,7 @@ int fuse_update_attributes(struct inode *inode, struct kstat *stat,
int err;
bool r;
- if (fi->i_time < get_jiffies_64()) {
+ if (time_before64(fi->i_time, get_jiffies_64())) {
r = true;
err = fuse_do_getattr(inode, stat, file);
} else {
@@ -1101,7 +1101,7 @@ static int fuse_permission(struct inode *inode, int mask)
((mask & MAY_EXEC) && S_ISREG(inode->i_mode))) {
struct fuse_inode *fi = get_fuse_inode(inode);
- if (fi->i_time < get_jiffies_64()) {
+ if (time_before64(fi->i_time, get_jiffies_64())) {
refreshed = true;
err = fuse_perm_getattr(inode, mask);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 119/259] fuse: ignore entry-timeout on LOOKUP_REVAL
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (117 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 118/259] fuse: timeout comparison fix Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 120/259] fuse: handle large user and group ID Kamal Mostafa
` (139 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Anand Avati, Miklos Szeredi, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Anand Avati <avati@redhat.com>
commit 154210ccb3a871e631bf39fdeb7a8731d98af87b upstream.
The following test case demonstrates the bug:
sh# mount -t glusterfs localhost:meta-test /mnt/one
sh# mount -t glusterfs localhost:meta-test /mnt/two
sh# echo stuff > /mnt/one/file; rm -f /mnt/two/file; echo stuff > /mnt/one/file
bash: /mnt/one/file: Stale file handle
sh# echo stuff > /mnt/one/file; rm -f /mnt/two/file; sleep 1; echo stuff > /mnt/one/file
On the second open() on /mnt/one, FUSE would have used the old
nodeid (file handle) trying to re-open it. Gluster is returning
-ESTALE. The ESTALE propagates back to namei.c:filename_lookup()
where lookup is re-attempted with LOOKUP_REVAL. The right
behavior now, would be for FUSE to ignore the entry-timeout and
and do the up-call revalidation. Instead FUSE is ignoring
LOOKUP_REVAL, succeeding the revalidation (because entry-timeout
has not passed), and open() is again retried on the old file
handle and finally the ESTALE is going back to the application.
Fix: if revalidation is happening with LOOKUP_REVAL, then ignore
entry-timeout and always do the up-call.
Signed-off-by: Anand Avati <avati@redhat.com>
Reviewed-by: Niels de Vos <ndevos@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
fs/fuse/dir.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
index ba60cfd..989dabd 100644
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -188,7 +188,8 @@ static int fuse_dentry_revalidate(struct dentry *entry, unsigned int flags)
inode = ACCESS_ONCE(entry->d_inode);
if (inode && is_bad_inode(inode))
goto invalid;
- else if (time_before64(fuse_dentry_time(entry), get_jiffies_64())) {
+ else if (time_before64(fuse_dentry_time(entry), get_jiffies_64()) ||
+ (flags & LOOKUP_REVAL)) {
int err;
struct fuse_entry_out outarg;
struct fuse_req *req;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 120/259] fuse: handle large user and group ID
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (118 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 119/259] fuse: ignore entry-timeout on LOOKUP_REVAL Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 121/259] alarmtimer: Fix bug where relative alarm timers were treated as absolute Kamal Mostafa
` (138 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Miklos Szeredi, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Miklos Szeredi <mszeredi@suse.cz>
commit 233a01fa9c4c7c41238537e8db8434667ff28a2f upstream.
If the number in "user_id=N" or "group_id=N" mount options was larger than
INT_MAX then fuse returned EINVAL.
Fix this to handle all valid uid/gid values.
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
fs/fuse/inode.c | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
index d468643..73f6bcb 100644
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -461,6 +461,17 @@ static const match_table_t tokens = {
{OPT_ERR, NULL}
};
+static int fuse_match_uint(substring_t *s, unsigned int *res)
+{
+ int err = -ENOMEM;
+ char *buf = match_strdup(s);
+ if (buf) {
+ err = kstrtouint(buf, 10, res);
+ kfree(buf);
+ }
+ return err;
+}
+
static int parse_fuse_opt(char *opt, struct fuse_mount_data *d, int is_bdev)
{
char *p;
@@ -471,6 +482,7 @@ static int parse_fuse_opt(char *opt, struct fuse_mount_data *d, int is_bdev)
while ((p = strsep(&opt, ",")) != NULL) {
int token;
int value;
+ unsigned uv;
substring_t args[MAX_OPT_ARGS];
if (!*p)
continue;
@@ -494,18 +506,18 @@ static int parse_fuse_opt(char *opt, struct fuse_mount_data *d, int is_bdev)
break;
case OPT_USER_ID:
- if (match_int(&args[0], &value))
+ if (fuse_match_uint(&args[0], &uv))
return 0;
- d->user_id = make_kuid(current_user_ns(), value);
+ d->user_id = make_kuid(current_user_ns(), uv);
if (!uid_valid(d->user_id))
return 0;
d->user_id_present = 1;
break;
case OPT_GROUP_ID:
- if (match_int(&args[0], &value))
+ if (fuse_match_uint(&args[0], &uv))
return 0;
- d->group_id = make_kgid(current_user_ns(), value);
+ d->group_id = make_kgid(current_user_ns(), uv);
if (!gid_valid(d->group_id))
return 0;
d->group_id_present = 1;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 121/259] alarmtimer: Fix bug where relative alarm timers were treated as absolute
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (119 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 120/259] fuse: handle large user and group ID Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 122/259] irqchip: gic: Add support for cortex a7 compatible string Kamal Mostafa
` (137 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: John Stultz, Thomas Gleixner, Ingo Molnar, Prarit Bhargava,
Sharvil Nanavati, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: John Stultz <john.stultz@linaro.org>
commit 16927776ae757d0d132bdbfabbfe2c498342bd59 upstream.
Sharvil noticed with the posix timer_settime interface, using the
CLOCK_REALTIME_ALARM or CLOCK_BOOTTIME_ALARM clockid, if the users
tried to specify a relative time timer, it would incorrectly be
treated as absolute regardless of the state of the flags argument.
This patch corrects this, properly checking the absolute/relative flag,
as well as adds further error checking that no invalid flag bits are set.
Reported-by: Sharvil Nanavati <sharvil@google.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Prarit Bhargava <prarit@redhat.com>
Cc: Sharvil Nanavati <sharvil@google.com>
Link: http://lkml.kernel.org/r/1404767171-6902-1-git-send-email-john.stultz@linaro.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
kernel/time/alarmtimer.c | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/kernel/time/alarmtimer.c b/kernel/time/alarmtimer.c
index 88c9c65..fe75444 100644
--- a/kernel/time/alarmtimer.c
+++ b/kernel/time/alarmtimer.c
@@ -585,9 +585,14 @@ static int alarm_timer_set(struct k_itimer *timr, int flags,
struct itimerspec *new_setting,
struct itimerspec *old_setting)
{
+ ktime_t exp;
+
if (!rtcdev)
return -ENOTSUPP;
+ if (flags & ~TIMER_ABSTIME)
+ return -EINVAL;
+
if (old_setting)
alarm_timer_get(timr, old_setting);
@@ -597,8 +602,16 @@ static int alarm_timer_set(struct k_itimer *timr, int flags,
/* start the timer */
timr->it.alarm.interval = timespec_to_ktime(new_setting->it_interval);
- alarm_start(&timr->it.alarm.alarmtimer,
- timespec_to_ktime(new_setting->it_value));
+ exp = timespec_to_ktime(new_setting->it_value);
+ /* Convert (if necessary) to absolute time */
+ if (flags != TIMER_ABSTIME) {
+ ktime_t now;
+
+ now = alarm_bases[timr->it.alarm.alarmtimer.type].gettime();
+ exp = ktime_add(now, exp);
+ }
+
+ alarm_start(&timr->it.alarm.alarmtimer, exp);
return 0;
}
@@ -730,6 +743,9 @@ static int alarm_timer_nsleep(const clockid_t which_clock, int flags,
if (!alarmtimer_get_rtcdev())
return -ENOTSUPP;
+ if (flags & ~TIMER_ABSTIME)
+ return -EINVAL;
+
if (!capable(CAP_WAKE_ALARM))
return -EPERM;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 122/259] irqchip: gic: Add support for cortex a7 compatible string
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (120 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 121/259] alarmtimer: Fix bug where relative alarm timers were treated as absolute Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 123/259] net: mvneta: fix operation in 10 Mbit/s mode Kamal Mostafa
` (136 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Matthias Brugger, Jason Cooper, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthias Brugger <matthias.bgg@gmail.com>
commit a97e8027b1d28eafe6bafe062556c1ec926a49c6 upstream.
Patch 0a68214b "ARM: DT: Add binding for GIC virtualization extentions (VGIC)" added
the "arm,cortex-a7-gic" compatible string, but the corresponding IRQCHIP_DECLARE
was never added to the gic driver.
To let real Cortex-A7 SoCs use it, add the necessary declaration to the device driver.
Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
Link: https://lkml.kernel.org/r/1404388732-28890-1-git-send-email-matthias.bgg@gmail.com
Fixes: 0a68214b76ca ("ARM: DT: Add binding for GIC virtualization extentions (VGIC)")
Signed-off-by: Jason Cooper <jason@lakedaemon.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/irqchip/irq-gic.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/irqchip/irq-gic.c b/drivers/irqchip/irq-gic.c
index ac2d41b..ecf2565 100644
--- a/drivers/irqchip/irq-gic.c
+++ b/drivers/irqchip/irq-gic.c
@@ -1010,6 +1010,7 @@ int __init gic_of_init(struct device_node *node, struct device_node *parent)
}
IRQCHIP_DECLARE(cortex_a15_gic, "arm,cortex-a15-gic", gic_of_init);
IRQCHIP_DECLARE(cortex_a9_gic, "arm,cortex-a9-gic", gic_of_init);
+IRQCHIP_DECLARE(cortex_a7_gic, "arm,cortex-a7-gic", gic_of_init);
IRQCHIP_DECLARE(msm_8660_qgic, "qcom,msm-8660-qgic", gic_of_init);
IRQCHIP_DECLARE(msm_qgic2, "qcom,msm-qgic2", gic_of_init);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 123/259] net: mvneta: fix operation in 10 Mbit/s mode
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (121 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 122/259] irqchip: gic: Add support for cortex a7 compatible string Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 124/259] net: mvneta: Fix big endian issue in mvneta_txq_desc_csum() Kamal Mostafa
` (135 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Maggie Mae Roxas, Thomas Petazzoni, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
commit 4d12bc63ab5e48c1d78fa13883cf6fefcea3afb1 upstream.
As reported by Maggie Mae Roxas, the mvneta driver doesn't behave
properly in 10 Mbit/s mode. This is due to a misconfiguration of the
MVNETA_GMAC_AUTONEG_CONFIG register: bit MVNETA_GMAC_CONFIG_MII_SPEED
must be set for a 100 Mbit/s speed, but cleared for a 10 Mbit/s speed,
which the driver was not properly doing. This commit adjusts that by
setting the MVNETA_GMAC_CONFIG_MII_SPEED bit only in 100 Mbit/s mode,
and relying on the fact that all the speed related bits of this
register are cleared at the beginning of the mvneta_adjust_link()
function.
This problem exists since c5aff18204da0 ("net: mvneta: driver for
Marvell Armada 370/XP network unit") which is the commit that
introduced the mvneta driver in the kernel.
Fixes: c5aff18204da0 ("net: mvneta: driver for Marvell Armada 370/XP network unit")
Reported-by: Maggie Mae Roxas <maggie.mae.roxas@gmail.com>
Cc: Maggie Mae Roxas <maggie.mae.roxas@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/ethernet/marvell/mvneta.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
index d7aa22a..1c8dd19 100644
--- a/drivers/net/ethernet/marvell/mvneta.c
+++ b/drivers/net/ethernet/marvell/mvneta.c
@@ -2367,7 +2367,7 @@ static void mvneta_adjust_link(struct net_device *ndev)
if (phydev->speed == SPEED_1000)
val |= MVNETA_GMAC_CONFIG_GMII_SPEED;
- else
+ else if (phydev->speed == SPEED_100)
val |= MVNETA_GMAC_CONFIG_MII_SPEED;
mvreg_write(pp, MVNETA_GMAC_AUTONEG_CONFIG, val);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 124/259] net: mvneta: Fix big endian issue in mvneta_txq_desc_csum()
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (122 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 123/259] net: mvneta: fix operation in 10 Mbit/s mode Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 125/259] igb: Workaround for i210 Errata 25: Slow System Clock Kamal Mostafa
` (134 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Thomas Fitzsimmons, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fitzsimmons <fitzsim@fitzsim.org>
commit 0a1985879437d14bda8c90d0dae3455c467d7642 upstream.
This commit fixes the command value generated for CSUM calculation
when running in big endian mode. The Ethernet protocol ID for IP was
being unconditionally byte-swapped in the layer 3 protocol check (with
swab16), which caused the mvneta driver to not function correctly in
big endian mode. This patch byte-swaps the ID conditionally with
htons.
Signed-off-by: Thomas Fitzsimmons <fitzsim@fitzsim.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/ethernet/marvell/mvneta.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
index 1c8dd19..89c85b7 100644
--- a/drivers/net/ethernet/marvell/mvneta.c
+++ b/drivers/net/ethernet/marvell/mvneta.c
@@ -1212,7 +1212,7 @@ static u32 mvneta_txq_desc_csum(int l3_offs, int l3_proto,
command = l3_offs << MVNETA_TX_L3_OFF_SHIFT;
command |= ip_hdr_len << MVNETA_TX_IP_HLEN_SHIFT;
- if (l3_proto == swab16(ETH_P_IP))
+ if (l3_proto == htons(ETH_P_IP))
command |= MVNETA_TXD_IP_CSUM;
else
command |= MVNETA_TX_L3_IP6;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 125/259] igb: Workaround for i210 Errata 25: Slow System Clock
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (123 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 124/259] net: mvneta: Fix big endian issue in mvneta_txq_desc_csum() Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 126/259] x86/efi: Include a .bss section within the PE/COFF headers Kamal Mostafa
` (133 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Todd Fujinaka, Jeff Kirsher, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Todd Fujinaka <todd.fujinaka@intel.com>
commit 948264879b6894dc389a44b99fae4f0b72932619 upstream.
On some devices, the internal PLL circuit occasionally provides the
wrong clock frequency after power up. The probability of failure is less
than one failure per 1000 power cycles. When the failure occurs, the
internal clock frequency is around 1/20 of the correct frequency.
Signed-off-by: Todd Fujinaka <todd.fujinaka@intel.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/ethernet/intel/igb/e1000_82575.c | 7 +++
drivers/net/ethernet/intel/igb/e1000_defines.h | 18 +++----
drivers/net/ethernet/intel/igb/e1000_hw.h | 3 ++
drivers/net/ethernet/intel/igb/e1000_i210.c | 66 ++++++++++++++++++++++++++
drivers/net/ethernet/intel/igb/e1000_i210.h | 12 +++++
drivers/net/ethernet/intel/igb/e1000_regs.h | 1 +
drivers/net/ethernet/intel/igb/igb_main.c | 14 ++++++
7 files changed, 113 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/intel/igb/e1000_82575.c b/drivers/net/ethernet/intel/igb/e1000_82575.c
index 47c2d10..974558e 100644
--- a/drivers/net/ethernet/intel/igb/e1000_82575.c
+++ b/drivers/net/ethernet/intel/igb/e1000_82575.c
@@ -1403,6 +1403,13 @@ static s32 igb_init_hw_82575(struct e1000_hw *hw)
s32 ret_val;
u16 i, rar_count = mac->rar_entry_count;
+ if ((hw->mac.type >= e1000_i210) &&
+ !(igb_get_flash_presence_i210(hw))) {
+ ret_val = igb_pll_workaround_i210(hw);
+ if (ret_val)
+ return ret_val;
+ }
+
/* Initialize identification LED */
ret_val = igb_id_led_init(hw);
if (ret_val) {
diff --git a/drivers/net/ethernet/intel/igb/e1000_defines.h b/drivers/net/ethernet/intel/igb/e1000_defines.h
index 978eca3..956c4c3 100644
--- a/drivers/net/ethernet/intel/igb/e1000_defines.h
+++ b/drivers/net/ethernet/intel/igb/e1000_defines.h
@@ -46,14 +46,15 @@
/* Extended Device Control */
#define E1000_CTRL_EXT_SDP3_DATA 0x00000080 /* Value of SW Defineable Pin 3 */
/* Physical Func Reset Done Indication */
-#define E1000_CTRL_EXT_PFRSTD 0x00004000
-#define E1000_CTRL_EXT_LINK_MODE_MASK 0x00C00000
-#define E1000_CTRL_EXT_LINK_MODE_PCIE_SERDES 0x00C00000
-#define E1000_CTRL_EXT_LINK_MODE_1000BASE_KX 0x00400000
-#define E1000_CTRL_EXT_LINK_MODE_SGMII 0x00800000
-#define E1000_CTRL_EXT_LINK_MODE_GMII 0x00000000
-#define E1000_CTRL_EXT_EIAME 0x01000000
-#define E1000_CTRL_EXT_IRCA 0x00000001
+#define E1000_CTRL_EXT_PFRSTD 0x00004000
+#define E1000_CTRL_EXT_SDLPE 0X00040000 /* SerDes Low Power Enable */
+#define E1000_CTRL_EXT_LINK_MODE_MASK 0x00C00000
+#define E1000_CTRL_EXT_LINK_MODE_PCIE_SERDES 0x00C00000
+#define E1000_CTRL_EXT_LINK_MODE_1000BASE_KX 0x00400000
+#define E1000_CTRL_EXT_LINK_MODE_SGMII 0x00800000
+#define E1000_CTRL_EXT_LINK_MODE_GMII 0x00000000
+#define E1000_CTRL_EXT_EIAME 0x01000000
+#define E1000_CTRL_EXT_IRCA 0x00000001
/* Interrupt delay cancellation */
/* Driver loaded bit for FW */
#define E1000_CTRL_EXT_DRV_LOAD 0x10000000
@@ -62,6 +63,7 @@
/* packet buffer parity error detection enabled */
/* descriptor FIFO parity error detection enable */
#define E1000_CTRL_EXT_PBA_CLR 0x80000000 /* PBA Clear */
+#define E1000_CTRL_EXT_PHYPDEN 0x00100000
#define E1000_I2CCMD_REG_ADDR_SHIFT 16
#define E1000_I2CCMD_PHY_ADDR_SHIFT 24
#define E1000_I2CCMD_OPCODE_READ 0x08000000
diff --git a/drivers/net/ethernet/intel/igb/e1000_hw.h b/drivers/net/ethernet/intel/igb/e1000_hw.h
index 2e166b2..01c36b8 100644
--- a/drivers/net/ethernet/intel/igb/e1000_hw.h
+++ b/drivers/net/ethernet/intel/igb/e1000_hw.h
@@ -569,4 +569,7 @@ struct net_device *igb_get_hw_dev(struct e1000_hw *hw);
/* These functions must be implemented by drivers */
s32 igb_read_pcie_cap_reg(struct e1000_hw *hw, u32 reg, u16 *value);
s32 igb_write_pcie_cap_reg(struct e1000_hw *hw, u32 reg, u16 *value);
+
+void igb_read_pci_cfg(struct e1000_hw *hw, u32 reg, u16 *value);
+void igb_write_pci_cfg(struct e1000_hw *hw, u32 reg, u16 *value);
#endif /* _E1000_HW_H_ */
diff --git a/drivers/net/ethernet/intel/igb/e1000_i210.c b/drivers/net/ethernet/intel/igb/e1000_i210.c
index 0c03933..0217d4e 100644
--- a/drivers/net/ethernet/intel/igb/e1000_i210.c
+++ b/drivers/net/ethernet/intel/igb/e1000_i210.c
@@ -835,3 +835,69 @@ s32 igb_init_nvm_params_i210(struct e1000_hw *hw)
}
return ret_val;
}
+
+/**
+ * igb_pll_workaround_i210
+ * @hw: pointer to the HW structure
+ *
+ * Works around an errata in the PLL circuit where it occasionally
+ * provides the wrong clock frequency after power up.
+ **/
+s32 igb_pll_workaround_i210(struct e1000_hw *hw)
+{
+ s32 ret_val;
+ u32 wuc, mdicnfg, ctrl, ctrl_ext, reg_val;
+ u16 nvm_word, phy_word, pci_word, tmp_nvm;
+ int i;
+
+ /* Get and set needed register values */
+ wuc = rd32(E1000_WUC);
+ mdicnfg = rd32(E1000_MDICNFG);
+ reg_val = mdicnfg & ~E1000_MDICNFG_EXT_MDIO;
+ wr32(E1000_MDICNFG, reg_val);
+
+ /* Get data from NVM, or set default */
+ ret_val = igb_read_invm_word_i210(hw, E1000_INVM_AUTOLOAD,
+ &nvm_word);
+ if (ret_val)
+ nvm_word = E1000_INVM_DEFAULT_AL;
+ tmp_nvm = nvm_word | E1000_INVM_PLL_WO_VAL;
+ for (i = 0; i < E1000_MAX_PLL_TRIES; i++) {
+ /* check current state directly from internal PHY */
+ igb_read_phy_reg_gs40g(hw, (E1000_PHY_PLL_FREQ_PAGE |
+ E1000_PHY_PLL_FREQ_REG), &phy_word);
+ if ((phy_word & E1000_PHY_PLL_UNCONF)
+ != E1000_PHY_PLL_UNCONF) {
+ ret_val = 0;
+ break;
+ } else {
+ ret_val = -E1000_ERR_PHY;
+ }
+ /* directly reset the internal PHY */
+ ctrl = rd32(E1000_CTRL);
+ wr32(E1000_CTRL, ctrl|E1000_CTRL_PHY_RST);
+
+ ctrl_ext = rd32(E1000_CTRL_EXT);
+ ctrl_ext |= (E1000_CTRL_EXT_PHYPDEN | E1000_CTRL_EXT_SDLPE);
+ wr32(E1000_CTRL_EXT, ctrl_ext);
+
+ wr32(E1000_WUC, 0);
+ reg_val = (E1000_INVM_AUTOLOAD << 4) | (tmp_nvm << 16);
+ wr32(E1000_EEARBC_I210, reg_val);
+
+ igb_read_pci_cfg(hw, E1000_PCI_PMCSR, &pci_word);
+ pci_word |= E1000_PCI_PMCSR_D3;
+ igb_write_pci_cfg(hw, E1000_PCI_PMCSR, &pci_word);
+ usleep_range(1000, 2000);
+ pci_word &= ~E1000_PCI_PMCSR_D3;
+ igb_write_pci_cfg(hw, E1000_PCI_PMCSR, &pci_word);
+ reg_val = (E1000_INVM_AUTOLOAD << 4) | (nvm_word << 16);
+ wr32(E1000_EEARBC_I210, reg_val);
+
+ /* restore WUC register */
+ wr32(E1000_WUC, wuc);
+ }
+ /* restore MDICNFG setting */
+ wr32(E1000_MDICNFG, mdicnfg);
+ return ret_val;
+}
diff --git a/drivers/net/ethernet/intel/igb/e1000_i210.h b/drivers/net/ethernet/intel/igb/e1000_i210.h
index 2d91371..710f8e9 100644
--- a/drivers/net/ethernet/intel/igb/e1000_i210.h
+++ b/drivers/net/ethernet/intel/igb/e1000_i210.h
@@ -46,6 +46,7 @@ s32 igb_read_xmdio_reg(struct e1000_hw *hw, u16 addr, u8 dev_addr, u16 *data);
s32 igb_write_xmdio_reg(struct e1000_hw *hw, u16 addr, u8 dev_addr, u16 data);
s32 igb_init_nvm_params_i210(struct e1000_hw *hw);
bool igb_get_flash_presence_i210(struct e1000_hw *hw);
+s32 igb_pll_workaround_i210(struct e1000_hw *hw);
#define E1000_STM_OPCODE 0xDB00
#define E1000_EEPROM_FLASH_SIZE_WORD 0x11
@@ -91,4 +92,15 @@ enum E1000_INVM_STRUCTURE_TYPE {
#define NVM_LED_1_CFG_DEFAULT_I211 0x0184
#define NVM_LED_0_2_CFG_DEFAULT_I211 0x200C
+/* PLL Defines */
+#define E1000_PCI_PMCSR 0x44
+#define E1000_PCI_PMCSR_D3 0x03
+#define E1000_MAX_PLL_TRIES 5
+#define E1000_PHY_PLL_UNCONF 0xFF
+#define E1000_PHY_PLL_FREQ_PAGE 0xFC0000
+#define E1000_PHY_PLL_FREQ_REG 0x000E
+#define E1000_INVM_DEFAULT_AL 0x202F
+#define E1000_INVM_AUTOLOAD 0x0A
+#define E1000_INVM_PLL_WO_VAL 0x0010
+
#endif
diff --git a/drivers/net/ethernet/intel/igb/e1000_regs.h b/drivers/net/ethernet/intel/igb/e1000_regs.h
index 82632c6..7156981 100644
--- a/drivers/net/ethernet/intel/igb/e1000_regs.h
+++ b/drivers/net/ethernet/intel/igb/e1000_regs.h
@@ -69,6 +69,7 @@
#define E1000_PBA 0x01000 /* Packet Buffer Allocation - RW */
#define E1000_PBS 0x01008 /* Packet Buffer Size */
#define E1000_EEMNGCTL 0x01010 /* MNG EEprom Control */
+#define E1000_EEARBC_I210 0x12024 /* EEPROM Auto Read Bus Control */
#define E1000_EEWR 0x0102C /* EEPROM Write Register - RW */
#define E1000_I2CCMD 0x01028 /* SFPI2C Command Register - RW */
#define E1000_FRTIMER 0x01048 /* Free Running Timer - RW */
diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
index 0f42ce8..ddbf995 100644
--- a/drivers/net/ethernet/intel/igb/igb_main.c
+++ b/drivers/net/ethernet/intel/igb/igb_main.c
@@ -6914,6 +6914,20 @@ static int igb_ioctl(struct net_device *netdev, struct ifreq *ifr, int cmd)
}
}
+void igb_read_pci_cfg(struct e1000_hw *hw, u32 reg, u16 *value)
+{
+ struct igb_adapter *adapter = hw->back;
+
+ pci_read_config_word(adapter->pdev, reg, value);
+}
+
+void igb_write_pci_cfg(struct e1000_hw *hw, u32 reg, u16 *value)
+{
+ struct igb_adapter *adapter = hw->back;
+
+ pci_write_config_word(adapter->pdev, reg, *value);
+}
+
s32 igb_read_pcie_cap_reg(struct e1000_hw *hw, u32 reg, u16 *value)
{
struct igb_adapter *adapter = hw->back;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 126/259] x86/efi: Include a .bss section within the PE/COFF headers
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (124 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 125/259] igb: Workaround for i210 Errata 25: Slow System Clock Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 127/259] igb: do a reset on SR-IOV re-init if device is down Kamal Mostafa
` (132 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Michael Brown, Thomas Bächler, Josh Boyer, Matt Fleming,
Luis Henriques, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Brown <mbrown@fensystems.co.uk>
commit c7fb93ec51d462ec3540a729ba446663c26a0505 upstream.
The PE/COFF headers currently describe only the initialised-data
portions of the image, and result in no space being allocated for the
uninitialised-data portions. Consequently, the EFI boot stub will end
up overwriting unexpected areas of memory, with unpredictable results.
Fix by including a .bss section in the PE/COFF headers (functionally
equivalent to the init_size field in the bzImage header).
Signed-off-by: Michael Brown <mbrown@fensystems.co.uk>
Cc: Thomas Bächler <thomas@archlinux.org>
Cc: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
[ luis: backported to 3.11: used Michael's backport ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
| 26 ++++++++++++++++++++++----
arch/x86/boot/tools/build.c | 37 ++++++++++++++++++++++++++++++-------
2 files changed, 52 insertions(+), 11 deletions(-)
--git a/arch/x86/boot/header.S b/arch/x86/boot/header.S
index 9ec06a1..4257124 100644
--- a/arch/x86/boot/header.S
+++ b/arch/x86/boot/header.S
@@ -91,10 +91,9 @@ bs_die:
.section ".bsdata", "a"
bugger_off_msg:
- .ascii "Direct floppy boot is not supported. "
- .ascii "Use a boot loader program instead.\r\n"
+ .ascii "Use a boot loader.\r\n"
.ascii "\n"
- .ascii "Remove disk and press any key to reboot ...\r\n"
+ .ascii "Remove disk and press any key to reboot...\r\n"
.byte 0
#ifdef CONFIG_EFI_STUB
@@ -108,7 +107,7 @@ coff_header:
#else
.word 0x8664 # x86-64
#endif
- .word 3 # nr_sections
+ .word 4 # nr_sections
.long 0 # TimeDateStamp
.long 0 # PointerToSymbolTable
.long 1 # NumberOfSymbols
@@ -250,6 +249,25 @@ section_table:
.word 0 # NumberOfLineNumbers
.long 0x60500020 # Characteristics (section flags)
+ #
+ # The offset & size fields are filled in by build.c.
+ #
+ .ascii ".bss"
+ .byte 0
+ .byte 0
+ .byte 0
+ .byte 0
+ .long 0
+ .long 0x0
+ .long 0 # Size of initialized data
+ # on disk
+ .long 0x0
+ .long 0 # PointerToRelocations
+ .long 0 # PointerToLineNumbers
+ .word 0 # NumberOfRelocations
+ .word 0 # NumberOfLineNumbers
+ .long 0xc8000080 # Characteristics (section flags)
+
#endif /* CONFIG_EFI_STUB */
# Kernel attributes; used by setup. This is part 1 of the
diff --git a/arch/x86/boot/tools/build.c b/arch/x86/boot/tools/build.c
index 8e15b22..3dafaeb 100644
--- a/arch/x86/boot/tools/build.c
+++ b/arch/x86/boot/tools/build.c
@@ -142,7 +142,7 @@ static void usage(void)
#ifdef CONFIG_EFI_STUB
-static void update_pecoff_section_header(char *section_name, u32 offset, u32 size)
+static void update_pecoff_section_header_fields(char *section_name, u32 vma, u32 size, u32 datasz, u32 offset)
{
unsigned int pe_header;
unsigned short num_sections;
@@ -163,10 +163,10 @@ static void update_pecoff_section_header(char *section_name, u32 offset, u32 siz
put_unaligned_le32(size, section + 0x8);
/* section header vma field */
- put_unaligned_le32(offset, section + 0xc);
+ put_unaligned_le32(vma, section + 0xc);
/* section header 'size of initialised data' field */
- put_unaligned_le32(size, section + 0x10);
+ put_unaligned_le32(datasz, section + 0x10);
/* section header 'file offset' field */
put_unaligned_le32(offset, section + 0x14);
@@ -178,6 +178,11 @@ static void update_pecoff_section_header(char *section_name, u32 offset, u32 siz
}
}
+static void update_pecoff_section_header(char *section_name, u32 offset, u32 size)
+{
+ update_pecoff_section_header_fields(section_name, offset, size, size, offset);
+}
+
static void update_pecoff_setup_and_reloc(unsigned int size)
{
u32 setup_offset = 0x200;
@@ -202,9 +207,6 @@ static void update_pecoff_text(unsigned int text_start, unsigned int file_sz)
pe_header = get_unaligned_le32(&buf[0x3c]);
- /* Size of image */
- put_unaligned_le32(file_sz, &buf[pe_header + 0x50]);
-
/*
* Size of code: Subtract the size of the first sector (512 bytes)
* which includes the header.
@@ -219,6 +221,22 @@ static void update_pecoff_text(unsigned int text_start, unsigned int file_sz)
update_pecoff_section_header(".text", text_start, text_sz);
}
+static void update_pecoff_bss(unsigned int file_sz, unsigned int init_sz)
+{
+ unsigned int pe_header;
+ unsigned int bss_sz = init_sz - file_sz;
+
+ pe_header = get_unaligned_le32(&buf[0x3c]);
+
+ /* Size of uninitialized data */
+ put_unaligned_le32(bss_sz, &buf[pe_header + 0x24]);
+
+ /* Size of image */
+ put_unaligned_le32(init_sz, &buf[pe_header + 0x50]);
+
+ update_pecoff_section_header_fields(".bss", file_sz, bss_sz, 0, 0);
+}
+
#endif /* CONFIG_EFI_STUB */
@@ -270,6 +288,9 @@ int main(int argc, char ** argv)
int fd;
void *kernel;
u32 crc = 0xffffffffUL;
+#ifdef CONFIG_EFI_STUB
+ unsigned int init_sz;
+#endif
/* Defaults for old kernel */
#ifdef CONFIG_X86_32
@@ -343,7 +364,9 @@ int main(int argc, char ** argv)
put_unaligned_le32(sys_size, &buf[0x1f4]);
#ifdef CONFIG_EFI_STUB
- update_pecoff_text(setup_sectors * 512, sz + i + ((sys_size * 16) - sz));
+ update_pecoff_text(setup_sectors * 512, i + (sys_size * 16));
+ init_sz = get_unaligned_le32(&buf[0x260]);
+ update_pecoff_bss(i + (sys_size * 16), init_sz);
#ifdef CONFIG_X86_64 /* Yes, this is really how we defined it :( */
efi_stub_entry -= 0x200;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 127/259] igb: do a reset on SR-IOV re-init if device is down
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (125 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 126/259] x86/efi: Include a .bss section within the PE/COFF headers Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 128/259] iio:core: Handle error when mask type is not separate Kamal Mostafa
` (131 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Stefan Assmann, Jeff Kirsher, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Assmann <sassmann@kpanic.de>
commit 76252723e88681628a3dbb9c09c963e095476f73 upstream.
To properly re-initialize SR-IOV it is necessary to reset the device
even if it is already down. Not doing this may result in Tx unit hangs.
Signed-off-by: Stefan Assmann <sassmann@kpanic.de>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/ethernet/intel/igb/igb_main.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
index ddbf995..6e0c7a9 100644
--- a/drivers/net/ethernet/intel/igb/igb_main.c
+++ b/drivers/net/ethernet/intel/igb/igb_main.c
@@ -7857,6 +7857,8 @@ int igb_reinit_queues(struct igb_adapter *adapter)
if (netif_running(netdev))
igb_close(netdev);
+ else
+ igb_reset(adapter);
igb_clear_interrupt_scheme(adapter);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 128/259] iio:core: Handle error when mask type is not separate
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (126 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 127/259] igb: do a reset on SR-IOV re-init if device is down Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 129/259] of/irq: do irq resolution in platform_get_irq_byname() Kamal Mostafa
` (130 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Srinivas Pandruvada, Jonathan Cameron, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
commit 78b3321610bf920d7fceb1a0236faa881be0bcf3 upstream.
When event spec is shared by multiple channels, which has definition
for mask_shared_by_type, iio_device_register_eventset fails.
For example:
static const struct iio_event_spec iio_dummy_events[] = {
{
.type = IIO_EV_TYPE_THRESH,
.dir = IIO_EV_DIR_RISING,
.mask_separate = BIT(IIO_EV_INFO_ENABLE),
.mask_shared_by_type = BIT(IIO_EV_INFO_VALUE),
}, {
.type = IIO_EV_TYPE_THRESH,
.dir = IIO_EV_DIR_FALLING,
.mask_separate = BIT(IIO_EV_INFO_ENABLE),a
.mask_shared_by_type = BIT(IIO_EV_INFO_VALUE),
}
};
If two channels use this event spec, this will result in error.
This change handles EBUSY error similar to iio_device_add_info_mask_type().
Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/iio/industrialio-event.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/iio/industrialio-event.c b/drivers/iio/industrialio-event.c
index c10eab6..c531839 100644
--- a/drivers/iio/industrialio-event.c
+++ b/drivers/iio/industrialio-event.c
@@ -362,6 +362,9 @@ static int iio_device_add_event(struct iio_dev *indio_dev,
&indio_dev->event_interface->dev_attr_list);
kfree(postfix);
+ if ((ret == -EBUSY) && (shared_by != IIO_SEPARATE))
+ continue;
+
if (ret)
return ret;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 129/259] of/irq: do irq resolution in platform_get_irq_byname()
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (127 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 128/259] iio:core: Handle error when mask type is not separate Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 130/259] platform_get_irq: Revert to platform_get_resource if of_irq_get fails Kamal Mostafa
` (129 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Russell King, Rob Herring, Tony Lindgren, Grant Likely,
Thierry Reding, Grygorii Strashko, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Grygorii Strashko <grygorii.strashko@ti.com>
commit ad69674e73a18dc3a8da557f4059ccf9389531a5 upstream.
The commit 9ec36cafe43bf835f8f29273597a5b0cbc8267ef
"of/irq: do irq resolution in platform_get_irq" from Rob Herring -
moves resolving of the interrupt resources in platform_get_irq().
But this solution isn't complete because platform_get_irq_byname()
need to be modified the same way.
Hence, fix it by adding interrupt resolution code at the
platform_get_irq_byname() function too.
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Rob Herring <robh@kernel.org>
Cc: Tony Lindgren <tony@atomide.com>
Cc: Grant Likely <grant.likely@linaro.org>
Cc: Thierry Reding <thierry.reding@gmail.com>
Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
Signed-off-by: Grant Likely <grant.likely@linaro.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/base/platform.c | 7 +++++--
drivers/of/irq.c | 22 ++++++++++++++++++++++
include/linux/of_irq.h | 5 +++++
3 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/drivers/base/platform.c b/drivers/base/platform.c
index 39d2f6b..0d13679 100644
--- a/drivers/base/platform.c
+++ b/drivers/base/platform.c
@@ -131,9 +131,12 @@ EXPORT_SYMBOL_GPL(platform_get_resource_byname);
*/
int platform_get_irq_byname(struct platform_device *dev, const char *name)
{
- struct resource *r = platform_get_resource_byname(dev, IORESOURCE_IRQ,
- name);
+ struct resource *r;
+
+ if (IS_ENABLED(CONFIG_OF_IRQ) && dev->dev.of_node)
+ return of_irq_get_byname(dev->dev.of_node, name);
+ r = platform_get_resource_byname(dev, IORESOURCE_IRQ, name);
return r ? r->start : -ENXIO;
}
EXPORT_SYMBOL_GPL(platform_get_irq_byname);
diff --git a/drivers/of/irq.c b/drivers/of/irq.c
index 11c7f73..5d8c346 100644
--- a/drivers/of/irq.c
+++ b/drivers/of/irq.c
@@ -403,6 +403,28 @@ int of_irq_get(struct device_node *dev, int index)
}
/**
+ * of_irq_get_byname - Decode a node's IRQ and return it as a Linux irq number
+ * @dev: pointer to device tree node
+ * @name: irq name
+ *
+ * Returns Linux irq number on success, or -EPROBE_DEFER if the irq domain
+ * is not yet created, or error code in case of any other failure.
+ */
+int of_irq_get_byname(struct device_node *dev, const char *name)
+{
+ int index;
+
+ if (unlikely(!name))
+ return -EINVAL;
+
+ index = of_property_match_string(dev, "interrupt-names", name);
+ if (index < 0)
+ return index;
+
+ return of_irq_get(dev, index);
+}
+
+/**
* of_irq_count - Count the number of IRQs a node uses
* @dev: pointer to device tree node
*/
diff --git a/include/linux/of_irq.h b/include/linux/of_irq.h
index 6404253..bfec136 100644
--- a/include/linux/of_irq.h
+++ b/include/linux/of_irq.h
@@ -45,6 +45,7 @@ extern void of_irq_init(const struct of_device_id *matches);
#ifdef CONFIG_OF_IRQ
extern int of_irq_count(struct device_node *dev);
extern int of_irq_get(struct device_node *dev, int index);
+extern int of_irq_get_byname(struct device_node *dev, const char *name);
#else
static inline int of_irq_count(struct device_node *dev)
{
@@ -54,6 +55,10 @@ static inline int of_irq_get(struct device_node *dev, int index)
{
return 0;
}
+static inline int of_irq_get_byname(struct device_node *dev, const char *name)
+{
+ return 0;
+}
#endif
#if defined(CONFIG_OF)
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 130/259] platform_get_irq: Revert to platform_get_resource if of_irq_get fails
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (128 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 129/259] of/irq: do irq resolution in platform_get_irq_byname() Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 131/259] aio: protect reqs_available updates from changes in interrupt handlers Kamal Mostafa
` (128 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Russell King, Tony Lindgren, Grant Likely, Grygorii Strashko,
Guenter Roeck, Greg Kroah-Hartman, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
commit aff008ad813c7cf3cfe7b532e7ba2c526c136f22 upstream.
Commits 9ec36ca (of/irq: do irq resolution in platform_get_irq)
and ad69674 (of/irq: do irq resolution in platform_get_irq_byname)
change the semantics of platform_get_irq and platform_get_irq_byname
to always rely on devicetree information if devicetree is enabled
and if a devicetree node is attached to the device. The functions
now return an error if the devicetree data does not include interrupt
information, even if the information is available as platform resource
data.
This causes mfd client drivers to fail if the interrupt number is
passed via platform resources. Therefore, if of_irq_get fails, try
platform_get_resource as method of last resort. This restores the
original functionality for drivers depending on platform resources
to get irq information.
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Tony Lindgren <tony@atomide.com>
Cc: Grant Likely <grant.likely@linaro.org>
Cc: Grygorii Strashko <grygorii.strashko@ti.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Acked-by: Rob Herring <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/base/platform.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/drivers/base/platform.c b/drivers/base/platform.c
index 0d13679..f081b81 100644
--- a/drivers/base/platform.c
+++ b/drivers/base/platform.c
@@ -89,8 +89,13 @@ int platform_get_irq(struct platform_device *dev, unsigned int num)
return dev->archdata.irqs[num];
#else
struct resource *r;
- if (IS_ENABLED(CONFIG_OF_IRQ) && dev->dev.of_node)
- return of_irq_get(dev->dev.of_node, num);
+ if (IS_ENABLED(CONFIG_OF_IRQ) && dev->dev.of_node) {
+ int ret;
+
+ ret = of_irq_get(dev->dev.of_node, num);
+ if (ret >= 0 || ret == -EPROBE_DEFER)
+ return ret;
+ }
r = platform_get_resource(dev, IORESOURCE_IRQ, num);
@@ -133,8 +138,13 @@ int platform_get_irq_byname(struct platform_device *dev, const char *name)
{
struct resource *r;
- if (IS_ENABLED(CONFIG_OF_IRQ) && dev->dev.of_node)
- return of_irq_get_byname(dev->dev.of_node, name);
+ if (IS_ENABLED(CONFIG_OF_IRQ) && dev->dev.of_node) {
+ int ret;
+
+ ret = of_irq_get_byname(dev->dev.of_node, name);
+ if (ret >= 0 || ret == -EPROBE_DEFER)
+ return ret;
+ }
r = platform_get_resource_byname(dev, IORESOURCE_IRQ, name);
return r ? r->start : -ENXIO;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 131/259] aio: protect reqs_available updates from changes in interrupt handlers
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (129 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 130/259] platform_get_irq: Revert to platform_get_resource if of_irq_get fails Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 132/259] hwmon: (da9052) Don't use dash in the name attribute Kamal Mostafa
` (127 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Benjamin LaHaise, Jens Axboe, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin LaHaise <bcrl@kvack.org>
commit 263782c1c95bbddbb022dc092fd89a36bb8d5577 upstream.
As of commit f8567a3845ac05bb28f3c1b478ef752762bd39ef it is now possible to
have put_reqs_available() called from irq context. While put_reqs_available()
is per cpu, it did not protect itself from interrupts on the same CPU. This
lead to aio_complete() corrupting the available io requests count when run
under a heavy O_DIRECT workloads as reported by Robert Elliott. Fix this by
disabling irq updates around the per cpu batch updates of reqs_available.
Many thanks to Robert and folks for testing and tracking this down.
Reported-by: Robert Elliot <Elliott@hp.com>
Tested-by: Robert Elliot <Elliott@hp.com>
Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
Cc: Jens Axboe <axboe@kernel.dk>, Christoph Hellwig <hch@infradead.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
fs/aio.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/fs/aio.c b/fs/aio.c
index 19e7d95..a0d9e43 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -816,16 +816,20 @@ void exit_aio(struct mm_struct *mm)
static void put_reqs_available(struct kioctx *ctx, unsigned nr)
{
struct kioctx_cpu *kcpu;
+ unsigned long flags;
preempt_disable();
kcpu = this_cpu_ptr(ctx->cpu);
+ local_irq_save(flags);
kcpu->reqs_available += nr;
+
while (kcpu->reqs_available >= ctx->req_batch * 2) {
kcpu->reqs_available -= ctx->req_batch;
atomic_add(ctx->req_batch, &ctx->reqs_available);
}
+ local_irq_restore(flags);
preempt_enable();
}
@@ -833,10 +837,12 @@ static bool get_reqs_available(struct kioctx *ctx)
{
struct kioctx_cpu *kcpu;
bool ret = false;
+ unsigned long flags;
preempt_disable();
kcpu = this_cpu_ptr(ctx->cpu);
+ local_irq_save(flags);
if (!kcpu->reqs_available) {
int old, avail = atomic_read(&ctx->reqs_available);
@@ -855,6 +861,7 @@ static bool get_reqs_available(struct kioctx *ctx)
ret = true;
kcpu->reqs_available--;
out:
+ local_irq_restore(flags);
preempt_enable();
return ret;
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 132/259] hwmon: (da9052) Don't use dash in the name attribute
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (130 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 131/259] aio: protect reqs_available updates from changes in interrupt handlers Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 133/259] hwmon: (da9055) " Kamal Mostafa
` (126 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Axel Lin, Guenter Roeck, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Axel Lin <axel.lin@ingics.com>
commit ee14b644daaa58afe1e91bb9ebd9cf1b18d1f5fa upstream.
Dashes are not allowed in hwmon name attributes.
Use "da9052" instead of "da9052-hwmon".
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/hwmon/da9052-hwmon.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hwmon/da9052-hwmon.c b/drivers/hwmon/da9052-hwmon.c
index 960fac3..48044b0 100644
--- a/drivers/hwmon/da9052-hwmon.c
+++ b/drivers/hwmon/da9052-hwmon.c
@@ -194,7 +194,7 @@ static ssize_t da9052_hwmon_show_name(struct device *dev,
struct device_attribute *devattr,
char *buf)
{
- return sprintf(buf, "da9052-hwmon\n");
+ return sprintf(buf, "da9052\n");
}
static ssize_t show_label(struct device *dev,
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 133/259] hwmon: (da9055) Don't use dash in the name attribute
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (131 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 132/259] hwmon: (da9052) Don't use dash in the name attribute Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 134/259] net/l2tp: don't fall back on UDP [get|set]sockopt Kamal Mostafa
` (125 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Axel Lin, Guenter Roeck, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Axel Lin <axel.lin@ingics.com>
commit 6b00f440dd678d786389a7100a2e03fe44478431 upstream.
Dashes are not allowed in hwmon name attributes.
Use "da9055" instead of "da9055-hwmon".
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/hwmon/da9055-hwmon.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hwmon/da9055-hwmon.c b/drivers/hwmon/da9055-hwmon.c
index 029ecab..1b275a2 100644
--- a/drivers/hwmon/da9055-hwmon.c
+++ b/drivers/hwmon/da9055-hwmon.c
@@ -204,7 +204,7 @@ static ssize_t da9055_hwmon_show_name(struct device *dev,
struct device_attribute *devattr,
char *buf)
{
- return sprintf(buf, "da9055-hwmon\n");
+ return sprintf(buf, "da9055\n");
}
static ssize_t show_label(struct device *dev,
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 134/259] net/l2tp: don't fall back on UDP [get|set]sockopt
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (132 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 133/259] hwmon: (da9055) " Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 135/259] PM / sleep: Fix request_firmware() error at resume Kamal Mostafa
` (124 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Phil Turnbull, Vegard Nossum, Willy Tarreau, Linus Torvalds,
Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Sasha Levin <sasha.levin@oracle.com>
commit 3cf521f7dc87c031617fd47e4b7aa2593c2f3daf upstream.
The l2tp [get|set]sockopt() code has fallen back to the UDP functions
for socket option levels != SOL_PPPOL2TP since day one, but that has
never actually worked, since the l2tp socket isn't an inet socket.
As David Miller points out:
"If we wanted this to work, it'd have to look up the tunnel and then
use tunnel->sk, but I wonder how useful that would be"
Since this can never have worked so nobody could possibly have depended
on that functionality, just remove the broken code and return -EINVAL.
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Acked-by: James Chapman <jchapman@katalix.com>
Acked-by: David Miller <davem@davemloft.net>
Cc: Phil Turnbull <phil.turnbull@oracle.com>
Cc: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/l2tp/l2tp_ppp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index 8580b78..cfa1406 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -1365,7 +1365,7 @@ static int pppol2tp_setsockopt(struct socket *sock, int level, int optname,
int err;
if (level != SOL_PPPOL2TP)
- return udp_prot.setsockopt(sk, level, optname, optval, optlen);
+ return -EINVAL;
if (optlen < sizeof(int))
return -EINVAL;
@@ -1491,7 +1491,7 @@ static int pppol2tp_getsockopt(struct socket *sock, int level, int optname,
struct pppol2tp_session *ps;
if (level != SOL_PPPOL2TP)
- return udp_prot.getsockopt(sk, level, optname, optval, optlen);
+ return -EINVAL;
if (get_user(len, optlen))
return -EFAULT;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 135/259] PM / sleep: Fix request_firmware() error at resume
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (133 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 134/259] net/l2tp: don't fall back on UDP [get|set]sockopt Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 136/259] ALSA: hda - Fix broken PM due to incomplete i915 initialization Kamal Mostafa
` (123 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Takashi Iwai, Rafael J. Wysocki, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 4320f6b1d9db4ca912c5eb6ecb328b2e090e1586 upstream.
The commit [247bc037: PM / Sleep: Mitigate race between the freezer
and request_firmware()] introduced the finer state control, but it
also leads to a new bug; for example, a bug report regarding the
firmware loading of intel BT device at suspend/resume:
https://bugzilla.novell.com/show_bug.cgi?id=873790
The root cause seems to be a small window between the process resume
and the clear of usermodehelper lock. The request_firmware() function
checks the UMH lock and gives up when it's in UMH_DISABLE state. This
is for avoiding the invalid f/w loading during suspend/resume phase.
The problem is, however, that usermodehelper_enable() is called at the
end of thaw_processes(). Thus, a thawed process in between can kick
off the f/w loader code path (in this case, via btusb_setup_intel())
even before the call of usermodehelper_enable(). Then
usermodehelper_read_trylock() returns an error and request_firmware()
spews WARN_ON() in the end.
This oneliner patch fixes the issue just by setting to UMH_FREEZING
state again before restarting tasks, so that the call of
request_firmware() will be blocked until the end of this function
instead of returning an error.
Fixes: 247bc0374254 (PM / Sleep: Mitigate race between the freezer and request_firmware())
Link: https://bugzilla.novell.com/show_bug.cgi?id=873790
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
kernel/power/process.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/kernel/power/process.c b/kernel/power/process.c
index 06ec886..14f9a8d 100644
--- a/kernel/power/process.c
+++ b/kernel/power/process.c
@@ -184,6 +184,7 @@ void thaw_processes(void)
printk("Restarting tasks ... ");
+ __usermodehelper_set_disable_depth(UMH_FREEZING);
thaw_workqueues();
read_lock(&tasklist_lock);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 136/259] ALSA: hda - Fix broken PM due to incomplete i915 initialization
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (134 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 135/259] PM / sleep: Fix request_firmware() error at resume Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 137/259] tracing: Add ftrace_trace_stack into __trace_puts/__trace_bputs Kamal Mostafa
` (122 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Takashi Iwai, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 4da63c6fc426023d1a20e45508c47d7d68c6a53d upstream.
When the initialization of Intel HDMI controller fails due to missing
i915 kernel symbols (e.g. HD-audio is built in while i915 is module),
the driver discontinues the probe. However, since the probe was done
asynchronously, the driver object still remains, thus the relevant PM
ops are still called at suspend/resume. This results in the bad access
to the incomplete audio card object, eventually leads to Oops or stall
at PM.
This patch adds the missing checks of chip->init_failed flag at each
PM callback in order to fix the problem above.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=79561
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
sound/pci/hda/hda_intel.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
index eab13e2..e8de8a3 100644
--- a/sound/pci/hda/hda_intel.c
+++ b/sound/pci/hda/hda_intel.c
@@ -2949,7 +2949,7 @@ static int azx_suspend(struct device *dev)
struct azx *chip = card->private_data;
struct azx_pcm *p;
- if (chip->disabled)
+ if (chip->disabled || chip->init_failed)
return 0;
snd_power_change_state(card, SNDRV_CTL_POWER_D3hot);
@@ -2987,7 +2987,7 @@ static int azx_resume(struct device *dev)
struct snd_card *card = dev_get_drvdata(dev);
struct azx *chip = card->private_data;
- if (chip->disabled)
+ if (chip->disabled || chip->init_failed)
return 0;
if (chip->driver_caps & AZX_DCAPS_I915_POWERWELL) {
@@ -3024,7 +3024,7 @@ static int azx_runtime_suspend(struct device *dev)
struct snd_card *card = dev_get_drvdata(dev);
struct azx *chip = card->private_data;
- if (chip->disabled)
+ if (chip->disabled || chip->init_failed)
return 0;
if (!(chip->driver_caps & AZX_DCAPS_PM_RUNTIME))
@@ -3052,7 +3052,7 @@ static int azx_runtime_resume(struct device *dev)
struct hda_codec *codec;
int status;
- if (chip->disabled)
+ if (chip->disabled || chip->init_failed)
return 0;
if (!(chip->driver_caps & AZX_DCAPS_PM_RUNTIME))
@@ -3089,7 +3089,7 @@ static int azx_runtime_idle(struct device *dev)
struct snd_card *card = dev_get_drvdata(dev);
struct azx *chip = card->private_data;
- if (chip->disabled)
+ if (chip->disabled || chip->init_failed)
return 0;
if (!power_save_controller ||
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 137/259] tracing: Add ftrace_trace_stack into __trace_puts/__trace_bputs
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (135 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 136/259] ALSA: hda - Fix broken PM due to incomplete i915 initialization Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 138/259] tracing: Fix graph tracer with stack tracer on other archs Kamal Mostafa
` (121 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: zhangwei(Jovi), Steven Rostedt, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: "zhangwei(Jovi)" <jovi.zhangwei@huawei.com>
commit 8abfb8727f4a724d31f9ccfd8013fbd16d539445 upstream.
Currently trace option stacktrace is not applicable for
trace_printk with constant string argument, the reason is
in __trace_puts/__trace_bputs ftrace_trace_stack is missing.
In contrast, when using trace_printk with non constant string
argument(will call into __trace_printk/__trace_bprintk), then
trace option stacktrace is workable, this inconstant result
will confuses users a lot.
Link: http://lkml.kernel.org/p/51E7A7C9.9040401@huawei.com
Signed-off-by: zhangwei(Jovi) <jovi.zhangwei@huawei.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
kernel/trace/trace.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 9250479..d3db296 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -454,6 +454,9 @@ int __trace_puts(unsigned long ip, const char *str, int size)
struct print_entry *entry;
unsigned long irq_flags;
int alloc;
+ int pc;
+
+ pc = preempt_count();
if (unlikely(tracing_selftest_running || tracing_disabled))
return 0;
@@ -463,7 +466,7 @@ int __trace_puts(unsigned long ip, const char *str, int size)
local_save_flags(irq_flags);
buffer = global_trace.trace_buffer.buffer;
event = trace_buffer_lock_reserve(buffer, TRACE_PRINT, alloc,
- irq_flags, preempt_count());
+ irq_flags, pc);
if (!event)
return 0;
@@ -480,6 +483,7 @@ int __trace_puts(unsigned long ip, const char *str, int size)
entry->buf[size] = '\0';
__buffer_unlock_commit(buffer, event);
+ ftrace_trace_stack(buffer, irq_flags, 4, pc);
return size;
}
@@ -497,6 +501,9 @@ int __trace_bputs(unsigned long ip, const char *str)
struct bputs_entry *entry;
unsigned long irq_flags;
int size = sizeof(struct bputs_entry);
+ int pc;
+
+ pc = preempt_count();
if (unlikely(tracing_selftest_running || tracing_disabled))
return 0;
@@ -504,7 +511,7 @@ int __trace_bputs(unsigned long ip, const char *str)
local_save_flags(irq_flags);
buffer = global_trace.trace_buffer.buffer;
event = trace_buffer_lock_reserve(buffer, TRACE_BPUTS, size,
- irq_flags, preempt_count());
+ irq_flags, pc);
if (!event)
return 0;
@@ -513,6 +520,7 @@ int __trace_bputs(unsigned long ip, const char *str)
entry->str = str;
__buffer_unlock_commit(buffer, event);
+ ftrace_trace_stack(buffer, irq_flags, 4, pc);
return 1;
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 138/259] tracing: Fix graph tracer with stack tracer on other archs
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (136 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 137/259] tracing: Add ftrace_trace_stack into __trace_puts/__trace_bputs Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 139/259] tracing: Add TRACE_ITER_PRINTK flag check in __trace_puts/__trace_bputs Kamal Mostafa
` (120 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Steven Rostedt, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
commit 5f8bf2d263a20b986225ae1ed7d6759dc4b93af9 upstream.
Running my ftrace tests on PowerPC, it failed the test that checks
if function_graph tracer is affected by the stack tracer. It was.
Looking into this, I found that the update_function_graph_func()
must be called even if the trampoline function is not changed.
This is because archs like PowerPC do not support ftrace_ops being
passed by assembly and instead uses a helper function (what the
trampoline function points to). Since this function is not changed
even when multiple ftrace_ops are added to the code, the test that
falls out before calling update_function_graph_func() will miss that
the update must still be done.
Call update_function_graph_function() for all calls to
update_ftrace_function()
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
kernel/trace/ftrace.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
index 7db0614..bb4ca60 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -331,12 +331,12 @@ static void update_ftrace_function(void)
func = ftrace_ops_list_func;
}
+ update_function_graph_func();
+
/* If there's no change, then do nothing more here */
if (ftrace_trace_function == func)
return;
- update_function_graph_func();
-
/*
* If we are using the list function, it doesn't care
* about the function_trace_ops.
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 139/259] tracing: Add TRACE_ITER_PRINTK flag check in __trace_puts/__trace_bputs
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (137 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 138/259] tracing: Fix graph tracer with stack tracer on other archs Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 140/259] dm thin metadata: do not allow the data block size to change Kamal Mostafa
` (119 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: zhangwei(Jovi), Steven Rostedt, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: "zhangwei(Jovi)" <jovi.zhangwei@huawei.com>
commit f0160a5a2912267c02cfe692eac955c360de5fdf upstream.
The TRACE_ITER_PRINTK check in __trace_puts/__trace_bputs is missing,
so add it, to be consistent with __trace_printk/__trace_bprintk.
Those functions are all called by the same function: trace_printk().
Link: http://lkml.kernel.org/p/51E7A7D6.8090900@huawei.com
Signed-off-by: zhangwei(Jovi) <jovi.zhangwei@huawei.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
kernel/trace/trace.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index d3db296..83cb797 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -456,6 +456,9 @@ int __trace_puts(unsigned long ip, const char *str, int size)
int alloc;
int pc;
+ if (!(trace_flags & TRACE_ITER_PRINTK))
+ return 0;
+
pc = preempt_count();
if (unlikely(tracing_selftest_running || tracing_disabled))
@@ -503,6 +506,9 @@ int __trace_bputs(unsigned long ip, const char *str)
int size = sizeof(struct bputs_entry);
int pc;
+ if (!(trace_flags & TRACE_ITER_PRINTK))
+ return 0;
+
pc = preempt_count();
if (unlikely(tracing_selftest_running || tracing_disabled))
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 140/259] dm thin metadata: do not allow the data block size to change
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (138 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 139/259] tracing: Add TRACE_ITER_PRINTK flag check in __trace_puts/__trace_bputs Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 141/259] dm cache " Kamal Mostafa
` (118 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Mike Snitzer, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Mike Snitzer <snitzer@redhat.com>
commit 9aec8629ec829fc9403788cd959e05dd87988bd1 upstream.
The block size for the thin-pool's data device must remained fixed for
the life of the thin-pool. Disallow any attempt to change the
thin-pool's data block size.
It should be noted that attempting to change the data block size via
thin-pool table reload will be ignored as a side-effect of the thin-pool
handover that the thin-pool target does during thin-pool table reload.
Here is an example outcome of attempting to load a thin-pool table that
reduced the thin-pool's data block size from 1024K to 512K.
Before:
kernel: device-mapper: thin: 253:4: growing the data device from 204800 to 409600 blocks
After:
kernel: device-mapper: thin metadata: changing the data block size (from 2048 to 1024) is not supported
kernel: device-mapper: table: 253:4: thin-pool: Error creating metadata object
kernel: device-mapper: ioctl: error adding target to table
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Acked-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/md/dm-thin-metadata.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/md/dm-thin-metadata.c b/drivers/md/dm-thin-metadata.c
index 07a6ea3..b63095c 100644
--- a/drivers/md/dm-thin-metadata.c
+++ b/drivers/md/dm-thin-metadata.c
@@ -613,6 +613,15 @@ static int __open_metadata(struct dm_pool_metadata *pmd)
disk_super = dm_block_data(sblock);
+ /* Verify the data block size hasn't changed */
+ if (le32_to_cpu(disk_super->data_block_size) != pmd->data_block_size) {
+ DMERR("changing the data block size (from %u to %llu) is not supported",
+ le32_to_cpu(disk_super->data_block_size),
+ (unsigned long long)pmd->data_block_size);
+ r = -EINVAL;
+ goto bad_unlock_sblock;
+ }
+
r = __check_incompat_features(disk_super, pmd);
if (r < 0)
goto bad_unlock_sblock;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 141/259] dm cache metadata: do not allow the data block size to change
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (139 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 140/259] dm thin metadata: do not allow the data block size to change Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 142/259] quota: missing lock in dqcache_shrink_scan() Kamal Mostafa
` (117 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Mike Snitzer, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Mike Snitzer <snitzer@redhat.com>
commit 048e5a07f282c57815b3901d4a68a77fa131ce0a upstream.
The block size for the dm-cache's data device must remained fixed for
the life of the cache. Disallow any attempt to change the cache's data
block size.
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Acked-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/md/dm-cache-metadata.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/md/dm-cache-metadata.c b/drivers/md/dm-cache-metadata.c
index 5320332..a87d3fa 100644
--- a/drivers/md/dm-cache-metadata.c
+++ b/drivers/md/dm-cache-metadata.c
@@ -425,6 +425,15 @@ static int __open_metadata(struct dm_cache_metadata *cmd)
disk_super = dm_block_data(sblock);
+ /* Verify the data block size hasn't changed */
+ if (le32_to_cpu(disk_super->data_block_size) != cmd->data_block_size) {
+ DMERR("changing the data block size (from %u to %llu) is not supported",
+ le32_to_cpu(disk_super->data_block_size),
+ (unsigned long long)cmd->data_block_size);
+ r = -EINVAL;
+ goto bad;
+ }
+
r = __check_incompat_features(disk_super, cmd);
if (r < 0)
goto bad;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 142/259] quota: missing lock in dqcache_shrink_scan()
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (140 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 141/259] dm cache " Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 143/259] ring-buffer: Fix polling on trace_pipe Kamal Mostafa
` (116 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Niu Yawei, Jan Kara, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Niu Yawei <yawei.niu@gmail.com>
commit d68aab6b8f572406aa93b45ef6483934dd3b54a6 upstream.
Commit 1ab6c4997e04 (fs: convert fs shrinkers to new scan/count API)
accidentally removed locking from quota shrinker. Fix it -
dqcache_shrink_scan() should use dq_list_lock to protect the
scan on free_dquots list.
Fixes: 1ab6c4997e04a00c50c6d786c2f046adc0d1f5de
Signed-off-by: Niu Yawei <yawei.niu@intel.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
fs/quota/dquot.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
index cfc8dcc..ce87c90 100644
--- a/fs/quota/dquot.c
+++ b/fs/quota/dquot.c
@@ -702,6 +702,7 @@ dqcache_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
struct dquot *dquot;
unsigned long freed = 0;
+ spin_lock(&dq_list_lock);
head = free_dquots.prev;
while (head != &free_dquots && sc->nr_to_scan) {
dquot = list_entry(head, struct dquot, dq_free);
@@ -713,6 +714,7 @@ dqcache_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
freed++;
head = free_dquots.prev;
}
+ spin_unlock(&dq_list_lock);
return freed;
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 143/259] ring-buffer: Fix polling on trace_pipe
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (141 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 142/259] quota: missing lock in dqcache_shrink_scan() Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 144/259] sched: Fix possible divide by zero in avg_atom() calculation Kamal Mostafa
` (115 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Martin Lau, Steven Rostedt, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin Lau <kafai@fb.com>
commit 97b8ee845393701edc06e27ccec2876ff9596019 upstream.
ring_buffer_poll_wait() should always put the poll_table to its wait_queue
even there is immediate data available. Otherwise, the following epoll and
read sequence will eventually hang forever:
1. Put some data to make the trace_pipe ring_buffer read ready first
2. epoll_ctl(efd, EPOLL_CTL_ADD, trace_pipe_fd, ee)
3. epoll_wait()
4. read(trace_pipe_fd) till EAGAIN
5. Add some more data to the trace_pipe ring_buffer
6. epoll_wait() -> this epoll_wait() will block forever
~ During the epoll_ctl(efd, EPOLL_CTL_ADD,...) call in step 2,
ring_buffer_poll_wait() returns immediately without adding poll_table,
which has poll_table->_qproc pointing to ep_poll_callback(), to its
wait_queue.
~ During the epoll_wait() call in step 3 and step 6,
ring_buffer_poll_wait() cannot add ep_poll_callback() to its wait_queue
because the poll_table->_qproc is NULL and it is how epoll works.
~ When there is new data available in step 6, ring_buffer does not know
it has to call ep_poll_callback() because it is not in its wait queue.
Hence, block forever.
Other poll implementation seems to call poll_wait() unconditionally as the very
first thing to do. For example, tcp_poll() in tcp.c.
Link: http://lkml.kernel.org/p/20140610060637.GA14045@devbig242.prn2.facebook.com
Fixes: 2a2cc8f7c4d0 "ftrace: allow the event pipe to be polled"
Reviewed-by: Chris Mason <clm@fb.com>
Signed-off-by: Martin Lau <kafai@fb.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
kernel/trace/ring_buffer.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
index 0e337ee..bca008f 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -613,10 +613,6 @@ int ring_buffer_poll_wait(struct ring_buffer *buffer, int cpu,
struct ring_buffer_per_cpu *cpu_buffer;
struct rb_irq_work *work;
- if ((cpu == RING_BUFFER_ALL_CPUS && !ring_buffer_empty(buffer)) ||
- (cpu != RING_BUFFER_ALL_CPUS && !ring_buffer_empty_cpu(buffer, cpu)))
- return POLLIN | POLLRDNORM;
-
if (cpu == RING_BUFFER_ALL_CPUS)
work = &buffer->irq_work;
else {
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 144/259] sched: Fix possible divide by zero in avg_atom() calculation
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (142 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 143/259] ring-buffer: Fix polling on trace_pipe Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` Kamal Mostafa
` (114 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Mateusz Guzik, Peter Zijlstra, Linus Torvalds, Ingo Molnar,
Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Mateusz Guzik <mguzik@redhat.com>
commit b0ab99e7736af88b8ac1b7ae50ea287fffa2badc upstream.
proc_sched_show_task() does:
if (nr_switches)
do_div(avg_atom, nr_switches);
nr_switches is unsigned long and do_div truncates it to 32 bits, which
means it can test non-zero on e.g. x86-64 and be truncated to zero for
division.
Fix the problem by using div64_ul() instead.
As a side effect calculations of avg_atom for big nr_switches are now correct.
Signed-off-by: Mateusz Guzik <mguzik@redhat.com>
Signed-off-by: Peter Zijlstra <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: http://lkml.kernel.org/r/1402750809-31991-1-git-send-email-mguzik@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
kernel/sched/debug.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/sched/debug.c b/kernel/sched/debug.c
index 5c34d18..0c60913 100644
--- a/kernel/sched/debug.c
+++ b/kernel/sched/debug.c
@@ -608,7 +608,7 @@ void proc_sched_show_task(struct task_struct *p, struct seq_file *m)
avg_atom = p->se.sum_exec_runtime;
if (nr_switches)
- do_div(avg_atom, nr_switches);
+ avg_atom = div64_ul(avg_atom, nr_switches);
else
avg_atom = -1LL;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 145/259] locking/mutex: Disable optimistic spinning on some architectures
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 001/259] ACPI / PAD: call schedule() when need_resched() is true Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 002/259] KVM: ioapic: fix assignment of ioapic->rtc_status.pending_eoi (CVE-2014-0155) Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 004/259] sctp: Fix sk_ack_backlog wrap-around problem Kamal Mostafa
` (255 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Peter Zijlstra, David Miller, Chris Metcalf, James Bottomley,
Vineet Gupta, Jason Low, Waiman Long, James E.J. Bottomley,
Paul McKenney, John David Anglin, James Hogan, Linus Torvalds,
Davidlohr Bueso, Benjamin Herrenschmidt, Catalin Marinas,
Russell King, Will Deacon, linux-arm-kernel, linuxppc-dev,
sparclinux, Ingo Molnar, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
commit 4badad352a6bb202ec68afa7a574c0bb961e5ebc upstream.
The optimistic spin code assumes regular stores and cmpxchg() play nice;
this is found to not be true for at least: parisc, sparc32, tile32,
metag-lock1, arc-!llsc and hexagon.
There is further wreckage, but this in particular seemed easy to
trigger, so blacklist this.
Opt in for known good archs.
Signed-off-by: Peter Zijlstra <peterz@infradead.org>
Reported-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: David Miller <davem@davemloft.net>
Cc: Chris Metcalf <cmetcalf@tilera.com>
Cc: James Bottomley <James.Bottomley@hansenpartnership.com>
Cc: Vineet Gupta <vgupta@synopsys.com>
Cc: Jason Low <jason.low2@hp.com>
Cc: Waiman Long <waiman.long@hp.com>
Cc: "James E.J. Bottomley" <jejb@parisc-linux.org>
Cc: Paul McKenney <paulmck@linux.vnet.ibm.com>
Cc: John David Anglin <dave.anglin@bell.net>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Davidlohr Bueso <davidlohr@hp.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Will Deacon <will.deacon@arm.com>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-kernel@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: sparclinux@vger.kernel.org
Link: http://lkml.kernel.org/r/20140606175316.GV13930@laptop.programming.kicks-ass.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/arm/Kconfig | 1 +
arch/arm64/Kconfig | 1 +
arch/powerpc/Kconfig | 1 +
arch/sparc/Kconfig | 1 +
arch/x86/Kconfig | 1 +
kernel/Kconfig.locks | 5 ++++-
6 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index 31e1f44..b3d400d 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -6,6 +6,7 @@ config ARM
select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST
select ARCH_HAVE_CUSTOM_GPIO_H
select ARCH_MIGHT_HAVE_PC_PARPORT
+ select ARCH_SUPPORTS_ATOMIC_RMW
select ARCH_USE_CMPXCHG_LOCKREF
select ARCH_WANT_IPC_PARSE_VERSION
select BUILDTIME_EXTABLE_SORT if MMU
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 6d4dd22..bf0ed5d 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -2,6 +2,7 @@ config ARM64
def_bool y
select ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE
select ARCH_USE_CMPXCHG_LOCKREF
+ select ARCH_SUPPORTS_ATOMIC_RMW
select ARCH_WANT_OPTIONAL_GPIOLIB
select ARCH_WANT_COMPAT_IPC_PARSE_VERSION
select ARCH_WANT_FRAME_POINTERS
diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index b44b52c..ab43fa3 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -139,6 +139,7 @@ config PPC
select OLD_SIGACTION if PPC32
select HAVE_DEBUG_STACKOVERFLOW
select HAVE_IRQ_EXIT_ON_IRQ_STACK
+ select ARCH_SUPPORTS_ATOMIC_RMW
config GENERIC_CSUM
def_bool CPU_LITTLE_ENDIAN
diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig
index 6c95f4d..94cd9c1 100644
--- a/arch/sparc/Kconfig
+++ b/arch/sparc/Kconfig
@@ -76,6 +76,7 @@ config SPARC64
select ARCH_HAVE_NMI_SAFE_CMPXCHG
select HAVE_C_RECORDMCOUNT
select NO_BOOTMEM
+ select ARCH_SUPPORTS_ATOMIC_RMW
config ARCH_DEFCONFIG
string
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 9e31880..9562fc3 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -125,6 +125,7 @@ config X86
select RTC_LIB
select HAVE_DEBUG_STACKOVERFLOW
select HAVE_IRQ_EXIT_ON_IRQ_STACK if X86_64
+ select ARCH_SUPPORTS_ATOMIC_RMW
config INSTRUCTION_DECODER
def_bool y
diff --git a/kernel/Kconfig.locks b/kernel/Kconfig.locks
index d2b32ac..ecee67a 100644
--- a/kernel/Kconfig.locks
+++ b/kernel/Kconfig.locks
@@ -220,6 +220,9 @@ config INLINE_WRITE_UNLOCK_IRQRESTORE
endif
+config ARCH_SUPPORTS_ATOMIC_RMW
+ bool
+
config MUTEX_SPIN_ON_OWNER
def_bool y
- depends on SMP && !DEBUG_MUTEXES
+ depends on SMP && !DEBUG_MUTEXES && ARCH_SUPPORTS_ATOMIC_RMW
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 145/259] locking/mutex: Disable optimistic spinning on some architectures
@ 2014-08-08 20:39 ` Kamal Mostafa
0 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-arm-kernel
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
commit 4badad352a6bb202ec68afa7a574c0bb961e5ebc upstream.
The optimistic spin code assumes regular stores and cmpxchg() play nice;
this is found to not be true for at least: parisc, sparc32, tile32,
metag-lock1, arc-!llsc and hexagon.
There is further wreckage, but this in particular seemed easy to
trigger, so blacklist this.
Opt in for known good archs.
Signed-off-by: Peter Zijlstra <peterz@infradead.org>
Reported-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: David Miller <davem@davemloft.net>
Cc: Chris Metcalf <cmetcalf@tilera.com>
Cc: James Bottomley <James.Bottomley@hansenpartnership.com>
Cc: Vineet Gupta <vgupta@synopsys.com>
Cc: Jason Low <jason.low2@hp.com>
Cc: Waiman Long <waiman.long@hp.com>
Cc: "James E.J. Bottomley" <jejb@parisc-linux.org>
Cc: Paul McKenney <paulmck@linux.vnet.ibm.com>
Cc: John David Anglin <dave.anglin@bell.net>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Davidlohr Bueso <davidlohr@hp.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Will Deacon <will.deacon@arm.com>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-kernel@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: sparclinux@vger.kernel.org
Link: http://lkml.kernel.org/r/20140606175316.GV13930@laptop.programming.kicks-ass.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/arm/Kconfig | 1 +
arch/arm64/Kconfig | 1 +
arch/powerpc/Kconfig | 1 +
arch/sparc/Kconfig | 1 +
arch/x86/Kconfig | 1 +
kernel/Kconfig.locks | 5 ++++-
6 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index 31e1f44..b3d400d 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -6,6 +6,7 @@ config ARM
select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST
select ARCH_HAVE_CUSTOM_GPIO_H
select ARCH_MIGHT_HAVE_PC_PARPORT
+ select ARCH_SUPPORTS_ATOMIC_RMW
select ARCH_USE_CMPXCHG_LOCKREF
select ARCH_WANT_IPC_PARSE_VERSION
select BUILDTIME_EXTABLE_SORT if MMU
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 6d4dd22..bf0ed5d 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -2,6 +2,7 @@ config ARM64
def_bool y
select ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE
select ARCH_USE_CMPXCHG_LOCKREF
+ select ARCH_SUPPORTS_ATOMIC_RMW
select ARCH_WANT_OPTIONAL_GPIOLIB
select ARCH_WANT_COMPAT_IPC_PARSE_VERSION
select ARCH_WANT_FRAME_POINTERS
diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index b44b52c..ab43fa3 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -139,6 +139,7 @@ config PPC
select OLD_SIGACTION if PPC32
select HAVE_DEBUG_STACKOVERFLOW
select HAVE_IRQ_EXIT_ON_IRQ_STACK
+ select ARCH_SUPPORTS_ATOMIC_RMW
config GENERIC_CSUM
def_bool CPU_LITTLE_ENDIAN
diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig
index 6c95f4d..94cd9c1 100644
--- a/arch/sparc/Kconfig
+++ b/arch/sparc/Kconfig
@@ -76,6 +76,7 @@ config SPARC64
select ARCH_HAVE_NMI_SAFE_CMPXCHG
select HAVE_C_RECORDMCOUNT
select NO_BOOTMEM
+ select ARCH_SUPPORTS_ATOMIC_RMW
config ARCH_DEFCONFIG
string
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 9e31880..9562fc3 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -125,6 +125,7 @@ config X86
select RTC_LIB
select HAVE_DEBUG_STACKOVERFLOW
select HAVE_IRQ_EXIT_ON_IRQ_STACK if X86_64
+ select ARCH_SUPPORTS_ATOMIC_RMW
config INSTRUCTION_DECODER
def_bool y
diff --git a/kernel/Kconfig.locks b/kernel/Kconfig.locks
index d2b32ac..ecee67a 100644
--- a/kernel/Kconfig.locks
+++ b/kernel/Kconfig.locks
@@ -220,6 +220,9 @@ config INLINE_WRITE_UNLOCK_IRQRESTORE
endif
+config ARCH_SUPPORTS_ATOMIC_RMW
+ bool
+
config MUTEX_SPIN_ON_OWNER
def_bool y
- depends on SMP && !DEBUG_MUTEXES
+ depends on SMP && !DEBUG_MUTEXES && ARCH_SUPPORTS_ATOMIC_RMW
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 145/259] locking/mutex: Disable optimistic spinning on some architectures
@ 2014-08-08 20:39 ` Kamal Mostafa
0 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Peter Zijlstra, Catalin Marinas, Will Deacon, James Bottomley,
Davidlohr Bueso, sparclinux, Ingo Molnar, Russell King,
James E.J. Bottomley, Linus Torvalds, Paul McKenney, James Hogan,
Chris Metcalf, John David Anglin, linux-arm-kernel, Jason Low,
Waiman Long, Vineet Gupta, Kamal Mostafa, linuxppc-dev,
David Miller
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
commit 4badad352a6bb202ec68afa7a574c0bb961e5ebc upstream.
The optimistic spin code assumes regular stores and cmpxchg() play nice;
this is found to not be true for at least: parisc, sparc32, tile32,
metag-lock1, arc-!llsc and hexagon.
There is further wreckage, but this in particular seemed easy to
trigger, so blacklist this.
Opt in for known good archs.
Signed-off-by: Peter Zijlstra <peterz@infradead.org>
Reported-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: David Miller <davem@davemloft.net>
Cc: Chris Metcalf <cmetcalf@tilera.com>
Cc: James Bottomley <James.Bottomley@hansenpartnership.com>
Cc: Vineet Gupta <vgupta@synopsys.com>
Cc: Jason Low <jason.low2@hp.com>
Cc: Waiman Long <waiman.long@hp.com>
Cc: "James E.J. Bottomley" <jejb@parisc-linux.org>
Cc: Paul McKenney <paulmck@linux.vnet.ibm.com>
Cc: John David Anglin <dave.anglin@bell.net>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Davidlohr Bueso <davidlohr@hp.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Will Deacon <will.deacon@arm.com>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-kernel@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: sparclinux@vger.kernel.org
Link: http://lkml.kernel.org/r/20140606175316.GV13930@laptop.programming.kicks-ass.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/arm/Kconfig | 1 +
arch/arm64/Kconfig | 1 +
arch/powerpc/Kconfig | 1 +
arch/sparc/Kconfig | 1 +
arch/x86/Kconfig | 1 +
kernel/Kconfig.locks | 5 ++++-
6 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index 31e1f44..b3d400d 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -6,6 +6,7 @@ config ARM
select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST
select ARCH_HAVE_CUSTOM_GPIO_H
select ARCH_MIGHT_HAVE_PC_PARPORT
+ select ARCH_SUPPORTS_ATOMIC_RMW
select ARCH_USE_CMPXCHG_LOCKREF
select ARCH_WANT_IPC_PARSE_VERSION
select BUILDTIME_EXTABLE_SORT if MMU
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 6d4dd22..bf0ed5d 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -2,6 +2,7 @@ config ARM64
def_bool y
select ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE
select ARCH_USE_CMPXCHG_LOCKREF
+ select ARCH_SUPPORTS_ATOMIC_RMW
select ARCH_WANT_OPTIONAL_GPIOLIB
select ARCH_WANT_COMPAT_IPC_PARSE_VERSION
select ARCH_WANT_FRAME_POINTERS
diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index b44b52c..ab43fa3 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -139,6 +139,7 @@ config PPC
select OLD_SIGACTION if PPC32
select HAVE_DEBUG_STACKOVERFLOW
select HAVE_IRQ_EXIT_ON_IRQ_STACK
+ select ARCH_SUPPORTS_ATOMIC_RMW
config GENERIC_CSUM
def_bool CPU_LITTLE_ENDIAN
diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig
index 6c95f4d..94cd9c1 100644
--- a/arch/sparc/Kconfig
+++ b/arch/sparc/Kconfig
@@ -76,6 +76,7 @@ config SPARC64
select ARCH_HAVE_NMI_SAFE_CMPXCHG
select HAVE_C_RECORDMCOUNT
select NO_BOOTMEM
+ select ARCH_SUPPORTS_ATOMIC_RMW
config ARCH_DEFCONFIG
string
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 9e31880..9562fc3 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -125,6 +125,7 @@ config X86
select RTC_LIB
select HAVE_DEBUG_STACKOVERFLOW
select HAVE_IRQ_EXIT_ON_IRQ_STACK if X86_64
+ select ARCH_SUPPORTS_ATOMIC_RMW
config INSTRUCTION_DECODER
def_bool y
diff --git a/kernel/Kconfig.locks b/kernel/Kconfig.locks
index d2b32ac..ecee67a 100644
--- a/kernel/Kconfig.locks
+++ b/kernel/Kconfig.locks
@@ -220,6 +220,9 @@ config INLINE_WRITE_UNLOCK_IRQRESTORE
endif
+config ARCH_SUPPORTS_ATOMIC_RMW
+ bool
+
config MUTEX_SPIN_ON_OWNER
def_bool y
- depends on SMP && !DEBUG_MUTEXES
+ depends on SMP && !DEBUG_MUTEXES && ARCH_SUPPORTS_ATOMIC_RMW
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 145/259] locking/mutex: Disable optimistic spinning on some architectures
@ 2014-08-08 20:39 ` Kamal Mostafa
0 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-arm-kernel
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
commit 4badad352a6bb202ec68afa7a574c0bb961e5ebc upstream.
The optimistic spin code assumes regular stores and cmpxchg() play nice;
this is found to not be true for at least: parisc, sparc32, tile32,
metag-lock1, arc-!llsc and hexagon.
There is further wreckage, but this in particular seemed easy to
trigger, so blacklist this.
Opt in for known good archs.
Signed-off-by: Peter Zijlstra <peterz@infradead.org>
Reported-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: David Miller <davem@davemloft.net>
Cc: Chris Metcalf <cmetcalf@tilera.com>
Cc: James Bottomley <James.Bottomley@hansenpartnership.com>
Cc: Vineet Gupta <vgupta@synopsys.com>
Cc: Jason Low <jason.low2@hp.com>
Cc: Waiman Long <waiman.long@hp.com>
Cc: "James E.J. Bottomley" <jejb@parisc-linux.org>
Cc: Paul McKenney <paulmck@linux.vnet.ibm.com>
Cc: John David Anglin <dave.anglin@bell.net>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Davidlohr Bueso <davidlohr@hp.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Will Deacon <will.deacon@arm.com>
Cc: linux-arm-kernel at lists.infradead.org
Cc: linux-kernel at vger.kernel.org
Cc: linuxppc-dev at lists.ozlabs.org
Cc: sparclinux at vger.kernel.org
Link: http://lkml.kernel.org/r/20140606175316.GV13930 at laptop.programming.kicks-ass.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/arm/Kconfig | 1 +
arch/arm64/Kconfig | 1 +
arch/powerpc/Kconfig | 1 +
arch/sparc/Kconfig | 1 +
arch/x86/Kconfig | 1 +
kernel/Kconfig.locks | 5 ++++-
6 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index 31e1f44..b3d400d 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -6,6 +6,7 @@ config ARM
select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST
select ARCH_HAVE_CUSTOM_GPIO_H
select ARCH_MIGHT_HAVE_PC_PARPORT
+ select ARCH_SUPPORTS_ATOMIC_RMW
select ARCH_USE_CMPXCHG_LOCKREF
select ARCH_WANT_IPC_PARSE_VERSION
select BUILDTIME_EXTABLE_SORT if MMU
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 6d4dd22..bf0ed5d 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -2,6 +2,7 @@ config ARM64
def_bool y
select ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE
select ARCH_USE_CMPXCHG_LOCKREF
+ select ARCH_SUPPORTS_ATOMIC_RMW
select ARCH_WANT_OPTIONAL_GPIOLIB
select ARCH_WANT_COMPAT_IPC_PARSE_VERSION
select ARCH_WANT_FRAME_POINTERS
diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index b44b52c..ab43fa3 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -139,6 +139,7 @@ config PPC
select OLD_SIGACTION if PPC32
select HAVE_DEBUG_STACKOVERFLOW
select HAVE_IRQ_EXIT_ON_IRQ_STACK
+ select ARCH_SUPPORTS_ATOMIC_RMW
config GENERIC_CSUM
def_bool CPU_LITTLE_ENDIAN
diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig
index 6c95f4d..94cd9c1 100644
--- a/arch/sparc/Kconfig
+++ b/arch/sparc/Kconfig
@@ -76,6 +76,7 @@ config SPARC64
select ARCH_HAVE_NMI_SAFE_CMPXCHG
select HAVE_C_RECORDMCOUNT
select NO_BOOTMEM
+ select ARCH_SUPPORTS_ATOMIC_RMW
config ARCH_DEFCONFIG
string
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 9e31880..9562fc3 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -125,6 +125,7 @@ config X86
select RTC_LIB
select HAVE_DEBUG_STACKOVERFLOW
select HAVE_IRQ_EXIT_ON_IRQ_STACK if X86_64
+ select ARCH_SUPPORTS_ATOMIC_RMW
config INSTRUCTION_DECODER
def_bool y
diff --git a/kernel/Kconfig.locks b/kernel/Kconfig.locks
index d2b32ac..ecee67a 100644
--- a/kernel/Kconfig.locks
+++ b/kernel/Kconfig.locks
@@ -220,6 +220,9 @@ config INLINE_WRITE_UNLOCK_IRQRESTORE
endif
+config ARCH_SUPPORTS_ATOMIC_RMW
+ bool
+
config MUTEX_SPIN_ON_OWNER
def_bool y
- depends on SMP && !DEBUG_MUTEXES
+ depends on SMP && !DEBUG_MUTEXES && ARCH_SUPPORTS_ATOMIC_RMW
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 146/259] drm/qxl: return IRQ_NONE if it was not our irq
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (144 preceding siblings ...)
2014-08-08 20:39 ` Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 147/259] hwmon: (adt7470) Fix writes to temperature limit registers Kamal Mostafa
` (112 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Gerd Hoffmann, Jason Wang, Dave Airlie, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Wang <jasowang@redhat.com>
commit fbb60fe35ad579b511de8604b06a30b43846473b upstream.
Return IRQ_NONE if it was not our irq. This is necessary for the case
when qxl is sharing irq line with a device A in a crash kernel. If qxl
is initialized before A and A's irq was raised during this gap,
returning IRQ_HANDLED in this case will cause this irq to be raised
again after EOI since kernel think it was handled but in fact it was
not.
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/gpu/drm/qxl/qxl_irq.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/qxl/qxl_irq.c b/drivers/gpu/drm/qxl/qxl_irq.c
index 21393dc..f4b6b89 100644
--- a/drivers/gpu/drm/qxl/qxl_irq.c
+++ b/drivers/gpu/drm/qxl/qxl_irq.c
@@ -33,6 +33,9 @@ irqreturn_t qxl_irq_handler(DRM_IRQ_ARGS)
pending = xchg(&qdev->ram_header->int_pending, 0);
+ if (!pending)
+ return IRQ_NONE;
+
atomic_inc(&qdev->irq_received);
if (pending & QXL_INTERRUPT_DISPLAY) {
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 147/259] hwmon: (adt7470) Fix writes to temperature limit registers
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (145 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 146/259] drm/qxl: return IRQ_NONE if it was not our irq Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 148/259] cpufreq: move policy kobj to policy->cpu at resume Kamal Mostafa
` (111 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Guenter Roeck, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
commit de12d6f4b10b21854441f5242dcb29ea96181e58 upstream.
Temperature limit registers are signed. Limits therefore need
to be clamped to (-128, 127) degrees C and not to (0, 255)
degrees C.
Without this fix, writing a limit of 128 degrees C sets the
actual limit to -128 degrees C.
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Axel Lin <axel.lin@ingics.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/hwmon/adt7470.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/hwmon/adt7470.c b/drivers/hwmon/adt7470.c
index 0f4dea5..9ee3913 100644
--- a/drivers/hwmon/adt7470.c
+++ b/drivers/hwmon/adt7470.c
@@ -515,7 +515,7 @@ static ssize_t set_temp_min(struct device *dev,
return -EINVAL;
temp = DIV_ROUND_CLOSEST(temp, 1000);
- temp = clamp_val(temp, 0, 255);
+ temp = clamp_val(temp, -128, 127);
mutex_lock(&data->lock);
data->temp_min[attr->index] = temp;
@@ -549,7 +549,7 @@ static ssize_t set_temp_max(struct device *dev,
return -EINVAL;
temp = DIV_ROUND_CLOSEST(temp, 1000);
- temp = clamp_val(temp, 0, 255);
+ temp = clamp_val(temp, -128, 127);
mutex_lock(&data->lock);
data->temp_max[attr->index] = temp;
@@ -826,7 +826,7 @@ static ssize_t set_pwm_tmin(struct device *dev,
return -EINVAL;
temp = DIV_ROUND_CLOSEST(temp, 1000);
- temp = clamp_val(temp, 0, 255);
+ temp = clamp_val(temp, -128, 127);
mutex_lock(&data->lock);
data->pwm_tmin[attr->index] = temp;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 148/259] cpufreq: move policy kobj to policy->cpu at resume
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (146 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 147/259] hwmon: (adt7470) Fix writes to temperature limit registers Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 149/259] drm/radeon: avoid leaking edid data Kamal Mostafa
` (110 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Viresh Kumar, Rafael J. Wysocki, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Viresh Kumar <viresh.kumar@linaro.org>
commit 92c14bd9477a20a83144f08c0ca25b0308bf0730 upstream.
This is only relevant to implementations with multiple clusters, where clusters
have separate clock lines but all CPUs within a cluster share it.
Consider a dual cluster platform with 2 cores per cluster. During suspend we
start hot unplugging CPUs in order 1 to 3. When CPU2 is removed, policy->kobj
would be moved to CPU3 and when CPU3 goes down we wouldn't free policy or its
kobj as we want to retain permissions/values/etc.
Now on resume, we will get CPU2 before CPU3 and will call __cpufreq_add_dev().
We will recover the old policy and update policy->cpu from 3 to 2 from
update_policy_cpu().
But the kobj is still tied to CPU3 and isn't moved to CPU2. We wouldn't create a
link for CPU2, but would try that for CPU3 while bringing it online. Which will
report errors as CPU3 already has kobj assigned to it.
This bug got introduced with commit 42f921a, which overlooked this scenario.
To fix this, lets move kobj to the new policy->cpu while bringing first CPU of a
cluster back. Also do a WARN_ON() if kobject_move failed, as we would reach here
only for the first CPU of a non-boot cluster. And we can't recover from this
situation, if kobject_move() fails.
Fixes: 42f921a6f10c (cpufreq: remove sysfs files for CPUs which failed to come back after resume)
Reported-and-tested-by: Bu Yitian <ybu@qti.qualcomm.com>
Reported-by: Saravana Kannan <skannan@codeaurora.org>
Reviewed-by: Srivatsa S. Bhat <srivatsa@mit.edu>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ kamal: backport to 3.13-stable (context) ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/cpufreq/cpufreq.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
index 99a443e..c166b4a 100644
--- a/drivers/cpufreq/cpufreq.c
+++ b/drivers/cpufreq/cpufreq.c
@@ -1031,10 +1031,12 @@ static int __cpufreq_add_dev(struct device *dev, struct subsys_interface *sif,
* the creation of a brand new one. So we need to perform this update
* by invoking update_policy_cpu().
*/
- if (frozen && cpu != policy->cpu)
+ if (frozen && cpu != policy->cpu) {
update_policy_cpu(policy, cpu);
- else
+ WARN_ON(kobject_move(&policy->kobj, &dev->kobj));
+ } else {
policy->cpu = cpu;
+ }
policy->governor = CPUFREQ_DEFAULT_GOVERNOR;
cpumask_copy(policy->cpus, cpumask_of(cpu));
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 149/259] drm/radeon: avoid leaking edid data
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (147 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 148/259] cpufreq: move policy kobj to policy->cpu at resume Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 150/259] drm/radeon: set default bl level to something reasonable Kamal Mostafa
` (109 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Alex Deucher, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit 0ac66effe7fcdee55bda6d5d10d3372c95a41920 upstream.
In some cases we fetch the edid in the detect() callback
in order to determine what sort of monitor is connected.
If that happens, don't fetch the edid again in the get_modes()
callback or we will leak the edid.
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/gpu/drm/radeon/radeon_display.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c
index f3514ea..f41c080 100644
--- a/drivers/gpu/drm/radeon/radeon_display.c
+++ b/drivers/gpu/drm/radeon/radeon_display.c
@@ -753,6 +753,10 @@ int radeon_ddc_get_modes(struct radeon_connector *radeon_connector)
struct radeon_device *rdev = dev->dev_private;
int ret = 0;
+ /* don't leak the edid if we already fetched it in detect() */
+ if (radeon_connector->edid)
+ goto got_edid;
+
/* on hw with routers, select right port */
if (radeon_connector->router.ddc_valid)
radeon_router_select_ddc_port(radeon_connector);
@@ -792,6 +796,7 @@ int radeon_ddc_get_modes(struct radeon_connector *radeon_connector)
radeon_connector->edid = radeon_bios_get_hardcoded_edid(rdev);
}
if (radeon_connector->edid) {
+got_edid:
drm_mode_connector_update_edid_property(&radeon_connector->base, radeon_connector->edid);
ret = drm_add_edid_modes(&radeon_connector->base, radeon_connector->edid);
drm_edid_to_eld(&radeon_connector->base, radeon_connector->edid);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 150/259] drm/radeon: set default bl level to something reasonable
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (148 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 149/259] drm/radeon: avoid leaking edid data Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 151/259] usb: chipidea: udc: Disable auto ZLP generation on ep0 Kamal Mostafa
` (108 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Alex Deucher, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit 201bb62402e0227375c655446ea04fcd0acf7287 upstream.
If the value in the scratch register is 0, set it to the
max level. This fixes an issue where the console fb blanking
code calls back into the backlight driver on unblank and then
sets the backlight level to 0 after the driver has already
set the mode and enabled the backlight.
bugs:
https://bugs.freedesktop.org/show_bug.cgi?id=81382
https://bugs.freedesktop.org/show_bug.cgi?id=70207
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Tested-by: David Heidelberger <david.heidelberger@ixit.cz>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/gpu/drm/radeon/atombios_encoders.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/radeon/atombios_encoders.c b/drivers/gpu/drm/radeon/atombios_encoders.c
index 95ac45e..a3ab59a 100644
--- a/drivers/gpu/drm/radeon/atombios_encoders.c
+++ b/drivers/gpu/drm/radeon/atombios_encoders.c
@@ -183,7 +183,6 @@ void radeon_atom_backlight_init(struct radeon_encoder *radeon_encoder,
struct backlight_properties props;
struct radeon_backlight_privdata *pdata;
struct radeon_encoder_atom_dig *dig;
- u8 backlight_level;
char bl_name[16];
/* Mac laptops with multiple GPUs use the gmux driver for backlight
@@ -222,12 +221,17 @@ void radeon_atom_backlight_init(struct radeon_encoder *radeon_encoder,
pdata->encoder = radeon_encoder;
- backlight_level = radeon_atom_get_backlight_level_from_reg(rdev);
-
dig = radeon_encoder->enc_priv;
dig->bl_dev = bd;
bd->props.brightness = radeon_atom_backlight_get_brightness(bd);
+ /* Set a reasonable default here if the level is 0 otherwise
+ * fbdev will attempt to turn the backlight on after console
+ * unblanking and it will try and restore 0 which turns the backlight
+ * off again.
+ */
+ if (bd->props.brightness == 0)
+ bd->props.brightness = RADEON_MAX_BL_LEVEL;
bd->props.power = FB_BLANK_UNBLANK;
backlight_update_status(bd);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 151/259] usb: chipidea: udc: Disable auto ZLP generation on ep0
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (149 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 150/259] drm/radeon: set default bl level to something reasonable Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 152/259] usb: Check if port status is equal to RxDetect Kamal Mostafa
` (107 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Abbas Raza, Peter Chen, Greg Kroah-Hartman, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Abbas Raza <Abbas_Raza@mentor.com>
commit 953c66469735aed8d2ada639a72b150f01dae605 upstream.
There are 2 methods for ZLP (zero-length packet) generation:
1) In software
2) Automatic generation by device controller
1) is implemented in UDC driver and it attaches ZLP to IN packet if
descriptor->size < wLength
2) can be enabled/disabled by setting ZLT bit in the QH
When gadget ffs is connected to ubuntu host, the host sends
get descriptor request and wLength in setup packet is 255 while the
size of descriptor which will be sent by gadget in IN packet is
64 byte. So the composite driver sets req->zero = 1.
In UDC driver following code will be executed then
if (hwreq->req.zero && hwreq->req.length
&& (hwreq->req.length % hwep->ep.maxpacket == 0))
add_td_to_list(hwep, hwreq, 0);
Case-A:
So in case of ubuntu host, UDC driver will attach a ZLP to the IN packet.
ubuntu host will request 255 byte in IN request, gadget will send 64 byte
with ZLP and host will come to know that there is no more data.
But hold on, by default ZLT=0 for endpoint 0 so hardware also tries to
automatically generate the ZLP which blocks enumeration for ~6 seconds due
to endpoint 0 STALL, NAKs are sent to host for any requests (OUT/PING)
Case-B:
In case when gadget ffs is connected to Apple device, Apple device sends
setup packet with wLength=64. So descriptor->size = 64 and wLength=64
therefore req->zero = 0 and UDC driver will not attach any ZLP to the
IN packet. Apple device requests 64 bytes, gets 64 bytes and doesn't
further request for IN data. But ZLT=0 by default for endpoint 0 so
hardware tries to automatically generate the ZLP which blocks enumeration
for ~6 seconds due to endpoint 0 STALL, NAKs are sent to host for any
requests (OUT/PING)
According to USB2.0 specs:
8.5.3.2 Variable-length Data Stage
A control pipe may have a variable-length data phase in which the
host requests more data than is contained in the specified data
structure. When all of the data structure is returned to the host,
the function should indicate that the Data stage is ended by
returning a packet that is shorter than the MaxPacketSize for the
pipe. If the data structure is an exact multiple of wMaxPacketSize
for the pipe, the function will return a zero-length packet to indicate
the end of the Data stage.
In Case-A mentioned above:
If we disable software ZLP generation & ZLT=0 for endpoint 0 OR if software
ZLP generation is not disabled but we set ZLT=1 for endpoint 0 then
enumeration doesn't block for 6 seconds.
In Case-B mentioned above:
If we disable software ZLP generation & ZLT=0 for endpoint then enumeration
still blocks due to ZLP automatically generated by hardware and host not needing
it. But if we keep software ZLP generation enabled but we set ZLT=1 for
endpoint 0 then enumeration doesn't block for 6 seconds.
So the proper solution for this issue seems to disable automatic ZLP generation
by hardware (i.e by setting ZLT=1 for endpoint 0) and let software (UDC driver)
handle the ZLP generation based on req->zero field.
Signed-off-by: Abbas Raza <Abbas_Raza@mentor.com>
Signed-off-by: Peter Chen <peter.chen@freescale.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/usb/chipidea/udc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/chipidea/udc.c b/drivers/usb/chipidea/udc.c
index 71d0d35..6c8b198 100644
--- a/drivers/usb/chipidea/udc.c
+++ b/drivers/usb/chipidea/udc.c
@@ -1179,8 +1179,8 @@ static int ep_enable(struct usb_ep *ep,
if (hwep->type == USB_ENDPOINT_XFER_CONTROL)
cap |= QH_IOS;
- if (hwep->num)
- cap |= QH_ZLT;
+
+ cap |= QH_ZLT;
cap |= (hwep->ep.maxpacket << __ffs(QH_MAX_PKT)) & QH_MAX_PKT;
/*
* For ISO-TX, we set mult at QH as the largest value, and use
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 152/259] usb: Check if port status is equal to RxDetect
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (150 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 151/259] usb: chipidea: udc: Disable auto ZLP generation on ep0 Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 153/259] irqchip: gic: Fix core ID calculation when topology is read from DT Kamal Mostafa
` (106 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Gavin Guo, Greg Kroah-Hartman, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Gavin Guo <gavin.guo@canonical.com>
commit bb86cf569bbd7ad4dce581a37c7fbd748057e9dc upstream.
When using USB 3.0 pen drive with the [AMD] FCH USB XHCI Controller
[1022:7814], the second hotplugging will experience the USB 3.0 pen
drive is recognized as high-speed device. After bisecting the kernel,
I found the commit number 41e7e056cdc662f704fa9262e5c6e213b4ab45dd
(USB: Allow USB 3.0 ports to be disabled.) causes the bug. After doing
some experiments, the bug can be fixed by avoiding executing the function
hub_usb3_port_disable(). Because the port status with [AMD] FCH USB
XHCI Controlleris [1022:7814] is already in RxDetect
(I tried printing out the port status before setting to Disabled state),
it's reasonable to check the port status before really executing
hub_usb3_port_disable().
Fixes: 41e7e056cdc6 (USB: Allow USB 3.0 ports to be disabled.)
Signed-off-by: Gavin Guo <gavin.guo@canonical.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/usb/core/hub.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index 7f139f3..2de2f27 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -891,6 +891,25 @@ static int hub_usb3_port_disable(struct usb_hub *hub, int port1)
if (!hub_is_superspeed(hub->hdev))
return -EINVAL;
+ ret = hub_port_status(hub, port1, &portstatus, &portchange);
+ if (ret < 0)
+ return ret;
+
+ /*
+ * USB controller Advanced Micro Devices, Inc. [AMD] FCH USB XHCI
+ * Controller [1022:7814] will have spurious result making the following
+ * usb 3.0 device hotplugging route to the 2.0 root hub and recognized
+ * as high-speed device if we set the usb 3.0 port link state to
+ * Disabled. Since it's already in USB_SS_PORT_LS_RX_DETECT state, we
+ * check the state here to avoid the bug.
+ */
+ if ((portstatus & USB_PORT_STAT_LINK_STATE) ==
+ USB_SS_PORT_LS_RX_DETECT) {
+ dev_dbg(&hub->ports[port1 - 1]->dev,
+ "Not disabling port; link state is RxDetect\n");
+ return ret;
+ }
+
ret = hub_set_port_link_state(hub, port1, USB_SS_PORT_LS_SS_DISABLED);
if (ret)
return ret;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 153/259] irqchip: gic: Fix core ID calculation when topology is read from DT
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (151 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 152/259] usb: Check if port status is equal to RxDetect Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 154/259] slab_common: fix the check for duplicate slab names Kamal Mostafa
` (105 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Tomasz Figa, Jason Cooper, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Figa <t.figa@samsung.com>
commit 29e697b11853d3f83b1864ae385abdad4aa2c361 upstream.
Certain GIC implementation, namely those found on earlier, single
cluster, Exynos SoCs, have registers mapped without per-CPU banking,
which means that the driver needs to use different offset for each CPU.
Currently the driver calculates the offset by multiplying value returned
by cpu_logical_map() by CPU offset parsed from DT. This is correct when
CPU topology is not specified in DT and aforementioned function returns
core ID alone. However when DT contains CPU topology, the function
changes to return cluster ID as well, which is non-zero on mentioned
SoCs and so breaks the calculation in GIC driver.
This patch fixes this by masking out cluster ID in CPU offset
calculation so that only core ID is considered. Multi-cluster Exynos
SoCs already have banked GIC implementations, so this simple fix should
be enough.
Reported-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Reported-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Tomasz Figa <t.figa@samsung.com>
Fixes: db0d4db22a78d ("ARM: gic: allow GIC to support non-banked setups")
Link: https://lkml.kernel.org/r/1405610624-18722-1-git-send-email-t.figa@samsung.com
Signed-off-by: Jason Cooper <jason@lakedaemon.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/irqchip/irq-gic.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/irqchip/irq-gic.c b/drivers/irqchip/irq-gic.c
index ecf2565..2e00501 100644
--- a/drivers/irqchip/irq-gic.c
+++ b/drivers/irqchip/irq-gic.c
@@ -42,6 +42,7 @@
#include <linux/irqchip/chained_irq.h>
#include <linux/irqchip/arm-gic.h>
+#include <asm/cputype.h>
#include <asm/irq.h>
#include <asm/exception.h>
#include <asm/smp_plat.h>
@@ -903,7 +904,9 @@ void __init gic_init_bases(unsigned int gic_nr, int irq_start,
}
for_each_possible_cpu(cpu) {
- unsigned long offset = percpu_offset * cpu_logical_map(cpu);
+ u32 mpidr = cpu_logical_map(cpu);
+ u32 core_id = MPIDR_AFFINITY_LEVEL(mpidr, 0);
+ unsigned long offset = percpu_offset * core_id;
*per_cpu_ptr(gic->dist_base.percpu_base, cpu) = dist_base + offset;
*per_cpu_ptr(gic->cpu_base.percpu_base, cpu) = cpu_base + offset;
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 154/259] slab_common: fix the check for duplicate slab names
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (152 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 153/259] irqchip: gic: Fix core ID calculation when topology is read from DT Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 155/259] xtensa: add fixup for double exception raised in window overflow Kamal Mostafa
` (104 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Mikulas Patocka, Pekka Enberg, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit 694617474e33b8603fc76e090ed7d09376514b1a upstream.
The patch 3e374919b314f20e2a04f641ebc1093d758f66a4 is supposed to fix the
problem where kmem_cache_create incorrectly reports duplicate cache name
and fails. The problem is described in the header of that patch.
However, the patch doesn't really fix the problem because of these
reasons:
* the logic to test for debugging is reversed. It was intended to perform
the check only if slub debugging is enabled (which implies that caches
with the same parameters are not merged). Therefore, there should be
#if !defined(CONFIG_SLUB) || defined(CONFIG_SLUB_DEBUG_ON)
The current code has the condition reversed and performs the test if
debugging is disabled.
* slub debugging may be enabled or disabled based on kernel command line,
CONFIG_SLUB_DEBUG_ON is just the default settings. Therefore the test
based on definition of CONFIG_SLUB_DEBUG_ON is unreliable.
This patch fixes the problem by removing the test
"!defined(CONFIG_SLUB_DEBUG_ON)". Therefore, duplicate names are never
checked if the SLUB allocator is used.
Note to stable kernel maintainers: when backporint this patch, please
backport also the patch 3e374919b314f20e2a04f641ebc1093d758f66a4.
Acked-by: David Rientjes <rientjes@google.com>
Acked-by: Christoph Lameter <cl@linux.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Pekka Enberg <penberg@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
mm/slab_common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/slab_common.c b/mm/slab_common.c
index 0b7bb39..08ded33 100644
--- a/mm/slab_common.c
+++ b/mm/slab_common.c
@@ -56,7 +56,7 @@ static int kmem_cache_sanity_check(struct mem_cgroup *memcg, const char *name,
continue;
}
-#if !defined(CONFIG_SLUB) || !defined(CONFIG_SLUB_DEBUG_ON)
+#if !defined(CONFIG_SLUB)
/*
* For simplicity, we won't check this in the list of memcg
* caches. We have control over memcg naming, and if there
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 155/259] xtensa: add fixup for double exception raised in window overflow
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (153 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 154/259] slab_common: fix the check for duplicate slab names Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 156/259] [media] media: v4l2-core: v4l2-dv-timings.c: Cleaning up code wrong value used in aspect ratio Kamal Mostafa
` (103 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Max Filippov, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Max Filippov <jcmvbkbc@gmail.com>
commit 17290231df16eeee5dfc198dbf5ee4b419996dcd upstream.
There are two FIXMEs in the double exception handler 'for the extremely
unlikely case'. This case gets hit by gcc during kernel build once in
a few hours, resulting in an unrecoverable exception condition.
Provide missing fixup routine to handle this case. Double exception
literals now need 8 more bytes, add them to the linker script.
Also replace bbsi instructions with bbsi.l as we're branching depending
on 8th and 7th LSB-based bits of exception address.
This may be tested by adding the explicit DTLB invalidation to window
overflow handlers, like the following:
--- a/arch/xtensa/kernel/vectors.S
+++ b/arch/xtensa/kernel/vectors.S
@@ -592,6 +592,14 @@ ENDPROC(_WindowUnderflow4)
ENTRY_ALIGN64(_WindowOverflow8)
s32e a0, a9, -16
+ bbsi.l a9, 31, 1f
+ rsr a0, ccount
+ bbsi.l a0, 4, 1f
+ pdtlb a0, a9
+ idtlb a0
+ movi a0, 9
+ idtlb a0
+1:
l32e a0, a1, -12
s32e a2, a9, -8
s32e a1, a9, -12
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/xtensa/kernel/vectors.S | 158 +++++++++++++++++++++++++++++++++------
arch/xtensa/kernel/vmlinux.lds.S | 4 +-
2 files changed, 138 insertions(+), 24 deletions(-)
diff --git a/arch/xtensa/kernel/vectors.S b/arch/xtensa/kernel/vectors.S
index cb8fd44..da0224d 100644
--- a/arch/xtensa/kernel/vectors.S
+++ b/arch/xtensa/kernel/vectors.S
@@ -376,38 +376,42 @@ _DoubleExceptionVector_WindowOverflow:
beqz a2, 1f # if at start of vector, don't restore
addi a0, a0, -128
- bbsi a0, 8, 1f # don't restore except for overflow 8 and 12
- bbsi a0, 7, 2f
+ bbsi.l a0, 8, 1f # don't restore except for overflow 8 and 12
+
+ /*
+ * This fixup handler is for the extremely unlikely case where the
+ * overflow handler's reference thru a0 gets a hardware TLB refill
+ * that bumps out the (distinct, aliasing) TLB entry that mapped its
+ * prior references thru a9/a13, and where our reference now thru
+ * a9/a13 gets a 2nd-level miss exception (not hardware TLB refill).
+ */
+ movi a2, window_overflow_restore_a0_fixup
+ s32i a2, a3, EXC_TABLE_FIXUP
+ l32i a2, a3, EXC_TABLE_DOUBLE_SAVE
+ xsr a3, excsave1
+
+ bbsi.l a0, 7, 2f
/*
* Restore a0 as saved by _WindowOverflow8().
- *
- * FIXME: we really need a fixup handler for this L32E,
- * for the extremely unlikely case where the overflow handler's
- * reference thru a0 gets a hardware TLB refill that bumps out
- * the (distinct, aliasing) TLB entry that mapped its prior
- * references thru a9, and where our reference now thru a9
- * gets a 2nd-level miss exception (not hardware TLB refill).
*/
- l32e a2, a9, -16
- wsr a2, depc # replace the saved a0
- j 1f
+ l32e a0, a9, -16
+ wsr a0, depc # replace the saved a0
+ j 3f
2:
/*
* Restore a0 as saved by _WindowOverflow12().
- *
- * FIXME: we really need a fixup handler for this L32E,
- * for the extremely unlikely case where the overflow handler's
- * reference thru a0 gets a hardware TLB refill that bumps out
- * the (distinct, aliasing) TLB entry that mapped its prior
- * references thru a13, and where our reference now thru a13
- * gets a 2nd-level miss exception (not hardware TLB refill).
*/
- l32e a2, a13, -16
- wsr a2, depc # replace the saved a0
+ l32e a0, a13, -16
+ wsr a0, depc # replace the saved a0
+3:
+ xsr a3, excsave1
+ movi a0, 0
+ s32i a0, a3, EXC_TABLE_FIXUP
+ s32i a2, a3, EXC_TABLE_DOUBLE_SAVE
1:
/*
* Restore WindowBase while leaving all address registers restored.
@@ -449,6 +453,7 @@ _DoubleExceptionVector_WindowOverflow:
s32i a0, a2, PT_DEPC
+_DoubleExceptionVector_handle_exception:
addx4 a0, a0, a3
l32i a0, a0, EXC_TABLE_FAST_USER
xsr a3, excsave1
@@ -464,11 +469,120 @@ _DoubleExceptionVector_WindowOverflow:
rotw -3
j 1b
- .end literal_prefix
ENDPROC(_DoubleExceptionVector)
/*
+ * Fixup handler for TLB miss in double exception handler for window owerflow.
+ * We get here with windowbase set to the window that was being spilled and
+ * a0 trashed. a0 bit 7 determines if this is a call8 (bit clear) or call12
+ * (bit set) window.
+ *
+ * We do the following here:
+ * - go to the original window retaining a0 value;
+ * - set up exception stack to return back to appropriate a0 restore code
+ * (we'll need to rotate window back and there's no place to save this
+ * information, use different return address for that);
+ * - handle the exception;
+ * - go to the window that was being spilled;
+ * - set up window_overflow_restore_a0_fixup as a fixup routine;
+ * - reload a0;
+ * - restore the original window;
+ * - reset the default fixup routine;
+ * - return to user. By the time we get to this fixup handler all information
+ * about the conditions of the original double exception that happened in
+ * the window overflow handler is lost, so we just return to userspace to
+ * retry overflow from start.
+ *
+ * a0: value of depc, original value in depc
+ * a2: trashed, original value in EXC_TABLE_DOUBLE_SAVE
+ * a3: exctable, original value in excsave1
+ */
+
+ENTRY(window_overflow_restore_a0_fixup)
+
+ rsr a0, ps
+ extui a0, a0, PS_OWB_SHIFT, PS_OWB_WIDTH
+ rsr a2, windowbase
+ sub a0, a2, a0
+ extui a0, a0, 0, 3
+ l32i a2, a3, EXC_TABLE_DOUBLE_SAVE
+ xsr a3, excsave1
+
+ _beqi a0, 1, .Lhandle_1
+ _beqi a0, 3, .Lhandle_3
+
+ .macro overflow_fixup_handle_exception_pane n
+
+ rsr a0, depc
+ rotw -\n
+
+ xsr a3, excsave1
+ wsr a2, depc
+ l32i a2, a3, EXC_TABLE_KSTK
+ s32i a0, a2, PT_AREG0
+
+ movi a0, .Lrestore_\n
+ s32i a0, a2, PT_DEPC
+ rsr a0, exccause
+ j _DoubleExceptionVector_handle_exception
+
+ .endm
+
+ overflow_fixup_handle_exception_pane 2
+.Lhandle_1:
+ overflow_fixup_handle_exception_pane 1
+.Lhandle_3:
+ overflow_fixup_handle_exception_pane 3
+
+ .macro overflow_fixup_restore_a0_pane n
+
+ rotw \n
+ /* Need to preserve a0 value here to be able to handle exception
+ * that may occur on a0 reload from stack. It may occur because
+ * TLB miss handler may not be atomic and pointer to page table
+ * may be lost before we get here. There are no free registers,
+ * so we need to use EXC_TABLE_DOUBLE_SAVE area.
+ */
+ xsr a3, excsave1
+ s32i a2, a3, EXC_TABLE_DOUBLE_SAVE
+ movi a2, window_overflow_restore_a0_fixup
+ s32i a2, a3, EXC_TABLE_FIXUP
+ l32i a2, a3, EXC_TABLE_DOUBLE_SAVE
+ xsr a3, excsave1
+ bbsi.l a0, 7, 1f
+ l32e a0, a9, -16
+ j 2f
+1:
+ l32e a0, a13, -16
+2:
+ rotw -\n
+
+ .endm
+
+.Lrestore_2:
+ overflow_fixup_restore_a0_pane 2
+
+.Lset_default_fixup:
+ xsr a3, excsave1
+ s32i a2, a3, EXC_TABLE_DOUBLE_SAVE
+ movi a2, 0
+ s32i a2, a3, EXC_TABLE_FIXUP
+ l32i a2, a3, EXC_TABLE_DOUBLE_SAVE
+ xsr a3, excsave1
+ rfe
+
+.Lrestore_1:
+ overflow_fixup_restore_a0_pane 1
+ j .Lset_default_fixup
+.Lrestore_3:
+ overflow_fixup_restore_a0_pane 3
+ j .Lset_default_fixup
+
+ENDPROC(window_overflow_restore_a0_fixup)
+
+ .end literal_prefix
+/*
* Debug interrupt vector
*
* There is not much space here, so simply jump to another handler.
diff --git a/arch/xtensa/kernel/vmlinux.lds.S b/arch/xtensa/kernel/vmlinux.lds.S
index 21acd11..af84f8f 100644
--- a/arch/xtensa/kernel/vmlinux.lds.S
+++ b/arch/xtensa/kernel/vmlinux.lds.S
@@ -262,13 +262,13 @@ SECTIONS
.UserExceptionVector.literal)
SECTION_VECTOR (_DoubleExceptionVector_literal,
.DoubleExceptionVector.literal,
- DOUBLEEXC_VECTOR_VADDR - 16,
+ DOUBLEEXC_VECTOR_VADDR - 40,
SIZEOF(.UserExceptionVector.text),
.UserExceptionVector.text)
SECTION_VECTOR (_DoubleExceptionVector_text,
.DoubleExceptionVector.text,
DOUBLEEXC_VECTOR_VADDR,
- 32,
+ 40,
.DoubleExceptionVector.literal)
. = (LOADADDR( .DoubleExceptionVector.text ) + SIZEOF( .DoubleExceptionVector.text ) + 3) & ~ 3;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 156/259] [media] media: v4l2-core: v4l2-dv-timings.c: Cleaning up code wrong value used in aspect ratio
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (154 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 155/259] xtensa: add fixup for double exception raised in window overflow Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 157/259] [media] hdpvr: fix two audio bugs Kamal Mostafa
` (102 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Rickard Strandqvist, Hans Verkuil, Mauro Carvalho Chehab, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Rickard Strandqvist <rickard_strandqvist@spectrumdigital.se>
commit f71920efb1066d71d74811e1dbed658173adf9bf upstream.
Wrong value used in same cases for the aspect ratio.
Signed-off-by: Rickard Strandqvist <rickard_strandqvist@spectrumdigital.se>
Acked-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/media/v4l2-core/v4l2-dv-timings.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/media/v4l2-core/v4l2-dv-timings.c b/drivers/media/v4l2-core/v4l2-dv-timings.c
index ee52b9f4..4a904ad 100644
--- a/drivers/media/v4l2-core/v4l2-dv-timings.c
+++ b/drivers/media/v4l2-core/v4l2-dv-timings.c
@@ -590,10 +590,10 @@ struct v4l2_fract v4l2_calc_aspect_ratio(u8 hor_landscape, u8 vert_portrait)
aspect.denominator = 9;
} else if (ratio == 34) {
aspect.numerator = 4;
- aspect.numerator = 3;
+ aspect.denominator = 3;
} else if (ratio == 68) {
aspect.numerator = 15;
- aspect.numerator = 9;
+ aspect.denominator = 9;
} else {
aspect.numerator = hor_landscape + 99;
aspect.denominator = 100;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 157/259] [media] hdpvr: fix two audio bugs
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (155 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 156/259] [media] media: v4l2-core: v4l2-dv-timings.c: Cleaning up code wrong value used in aspect ratio Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 158/259] block: don't assume last put of shared tags is for the host Kamal Mostafa
` (101 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Hans Verkuil, Mauro Carvalho Chehab, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans Verkuil <hverkuil@xs4all.nl>
commit 3445857b22eafb70a6ac258979e955b116bfd2c6 upstream.
When the audio encoding is changed the driver calls hdpvr_set_audio
with the current opt->audio_input value. However, that should have
been opt->audio_input + 1. So changing the audio encoding inadvertently
changes the input as well. This bug has always been there.
The second bug was introduced in kernel 3.10 and that broke the
default_audio_input module option handling: the audio encoding was
never switched to AC3 if default_audio_input was set to 2 (SPDIF input).
In addition, since starting with 3.10 the audio encoding is always set
at the start the first bug now always happens when the driver is loaded.
In the past this bug would only surface if the user would change the
audio encoding after the driver was loaded.
Also fixes a small trivial typo (bufffer -> buffer).
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Reported-by: Scott Doty <scott@corp.sonic.net>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/media/usb/hdpvr/hdpvr-video.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/media/usb/hdpvr/hdpvr-video.c b/drivers/media/usb/hdpvr/hdpvr-video.c
index 0500c417..6bce01a 100644
--- a/drivers/media/usb/hdpvr/hdpvr-video.c
+++ b/drivers/media/usb/hdpvr/hdpvr-video.c
@@ -82,7 +82,7 @@ static void hdpvr_read_bulk_callback(struct urb *urb)
}
/*=========================================================================*/
-/* bufffer bits */
+/* buffer bits */
/* function expects dev->io_mutex to be hold by caller */
int hdpvr_cancel_queue(struct hdpvr_device *dev)
@@ -926,7 +926,7 @@ static int hdpvr_s_ctrl(struct v4l2_ctrl *ctrl)
case V4L2_CID_MPEG_AUDIO_ENCODING:
if (dev->flags & HDPVR_FLAG_AC3_CAP) {
opt->audio_codec = ctrl->val;
- return hdpvr_set_audio(dev, opt->audio_input,
+ return hdpvr_set_audio(dev, opt->audio_input + 1,
opt->audio_codec);
}
return 0;
@@ -1198,7 +1198,7 @@ int hdpvr_register_videodev(struct hdpvr_device *dev, struct device *parent,
v4l2_ctrl_new_std_menu(hdl, &hdpvr_ctrl_ops,
V4L2_CID_MPEG_AUDIO_ENCODING,
ac3 ? V4L2_MPEG_AUDIO_ENCODING_AC3 : V4L2_MPEG_AUDIO_ENCODING_AAC,
- 0x7, V4L2_MPEG_AUDIO_ENCODING_AAC);
+ 0x7, ac3 ? dev->options.audio_codec : V4L2_MPEG_AUDIO_ENCODING_AAC);
v4l2_ctrl_new_std_menu(hdl, &hdpvr_ctrl_ops,
V4L2_CID_MPEG_VIDEO_ENCODING,
V4L2_MPEG_VIDEO_ENCODING_MPEG_4_AVC, 0x3,
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 158/259] block: don't assume last put of shared tags is for the host
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (156 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 157/259] [media] hdpvr: fix two audio bugs Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 159/259] blkcg: don't call into policy draining if root_blkg is already gone Kamal Mostafa
` (100 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Christoph Hellwig, Jens Axboe, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Hellwig <hch@lst.de>
commit d45b3279a5a2252cafcd665bbf2db8c9b31ef783 upstream.
There is no inherent reason why the last put of a tag structure must be
the one for the Scsi_Host, as device model objects can be held for
arbitrary periods. Merge blk_free_tags and __blk_free_tags into a single
funtion that just release a references and get rid of the BUG() when the
host reference wasn't the last.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
block/blk-tag.c | 33 +++++++--------------------------
1 file changed, 7 insertions(+), 26 deletions(-)
diff --git a/block/blk-tag.c b/block/blk-tag.c
index 3f33d86..a185b86 100644
--- a/block/blk-tag.c
+++ b/block/blk-tag.c
@@ -27,18 +27,15 @@ struct request *blk_queue_find_tag(struct request_queue *q, int tag)
EXPORT_SYMBOL(blk_queue_find_tag);
/**
- * __blk_free_tags - release a given set of tag maintenance info
+ * blk_free_tags - release a given set of tag maintenance info
* @bqt: the tag map to free
*
- * Tries to free the specified @bqt. Returns true if it was
- * actually freed and false if there are still references using it
+ * Drop the reference count on @bqt and frees it when the last reference
+ * is dropped.
*/
-static int __blk_free_tags(struct blk_queue_tag *bqt)
+void blk_free_tags(struct blk_queue_tag *bqt)
{
- int retval;
-
- retval = atomic_dec_and_test(&bqt->refcnt);
- if (retval) {
+ if (atomic_dec_and_test(&bqt->refcnt)) {
BUG_ON(find_first_bit(bqt->tag_map, bqt->max_depth) <
bqt->max_depth);
@@ -50,9 +47,8 @@ static int __blk_free_tags(struct blk_queue_tag *bqt)
kfree(bqt);
}
-
- return retval;
}
+EXPORT_SYMBOL(blk_free_tags);
/**
* __blk_queue_free_tags - release tag maintenance info
@@ -69,28 +65,13 @@ void __blk_queue_free_tags(struct request_queue *q)
if (!bqt)
return;
- __blk_free_tags(bqt);
+ blk_free_tags(bqt);
q->queue_tags = NULL;
queue_flag_clear_unlocked(QUEUE_FLAG_QUEUED, q);
}
/**
- * blk_free_tags - release a given set of tag maintenance info
- * @bqt: the tag map to free
- *
- * For externally managed @bqt frees the map. Callers of this
- * function must guarantee to have released all the queues that
- * might have been using this tag map.
- */
-void blk_free_tags(struct blk_queue_tag *bqt)
-{
- if (unlikely(!__blk_free_tags(bqt)))
- BUG();
-}
-EXPORT_SYMBOL(blk_free_tags);
-
-/**
* blk_queue_free_tags - release tag maintenance info
* @q: the request queue for the device
*
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 159/259] blkcg: don't call into policy draining if root_blkg is already gone
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (157 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 158/259] block: don't assume last put of shared tags is for the host Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 160/259] block: provide compat ioctl for BLKZEROOUT Kamal Mostafa
` (99 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Tejun Heo, Jens Axboe, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Tejun Heo <tj@kernel.org>
commit 0b462c89e31f7eb6789713437eb551833ee16ff3 upstream.
While a queue is being destroyed, all the blkgs are destroyed and its
->root_blkg pointer is set to NULL. If someone else starts to drain
while the queue is in this state, the following oops happens.
NULL pointer dereference at 0000000000000028
IP: [<ffffffff8144e944>] blk_throtl_drain+0x84/0x230
PGD e4a1067 PUD b773067 PMD 0
Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
Modules linked in: cfq_iosched(-) [last unloaded: cfq_iosched]
CPU: 1 PID: 537 Comm: bash Not tainted 3.16.0-rc3-work+ #2
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
task: ffff88000e222250 ti: ffff88000efd4000 task.ti: ffff88000efd4000
RIP: 0010:[<ffffffff8144e944>] [<ffffffff8144e944>] blk_throtl_drain+0x84/0x230
RSP: 0018:ffff88000efd7bf0 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff880015091450 RCX: 0000000000000001
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff88000efd7c10 R08: 0000000000000000 R09: 0000000000000001
R10: ffff88000e222250 R11: 0000000000000000 R12: ffff880015091450
R13: ffff880015092e00 R14: ffff880015091d70 R15: ffff88001508fc28
FS: 00007f1332650740(0000) GS:ffff88001fa80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000028 CR3: 0000000009446000 CR4: 00000000000006e0
Stack:
ffffffff8144e8f6 ffff880015091450 0000000000000000 ffff880015091d80
ffff88000efd7c28 ffffffff8144ae2f ffff880015091450 ffff88000efd7c58
ffffffff81427641 ffff880015091450 ffffffff82401f00 ffff880015091450
Call Trace:
[<ffffffff8144ae2f>] blkcg_drain_queue+0x1f/0x60
[<ffffffff81427641>] __blk_drain_queue+0x71/0x180
[<ffffffff81429b3e>] blk_queue_bypass_start+0x6e/0xb0
[<ffffffff814498b8>] blkcg_deactivate_policy+0x38/0x120
[<ffffffff8144ec44>] blk_throtl_exit+0x34/0x50
[<ffffffff8144aea5>] blkcg_exit_queue+0x35/0x40
[<ffffffff8142d476>] blk_release_queue+0x26/0xd0
[<ffffffff81454968>] kobject_cleanup+0x38/0x70
[<ffffffff81454848>] kobject_put+0x28/0x60
[<ffffffff81427505>] blk_put_queue+0x15/0x20
[<ffffffff817d07bb>] scsi_device_dev_release_usercontext+0x16b/0x1c0
[<ffffffff810bc339>] execute_in_process_context+0x89/0xa0
[<ffffffff817d064c>] scsi_device_dev_release+0x1c/0x20
[<ffffffff817930e2>] device_release+0x32/0xa0
[<ffffffff81454968>] kobject_cleanup+0x38/0x70
[<ffffffff81454848>] kobject_put+0x28/0x60
[<ffffffff817934d7>] put_device+0x17/0x20
[<ffffffff817d11b9>] __scsi_remove_device+0xa9/0xe0
[<ffffffff817d121b>] scsi_remove_device+0x2b/0x40
[<ffffffff817d1257>] sdev_store_delete+0x27/0x30
[<ffffffff81792ca8>] dev_attr_store+0x18/0x30
[<ffffffff8126f75e>] sysfs_kf_write+0x3e/0x50
[<ffffffff8126ea87>] kernfs_fop_write+0xe7/0x170
[<ffffffff811f5e9f>] vfs_write+0xaf/0x1d0
[<ffffffff811f69bd>] SyS_write+0x4d/0xc0
[<ffffffff81d24692>] system_call_fastpath+0x16/0x1b
776687bce42b ("block, blk-mq: draining can't be skipped even if
bypass_depth was non-zero") made it easier to trigger this bug by
making blk_queue_bypass_start() drain even when it loses the first
bypass test to blk_cleanup_queue(); however, the bug has always been
there even before the commit as blk_queue_bypass_start() could race
against queue destruction, win the initial bypass test but perform the
actual draining after blk_cleanup_queue() already destroyed all blkgs.
Fix it by skippping calling into policy draining if all the blkgs are
already gone.
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Shirish Pargaonkar <spargaonkar@suse.com>
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Reported-by: Jet Chen <jet.chen@intel.com>
Tested-by: Shirish Pargaonkar <spargaonkar@suse.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
block/blk-cgroup.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
index dd0dd2d..d8f80e7 100644
--- a/block/blk-cgroup.c
+++ b/block/blk-cgroup.c
@@ -859,6 +859,13 @@ void blkcg_drain_queue(struct request_queue *q)
{
lockdep_assert_held(q->queue_lock);
+ /*
+ * @q could be exiting and already have destroyed all blkgs as
+ * indicated by NULL root_blkg. If so, don't confuse policies.
+ */
+ if (!q->root_blkg)
+ return;
+
blk_throtl_drain(q);
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 160/259] block: provide compat ioctl for BLKZEROOUT
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (158 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 159/259] blkcg: don't call into policy draining if root_blkg is already gone Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 161/259] libata: support the ata host which implements a queue depth less than 32 Kamal Mostafa
` (98 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Mikulas Patocka, Jens Axboe, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit 3b3a1814d1703027f9867d0f5cbbfaf6c7482474 upstream.
This patch provides the compat BLKZEROOUT ioctl. The argument is a pointer
to two uint64_t values, so there is no need to translate it.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Acked-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
block/compat_ioctl.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/block/compat_ioctl.c b/block/compat_ioctl.c
index fbd5a67..a0926a6 100644
--- a/block/compat_ioctl.c
+++ b/block/compat_ioctl.c
@@ -690,6 +690,7 @@ long compat_blkdev_ioctl(struct file *file, unsigned cmd, unsigned long arg)
case BLKROSET:
case BLKDISCARD:
case BLKSECDISCARD:
+ case BLKZEROOUT:
/*
* the ones below are implemented in blkdev_locked_ioctl,
* but we call blkdev_ioctl, which gets the lock for us
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 161/259] libata: support the ata host which implements a queue depth less than 32
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (159 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 160/259] block: provide compat ioctl for BLKZEROOUT Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 162/259] [media] tda10071: force modulation to QPSK on DVB-S Kamal Mostafa
` (97 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Kevin Hao, Tejun Heo, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Kevin Hao <haokexin@gmail.com>
commit 1871ee134b73fb4cadab75752a7152ed2813c751 upstream.
The sata on fsl mpc8315e is broken after the commit 8a4aeec8d2d6
("libata/ahci: accommodate tag ordered controllers"). The reason is
that the ata controller on this SoC only implement a queue depth of
16. When issuing the commands in tag order, all the commands in tag
16 ~ 31 are mapped to tag 0 unconditionally and then causes the sata
malfunction. It makes no senses to use a 32 queue in software while
the hardware has less queue depth. So consider the queue depth
implemented by the hardware when requesting a command tag.
Fixes: 8a4aeec8d2d6 ("libata/ahci: accommodate tag ordered controllers")
Signed-off-by: Kevin Hao <haokexin@gmail.com>
Acked-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/ata/libata-core.c | 22 +++++++++++++++++++---
1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
index 62fda16..0172e30 100644
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4787,6 +4787,10 @@ void swap_buf_le16(u16 *buf, unsigned int buf_words)
* ata_qc_new - Request an available ATA command, for queueing
* @ap: target port
*
+ * Some ATA host controllers may implement a queue depth which is less
+ * than ATA_MAX_QUEUE. So we shouldn't allocate a tag which is beyond
+ * the hardware limitation.
+ *
* LOCKING:
* None.
*/
@@ -4794,14 +4798,16 @@ void swap_buf_le16(u16 *buf, unsigned int buf_words)
static struct ata_queued_cmd *ata_qc_new(struct ata_port *ap)
{
struct ata_queued_cmd *qc = NULL;
- unsigned int i, tag;
+ unsigned int i, tag, max_queue;
+
+ max_queue = ap->scsi_host->can_queue;
/* no command while frozen */
if (unlikely(ap->pflags & ATA_PFLAG_FROZEN))
return NULL;
- for (i = 0; i < ATA_MAX_QUEUE; i++) {
- tag = (i + ap->last_tag + 1) % ATA_MAX_QUEUE;
+ for (i = 0, tag = ap->last_tag + 1; i < max_queue; i++, tag++) {
+ tag = tag < max_queue ? tag : 0;
/* the last tag is reserved for internal command. */
if (tag == ATA_TAG_INTERNAL)
@@ -6184,6 +6190,16 @@ int ata_host_register(struct ata_host *host, struct scsi_host_template *sht)
{
int i, rc;
+ /*
+ * The max queue supported by hardware must not be greater than
+ * ATA_MAX_QUEUE.
+ */
+ if (sht->can_queue > ATA_MAX_QUEUE) {
+ dev_err(host->dev, "BUG: the hardware max queue is too large\n");
+ WARN_ON(1);
+ return -EINVAL;
+ }
+
/* host must have been started */
if (!(host->flags & ATA_HOST_STARTED)) {
dev_err(host->dev, "BUG: trying to register unstarted host\n");
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 162/259] [media] tda10071: force modulation to QPSK on DVB-S
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (160 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 161/259] libata: support the ata host which implements a queue depth less than 32 Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 163/259] [media] gspca_pac7302: Add new usb-id for Genius i-Look 317 Kamal Mostafa
` (96 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Antti Palosaari, Mauro Carvalho Chehab, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Antti Palosaari <crope@iki.fi>
commit db4175ae2095634dbecd4c847da439f9c83e1b3b upstream.
Only supported modulation for DVB-S is QPSK. Modulation parameter
contains invalid value for DVB-S on some cases, which leads driver
refusing tuning attempt. Due to that, hard code modulation to QPSK
in case of DVB-S.
Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/media/dvb-frontends/tda10071.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/media/dvb-frontends/tda10071.c b/drivers/media/dvb-frontends/tda10071.c
index 8ad3a57..287b977 100644
--- a/drivers/media/dvb-frontends/tda10071.c
+++ b/drivers/media/dvb-frontends/tda10071.c
@@ -667,6 +667,7 @@ static int tda10071_set_frontend(struct dvb_frontend *fe)
struct dtv_frontend_properties *c = &fe->dtv_property_cache;
int ret, i;
u8 mode, rolloff, pilot, inversion, div;
+ fe_modulation_t modulation;
dev_dbg(&priv->i2c->dev, "%s: delivery_system=%d modulation=%d " \
"frequency=%d symbol_rate=%d inversion=%d pilot=%d " \
@@ -701,10 +702,13 @@ static int tda10071_set_frontend(struct dvb_frontend *fe)
switch (c->delivery_system) {
case SYS_DVBS:
+ modulation = QPSK;
rolloff = 0;
pilot = 2;
break;
case SYS_DVBS2:
+ modulation = c->modulation;
+
switch (c->rolloff) {
case ROLLOFF_20:
rolloff = 2;
@@ -749,7 +753,7 @@ static int tda10071_set_frontend(struct dvb_frontend *fe)
for (i = 0, mode = 0xff; i < ARRAY_SIZE(TDA10071_MODCOD); i++) {
if (c->delivery_system == TDA10071_MODCOD[i].delivery_system &&
- c->modulation == TDA10071_MODCOD[i].modulation &&
+ modulation == TDA10071_MODCOD[i].modulation &&
c->fec_inner == TDA10071_MODCOD[i].fec) {
mode = TDA10071_MODCOD[i].val;
dev_dbg(&priv->i2c->dev, "%s: mode found=%02x\n",
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 163/259] [media] gspca_pac7302: Add new usb-id for Genius i-Look 317
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (161 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 162/259] [media] tda10071: force modulation to QPSK on DVB-S Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 164/259] s390/ptrace: fix PSW mask check Kamal Mostafa
` (95 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Hans de Goede, Mauro Carvalho Chehab, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
commit 242841d3d71191348f98310e2d2001e1001d8630 upstream.
Tested-and-reported-by: yullaw <yullaw@mageia.cz>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/media/usb/gspca/pac7302.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/media/usb/gspca/pac7302.c b/drivers/media/usb/gspca/pac7302.c
index 2fd1c5e..339adce 100644
--- a/drivers/media/usb/gspca/pac7302.c
+++ b/drivers/media/usb/gspca/pac7302.c
@@ -928,6 +928,7 @@ static const struct usb_device_id device_table[] = {
{USB_DEVICE(0x093a, 0x2620)},
{USB_DEVICE(0x093a, 0x2621)},
{USB_DEVICE(0x093a, 0x2622), .driver_info = FL_VFLIP},
+ {USB_DEVICE(0x093a, 0x2623), .driver_info = FL_VFLIP},
{USB_DEVICE(0x093a, 0x2624), .driver_info = FL_VFLIP},
{USB_DEVICE(0x093a, 0x2625)},
{USB_DEVICE(0x093a, 0x2626)},
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 164/259] s390/ptrace: fix PSW mask check
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (162 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 163/259] [media] gspca_pac7302: Add new usb-id for Genius i-Look 317 Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 165/259] ahci: add support for the Promise FastTrak TX8660 SATA HBA (ahci mode) Kamal Mostafa
` (94 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Martin Schwidefsky, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin Schwidefsky <schwidefsky@de.ibm.com>
commit dab6cf55f81a6e16b8147aed9a843e1691dcd318 upstream.
The PSW mask check of the PTRACE_POKEUSR_AREA command is incorrect.
The PSW_MASK_USER define contains the PSW_MASK_ASC bits, the ptrace
interface accepts all combinations for the address-space-control
bits. To protect the kernel space the PSW mask check in ptrace needs
to reject the address-space-control bit combination for home space.
Fixes CVE-2014-3534
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/s390/kernel/ptrace.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c
index e65c91c..c5ff2f03 100644
--- a/arch/s390/kernel/ptrace.c
+++ b/arch/s390/kernel/ptrace.c
@@ -326,9 +326,14 @@ static int __poke_user(struct task_struct *child, addr_t addr, addr_t data)
unsigned long mask = PSW_MASK_USER;
mask |= is_ri_task(child) ? PSW_MASK_RI : 0;
- if ((data & ~mask) != PSW_USER_BITS)
+ if ((data ^ PSW_USER_BITS) & ~mask)
+ /* Invalid psw mask. */
+ return -EINVAL;
+ if ((data & PSW_MASK_ASC) == PSW_ASC_HOME)
+ /* Invalid address-space-control bits */
return -EINVAL;
if ((data & PSW_MASK_EA) && !(data & PSW_MASK_BA))
+ /* Invalid addressing mode bits */
return -EINVAL;
}
*(addr_t *)((addr_t) &task_pt_regs(child)->psw + addr) = data;
@@ -664,9 +669,12 @@ static int __poke_user_compat(struct task_struct *child,
mask |= is_ri_task(child) ? PSW32_MASK_RI : 0;
/* Build a 64 bit psw mask from 31 bit mask. */
- if ((tmp & ~mask) != PSW32_USER_BITS)
+ if ((tmp ^ PSW32_USER_BITS) & ~mask)
/* Invalid psw mask. */
return -EINVAL;
+ if ((data & PSW32_MASK_ASC) == PSW32_ASC_HOME)
+ /* Invalid address-space-control bits */
+ return -EINVAL;
regs->psw.mask = (regs->psw.mask & ~PSW_MASK_USER) |
(regs->psw.mask & PSW_MASK_BA) |
(__u64)(tmp & mask) << 32;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 165/259] ahci: add support for the Promise FastTrak TX8660 SATA HBA (ahci mode)
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (163 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 164/259] s390/ptrace: fix PSW mask check Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 166/259] Input: fix defuzzing logic Kamal Mostafa
` (93 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Romain Degez, Tejun Heo, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Romain Degez <romain.degez@gmail.com>
commit b32bfc06aefab61acc872dec3222624e6cd867ed upstream.
Add support of the Promise FastTrak TX8660 SATA HBA in ahci mode by
registering the board in the ahci_pci_tbl[].
Note: this HBA also provide a hardware RAID mode when activated in
BIOS but specific drivers from the manufacturer are required in this
case.
Signed-off-by: Romain Degez <romain.degez@gmail.com>
Tested-by: Romain Degez <romain.degez@gmail.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/ata/ahci.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
index 2d9f619..5e98993 100644
--- a/drivers/ata/ahci.c
+++ b/drivers/ata/ahci.c
@@ -455,6 +455,7 @@ static const struct pci_device_id ahci_pci_tbl[] = {
/* Promise */
{ PCI_VDEVICE(PROMISE, 0x3f20), board_ahci }, /* PDC42819 */
+ { PCI_VDEVICE(PROMISE, 0x3781), board_ahci }, /* FastTrak TX8660 ahci-mode */
/* Asmedia */
{ PCI_VDEVICE(ASMEDIA, 0x0601), board_ahci }, /* ASM1060 */
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 166/259] Input: fix defuzzing logic
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (164 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 165/259] ahci: add support for the Promise FastTrak TX8660 SATA HBA (ahci mode) Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 167/259] tracing: Fix wraparound problems in "uptime" trace clock Kamal Mostafa
` (92 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Dmitry Torokhov, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Torokhov <dtor@chromium.org>
commit 50c5d36dab930b1f1b1e3348b8608aa8b9ee7610 upstream.
We attempt to remove noise from coordinates reported by devices in
input_handle_abs_event(), unfortunately, unless we were dropping the
event altogether, we were ignoring the adjusted value and were passing
on the original value instead.
Reviewed-by: Andrew de los Reyes <adlr@chromium.org>
Reviewed-by: Benson Leung <bleung@chromium.org>
Reviewed-by: David Herrmann <dh.herrmann@gmail.com>
Reviewed-by: Henrik Rydberg <rydberg@euromail.se>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/input/input.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/input/input.c b/drivers/input/input.c
index d2965e4..960b389 100644
--- a/drivers/input/input.c
+++ b/drivers/input/input.c
@@ -257,9 +257,10 @@ static int input_handle_abs_event(struct input_dev *dev,
}
static int input_get_disposition(struct input_dev *dev,
- unsigned int type, unsigned int code, int value)
+ unsigned int type, unsigned int code, int *pval)
{
int disposition = INPUT_IGNORE_EVENT;
+ int value = *pval;
switch (type) {
@@ -357,6 +358,7 @@ static int input_get_disposition(struct input_dev *dev,
break;
}
+ *pval = value;
return disposition;
}
@@ -365,7 +367,7 @@ static void input_handle_event(struct input_dev *dev,
{
int disposition;
- disposition = input_get_disposition(dev, type, code, value);
+ disposition = input_get_disposition(dev, type, code, &value);
if ((disposition & INPUT_PASS_TO_DEVICE) && dev->event)
dev->event(dev, type, code, value);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 167/259] tracing: Fix wraparound problems in "uptime" trace clock
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (165 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 166/259] Input: fix defuzzing logic Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 168/259] drm/i915: Reorder the semaphore deadlock check, again Kamal Mostafa
` (91 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Tony Luck, Steven Rostedt, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Tony Luck <tony.luck@intel.com>
commit 58d4e21e50ff3cc57910a8abc20d7e14375d2f61 upstream.
The "uptime" trace clock added in:
commit 8aacf017b065a805d27467843490c976835eb4a5
tracing: Add "uptime" trace clock that uses jiffies
has wraparound problems when the system has been up more
than 1 hour 11 minutes and 34 seconds. It converts jiffies
to nanoseconds using:
(u64)jiffies_to_usecs(jiffy) * 1000ULL
but since jiffies_to_usecs() only returns a 32-bit value, it
truncates at 2^32 microseconds. An additional problem on 32-bit
systems is that the argument is "unsigned long", so fixing the
return value only helps until 2^32 jiffies (49.7 days on a HZ=1000
system).
Avoid these problems by using jiffies_64 as our basis, and
not converting to nanoseconds (we do convert to clock_t because
user facing API must not be dependent on internal kernel
HZ values).
Link: http://lkml.kernel.org/p/99d63c5bfe9b320a3b428d773825a37095bf6a51.1405708254.git.tony.luck@intel.com
Fixes: 8aacf017b065 "tracing: Add "uptime" trace clock that uses jiffies"
Signed-off-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
kernel/trace/trace.c | 2 +-
kernel/trace/trace_clock.c | 9 +++++----
2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 83cb797..9270fbc 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -784,7 +784,7 @@ static struct {
{ trace_clock_local, "local", 1 },
{ trace_clock_global, "global", 1 },
{ trace_clock_counter, "counter", 0 },
- { trace_clock_jiffies, "uptime", 1 },
+ { trace_clock_jiffies, "uptime", 0 },
{ trace_clock, "perf", 1 },
ARCH_TRACE_CLOCKS
};
diff --git a/kernel/trace/trace_clock.c b/kernel/trace/trace_clock.c
index 26dc348..57b67b1 100644
--- a/kernel/trace/trace_clock.c
+++ b/kernel/trace/trace_clock.c
@@ -59,13 +59,14 @@ u64 notrace trace_clock(void)
/*
* trace_jiffy_clock(): Simply use jiffies as a clock counter.
+ * Note that this use of jiffies_64 is not completely safe on
+ * 32-bit systems. But the window is tiny, and the effect if
+ * we are affected is that we will have an obviously bogus
+ * timestamp on a trace event - i.e. not life threatening.
*/
u64 notrace trace_clock_jiffies(void)
{
- u64 jiffy = jiffies - INITIAL_JIFFIES;
-
- /* Return nsecs */
- return (u64)jiffies_to_usecs(jiffy) * 1000ULL;
+ return jiffies_64_to_clock_t(jiffies_64 - INITIAL_JIFFIES);
}
/*
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 168/259] drm/i915: Reorder the semaphore deadlock check, again
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (166 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 167/259] tracing: Fix wraparound problems in "uptime" trace clock Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 169/259] libata: introduce ata_host->n_tags to avoid oops on SAS controllers Kamal Mostafa
` (90 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Chris Wilson, Mika Kuoppala, Jani Nikula, Daniel Vetter, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Chris Wilson <chris@chris-wilson.co.uk>
commit a0d036b074b4a5a933e37fcb9bdd6b3cc80a0387 upstream.
commit 4be173813e57c7298103a83155c2391b5b167b4c
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date: Fri Jun 6 10:22:29 2014 +0100
drm/i915: Reorder semaphore deadlock check
did the majority of the work, but it missed one crucial detail:
The check for the unkickable deadlock on this ring must come after the
check whether the ring that we are waiting on has already passed its
target seqno.
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=80709
Tested-by: Stefan Huber <shuber@sthu.org>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Mika Kuoppala <mika.kuoppala@intel.com>
Cc: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/gpu/drm/i915/i915_irq.c | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c
index 2093c72..3a10da2 100644
--- a/drivers/gpu/drm/i915/i915_irq.c
+++ b/drivers/gpu/drm/i915/i915_irq.c
@@ -2392,7 +2392,7 @@ static int semaphore_passed(struct intel_ring_buffer *ring)
{
struct drm_i915_private *dev_priv = ring->dev->dev_private;
struct intel_ring_buffer *signaller;
- u32 seqno, ctl;
+ u32 seqno;
ring->hangcheck.deadlock++;
@@ -2404,15 +2404,12 @@ static int semaphore_passed(struct intel_ring_buffer *ring)
if (signaller->hangcheck.deadlock >= I915_NUM_RINGS)
return -1;
- /* cursory check for an unkickable deadlock */
- ctl = I915_READ_CTL(signaller);
- if (ctl & RING_WAIT_SEMAPHORE && semaphore_passed(signaller) < 0)
- return -1;
-
if (i915_seqno_passed(signaller->get_seqno(signaller, false), seqno))
return 1;
- if (signaller->hangcheck.deadlock)
+ /* cursory check for an unkickable deadlock */
+ if (I915_READ_CTL(signaller) & RING_WAIT_SEMAPHORE &&
+ semaphore_passed(signaller) < 0)
return -1;
return 0;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 169/259] libata: introduce ata_host->n_tags to avoid oops on SAS controllers
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (167 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 168/259] drm/i915: Reorder the semaphore deadlock check, again Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 170/259] drm/radeon: fix irq ring buffer overflow handling Kamal Mostafa
` (89 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Tejun Heo, Kevin Hao, Dan Williams, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Tejun Heo <tj@kernel.org>
commit 1a112d10f03e83fb3a2fdc4c9165865dec8a3ca6 upstream.
1871ee134b73 ("libata: support the ata host which implements a queue
depth less than 32") directly used ata_port->scsi_host->can_queue from
ata_qc_new() to determine the number of tags supported by the host;
unfortunately, SAS controllers doing SATA don't initialize ->scsi_host
leading to the following oops.
BUG: unable to handle kernel NULL pointer dereference at 0000000000000058
IP: [<ffffffff814e0618>] ata_qc_new_init+0x188/0x1b0
PGD 0
Oops: 0002 [#1] SMP
Modules linked in: isci libsas scsi_transport_sas mgag200 drm_kms_helper ttm
CPU: 1 PID: 518 Comm: udevd Not tainted 3.16.0-rc6+ #62
Hardware name: Intel Corporation S2600CO/S2600CO, BIOS SE5C600.86B.02.02.0002.122320131210 12/23/2013
task: ffff880c1a00b280 ti: ffff88061a000000 task.ti: ffff88061a000000
RIP: 0010:[<ffffffff814e0618>] [<ffffffff814e0618>] ata_qc_new_init+0x188/0x1b0
RSP: 0018:ffff88061a003ae8 EFLAGS: 00010012
RAX: 0000000000000001 RBX: ffff88000241ca80 RCX: 00000000000000fa
RDX: 0000000000000020 RSI: 0000000000000020 RDI: ffff8806194aa298
RBP: ffff88061a003ae8 R08: ffff8806194a8000 R09: 0000000000000000
R10: 0000000000000000 R11: ffff88000241ca80 R12: ffff88061ad58200
R13: ffff8806194aa298 R14: ffffffff814e67a0 R15: ffff8806194a8000
FS: 00007f3ad7fe3840(0000) GS:ffff880627620000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000058 CR3: 000000061a118000 CR4: 00000000001407e0
Stack:
ffff88061a003b20 ffffffff814e96e1 ffff88000241ca80 ffff88061ad58200
ffff8800b6bf6000 ffff880c1c988000 ffff880619903850 ffff88061a003b68
ffffffffa0056ce1 ffff88061a003b48 0000000013d6e6f8 ffff88000241ca80
Call Trace:
[<ffffffff814e96e1>] ata_sas_queuecmd+0xa1/0x430
[<ffffffffa0056ce1>] sas_queuecommand+0x191/0x220 [libsas]
[<ffffffff8149afee>] scsi_dispatch_cmd+0x10e/0x300
[<ffffffff814a3bc5>] scsi_request_fn+0x2f5/0x550
[<ffffffff81317613>] __blk_run_queue+0x33/0x40
[<ffffffff8131781a>] queue_unplugged+0x2a/0x90
[<ffffffff8131ceb4>] blk_flush_plug_list+0x1b4/0x210
[<ffffffff8131d274>] blk_finish_plug+0x14/0x50
[<ffffffff8117eaa8>] __do_page_cache_readahead+0x198/0x1f0
[<ffffffff8117ee21>] force_page_cache_readahead+0x31/0x50
[<ffffffff8117ee7e>] page_cache_sync_readahead+0x3e/0x50
[<ffffffff81172ac6>] generic_file_read_iter+0x496/0x5a0
[<ffffffff81219897>] blkdev_read_iter+0x37/0x40
[<ffffffff811e307e>] new_sync_read+0x7e/0xb0
[<ffffffff811e3734>] vfs_read+0x94/0x170
[<ffffffff811e43c6>] SyS_read+0x46/0xb0
[<ffffffff811e33d1>] ? SyS_lseek+0x91/0xb0
[<ffffffff8171ee29>] system_call_fastpath+0x16/0x1b
Code: 00 00 00 88 50 29 83 7f 08 01 19 d2 83 e2 f0 83 ea 50 88 50 34 c6 81 1d 02 00 00 40 c6 81 17 02 00 00 00 5d c3 66 0f 1f 44 00 00 <89> 14 25 58 00 00 00
Fix it by introducing ata_host->n_tags which is initialized to
ATA_MAX_QUEUE - 1 in ata_host_init() for SAS controllers and set to
scsi_host_template->can_queue in ata_host_register() for !SAS ones.
As SAS hosts are never registered, this will give them the same
ATA_MAX_QUEUE - 1 as before. Note that we can't use
scsi_host->can_queue directly for SAS hosts anyway as they can go
higher than the libata maximum.
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Mike Qiu <qiudayu@linux.vnet.ibm.com>
Reported-by: Jesse Brandeburg <jesse.brandeburg@gmail.com>
Reported-by: Peter Hurley <peter@hurleysoftware.com>
Reported-by: Peter Zijlstra <peterz@infradead.org>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Fixes: 1871ee134b73 ("libata: support the ata host which implements a queue depth less than 32")
Cc: Kevin Hao <haokexin@gmail.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/ata/libata-core.c | 16 ++++------------
include/linux/libata.h | 1 +
2 files changed, 5 insertions(+), 12 deletions(-)
diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
index 0172e30..f761603 100644
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4798,9 +4798,8 @@ void swap_buf_le16(u16 *buf, unsigned int buf_words)
static struct ata_queued_cmd *ata_qc_new(struct ata_port *ap)
{
struct ata_queued_cmd *qc = NULL;
- unsigned int i, tag, max_queue;
-
- max_queue = ap->scsi_host->can_queue;
+ unsigned int max_queue = ap->host->n_tags;
+ unsigned int i, tag;
/* no command while frozen */
if (unlikely(ap->pflags & ATA_PFLAG_FROZEN))
@@ -6109,6 +6108,7 @@ void ata_host_init(struct ata_host *host, struct device *dev,
{
spin_lock_init(&host->lock);
mutex_init(&host->eh_mutex);
+ host->n_tags = ATA_MAX_QUEUE - 1;
host->dev = dev;
host->ops = ops;
}
@@ -6190,15 +6190,7 @@ int ata_host_register(struct ata_host *host, struct scsi_host_template *sht)
{
int i, rc;
- /*
- * The max queue supported by hardware must not be greater than
- * ATA_MAX_QUEUE.
- */
- if (sht->can_queue > ATA_MAX_QUEUE) {
- dev_err(host->dev, "BUG: the hardware max queue is too large\n");
- WARN_ON(1);
- return -EINVAL;
- }
+ host->n_tags = clamp(sht->can_queue, 1, ATA_MAX_QUEUE - 1);
/* host must have been started */
if (!(host->flags & ATA_HOST_STARTED)) {
diff --git a/include/linux/libata.h b/include/linux/libata.h
index 3fee55e..e13b3ae 100644
--- a/include/linux/libata.h
+++ b/include/linux/libata.h
@@ -593,6 +593,7 @@ struct ata_host {
struct device *dev;
void __iomem * const *iomap;
unsigned int n_ports;
+ unsigned int n_tags; /* nr of NCQ tags */
void *private_data;
struct ata_port_operations *ops;
unsigned long flags;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 170/259] drm/radeon: fix irq ring buffer overflow handling
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (168 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 169/259] libata: introduce ata_host->n_tags to avoid oops on SAS controllers Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 171/259] coredump: fix the setting of PF_DUMPCORE Kamal Mostafa
` (88 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Christian König, Alex Deucher, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com>
commit e8c214d22e76dd0ead38f97f8d2dc09aac70d651 upstream.
We must mask out the overflow bit as well, otherwise
the wptr will never match the rptr again and the interrupt
handler will loop forever.
Signed-off-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/gpu/drm/radeon/cik.c | 1 +
drivers/gpu/drm/radeon/evergreen.c | 1 +
drivers/gpu/drm/radeon/r600.c | 1 +
drivers/gpu/drm/radeon/si.c | 1 +
4 files changed, 4 insertions(+)
diff --git a/drivers/gpu/drm/radeon/cik.c b/drivers/gpu/drm/radeon/cik.c
index bc5fad4..950c94a 100644
--- a/drivers/gpu/drm/radeon/cik.c
+++ b/drivers/gpu/drm/radeon/cik.c
@@ -7067,6 +7067,7 @@ static inline u32 cik_get_ih_wptr(struct radeon_device *rdev)
tmp = RREG32(IH_RB_CNTL);
tmp |= IH_WPTR_OVERFLOW_CLEAR;
WREG32(IH_RB_CNTL, tmp);
+ wptr &= ~RB_OVERFLOW;
}
return (wptr & rdev->ih.ptr_mask);
}
diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c
index 47463d8..838dcd5 100644
--- a/drivers/gpu/drm/radeon/evergreen.c
+++ b/drivers/gpu/drm/radeon/evergreen.c
@@ -4713,6 +4713,7 @@ static u32 evergreen_get_ih_wptr(struct radeon_device *rdev)
tmp = RREG32(IH_RB_CNTL);
tmp |= IH_WPTR_OVERFLOW_CLEAR;
WREG32(IH_RB_CNTL, tmp);
+ wptr &= ~RB_OVERFLOW;
}
return (wptr & rdev->ih.ptr_mask);
}
diff --git a/drivers/gpu/drm/radeon/r600.c b/drivers/gpu/drm/radeon/r600.c
index 3a55ae4..b9038b6 100644
--- a/drivers/gpu/drm/radeon/r600.c
+++ b/drivers/gpu/drm/radeon/r600.c
@@ -3707,6 +3707,7 @@ static u32 r600_get_ih_wptr(struct radeon_device *rdev)
tmp = RREG32(IH_RB_CNTL);
tmp |= IH_WPTR_OVERFLOW_CLEAR;
WREG32(IH_RB_CNTL, tmp);
+ wptr &= ~RB_OVERFLOW;
}
return (wptr & rdev->ih.ptr_mask);
}
diff --git a/drivers/gpu/drm/radeon/si.c b/drivers/gpu/drm/radeon/si.c
index d9d8e55..d5c8438 100644
--- a/drivers/gpu/drm/radeon/si.c
+++ b/drivers/gpu/drm/radeon/si.c
@@ -5982,6 +5982,7 @@ static inline u32 si_get_ih_wptr(struct radeon_device *rdev)
tmp = RREG32(IH_RB_CNTL);
tmp |= IH_WPTR_OVERFLOW_CLEAR;
WREG32(IH_RB_CNTL, tmp);
+ wptr &= ~RB_OVERFLOW;
}
return (wptr & rdev->ih.ptr_mask);
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 171/259] coredump: fix the setting of PF_DUMPCORE
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (169 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 170/259] drm/radeon: fix irq ring buffer overflow handling Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 172/259] fs: umount on symlink leaks mnt count Kamal Mostafa
` (87 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Silesh C V, Mandeep Singh Baines, Andrew Morton, Linus Torvalds,
Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Silesh C V <svellattu@mvista.com>
commit aed8adb7688d5744cb484226820163af31d2499a upstream.
Commit 079148b919d0 ("coredump: factor out the setting of PF_DUMPCORE")
cleaned up the setting of PF_DUMPCORE by removing it from all the
linux_binfmt->core_dump() and moving it to zap_threads().But this ended
up clearing all the previously set flags. This causes issues during
core generation when tsk->flags is checked again (eg. for PF_USED_MATH
to dump floating point registers). Fix this.
Signed-off-by: Silesh C V <svellattu@mvista.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Mandeep Singh Baines <msb@chromium.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
fs/coredump.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/coredump.c b/fs/coredump.c
index fab2568..59009ac 100644
--- a/fs/coredump.c
+++ b/fs/coredump.c
@@ -307,7 +307,7 @@ static int zap_threads(struct task_struct *tsk, struct mm_struct *mm,
if (unlikely(nr < 0))
return nr;
- tsk->flags = PF_DUMPCORE;
+ tsk->flags |= PF_DUMPCORE;
if (atomic_read(&mm->mm_users) == nr + 1)
goto done;
/*
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 172/259] fs: umount on symlink leaks mnt count
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (170 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 171/259] coredump: fix the setting of PF_DUMPCORE Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 173/259] hwmon: (smsc47m192) Fix temperature limit and vrm write operations Kamal Mostafa
` (86 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Vasily Averin, Christoph Hellwig, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Vasily Averin <vvs@parallels.com>
commit 295dc39d941dc2ae53d5c170365af4c9d5c16212 upstream.
Currently umount on symlink blocks following umount:
/vz is separate mount
# ls /vz/ -al | grep test
drwxr-xr-x. 2 root root 4096 Jul 19 01:14 testdir
lrwxrwxrwx. 1 root root 11 Jul 19 01:16 testlink -> /vz/testdir
# umount -l /vz/testlink
umount: /vz/testlink: not mounted (expected)
# lsof /vz
# umount /vz
umount: /vz: device is busy. (unexpected)
In this case mountpoint_last() gets an extra refcount on path->mnt
Signed-off-by: Vasily Averin <vvs@openvz.org>
Acked-by: Ian Kent <raven@themaw.net>
Acked-by: Jeff Layton <jlayton@primarydata.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
fs/namei.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/namei.c b/fs/namei.c
index 01aca74..31673f4 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2236,9 +2236,10 @@ done:
goto out;
}
path->dentry = dentry;
- path->mnt = mntget(nd->path.mnt);
+ path->mnt = nd->path.mnt;
if (should_follow_link(dentry, nd->flags & LOOKUP_FOLLOW))
return 1;
+ mntget(path->mnt);
follow_mount(path);
error = 0;
out:
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 173/259] hwmon: (smsc47m192) Fix temperature limit and vrm write operations
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (171 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 172/259] fs: umount on symlink leaks mnt count Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 174/259] parisc: Remove SA_RESTORER define Kamal Mostafa
` (85 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Axel Lin, Guenter Roeck, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
commit 043572d5444116b9d9ad8ae763cf069e7accbc30 upstream.
Temperature limit clamps are applied after converting the temperature
from milli-degrees C to degrees C, so either the clamp limit needs
to be specified in degrees C, not milli-degrees C, or clamping must
happen before converting to degrees C. Use the latter method to avoid
overflows.
vrm is an u8, so the written value needs to be limited to [0, 255].
Cc: Axel Lin <axel.lin@ingics.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/hwmon/smsc47m192.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/hwmon/smsc47m192.c b/drivers/hwmon/smsc47m192.c
index efee4c5..34b9a60 100644
--- a/drivers/hwmon/smsc47m192.c
+++ b/drivers/hwmon/smsc47m192.c
@@ -86,7 +86,7 @@ static inline u8 IN_TO_REG(unsigned long val, int n)
*/
static inline s8 TEMP_TO_REG(int val)
{
- return clamp_val(SCALE(val, 1, 1000), -128000, 127000);
+ return SCALE(clamp_val(val, -128000, 127000), 1, 1000);
}
static inline int TEMP_FROM_REG(s8 val)
@@ -384,6 +384,8 @@ static ssize_t set_vrm(struct device *dev, struct device_attribute *attr,
err = kstrtoul(buf, 10, &val);
if (err)
return err;
+ if (val > 255)
+ return -EINVAL;
data->vrm = val;
return count;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 174/259] parisc: Remove SA_RESTORER define
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (172 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 173/259] hwmon: (smsc47m192) Fix temperature limit and vrm write operations Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 175/259] drm/radeon: fix cut and paste issue for hawaii Kamal Mostafa
` (84 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: John David Anglin, Helge Deller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: John David Anglin <dave.anglin@bell.net>
commit 20dbea494543aefaace874cc3ec93a39b94b1ec4 upstream.
The sa_restorer field in struct sigaction is obsolete and no longer in
the parisc implementation. However, the core code assumes the field is
present if SA_RESTORER is defined. So, the define needs to be removed.
Signed-off-by: John David Anglin <dave.anglin@bell.net>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/parisc/include/uapi/asm/signal.h | 2 --
1 file changed, 2 deletions(-)
diff --git a/arch/parisc/include/uapi/asm/signal.h b/arch/parisc/include/uapi/asm/signal.h
index a2fa2971..f5645d6 100644
--- a/arch/parisc/include/uapi/asm/signal.h
+++ b/arch/parisc/include/uapi/asm/signal.h
@@ -69,8 +69,6 @@
#define SA_NOMASK SA_NODEFER
#define SA_ONESHOT SA_RESETHAND
-#define SA_RESTORER 0x04000000 /* obsolete -- ignored */
-
#define MINSIGSTKSZ 2048
#define SIGSTKSZ 8192
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 175/259] drm/radeon: fix cut and paste issue for hawaii.
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (173 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 174/259] parisc: Remove SA_RESTORER define Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 176/259] parport: fix menu breakage Kamal Mostafa
` (83 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Jérôme Glisse, Dave Airlie, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Jerome Glisse <jglisse@redhat.com>
commit 1b2c4869d8247f9e202fa8a73777c34adc62d409 upstream.
This is a halfway fix for hawaii acceleration. More fixes to come
but hopefully isolated to userspace.
Signed-off-by: Jérôme Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/gpu/drm/radeon/cik.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/radeon/cik.c b/drivers/gpu/drm/radeon/cik.c
index 950c94a..17649ac 100644
--- a/drivers/gpu/drm/radeon/cik.c
+++ b/drivers/gpu/drm/radeon/cik.c
@@ -2219,6 +2219,7 @@ static void cik_tiling_mode_table_init(struct radeon_device *rdev)
gb_tile_moden = 0;
break;
}
+ rdev->config.cik.macrotile_mode_array[reg_offset] = gb_tile_moden;
WREG32(GB_MACROTILE_MODE0 + (reg_offset * 4), gb_tile_moden);
}
} else if (num_pipe_configs == 8) {
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 176/259] parport: fix menu breakage
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (174 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 175/259] drm/radeon: fix cut and paste issue for hawaii Kamal Mostafa
@ 2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 177/259] Fix gcc-4.9.0 miscompilation of load_balance() in scheduler Kamal Mostafa
` (82 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:39 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Randy Dunlap, Mark Salter, Ingo Molnar, Linus Torvalds, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Randy Dunlap <rdunlap@infradead.org>
commit edffe1b626b39bd7121691dfdecb548431003bbb upstream.
Do not split the PARPORT-related symbols with the new kconfig
symbol ARCH_MIGHT_HAVE_PC_PARPORT. The split was causing incorrect
display of these symbols -- they were not being displayed together
as they should be.
Fixes: d90c3eb31535 "Kconfig cleanup (PARPORT_PC dependencies)"
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Cc: Mark Salter <msalter@redhat.com>
Cc: Ingo Molnar <mingo@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/parport/Kconfig | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/parport/Kconfig b/drivers/parport/Kconfig
index 2872ece..44333bd 100644
--- a/drivers/parport/Kconfig
+++ b/drivers/parport/Kconfig
@@ -5,6 +5,12 @@
# Parport configuration.
#
+config ARCH_MIGHT_HAVE_PC_PARPORT
+ bool
+ help
+ Select this config option from the architecture Kconfig if
+ the architecture might have PC parallel port hardware.
+
menuconfig PARPORT
tristate "Parallel port support"
depends on HAS_IOMEM
@@ -31,12 +37,6 @@ menuconfig PARPORT
If unsure, say Y.
-config ARCH_MIGHT_HAVE_PC_PARPORT
- bool
- help
- Select this config option from the architecture Kconfig if
- the architecture might have PC parallel port hardware.
-
if PARPORT
config PARPORT_PC
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 177/259] Fix gcc-4.9.0 miscompilation of load_balance() in scheduler
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (175 preceding siblings ...)
2014-08-08 20:39 ` [PATCH 3.13 176/259] parport: fix menu breakage Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 178/259] Revert "mac80211: move "bufferable MMPDU" check to fix AP mode scan" Kamal Mostafa
` (81 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Jakub Jelinek, Linus Torvalds, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Linus Torvalds <torvalds@linux-foundation.org>
commit 2062afb4f804afef61cbe62a30cac9a46e58e067 upstream.
Michel Dänzer and a couple of other people reported inexplicable random
oopses in the scheduler, and the cause turns out to be gcc mis-compiling
the load_balance() function when debugging is enabled. The gcc bug
apparently goes back to gcc-4.5, but slight optimization changes means
that it now showed up as a problem in 4.9.0 and 4.9.1.
The instruction scheduling problem causes gcc to schedule a spill
operation to before the stack frame has been created, which in turn can
corrupt the spilled value if an interrupt comes in. There may be other
effects of this bug too, but that's the code generation problem seen in
Michel's case.
This is fixed in current gcc HEAD, but the workaround as suggested by
Markus Trippelsdorf is pretty simple: use -fno-var-tracking-assignments
when compiling the kernel, which disables the gcc code that causes the
problem. This can result in slightly worse debug information for
variable accesses, but that is infinitely preferable to actual code
generation problems.
Doing this unconditionally (not just for CONFIG_DEBUG_INFO) also allows
non-debug builds to verify that the debug build would be identical: we
can do
export GCC_COMPARE_DEBUG=1
to make gcc internally verify that the result of the build is
independent of the "-g" flag (it will make the compiler build everything
twice, toggling the debug flag, and compare the results).
Without the "-fno-var-tracking-assignments" option, the build would fail
(even with 4.8.3 that didn't show the actual stack frame bug) with a gcc
compare failure.
See also gcc bugzilla:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61801
Reported-by: Michel Dänzer <michel@daenzer.net>
Suggested-by: Markus Trippelsdorf <markus@trippelsdorf.de>
Cc: Jakub Jelinek <jakub@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
Makefile | 2 ++
1 file changed, 2 insertions(+)
diff --git a/Makefile b/Makefile
index e1fa2a4..3ad2dc5 100644
--- a/Makefile
+++ b/Makefile
@@ -617,6 +617,8 @@ KBUILD_CFLAGS += -fomit-frame-pointer
endif
endif
+KBUILD_CFLAGS += $(call cc-option, -fno-var-tracking-assignments)
+
ifdef CONFIG_DEBUG_INFO
KBUILD_CFLAGS += -g
KBUILD_AFLAGS += -gdwarf-2
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 178/259] Revert "mac80211: move "bufferable MMPDU" check to fix AP mode scan"
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (176 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 177/259] Fix gcc-4.9.0 miscompilation of load_balance() in scheduler Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 179/259] scsi: handle flush errors properly Kamal Mostafa
` (80 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Johannes Berg, Luis Henriques, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
commit 08b9939997df30e42a228e1ecb97f99e9c8ea84e upstream.
This reverts commit 277d916fc2e959c3f106904116bb4f7b1148d47a as it was
at least breaking iwlwifi by setting the IEEE80211_TX_CTL_NO_PS_BUFFER
flag in all kinds of interface modes, not only for AP mode where it is
appropriate.
To avoid reintroducing the original problem, explicitly check for probe
request frames in the multicast buffering code.
Fixes: 277d916fc2e9 ("mac80211: move "bufferable MMPDU" check to fix AP mode scan")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[ luis: backported to 3.11: based on Johannes' backport for 3.10 ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/mac80211/tx.c | 26 +++++++++++++-------------
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index c45f75f..101bccf 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -413,6 +413,9 @@ ieee80211_tx_h_multicast_ps_buf(struct ieee80211_tx_data *tx)
if (ieee80211_has_order(hdr->frame_control))
return TX_CONTINUE;
+ if (ieee80211_is_probe_req(hdr->frame_control))
+ return TX_CONTINUE;
+
if (tx->local->hw.flags & IEEE80211_HW_QUEUE_CONTROL)
info->hw_queue = tx->sdata->vif.cab_queue;
@@ -463,6 +466,7 @@ ieee80211_tx_h_unicast_ps_buf(struct ieee80211_tx_data *tx)
{
struct sta_info *sta = tx->sta;
struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx->skb);
+ struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)tx->skb->data;
struct ieee80211_local *local = tx->local;
if (unlikely(!sta))
@@ -473,6 +477,15 @@ ieee80211_tx_h_unicast_ps_buf(struct ieee80211_tx_data *tx)
!(info->flags & IEEE80211_TX_CTL_NO_PS_BUFFER))) {
int ac = skb_get_queue_mapping(tx->skb);
+ /* only deauth, disassoc and action are bufferable MMPDUs */
+ if (ieee80211_is_mgmt(hdr->frame_control) &&
+ !ieee80211_is_deauth(hdr->frame_control) &&
+ !ieee80211_is_disassoc(hdr->frame_control) &&
+ !ieee80211_is_action(hdr->frame_control)) {
+ info->flags |= IEEE80211_TX_CTL_NO_PS_BUFFER;
+ return TX_CONTINUE;
+ }
+
ps_dbg(sta->sdata, "STA %pM aid %d: PS buffer for AC %d\n",
sta->sta.addr, sta->sta.aid, ac);
if (tx->local->total_ps_buffered >= TOTAL_MAX_TX_BUFFER)
@@ -530,22 +543,9 @@ ieee80211_tx_h_unicast_ps_buf(struct ieee80211_tx_data *tx)
static ieee80211_tx_result debug_noinline
ieee80211_tx_h_ps_buf(struct ieee80211_tx_data *tx)
{
- struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx->skb);
- struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)tx->skb->data;
-
if (unlikely(tx->flags & IEEE80211_TX_PS_BUFFERED))
return TX_CONTINUE;
- /* only deauth, disassoc and action are bufferable MMPDUs */
- if (ieee80211_is_mgmt(hdr->frame_control) &&
- !ieee80211_is_deauth(hdr->frame_control) &&
- !ieee80211_is_disassoc(hdr->frame_control) &&
- !ieee80211_is_action(hdr->frame_control)) {
- if (tx->flags & IEEE80211_TX_UNICAST)
- info->flags |= IEEE80211_TX_CTL_NO_PS_BUFFER;
- return TX_CONTINUE;
- }
-
if (tx->flags & IEEE80211_TX_UNICAST)
return ieee80211_tx_h_unicast_ps_buf(tx);
else
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 179/259] scsi: handle flush errors properly
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (177 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 178/259] Revert "mac80211: move "bufferable MMPDU" check to fix AP mode scan" Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 180/259] cfg80211: fix mic_failure tracing Kamal Mostafa
` (79 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: James Bottomley, Christoph Hellwig, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: James Bottomley <JBottomley@Parallels.com>
commit 89fb4cd1f717a871ef79fa7debbe840e3225cd54 upstream.
Flush commands don't transfer data and thus need to be special cased
in the I/O completion handler so that we can propagate errors to
the block layer and filesystem.
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Reported-by: Steven Haber <steven@qumulo.com>
Tested-by: Steven Haber <steven@qumulo.com>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/scsi/scsi_lib.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 62ec84b..64e487a 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -831,6 +831,14 @@ void scsi_io_completion(struct scsi_cmnd *cmd, unsigned int good_bytes)
scsi_next_command(cmd);
return;
}
+ } else if (blk_rq_bytes(req) == 0 && result && !sense_deferred) {
+ /*
+ * Certain non BLOCK_PC requests are commands that don't
+ * actually transfer anything (FLUSH), so cannot use
+ * good_bytes != blk_rq_bytes(req) as the signal for an error.
+ * This sets the error explicitly for the problem case.
+ */
+ error = __scsi_error_from_host_byte(cmd, result);
}
/* no bidi support for !REQ_TYPE_BLOCK_PC yet */
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 180/259] cfg80211: fix mic_failure tracing
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (178 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 179/259] scsi: handle flush errors properly Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 181/259] iio: buffer: Fix demux table creation Kamal Mostafa
` (78 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Eliad Peller, Emmanuel Grumbach, Johannes Berg, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Eliad Peller <eliad@wizery.com>
commit 8c26d458394be44e135d1c6bd4557e1c4e1a0535 upstream.
tsc can be NULL (mac80211 currently always passes NULL),
resulting in NULL-dereference. check before copying it.
Signed-off-by: Eliad Peller <eliadx.peller@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/wireless/trace.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/wireless/trace.h b/net/wireless/trace.h
index ba5f0d6..064b471 100644
--- a/net/wireless/trace.h
+++ b/net/wireless/trace.h
@@ -2029,7 +2029,8 @@ TRACE_EVENT(cfg80211_michael_mic_failure,
MAC_ASSIGN(addr, addr);
__entry->key_type = key_type;
__entry->key_id = key_id;
- memcpy(__entry->tsc, tsc, 6);
+ if (tsc)
+ memcpy(__entry->tsc, tsc, 6);
),
TP_printk(NETDEV_PR_FMT ", " MAC_PR_FMT ", key type: %d, key id: %d, tsc: %pm",
NETDEV_PR_ARG, MAC_PR_ARG(addr), __entry->key_type,
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 181/259] iio: buffer: Fix demux table creation
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (179 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 180/259] cfg80211: fix mic_failure tracing Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 182/259] iio:bma180: Fix scale factors to report correct acceleration units Kamal Mostafa
` (77 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Lars-Peter Clausen, Jonathan Cameron, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Lars-Peter Clausen <lars@metafoo.de>
commit 61bd55ce1667809f022be88da77db17add90ea4e upstream.
When creating the demux table we need to iterate over the selected scan mask for
the buffer to get the samples which should be copied to destination buffer.
Right now the code uses the mask which contains all active channels, which means
the demux table contains entries which causes it to copy all the samples from
source to destination buffer one by one without doing any demuxing.
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/iio/industrialio-buffer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iio/industrialio-buffer.c b/drivers/iio/industrialio-buffer.c
index 4bf831a..d660c89 100644
--- a/drivers/iio/industrialio-buffer.c
+++ b/drivers/iio/industrialio-buffer.c
@@ -924,7 +924,7 @@ static int iio_buffer_update_demux(struct iio_dev *indio_dev,
/* Now we have the two masks, work from least sig and build up sizes */
for_each_set_bit(out_ind,
- indio_dev->active_scan_mask,
+ buffer->scan_mask,
indio_dev->masklength) {
in_ind = find_next_bit(indio_dev->active_scan_mask,
indio_dev->masklength,
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 182/259] iio:bma180: Fix scale factors to report correct acceleration units
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (180 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 181/259] iio: buffer: Fix demux table creation Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 183/259] iio:bma180: Missing check for frequency fractional part Kamal Mostafa
` (76 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Peter Meerwald, Oleksandr Kravchenko, Jonathan Cameron, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Meerwald <pmeerw@pmeerw.net>
commit 381676d5e86596b11e22a62f196e192df6091373 upstream.
The userspace interface for acceleration sensors is documented as using
m/s^2 units [Documentation/ABI/testing/sysfs-bus-iio]
The fullscale raw values for the BMA80 corresponds to -/+ 1, 1.5, 2, etc G
depending on the selected mode.
The scale table was converting to G rather than m/s^2.
Change the scaling table to match the documented interface.
See commit 71702e6e, iio: mma8452: Use correct acceleration units,
for a related fix.
Signed-off-by: Peter Meerwald <pmeerw@pmeerw.net>
Cc: Oleksandr Kravchenko <o.v.kravchenko@globallogic.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/iio/accel/bma180.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/iio/accel/bma180.c b/drivers/iio/accel/bma180.c
index 28b3928..8d5ea9b 100644
--- a/drivers/iio/accel/bma180.c
+++ b/drivers/iio/accel/bma180.c
@@ -68,13 +68,13 @@
/* Defaults values */
#define BMA180_DEF_PMODE 0
#define BMA180_DEF_BW 20
-#define BMA180_DEF_SCALE 250
+#define BMA180_DEF_SCALE 2452
/* Available values for sysfs */
#define BMA180_FLP_FREQ_AVAILABLE \
"10 20 40 75 150 300"
#define BMA180_SCALE_AVAILABLE \
- "0.000130 0.000190 0.000250 0.000380 0.000500 0.000990 0.001980"
+ "0.001275 0.001863 0.002452 0.003727 0.004903 0.009709 0.019417"
struct bma180_data {
struct i2c_client *client;
@@ -94,7 +94,7 @@ enum bma180_axis {
};
static int bw_table[] = { 10, 20, 40, 75, 150, 300 }; /* Hz */
-static int scale_table[] = { 130, 190, 250, 380, 500, 990, 1980 };
+static int scale_table[] = { 1275, 1863, 2452, 3727, 4903, 9709, 19417 };
static int bma180_get_acc_reg(struct bma180_data *data, enum bma180_axis axis)
{
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 183/259] iio:bma180: Missing check for frequency fractional part
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (181 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 182/259] iio:bma180: Fix scale factors to report correct acceleration units Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 184/259] powerpc/perf: Fix MMCR2 handling for EBB Kamal Mostafa
` (75 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Peter Meerwald, Oleksandr Kravchenko, Jonathan Cameron, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Meerwald <pmeerw@pmeerw.net>
commit 9b2a4d35a6ceaf217be61ed8eb3c16986244f640 upstream.
val2 should be zero
This will make no difference for correct inputs but will reject
incorrect ones with a decimal part in the value written to the sysfs
interface.
Signed-off-by: Peter Meerwald <pmeerw@pmeerw.net>
Cc: Oleksandr Kravchenko <o.v.kravchenko@globallogic.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/iio/accel/bma180.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/iio/accel/bma180.c b/drivers/iio/accel/bma180.c
index 8d5ea9b..93ff0ba 100644
--- a/drivers/iio/accel/bma180.c
+++ b/drivers/iio/accel/bma180.c
@@ -376,6 +376,8 @@ static int bma180_write_raw(struct iio_dev *indio_dev,
mutex_unlock(&data->mutex);
return ret;
case IIO_CHAN_INFO_LOW_PASS_FILTER_3DB_FREQUENCY:
+ if (val2)
+ return -EINVAL;
mutex_lock(&data->mutex);
ret = bma180_set_bw(data, val);
mutex_unlock(&data->mutex);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 184/259] powerpc/perf: Fix MMCR2 handling for EBB
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (182 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 183/259] iio:bma180: Missing check for frequency fractional part Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 185/259] ath9k: fix aggregation session lockup Kamal Mostafa
` (74 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Michael Ellerman, Benjamin Herrenschmidt, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Ellerman <mpe@ellerman.id.au>
commit 8903461c9bc56fcb041fb92d054e2529951770b6 upstream.
In the recent commit b50a6c584bb4 "Clear MMCR2 when enabling PMU", I
screwed up the handling of MMCR2 for tasks using EBB.
We must make sure we set MMCR2 *before* ebb_switch_in(), otherwise we
overwrite the value of MMCR2 that userspace may have written. That
potentially breaks a task that uses EBB and manually uses MMCR2 for
event freezing.
Fixes: b50a6c584bb4 ("powerpc/perf: Clear MMCR2 when enabling PMU")
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/powerpc/perf/core-book3s.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/powerpc/perf/core-book3s.c b/arch/powerpc/perf/core-book3s.c
index 57a8ff9..36a8bdd 100644
--- a/arch/powerpc/perf/core-book3s.c
+++ b/arch/powerpc/perf/core-book3s.c
@@ -1159,14 +1159,14 @@ static void power_pmu_enable(struct pmu *pmu)
cpuhw->mmcr[0] |= MMCR0_PMXE | MMCR0_FCECE;
out_enable:
+ if (ppmu->flags & PPMU_ARCH_207S)
+ mtspr(SPRN_MMCR2, 0);
+
mmcr0 = ebb_switch_in(ebb, cpuhw->mmcr[0]);
mb();
write_mmcr0(cpuhw, mmcr0);
- if (ppmu->flags & PPMU_ARCH_207S)
- mtspr(SPRN_MMCR2, 0);
-
/*
* Enable instruction sampling if necessary
*/
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 185/259] ath9k: fix aggregation session lockup
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (183 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 184/259] powerpc/perf: Fix MMCR2 handling for EBB Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 186/259] sched_clock: Avoid corrupting hrtimer tree during suspend Kamal Mostafa
` (73 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Felix Fietkau, John W. Linville, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Fietkau <nbd@openwrt.org>
commit c01fac1c77a00227f706a1654317023e3f4ac7f0 upstream.
If an aggregation session fails, frames still end up in the driver queue
with IEEE80211_TX_CTL_AMPDU set.
This causes tx for the affected station/tid to stall, since
ath_tx_get_tid_subframe returning packets to send.
Fix this by clearing IEEE80211_TX_CTL_AMPDU as long as no aggregation
session is running.
Reported-by: Antonio Quartulli <antonio@open-mesh.com>
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/wireless/ath/ath9k/xmit.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c
index 6fa2d35..62744cb 100644
--- a/drivers/net/wireless/ath/ath9k/xmit.c
+++ b/drivers/net/wireless/ath/ath9k/xmit.c
@@ -904,6 +904,15 @@ ath_tx_get_tid_subframe(struct ath_softc *sc, struct ath_txq *txq,
tx_info = IEEE80211_SKB_CB(skb);
tx_info->flags &= ~IEEE80211_TX_CTL_CLEAR_PS_FILT;
+
+ /*
+ * No aggregation session is running, but there may be frames
+ * from a previous session or a failed attempt in the queue.
+ * Send them out as normal data frames
+ */
+ if (!tid->active)
+ tx_info->flags &= ~IEEE80211_TX_CTL_AMPDU;
+
if (!(tx_info->flags & IEEE80211_TX_CTL_AMPDU)) {
bf->bf_state.bf_type = 0;
return bf;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 186/259] sched_clock: Avoid corrupting hrtimer tree during suspend
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (184 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 185/259] ath9k: fix aggregation session lockup Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 187/259] staging: vt6655: Fix Warning on boot handle_irq_event_percpu Kamal Mostafa
` (72 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Stephen Boyd, John Stultz, Ingo Molnar, Thomas Gleixner, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephen Boyd <sboyd@codeaurora.org>
commit f723aa1817dd8f4fe005aab52ba70c8ab0ef9457 upstream.
During suspend we call sched_clock_poll() to update the epoch and
accumulated time and reprogram the sched_clock_timer to fire
before the next wrap-around time. Unfortunately,
sched_clock_poll() doesn't restart the timer, instead it relies
on the hrtimer layer to do that and during suspend we aren't
calling that function from the hrtimer layer. Instead, we're
reprogramming the expires time while the hrtimer is enqueued,
which can cause the hrtimer tree to be corrupted. Furthermore, we
restart the timer during suspend but we update the epoch during
resume which seems counter-intuitive.
Let's fix this by saving the accumulated state and canceling the
timer during suspend. On resume we can update the epoch and
restart the timer similar to what we would do if we were starting
the clock for the first time.
Fixes: a08ca5d1089d "sched_clock: Use an hrtimer instead of timer"
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Link: http://lkml.kernel.org/r/1406174630-23458-1-git-send-email-john.stultz@linaro.org
Cc: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
kernel/time/sched_clock.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/kernel/time/sched_clock.c b/kernel/time/sched_clock.c
index 0abb364..4763ec7 100644
--- a/kernel/time/sched_clock.c
+++ b/kernel/time/sched_clock.c
@@ -192,7 +192,8 @@ void __init sched_clock_postinit(void)
static int sched_clock_suspend(void)
{
- sched_clock_poll(&sched_clock_timer);
+ update_sched_clock();
+ hrtimer_cancel(&sched_clock_timer);
cd.suspended = true;
return 0;
}
@@ -200,6 +201,7 @@ static int sched_clock_suspend(void)
static void sched_clock_resume(void)
{
cd.epoch_cyc = read_sched_clock();
+ hrtimer_start(&sched_clock_timer, cd.wrap_kt, HRTIMER_MODE_REL);
cd.suspended = false;
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 187/259] staging: vt6655: Fix Warning on boot handle_irq_event_percpu.
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (185 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 186/259] sched_clock: Avoid corrupting hrtimer tree during suspend Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 188/259] staging: vt6655: Fix disassociated messages every 10 seconds Kamal Mostafa
` (71 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Malcolm Priestley, Greg Kroah-Hartman, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Malcolm Priestley <tvboxspy@gmail.com>
commit 6cff1f6ad4c615319c1a146b2aa0af1043c5e9f5 upstream.
WARNING: CPU: 0 PID: 929 at /home/apw/COD/linux/kernel/irq/handle.c:147 handle_irq_event_percpu+0x1d1/0x1e0()
irq 17 handler device_intr+0x0/0xa80 [vt6655_stage] enabled interrupts
Using spin_lock_irqsave appears to fix this.
Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/staging/vt6655/device_main.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c
index e93fdc8..d3e8336a 100644
--- a/drivers/staging/vt6655/device_main.c
+++ b/drivers/staging/vt6655/device_main.c
@@ -2431,6 +2431,7 @@ static irqreturn_t device_intr(int irq, void *dev_instance) {
unsigned char byData = 0;
int ii = 0;
// unsigned char byRSSI;
+ unsigned long flags;
MACvReadISR(pDevice->PortOffset, &pDevice->dwIsr);
@@ -2455,7 +2456,8 @@ static irqreturn_t device_intr(int irq, void *dev_instance) {
handled = 1;
MACvIntDisable(pDevice->PortOffset);
- spin_lock_irq(&pDevice->lock);
+
+ spin_lock_irqsave(&pDevice->lock, flags);
//Make sure current page is 0
VNSvInPortB(pDevice->PortOffset + MAC_REG_PAGE1SEL, &byOrgPageSel);
@@ -2696,7 +2698,8 @@ static irqreturn_t device_intr(int irq, void *dev_instance) {
MACvSelectPage1(pDevice->PortOffset);
}
- spin_unlock_irq(&pDevice->lock);
+ spin_unlock_irqrestore(&pDevice->lock, flags);
+
MACvIntEnable(pDevice->PortOffset, IMR_MASK_VALUE);
return IRQ_RETVAL(handled);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 188/259] staging: vt6655: Fix disassociated messages every 10 seconds
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (186 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 187/259] staging: vt6655: Fix Warning on boot handle_irq_event_percpu Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 189/259] can: c_can_platform: Fix raminit, use devm_ioremap() instead of devm_ioremap_resource() Kamal Mostafa
` (70 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Malcolm Priestley, Greg Kroah-Hartman, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Malcolm Priestley <tvboxspy@gmail.com>
commit 4aa0abed3a2a11b7d71ad560c1a3e7631c5a31cd upstream.
byReAssocCount is incremented every second resulting in
disassociated message being send every 10 seconds whether
connection or not.
byReAssocCount should only advance while eCommandState
is in WLAN_ASSOCIATE_WAIT
Change existing scope to if condition.
Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/staging/vt6655/bssdb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/vt6655/bssdb.c b/drivers/staging/vt6655/bssdb.c
index a23b591..e608ee2 100644
--- a/drivers/staging/vt6655/bssdb.c
+++ b/drivers/staging/vt6655/bssdb.c
@@ -1029,7 +1029,7 @@ start:
pDevice->byERPFlag &= ~(WLAN_SET_ERP_USE_PROTECTION(1));
}
- {
+ if (pDevice->eCommandState == WLAN_ASSOCIATE_WAIT) {
pDevice->byReAssocCount++;
if ((pDevice->byReAssocCount > 10) && (pDevice->bLinkPass != true)) { //10 sec timeout
printk("Re-association timeout!!!\n");
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 189/259] can: c_can_platform: Fix raminit, use devm_ioremap() instead of devm_ioremap_resource()
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (187 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 188/259] staging: vt6655: Fix disassociated messages every 10 seconds Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 190/259] crypto: arm-aes - fix encryption of unaligned data Kamal Mostafa
` (69 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: George Cherian, Mugunthan V N, Marc Kleine-Budde, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: George Cherian <george.cherian@ti.com>
commit 33cf75656923ff11d67a937a4f8e9344f58cea77 upstream.
The raminit register is shared register for both can0 and can1. Since commit:
32766ff net: can: Convert to use devm_ioremap_resource
devm_ioremap_resource() is used to map raminit register. When using both
interfaces the mapping for the can1 interface fails, leading to a non
functional can interface.
Signed-off-by: George Cherian <george.cherian@ti.com>
Signed-off-by: Mugunthan V N <mugunthanvnm@ti.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/can/c_can/c_can_platform.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/can/c_can/c_can_platform.c b/drivers/net/can/c_can/c_can_platform.c
index d66ac26..873b83a 100644
--- a/drivers/net/can/c_can/c_can_platform.c
+++ b/drivers/net/can/c_can/c_can_platform.c
@@ -194,7 +194,8 @@ static int c_can_plat_probe(struct platform_device *pdev)
priv->instance = pdev->id;
res = platform_get_resource(pdev, IORESOURCE_MEM, 1);
- priv->raminit_ctrlreg = devm_ioremap_resource(&pdev->dev, res);
+ priv->raminit_ctrlreg = devm_ioremap(&pdev->dev, res->start,
+ resource_size(res));
if (IS_ERR(priv->raminit_ctrlreg) || (int)priv->instance < 0)
dev_info(&pdev->dev, "control memory is not used for raminit\n");
else
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 190/259] crypto: arm-aes - fix encryption of unaligned data
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (188 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 189/259] can: c_can_platform: Fix raminit, use devm_ioremap() instead of devm_ioremap_resource() Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 191/259] ARM: fix alignment of keystone page table fixup Kamal Mostafa
` (68 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Mikulas Patocka, Herbert Xu, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit f3c400ef473e00c680ea713a66196b05870b3710 upstream.
Fix the same alignment bug as in arm64 - we need to pass residue
unprocessed bytes as the last argument to blkcipher_walk_done.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/arm/crypto/aesbs-glue.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/arch/arm/crypto/aesbs-glue.c b/arch/arm/crypto/aesbs-glue.c
index 4522366..15468fb 100644
--- a/arch/arm/crypto/aesbs-glue.c
+++ b/arch/arm/crypto/aesbs-glue.c
@@ -137,7 +137,7 @@ static int aesbs_cbc_encrypt(struct blkcipher_desc *desc,
dst += AES_BLOCK_SIZE;
} while (--blocks);
}
- err = blkcipher_walk_done(desc, &walk, 0);
+ err = blkcipher_walk_done(desc, &walk, walk.nbytes % AES_BLOCK_SIZE);
}
return err;
}
@@ -158,7 +158,7 @@ static int aesbs_cbc_decrypt(struct blkcipher_desc *desc,
bsaes_cbc_encrypt(walk.src.virt.addr, walk.dst.virt.addr,
walk.nbytes, &ctx->dec, walk.iv);
kernel_neon_end();
- err = blkcipher_walk_done(desc, &walk, 0);
+ err = blkcipher_walk_done(desc, &walk, walk.nbytes % AES_BLOCK_SIZE);
}
while (walk.nbytes) {
u32 blocks = walk.nbytes / AES_BLOCK_SIZE;
@@ -182,7 +182,7 @@ static int aesbs_cbc_decrypt(struct blkcipher_desc *desc,
dst += AES_BLOCK_SIZE;
src += AES_BLOCK_SIZE;
} while (--blocks);
- err = blkcipher_walk_done(desc, &walk, 0);
+ err = blkcipher_walk_done(desc, &walk, walk.nbytes % AES_BLOCK_SIZE);
}
return err;
}
@@ -268,7 +268,7 @@ static int aesbs_xts_encrypt(struct blkcipher_desc *desc,
bsaes_xts_encrypt(walk.src.virt.addr, walk.dst.virt.addr,
walk.nbytes, &ctx->enc, walk.iv);
kernel_neon_end();
- err = blkcipher_walk_done(desc, &walk, 0);
+ err = blkcipher_walk_done(desc, &walk, walk.nbytes % AES_BLOCK_SIZE);
}
return err;
}
@@ -292,7 +292,7 @@ static int aesbs_xts_decrypt(struct blkcipher_desc *desc,
bsaes_xts_decrypt(walk.src.virt.addr, walk.dst.virt.addr,
walk.nbytes, &ctx->dec, walk.iv);
kernel_neon_end();
- err = blkcipher_walk_done(desc, &walk, 0);
+ err = blkcipher_walk_done(desc, &walk, walk.nbytes % AES_BLOCK_SIZE);
}
return err;
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 191/259] ARM: fix alignment of keystone page table fixup
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (189 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 190/259] crypto: arm-aes - fix encryption of unaligned data Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 192/259] net: sendmsg: fix NULL pointer dereference Kamal Mostafa
` (67 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Russell King, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Russell King <rmk+kernel@arm.linux.org.uk>
commit 823a19cd3b91b0729d7417f1848413846be61712 upstream.
If init_mm.brk is not section aligned, the LPAE fixup code will miss
updating the final PMD. Fix this by aligning map_end.
Fixes: a77e0c7b2774 ("ARM: mm: Recreate kernel mappings in early_paging_init()")
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/arm/mm/mmu.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c
index dd0949f..b8c90c5 100644
--- a/arch/arm/mm/mmu.c
+++ b/arch/arm/mm/mmu.c
@@ -1352,8 +1352,8 @@ void __init early_paging_init(const struct machine_desc *mdesc,
return;
/* remap kernel code and data */
- map_start = init_mm.start_code;
- map_end = init_mm.brk;
+ map_start = init_mm.start_code & PMD_MASK;
+ map_end = ALIGN(init_mm.brk, PMD_SIZE);
/* get a handle on things... */
pgd0 = pgd_offset_k(0);
@@ -1388,7 +1388,7 @@ void __init early_paging_init(const struct machine_desc *mdesc,
}
/* remap pmds for kernel mapping */
- phys = __pa(map_start) & PMD_MASK;
+ phys = __pa(map_start);
do {
*pmdk++ = __pmd(phys | pmdprot);
phys += PMD_SIZE;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 192/259] net: sendmsg: fix NULL pointer dereference
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (190 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 191/259] ARM: fix alignment of keystone page table fixup Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 193/259] mm/page-writeback.c: fix divide by zero in bdi_dirty_limits() Kamal Mostafa
` (66 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Hannes Frederic Sowa, Eric Dumazet, Andrey Ryabinin,
David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrey Ryabinin <ryabinin.a.a@gmail.com>
commit 40eea803c6b2cfaab092f053248cbeab3f368412 upstream.
Sasha's report:
> While fuzzing with trinity inside a KVM tools guest running the latest -next
> kernel with the KASAN patchset, I've stumbled on the following spew:
>
> [ 4448.949424] ==================================================================
> [ 4448.951737] AddressSanitizer: user-memory-access on address 0
> [ 4448.952988] Read of size 2 by thread T19638:
> [ 4448.954510] CPU: 28 PID: 19638 Comm: trinity-c76 Not tainted 3.16.0-rc4-next-20140711-sasha-00046-g07d3099-dirty #813
> [ 4448.956823] ffff88046d86ca40 0000000000000000 ffff880082f37e78 ffff880082f37a40
> [ 4448.958233] ffffffffb6e47068 ffff880082f37a68 ffff880082f37a58 ffffffffb242708d
> [ 4448.959552] 0000000000000000 ffff880082f37a88 ffffffffb24255b1 0000000000000000
> [ 4448.961266] Call Trace:
> [ 4448.963158] dump_stack (lib/dump_stack.c:52)
> [ 4448.964244] kasan_report_user_access (mm/kasan/report.c:184)
> [ 4448.965507] __asan_load2 (mm/kasan/kasan.c:352)
> [ 4448.966482] ? netlink_sendmsg (net/netlink/af_netlink.c:2339)
> [ 4448.967541] netlink_sendmsg (net/netlink/af_netlink.c:2339)
> [ 4448.968537] ? get_parent_ip (kernel/sched/core.c:2555)
> [ 4448.970103] sock_sendmsg (net/socket.c:654)
> [ 4448.971584] ? might_fault (mm/memory.c:3741)
> [ 4448.972526] ? might_fault (./arch/x86/include/asm/current.h:14 mm/memory.c:3740)
> [ 4448.973596] ? verify_iovec (net/core/iovec.c:64)
> [ 4448.974522] ___sys_sendmsg (net/socket.c:2096)
> [ 4448.975797] ? put_lock_stats.isra.13 (./arch/x86/include/asm/preempt.h:98 kernel/locking/lockdep.c:254)
> [ 4448.977030] ? lock_release_holdtime (kernel/locking/lockdep.c:273)
> [ 4448.978197] ? lock_release_non_nested (kernel/locking/lockdep.c:3434 (discriminator 1))
> [ 4448.979346] ? check_chain_key (kernel/locking/lockdep.c:2188)
> [ 4448.980535] __sys_sendmmsg (net/socket.c:2181)
> [ 4448.981592] ? trace_hardirqs_on_caller (kernel/locking/lockdep.c:2600)
> [ 4448.982773] ? trace_hardirqs_on (kernel/locking/lockdep.c:2607)
> [ 4448.984458] ? syscall_trace_enter (arch/x86/kernel/ptrace.c:1500 (discriminator 2))
> [ 4448.985621] ? trace_hardirqs_on_caller (kernel/locking/lockdep.c:2600)
> [ 4448.986754] SyS_sendmmsg (net/socket.c:2201)
> [ 4448.987708] tracesys (arch/x86/kernel/entry_64.S:542)
> [ 4448.988929] ==================================================================
This reports means that we've come to netlink_sendmsg() with msg->msg_name == NULL and msg->msg_namelen > 0.
After this report there was no usual "Unable to handle kernel NULL pointer dereference"
and this gave me a clue that address 0 is mapped and contains valid socket address structure in it.
This bug was introduced in f3d3342602f8bcbf37d7c46641cb9bca7618eb1c
(net: rework recvmsg handler msg_name and msg_namelen logic).
Commit message states that:
"Set msg->msg_name = NULL if user specified a NULL in msg_name but had a
non-null msg_namelen in verify_iovec/verify_compat_iovec. This doesn't
affect sendto as it would bail out earlier while trying to copy-in the
address."
But in fact this affects sendto when address 0 is mapped and contains
socket address structure in it. In such case copy-in address will succeed,
verify_iovec() function will successfully exit with msg->msg_namelen > 0
and msg->msg_name == NULL.
This patch fixes it by setting msg_namelen to 0 if msg_name == NULL.
Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
Cc: Eric Dumazet <edumazet@google.com>
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/compat.c | 9 +++++----
net/core/iovec.c | 6 +++---
2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/net/compat.c b/net/compat.c
index f50161f..cbc1a2a 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -85,7 +85,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
{
int tot_len;
- if (kern_msg->msg_namelen) {
+ if (kern_msg->msg_name && kern_msg->msg_namelen) {
if (mode == VERIFY_READ) {
int err = move_addr_to_kernel(kern_msg->msg_name,
kern_msg->msg_namelen,
@@ -93,10 +93,11 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
if (err < 0)
return err;
}
- if (kern_msg->msg_name)
- kern_msg->msg_name = kern_address;
- } else
+ kern_msg->msg_name = kern_address;
+ } else {
kern_msg->msg_name = NULL;
+ kern_msg->msg_namelen = 0;
+ }
tot_len = iov_from_user_compat_to_kern(kern_iov,
(struct compat_iovec __user *)kern_msg->msg_iov,
diff --git a/net/core/iovec.c b/net/core/iovec.c
index b618694..a9c46ba 100644
--- a/net/core/iovec.c
+++ b/net/core/iovec.c
@@ -39,7 +39,7 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr_storage *a
{
int size, ct, err;
- if (m->msg_namelen) {
+ if (m->msg_name && m->msg_namelen) {
if (mode == VERIFY_READ) {
void __user *namep;
namep = (void __user __force *) m->msg_name;
@@ -48,10 +48,10 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr_storage *a
if (err < 0)
return err;
}
- if (m->msg_name)
- m->msg_name = address;
+ m->msg_name = address;
} else {
m->msg_name = NULL;
+ m->msg_namelen = 0;
}
size = m->msg_iovlen * sizeof(struct iovec);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 193/259] mm/page-writeback.c: fix divide by zero in bdi_dirty_limits()
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (191 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 192/259] net: sendmsg: fix NULL pointer dereference Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 194/259] mm, thp: do not allow thp faults to avoid cpuset restrictions Kamal Mostafa
` (65 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Maxim Patlasov, Michal Hocko, KOSAKI Motohiro, Wu Fengguang,
Johannes Weiner, Andrew Morton, Linus Torvalds, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxim Patlasov <MPatlasov@parallels.com>
commit f6789593d5cea42a4ecb1cbeab6a23ade5ebbba7 upstream.
Under memory pressure, it is possible for dirty_thresh, calculated by
global_dirty_limits() in balance_dirty_pages(), to equal zero. Then, if
strictlimit is true, bdi_dirty_limits() tries to resolve the proportion:
bdi_bg_thresh : bdi_thresh = background_thresh : dirty_thresh
by dividing by zero.
Signed-off-by: Maxim Patlasov <mpatlasov@parallels.com>
Acked-by: Rik van Riel <riel@redhat.com>
Cc: Michal Hocko <mhocko@suse.cz>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
mm/page-writeback.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/mm/page-writeback.c b/mm/page-writeback.c
index d013dba..9f45f87 100644
--- a/mm/page-writeback.c
+++ b/mm/page-writeback.c
@@ -1324,9 +1324,9 @@ static inline void bdi_dirty_limits(struct backing_dev_info *bdi,
*bdi_thresh = bdi_dirty_limit(bdi, dirty_thresh);
if (bdi_bg_thresh)
- *bdi_bg_thresh = div_u64((u64)*bdi_thresh *
- background_thresh,
- dirty_thresh);
+ *bdi_bg_thresh = dirty_thresh ? div_u64((u64)*bdi_thresh *
+ background_thresh,
+ dirty_thresh) : 0;
/*
* In order to avoid the stacked BDI deadlock we need
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 194/259] mm, thp: do not allow thp faults to avoid cpuset restrictions
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (192 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 193/259] mm/page-writeback.c: fix divide by zero in bdi_dirty_limits() Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 195/259] rapidio/tsi721_dma: fix failure to obtain transaction descriptor Kamal Mostafa
` (64 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: David Rientjes, Bob Liu, Dave Hansen, Hedi Berriche,
Hugh Dickins, Johannes Weiner, Kirill A. Shutemov, Mel Gorman,
Rik van Riel, Srivatsa S. Bhat, Andrew Morton, Linus Torvalds,
Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: David Rientjes <rientjes@google.com>
commit b104a35d32025ca740539db2808aa3385d0f30eb upstream.
The page allocator relies on __GFP_WAIT to determine if ALLOC_CPUSET
should be set in allocflags. ALLOC_CPUSET controls if a page allocation
should be restricted only to the set of allowed cpuset mems.
Transparent hugepages clears __GFP_WAIT when defrag is disabled to prevent
the fault path from using memory compaction or direct reclaim. Thus, it
is unfairly able to allocate outside of its cpuset mems restriction as a
side-effect.
This patch ensures that ALLOC_CPUSET is only cleared when the gfp mask is
truly GFP_ATOMIC by verifying it is also not a thp allocation.
Signed-off-by: David Rientjes <rientjes@google.com>
Reported-by: Alex Thorlton <athorlton@sgi.com>
Tested-by: Alex Thorlton <athorlton@sgi.com>
Cc: Bob Liu <lliubbo@gmail.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Hedi Berriche <hedi@sgi.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Rik van Riel <riel@redhat.com>
Cc: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
mm/page_alloc.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/mm/page_alloc.c b/mm/page_alloc.c
index c4133b4..9aad4f1 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -2419,7 +2419,7 @@ static inline int
gfp_to_alloc_flags(gfp_t gfp_mask)
{
int alloc_flags = ALLOC_WMARK_MIN | ALLOC_CPUSET;
- const gfp_t wait = gfp_mask & __GFP_WAIT;
+ const bool atomic = !(gfp_mask & (__GFP_WAIT | __GFP_NO_KSWAPD));
/* __GFP_HIGH is assumed to be the same as ALLOC_HIGH to save a branch. */
BUILD_BUG_ON(__GFP_HIGH != (__force gfp_t) ALLOC_HIGH);
@@ -2428,20 +2428,20 @@ gfp_to_alloc_flags(gfp_t gfp_mask)
* The caller may dip into page reserves a bit more if the caller
* cannot run direct reclaim, or if the caller has realtime scheduling
* policy or is asking for __GFP_HIGH memory. GFP_ATOMIC requests will
- * set both ALLOC_HARDER (!wait) and ALLOC_HIGH (__GFP_HIGH).
+ * set both ALLOC_HARDER (atomic == true) and ALLOC_HIGH (__GFP_HIGH).
*/
alloc_flags |= (__force int) (gfp_mask & __GFP_HIGH);
- if (!wait) {
+ if (atomic) {
/*
- * Not worth trying to allocate harder for
- * __GFP_NOMEMALLOC even if it can't schedule.
+ * Not worth trying to allocate harder for __GFP_NOMEMALLOC even
+ * if it can't schedule.
*/
- if (!(gfp_mask & __GFP_NOMEMALLOC))
+ if (!(gfp_mask & __GFP_NOMEMALLOC))
alloc_flags |= ALLOC_HARDER;
/*
- * Ignore cpuset if GFP_ATOMIC (!wait) rather than fail alloc.
- * See also cpuset_zone_allowed() comment in kernel/cpuset.c.
+ * Ignore cpuset mems for GFP_ATOMIC rather than fail, see the
+ * comment for __cpuset_node_allowed_softwall().
*/
alloc_flags &= ~ALLOC_CPUSET;
} else if (unlikely(rt_task(current)) && !in_interrupt())
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 195/259] rapidio/tsi721_dma: fix failure to obtain transaction descriptor
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (193 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 194/259] mm, thp: do not allow thp faults to avoid cpuset restrictions Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 196/259] memcg: oom_notify use-after-free fix Kamal Mostafa
` (63 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Alexandre Bounine, Matt Porter, Andre van Herk, Stef van Os,
Vinod Koul, Dan Williams, Andrew Morton, Linus Torvalds,
Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandre Bounine <alexandre.bounine@idt.com>
commit 0193ed8225e1a79ed64632106ec3cc81798cb13c upstream.
This is a bug fix for the situation when function tsi721_desc_get() fails
to obtain a free transaction descriptor.
The bug usually results in a memory access crash dump when data transfer
scatter-gather list has more entries than size of hardware buffer
descriptors ring. This fix ensures that error is properly returned to a
caller instead of an invalid entry.
This patch is applicable to kernel versions starting from v3.5.
Signed-off-by: Alexandre Bounine <alexandre.bounine@idt.com>
Cc: Matt Porter <mporter@kernel.crashing.org>
Cc: Andre van Herk <andre.van.herk@prodrive-technologies.com>
Cc: Stef van Os <stef.van.os@prodrive-technologies.com>
Cc: Vinod Koul <vinod.koul@intel.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/rapidio/devices/tsi721_dma.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/rapidio/devices/tsi721_dma.c b/drivers/rapidio/devices/tsi721_dma.c
index 91245f5..47257b6 100644
--- a/drivers/rapidio/devices/tsi721_dma.c
+++ b/drivers/rapidio/devices/tsi721_dma.c
@@ -287,6 +287,12 @@ struct tsi721_tx_desc *tsi721_desc_get(struct tsi721_bdma_chan *bdma_chan)
"desc %p not ACKed\n", tx_desc);
}
+ if (ret == NULL) {
+ dev_dbg(bdma_chan->dchan.device->dev,
+ "%s: unable to obtain tx descriptor\n", __func__);
+ goto err_out;
+ }
+
i = bdma_chan->wr_count_next % bdma_chan->bd_num;
if (i == bdma_chan->bd_num - 1) {
i = 0;
@@ -297,7 +303,7 @@ struct tsi721_tx_desc *tsi721_desc_get(struct tsi721_bdma_chan *bdma_chan)
tx_desc->txd.phys = bdma_chan->bd_phys +
i * sizeof(struct tsi721_dma_desc);
tx_desc->hw_desc = &((struct tsi721_dma_desc *)bdma_chan->bd_base)[i];
-
+err_out:
spin_unlock_bh(&bdma_chan->lock);
return ret;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 196/259] memcg: oom_notify use-after-free fix
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (194 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 195/259] rapidio/tsi721_dma: fix failure to obtain transaction descriptor Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 197/259] crypto: af_alg - properly label AF_ALG socket Kamal Mostafa
` (62 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Michal Hocko, Andrew Morton, Linus Torvalds, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Hocko <mhocko@suse.cz>
commit 2bcf2e92c3918ce62ab4e934256e47e9a16d19c3 upstream.
Paul Furtado has reported the following GPF:
general protection fault: 0000 [#1] SMP
Modules linked in: ipv6 dm_mod xen_netfront coretemp hwmon x86_pkg_temp_thermal crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel ablk_helper cryptd lrw gf128mul glue_helper aes_x86_64 microcode pcspkr ext4 jbd2 mbcache raid0 xen_blkfront
CPU: 3 PID: 3062 Comm: java Not tainted 3.16.0-rc5 #1
task: ffff8801cfe8f170 ti: ffff8801d2ec4000 task.ti: ffff8801d2ec4000
RIP: e030:mem_cgroup_oom_synchronize+0x140/0x240
RSP: e02b:ffff8801d2ec7d48 EFLAGS: 00010283
RAX: 0000000000000001 RBX: ffff88009d633800 RCX: 000000000000000e
RDX: fffffffffffffffe RSI: ffff88009d630200 RDI: ffff88009d630200
RBP: ffff8801d2ec7da8 R08: 0000000000000012 R09: 00000000fffffffe
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88009d633800
R13: ffff8801d2ec7d48 R14: dead000000100100 R15: ffff88009d633a30
FS: 00007f1748bb4700(0000) GS:ffff8801def80000(0000) knlGS:0000000000000000
CS: e033 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00007f4110300308 CR3: 00000000c05f7000 CR4: 0000000000002660
Call Trace:
pagefault_out_of_memory+0x18/0x90
mm_fault_error+0xa9/0x1a0
__do_page_fault+0x478/0x4c0
do_page_fault+0x2c/0x40
page_fault+0x28/0x30
Code: 44 00 00 48 89 df e8 40 ca ff ff 48 85 c0 49 89 c4 74 35 4c 8b b0 30 02 00 00 4c 8d b8 30 02 00 00 4d 39 fe 74 1b 0f 1f 44 00 00 <49> 8b 7e 10 be 01 00 00 00 e8 42 d2 04 00 4d 8b 36 4d 39 fe 75
RIP mem_cgroup_oom_synchronize+0x140/0x240
Commit fb2a6fc56be6 ("mm: memcg: rework and document OOM waiting and
wakeup") has moved mem_cgroup_oom_notify outside of memcg_oom_lock
assuming it is protected by the hierarchical OOM-lock.
Although this is true for the notification part the protection doesn't
cover unregistration of event which can happen in parallel now so
mem_cgroup_oom_notify can see already unlinked and/or freed
mem_cgroup_eventfd_list.
Fix this by using memcg_oom_lock also in mem_cgroup_oom_notify.
Addresses https://bugzilla.kernel.org/show_bug.cgi?id=80881
Fixes: fb2a6fc56be6 (mm: memcg: rework and document OOM waiting and wakeup)
Signed-off-by: Michal Hocko <mhocko@suse.cz>
Reported-by: Paul Furtado <paulfurtado91@gmail.com>
Tested-by: Paul Furtado <paulfurtado91@gmail.com>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
mm/memcontrol.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index 44b0eec..a106a2d 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -5656,8 +5656,12 @@ static int mem_cgroup_oom_notify_cb(struct mem_cgroup *memcg)
{
struct mem_cgroup_eventfd_list *ev;
+ spin_lock(&memcg_oom_lock);
+
list_for_each_entry(ev, &memcg->oom_notify, list)
eventfd_signal(ev->eventfd, 1);
+
+ spin_unlock(&memcg_oom_lock);
return 0;
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 197/259] crypto: af_alg - properly label AF_ALG socket
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (195 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 196/259] memcg: oom_notify use-after-free fix Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 198/259] printk: rename printk_sched to printk_deferred Kamal Mostafa
` (61 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Milan Broz, Herbert Xu, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Milan Broz <gmazyland@gmail.com>
commit 4c63f83c2c2e16a13ce274ee678e28246bd33645 upstream.
Th AF_ALG socket was missing a security label (e.g. SELinux)
which means that socket was in "unlabeled" state.
This was recently demonstrated in the cryptsetup package
(cryptsetup v1.6.5 and later.)
See https://bugzilla.redhat.com/show_bug.cgi?id=1115120
This patch clones the sock's label from the parent sock
and resolves the issue (similar to AF_BLUETOOTH protocol family).
Signed-off-by: Milan Broz <gmazyland@gmail.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
crypto/af_alg.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/crypto/af_alg.c b/crypto/af_alg.c
index 966f893..6a3ad80 100644
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -21,6 +21,7 @@
#include <linux/module.h>
#include <linux/net.h>
#include <linux/rwsem.h>
+#include <linux/security.h>
struct alg_type_list {
const struct af_alg_type *type;
@@ -243,6 +244,7 @@ int af_alg_accept(struct sock *sk, struct socket *newsock)
sock_init_data(newsock, sk2);
sock_graft(sk2, newsock);
+ security_sk_clone(sk, sk2);
err = type->accept(ask->private, sk2);
if (err) {
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 198/259] printk: rename printk_sched to printk_deferred
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (196 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 197/259] crypto: af_alg - properly label AF_ALG socket Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 199/259] timer: Fix lock inversion between hrtimer_bases.lock and scheduler locks Kamal Mostafa
` (60 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: John Stultz, Jan Kara, Peter Zijlstra, Jiri Bohac,
Thomas Gleixner, Ingo Molnar, Andrew Morton, Linus Torvalds,
Luis Henriques, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: John Stultz <john.stultz@linaro.org>
commit aac74dc495456412c4130a1167ce4beb6c1f0b38 upstream.
After learning we'll need some sort of deferred printk functionality in
the timekeeping core, Peter suggested we rename the printk_sched function
so it can be reused by needed subsystems.
This only changes the function name. No logic changes.
Signed-off-by: John Stultz <john.stultz@linaro.org>
Reviewed-by: Steven Rostedt <rostedt@goodmis.org>
Cc: Jan Kara <jack@suse.cz>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Jiri Bohac <jbohac@suse.cz>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[ luis: prereq for 504d58745c9c ("timer: Fix lock inversion between
hrtimer_bases.lock and scheduler locks"); backported to 3.11:
- dropped changes to kernel/sched/deadline.c ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
include/linux/printk.h | 6 +++---
kernel/printk/printk.c | 2 +-
kernel/sched/core.c | 2 +-
kernel/sched/rt.c | 2 +-
4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/include/linux/printk.h b/include/linux/printk.h
index 6949258..1864d94 100644
--- a/include/linux/printk.h
+++ b/include/linux/printk.h
@@ -124,9 +124,9 @@ asmlinkage __printf(1, 2) __cold
int printk(const char *fmt, ...);
/*
- * Special printk facility for scheduler use only, _DO_NOT_USE_ !
+ * Special printk facility for scheduler/timekeeping use only, _DO_NOT_USE_ !
*/
-__printf(1, 2) __cold int printk_sched(const char *fmt, ...);
+__printf(1, 2) __cold int printk_deferred(const char *fmt, ...);
/*
* Please don't use printk_ratelimit(), because it shares ratelimiting state
@@ -161,7 +161,7 @@ int printk(const char *s, ...)
return 0;
}
static inline __printf(1, 2) __cold
-int printk_sched(const char *s, ...)
+int printk_deferred(const char *s, ...)
{
return 0;
}
diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
index 97fb834..9dbf3a1 100644
--- a/kernel/printk/printk.c
+++ b/kernel/printk/printk.c
@@ -2469,7 +2469,7 @@ void wake_up_klogd(void)
preempt_enable();
}
-int printk_sched(const char *fmt, ...)
+int printk_deferred(const char *fmt, ...)
{
unsigned long flags;
va_list args;
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index c677510..0a90d12 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -1321,7 +1321,7 @@ out:
* leave kernel.
*/
if (p->mm && printk_ratelimit()) {
- printk_sched("process %d (%s) no longer affine to cpu%d\n",
+ printk_deferred("process %d (%s) no longer affine to cpu%d\n",
task_pid_nr(p), p->comm, cpu);
}
}
diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c
index 1c40655..721d4c0 100644
--- a/kernel/sched/rt.c
+++ b/kernel/sched/rt.c
@@ -829,7 +829,7 @@ static int sched_rt_runtime_exceeded(struct rt_rq *rt_rq)
if (!once) {
once = true;
- printk_sched("sched: RT throttling activated\n");
+ printk_deferred("sched: RT throttling activated\n");
}
} else {
/*
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 199/259] timer: Fix lock inversion between hrtimer_bases.lock and scheduler locks
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (197 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 198/259] printk: rename printk_sched to printk_deferred Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 200/259] dm bufio: fully initialize shrinker Kamal Mostafa
` (59 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Jan Kara, Thomas Gleixner, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
commit 504d58745c9ca28d33572e2d8a9990b43e06075d upstream.
clockevents_increase_min_delta() calls printk() from under
hrtimer_bases.lock. That causes lock inversion on scheduler locks because
printk() can call into the scheduler. Lockdep puts it as:
======================================================
[ INFO: possible circular locking dependency detected ]
3.15.0-rc8-06195-g939f04b #2 Not tainted
-------------------------------------------------------
trinity-main/74 is trying to acquire lock:
(&port_lock_key){-.....}, at: [<811c60be>] serial8250_console_write+0x8c/0x10c
but task is already holding lock:
(hrtimer_bases.lock){-.-...}, at: [<8103caeb>] hrtimer_try_to_cancel+0x13/0x66
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #5 (hrtimer_bases.lock){-.-...}:
[<8104a942>] lock_acquire+0x92/0x101
[<8142f11d>] _raw_spin_lock_irqsave+0x2e/0x3e
[<8103c918>] __hrtimer_start_range_ns+0x1c/0x197
[<8107ec20>] perf_swevent_start_hrtimer.part.41+0x7a/0x85
[<81080792>] task_clock_event_start+0x3a/0x3f
[<810807a4>] task_clock_event_add+0xd/0x14
[<8108259a>] event_sched_in+0xb6/0x17a
[<810826a2>] group_sched_in+0x44/0x122
[<81082885>] ctx_sched_in.isra.67+0x105/0x11f
[<810828e6>] perf_event_sched_in.isra.70+0x47/0x4b
[<81082bf6>] __perf_install_in_context+0x8b/0xa3
[<8107eb8e>] remote_function+0x12/0x2a
[<8105f5af>] smp_call_function_single+0x2d/0x53
[<8107e17d>] task_function_call+0x30/0x36
[<8107fb82>] perf_install_in_context+0x87/0xbb
[<810852c9>] SYSC_perf_event_open+0x5c6/0x701
[<810856f9>] SyS_perf_event_open+0x17/0x19
[<8142f8ee>] syscall_call+0x7/0xb
-> #4 (&ctx->lock){......}:
[<8104a942>] lock_acquire+0x92/0x101
[<8142f04c>] _raw_spin_lock+0x21/0x30
[<81081df3>] __perf_event_task_sched_out+0x1dc/0x34f
[<8142cacc>] __schedule+0x4c6/0x4cb
[<8142cae0>] schedule+0xf/0x11
[<8142f9a6>] work_resched+0x5/0x30
-> #3 (&rq->lock){-.-.-.}:
[<8104a942>] lock_acquire+0x92/0x101
[<8142f04c>] _raw_spin_lock+0x21/0x30
[<81040873>] __task_rq_lock+0x33/0x3a
[<8104184c>] wake_up_new_task+0x25/0xc2
[<8102474b>] do_fork+0x15c/0x2a0
[<810248a9>] kernel_thread+0x1a/0x1f
[<814232a2>] rest_init+0x1a/0x10e
[<817af949>] start_kernel+0x303/0x308
[<817af2ab>] i386_start_kernel+0x79/0x7d
-> #2 (&p->pi_lock){-.-...}:
[<8104a942>] lock_acquire+0x92/0x101
[<8142f11d>] _raw_spin_lock_irqsave+0x2e/0x3e
[<810413dd>] try_to_wake_up+0x1d/0xd6
[<810414cd>] default_wake_function+0xb/0xd
[<810461f3>] __wake_up_common+0x39/0x59
[<81046346>] __wake_up+0x29/0x3b
[<811b8733>] tty_wakeup+0x49/0x51
[<811c3568>] uart_write_wakeup+0x17/0x19
[<811c5dc1>] serial8250_tx_chars+0xbc/0xfb
[<811c5f28>] serial8250_handle_irq+0x54/0x6a
[<811c5f57>] serial8250_default_handle_irq+0x19/0x1c
[<811c56d8>] serial8250_interrupt+0x38/0x9e
[<810510e7>] handle_irq_event_percpu+0x5f/0x1e2
[<81051296>] handle_irq_event+0x2c/0x43
[<81052cee>] handle_level_irq+0x57/0x80
[<81002a72>] handle_irq+0x46/0x5c
[<810027df>] do_IRQ+0x32/0x89
[<8143036e>] common_interrupt+0x2e/0x33
[<8142f23c>] _raw_spin_unlock_irqrestore+0x3f/0x49
[<811c25a4>] uart_start+0x2d/0x32
[<811c2c04>] uart_write+0xc7/0xd6
[<811bc6f6>] n_tty_write+0xb8/0x35e
[<811b9beb>] tty_write+0x163/0x1e4
[<811b9cd9>] redirected_tty_write+0x6d/0x75
[<810b6ed6>] vfs_write+0x75/0xb0
[<810b7265>] SyS_write+0x44/0x77
[<8142f8ee>] syscall_call+0x7/0xb
-> #1 (&tty->write_wait){-.....}:
[<8104a942>] lock_acquire+0x92/0x101
[<8142f11d>] _raw_spin_lock_irqsave+0x2e/0x3e
[<81046332>] __wake_up+0x15/0x3b
[<811b8733>] tty_wakeup+0x49/0x51
[<811c3568>] uart_write_wakeup+0x17/0x19
[<811c5dc1>] serial8250_tx_chars+0xbc/0xfb
[<811c5f28>] serial8250_handle_irq+0x54/0x6a
[<811c5f57>] serial8250_default_handle_irq+0x19/0x1c
[<811c56d8>] serial8250_interrupt+0x38/0x9e
[<810510e7>] handle_irq_event_percpu+0x5f/0x1e2
[<81051296>] handle_irq_event+0x2c/0x43
[<81052cee>] handle_level_irq+0x57/0x80
[<81002a72>] handle_irq+0x46/0x5c
[<810027df>] do_IRQ+0x32/0x89
[<8143036e>] common_interrupt+0x2e/0x33
[<8142f23c>] _raw_spin_unlock_irqrestore+0x3f/0x49
[<811c25a4>] uart_start+0x2d/0x32
[<811c2c04>] uart_write+0xc7/0xd6
[<811bc6f6>] n_tty_write+0xb8/0x35e
[<811b9beb>] tty_write+0x163/0x1e4
[<811b9cd9>] redirected_tty_write+0x6d/0x75
[<810b6ed6>] vfs_write+0x75/0xb0
[<810b7265>] SyS_write+0x44/0x77
[<8142f8ee>] syscall_call+0x7/0xb
-> #0 (&port_lock_key){-.....}:
[<8104a62d>] __lock_acquire+0x9ea/0xc6d
[<8104a942>] lock_acquire+0x92/0x101
[<8142f11d>] _raw_spin_lock_irqsave+0x2e/0x3e
[<811c60be>] serial8250_console_write+0x8c/0x10c
[<8104e402>] call_console_drivers.constprop.31+0x87/0x118
[<8104f5d5>] console_unlock+0x1d7/0x398
[<8104fb70>] vprintk_emit+0x3da/0x3e4
[<81425f76>] printk+0x17/0x19
[<8105bfa0>] clockevents_program_min_delta+0x104/0x116
[<8105c548>] clockevents_program_event+0xe7/0xf3
[<8105cc1c>] tick_program_event+0x1e/0x23
[<8103c43c>] hrtimer_force_reprogram+0x88/0x8f
[<8103c49e>] __remove_hrtimer+0x5b/0x79
[<8103cb21>] hrtimer_try_to_cancel+0x49/0x66
[<8103cb4b>] hrtimer_cancel+0xd/0x18
[<8107f102>] perf_swevent_cancel_hrtimer.part.60+0x2b/0x30
[<81080705>] task_clock_event_stop+0x20/0x64
[<81080756>] task_clock_event_del+0xd/0xf
[<81081350>] event_sched_out+0xab/0x11e
[<810813e0>] group_sched_out+0x1d/0x66
[<81081682>] ctx_sched_out+0xaf/0xbf
[<81081e04>] __perf_event_task_sched_out+0x1ed/0x34f
[<8142cacc>] __schedule+0x4c6/0x4cb
[<8142cae0>] schedule+0xf/0x11
[<8142f9a6>] work_resched+0x5/0x30
other info that might help us debug this:
Chain exists of:
&port_lock_key --> &ctx->lock --> hrtimer_bases.lock
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(hrtimer_bases.lock);
lock(&ctx->lock);
lock(hrtimer_bases.lock);
lock(&port_lock_key);
*** DEADLOCK ***
4 locks held by trinity-main/74:
#0: (&rq->lock){-.-.-.}, at: [<8142c6f3>] __schedule+0xed/0x4cb
#1: (&ctx->lock){......}, at: [<81081df3>] __perf_event_task_sched_out+0x1dc/0x34f
#2: (hrtimer_bases.lock){-.-...}, at: [<8103caeb>] hrtimer_try_to_cancel+0x13/0x66
#3: (console_lock){+.+...}, at: [<8104fb5d>] vprintk_emit+0x3c7/0x3e4
stack backtrace:
CPU: 0 PID: 74 Comm: trinity-main Not tainted 3.15.0-rc8-06195-g939f04b #2
00000000 81c3a310 8b995c14 81426f69 8b995c44 81425a99 8161f671 8161f570
8161f538 8161f559 8161f538 8b995c78 8b142bb0 00000004 8b142fdc 8b142bb0
8b995ca8 8104a62d 8b142fac 000016f2 81c3a310 00000001 00000001 00000003
Call Trace:
[<81426f69>] dump_stack+0x16/0x18
[<81425a99>] print_circular_bug+0x18f/0x19c
[<8104a62d>] __lock_acquire+0x9ea/0xc6d
[<8104a942>] lock_acquire+0x92/0x101
[<811c60be>] ? serial8250_console_write+0x8c/0x10c
[<811c6032>] ? wait_for_xmitr+0x76/0x76
[<8142f11d>] _raw_spin_lock_irqsave+0x2e/0x3e
[<811c60be>] ? serial8250_console_write+0x8c/0x10c
[<811c60be>] serial8250_console_write+0x8c/0x10c
[<8104af87>] ? lock_release+0x191/0x223
[<811c6032>] ? wait_for_xmitr+0x76/0x76
[<8104e402>] call_console_drivers.constprop.31+0x87/0x118
[<8104f5d5>] console_unlock+0x1d7/0x398
[<8104fb70>] vprintk_emit+0x3da/0x3e4
[<81425f76>] printk+0x17/0x19
[<8105bfa0>] clockevents_program_min_delta+0x104/0x116
[<8105cc1c>] tick_program_event+0x1e/0x23
[<8103c43c>] hrtimer_force_reprogram+0x88/0x8f
[<8103c49e>] __remove_hrtimer+0x5b/0x79
[<8103cb21>] hrtimer_try_to_cancel+0x49/0x66
[<8103cb4b>] hrtimer_cancel+0xd/0x18
[<8107f102>] perf_swevent_cancel_hrtimer.part.60+0x2b/0x30
[<81080705>] task_clock_event_stop+0x20/0x64
[<81080756>] task_clock_event_del+0xd/0xf
[<81081350>] event_sched_out+0xab/0x11e
[<810813e0>] group_sched_out+0x1d/0x66
[<81081682>] ctx_sched_out+0xaf/0xbf
[<81081e04>] __perf_event_task_sched_out+0x1ed/0x34f
[<8104416d>] ? __dequeue_entity+0x23/0x27
[<81044505>] ? pick_next_task_fair+0xb1/0x120
[<8142cacc>] __schedule+0x4c6/0x4cb
[<81047574>] ? trace_hardirqs_off_caller+0xd7/0x108
[<810475b0>] ? trace_hardirqs_off+0xb/0xd
[<81056346>] ? rcu_irq_exit+0x64/0x77
Fix the problem by using printk_deferred() which does not call into the
scheduler.
Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
kernel/time/clockevents.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/kernel/time/clockevents.c b/kernel/time/clockevents.c
index 086ad60..60ba1af 100644
--- a/kernel/time/clockevents.c
+++ b/kernel/time/clockevents.c
@@ -146,7 +146,8 @@ static int clockevents_increase_min_delta(struct clock_event_device *dev)
{
/* Nothing to do if we already reached the limit */
if (dev->min_delta_ns >= MIN_DELTA_LIMIT) {
- printk(KERN_WARNING "CE: Reprogramming failure. Giving up\n");
+ printk_deferred(KERN_WARNING
+ "CE: Reprogramming failure. Giving up\n");
dev->next_event.tv64 = KTIME_MAX;
return -ETIME;
}
@@ -159,9 +160,10 @@ static int clockevents_increase_min_delta(struct clock_event_device *dev)
if (dev->min_delta_ns > MIN_DELTA_LIMIT)
dev->min_delta_ns = MIN_DELTA_LIMIT;
- printk(KERN_WARNING "CE: %s increased min_delta_ns to %llu nsec\n",
- dev->name ? dev->name : "?",
- (unsigned long long) dev->min_delta_ns);
+ printk_deferred(KERN_WARNING
+ "CE: %s increased min_delta_ns to %llu nsec\n",
+ dev->name ? dev->name : "?",
+ (unsigned long long) dev->min_delta_ns);
return 0;
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 200/259] dm bufio: fully initialize shrinker
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (198 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 199/259] timer: Fix lock inversion between hrtimer_bases.lock and scheduler locks Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 201/259] dm cache: fix race affecting dirty block count Kamal Mostafa
` (58 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Greg Thelen, Mike Snitzer, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Thelen <gthelen@google.com>
commit d8c712ea471ce7a4fd1734ad2211adf8469ddddc upstream.
1d3d4437eae1 ("vmscan: per-node deferred work") added a flags field to
struct shrinker assuming that all shrinkers were zero filled. The dm
bufio shrinker is not zero filled, which leaves arbitrary kmalloc() data
in flags. So far the only defined flags bit is SHRINKER_NUMA_AWARE.
But there are proposed patches which add other bits to shrinker.flags
(e.g. memcg awareness).
Rather than simply initializing the shrinker, this patch uses kzalloc()
when allocating the dm_bufio_client to ensure that the embedded shrinker
and any other similar structures are zeroed.
This fixes theoretical over aggressive shrinking of dm bufio objects.
If the uninitialized dm_bufio_client.shrinker.flags contains
SHRINKER_NUMA_AWARE then shrink_slab() would call the dm shrinker for
each numa node rather than just once. This has been broken since 3.12.
Signed-off-by: Greg Thelen <gthelen@google.com>
Acked-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/md/dm-bufio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/md/dm-bufio.c b/drivers/md/dm-bufio.c
index 54bdd923..5056c45 100644
--- a/drivers/md/dm-bufio.c
+++ b/drivers/md/dm-bufio.c
@@ -1511,7 +1511,7 @@ struct dm_bufio_client *dm_bufio_client_create(struct block_device *bdev, unsign
BUG_ON(block_size < 1 << SECTOR_SHIFT ||
(block_size & (block_size - 1)));
- c = kmalloc(sizeof(*c), GFP_KERNEL);
+ c = kzalloc(sizeof(*c), GFP_KERNEL);
if (!c) {
r = -ENOMEM;
goto bad_client;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 201/259] dm cache: fix race affecting dirty block count
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (199 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 200/259] dm bufio: fully initialize shrinker Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 202/259] netlink: Rename netlink_capable netlink_allowed Kamal Mostafa
` (57 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Anssi Hannula, Joe Thornber, Mike Snitzer, Luis Henriques, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Anssi Hannula <anssi.hannula@iki.fi>
commit 44fa816bb778edbab6b6ddaaf24908dd6295937e upstream.
nr_dirty is updated without locking, causing it to drift so that it is
non-zero (either a small positive integer, or a very large one when an
underflow occurs) even when there are no actual dirty blocks. This was
due to a race between the workqueue and map function accessing nr_dirty
in parallel without proper protection.
People were seeing under runs due to a race on increment/decrement of
nr_dirty, see: https://lkml.org/lkml/2014/6/3/648
Fix this by using an atomic_t for nr_dirty.
Reported-by: roma1390@gmail.com
Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
Signed-off-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
[ luis: backported to 3.11: adjusted context ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/md/dm-cache-target.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c
index fd92101..ae73ee5 100644
--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -225,7 +225,7 @@ struct cache {
/*
* cache_size entries, dirty if set
*/
- dm_cblock_t nr_dirty;
+ atomic_t nr_dirty;
unsigned long *dirty_bitset;
/*
@@ -487,7 +487,7 @@ static bool is_dirty(struct cache *cache, dm_cblock_t b)
static void set_dirty(struct cache *cache, dm_oblock_t oblock, dm_cblock_t cblock)
{
if (!test_and_set_bit(from_cblock(cblock), cache->dirty_bitset)) {
- cache->nr_dirty = to_cblock(from_cblock(cache->nr_dirty) + 1);
+ atomic_inc(&cache->nr_dirty);
policy_set_dirty(cache->policy, oblock);
}
}
@@ -496,8 +496,7 @@ static void clear_dirty(struct cache *cache, dm_oblock_t oblock, dm_cblock_t cbl
{
if (test_and_clear_bit(from_cblock(cblock), cache->dirty_bitset)) {
policy_clear_dirty(cache->policy, oblock);
- cache->nr_dirty = to_cblock(from_cblock(cache->nr_dirty) - 1);
- if (!from_cblock(cache->nr_dirty))
+ if (atomic_dec_return(&cache->nr_dirty) == 0)
dm_table_event(cache->ti->table);
}
}
@@ -2275,7 +2274,7 @@ static int cache_create(struct cache_args *ca, struct cache **result)
atomic_set(&cache->quiescing_ack, 0);
r = -ENOMEM;
- cache->nr_dirty = 0;
+ atomic_set(&cache->nr_dirty, 0);
cache->dirty_bitset = alloc_bitset(from_cblock(cache->cache_size));
if (!cache->dirty_bitset) {
*error = "could not allocate dirty bitset";
@@ -2816,7 +2815,7 @@ static void cache_status(struct dm_target *ti, status_type_t type,
residency = policy_residency(cache->policy);
- DMEMIT("%llu/%llu %u %u %u %u %u %u %llu %u ",
+ DMEMIT("%llu/%llu %u %u %u %u %u %u %llu %lu ",
(unsigned long long)(nr_blocks_metadata - nr_free_blocks_metadata),
(unsigned long long)nr_blocks_metadata,
(unsigned) atomic_read(&cache->stats.read_hit),
@@ -2826,7 +2825,7 @@ static void cache_status(struct dm_target *ti, status_type_t type,
(unsigned) atomic_read(&cache->stats.demotion),
(unsigned) atomic_read(&cache->stats.promotion),
(unsigned long long) from_cblock(residency),
- cache->nr_dirty);
+ (unsigned long) atomic_read(&cache->nr_dirty));
if (writethrough_mode(&cache->features))
DMEMIT("1 writethrough ");
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 202/259] netlink: Rename netlink_capable netlink_allowed
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (200 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 201/259] dm cache: fix race affecting dirty block count Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 203/259] net: Move the permission check in sock_diag_put_filterinfo to packet_diag_dump Kamal Mostafa
` (56 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Eric W. Biederman, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: "Eric W. Biederman" <ebiederm@xmission.com>
[ Upstream commit 5187cd055b6e81fc6526109456f8b20623148d5f ]
netlink_capable is a static internal function in af_netlink.c and we
have better uses for the name netlink_capable.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/netlink/af_netlink.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index bca50b9..5f0e9bd 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1352,7 +1352,7 @@ retry:
return err;
}
-static inline int netlink_capable(const struct socket *sock, unsigned int flag)
+static inline int netlink_allowed(const struct socket *sock, unsigned int flag)
{
return (nl_table[sock->sk->sk_protocol].flags & flag) ||
ns_capable(sock_net(sock->sk)->user_ns, CAP_NET_ADMIN);
@@ -1420,7 +1420,7 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr,
/* Only superuser is allowed to listen multicasts */
if (nladdr->nl_groups) {
- if (!netlink_capable(sock, NL_CFG_F_NONROOT_RECV))
+ if (!netlink_allowed(sock, NL_CFG_F_NONROOT_RECV))
return -EPERM;
err = netlink_realloc_groups(sk);
if (err)
@@ -1482,7 +1482,7 @@ static int netlink_connect(struct socket *sock, struct sockaddr *addr,
return -EINVAL;
/* Only superuser is allowed to send multicasts */
- if (nladdr->nl_groups && !netlink_capable(sock, NL_CFG_F_NONROOT_SEND))
+ if (nladdr->nl_groups && !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND))
return -EPERM;
if (!nlk->portid)
@@ -2088,7 +2088,7 @@ static int netlink_setsockopt(struct socket *sock, int level, int optname,
break;
case NETLINK_ADD_MEMBERSHIP:
case NETLINK_DROP_MEMBERSHIP: {
- if (!netlink_capable(sock, NL_CFG_F_NONROOT_RECV))
+ if (!netlink_allowed(sock, NL_CFG_F_NONROOT_RECV))
return -EPERM;
err = netlink_realloc_groups(sk);
if (err)
@@ -2239,7 +2239,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
dst_group = ffs(addr->nl_groups);
err = -EPERM;
if ((dst_group || dst_portid) &&
- !netlink_capable(sock, NL_CFG_F_NONROOT_SEND))
+ !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND))
goto out;
} else {
dst_portid = nlk->dst_portid;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 203/259] net: Move the permission check in sock_diag_put_filterinfo to packet_diag_dump
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (201 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 202/259] netlink: Rename netlink_capable netlink_allowed Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 204/259] net: Add variants of capable for use on on sockets Kamal Mostafa
` (55 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Eric W. Biederman, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: "Eric W. Biederman" <ebiederm@xmission.com>
[ Upstream commit a53b72c83a4216f2eb883ed45a0cbce014b8e62d ]
The permission check in sock_diag_put_filterinfo is wrong, and it is so removed
from it's sources it is not clear why it is wrong. Move the computation
into packet_diag_dump and pass a bool of the result into sock_diag_filterinfo.
This does not yet correct the capability check but instead simply moves it to make
it clear what is going on.
Reported-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
include/linux/sock_diag.h | 2 +-
net/core/sock_diag.c | 4 ++--
net/packet/diag.c | 7 ++++++-
3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/include/linux/sock_diag.h b/include/linux/sock_diag.h
index 302ab80..46cca4c 100644
--- a/include/linux/sock_diag.h
+++ b/include/linux/sock_diag.h
@@ -23,7 +23,7 @@ int sock_diag_check_cookie(void *sk, __u32 *cookie);
void sock_diag_save_cookie(void *sk, __u32 *cookie);
int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attr);
-int sock_diag_put_filterinfo(struct sock *sk,
+int sock_diag_put_filterinfo(bool may_report_filterinfo, struct sock *sk,
struct sk_buff *skb, int attrtype);
#endif
diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
index 6a7fae2..c38e7a2 100644
--- a/net/core/sock_diag.c
+++ b/net/core/sock_diag.c
@@ -49,7 +49,7 @@ int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attrtype)
}
EXPORT_SYMBOL_GPL(sock_diag_put_meminfo);
-int sock_diag_put_filterinfo(struct sock *sk,
+int sock_diag_put_filterinfo(bool may_report_filterinfo, struct sock *sk,
struct sk_buff *skb, int attrtype)
{
struct nlattr *attr;
@@ -57,7 +57,7 @@ int sock_diag_put_filterinfo(struct sock *sk,
unsigned int len;
int err = 0;
- if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) {
+ if (!may_report_filterinfo) {
nla_reserve(skb, attrtype, 0);
return 0;
}
diff --git a/net/packet/diag.c b/net/packet/diag.c
index ec8b6e8..01cd1ac 100644
--- a/net/packet/diag.c
+++ b/net/packet/diag.c
@@ -127,6 +127,7 @@ static int pdiag_put_fanout(struct packet_sock *po, struct sk_buff *nlskb)
static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
struct packet_diag_req *req,
+ bool may_report_filterinfo,
struct user_namespace *user_ns,
u32 portid, u32 seq, u32 flags, int sk_ino)
{
@@ -171,7 +172,8 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
goto out_nlmsg_trim;
if ((req->pdiag_show & PACKET_SHOW_FILTER) &&
- sock_diag_put_filterinfo(sk, skb, PACKET_DIAG_FILTER))
+ sock_diag_put_filterinfo(may_report_filterinfo, sk, skb,
+ PACKET_DIAG_FILTER))
goto out_nlmsg_trim;
return nlmsg_end(skb, nlh);
@@ -187,9 +189,11 @@ static int packet_diag_dump(struct sk_buff *skb, struct netlink_callback *cb)
struct packet_diag_req *req;
struct net *net;
struct sock *sk;
+ bool may_report_filterinfo;
net = sock_net(skb->sk);
req = nlmsg_data(cb->nlh);
+ may_report_filterinfo = ns_capable(net->user_ns, CAP_NET_ADMIN);
mutex_lock(&net->packet.sklist_lock);
sk_for_each(sk, &net->packet.sklist) {
@@ -199,6 +203,7 @@ static int packet_diag_dump(struct sk_buff *skb, struct netlink_callback *cb)
goto next;
if (sk_diag_fill(sk, skb, req,
+ may_report_filterinfo,
sk_user_ns(NETLINK_CB(cb->skb).sk),
NETLINK_CB(cb->skb).portid,
cb->nlh->nlmsg_seq, NLM_F_MULTI,
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 204/259] net: Add variants of capable for use on on sockets
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (202 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 203/259] net: Move the permission check in sock_diag_put_filterinfo to packet_diag_dump Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 205/259] net: Add variants of capable for use on netlink messages Kamal Mostafa
` (54 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Eric W. Biederman, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: "Eric W. Biederman" <ebiederm@xmission.com>
[ Upstream commit a3b299da869d6e78cf42ae0b1b41797bcb8c5e4b ]
sk_net_capable - The common case, operations that are safe in a network namespace.
sk_capable - Operations that are not known to be safe in a network namespace
sk_ns_capable - The general case for special cases.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
include/net/sock.h | 5 +++++
net/core/sock.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 54 insertions(+)
diff --git a/include/net/sock.h b/include/net/sock.h
index a2b3d4e..ca1aeeb 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -2267,6 +2267,11 @@ int sock_get_timestampns(struct sock *, struct timespec __user *);
int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len, int level,
int type);
+bool sk_ns_capable(const struct sock *sk,
+ struct user_namespace *user_ns, int cap);
+bool sk_capable(const struct sock *sk, int cap);
+bool sk_net_capable(const struct sock *sk, int cap);
+
/*
* Enable debug/info messages
*/
diff --git a/net/core/sock.c b/net/core/sock.c
index 50db733..1ed4266 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -145,6 +145,55 @@
static DEFINE_MUTEX(proto_list_mutex);
static LIST_HEAD(proto_list);
+/**
+ * sk_ns_capable - General socket capability test
+ * @sk: Socket to use a capability on or through
+ * @user_ns: The user namespace of the capability to use
+ * @cap: The capability to use
+ *
+ * Test to see if the opener of the socket had when the socket was
+ * created and the current process has the capability @cap in the user
+ * namespace @user_ns.
+ */
+bool sk_ns_capable(const struct sock *sk,
+ struct user_namespace *user_ns, int cap)
+{
+ return file_ns_capable(sk->sk_socket->file, user_ns, cap) &&
+ ns_capable(user_ns, cap);
+}
+EXPORT_SYMBOL(sk_ns_capable);
+
+/**
+ * sk_capable - Socket global capability test
+ * @sk: Socket to use a capability on or through
+ * @cap: The global capbility to use
+ *
+ * Test to see if the opener of the socket had when the socket was
+ * created and the current process has the capability @cap in all user
+ * namespaces.
+ */
+bool sk_capable(const struct sock *sk, int cap)
+{
+ return sk_ns_capable(sk, &init_user_ns, cap);
+}
+EXPORT_SYMBOL(sk_capable);
+
+/**
+ * sk_net_capable - Network namespace socket capability test
+ * @sk: Socket to use a capability on or through
+ * @cap: The capability to use
+ *
+ * Test to see if the opener of the socket had when the socke was created
+ * and the current process has the capability @cap over the network namespace
+ * the socket is a member of.
+ */
+bool sk_net_capable(const struct sock *sk, int cap)
+{
+ return sk_ns_capable(sk, sock_net(sk)->user_ns, cap);
+}
+EXPORT_SYMBOL(sk_net_capable);
+
+
#ifdef CONFIG_MEMCG_KMEM
int mem_cgroup_sockets_init(struct mem_cgroup *memcg, struct cgroup_subsys *ss)
{
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 205/259] net: Add variants of capable for use on netlink messages
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (203 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 204/259] net: Add variants of capable for use on on sockets Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 206/259] net: Use netlink_ns_capable to verify the permisions of " Kamal Mostafa
` (53 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Eric W. Biederman, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: "Eric W. Biederman" <ebiederm@xmission.com>
[ Upstream commit aa4cf9452f469f16cea8c96283b641b4576d4a7b ]
netlink_net_capable - The common case use, for operations that are safe on a network namespace
netlink_capable - For operations that are only known to be safe for the global root
netlink_ns_capable - The general case of capable used to handle special cases
__netlink_ns_capable - Same as netlink_ns_capable except taking a netlink_skb_parms instead of
the skbuff of a netlink message.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
include/linux/netlink.h | 7 ++++++
net/netlink/af_netlink.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 72 insertions(+)
diff --git a/include/linux/netlink.h b/include/linux/netlink.h
index 7a6c396..8d11541 100644
--- a/include/linux/netlink.h
+++ b/include/linux/netlink.h
@@ -171,4 +171,11 @@ extern int netlink_add_tap(struct netlink_tap *nt);
extern int __netlink_remove_tap(struct netlink_tap *nt);
extern int netlink_remove_tap(struct netlink_tap *nt);
+bool __netlink_ns_capable(const struct netlink_skb_parms *nsp,
+ struct user_namespace *ns, int cap);
+bool netlink_ns_capable(const struct sk_buff *skb,
+ struct user_namespace *ns, int cap);
+bool netlink_capable(const struct sk_buff *skb, int cap);
+bool netlink_net_capable(const struct sk_buff *skb, int cap);
+
#endif /* __LINUX_NETLINK_H */
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 5f0e9bd..bd0ce97 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1352,6 +1352,71 @@ retry:
return err;
}
+/**
+ * __netlink_ns_capable - General netlink message capability test
+ * @nsp: NETLINK_CB of the socket buffer holding a netlink command from userspace.
+ * @user_ns: The user namespace of the capability to use
+ * @cap: The capability to use
+ *
+ * Test to see if the opener of the socket we received the message
+ * from had when the netlink socket was created and the sender of the
+ * message has has the capability @cap in the user namespace @user_ns.
+ */
+bool __netlink_ns_capable(const struct netlink_skb_parms *nsp,
+ struct user_namespace *user_ns, int cap)
+{
+ return sk_ns_capable(nsp->sk, user_ns, cap);
+}
+EXPORT_SYMBOL(__netlink_ns_capable);
+
+/**
+ * netlink_ns_capable - General netlink message capability test
+ * @skb: socket buffer holding a netlink command from userspace
+ * @user_ns: The user namespace of the capability to use
+ * @cap: The capability to use
+ *
+ * Test to see if the opener of the socket we received the message
+ * from had when the netlink socket was created and the sender of the
+ * message has has the capability @cap in the user namespace @user_ns.
+ */
+bool netlink_ns_capable(const struct sk_buff *skb,
+ struct user_namespace *user_ns, int cap)
+{
+ return __netlink_ns_capable(&NETLINK_CB(skb), user_ns, cap);
+}
+EXPORT_SYMBOL(netlink_ns_capable);
+
+/**
+ * netlink_capable - Netlink global message capability test
+ * @skb: socket buffer holding a netlink command from userspace
+ * @cap: The capability to use
+ *
+ * Test to see if the opener of the socket we received the message
+ * from had when the netlink socket was created and the sender of the
+ * message has has the capability @cap in all user namespaces.
+ */
+bool netlink_capable(const struct sk_buff *skb, int cap)
+{
+ return netlink_ns_capable(skb, &init_user_ns, cap);
+}
+EXPORT_SYMBOL(netlink_capable);
+
+/**
+ * netlink_net_capable - Netlink network namespace message capability test
+ * @skb: socket buffer holding a netlink command from userspace
+ * @cap: The capability to use
+ *
+ * Test to see if the opener of the socket we received the message
+ * from had when the netlink socket was created and the sender of the
+ * message has has the capability @cap over the network namespace of
+ * the socket we received the message from.
+ */
+bool netlink_net_capable(const struct sk_buff *skb, int cap)
+{
+ return netlink_ns_capable(skb, sock_net(skb->sk)->user_ns, cap);
+}
+EXPORT_SYMBOL(netlink_net_capable);
+
static inline int netlink_allowed(const struct socket *sock, unsigned int flag)
{
return (nl_table[sock->sk->sk_protocol].flags & flag) ||
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 206/259] net: Use netlink_ns_capable to verify the permisions of netlink messages
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (204 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 205/259] net: Add variants of capable for use on netlink messages Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 207/259] netlink: Only check file credentials for implicit destinations Kamal Mostafa
` (52 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Eric W. Biederman, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: "Eric W. Biederman" <ebiederm@xmission.com>
[ Upstream commit 90f62cf30a78721641e08737bda787552428061e ]
It is possible by passing a netlink socket to a more privileged
executable and then to fool that executable into writing to the socket
data that happens to be valid netlink message to do something that
privileged executable did not intend to do.
To keep this from happening replace bare capable and ns_capable calls
with netlink_capable, netlink_net_calls and netlink_ns_capable calls.
Which act the same as the previous calls except they verify that the
opener of the socket had the desired permissions as well.
Reported-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[ kamal: backport to 3.13-stable from David's 3.14 port: remove unused 'net' ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
crypto/crypto_user.c | 2 +-
drivers/connector/cn_proc.c | 2 +-
drivers/scsi/scsi_netlink.c | 2 +-
kernel/audit.c | 4 ++--
net/can/gw.c | 4 ++--
net/core/rtnetlink.c | 20 +++++++++++---------
net/dcb/dcbnl.c | 2 +-
net/decnet/dn_dev.c | 4 ++--
net/decnet/dn_fib.c | 4 ++--
net/decnet/netfilter/dn_rtmsg.c | 2 +-
net/netfilter/nfnetlink.c | 3 +--
net/netlink/genetlink.c | 2 +-
net/packet/diag.c | 2 +-
net/phonet/pn_netlink.c | 8 ++++----
net/sched/act_api.c | 2 +-
net/sched/cls_api.c | 2 +-
net/sched/sch_api.c | 6 +++---
net/tipc/netlink.c | 2 +-
net/xfrm/xfrm_user.c | 2 +-
19 files changed, 38 insertions(+), 37 deletions(-)
diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c
index 1512e41..43665d0 100644
--- a/crypto/crypto_user.c
+++ b/crypto/crypto_user.c
@@ -466,7 +466,7 @@ static int crypto_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
type -= CRYPTO_MSG_BASE;
link = &crypto_dispatch[type];
- if (!capable(CAP_NET_ADMIN))
+ if (!netlink_capable(skb, CAP_NET_ADMIN))
return -EPERM;
if ((type == (CRYPTO_MSG_GETALG - CRYPTO_MSG_BASE) &&
diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c
index 18c5b9b..3165811 100644
--- a/drivers/connector/cn_proc.c
+++ b/drivers/connector/cn_proc.c
@@ -369,7 +369,7 @@ static void cn_proc_mcast_ctl(struct cn_msg *msg,
return;
/* Can only change if privileged. */
- if (!capable(CAP_NET_ADMIN)) {
+ if (!__netlink_ns_capable(nsp, &init_user_ns, CAP_NET_ADMIN)) {
err = EPERM;
goto out;
}
diff --git a/drivers/scsi/scsi_netlink.c b/drivers/scsi/scsi_netlink.c
index fe30ea9..109802f 100644
--- a/drivers/scsi/scsi_netlink.c
+++ b/drivers/scsi/scsi_netlink.c
@@ -77,7 +77,7 @@ scsi_nl_rcv_msg(struct sk_buff *skb)
goto next_msg;
}
- if (!capable(CAP_SYS_ADMIN)) {
+ if (!netlink_capable(skb, CAP_SYS_ADMIN)) {
err = -EPERM;
goto next_msg;
}
diff --git a/kernel/audit.c b/kernel/audit.c
index 7c195fe..b64b367 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -605,13 +605,13 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
case AUDIT_TTY_SET:
case AUDIT_TRIM:
case AUDIT_MAKE_EQUIV:
- if (!capable(CAP_AUDIT_CONTROL))
+ if (!netlink_capable(skb, CAP_AUDIT_CONTROL))
err = -EPERM;
break;
case AUDIT_USER:
case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
- if (!capable(CAP_AUDIT_WRITE))
+ if (!netlink_capable(skb, CAP_AUDIT_WRITE))
err = -EPERM;
break;
default: /* bad msg */
diff --git a/net/can/gw.c b/net/can/gw.c
index 3f9b0f3..233ce53 100644
--- a/net/can/gw.c
+++ b/net/can/gw.c
@@ -804,7 +804,7 @@ static int cgw_create_job(struct sk_buff *skb, struct nlmsghdr *nlh)
u8 limhops = 0;
int err = 0;
- if (!capable(CAP_NET_ADMIN))
+ if (!netlink_capable(skb, CAP_NET_ADMIN))
return -EPERM;
if (nlmsg_len(nlh) < sizeof(*r))
@@ -900,7 +900,7 @@ static int cgw_remove_job(struct sk_buff *skb, struct nlmsghdr *nlh)
u8 limhops = 0;
int err = 0;
- if (!capable(CAP_NET_ADMIN))
+ if (!netlink_capable(skb, CAP_NET_ADMIN))
return -EPERM;
if (nlmsg_len(nlh) < sizeof(*r))
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 5e5da43..17833d1 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1366,7 +1366,8 @@ static int do_set_master(struct net_device *dev, int ifindex)
return 0;
}
-static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm,
+static int do_setlink(const struct sk_buff *skb,
+ struct net_device *dev, struct ifinfomsg *ifm,
struct nlattr **tb, char *ifname, int modified)
{
const struct net_device_ops *ops = dev->netdev_ops;
@@ -1378,7 +1379,7 @@ static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm,
err = PTR_ERR(net);
goto errout;
}
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) {
+ if (!netlink_ns_capable(skb, net->user_ns, CAP_NET_ADMIN)) {
err = -EPERM;
goto errout;
}
@@ -1632,7 +1633,7 @@ static int rtnl_setlink(struct sk_buff *skb, struct nlmsghdr *nlh)
if (err < 0)
goto errout;
- err = do_setlink(dev, ifm, tb, ifname, 0);
+ err = do_setlink(skb, dev, ifm, tb, ifname, 0);
errout:
return err;
}
@@ -1749,7 +1750,8 @@ err:
}
EXPORT_SYMBOL(rtnl_create_link);
-static int rtnl_group_changelink(struct net *net, int group,
+static int rtnl_group_changelink(const struct sk_buff *skb,
+ struct net *net, int group,
struct ifinfomsg *ifm,
struct nlattr **tb)
{
@@ -1758,7 +1760,7 @@ static int rtnl_group_changelink(struct net *net, int group,
for_each_netdev(net, dev) {
if (dev->group == group) {
- err = do_setlink(dev, ifm, tb, NULL, 0);
+ err = do_setlink(skb, dev, ifm, tb, NULL, 0);
if (err < 0)
return err;
}
@@ -1860,12 +1862,12 @@ replay:
modified = 1;
}
- return do_setlink(dev, ifm, tb, ifname, modified);
+ return do_setlink(skb, dev, ifm, tb, ifname, modified);
}
if (!(nlh->nlmsg_flags & NLM_F_CREATE)) {
if (ifm->ifi_index == 0 && tb[IFLA_GROUP])
- return rtnl_group_changelink(net,
+ return rtnl_group_changelink(skb, net,
nla_get_u32(tb[IFLA_GROUP]),
ifm, tb);
return -ENODEV;
@@ -2247,7 +2249,7 @@ static int rtnl_fdb_del(struct sk_buff *skb, struct nlmsghdr *nlh)
int err = -EINVAL;
__u8 *addr;
- if (!capable(CAP_NET_ADMIN))
+ if (!netlink_capable(skb, CAP_NET_ADMIN))
return -EPERM;
err = nlmsg_parse(nlh, sizeof(*ndm), tb, NDA_MAX, NULL);
@@ -2699,7 +2701,7 @@ static int rtnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
sz_idx = type>>2;
kind = type&3;
- if (kind != 2 && !ns_capable(net->user_ns, CAP_NET_ADMIN))
+ if (kind != 2 && !netlink_net_capable(skb, CAP_NET_ADMIN))
return -EPERM;
if (kind == 2 && nlh->nlmsg_flags&NLM_F_DUMP) {
diff --git a/net/dcb/dcbnl.c b/net/dcb/dcbnl.c
index 40d5829..1074ffb 100644
--- a/net/dcb/dcbnl.c
+++ b/net/dcb/dcbnl.c
@@ -1670,7 +1670,7 @@ static int dcb_doit(struct sk_buff *skb, struct nlmsghdr *nlh)
struct nlmsghdr *reply_nlh = NULL;
const struct reply_func *fn;
- if ((nlh->nlmsg_type == RTM_SETDCB) && !capable(CAP_NET_ADMIN))
+ if ((nlh->nlmsg_type == RTM_SETDCB) && !netlink_capable(skb, CAP_NET_ADMIN))
return -EPERM;
ret = nlmsg_parse(nlh, sizeof(*dcb), tb, DCB_ATTR_MAX,
diff --git a/net/decnet/dn_dev.c b/net/decnet/dn_dev.c
index dd0dfb2..70f2549 100644
--- a/net/decnet/dn_dev.c
+++ b/net/decnet/dn_dev.c
@@ -573,7 +573,7 @@ static int dn_nl_deladdr(struct sk_buff *skb, struct nlmsghdr *nlh)
struct dn_ifaddr __rcu **ifap;
int err = -EINVAL;
- if (!capable(CAP_NET_ADMIN))
+ if (!netlink_capable(skb, CAP_NET_ADMIN))
return -EPERM;
if (!net_eq(net, &init_net))
@@ -617,7 +617,7 @@ static int dn_nl_newaddr(struct sk_buff *skb, struct nlmsghdr *nlh)
struct dn_ifaddr *ifa;
int err;
- if (!capable(CAP_NET_ADMIN))
+ if (!netlink_capable(skb, CAP_NET_ADMIN))
return -EPERM;
if (!net_eq(net, &init_net))
diff --git a/net/decnet/dn_fib.c b/net/decnet/dn_fib.c
index 57dc159..d332aef 100644
--- a/net/decnet/dn_fib.c
+++ b/net/decnet/dn_fib.c
@@ -505,7 +505,7 @@ static int dn_fib_rtm_delroute(struct sk_buff *skb, struct nlmsghdr *nlh)
struct nlattr *attrs[RTA_MAX+1];
int err;
- if (!capable(CAP_NET_ADMIN))
+ if (!netlink_capable(skb, CAP_NET_ADMIN))
return -EPERM;
if (!net_eq(net, &init_net))
@@ -530,7 +530,7 @@ static int dn_fib_rtm_newroute(struct sk_buff *skb, struct nlmsghdr *nlh)
struct nlattr *attrs[RTA_MAX+1];
int err;
- if (!capable(CAP_NET_ADMIN))
+ if (!netlink_capable(skb, CAP_NET_ADMIN))
return -EPERM;
if (!net_eq(net, &init_net))
diff --git a/net/decnet/netfilter/dn_rtmsg.c b/net/decnet/netfilter/dn_rtmsg.c
index e83015c..e4d9560 100644
--- a/net/decnet/netfilter/dn_rtmsg.c
+++ b/net/decnet/netfilter/dn_rtmsg.c
@@ -107,7 +107,7 @@ static inline void dnrmg_receive_user_skb(struct sk_buff *skb)
if (nlh->nlmsg_len < sizeof(*nlh) || skb->len < nlh->nlmsg_len)
return;
- if (!capable(CAP_NET_ADMIN))
+ if (!netlink_capable(skb, CAP_NET_ADMIN))
RCV_SKB_FAIL(-EPERM);
/* Eventually we might send routing messages too */
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 046aa13..8be4810 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -360,14 +360,13 @@ done:
static void nfnetlink_rcv(struct sk_buff *skb)
{
struct nlmsghdr *nlh = nlmsg_hdr(skb);
- struct net *net = sock_net(skb->sk);
int msglen;
if (nlh->nlmsg_len < NLMSG_HDRLEN ||
skb->len < nlh->nlmsg_len)
return;
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) {
+ if (!netlink_net_capable(skb, CAP_NET_ADMIN)) {
netlink_ack(skb, nlh, -EPERM);
return;
}
diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
index 713671a..5e4af16 100644
--- a/net/netlink/genetlink.c
+++ b/net/netlink/genetlink.c
@@ -541,7 +541,7 @@ static int genl_family_rcv_msg(struct genl_family *family,
return -EOPNOTSUPP;
if ((ops->flags & GENL_ADMIN_PERM) &&
- !capable(CAP_NET_ADMIN))
+ !netlink_capable(skb, CAP_NET_ADMIN))
return -EPERM;
if ((nlh->nlmsg_flags & NLM_F_DUMP) == NLM_F_DUMP) {
diff --git a/net/packet/diag.c b/net/packet/diag.c
index 01cd1ac..674b0a6 100644
--- a/net/packet/diag.c
+++ b/net/packet/diag.c
@@ -193,7 +193,7 @@ static int packet_diag_dump(struct sk_buff *skb, struct netlink_callback *cb)
net = sock_net(skb->sk);
req = nlmsg_data(cb->nlh);
- may_report_filterinfo = ns_capable(net->user_ns, CAP_NET_ADMIN);
+ may_report_filterinfo = netlink_net_capable(cb->skb, CAP_NET_ADMIN);
mutex_lock(&net->packet.sklist_lock);
sk_for_each(sk, &net->packet.sklist) {
diff --git a/net/phonet/pn_netlink.c b/net/phonet/pn_netlink.c
index dc15f43..b64151a 100644
--- a/net/phonet/pn_netlink.c
+++ b/net/phonet/pn_netlink.c
@@ -70,10 +70,10 @@ static int addr_doit(struct sk_buff *skb, struct nlmsghdr *nlh)
int err;
u8 pnaddr;
- if (!capable(CAP_NET_ADMIN))
+ if (!netlink_capable(skb, CAP_NET_ADMIN))
return -EPERM;
- if (!capable(CAP_SYS_ADMIN))
+ if (!netlink_capable(skb, CAP_SYS_ADMIN))
return -EPERM;
ASSERT_RTNL();
@@ -233,10 +233,10 @@ static int route_doit(struct sk_buff *skb, struct nlmsghdr *nlh)
int err;
u8 dst;
- if (!capable(CAP_NET_ADMIN))
+ if (!netlink_capable(skb, CAP_NET_ADMIN))
return -EPERM;
- if (!capable(CAP_SYS_ADMIN))
+ if (!netlink_capable(skb, CAP_SYS_ADMIN))
return -EPERM;
ASSERT_RTNL();
diff --git a/net/sched/act_api.c b/net/sched/act_api.c
index 69cb848..36aec5f 100644
--- a/net/sched/act_api.c
+++ b/net/sched/act_api.c
@@ -997,7 +997,7 @@ static int tc_ctl_action(struct sk_buff *skb, struct nlmsghdr *n)
u32 portid = skb ? NETLINK_CB(skb).portid : 0;
int ret = 0, ovr = 0;
- if ((n->nlmsg_type != RTM_GETACTION) && !capable(CAP_NET_ADMIN))
+ if ((n->nlmsg_type != RTM_GETACTION) && !netlink_capable(skb, CAP_NET_ADMIN))
return -EPERM;
ret = nlmsg_parse(n, sizeof(struct tcamsg), tca, TCA_ACT_MAX, NULL);
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index 8e118af..2ea40d1 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -138,7 +138,7 @@ static int tc_ctl_tfilter(struct sk_buff *skb, struct nlmsghdr *n)
int err;
int tp_created = 0;
- if ((n->nlmsg_type != RTM_GETTFILTER) && !capable(CAP_NET_ADMIN))
+ if ((n->nlmsg_type != RTM_GETTFILTER) && !netlink_capable(skb, CAP_NET_ADMIN))
return -EPERM;
replay:
diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
index cd81505..e4528ae 100644
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -1079,7 +1079,7 @@ static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n)
struct Qdisc *p = NULL;
int err;
- if ((n->nlmsg_type != RTM_GETQDISC) && !capable(CAP_NET_ADMIN))
+ if ((n->nlmsg_type != RTM_GETQDISC) && !netlink_capable(skb, CAP_NET_ADMIN))
return -EPERM;
err = nlmsg_parse(n, sizeof(*tcm), tca, TCA_MAX, NULL);
@@ -1146,7 +1146,7 @@ static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n)
struct Qdisc *q, *p;
int err;
- if (!capable(CAP_NET_ADMIN))
+ if (!netlink_capable(skb, CAP_NET_ADMIN))
return -EPERM;
replay:
@@ -1486,7 +1486,7 @@ static int tc_ctl_tclass(struct sk_buff *skb, struct nlmsghdr *n)
u32 qid;
int err;
- if ((n->nlmsg_type != RTM_GETTCLASS) && !capable(CAP_NET_ADMIN))
+ if ((n->nlmsg_type != RTM_GETTCLASS) && !netlink_capable(skb, CAP_NET_ADMIN))
return -EPERM;
err = nlmsg_parse(n, sizeof(*tcm), tca, TCA_MAX, NULL);
diff --git a/net/tipc/netlink.c b/net/tipc/netlink.c
index 9f72a63..557115f 100644
--- a/net/tipc/netlink.c
+++ b/net/tipc/netlink.c
@@ -47,7 +47,7 @@ static int handle_cmd(struct sk_buff *skb, struct genl_info *info)
int hdr_space = nlmsg_total_size(GENL_HDRLEN + TIPC_GENL_HDRLEN);
u16 cmd;
- if ((req_userhdr->cmd & 0xC000) && (!capable(CAP_NET_ADMIN)))
+ if ((req_userhdr->cmd & 0xC000) && (!netlink_capable(skb, CAP_NET_ADMIN)))
cmd = TIPC_CMD_NOT_NET_ADMIN;
else
cmd = req_userhdr->cmd;
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index f964d4c..352dfa4 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2363,7 +2363,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
link = &xfrm_dispatch[type];
/* All operations require privileges, even GET */
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
+ if (!netlink_net_capable(skb, CAP_NET_ADMIN))
return -EPERM;
if ((type == (XFRM_MSG_GETSA - XFRM_MSG_BASE) ||
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 207/259] netlink: Only check file credentials for implicit destinations
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (205 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 206/259] net: Use netlink_ns_capable to verify the permisions of " Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 208/259] qlcnic: info leak in qlcnic_dcb_peer_app_info() Kamal Mostafa
` (51 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Eric W. Biederman, Andy Lutomirski, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: "Eric W. Biederman" <ebiederm@xmission.com>
[ Upstream commit 2d7a85f4b06e9c27ff629f07a524c48074f07f81 ]
It was possible to get a setuid root or setcap executable to write to
it's stdout or stderr (which has been set made a netlink socket) and
inadvertently reconfigure the networking stack.
To prevent this we check that both the creator of the socket and
the currentl applications has permission to reconfigure the network
stack.
Unfortunately this breaks Zebra which always uses sendto/sendmsg
and creates it's socket without any privileges.
To keep Zebra working don't bother checking if the creator of the
socket has privilege when a destination address is specified. Instead
rely exclusively on the privileges of the sender of the socket.
Note from Andy: This is exactly Eric's code except for some comment
clarifications and formatting fixes. Neither I nor, I think, anyone
else is thrilled with this approach, but I'm hesitant to wait on a
better fix since 3.15 is almost here.
Note to stable maintainers: This is a mess. An earlier series of
patches in 3.15 fix a rather serious security issue (CVE-2014-0181),
but they did so in a way that breaks Zebra. The offending series
includes:
commit aa4cf9452f469f16cea8c96283b641b4576d4a7b
Author: Eric W. Biederman <ebiederm@xmission.com>
Date: Wed Apr 23 14:28:03 2014 -0700
net: Add variants of capable for use on netlink messages
If a given kernel version is missing that series of fixes, it's
probably worth backporting it and this patch. if that series is
present, then this fix is critical if you care about Zebra.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
include/linux/netlink.h | 7 ++++---
net/netlink/af_netlink.c | 7 ++++++-
2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/include/linux/netlink.h b/include/linux/netlink.h
index 8d11541..8b50a62 100644
--- a/include/linux/netlink.h
+++ b/include/linux/netlink.h
@@ -16,9 +16,10 @@ static inline struct nlmsghdr *nlmsg_hdr(const struct sk_buff *skb)
}
enum netlink_skb_flags {
- NETLINK_SKB_MMAPED = 0x1, /* Packet data is mmaped */
- NETLINK_SKB_TX = 0x2, /* Packet was sent by userspace */
- NETLINK_SKB_DELIVERED = 0x4, /* Packet was delivered */
+ NETLINK_SKB_MMAPED = 0x1, /* Packet data is mmaped */
+ NETLINK_SKB_TX = 0x2, /* Packet was sent by userspace */
+ NETLINK_SKB_DELIVERED = 0x4, /* Packet was delivered */
+ NETLINK_SKB_DST = 0x8, /* Dst set in sendto or sendmsg */
};
struct netlink_skb_parms {
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index bd0ce97..ba45917 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1365,7 +1365,9 @@ retry:
bool __netlink_ns_capable(const struct netlink_skb_parms *nsp,
struct user_namespace *user_ns, int cap)
{
- return sk_ns_capable(nsp->sk, user_ns, cap);
+ return ((nsp->flags & NETLINK_SKB_DST) ||
+ file_ns_capable(nsp->sk->sk_socket->file, user_ns, cap)) &&
+ ns_capable(user_ns, cap);
}
EXPORT_SYMBOL(__netlink_ns_capable);
@@ -2285,6 +2287,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
struct sk_buff *skb;
int err;
struct scm_cookie scm;
+ u32 netlink_skb_flags = 0;
if (msg->msg_flags&MSG_OOB)
return -EOPNOTSUPP;
@@ -2306,6 +2309,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
if ((dst_group || dst_portid) &&
!netlink_allowed(sock, NL_CFG_F_NONROOT_SEND))
goto out;
+ netlink_skb_flags |= NETLINK_SKB_DST;
} else {
dst_portid = nlk->dst_portid;
dst_group = nlk->dst_group;
@@ -2335,6 +2339,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
NETLINK_CB(skb).portid = nlk->portid;
NETLINK_CB(skb).dst_group = dst_group;
NETLINK_CB(skb).creds = siocb->scm->creds;
+ NETLINK_CB(skb).flags = netlink_skb_flags;
err = -EFAULT;
if (memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len)) {
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 208/259] qlcnic: info leak in qlcnic_dcb_peer_app_info()
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (206 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 207/259] netlink: Only check file credentials for implicit destinations Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 209/259] netlink: rate-limit leftover bytes warning and print process name Kamal Mostafa
` (50 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Dan Carpenter, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
[ Upstream commit 7df566bbdd0af0785542b89466a937e94257fcfb ]
This function is called from dcbnl_build_peer_app(). The "info"
struct isn't initialized at all so we disclose 2 bytes of uninitialized
stack data. We should clear it before passing it to the user.
Fixes: 48365e485275 ('qlcnic: dcb: Add support for CEE Netlink interface.')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c
index 86bca7c..ca38cb3 100644
--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c
+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c
@@ -1047,6 +1047,7 @@ static int qlcnic_dcb_peer_app_info(struct net_device *netdev,
struct qlcnic_dcb_cee *peer;
int i;
+ memset(info, 0, sizeof(*info));
*app_count = 0;
if (!test_bit(QLCNIC_DCB_STATE, &adapter->dcb->state))
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 209/259] netlink: rate-limit leftover bytes warning and print process name
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (207 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 208/259] qlcnic: info leak in qlcnic_dcb_peer_app_info() Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 210/259] bridge: Prevent insertion of FDB entry with disallowed vlan Kamal Mostafa
` (49 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Michal Schmidt, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Schmidt <mschmidt@redhat.com>
[ Upstream commit bfc5184b69cf9eeb286137640351c650c27f118a ]
Any process is able to send netlink messages with leftover bytes.
Make the warning rate-limited to prevent too much log spam.
The warning is supposed to help find userspace bugs, so print the
triggering command name to implicate the buggy program.
[v2: Use pr_warn_ratelimited instead of printk_ratelimited.]
Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
lib/nlattr.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/nlattr.c b/lib/nlattr.c
index fc67547..10ad042d 100644
--- a/lib/nlattr.c
+++ b/lib/nlattr.c
@@ -201,8 +201,8 @@ int nla_parse(struct nlattr **tb, int maxtype, const struct nlattr *head,
}
if (unlikely(rem > 0))
- printk(KERN_WARNING "netlink: %d bytes leftover after parsing "
- "attributes.\n", rem);
+ pr_warn_ratelimited("netlink: %d bytes leftover after parsing attributes in process `%s'.\n",
+ rem, current->comm);
err = 0;
errout:
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 210/259] bridge: Prevent insertion of FDB entry with disallowed vlan
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (208 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 209/259] netlink: rate-limit leftover bytes warning and print process name Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 211/259] net: tunnels - enable module autoloading Kamal Mostafa
` (48 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Toshiaki Makita, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
[ Upstream commit e0d7968ab6c8bce2437b36fa7f04117e333f196d ]
br_handle_local_finish() is allowing us to insert an FDB entry with
disallowed vlan. For example, when port 1 and 2 are communicating in
vlan 10, and even if vlan 10 is disallowed on port 3, port 3 can
interfere with their communication by spoofed src mac address with
vlan id 10.
Note: Even if it is judged that a frame should not be learned, it should
not be dropped because it is destined for not forwarding layer but higher
layer. See IEEE 802.1Q-2011 8.13.10.
Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
Acked-by: Vlad Yasevich <vyasevic@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/bridge/br_input.c | 4 ++--
net/bridge/br_private.h | 7 +++++++
net/bridge/br_vlan.c | 28 ++++++++++++++++++++++++++++
3 files changed, 37 insertions(+), 2 deletions(-)
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index fa29179..2bc64f8 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -146,8 +146,8 @@ static int br_handle_local_finish(struct sk_buff *skb)
struct net_bridge_port *p = br_port_get_rcu(skb->dev);
u16 vid = 0;
- br_vlan_get_tag(skb, &vid);
- if (p->flags & BR_LEARNING)
+ /* check if vlan is allowed, to avoid spoofing */
+ if (p->flags & BR_LEARNING && br_should_learn(p, skb, &vid))
br_fdb_update(p->br, p, eth_hdr(skb)->h_source, vid);
return 0; /* process further */
}
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 045d56e..280f601 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -587,6 +587,7 @@ bool br_allowed_ingress(struct net_bridge *br, struct net_port_vlans *v,
struct sk_buff *skb, u16 *vid);
bool br_allowed_egress(struct net_bridge *br, const struct net_port_vlans *v,
const struct sk_buff *skb);
+bool br_should_learn(struct net_bridge_port *p, struct sk_buff *skb, u16 *vid);
struct sk_buff *br_handle_vlan(struct net_bridge *br,
const struct net_port_vlans *v,
struct sk_buff *skb);
@@ -653,6 +654,12 @@ static inline bool br_allowed_egress(struct net_bridge *br,
return true;
}
+static inline bool br_should_learn(struct net_bridge_port *p,
+ struct sk_buff *skb, u16 *vid)
+{
+ return true;
+}
+
static inline struct sk_buff *br_handle_vlan(struct net_bridge *br,
const struct net_port_vlans *v,
struct sk_buff *skb)
diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c
index 9bddc9b..4f5341a 100644
--- a/net/bridge/br_vlan.c
+++ b/net/bridge/br_vlan.c
@@ -252,6 +252,34 @@ bool br_allowed_egress(struct net_bridge *br,
return false;
}
+/* Called under RCU */
+bool br_should_learn(struct net_bridge_port *p, struct sk_buff *skb, u16 *vid)
+{
+ struct net_bridge *br = p->br;
+ struct net_port_vlans *v;
+
+ if (!br->vlan_enabled)
+ return true;
+
+ v = rcu_dereference(p->vlan_info);
+ if (!v)
+ return false;
+
+ br_vlan_get_tag(skb, vid);
+ if (!*vid) {
+ *vid = br_get_pvid(v);
+ if (*vid == VLAN_N_VID)
+ return false;
+
+ return true;
+ }
+
+ if (test_bit(*vid, v->vlan_bitmap))
+ return true;
+
+ return false;
+}
+
/* Must be protected by RTNL.
* Must be called with vid in range from 1 to 4094 inclusive.
*/
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 211/259] net: tunnels - enable module autoloading
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (209 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 210/259] bridge: Prevent insertion of FDB entry with disallowed vlan Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 212/259] net: fix inet_getid() and ipv6_select_ident() bugs Kamal Mostafa
` (47 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Tom Gundersen, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Tom Gundersen <teg@jklm.no>
[ Upstream commit f98f89a0104454f35a62d681683c844f6dbf4043 ]
Enable the module alias hookup to allow tunnel modules to be autoloaded on demand.
This is in line with how most other netdev kinds work, and will allow userspace
to create tunnels without having CAP_SYS_MODULE.
Signed-off-by: Tom Gundersen <teg@jklm.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/ipv4/ipip.c | 1 +
net/ipv6/ip6_tunnel.c | 1 +
net/ipv6/sit.c | 1 +
3 files changed, 3 insertions(+)
diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c
index fe3e9f7..af34bdb 100644
--- a/net/ipv4/ipip.c
+++ b/net/ipv4/ipip.c
@@ -486,4 +486,5 @@ static void __exit ipip_fini(void)
module_init(ipip_init);
module_exit(ipip_fini);
MODULE_LICENSE("GPL");
+MODULE_ALIAS_RTNL_LINK("ipip");
MODULE_ALIAS_NETDEV("tunl0");
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 41d97be..5d686b3 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -62,6 +62,7 @@
MODULE_AUTHOR("Ville Nuorvala");
MODULE_DESCRIPTION("IPv6 tunneling device");
MODULE_LICENSE("GPL");
+MODULE_ALIAS_RTNL_LINK("ip6tnl");
MODULE_ALIAS_NETDEV("ip6tnl0");
#ifdef IP6_TNL_DEBUG
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index d3005b3..cd4777e 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -1831,4 +1831,5 @@ xfrm_tunnel_failed:
module_init(sit_init);
module_exit(sit_cleanup);
MODULE_LICENSE("GPL");
+MODULE_ALIAS_RTNL_LINK("sit");
MODULE_ALIAS_NETDEV("sit0");
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 212/259] net: fix inet_getid() and ipv6_select_ident() bugs
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (210 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 211/259] net: tunnels - enable module autoloading Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 213/259] team: fix mtu setting Kamal Mostafa
` (46 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Eric Dumazet, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 39c36094d78c39e038c1e499b2364e13bce36f54 ]
I noticed we were sending wrong IPv4 ID in TCP flows when MTU discovery
is disabled.
Note how GSO/TSO packets do not have monotonically incrementing ID.
06:37:41.575531 IP (id 14227, proto: TCP (6), length: 4396)
06:37:41.575534 IP (id 14272, proto: TCP (6), length: 65212)
06:37:41.575544 IP (id 14312, proto: TCP (6), length: 57972)
06:37:41.575678 IP (id 14317, proto: TCP (6), length: 7292)
06:37:41.575683 IP (id 14361, proto: TCP (6), length: 63764)
It appears I introduced this bug in linux-3.1.
inet_getid() must return the old value of peer->ip_id_count,
not the new one.
Lets revert this part, and remove the prevention of
a null identification field in IPv6 Fragment Extension Header,
which is dubious and not even done properly.
Fixes: 87c48fa3b463 ("ipv6: make fragment identifications less predictable")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
include/net/inetpeer.h | 9 +--------
net/ipv6/output_core.c | 11 +++--------
2 files changed, 4 insertions(+), 16 deletions(-)
diff --git a/include/net/inetpeer.h b/include/net/inetpeer.h
index f4e127a..9a93930 100644
--- a/include/net/inetpeer.h
+++ b/include/net/inetpeer.h
@@ -178,16 +178,9 @@ static inline void inet_peer_refcheck(const struct inet_peer *p)
/* can be called with or without local BH being disabled */
static inline int inet_getid(struct inet_peer *p, int more)
{
- int old, new;
more++;
inet_peer_refcheck(p);
- do {
- old = atomic_read(&p->ip_id_count);
- new = old + more;
- if (!new)
- new = 1;
- } while (atomic_cmpxchg(&p->ip_id_count, old, new) != old);
- return new;
+ return atomic_add_return(more, &p->ip_id_count) - more;
}
#endif /* _NET_INETPEER_H */
diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
index 827f795..b31a012 100644
--- a/net/ipv6/output_core.c
+++ b/net/ipv6/output_core.c
@@ -10,7 +10,7 @@
void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
{
static atomic_t ipv6_fragmentation_id;
- int old, new;
+ int ident;
#if IS_ENABLED(CONFIG_IPV6)
if (rt && !(rt->dst.flags & DST_NOPEER)) {
@@ -26,13 +26,8 @@ void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
}
}
#endif
- do {
- old = atomic_read(&ipv6_fragmentation_id);
- new = old + 1;
- if (!new)
- new = 1;
- } while (atomic_cmpxchg(&ipv6_fragmentation_id, old, new) != old);
- fhdr->identification = htonl(new);
+ ident = atomic_inc_return(&ipv6_fragmentation_id);
+ fhdr->identification = htonl(ident);
}
EXPORT_SYMBOL(ipv6_select_ident);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 213/259] team: fix mtu setting
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (211 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 212/259] net: fix inet_getid() and ipv6_select_ident() bugs Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 214/259] tcp: fix cwnd undo on DSACK in F-RTO Kamal Mostafa
` (45 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Jiri Pirko, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Pirko <jiri@resnulli.us>
[ Upstream commit 9d0d68faea6962d62dd501cd6e71ce5cc8ed262b ]
Now it is not possible to set mtu to team device which has a port
enslaved to it. The reason is that when team_change_mtu() calls
dev_set_mtu() for port device, notificator for NETDEV_PRECHANGEMTU
event is called and team_device_event() returns NOTIFY_BAD forbidding
the change. So fix this by returning NOTIFY_DONE here in case team is
changing mtu in team_change_mtu().
Introduced-by: 3d249d4c "net: introduce ethernet teaming device"
Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Acked-by: Flavio Leitner <fbl@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/team/team.c | 7 ++++++-
include/linux/if_team.h | 1 +
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
index b75ae5b..99500d1 100644
--- a/drivers/net/team/team.c
+++ b/drivers/net/team/team.c
@@ -1732,6 +1732,7 @@ static int team_change_mtu(struct net_device *dev, int new_mtu)
* to traverse list in reverse under rcu_read_lock
*/
mutex_lock(&team->lock);
+ team->port_mtu_change_allowed = true;
list_for_each_entry(port, &team->port_list, list) {
err = dev_set_mtu(port->dev, new_mtu);
if (err) {
@@ -1740,6 +1741,7 @@ static int team_change_mtu(struct net_device *dev, int new_mtu)
goto unwind;
}
}
+ team->port_mtu_change_allowed = false;
mutex_unlock(&team->lock);
dev->mtu = new_mtu;
@@ -1749,6 +1751,7 @@ static int team_change_mtu(struct net_device *dev, int new_mtu)
unwind:
list_for_each_entry_continue_reverse(port, &team->port_list, list)
dev_set_mtu(port->dev, dev->mtu);
+ team->port_mtu_change_allowed = false;
mutex_unlock(&team->lock);
return err;
@@ -2853,7 +2856,9 @@ static int team_device_event(struct notifier_block *unused,
break;
case NETDEV_CHANGEMTU:
/* Forbid to change mtu of underlaying device */
- return NOTIFY_BAD;
+ if (!port->team->port_mtu_change_allowed)
+ return NOTIFY_BAD;
+ break;
case NETDEV_PRE_TYPE_CHANGE:
/* Forbid to change type of underlaying device */
return NOTIFY_BAD;
diff --git a/include/linux/if_team.h b/include/linux/if_team.h
index a899dc2..a6aa970 100644
--- a/include/linux/if_team.h
+++ b/include/linux/if_team.h
@@ -194,6 +194,7 @@ struct team {
bool user_carrier_enabled;
bool queue_override_enabled;
struct list_head *qom_lists; /* array of queue override mapping lists */
+ bool port_mtu_change_allowed;
struct {
unsigned int count;
unsigned int interval; /* in ms */
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 214/259] tcp: fix cwnd undo on DSACK in F-RTO
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (212 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 213/259] team: fix mtu setting Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 215/259] sh_eth: use RNC mode for packet reception Kamal Mostafa
` (44 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Yuchung Cheng, Neal Cardwell, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuchung Cheng <ycheng@google.com>
[ Upstream commit 0cfa5c07d6d1d7f8e710fc671c5ba1ce85e09fa4 ]
This bug is discovered by an recent F-RTO issue on tcpm list
https://www.ietf.org/mail-archive/web/tcpm/current/msg08794.html
The bug is that currently F-RTO does not use DSACK to undo cwnd in
certain cases: upon receiving an ACK after the RTO retransmission in
F-RTO, and the ACK has DSACK indicating the retransmission is spurious,
the sender only calls tcp_try_undo_loss() if some never retransmisted
data is sacked (FLAG_ORIG_DATA_SACKED).
The correct behavior is to unconditionally call tcp_try_undo_loss so
the DSACK information is used properly to undo the cwnd reduction.
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/ipv4/tcp_input.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index c53b7f3..320cfe1 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -2680,13 +2680,12 @@ static void tcp_process_loss(struct sock *sk, int flag, bool is_dupack)
bool recovered = !before(tp->snd_una, tp->high_seq);
if (tp->frto) { /* F-RTO RFC5682 sec 3.1 (sack enhanced version). */
- if (flag & FLAG_ORIG_SACK_ACKED) {
- /* Step 3.b. A timeout is spurious if not all data are
- * lost, i.e., never-retransmitted data are (s)acked.
- */
- tcp_try_undo_loss(sk, true);
+ /* Step 3.b. A timeout is spurious if not all data are
+ * lost, i.e., never-retransmitted data are (s)acked.
+ */
+ if (tcp_try_undo_loss(sk, flag & FLAG_ORIG_SACK_ACKED))
return;
- }
+
if (after(tp->snd_nxt, tp->high_seq) &&
(flag & FLAG_DATA_SACKED || is_dupack)) {
tp->frto = 0; /* Loss was real: 2nd part of step 3.a */
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 215/259] sh_eth: use RNC mode for packet reception
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (213 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 214/259] tcp: fix cwnd undo on DSACK in F-RTO Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 216/259] sh_eth: fix SH7619/771x support Kamal Mostafa
` (43 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Ben Dooks, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Dooks <ben.dooks@codethink.co.uk>
[ Upstream commit 530aa2d0d9d55ab2775d47621ddf4b5b15bc1110 ]
The current behaviour of the sh_eth driver is not to use the RNC bit
for the receive ring. This means that every packet recieved is not only
generating an IRQ but it also stops the receive ring DMA as well until
the driver re-enables it after unloading the packet.
This means that a number of the following errors are generated due to
the receive packet FIFO overflowing due to nowhere to put packets:
net eth0: Receive FIFO Overflow
Since feedback from Yoshihiro Shimoda shows that every supported LSI
for this driver should have the bit enabled it seems the best way is
to remove the RMCR default value from the per-system data and just
write it when initialising the RMCR value. This is discussed in
the message (http://www.spinics.net/lists/netdev/msg284912.html).
I have tested the RMCR_RNC configuration with NFS root filesystem and
the driver has not failed yet. There are further test reports from
Sergei Shtylov and others for both the R8A7790 and R8A7791.
There is also feedback fron Cao Minh Hiep[1] which reports the
same issue in (http://comments.gmane.org/gmane.linux.network/316285)
showing this fixes issues with losing UDP datagrams under iperf.
Tested-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
Acked-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Acked-by: Simon Horman <horms+renesas@verge.net.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/ethernet/renesas/sh_eth.c | 10 ++--------
drivers/net/ethernet/renesas/sh_eth.h | 2 --
2 files changed, 2 insertions(+), 10 deletions(-)
diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c
index d256ce1..dc19d37 100644
--- a/drivers/net/ethernet/renesas/sh_eth.c
+++ b/drivers/net/ethernet/renesas/sh_eth.c
@@ -483,7 +483,6 @@ static struct sh_eth_cpu_data sh7757_data = {
.register_type = SH_ETH_REG_FAST_SH4,
.eesipr_value = DMAC_M_RFRMER | DMAC_M_ECI | 0x003fffff,
- .rmcr_value = RMCR_RNC,
.tx_check = EESR_FTC | EESR_CND | EESR_DLC | EESR_CD | EESR_RTO,
.eesr_err_check = EESR_TWB | EESR_TABT | EESR_RABT | EESR_RFE |
@@ -561,7 +560,6 @@ static struct sh_eth_cpu_data sh7757_data_giga = {
EESR_RFE | EESR_RDE | EESR_RFRMER | EESR_TFE |
EESR_TDE | EESR_ECI,
.fdr_value = 0x0000072f,
- .rmcr_value = RMCR_RNC,
.irq_flags = IRQF_SHARED,
.apr = 1,
@@ -689,7 +687,6 @@ static struct sh_eth_cpu_data r8a7740_data = {
EESR_RFE | EESR_RDE | EESR_RFRMER | EESR_TFE |
EESR_TDE | EESR_ECI,
.fdr_value = 0x0000070f,
- .rmcr_value = RMCR_RNC,
.apr = 1,
.mpr = 1,
@@ -738,9 +735,6 @@ static void sh_eth_set_default_cpu_data(struct sh_eth_cpu_data *cd)
if (!cd->fdr_value)
cd->fdr_value = DEFAULT_FDR_INIT;
- if (!cd->rmcr_value)
- cd->rmcr_value = DEFAULT_RMCR_VALUE;
-
if (!cd->tx_check)
cd->tx_check = DEFAULT_TX_CHECK;
@@ -1193,8 +1187,8 @@ static int sh_eth_dev_init(struct net_device *ndev, bool start)
sh_eth_write(ndev, mdp->cd->fdr_value, FDR);
sh_eth_write(ndev, 0, TFTR);
- /* Frame recv control */
- sh_eth_write(ndev, mdp->cd->rmcr_value, RMCR);
+ /* Frame recv control (enable multiple-packets per rx irq) */
+ sh_eth_write(ndev, RMCR_RNC, RMCR);
sh_eth_write(ndev, DESC_I_RINT8 | DESC_I_RINT5 | DESC_I_TINT2, TRSCER);
diff --git a/drivers/net/ethernet/renesas/sh_eth.h b/drivers/net/ethernet/renesas/sh_eth.h
index f32c169..de985a3 100644
--- a/drivers/net/ethernet/renesas/sh_eth.h
+++ b/drivers/net/ethernet/renesas/sh_eth.h
@@ -324,7 +324,6 @@ enum TD_STS_BIT {
enum RMCR_BIT {
RMCR_RNC = 0x00000001,
};
-#define DEFAULT_RMCR_VALUE 0x00000000
/* ECMR */
enum FELIC_MODE_BIT {
@@ -473,7 +472,6 @@ struct sh_eth_cpu_data {
unsigned long fdr_value;
unsigned long fcftr_value;
unsigned long rpadir_value;
- unsigned long rmcr_value;
/* interrupt checking mask */
unsigned long tx_check;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 216/259] sh_eth: fix SH7619/771x support
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (214 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 215/259] sh_eth: use RNC mode for packet reception Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 217/259] net: filter: fix typo in sparc BPF JIT Kamal Mostafa
` (42 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Sergei Shtylyov, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
[ Upstream commit d8b0426af5b67973585712c9af36b86f6ea97815 ]
Commit 4a55530f38e4 (net: sh_eth: modify the definitions of register) managed
to leave out the E-DMAC register entries in sh_eth_offset_fast_sh3_sh2[], thus
totally breaking SH7619/771x support. Add the missing entries using the data
from before that commit.
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Acked-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/ethernet/renesas/sh_eth.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c
index dc19d37..8d002f1 100644
--- a/drivers/net/ethernet/renesas/sh_eth.c
+++ b/drivers/net/ethernet/renesas/sh_eth.c
@@ -247,6 +247,27 @@ static const u16 sh_eth_offset_fast_sh4[SH_ETH_MAX_REGISTER_OFFSET] = {
};
static const u16 sh_eth_offset_fast_sh3_sh2[SH_ETH_MAX_REGISTER_OFFSET] = {
+ [EDMR] = 0x0000,
+ [EDTRR] = 0x0004,
+ [EDRRR] = 0x0008,
+ [TDLAR] = 0x000c,
+ [RDLAR] = 0x0010,
+ [EESR] = 0x0014,
+ [EESIPR] = 0x0018,
+ [TRSCER] = 0x001c,
+ [RMFCR] = 0x0020,
+ [TFTR] = 0x0024,
+ [FDR] = 0x0028,
+ [RMCR] = 0x002c,
+ [EDOCR] = 0x0030,
+ [FCFTR] = 0x0034,
+ [RPADIR] = 0x0038,
+ [TRIMD] = 0x003c,
+ [RBWAR] = 0x0040,
+ [RDFAR] = 0x0044,
+ [TBRAR] = 0x004c,
+ [TDFAR] = 0x0050,
+
[ECMR] = 0x0160,
[ECSR] = 0x0164,
[ECSIPR] = 0x0168,
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 217/259] net: filter: fix typo in sparc BPF JIT
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (215 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 216/259] sh_eth: fix SH7619/771x support Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 218/259] net: filter: fix sparc32 typo Kamal Mostafa
` (41 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Alexei Starovoitov, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexei Starovoitov <ast@plumgrid.com>
[ Upstream commit 569810d1e3278907264f5b115281fca3f0038d53 ]
fix typo in sparc codegen for SKF_AD_IFINDEX and SKF_AD_HATYPE
classic BPF extensions
Fixes: 2809a2087cc4 ("net: filter: Just In Time compiler for sparc")
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/sparc/net/bpf_jit_comp.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/sparc/net/bpf_jit_comp.c b/arch/sparc/net/bpf_jit_comp.c
index 01fe994..649828f 100644
--- a/arch/sparc/net/bpf_jit_comp.c
+++ b/arch/sparc/net/bpf_jit_comp.c
@@ -83,9 +83,9 @@ static void bpf_flush_icache(void *start_, void *end_)
#define BNE (F2(0, 2) | CONDNE)
#ifdef CONFIG_SPARC64
-#define BNE_PTR (F2(0, 1) | CONDNE | (2 << 20))
+#define BE_PTR (F2(0, 1) | CONDE | (2 << 20))
#else
-#define BNE_PTR BNE
+#define BE_PTR BNE
#endif
#define SETHI(K, REG) \
@@ -600,7 +600,7 @@ void bpf_jit_compile(struct sk_filter *fp)
case BPF_S_ANC_IFINDEX:
emit_skb_loadptr(dev, r_A);
emit_cmpi(r_A, 0);
- emit_branch(BNE_PTR, cleanup_addr + 4);
+ emit_branch(BE_PTR, cleanup_addr + 4);
emit_nop();
emit_load32(r_A, struct net_device, ifindex, r_A);
break;
@@ -613,7 +613,7 @@ void bpf_jit_compile(struct sk_filter *fp)
case BPF_S_ANC_HATYPE:
emit_skb_loadptr(dev, r_A);
emit_cmpi(r_A, 0);
- emit_branch(BNE_PTR, cleanup_addr + 4);
+ emit_branch(BE_PTR, cleanup_addr + 4);
emit_nop();
emit_load16(r_A, struct net_device, type, r_A);
break;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 218/259] net: filter: fix sparc32 typo
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (216 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 217/259] net: filter: fix typo in sparc BPF JIT Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 219/259] net: qmi_wwan: add Olivetti Olicard modems Kamal Mostafa
` (40 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Alexei Starovoitov, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexei Starovoitov <ast@plumgrid.com>
[ Upstream commit 588f5d629b3369aba88f52217d1c473a28fa7723 ]
Fixes: 569810d1e327 ("net: filter: fix typo in sparc BPF JIT")
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/sparc/net/bpf_jit_comp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/sparc/net/bpf_jit_comp.c b/arch/sparc/net/bpf_jit_comp.c
index 649828f..44d258d 100644
--- a/arch/sparc/net/bpf_jit_comp.c
+++ b/arch/sparc/net/bpf_jit_comp.c
@@ -85,7 +85,7 @@ static void bpf_flush_icache(void *start_, void *end_)
#ifdef CONFIG_SPARC64
#define BE_PTR (F2(0, 1) | CONDE | (2 << 20))
#else
-#define BE_PTR BNE
+#define BE_PTR BE
#endif
#define SETHI(K, REG) \
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 219/259] net: qmi_wwan: add Olivetti Olicard modems
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (217 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 218/259] net: filter: fix sparc32 typo Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 220/259] net: force a list_del() in unregister_netdevice_many() Kamal Mostafa
` (39 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Bjørn Mork, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
[ Upstream commit ba6de0f5304ccdc45ae260e7e0feb6e0ef2dd558 ]
Lars writes: "I'm only 99% sure that the net interfaces are qmi
interfaces, nothing to lose by adding them in my opinion."
And I tend to agree based on the similarity with the two Olicard
modems we already have here.
Reported-by: Lars Melin <larsm17@gmail.com>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/usb/qmi_wwan.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
index aea1e93..841157f 100644
--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -751,7 +751,12 @@ static const struct usb_device_id products[] = {
{QMI_FIXED_INTF(0x2357, 0x9000, 4)}, /* TP-LINK MA260 */
{QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */
{QMI_FIXED_INTF(0x1bc7, 0x1201, 2)}, /* Telit LE920 */
- {QMI_FIXED_INTF(0x0b3c, 0xc005, 6)}, /* Olivetti Olicard 200 */
+ {QMI_FIXED_INTF(0x0b3c, 0xc000, 4)}, /* Olivetti Olicard 100 */
+ {QMI_FIXED_INTF(0x0b3c, 0xc001, 4)}, /* Olivetti Olicard 120 */
+ {QMI_FIXED_INTF(0x0b3c, 0xc002, 4)}, /* Olivetti Olicard 140 */
+ {QMI_FIXED_INTF(0x0b3c, 0xc004, 6)}, /* Olivetti Olicard 155 */
+ {QMI_FIXED_INTF(0x0b3c, 0xc005, 6)}, /* Olivetti Olicard 200 */
+ {QMI_FIXED_INTF(0x0b3c, 0xc00a, 6)}, /* Olivetti Olicard 160 */
{QMI_FIXED_INTF(0x0b3c, 0xc00b, 4)}, /* Olivetti Olicard 500 */
{QMI_FIXED_INTF(0x1e2d, 0x0060, 4)}, /* Cinterion PLxx */
{QMI_FIXED_INTF(0x413c, 0x81a2, 8)}, /* Dell Wireless 5806 Gobi(TM) 4G LTE Mobile Broadband Card */
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 220/259] net: force a list_del() in unregister_netdevice_many()
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (218 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 219/259] net: qmi_wwan: add Olivetti Olicard modems Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 221/259] ipip, sit: fix ipv4_{update_pmtu,redirect} calls Kamal Mostafa
` (38 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Eric Dumazet, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 87757a917b0b3c0787e0563c679762152be81312 ]
unregister_netdevice_many() API is error prone and we had too
many bugs because of dangling LIST_HEAD on stacks.
See commit f87e6f47933e3e ("net: dont leave active on stack LIST_HEAD")
In fact, instead of making sure no caller leaves an active list_head,
just force a list_del() in the callee. No one seems to need to access
the list after unregister_netdevice_many()
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/macvlan.c | 1 -
net/core/dev.c | 5 ++++-
net/core/rtnetlink.c | 1 -
net/mac80211/iface.c | 1 -
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
index 9687122..333f8bc 100644
--- a/drivers/net/macvlan.c
+++ b/drivers/net/macvlan.c
@@ -1052,7 +1052,6 @@ static int macvlan_device_event(struct notifier_block *unused,
list_for_each_entry_safe(vlan, next, &port->vlans, list)
vlan->dev->rtnl_link_ops->dellink(vlan->dev, &list_kill);
unregister_netdevice_many(&list_kill);
- list_del(&list_kill);
break;
case NETDEV_PRE_TYPE_CHANGE:
/* Forbid underlaying device to change its type. */
diff --git a/net/core/dev.c b/net/core/dev.c
index fd9b17a..9e8b117 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -6477,6 +6477,9 @@ EXPORT_SYMBOL(unregister_netdevice_queue);
/**
* unregister_netdevice_many - unregister many devices
* @head: list of devices
+ *
+ * Note: As most callers use a stack allocated list_head,
+ * we force a list_del() to make sure stack wont be corrupted later.
*/
void unregister_netdevice_many(struct list_head *head)
{
@@ -6486,6 +6489,7 @@ void unregister_netdevice_many(struct list_head *head)
rollback_registered_many(head);
list_for_each_entry(dev, head, unreg_list)
net_set_todo(dev);
+ list_del(head);
}
}
EXPORT_SYMBOL(unregister_netdevice_many);
@@ -6941,7 +6945,6 @@ static void __net_exit default_device_exit_batch(struct list_head *net_list)
}
}
unregister_netdevice_many(&dev_kill_list);
- list_del(&dev_kill_list);
rtnl_unlock();
}
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 17833d1..410e586 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1673,7 +1673,6 @@ static int rtnl_dellink(struct sk_buff *skb, struct nlmsghdr *nlh)
ops->dellink(dev, &list_kill);
unregister_netdevice_many(&list_kill);
- list_del(&list_kill);
return 0;
}
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index a075791..822d508 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -1774,7 +1774,6 @@ void ieee80211_remove_interfaces(struct ieee80211_local *local)
}
mutex_unlock(&local->iflist_mtx);
unregister_netdevice_many(&unreg_list);
- list_del(&unreg_list);
list_for_each_entry_safe(sdata, tmp, &wdev_list, list) {
list_del(&sdata->list);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 221/259] ipip, sit: fix ipv4_{update_pmtu,redirect} calls
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (219 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 220/259] net: force a list_del() in unregister_netdevice_many() Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 222/259] sfc: PIO:Restrict to 64bit arch and use 64-bit writes Kamal Mostafa
` (37 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Dmitry Popov, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Popov <ixaphire@qrator.net>
[ Upstream commit 2346829e641b804ece9ac9298136b56d9567c278 ]
ipv4_{update_pmtu,redirect} were called with tunnel's ifindex (t->dev is a
tunnel netdevice). It caused wrong route lookup and failure of pmtu update or
redirect. We should use the same ifindex that we use in ip_route_output_* in
*tunnel_xmit code. It is t->parms.link .
Signed-off-by: Dmitry Popov <ixaphire@qrator.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/ipv4/ipip.c | 4 ++--
net/ipv6/sit.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c
index af34bdb..1e625b0 100644
--- a/net/ipv4/ipip.c
+++ b/net/ipv4/ipip.c
@@ -149,13 +149,13 @@ static int ipip_err(struct sk_buff *skb, u32 info)
if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED) {
ipv4_update_pmtu(skb, dev_net(skb->dev), info,
- t->dev->ifindex, 0, IPPROTO_IPIP, 0);
+ t->parms.link, 0, IPPROTO_IPIP, 0);
err = 0;
goto out;
}
if (type == ICMP_REDIRECT) {
- ipv4_redirect(skb, dev_net(skb->dev), t->dev->ifindex, 0,
+ ipv4_redirect(skb, dev_net(skb->dev), t->parms.link, 0,
IPPROTO_IPIP, 0);
err = 0;
goto out;
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index cd4777e..8f59675 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -559,12 +559,12 @@ static int ipip6_err(struct sk_buff *skb, u32 info)
if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED) {
ipv4_update_pmtu(skb, dev_net(skb->dev), info,
- t->dev->ifindex, 0, IPPROTO_IPV6, 0);
+ t->parms.link, 0, IPPROTO_IPV6, 0);
err = 0;
goto out;
}
if (type == ICMP_REDIRECT) {
- ipv4_redirect(skb, dev_net(skb->dev), t->dev->ifindex, 0,
+ ipv4_redirect(skb, dev_net(skb->dev), t->parms.link, 0,
IPPROTO_IPV6, 0);
err = 0;
goto out;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 222/259] sfc: PIO:Restrict to 64bit arch and use 64-bit writes.
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (220 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 221/259] ipip, sit: fix ipv4_{update_pmtu,redirect} calls Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 223/259] ipv4: fix a race in ip4_datagram_release_cb() Kamal Mostafa
` (36 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Shradha Shah, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Jon Cooper <jcooper@solarflare.com>
[ Upstream commit daf37b556e437ec1ea1a597dcfeff338068380e1 ]
Fixes:ee45fd92c739
("sfc: Use TX PIO for sufficiently small packets")
The linux net driver uses memcpy_toio() in order to copy into
the PIO buffers.
Even on a 64bit machine this causes 32bit accesses to a write-
combined memory region.
There are hardware limitations that mean that only 64bit
naturally aligned accesses are safe in all cases.
Due to being write-combined memory region two 32bit accesses
may be coalesced to form a 64bit non 64bit aligned access.
Solution was to open-code the memory copy routines using pointers
and to only enable PIO for x86_64 machines.
Not tested on platforms other than x86_64 because this patch
disables the PIO feature on other platforms.
Compile-tested on x86 to ensure that works.
The WARN_ON_ONCE() code in the previous version of this patch
has been moved into the internal sfc debug driver as the
assertion was unnecessary in the upstream kernel code.
This bug fix applies to v3.13 and v3.14 stable branches.
Signed-off-by: Shradha Shah <sshah@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/ethernet/sfc/io.h | 7 +++++++
drivers/net/ethernet/sfc/tx.c | 22 +++++++++++++++++-----
2 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/sfc/io.h b/drivers/net/ethernet/sfc/io.h
index 4d3f119..afb94aa 100644
--- a/drivers/net/ethernet/sfc/io.h
+++ b/drivers/net/ethernet/sfc/io.h
@@ -66,10 +66,17 @@
#define EFX_USE_QWORD_IO 1
#endif
+/* Hardware issue requires that only 64-bit naturally aligned writes
+ * are seen by hardware. Its not strictly necessary to restrict to
+ * x86_64 arch, but done for safety since unusual write combining behaviour
+ * can break PIO.
+ */
+#ifdef CONFIG_X86_64
/* PIO is a win only if write-combining is possible */
#ifdef ARCH_HAS_IOREMAP_WC
#define EFX_USE_PIO 1
#endif
+#endif
#ifdef EFX_USE_QWORD_IO
static inline void _efx_writeq(struct efx_nic *efx, __le64 value,
diff --git a/drivers/net/ethernet/sfc/tx.c b/drivers/net/ethernet/sfc/tx.c
index c49d1fb..105b3ca 100644
--- a/drivers/net/ethernet/sfc/tx.c
+++ b/drivers/net/ethernet/sfc/tx.c
@@ -189,6 +189,18 @@ struct efx_short_copy_buffer {
u8 buf[L1_CACHE_BYTES];
};
+/* Copy in explicit 64-bit writes. */
+static void efx_memcpy_64(void __iomem *dest, void *src, size_t len)
+{
+ u64 *src64 = src;
+ u64 __iomem *dest64 = dest;
+ size_t l64 = len / 8;
+ size_t i;
+
+ for (i = 0; i < l64; i++)
+ writeq(src64[i], &dest64[i]);
+}
+
/* Copy to PIO, respecting that writes to PIO buffers must be dword aligned.
* Advances piobuf pointer. Leaves additional data in the copy buffer.
*/
@@ -198,7 +210,7 @@ static void efx_memcpy_toio_aligned(struct efx_nic *efx, u8 __iomem **piobuf,
{
int block_len = len & ~(sizeof(copy_buf->buf) - 1);
- memcpy_toio(*piobuf, data, block_len);
+ efx_memcpy_64(*piobuf, data, block_len);
*piobuf += block_len;
len -= block_len;
@@ -230,7 +242,7 @@ static void efx_memcpy_toio_aligned_cb(struct efx_nic *efx, u8 __iomem **piobuf,
if (copy_buf->used < sizeof(copy_buf->buf))
return;
- memcpy_toio(*piobuf, copy_buf->buf, sizeof(copy_buf->buf));
+ efx_memcpy_64(*piobuf, copy_buf->buf, sizeof(copy_buf->buf));
*piobuf += sizeof(copy_buf->buf);
data += copy_to_buf;
len -= copy_to_buf;
@@ -245,7 +257,7 @@ static void efx_flush_copy_buffer(struct efx_nic *efx, u8 __iomem *piobuf,
{
/* if there's anything in it, write the whole buffer, including junk */
if (copy_buf->used)
- memcpy_toio(piobuf, copy_buf->buf, sizeof(copy_buf->buf));
+ efx_memcpy_64(piobuf, copy_buf->buf, sizeof(copy_buf->buf));
}
/* Traverse skb structure and copy fragments in to PIO buffer.
@@ -304,8 +316,8 @@ efx_enqueue_skb_pio(struct efx_tx_queue *tx_queue, struct sk_buff *skb)
*/
BUILD_BUG_ON(L1_CACHE_BYTES >
SKB_DATA_ALIGN(sizeof(struct skb_shared_info)));
- memcpy_toio(tx_queue->piobuf, skb->data,
- ALIGN(skb->len, L1_CACHE_BYTES));
+ efx_memcpy_64(tx_queue->piobuf, skb->data,
+ ALIGN(skb->len, L1_CACHE_BYTES));
}
EFX_POPULATE_QWORD_5(buffer->option,
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 223/259] ipv4: fix a race in ip4_datagram_release_cb()
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (221 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 222/259] sfc: PIO:Restrict to 64bit arch and use 64-bit writes Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 224/259] rtnetlink: fix userspace API breakage for iproute2 < v3.9.0 Kamal Mostafa
` (35 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Eric Dumazet, Steffen Klassert, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 9709674e68646cee5a24e3000b3558d25412203a ]
Alexey gave a AddressSanitizer[1] report that finally gave a good hint
at where was the origin of various problems already reported by Dormando
in the past [2]
Problem comes from the fact that UDP can have a lockless TX path, and
concurrent threads can manipulate sk_dst_cache, while another thread,
is holding socket lock and calls __sk_dst_set() in
ip4_datagram_release_cb() (this was added in linux-3.8)
It seems that all we need to do is to use sk_dst_check() and
sk_dst_set() so that all the writers hold same spinlock
(sk->sk_dst_lock) to prevent corruptions.
TCP stack do not need this protection, as all sk_dst_cache writers hold
the socket lock.
[1]
https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel
AddressSanitizer: heap-use-after-free in ipv4_dst_check
Read of size 2 by thread T15453:
[<ffffffff817daa3a>] ipv4_dst_check+0x1a/0x90 ./net/ipv4/route.c:1116
[<ffffffff8175b789>] __sk_dst_check+0x89/0xe0 ./net/core/sock.c:531
[<ffffffff81830a36>] ip4_datagram_release_cb+0x46/0x390 ??:0
[<ffffffff8175eaea>] release_sock+0x17a/0x230 ./net/core/sock.c:2413
[<ffffffff81830882>] ip4_datagram_connect+0x462/0x5d0 ??:0
[<ffffffff81846d06>] inet_dgram_connect+0x76/0xd0 ./net/ipv4/af_inet.c:534
[<ffffffff817580ac>] SYSC_connect+0x15c/0x1c0 ./net/socket.c:1701
[<ffffffff817596ce>] SyS_connect+0xe/0x10 ./net/socket.c:1682
[<ffffffff818b0a29>] system_call_fastpath+0x16/0x1b
./arch/x86/kernel/entry_64.S:629
Freed by thread T15455:
[<ffffffff8178d9b8>] dst_destroy+0xa8/0x160 ./net/core/dst.c:251
[<ffffffff8178de25>] dst_release+0x45/0x80 ./net/core/dst.c:280
[<ffffffff818304c1>] ip4_datagram_connect+0xa1/0x5d0 ??:0
[<ffffffff81846d06>] inet_dgram_connect+0x76/0xd0 ./net/ipv4/af_inet.c:534
[<ffffffff817580ac>] SYSC_connect+0x15c/0x1c0 ./net/socket.c:1701
[<ffffffff817596ce>] SyS_connect+0xe/0x10 ./net/socket.c:1682
[<ffffffff818b0a29>] system_call_fastpath+0x16/0x1b
./arch/x86/kernel/entry_64.S:629
Allocated by thread T15453:
[<ffffffff8178d291>] dst_alloc+0x81/0x2b0 ./net/core/dst.c:171
[<ffffffff817db3b7>] rt_dst_alloc+0x47/0x50 ./net/ipv4/route.c:1406
[< inlined >] __ip_route_output_key+0x3e8/0xf70
__mkroute_output ./net/ipv4/route.c:1939
[<ffffffff817dde08>] __ip_route_output_key+0x3e8/0xf70 ./net/ipv4/route.c:2161
[<ffffffff817deb34>] ip_route_output_flow+0x14/0x30 ./net/ipv4/route.c:2249
[<ffffffff81830737>] ip4_datagram_connect+0x317/0x5d0 ??:0
[<ffffffff81846d06>] inet_dgram_connect+0x76/0xd0 ./net/ipv4/af_inet.c:534
[<ffffffff817580ac>] SYSC_connect+0x15c/0x1c0 ./net/socket.c:1701
[<ffffffff817596ce>] SyS_connect+0xe/0x10 ./net/socket.c:1682
[<ffffffff818b0a29>] system_call_fastpath+0x16/0x1b
./arch/x86/kernel/entry_64.S:629
[2]
<4>[196727.311203] general protection fault: 0000 [#1] SMP
<4>[196727.311224] Modules linked in: xt_TEE xt_dscp xt_DSCP macvlan bridge coretemp crc32_pclmul ghash_clmulni_intel gpio_ich microcode ipmi_watchdog ipmi_devintf sb_edac edac_core lpc_ich mfd_core tpm_tis tpm tpm_bios ipmi_si ipmi_msghandler isci igb libsas i2c_algo_bit ixgbe ptp pps_core mdio
<4>[196727.311333] CPU: 17 PID: 0 Comm: swapper/17 Not tainted 3.10.26 #1
<4>[196727.311344] Hardware name: Supermicro X9DRi-LN4+/X9DR3-LN4+/X9DRi-LN4+/X9DR3-LN4+, BIOS 3.0 07/05/2013
<4>[196727.311364] task: ffff885e6f069700 ti: ffff885e6f072000 task.ti: ffff885e6f072000
<4>[196727.311377] RIP: 0010:[<ffffffff815f8c7f>] [<ffffffff815f8c7f>] ipv4_dst_destroy+0x4f/0x80
<4>[196727.311399] RSP: 0018:ffff885effd23a70 EFLAGS: 00010282
<4>[196727.311409] RAX: dead000000200200 RBX: ffff8854c398ecc0 RCX: 0000000000000040
<4>[196727.311423] RDX: dead000000100100 RSI: dead000000100100 RDI: dead000000200200
<4>[196727.311437] RBP: ffff885effd23a80 R08: ffffffff815fd9e0 R09: ffff885d5a590800
<4>[196727.311451] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
<4>[196727.311464] R13: ffffffff81c8c280 R14: 0000000000000000 R15: ffff880e85ee16ce
<4>[196727.311510] FS: 0000000000000000(0000) GS:ffff885effd20000(0000) knlGS:0000000000000000
<4>[196727.311554] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4>[196727.311581] CR2: 00007a46751eb000 CR3: 0000005e65688000 CR4: 00000000000407e0
<4>[196727.311625] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
<4>[196727.311669] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
<4>[196727.311713] Stack:
<4>[196727.311733] ffff8854c398ecc0 ffff8854c398ecc0 ffff885effd23ab0 ffffffff815b7f42
<4>[196727.311784] ffff88be6595bc00 ffff8854c398ecc0 0000000000000000 ffff8854c398ecc0
<4>[196727.311834] ffff885effd23ad0 ffffffff815b86c6 ffff885d5a590800 ffff8816827821c0
<4>[196727.311885] Call Trace:
<4>[196727.311907] <IRQ>
<4>[196727.311912] [<ffffffff815b7f42>] dst_destroy+0x32/0xe0
<4>[196727.311959] [<ffffffff815b86c6>] dst_release+0x56/0x80
<4>[196727.311986] [<ffffffff81620bd5>] tcp_v4_do_rcv+0x2a5/0x4a0
<4>[196727.312013] [<ffffffff81622b5a>] tcp_v4_rcv+0x7da/0x820
<4>[196727.312041] [<ffffffff815fd9e0>] ? ip_rcv_finish+0x360/0x360
<4>[196727.312070] [<ffffffff815de02d>] ? nf_hook_slow+0x7d/0x150
<4>[196727.312097] [<ffffffff815fd9e0>] ? ip_rcv_finish+0x360/0x360
<4>[196727.312125] [<ffffffff815fda92>] ip_local_deliver_finish+0xb2/0x230
<4>[196727.312154] [<ffffffff815fdd9a>] ip_local_deliver+0x4a/0x90
<4>[196727.312183] [<ffffffff815fd799>] ip_rcv_finish+0x119/0x360
<4>[196727.312212] [<ffffffff815fe00b>] ip_rcv+0x22b/0x340
<4>[196727.312242] [<ffffffffa0339680>] ? macvlan_broadcast+0x160/0x160 [macvlan]
<4>[196727.312275] [<ffffffff815b0c62>] __netif_receive_skb_core+0x512/0x640
<4>[196727.312308] [<ffffffff811427fb>] ? kmem_cache_alloc+0x13b/0x150
<4>[196727.312338] [<ffffffff815b0db1>] __netif_receive_skb+0x21/0x70
<4>[196727.312368] [<ffffffff815b0fa1>] netif_receive_skb+0x31/0xa0
<4>[196727.312397] [<ffffffff815b1ae8>] napi_gro_receive+0xe8/0x140
<4>[196727.312433] [<ffffffffa00274f1>] ixgbe_poll+0x551/0x11f0 [ixgbe]
<4>[196727.312463] [<ffffffff815fe00b>] ? ip_rcv+0x22b/0x340
<4>[196727.312491] [<ffffffff815b1691>] net_rx_action+0x111/0x210
<4>[196727.312521] [<ffffffff815b0db1>] ? __netif_receive_skb+0x21/0x70
<4>[196727.312552] [<ffffffff810519d0>] __do_softirq+0xd0/0x270
<4>[196727.312583] [<ffffffff816cef3c>] call_softirq+0x1c/0x30
<4>[196727.312613] [<ffffffff81004205>] do_softirq+0x55/0x90
<4>[196727.312640] [<ffffffff81051c85>] irq_exit+0x55/0x60
<4>[196727.312668] [<ffffffff816cf5c3>] do_IRQ+0x63/0xe0
<4>[196727.312696] [<ffffffff816c5aaa>] common_interrupt+0x6a/0x6a
<4>[196727.312722] <EOI>
<1>[196727.313071] RIP [<ffffffff815f8c7f>] ipv4_dst_destroy+0x4f/0x80
<4>[196727.313100] RSP <ffff885effd23a70>
<4>[196727.313377] ---[ end trace 64b3f14fae0f2e29 ]---
<0>[196727.380908] Kernel panic - not syncing: Fatal exception in interrupt
Reported-by: Alexey Preobrazhensky <preobr@google.com>
Reported-by: dormando <dormando@rydia.ne>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Fixes: 8141ed9fcedb2 ("ipv4: Add a socket release callback for datagram sockets")
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/ipv4/datagram.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/net/ipv4/datagram.c b/net/ipv4/datagram.c
index 19e3637..5f3dc1d 100644
--- a/net/ipv4/datagram.c
+++ b/net/ipv4/datagram.c
@@ -86,18 +86,26 @@ out:
}
EXPORT_SYMBOL(ip4_datagram_connect);
+/* Because UDP xmit path can manipulate sk_dst_cache without holding
+ * socket lock, we need to use sk_dst_set() here,
+ * even if we own the socket lock.
+ */
void ip4_datagram_release_cb(struct sock *sk)
{
const struct inet_sock *inet = inet_sk(sk);
const struct ip_options_rcu *inet_opt;
__be32 daddr = inet->inet_daddr;
+ struct dst_entry *dst;
struct flowi4 fl4;
struct rtable *rt;
- if (! __sk_dst_get(sk) || __sk_dst_check(sk, 0))
- return;
-
rcu_read_lock();
+
+ dst = __sk_dst_get(sk);
+ if (!dst || !dst->obsolete || dst->ops->check(dst, 0)) {
+ rcu_read_unlock();
+ return;
+ }
inet_opt = rcu_dereference(inet->inet_opt);
if (inet_opt && inet_opt->opt.srr)
daddr = inet_opt->opt.faddr;
@@ -105,8 +113,10 @@ void ip4_datagram_release_cb(struct sock *sk)
inet->inet_saddr, inet->inet_dport,
inet->inet_sport, sk->sk_protocol,
RT_CONN_FLAGS(sk), sk->sk_bound_dev_if);
- if (!IS_ERR(rt))
- __sk_dst_set(sk, &rt->dst);
+
+ dst = !IS_ERR(rt) ? &rt->dst : NULL;
+ sk_dst_set(sk, dst);
+
rcu_read_unlock();
}
EXPORT_SYMBOL_GPL(ip4_datagram_release_cb);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 224/259] rtnetlink: fix userspace API breakage for iproute2 < v3.9.0
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (222 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 223/259] ipv4: fix a race in ip4_datagram_release_cb() Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 225/259] vxlan: use dev->needed_headroom instead of dev->hard_header_len Kamal Mostafa
` (34 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Michal Schmidt, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Schmidt <mschmidt@redhat.com>
[ Upstream commit e5eca6d41f53db48edd8cf88a3f59d2c30227f8e ]
When running RHEL6 userspace on a current upstream kernel, "ip link"
fails to show VF information.
The reason is a kernel<->userspace API change introduced by commit
88c5b5ce5cb57 ("rtnetlink: Call nlmsg_parse() with correct header length"),
after which the kernel does not see iproute2's IFLA_EXT_MASK attribute
in the netlink request.
iproute2 adjusted for the API change in its commit 63338dca4513
("libnetlink: Use ifinfomsg instead of rtgenmsg in rtnl_wilddump_req_filter").
The problem has been noticed before:
http://marc.info/?l=linux-netdev&m=136692296022182&w=2
(Subject: Re: getting VF link info seems to be broken in 3.9-rc8)
We can do better than tell those with old userspace to upgrade. We can
recognize the old iproute2 in the kernel by checking the netlink message
length. Even when including the IFLA_EXT_MASK attribute, its netlink
message is shorter than struct ifinfomsg.
With this patch "ip link" shows VF information in both old and new
iproute2 versions.
Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/core/rtnetlink.c | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 410e586..a7b6520 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1106,6 +1106,7 @@ static int rtnl_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb)
struct nlattr *tb[IFLA_MAX+1];
u32 ext_filter_mask = 0;
int err;
+ int hdrlen;
s_h = cb->args[0];
s_idx = cb->args[1];
@@ -1113,8 +1114,17 @@ static int rtnl_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb)
rcu_read_lock();
cb->seq = net->dev_base_seq;
- if (nlmsg_parse(cb->nlh, sizeof(struct ifinfomsg), tb, IFLA_MAX,
- ifla_policy) >= 0) {
+ /* A hack to preserve kernel<->userspace interface.
+ * The correct header is ifinfomsg. It is consistent with rtnl_getlink.
+ * However, before Linux v3.9 the code here assumed rtgenmsg and that's
+ * what iproute2 < v3.9.0 used.
+ * We can detect the old iproute2. Even including the IFLA_EXT_MASK
+ * attribute, its netlink message is shorter than struct ifinfomsg.
+ */
+ hdrlen = nlmsg_len(cb->nlh) < sizeof(struct ifinfomsg) ?
+ sizeof(struct rtgenmsg) : sizeof(struct ifinfomsg);
+
+ if (nlmsg_parse(cb->nlh, hdrlen, tb, IFLA_MAX, ifla_policy) >= 0) {
if (tb[IFLA_EXT_MASK])
ext_filter_mask = nla_get_u32(tb[IFLA_EXT_MASK]);
@@ -1978,9 +1988,13 @@ static u16 rtnl_calcit(struct sk_buff *skb, struct nlmsghdr *nlh)
struct nlattr *tb[IFLA_MAX+1];
u32 ext_filter_mask = 0;
u16 min_ifinfo_dump_size = 0;
+ int hdrlen;
+
+ /* Same kernel<->userspace interface hack as in rtnl_dump_ifinfo. */
+ hdrlen = nlmsg_len(nlh) < sizeof(struct ifinfomsg) ?
+ sizeof(struct rtgenmsg) : sizeof(struct ifinfomsg);
- if (nlmsg_parse(nlh, sizeof(struct ifinfomsg), tb, IFLA_MAX,
- ifla_policy) >= 0) {
+ if (nlmsg_parse(nlh, hdrlen, tb, IFLA_MAX, ifla_policy) >= 0) {
if (tb[IFLA_EXT_MASK])
ext_filter_mask = nla_get_u32(tb[IFLA_EXT_MASK]);
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 225/259] vxlan: use dev->needed_headroom instead of dev->hard_header_len
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (223 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 224/259] rtnetlink: fix userspace API breakage for iproute2 < v3.9.0 Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 226/259] udp: ipv4: do not waste time in __udp4_lib_mcast_demux_lookup Kamal Mostafa
` (33 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: David S. Miller, stephen hemminger, Pravin B Shelar, Cong Wang,
Cong Wang, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Cong Wang <cwang@twopensource.com>
[ Upstream commit 2853af6a2ea1a8ed09b09dd4fb578e7f435e8d34 ]
When we mirror packets from a vxlan tunnel to other device,
the mirror device should see the same packets (that is, without
outer header). Because vxlan tunnel sets dev->hard_header_len,
tcf_mirred() resets mac header back to outer mac, the mirror device
actually sees packets with outer headers
Vxlan tunnel should set dev->needed_headroom instead of
dev->hard_header_len, like what other ip tunnels do. This fixes
the above problem.
Cc: "David S. Miller" <davem@davemloft.net>
Cc: stephen hemminger <stephen@networkplumber.org>
Cc: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: Cong Wang <cwang@twopensource.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/vxlan.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
index fc5d2b7..7e748a1 100644
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -2161,9 +2161,9 @@ static void vxlan_setup(struct net_device *dev)
eth_hw_addr_random(dev);
ether_setup(dev);
if (vxlan->default_dst.remote_ip.sa.sa_family == AF_INET6)
- dev->hard_header_len = ETH_HLEN + VXLAN6_HEADROOM;
+ dev->needed_headroom = ETH_HLEN + VXLAN6_HEADROOM;
else
- dev->hard_header_len = ETH_HLEN + VXLAN_HEADROOM;
+ dev->needed_headroom = ETH_HLEN + VXLAN_HEADROOM;
dev->netdev_ops = &vxlan_netdev_ops;
dev->destructor = free_netdev;
@@ -2541,8 +2541,7 @@ static int vxlan_newlink(struct net *net, struct net_device *dev,
if (!tb[IFLA_MTU])
dev->mtu = lowerdev->mtu - (use_ipv6 ? VXLAN6_HEADROOM : VXLAN_HEADROOM);
- /* update header length based on lower device */
- dev->hard_header_len = lowerdev->hard_header_len +
+ dev->needed_headroom = lowerdev->hard_header_len +
(use_ipv6 ? VXLAN6_HEADROOM : VXLAN_HEADROOM);
} else if (use_ipv6)
vxlan->flags |= VXLAN_F_IPV6;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 226/259] udp: ipv4: do not waste time in __udp4_lib_mcast_demux_lookup
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (224 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 225/259] vxlan: use dev->needed_headroom instead of dev->hard_header_len Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 227/259] net/mlx4_core: pass pci_device_id.driver_data to __mlx4_init_one during reset Kamal Mostafa
` (32 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Eric Dumazet, Shawn Bohrer, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 63c6f81cdde58c41da62a8d8a209592e42a0203e ]
Its too easy to add thousand of UDP sockets on a particular bucket,
and slow down an innocent multicast receiver.
Early demux is supposed to be an optimization, we should avoid spending
too much time in it.
It is interesting to note __udp4_lib_demux_lookup() only tries to
match first socket in the chain.
10 is the threshold we already have in __udp4_lib_lookup() to switch
to secondary hash.
Fixes: 421b3885bf6d5 ("udp: ipv4: Add udp early demux")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: David Held <drheld@google.com>
Cc: Shawn Bohrer <sbohrer@rgmadvisors.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/ipv4/udp.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index a7e4729..98ea36d 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1833,6 +1833,10 @@ static struct sock *__udp4_lib_mcast_demux_lookup(struct net *net,
unsigned int count, slot = udp_hashfn(net, hnum, udp_table.mask);
struct udp_hslot *hslot = &udp_table.hash[slot];
+ /* Do not bother scanning a too big list */
+ if (hslot->count > 10)
+ return NULL;
+
rcu_read_lock();
begin:
count = 0;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 227/259] net/mlx4_core: pass pci_device_id.driver_data to __mlx4_init_one during reset
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (225 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 226/259] udp: ipv4: do not waste time in __udp4_lib_mcast_demux_lookup Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 228/259] net/mlx4_core: Preserve pci_dev_data after __mlx4_remove_one() Kamal Mostafa
` (31 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Wei Yang, David S. Miller, Luis Henriques, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Wei Yang <weiyang@linux.vnet.ibm.com>
[ No upstream commit, this is a cherry picked backport enabler. ]
The second parameter of __mlx4_init_one() is used to identify whether the
pci_dev is a PF or VF. Currently, when it is invoked in mlx4_pci_slot_reset()
this information is missed.
This patch match the pci_dev with mlx4_pci_table and passes the
pci_device_id.driver_data to __mlx4_init_one() in mlx4_pci_slot_reset().
Signed-off-by: Wei Yang <weiyang@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/ethernet/mellanox/mlx4/main.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx4/main.c b/drivers/net/ethernet/mellanox/mlx4/main.c
index 01fc651..c239a9a 100644
--- a/drivers/net/ethernet/mellanox/mlx4/main.c
+++ b/drivers/net/ethernet/mellanox/mlx4/main.c
@@ -2567,7 +2567,11 @@ static pci_ers_result_t mlx4_pci_err_detected(struct pci_dev *pdev,
static pci_ers_result_t mlx4_pci_slot_reset(struct pci_dev *pdev)
{
- int ret = __mlx4_init_one(pdev, 0);
+ const struct pci_device_id *id;
+ int ret;
+
+ id = pci_match_id(mlx4_pci_table, pdev);
+ ret = __mlx4_init_one(pdev, id->driver_data);
return ret ? PCI_ERS_RESULT_DISCONNECT : PCI_ERS_RESULT_RECOVERED;
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 228/259] net/mlx4_core: Preserve pci_dev_data after __mlx4_remove_one()
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (226 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 227/259] net/mlx4_core: pass pci_device_id.driver_data to __mlx4_init_one during reset Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 229/259] ip_tunnel: fix ip_tunnel_lookup Kamal Mostafa
` (30 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Bjorn Helgaas, Amir Vadai, Jack Morgenstein, Or Gerlitz,
Wei Yang, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Wei Yang <weiyang@linux.vnet.ibm.com>
[ Upstream commit befdf8978accecac2e0739e6b5075afc62db37fe ]
pci_match_id() just match the static pci_device_id, which may return NULL if
someone binds the driver to a device manually using
/sys/bus/pci/drivers/.../new_id.
This patch wrap up a helper function __mlx4_remove_one() which does the tear
down function but preserve the drv_data. Functions like
mlx4_pci_err_detected() and mlx4_restart_one() will call this one with out
releasing drvdata.
Fixes: 97a5221 "net/mlx4_core: pass pci_device_id.driver_data to __mlx4_init_one during reset".
CC: Bjorn Helgaas <bhelgaas@google.com>
CC: Amir Vadai <amirv@mellanox.com>
CC: Jack Morgenstein <jackm@dev.mellanox.co.il>
CC: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Wei Yang <weiyang@linux.vnet.ibm.com>
Acked-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/ethernet/mellanox/mlx4/main.c | 170 +++++++++++++++++-------------
drivers/net/ethernet/mellanox/mlx4/mlx4.h | 1 +
2 files changed, 95 insertions(+), 76 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx4/main.c b/drivers/net/ethernet/mellanox/mlx4/main.c
index c239a9a..1f4b447 100644
--- a/drivers/net/ethernet/mellanox/mlx4/main.c
+++ b/drivers/net/ethernet/mellanox/mlx4/main.c
@@ -2171,13 +2171,8 @@ static int __mlx4_init_one(struct pci_dev *pdev, int pci_dev_data)
/* Allow large DMA segments, up to the firmware limit of 1 GB */
dma_set_max_seg_size(&pdev->dev, 1024 * 1024 * 1024);
- priv = kzalloc(sizeof(*priv), GFP_KERNEL);
- if (!priv) {
- err = -ENOMEM;
- goto err_release_regions;
- }
-
- dev = &priv->dev;
+ dev = pci_get_drvdata(pdev);
+ priv = mlx4_priv(dev);
dev->pdev = pdev;
INIT_LIST_HEAD(&priv->ctx_list);
spin_lock_init(&priv->ctx_lock);
@@ -2350,8 +2345,7 @@ slave_start:
mlx4_sense_init(dev);
mlx4_start_sense(dev);
- priv->pci_dev_data = pci_dev_data;
- pci_set_drvdata(pdev, dev);
+ priv->removed = 0;
return 0;
@@ -2417,84 +2411,108 @@ err_disable_pdev:
static int mlx4_init_one(struct pci_dev *pdev, const struct pci_device_id *id)
{
+ struct mlx4_priv *priv;
+ struct mlx4_dev *dev;
+
printk_once(KERN_INFO "%s", mlx4_version);
+ priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+ if (!priv)
+ return -ENOMEM;
+
+ dev = &priv->dev;
+ pci_set_drvdata(pdev, dev);
+ priv->pci_dev_data = id->driver_data;
+
return __mlx4_init_one(pdev, id->driver_data);
}
-static void mlx4_remove_one(struct pci_dev *pdev)
+static void __mlx4_remove_one(struct pci_dev *pdev)
{
struct mlx4_dev *dev = pci_get_drvdata(pdev);
struct mlx4_priv *priv = mlx4_priv(dev);
+ int pci_dev_data;
int p;
- if (dev) {
- /* in SRIOV it is not allowed to unload the pf's
- * driver while there are alive vf's */
- if (mlx4_is_master(dev)) {
- if (mlx4_how_many_lives_vf(dev))
- printk(KERN_ERR "Removing PF when there are assigned VF's !!!\n");
- }
- mlx4_stop_sense(dev);
- mlx4_unregister_device(dev);
+ if (priv->removed)
+ return;
- for (p = 1; p <= dev->caps.num_ports; p++) {
- mlx4_cleanup_port_info(&priv->port[p]);
- mlx4_CLOSE_PORT(dev, p);
- }
+ pci_dev_data = priv->pci_dev_data;
- if (mlx4_is_master(dev))
- mlx4_free_resource_tracker(dev,
- RES_TR_FREE_SLAVES_ONLY);
-
- mlx4_cleanup_counters_table(dev);
- mlx4_cleanup_qp_table(dev);
- mlx4_cleanup_srq_table(dev);
- mlx4_cleanup_cq_table(dev);
- mlx4_cmd_use_polling(dev);
- mlx4_cleanup_eq_table(dev);
- mlx4_cleanup_mcg_table(dev);
- mlx4_cleanup_mr_table(dev);
- mlx4_cleanup_xrcd_table(dev);
- mlx4_cleanup_pd_table(dev);
+ /* in SRIOV it is not allowed to unload the pf's
+ * driver while there are alive vf's */
+ if (mlx4_is_master(dev) && mlx4_how_many_lives_vf(dev))
+ printk(KERN_ERR "Removing PF when there are assigned VF's !!!\n");
+ mlx4_stop_sense(dev);
+ mlx4_unregister_device(dev);
- if (mlx4_is_master(dev))
- mlx4_free_resource_tracker(dev,
- RES_TR_FREE_STRUCTS_ONLY);
-
- iounmap(priv->kar);
- mlx4_uar_free(dev, &priv->driver_uar);
- mlx4_cleanup_uar_table(dev);
- if (!mlx4_is_slave(dev))
- mlx4_clear_steering(dev);
- mlx4_free_eq_table(dev);
- if (mlx4_is_master(dev))
- mlx4_multi_func_cleanup(dev);
- mlx4_close_hca(dev);
- if (mlx4_is_slave(dev))
- mlx4_multi_func_cleanup(dev);
- mlx4_cmd_cleanup(dev);
-
- if (dev->flags & MLX4_FLAG_MSI_X)
- pci_disable_msix(pdev);
- if (dev->flags & MLX4_FLAG_SRIOV) {
- mlx4_warn(dev, "Disabling SR-IOV\n");
- pci_disable_sriov(pdev);
- }
+ for (p = 1; p <= dev->caps.num_ports; p++) {
+ mlx4_cleanup_port_info(&priv->port[p]);
+ mlx4_CLOSE_PORT(dev, p);
+ }
- if (!mlx4_is_slave(dev))
- mlx4_free_ownership(dev);
+ if (mlx4_is_master(dev))
+ mlx4_free_resource_tracker(dev,
+ RES_TR_FREE_SLAVES_ONLY);
+
+ mlx4_cleanup_counters_table(dev);
+ mlx4_cleanup_qp_table(dev);
+ mlx4_cleanup_srq_table(dev);
+ mlx4_cleanup_cq_table(dev);
+ mlx4_cmd_use_polling(dev);
+ mlx4_cleanup_eq_table(dev);
+ mlx4_cleanup_mcg_table(dev);
+ mlx4_cleanup_mr_table(dev);
+ mlx4_cleanup_xrcd_table(dev);
+ mlx4_cleanup_pd_table(dev);
- kfree(dev->caps.qp0_tunnel);
- kfree(dev->caps.qp0_proxy);
- kfree(dev->caps.qp1_tunnel);
- kfree(dev->caps.qp1_proxy);
+ if (mlx4_is_master(dev))
+ mlx4_free_resource_tracker(dev,
+ RES_TR_FREE_STRUCTS_ONLY);
- kfree(priv);
- pci_release_regions(pdev);
- pci_disable_device(pdev);
- pci_set_drvdata(pdev, NULL);
+ iounmap(priv->kar);
+ mlx4_uar_free(dev, &priv->driver_uar);
+ mlx4_cleanup_uar_table(dev);
+ if (!mlx4_is_slave(dev))
+ mlx4_clear_steering(dev);
+ mlx4_free_eq_table(dev);
+ if (mlx4_is_master(dev))
+ mlx4_multi_func_cleanup(dev);
+ mlx4_close_hca(dev);
+ if (mlx4_is_slave(dev))
+ mlx4_multi_func_cleanup(dev);
+ mlx4_cmd_cleanup(dev);
+
+ if (dev->flags & MLX4_FLAG_MSI_X)
+ pci_disable_msix(pdev);
+ if (dev->flags & MLX4_FLAG_SRIOV) {
+ mlx4_warn(dev, "Disabling SR-IOV\n");
+ pci_disable_sriov(pdev);
}
+
+ if (!mlx4_is_slave(dev))
+ mlx4_free_ownership(dev);
+
+ kfree(dev->caps.qp0_tunnel);
+ kfree(dev->caps.qp0_proxy);
+ kfree(dev->caps.qp1_tunnel);
+ kfree(dev->caps.qp1_proxy);
+
+ pci_release_regions(pdev);
+ pci_disable_device(pdev);
+ memset(priv, 0, sizeof(*priv));
+ priv->pci_dev_data = pci_dev_data;
+ priv->removed = 1;
+}
+
+static void mlx4_remove_one(struct pci_dev *pdev)
+{
+ struct mlx4_dev *dev = pci_get_drvdata(pdev);
+ struct mlx4_priv *priv = mlx4_priv(dev);
+
+ __mlx4_remove_one(pdev);
+ kfree(priv);
+ pci_set_drvdata(pdev, NULL);
}
int mlx4_restart_one(struct pci_dev *pdev)
@@ -2504,7 +2522,7 @@ int mlx4_restart_one(struct pci_dev *pdev)
int pci_dev_data;
pci_dev_data = priv->pci_dev_data;
- mlx4_remove_one(pdev);
+ __mlx4_remove_one(pdev);
return __mlx4_init_one(pdev, pci_dev_data);
}
@@ -2559,7 +2577,7 @@ MODULE_DEVICE_TABLE(pci, mlx4_pci_table);
static pci_ers_result_t mlx4_pci_err_detected(struct pci_dev *pdev,
pci_channel_state_t state)
{
- mlx4_remove_one(pdev);
+ __mlx4_remove_one(pdev);
return state == pci_channel_io_perm_failure ?
PCI_ERS_RESULT_DISCONNECT : PCI_ERS_RESULT_NEED_RESET;
@@ -2567,11 +2585,11 @@ static pci_ers_result_t mlx4_pci_err_detected(struct pci_dev *pdev,
static pci_ers_result_t mlx4_pci_slot_reset(struct pci_dev *pdev)
{
- const struct pci_device_id *id;
- int ret;
+ struct mlx4_dev *dev = pci_get_drvdata(pdev);
+ struct mlx4_priv *priv = mlx4_priv(dev);
+ int ret;
- id = pci_match_id(mlx4_pci_table, pdev);
- ret = __mlx4_init_one(pdev, id->driver_data);
+ ret = __mlx4_init_one(pdev, priv->pci_dev_data);
return ret ? PCI_ERS_RESULT_DISCONNECT : PCI_ERS_RESULT_RECOVERED;
}
diff --git a/drivers/net/ethernet/mellanox/mlx4/mlx4.h b/drivers/net/ethernet/mellanox/mlx4/mlx4.h
index e582a41..640dcce 100644
--- a/drivers/net/ethernet/mellanox/mlx4/mlx4.h
+++ b/drivers/net/ethernet/mellanox/mlx4/mlx4.h
@@ -791,6 +791,7 @@ struct mlx4_priv {
spinlock_t ctx_lock;
int pci_dev_data;
+ int removed;
struct list_head pgdir_list;
struct mutex pgdir_mutex;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 229/259] ip_tunnel: fix ip_tunnel_lookup
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (227 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 228/259] net/mlx4_core: Preserve pci_dev_data after __mlx4_remove_one() Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 230/259] slip: Fix deadlock in write_wakeup Kamal Mostafa
` (29 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Dmitry Popov, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Popov <ixaphire@qrator.net>
[ Upstream commit e0056593b61253f1a8a9941dacda22e73b963cdc ]
This patch fixes 3 similar bugs where incoming packets might be routed into
wrong non-wildcard tunnels:
1) Consider the following setup:
ip address add 1.1.1.1/24 dev eth0
ip address add 1.1.1.2/24 dev eth0
ip tunnel add ipip1 remote 2.2.2.2 local 1.1.1.1 mode ipip dev eth0
ip link set ipip1 up
Incoming ipip packets from 2.2.2.2 were routed into ipip1 even if it has dst =
1.1.1.2. Moreover even if there was wildcard tunnel like
ip tunnel add ipip0 remote 2.2.2.2 local any mode ipip dev eth0
but it was created before explicit one (with local 1.1.1.1), incoming ipip
packets with src = 2.2.2.2 and dst = 1.1.1.2 were still routed into ipip1.
Same issue existed with all tunnels that use ip_tunnel_lookup (gre, vti)
2) ip address add 1.1.1.1/24 dev eth0
ip tunnel add ipip1 remote 2.2.146.85 local 1.1.1.1 mode ipip dev eth0
ip link set ipip1 up
Incoming ipip packets with dst = 1.1.1.1 were routed into ipip1, no matter what
src address is. Any remote ip address which has ip_tunnel_hash = 0 raised this
issue, 2.2.146.85 is just an example, there are more than 4 million of them.
And again, wildcard tunnel like
ip tunnel add ipip0 remote any local 1.1.1.1 mode ipip dev eth0
wouldn't be ever matched if it was created before explicit tunnel like above.
Gre & vti tunnels had the same issue.
3) ip address add 1.1.1.1/24 dev eth0
ip tunnel add gre1 remote 2.2.146.84 local 1.1.1.1 key 1 mode gre dev eth0
ip link set gre1 up
Any incoming gre packet with key = 1 were routed into gre1, no matter what
src/dst addresses are. Any remote ip address which has ip_tunnel_hash = 0 raised
the issue, 2.2.146.84 is just an example, there are more than 4 million of them.
Wildcard tunnel like
ip tunnel add gre2 remote any local any key 1 mode gre dev eth0
wouldn't be ever matched if it was created before explicit tunnel like above.
All this stuff happened because while looking for a wildcard tunnel we didn't
check that matched tunnel is a wildcard one. Fixed.
Signed-off-by: Dmitry Popov <ixaphire@qrator.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/ipv4/ip_tunnel.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
index a39c5cf..d4e7bd7 100644
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -166,6 +166,7 @@ struct ip_tunnel *ip_tunnel_lookup(struct ip_tunnel_net *itn,
hlist_for_each_entry_rcu(t, head, hash_node) {
if (remote != t->parms.iph.daddr ||
+ t->parms.iph.saddr != 0 ||
!(t->dev->flags & IFF_UP))
continue;
@@ -182,10 +183,11 @@ struct ip_tunnel *ip_tunnel_lookup(struct ip_tunnel_net *itn,
head = &itn->tunnels[hash];
hlist_for_each_entry_rcu(t, head, hash_node) {
- if ((local != t->parms.iph.saddr &&
- (local != t->parms.iph.daddr ||
- !ipv4_is_multicast(local))) ||
- !(t->dev->flags & IFF_UP))
+ if ((local != t->parms.iph.saddr || t->parms.iph.daddr != 0) &&
+ (local != t->parms.iph.daddr || !ipv4_is_multicast(local)))
+ continue;
+
+ if (!(t->dev->flags & IFF_UP))
continue;
if (!ip_tunnel_key_match(&t->parms, flags, key))
@@ -202,6 +204,8 @@ struct ip_tunnel *ip_tunnel_lookup(struct ip_tunnel_net *itn,
hlist_for_each_entry_rcu(t, head, hash_node) {
if (t->parms.i_key != key ||
+ t->parms.iph.saddr != 0 ||
+ t->parms.iph.daddr != 0 ||
!(t->dev->flags & IFF_UP))
continue;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 230/259] slip: Fix deadlock in write_wakeup
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (228 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 229/259] ip_tunnel: fix ip_tunnel_lookup Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 231/259] slcan: Port write_wakeup deadlock fix from slip Kamal Mostafa
` (28 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Tyler Hall, Oliver Hartkopp, Andre Naujoks, David S. Miller,
Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Tyler Hall <tylerwhall@gmail.com>
[ Upstream commit 661f7fda21b15ec52f57fcd397c03370acc28688 ]
Use schedule_work() to avoid potentially taking the spinlock in
interrupt context.
Commit cc9fa74e2a ("slip/slcan: added locking in wakeup function") added
necessary locking to the wakeup function and 367525c8c2/ddcde142be ("can:
slcan: Fix spinlock variant") converted it to spin_lock_bh() because the lock
is also taken in timers.
Disabling softirqs is not sufficient, however, as tty drivers may call
write_wakeup from interrupt context. This driver calls tty->ops->write() with
its spinlock held, which may immediately cause an interrupt on the same CPU and
subsequent spin_bug().
Simply converting to spin_lock_irq/irqsave() prevents this deadlock, but
causes lockdep to point out a possible circular locking dependency
between these locks:
(&(&sl->lock)->rlock){-.....}, at: slip_write_wakeup
(&port_lock_key){-.....}, at: serial8250_handle_irq.part.13
The slip transmit is holding the slip spinlock when calling the tty write.
This grabs the port lock. On an interrupt, the handler grabs the port
lock and calls write_wakeup which grabs the slip lock. This could be a
problem if a serial interrupt occurs on another CPU during the slip
transmit.
To deal with these issues, don't grab the lock in the wakeup function by
deferring the writeout to a workqueue. Also hold the lock during close
when de-assigning the tty pointer to safely disarm the worker and
timers.
This bug is easily reproducible on the first transmit when slip is
used with the standard 8250 serial driver.
[<c0410b7c>] (spin_bug+0x0/0x38) from [<c006109c>] (do_raw_spin_lock+0x60/0x1d0)
r5:eab27000 r4:ec02754c
[<c006103c>] (do_raw_spin_lock+0x0/0x1d0) from [<c04185c0>] (_raw_spin_lock+0x28/0x2c)
r10:0000001f r9:eabb814c r8:eabb8140 r7:40070193 r6:ec02754c r5:eab27000
r4:ec02754c r3:00000000
[<c0418598>] (_raw_spin_lock+0x0/0x2c) from [<bf3a0220>] (slip_write_wakeup+0x50/0xe0 [slip])
r4:ec027540 r3:00000003
[<bf3a01d0>] (slip_write_wakeup+0x0/0xe0 [slip]) from [<c026e420>] (tty_wakeup+0x48/0x68)
r6:00000000 r5:ea80c480 r4:eab27000 r3:bf3a01d0
[<c026e3d8>] (tty_wakeup+0x0/0x68) from [<c028a8ec>] (uart_write_wakeup+0x2c/0x30)
r5:ed68ea90 r4:c06790d8
[<c028a8c0>] (uart_write_wakeup+0x0/0x30) from [<c028dc44>] (serial8250_tx_chars+0x114/0x170)
[<c028db30>] (serial8250_tx_chars+0x0/0x170) from [<c028dffc>] (serial8250_handle_irq+0xa0/0xbc)
r6:000000c2 r5:00000060 r4:c06790d8 r3:00000000
[<c028df5c>] (serial8250_handle_irq+0x0/0xbc) from [<c02933a4>] (dw8250_handle_irq+0x38/0x64)
r7:00000000 r6:edd2f390 r5:000000c2 r4:c06790d8
[<c029336c>] (dw8250_handle_irq+0x0/0x64) from [<c028d2f4>] (serial8250_interrupt+0x44/0xc4)
r6:00000000 r5:00000000 r4:c06791c4 r3:c029336c
[<c028d2b0>] (serial8250_interrupt+0x0/0xc4) from [<c0067fe4>] (handle_irq_event_percpu+0xb4/0x2b0)
r10:c06790d8 r9:eab27000 r8:00000000 r7:00000000 r6:0000001f r5:edd52980
r4:ec53b6c0 r3:c028d2b0
[<c0067f30>] (handle_irq_event_percpu+0x0/0x2b0) from [<c006822c>] (handle_irq_event+0x4c/0x6c)
r10:c06790d8 r9:eab27000 r8:c0673ae0 r7:c05c2020 r6:ec53b6c0 r5:edd529d4
r4:edd52980
[<c00681e0>] (handle_irq_event+0x0/0x6c) from [<c006b140>] (handle_level_irq+0xe8/0x100)
r6:00000000 r5:edd529d4 r4:edd52980 r3:00022000
[<c006b058>] (handle_level_irq+0x0/0x100) from [<c00676f8>] (generic_handle_irq+0x30/0x40)
r5:0000001f r4:0000001f
[<c00676c8>] (generic_handle_irq+0x0/0x40) from [<c000f57c>] (handle_IRQ+0xd0/0x13c)
r4:ea997b18 r3:000000e0
[<c000f4ac>] (handle_IRQ+0x0/0x13c) from [<c00086c4>] (armada_370_xp_handle_irq+0x4c/0x118)
r8:000003ff r7:ea997b18 r6:ffffffff r5:60070013 r4:c0674dc0
[<c0008678>] (armada_370_xp_handle_irq+0x0/0x118) from [<c0013840>] (__irq_svc+0x40/0x70)
Exception stack(0xea997b18 to 0xea997b60)
7b00: 00000001 20070013
7b20: 00000000 0000000b 20070013 eab27000 20070013 00000000 ed10103e eab27000
7b40: c06790d8 ea997b74 ea997b60 ea997b60 c04186c0 c04186c8 60070013 ffffffff
r9:eab27000 r8:ed10103e r7:ea997b4c r6:ffffffff r5:60070013 r4:c04186c8
[<c04186a4>] (_raw_spin_unlock_irqrestore+0x0/0x54) from [<c0288fc0>] (uart_start+0x40/0x44)
r4:c06790d8 r3:c028ddd8
[<c0288f80>] (uart_start+0x0/0x44) from [<c028982c>] (uart_write+0xe4/0xf4)
r6:0000003e r5:00000000 r4:ed68ea90 r3:0000003e
[<c0289748>] (uart_write+0x0/0xf4) from [<bf3a0d20>] (sl_xmit+0x1c4/0x228 [slip])
r10:ed388e60 r9:0000003c r8:ffffffdd r7:0000003e r6:ec02754c r5:ea717eb8
r4:ec027000
[<bf3a0b5c>] (sl_xmit+0x0/0x228 [slip]) from [<c0368d74>] (dev_hard_start_xmit+0x39c/0x6d0)
r8:eaf163c0 r7:ec027000 r6:ea717eb8 r5:00000000 r4:00000000
Signed-off-by: Tyler Hall <tylerwhall@gmail.com>
Cc: Oliver Hartkopp <socketcan@hartkopp.net>
Cc: Andre Naujoks <nautsch2@gmail.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/slip/slip.c | 36 ++++++++++++++++++++++++++----------
drivers/net/slip/slip.h | 1 +
2 files changed, 27 insertions(+), 10 deletions(-)
diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c
index ad4a94e..8752644 100644
--- a/drivers/net/slip/slip.c
+++ b/drivers/net/slip/slip.c
@@ -83,6 +83,7 @@
#include <linux/delay.h>
#include <linux/init.h>
#include <linux/slab.h>
+#include <linux/workqueue.h>
#include "slip.h"
#ifdef CONFIG_INET
#include <linux/ip.h>
@@ -416,36 +417,46 @@ static void sl_encaps(struct slip *sl, unsigned char *icp, int len)
#endif
}
-/*
- * Called by the driver when there's room for more data. If we have
- * more packets to send, we send them here.
- */
-static void slip_write_wakeup(struct tty_struct *tty)
+/* Write out any remaining transmit buffer. Scheduled when tty is writable */
+static void slip_transmit(struct work_struct *work)
{
+ struct slip *sl = container_of(work, struct slip, tx_work);
int actual;
- struct slip *sl = tty->disc_data;
+ spin_lock_bh(&sl->lock);
/* First make sure we're connected. */
- if (!sl || sl->magic != SLIP_MAGIC || !netif_running(sl->dev))
+ if (!sl->tty || sl->magic != SLIP_MAGIC || !netif_running(sl->dev)) {
+ spin_unlock_bh(&sl->lock);
return;
+ }
- spin_lock_bh(&sl->lock);
if (sl->xleft <= 0) {
/* Now serial buffer is almost free & we can start
* transmission of another packet */
sl->dev->stats.tx_packets++;
- clear_bit(TTY_DO_WRITE_WAKEUP, &tty->flags);
+ clear_bit(TTY_DO_WRITE_WAKEUP, &sl->tty->flags);
spin_unlock_bh(&sl->lock);
sl_unlock(sl);
return;
}
- actual = tty->ops->write(tty, sl->xhead, sl->xleft);
+ actual = sl->tty->ops->write(sl->tty, sl->xhead, sl->xleft);
sl->xleft -= actual;
sl->xhead += actual;
spin_unlock_bh(&sl->lock);
}
+/*
+ * Called by the driver when there's room for more data.
+ * Schedule the transmit.
+ */
+static void slip_write_wakeup(struct tty_struct *tty)
+{
+ struct slip *sl = tty->disc_data;
+
+ schedule_work(&sl->tx_work);
+}
+
static void sl_tx_timeout(struct net_device *dev)
{
struct slip *sl = netdev_priv(dev);
@@ -749,6 +760,7 @@ static struct slip *sl_alloc(dev_t line)
sl->magic = SLIP_MAGIC;
sl->dev = dev;
spin_lock_init(&sl->lock);
+ INIT_WORK(&sl->tx_work, slip_transmit);
sl->mode = SL_MODE_DEFAULT;
#ifdef CONFIG_SLIP_SMART
/* initialize timer_list struct */
@@ -872,8 +884,12 @@ static void slip_close(struct tty_struct *tty)
if (!sl || sl->magic != SLIP_MAGIC || sl->tty != tty)
return;
+ spin_lock_bh(&sl->lock);
tty->disc_data = NULL;
sl->tty = NULL;
+ spin_unlock_bh(&sl->lock);
+
+ flush_work(&sl->tx_work);
/* VSV = very important to remove timers */
#ifdef CONFIG_SLIP_SMART
diff --git a/drivers/net/slip/slip.h b/drivers/net/slip/slip.h
index 67673cf..cf32aad 100644
--- a/drivers/net/slip/slip.h
+++ b/drivers/net/slip/slip.h
@@ -53,6 +53,7 @@ struct slip {
struct tty_struct *tty; /* ptr to TTY structure */
struct net_device *dev; /* easy for intr handling */
spinlock_t lock;
+ struct work_struct tx_work; /* Flushes transmit buffer */
#ifdef SL_INCLUDE_CSLIP
struct slcompress *slcomp; /* for header compression */
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 231/259] slcan: Port write_wakeup deadlock fix from slip
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (229 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 230/259] slip: Fix deadlock in write_wakeup Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 232/259] net: sctp: propagate sysctl errors from proc_do* properly Kamal Mostafa
` (27 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Tyler Hall, Oliver Hartkopp, Andre Naujoks, David S. Miller,
Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Tyler Hall <tylerwhall@gmail.com>
[ Upstream commit a8e83b17536aad603fbeae4c460f2da0ee9fe6ed ]
The commit "slip: Fix deadlock in write_wakeup" fixes a deadlock caused
by a change made in both slcan and slip. This is a direct port of that
fix.
Signed-off-by: Tyler Hall <tylerwhall@gmail.com>
Cc: Oliver Hartkopp <socketcan@hartkopp.net>
Cc: Andre Naujoks <nautsch2@gmail.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/can/slcan.c | 41 +++++++++++++++++++++++++++++------------
1 file changed, 29 insertions(+), 12 deletions(-)
diff --git a/drivers/net/can/slcan.c b/drivers/net/can/slcan.c
index 25377e5..3c28d1f 100644
--- a/drivers/net/can/slcan.c
+++ b/drivers/net/can/slcan.c
@@ -54,6 +54,7 @@
#include <linux/delay.h>
#include <linux/init.h>
#include <linux/kernel.h>
+#include <linux/workqueue.h>
#include <linux/can.h>
#include <linux/can/skb.h>
@@ -87,6 +88,7 @@ struct slcan {
struct tty_struct *tty; /* ptr to TTY structure */
struct net_device *dev; /* easy for intr handling */
spinlock_t lock;
+ struct work_struct tx_work; /* Flushes transmit buffer */
/* These are pointers to the malloc()ed frame buffers. */
unsigned char rbuff[SLC_MTU]; /* receiver buffer */
@@ -311,34 +313,44 @@ static void slc_encaps(struct slcan *sl, struct can_frame *cf)
sl->dev->stats.tx_bytes += cf->can_dlc;
}
-/*
- * Called by the driver when there's room for more data. If we have
- * more packets to send, we send them here.
- */
-static void slcan_write_wakeup(struct tty_struct *tty)
+/* Write out any remaining transmit buffer. Scheduled when tty is writable */
+static void slcan_transmit(struct work_struct *work)
{
+ struct slcan *sl = container_of(work, struct slcan, tx_work);
int actual;
- struct slcan *sl = (struct slcan *) tty->disc_data;
+ spin_lock_bh(&sl->lock);
/* First make sure we're connected. */
- if (!sl || sl->magic != SLCAN_MAGIC || !netif_running(sl->dev))
+ if (!sl->tty || sl->magic != SLCAN_MAGIC || !netif_running(sl->dev)) {
+ spin_unlock_bh(&sl->lock);
return;
+ }
- spin_lock(&sl->lock);
if (sl->xleft <= 0) {
/* Now serial buffer is almost free & we can start
* transmission of another packet */
sl->dev->stats.tx_packets++;
- clear_bit(TTY_DO_WRITE_WAKEUP, &tty->flags);
- spin_unlock(&sl->lock);
+ clear_bit(TTY_DO_WRITE_WAKEUP, &sl->tty->flags);
+ spin_unlock_bh(&sl->lock);
netif_wake_queue(sl->dev);
return;
}
- actual = tty->ops->write(tty, sl->xhead, sl->xleft);
+ actual = sl->tty->ops->write(sl->tty, sl->xhead, sl->xleft);
sl->xleft -= actual;
sl->xhead += actual;
- spin_unlock(&sl->lock);
+ spin_unlock_bh(&sl->lock);
+}
+
+/*
+ * Called by the driver when there's room for more data.
+ * Schedule the transmit.
+ */
+static void slcan_write_wakeup(struct tty_struct *tty)
+{
+ struct slcan *sl = tty->disc_data;
+
+ schedule_work(&sl->tx_work);
}
/* Send a can_frame to a TTY queue. */
@@ -524,6 +536,7 @@ static struct slcan *slc_alloc(dev_t line)
sl->magic = SLCAN_MAGIC;
sl->dev = dev;
spin_lock_init(&sl->lock);
+ INIT_WORK(&sl->tx_work, slcan_transmit);
slcan_devs[i] = dev;
return sl;
@@ -622,8 +635,12 @@ static void slcan_close(struct tty_struct *tty)
if (!sl || sl->magic != SLCAN_MAGIC || sl->tty != tty)
return;
+ spin_lock_bh(&sl->lock);
tty->disc_data = NULL;
sl->tty = NULL;
+ spin_unlock_bh(&sl->lock);
+
+ flush_work(&sl->tx_work);
/* Flush network side */
unregister_netdev(sl->dev);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 232/259] net: sctp: propagate sysctl errors from proc_do* properly
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (230 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 231/259] slcan: Port write_wakeup deadlock fix from slip Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 233/259] tcp: fix tcp_match_skb_to_sack() for unaligned SACK at end of an skb Kamal Mostafa
` (26 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Daniel Borkmann, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Borkmann <dborkman@redhat.com>
[ Upstream commit ff5e92c1affe7166b3f6e7073e648ed65a6e2e59 ]
sysctl handler proc_sctp_do_hmac_alg(), proc_sctp_do_rto_min() and
proc_sctp_do_rto_max() do not properly reflect some error cases
when writing values via sysctl from internal proc functions such
as proc_dointvec() and proc_dostring().
In all these cases we pass the test for write != 0 and partially
do additional work just to notice that additional sanity checks
fail and we return with hard-coded -EINVAL while proc_do*
functions might also return different errors. So fix this up by
simply testing a successful return of proc_do* right after
calling it.
This also allows to propagate its return value onwards to the user.
While touching this, also fix up some minor style issues.
Fixes: 4f3fdf3bc59c ("sctp: add check rto_min and rto_max in sysctl")
Fixes: 3c68198e7511 ("sctp: Make hmac algorithm selection for cookie generation dynamic")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/sctp/sysctl.c | 43 +++++++++++++++++++++++--------------------
1 file changed, 23 insertions(+), 20 deletions(-)
diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c
index b2da788..7c4eac4 100644
--- a/net/sctp/sysctl.c
+++ b/net/sctp/sysctl.c
@@ -307,41 +307,40 @@ static int proc_sctp_do_hmac_alg(struct ctl_table *ctl, int write,
loff_t *ppos)
{
struct net *net = current->nsproxy->net_ns;
- char tmp[8];
struct ctl_table tbl;
- int ret;
- int changed = 0;
+ bool changed = false;
char *none = "none";
+ char tmp[8];
+ int ret;
memset(&tbl, 0, sizeof(struct ctl_table));
if (write) {
tbl.data = tmp;
- tbl.maxlen = 8;
+ tbl.maxlen = sizeof(tmp);
} else {
tbl.data = net->sctp.sctp_hmac_alg ? : none;
tbl.maxlen = strlen(tbl.data);
}
- ret = proc_dostring(&tbl, write, buffer, lenp, ppos);
- if (write) {
+ ret = proc_dostring(&tbl, write, buffer, lenp, ppos);
+ if (write && ret == 0) {
#ifdef CONFIG_CRYPTO_MD5
if (!strncmp(tmp, "md5", 3)) {
net->sctp.sctp_hmac_alg = "md5";
- changed = 1;
+ changed = true;
}
#endif
#ifdef CONFIG_CRYPTO_SHA1
if (!strncmp(tmp, "sha1", 4)) {
net->sctp.sctp_hmac_alg = "sha1";
- changed = 1;
+ changed = true;
}
#endif
if (!strncmp(tmp, "none", 4)) {
net->sctp.sctp_hmac_alg = NULL;
- changed = 1;
+ changed = true;
}
-
if (!changed)
ret = -EINVAL;
}
@@ -354,11 +353,10 @@ static int proc_sctp_do_rto_min(struct ctl_table *ctl, int write,
loff_t *ppos)
{
struct net *net = current->nsproxy->net_ns;
- int new_value;
- struct ctl_table tbl;
unsigned int min = *(unsigned int *) ctl->extra1;
unsigned int max = *(unsigned int *) ctl->extra2;
- int ret;
+ struct ctl_table tbl;
+ int ret, new_value;
memset(&tbl, 0, sizeof(struct ctl_table));
tbl.maxlen = sizeof(unsigned int);
@@ -367,12 +365,15 @@ static int proc_sctp_do_rto_min(struct ctl_table *ctl, int write,
tbl.data = &new_value;
else
tbl.data = &net->sctp.rto_min;
+
ret = proc_dointvec(&tbl, write, buffer, lenp, ppos);
- if (write) {
- if (ret || new_value > max || new_value < min)
+ if (write && ret == 0) {
+ if (new_value > max || new_value < min)
return -EINVAL;
+
net->sctp.rto_min = new_value;
}
+
return ret;
}
@@ -381,11 +382,10 @@ static int proc_sctp_do_rto_max(struct ctl_table *ctl, int write,
loff_t *ppos)
{
struct net *net = current->nsproxy->net_ns;
- int new_value;
- struct ctl_table tbl;
unsigned int min = *(unsigned int *) ctl->extra1;
unsigned int max = *(unsigned int *) ctl->extra2;
- int ret;
+ struct ctl_table tbl;
+ int ret, new_value;
memset(&tbl, 0, sizeof(struct ctl_table));
tbl.maxlen = sizeof(unsigned int);
@@ -394,12 +394,15 @@ static int proc_sctp_do_rto_max(struct ctl_table *ctl, int write,
tbl.data = &new_value;
else
tbl.data = &net->sctp.rto_max;
+
ret = proc_dointvec(&tbl, write, buffer, lenp, ppos);
- if (write) {
- if (ret || new_value > max || new_value < min)
+ if (write && ret == 0) {
+ if (new_value > max || new_value < min)
return -EINVAL;
+
net->sctp.rto_max = new_value;
}
+
return ret;
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 233/259] tcp: fix tcp_match_skb_to_sack() for unaligned SACK at end of an skb
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (231 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 232/259] net: sctp: propagate sysctl errors from proc_do* properly Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 234/259] net: sctp: check proc_dointvec result in proc_sctp_do_auth Kamal Mostafa
` (25 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Neal Cardwell, Eric Dumazet, Yuchung Cheng, Ilpo Jarvinen,
David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Neal Cardwell <ncardwell@google.com>
[ Upstream commit 2cd0d743b05e87445c54ca124a9916f22f16742e ]
If there is an MSS change (or misbehaving receiver) that causes a SACK
to arrive that covers the end of an skb but is less than one MSS, then
tcp_match_skb_to_sack() was rounding up pkt_len to the full length of
the skb ("Round if necessary..."), then chopping all bytes off the skb
and creating a zero-byte skb in the write queue.
This was visible now because the recently simplified TLP logic in
bef1909ee3ed1c ("tcp: fixing TLP's FIN recovery") could find that 0-byte
skb at the end of the write queue, and now that we do not check that
skb's length we could send it as a TLP probe.
Consider the following example scenario:
mss: 1000
skb: seq: 0 end_seq: 4000 len: 4000
SACK: start_seq: 3999 end_seq: 4000
The tcp_match_skb_to_sack() code will compute:
in_sack = false
pkt_len = start_seq - TCP_SKB_CB(skb)->seq = 3999 - 0 = 3999
new_len = (pkt_len / mss) * mss = (3999/1000)*1000 = 3000
new_len += mss = 4000
Previously we would find the new_len > skb->len check failing, so we
would fall through and set pkt_len = new_len = 4000 and chop off
pkt_len of 4000 from the 4000-byte skb, leaving a 0-byte segment
afterward in the write queue.
With this new commit, we notice that the new new_len >= skb->len check
succeeds, so that we return without trying to fragment.
Fixes: adb92db857ee ("tcp: Make SACK code to split only at mss boundaries")
Reported-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Ilpo Jarvinen <ilpo.jarvinen@helsinki.fi>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/ipv4/tcp_input.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 320cfe1..a8827e7 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -1167,7 +1167,7 @@ static int tcp_match_skb_to_sack(struct sock *sk, struct sk_buff *skb,
unsigned int new_len = (pkt_len / mss) * mss;
if (!in_sack && new_len < pkt_len) {
new_len += mss;
- if (new_len > skb->len)
+ if (new_len >= skb->len)
return 0;
}
pkt_len = new_len;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 234/259] net: sctp: check proc_dointvec result in proc_sctp_do_auth
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (232 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 233/259] tcp: fix tcp_match_skb_to_sack() for unaligned SACK at end of an skb Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 235/259] 8021q: fix a potential memory leak Kamal Mostafa
` (24 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Daniel Borkmann, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Borkmann <dborkman@redhat.com>
[ Upstream commit 24599e61b7552673dd85971cf5a35369cd8c119e ]
When writing to the sysctl field net.sctp.auth_enable, it can well
be that the user buffer we handed over to proc_dointvec() via
proc_sctp_do_auth() handler contains something other than integers.
In that case, we would set an uninitialized 4-byte value from the
stack to net->sctp.auth_enable that can be leaked back when reading
the sysctl variable, and it can unintentionally turn auth_enable
on/off based on the stack content since auth_enable is interpreted
as a boolean.
Fix it up by making sure proc_dointvec() returned sucessfully.
Fixes: b14878ccb7fa ("net: sctp: cache auth_enable per endpoint")
Reported-by: Florian Westphal <fwestpha@redhat.com>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/sctp/sysctl.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c
index 7c4eac4..99abe1a 100644
--- a/net/sctp/sysctl.c
+++ b/net/sctp/sysctl.c
@@ -423,8 +423,7 @@ static int proc_sctp_do_auth(struct ctl_table *ctl, int write,
tbl.data = &net->sctp.auth_enable;
ret = proc_dointvec(&tbl, write, buffer, lenp, ppos);
-
- if (write) {
+ if (write && ret == 0) {
struct sock *sk = net->sctp.ctl_sock;
net->sctp.auth_enable = new_value;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 235/259] 8021q: fix a potential memory leak
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (233 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 234/259] net: sctp: check proc_dointvec result in proc_sctp_do_auth Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 236/259] net: huawei_cdc_ncm: increase command buffer size Kamal Mostafa
` (23 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Li RongQing, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Li RongQing <roy.qing.li@gmail.com>
[ Upstream commit 916c1689a09bc1ca81f2d7a34876f8d35aadd11b ]
skb_cow called in vlan_reorder_header does not free the skb when it failed,
and vlan_reorder_header returns NULL to reset original skb when it is called
in vlan_untag, lead to a memory leak.
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/8021q/vlan_core.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c
index 6ee48aa..7e57135 100644
--- a/net/8021q/vlan_core.c
+++ b/net/8021q/vlan_core.c
@@ -108,8 +108,11 @@ EXPORT_SYMBOL(vlan_dev_vlan_id);
static struct sk_buff *vlan_reorder_header(struct sk_buff *skb)
{
- if (skb_cow(skb, skb_headroom(skb)) < 0)
+ if (skb_cow(skb, skb_headroom(skb)) < 0) {
+ kfree_skb(skb);
return NULL;
+ }
+
memmove(skb->data - ETH_HLEN, skb->data - VLAN_ETH_HLEN, 2 * ETH_ALEN);
skb->mac_header += VLAN_HLEN;
return skb;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 236/259] net: huawei_cdc_ncm: increase command buffer size
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (234 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 235/259] 8021q: fix a potential memory leak Kamal Mostafa
@ 2014-08-08 20:40 ` Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 237/259] ipv4: fix dst race in sk_dst_get() Kamal Mostafa
` (22 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:40 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Enrico Mioso, Bjørn Mork, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
[ Upstream commit 3acc74619b0175b7a154cf8dc54813f6faf97aa9 ]
Messages from the modem exceeding 256 bytes cause communication
failure.
The WDM protocol is strictly "read on demand", meaning that we only
poll for unread data after receiving a notification from the modem.
Since we have no way to know how much data the modem has to send,
we must make sure that the buffer we provide is "big enough".
Message truncation does not work. Truncated messages are left unread
until the modem has another message to send. Which often won't
happen until the userspace application has given up waiting for the
final part of the last message, and therefore sends another command.
With a proper CDC WDM function there is a descriptor telling us
which buffer size the modem uses. But with this vendor specific
implementation there is no known way to calculate the exact "big
enough" number. It is an unknown property of the modem firmware.
Experience has shown that 256 is too small. The discussion of
this failure ended up concluding that 512 might be too small as
well. So 1024 seems like a reasonable value for now.
Fixes: 41c47d8cfd68 ("net: huawei_cdc_ncm: Introduce the huawei_cdc_ncm driver")
Cc: Enrico Mioso <mrkiko.rs@gmail.com>
Reported-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Acked-By: Enrico Mioso <mrkiko.rs@gmail.com>
Tested-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/usb/huawei_cdc_ncm.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/net/usb/huawei_cdc_ncm.c b/drivers/net/usb/huawei_cdc_ncm.c
index 312178d..75d9ee4 100644
--- a/drivers/net/usb/huawei_cdc_ncm.c
+++ b/drivers/net/usb/huawei_cdc_ncm.c
@@ -84,12 +84,13 @@ static int huawei_cdc_ncm_bind(struct usbnet *usbnet_dev,
ctx = drvstate->ctx;
if (usbnet_dev->status)
- /* CDC-WMC r1.1 requires wMaxCommand to be "at least 256
- * decimal (0x100)"
+ /* The wMaxCommand buffer must be big enough to hold
+ * any message from the modem. Experience has shown
+ * that some replies are more than 256 bytes long
*/
subdriver = usb_cdc_wdm_register(ctx->control,
&usbnet_dev->status->desc,
- 256, /* wMaxCommand */
+ 1024, /* wMaxCommand */
huawei_cdc_ncm_wdm_manage_power);
if (IS_ERR(subdriver)) {
ret = PTR_ERR(subdriver);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 237/259] ipv4: fix dst race in sk_dst_get()
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (235 preceding siblings ...)
2014-08-08 20:40 ` [PATCH 3.13 236/259] net: huawei_cdc_ncm: increase command buffer size Kamal Mostafa
@ 2014-08-08 20:41 ` Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 238/259] ipv4: irq safe sk_dst_[re]set() and ipv4_sk_update_pmtu() fix Kamal Mostafa
` (21 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:41 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Eric Dumazet, David S. Miller, Luis Henriques, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit f88649721268999bdff09777847080a52004f691 upstream.
When IP route cache had been removed in linux-3.6, we broke assumption
that dst entries were all freed after rcu grace period. DST_NOCACHE
dst were supposed to be freed from dst_release(). But it appears
we want to keep such dst around, either in UDP sockets or tunnels.
In sk_dst_get() we need to make sure dst refcount is not 0
before incrementing it, or else we might end up freeing a dst
twice.
DST_NOCACHE set on a dst does not mean this dst can not be attached
to a socket or a tunnel.
Then, before actual freeing, we need to observe a rcu grace period
to make sure all other cpus can catch the fact the dst is no longer
usable.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dormando <dormando@rydia.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[ luis: backported to 3.11: used davem's backport to 3.10 ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
include/net/sock.h | 4 ++--
net/core/dst.c | 16 +++++++++++-----
2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/include/net/sock.h b/include/net/sock.h
index ca1aeeb..e7ad8ac 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -1743,8 +1743,8 @@ sk_dst_get(struct sock *sk)
rcu_read_lock();
dst = rcu_dereference(sk->sk_dst_cache);
- if (dst)
- dst_hold(dst);
+ if (dst && !atomic_inc_not_zero(&dst->__refcnt))
+ dst = NULL;
rcu_read_unlock();
return dst;
}
diff --git a/net/core/dst.c b/net/core/dst.c
index ca4231e..15b6792 100644
--- a/net/core/dst.c
+++ b/net/core/dst.c
@@ -267,6 +267,15 @@ again:
}
EXPORT_SYMBOL(dst_destroy);
+static void dst_destroy_rcu(struct rcu_head *head)
+{
+ struct dst_entry *dst = container_of(head, struct dst_entry, rcu_head);
+
+ dst = dst_destroy(dst);
+ if (dst)
+ __dst_free(dst);
+}
+
void dst_release(struct dst_entry *dst)
{
if (dst) {
@@ -274,11 +283,8 @@ void dst_release(struct dst_entry *dst)
newrefcnt = atomic_dec_return(&dst->__refcnt);
WARN_ON(newrefcnt < 0);
- if (unlikely(dst->flags & DST_NOCACHE) && !newrefcnt) {
- dst = dst_destroy(dst);
- if (dst)
- __dst_free(dst);
- }
+ if (unlikely(dst->flags & DST_NOCACHE) && !newrefcnt)
+ call_rcu(&dst->rcu_head, dst_destroy_rcu);
}
}
EXPORT_SYMBOL(dst_release);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 238/259] ipv4: irq safe sk_dst_[re]set() and ipv4_sk_update_pmtu() fix
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (236 preceding siblings ...)
2014-08-08 20:41 ` [PATCH 3.13 237/259] ipv4: fix dst race in sk_dst_get() Kamal Mostafa
@ 2014-08-08 20:41 ` Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 239/259] net: fix sparse warning in sk_dst_set() Kamal Mostafa
` (20 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:41 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Eric Dumazet, Steffen Klassert, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 7f502361531e9eecb396cf99bdc9e9a59f7ebd7f ]
We have two different ways to handle changes to sk->sk_dst
First way (used by TCP) assumes socket lock is owned by caller, and use
no extra lock : __sk_dst_set() & __sk_dst_reset()
Another way (used by UDP) uses sk_dst_lock because socket lock is not
always taken. Note that sk_dst_lock is not softirq safe.
These ways are not inter changeable for a given socket type.
ipv4_sk_update_pmtu(), added in linux-3.8, added a race, as it used
the socket lock as synchronization, but users might be UDP sockets.
Instead of converting sk_dst_lock to a softirq safe version, use xchg()
as we did for sk_rx_dst in commit e47eb5dfb296b ("udp: ipv4: do not use
sk_dst_lock from softirq context")
In a follow up patch, we probably can remove sk_dst_lock, as it is
only used in IPv6.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Fixes: 9cb3a50c5f63e ("ipv4: Invalidate the socket cached route on pmtu events if possible")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
include/net/sock.h | 12 ++++++------
net/ipv4/route.c | 15 ++++++++-------
2 files changed, 14 insertions(+), 13 deletions(-)
diff --git a/include/net/sock.h b/include/net/sock.h
index e7ad8ac..f901631 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -1781,9 +1781,11 @@ __sk_dst_set(struct sock *sk, struct dst_entry *dst)
static inline void
sk_dst_set(struct sock *sk, struct dst_entry *dst)
{
- spin_lock(&sk->sk_dst_lock);
- __sk_dst_set(sk, dst);
- spin_unlock(&sk->sk_dst_lock);
+ struct dst_entry *old_dst;
+
+ sk_tx_queue_clear(sk);
+ old_dst = xchg(&sk->sk_dst_cache, dst);
+ dst_release(old_dst);
}
static inline void
@@ -1795,9 +1797,7 @@ __sk_dst_reset(struct sock *sk)
static inline void
sk_dst_reset(struct sock *sk)
{
- spin_lock(&sk->sk_dst_lock);
- __sk_dst_reset(sk);
- spin_unlock(&sk->sk_dst_lock);
+ sk_dst_set(sk, NULL);
}
struct dst_entry *__sk_dst_check(struct sock *sk, u32 cookie);
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index a25c6e7..566bfa5 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1032,7 +1032,7 @@ void ipv4_sk_update_pmtu(struct sk_buff *skb, struct sock *sk, u32 mtu)
const struct iphdr *iph = (const struct iphdr *) skb->data;
struct flowi4 fl4;
struct rtable *rt;
- struct dst_entry *dst;
+ struct dst_entry *odst = NULL;
bool new = false;
bh_lock_sock(sk);
@@ -1040,16 +1040,17 @@ void ipv4_sk_update_pmtu(struct sk_buff *skb, struct sock *sk, u32 mtu)
if (!ip_sk_accept_pmtu(sk))
goto out;
- rt = (struct rtable *) __sk_dst_get(sk);
+ odst = sk_dst_get(sk);
- if (sock_owned_by_user(sk) || !rt) {
+ if (sock_owned_by_user(sk) || !odst) {
__ipv4_sk_update_pmtu(skb, sk, mtu);
goto out;
}
__build_flow_key(&fl4, sk, iph, 0, 0, 0, 0, 0);
- if (!__sk_dst_check(sk, 0)) {
+ rt = (struct rtable *)odst;
+ if (odst->obsolete && odst->ops->check(odst, 0) == NULL) {
rt = ip_route_output_flow(sock_net(sk), &fl4, sk);
if (IS_ERR(rt))
goto out;
@@ -1059,8 +1060,7 @@ void ipv4_sk_update_pmtu(struct sk_buff *skb, struct sock *sk, u32 mtu)
__ip_rt_update_pmtu((struct rtable *) rt->dst.path, &fl4, mtu);
- dst = dst_check(&rt->dst, 0);
- if (!dst) {
+ if (!dst_check(&rt->dst, 0)) {
if (new)
dst_release(&rt->dst);
@@ -1072,10 +1072,11 @@ void ipv4_sk_update_pmtu(struct sk_buff *skb, struct sock *sk, u32 mtu)
}
if (new)
- __sk_dst_set(sk, &rt->dst);
+ sk_dst_set(sk, &rt->dst);
out:
bh_unlock_sock(sk);
+ dst_release(odst);
}
EXPORT_SYMBOL_GPL(ipv4_sk_update_pmtu);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 239/259] net: fix sparse warning in sk_dst_set()
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (237 preceding siblings ...)
2014-08-08 20:41 ` [PATCH 3.13 238/259] ipv4: irq safe sk_dst_[re]set() and ipv4_sk_update_pmtu() fix Kamal Mostafa
@ 2014-08-08 20:41 ` Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 240/259] vlan: free percpu stats in device destructor Kamal Mostafa
` (19 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:41 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Eric Dumazet, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 5925a0555bdaf0b396a84318cbc21ba085f6c0d3 ]
sk_dst_cache has __rcu annotation, so we need a cast to avoid
following sparse error :
include/net/sock.h:1774:19: warning: incorrect type in initializer (different address spaces)
include/net/sock.h:1774:19: expected struct dst_entry [noderef] <asn:4>*__ret
include/net/sock.h:1774:19: got struct dst_entry *dst
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: kbuild test robot <fengguang.wu@intel.com>
Fixes: 7f502361531e ("ipv4: irq safe sk_dst_[re]set() and ipv4_sk_update_pmtu() fix")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
include/net/sock.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/net/sock.h b/include/net/sock.h
index f901631..4d64744 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -1784,7 +1784,7 @@ sk_dst_set(struct sock *sk, struct dst_entry *dst)
struct dst_entry *old_dst;
sk_tx_queue_clear(sk);
- old_dst = xchg(&sk->sk_dst_cache, dst);
+ old_dst = xchg((__force struct dst_entry **)&sk->sk_dst_cache, dst);
dst_release(old_dst);
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 240/259] vlan: free percpu stats in device destructor
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (238 preceding siblings ...)
2014-08-08 20:41 ` [PATCH 3.13 239/259] net: fix sparse warning in sk_dst_set() Kamal Mostafa
@ 2014-08-08 20:41 ` Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 241/259] bnx2x: fix possible panic under memory stress Kamal Mostafa
` (18 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:41 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Eric Dumazet, Li RongQing, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit a48e5fafecfb9c0c807d7e7284b5ff884dfb7a3a ]
Madalin-Cristian reported crashs happening after a recent commit
(5a4ae5f6e7d4 "vlan: unnecessary to check if vlan_pcpu_stats is NULL")
-----------------------------------------------------------------------
root@p5040ds:~# vconfig add eth8 1
root@p5040ds:~# vconfig rem eth8.1
Unable to handle kernel paging request for data at address 0x2bc88028
Faulting instruction address: 0xc058e950
Oops: Kernel access of bad area, sig: 11 [#1]
SMP NR_CPUS=8 CoreNet Generic
Modules linked in:
CPU: 3 PID: 2167 Comm: vconfig Tainted: G W 3.16.0-rc3-00346-g65e85bf #2
task: e7264d90 ti: e2c2c000 task.ti: e2c2c000
NIP: c058e950 LR: c058ea30 CTR: c058e900
REGS: e2c2db20 TRAP: 0300 Tainted: G W (3.16.0-rc3-00346-g65e85bf)
MSR: 00029002 <CE,EE,ME> CR: 48000428 XER: 20000000
DEAR: 2bc88028 ESR: 00000000
GPR00: c047299c e2c2dbd0 e7264d90 00000000 2bc88000 00000000 ffffffff 00000000
GPR08: 0000000f 00000000 000000ff 00000000 28000422 10121928 10100000 10100000
GPR16: 10100000 00000000 c07c5968 00000000 00000000 00000000 e2c2dc48 e7838000
GPR24: c07c5bac c07c58a8 e77290cc c07b0000 00000000 c05de6c0 e7838000 e2c2dc48
NIP [c058e950] vlan_dev_get_stats64+0x50/0x170
LR [c058ea30] vlan_dev_get_stats64+0x130/0x170
Call Trace:
[e2c2dbd0] [ffffffea] 0xffffffea (unreliable)
[e2c2dc20] [c047299c] dev_get_stats+0x4c/0x140
[e2c2dc40] [c0488ca8] rtnl_fill_ifinfo+0x3d8/0x960
[e2c2dd70] [c0489f4c] rtmsg_ifinfo+0x6c/0x110
[e2c2dd90] [c04731d4] rollback_registered_many+0x344/0x3b0
[e2c2ddd0] [c047332c] rollback_registered+0x2c/0x50
[e2c2ddf0] [c0476058] unregister_netdevice_queue+0x78/0xf0
[e2c2de00] [c058d800] unregister_vlan_dev+0xc0/0x160
[e2c2de20] [c058e360] vlan_ioctl_handler+0x1c0/0x550
[e2c2de90] [c045d11c] sock_ioctl+0x28c/0x2f0
[e2c2deb0] [c010d070] do_vfs_ioctl+0x90/0x7b0
[e2c2df20] [c010d7d0] SyS_ioctl+0x40/0x80
[e2c2df40] [c000f924] ret_from_syscall+0x0/0x3c
Fix this problem by freeing percpu stats from dev->destructor() instead
of ndo_uninit()
Reported-by: Madalin-Cristian Bucur <madalin.bucur@freescale.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Tested-by: Madalin-Cristian Bucur <madalin.bucur@freescale.com>
Fixes: 5a4ae5f6e7d4 ("vlan: unnecessary to check if vlan_pcpu_stats is NULL")
Cc: Li RongQing <roy.qing.li@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/8021q/vlan_dev.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index 731ede4..df13d18 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -632,8 +632,6 @@ static void vlan_dev_uninit(struct net_device *dev)
struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
int i;
- free_percpu(vlan->vlan_pcpu_stats);
- vlan->vlan_pcpu_stats = NULL;
for (i = 0; i < ARRAY_SIZE(vlan->egress_priority_map); i++) {
while ((pm = vlan->egress_priority_map[i]) != NULL) {
vlan->egress_priority_map[i] = pm->next;
@@ -793,6 +791,15 @@ static const struct net_device_ops vlan_netdev_ops = {
.ndo_get_lock_subclass = vlan_dev_get_lock_subclass,
};
+static void vlan_dev_free(struct net_device *dev)
+{
+ struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
+
+ free_percpu(vlan->vlan_pcpu_stats);
+ vlan->vlan_pcpu_stats = NULL;
+ free_netdev(dev);
+}
+
void vlan_setup(struct net_device *dev)
{
ether_setup(dev);
@@ -802,7 +809,7 @@ void vlan_setup(struct net_device *dev)
dev->tx_queue_len = 0;
dev->netdev_ops = &vlan_netdev_ops;
- dev->destructor = free_netdev;
+ dev->destructor = vlan_dev_free;
dev->ethtool_ops = &vlan_ethtool_ops;
memset(dev->broadcast, 0, ETH_ALEN);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 241/259] bnx2x: fix possible panic under memory stress
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (239 preceding siblings ...)
2014-08-08 20:41 ` [PATCH 3.13 240/259] vlan: free percpu stats in device destructor Kamal Mostafa
@ 2014-08-08 20:41 ` Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 242/259] tcp: Fix divide by zero when pushing during tcp-repair Kamal Mostafa
` (17 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:41 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Eric Dumazet, Ariel Elior, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 07b0f00964def8af9321cfd6c4a7e84f6362f728 ]
While it is legal to kfree(NULL), it is not wise to use :
put_page(virt_to_head_page(NULL))
BUG: unable to handle kernel paging request at ffffeba400000000
IP: [<ffffffffc01f5928>] virt_to_head_page+0x36/0x44 [bnx2x]
Reported-by: Michel Lespinasse <walken@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ariel Elior <ariel.elior@qlogic.com>
Fixes: d46d132cc021 ("bnx2x: use netdev_alloc_frag()")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
index bf81156..db7654a 100644
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
@@ -755,7 +755,8 @@ static void bnx2x_tpa_stop(struct bnx2x *bp, struct bnx2x_fastpath *fp,
return;
}
- bnx2x_frag_free(fp, new_data);
+ if (new_data)
+ bnx2x_frag_free(fp, new_data);
drop:
/* drop the packet and keep the buffer in the bin */
DP(NETIF_MSG_RX_STATUS,
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 242/259] tcp: Fix divide by zero when pushing during tcp-repair
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (240 preceding siblings ...)
2014-08-08 20:41 ` [PATCH 3.13 241/259] bnx2x: fix possible panic under memory stress Kamal Mostafa
@ 2014-08-08 20:41 ` Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 243/259] ipv4: icmp: Fix pMTU handling for rare case Kamal Mostafa
` (16 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:41 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Andrew Vagin, Pavel Emelyanov, Christoph Paasch, David S. Miller,
Luis Henriques, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Paasch <christoph.paasch@uclouvain.be>
commit 5924f17a8a30c2ae18d034a86ee7581b34accef6 upstream.
When in repair-mode and TCP_RECV_QUEUE is set, we end up calling
tcp_push with mss_now being 0. If data is in the send-queue and
tcp_set_skb_tso_segs gets called, we crash because it will divide by
mss_now:
[ 347.151939] divide error: 0000 [#1] SMP
[ 347.152907] Modules linked in:
[ 347.152907] CPU: 1 PID: 1123 Comm: packetdrill Not tainted 3.16.0-rc2 #4
[ 347.152907] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
[ 347.152907] task: f5b88540 ti: f3c82000 task.ti: f3c82000
[ 347.152907] EIP: 0060:[<c1601359>] EFLAGS: 00210246 CPU: 1
[ 347.152907] EIP is at tcp_set_skb_tso_segs+0x49/0xa0
[ 347.152907] EAX: 00000b67 EBX: f5acd080 ECX: 00000000 EDX: 00000000
[ 347.152907] ESI: f5a28f40 EDI: f3c88f00 EBP: f3c83d10 ESP: f3c83d00
[ 347.152907] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[ 347.152907] CR0: 80050033 CR2: 083158b0 CR3: 35146000 CR4: 000006b0
[ 347.152907] Stack:
[ 347.152907] c167f9d9 f5acd080 000005b4 00000002 f3c83d20 c16013e6 f3c88f00 f5acd080
[ 347.152907] f3c83da0 c1603b5a f3c83d38 c10a0188 00000000 00000000 f3c83d84 c10acc85
[ 347.152907] c1ad5ec0 00000000 00000000 c1ad679c 010003e0 00000000 00000000 f3c88fc8
[ 347.152907] Call Trace:
[ 347.152907] [<c167f9d9>] ? apic_timer_interrupt+0x2d/0x34
[ 347.152907] [<c16013e6>] tcp_init_tso_segs+0x36/0x50
[ 347.152907] [<c1603b5a>] tcp_write_xmit+0x7a/0xbf0
[ 347.152907] [<c10a0188>] ? up+0x28/0x40
[ 347.152907] [<c10acc85>] ? console_unlock+0x295/0x480
[ 347.152907] [<c10ad24f>] ? vprintk_emit+0x1ef/0x4b0
[ 347.152907] [<c1605716>] __tcp_push_pending_frames+0x36/0xd0
[ 347.152907] [<c15f4860>] tcp_push+0xf0/0x120
[ 347.152907] [<c15f7641>] tcp_sendmsg+0xf1/0xbf0
[ 347.152907] [<c116d920>] ? kmem_cache_free+0xf0/0x120
[ 347.152907] [<c106a682>] ? __sigqueue_free+0x32/0x40
[ 347.152907] [<c106a682>] ? __sigqueue_free+0x32/0x40
[ 347.152907] [<c114f0f0>] ? do_wp_page+0x3e0/0x850
[ 347.152907] [<c161c36a>] inet_sendmsg+0x4a/0xb0
[ 347.152907] [<c1150269>] ? handle_mm_fault+0x709/0xfb0
[ 347.152907] [<c15a006b>] sock_aio_write+0xbb/0xd0
[ 347.152907] [<c1180b79>] do_sync_write+0x69/0xa0
[ 347.152907] [<c1181023>] vfs_write+0x123/0x160
[ 347.152907] [<c1181d55>] SyS_write+0x55/0xb0
[ 347.152907] [<c167f0d8>] sysenter_do_call+0x12/0x28
This can easily be reproduced with the following packetdrill-script (the
"magic" with netem, sk_pacing and limit_output_bytes is done to prevent
the kernel from pushing all segments, because hitting the limit without
doing this is not so easy with packetdrill):
0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
+0 bind(3, ..., ...) = 0
+0 listen(3, 1) = 0
+0 < S 0:0(0) win 32792 <mss 1460>
+0 > S. 0:0(0) ack 1 <mss 1460>
+0.1 < . 1:1(0) ack 1 win 65000
+0 accept(3, ..., ...) = 4
// This forces that not all segments of the snd-queue will be pushed
+0 `tc qdisc add dev tun0 root netem delay 10ms`
+0 `sysctl -w net.ipv4.tcp_limit_output_bytes=2`
+0 setsockopt(4, SOL_SOCKET, 47, [2], 4) = 0
+0 write(4,...,10000) = 10000
+0 write(4,...,10000) = 10000
// Set tcp-repair stuff, particularly TCP_RECV_QUEUE
+0 setsockopt(4, SOL_TCP, 19, [1], 4) = 0
+0 setsockopt(4, SOL_TCP, 20, [1], 4) = 0
// This now will make the write push the remaining segments
+0 setsockopt(4, SOL_SOCKET, 47, [20000], 4) = 0
+0 `sysctl -w net.ipv4.tcp_limit_output_bytes=130000`
// Now we will crash
+0 write(4,...,1000) = 1000
This happens since ec3423257508 (tcp: fix retransmission in repair
mode). Prior to that, the call to tcp_push was prevented by a check for
tp->repair.
The patch fixes it, by adding the new goto-label out_nopush. When exiting
tcp_sendmsg and a push is not required, which is the case for tp->repair,
we go to this label.
When repairing and calling send() with TCP_RECV_QUEUE, the data is
actually put in the receive-queue. So, no push is required because no
data has been added to the send-queue.
Cc: Andrew Vagin <avagin@openvz.org>
Cc: Pavel Emelyanov <xemul@parallels.com>
Fixes: ec3423257508 (tcp: fix retransmission in repair mode)
Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
Acked-by: Andrew Vagin <avagin@openvz.org>
Acked-by: Pavel Emelyanov <xemul@parallels.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/ipv4/tcp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 00b9b27..c200b34 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1066,7 +1066,7 @@ int tcp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
if (unlikely(tp->repair)) {
if (tp->repair_queue == TCP_RECV_QUEUE) {
copied = tcp_send_rcvq(sk, msg, size);
- goto out;
+ goto out_nopush;
}
err = -EINVAL;
@@ -1239,6 +1239,7 @@ wait_for_memory:
out:
if (copied)
tcp_push(sk, flags, mss_now, tp->nonagle);
+out_nopush:
release_sock(sk);
return copied + copied_syn;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 243/259] ipv4: icmp: Fix pMTU handling for rare case
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (241 preceding siblings ...)
2014-08-08 20:41 ` [PATCH 3.13 242/259] tcp: Fix divide by zero when pushing during tcp-repair Kamal Mostafa
@ 2014-08-08 20:41 ` Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 244/259] net: qmi_wwan: Add ID for Telewell TW-LTE 4G v2 Kamal Mostafa
` (15 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:41 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Edward Allcutt, David S. Miller, Luis Henriques, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Allcutt <edward.allcutt@openmarket.com>
commit 68b7107b62983f2cff0948292429d5f5999df096 upstream.
Some older router implementations still send Fragmentation Needed
errors with the Next-Hop MTU field set to zero. This is explicitly
described as an eventuality that hosts must deal with by the
standard (RFC 1191) since older standards specified that those
bits must be zero.
Linux had a generic (for all of IPv4) implementation of the algorithm
described in the RFC for searching a list of MTU plateaus for a good
value. Commit 46517008e116 ("ipv4: Kill ip_rt_frag_needed().")
removed this as part of the changes to remove the routing cache.
Subsequently any Fragmentation Needed packet with a zero Next-Hop
MTU has been discarded without being passed to the per-protocol
handlers or notifying userspace for raw sockets.
When there is a router which does not implement RFC 1191 on an
MTU limited path then this results in stalled connections since
large packets are discarded and the local protocols are not
notified so they never attempt to lower the pMTU.
One example I have seen is an OpenBSD router terminating IPSec
tunnels. It's worth pointing out that this case is distinct from
the BSD 4.2 bug which incorrectly calculated the Next-Hop MTU
since the commit in question dismissed that as a valid concern.
All of the per-protocols handlers implement the simple approach from
RFC 1191 of immediately falling back to the minimum value. Although
this is sub-optimal it is vastly preferable to connections hanging
indefinitely.
Remove the Next-Hop MTU != 0 check and allow such packets
to follow the normal path.
Fixes: 46517008e116 ("ipv4: Kill ip_rt_frag_needed().")
Signed-off-by: Edward Allcutt <edward.allcutt@openmarket.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/ipv4/icmp.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index 5c0e8bc..dfe19f2 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -710,8 +710,6 @@ static void icmp_unreach(struct sk_buff *skb)
&iph->daddr);
} else {
info = ntohs(icmph->un.frag.mtu);
- if (!info)
- goto out;
}
break;
case ICMP_SR_FAILED:
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 244/259] net: qmi_wwan: Add ID for Telewell TW-LTE 4G v2
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (242 preceding siblings ...)
2014-08-08 20:41 ` [PATCH 3.13 243/259] ipv4: icmp: Fix pMTU handling for rare case Kamal Mostafa
@ 2014-08-08 20:41 ` Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 245/259] net: qmi_wwan: add two Sierra Wireless/Netgear devices Kamal Mostafa
` (14 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:41 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Bernd Wachter, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Bernd Wachter <bernd.wachter@jolla.com>
[ Upstream commit 8dcb4b1526747d8431f9895e153dd478c9d16186 ]
There's a new version of the Telewell 4G modem working with, but not
recognized by this driver.
Signed-off-by: Bernd Wachter <bernd.wachter@jolla.com>
Acked-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/usb/qmi_wwan.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
index 841157f..f415957 100644
--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -733,6 +733,7 @@ static const struct usb_device_id products[] = {
{QMI_FIXED_INTF(0x19d2, 0x1424, 2)},
{QMI_FIXED_INTF(0x19d2, 0x1425, 2)},
{QMI_FIXED_INTF(0x19d2, 0x1426, 2)}, /* ZTE MF91 */
+ {QMI_FIXED_INTF(0x19d2, 0x1428, 2)}, /* Telewell TW-LTE 4G v2 */
{QMI_FIXED_INTF(0x19d2, 0x2002, 4)}, /* ZTE (Vodafone) K3765-Z */
{QMI_FIXED_INTF(0x0f3d, 0x68a2, 8)}, /* Sierra Wireless MC7700 */
{QMI_FIXED_INTF(0x114f, 0x68a2, 8)}, /* Sierra Wireless MC7750 */
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 245/259] net: qmi_wwan: add two Sierra Wireless/Netgear devices
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (243 preceding siblings ...)
2014-08-08 20:41 ` [PATCH 3.13 244/259] net: qmi_wwan: Add ID for Telewell TW-LTE 4G v2 Kamal Mostafa
@ 2014-08-08 20:41 ` Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 246/259] net: Fix NETDEV_CHANGE notifier usage causing spurious arp flush Kamal Mostafa
` (13 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:41 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Bjørn Mork, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
[ Upstream commit 5343330010a892b76a97fd93ad3c455a4a32a7fb ]
Add two device IDs found in an out-of-tree driver downloadable
from Netgear.
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/usb/qmi_wwan.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
index f415957..bfcd241 100644
--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -660,6 +660,7 @@ static const struct usb_device_id products[] = {
{QMI_FIXED_INTF(0x05c6, 0x9084, 4)},
{QMI_FIXED_INTF(0x05c6, 0x920d, 0)},
{QMI_FIXED_INTF(0x05c6, 0x920d, 5)},
+ {QMI_FIXED_INTF(0x0846, 0x68a2, 8)},
{QMI_FIXED_INTF(0x12d1, 0x140c, 1)}, /* Huawei E173 */
{QMI_FIXED_INTF(0x12d1, 0x14ac, 1)}, /* Huawei E1820 */
{QMI_FIXED_INTF(0x16d8, 0x6003, 0)}, /* CMOTech 6003 */
@@ -746,6 +747,7 @@ static const struct usb_device_id products[] = {
{QMI_FIXED_INTF(0x1199, 0x901f, 8)}, /* Sierra Wireless EM7355 */
{QMI_FIXED_INTF(0x1199, 0x9041, 8)}, /* Sierra Wireless MC7305/MC7355 */
{QMI_FIXED_INTF(0x1199, 0x9051, 8)}, /* Netgear AirCard 340U */
+ {QMI_FIXED_INTF(0x1199, 0x9057, 8)},
{QMI_FIXED_INTF(0x1bbb, 0x011e, 4)}, /* Telekom Speedstick LTE II (Alcatel One Touch L100V LTE) */
{QMI_FIXED_INTF(0x1bbb, 0x0203, 2)}, /* Alcatel L800MA */
{QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 246/259] net: Fix NETDEV_CHANGE notifier usage causing spurious arp flush
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (244 preceding siblings ...)
2014-08-08 20:41 ` [PATCH 3.13 245/259] net: qmi_wwan: add two Sierra Wireless/Netgear devices Kamal Mostafa
@ 2014-08-08 20:41 ` Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 247/259] igmp: fix the problem when mc leave group Kamal Mostafa
` (12 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:41 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Loic Prylli, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Loic Prylli <loicp@google.com>
[ Upstream commit 54951194656e4853e441266fd095f880bc0398f3 ]
A bug was introduced in NETDEV_CHANGE notifier sequence causing the
arp table to be sometimes spuriously cleared (including manual arp
entries marked permanent), upon network link carrier changes.
The changed argument for the notifier was applied only to a single
caller of NETDEV_CHANGE, missing among others netdev_state_change().
So upon net_carrier events induced by the network, which are
triggering a call to netdev_state_change(), arp_netdev_event() would
decide whether to clear or not arp cache based on random/junk stack
values (a kind of read buffer overflow).
Fixes: be9efd365328 ("net: pass changed flags along with NETDEV_CHANGE event")
Fixes: 6c8b4e3ff81b ("arp: flush arp cache on IFF_NOARP change")
Signed-off-by: Loic Prylli <loicp@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[ kamal: backport to 3.13-stable from David's 3.14 port
(call_netdevice_notifiers_info is not static) ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/core/dev.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/core/dev.c b/net/core/dev.c
index 9e8b117..e61bda3 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1203,7 +1203,11 @@ EXPORT_SYMBOL(netdev_features_change);
void netdev_state_change(struct net_device *dev)
{
if (dev->flags & IFF_UP) {
- call_netdevice_notifiers(NETDEV_CHANGE, dev);
+ struct netdev_notifier_change_info change_info;
+
+ change_info.flags_changed = 0;
+ call_netdevice_notifiers_info(NETDEV_CHANGE, dev,
+ &change_info.info);
rtmsg_ifinfo(RTM_NEWLINK, dev, 0, GFP_KERNEL);
}
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 247/259] igmp: fix the problem when mc leave group
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (245 preceding siblings ...)
2014-08-08 20:41 ` [PATCH 3.13 246/259] net: Fix NETDEV_CHANGE notifier usage causing spurious arp flush Kamal Mostafa
@ 2014-08-08 20:41 ` Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 248/259] tcp: fix false undo corner cases Kamal Mostafa
` (11 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:41 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Ding Tianhong, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: dingtianhong <dingtianhong@huawei.com>
[ Upstream commit 52ad353a5344f1f700c5b777175bdfa41d3cd65a ]
The problem was triggered by these steps:
1) create socket, bind and then setsockopt for add mc group.
mreq.imr_multiaddr.s_addr = inet_addr("255.0.0.37");
mreq.imr_interface.s_addr = inet_addr("192.168.1.2");
setsockopt(sockfd, IPPROTO_IP, IP_ADD_MEMBERSHIP, &mreq, sizeof(mreq));
2) drop the mc group for this socket.
mreq.imr_multiaddr.s_addr = inet_addr("255.0.0.37");
mreq.imr_interface.s_addr = inet_addr("0.0.0.0");
setsockopt(sockfd, IPPROTO_IP, IP_DROP_MEMBERSHIP, &mreq, sizeof(mreq));
3) and then drop the socket, I found the mc group was still used by the dev:
netstat -g
Interface RefCnt Group
--------------- ------ ---------------------
eth2 1 255.0.0.37
Normally even though the IP_DROP_MEMBERSHIP return error, the mc group still need
to be released for the netdev when drop the socket, but this process was broken when
route default is NULL, the reason is that:
The ip_mc_leave_group() will choose the in_dev by the imr_interface.s_addr, if input addr
is NULL, the default route dev will be chosen, then the ifindex is got from the dev,
then polling the inet->mc_list and return -ENODEV, but if the default route dev is NULL,
the in_dev and ifIndex is both NULL, when polling the inet->mc_list, the mc group will be
released from the mc_list, but the dev didn't dec the refcnt for this mc group, so
when dropping the socket, the mc_list is NULL and the dev still keep this group.
v1->v2: According Hideaki's suggestion, we should align with IPv6 (RFC3493) and BSDs,
so I add the checking for the in_dev before polling the mc_list, make sure when
we remove the mc group, dec the refcnt to the real dev which was using the mc address.
The problem would never happened again.
Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/ipv4/igmp.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index 7defdc9..9fa5c09 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -1952,6 +1952,10 @@ int ip_mc_leave_group(struct sock *sk, struct ip_mreqn *imr)
rtnl_lock();
in_dev = ip_mc_find_dev(net, imr);
+ if (!in_dev) {
+ ret = -ENODEV;
+ goto out;
+ }
ifindex = imr->imr_ifindex;
for (imlp = &inet->mc_list;
(iml = rtnl_dereference(*imlp)) != NULL;
@@ -1969,16 +1973,14 @@ int ip_mc_leave_group(struct sock *sk, struct ip_mreqn *imr)
*imlp = iml->next_rcu;
- if (in_dev)
- ip_mc_dec_group(in_dev, group);
+ ip_mc_dec_group(in_dev, group);
rtnl_unlock();
/* decrease mem now to avoid the memleak warning */
atomic_sub(sizeof(*iml), &sk->sk_omem_alloc);
kfree_rcu(iml, rcu);
return 0;
}
- if (!in_dev)
- ret = -ENODEV;
+out:
rtnl_unlock();
return ret;
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 248/259] tcp: fix false undo corner cases
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (246 preceding siblings ...)
2014-08-08 20:41 ` [PATCH 3.13 247/259] igmp: fix the problem when mc leave group Kamal Mostafa
@ 2014-08-08 20:41 ` Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 249/259] appletalk: Fix socket referencing in skb Kamal Mostafa
` (10 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:41 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Yuchung Cheng, Neal Cardwell, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuchung Cheng <ycheng@google.com>
[ Upstream commit 6e08d5e3c8236e7484229e46fdf92006e1dd4c49 ]
The undo code assumes that, upon entering loss recovery, TCP
1) always retransmit something
2) the retransmission never fails locally (e.g., qdisc drop)
so undo_marker is set in tcp_enter_recovery() and undo_retrans is
incremented only when tcp_retransmit_skb() is successful.
When the assumption is broken because TCP's cwnd is too small to
retransmit or the retransmit fails locally. The next (DUP)ACK
would incorrectly revert the cwnd and the congestion state in
tcp_try_undo_dsack() or tcp_may_undo(). Subsequent (DUP)ACKs
may enter the recovery state. The sender repeatedly enter and
(incorrectly) exit recovery states if the retransmits continue to
fail locally while receiving (DUP)ACKs.
The fix is to initialize undo_retrans to -1 and start counting on
the first retransmission. Always increment undo_retrans even if the
retransmissions fail locally because they couldn't cause DSACKs to
undo the cwnd reduction.
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/ipv4/tcp_input.c | 8 ++++----
net/ipv4/tcp_output.c | 6 ++++--
2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index a8827e7..53d60b4 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -1111,7 +1111,7 @@ static bool tcp_check_dsack(struct sock *sk, const struct sk_buff *ack_skb,
}
/* D-SACK for already forgotten data... Do dumb counting. */
- if (dup_sack && tp->undo_marker && tp->undo_retrans &&
+ if (dup_sack && tp->undo_marker && tp->undo_retrans > 0 &&
!after(end_seq_0, prior_snd_una) &&
after(end_seq_0, tp->undo_marker))
tp->undo_retrans--;
@@ -1191,7 +1191,7 @@ static u8 tcp_sacktag_one(struct sock *sk,
/* Account D-SACK for retransmitted packet. */
if (dup_sack && (sacked & TCPCB_RETRANS)) {
- if (tp->undo_marker && tp->undo_retrans &&
+ if (tp->undo_marker && tp->undo_retrans > 0 &&
after(end_seq, tp->undo_marker))
tp->undo_retrans--;
if (sacked & TCPCB_SACKED_ACKED)
@@ -1892,7 +1892,7 @@ static void tcp_clear_retrans_partial(struct tcp_sock *tp)
tp->lost_out = 0;
tp->undo_marker = 0;
- tp->undo_retrans = 0;
+ tp->undo_retrans = -1;
}
void tcp_clear_retrans(struct tcp_sock *tp)
@@ -2660,7 +2660,7 @@ static void tcp_enter_recovery(struct sock *sk, bool ece_ack)
tp->prior_ssthresh = 0;
tp->undo_marker = tp->snd_una;
- tp->undo_retrans = tp->retrans_out;
+ tp->undo_retrans = tp->retrans_out ? : -1;
if (inet_csk(sk)->icsk_ca_state < TCP_CA_CWR) {
if (!ece_ack)
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 99737ed..e3688a4 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2422,8 +2422,6 @@ int tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb)
if (!tp->retrans_stamp)
tp->retrans_stamp = TCP_SKB_CB(skb)->when;
- tp->undo_retrans += tcp_skb_pcount(skb);
-
/* snd_nxt is stored to detect loss of retransmitted segment,
* see tcp_input.c tcp_sacktag_write_queue().
*/
@@ -2431,6 +2429,10 @@ int tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb)
} else {
NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPRETRANSFAIL);
}
+
+ if (tp->undo_retrans < 0)
+ tp->undo_retrans = 0;
+ tp->undo_retrans += tcp_skb_pcount(skb);
return err;
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 249/259] appletalk: Fix socket referencing in skb
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (247 preceding siblings ...)
2014-08-08 20:41 ` [PATCH 3.13 248/259] tcp: fix false undo corner cases Kamal Mostafa
@ 2014-08-08 20:41 ` Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 250/259] netlink: Fix handling of error from netlink_dump() Kamal Mostafa
` (9 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:41 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Andrey Utkin, Eric Dumazet, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrey Utkin <andrey.krieger.utkin@gmail.com>
[ Upstream commit 36beddc272c111689f3042bf3d10a64d8a805f93 ]
Setting just skb->sk without taking its reference and setting a
destructor is invalid. However, in the places where this was done, skb
is used in a way not requiring skb->sk setting. So dropping the setting
of skb->sk.
Thanks to Eric Dumazet <eric.dumazet@gmail.com> for correct solution.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=79441
Reported-by: Ed Martin <edman007@edman007.com>
Signed-off-by: Andrey Utkin <andrey.krieger.utkin@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/appletalk/ddp.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
index 7d424ac..43e875c 100644
--- a/net/appletalk/ddp.c
+++ b/net/appletalk/ddp.c
@@ -1489,8 +1489,6 @@ static int atalk_rcv(struct sk_buff *skb, struct net_device *dev,
goto drop;
/* Queue packet (standard) */
- skb->sk = sock;
-
if (sock_queue_rcv_skb(sock, skb) < 0)
goto drop;
@@ -1644,7 +1642,6 @@ static int atalk_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr
if (!skb)
goto out;
- skb->sk = sk;
skb_reserve(skb, ddp_dl->header_length);
skb_reserve(skb, dev->hard_header_len);
skb->dev = dev;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 250/259] netlink: Fix handling of error from netlink_dump().
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (248 preceding siblings ...)
2014-08-08 20:41 ` [PATCH 3.13 249/259] appletalk: Fix socket referencing in skb Kamal Mostafa
@ 2014-08-08 20:41 ` Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 251/259] be2net: set EQ DB clear-intr bit in be_open() Kamal Mostafa
` (8 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:41 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Ben Pfaff, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Pfaff <blp@nicira.com>
[ Upstream commit ac30ef832e6af0505b6f0251a6659adcfa74975e ]
netlink_dump() returns a negative errno value on error. Until now,
netlink_recvmsg() directly recorded that negative value in sk->sk_err, but
that's wrong since sk_err takes positive errno values. (This manifests as
userspace receiving a positive return value from the recv() system call,
falsely indicating success.) This bug was introduced in the commit that
started checking the netlink_dump() return value, commit b44d211 (netlink:
handle errors from netlink_dump()).
Multithreaded Netlink dumps are one way to trigger this behavior in
practice, as described in the commit message for the userspace workaround
posted here:
http://openvswitch.org/pipermail/dev/2014-June/042339.html
This commit also fixes the same bug in netlink_poll(), introduced in commit
cd1df525d (netlink: add flow control for memory mapped I/O).
Signed-off-by: Ben Pfaff <blp@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/netlink/af_netlink.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index ba45917..ab68a92e 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -628,7 +628,7 @@ static unsigned int netlink_poll(struct file *file, struct socket *sock,
while (nlk->cb_running && netlink_dump_space(nlk)) {
err = netlink_dump(sk);
if (err < 0) {
- sk->sk_err = err;
+ sk->sk_err = -err;
sk->sk_error_report(sk);
break;
}
@@ -2440,7 +2440,7 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf / 2) {
ret = netlink_dump(sk);
if (ret) {
- sk->sk_err = ret;
+ sk->sk_err = -ret;
sk->sk_error_report(sk);
}
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 251/259] be2net: set EQ DB clear-intr bit in be_open()
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (249 preceding siblings ...)
2014-08-08 20:41 ` [PATCH 3.13 250/259] netlink: Fix handling of error from netlink_dump() Kamal Mostafa
@ 2014-08-08 20:41 ` Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 252/259] tipc: clear 'next'-pointer of message fragments before reassembly Kamal Mostafa
` (7 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:41 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Suresh Reddy, Sathya Perla, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Suresh Reddy <Suresh.Reddy@emulex.com>
[ Upstream commit 4cad9f3b61c7268fa89ab8096e23202300399b5d ]
On BE3, if the clear-interrupt bit of the EQ doorbell is not set the first
time it is armed, ocassionally we have observed that the EQ doesn't raise
anymore interrupts even if it is in armed state.
This patch fixes this by setting the clear-interrupt bit when EQs are
armed for the first time in be_open().
Signed-off-by: Suresh Reddy <Suresh.Reddy@emulex.com>
Signed-off-by: Sathya Perla <sathya.perla@emulex.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
index a37039d..a67ddf8 100644
--- a/drivers/net/ethernet/emulex/benet/be_main.c
+++ b/drivers/net/ethernet/emulex/benet/be_main.c
@@ -2797,7 +2797,7 @@ static int be_open(struct net_device *netdev)
for_all_evt_queues(adapter, eqo, i) {
napi_enable(&eqo->napi);
be_enable_busy_poll(eqo);
- be_eq_notify(adapter, eqo->q.id, true, false, 0);
+ be_eq_notify(adapter, eqo->q.id, true, true, 0);
}
adapter->flags |= BE_FLAGS_NAPI_ENABLED;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 252/259] tipc: clear 'next'-pointer of message fragments before reassembly
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (250 preceding siblings ...)
2014-08-08 20:41 ` [PATCH 3.13 251/259] be2net: set EQ DB clear-intr bit in be_open() Kamal Mostafa
@ 2014-08-08 20:41 ` Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 253/259] net: sctp: fix information leaks in ulpevent layer Kamal Mostafa
` (6 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:41 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Jon Maloy, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Jon Paul Maloy <jon.maloy@ericsson.com>
[ Upstream commit 999417549c16dd0e3a382aa9f6ae61688db03181 ]
If the 'next' pointer of the last fragment buffer in a message is not
zeroed before reassembly, we risk ending up with a corrupt message,
since the reassembly function itself isn't doing this.
Currently, when a buffer is retrieved from the deferred queue of the
broadcast link, the next pointer is not cleared, with the result as
described above.
This commit corrects this, and thereby fixes a bug that may occur when
long broadcast messages are transmitted across dual interfaces. The bug
has been present since 40ba3cdf542a469aaa9083fa041656e59b109b90 ("tipc:
message reassembly using fragment chain")
This commit should be applied to both net and net-next.
Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/tipc/bcast.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/tipc/bcast.c b/net/tipc/bcast.c
index 0d44025..bc1e5d6 100644
--- a/net/tipc/bcast.c
+++ b/net/tipc/bcast.c
@@ -537,6 +537,7 @@ receive:
buf = node->bclink.deferred_head;
node->bclink.deferred_head = buf->next;
+ buf->next = NULL;
node->bclink.deferred_size--;
goto receive;
}
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 253/259] net: sctp: fix information leaks in ulpevent layer
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (251 preceding siblings ...)
2014-08-08 20:41 ` [PATCH 3.13 252/259] tipc: clear 'next'-pointer of message fragments before reassembly Kamal Mostafa
@ 2014-08-08 20:41 ` Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 254/259] net: pppoe: use correct channel MTU when using Multilink PPP Kamal Mostafa
` (5 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:41 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Daniel Borkmann, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Borkmann <dborkman@redhat.com>
[ Upstream commit 8f2e5ae40ec193bc0a0ed99e95315c3eebca84ea ]
While working on some other SCTP code, I noticed that some
structures shared with user space are leaking uninitialized
stack or heap buffer. In particular, struct sctp_sndrcvinfo
has a 2 bytes hole between .sinfo_flags and .sinfo_ppid that
remains unfilled by us in sctp_ulpevent_read_sndrcvinfo() when
putting this into cmsg. But also struct sctp_remote_error
contains a 2 bytes hole that we don't fill but place into a skb
through skb_copy_expand() via sctp_ulpevent_make_remote_error().
Both structures are defined by the IETF in RFC6458:
* Section 5.3.2. SCTP Header Information Structure:
The sctp_sndrcvinfo structure is defined below:
struct sctp_sndrcvinfo {
uint16_t sinfo_stream;
uint16_t sinfo_ssn;
uint16_t sinfo_flags;
<-- 2 bytes hole -->
uint32_t sinfo_ppid;
uint32_t sinfo_context;
uint32_t sinfo_timetolive;
uint32_t sinfo_tsn;
uint32_t sinfo_cumtsn;
sctp_assoc_t sinfo_assoc_id;
};
* 6.1.3. SCTP_REMOTE_ERROR:
A remote peer may send an Operation Error message to its peer.
This message indicates a variety of error conditions on an
association. The entire ERROR chunk as it appears on the wire
is included in an SCTP_REMOTE_ERROR event. Please refer to the
SCTP specification [RFC4960] and any extensions for a list of
possible error formats. An SCTP error notification has the
following format:
struct sctp_remote_error {
uint16_t sre_type;
uint16_t sre_flags;
uint32_t sre_length;
uint16_t sre_error;
<-- 2 bytes hole -->
sctp_assoc_t sre_assoc_id;
uint8_t sre_data[];
};
Fix this by setting both to 0 before filling them out. We also
have other structures shared between user and kernel space in
SCTP that contains holes (e.g. struct sctp_paddrthlds), but we
copy that buffer over from user space first and thus don't need
to care about it in that cases.
While at it, we can also remove lengthy comments copied from
the draft, instead, we update the comment with the correct RFC
number where one can look it up.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/sctp/ulpevent.c | 122 +++++++---------------------------------------------
1 file changed, 15 insertions(+), 107 deletions(-)
diff --git a/net/sctp/ulpevent.c b/net/sctp/ulpevent.c
index 81089ed..12c37ce 100644
--- a/net/sctp/ulpevent.c
+++ b/net/sctp/ulpevent.c
@@ -367,9 +367,10 @@ fail:
* specification [SCTP] and any extensions for a list of possible
* error formats.
*/
-struct sctp_ulpevent *sctp_ulpevent_make_remote_error(
- const struct sctp_association *asoc, struct sctp_chunk *chunk,
- __u16 flags, gfp_t gfp)
+struct sctp_ulpevent *
+sctp_ulpevent_make_remote_error(const struct sctp_association *asoc,
+ struct sctp_chunk *chunk, __u16 flags,
+ gfp_t gfp)
{
struct sctp_ulpevent *event;
struct sctp_remote_error *sre;
@@ -388,8 +389,7 @@ struct sctp_ulpevent *sctp_ulpevent_make_remote_error(
/* Copy the skb to a new skb with room for us to prepend
* notification with.
*/
- skb = skb_copy_expand(chunk->skb, sizeof(struct sctp_remote_error),
- 0, gfp);
+ skb = skb_copy_expand(chunk->skb, sizeof(*sre), 0, gfp);
/* Pull off the rest of the cause TLV from the chunk. */
skb_pull(chunk->skb, elen);
@@ -400,62 +400,21 @@ struct sctp_ulpevent *sctp_ulpevent_make_remote_error(
event = sctp_skb2event(skb);
sctp_ulpevent_init(event, MSG_NOTIFICATION, skb->truesize);
- sre = (struct sctp_remote_error *)
- skb_push(skb, sizeof(struct sctp_remote_error));
+ sre = (struct sctp_remote_error *) skb_push(skb, sizeof(*sre));
/* Trim the buffer to the right length. */
- skb_trim(skb, sizeof(struct sctp_remote_error) + elen);
+ skb_trim(skb, sizeof(*sre) + elen);
- /* Socket Extensions for SCTP
- * 5.3.1.3 SCTP_REMOTE_ERROR
- *
- * sre_type:
- * It should be SCTP_REMOTE_ERROR.
- */
+ /* RFC6458, Section 6.1.3. SCTP_REMOTE_ERROR */
+ memset(sre, 0, sizeof(*sre));
sre->sre_type = SCTP_REMOTE_ERROR;
-
- /*
- * Socket Extensions for SCTP
- * 5.3.1.3 SCTP_REMOTE_ERROR
- *
- * sre_flags: 16 bits (unsigned integer)
- * Currently unused.
- */
sre->sre_flags = 0;
-
- /* Socket Extensions for SCTP
- * 5.3.1.3 SCTP_REMOTE_ERROR
- *
- * sre_length: sizeof (__u32)
- *
- * This field is the total length of the notification data,
- * including the notification header.
- */
sre->sre_length = skb->len;
-
- /* Socket Extensions for SCTP
- * 5.3.1.3 SCTP_REMOTE_ERROR
- *
- * sre_error: 16 bits (unsigned integer)
- * This value represents one of the Operational Error causes defined in
- * the SCTP specification, in network byte order.
- */
sre->sre_error = cause;
-
- /* Socket Extensions for SCTP
- * 5.3.1.3 SCTP_REMOTE_ERROR
- *
- * sre_assoc_id: sizeof (sctp_assoc_t)
- *
- * The association id field, holds the identifier for the association.
- * All notifications for a given association have the same association
- * identifier. For TCP style socket, this field is ignored.
- */
sctp_ulpevent_set_owner(event, asoc);
sre->sre_assoc_id = sctp_assoc2id(asoc);
return event;
-
fail:
return NULL;
}
@@ -900,7 +859,9 @@ __u16 sctp_ulpevent_get_notification_type(const struct sctp_ulpevent *event)
return notification->sn_header.sn_type;
}
-/* Copy out the sndrcvinfo into a msghdr. */
+/* RFC6458, Section 5.3.2. SCTP Header Information Structure
+ * (SCTP_SNDRCV, DEPRECATED)
+ */
void sctp_ulpevent_read_sndrcvinfo(const struct sctp_ulpevent *event,
struct msghdr *msghdr)
{
@@ -909,74 +870,21 @@ void sctp_ulpevent_read_sndrcvinfo(const struct sctp_ulpevent *event,
if (sctp_ulpevent_is_notification(event))
return;
- /* Sockets API Extensions for SCTP
- * Section 5.2.2 SCTP Header Information Structure (SCTP_SNDRCV)
- *
- * sinfo_stream: 16 bits (unsigned integer)
- *
- * For recvmsg() the SCTP stack places the message's stream number in
- * this value.
- */
+ memset(&sinfo, 0, sizeof(sinfo));
sinfo.sinfo_stream = event->stream;
- /* sinfo_ssn: 16 bits (unsigned integer)
- *
- * For recvmsg() this value contains the stream sequence number that
- * the remote endpoint placed in the DATA chunk. For fragmented
- * messages this is the same number for all deliveries of the message
- * (if more than one recvmsg() is needed to read the message).
- */
sinfo.sinfo_ssn = event->ssn;
- /* sinfo_ppid: 32 bits (unsigned integer)
- *
- * In recvmsg() this value is
- * the same information that was passed by the upper layer in the peer
- * application. Please note that byte order issues are NOT accounted
- * for and this information is passed opaquely by the SCTP stack from
- * one end to the other.
- */
sinfo.sinfo_ppid = event->ppid;
- /* sinfo_flags: 16 bits (unsigned integer)
- *
- * This field may contain any of the following flags and is composed of
- * a bitwise OR of these values.
- *
- * recvmsg() flags:
- *
- * SCTP_UNORDERED - This flag is present when the message was sent
- * non-ordered.
- */
sinfo.sinfo_flags = event->flags;
- /* sinfo_tsn: 32 bit (unsigned integer)
- *
- * For the receiving side, this field holds a TSN that was
- * assigned to one of the SCTP Data Chunks.
- */
sinfo.sinfo_tsn = event->tsn;
- /* sinfo_cumtsn: 32 bit (unsigned integer)
- *
- * This field will hold the current cumulative TSN as
- * known by the underlying SCTP layer. Note this field is
- * ignored when sending and only valid for a receive
- * operation when sinfo_flags are set to SCTP_UNORDERED.
- */
sinfo.sinfo_cumtsn = event->cumtsn;
- /* sinfo_assoc_id: sizeof (sctp_assoc_t)
- *
- * The association handle field, sinfo_assoc_id, holds the identifier
- * for the association announced in the COMMUNICATION_UP notification.
- * All notifications for a given association have the same identifier.
- * Ignored for one-to-one style sockets.
- */
sinfo.sinfo_assoc_id = sctp_assoc2id(event->asoc);
-
- /* context value that is set via SCTP_CONTEXT socket option. */
+ /* Context value that is set via SCTP_CONTEXT socket option. */
sinfo.sinfo_context = event->asoc->default_rcv_context;
-
/* These fields are not used while receiving. */
sinfo.sinfo_timetolive = 0;
put_cmsg(msghdr, IPPROTO_SCTP, SCTP_SNDRCV,
- sizeof(struct sctp_sndrcvinfo), (void *)&sinfo);
+ sizeof(sinfo), &sinfo);
}
/* Do accounting for bytes received and hold a reference to the association
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 254/259] net: pppoe: use correct channel MTU when using Multilink PPP
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (252 preceding siblings ...)
2014-08-08 20:41 ` [PATCH 3.13 253/259] net: sctp: fix information leaks in ulpevent layer Kamal Mostafa
@ 2014-08-08 20:41 ` Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 255/259] sunvnet: clean up objects created in vnet_new() on vnet_exit() Kamal Mostafa
` (4 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:41 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Christoph Schulz, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Schulz <develop@kristov.de>
[ Upstream commit a8a3e41c67d24eb12f9ab9680cbb85e24fcd9711 ]
The PPP channel MTU is used with Multilink PPP when ppp_mp_explode() (see
ppp_generic module) tries to determine how big a fragment might be. According
to RFC 1661, the MTU excludes the 2-byte PPP protocol field, see the
corresponding comment and code in ppp_mp_explode():
/*
* hdrlen includes the 2-byte PPP protocol field, but the
* MTU counts only the payload excluding the protocol field.
* (RFC1661 Section 2)
*/
mtu = pch->chan->mtu - (hdrlen - 2);
However, the pppoe module *does* include the PPP protocol field in the channel
MTU, which is wrong as it causes the PPP payload to be 1-2 bytes too big under
certain circumstances (one byte if PPP protocol compression is used, two
otherwise), causing the generated Ethernet packets to be dropped. So the pppoe
module has to subtract two bytes from the channel MTU. This error only
manifests itself when using Multilink PPP, as otherwise the channel MTU is not
used anywhere.
In the following, I will describe how to reproduce this bug. We configure two
pppd instances for multilink PPP over two PPPoE links, say eth2 and eth3, with
a MTU of 1492 bytes for each link and a MRRU of 2976 bytes. (This MRRU is
computed by adding the two link MTUs and subtracting the MP header twice, which
is 4 bytes long.) The necessary pppd statements on both sides are "multilink
mtu 1492 mru 1492 mrru 2976". On the client side, we additionally need "plugin
rp-pppoe.so eth2" and "plugin rp-pppoe.so eth3", respectively; on the server
side, we additionally need to start two pppoe-server instances to be able to
establish two PPPoE sessions, one over eth2 and one over eth3. We set the MTU
of the PPP network interface to the MRRU (2976) on both sides of the connection
in order to make use of the higher bandwidth. (If we didn't do that, IP
fragmentation would kick in, which we want to avoid.)
Now we send a ICMPv4 echo request with a payload of 2948 bytes from client to
server over the PPP link. This results in the following network packet:
2948 (echo payload)
+ 8 (ICMPv4 header)
+ 20 (IPv4 header)
---------------------
2976 (PPP payload)
These 2976 bytes do not exceed the MTU of the PPP network interface, so the
IP packet is not fragmented. Now the multilink PPP code in ppp_mp_explode()
prepends one protocol byte (0x21 for IPv4), making the packet one byte bigger
than the negotiated MRRU. So this packet would have to be divided in three
fragments. But this does not happen as each link MTU is assumed to be two bytes
larger. So this packet is diveded into two fragments only, one of size 1489 and
one of size 1488. Now we have for that bigger fragment:
1489 (PPP payload)
+ 4 (MP header)
+ 2 (PPP protocol field for the MP payload (0x3d))
+ 6 (PPPoE header)
--------------------------
1501 (Ethernet payload)
This packet exceeds the link MTU and is discarded.
If one configures the link MTU on the client side to 1501, one can see the
discarded Ethernet frames with tcpdump running on the client. A
ping -s 2948 -c 1 192.168.15.254
leads to the smaller fragment that is correctly received on the server side:
(tcpdump -vvvne -i eth3 pppoes and ppp proto 0x3d)
52:54:00:ad:87:fd > 52:54:00:79:5c:d0, ethertype PPPoE S (0x8864),
length 1514: PPPoE [ses 0x3] MLPPP (0x003d), length 1494: seq 0x000,
Flags [end], length 1492
and to the bigger fragment that is not received on the server side:
(tcpdump -vvvne -i eth2 pppoes and ppp proto 0x3d)
52:54:00:70:9e:89 > 52:54:00:5d:6f:b0, ethertype PPPoE S (0x8864),
length 1515: PPPoE [ses 0x5] MLPPP (0x003d), length 1495: seq 0x000,
Flags [begin], length 1493
With the patch below, we correctly obtain three fragments:
52:54:00:ad:87:fd > 52:54:00:79:5c:d0, ethertype PPPoE S (0x8864),
length 1514: PPPoE [ses 0x1] MLPPP (0x003d), length 1494: seq 0x000,
Flags [begin], length 1492
52:54:00:70:9e:89 > 52:54:00:5d:6f:b0, ethertype PPPoE S (0x8864),
length 1514: PPPoE [ses 0x1] MLPPP (0x003d), length 1494: seq 0x000,
Flags [none], length 1492
52:54:00:ad:87:fd > 52:54:00:79:5c:d0, ethertype PPPoE S (0x8864),
length 27: PPPoE [ses 0x1] MLPPP (0x003d), length 7: seq 0x000,
Flags [end], length 5
And the ICMPv4 echo request is successfully received at the server side:
IP (tos 0x0, ttl 64, id 21925, offset 0, flags [DF], proto ICMP (1),
length 2976)
192.168.222.2 > 192.168.15.254: ICMP echo request, id 30530, seq 0,
length 2956
The bug was introduced in commit c9aa6895371b2a257401f59d3393c9f7ac5a8698
("[PPPOE]: Advertise PPPoE MTU") from the very beginning. This patch applies
to 3.10 upwards but the fix can be applied (with minor modifications) to
kernels as old as 2.6.32.
Signed-off-by: Christoph Schulz <develop@kristov.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/ppp/pppoe.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
index 82ee6ed..addd232 100644
--- a/drivers/net/ppp/pppoe.c
+++ b/drivers/net/ppp/pppoe.c
@@ -675,7 +675,7 @@ static int pppoe_connect(struct socket *sock, struct sockaddr *uservaddr,
po->chan.hdrlen = (sizeof(struct pppoe_hdr) +
dev->hard_header_len);
- po->chan.mtu = dev->mtu - sizeof(struct pppoe_hdr);
+ po->chan.mtu = dev->mtu - sizeof(struct pppoe_hdr) - 2;
po->chan.private = sk;
po->chan.ops = &pppoe_chan_ops;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 255/259] sunvnet: clean up objects created in vnet_new() on vnet_exit()
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (253 preceding siblings ...)
2014-08-08 20:41 ` [PATCH 3.13 254/259] net: pppoe: use correct channel MTU when using Multilink PPP Kamal Mostafa
@ 2014-08-08 20:41 ` Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 256/259] net: huawei_cdc_ncm: add "subclass 3" devices Kamal Mostafa
` (3 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:41 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Sowmini Varadhan, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
[ Upstream commit a4b70a07ed12a71131cab7adce2ce91c71b37060 ]
Nothing cleans up the objects created by
vnet_new(), they are completely leaked.
vnet_exit(), after doing the vio_unregister_driver() to clean
up ports, should call a helper function that iterates over vnet_list
and cleans up those objects. This includes unregister_netdevice()
as well as free_netdev().
Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Acked-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Reviewed-by: Karl Volz <karl.volz@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/ethernet/sun/sunvnet.c | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/sun/sunvnet.c b/drivers/net/ethernet/sun/sunvnet.c
index 3df5684..398faff 100644
--- a/drivers/net/ethernet/sun/sunvnet.c
+++ b/drivers/net/ethernet/sun/sunvnet.c
@@ -1083,6 +1083,24 @@ static struct vnet *vnet_find_or_create(const u64 *local_mac)
return vp;
}
+static void vnet_cleanup(void)
+{
+ struct vnet *vp;
+ struct net_device *dev;
+
+ mutex_lock(&vnet_list_mutex);
+ while (!list_empty(&vnet_list)) {
+ vp = list_first_entry(&vnet_list, struct vnet, list);
+ list_del(&vp->list);
+ dev = vp->dev;
+ /* vio_unregister_driver() should have cleaned up port_list */
+ BUG_ON(!list_empty(&vp->port_list));
+ unregister_netdev(dev);
+ free_netdev(dev);
+ }
+ mutex_unlock(&vnet_list_mutex);
+}
+
static const char *local_mac_prop = "local-mac-address";
static struct vnet *vnet_find_parent(struct mdesc_handle *hp,
@@ -1240,7 +1258,6 @@ static int vnet_port_remove(struct vio_dev *vdev)
kfree(port);
- unregister_netdev(vp->dev);
}
return 0;
}
@@ -1268,6 +1285,7 @@ static int __init vnet_init(void)
static void __exit vnet_exit(void)
{
vio_unregister_driver(&vnet_port_driver);
+ vnet_cleanup();
}
module_init(vnet_init);
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 256/259] net: huawei_cdc_ncm: add "subclass 3" devices
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (254 preceding siblings ...)
2014-08-08 20:41 ` [PATCH 3.13 255/259] sunvnet: clean up objects created in vnet_new() on vnet_exit() Kamal Mostafa
@ 2014-08-08 20:41 ` Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 257/259] dns_resolver: assure that dns_query() result is null-terminated Kamal Mostafa
` (2 subsequent siblings)
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:41 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Enrico Mioso, Bjørn Mork, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
[ Upstream commit c2a6c7813f1ffae636e369b5d7011c9f518d3cd9 ]
Huawei's usage of the subclass and protocol fields is not 100%
clear to us, but there appears to be a very strict system.
A device with the "shared" device ID 12d1:1506 and this NCM
function was recently reported (showing only default altsetting):
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 1
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 3
bInterfaceProtocol 22
iInterface 8 CDC Network Control Model (NCM)
** UNRECOGNIZED: 05 24 00 10 01
** UNRECOGNIZED: 06 24 1a 00 01 1f
** UNRECOGNIZED: 0c 24 1b 00 01 00 04 10 14 dc 05 20
** UNRECOGNIZED: 0d 24 0f 0a 0f 00 00 00 ea 05 03 00 01
** UNRECOGNIZED: 05 24 06 01 01
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x85 EP 5 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0010 1x 16 bytes
bInterval 9
Cc: Enrico Mioso <mrkiko.rs@gmail.com>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/usb/huawei_cdc_ncm.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/usb/huawei_cdc_ncm.c b/drivers/net/usb/huawei_cdc_ncm.c
index 75d9ee4..a014625 100644
--- a/drivers/net/usb/huawei_cdc_ncm.c
+++ b/drivers/net/usb/huawei_cdc_ncm.c
@@ -207,6 +207,9 @@ static const struct usb_device_id huawei_cdc_ncm_devs[] = {
{ USB_VENDOR_AND_INTERFACE_INFO(0x12d1, 0xff, 0x02, 0x76),
.driver_info = (unsigned long)&huawei_cdc_ncm_info,
},
+ { USB_VENDOR_AND_INTERFACE_INFO(0x12d1, 0xff, 0x03, 0x16),
+ .driver_info = (unsigned long)&huawei_cdc_ncm_info,
+ },
/* Terminating entry */
{
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 257/259] dns_resolver: assure that dns_query() result is null-terminated
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (255 preceding siblings ...)
2014-08-08 20:41 ` [PATCH 3.13 256/259] net: huawei_cdc_ncm: add "subclass 3" devices Kamal Mostafa
@ 2014-08-08 20:41 ` Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 258/259] dns_resolver: Null-terminate the right string Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 259/259] ipv4: fix buffer overflow in ip_options_compile() Kamal Mostafa
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:41 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Manuel Schölling, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: =?UTF-8?q?Manuel=20Sch=C3=B6lling?= <manuel.schoelling@gmx.de>
[ Upstream commit 84a7c0b1db1c17d5ded8d3800228a608e1070b40 ]
dns_query() credulously assumes that keys are null-terminated and
returns a copy of a memory block that is off by one.
Signed-off-by: Manuel Schölling <manuel.schoelling@gmx.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/dns_resolver/dns_query.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/dns_resolver/dns_query.c b/net/dns_resolver/dns_query.c
index c32be29..ede0e2d 100644
--- a/net/dns_resolver/dns_query.c
+++ b/net/dns_resolver/dns_query.c
@@ -150,7 +150,9 @@ int dns_query(const char *type, const char *name, size_t namelen,
if (!*_result)
goto put;
- memcpy(*_result, upayload->data, len + 1);
+ memcpy(*_result, upayload->data, len);
+ *_result[len] = '\0';
+
if (_expiry)
*_expiry = rkey->expiry;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 258/259] dns_resolver: Null-terminate the right string
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (256 preceding siblings ...)
2014-08-08 20:41 ` [PATCH 3.13 257/259] dns_resolver: assure that dns_query() result is null-terminated Kamal Mostafa
@ 2014-08-08 20:41 ` Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 259/259] ipv4: fix buffer overflow in ip_options_compile() Kamal Mostafa
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:41 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Ben Hutchings, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Hutchings <ben@decadent.org.uk>
[ Upstream commit 640d7efe4c08f06c4ae5d31b79bd8740e7f6790a ]
*_result[len] is parsed as *(_result[len]) which is not at all what we
want to touch here.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Fixes: 84a7c0b1db1c ("dns_resolver: assure that dns_query() result is null-terminated")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/dns_resolver/dns_query.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/dns_resolver/dns_query.c b/net/dns_resolver/dns_query.c
index ede0e2d..2022b46 100644
--- a/net/dns_resolver/dns_query.c
+++ b/net/dns_resolver/dns_query.c
@@ -151,7 +151,7 @@ int dns_query(const char *type, const char *name, size_t namelen,
goto put;
memcpy(*_result, upayload->data, len);
- *_result[len] = '\0';
+ (*_result)[len] = '\0';
if (_expiry)
*_expiry = rkey->expiry;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* [PATCH 3.13 259/259] ipv4: fix buffer overflow in ip_options_compile()
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
` (257 preceding siblings ...)
2014-08-08 20:41 ` [PATCH 3.13 258/259] dns_resolver: Null-terminate the right string Kamal Mostafa
@ 2014-08-08 20:41 ` Kamal Mostafa
258 siblings, 0 replies; 264+ messages in thread
From: Kamal Mostafa @ 2014-08-08 20:41 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Eric Dumazet, David S. Miller, Kamal Mostafa
3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 10ec9472f05b45c94db3c854d22581a20b97db41 ]
There is a benign buffer overflow in ip_options_compile spotted by
AddressSanitizer[1] :
Its benign because we always can access one extra byte in skb->head
(because header is followed by struct skb_shared_info), and in this case
this byte is not even used.
[28504.910798] ==================================================================
[28504.912046] AddressSanitizer: heap-buffer-overflow in ip_options_compile
[28504.913170] Read of size 1 by thread T15843:
[28504.914026] [<ffffffff81802f91>] ip_options_compile+0x121/0x9c0
[28504.915394] [<ffffffff81804a0d>] ip_options_get_from_user+0xad/0x120
[28504.916843] [<ffffffff8180dedf>] do_ip_setsockopt.isra.15+0x8df/0x1630
[28504.918175] [<ffffffff8180ec60>] ip_setsockopt+0x30/0xa0
[28504.919490] [<ffffffff8181e59b>] tcp_setsockopt+0x5b/0x90
[28504.920835] [<ffffffff8177462f>] sock_common_setsockopt+0x5f/0x70
[28504.922208] [<ffffffff817729c2>] SyS_setsockopt+0xa2/0x140
[28504.923459] [<ffffffff818cfb69>] system_call_fastpath+0x16/0x1b
[28504.924722]
[28504.925106] Allocated by thread T15843:
[28504.925815] [<ffffffff81804995>] ip_options_get_from_user+0x35/0x120
[28504.926884] [<ffffffff8180dedf>] do_ip_setsockopt.isra.15+0x8df/0x1630
[28504.927975] [<ffffffff8180ec60>] ip_setsockopt+0x30/0xa0
[28504.929175] [<ffffffff8181e59b>] tcp_setsockopt+0x5b/0x90
[28504.930400] [<ffffffff8177462f>] sock_common_setsockopt+0x5f/0x70
[28504.931677] [<ffffffff817729c2>] SyS_setsockopt+0xa2/0x140
[28504.932851] [<ffffffff818cfb69>] system_call_fastpath+0x16/0x1b
[28504.934018]
[28504.934377] The buggy address ffff880026382828 is located 0 bytes to the right
[28504.934377] of 40-byte region [ffff880026382800, ffff880026382828)
[28504.937144]
[28504.937474] Memory state around the buggy address:
[28504.938430] ffff880026382300: ........ rrrrrrrr rrrrrrrr rrrrrrrr
[28504.939884] ffff880026382400: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28504.941294] ffff880026382500: .....rrr rrrrrrrr rrrrrrrr rrrrrrrr
[28504.942504] ffff880026382600: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28504.943483] ffff880026382700: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28504.944511] >ffff880026382800: .....rrr rrrrrrrr rrrrrrrr rrrrrrrr
[28504.945573] ^
[28504.946277] ffff880026382900: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.094949] ffff880026382a00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.096114] ffff880026382b00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.097116] ffff880026382c00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.098472] ffff880026382d00: ffffffff rrrrrrrr rrrrrrrr rrrrrrrr
[28505.099804] Legend:
[28505.100269] f - 8 freed bytes
[28505.100884] r - 8 redzone bytes
[28505.101649] . - 8 allocated bytes
[28505.102406] x=1..7 - x allocated bytes + (8-x) redzone bytes
[28505.103637] ==================================================================
[1] https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/ipv4/ip_options.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/ipv4/ip_options.c b/net/ipv4/ip_options.c
index ec72645..089ed81 100644
--- a/net/ipv4/ip_options.c
+++ b/net/ipv4/ip_options.c
@@ -288,6 +288,10 @@ int ip_options_compile(struct net *net,
optptr++;
continue;
}
+ if (unlikely(l < 2)) {
+ pp_ptr = optptr;
+ goto error;
+ }
optlen = optptr[1];
if (optlen<2 || optlen>l) {
pp_ptr = optptr;
--
1.9.1
^ permalink raw reply related [flat|nested] 264+ messages in thread
* Re: [PATCH 3.13 061/259] thermal: hwmon: Make the check for critical temp valid consistent
2014-08-08 20:38 ` [PATCH 3.13 061/259] thermal: hwmon: Make the check for critical temp valid consistent Kamal Mostafa
@ 2014-08-09 16:51 ` edubezval
0 siblings, 0 replies; 264+ messages in thread
From: edubezval @ 2014-08-09 16:51 UTC (permalink / raw)
To: Kamal Mostafa; +Cc: LKML, stable, kernel-team, Aaron Lu, Zhang Rui
Hello,
On Fri, Aug 8, 2014 at 4:38 PM, Kamal Mostafa <kamal@canonical.com> wrote:
> 3.13.11.6 -stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Aaron Lu <aaron.lu@intel.com>
>
> commit e8db5d6736a712a3e2280c0e31f4b301d85172d8 upstream.
>
> On 05/21/2014 04:22 PM, Aaron Lu wrote:
>> On 05/21/2014 01:57 PM, Kui Zhang wrote:
>>> Hello,
>>>
>>> I get following error when rmmod thermal.
>>>
>>> rmmod thermal
>>> Killed
>
> While dealing with this problem, I found another problem that also
> results in a kernel crash on thermal module removal:
>
> From: Aaron Lu <aaron.lu@intel.com>
> Date: Wed, 21 May 2014 16:05:38 +0800
> Subject: [PATCH] thermal: hwmon: Make the check for critical temp valid consistent
>
> We used the tz->ops->get_crit_temp && !tz->ops->get_crit_temp(tz, temp)
> to decide if we need to create the temp_crit attribute file but we just
> check if tz->ops->get_crit_temp exists to decide if we need to remove
> that attribute file. Some ACPI thermal zone doesn't have a valid critical
> trip point and that would result in removing a non-existent device file
> on thermal module unload.
>
> Signed-off-by: Aaron Lu <aaron.lu@intel.com>
> Signed-off-by: Zhang Rui <rui.zhang@intel.com>
> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Acked-by: Eduardo Valentin <edubezval@gmail.com>
> ---
> drivers/thermal/thermal_hwmon.c | 33 ++++++++++++++++++---------------
> 1 file changed, 18 insertions(+), 15 deletions(-)
>
> diff --git a/drivers/thermal/thermal_hwmon.c b/drivers/thermal/thermal_hwmon.c
> index fdb0719..1967bee 100644
> --- a/drivers/thermal/thermal_hwmon.c
> +++ b/drivers/thermal/thermal_hwmon.c
> @@ -140,6 +140,12 @@ thermal_hwmon_lookup_temp(const struct thermal_hwmon_device *hwmon,
> return NULL;
> }
>
> +static bool thermal_zone_crit_temp_valid(struct thermal_zone_device *tz)
> +{
> + unsigned long temp;
> + return tz->ops->get_crit_temp && !tz->ops->get_crit_temp(tz, &temp);
> +}
> +
> int thermal_add_hwmon_sysfs(struct thermal_zone_device *tz)
> {
> struct thermal_hwmon_device *hwmon;
> @@ -189,21 +195,18 @@ int thermal_add_hwmon_sysfs(struct thermal_zone_device *tz)
> if (result)
> goto free_temp_mem;
>
> - if (tz->ops->get_crit_temp) {
> - unsigned long temperature;
> - if (!tz->ops->get_crit_temp(tz, &temperature)) {
> - snprintf(temp->temp_crit.name,
> - sizeof(temp->temp_crit.name),
> + if (thermal_zone_crit_temp_valid(tz)) {
> + snprintf(temp->temp_crit.name,
> + sizeof(temp->temp_crit.name),
> "temp%d_crit", hwmon->count);
> - temp->temp_crit.attr.attr.name = temp->temp_crit.name;
> - temp->temp_crit.attr.attr.mode = 0444;
> - temp->temp_crit.attr.show = temp_crit_show;
> - sysfs_attr_init(&temp->temp_crit.attr.attr);
> - result = device_create_file(hwmon->device,
> - &temp->temp_crit.attr);
> - if (result)
> - goto unregister_input;
> - }
> + temp->temp_crit.attr.attr.name = temp->temp_crit.name;
> + temp->temp_crit.attr.attr.mode = 0444;
> + temp->temp_crit.attr.show = temp_crit_show;
> + sysfs_attr_init(&temp->temp_crit.attr.attr);
> + result = device_create_file(hwmon->device,
> + &temp->temp_crit.attr);
> + if (result)
> + goto unregister_input;
> }
>
> mutex_lock(&thermal_hwmon_list_lock);
> @@ -250,7 +253,7 @@ void thermal_remove_hwmon_sysfs(struct thermal_zone_device *tz)
> }
>
> device_remove_file(hwmon->device, &temp->temp_input.attr);
> - if (tz->ops->get_crit_temp)
> + if (thermal_zone_crit_temp_valid(tz))
> device_remove_file(hwmon->device, &temp->temp_crit.attr);
>
> mutex_lock(&thermal_hwmon_list_lock);
> --
> 1.9.1
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
--
Eduardo Bezerra Valentin
^ permalink raw reply [flat|nested] 264+ messages in thread
end of thread, other threads:[~2014-08-09 16:51 UTC | newest]
Thread overview: 264+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-08-08 20:37 [3.13.y.z extended stable] Linux 3.13.11.6 stable review Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 001/259] ACPI / PAD: call schedule() when need_resched() is true Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 002/259] KVM: ioapic: fix assignment of ioapic->rtc_status.pending_eoi (CVE-2014-0155) Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 003/259] target: Explicitly clear ramdisk_mcp backend pages Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 004/259] sctp: Fix sk_ack_backlog wrap-around problem Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 005/259] mm: hugetlb: fix copy_hugetlb_page_range() Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 006/259] x86_32, entry: Store badsys error code in %eax Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 007/259] shmem: fix faulting into a hole while it's punched Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 008/259] shmem: fix faulting into a hole, not taking i_mutex Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 009/259] shmem: fix splicing from a hole while it's punched Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 010/259] net: fix UDP tunnel GSO of frag_list GRO packets Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 011/259] ipvs: Fix panic due to non-linear skb Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 012/259] ALSA: hda/hdmi - apply all Haswell fix-ups to Broadwell display codec Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 013/259] ALSA: hda - verify pin:converter connection on unsol event for HSW and VLV Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 014/259] ALSA: hda - verify pin:cvt connection on preparing a stream for Intel HDMI codec Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 015/259] x86/xen: safely map and unmap grant frames when in atomic context Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 016/259] ext4: Fix buffer double free in ext4_alloc_branch() Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 017/259] ARM: OMAP2+: Fix parser-bug in platform muxing code Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 018/259] KVM: x86: Increase the number of fixed MTRR regs to 10 Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 019/259] KVM: x86: preserve the high 32-bits of the PAT register Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 020/259] usb: musb: ux500: don't propagate the OF node Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 021/259] usb: gadget: f_fs: fix NULL pointer dereference when there are no strings Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 022/259] staging: iio/ad7291: fix error code in ad7291_probe() Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 023/259] iio: of_iio_channel_get_by_name() returns non-null pointers for error legs Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 024/259] irqchip: spear_shirq: Fix interrupt offset Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 025/259] USB: option: add device ID for SpeedUp SU9800 usb 3g modem Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 026/259] USB: ftdi_sio: fix null deref at port probe Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 027/259] usb: option: add/modify Olivetti Olicard modems Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 028/259] scsi_error: fix invalid setting of host byte Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 029/259] xhci: Use correct SLOT ID when handling a reset device command Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 030/259] xhci: correct burst count field for isoc transfers on 1.0 xhci hosts Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 031/259] xhci: clear root port wake on bits if controller isn't wake-up capable Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 032/259] xhci: Fix runtime suspended xhci from blocking system suspend Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 033/259] ibmvscsi: Abort init sequence during error recovery Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 034/259] ibmvscsi: Add memory barriers for send / receive Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 035/259] virtio-scsi: avoid cancelling uninitialized work items Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 036/259] virtio-scsi: fix various bad behavior on aborted requests Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 037/259] MIPS: KVM: Fix memory leak on VCPU Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 038/259] ext4: Fix hole punching for files with indirect blocks Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 039/259] usb: musb: Fix panic upon musb_am335x module removal Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 040/259] usb: musb: Ensure that cppi41 timer gets armed on premature DMA TX irq Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 041/259] nfsd: fix rare symlink decoding bug Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 042/259] tools: ffs-test: fix header values endianess Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 043/259] usb-storage/SCSI: Add broken_fua blacklist flag Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 044/259] drm/radeon/dpm: fix typo in vddci setup for eg/btc Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 045/259] drm/radeon/dpm: fix vddci setup typo on cayman Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 046/259] tracing: Remove ftrace_stop/start() from reading the trace file Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 047/259] usb: chipidea: udc: delete td from req's td list at ep_dequeue Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 048/259] drm/radeon/cik: fix typo in EOP packet Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 049/259] md: flush writes before starting a recovery Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 050/259] drm/vmwgfx: Fix incorrect write to read-only register v2: Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 051/259] mm: page_alloc: fix CMA area initialisation when pageblock > MAX_ORDER Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 052/259] /proc/stat: convert to single_open_size() Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 053/259] nick kvfree() from apparmor Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 054/259] fs/seq_file: fallback to vmalloc allocation Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 055/259] lz4: add overrun checks to lz4_uncompress_unknownoutputsize() Kamal Mostafa
2014-08-08 20:37 ` [PATCH 3.13 056/259] ptrace,x86: force IRET path after a ptrace_stop() Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 057/259] arm64: mm: Make icache synchronisation logic huge page aware Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 058/259] workqueue: fix dev_set_uevent_suppress() imbalance Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 059/259] cpuset,mempolicy: fix sleeping function called from invalid context Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 060/259] crypto: sha512_ssse3 - fix byte count to bit count conversion Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 061/259] thermal: hwmon: Make the check for critical temp valid consistent Kamal Mostafa
2014-08-09 16:51 ` edubezval
2014-08-08 20:38 ` [PATCH 3.13 062/259] clk: s2mps11: Fix double free corruption during driver unbind Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 063/259] hwmon: (amc6821) Fix permissions for temp2_input Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 064/259] hwmon: (adm1029) Ensure the fan_div cache is updated in set_fan_div Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 065/259] hwmon: (adm1021) Fix cache problem when writing temperature limits Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 066/259] ext4: fix unjournalled bg descriptor while initializing inode bitmap Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 067/259] ext4: clarify error count warning messages Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 068/259] ext4: clarify ext4_error message in ext4_mb_generate_buddy_error() Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 069/259] ext4: disable synchronous transaction batching if max_batch_time==0 Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 070/259] Revert "ACPI / AC: Remove AC's proc directory." Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 071/259] intel_pstate: Fix setting VID Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 072/259] intel_pstate: don't touch turbo bit if turbo disabled or unavailable Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 073/259] intel_pstate: Set CPU number before accessing MSRs Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 074/259] USB: cp210x: add support for Corsair usb dongle Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 075/259] usb: option: Add ID for Telewell TW-LTE 4G v2 Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 076/259] ACPI / EC: Avoid race condition related to advance_transaction() Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 077/259] ACPI / EC: Add asynchronous command byte write support Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 078/259] ACPI / EC: Remove duplicated ec_wait_ibf0() waiter Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 079/259] ACPI / EC: Fix race condition in ec_transaction_completed() Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 080/259] ACPI / battery: Retry to get battery information if failed during probing Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 081/259] hwmon: (adm1031) Fix writes to limit registers Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 082/259] workqueue: zero cpumask of wq_numa_possible_cpumask on init Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 083/259] hwmon: (emc2103) Clamp limits instead of bailing out Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 084/259] arm64: implement TASK_SIZE_OF Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 085/259] iio: ti_am335x_adc: Fix: Use same step id at FIFOs both ends Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 086/259] cpufreq: Makefile: fix compilation for davinci platform Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 087/259] drm/i915: Don't clobber the GTT when it's within stolen memory Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 088/259] Drivers: hv: vmbus: Fix a bug in the channel callback dispatch code Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 089/259] USB: ftdi_sio: Add extra PID Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 090/259] crypto: caam - fix memleak in caam_jr module Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 091/259] dm: allocate a special workqueue for deferred device removal Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 092/259] dm io: fix a race condition in the wake up code for sync_io Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 093/259] drm/radeon/dp: return -EIO for flags not zero case Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 094/259] drm/radeon: fix typo in golden register setup on evergreen Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 095/259] drm/radeon: fix typo in ci_stop_dpm() Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 096/259] drm/radeon/dpm: Reenabling SS on Cayman Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 097/259] powerpc/perf: Add PPMU_ARCH_207S define Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 098/259] powerpc/perf: Clear MMCR2 when enabling PMU Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 099/259] powerpc/perf: Never program book3s PMCs with values >= 0x80000000 Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 100/259] USB: serial: ftdi_sio: Add Infineon Triboard Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 101/259] phy: core: Fix error path in phy_create() Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 102/259] ext4: fix a potential deadlock in __ext4_es_shrink() Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 103/259] parisc: add serial ports of C8000/1GHz machine to hardware database Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 104/259] parisc: fix fanotify_mark() syscall on 32bit compat kernel Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 105/259] parisc: drop unused defines and header includes Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 106/259] clk: spear3xx: Use proper control register offset Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 107/259] Bluetooth: Ignore H5 non-link packets in non-active state Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 108/259] iwlwifi: update the 7265 series HW IDs Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 109/259] mwifiex: fix Tx timeout issue Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 110/259] x86, tsc: Fix cpufreq lockup Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 111/259] perf/x86/intel: ignore CondChgd bit to avoid false NMI handling Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 112/259] perf: Do not allow optimized switch for non-cloned events Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 113/259] xen/manage: fix potential deadlock when resuming the console Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 114/259] iwlwifi: dvm: don't enable CTS to self Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 115/259] iwlwifi: mvm: disable CTS to Self Kamal Mostafa
2014-08-08 20:38 ` [PATCH 3.13 116/259] xen/balloon: set ballooned out pages as invalid in p2m Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 117/259] mtd: devices: elm: fix elm_context_save() and elm_context_restore() functions Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 118/259] fuse: timeout comparison fix Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 119/259] fuse: ignore entry-timeout on LOOKUP_REVAL Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 120/259] fuse: handle large user and group ID Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 121/259] alarmtimer: Fix bug where relative alarm timers were treated as absolute Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 122/259] irqchip: gic: Add support for cortex a7 compatible string Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 123/259] net: mvneta: fix operation in 10 Mbit/s mode Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 124/259] net: mvneta: Fix big endian issue in mvneta_txq_desc_csum() Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 125/259] igb: Workaround for i210 Errata 25: Slow System Clock Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 126/259] x86/efi: Include a .bss section within the PE/COFF headers Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 127/259] igb: do a reset on SR-IOV re-init if device is down Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 128/259] iio:core: Handle error when mask type is not separate Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 129/259] of/irq: do irq resolution in platform_get_irq_byname() Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 130/259] platform_get_irq: Revert to platform_get_resource if of_irq_get fails Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 131/259] aio: protect reqs_available updates from changes in interrupt handlers Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 132/259] hwmon: (da9052) Don't use dash in the name attribute Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 133/259] hwmon: (da9055) " Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 134/259] net/l2tp: don't fall back on UDP [get|set]sockopt Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 135/259] PM / sleep: Fix request_firmware() error at resume Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 136/259] ALSA: hda - Fix broken PM due to incomplete i915 initialization Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 137/259] tracing: Add ftrace_trace_stack into __trace_puts/__trace_bputs Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 138/259] tracing: Fix graph tracer with stack tracer on other archs Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 139/259] tracing: Add TRACE_ITER_PRINTK flag check in __trace_puts/__trace_bputs Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 140/259] dm thin metadata: do not allow the data block size to change Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 141/259] dm cache " Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 142/259] quota: missing lock in dqcache_shrink_scan() Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 143/259] ring-buffer: Fix polling on trace_pipe Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 144/259] sched: Fix possible divide by zero in avg_atom() calculation Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 145/259] locking/mutex: Disable optimistic spinning on some architectures Kamal Mostafa
2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 146/259] drm/qxl: return IRQ_NONE if it was not our irq Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 147/259] hwmon: (adt7470) Fix writes to temperature limit registers Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 148/259] cpufreq: move policy kobj to policy->cpu at resume Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 149/259] drm/radeon: avoid leaking edid data Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 150/259] drm/radeon: set default bl level to something reasonable Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 151/259] usb: chipidea: udc: Disable auto ZLP generation on ep0 Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 152/259] usb: Check if port status is equal to RxDetect Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 153/259] irqchip: gic: Fix core ID calculation when topology is read from DT Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 154/259] slab_common: fix the check for duplicate slab names Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 155/259] xtensa: add fixup for double exception raised in window overflow Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 156/259] [media] media: v4l2-core: v4l2-dv-timings.c: Cleaning up code wrong value used in aspect ratio Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 157/259] [media] hdpvr: fix two audio bugs Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 158/259] block: don't assume last put of shared tags is for the host Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 159/259] blkcg: don't call into policy draining if root_blkg is already gone Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 160/259] block: provide compat ioctl for BLKZEROOUT Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 161/259] libata: support the ata host which implements a queue depth less than 32 Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 162/259] [media] tda10071: force modulation to QPSK on DVB-S Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 163/259] [media] gspca_pac7302: Add new usb-id for Genius i-Look 317 Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 164/259] s390/ptrace: fix PSW mask check Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 165/259] ahci: add support for the Promise FastTrak TX8660 SATA HBA (ahci mode) Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 166/259] Input: fix defuzzing logic Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 167/259] tracing: Fix wraparound problems in "uptime" trace clock Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 168/259] drm/i915: Reorder the semaphore deadlock check, again Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 169/259] libata: introduce ata_host->n_tags to avoid oops on SAS controllers Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 170/259] drm/radeon: fix irq ring buffer overflow handling Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 171/259] coredump: fix the setting of PF_DUMPCORE Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 172/259] fs: umount on symlink leaks mnt count Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 173/259] hwmon: (smsc47m192) Fix temperature limit and vrm write operations Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 174/259] parisc: Remove SA_RESTORER define Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 175/259] drm/radeon: fix cut and paste issue for hawaii Kamal Mostafa
2014-08-08 20:39 ` [PATCH 3.13 176/259] parport: fix menu breakage Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 177/259] Fix gcc-4.9.0 miscompilation of load_balance() in scheduler Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 178/259] Revert "mac80211: move "bufferable MMPDU" check to fix AP mode scan" Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 179/259] scsi: handle flush errors properly Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 180/259] cfg80211: fix mic_failure tracing Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 181/259] iio: buffer: Fix demux table creation Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 182/259] iio:bma180: Fix scale factors to report correct acceleration units Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 183/259] iio:bma180: Missing check for frequency fractional part Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 184/259] powerpc/perf: Fix MMCR2 handling for EBB Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 185/259] ath9k: fix aggregation session lockup Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 186/259] sched_clock: Avoid corrupting hrtimer tree during suspend Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 187/259] staging: vt6655: Fix Warning on boot handle_irq_event_percpu Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 188/259] staging: vt6655: Fix disassociated messages every 10 seconds Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 189/259] can: c_can_platform: Fix raminit, use devm_ioremap() instead of devm_ioremap_resource() Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 190/259] crypto: arm-aes - fix encryption of unaligned data Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 191/259] ARM: fix alignment of keystone page table fixup Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 192/259] net: sendmsg: fix NULL pointer dereference Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 193/259] mm/page-writeback.c: fix divide by zero in bdi_dirty_limits() Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 194/259] mm, thp: do not allow thp faults to avoid cpuset restrictions Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 195/259] rapidio/tsi721_dma: fix failure to obtain transaction descriptor Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 196/259] memcg: oom_notify use-after-free fix Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 197/259] crypto: af_alg - properly label AF_ALG socket Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 198/259] printk: rename printk_sched to printk_deferred Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 199/259] timer: Fix lock inversion between hrtimer_bases.lock and scheduler locks Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 200/259] dm bufio: fully initialize shrinker Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 201/259] dm cache: fix race affecting dirty block count Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 202/259] netlink: Rename netlink_capable netlink_allowed Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 203/259] net: Move the permission check in sock_diag_put_filterinfo to packet_diag_dump Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 204/259] net: Add variants of capable for use on on sockets Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 205/259] net: Add variants of capable for use on netlink messages Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 206/259] net: Use netlink_ns_capable to verify the permisions of " Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 207/259] netlink: Only check file credentials for implicit destinations Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 208/259] qlcnic: info leak in qlcnic_dcb_peer_app_info() Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 209/259] netlink: rate-limit leftover bytes warning and print process name Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 210/259] bridge: Prevent insertion of FDB entry with disallowed vlan Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 211/259] net: tunnels - enable module autoloading Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 212/259] net: fix inet_getid() and ipv6_select_ident() bugs Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 213/259] team: fix mtu setting Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 214/259] tcp: fix cwnd undo on DSACK in F-RTO Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 215/259] sh_eth: use RNC mode for packet reception Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 216/259] sh_eth: fix SH7619/771x support Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 217/259] net: filter: fix typo in sparc BPF JIT Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 218/259] net: filter: fix sparc32 typo Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 219/259] net: qmi_wwan: add Olivetti Olicard modems Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 220/259] net: force a list_del() in unregister_netdevice_many() Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 221/259] ipip, sit: fix ipv4_{update_pmtu,redirect} calls Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 222/259] sfc: PIO:Restrict to 64bit arch and use 64-bit writes Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 223/259] ipv4: fix a race in ip4_datagram_release_cb() Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 224/259] rtnetlink: fix userspace API breakage for iproute2 < v3.9.0 Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 225/259] vxlan: use dev->needed_headroom instead of dev->hard_header_len Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 226/259] udp: ipv4: do not waste time in __udp4_lib_mcast_demux_lookup Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 227/259] net/mlx4_core: pass pci_device_id.driver_data to __mlx4_init_one during reset Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 228/259] net/mlx4_core: Preserve pci_dev_data after __mlx4_remove_one() Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 229/259] ip_tunnel: fix ip_tunnel_lookup Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 230/259] slip: Fix deadlock in write_wakeup Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 231/259] slcan: Port write_wakeup deadlock fix from slip Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 232/259] net: sctp: propagate sysctl errors from proc_do* properly Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 233/259] tcp: fix tcp_match_skb_to_sack() for unaligned SACK at end of an skb Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 234/259] net: sctp: check proc_dointvec result in proc_sctp_do_auth Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 235/259] 8021q: fix a potential memory leak Kamal Mostafa
2014-08-08 20:40 ` [PATCH 3.13 236/259] net: huawei_cdc_ncm: increase command buffer size Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 237/259] ipv4: fix dst race in sk_dst_get() Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 238/259] ipv4: irq safe sk_dst_[re]set() and ipv4_sk_update_pmtu() fix Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 239/259] net: fix sparse warning in sk_dst_set() Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 240/259] vlan: free percpu stats in device destructor Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 241/259] bnx2x: fix possible panic under memory stress Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 242/259] tcp: Fix divide by zero when pushing during tcp-repair Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 243/259] ipv4: icmp: Fix pMTU handling for rare case Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 244/259] net: qmi_wwan: Add ID for Telewell TW-LTE 4G v2 Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 245/259] net: qmi_wwan: add two Sierra Wireless/Netgear devices Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 246/259] net: Fix NETDEV_CHANGE notifier usage causing spurious arp flush Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 247/259] igmp: fix the problem when mc leave group Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 248/259] tcp: fix false undo corner cases Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 249/259] appletalk: Fix socket referencing in skb Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 250/259] netlink: Fix handling of error from netlink_dump() Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 251/259] be2net: set EQ DB clear-intr bit in be_open() Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 252/259] tipc: clear 'next'-pointer of message fragments before reassembly Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 253/259] net: sctp: fix information leaks in ulpevent layer Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 254/259] net: pppoe: use correct channel MTU when using Multilink PPP Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 255/259] sunvnet: clean up objects created in vnet_new() on vnet_exit() Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 256/259] net: huawei_cdc_ncm: add "subclass 3" devices Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 257/259] dns_resolver: assure that dns_query() result is null-terminated Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 258/259] dns_resolver: Null-terminate the right string Kamal Mostafa
2014-08-08 20:41 ` [PATCH 3.13 259/259] ipv4: fix buffer overflow in ip_options_compile() Kamal Mostafa
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.