* [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review
@ 2015-09-22 17:50 Kamal Mostafa
2015-09-22 17:50 ` [PATCH 3.19.y-ckt 001/102] [3.19-stable only] Revert "dmaengine: pl330: Fix overflow when reporting residue in memcpy" Kamal Mostafa
` (102 more replies)
0 siblings, 103 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:50 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Kamal Mostafa
This is the start of the review cycle for the Linux 3.19.8-ckt7 stable kernel.
This version contains 102 new patches, summarized below. The new patches are
posted as replies to this message and also available in this git branch:
http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-3.19.y-review
git://kernel.ubuntu.com/ubuntu/linux.git linux-3.19.y-review
The review period for version 3.19.8-ckt7 will be open for the next three days.
To report a problem, please reply to the relevant follow-up patch message.
For more information about the Linux 3.19.y-ckt extended stable kernel version,
see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable .
-Kamal
--
arch/arm64/kvm/inject_fault.c | 12 +-
arch/mips/ath79/setup.c | 1 +
arch/mips/include/asm/pgtable.h | 31 +++
arch/mips/include/asm/stackframe.h | 25 +++
arch/mips/kernel/mips-mt-fpaff.c | 5 +-
arch/mips/kernel/scall64-64.S | 2 +-
arch/mips/kernel/scall64-n32.S | 2 +-
arch/mips/kernel/traps.c | 13 ++
arch/mips/lantiq/irq.c | 1 +
arch/mips/mti-malta/malta-time.c | 16 +-
arch/mips/mti-sead3/sead3-time.c | 1 +
arch/mips/ralink/irq.c | 1 +
arch/sparc/include/asm/visasm.h | 16 +-
arch/sparc/lib/NG4memcpy.S | 5 +-
arch/sparc/lib/VISsave.S | 67 +------
arch/sparc/lib/ksyms.c | 4 -
arch/x86/include/asm/desc.h | 15 --
arch/x86/include/asm/mmu.h | 3 +-
arch/x86/include/asm/mmu_context.h | 48 ++++-
arch/x86/kernel/cpu/common.c | 4 +-
arch/x86/kernel/cpu/perf_event.c | 13 +-
arch/x86/kernel/ldt.c | 262 ++++++++++++++-----------
arch/x86/kernel/process_64.c | 4 +-
arch/x86/kernel/step.c | 8 +-
arch/x86/kvm/x86.c | 2 +-
arch/x86/math-emu/fpu_entry.c | 3 +-
arch/x86/math-emu/fpu_system.h | 21 +-
arch/x86/math-emu/get_address.c | 3 +-
arch/x86/power/cpu.c | 3 +-
arch/x86/xen/Kconfig | 4 +-
arch/x86/xen/Makefile | 4 +-
arch/x86/xen/xen-ops.h | 6 +-
block/blk-settings.c | 4 +-
drivers/ata/libata-core.c | 2 +
drivers/base/regmap/regcache-rbtree.c | 19 +-
drivers/block/rbd.c | 22 ++-
drivers/block/xen-blkback/blkback.c | 4 +-
drivers/block/xen-blkfront.c | 6 +-
drivers/char/hw_random/core.c | 2 +-
drivers/char/ipmi/ipmi_powernv.c | 1 +
drivers/crypto/caam/caamhash.c | 7 +-
drivers/crypto/ixp4xx_crypto.c | 1 -
drivers/crypto/qat/qat_common/qat_algs.c | 24 ++-
drivers/dma/pl330.c | 1 -
drivers/edac/ppc4xx_edac.c | 2 +-
drivers/gpu/drm/drm_dp_mst_topology.c | 20 +-
drivers/gpu/drm/i915/intel_lrc.c | 2 +
drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 4 +-
drivers/input/keyboard/gpio_keys_polled.c | 2 +-
drivers/md/dm-thin-metadata.c | 4 +-
drivers/md/dm.c | 27 +--
drivers/md/md.c | 2 +
drivers/md/persistent-data/dm-btree-internal.h | 6 +
drivers/md/persistent-data/dm-btree-remove.c | 12 +-
drivers/md/persistent-data/dm-btree-spine.c | 37 ++++
drivers/md/persistent-data/dm-btree.c | 7 +-
drivers/md/raid1.c | 10 +-
drivers/mfd/arizona-core.c | 14 +-
drivers/net/bonding/bond_main.c | 20 ++
drivers/net/ethernet/brocade/bna/bnad.c | 2 +-
drivers/net/ethernet/rocker/rocker.c | 1 +
drivers/net/phy/phy.c | 16 +-
drivers/net/virtio_net.c | 4 +-
drivers/net/wireless/rtlwifi/rtl8723be/sw.c | 1 +
drivers/pci/Kconfig | 2 +-
drivers/scsi/fnic/fnic.h | 2 +-
drivers/scsi/fnic/fnic_scsi.c | 4 +-
drivers/scsi/libfc/fc_exch.c | 8 +-
drivers/scsi/libfc/fc_fcp.c | 19 +-
drivers/scsi/libiscsi.c | 25 +--
drivers/scsi/scsi_pm.c | 22 +--
drivers/scsi/sd.c | 6 +-
drivers/staging/vt6655/device_main.c | 5 +-
drivers/target/iscsi/iscsi_target.c | 2 +-
drivers/target/target_core_spc.c | 13 +-
drivers/usb/chipidea/core.c | 13 +-
drivers/usb/chipidea/host.c | 7 +-
drivers/usb/chipidea/host.h | 6 +
drivers/usb/gadget/function/f_uac2.c | 4 +-
drivers/usb/gadget/udc/udc-core.c | 1 +
drivers/usb/host/xhci-mem.c | 3 +-
drivers/usb/host/xhci-ring.c | 2 +-
drivers/usb/serial/option.c | 2 +
drivers/usb/serial/qcserial.c | 2 +-
drivers/usb/serial/sierra.c | 1 +
drivers/video/fbdev/Kconfig | 2 +-
drivers/xen/gntdev.c | 42 ++--
fs/nfsd/nfs4xdr.c | 11 +-
fs/notify/mark.c | 30 ++-
fs/ocfs2/dlmglue.c | 10 +-
include/drm/drm_crtc.h | 2 -
include/drm/drm_pciids.h | 1 +
include/net/ip.h | 1 +
include/uapi/linux/pci_regs.h | 1 +
ipc/mqueue.c | 5 -
ipc/sem.c | 41 +++-
kernel/cpuset.c | 2 +-
kernel/events/core.c | 87 +++++---
mm/memory-failure.c | 2 +
mm/vmscan.c | 14 +-
net/batman-adv/soft-interface.c | 3 +
net/batman-adv/translation-table.c | 29 ++-
net/bridge/br_netlink.c | 2 +
net/core/datagram.c | 28 +--
net/core/pktgen.c | 4 +-
net/core/rtnetlink.c | 166 ++++++++--------
net/ipv4/datagram.c | 16 +-
net/ipv4/udp.c | 13 +-
net/ipv6/addrconf.c | 17 +-
net/ipv6/datagram.c | 20 +-
net/ipv6/ip6_gre.c | 1 +
net/ipv6/ip6_offload.c | 2 -
net/key/af_key.c | 46 ++---
net/netlink/af_netlink.c | 79 +++++---
net/rds/connection.c | 6 +
net/rds/info.c | 2 +-
net/sched/sch_fq_codel.c | 22 ++-
net/tipc/socket.c | 1 +
scripts/kconfig/streamline_config.pl | 2 +-
sound/firewire/amdtp.c | 5 +-
sound/firewire/amdtp.h | 2 +
sound/firewire/fireworks/fireworks.c | 8 +
sound/firewire/fireworks/fireworks.h | 1 +
sound/firewire/fireworks/fireworks_stream.c | 9 +
sound/usb/card.c | 2 +-
sound/usb/quirks.c | 1 +
126 files changed, 1099 insertions(+), 679 deletions(-)
Alan Stern (2):
usb: udc: core: add device_del() call to error pathway
SCSI: Fix NULL pointer dereference in runtime PM
Alban Crequy (1):
cpuset: use trialcs->mems_allowed as a temp variable
Alex Deucher (1):
drm/radeon: add new OLAND pci id
Alexei Potashnik (1):
target/iscsi: Fix double free of a TUR followed by a solicited NOPOUT
Alistair Popple (1):
ipmi/powernv: Fix minor locking bug
Andy Lutomirski (2):
x86/ldt: Make modify_ldt synchronous
x86/ldt: Further fix FPU emulation
Bart Van Assche (2):
libfc: Fix fc_exch_recv_req() error path
libfc: Fix fc_fcp_cleanup_each_cmd()
Bjorn Helgaas (1):
PCI: Don't use 64-bit bus addresses on PA-RISC
Bob Liu (2):
xen-blkfront: don't add indirect pages to list when !feature_persistent
xen-blkback: replace work_pending with work_busy in purge_persistent_gnt()
Charles Keepax (1):
mfd: arizona: Fix initialisation of the PM runtime
Chris Wilson (1):
drm/i915: Flag the execlists context object as dirty after every use
Dan Carpenter (1):
rds: fix an integer overflow test in rds_info_getsockopt()
Daniel Borkmann (1):
rtnetlink: verify IFLA_VF_INFO attributes before passing them to driver
Daniel Vetter (1):
drm/dp-mst: Remove debug WARN_ON
David Ahern (1):
net: Fix RCU splat in af_key
David Daney (1):
MIPS: Make set_pte() SMP safe.
David S. Miller (1):
sparc64: Fix userspace FPU register corruptions.
David Vrabel (2):
xen/gntdev: convert priv->lock to a mutex
x86/xen: make CONFIG_XEN depend on CONFIG_X86_LOCAL_APIC
Dirk Behme (1):
USB: sierra: add 1199:68AB device ID
Eric Dumazet (3):
fq_codel: explicitly reset flows in ->reset()
udp: fix dst races with multicast early demux
ipv6: lock socket in ip6_datagram_connect()
Felix Fietkau (2):
MIPS: Fix sched_getaffinity with MT FPAFF enabled
MIPS: Export get_c0_perfcount_int()
Florian Westphal (1):
netlink: don't hold mutex in rcu callback when releasing mmapd ring
Gavin Shan (1):
drivers/usb: Delete XHCI command timer if necessary
Guenter Roeck (1):
regmap: regcache-rbtree: Clean new present bits on present bitmap resize
Guillermo A. Amaral (1):
Add factory recertified Crucial M500s to blacklist
Haozhong Zhang (1):
KVM: x86: Use adjustment in guest cycles when handling MSR_IA32_TSC_ADJUST
Herbert Xu (4):
crypto: ixp4xx - Remove bogus BUG_ON on scattered dst buffer
net: Fix skb_set_peeked use-after-free bug
net: Fix skb csum races when peeking
Revert "sit: Add gro callbacks to sit_offload"
Herton R. Krzesinski (1):
ipc,sem: fix use after free on IPC_RMID after a task using same semaphore set exits
Hiral Shah (1):
fnic: Use the local variable instead of I/O flag to acquire io_req_lock in fnic_queuecommand() to avoid deadloack
Horia Geant? (1):
crypto: caam - fix memory corruption in ahash_final_ctx
Ido Schimmel (1):
rocker: free netdevice during netdevice removal
Ilya Dryomov (1):
rbd: fix copyup completion race
Ivan Vecera (1):
bna: fix interrupts storm caused by erroneous packets
James Hogan (4):
MIPS: Malta: Don't reinitialise RTC
MIPS: do_mcheck: Fix kernel code dump with EVA
MIPS: show_stack: Fix stack trace with EVA
MIPS: Flush RPS on kernel entry with EVA
Jan Kara (1):
fsnotify: fix oops in fsnotify_clear_marks_by_group_flags()
Jason A. Donenfeld (1):
x86/xen: build "Xen PV" APIC driver for domU as well
Jason Wang (1):
virtio-net: drop NETIF_F_FRAGLIST
Joe Thornber (2):
dm thin metadata: delete btrees when releasing metadata snapshot
dm btree: add ref counting ops for the leaves of top level btrees
John Soni Jose (1):
libiscsi: Fix host busy blocking during connection teardown
Joseph Qi (1):
ocfs2: fix BUG in ocfs2_downconvert_thread_do_work()
Juergen Gross (2):
x86/ldt: Correct LDT access in single stepping logic
x86/ldt: Correct FPU emulation access to LDT
Jurgen Kramer (1):
ALSA: usb: Add native DSD support for Gustard DAC-X20U
Kamal Mostafa (1):
[3.19-stable only] Revert "dmaengine: pl330: Fix overflow when reporting residue in memcpy"
Kinglong Mee (1):
nfsd: Drop BUG_ON and ignore SECLABEL on absent filesystem
Larry Finger (1):
rtlwifi: rtl8723be: Add module parameter for MSI interrupts
Linus Walleij (1):
fbdev: select versatile helpers for the integrator
Maarten Lankhorst (1):
drm/dp/mst: Remove port after removing connector.
Malcolm Priestley (1):
staging: vt6655: vnt_bss_info_changed check conf->beacon_rate is not NULL
Manfred Spraul (1):
ipc/sem.c: update/correct memory barriers
Marc Zyngier (1):
arm64: KVM: Fix host crash when injecting a fault into a 32bit guest
Marcelo Leitner (1):
ipv6: addrconf: validate new MTU before applying it
Marcus Gelderie (1):
ipc: modify message queue accounting to not take kernel data structures into account
Marek Lindner (2):
batman-adv: protect tt_local_entry from concurrent delete events
batman-adv: fix kernel crash due to missing NULL checks
Marek Marczykowski-Górecki (1):
xen/gntdevt: Fix race condition in gntdev_release()
Markos Chandras (1):
MIPS: Fix seccomp syscall argument for MIPS64
Martin K. Petersen (1):
sd: Fix maximum I/O size for BLOCK_PC requests
Martin Schwidefsky (1):
hwrng: core - correct error check of kthread_run call
Mathias Nyman (1):
xhci: fix off by one error in TRB DMA address boundary check
Michael S. Tsirkin (1):
PCI: Restore PCI_MSIX_FLAGS_BIRMASK definition
Michael Walle (1):
EDAC, ppc4xx: Access mci->csrows array elements properly
Michal Hocko (1):
mm, vmscan: Do not wait for page writeback for GFP_NOFS allocations
Mike Snitzer (1):
dm: fix dm_merge_bvec regression on 32 bit systems
NeilBrown (2):
md: flush ->event_work before stopping array.
md/raid1: extend spinlock to protect raid1_end_read_request against inconsistencies
Nikolay Aleksandrov (1):
bridge: netlink: account for the IFLA_BRPORT_PROXYARP attribute size and policy
Oleg Nesterov (1):
net: pktgen: fix race between pktgen_thread_worker() and kthread_stop()
Peter Chen (2):
usb: chipidea: ehci_init_driver is intended to call one time
usb: gadget: f_uac2: fix calculation of uac2->p_interval
Peter Zijlstra (2):
perf: Fix fasync handling on inherited events
perf: Fix PERF_EVENT_IOC_PERIOD migration race
Pieter Hollants (1):
USB: qcserial: Add support for Dell Wireless 5809e 4G Modem
Reinhard Speyerer (1):
USB: qcserial/option: make AT URCs work for Sierra Wireless MC7305/MC7355
Richard Weinberger (1):
localmodconfig: Use Kbuild files too
Roland Dreier (1):
target: REPORT LUNS should return LUN 0 even for dynamic ACLs
Russell King (1):
net: phy: add locking to phy_read_mmd_indirect()/phy_write_mmd_indirect()
Sasha Levin (1):
RDS: verify the underlying transport exists before creating a connection
Stephen Smalley (1):
net/tipc: initialize security state for new connection socket
Tadeusz Struk (1):
crypto: qat - Fix invalid synchronization between register/unregister sym algs
Takashi Iwai (1):
ALSA: usb-audio: Fix runtime PM unbalance
Takashi Sakamoto (1):
ALSA: fireworks/firewire-lib: add support for recent firmware quirk
Thomas Hellstrom (1):
drm/vmwgfx: Fix execbuf locking issues
Vincent Pelletier (1):
Input: gpio_keys_polled - request GPIO pin as input.
Wanpeng Li (1):
mm/hwpoison: fix page refcount of unknown non LRU page
dingtianhong (1):
bonding: correct the MAC address for "follow" fail_over_mac policy
huaibin Wang (1):
ip6_gre: release cached dst on tunnel removal
^ permalink raw reply [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 001/102] [3.19-stable only] Revert "dmaengine: pl330: Fix overflow when reporting residue in memcpy"
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
@ 2015-09-22 17:50 ` Kamal Mostafa
2015-09-22 17:50 ` [PATCH 3.19.y-ckt 002/102] x86/ldt: Make modify_ldt synchronous Kamal Mostafa
` (101 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:50 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Kamal Mostafa <kamal@canonical.com>
This reverts commit 3f99e272649b084999266a5049d4faadee378830.
Not suitable for 3.19-stable:
'struct dma_pl330_desc' has no member named 'bytes_requested'
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/dma/pl330.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c
index c068ef1..bdf40b5 100644
--- a/drivers/dma/pl330.c
+++ b/drivers/dma/pl330.c
@@ -2521,7 +2521,6 @@ pl330_prep_dma_memcpy(struct dma_chan *chan, dma_addr_t dst,
desc->rqcfg.brst_len = 1;
desc->rqcfg.brst_len = get_burst_len(desc, len);
- desc->bytes_requested = len;
desc->txd.flags = flags;
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 002/102] x86/ldt: Make modify_ldt synchronous
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
2015-09-22 17:50 ` [PATCH 3.19.y-ckt 001/102] [3.19-stable only] Revert "dmaengine: pl330: Fix overflow when reporting residue in memcpy" Kamal Mostafa
2015-09-22 17:50 ` [PATCH 3.19.y-ckt 002/102] x86/ldt: Make modify_ldt synchronous Kamal Mostafa
@ 2015-09-22 17:50 ` Kamal Mostafa
2015-09-22 17:50 ` [PATCH 3.19.y-ckt 003/102] x86/ldt: Correct LDT access in single stepping logic Kamal Mostafa
` (99 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:50 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Andy Lutomirski, Andrew Cooper, Andy Lutomirski, Boris Ostrovsky,
Borislav Petkov, Brian Gerst, Denys Vlasenko, H. Peter Anvin,
Jan Beulich, Konrad Rzeszutek Wilk, Linus Torvalds,
Peter Zijlstra, Sasha Levin, Steven Rostedt, Thomas Gleixner,
security, xen-devel, Ingo Molnar, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Lutomirski <luto@kernel.org>
commit 37868fe113ff2ba814b3b4eb12df214df555f8dc upstream.
modify_ldt() has questionable locking and does not synchronize
threads. Improve it: redesign the locking and synchronize all
threads' LDTs using an IPI on all modifications.
This will dramatically slow down modify_ldt in multithreaded
programs, but there shouldn't be any multithreaded programs that
care about modify_ldt's performance in the first place.
This fixes some fallout from the CVE-2015-5157 fixes.
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Reviewed-by: Borislav Petkov <bp@suse.de>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sasha Levin <sasha.levin@oracle.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: security@kernel.org <security@kernel.org>
Cc: xen-devel <xen-devel@lists.xen.org>
Link: http://lkml.kernel.org/r/4c6978476782160600471bd865b318db34c7b628.1438291540.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[ kamal: backport to 3.13-stable: dropped comment changes in switch_mm();
included asm/mmu_context.h in perf_event.c; context ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/x86/include/asm/desc.h | 15 ---
arch/x86/include/asm/mmu.h | 3 +-
arch/x86/include/asm/mmu_context.h | 48 ++++++-
arch/x86/kernel/cpu/common.c | 4 +-
arch/x86/kernel/cpu/perf_event.c | 13 +-
arch/x86/kernel/ldt.c | 262 ++++++++++++++++++++-----------------
arch/x86/kernel/process_64.c | 4 +-
arch/x86/kernel/step.c | 6 +-
arch/x86/power/cpu.c | 3 +-
9 files changed, 208 insertions(+), 150 deletions(-)
diff --git a/arch/x86/include/asm/desc.h b/arch/x86/include/asm/desc.h
index a94b82e..6912618 100644
--- a/arch/x86/include/asm/desc.h
+++ b/arch/x86/include/asm/desc.h
@@ -280,21 +280,6 @@ static inline void clear_LDT(void)
set_ldt(NULL, 0);
}
-/*
- * load one particular LDT into the current CPU
- */
-static inline void load_LDT_nolock(mm_context_t *pc)
-{
- set_ldt(pc->ldt, pc->size);
-}
-
-static inline void load_LDT(mm_context_t *pc)
-{
- preempt_disable();
- load_LDT_nolock(pc);
- preempt_enable();
-}
-
static inline unsigned long get_desc_base(const struct desc_struct *desc)
{
return (unsigned)(desc->base0 | ((desc->base1) << 16) | ((desc->base2) << 24));
diff --git a/arch/x86/include/asm/mmu.h b/arch/x86/include/asm/mmu.h
index 876e74e..b6b7bc3 100644
--- a/arch/x86/include/asm/mmu.h
+++ b/arch/x86/include/asm/mmu.h
@@ -9,8 +9,7 @@
* we put the segment information here.
*/
typedef struct {
- void *ldt;
- int size;
+ struct ldt_struct *ldt;
#ifdef CONFIG_X86_64
/* True if mm supports a task running in 32 bit compatibility mode. */
diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
index 4b75d59..1ab38a4 100644
--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
@@ -19,6 +19,50 @@ static inline void paravirt_activate_mm(struct mm_struct *prev,
#endif /* !CONFIG_PARAVIRT */
/*
+ * ldt_structs can be allocated, used, and freed, but they are never
+ * modified while live.
+ */
+struct ldt_struct {
+ /*
+ * Xen requires page-aligned LDTs with special permissions. This is
+ * needed to prevent us from installing evil descriptors such as
+ * call gates. On native, we could merge the ldt_struct and LDT
+ * allocations, but it's not worth trying to optimize.
+ */
+ struct desc_struct *entries;
+ int size;
+};
+
+static inline void load_mm_ldt(struct mm_struct *mm)
+{
+ struct ldt_struct *ldt;
+
+ /* lockless_dereference synchronizes with smp_store_release */
+ ldt = lockless_dereference(mm->context.ldt);
+
+ /*
+ * Any change to mm->context.ldt is followed by an IPI to all
+ * CPUs with the mm active. The LDT will not be freed until
+ * after the IPI is handled by all such CPUs. This means that,
+ * if the ldt_struct changes before we return, the values we see
+ * will be safe, and the new values will be loaded before we run
+ * any user code.
+ *
+ * NB: don't try to convert this to use RCU without extreme care.
+ * We would still need IRQs off, because we don't want to change
+ * the local LDT after an IPI loaded a newer value than the one
+ * that we can see.
+ */
+
+ if (unlikely(ldt))
+ set_ldt(ldt->entries, ldt->size);
+ else
+ clear_LDT();
+
+ DEBUG_LOCKS_WARN_ON(preemptible());
+}
+
+/*
* Used for LDT copy/destruction.
*/
int init_new_context(struct task_struct *tsk, struct mm_struct *mm);
@@ -63,7 +107,7 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
* prev->context.ldt won't be equal to next->context.ldt.
*/
if (unlikely(prev->context.ldt != next->context.ldt))
- load_LDT_nolock(&next->context);
+ load_mm_ldt(next);
}
#ifdef CONFIG_SMP
else {
@@ -85,7 +129,7 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
*/
load_cr3(next->pgd);
trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL);
- load_LDT_nolock(&next->context);
+ load_mm_ldt(next);
}
}
#endif
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index c604965..382a097 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -1366,7 +1366,7 @@ void cpu_init(void)
load_sp0(t, ¤t->thread);
set_tss_desc(cpu, t);
load_TR_desc();
- load_LDT(&init_mm.context);
+ load_mm_ldt(&init_mm);
clear_all_debug_regs();
dbg_restore_debug_regs();
@@ -1409,7 +1409,7 @@ void cpu_init(void)
load_sp0(t, thread);
set_tss_desc(cpu, t);
load_TR_desc();
- load_LDT(&init_mm.context);
+ load_mm_ldt(&init_mm);
t->x86_tss.io_bitmap_base = offsetof(struct tss_struct, io_bitmap);
diff --git a/arch/x86/kernel/cpu/perf_event.c b/arch/x86/kernel/cpu/perf_event.c
index 143e5f5..82adb1a 100644
--- a/arch/x86/kernel/cpu/perf_event.c
+++ b/arch/x86/kernel/cpu/perf_event.c
@@ -31,6 +31,7 @@
#include <asm/nmi.h>
#include <asm/smp.h>
#include <asm/alternative.h>
+#include <asm/mmu_context.h>
#include <asm/timer.h>
#include <asm/desc.h>
#include <asm/ldt.h>
@@ -1986,21 +1987,25 @@ static unsigned long get_segment_base(unsigned int segment)
int idx = segment >> 3;
if ((segment & SEGMENT_TI_MASK) == SEGMENT_LDT) {
+ struct ldt_struct *ldt;
+
if (idx > LDT_ENTRIES)
return 0;
- if (idx > current->active_mm->context.size)
+ /* IRQs are off, so this synchronizes with smp_store_release */
+ ldt = lockless_dereference(current->active_mm->context.ldt);
+ if (!ldt || idx > ldt->size)
return 0;
- desc = current->active_mm->context.ldt;
+ desc = &ldt->entries[idx];
} else {
if (idx > GDT_ENTRIES)
return 0;
- desc = raw_cpu_ptr(gdt_page.gdt);
+ desc = raw_cpu_ptr(gdt_page.gdt) + idx;
}
- return get_desc_base(desc + idx);
+ return get_desc_base(desc);
}
#ifdef CONFIG_COMPAT
diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
index c37886d..2bcc052 100644
--- a/arch/x86/kernel/ldt.c
+++ b/arch/x86/kernel/ldt.c
@@ -12,6 +12,7 @@
#include <linux/string.h>
#include <linux/mm.h>
#include <linux/smp.h>
+#include <linux/slab.h>
#include <linux/vmalloc.h>
#include <linux/uaccess.h>
@@ -20,82 +21,82 @@
#include <asm/mmu_context.h>
#include <asm/syscalls.h>
-#ifdef CONFIG_SMP
+/* context.lock is held for us, so we don't need any locking. */
static void flush_ldt(void *current_mm)
{
- if (current->active_mm == current_mm)
- load_LDT(¤t->active_mm->context);
+ mm_context_t *pc;
+
+ if (current->active_mm != current_mm)
+ return;
+
+ pc = ¤t->active_mm->context;
+ set_ldt(pc->ldt->entries, pc->ldt->size);
}
-#endif
-static int alloc_ldt(mm_context_t *pc, int mincount, int reload)
+/* The caller must call finalize_ldt_struct on the result. LDT starts zeroed. */
+static struct ldt_struct *alloc_ldt_struct(int size)
{
- void *oldldt, *newldt;
- int oldsize;
-
- if (mincount <= pc->size)
- return 0;
- oldsize = pc->size;
- mincount = (mincount + (PAGE_SIZE / LDT_ENTRY_SIZE - 1)) &
- (~(PAGE_SIZE / LDT_ENTRY_SIZE - 1));
- if (mincount * LDT_ENTRY_SIZE > PAGE_SIZE)
- newldt = vmalloc(mincount * LDT_ENTRY_SIZE);
+ struct ldt_struct *new_ldt;
+ int alloc_size;
+
+ if (size > LDT_ENTRIES)
+ return NULL;
+
+ new_ldt = kmalloc(sizeof(struct ldt_struct), GFP_KERNEL);
+ if (!new_ldt)
+ return NULL;
+
+ BUILD_BUG_ON(LDT_ENTRY_SIZE != sizeof(struct desc_struct));
+ alloc_size = size * LDT_ENTRY_SIZE;
+
+ /*
+ * Xen is very picky: it requires a page-aligned LDT that has no
+ * trailing nonzero bytes in any page that contains LDT descriptors.
+ * Keep it simple: zero the whole allocation and never allocate less
+ * than PAGE_SIZE.
+ */
+ if (alloc_size > PAGE_SIZE)
+ new_ldt->entries = vzalloc(alloc_size);
else
- newldt = (void *)__get_free_page(GFP_KERNEL);
-
- if (!newldt)
- return -ENOMEM;
+ new_ldt->entries = kzalloc(PAGE_SIZE, GFP_KERNEL);
- if (oldsize)
- memcpy(newldt, pc->ldt, oldsize * LDT_ENTRY_SIZE);
- oldldt = pc->ldt;
- memset(newldt + oldsize * LDT_ENTRY_SIZE, 0,
- (mincount - oldsize) * LDT_ENTRY_SIZE);
+ if (!new_ldt->entries) {
+ kfree(new_ldt);
+ return NULL;
+ }
- paravirt_alloc_ldt(newldt, mincount);
+ new_ldt->size = size;
+ return new_ldt;
+}
-#ifdef CONFIG_X86_64
- /* CHECKME: Do we really need this ? */
- wmb();
-#endif
- pc->ldt = newldt;
- wmb();
- pc->size = mincount;
- wmb();
-
- if (reload) {
-#ifdef CONFIG_SMP
- preempt_disable();
- load_LDT(pc);
- if (!cpumask_equal(mm_cpumask(current->mm),
- cpumask_of(smp_processor_id())))
- smp_call_function(flush_ldt, current->mm, 1);
- preempt_enable();
-#else
- load_LDT(pc);
-#endif
- }
- if (oldsize) {
- paravirt_free_ldt(oldldt, oldsize);
- if (oldsize * LDT_ENTRY_SIZE > PAGE_SIZE)
- vfree(oldldt);
- else
- put_page(virt_to_page(oldldt));
- }
- return 0;
+/* After calling this, the LDT is immutable. */
+static void finalize_ldt_struct(struct ldt_struct *ldt)
+{
+ paravirt_alloc_ldt(ldt->entries, ldt->size);
}
-static inline int copy_ldt(mm_context_t *new, mm_context_t *old)
+/* context.lock is held */
+static void install_ldt(struct mm_struct *current_mm,
+ struct ldt_struct *ldt)
{
- int err = alloc_ldt(new, old->size, 0);
- int i;
+ /* Synchronizes with lockless_dereference in load_mm_ldt. */
+ smp_store_release(¤t_mm->context.ldt, ldt);
+
+ /* Activate the LDT for all CPUs using current_mm. */
+ on_each_cpu_mask(mm_cpumask(current_mm), flush_ldt, current_mm, true);
+}
- if (err < 0)
- return err;
+static void free_ldt_struct(struct ldt_struct *ldt)
+{
+ if (likely(!ldt))
+ return;
- for (i = 0; i < old->size; i++)
- write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
- return 0;
+ paravirt_free_ldt(ldt->entries, ldt->size);
+ if (ldt->size * LDT_ENTRY_SIZE > PAGE_SIZE)
+ vfree(ldt->entries);
+ else
+ kfree(ldt->entries);
+ kfree(ldt);
}
/*
@@ -104,17 +105,37 @@ static inline int copy_ldt(mm_context_t *new, mm_context_t *old)
*/
int init_new_context(struct task_struct *tsk, struct mm_struct *mm)
{
+ struct ldt_struct *new_ldt;
struct mm_struct *old_mm;
int retval = 0;
mutex_init(&mm->context.lock);
- mm->context.size = 0;
old_mm = current->mm;
- if (old_mm && old_mm->context.size > 0) {
- mutex_lock(&old_mm->context.lock);
- retval = copy_ldt(&mm->context, &old_mm->context);
- mutex_unlock(&old_mm->context.lock);
+ if (!old_mm) {
+ mm->context.ldt = NULL;
+ return 0;
}
+
+ mutex_lock(&old_mm->context.lock);
+ if (!old_mm->context.ldt) {
+ mm->context.ldt = NULL;
+ goto out_unlock;
+ }
+
+ new_ldt = alloc_ldt_struct(old_mm->context.ldt->size);
+ if (!new_ldt) {
+ retval = -ENOMEM;
+ goto out_unlock;
+ }
+
+ memcpy(new_ldt->entries, old_mm->context.ldt->entries,
+ new_ldt->size * LDT_ENTRY_SIZE);
+ finalize_ldt_struct(new_ldt);
+
+ mm->context.ldt = new_ldt;
+
+out_unlock:
+ mutex_unlock(&old_mm->context.lock);
return retval;
}
@@ -125,53 +146,47 @@ int init_new_context(struct task_struct *tsk, struct mm_struct *mm)
*/
void destroy_context(struct mm_struct *mm)
{
- if (mm->context.size) {
-#ifdef CONFIG_X86_32
- /* CHECKME: Can this ever happen ? */
- if (mm == current->active_mm)
- clear_LDT();
-#endif
- paravirt_free_ldt(mm->context.ldt, mm->context.size);
- if (mm->context.size * LDT_ENTRY_SIZE > PAGE_SIZE)
- vfree(mm->context.ldt);
- else
- put_page(virt_to_page(mm->context.ldt));
- mm->context.size = 0;
- }
+ free_ldt_struct(mm->context.ldt);
+ mm->context.ldt = NULL;
}
static int read_ldt(void __user *ptr, unsigned long bytecount)
{
- int err;
+ int retval;
unsigned long size;
struct mm_struct *mm = current->mm;
- if (!mm->context.size)
- return 0;
+ mutex_lock(&mm->context.lock);
+
+ if (!mm->context.ldt) {
+ retval = 0;
+ goto out_unlock;
+ }
+
if (bytecount > LDT_ENTRY_SIZE * LDT_ENTRIES)
bytecount = LDT_ENTRY_SIZE * LDT_ENTRIES;
- mutex_lock(&mm->context.lock);
- size = mm->context.size * LDT_ENTRY_SIZE;
+ size = mm->context.ldt->size * LDT_ENTRY_SIZE;
if (size > bytecount)
size = bytecount;
- err = 0;
- if (copy_to_user(ptr, mm->context.ldt, size))
- err = -EFAULT;
- mutex_unlock(&mm->context.lock);
- if (err < 0)
- goto error_return;
+ if (copy_to_user(ptr, mm->context.ldt->entries, size)) {
+ retval = -EFAULT;
+ goto out_unlock;
+ }
+
if (size != bytecount) {
- /* zero-fill the rest */
- if (clear_user(ptr + size, bytecount - size) != 0) {
- err = -EFAULT;
- goto error_return;
+ /* Zero-fill the rest and pretend we read bytecount bytes. */
+ if (clear_user(ptr + size, bytecount - size)) {
+ retval = -EFAULT;
+ goto out_unlock;
}
}
- return bytecount;
-error_return:
- return err;
+ retval = bytecount;
+
+out_unlock:
+ mutex_unlock(&mm->context.lock);
+ return retval;
}
static int read_default_ldt(void __user *ptr, unsigned long bytecount)
@@ -195,6 +210,8 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode)
struct desc_struct ldt;
int error;
struct user_desc ldt_info;
+ int oldsize, newsize;
+ struct ldt_struct *new_ldt, *old_ldt;
error = -EINVAL;
if (bytecount != sizeof(ldt_info))
@@ -213,34 +230,39 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode)
goto out;
}
- mutex_lock(&mm->context.lock);
- if (ldt_info.entry_number >= mm->context.size) {
- error = alloc_ldt(¤t->mm->context,
- ldt_info.entry_number + 1, 1);
- if (error < 0)
- goto out_unlock;
- }
-
- /* Allow LDTs to be cleared by the user. */
- if (ldt_info.base_addr == 0 && ldt_info.limit == 0) {
- if (oldmode || LDT_empty(&ldt_info)) {
- memset(&ldt, 0, sizeof(ldt));
- goto install;
+ if ((oldmode && !ldt_info.base_addr && !ldt_info.limit) ||
+ LDT_empty(&ldt_info)) {
+ /* The user wants to clear the entry. */
+ memset(&ldt, 0, sizeof(ldt));
+ } else {
+ if (!IS_ENABLED(CONFIG_X86_16BIT) && !ldt_info.seg_32bit) {
+ error = -EINVAL;
+ goto out;
}
+
+ fill_ldt(&ldt, &ldt_info);
+ if (oldmode)
+ ldt.avl = 0;
}
- if (!IS_ENABLED(CONFIG_X86_16BIT) && !ldt_info.seg_32bit) {
- error = -EINVAL;
+ mutex_lock(&mm->context.lock);
+
+ old_ldt = mm->context.ldt;
+ oldsize = old_ldt ? old_ldt->size : 0;
+ newsize = max((int)(ldt_info.entry_number + 1), oldsize);
+
+ error = -ENOMEM;
+ new_ldt = alloc_ldt_struct(newsize);
+ if (!new_ldt)
goto out_unlock;
- }
- fill_ldt(&ldt, &ldt_info);
- if (oldmode)
- ldt.avl = 0;
+ if (old_ldt)
+ memcpy(new_ldt->entries, old_ldt->entries, oldsize * LDT_ENTRY_SIZE);
+ new_ldt->entries[ldt_info.entry_number] = ldt;
+ finalize_ldt_struct(new_ldt);
- /* Install the new entry ... */
-install:
- write_ldt_entry(mm->context.ldt, ldt_info.entry_number, &ldt);
+ install_ldt(mm, new_ldt);
+ free_ldt_struct(old_ldt);
error = 0;
out_unlock:
diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
index 5a2c029..ec03938 100644
--- a/arch/x86/kernel/process_64.c
+++ b/arch/x86/kernel/process_64.c
@@ -122,11 +122,11 @@ void __show_regs(struct pt_regs *regs, int all)
void release_thread(struct task_struct *dead_task)
{
if (dead_task->mm) {
- if (dead_task->mm->context.size) {
+ if (dead_task->mm->context.ldt) {
pr_warn("WARNING: dead process %s still has LDT? <%p/%d>\n",
dead_task->comm,
dead_task->mm->context.ldt,
- dead_task->mm->context.size);
+ dead_task->mm->context.ldt->size);
BUG();
}
}
diff --git a/arch/x86/kernel/step.c b/arch/x86/kernel/step.c
index 9b4d51d..6273324 100644
--- a/arch/x86/kernel/step.c
+++ b/arch/x86/kernel/step.c
@@ -5,6 +5,7 @@
#include <linux/mm.h>
#include <linux/ptrace.h>
#include <asm/desc.h>
+#include <asm/mmu_context.h>
unsigned long convert_ip_to_linear(struct task_struct *child, struct pt_regs *regs)
{
@@ -30,10 +31,11 @@ unsigned long convert_ip_to_linear(struct task_struct *child, struct pt_regs *re
seg &= ~7UL;
mutex_lock(&child->mm->context.lock);
- if (unlikely((seg >> 3) >= child->mm->context.size))
+ if (unlikely(!child->mm->context.ldt ||
+ (seg >> 3) >= child->mm->context.ldt->size))
addr = -1L; /* bogus selector, access would fault */
else {
- desc = child->mm->context.ldt + seg;
+ desc = &child->mm->context.ldt->entries[seg];
base = get_desc_base(desc);
/* 16-bit code segment? */
diff --git a/arch/x86/power/cpu.c b/arch/x86/power/cpu.c
index 6ec7910..f846180 100644
--- a/arch/x86/power/cpu.c
+++ b/arch/x86/power/cpu.c
@@ -23,6 +23,7 @@
#include <asm/debugreg.h>
#include <asm/fpu-internal.h> /* pcntxt_mask */
#include <asm/cpu.h>
+#include <asm/mmu_context.h>
#ifdef CONFIG_X86_32
__visible unsigned long saved_context_ebx;
@@ -157,7 +158,7 @@ static void fix_processor_context(void)
syscall_init(); /* This sets MSR_*STAR and related */
#endif
load_TR_desc(); /* This does ltr */
- load_LDT(¤t->active_mm->context); /* This does lldt */
+ load_mm_ldt(current->active_mm); /* This does lldt */
}
/**
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 002/102] x86/ldt: Make modify_ldt synchronous
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
2015-09-22 17:50 ` [PATCH 3.19.y-ckt 001/102] [3.19-stable only] Revert "dmaengine: pl330: Fix overflow when reporting residue in memcpy" Kamal Mostafa
@ 2015-09-22 17:50 ` Kamal Mostafa
2015-09-22 17:50 ` Kamal Mostafa
` (100 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:50 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Ingo Molnar, security, Denys Vlasenko, Jan Beulich,
Peter Zijlstra, Andrew Cooper, Kamal Mostafa, H. Peter Anvin,
Steven Rostedt, Andy Lutomirski, Borislav Petkov,
Andy Lutomirski, Brian Gerst, Sasha Levin, Boris Ostrovsky,
xen-devel, Linus Torvalds, Thomas Gleixner
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Lutomirski <luto@kernel.org>
commit 37868fe113ff2ba814b3b4eb12df214df555f8dc upstream.
modify_ldt() has questionable locking and does not synchronize
threads. Improve it: redesign the locking and synchronize all
threads' LDTs using an IPI on all modifications.
This will dramatically slow down modify_ldt in multithreaded
programs, but there shouldn't be any multithreaded programs that
care about modify_ldt's performance in the first place.
This fixes some fallout from the CVE-2015-5157 fixes.
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Reviewed-by: Borislav Petkov <bp@suse.de>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sasha Levin <sasha.levin@oracle.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: security@kernel.org <security@kernel.org>
Cc: xen-devel <xen-devel@lists.xen.org>
Link: http://lkml.kernel.org/r/4c6978476782160600471bd865b318db34c7b628.1438291540.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[ kamal: backport to 3.13-stable: dropped comment changes in switch_mm();
included asm/mmu_context.h in perf_event.c; context ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/x86/include/asm/desc.h | 15 ---
arch/x86/include/asm/mmu.h | 3 +-
arch/x86/include/asm/mmu_context.h | 48 ++++++-
arch/x86/kernel/cpu/common.c | 4 +-
arch/x86/kernel/cpu/perf_event.c | 13 +-
arch/x86/kernel/ldt.c | 262 ++++++++++++++++++++-----------------
arch/x86/kernel/process_64.c | 4 +-
arch/x86/kernel/step.c | 6 +-
arch/x86/power/cpu.c | 3 +-
9 files changed, 208 insertions(+), 150 deletions(-)
diff --git a/arch/x86/include/asm/desc.h b/arch/x86/include/asm/desc.h
index a94b82e..6912618 100644
--- a/arch/x86/include/asm/desc.h
+++ b/arch/x86/include/asm/desc.h
@@ -280,21 +280,6 @@ static inline void clear_LDT(void)
set_ldt(NULL, 0);
}
-/*
- * load one particular LDT into the current CPU
- */
-static inline void load_LDT_nolock(mm_context_t *pc)
-{
- set_ldt(pc->ldt, pc->size);
-}
-
-static inline void load_LDT(mm_context_t *pc)
-{
- preempt_disable();
- load_LDT_nolock(pc);
- preempt_enable();
-}
-
static inline unsigned long get_desc_base(const struct desc_struct *desc)
{
return (unsigned)(desc->base0 | ((desc->base1) << 16) | ((desc->base2) << 24));
diff --git a/arch/x86/include/asm/mmu.h b/arch/x86/include/asm/mmu.h
index 876e74e..b6b7bc3 100644
--- a/arch/x86/include/asm/mmu.h
+++ b/arch/x86/include/asm/mmu.h
@@ -9,8 +9,7 @@
* we put the segment information here.
*/
typedef struct {
- void *ldt;
- int size;
+ struct ldt_struct *ldt;
#ifdef CONFIG_X86_64
/* True if mm supports a task running in 32 bit compatibility mode. */
diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
index 4b75d59..1ab38a4 100644
--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
@@ -19,6 +19,50 @@ static inline void paravirt_activate_mm(struct mm_struct *prev,
#endif /* !CONFIG_PARAVIRT */
/*
+ * ldt_structs can be allocated, used, and freed, but they are never
+ * modified while live.
+ */
+struct ldt_struct {
+ /*
+ * Xen requires page-aligned LDTs with special permissions. This is
+ * needed to prevent us from installing evil descriptors such as
+ * call gates. On native, we could merge the ldt_struct and LDT
+ * allocations, but it's not worth trying to optimize.
+ */
+ struct desc_struct *entries;
+ int size;
+};
+
+static inline void load_mm_ldt(struct mm_struct *mm)
+{
+ struct ldt_struct *ldt;
+
+ /* lockless_dereference synchronizes with smp_store_release */
+ ldt = lockless_dereference(mm->context.ldt);
+
+ /*
+ * Any change to mm->context.ldt is followed by an IPI to all
+ * CPUs with the mm active. The LDT will not be freed until
+ * after the IPI is handled by all such CPUs. This means that,
+ * if the ldt_struct changes before we return, the values we see
+ * will be safe, and the new values will be loaded before we run
+ * any user code.
+ *
+ * NB: don't try to convert this to use RCU without extreme care.
+ * We would still need IRQs off, because we don't want to change
+ * the local LDT after an IPI loaded a newer value than the one
+ * that we can see.
+ */
+
+ if (unlikely(ldt))
+ set_ldt(ldt->entries, ldt->size);
+ else
+ clear_LDT();
+
+ DEBUG_LOCKS_WARN_ON(preemptible());
+}
+
+/*
* Used for LDT copy/destruction.
*/
int init_new_context(struct task_struct *tsk, struct mm_struct *mm);
@@ -63,7 +107,7 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
* prev->context.ldt won't be equal to next->context.ldt.
*/
if (unlikely(prev->context.ldt != next->context.ldt))
- load_LDT_nolock(&next->context);
+ load_mm_ldt(next);
}
#ifdef CONFIG_SMP
else {
@@ -85,7 +129,7 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
*/
load_cr3(next->pgd);
trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL);
- load_LDT_nolock(&next->context);
+ load_mm_ldt(next);
}
}
#endif
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index c604965..382a097 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -1366,7 +1366,7 @@ void cpu_init(void)
load_sp0(t, ¤t->thread);
set_tss_desc(cpu, t);
load_TR_desc();
- load_LDT(&init_mm.context);
+ load_mm_ldt(&init_mm);
clear_all_debug_regs();
dbg_restore_debug_regs();
@@ -1409,7 +1409,7 @@ void cpu_init(void)
load_sp0(t, thread);
set_tss_desc(cpu, t);
load_TR_desc();
- load_LDT(&init_mm.context);
+ load_mm_ldt(&init_mm);
t->x86_tss.io_bitmap_base = offsetof(struct tss_struct, io_bitmap);
diff --git a/arch/x86/kernel/cpu/perf_event.c b/arch/x86/kernel/cpu/perf_event.c
index 143e5f5..82adb1a 100644
--- a/arch/x86/kernel/cpu/perf_event.c
+++ b/arch/x86/kernel/cpu/perf_event.c
@@ -31,6 +31,7 @@
#include <asm/nmi.h>
#include <asm/smp.h>
#include <asm/alternative.h>
+#include <asm/mmu_context.h>
#include <asm/timer.h>
#include <asm/desc.h>
#include <asm/ldt.h>
@@ -1986,21 +1987,25 @@ static unsigned long get_segment_base(unsigned int segment)
int idx = segment >> 3;
if ((segment & SEGMENT_TI_MASK) == SEGMENT_LDT) {
+ struct ldt_struct *ldt;
+
if (idx > LDT_ENTRIES)
return 0;
- if (idx > current->active_mm->context.size)
+ /* IRQs are off, so this synchronizes with smp_store_release */
+ ldt = lockless_dereference(current->active_mm->context.ldt);
+ if (!ldt || idx > ldt->size)
return 0;
- desc = current->active_mm->context.ldt;
+ desc = &ldt->entries[idx];
} else {
if (idx > GDT_ENTRIES)
return 0;
- desc = raw_cpu_ptr(gdt_page.gdt);
+ desc = raw_cpu_ptr(gdt_page.gdt) + idx;
}
- return get_desc_base(desc + idx);
+ return get_desc_base(desc);
}
#ifdef CONFIG_COMPAT
diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
index c37886d..2bcc052 100644
--- a/arch/x86/kernel/ldt.c
+++ b/arch/x86/kernel/ldt.c
@@ -12,6 +12,7 @@
#include <linux/string.h>
#include <linux/mm.h>
#include <linux/smp.h>
+#include <linux/slab.h>
#include <linux/vmalloc.h>
#include <linux/uaccess.h>
@@ -20,82 +21,82 @@
#include <asm/mmu_context.h>
#include <asm/syscalls.h>
-#ifdef CONFIG_SMP
+/* context.lock is held for us, so we don't need any locking. */
static void flush_ldt(void *current_mm)
{
- if (current->active_mm == current_mm)
- load_LDT(¤t->active_mm->context);
+ mm_context_t *pc;
+
+ if (current->active_mm != current_mm)
+ return;
+
+ pc = ¤t->active_mm->context;
+ set_ldt(pc->ldt->entries, pc->ldt->size);
}
-#endif
-static int alloc_ldt(mm_context_t *pc, int mincount, int reload)
+/* The caller must call finalize_ldt_struct on the result. LDT starts zeroed. */
+static struct ldt_struct *alloc_ldt_struct(int size)
{
- void *oldldt, *newldt;
- int oldsize;
-
- if (mincount <= pc->size)
- return 0;
- oldsize = pc->size;
- mincount = (mincount + (PAGE_SIZE / LDT_ENTRY_SIZE - 1)) &
- (~(PAGE_SIZE / LDT_ENTRY_SIZE - 1));
- if (mincount * LDT_ENTRY_SIZE > PAGE_SIZE)
- newldt = vmalloc(mincount * LDT_ENTRY_SIZE);
+ struct ldt_struct *new_ldt;
+ int alloc_size;
+
+ if (size > LDT_ENTRIES)
+ return NULL;
+
+ new_ldt = kmalloc(sizeof(struct ldt_struct), GFP_KERNEL);
+ if (!new_ldt)
+ return NULL;
+
+ BUILD_BUG_ON(LDT_ENTRY_SIZE != sizeof(struct desc_struct));
+ alloc_size = size * LDT_ENTRY_SIZE;
+
+ /*
+ * Xen is very picky: it requires a page-aligned LDT that has no
+ * trailing nonzero bytes in any page that contains LDT descriptors.
+ * Keep it simple: zero the whole allocation and never allocate less
+ * than PAGE_SIZE.
+ */
+ if (alloc_size > PAGE_SIZE)
+ new_ldt->entries = vzalloc(alloc_size);
else
- newldt = (void *)__get_free_page(GFP_KERNEL);
-
- if (!newldt)
- return -ENOMEM;
+ new_ldt->entries = kzalloc(PAGE_SIZE, GFP_KERNEL);
- if (oldsize)
- memcpy(newldt, pc->ldt, oldsize * LDT_ENTRY_SIZE);
- oldldt = pc->ldt;
- memset(newldt + oldsize * LDT_ENTRY_SIZE, 0,
- (mincount - oldsize) * LDT_ENTRY_SIZE);
+ if (!new_ldt->entries) {
+ kfree(new_ldt);
+ return NULL;
+ }
- paravirt_alloc_ldt(newldt, mincount);
+ new_ldt->size = size;
+ return new_ldt;
+}
-#ifdef CONFIG_X86_64
- /* CHECKME: Do we really need this ? */
- wmb();
-#endif
- pc->ldt = newldt;
- wmb();
- pc->size = mincount;
- wmb();
-
- if (reload) {
-#ifdef CONFIG_SMP
- preempt_disable();
- load_LDT(pc);
- if (!cpumask_equal(mm_cpumask(current->mm),
- cpumask_of(smp_processor_id())))
- smp_call_function(flush_ldt, current->mm, 1);
- preempt_enable();
-#else
- load_LDT(pc);
-#endif
- }
- if (oldsize) {
- paravirt_free_ldt(oldldt, oldsize);
- if (oldsize * LDT_ENTRY_SIZE > PAGE_SIZE)
- vfree(oldldt);
- else
- put_page(virt_to_page(oldldt));
- }
- return 0;
+/* After calling this, the LDT is immutable. */
+static void finalize_ldt_struct(struct ldt_struct *ldt)
+{
+ paravirt_alloc_ldt(ldt->entries, ldt->size);
}
-static inline int copy_ldt(mm_context_t *new, mm_context_t *old)
+/* context.lock is held */
+static void install_ldt(struct mm_struct *current_mm,
+ struct ldt_struct *ldt)
{
- int err = alloc_ldt(new, old->size, 0);
- int i;
+ /* Synchronizes with lockless_dereference in load_mm_ldt. */
+ smp_store_release(¤t_mm->context.ldt, ldt);
+
+ /* Activate the LDT for all CPUs using current_mm. */
+ on_each_cpu_mask(mm_cpumask(current_mm), flush_ldt, current_mm, true);
+}
- if (err < 0)
- return err;
+static void free_ldt_struct(struct ldt_struct *ldt)
+{
+ if (likely(!ldt))
+ return;
- for (i = 0; i < old->size; i++)
- write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
- return 0;
+ paravirt_free_ldt(ldt->entries, ldt->size);
+ if (ldt->size * LDT_ENTRY_SIZE > PAGE_SIZE)
+ vfree(ldt->entries);
+ else
+ kfree(ldt->entries);
+ kfree(ldt);
}
/*
@@ -104,17 +105,37 @@ static inline int copy_ldt(mm_context_t *new, mm_context_t *old)
*/
int init_new_context(struct task_struct *tsk, struct mm_struct *mm)
{
+ struct ldt_struct *new_ldt;
struct mm_struct *old_mm;
int retval = 0;
mutex_init(&mm->context.lock);
- mm->context.size = 0;
old_mm = current->mm;
- if (old_mm && old_mm->context.size > 0) {
- mutex_lock(&old_mm->context.lock);
- retval = copy_ldt(&mm->context, &old_mm->context);
- mutex_unlock(&old_mm->context.lock);
+ if (!old_mm) {
+ mm->context.ldt = NULL;
+ return 0;
}
+
+ mutex_lock(&old_mm->context.lock);
+ if (!old_mm->context.ldt) {
+ mm->context.ldt = NULL;
+ goto out_unlock;
+ }
+
+ new_ldt = alloc_ldt_struct(old_mm->context.ldt->size);
+ if (!new_ldt) {
+ retval = -ENOMEM;
+ goto out_unlock;
+ }
+
+ memcpy(new_ldt->entries, old_mm->context.ldt->entries,
+ new_ldt->size * LDT_ENTRY_SIZE);
+ finalize_ldt_struct(new_ldt);
+
+ mm->context.ldt = new_ldt;
+
+out_unlock:
+ mutex_unlock(&old_mm->context.lock);
return retval;
}
@@ -125,53 +146,47 @@ int init_new_context(struct task_struct *tsk, struct mm_struct *mm)
*/
void destroy_context(struct mm_struct *mm)
{
- if (mm->context.size) {
-#ifdef CONFIG_X86_32
- /* CHECKME: Can this ever happen ? */
- if (mm == current->active_mm)
- clear_LDT();
-#endif
- paravirt_free_ldt(mm->context.ldt, mm->context.size);
- if (mm->context.size * LDT_ENTRY_SIZE > PAGE_SIZE)
- vfree(mm->context.ldt);
- else
- put_page(virt_to_page(mm->context.ldt));
- mm->context.size = 0;
- }
+ free_ldt_struct(mm->context.ldt);
+ mm->context.ldt = NULL;
}
static int read_ldt(void __user *ptr, unsigned long bytecount)
{
- int err;
+ int retval;
unsigned long size;
struct mm_struct *mm = current->mm;
- if (!mm->context.size)
- return 0;
+ mutex_lock(&mm->context.lock);
+
+ if (!mm->context.ldt) {
+ retval = 0;
+ goto out_unlock;
+ }
+
if (bytecount > LDT_ENTRY_SIZE * LDT_ENTRIES)
bytecount = LDT_ENTRY_SIZE * LDT_ENTRIES;
- mutex_lock(&mm->context.lock);
- size = mm->context.size * LDT_ENTRY_SIZE;
+ size = mm->context.ldt->size * LDT_ENTRY_SIZE;
if (size > bytecount)
size = bytecount;
- err = 0;
- if (copy_to_user(ptr, mm->context.ldt, size))
- err = -EFAULT;
- mutex_unlock(&mm->context.lock);
- if (err < 0)
- goto error_return;
+ if (copy_to_user(ptr, mm->context.ldt->entries, size)) {
+ retval = -EFAULT;
+ goto out_unlock;
+ }
+
if (size != bytecount) {
- /* zero-fill the rest */
- if (clear_user(ptr + size, bytecount - size) != 0) {
- err = -EFAULT;
- goto error_return;
+ /* Zero-fill the rest and pretend we read bytecount bytes. */
+ if (clear_user(ptr + size, bytecount - size)) {
+ retval = -EFAULT;
+ goto out_unlock;
}
}
- return bytecount;
-error_return:
- return err;
+ retval = bytecount;
+
+out_unlock:
+ mutex_unlock(&mm->context.lock);
+ return retval;
}
static int read_default_ldt(void __user *ptr, unsigned long bytecount)
@@ -195,6 +210,8 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode)
struct desc_struct ldt;
int error;
struct user_desc ldt_info;
+ int oldsize, newsize;
+ struct ldt_struct *new_ldt, *old_ldt;
error = -EINVAL;
if (bytecount != sizeof(ldt_info))
@@ -213,34 +230,39 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode)
goto out;
}
- mutex_lock(&mm->context.lock);
- if (ldt_info.entry_number >= mm->context.size) {
- error = alloc_ldt(¤t->mm->context,
- ldt_info.entry_number + 1, 1);
- if (error < 0)
- goto out_unlock;
- }
-
- /* Allow LDTs to be cleared by the user. */
- if (ldt_info.base_addr == 0 && ldt_info.limit == 0) {
- if (oldmode || LDT_empty(&ldt_info)) {
- memset(&ldt, 0, sizeof(ldt));
- goto install;
+ if ((oldmode && !ldt_info.base_addr && !ldt_info.limit) ||
+ LDT_empty(&ldt_info)) {
+ /* The user wants to clear the entry. */
+ memset(&ldt, 0, sizeof(ldt));
+ } else {
+ if (!IS_ENABLED(CONFIG_X86_16BIT) && !ldt_info.seg_32bit) {
+ error = -EINVAL;
+ goto out;
}
+
+ fill_ldt(&ldt, &ldt_info);
+ if (oldmode)
+ ldt.avl = 0;
}
- if (!IS_ENABLED(CONFIG_X86_16BIT) && !ldt_info.seg_32bit) {
- error = -EINVAL;
+ mutex_lock(&mm->context.lock);
+
+ old_ldt = mm->context.ldt;
+ oldsize = old_ldt ? old_ldt->size : 0;
+ newsize = max((int)(ldt_info.entry_number + 1), oldsize);
+
+ error = -ENOMEM;
+ new_ldt = alloc_ldt_struct(newsize);
+ if (!new_ldt)
goto out_unlock;
- }
- fill_ldt(&ldt, &ldt_info);
- if (oldmode)
- ldt.avl = 0;
+ if (old_ldt)
+ memcpy(new_ldt->entries, old_ldt->entries, oldsize * LDT_ENTRY_SIZE);
+ new_ldt->entries[ldt_info.entry_number] = ldt;
+ finalize_ldt_struct(new_ldt);
- /* Install the new entry ... */
-install:
- write_ldt_entry(mm->context.ldt, ldt_info.entry_number, &ldt);
+ install_ldt(mm, new_ldt);
+ free_ldt_struct(old_ldt);
error = 0;
out_unlock:
diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
index 5a2c029..ec03938 100644
--- a/arch/x86/kernel/process_64.c
+++ b/arch/x86/kernel/process_64.c
@@ -122,11 +122,11 @@ void __show_regs(struct pt_regs *regs, int all)
void release_thread(struct task_struct *dead_task)
{
if (dead_task->mm) {
- if (dead_task->mm->context.size) {
+ if (dead_task->mm->context.ldt) {
pr_warn("WARNING: dead process %s still has LDT? <%p/%d>\n",
dead_task->comm,
dead_task->mm->context.ldt,
- dead_task->mm->context.size);
+ dead_task->mm->context.ldt->size);
BUG();
}
}
diff --git a/arch/x86/kernel/step.c b/arch/x86/kernel/step.c
index 9b4d51d..6273324 100644
--- a/arch/x86/kernel/step.c
+++ b/arch/x86/kernel/step.c
@@ -5,6 +5,7 @@
#include <linux/mm.h>
#include <linux/ptrace.h>
#include <asm/desc.h>
+#include <asm/mmu_context.h>
unsigned long convert_ip_to_linear(struct task_struct *child, struct pt_regs *regs)
{
@@ -30,10 +31,11 @@ unsigned long convert_ip_to_linear(struct task_struct *child, struct pt_regs *re
seg &= ~7UL;
mutex_lock(&child->mm->context.lock);
- if (unlikely((seg >> 3) >= child->mm->context.size))
+ if (unlikely(!child->mm->context.ldt ||
+ (seg >> 3) >= child->mm->context.ldt->size))
addr = -1L; /* bogus selector, access would fault */
else {
- desc = child->mm->context.ldt + seg;
+ desc = &child->mm->context.ldt->entries[seg];
base = get_desc_base(desc);
/* 16-bit code segment? */
diff --git a/arch/x86/power/cpu.c b/arch/x86/power/cpu.c
index 6ec7910..f846180 100644
--- a/arch/x86/power/cpu.c
+++ b/arch/x86/power/cpu.c
@@ -23,6 +23,7 @@
#include <asm/debugreg.h>
#include <asm/fpu-internal.h> /* pcntxt_mask */
#include <asm/cpu.h>
+#include <asm/mmu_context.h>
#ifdef CONFIG_X86_32
__visible unsigned long saved_context_ebx;
@@ -157,7 +158,7 @@ static void fix_processor_context(void)
syscall_init(); /* This sets MSR_*STAR and related */
#endif
load_TR_desc(); /* This does ltr */
- load_LDT(¤t->active_mm->context); /* This does lldt */
+ load_mm_ldt(current->active_mm); /* This does lldt */
}
/**
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 003/102] x86/ldt: Correct LDT access in single stepping logic
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (2 preceding siblings ...)
2015-09-22 17:50 ` Kamal Mostafa
@ 2015-09-22 17:50 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 004/102] x86/ldt: Correct FPU emulation access to LDT Kamal Mostafa
` (98 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:50 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Juergen Gross, Linus Torvalds, Peter Zijlstra, Thomas Gleixner,
bp, Ingo Molnar, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Juergen Gross <jgross@suse.com>
commit 136d9d83c07c5e30ac49fc83b27e8c4842f108fc upstream.
Commit 37868fe113ff ("x86/ldt: Make modify_ldt synchronous")
introduced a new struct ldt_struct anchored at mm->context.ldt.
convert_ip_to_linear() was changed to reflect this, but indexing
into the ldt has to be changed as the pointer is no longer void *.
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: bp@suse.de
Link: http://lkml.kernel.org/r/1438848278-12906-1-git-send-email-jgross@suse.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/x86/kernel/step.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/step.c b/arch/x86/kernel/step.c
index 6273324..0ccb53a 100644
--- a/arch/x86/kernel/step.c
+++ b/arch/x86/kernel/step.c
@@ -28,11 +28,11 @@ unsigned long convert_ip_to_linear(struct task_struct *child, struct pt_regs *re
struct desc_struct *desc;
unsigned long base;
- seg &= ~7UL;
+ seg >>= 3;
mutex_lock(&child->mm->context.lock);
if (unlikely(!child->mm->context.ldt ||
- (seg >> 3) >= child->mm->context.ldt->size))
+ seg >= child->mm->context.ldt->size))
addr = -1L; /* bogus selector, access would fault */
else {
desc = &child->mm->context.ldt->entries[seg];
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 004/102] x86/ldt: Correct FPU emulation access to LDT
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (3 preceding siblings ...)
2015-09-22 17:50 ` [PATCH 3.19.y-ckt 003/102] x86/ldt: Correct LDT access in single stepping logic Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 005/102] md: flush ->event_work before stopping array Kamal Mostafa
` (97 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Juergen Gross, Linus Torvalds, Peter Zijlstra, Thomas Gleixner,
billm, Ingo Molnar, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Juergen Gross <jgross@suse.com>
commit 4809146b86c3d41ce588fdb767d021e2a80600dd upstream.
Commit 37868fe113ff ("x86/ldt: Make modify_ldt synchronous")
introduced a new struct ldt_struct anchored at mm->context.ldt.
Adapt the x86 fpu emulation code to use that new structure.
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: billm@melbpc.org.au
Link: http://lkml.kernel.org/r/1438883674-1240-1-git-send-email-jgross@suse.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/x86/math-emu/fpu_entry.c | 3 +--
arch/x86/math-emu/fpu_system.h | 21 ++++++++++++++++++---
arch/x86/math-emu/get_address.c | 3 +--
3 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/arch/x86/math-emu/fpu_entry.c b/arch/x86/math-emu/fpu_entry.c
index 9b86812..274a52b 100644
--- a/arch/x86/math-emu/fpu_entry.c
+++ b/arch/x86/math-emu/fpu_entry.c
@@ -29,7 +29,6 @@
#include <asm/uaccess.h>
#include <asm/traps.h>
-#include <asm/desc.h>
#include <asm/user.h>
#include <asm/i387.h>
@@ -185,7 +184,7 @@ void math_emulate(struct math_emu_info *info)
math_abort(FPU_info, SIGILL);
}
- code_descriptor = LDT_DESCRIPTOR(FPU_CS);
+ code_descriptor = FPU_get_ldt_descriptor(FPU_CS);
if (SEG_D_SIZE(code_descriptor)) {
/* The above test may be wrong, the book is not clear */
/* Segmented 32 bit protected mode */
diff --git a/arch/x86/math-emu/fpu_system.h b/arch/x86/math-emu/fpu_system.h
index 2c61441..d342fce 100644
--- a/arch/x86/math-emu/fpu_system.h
+++ b/arch/x86/math-emu/fpu_system.h
@@ -16,9 +16,24 @@
#include <linux/kernel.h>
#include <linux/mm.h>
-/* s is always from a cpu register, and the cpu does bounds checking
- * during register load --> no further bounds checks needed */
-#define LDT_DESCRIPTOR(s) (((struct desc_struct *)current->mm->context.ldt)[(s) >> 3])
+#include <asm/desc.h>
+#include <asm/mmu_context.h>
+
+static inline struct desc_struct FPU_get_ldt_descriptor(unsigned seg)
+{
+ static struct desc_struct zero_desc;
+ struct desc_struct ret = zero_desc;
+
+#ifdef CONFIG_MODIFY_LDT_SYSCALL
+ seg >>= 3;
+ mutex_lock(¤t->mm->context.lock);
+ if (current->mm->context.ldt && seg < current->mm->context.ldt->size)
+ ret = current->mm->context.ldt->entries[seg];
+ mutex_unlock(¤t->mm->context.lock);
+#endif
+ return ret;
+}
+
#define SEG_D_SIZE(x) ((x).b & (3 << 21))
#define SEG_G_BIT(x) ((x).b & (1 << 23))
#define SEG_GRANULARITY(x) (((x).b & (1 << 23)) ? 4096 : 1)
diff --git a/arch/x86/math-emu/get_address.c b/arch/x86/math-emu/get_address.c
index 6ef5e99..d13cab2 100644
--- a/arch/x86/math-emu/get_address.c
+++ b/arch/x86/math-emu/get_address.c
@@ -20,7 +20,6 @@
#include <linux/stddef.h>
#include <asm/uaccess.h>
-#include <asm/desc.h>
#include "fpu_system.h"
#include "exception.h"
@@ -158,7 +157,7 @@ static long pm_address(u_char FPU_modrm, u_char segment,
addr->selector = PM_REG_(segment);
}
- descriptor = LDT_DESCRIPTOR(PM_REG_(segment));
+ descriptor = FPU_get_ldt_descriptor(segment);
base_address = SEG_BASE_ADDR(descriptor);
address = base_address + offset;
limit = base_address
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 005/102] md: flush ->event_work before stopping array.
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (4 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 004/102] x86/ldt: Correct FPU emulation access to LDT Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 006/102] ipmi/powernv: Fix minor locking bug Kamal Mostafa
` (96 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: NeilBrown, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: NeilBrown <neilb@suse.com>
commit ee5d004fd0591536a061451eba2b187092e9127c upstream.
The 'event_work' worker used by dm-raid may still be running
when the array is stopped. This can result in an oops.
So flush the workqueue on which it is run after detaching
and before destroying the device.
Reported-by: Heinz Mauelshagen <heinzm@redhat.com>
Signed-off-by: NeilBrown <neilb@suse.com>
Fixes: 9d09e663d550 ("dm: raid456 basic support")
[kamal: backport to 3.19-stable: context]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/md/md.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/md/md.c b/drivers/md/md.c
index a31e15b..d7f0a56 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -5076,6 +5076,8 @@ EXPORT_SYMBOL_GPL(md_stop_writes);
static void __md_stop(struct mddev *mddev)
{
+ /* Ensure ->event_work is done */
+ flush_workqueue(md_misc_wq);
mddev->ready = 0;
mddev->pers->stop(mddev);
if (mddev->pers->sync_request && mddev->to_remove == NULL)
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 006/102] ipmi/powernv: Fix minor locking bug
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (5 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 005/102] md: flush ->event_work before stopping array Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 007/102] ipv6: addrconf: validate new MTU before applying it Kamal Mostafa
` (95 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Alistair Popple, Corey Minyard, Tim Gardner, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Alistair Popple <alistair@popple.id.au>
commit ad1ed2a9dd4c435d6a3ce470211db9a8d107c3e0 upstream.
If ipmi_powernv_recv(...) is called without a current message it
prints a warning and returns. However it fails to release the message
lock causing the system to dead lock during any subsequent IPMI
operations.
This error path should never normally be taken unless there are bugs
elsewhere in the system.
Signed-off-by: Alistair Popple <alistair@popple.id.au>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Cc: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/char/ipmi/ipmi_powernv.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/char/ipmi/ipmi_powernv.c b/drivers/char/ipmi/ipmi_powernv.c
index 79524ed..8753b0f 100644
--- a/drivers/char/ipmi/ipmi_powernv.c
+++ b/drivers/char/ipmi/ipmi_powernv.c
@@ -125,6 +125,7 @@ static int ipmi_powernv_recv(struct ipmi_smi_powernv *smi)
spin_lock_irqsave(&smi->msg_lock, flags);
if (!smi->cur_msg) {
+ spin_unlock_irqrestore(&smi->msg_lock, flags);
pr_warn("no current message?\n");
return 0;
}
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 007/102] ipv6: addrconf: validate new MTU before applying it
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (6 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 006/102] ipmi/powernv: Fix minor locking bug Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 008/102] virtio-net: drop NETIF_F_FRAGLIST Kamal Mostafa
` (94 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Marcelo Ricardo Leitner, Sabrina Dubroca, David S. Miller, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Marcelo Leitner <mleitner@redhat.com>
commit 77751427a1ff25b27d47a4c36b12c3c8667855ac upstream.
Currently we don't check if the new MTU is valid or not and this allows
one to configure a smaller than minimum allowed by RFCs or even bigger
than interface own MTU, which is a problem as it may lead to packet
drops.
If you have a daemon like NetworkManager running, this may be exploited
by remote attackers by forging RA packets with an invalid MTU, possibly
leading to a DoS. (NetworkManager currently only validates for values
too small, but not for too big ones.)
The fix is just to make sure the new value is valid. That is, between
IPV6_MIN_MTU and interface's MTU.
Note that similar check is already performed at
ndisc_router_discovery(), for when kernel itself parses the RA.
Signed-off-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/ipv6/addrconf.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index dac9419..167d23e 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -4879,6 +4879,21 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int write,
return ret;
}
+static
+int addrconf_sysctl_mtu(struct ctl_table *ctl, int write,
+ void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+ struct inet6_dev *idev = ctl->extra1;
+ int min_mtu = IPV6_MIN_MTU;
+ struct ctl_table lctl;
+
+ lctl = *ctl;
+ lctl.extra1 = &min_mtu;
+ lctl.extra2 = idev ? &idev->dev->mtu : NULL;
+
+ return proc_dointvec_minmax(&lctl, write, buffer, lenp, ppos);
+}
+
static void dev_disable_change(struct inet6_dev *idev)
{
struct netdev_notifier_info info;
@@ -5030,7 +5045,7 @@ static struct addrconf_sysctl_table
.data = &ipv6_devconf.mtu6,
.maxlen = sizeof(int),
.mode = 0644,
- .proc_handler = proc_dointvec,
+ .proc_handler = addrconf_sysctl_mtu,
},
{
.procname = "accept_ra",
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 008/102] virtio-net: drop NETIF_F_FRAGLIST
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (7 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 007/102] ipv6: addrconf: validate new MTU before applying it Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 009/102] RDS: verify the underlying transport exists before creating a connection Kamal Mostafa
` (93 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Michael S. Tsirkin, Jason Wang, David S. Miller, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Wang <jasowang@redhat.com>
commit 48900cb6af4282fa0fb6ff4d72a81aa3dadb5c39 upstream.
virtio declares support for NETIF_F_FRAGLIST, but assumes
that there are at most MAX_SKB_FRAGS + 2 fragments which isn't
always true with a fraglist.
A longer fraglist in the skb will make the call to skb_to_sgvec overflow
the sg array, leading to memory corruption.
Drop NETIF_F_FRAGLIST so we only get what we can handle.
Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/virtio_net.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
index 0ad6c0c..46976f4 100644
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -1738,9 +1738,9 @@ static int virtnet_probe(struct virtio_device *vdev)
/* Do we support "hardware" checksums? */
if (virtio_has_feature(vdev, VIRTIO_NET_F_CSUM)) {
/* This opens up the world of extra features. */
- dev->hw_features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST;
+ dev->hw_features |= NETIF_F_HW_CSUM | NETIF_F_SG;
if (csum)
- dev->features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST;
+ dev->features |= NETIF_F_HW_CSUM | NETIF_F_SG;
if (virtio_has_feature(vdev, VIRTIO_NET_F_GSO)) {
dev->hw_features |= NETIF_F_TSO | NETIF_F_UFO
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 009/102] RDS: verify the underlying transport exists before creating a connection
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (8 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 008/102] virtio-net: drop NETIF_F_FRAGLIST Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 010/102] xen/gntdev: convert priv->lock to a mutex Kamal Mostafa
` (92 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Sasha Levin, David S. Miller, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Sasha Levin <sasha.levin@oracle.com>
commit 74e98eb085889b0d2d4908f59f6e00026063014f upstream.
There was no verification that an underlying transport exists when creating
a connection, this would cause dereferencing a NULL ptr.
It might happen on sockets that weren't properly bound before attempting to
send a message, which will cause a NULL ptr deref:
[135546.047719] kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN
[135546.051270] Modules linked in:
[135546.051781] CPU: 4 PID: 15650 Comm: trinity-c4 Not tainted 4.2.0-next-20150902-sasha-00041-gbaa1222-dirty #2527
[135546.053217] task: ffff8800835bc000 ti: ffff8800bc708000 task.ti: ffff8800bc708000
[135546.054291] RIP: __rds_conn_create (net/rds/connection.c:194)
[135546.055666] RSP: 0018:ffff8800bc70fab0 EFLAGS: 00010202
[135546.056457] RAX: dffffc0000000000 RBX: 0000000000000f2c RCX: ffff8800835bc000
[135546.057494] RDX: 0000000000000007 RSI: ffff8800835bccd8 RDI: 0000000000000038
[135546.058530] RBP: ffff8800bc70fb18 R08: 0000000000000001 R09: 0000000000000000
[135546.059556] R10: ffffed014d7a3a23 R11: ffffed014d7a3a21 R12: 0000000000000000
[135546.060614] R13: 0000000000000001 R14: ffff8801ec3d0000 R15: 0000000000000000
[135546.061668] FS: 00007faad4ffb700(0000) GS:ffff880252000000(0000) knlGS:0000000000000000
[135546.062836] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[135546.063682] CR2: 000000000000846a CR3: 000000009d137000 CR4: 00000000000006a0
[135546.064723] Stack:
[135546.065048] ffffffffafe2055c ffffffffafe23fc1 ffffed00493097bf ffff8801ec3d0008
[135546.066247] 0000000000000000 00000000000000d0 0000000000000000 ac194a24c0586342
[135546.067438] 1ffff100178e1f78 ffff880320581b00 ffff8800bc70fdd0 ffff880320581b00
[135546.068629] Call Trace:
[135546.069028] ? __rds_conn_create (include/linux/rcupdate.h:856 net/rds/connection.c:134)
[135546.069989] ? rds_message_copy_from_user (net/rds/message.c:298)
[135546.071021] rds_conn_create_outgoing (net/rds/connection.c:278)
[135546.071981] rds_sendmsg (net/rds/send.c:1058)
[135546.072858] ? perf_trace_lock (include/trace/events/lock.h:38)
[135546.073744] ? lockdep_init (kernel/locking/lockdep.c:3298)
[135546.074577] ? rds_send_drop_to (net/rds/send.c:976)
[135546.075508] ? __might_fault (./arch/x86/include/asm/current.h:14 mm/memory.c:3795)
[135546.076349] ? __might_fault (mm/memory.c:3795)
[135546.077179] ? rds_send_drop_to (net/rds/send.c:976)
[135546.078114] sock_sendmsg (net/socket.c:611 net/socket.c:620)
[135546.078856] SYSC_sendto (net/socket.c:1657)
[135546.079596] ? SYSC_connect (net/socket.c:1628)
[135546.080510] ? trace_dump_stack (kernel/trace/trace.c:1926)
[135546.081397] ? ring_buffer_unlock_commit (kernel/trace/ring_buffer.c:2479 kernel/trace/ring_buffer.c:2558 kernel/trace/ring_buffer.c:2674)
[135546.082390] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749)
[135546.083410] ? trace_event_raw_event_sys_enter (include/trace/events/syscalls.h:16)
[135546.084481] ? do_audit_syscall_entry (include/trace/events/syscalls.h:16)
[135546.085438] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749)
[135546.085515] rds_ib_laddr_check(): addr 36.74.25.172 ret -99 node type -1
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/rds/connection.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/rds/connection.c b/net/rds/connection.c
index 378c3a6..f5fb7d6 100644
--- a/net/rds/connection.c
+++ b/net/rds/connection.c
@@ -183,6 +183,12 @@ static struct rds_connection *__rds_conn_create(__be32 laddr, __be32 faddr,
}
}
+ if (trans == NULL) {
+ kmem_cache_free(rds_conn_slab, conn);
+ conn = ERR_PTR(-ENODEV);
+ goto out;
+ }
+
conn->c_trans = trans;
ret = trans->conn_alloc(conn, gfp);
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 010/102] xen/gntdev: convert priv->lock to a mutex
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (9 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 009/102] RDS: verify the underlying transport exists before creating a connection Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 011/102] xen/gntdevt: Fix race condition in gntdev_release() Kamal Mostafa
` (91 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: David Vrabel, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: David Vrabel <david.vrabel@citrix.com>
commit 1401c00e59ea021c575f74612fe2dbba36d6a4ee upstream.
Unmapping may require sleeping and we unmap while holding priv->lock, so
convert it to a mutex.
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/xen/gntdev.c | 40 ++++++++++++++++++++--------------------
1 file changed, 20 insertions(+), 20 deletions(-)
diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
index 073b4a1..b7f028a 100644
--- a/drivers/xen/gntdev.c
+++ b/drivers/xen/gntdev.c
@@ -67,7 +67,7 @@ struct gntdev_priv {
* Only populated if populate_freeable_maps == 1 */
struct list_head freeable_maps;
/* lock protects maps and freeable_maps */
- spinlock_t lock;
+ struct mutex lock;
struct mm_struct *mm;
struct mmu_notifier mn;
};
@@ -216,9 +216,9 @@ static void gntdev_put_map(struct gntdev_priv *priv, struct grant_map *map)
}
if (populate_freeable_maps && priv) {
- spin_lock(&priv->lock);
+ mutex_lock(&priv->lock);
list_del(&map->next);
- spin_unlock(&priv->lock);
+ mutex_unlock(&priv->lock);
}
if (map->pages && !use_ptemod)
@@ -387,9 +387,9 @@ static void gntdev_vma_close(struct vm_area_struct *vma)
* not do any unmapping, since that has been done prior to
* closing the vma, but it may still iterate the unmap_ops list.
*/
- spin_lock(&priv->lock);
+ mutex_lock(&priv->lock);
map->vma = NULL;
- spin_unlock(&priv->lock);
+ mutex_unlock(&priv->lock);
}
vma->vm_private_data = NULL;
gntdev_put_map(priv, map);
@@ -433,14 +433,14 @@ static void mn_invl_range_start(struct mmu_notifier *mn,
struct gntdev_priv *priv = container_of(mn, struct gntdev_priv, mn);
struct grant_map *map;
- spin_lock(&priv->lock);
+ mutex_lock(&priv->lock);
list_for_each_entry(map, &priv->maps, next) {
unmap_if_in_range(map, start, end);
}
list_for_each_entry(map, &priv->freeable_maps, next) {
unmap_if_in_range(map, start, end);
}
- spin_unlock(&priv->lock);
+ mutex_unlock(&priv->lock);
}
static void mn_invl_page(struct mmu_notifier *mn,
@@ -457,7 +457,7 @@ static void mn_release(struct mmu_notifier *mn,
struct grant_map *map;
int err;
- spin_lock(&priv->lock);
+ mutex_lock(&priv->lock);
list_for_each_entry(map, &priv->maps, next) {
if (!map->vma)
continue;
@@ -476,7 +476,7 @@ static void mn_release(struct mmu_notifier *mn,
err = unmap_grant_pages(map, /* offset */ 0, map->count);
WARN_ON(err);
}
- spin_unlock(&priv->lock);
+ mutex_unlock(&priv->lock);
}
static struct mmu_notifier_ops gntdev_mmu_ops = {
@@ -498,7 +498,7 @@ static int gntdev_open(struct inode *inode, struct file *flip)
INIT_LIST_HEAD(&priv->maps);
INIT_LIST_HEAD(&priv->freeable_maps);
- spin_lock_init(&priv->lock);
+ mutex_init(&priv->lock);
if (use_ptemod) {
priv->mm = get_task_mm(current);
@@ -572,10 +572,10 @@ static long gntdev_ioctl_map_grant_ref(struct gntdev_priv *priv,
return -EFAULT;
}
- spin_lock(&priv->lock);
+ mutex_lock(&priv->lock);
gntdev_add_map(priv, map);
op.index = map->index << PAGE_SHIFT;
- spin_unlock(&priv->lock);
+ mutex_unlock(&priv->lock);
if (copy_to_user(u, &op, sizeof(op)) != 0)
return -EFAULT;
@@ -594,7 +594,7 @@ static long gntdev_ioctl_unmap_grant_ref(struct gntdev_priv *priv,
return -EFAULT;
pr_debug("priv %p, del %d+%d\n", priv, (int)op.index, (int)op.count);
- spin_lock(&priv->lock);
+ mutex_lock(&priv->lock);
map = gntdev_find_map_index(priv, op.index >> PAGE_SHIFT, op.count);
if (map) {
list_del(&map->next);
@@ -602,7 +602,7 @@ static long gntdev_ioctl_unmap_grant_ref(struct gntdev_priv *priv,
list_add_tail(&map->next, &priv->freeable_maps);
err = 0;
}
- spin_unlock(&priv->lock);
+ mutex_unlock(&priv->lock);
if (map)
gntdev_put_map(priv, map);
return err;
@@ -670,7 +670,7 @@ static long gntdev_ioctl_notify(struct gntdev_priv *priv, void __user *u)
out_flags = op.action;
out_event = op.event_channel_port;
- spin_lock(&priv->lock);
+ mutex_lock(&priv->lock);
list_for_each_entry(map, &priv->maps, next) {
uint64_t begin = map->index << PAGE_SHIFT;
@@ -698,7 +698,7 @@ static long gntdev_ioctl_notify(struct gntdev_priv *priv, void __user *u)
rc = 0;
unlock_out:
- spin_unlock(&priv->lock);
+ mutex_unlock(&priv->lock);
/* Drop the reference to the event channel we did not save in the map */
if (out_flags & UNMAP_NOTIFY_SEND_EVENT)
@@ -748,7 +748,7 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma)
pr_debug("map %d+%d at %lx (pgoff %lx)\n",
index, count, vma->vm_start, vma->vm_pgoff);
- spin_lock(&priv->lock);
+ mutex_lock(&priv->lock);
map = gntdev_find_map_index(priv, index, count);
if (!map)
goto unlock_out;
@@ -783,7 +783,7 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma)
map->flags |= GNTMAP_readonly;
}
- spin_unlock(&priv->lock);
+ mutex_unlock(&priv->lock);
if (use_ptemod) {
err = apply_to_page_range(vma->vm_mm, vma->vm_start,
@@ -811,11 +811,11 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma)
return 0;
unlock_out:
- spin_unlock(&priv->lock);
+ mutex_unlock(&priv->lock);
return err;
out_unlock_put:
- spin_unlock(&priv->lock);
+ mutex_unlock(&priv->lock);
out_put_map:
if (use_ptemod)
map->vma = NULL;
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 011/102] xen/gntdevt: Fix race condition in gntdev_release()
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (10 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 010/102] xen/gntdev: convert priv->lock to a mutex Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 012/102] PCI: Restore PCI_MSIX_FLAGS_BIRMASK definition Kamal Mostafa
` (90 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Marek Marczykowski-Górecki, David Vrabel, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
commit 30b03d05e07467b8c6ec683ea96b5bffcbcd3931 upstream.
While gntdev_release() is called the MMU notifier is still registered
and can traverse priv->maps list even if no pages are mapped (which is
the case -- gntdev_release() is called after all). But
gntdev_release() will clear that list, so make sure that only one of
those things happens at the same time.
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/xen/gntdev.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
index b7f028a..91cc446 100644
--- a/drivers/xen/gntdev.c
+++ b/drivers/xen/gntdev.c
@@ -529,12 +529,14 @@ static int gntdev_release(struct inode *inode, struct file *flip)
pr_debug("priv %p\n", priv);
+ mutex_lock(&priv->lock);
while (!list_empty(&priv->maps)) {
map = list_entry(priv->maps.next, struct grant_map, next);
list_del(&map->next);
gntdev_put_map(NULL /* already removed */, map);
}
WARN_ON(!list_empty(&priv->freeable_maps));
+ mutex_unlock(&priv->lock);
if (use_ptemod)
mmu_notifier_unregister(&priv->mn, priv->mm);
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 012/102] PCI: Restore PCI_MSIX_FLAGS_BIRMASK definition
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (11 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 011/102] xen/gntdevt: Fix race condition in gntdev_release() Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 013/102] USB: qcserial/option: make AT URCs work for Sierra Wireless MC7305/MC7355 Kamal Mostafa
` (89 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Michael S. Tsirkin, Bjorn Helgaas, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: "Michael S. Tsirkin" <mst@redhat.com>
commit c9ddbac9c89110f77cb0fa07e634aaf1194899aa upstream.
09a2c73ddfc7 ("PCI: Remove unused PCI_MSIX_FLAGS_BIRMASK definition")
removed PCI_MSIX_FLAGS_BIRMASK from an exported header because it was
unused in the kernel. But that breaks user programs that were using it
(QEMU in particular).
Restore the PCI_MSIX_FLAGS_BIRMASK definition.
[bhelgaas: changelog]
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
include/uapi/linux/pci_regs.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/uapi/linux/pci_regs.h b/include/uapi/linux/pci_regs.h
index 4a1d0cc..7dd8d80 100644
--- a/include/uapi/linux/pci_regs.h
+++ b/include/uapi/linux/pci_regs.h
@@ -319,6 +319,7 @@
#define PCI_MSIX_PBA 8 /* Pending Bit Array offset */
#define PCI_MSIX_PBA_BIR 0x00000007 /* BAR index */
#define PCI_MSIX_PBA_OFFSET 0xfffffff8 /* Offset into specified BAR */
+#define PCI_MSIX_FLAGS_BIRMASK PCI_MSIX_PBA_BIR /* deprecated */
#define PCI_CAP_MSIX_SIZEOF 12 /* size of MSIX registers */
/* MSI-X Table entry format */
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 013/102] USB: qcserial/option: make AT URCs work for Sierra Wireless MC7305/MC7355
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (12 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 012/102] PCI: Restore PCI_MSIX_FLAGS_BIRMASK definition Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 014/102] USB: qcserial: Add support for Dell Wireless 5809e 4G Modem Kamal Mostafa
` (88 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Reinhard Speyerer, Johan Hovold, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Reinhard Speyerer <rspmn@arcor.de>
commit 653cdc13a340ad1cef29f1bab0d05d0771fa1d57 upstream.
Tests with a Sierra Wireless MC7355 have shown that 1199:9041 devices
also require the option_send_setup() code to be used on the USB
interface for the AT port to make unsolicited response codes work
correctly. Move these devices from the qcserial driver to the option
driver like it has been done for the 1199:68c0 devices in commit
d80c0d14183516f184a5ac88e11008ee4c7d2a2e ("USB: qcserial/option: make
AT URCs work for Sierra Wireless MC73xx").
Signed-off-by: Reinhard Speyerer <rspmn@arcor.de>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/usb/serial/option.c | 2 ++
drivers/usb/serial/qcserial.c | 1 -
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
index c8c4e50..463feb8 100644
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1107,6 +1107,8 @@ static const struct usb_device_id option_ids[] = {
{ USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9000)}, /* SIMCom SIM5218 */
{ USB_DEVICE_INTERFACE_CLASS(SIERRA_VENDOR_ID, 0x68c0, 0xff),
.driver_info = (kernel_ulong_t)&sierra_mc73xx_blacklist }, /* MC73xx */
+ { USB_DEVICE_INTERFACE_CLASS(SIERRA_VENDOR_ID, 0x9041, 0xff),
+ .driver_info = (kernel_ulong_t)&sierra_mc73xx_blacklist }, /* MC7305/MC7355 */
{ USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) },
{ USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) },
{ USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6003),
diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c
index 9c63897..552dc9a 100644
--- a/drivers/usb/serial/qcserial.c
+++ b/drivers/usb/serial/qcserial.c
@@ -145,7 +145,6 @@ static const struct usb_device_id id_table[] = {
{DEVICE_SWI(0x1199, 0x901c)}, /* Sierra Wireless EM7700 */
{DEVICE_SWI(0x1199, 0x901f)}, /* Sierra Wireless EM7355 */
{DEVICE_SWI(0x1199, 0x9040)}, /* Sierra Wireless Modem */
- {DEVICE_SWI(0x1199, 0x9041)}, /* Sierra Wireless MC7305/MC7355 */
{DEVICE_SWI(0x1199, 0x9051)}, /* Netgear AirCard 340U */
{DEVICE_SWI(0x1199, 0x9053)}, /* Sierra Wireless Modem */
{DEVICE_SWI(0x1199, 0x9054)}, /* Sierra Wireless Modem */
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 014/102] USB: qcserial: Add support for Dell Wireless 5809e 4G Modem
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (13 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 013/102] USB: qcserial/option: make AT URCs work for Sierra Wireless MC7305/MC7355 Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 015/102] nfsd: Drop BUG_ON and ignore SECLABEL on absent filesystem Kamal Mostafa
` (87 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Pieter Hollants, Johan Hovold, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Pieter Hollants <pieter@hollants.com>
commit 6da3700c98cdc8360f55c5510915efae1d66deea upstream.
Added the USB IDs 0x413c:0x81b1 for the "Dell Wireless 5809e Gobi(TM) 4G
LTE Mobile Broadband Card", a Dell-branded Sierra Wireless EM7305 LTE
card in M.2 form factor, used eg. in Dell's Latitude E7540 Notebook
series.
"lsusb -v" output for this device:
Bus 002 Device 003: ID 413c:81b1 Dell Computer Corp.
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x413c Dell Computer Corp.
idProduct 0x81b1
bcdDevice 0.06
iManufacturer 1 Sierra Wireless, Incorporated
iProduct 2 Dell Wireless 5809e Gobi™ 4G LTE Mobile Broadband Card
iSerial 3
bNumConfigurations 2
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 204
bNumInterfaces 4
bConfigurationValue 1
iConfiguration 0
bmAttributes 0xe0
Self Powered
Remote Wakeup
MaxPower 500mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 255 Vendor Specific Subclass
bInterfaceProtocol 255 Vendor Specific Protocol
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 2
bAlternateSetting 0
bNumEndpoints 3
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 0
bInterfaceProtocol 0
iInterface 0
** UNRECOGNIZED: 05 24 00 10 01
** UNRECOGNIZED: 05 24 01 00 00
** UNRECOGNIZED: 04 24 02 02
** UNRECOGNIZED: 05 24 06 00 00
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x83 EP 3 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x000c 1x 12 bytes
bInterval 9
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x82 EP 2 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x02 EP 2 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 3
bAlternateSetting 0
bNumEndpoints 3
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 0
bInterfaceProtocol 0
iInterface 0
** UNRECOGNIZED: 05 24 00 10 01
** UNRECOGNIZED: 05 24 01 00 00
** UNRECOGNIZED: 04 24 02 02
** UNRECOGNIZED: 05 24 06 00 00
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x85 EP 5 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x000c 1x 12 bytes
bInterval 9
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x84 EP 4 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x03 EP 3 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 8
bAlternateSetting 0
bNumEndpoints 3
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 255 Vendor Specific Subclass
bInterfaceProtocol 255 Vendor Specific Protocol
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x87 EP 7 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x000a 1x 10 bytes
bInterval 9
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x86 EP 6 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x04 EP 4 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
** UNRECOGNIZED: 2c ff 42 49 53 54 00 01 07 f5 40 f6 00 00 00 00 01 f7 c4 09 02 f8 c4 09 03 f9 88 13 04 fa 10 27 05 fb 10 27 06 fc c4 09 07 fd c4 09
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 95
bNumInterfaces 2
bConfigurationValue 2
iConfiguration 0
bmAttributes 0xe0
Self Powered
Remote Wakeup
MaxPower 500mA
Interface Association:
bLength 8
bDescriptorType 11
bFirstInterface 12
bInterfaceCount 2
bFunctionClass 2 Communications
bFunctionSubClass 14
bFunctionProtocol 0
iFunction 0
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 12
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 2 Communications
bInterfaceSubClass 14
bInterfaceProtocol 0
iInterface 0
CDC Header:
bcdCDC 1.10
CDC Union:
bMasterInterface 12
bSlaveInterface 13
CDC MBIM:
bcdMBIMVersion 1.00
wMaxControlMessage 4096
bNumberFilters 32
bMaxFilterSize 128
wMaxSegmentSize 1500
bmNetworkCapabilities 0x20
8-byte ntb input size
CDC MBIM Extended:
bcdMBIMExtendedVersion 1.00
bMaxOutstandingCommandMessages 64
wMTU 1500
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x82 EP 2 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 9
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 13
bAlternateSetting 0
bNumEndpoints 0
bInterfaceClass 10 CDC Data
bInterfaceSubClass 0
bInterfaceProtocol 2
iInterface 0
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 13
bAlternateSetting 1
bNumEndpoints 2
bInterfaceClass 10 CDC Data
bInterfaceSubClass 0
bInterfaceProtocol 2
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Device Qualifier (for other device speed):
bLength 10
bDescriptorType 6
bcdUSB 2.00
bDeviceClass 0
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
bNumConfigurations 2
Device Status: 0x0000
(Bus Powered)
Signed-off-by: Pieter Hollants <pieter@hollants.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/usb/serial/qcserial.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c
index 552dc9a..d156545 100644
--- a/drivers/usb/serial/qcserial.c
+++ b/drivers/usb/serial/qcserial.c
@@ -157,6 +157,7 @@ static const struct usb_device_id id_table[] = {
{DEVICE_SWI(0x413c, 0x81a4)}, /* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card */
{DEVICE_SWI(0x413c, 0x81a8)}, /* Dell Wireless 5808 Gobi(TM) 4G LTE Mobile Broadband Card */
{DEVICE_SWI(0x413c, 0x81a9)}, /* Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card */
+ {DEVICE_SWI(0x413c, 0x81b1)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card */
/* Huawei devices */
{DEVICE_HWI(0x03f0, 0x581d)}, /* HP lt4112 LTE/HSPA+ Gobi 4G Modem (Huawei me906e) */
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 015/102] nfsd: Drop BUG_ON and ignore SECLABEL on absent filesystem
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (14 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 014/102] USB: qcserial: Add support for Dell Wireless 5809e 4G Modem Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 016/102] usb: chipidea: ehci_init_driver is intended to call one time Kamal Mostafa
` (86 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Kinglong Mee, J. Bruce Fields, Luis Henriques, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Kinglong Mee <kinglongmee@gmail.com>
commit c2227a39a078473115910512aa0f8d53bd915e60 upstream.
On an absent filesystem (one served by another server), we need to be
able to handle requests for certain attributest (like fs_locations, so
the client can find out which server does have the filesystem), but
others we can't.
We forgot to take that into account when adding another attribute
bitmask work for the SECURITY_LABEL attribute.
There an export entry with the "refer" option can result in:
[ 88.414272] kernel BUG at fs/nfsd/nfs4xdr.c:2249!
[ 88.414828] invalid opcode: 0000 [#1] SMP
[ 88.415368] Modules linked in: rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache nfsd xfs libcrc32c iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi iosf_mbi ppdev btrfs coretemp crct10dif_pclmul crc32_pclmul crc32c_intel xor ghash_clmulni_intel raid6_pq vmw_balloon parport_pc parport i2c_piix4 shpchp vmw_vmci acpi_cpufreq auth_rpcgss nfs_acl lockd grace sunrpc vmwgfx drm_kms_helper ttm drm mptspi mptscsih serio_raw mptbase e1000 scsi_transport_spi ata_generic pata_acpi [last unloaded: nfsd]
[ 88.417827] CPU: 0 PID: 2116 Comm: nfsd Not tainted 4.0.7-300.fc22.x86_64 #1
[ 88.418448] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/20/2014
[ 88.419093] task: ffff880079146d50 ti: ffff8800785d8000 task.ti: ffff8800785d8000
[ 88.419729] RIP: 0010:[<ffffffffa04b3c10>] [<ffffffffa04b3c10>] nfsd4_encode_fattr+0x820/0x1f00 [nfsd]
[ 88.420376] RSP: 0000:ffff8800785db998 EFLAGS: 00010206
[ 88.421027] RAX: 0000000000000001 RBX: 000000000018091a RCX: ffff88006668b980
[ 88.421676] RDX: 00000000fffef7fc RSI: 0000000000000000 RDI: ffff880078d05000
[ 88.422315] RBP: ffff8800785dbb58 R08: ffff880078d043f8 R09: ffff880078d4a000
[ 88.422968] R10: 0000000000010000 R11: 0000000000000002 R12: 0000000000b0a23a
[ 88.423612] R13: ffff880078d05000 R14: ffff880078683100 R15: ffff88006668b980
[ 88.424295] FS: 0000000000000000(0000) GS:ffff88007c600000(0000) knlGS:0000000000000000
[ 88.424944] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 88.425597] CR2: 00007f40bc370f90 CR3: 0000000035af5000 CR4: 00000000001407f0
[ 88.426285] Stack:
[ 88.426921] ffff8800785dbaa8 ffffffffa049e4af ffff8800785dba08 ffffffff813298f0
[ 88.427585] ffff880078683300 ffff8800769b0de8 0000089d00000001 0000000087f805e0
[ 88.428228] ffff880000000000 ffff880079434a00 0000000000000000 ffff88006668b980
[ 88.428877] Call Trace:
[ 88.429527] [<ffffffffa049e4af>] ? exp_get_by_name+0x7f/0xb0 [nfsd]
[ 88.430168] [<ffffffff813298f0>] ? inode_doinit_with_dentry+0x210/0x6a0
[ 88.430807] [<ffffffff8123833e>] ? d_lookup+0x2e/0x60
[ 88.431449] [<ffffffff81236133>] ? dput+0x33/0x230
[ 88.432097] [<ffffffff8123f214>] ? mntput+0x24/0x40
[ 88.432719] [<ffffffff812272b2>] ? path_put+0x22/0x30
[ 88.433340] [<ffffffffa049ac87>] ? nfsd_cross_mnt+0xb7/0x1c0 [nfsd]
[ 88.433954] [<ffffffffa04b54e0>] nfsd4_encode_dirent+0x1b0/0x3d0 [nfsd]
[ 88.434601] [<ffffffffa04b5330>] ? nfsd4_encode_getattr+0x40/0x40 [nfsd]
[ 88.435172] [<ffffffffa049c991>] nfsd_readdir+0x1c1/0x2a0 [nfsd]
[ 88.435710] [<ffffffffa049a530>] ? nfsd_direct_splice_actor+0x20/0x20 [nfsd]
[ 88.436447] [<ffffffffa04abf30>] nfsd4_encode_readdir+0x120/0x220 [nfsd]
[ 88.437011] [<ffffffffa04b58cd>] nfsd4_encode_operation+0x7d/0x190 [nfsd]
[ 88.437566] [<ffffffffa04aa6dd>] nfsd4_proc_compound+0x24d/0x6f0 [nfsd]
[ 88.438157] [<ffffffffa0496103>] nfsd_dispatch+0xc3/0x220 [nfsd]
[ 88.438680] [<ffffffffa006f0cb>] svc_process_common+0x43b/0x690 [sunrpc]
[ 88.439192] [<ffffffffa0070493>] svc_process+0x103/0x1b0 [sunrpc]
[ 88.439694] [<ffffffffa0495a57>] nfsd+0x117/0x190 [nfsd]
[ 88.440194] [<ffffffffa0495940>] ? nfsd_destroy+0x90/0x90 [nfsd]
[ 88.440697] [<ffffffff810bb728>] kthread+0xd8/0xf0
[ 88.441260] [<ffffffff810bb650>] ? kthread_worker_fn+0x180/0x180
[ 88.441762] [<ffffffff81789e58>] ret_from_fork+0x58/0x90
[ 88.442322] [<ffffffff810bb650>] ? kthread_worker_fn+0x180/0x180
[ 88.442879] Code: 0f 84 93 05 00 00 83 f8 ea c7 85 a0 fe ff ff 00 00 27 30 0f 84 ba fe ff ff 85 c0 0f 85 a5 fe ff ff e9 e3 f9 ff ff 0f 1f 44 00 00 <0f> 0b 66 0f 1f 44 00 00 be 04 00 00 00 4c 89 ef 4c 89 8d 68 fe
[ 88.444052] RIP [<ffffffffa04b3c10>] nfsd4_encode_fattr+0x820/0x1f00 [nfsd]
[ 88.444658] RSP <ffff8800785db998>
[ 88.445232] ---[ end trace 6cb9d0487d94a29f ]---
Signed-off-by: Kinglong Mee <kinglongmee@gmail.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
[ luis: backported to 3.16: adjusted context ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
fs/nfsd/nfs4xdr.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index 281d126..043ed3f 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -1991,6 +1991,7 @@ nfsd4_encode_aclname(struct xdr_stream *xdr, struct svc_rqst *rqstp,
#define WORD0_ABSENT_FS_ATTRS (FATTR4_WORD0_FS_LOCATIONS | FATTR4_WORD0_FSID | \
FATTR4_WORD0_RDATTR_ERROR)
#define WORD1_ABSENT_FS_ATTRS FATTR4_WORD1_MOUNTED_ON_FILEID
+#define WORD2_ABSENT_FS_ATTRS 0
#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
static inline __be32
@@ -2019,7 +2020,7 @@ nfsd4_encode_security_label(struct xdr_stream *xdr, struct svc_rqst *rqstp,
{ return 0; }
#endif
-static __be32 fattr_handle_absent_fs(u32 *bmval0, u32 *bmval1, u32 *rdattr_err)
+static __be32 fattr_handle_absent_fs(u32 *bmval0, u32 *bmval1, u32 *bmval2, u32 *rdattr_err)
{
/* As per referral draft: */
if (*bmval0 & ~WORD0_ABSENT_FS_ATTRS ||
@@ -2032,6 +2033,7 @@ static __be32 fattr_handle_absent_fs(u32 *bmval0, u32 *bmval1, u32 *rdattr_err)
}
*bmval0 &= WORD0_ABSENT_FS_ATTRS;
*bmval1 &= WORD1_ABSENT_FS_ATTRS;
+ *bmval2 &= WORD2_ABSENT_FS_ATTRS;
return 0;
}
@@ -2095,8 +2097,7 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp,
BUG_ON(bmval2 & ~nfsd_suppattrs2(minorversion));
if (exp->ex_fslocs.migrated) {
- BUG_ON(bmval[2]);
- status = fattr_handle_absent_fs(&bmval0, &bmval1, &rdattr_err);
+ status = fattr_handle_absent_fs(&bmval0, &bmval1, &bmval2, &rdattr_err);
if (status)
goto out;
}
@@ -2139,8 +2140,8 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp,
}
#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
- if ((bmval[2] & FATTR4_WORD2_SECURITY_LABEL) ||
- bmval[0] & FATTR4_WORD0_SUPPORTED_ATTRS) {
+ if ((bmval2 & FATTR4_WORD2_SECURITY_LABEL) ||
+ bmval0 & FATTR4_WORD0_SUPPORTED_ATTRS) {
err = security_inode_getsecctx(dentry->d_inode,
&context, &contextlen);
contextsupport = (err == 0);
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 016/102] usb: chipidea: ehci_init_driver is intended to call one time
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (15 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 015/102] nfsd: Drop BUG_ON and ignore SECLABEL on absent filesystem Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 017/102] crypto: qat - Fix invalid synchronization between register/unregister sym algs Kamal Mostafa
` (85 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Jun Li, Alan Stern, Peter Chen, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Chen <peter.chen@freescale.com>
commit 2f01a33bd26545c16fea7592697f7f15c416402b upstream.
The ehci_init_driver is used to initialize hcd APIs for each
ehci controller driver, it is designed to be called only one time
and before driver register is called. The current design will
cause ehci_init_driver is called multiple times at probe process,
it will cause hc_driver's initialization affect current running hcd.
We run out NULL pointer dereference problem when one hcd is started
by module_init, and the other is started by otg thread at SMP platform.
The reason for this problem is ehci_init_driver will do memory copy
for current uniform hc_driver, and this memory copy will do memset (as 0)
first, so when the first hcd is running usb_add_hcd, and the second
hcd may clear the uniform hc_driver's space (at ehci_init_driver),
then the first hcd will meet NULL pointer at the same time.
See below two logs:
LOG_1:
ci_hdrc ci_hdrc.0: EHCI Host Controller
ci_hdrc ci_hdrc.0: new USB bus registered, assigned bus number 1
ci_hdrc ci_hdrc.1: doesn't support gadget
Unable to handle kernel NULL pointer dereference at virtual address 00000014
pgd = 80004000
[00000014] *pgd=00000000
Internal error: Oops: 805 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 0 PID: 108 Comm: kworker/u8:2 Not tainted 3.14.38-222193-g24b2734-dirty #25
Workqueue: ci_otg ci_otg_work
task: d839ec00 ti: d8400000 task.ti: d8400000
PC is at ehci_run+0x4c/0x284
LR is at _raw_spin_unlock_irqrestore+0x28/0x54
pc : [<8041f9a0>] lr : [<8070ea84>] psr: 60000113
sp : d8401e30 ip : 00000000 fp : d8004400
r10: 00000001 r9 : 00000001 r8 : 00000000
r7 : 00000000 r6 : d8419940 r5 : 80dd24c0 r4 : d8419800
r3 : 8001d060 r2 : 00000000 r1 : 00000001 r0 : 00000000
Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel
Control: 10c53c7d Table: 1000404a DAC: 00000015
Process kworker/u8:2 (pid: 108, stack limit = 0xd8400238)
Stack: (0xd8401e30 to 0xd8402000)
1e20: d87523c0 d8401e48 66667562 d8419800
1e40: 00000000 00000000 d8419800 00000000 00000000 00000000 d84198b0 8040fcdc
1e60: 00000000 80dd320c d8477610 d8419c00 d803d010 d8419800 00000000 00000000
1e80: d8004400 00000000 d8400008 80431494 80431374 d803d100 d803d010 d803d1ac
1ea0: 00000000 80432428 804323d4 d803d100 00000001 80435eb8 80e0d0bc d803d100
1ec0: 00000006 80436458 00000000 d803d100 80e92ec8 80436f44 d803d010 d803d100
1ee0: d83fde00 8043292c d8752710 d803d1f4 d803d010 8042ddfc 8042ddb8 d83f3b00
1f00: d803d1f4 80042b60 00000000 00000003 00000001 00000001 80054598 d83f3b00
1f20: d8004400 d83f3b18 d8004414 d8400000 80e3957b 00000089 d8004400 80043814
1f40: d839ec00 00000000 d83fcd80 d83f3b00 800436e4 00000000 00000000 00000000
1f60: 00000000 80048f34 00000000 00000000 00000000 d83f3b00 00000000 00000000
1f80: d8401f80 d8401f80 00000000 00000000 d8401f90 d8401f90 d8401fac d83fcd80
1fa0: 80048e68 00000000 00000000 8000e538 00000000 00000000 00000000 00000000
1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
[<8041f9a0>] (ehci_run) from [<8040fcdc>] (usb_add_hcd+0x248/0x6e8)
[<8040fcdc>] (usb_add_hcd) from [<80431494>] (host_start+0x120/0x2e4)
[<80431494>] (host_start) from [<80432428>] (ci_otg_start_host+0x54/0xbc)
[<80432428>] (ci_otg_start_host) from [<80435eb8>] (otg_set_protocol+0xa4/0xd0)
[<80435eb8>] (otg_set_protocol) from [<80436458>] (otg_set_state+0x574/0xc58)
[<80436458>] (otg_set_state) from [<80436f44>] (otg_statemachine+0x408/0x46c)
[<80436f44>] (otg_statemachine) from [<8043292c>] (ci_otg_fsm_work+0x3c/0x190)
[<8043292c>] (ci_otg_fsm_work) from [<8042ddfc>] (ci_otg_work+0x44/0x1c4)
[<8042ddfc>] (ci_otg_work) from [<80042b60>] (process_one_work+0xf4/0x35c)
[<80042b60>] (process_one_work) from [<80043814>] (worker_thread+0x130/0x3bc)
[<80043814>] (worker_thread) from [<80048f34>] (kthread+0xcc/0xe4)
[<80048f34>] (kthread) from [<8000e538>] (ret_from_fork+0x14/0x3c)
Code: e5953018 e3530000 0a000000 e12fff33 (e5878014)
LOG_2:
ci_hdrc ci_hdrc.0: EHCI Host Controller
ci_hdrc ci_hdrc.0: new USB bus registered, assigned bus number 1
ci_hdrc ci_hdrc.1: doesn't support gadget
Unable to handle kernel NULL pointer dereference at virtual address 00000000
pgd = 80004000
[00000000] *pgd=00000000
In Online 00:00ternal e Offline rror: Oops: 80000005 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 0 PID: 108 Comm: kworker/u8:2 Not tainted 3.14.38-02007-g24b2734-dirty #127
Workque Online 00:00ue: ci_o Offline tg ci_otg_work
Online 00:00task: d8 Offline 39ec00 ti: d83ea000 task.ti: d83ea000
PC is at 0x0
LR is at usb_add_hcd+0x248/0x6e8
pc : [<00000000>] lr : [<8040f644>] psr: 60000113
sp : d83ebe60 ip : 00000000 fp : d8004400
r10: 00000001 r9 : 00000001 r8 : d85fd4b0
r7 : 00000000 r6 : 00000000 r5 : 00000000 r4 : d85fd400
r3 : 00000000 r2 : d85fd4f4 r1 : 80410178 r0 : d85fd400
Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel
Control: 10c53c7d Table: 1000404a DAC: 00000015
Process kworker/u8:2 (pid: 108, stack limit = 0xd83ea238)
Stack: (0xd83ebe60 to 0xd83ec000)
be60: 00000000 80dd920c d8654e10 d85fd800 d803e010 d85fd400 00000000 00000000
be80: d8004400 00000000 d83ea008 80430e34 80430d14 d803e100 d803e010 d803e1ac
bea0: 00000000 80431dc8 80431d74 d803e100 00000001 80435858 80e130bc d803e100
bec0: 00000006 80435df8 00000000 d803e100 80e98ec8 804368e4 d803e010 d803e100
bee0: d86e8100 804322cc d86cf050 d803e1f4 d803e010 8042d79c 8042d758 d83cf900
bf00: d803e1f4 80042b78 00000000 00000003 00000001 00000001 800545e8 d83cf900
bf20: d8004400 d83cf918 d8004414 d83ea000 80e3f57b 00000089 d8004400 8004382c
bf40: d839ec00 00000000 d8393780 d83cf900 800436fc 00000000 00000000 00000000
bf60: 00000000 80048f50 80e019f4 00000000 0000264c d83cf900 00000000 00000000
bf80: d83ebf80 d83ebf80 00000000 00000000 d83ebf90 d83ebf90 d83ebfac d8393780
bfa0: 80048e84 00000000 00000000 8000e538 00000000 00000000 00000000 00000000
bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
bfe0: 00000000 00000000 00000000 00000000 00000013 00000000 ee66e85d 133ebd03
[<804 Online 00:000f644>] Offline (usb_add_hcd) from [<80430e34>] (host_start+0x120/0x2e4)
[<80430e34>] (host_start) from [<80431dc8>] (ci_otg_start_host+0x54/0xbc)
[<80431dc8>] (ci_otg_start_host) from [<80435858>] (otg_set_protocol+0xa4/0xd0)
[<80435858>] (otg_set_protocol) from [<80435df8>] (otg_set_state+0x574/0xc58)
[<80435df8>] (otg_set_state) from [<804368e4>] (otg_statemachine+0x408/0x46c)
[<804368e4>] (otg_statemachine) from [<804322cc>] (ci_otg_fsm_work+0x3c/0x190)
[<804322cc>] (ci_otg_fsm_work) from [<8042d79c>] (ci_otg_work+0x44/0x1c4)
[<8042d79c>] (ci_otg_work) from [<80042b78>] (process_one_work+0xf4/0x35c)
[<80042b78>] (process_one_work) from [<8004382c>] (worker_thread+0x130/0x3bc)
[<8004382c>] (worker_thread) from [<80048f50>] (kthread+0xcc/0xe4)
[<80048f50>] (kthread) from [<8000e538>] (ret_from_fork+0x14/0x3c)
Code: bad PC value
Cc: Jun Li <jun.li@freescale.com>
Cc: Alan Stern <stern@rowland.harvard.edu>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Peter Chen <peter.chen@freescale.com>
[ kamal: backport to 3.19-stable: context ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/usb/chipidea/core.c | 13 ++++++++++++-
drivers/usb/chipidea/host.c | 7 +++++--
drivers/usb/chipidea/host.h | 6 ++++++
3 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/chipidea/core.c b/drivers/usb/chipidea/core.c
index a57dc88..714da17 100644
--- a/drivers/usb/chipidea/core.c
+++ b/drivers/usb/chipidea/core.c
@@ -871,7 +871,18 @@ static struct platform_driver ci_hdrc_driver = {
},
};
-module_platform_driver(ci_hdrc_driver);
+static int __init ci_hdrc_platform_register(void)
+{
+ ci_hdrc_host_driver_init();
+ return platform_driver_register(&ci_hdrc_driver);
+}
+module_init(ci_hdrc_platform_register);
+
+static void __exit ci_hdrc_platform_unregister(void)
+{
+ platform_driver_unregister(&ci_hdrc_driver);
+}
+module_exit(ci_hdrc_platform_unregister);
MODULE_ALIAS("platform:ci_hdrc");
MODULE_LICENSE("GPL v2");
diff --git a/drivers/usb/chipidea/host.c b/drivers/usb/chipidea/host.c
index 48731d0..d0162d3 100644
--- a/drivers/usb/chipidea/host.c
+++ b/drivers/usb/chipidea/host.c
@@ -175,7 +175,10 @@ int ci_hdrc_host_init(struct ci_hdrc *ci)
rdrv->name = "host";
ci->roles[CI_ROLE_HOST] = rdrv;
- ehci_init_driver(&ci_ehci_hc_driver, &ehci_ci_overrides);
-
return 0;
}
+
+void ci_hdrc_host_driver_init(void)
+{
+ ehci_init_driver(&ci_ehci_hc_driver, &ehci_ci_overrides);
+}
diff --git a/drivers/usb/chipidea/host.h b/drivers/usb/chipidea/host.h
index 5707bf3..0f12f13 100644
--- a/drivers/usb/chipidea/host.h
+++ b/drivers/usb/chipidea/host.h
@@ -5,6 +5,7 @@
int ci_hdrc_host_init(struct ci_hdrc *ci);
void ci_hdrc_host_destroy(struct ci_hdrc *ci);
+void ci_hdrc_host_driver_init(void);
#else
@@ -18,6 +19,11 @@ static inline void ci_hdrc_host_destroy(struct ci_hdrc *ci)
}
+static void ci_hdrc_host_driver_init(void)
+{
+
+}
+
#endif
#endif /* __DRIVERS_USB_CHIPIDEA_HOST_H */
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 017/102] crypto: qat - Fix invalid synchronization between register/unregister sym algs
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (16 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 016/102] usb: chipidea: ehci_init_driver is intended to call one time Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 018/102] crypto: ixp4xx - Remove bogus BUG_ON on scattered dst buffer Kamal Mostafa
` (84 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Tadeusz Struk, Herbert Xu, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Tadeusz Struk <tadeusz.struk@intel.com>
commit 6f043b50da8e03bdcc5703fd37ea45bc6892432f upstream.
The synchronization method used atomic was bogus.
Use a proper synchronization with mutex.
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[ kamal: backport to 3.19-stable: context ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/crypto/qat/qat_common/qat_algs.c | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/drivers/crypto/qat/qat_common/qat_algs.c b/drivers/crypto/qat/qat_common/qat_algs.c
index 19eea1c..8f4b6f1 100644
--- a/drivers/crypto/qat/qat_common/qat_algs.c
+++ b/drivers/crypto/qat/qat_common/qat_algs.c
@@ -73,7 +73,8 @@
ICP_QAT_HW_CIPHER_KEY_CONVERT, \
ICP_QAT_HW_CIPHER_DECRYPT)
-static atomic_t active_dev;
+static DEFINE_MUTEX(algs_lock);
+static unsigned int active_devs;
struct qat_alg_buf {
uint32_t len;
@@ -962,27 +963,34 @@ static struct crypto_alg qat_algs[] = { {
int qat_algs_register(void)
{
- if (atomic_add_return(1, &active_dev) == 1) {
+ int ret = 0;
+
+ mutex_lock(&algs_lock);
+ if (++active_devs == 1) {
int i;
for (i = 0; i < ARRAY_SIZE(qat_algs); i++)
qat_algs[i].cra_flags = CRYPTO_ALG_TYPE_AEAD |
CRYPTO_ALG_ASYNC;
- return crypto_register_algs(qat_algs, ARRAY_SIZE(qat_algs));
+ ret = crypto_register_algs(qat_algs, ARRAY_SIZE(qat_algs));
}
- return 0;
+ mutex_unlock(&algs_lock);
+ return ret;
}
int qat_algs_unregister(void)
{
- if (atomic_sub_return(1, &active_dev) == 0)
- return crypto_unregister_algs(qat_algs, ARRAY_SIZE(qat_algs));
- return 0;
+ int ret = 0;
+
+ mutex_lock(&algs_lock);
+ if (--active_devs == 0)
+ ret = crypto_unregister_algs(qat_algs, ARRAY_SIZE(qat_algs));
+ mutex_unlock(&algs_lock);
+ return ret;
}
int qat_algs_init(void)
{
- atomic_set(&active_dev, 0);
crypto_get_default_rng();
return 0;
}
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 018/102] crypto: ixp4xx - Remove bogus BUG_ON on scattered dst buffer
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (17 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 017/102] crypto: qat - Fix invalid synchronization between register/unregister sym algs Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 019/102] mfd: arizona: Fix initialisation of the PM runtime Kamal Mostafa
` (83 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Herbert Xu, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
commit f898c522f0e9ac9f3177d0762b76e2ab2d2cf9c0 upstream.
This patch removes a bogus BUG_ON in the ablkcipher path that
triggers when the destination buffer is different from the source
buffer and is scattered.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/crypto/ixp4xx_crypto.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/crypto/ixp4xx_crypto.c b/drivers/crypto/ixp4xx_crypto.c
index f757a0f..3beed38 100644
--- a/drivers/crypto/ixp4xx_crypto.c
+++ b/drivers/crypto/ixp4xx_crypto.c
@@ -904,7 +904,6 @@ static int ablk_perform(struct ablkcipher_request *req, int encrypt)
crypt->mode |= NPE_OP_NOT_IN_PLACE;
/* This was never tested by Intel
* for more than one dst buffer, I think. */
- BUG_ON(req->dst->length < nbytes);
req_ctx->dst = NULL;
if (!chainup_buffers(dev, req->dst, nbytes, &dst_hook,
flags, DMA_FROM_DEVICE))
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 019/102] mfd: arizona: Fix initialisation of the PM runtime
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (18 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 018/102] crypto: ixp4xx - Remove bogus BUG_ON on scattered dst buffer Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 020/102] xen-blkfront: don't add indirect pages to list when !feature_persistent Kamal Mostafa
` (82 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Charles Keepax, Lee Jones, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
commit 72e43164fd472f6c2659c8313b87da962322dbcf upstream.
The PM runtime core by default assumes a chip is suspended when runtime
PM is enabled. Currently the arizona driver enables runtime PM when the
chip is fully active and then disables the DCVDD regulator at the end of
arizona_dev_init. This however has several problems, firstly the if we
reach the end of arizona_dev_init, we did not properly follow all the
proceedures for shutting down the chip, and most notably we never marked
the chip as cache only so any writes occurring between then and the next
PM runtime resume will be lost. Secondly, if we are already resumed when
we reach the end of dev_init, then at best we get unbalanced regulator
enable/disables at work we lose DCVDD whilst we need it.
Additionally, since the commit 4f0216409f7c ("mfd: arizona: Add better
support for system suspend"), the PM runtime operations may
disable/enable the IRQ, so the IRQs must now be enabled before we call
any PM operations.
This patch adds a call to pm_runtime_set_active to inform the PM core
that the device is starting up active and moves the PM enabling to
around the IRQ initialisation to avoid any PM callbacks happening until
the IRQs are initialised.
Signed-off-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/mfd/arizona-core.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/drivers/mfd/arizona-core.c b/drivers/mfd/arizona-core.c
index 09ba8f1..be357a6 100644
--- a/drivers/mfd/arizona-core.c
+++ b/drivers/mfd/arizona-core.c
@@ -892,10 +892,6 @@ int arizona_dev_init(struct arizona *arizona)
arizona->pdata.gpio_defaults[i]);
}
- pm_runtime_set_autosuspend_delay(arizona->dev, 100);
- pm_runtime_use_autosuspend(arizona->dev);
- pm_runtime_enable(arizona->dev);
-
/* Chip default */
if (!arizona->pdata.clk32k_src)
arizona->pdata.clk32k_src = ARIZONA_32KZ_MCLK2;
@@ -992,11 +988,17 @@ int arizona_dev_init(struct arizona *arizona)
arizona->pdata.spk_fmt[i]);
}
+ pm_runtime_set_active(arizona->dev);
+ pm_runtime_enable(arizona->dev);
+
/* Set up for interrupts */
ret = arizona_irq_init(arizona);
if (ret != 0)
goto err_reset;
+ pm_runtime_set_autosuspend_delay(arizona->dev, 100);
+ pm_runtime_use_autosuspend(arizona->dev);
+
arizona_request_irq(arizona, ARIZONA_IRQ_CLKGEN_ERR, "CLKGEN error",
arizona_clkgen_err, arizona);
arizona_request_irq(arizona, ARIZONA_IRQ_OVERCLOCKED, "Overclocked",
@@ -1024,10 +1026,6 @@ int arizona_dev_init(struct arizona *arizona)
goto err_irq;
}
-#ifdef CONFIG_PM
- regulator_disable(arizona->dcvdd);
-#endif
-
return 0;
err_irq:
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 020/102] xen-blkfront: don't add indirect pages to list when !feature_persistent
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (19 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 019/102] mfd: arizona: Fix initialisation of the PM runtime Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 021/102] xen-blkback: replace work_pending with work_busy in purge_persistent_gnt() Kamal Mostafa
` (81 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Bob Liu, Konrad Rzeszutek Wilk, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Bob Liu <bob.liu@oracle.com>
commit 7b0767502b5db11cb1f0daef2d01f6d71b1192dc upstream.
We should consider info->feature_persistent when adding indirect page to list
info->indirect_pages, else the BUG_ON() in blkif_free() would be triggered.
When we are using persistent grants the indirect_pages list
should always be empty because blkfront has pre-allocated enough
persistent pages to fill all requests on the ring.
Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Signed-off-by: Bob Liu <bob.liu@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/block/xen-blkfront.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/block/xen-blkfront.c b/drivers/block/xen-blkfront.c
index 2236c6f..7afb9ed 100644
--- a/drivers/block/xen-blkfront.c
+++ b/drivers/block/xen-blkfront.c
@@ -1118,8 +1118,10 @@ static void blkif_completion(struct blk_shadow *s, struct blkfront_info *info,
* Add the used indirect page back to the list of
* available pages for indirect grefs.
*/
- indirect_page = pfn_to_page(s->indirect_grants[i]->pfn);
- list_add(&indirect_page->lru, &info->indirect_pages);
+ if (!info->feature_persistent) {
+ indirect_page = pfn_to_page(s->indirect_grants[i]->pfn);
+ list_add(&indirect_page->lru, &info->indirect_pages);
+ }
s->indirect_grants[i]->gref = GRANT_INVALID_REF;
list_add_tail(&s->indirect_grants[i]->node, &info->grants);
}
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 021/102] xen-blkback: replace work_pending with work_busy in purge_persistent_gnt()
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (20 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 020/102] xen-blkfront: don't add indirect pages to list when !feature_persistent Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 022/102] usb: gadget: f_uac2: fix calculation of uac2->p_interval Kamal Mostafa
` (80 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Bob Liu, Konrad Rzeszutek Wilk, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Bob Liu <bob.liu@oracle.com>
commit 53bc7dc004fecf39e0ba70f2f8d120a1444315d3 upstream.
The BUG_ON() in purge_persistent_gnt() will be triggered when previous purge
work haven't finished.
There is a work_pending() before this BUG_ON, but it doesn't account if the work
is still currently running.
Acked-by: Roger Pau Monné <roger.pau@citrix.com>
Signed-off-by: Bob Liu <bob.liu@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
[ kamal: backport to 3.19-stable: context ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/block/xen-blkback/blkback.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
index 63fc7f0..02004e1 100644
--- a/drivers/block/xen-blkback/blkback.c
+++ b/drivers/block/xen-blkback/blkback.c
@@ -350,8 +350,8 @@ static void purge_persistent_gnt(struct xen_blkif *blkif)
return;
}
- if (work_pending(&blkif->persistent_purge_work)) {
- pr_alert_ratelimited(DRV_PFX "Scheduled work from previous purge is still pending, cannot purge list\n");
+ if (work_busy(&blkif->persistent_purge_work)) {
+ pr_alert_ratelimited(DRV_PFX "Scheduled work from previous purge is still busy, cannot purge list\n");
return;
}
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 022/102] usb: gadget: f_uac2: fix calculation of uac2->p_interval
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (21 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 021/102] xen-blkback: replace work_pending with work_busy in purge_persistent_gnt() Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 023/102] hwrng: core - correct error check of kthread_run call Kamal Mostafa
` (79 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Peter Chen, Felipe Balbi, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Chen <peter.chen@freescale.com>
commit c41b7767673cb76adeb2b5fde220209f717ea13c upstream.
The p_interval should be less if the 'bInterval' at the descriptor
is larger, eg, if 'bInterval' is 5 for HS, the p_interval should be
8000 / 16 = 500.
It fixes the patch 9bb87f168931 ("usb: gadget: f_uac2: send
reasonably sized packets")
Fixes: 9bb87f168931 ("usb: gadget: f_uac2: send reasonably sized packets")
Acked-by: Daniel Mack <zonque@gmail.com>
Signed-off-by: Peter Chen <peter.chen@freescale.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/usb/gadget/function/f_uac2.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/gadget/function/f_uac2.c b/drivers/usb/gadget/function/f_uac2.c
index 33e1665..df02947 100644
--- a/drivers/usb/gadget/function/f_uac2.c
+++ b/drivers/usb/gadget/function/f_uac2.c
@@ -1162,14 +1162,14 @@ afunc_set_alt(struct usb_function *fn, unsigned intf, unsigned alt)
factor = 1000;
} else {
ep_desc = &hs_epin_desc;
- factor = 125;
+ factor = 8000;
}
/* pre-compute some values for iso_complete() */
uac2->p_framesize = opts->p_ssize *
num_channels(opts->p_chmask);
rate = opts->p_srate * uac2->p_framesize;
- uac2->p_interval = (1 << (ep_desc->bInterval - 1)) * factor;
+ uac2->p_interval = factor / (1 << (ep_desc->bInterval - 1));
uac2->p_pktsize = min_t(unsigned int, rate / uac2->p_interval,
prm->max_psize);
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 023/102] hwrng: core - correct error check of kthread_run call
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (22 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 022/102] usb: gadget: f_uac2: fix calculation of uac2->p_interval Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 024/102] USB: sierra: add 1199:68AB device ID Kamal Mostafa
` (78 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Martin Schwidefsky, Herbert Xu, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin Schwidefsky <schwidefsky@de.ibm.com>
commit 17fb874dee093139923af8ed36061faa92cc8e79 upstream.
The kthread_run() function can return two different error values
but the hwrng core only checks for -ENOMEM. If the other error
value -EINTR is returned it is assigned to hwrng_fill and later
used on a kthread_stop() call which naturally crashes.
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/char/hw_random/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/char/hw_random/core.c b/drivers/char/hw_random/core.c
index 1500cfd..b98fb25 100644
--- a/drivers/char/hw_random/core.c
+++ b/drivers/char/hw_random/core.c
@@ -361,7 +361,7 @@ static int hwrng_fillfn(void *unused)
static void start_khwrngd(void)
{
hwrng_fill = kthread_run(hwrng_fillfn, NULL, "hwrng");
- if (hwrng_fill == ERR_PTR(-ENOMEM)) {
+ if (IS_ERR(hwrng_fill)) {
pr_err("hwrng_fill thread creation failed");
hwrng_fill = NULL;
}
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 024/102] USB: sierra: add 1199:68AB device ID
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (23 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 023/102] hwrng: core - correct error check of kthread_run call Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 025/102] regmap: regcache-rbtree: Clean new present bits on present bitmap resize Kamal Mostafa
` (77 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Dirk Behme, Lars Melin, Johan Hovold, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Dirk Behme <dirk.behme@de.bosch.com>
commit 74472233233f577eaa0ca6d6e17d9017b6e53150 upstream.
Add support for the Sierra Wireless AR8550 device with
USB descriptor 0x1199, 0x68AB.
It is common with MC879x modules 1199:683c/683d which
also are composite devices with 7 interfaces (0..6)
and also MDM62xx based as the AR8550.
The major difference are only the interface attributes
02/02/01 on interfaces 3 and 4 on the AR8550. They are
vendor specific ff/ff/ff on MC879x modules.
lsusb reports:
Bus 001 Device 004: ID 1199:68ab Sierra Wireless, Inc.
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0 (Defined at Interface level)
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x1199 Sierra Wireless, Inc.
idProduct 0x68ab
bcdDevice 0.06
iManufacturer 3 Sierra Wireless, Incorporated
iProduct 2 AR8550
iSerial 0
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 198
bNumInterfaces 7
bConfigurationValue 1
iConfiguration 1 Sierra Configuration
bmAttributes 0xe0
Self Powered
Remote Wakeup
MaxPower 0mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 255 Vendor Specific Subclass
bInterfaceProtocol 255 Vendor Specific Protocol
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 32
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 32
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 1
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 255 Vendor Specific Subclass
bInterfaceProtocol 255 Vendor Specific Protocol
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x82 EP 2 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 32
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x02 EP 2 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 32
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 2
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 255 Vendor Specific Subclass
bInterfaceProtocol 255 Vendor Specific Protocol
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x83 EP 3 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 32
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x03 EP 3 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 32
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 3
bAlternateSetting 0
bNumEndpoints 3
bInterfaceClass 2 Communications
bInterfaceSubClass 2 Abstract (modem)
bInterfaceProtocol 1 AT-commands (v.25ter)
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x84 EP 4 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 5
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x85 EP 5 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 32
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x04 EP 4 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 32
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 4
bAlternateSetting 0
bNumEndpoints 3
bInterfaceClass 2 Communications
bInterfaceSubClass 2 Abstract (modem)
bInterfaceProtocol 1 AT-commands (v.25ter)
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x86 EP 6 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 5
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x87 EP 7 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 32
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x05 EP 5 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 32
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 5
bAlternateSetting 0
bNumEndpoints 3
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 255 Vendor Specific Subclass
bInterfaceProtocol 255 Vendor Specific Protocol
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x88 EP 8 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 5
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x89 EP 9 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 32
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x06 EP 6 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 32
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 6
bAlternateSetting 0
bNumEndpoints 3
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 255 Vendor Specific Subclass
bInterfaceProtocol 255 Vendor Specific Protocol
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x8a EP 10 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 5
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x8b EP 11 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 32
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x07 EP 7 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 32
Device Qualifier (for other device speed):
bLength 10
bDescriptorType 6
bcdUSB 2.00
bDeviceClass 0 (Defined at Interface level)
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
bNumConfigurations 1
Device Status: 0x0001
Self Powered
Signed-off-by: Dirk Behme <dirk.behme@de.bosch.com>
Cc: Lars Melin <larsm17@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/usb/serial/sierra.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/usb/serial/sierra.c b/drivers/usb/serial/sierra.c
index 46179a0..07d1ecd 100644
--- a/drivers/usb/serial/sierra.c
+++ b/drivers/usb/serial/sierra.c
@@ -289,6 +289,7 @@ static const struct usb_device_id id_table[] = {
{ USB_DEVICE_AND_INTERFACE_INFO(0x1199, 0x68AA, 0xFF, 0xFF, 0xFF),
.driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist
},
+ { USB_DEVICE(0x1199, 0x68AB) }, /* Sierra Wireless AR8550 */
/* AT&T Direct IP LTE modems */
{ USB_DEVICE_AND_INTERFACE_INFO(0x0F3D, 0x68AA, 0xFF, 0xFF, 0xFF),
.driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 025/102] regmap: regcache-rbtree: Clean new present bits on present bitmap resize
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (24 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 024/102] USB: sierra: add 1199:68AB device ID Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 026/102] target/iscsi: Fix double free of a TUR followed by a solicited NOPOUT Kamal Mostafa
` (76 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Guenter Roeck, Mark Brown, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
commit 8ef9724bf9718af81cfc5132253372f79c71b7e2 upstream.
When inserting a new register into a block, the present bit map size is
increased using krealloc. krealloc does not clear the additionally
allocated memory, leaving it filled with random values. Result is that
some registers are considered cached even though this is not the case.
Fix the problem by clearing the additionally allocated memory. Also, if
the bitmap size does not increase, do not reallocate the bitmap at all
to reduce overhead.
Fixes: 3f4ff561bc88 ("regmap: rbtree: Make cache_present bitmap per node")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/base/regmap/regcache-rbtree.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/drivers/base/regmap/regcache-rbtree.c b/drivers/base/regmap/regcache-rbtree.c
index 81751a4..56486d9 100644
--- a/drivers/base/regmap/regcache-rbtree.c
+++ b/drivers/base/regmap/regcache-rbtree.c
@@ -296,11 +296,20 @@ static int regcache_rbtree_insert_to_block(struct regmap *map,
if (!blk)
return -ENOMEM;
- present = krealloc(rbnode->cache_present,
- BITS_TO_LONGS(blklen) * sizeof(*present), GFP_KERNEL);
- if (!present) {
- kfree(blk);
- return -ENOMEM;
+ if (BITS_TO_LONGS(blklen) > BITS_TO_LONGS(rbnode->blklen)) {
+ present = krealloc(rbnode->cache_present,
+ BITS_TO_LONGS(blklen) * sizeof(*present),
+ GFP_KERNEL);
+ if (!present) {
+ kfree(blk);
+ return -ENOMEM;
+ }
+
+ memset(present + BITS_TO_LONGS(rbnode->blklen), 0,
+ (BITS_TO_LONGS(blklen) - BITS_TO_LONGS(rbnode->blklen))
+ * sizeof(*present));
+ } else {
+ present = rbnode->cache_present;
}
/* insert the register value in the correct place in the rbnode block */
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 026/102] target/iscsi: Fix double free of a TUR followed by a solicited NOPOUT
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (25 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 025/102] regmap: regcache-rbtree: Clean new present bits on present bitmap resize Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 027/102] rbd: fix copyup completion race Kamal Mostafa
` (75 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Alexei Potashnik, Spencer Baugh, Nicholas Bellinger,
Luis Henriques, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexei Potashnik <alexei@purestorage.com>
commit 9547308bda296b6f69876c840a0291fcfbeddbb8 upstream.
Make sure all non-READ SCSI commands get targ_xfer_tag initialized
to 0xffffffff, not just WRITEs.
Double-free of a TUR cmd object occurs under the following scenario:
1. TUR received (targ_xfer_tag is uninitialized and left at 0)
2. TUR status sent
3. First unsolicited NOPIN is sent to initiator (gets targ_xfer_tag of 0)
4. NOPOUT for NOPIN (with TTT=0) arrives
- its ExpStatSN acks TUR status, TUR is queued for removal
- LIO tries to find NOPIN with TTT=0, but finds the same TUR instead,
TUR is queued for removal for the 2nd time
(Drop unbalanced conditional bracket usage - nab)
Signed-off-by: Alexei Potashnik <alexei@purestorage.com>
Signed-off-by: Spencer Baugh <sbaugh@catern.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
[ luis: backported to 3.16:
- kept brackets as they are needed in 3.16 kernel ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/target/iscsi/iscsi_target.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
index 4e08d63..0c508a4 100644
--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -967,7 +967,7 @@ int iscsit_setup_scsi_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd,
if (cmd->targ_xfer_tag == 0xFFFFFFFF)
cmd->targ_xfer_tag = conn->sess->targ_xfer_tag++;
spin_unlock_bh(&conn->sess->ttt_lock);
- } else if (hdr->flags & ISCSI_FLAG_CMD_WRITE)
+ } else
cmd->targ_xfer_tag = 0xFFFFFFFF;
cmd->cmd_sn = be32_to_cpu(hdr->cmdsn);
cmd->exp_stat_sn = be32_to_cpu(hdr->exp_statsn);
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 027/102] rbd: fix copyup completion race
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (26 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 026/102] target/iscsi: Fix double free of a TUR followed by a solicited NOPOUT Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 028/102] md/raid1: extend spinlock to protect raid1_end_read_request against inconsistencies Kamal Mostafa
` (74 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Alex Elder, Ilya Dryomov, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov <idryomov@gmail.com>
commit 2761713d35e370fd640b5781109f753066b746c4 upstream.
For write/discard obj_requests that involved a copyup method call, the
opcode of the first op is CEPH_OSD_OP_CALL and the ->callback is
rbd_img_obj_copyup_callback(). The latter frees copyup pages, sets
->xferred and delegates to rbd_img_obj_callback(), the "normal" image
object callback, for reporting to block layer and putting refs.
rbd_osd_req_callback() however treats CEPH_OSD_OP_CALL as a trivial op,
which means obj_request is marked done in rbd_osd_trivial_callback(),
*before* ->callback is invoked and rbd_img_obj_copyup_callback() has
a chance to run. Marking obj_request done essentially means giving
rbd_img_obj_callback() a license to end it at any moment, so if another
obj_request from the same img_request is being completed concurrently,
rbd_img_obj_end_request() may very well be called on such prematurally
marked done request:
<obj_request-1/2 reply>
handle_reply()
rbd_osd_req_callback()
rbd_osd_trivial_callback()
rbd_obj_request_complete()
rbd_img_obj_copyup_callback()
rbd_img_obj_callback()
<obj_request-2/2 reply>
handle_reply()
rbd_osd_req_callback()
rbd_osd_trivial_callback()
for_each_obj_request(obj_request->img_request) {
rbd_img_obj_end_request(obj_request-1/2)
rbd_img_obj_end_request(obj_request-2/2) <--
}
Calling rbd_img_obj_end_request() on such a request leads to trouble,
in particular because its ->xfferred is 0. We report 0 to the block
layer with blk_update_request(), get back 1 for "this request has more
data in flight" and then trip on
rbd_assert(more ^ (which == img_request->obj_request_count));
with rhs (which == ...) being 1 because rbd_img_obj_end_request() has
been called for both requests and lhs (more) being 1 because we haven't
got a chance to set ->xfferred in rbd_img_obj_copyup_callback() yet.
To fix this, leverage that rbd wants to call class methods in only two
cases: one is a generic method call wrapper (obj_request is standalone)
and the other is a copyup (obj_request is part of an img_request). So
make a dedicated handler for CEPH_OSD_OP_CALL and directly invoke
rbd_img_obj_copyup_callback() from it if obj_request is part of an
img_request, similar to how CEPH_OSD_OP_READ handler invokes
rbd_img_obj_request_read_callback().
Since rbd_img_obj_copyup_callback() is now being called from the OSD
request callback (only), it is renamed to rbd_osd_copyup_callback().
Cc: Alex Elder <elder@linaro.org>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/block/rbd.c | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index 0c4ede9..f33ff6c 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -520,6 +520,7 @@ void rbd_warn(struct rbd_device *rbd_dev, const char *fmt, ...)
# define rbd_assert(expr) ((void) 0)
#endif /* !RBD_DEBUG */
+static void rbd_osd_copyup_callback(struct rbd_obj_request *obj_request);
static int rbd_img_obj_request_submit(struct rbd_obj_request *obj_request);
static void rbd_img_parent_read(struct rbd_obj_request *obj_request);
static void rbd_dev_remove_parent(struct rbd_device *rbd_dev);
@@ -1795,6 +1796,16 @@ static void rbd_osd_stat_callback(struct rbd_obj_request *obj_request)
obj_request_done_set(obj_request);
}
+static void rbd_osd_call_callback(struct rbd_obj_request *obj_request)
+{
+ dout("%s: obj %p\n", __func__, obj_request);
+
+ if (obj_request_img_data_test(obj_request))
+ rbd_osd_copyup_callback(obj_request);
+ else
+ obj_request_done_set(obj_request);
+}
+
static void rbd_osd_req_callback(struct ceph_osd_request *osd_req,
struct ceph_msg *msg)
{
@@ -1842,6 +1853,8 @@ static void rbd_osd_req_callback(struct ceph_osd_request *osd_req,
rbd_osd_discard_callback(obj_request);
break;
case CEPH_OSD_OP_CALL:
+ rbd_osd_call_callback(obj_request);
+ break;
case CEPH_OSD_OP_NOTIFY_ACK:
case CEPH_OSD_OP_WATCH:
rbd_osd_trivial_callback(obj_request);
@@ -2503,13 +2516,15 @@ out_unwind:
}
static void
-rbd_img_obj_copyup_callback(struct rbd_obj_request *obj_request)
+rbd_osd_copyup_callback(struct rbd_obj_request *obj_request)
{
struct rbd_img_request *img_request;
struct rbd_device *rbd_dev;
struct page **pages;
u32 page_count;
+ dout("%s: obj %p\n", __func__, obj_request);
+
rbd_assert(obj_request->type == OBJ_REQUEST_BIO ||
obj_request->type == OBJ_REQUEST_NODATA);
rbd_assert(obj_request_img_data_test(obj_request));
@@ -2536,9 +2551,7 @@ rbd_img_obj_copyup_callback(struct rbd_obj_request *obj_request)
if (!obj_request->result)
obj_request->xferred = obj_request->length;
- /* Finish up with the normal image object callback */
-
- rbd_img_obj_callback(obj_request);
+ obj_request_done_set(obj_request);
}
static void
@@ -2623,7 +2636,6 @@ rbd_img_obj_parent_read_full_callback(struct rbd_img_request *img_request)
/* All set, send it off. */
- orig_request->callback = rbd_img_obj_copyup_callback;
osdc = &rbd_dev->rbd_client->client->osdc;
img_result = rbd_obj_request_submit(osdc, orig_request);
if (!img_result)
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 028/102] md/raid1: extend spinlock to protect raid1_end_read_request against inconsistencies
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (27 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 027/102] rbd: fix copyup completion race Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 029/102] target: REPORT LUNS should return LUN 0 even for dynamic ACLs Kamal Mostafa
` (73 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: NeilBrown, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: NeilBrown <neilb@suse.com>
commit 423f04d63cf421ea436bcc5be02543d549ce4b28 upstream.
raid1_end_read_request() assumes that the In_sync bits are consistent
with the ->degaded count.
raid1_spare_active updates the In_sync bit before the ->degraded count
and so exposes an inconsistency, as does error()
So extend the spinlock in raid1_spare_active() and error() to hide those
inconsistencies.
This should probably be part of
Commit: 34cab6f42003 ("md/raid1: fix test for 'was read error from
last working device'.")
as it addresses the same issue. It fixes the same bug and should go
to -stable for same reasons.
Fixes: 76073054c95b ("md/raid1: clean up read_balance.")
Signed-off-by: NeilBrown <neilb@suse.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/md/raid1.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
index 8d9110f..d24245c 100644
--- a/drivers/md/raid1.c
+++ b/drivers/md/raid1.c
@@ -1474,6 +1474,7 @@ static void error(struct mddev *mddev, struct md_rdev *rdev)
{
char b[BDEVNAME_SIZE];
struct r1conf *conf = mddev->private;
+ unsigned long flags;
/*
* If it is not operational, then we have already marked it as dead
@@ -1493,14 +1494,13 @@ static void error(struct mddev *mddev, struct md_rdev *rdev)
return;
}
set_bit(Blocked, &rdev->flags);
+ spin_lock_irqsave(&conf->device_lock, flags);
if (test_and_clear_bit(In_sync, &rdev->flags)) {
- unsigned long flags;
- spin_lock_irqsave(&conf->device_lock, flags);
mddev->degraded++;
set_bit(Faulty, &rdev->flags);
- spin_unlock_irqrestore(&conf->device_lock, flags);
} else
set_bit(Faulty, &rdev->flags);
+ spin_unlock_irqrestore(&conf->device_lock, flags);
/*
* if recovery is running, make sure it aborts.
*/
@@ -1566,7 +1566,10 @@ static int raid1_spare_active(struct mddev *mddev)
* Find all failed disks within the RAID1 configuration
* and mark them readable.
* Called under mddev lock, so rcu protection not needed.
+ * device_lock used to avoid races with raid1_end_read_request
+ * which expects 'In_sync' flags and ->degraded to be consistent.
*/
+ spin_lock_irqsave(&conf->device_lock, flags);
for (i = 0; i < conf->raid_disks; i++) {
struct md_rdev *rdev = conf->mirrors[i].rdev;
struct md_rdev *repl = conf->mirrors[conf->raid_disks + i].rdev;
@@ -1596,7 +1599,6 @@ static int raid1_spare_active(struct mddev *mddev)
sysfs_notify_dirent_safe(rdev->sysfs_state);
}
}
- spin_lock_irqsave(&conf->device_lock, flags);
mddev->degraded -= count;
spin_unlock_irqrestore(&conf->device_lock, flags);
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 029/102] target: REPORT LUNS should return LUN 0 even for dynamic ACLs
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (28 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 028/102] md/raid1: extend spinlock to protect raid1_end_read_request against inconsistencies Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 030/102] MIPS: Fix sched_getaffinity with MT FPAFF enabled Kamal Mostafa
` (72 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Roland Dreier, Nicholas Bellinger, Luis Henriques, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Roland Dreier <roland@purestorage.com>
commit 9c395170a559d3b23dad100b01fc4a89d661c698 upstream.
If an initiator doesn't have any real LUNs assigned, we should report
LUN 0 and a LUN list length of 1. Some versions of Solaris at least
go beserk if we report a LUN list length of 0.
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
[ luis: backported to 3.16: adjusted context ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/target/target_core_spc.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/drivers/target/target_core_spc.c b/drivers/target/target_core_spc.c
index 4c71657..0bac24f 100644
--- a/drivers/target/target_core_spc.c
+++ b/drivers/target/target_core_spc.c
@@ -1238,11 +1238,8 @@ sense_reason_t spc_emulate_report_luns(struct se_cmd *cmd)
* coming via a target_core_mod PASSTHROUGH op, and not through
* a $FABRIC_MOD. In that case, report LUN=0 only.
*/
- if (!sess) {
- int_to_scsilun(0, (struct scsi_lun *)&buf[offset]);
- lun_count = 1;
+ if (!sess)
goto done;
- }
spin_lock_irq(&sess->se_node_acl->device_list_lock);
for (i = 0; i < TRANSPORT_MAX_LUNS_PER_TPG; i++) {
@@ -1267,6 +1264,14 @@ sense_reason_t spc_emulate_report_luns(struct se_cmd *cmd)
* See SPC3 r07, page 159.
*/
done:
+ /*
+ * If no LUNs are accessible, report virtual LUN 0.
+ */
+ if (lun_count == 0) {
+ int_to_scsilun(0, (struct scsi_lun *)&buf[offset]);
+ lun_count = 1;
+ }
+
lun_count *= 8;
buf[0] = ((lun_count >> 24) & 0xff);
buf[1] = ((lun_count >> 16) & 0xff);
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 030/102] MIPS: Fix sched_getaffinity with MT FPAFF enabled
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (29 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 029/102] target: REPORT LUNS should return LUN 0 even for dynamic ACLs Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 031/102] MIPS: Malta: Don't reinitialise RTC Kamal Mostafa
` (71 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Felix Fietkau, linux-mips, Ralf Baechle, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Fietkau <nbd@openwrt.org>
commit 1d62d737555e1378eb62a8bba26644f7d97139d2 upstream.
p->thread.user_cpus_allowed is zero-initialized and is only filled on
the first sched_setaffinity call.
To avoid adding overhead in the task initialization codepath, simply OR
the returned mask in sched_getaffinity with p->cpus_allowed.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/10740/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/mips/kernel/mips-mt-fpaff.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/arch/mips/kernel/mips-mt-fpaff.c b/arch/mips/kernel/mips-mt-fpaff.c
index 362bb37..116c67a 100644
--- a/arch/mips/kernel/mips-mt-fpaff.c
+++ b/arch/mips/kernel/mips-mt-fpaff.c
@@ -154,7 +154,7 @@ asmlinkage long mipsmt_sys_sched_getaffinity(pid_t pid, unsigned int len,
unsigned long __user *user_mask_ptr)
{
unsigned int real_len;
- cpumask_t mask;
+ cpumask_t allowed, mask;
int retval;
struct task_struct *p;
@@ -173,7 +173,8 @@ asmlinkage long mipsmt_sys_sched_getaffinity(pid_t pid, unsigned int len,
if (retval)
goto out_unlock;
- cpumask_and(&mask, &p->thread.user_cpus_allowed, cpu_possible_mask);
+ cpumask_or(&allowed, &p->thread.user_cpus_allowed, &p->cpus_allowed);
+ cpumask_and(&mask, &allowed, cpu_active_mask);
out_unlock:
read_unlock(&tasklist_lock);
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 031/102] MIPS: Malta: Don't reinitialise RTC
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (30 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 030/102] MIPS: Fix sched_getaffinity with MT FPAFF enabled Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 032/102] MIPS: do_mcheck: Fix kernel code dump with EVA Kamal Mostafa
` (70 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: James Hogan, Ralf Baechle, Maciej W. Rozycki, linux-mips, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: James Hogan <james.hogan@imgtec.com>
commit 106eccb4d20f35ebc58ff2286c170d9e79c5ff68 upstream.
On Malta, since commit a87ea88d8f6c ("MIPS: Malta: initialise the RTC at
boot"), the RTC is reinitialised and forced into binary coded decimal
(BCD) mode during init, even if the bootloader has already initialised
it, and may even have already put it into binary mode (as YAMON does).
This corrupts the current time, can result in the RTC seconds being an
invalid BCD (e.g. 0x1a..0x1f) for up to 6 seconds, as well as confusing
YAMON for a while after reset, enough for it to report timeouts when
attempting to load from TFTP (it actually uses the RTC in that code).
Therefore only initialise the RTC to the extent that is necessary so
that Linux avoids interfering with the bootloader setup, while also
allowing it to estimate the CPU frequency without hanging, without a
bootloader necessarily having done anything with the RTC (for example
when the kernel is loaded via EJTAG).
The divider control is configured for a 32KHZ reference clock if
necessary, and the SET bit of the RTC_CONTROL register is cleared if
necessary without changing any other bits (this bit will be set when
coming out of reset if the battery has been disconnected).
Fixes: a87ea88d8f6c ("MIPS: Malta: initialise the RTC at boot")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Reviewed-by: Paul Burton <paul.burton@imgtec.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Maciej W. Rozycki <macro@linux-mips.org>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/10739/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/mips/mti-malta/malta-time.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/arch/mips/mti-malta/malta-time.c b/arch/mips/mti-malta/malta-time.c
index ce02dbd..644ecce 100644
--- a/arch/mips/mti-malta/malta-time.c
+++ b/arch/mips/mti-malta/malta-time.c
@@ -147,14 +147,17 @@ unsigned int get_c0_compare_int(void)
static void __init init_rtc(void)
{
- /* stop the clock whilst setting it up */
- CMOS_WRITE(RTC_SET | RTC_24H, RTC_CONTROL);
+ unsigned char freq, ctrl;
- /* 32KHz time base */
- CMOS_WRITE(RTC_REF_CLCK_32KHZ, RTC_FREQ_SELECT);
+ /* Set 32KHz time base if not already set */
+ freq = CMOS_READ(RTC_FREQ_SELECT);
+ if ((freq & RTC_DIV_CTL) != RTC_REF_CLCK_32KHZ)
+ CMOS_WRITE(RTC_REF_CLCK_32KHZ, RTC_FREQ_SELECT);
- /* start the clock */
- CMOS_WRITE(RTC_24H, RTC_CONTROL);
+ /* Ensure SET bit is clear so RTC can run */
+ ctrl = CMOS_READ(RTC_CONTROL);
+ if (ctrl & RTC_SET)
+ CMOS_WRITE(ctrl & ~RTC_SET, RTC_CONTROL);
}
void __init plat_time_init(void)
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 032/102] MIPS: do_mcheck: Fix kernel code dump with EVA
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (31 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 031/102] MIPS: Malta: Don't reinitialise RTC Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 033/102] MIPS: show_stack: Fix stack trace " Kamal Mostafa
` (69 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: James Hogan, Markos Chandras, Leonid Yegoshin, linux-mips,
Ralf Baechle, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: James Hogan <james.hogan@imgtec.com>
commit 55c723e181ccec30fb5c672397fe69ec35967d97 upstream.
If a machine check exception is raised in kernel mode, user context,
with EVA enabled, then the do_mcheck handler will attempt to read the
code around the EPC using EVA load instructions, i.e. as if the reads
were from user mode. This will either read random user data if the
process has anything mapped at the same address, or it will cause an
exception which is handled by __get_user, resulting in this output:
Code: (Bad address in epc)
Fix by setting the current user access mode to kernel if the saved
register context indicates the exception was taken in kernel mode. This
causes __get_user to use normal loads to read the kernel code.
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Markos Chandras <markos.chandras@imgtec.com>
Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/10777/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/mips/kernel/traps.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/arch/mips/kernel/traps.c b/arch/mips/kernel/traps.c
index c3b41e2..f4aacec 100644
--- a/arch/mips/kernel/traps.c
+++ b/arch/mips/kernel/traps.c
@@ -1423,6 +1423,7 @@ asmlinkage void do_mcheck(struct pt_regs *regs)
const int field = 2 * sizeof(unsigned long);
int multi_match = regs->cp0_status & ST0_TS;
enum ctx_state prev_state;
+ mm_segment_t old_fs = get_fs();
prev_state = exception_enter();
show_regs(regs);
@@ -1444,8 +1445,13 @@ asmlinkage void do_mcheck(struct pt_regs *regs)
dump_tlb_all();
}
+ if (!user_mode(regs))
+ set_fs(KERNEL_DS);
+
show_code((unsigned int __user *) regs->cp0_epc);
+ set_fs(old_fs);
+
/*
* Some chips may have other causes of machine check (e.g. SB1
* graduation timer)
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 033/102] MIPS: show_stack: Fix stack trace with EVA
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (32 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 032/102] MIPS: do_mcheck: Fix kernel code dump with EVA Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 034/102] MIPS: Export get_c0_perfcount_int() Kamal Mostafa
` (68 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: James Hogan, Markos Chandras, Leonid Yegoshin, linux-mips,
Ralf Baechle, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: James Hogan <james.hogan@imgtec.com>
commit 1e77863a51698c4319587df34171bd823691a66a upstream.
The show_stack() function deals exclusively with kernel contexts, but if
it gets called in user context with EVA enabled, show_stacktrace() will
attempt to access the stack using EVA accesses, which will either read
other user mapped data, or more likely cause an exception which will be
handled by __get_user().
This is easily reproduced using SysRq t to show all task states, which
results in the following stack dump output:
Stack : (Bad stack address)
Fix by setting the current user access mode to kernel around the call to
show_stacktrace(). This causes __get_user() to use normal loads to read
the kernel stack.
Now we get the correct output, like this:
Stack : 00000000 80168960 00000000 004a0000 00000000 00000000 8060016c 1f3abd0c
1f172cd8 8056f09c 7ff1e450 8014fc3c 00000001 806dd0b0 0000001d 00000002
1f17c6a0 1f17c804 1f17c6a0 8066f6e0 00000000 0000000a 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 0110e800 1f3abd6c 1f17c6a0
...
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Markos Chandras <markos.chandras@imgtec.com>
Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/10778/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/mips/kernel/traps.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/arch/mips/kernel/traps.c b/arch/mips/kernel/traps.c
index f4aacec..3e0e61f 100644
--- a/arch/mips/kernel/traps.c
+++ b/arch/mips/kernel/traps.c
@@ -190,6 +190,7 @@ static void show_stacktrace(struct task_struct *task,
void show_stack(struct task_struct *task, unsigned long *sp)
{
struct pt_regs regs;
+ mm_segment_t old_fs = get_fs();
if (sp) {
regs.regs[29] = (unsigned long)sp;
regs.regs[31] = 0;
@@ -208,7 +209,13 @@ void show_stack(struct task_struct *task, unsigned long *sp)
prepare_frametrace(®s);
}
}
+ /*
+ * show_stack() deals exclusively with kernel mode, so be sure to access
+ * the stack in the kernel (not user) address space.
+ */
+ set_fs(KERNEL_DS);
show_stacktrace(task, ®s);
+ set_fs(old_fs);
}
static void show_code(unsigned int __user *pc)
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 034/102] MIPS: Export get_c0_perfcount_int()
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (33 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 033/102] MIPS: show_stack: Fix stack trace " Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 035/102] rtlwifi: rtl8723be: Add module parameter for MSI interrupts Kamal Mostafa
` (67 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Felix Fietkau, linux-mips, abrestic, Ralf Baechle, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Fietkau <nbd@openwrt.org>
commit 0cb0985f57783c2f3c6c8ffe7e7665e80c56bd92 upstream.
get_c0_perfcount_int is tested from oprofile code. If oprofile is
compiled as module, get_c0_perfcount_int needs to be exported, otherwise
it cannot be resolved.
Fixes: a669efc4a3b4 ("MIPS: Add hook to get C0 performance counter interrupt")
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Cc: linux-mips@linux-mips.org
Cc: abrestic@chromium.org
Patchwork: https://patchwork.linux-mips.org/patch/10763/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
[ kamal: backport to 3.19-stable: no pistachio/time.c ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/mips/ath79/setup.c | 1 +
arch/mips/lantiq/irq.c | 1 +
arch/mips/mti-malta/malta-time.c | 1 +
arch/mips/mti-sead3/sead3-time.c | 1 +
arch/mips/ralink/irq.c | 1 +
5 files changed, 5 insertions(+)
diff --git a/arch/mips/ath79/setup.c b/arch/mips/ath79/setup.c
index a73c93c..c0277e9 100644
--- a/arch/mips/ath79/setup.c
+++ b/arch/mips/ath79/setup.c
@@ -186,6 +186,7 @@ int get_c0_perfcount_int(void)
{
return ATH79_MISC_IRQ(5);
}
+EXPORT_SYMBOL_GPL(get_c0_perfcount_int);
unsigned int get_c0_compare_int(void)
{
diff --git a/arch/mips/lantiq/irq.c b/arch/mips/lantiq/irq.c
index 6ab1057..d01ade6 100644
--- a/arch/mips/lantiq/irq.c
+++ b/arch/mips/lantiq/irq.c
@@ -466,6 +466,7 @@ int get_c0_perfcount_int(void)
{
return ltq_perfcount_irq;
}
+EXPORT_SYMBOL_GPL(get_c0_perfcount_int);
unsigned int get_c0_compare_int(void)
{
diff --git a/arch/mips/mti-malta/malta-time.c b/arch/mips/mti-malta/malta-time.c
index 644ecce..a6cc3ef 100644
--- a/arch/mips/mti-malta/malta-time.c
+++ b/arch/mips/mti-malta/malta-time.c
@@ -130,6 +130,7 @@ int get_c0_perfcount_int(void)
return mips_cpu_perf_irq;
}
+EXPORT_SYMBOL_GPL(get_c0_perfcount_int);
unsigned int get_c0_compare_int(void)
{
diff --git a/arch/mips/mti-sead3/sead3-time.c b/arch/mips/mti-sead3/sead3-time.c
index ec1dd24..90e303e 100644
--- a/arch/mips/mti-sead3/sead3-time.c
+++ b/arch/mips/mti-sead3/sead3-time.c
@@ -77,6 +77,7 @@ int get_c0_perfcount_int(void)
return MIPS_CPU_IRQ_BASE + cp0_perfcount_irq;
return -1;
}
+EXPORT_SYMBOL_GPL(get_c0_perfcount_int);
unsigned int get_c0_compare_int(void)
{
diff --git a/arch/mips/ralink/irq.c b/arch/mips/ralink/irq.c
index 7cf91b9..199ace4 100644
--- a/arch/mips/ralink/irq.c
+++ b/arch/mips/ralink/irq.c
@@ -89,6 +89,7 @@ int get_c0_perfcount_int(void)
{
return rt_perfcount_irq;
}
+EXPORT_SYMBOL_GPL(get_c0_perfcount_int);
unsigned int get_c0_compare_int(void)
{
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 035/102] rtlwifi: rtl8723be: Add module parameter for MSI interrupts
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (34 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 034/102] MIPS: Export get_c0_perfcount_int() Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 036/102] MIPS: Flush RPS on kernel entry with EVA Kamal Mostafa
` (66 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Larry Finger, Kalle Valo, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Larry Finger <Larry.Finger@lwfinger.net>
commit 741e3b9902d11585e18bfc7f8d47e913616bb070 upstream.
The driver code allows for the disabling of MSI interrupts; however the
module_parm line was missed and the option fails to show with modinfo.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/wireless/rtlwifi/rtl8723be/sw.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/rtlwifi/rtl8723be/sw.c b/drivers/net/wireless/rtlwifi/rtl8723be/sw.c
index 223eb42..775e7bc 100644
--- a/drivers/net/wireless/rtlwifi/rtl8723be/sw.c
+++ b/drivers/net/wireless/rtlwifi/rtl8723be/sw.c
@@ -385,6 +385,7 @@ module_param_named(debug, rtl8723be_mod_params.debug, int, 0444);
module_param_named(ips, rtl8723be_mod_params.inactiveps, bool, 0444);
module_param_named(swlps, rtl8723be_mod_params.swctrl_lps, bool, 0444);
module_param_named(fwlps, rtl8723be_mod_params.fwctrl_lps, bool, 0444);
+module_param_named(msi, rtl8723be_mod_params.msi_support, bool, 0444);
module_param_named(disable_watchdog, rtl8723be_mod_params.disable_watchdog,
bool, 0444);
MODULE_PARM_DESC(swenc, "using hardware crypto (default 0 [hardware])\n");
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 036/102] MIPS: Flush RPS on kernel entry with EVA
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (35 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 035/102] rtlwifi: rtl8723be: Add module parameter for MSI interrupts Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 037/102] usb: udc: core: add device_del() call to error pathway Kamal Mostafa
` (65 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: James Hogan, Ralf Baechle, Markos Chandras, Leonid Yegoshin,
linux-mips, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: James Hogan <james.hogan@imgtec.com>
commit 3aff47c062b944a5e1f9af56a37a23f5295628fc upstream.
When EVA is enabled, flush the Return Prediction Stack (RPS) present on
some MIPS cores on entry to the kernel from user mode.
This is important specifically for interAptiv with EVA enabled,
otherwise kernel mode RPS mispredicts may trigger speculative fetches of
user return addresses, which may be sensitive in the kernel address
space due to EVA's overlapping user/kernel address spaces.
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Markos Chandras <markos.chandras@imgtec.com>
Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/10812/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/mips/include/asm/stackframe.h | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/arch/mips/include/asm/stackframe.h b/arch/mips/include/asm/stackframe.h
index b188c79..0562a24 100644
--- a/arch/mips/include/asm/stackframe.h
+++ b/arch/mips/include/asm/stackframe.h
@@ -152,6 +152,31 @@
.set noreorder
bltz k0, 8f
move k1, sp
+#ifdef CONFIG_EVA
+ /*
+ * Flush interAptiv's Return Prediction Stack (RPS) by writing
+ * EntryHi. Toggling Config7.RPS is slower and less portable.
+ *
+ * The RPS isn't automatically flushed when exceptions are
+ * taken, which can result in kernel mode speculative accesses
+ * to user addresses if the RPS mispredicts. That's harmless
+ * when user and kernel share the same address space, but with
+ * EVA the same user segments may be unmapped to kernel mode,
+ * even containing sensitive MMIO regions or invalid memory.
+ *
+ * This can happen when the kernel sets the return address to
+ * ret_from_* and jr's to the exception handler, which looks
+ * more like a tail call than a function call. If nested calls
+ * don't evict the last user address in the RPS, it will
+ * mispredict the return and fetch from a user controlled
+ * address into the icache.
+ *
+ * More recent EVA-capable cores with MAAR to restrict
+ * speculative accesses aren't affected.
+ */
+ MFC0 k0, CP0_ENTRYHI
+ MTC0 k0, CP0_ENTRYHI
+#endif
.set reorder
/* Called from user mode, new stack. */
get_saved_sp
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 037/102] usb: udc: core: add device_del() call to error pathway
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (36 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 036/102] MIPS: Flush RPS on kernel entry with EVA Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 038/102] xhci: fix off by one error in TRB DMA address boundary check Kamal Mostafa
` (64 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Alan Stern, Felipe Balbi, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit c93e64e91248becd0edb8f01723dff9da890e2ab upstream.
This patch fixes a bug in the error pathway of
usb_add_gadget_udc_release() in udc-core.c. If the udc registration
fails, the gadget registration is not fully undone; there's a
put_device(&gadget->dev) call but no device_del().
Acked-by: Peter Chen <peter.chen@freescale.com>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/usb/gadget/udc/udc-core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/usb/gadget/udc/udc-core.c b/drivers/usb/gadget/udc/udc-core.c
index e31d574..a1f46b0 100644
--- a/drivers/usb/gadget/udc/udc-core.c
+++ b/drivers/usb/gadget/udc/udc-core.c
@@ -298,6 +298,7 @@ err4:
err3:
put_device(&udc->dev);
+ device_del(&gadget->dev);
err2:
put_device(&gadget->dev);
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 038/102] xhci: fix off by one error in TRB DMA address boundary check
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (37 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 037/102] usb: udc: core: add device_del() call to error pathway Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 039/102] drivers/usb: Delete XHCI command timer if necessary Kamal Mostafa
` (63 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Mathias Nyman, Greg Kroah-Hartman, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Nyman <mathias.nyman@linux.intel.com>
commit 7895086afde2a05fa24a0e410d8e6b75ca7c8fdd upstream.
We need to check that a TRB is part of the current segment
before calculating its DMA address.
Previously a ring segment didn't use a full memory page, and every
new ring segment got a new memory page, so the off by one
error in checking the upper bound was never seen.
Now that we use a full memory page, 256 TRBs (4096 bytes), the off by one
didn't catch the case when a TRB was the first element of the next segment.
This is triggered if the virtual memory pages for a ring segment are
next to each in increasing order where the ring buffer wraps around and
causes errors like:
[ 106.398223] xhci_hcd 0000:00:14.0: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 0 comp_code 1
[ 106.398230] xhci_hcd 0000:00:14.0: Looking for event-dma fffd3000 trb-start fffd4fd0 trb-end fffd5000 seg-start fffd4000 seg-end fffd4ff0
The trb-end address is one outside the end-seg address.
Tested-by: Arkadiusz Miśkiewicz <arekm@maven.pl>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/usb/host/xhci-ring.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
index ea19ba3..95c340c 100644
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -82,7 +82,7 @@ dma_addr_t xhci_trb_virt_to_dma(struct xhci_segment *seg,
return 0;
/* offset in TRBs */
segment_offset = trb - seg->trbs;
- if (segment_offset > TRBS_PER_SEGMENT)
+ if (segment_offset >= TRBS_PER_SEGMENT)
return 0;
return seg->dma + (segment_offset * sizeof(*trb));
}
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 039/102] drivers/usb: Delete XHCI command timer if necessary
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (38 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 038/102] xhci: fix off by one error in TRB DMA address boundary check Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 040/102] staging: vt6655: vnt_bss_info_changed check conf->beacon_rate is not NULL Kamal Mostafa
` (62 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Gavin Shan, Mathias Nyman, Greg Kroah-Hartman, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Gavin Shan <gwshan@linux.vnet.ibm.com>
commit ffe5adcb7661d94e952d6b5ed7f493cb4ef0c7bc upstream.
When xhci_mem_cleanup() is called, it's possible that the command
timer isn't initialized and scheduled. For those cases, to delete
the command timer causes soft-lockup as below stack dump shows.
The patch avoids deleting the command timer if it's not scheduled
with the help of timer_pending().
NMI watchdog: BUG: soft lockup - CPU#40 stuck for 23s! [kworker/40:1:8140]
:
NIP [c000000000150b30] lock_timer_base.isra.34+0x90/0xa0
LR [c000000000150c24] try_to_del_timer_sync+0x34/0xa0
Call Trace:
[c000000f67c975e0] [c0000000015b84f8] mon_ops+0x0/0x8 (unreliable)
[c000000f67c97620] [c000000000150c24] try_to_del_timer_sync+0x34/0xa0
[c000000f67c97660] [c000000000150cf0] del_timer_sync+0x60/0x80
[c000000f67c97690] [c00000000070ac0c] xhci_mem_cleanup+0x5c/0x5e0
[c000000f67c97740] [c00000000070c2e8] xhci_mem_init+0x1158/0x13b0
[c000000f67c97860] [c000000000700978] xhci_init+0x88/0x110
[c000000f67c978e0] [c000000000701644] xhci_gen_setup+0x2b4/0x590
[c000000f67c97970] [c0000000006d4410] xhci_pci_setup+0x40/0x190
[c000000f67c979f0] [c0000000006b1af8] usb_add_hcd+0x418/0xba0
[c000000f67c97ab0] [c0000000006cb15c] usb_hcd_pci_probe+0x1dc/0x5c0
[c000000f67c97b50] [c0000000006d3ba4] xhci_pci_probe+0x64/0x1f0
[c000000f67c97ba0] [c0000000004fe9ac] local_pci_probe+0x6c/0x130
[c000000f67c97c30] [c0000000000e5ce8] work_for_cpu_fn+0x38/0x60
[c000000f67c97c60] [c0000000000eacb8] process_one_work+0x198/0x470
[c000000f67c97cf0] [c0000000000eb6ac] worker_thread+0x37c/0x5a0
[c000000f67c97d80] [c0000000000f2730] kthread+0x110/0x130
[c000000f67c97e30] [c000000000009660] ret_from_kernel_thread+0x5c/0x7c
Reported-by: Priya M. A <priyama2@in.ibm.com>
Signed-off-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/usb/host/xhci-mem.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
index a67018e..d44c904 100644
--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -1796,7 +1796,8 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci)
int size;
int i, j, num_ports;
- del_timer_sync(&xhci->cmd_timer);
+ if (timer_pending(&xhci->cmd_timer))
+ del_timer_sync(&xhci->cmd_timer);
/* Free the Event Ring Segment Table and the actual Event Ring */
size = sizeof(struct xhci_erst_entry)*(xhci->erst.num_entries);
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 040/102] staging: vt6655: vnt_bss_info_changed check conf->beacon_rate is not NULL
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (39 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 039/102] drivers/usb: Delete XHCI command timer if necessary Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 041/102] dm: fix dm_merge_bvec regression on 32 bit systems Kamal Mostafa
` (61 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Malcolm Priestley, Greg Kroah-Hartman, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Malcolm Priestley <tvboxspy@gmail.com>
commit 1f17124006b65482d9084c01e252b59dbca8db8f upstream.
conf->beacon_rate can be NULL on association. So check conf->beacon_rate
BSS_CHANGED_BEACON_INFO needs to flagged in changed as the beacon_rate
will appear later.
Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/staging/vt6655/device_main.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c
index 4968d8a..2e5de62 100644
--- a/drivers/staging/vt6655/device_main.c
+++ b/drivers/staging/vt6655/device_main.c
@@ -1516,8 +1516,9 @@ static void vnt_bss_info_changed(struct ieee80211_hw *hw,
}
}
- if (changed & BSS_CHANGED_ASSOC && priv->op_mode != NL80211_IFTYPE_AP) {
- if (conf->assoc) {
+ if (changed & (BSS_CHANGED_ASSOC | BSS_CHANGED_BEACON_INFO) &&
+ priv->op_mode != NL80211_IFTYPE_AP) {
+ if (conf->assoc && conf->beacon_rate) {
CARDbUpdateTSF(priv, conf->beacon_rate->hw_value,
conf->sync_device_ts, conf->sync_tsf);
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 041/102] dm: fix dm_merge_bvec regression on 32 bit systems
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (40 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 040/102] staging: vt6655: vnt_bss_info_changed check conf->beacon_rate is not NULL Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 042/102] perf: Fix fasync handling on inherited events Kamal Mostafa
` (60 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Mike Snitzer, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Mike Snitzer <snitzer@redhat.com>
commit bd4aaf8f9b85d6b2df3231fd62b219ebb75d3568 upstream.
A DM regression on 32 bit systems was reported against v4.2-rc3 here:
https://lkml.org/lkml/2015/7/29/401
Fix this by reverting both commit 1c220c69 ("dm: fix casting bug in
dm_merge_bvec()") and 148e51ba ("dm: improve documentation and code
clarity in dm_merge_bvec"). This combined revert is done to eliminate
the possibility of a partial revert in stable@ kernels.
In hindsight the correct fix, at the time 1c220c69 was applied to fix
the regression that 148e51ba introduced, should've been to simply revert
148e51ba.
Reported-by: Josh Boyer <jwboyer@fedoraproject.org>
Tested-by: Adam Williamson <awilliam@redhat.com>
Acked-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/md/dm.c | 27 ++++++++++-----------------
1 file changed, 10 insertions(+), 17 deletions(-)
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
index a367a17..82fe47d 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -1596,7 +1596,8 @@ static int dm_merge_bvec(struct request_queue *q,
struct mapped_device *md = q->queuedata;
struct dm_table *map = dm_get_live_table_fast(md);
struct dm_target *ti;
- sector_t max_sectors, max_size = 0;
+ sector_t max_sectors;
+ int max_size = 0;
if (unlikely(!map))
goto out;
@@ -1609,18 +1610,10 @@ static int dm_merge_bvec(struct request_queue *q,
* Find maximum amount of I/O that won't need splitting
*/
max_sectors = min(max_io_len(bvm->bi_sector, ti),
- (sector_t) queue_max_sectors(q));
+ (sector_t) BIO_MAX_SECTORS);
max_size = (max_sectors << SECTOR_SHIFT) - bvm->bi_size;
-
- /*
- * FIXME: this stop-gap fix _must_ be cleaned up (by passing a sector_t
- * to the targets' merge function since it holds sectors not bytes).
- * Just doing this as an interim fix for stable@ because the more
- * comprehensive cleanup of switching to sector_t will impact every
- * DM target that implements a ->merge hook.
- */
- if (max_size > INT_MAX)
- max_size = INT_MAX;
+ if (max_size < 0)
+ max_size = 0;
/*
* merge_bvec_fn() returns number of bytes
@@ -1628,13 +1621,13 @@ static int dm_merge_bvec(struct request_queue *q,
* max is precomputed maximal io size
*/
if (max_size && ti->type->merge)
- max_size = ti->type->merge(ti, bvm, biovec, (int) max_size);
+ max_size = ti->type->merge(ti, bvm, biovec, max_size);
/*
* If the target doesn't support merge method and some of the devices
- * provided their merge_bvec method (we know this by looking for the
- * max_hw_sectors that dm_set_device_limits may set), then we can't
- * allow bios with multiple vector entries. So always set max_size
- * to 0, and the code below allows just one page.
+ * provided their merge_bvec method (we know this by looking at
+ * queue_max_hw_sectors), then we can't allow bios with multiple vector
+ * entries. So always set max_size to 0, and the code below allows
+ * just one page.
*/
else if (queue_max_hw_sectors(q) <= PAGE_SIZE >> 9)
max_size = 0;
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 042/102] perf: Fix fasync handling on inherited events
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (41 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 041/102] dm: fix dm_merge_bvec regression on 32 bit systems Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 043/102] drm/dp-mst: Remove debug WARN_ON Kamal Mostafa
` (59 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Peter Zijlstra (Intel),
Arnaldo Carvalho deMelo, Linus Torvalds, Thomas Gleixner,
eranian, Ingo Molnar, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
commit fed66e2cdd4f127a43fd11b8d92a99bdd429528c upstream.
Vince reported that the fasync signal stuff doesn't work proper for
inherited events. So fix that.
Installing fasync allocates memory and sets filp->f_flags |= FASYNC,
which upon the demise of the file descriptor ensures the allocation is
freed and state is updated.
Now for perf, we can have the events stick around for a while after the
original FD is dead because of references from child events. So we
cannot copy the fasync pointer around. We can however consistently use
the parent's fasync, as that will be updated.
Reported-and-Tested-by: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Arnaldo Carvalho deMelo <acme@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: eranian@google.com
Link: http://lkml.kernel.org/r/1434011521.1495.71.camel@twins
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
kernel/events/core.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index b59b7b0..3262aa5 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -4398,12 +4398,20 @@ static const struct file_operations perf_fops = {
* to user-space before waking everybody up.
*/
+static inline struct fasync_struct **perf_event_fasync(struct perf_event *event)
+{
+ /* only the parent has fasync state */
+ if (event->parent)
+ event = event->parent;
+ return &event->fasync;
+}
+
void perf_event_wakeup(struct perf_event *event)
{
ring_buffer_wakeup(event);
if (event->pending_kill) {
- kill_fasync(&event->fasync, SIGIO, event->pending_kill);
+ kill_fasync(perf_event_fasync(event), SIGIO, event->pending_kill);
event->pending_kill = 0;
}
}
@@ -5675,7 +5683,7 @@ static int __perf_event_overflow(struct perf_event *event,
else
perf_event_output(event, data, regs);
- if (event->fasync && event->pending_kill) {
+ if (*perf_event_fasync(event) && event->pending_kill) {
event->pending_wakeup = 1;
irq_work_queue(&event->pending);
}
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 043/102] drm/dp-mst: Remove debug WARN_ON
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (42 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 042/102] perf: Fix fasync handling on inherited events Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 044/102] ALSA: fireworks/firewire-lib: add support for recent firmware quirk Kamal Mostafa
` (58 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Dave Airlie, Daniel Vetter, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Vetter <daniel.vetter@ffwll.ch>
commit 42639ba554655c280ae6cb72df0522b1201f2961 upstream.
Apparently been in there since forever and fairly easy to hit when
hotplugging really fast. I can do that since my mst hub has a manual
button to flick the hpd line for reprobing. The resulting WARNING spam
isn't pretty.
Cc: Dave Airlie <airlied@gmail.com>
Reviewed-by: Thierry Reding <treding@nvidia.com>
Reviewed-by: Ander Conselvan de Oliveira <conselvan2@gmail.com>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/gpu/drm/drm_dp_mst_topology.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c
index 30308ab..8239563 100644
--- a/drivers/gpu/drm/drm_dp_mst_topology.c
+++ b/drivers/gpu/drm/drm_dp_mst_topology.c
@@ -1290,7 +1290,6 @@ retry:
goto retry;
}
DRM_DEBUG_KMS("failed to dpcd write %d %d\n", tosend, ret);
- WARN(1, "fail\n");
return -EIO;
}
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 044/102] ALSA: fireworks/firewire-lib: add support for recent firmware quirk
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (43 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 043/102] drm/dp-mst: Remove debug WARN_ON Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 045/102] mm, vmscan: Do not wait for page writeback for GFP_NOFS allocations Kamal Mostafa
` (57 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Takashi Sakamoto, Takashi Iwai, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
commit 18f5ed365d3f188a91149d528c853000330a4a58 upstream.
Fireworks uses TSB43CB43(IceLynx-Micro) as its IEC 61883-1/6 interface.
This chip includes ARM7 core, and loads and runs program. The firmware
is stored in on-board memory and loaded every powering-on from it.
Echo Audio ships several versions of firmwares for each model. These
firmwares have each quirk and the quirk changes a sequence of packets.
As long as I investigated, AudioFire2/AudioFire4/AudioFirePre8 have a
quirk to transfer a first packet with 0x02 in its dbc field. This causes
ALSA Fireworks driver to detect discontinuity. In this case, firmware
version 5.7.0, 5.7.3 and 5.8.0 are used.
Payload CIP CIP
quadlets header1 header2
02 00050002 90ffffff <-
42 0005000a 90013000
42 00050012 90014400
42 0005001a 90015800
02 0005001a 90ffffff
42 00050022 90019000
42 0005002a 9001a400
42 00050032 9001b800
02 00050032 90ffffff
42 0005003a 9001d000
42 00050042 9001e400
42 0005004a 9001f800
02 0005004a 90ffffff
(AudioFire2 with firmware version 5.7.)
$ dmesg
snd-fireworks fw1.0: Detect discontinuity of CIP: 00 02
These models, AudioFire8 (since Jul 2009 ) and Gibson Robot Interface
Pack series uses the same ARM binary as their firmware. Thus, this
quirk may be observed among them.
This commit adds a new member for AMDTP structure. This member represents
the value of dbc field in a first AMDTP packet. Drivers can set it with
a preferred value according to model's quirk.
Tested-by: Johannes Oertei <johannes.oertel@uni-due.de>
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
sound/firewire/amdtp.c | 5 +++--
sound/firewire/amdtp.h | 2 ++
sound/firewire/fireworks/fireworks.c | 8 ++++++++
sound/firewire/fireworks/fireworks.h | 1 +
sound/firewire/fireworks/fireworks_stream.c | 9 +++++++++
5 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/sound/firewire/amdtp.c b/sound/firewire/amdtp.c
index 911341b..508cdb8 100644
--- a/sound/firewire/amdtp.c
+++ b/sound/firewire/amdtp.c
@@ -730,8 +730,9 @@ static void handle_in_packet(struct amdtp_stream *s,
s->data_block_counter != UINT_MAX)
data_block_counter = s->data_block_counter;
- if (((s->flags & CIP_SKIP_DBC_ZERO_CHECK) && data_block_counter == 0) ||
- (s->data_block_counter == UINT_MAX)) {
+ if (((s->flags & CIP_SKIP_DBC_ZERO_CHECK) &&
+ data_block_counter == s->tx_first_dbc) ||
+ s->data_block_counter == UINT_MAX) {
lost = false;
} else if (!(s->flags & CIP_DBC_IS_END_EVENT)) {
lost = data_block_counter != s->data_block_counter;
diff --git a/sound/firewire/amdtp.h b/sound/firewire/amdtp.h
index 8a03a91..25c9055 100644
--- a/sound/firewire/amdtp.h
+++ b/sound/firewire/amdtp.h
@@ -153,6 +153,8 @@ struct amdtp_stream {
/* quirk: fixed interval of dbc between previos/current packets. */
unsigned int tx_dbc_interval;
+ /* quirk: indicate the value of dbc field in a first packet. */
+ unsigned int tx_first_dbc;
bool callbacked;
wait_queue_head_t callback_wait;
diff --git a/sound/firewire/fireworks/fireworks.c b/sound/firewire/fireworks/fireworks.c
index 2682e7e..c94a432 100644
--- a/sound/firewire/fireworks/fireworks.c
+++ b/sound/firewire/fireworks/fireworks.c
@@ -248,8 +248,16 @@ efw_probe(struct fw_unit *unit,
err = get_hardware_info(efw);
if (err < 0)
goto error;
+ /* AudioFire8 (since 2009) and AudioFirePre8 */
if (entry->model_id == MODEL_ECHO_AUDIOFIRE_9)
efw->is_af9 = true;
+ /* These models uses the same firmware. */
+ if (entry->model_id == MODEL_ECHO_AUDIOFIRE_2 ||
+ entry->model_id == MODEL_ECHO_AUDIOFIRE_4 ||
+ entry->model_id == MODEL_ECHO_AUDIOFIRE_9 ||
+ entry->model_id == MODEL_GIBSON_RIP ||
+ entry->model_id == MODEL_GIBSON_GOLDTOP)
+ efw->is_fireworks3 = true;
snd_efw_proc_init(efw);
diff --git a/sound/firewire/fireworks/fireworks.h b/sound/firewire/fireworks/fireworks.h
index 4f0201a..084d414 100644
--- a/sound/firewire/fireworks/fireworks.h
+++ b/sound/firewire/fireworks/fireworks.h
@@ -71,6 +71,7 @@ struct snd_efw {
/* for quirks */
bool is_af9;
+ bool is_fireworks3;
u32 firmware_version;
unsigned int midi_in_ports;
diff --git a/sound/firewire/fireworks/fireworks_stream.c b/sound/firewire/fireworks/fireworks_stream.c
index c55db1b..7e353f1 100644
--- a/sound/firewire/fireworks/fireworks_stream.c
+++ b/sound/firewire/fireworks/fireworks_stream.c
@@ -172,6 +172,15 @@ int snd_efw_stream_init_duplex(struct snd_efw *efw)
efw->tx_stream.flags |= CIP_DBC_IS_END_EVENT;
/* Fireworks reset dbc at bus reset. */
efw->tx_stream.flags |= CIP_SKIP_DBC_ZERO_CHECK;
+ /*
+ * But Recent firmwares starts packets with non-zero dbc.
+ * Driver version 5.7.6 installs firmware version 5.7.3.
+ */
+ if (efw->is_fireworks3 &&
+ (efw->firmware_version == 0x5070000 ||
+ efw->firmware_version == 0x5070300 ||
+ efw->firmware_version == 0x5080000))
+ efw->tx_stream.tx_first_dbc = 0x02;
/* AudioFire9 always reports wrong dbs. */
if (efw->is_af9)
efw->tx_stream.flags |= CIP_WRONG_DBS;
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 045/102] mm, vmscan: Do not wait for page writeback for GFP_NOFS allocations
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (44 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 044/102] ALSA: fireworks/firewire-lib: add support for recent firmware quirk Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 046/102] MIPS: Make set_pte() SMP safe Kamal Mostafa
` (56 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Michal Hocko, Hugh Dickins, Linus Torvalds, Luis Henriques,
Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Hocko <mhocko@suse.cz>
commit ecf5fc6e9654cd7a268c782a523f072b2f1959f9 upstream.
Nikolay has reported a hang when a memcg reclaim got stuck with the
following backtrace:
PID: 18308 TASK: ffff883d7c9b0a30 CPU: 1 COMMAND: "rsync"
#0 __schedule at ffffffff815ab152
#1 schedule at ffffffff815ab76e
#2 schedule_timeout at ffffffff815ae5e5
#3 io_schedule_timeout at ffffffff815aad6a
#4 bit_wait_io at ffffffff815abfc6
#5 __wait_on_bit at ffffffff815abda5
#6 wait_on_page_bit at ffffffff8111fd4f
#7 shrink_page_list at ffffffff81135445
#8 shrink_inactive_list at ffffffff81135845
#9 shrink_lruvec at ffffffff81135ead
#10 shrink_zone at ffffffff811360c3
#11 shrink_zones at ffffffff81136eff
#12 do_try_to_free_pages at ffffffff8113712f
#13 try_to_free_mem_cgroup_pages at ffffffff811372be
#14 try_charge at ffffffff81189423
#15 mem_cgroup_try_charge at ffffffff8118c6f5
#16 __add_to_page_cache_locked at ffffffff8112137d
#17 add_to_page_cache_lru at ffffffff81121618
#18 pagecache_get_page at ffffffff8112170b
#19 grow_dev_page at ffffffff811c8297
#20 __getblk_slow at ffffffff811c91d6
#21 __getblk_gfp at ffffffff811c92c1
#22 ext4_ext_grow_indepth at ffffffff8124565c
#23 ext4_ext_create_new_leaf at ffffffff81246ca8
#24 ext4_ext_insert_extent at ffffffff81246f09
#25 ext4_ext_map_blocks at ffffffff8124a848
#26 ext4_map_blocks at ffffffff8121a5b7
#27 mpage_map_one_extent at ffffffff8121b1fa
#28 mpage_map_and_submit_extent at ffffffff8121f07b
#29 ext4_writepages at ffffffff8121f6d5
#30 do_writepages at ffffffff8112c490
#31 __filemap_fdatawrite_range at ffffffff81120199
#32 filemap_flush at ffffffff8112041c
#33 ext4_alloc_da_blocks at ffffffff81219da1
#34 ext4_rename at ffffffff81229b91
#35 ext4_rename2 at ffffffff81229e32
#36 vfs_rename at ffffffff811a08a5
#37 SYSC_renameat2 at ffffffff811a3ffc
#38 sys_renameat2 at ffffffff811a408e
#39 sys_rename at ffffffff8119e51e
#40 system_call_fastpath at ffffffff815afa89
Dave Chinner has properly pointed out that this is a deadlock in the
reclaim code because ext4 doesn't submit pages which are marked by
PG_writeback right away.
The heuristic was introduced by commit e62e384e9da8 ("memcg: prevent OOM
with too many dirty pages") and it was applied only when may_enter_fs
was specified. The code has been changed by c3b94f44fcb0 ("memcg:
further prevent OOM with too many dirty pages") which has removed the
__GFP_FS restriction with a reasoning that we do not get into the fs
code. But this is not sufficient apparently because the fs doesn't
necessarily submit pages marked PG_writeback for IO right away.
ext4_bio_write_page calls io_submit_add_bh but that doesn't necessarily
submit the bio. Instead it tries to map more pages into the bio and
mpage_map_one_extent might trigger memcg charge which might end up
waiting on a page which is marked PG_writeback but hasn't been submitted
yet so we would end up waiting for something that never finishes.
Fix this issue by replacing __GFP_IO by may_enter_fs check (for case 2)
before we go to wait on the writeback. The page fault path, which is
the only path that triggers memcg oom killer since 3.12, shouldn't
require GFP_NOFS and so we shouldn't reintroduce the premature OOM
killer issue which was originally addressed by the heuristic.
As per David Chinner the xfs is doing similar thing since 2.6.15 already
so ext4 is not the only affected filesystem. Moreover he notes:
: For example: IO completion might require unwritten extent conversion
: which executes filesystem transactions and GFP_NOFS allocations. The
: writeback flag on the pages can not be cleared until unwritten
: extent conversion completes. Hence memory reclaim cannot wait on
: page writeback to complete in GFP_NOFS context because it is not
: safe to do so, memcg reclaim or otherwise.
[tytso@mit.edu: corrected the control flow]
Fixes: c3b94f44fcb0 ("memcg: further prevent OOM with too many dirty pages")
Reported-by: Nikolay Borisov <kernel@kyup.com>
Signed-off-by: Michal Hocko <mhocko@suse.cz>
Signed-off-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[ luis: backported to 3.16: used Hugh's backport for 4.1 ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
mm/vmscan.c | 14 +++++---------
1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/mm/vmscan.c b/mm/vmscan.c
index dcd90c8..566cc3d0 100644
--- a/mm/vmscan.c
+++ b/mm/vmscan.c
@@ -896,21 +896,17 @@ static unsigned long shrink_page_list(struct list_head *page_list,
*
* 2) Global reclaim encounters a page, memcg encounters a
* page that is not marked for immediate reclaim or
- * the caller does not have __GFP_IO. In this case mark
+ * the caller does not have __GFP_FS (or __GFP_IO if it's
+ * simply going to swap, not to fs). In this case mark
* the page for immediate reclaim and continue scanning.
*
- * __GFP_IO is checked because a loop driver thread might
+ * Require may_enter_fs because we would wait on fs, which
+ * may not have submitted IO yet. And the loop driver might
* enter reclaim, and deadlock if it waits on a page for
* which it is needed to do the write (loop masks off
* __GFP_IO|__GFP_FS for this reason); but more thought
* would probably show more reasons.
*
- * Don't require __GFP_FS, since we're not going into the
- * FS, just waiting on its writeback completion. Worryingly,
- * ext4 gfs2 and xfs allocate pages with
- * grab_cache_page_write_begin(,,AOP_FLAG_NOFS), so testing
- * may_enter_fs here is liable to OOM on them.
- *
* 3) memcg encounters a page that is not already marked
* PageReclaim. memcg does not have any dirty pages
* throttling so we could easily OOM just because too many
@@ -927,7 +923,7 @@ static unsigned long shrink_page_list(struct list_head *page_list,
/* Case 2 above */
} else if (global_reclaim(sc) ||
- !PageReclaim(page) || !(sc->gfp_mask & __GFP_IO)) {
+ !PageReclaim(page) || !may_enter_fs) {
/*
* This is slightly racy - end_page_writeback()
* might have just cleared PageReclaim, then
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 046/102] MIPS: Make set_pte() SMP safe.
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (45 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 045/102] mm, vmscan: Do not wait for page writeback for GFP_NOFS allocations Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 047/102] ipc: modify message queue accounting to not take kernel data structures into account Kamal Mostafa
` (55 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: David Daney, linux-mips, Ralf Baechle, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: David Daney <david.daney@cavium.com>
commit 46011e6ea39235e4aca656673c500eac81a07a17 upstream.
On MIPS the GLOBAL bit of the PTE must have the same value in any
aligned pair of PTEs. These pairs of PTEs are referred to as
"buddies". In a SMP system is is possible for two CPUs to be calling
set_pte() on adjacent PTEs at the same time. There is a race between
setting the PTE and a different CPU setting the GLOBAL bit in its
buddy PTE.
This race can be observed when multiple CPUs are executing
vmap()/vfree() at the same time.
Make setting the buddy PTE's GLOBAL bit an atomic operation to close
the race condition.
The case of CONFIG_64BIT_PHYS_ADDR && CONFIG_CPU_MIPS32 is *not*
handled.
Signed-off-by: David Daney <david.daney@cavium.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/10835/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/mips/include/asm/pgtable.h | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/arch/mips/include/asm/pgtable.h b/arch/mips/include/asm/pgtable.h
index 845016d..4ec91d5 100644
--- a/arch/mips/include/asm/pgtable.h
+++ b/arch/mips/include/asm/pgtable.h
@@ -187,8 +187,39 @@ static inline void set_pte(pte_t *ptep, pte_t pteval)
* Make sure the buddy is global too (if it's !none,
* it better already be global)
*/
+#ifdef CONFIG_SMP
+ /*
+ * For SMP, multiple CPUs can race, so we need to do
+ * this atomically.
+ */
+#ifdef CONFIG_64BIT
+#define LL_INSN "lld"
+#define SC_INSN "scd"
+#else /* CONFIG_32BIT */
+#define LL_INSN "ll"
+#define SC_INSN "sc"
+#endif
+ unsigned long page_global = _PAGE_GLOBAL;
+ unsigned long tmp;
+
+ __asm__ __volatile__ (
+ " .set push\n"
+ " .set noreorder\n"
+ "1: " LL_INSN " %[tmp], %[buddy]\n"
+ " bnez %[tmp], 2f\n"
+ " or %[tmp], %[tmp], %[global]\n"
+ " " SC_INSN " %[tmp], %[buddy]\n"
+ " beqz %[tmp], 1b\n"
+ " nop\n"
+ "2:\n"
+ " .set pop"
+ : [buddy] "+m" (buddy->pte),
+ [tmp] "=&r" (tmp)
+ : [global] "r" (page_global));
+#else /* !CONFIG_SMP */
if (pte_none(*buddy))
pte_val(*buddy) = pte_val(*buddy) | _PAGE_GLOBAL;
+#endif /* CONFIG_SMP */
}
#endif
}
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 047/102] ipc: modify message queue accounting to not take kernel data structures into account
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (46 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 046/102] MIPS: Make set_pte() SMP safe Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 048/102] ocfs2: fix BUG in ocfs2_downconvert_thread_do_work() Kamal Mostafa
` (54 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Marcus Gelderie, David Howells, Alexander Viro, John Duffy,
Arto Bendiken, Manfred Spraul, Andrew Morton, Linus Torvalds,
Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Marcus Gelderie <redmnic@gmail.com>
commit de54b9ac253787c366bbfb28d901a31954eb3511 upstream.
A while back, the message queue implementation in the kernel was
improved to use btrees to speed up retrieval of messages, in commit
d6629859b36d ("ipc/mqueue: improve performance of send/recv").
That patch introducing the improved kernel handling of message queues
(using btrees) has, as a by-product, changed the meaning of the QSIZE
field in the pseudo-file created for the queue. Before, this field
reflected the size of the user-data in the queue. Since, it also takes
kernel data structures into account. For example, if 13 bytes of user
data are in the queue, on my machine the file reports a size of 61
bytes.
There was some discussion on this topic before (for example
https://lkml.org/lkml/2014/10/1/115). Commenting on a th lkml, Michael
Kerrisk gave the following background
(https://lkml.org/lkml/2015/6/16/74):
The pseudofiles in the mqueue filesystem (usually mounted at
/dev/mqueue) expose fields with metadata describing a message
queue. One of these fields, QSIZE, as originally implemented,
showed the total number of bytes of user data in all messages in
the message queue, and this feature was documented from the
beginning in the mq_overview(7) page. In 3.5, some other (useful)
work happened to break the user-space API in a couple of places,
including the value exposed via QSIZE, which now includes a measure
of kernel overhead bytes for the queue, a figure that renders QSIZE
useless for its original purpose, since there's no way to deduce
the number of overhead bytes consumed by the implementation.
(The other user-space breakage was subsequently fixed.)
This patch removes the accounting of kernel data structures in the
queue. Reporting the size of these data-structures in the QSIZE field
was a breaking change (see Michael's comment above). Without the QSIZE
field reporting the total size of user-data in the queue, there is no
way to deduce this number.
It should be noted that the resource limit RLIMIT_MSGQUEUE is counted
against the worst-case size of the queue (in both the old and the new
implementation). Therefore, the kernel overhead accounting in QSIZE is
not necessary to help the user understand the limitations RLIMIT imposes
on the processes.
Signed-off-by: Marcus Gelderie <redmnic@gmail.com>
Acked-by: Doug Ledford <dledford@redhat.com>
Acked-by: Michael Kerrisk <mtk.manpages@gmail.com>
Acked-by: Davidlohr Bueso <dbueso@suse.de>
Cc: David Howells <dhowells@redhat.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: John Duffy <jb_duffy@btinternet.com>
Cc: Arto Bendiken <arto@bendiken.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
ipc/mqueue.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/ipc/mqueue.c b/ipc/mqueue.c
index 7635a1c..182ed02 100644
--- a/ipc/mqueue.c
+++ b/ipc/mqueue.c
@@ -143,7 +143,6 @@ static int msg_insert(struct msg_msg *msg, struct mqueue_inode_info *info)
if (!leaf)
return -ENOMEM;
INIT_LIST_HEAD(&leaf->msg_list);
- info->qsize += sizeof(*leaf);
}
leaf->priority = msg->m_type;
rb_link_node(&leaf->rb_node, parent, p);
@@ -188,7 +187,6 @@ try_again:
"lazy leaf delete!\n");
rb_erase(&leaf->rb_node, &info->msg_tree);
if (info->node_cache) {
- info->qsize -= sizeof(*leaf);
kfree(leaf);
} else {
info->node_cache = leaf;
@@ -201,7 +199,6 @@ try_again:
if (list_empty(&leaf->msg_list)) {
rb_erase(&leaf->rb_node, &info->msg_tree);
if (info->node_cache) {
- info->qsize -= sizeof(*leaf);
kfree(leaf);
} else {
info->node_cache = leaf;
@@ -1026,7 +1023,6 @@ SYSCALL_DEFINE5(mq_timedsend, mqd_t, mqdes, const char __user *, u_msg_ptr,
/* Save our speculative allocation into the cache */
INIT_LIST_HEAD(&new_leaf->msg_list);
info->node_cache = new_leaf;
- info->qsize += sizeof(*new_leaf);
new_leaf = NULL;
} else {
kfree(new_leaf);
@@ -1133,7 +1129,6 @@ SYSCALL_DEFINE5(mq_timedreceive, mqd_t, mqdes, char __user *, u_msg_ptr,
/* Save our speculative allocation into the cache */
INIT_LIST_HEAD(&new_leaf->msg_list);
info->node_cache = new_leaf;
- info->qsize += sizeof(*new_leaf);
} else {
kfree(new_leaf);
}
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 048/102] ocfs2: fix BUG in ocfs2_downconvert_thread_do_work()
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (47 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 047/102] ipc: modify message queue accounting to not take kernel data structures into account Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 049/102] fsnotify: fix oops in fsnotify_clear_marks_by_group_flags() Kamal Mostafa
` (53 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Joseph Qi, Mark Fasheh, Joel Becker, Andrew Morton,
Linus Torvalds, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Joseph Qi <joseph.qi@huawei.com>
commit 209f7512d007980fd111a74a064d70a3656079cf upstream.
The "BUG_ON(list_empty(&osb->blocked_lock_list))" in
ocfs2_downconvert_thread_do_work can be triggered in the following case:
ocfs2dc has firstly saved osb->blocked_lock_count to local varibale
processed, and then processes the dentry lockres. During the dentry
put, it calls iput and then deletes rw, inode and open lockres from
blocked list in ocfs2_mark_lockres_freeing. And this causes the
variable `processed' to not reflect the number of blocked lockres to be
processed, which triggers the BUG.
Signed-off-by: Joseph Qi <joseph.qi@huawei.com>
Cc: Mark Fasheh <mfasheh@suse.com>
Cc: Joel Becker <jlbec@evilplan.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
fs/ocfs2/dlmglue.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/fs/ocfs2/dlmglue.c b/fs/ocfs2/dlmglue.c
index 1c423af..ba6c538 100644
--- a/fs/ocfs2/dlmglue.c
+++ b/fs/ocfs2/dlmglue.c
@@ -4017,9 +4017,13 @@ static void ocfs2_downconvert_thread_do_work(struct ocfs2_super *osb)
osb->dc_work_sequence = osb->dc_wake_sequence;
processed = osb->blocked_lock_count;
- while (processed) {
- BUG_ON(list_empty(&osb->blocked_lock_list));
-
+ /*
+ * blocked lock processing in this loop might call iput which can
+ * remove items off osb->blocked_lock_list. Downconvert up to
+ * 'processed' number of locks, but stop short if we had some
+ * removed in ocfs2_mark_lockres_freeing when downconverting.
+ */
+ while (processed && !list_empty(&osb->blocked_lock_list)) {
lockres = list_entry(osb->blocked_lock_list.next,
struct ocfs2_lock_res, l_blocked_list);
list_del_init(&lockres->l_blocked_list);
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 049/102] fsnotify: fix oops in fsnotify_clear_marks_by_group_flags()
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (48 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 048/102] ocfs2: fix BUG in ocfs2_downconvert_thread_do_work() Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 050/102] KVM: x86: Use adjustment in guest cycles when handling MSR_IA32_TSC_ADJUST Kamal Mostafa
` (52 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Jan Kara, Lino Sanfilippo, Andrew Morton, Linus Torvalds, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.com>
commit 8f2f3eb59dff4ec538de55f2e0592fec85966aab upstream.
fsnotify_clear_marks_by_group_flags() can race with
fsnotify_destroy_marks() so that when fsnotify_destroy_mark_locked()
drops mark_mutex, a mark from the list iterated by
fsnotify_clear_marks_by_group_flags() can be freed and thus the next
entry pointer we have cached may become stale and we dereference free
memory.
Fix the problem by first moving marks to free to a special private list
and then always free the first entry in the special list. This method
is safe even when entries from the list can disappear once we drop the
lock.
Signed-off-by: Jan Kara <jack@suse.com>
Reported-by: Ashish Sangwan <a.sangwan@samsung.com>
Reviewed-by: Ashish Sangwan <a.sangwan@samsung.com>
Cc: Lino Sanfilippo <LinoSanfilippo@gmx.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
fs/notify/mark.c | 30 +++++++++++++++++++++++++-----
1 file changed, 25 insertions(+), 5 deletions(-)
diff --git a/fs/notify/mark.c b/fs/notify/mark.c
index 92e48c7..39ddcaf 100644
--- a/fs/notify/mark.c
+++ b/fs/notify/mark.c
@@ -412,16 +412,36 @@ void fsnotify_clear_marks_by_group_flags(struct fsnotify_group *group,
unsigned int flags)
{
struct fsnotify_mark *lmark, *mark;
+ LIST_HEAD(to_free);
+ /*
+ * We have to be really careful here. Anytime we drop mark_mutex, e.g.
+ * fsnotify_clear_marks_by_inode() can come and free marks. Even in our
+ * to_free list so we have to use mark_mutex even when accessing that
+ * list. And freeing mark requires us to drop mark_mutex. So we can
+ * reliably free only the first mark in the list. That's why we first
+ * move marks to free to to_free list in one go and then free marks in
+ * to_free list one by one.
+ */
mutex_lock_nested(&group->mark_mutex, SINGLE_DEPTH_NESTING);
list_for_each_entry_safe(mark, lmark, &group->marks_list, g_list) {
- if (mark->flags & flags) {
- fsnotify_get_mark(mark);
- fsnotify_destroy_mark_locked(mark, group);
- fsnotify_put_mark(mark);
- }
+ if (mark->flags & flags)
+ list_move(&mark->g_list, &to_free);
}
mutex_unlock(&group->mark_mutex);
+
+ while (1) {
+ mutex_lock_nested(&group->mark_mutex, SINGLE_DEPTH_NESTING);
+ if (list_empty(&to_free)) {
+ mutex_unlock(&group->mark_mutex);
+ break;
+ }
+ mark = list_first_entry(&to_free, struct fsnotify_mark, g_list);
+ fsnotify_get_mark(mark);
+ fsnotify_destroy_mark_locked(mark, group);
+ mutex_unlock(&group->mark_mutex);
+ fsnotify_put_mark(mark);
+ }
}
/*
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 050/102] KVM: x86: Use adjustment in guest cycles when handling MSR_IA32_TSC_ADJUST
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (49 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 049/102] fsnotify: fix oops in fsnotify_clear_marks_by_group_flags() Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 051/102] x86/xen: build "Xen PV" APIC driver for domU as well Kamal Mostafa
` (51 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Haozhong Zhang, Paolo Bonzini, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Haozhong Zhang <haozhong.zhang@intel.com>
commit d7add05458084a5e3d65925764a02ca9c8202c1e upstream.
When kvm_set_msr_common() handles a guest's write to
MSR_IA32_TSC_ADJUST, it will calcuate an adjustment based on the data
written by guest and then use it to adjust TSC offset by calling a
call-back adjust_tsc_offset(). The 3rd parameter of adjust_tsc_offset()
indicates whether the adjustment is in host TSC cycles or in guest TSC
cycles. If SVM TSC scaling is enabled, adjust_tsc_offset()
[i.e. svm_adjust_tsc_offset()] will first scale the adjustment;
otherwise, it will just use the unscaled one. As the MSR write here
comes from the guest, the adjustment is in guest TSC cycles. However,
the current kvm_set_msr_common() uses it as a value in host TSC
cycles (by using true as the 3rd parameter of adjust_tsc_offset()),
which can result in an incorrect adjustment of TSC offset if SVM TSC
scaling is enabled. This patch fixes this problem.
Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/x86/kvm/x86.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index a692f1c..57d5915 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -2143,7 +2143,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
if (guest_cpuid_has_tsc_adjust(vcpu)) {
if (!msr_info->host_initiated) {
s64 adj = data - vcpu->arch.ia32_tsc_adjust_msr;
- kvm_x86_ops->adjust_tsc_offset(vcpu, adj, true);
+ adjust_tsc_offset_guest(vcpu, adj);
}
vcpu->arch.ia32_tsc_adjust_msr = data;
}
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 051/102] x86/xen: build "Xen PV" APIC driver for domU as well
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (50 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 050/102] KVM: x86: Use adjustment in guest cycles when handling MSR_IA32_TSC_ADJUST Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 052/102] cpuset: use trialcs->mems_allowed as a temp variable Kamal Mostafa
` (50 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Jason A. Donenfeld, David Vrabel, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
commit fc5fee86bdd3d720e2d1d324e4fae0c35845fa63 upstream.
It turns out that a PV domU also requires the "Xen PV" APIC
driver. Otherwise, the flat driver is used and we get stuck in busy
loops that never exit, such as in this stack trace:
(gdb) target remote localhost:9999
Remote debugging using localhost:9999
__xapic_wait_icr_idle () at ./arch/x86/include/asm/ipi.h:56
56 while (native_apic_mem_read(APIC_ICR) & APIC_ICR_BUSY)
(gdb) bt
#0 __xapic_wait_icr_idle () at ./arch/x86/include/asm/ipi.h:56
#1 __default_send_IPI_shortcut (shortcut=<optimized out>,
dest=<optimized out>, vector=<optimized out>) at
./arch/x86/include/asm/ipi.h:75
#2 apic_send_IPI_self (vector=246) at arch/x86/kernel/apic/probe_64.c:54
#3 0xffffffff81011336 in arch_irq_work_raise () at
arch/x86/kernel/irq_work.c:47
#4 0xffffffff8114990c in irq_work_queue (work=0xffff88000fc0e400) at
kernel/irq_work.c:100
#5 0xffffffff8110c29d in wake_up_klogd () at kernel/printk/printk.c:2633
#6 0xffffffff8110ca60 in vprintk_emit (facility=0, level=<optimized
out>, dict=0x0 <irq_stack_union>, dictlen=<optimized out>,
fmt=<optimized out>, args=<optimized out>)
at kernel/printk/printk.c:1778
#7 0xffffffff816010c8 in printk (fmt=<optimized out>) at
kernel/printk/printk.c:1868
#8 0xffffffffc00013ea in ?? ()
#9 0x0000000000000000 in ?? ()
Mailing-list-thread: https://lkml.org/lkml/2015/8/4/755
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/x86/xen/Makefile | 4 ++--
arch/x86/xen/xen-ops.h | 6 ++----
2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/arch/x86/xen/Makefile b/arch/x86/xen/Makefile
index 7322755..4b6e29a 100644
--- a/arch/x86/xen/Makefile
+++ b/arch/x86/xen/Makefile
@@ -13,13 +13,13 @@ CFLAGS_mmu.o := $(nostackp)
obj-y := enlighten.o setup.o multicalls.o mmu.o irq.o \
time.o xen-asm.o xen-asm_$(BITS).o \
grant-table.o suspend.o platform-pci-unplug.o \
- p2m.o
+ p2m.o apic.o
obj-$(CONFIG_EVENT_TRACING) += trace.o
obj-$(CONFIG_SMP) += smp.o
obj-$(CONFIG_PARAVIRT_SPINLOCKS)+= spinlock.o
obj-$(CONFIG_XEN_DEBUG_FS) += debugfs.o
-obj-$(CONFIG_XEN_DOM0) += apic.o vga.o
+obj-$(CONFIG_XEN_DOM0) += vga.o
obj-$(CONFIG_SWIOTLB_XEN) += pci-swiotlb-xen.o
obj-$(CONFIG_XEN_EFI) += efi.o
diff --git a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h
index 5686bd9..68bf9bc 100644
--- a/arch/x86/xen/xen-ops.h
+++ b/arch/x86/xen/xen-ops.h
@@ -95,17 +95,15 @@ struct dom0_vga_console_info;
#ifdef CONFIG_XEN_DOM0
void __init xen_init_vga(const struct dom0_vga_console_info *, size_t size);
-void __init xen_init_apic(void);
#else
static inline void __init xen_init_vga(const struct dom0_vga_console_info *info,
size_t size)
{
}
-static inline void __init xen_init_apic(void)
-{
-}
#endif
+void __init xen_init_apic(void);
+
#ifdef CONFIG_XEN_EFI
extern void xen_efi_init(void);
#else
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 052/102] cpuset: use trialcs->mems_allowed as a temp variable
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (51 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 051/102] x86/xen: build "Xen PV" APIC driver for domU as well Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 053/102] drm/dp/mst: Remove port after removing connector Kamal Mostafa
` (49 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Alban Crequy, Tejun Heo, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Alban Crequy <alban.crequy@gmail.com>
commit 24ee3cf89bef04e8bc23788aca4e029a3f0f06d9 upstream.
The comment says it's using trialcs->mems_allowed as a temp variable but
it didn't match the code. Change the code to match the comment.
This fixes an issue when writing in cpuset.mems when a sub-directory
exists: we need to write several times for the information to persist:
| root@alban:/sys/fs/cgroup/cpuset# mkdir footest9
| root@alban:/sys/fs/cgroup/cpuset# cd footest9
| root@alban:/sys/fs/cgroup/cpuset/footest9# mkdir aa
| root@alban:/sys/fs/cgroup/cpuset/footest9# cat cpuset.mems
|
| root@alban:/sys/fs/cgroup/cpuset/footest9# echo 0 > cpuset.mems
| root@alban:/sys/fs/cgroup/cpuset/footest9# cat cpuset.mems
|
| root@alban:/sys/fs/cgroup/cpuset/footest9# echo 0 > cpuset.mems
| root@alban:/sys/fs/cgroup/cpuset/footest9# cat cpuset.mems
| 0
| root@alban:/sys/fs/cgroup/cpuset/footest9# cat aa/cpuset.mems
|
| root@alban:/sys/fs/cgroup/cpuset/footest9# echo 0 > aa/cpuset.mems
| root@alban:/sys/fs/cgroup/cpuset/footest9# cat aa/cpuset.mems
| 0
| root@alban:/sys/fs/cgroup/cpuset/footest9#
This should help to fix the following issue in Docker:
https://github.com/opencontainers/runc/issues/133
In some conditions, a Docker container needs to be started twice in
order to work.
Signed-off-by: Alban Crequy <alban@endocode.com>
Tested-by: Iago López Galeiras <iago@endocode.com>
Acked-by: Li Zefan <lizefan@huawei.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
kernel/cpuset.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/cpuset.c b/kernel/cpuset.c
index 9e25599..c90edf6 100644
--- a/kernel/cpuset.c
+++ b/kernel/cpuset.c
@@ -1214,7 +1214,7 @@ static int update_nodemask(struct cpuset *cs, struct cpuset *trialcs,
spin_unlock_irq(&callback_lock);
/* use trialcs->mems_allowed as a temp variable */
- update_nodemasks_hier(cs, &cs->mems_allowed);
+ update_nodemasks_hier(cs, &trialcs->mems_allowed);
done:
return retval;
}
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 053/102] drm/dp/mst: Remove port after removing connector.
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (52 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 052/102] cpuset: use trialcs->mems_allowed as a temp variable Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 054/102] localmodconfig: Use Kbuild files too Kamal Mostafa
` (48 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Dave Airlie, Maarten Lankhorst, Jani Nikula, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
commit 4772ff03df8094fd99d28de5fcf5df3a3e9c68bb upstream.
The port is removed synchronously, but the connector delayed.
This causes a use after free which can cause a kernel BUG with
slug_debug=FPZU. This is fixed by freeing the port after the
connector.
This fixes a regression introduced with
6b8eeca65b18ae77e175cc2b6571731f0ee413bf
"drm/dp/mst: close deadlock in connector destruction."
Cc: Dave Airlie <airlied@redhat.com>
Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/gpu/drm/drm_dp_mst_topology.c | 19 +++++++++++++------
include/drm/drm_crtc.h | 2 --
2 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c
index 8239563..6c0a1b0 100644
--- a/drivers/gpu/drm/drm_dp_mst_topology.c
+++ b/drivers/gpu/drm/drm_dp_mst_topology.c
@@ -869,9 +869,10 @@ static void drm_dp_destroy_port(struct kref *kref)
from an EDID retrieval */
if (port->connector) {
mutex_lock(&mgr->destroy_connector_lock);
- list_add(&port->connector->destroy_list, &mgr->destroy_connector_list);
+ list_add(&port->next, &mgr->destroy_connector_list);
mutex_unlock(&mgr->destroy_connector_lock);
schedule_work(&mgr->destroy_connector_work);
+ return;
}
drm_dp_port_teardown_pdt(port, port->pdt);
@@ -2641,7 +2642,7 @@ static void drm_dp_tx_work(struct work_struct *work)
static void drm_dp_destroy_connector_work(struct work_struct *work)
{
struct drm_dp_mst_topology_mgr *mgr = container_of(work, struct drm_dp_mst_topology_mgr, destroy_connector_work);
- struct drm_connector *connector;
+ struct drm_dp_mst_port *port;
/*
* Not a regular list traverse as we have to drop the destroy
@@ -2650,15 +2651,21 @@ static void drm_dp_destroy_connector_work(struct work_struct *work)
*/
for (;;) {
mutex_lock(&mgr->destroy_connector_lock);
- connector = list_first_entry_or_null(&mgr->destroy_connector_list, struct drm_connector, destroy_list);
- if (!connector) {
+ port = list_first_entry_or_null(&mgr->destroy_connector_list, struct drm_dp_mst_port, next);
+ if (!port) {
mutex_unlock(&mgr->destroy_connector_lock);
break;
}
- list_del(&connector->destroy_list);
+ list_del(&port->next);
mutex_unlock(&mgr->destroy_connector_lock);
- mgr->cbs->destroy_connector(mgr, connector);
+ mgr->cbs->destroy_connector(mgr, port->connector);
+
+ drm_dp_port_teardown_pdt(port, port->pdt);
+
+ if (!port->input && port->vcpi.vcpi > 0)
+ drm_dp_mst_put_payload_id(mgr, port->vcpi.vcpi);
+ kfree(port);
}
}
diff --git a/include/drm/drm_crtc.h b/include/drm/drm_crtc.h
index 3dab77c..b863298 100644
--- a/include/drm/drm_crtc.h
+++ b/include/drm/drm_crtc.h
@@ -689,8 +689,6 @@ struct drm_connector {
uint8_t num_h_tile, num_v_tile;
uint8_t tile_h_loc, tile_v_loc;
uint16_t tile_h_size, tile_v_size;
-
- struct list_head destroy_list;
};
/**
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 054/102] localmodconfig: Use Kbuild files too
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (53 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 053/102] drm/dp/mst: Remove port after removing connector Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 055/102] dm thin metadata: delete btrees when releasing metadata snapshot Kamal Mostafa
` (47 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Richard Weinberger, Steven Rostedt, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit c0ddc8c745b7f89c50385fd7aa03c78dc543fa7a upstream.
In kbuild it is allowed to define objects in files named "Makefile"
and "Kbuild".
Currently localmodconfig reads objects only from "Makefile"s and misses
modules like nouveau.
Link: http://lkml.kernel.org/r/1437948415-16290-1-git-send-email-richard@nod.at
Reported-and-tested-by: Leonidas Spyropoulos <artafinde@gmail.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
scripts/kconfig/streamline_config.pl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/kconfig/streamline_config.pl b/scripts/kconfig/streamline_config.pl
index 9cb8522..f3d3fb4 100755
--- a/scripts/kconfig/streamline_config.pl
+++ b/scripts/kconfig/streamline_config.pl
@@ -137,7 +137,7 @@ my $ksource = ($ARGV[0] ? $ARGV[0] : '.');
my $kconfig = $ARGV[1];
my $lsmod_file = $ENV{'LSMOD'};
-my @makefiles = `find $ksource -name Makefile 2>/dev/null`;
+my @makefiles = `find $ksource -name Makefile -or -name Kbuild 2>/dev/null`;
chomp @makefiles;
my %depends;
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 055/102] dm thin metadata: delete btrees when releasing metadata snapshot
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (54 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 054/102] localmodconfig: Use Kbuild files too Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 056/102] dm btree: add ref counting ops for the leaves of top level btrees Kamal Mostafa
` (46 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Joe Thornber, Mike Snitzer, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Joe Thornber <ejt@redhat.com>
commit 7f518ad0a212e2a6fd68630e176af1de395070a7 upstream.
The device details and mapping trees were just being decremented
before. Now btree_del() is called to do a deep delete.
Signed-off-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/md/dm-thin-metadata.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/md/dm-thin-metadata.c b/drivers/md/dm-thin-metadata.c
index 43adbb8..0eea5e7 100644
--- a/drivers/md/dm-thin-metadata.c
+++ b/drivers/md/dm-thin-metadata.c
@@ -1295,8 +1295,8 @@ static int __release_metadata_snap(struct dm_pool_metadata *pmd)
return r;
disk_super = dm_block_data(copy);
- dm_sm_dec_block(pmd->metadata_sm, le64_to_cpu(disk_super->data_mapping_root));
- dm_sm_dec_block(pmd->metadata_sm, le64_to_cpu(disk_super->device_details_root));
+ dm_btree_del(&pmd->info, le64_to_cpu(disk_super->data_mapping_root));
+ dm_btree_del(&pmd->details_info, le64_to_cpu(disk_super->device_details_root));
dm_sm_dec_block(pmd->metadata_sm, held_root);
return dm_tm_unlock(pmd->tm, copy);
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 056/102] dm btree: add ref counting ops for the leaves of top level btrees
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (55 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 055/102] dm thin metadata: delete btrees when releasing metadata snapshot Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 057/102] drm/radeon: add new OLAND pci id Kamal Mostafa
` (45 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Joe Thornber, Mike Snitzer, Luis Henriques, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Joe Thornber <ejt@redhat.com>
commit b0dc3c8bc157c60b1d470163882be8c13e1950af upstream.
When using nested btrees, the top leaves of the top levels contain
block addresses for the root of the next tree down. If we shadow a
shared leaf node the leaf values (sub tree roots) should be incremented
accordingly.
This is only an issue if there is metadata sharing in the top levels.
Which only occurs if metadata snapshots are being used (as is possible
with dm-thinp). And could result in a block from the thinp metadata
snap being reused early, thus corrupting the thinp metadata snap.
Signed-off-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
[ luis: backported to 3.16:
- dropped changes to remove_one() as suggested by Mike Snitzer ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/md/persistent-data/dm-btree-internal.h | 6 +++++
drivers/md/persistent-data/dm-btree-remove.c | 12 +++------
drivers/md/persistent-data/dm-btree-spine.c | 37 ++++++++++++++++++++++++++
drivers/md/persistent-data/dm-btree.c | 7 +----
4 files changed, 47 insertions(+), 15 deletions(-)
diff --git a/drivers/md/persistent-data/dm-btree-internal.h b/drivers/md/persistent-data/dm-btree-internal.h
index bf2b80d..8731b6e 100644
--- a/drivers/md/persistent-data/dm-btree-internal.h
+++ b/drivers/md/persistent-data/dm-btree-internal.h
@@ -138,4 +138,10 @@ int lower_bound(struct btree_node *n, uint64_t key);
extern struct dm_block_validator btree_node_validator;
+/*
+ * Value type for upper levels of multi-level btrees.
+ */
+extern void init_le64_type(struct dm_transaction_manager *tm,
+ struct dm_btree_value_type *vt);
+
#endif /* DM_BTREE_INTERNAL_H */
diff --git a/drivers/md/persistent-data/dm-btree-remove.c b/drivers/md/persistent-data/dm-btree-remove.c
index a03178e..7c0d755 100644
--- a/drivers/md/persistent-data/dm-btree-remove.c
+++ b/drivers/md/persistent-data/dm-btree-remove.c
@@ -544,14 +544,6 @@ static int remove_raw(struct shadow_spine *s, struct dm_btree_info *info,
return r;
}
-static struct dm_btree_value_type le64_type = {
- .context = NULL,
- .size = sizeof(__le64),
- .inc = NULL,
- .dec = NULL,
- .equal = NULL
-};
-
int dm_btree_remove(struct dm_btree_info *info, dm_block_t root,
uint64_t *keys, dm_block_t *new_root)
{
@@ -559,12 +551,14 @@ int dm_btree_remove(struct dm_btree_info *info, dm_block_t root,
int index = 0, r = 0;
struct shadow_spine spine;
struct btree_node *n;
+ struct dm_btree_value_type le64_vt;
+ init_le64_type(info->tm, &le64_vt);
init_shadow_spine(&spine, info);
for (level = 0; level < info->levels; level++) {
r = remove_raw(&spine, info,
(level == last_level ?
- &info->value_type : &le64_type),
+ &info->value_type : &le64_vt),
root, keys[level], (unsigned *)&index);
if (r < 0)
break;
diff --git a/drivers/md/persistent-data/dm-btree-spine.c b/drivers/md/persistent-data/dm-btree-spine.c
index 1b5e13e..0dee514 100644
--- a/drivers/md/persistent-data/dm-btree-spine.c
+++ b/drivers/md/persistent-data/dm-btree-spine.c
@@ -249,3 +249,40 @@ int shadow_root(struct shadow_spine *s)
{
return s->root;
}
+
+static void le64_inc(void *context, const void *value_le)
+{
+ struct dm_transaction_manager *tm = context;
+ __le64 v_le;
+
+ memcpy(&v_le, value_le, sizeof(v_le));
+ dm_tm_inc(tm, le64_to_cpu(v_le));
+}
+
+static void le64_dec(void *context, const void *value_le)
+{
+ struct dm_transaction_manager *tm = context;
+ __le64 v_le;
+
+ memcpy(&v_le, value_le, sizeof(v_le));
+ dm_tm_dec(tm, le64_to_cpu(v_le));
+}
+
+static int le64_equal(void *context, const void *value1_le, const void *value2_le)
+{
+ __le64 v1_le, v2_le;
+
+ memcpy(&v1_le, value1_le, sizeof(v1_le));
+ memcpy(&v2_le, value2_le, sizeof(v2_le));
+ return v1_le == v2_le;
+}
+
+void init_le64_type(struct dm_transaction_manager *tm,
+ struct dm_btree_value_type *vt)
+{
+ vt->context = tm;
+ vt->size = sizeof(__le64);
+ vt->inc = le64_inc;
+ vt->dec = le64_dec;
+ vt->equal = le64_equal;
+}
diff --git a/drivers/md/persistent-data/dm-btree.c b/drivers/md/persistent-data/dm-btree.c
index fdd3793..c7726ce 100644
--- a/drivers/md/persistent-data/dm-btree.c
+++ b/drivers/md/persistent-data/dm-btree.c
@@ -667,12 +667,7 @@ static int insert(struct dm_btree_info *info, dm_block_t root,
struct btree_node *n;
struct dm_btree_value_type le64_type;
- le64_type.context = NULL;
- le64_type.size = sizeof(__le64);
- le64_type.inc = NULL;
- le64_type.dec = NULL;
- le64_type.equal = NULL;
-
+ init_le64_type(info->tm, &le64_type);
init_shadow_spine(&spine, info);
for (level = 0; level < (info->levels - 1); level++) {
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 057/102] drm/radeon: add new OLAND pci id
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (56 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 056/102] dm btree: add ref counting ops for the leaves of top level btrees Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 058/102] libiscsi: Fix host busy blocking during connection teardown Kamal Mostafa
` (44 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Alex Deucher, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit e037239e5e7b61007763984aa35a8329596d8c88 upstream.
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
include/drm/drm_pciids.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/drm/drm_pciids.h b/include/drm/drm_pciids.h
index 45c39a3..8bc073d 100644
--- a/include/drm/drm_pciids.h
+++ b/include/drm/drm_pciids.h
@@ -172,6 +172,7 @@
{0x1002, 0x6610, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_OLAND|RADEON_NEW_MEMMAP}, \
{0x1002, 0x6611, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_OLAND|RADEON_NEW_MEMMAP}, \
{0x1002, 0x6613, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_OLAND|RADEON_NEW_MEMMAP}, \
+ {0x1002, 0x6617, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_OLAND|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \
{0x1002, 0x6620, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_OLAND|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \
{0x1002, 0x6621, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_OLAND|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \
{0x1002, 0x6623, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_OLAND|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 058/102] libiscsi: Fix host busy blocking during connection teardown
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (57 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 057/102] drm/radeon: add new OLAND pci id Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 059/102] libfc: Fix fc_exch_recv_req() error path Kamal Mostafa
` (43 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: John Soni Jose, James Bottomley, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: John Soni Jose <sony.john@avagotech.com>
commit 660d0831d1494a6837b2f810d08b5be092c1f31d upstream.
In case of hw iscsi offload, an host can have N-number of active
connections. There can be IO's running on some connections which
make host->host_busy always TRUE. Now if logout from a connection
is tried then the code gets into an infinite loop as host->host_busy
is always TRUE.
iscsi_conn_teardown(....)
{
.........
/*
* Block until all in-progress commands for this connection
* time out or fail.
*/
for (;;) {
spin_lock_irqsave(session->host->host_lock, flags);
if (!atomic_read(&session->host->host_busy)) { /* OK for ERL == 0 */
spin_unlock_irqrestore(session->host->host_lock, flags);
break;
}
spin_unlock_irqrestore(session->host->host_lock, flags);
msleep_interruptible(500);
iscsi_conn_printk(KERN_INFO, conn, "iscsi conn_destroy(): "
"host_busy %d host_failed %d\n",
atomic_read(&session->host->host_busy),
session->host->host_failed);
................
...............
}
}
This is not an issue with software-iscsi/iser as each cxn is a separate
host.
Fix:
Acquiring eh_mutex in iscsi_conn_teardown() before setting
session->state = ISCSI_STATE_TERMINATE.
Signed-off-by: John Soni Jose <sony.john@avagotech.com>
Reviewed-by: Mike Christie <michaelc@cs.wisc.edu>
Reviewed-by: Chris Leech <cleech@redhat.com>
Signed-off-by: James Bottomley <JBottomley@Odin.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/scsi/libiscsi.c | 25 ++-----------------------
1 file changed, 2 insertions(+), 23 deletions(-)
diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
index 8053f24..98d9bb6 100644
--- a/drivers/scsi/libiscsi.c
+++ b/drivers/scsi/libiscsi.c
@@ -2941,10 +2941,10 @@ void iscsi_conn_teardown(struct iscsi_cls_conn *cls_conn)
{
struct iscsi_conn *conn = cls_conn->dd_data;
struct iscsi_session *session = conn->session;
- unsigned long flags;
del_timer_sync(&conn->transport_timer);
+ mutex_lock(&session->eh_mutex);
spin_lock_bh(&session->frwd_lock);
conn->c_stage = ISCSI_CONN_CLEANUP_WAIT;
if (session->leadconn == conn) {
@@ -2956,28 +2956,6 @@ void iscsi_conn_teardown(struct iscsi_cls_conn *cls_conn)
}
spin_unlock_bh(&session->frwd_lock);
- /*
- * Block until all in-progress commands for this connection
- * time out or fail.
- */
- for (;;) {
- spin_lock_irqsave(session->host->host_lock, flags);
- if (!atomic_read(&session->host->host_busy)) { /* OK for ERL == 0 */
- spin_unlock_irqrestore(session->host->host_lock, flags);
- break;
- }
- spin_unlock_irqrestore(session->host->host_lock, flags);
- msleep_interruptible(500);
- iscsi_conn_printk(KERN_INFO, conn, "iscsi conn_destroy(): "
- "host_busy %d host_failed %d\n",
- atomic_read(&session->host->host_busy),
- session->host->host_failed);
- /*
- * force eh_abort() to unblock
- */
- wake_up(&conn->ehwait);
- }
-
/* flush queued up work because we free the connection below */
iscsi_suspend_tx(conn);
@@ -2994,6 +2972,7 @@ void iscsi_conn_teardown(struct iscsi_cls_conn *cls_conn)
if (session->leadconn == conn)
session->leadconn = NULL;
spin_unlock_bh(&session->frwd_lock);
+ mutex_unlock(&session->eh_mutex);
iscsi_destroy_conn(cls_conn);
}
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 059/102] libfc: Fix fc_exch_recv_req() error path
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (58 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 058/102] libiscsi: Fix host busy blocking during connection teardown Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 060/102] libfc: Fix fc_fcp_cleanup_each_cmd() Kamal Mostafa
` (42 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Bart Van Assche, Vasu Dev, James Bottomley, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bart.vanassche@sandisk.com>
commit f6979adeaab578f8ca14fdd32b06ddee0d9d3314 upstream.
Due to patch "libfc: Do not invoke the response handler after
fc_exch_done()" (commit ID 7030fd62) the lport_recv() call
in fc_exch_recv_req() is passed a dangling pointer. Avoid this
by moving the fc_frame_free() call from fc_invoke_resp() to its
callers. This patch fixes the following crash:
general protection fault: 0000 [#3] PREEMPT SMP
RIP: fc_lport_recv_req+0x72/0x280 [libfc]
Call Trace:
fc_exch_recv+0x642/0xde0 [libfc]
fcoe_percpu_receive_thread+0x46a/0x5ed [fcoe]
kthread+0x10a/0x120
ret_from_fork+0x42/0x70
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Signed-off-by: Vasu Dev <vasu.dev@intel.com>
Signed-off-by: James Bottomley <JBottomley@Odin.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/scsi/libfc/fc_exch.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/scsi/libfc/fc_exch.c b/drivers/scsi/libfc/fc_exch.c
index 1b3a094..30f9ef0 100644
--- a/drivers/scsi/libfc/fc_exch.c
+++ b/drivers/scsi/libfc/fc_exch.c
@@ -733,8 +733,6 @@ static bool fc_invoke_resp(struct fc_exch *ep, struct fc_seq *sp,
if (resp) {
resp(sp, fp, arg);
res = true;
- } else if (!IS_ERR(fp)) {
- fc_frame_free(fp);
}
spin_lock_bh(&ep->ex_lock);
@@ -1596,7 +1594,8 @@ static void fc_exch_recv_seq_resp(struct fc_exch_mgr *mp, struct fc_frame *fp)
* If new exch resp handler is valid then call that
* first.
*/
- fc_invoke_resp(ep, sp, fp);
+ if (!fc_invoke_resp(ep, sp, fp))
+ fc_frame_free(fp);
fc_exch_release(ep);
return;
@@ -1695,7 +1694,8 @@ static void fc_exch_abts_resp(struct fc_exch *ep, struct fc_frame *fp)
fc_exch_hold(ep);
if (!rc)
fc_exch_delete(ep);
- fc_invoke_resp(ep, sp, fp);
+ if (!fc_invoke_resp(ep, sp, fp))
+ fc_frame_free(fp);
if (has_rec)
fc_exch_timer_set(ep, ep->r_a_tov);
fc_exch_release(ep);
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 060/102] libfc: Fix fc_fcp_cleanup_each_cmd()
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (59 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 059/102] libfc: Fix fc_exch_recv_req() error path Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 061/102] sd: Fix maximum I/O size for BLOCK_PC requests Kamal Mostafa
` (41 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Bart Van Assche, Vasu Dev, James Bottomley, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bart.vanassche@sandisk.com>
commit 8f2777f53e3d5ad8ef2a176a4463a5c8e1a16431 upstream.
Since fc_fcp_cleanup_cmd() can sleep this function must not
be called while holding a spinlock. This patch avoids that
fc_fcp_cleanup_each_cmd() triggers the following bug:
BUG: scheduling while atomic: sg_reset/1512/0x00000202
1 lock held by sg_reset/1512:
#0: (&(&fsp->scsi_pkt_lock)->rlock){+.-...}, at: [<ffffffffc0225cd5>] fc_fcp_cleanup_each_cmd.isra.21+0xa5/0x150 [libfc]
Preemption disabled at:[<ffffffffc0225cd5>] fc_fcp_cleanup_each_cmd.isra.21+0xa5/0x150 [libfc]
Call Trace:
[<ffffffff816c612c>] dump_stack+0x4f/0x7b
[<ffffffff810828bc>] __schedule_bug+0x6c/0xd0
[<ffffffff816c87aa>] __schedule+0x71a/0xa10
[<ffffffff816c8ad2>] schedule+0x32/0x80
[<ffffffffc0217eac>] fc_seq_set_resp+0xac/0x100 [libfc]
[<ffffffffc0218b11>] fc_exch_done+0x41/0x60 [libfc]
[<ffffffffc0225cff>] fc_fcp_cleanup_each_cmd.isra.21+0xcf/0x150 [libfc]
[<ffffffffc0225f43>] fc_eh_device_reset+0x1c3/0x270 [libfc]
[<ffffffff814a2cc9>] scsi_try_bus_device_reset+0x29/0x60
[<ffffffff814a3908>] scsi_ioctl_reset+0x258/0x2d0
[<ffffffff814a2650>] scsi_ioctl+0x150/0x440
[<ffffffff814b3a9d>] sd_ioctl+0xad/0x120
[<ffffffff8132f266>] blkdev_ioctl+0x1b6/0x810
[<ffffffff811da608>] block_ioctl+0x38/0x40
[<ffffffff811b4e08>] do_vfs_ioctl+0x2f8/0x530
[<ffffffff811b50c1>] SyS_ioctl+0x81/0xa0
[<ffffffff816cf8b2>] system_call_fastpath+0x16/0x7a
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Signed-off-by: Vasu Dev <vasu.dev@intel.com>
Signed-off-by: James Bottomley <JBottomley@Odin.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/scsi/libfc/fc_fcp.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/libfc/fc_fcp.c b/drivers/scsi/libfc/fc_fcp.c
index c679594..2d5909c 100644
--- a/drivers/scsi/libfc/fc_fcp.c
+++ b/drivers/scsi/libfc/fc_fcp.c
@@ -1039,11 +1039,26 @@ restart:
fc_fcp_pkt_hold(fsp);
spin_unlock_irqrestore(&si->scsi_queue_lock, flags);
- if (!fc_fcp_lock_pkt(fsp)) {
+ spin_lock_bh(&fsp->scsi_pkt_lock);
+ if (!(fsp->state & FC_SRB_COMPL)) {
+ fsp->state |= FC_SRB_COMPL;
+ /*
+ * TODO: dropping scsi_pkt_lock and then reacquiring
+ * again around fc_fcp_cleanup_cmd() is required,
+ * since fc_fcp_cleanup_cmd() calls into
+ * fc_seq_set_resp() and that func preempts cpu using
+ * schedule. May be schedule and related code should be
+ * removed instead of unlocking here to avoid scheduling
+ * while atomic bug.
+ */
+ spin_unlock_bh(&fsp->scsi_pkt_lock);
+
fc_fcp_cleanup_cmd(fsp, error);
+
+ spin_lock_bh(&fsp->scsi_pkt_lock);
fc_io_compl(fsp);
- fc_fcp_unlock_pkt(fsp);
}
+ spin_unlock_bh(&fsp->scsi_pkt_lock);
fc_fcp_pkt_release(fsp);
spin_lock_irqsave(&si->scsi_queue_lock, flags);
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 061/102] sd: Fix maximum I/O size for BLOCK_PC requests
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (60 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 060/102] libfc: Fix fc_fcp_cleanup_each_cmd() Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 062/102] EDAC, ppc4xx: Access mci->csrows array elements properly Kamal Mostafa
` (40 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Martin K. Petersen, James Bottomley, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: "Martin K. Petersen" <martin.petersen@oracle.com>
commit 4f258a46346c03fa0bbb6199ffaf4e1f9f599660 upstream.
Commit bcdb247c6b6a ("sd: Limit transfer length") clamped the maximum
size of an I/O request to the MAXIMUM TRANSFER LENGTH field in the BLOCK
LIMITS VPD. This had the unfortunate effect of also limiting the maximum
size of non-filesystem requests sent to the device through sg/bsg.
Avoid using blk_queue_max_hw_sectors() and set the max_sectors queue
limit directly.
Also update the comment in blk_limits_max_hw_sectors() to clarify that
max_hw_sectors defines the limit for the I/O controller only.
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Reported-by: Brian King <brking@linux.vnet.ibm.com>
Tested-by: Brian King <brking@linux.vnet.ibm.com>
Signed-off-by: James Bottomley <JBottomley@Odin.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
block/blk-settings.c | 4 ++--
drivers/scsi/sd.c | 6 +++---
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/block/blk-settings.c b/block/blk-settings.c
index 12600bf..e0057d0 100644
--- a/block/blk-settings.c
+++ b/block/blk-settings.c
@@ -241,8 +241,8 @@ EXPORT_SYMBOL(blk_queue_bounce_limit);
* Description:
* Enables a low level driver to set a hard upper limit,
* max_hw_sectors, on the size of requests. max_hw_sectors is set by
- * the device driver based upon the combined capabilities of I/O
- * controller and storage device.
+ * the device driver based upon the capabilities of the I/O
+ * controller.
*
* max_sectors is a soft limit imposed by the block layer for
* filesystem type requests. This value can be overridden on a
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index 7f71d7d..c80e1fe 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -2794,9 +2794,9 @@ static int sd_revalidate_disk(struct gendisk *disk)
max_xfer = sdkp->max_xfer_blocks;
max_xfer <<= ilog2(sdp->sector_size) - 9;
- max_xfer = min_not_zero(queue_max_hw_sectors(sdkp->disk->queue),
- max_xfer);
- blk_queue_max_hw_sectors(sdkp->disk->queue, max_xfer);
+ sdkp->disk->queue->limits.max_sectors =
+ min_not_zero(queue_max_hw_sectors(sdkp->disk->queue), max_xfer);
+
set_capacity(disk, sdkp->capacity);
sd_config_write_same(sdkp);
kfree(buffer);
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 062/102] EDAC, ppc4xx: Access mci->csrows array elements properly
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (61 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 061/102] sd: Fix maximum I/O size for BLOCK_PC requests Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 063/102] crypto: caam - fix memory corruption in ahash_final_ctx Kamal Mostafa
` (39 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Michael Walle, linux-edac, Mauro Carvalho Chehab,
Borislav Petkov, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Walle <michael@walle.cc>
commit 5c16179b550b9fd8114637a56b153c9768ea06a5 upstream.
The commit
de3910eb79ac ("edac: change the mem allocation scheme to
make Documentation/kobject.txt happy")
changed the memory allocation for the csrows member. But ppc4xx_edac was
forgotten in the patch. Fix it.
Signed-off-by: Michael Walle <michael@walle.cc>
Cc: linux-edac <linux-edac@vger.kernel.org>
Cc: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Link: http://lkml.kernel.org/r/1437469253-8611-1-git-send-email-michael@walle.cc
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/edac/ppc4xx_edac.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/edac/ppc4xx_edac.c b/drivers/edac/ppc4xx_edac.c
index 1b64fd0..e73d384 100644
--- a/drivers/edac/ppc4xx_edac.c
+++ b/drivers/edac/ppc4xx_edac.c
@@ -920,7 +920,7 @@ static int ppc4xx_edac_init_csrows(struct mem_ctl_info *mci, u32 mcopt1)
*/
for (row = 0; row < mci->nr_csrows; row++) {
- struct csrow_info *csi = &mci->csrows[row];
+ struct csrow_info *csi = mci->csrows[row];
/*
* Get the configuration settings for this
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 063/102] crypto: caam - fix memory corruption in ahash_final_ctx
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (62 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 062/102] EDAC, ppc4xx: Access mci->csrows array elements properly Kamal Mostafa
@ 2015-09-22 17:51 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 064/102] drm/vmwgfx: Fix execbuf locking issues Kamal Mostafa
` (38 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:51 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Horia Geant?, Herbert Xu, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Horia Geant? <horia.geanta@freescale.com>
commit b310c178e6d897f82abb9da3af1cd7c02b09f592 upstream.
When doing pointer operation for accessing the HW S/G table,
a value representing number of entries (and not number of bytes)
must be used.
Fixes: 045e36780f115 ("crypto: caam - ahash hmac support")
Signed-off-by: Horia Geant? <horia.geanta@freescale.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/crypto/caam/caamhash.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/crypto/caam/caamhash.c b/drivers/crypto/caam/caamhash.c
index 08b0da2..5408450 100644
--- a/drivers/crypto/caam/caamhash.c
+++ b/drivers/crypto/caam/caamhash.c
@@ -909,13 +909,14 @@ static int ahash_final_ctx(struct ahash_request *req)
state->buflen_1;
u32 *sh_desc = ctx->sh_desc_fin, *desc;
dma_addr_t ptr = ctx->sh_desc_fin_dma;
- int sec4_sg_bytes;
+ int sec4_sg_bytes, sec4_sg_src_index;
int digestsize = crypto_ahash_digestsize(ahash);
struct ahash_edesc *edesc;
int ret = 0;
int sh_len;
- sec4_sg_bytes = (1 + (buflen ? 1 : 0)) * sizeof(struct sec4_sg_entry);
+ sec4_sg_src_index = 1 + (buflen ? 1 : 0);
+ sec4_sg_bytes = sec4_sg_src_index * sizeof(struct sec4_sg_entry);
/* allocate space for base edesc and hw desc commands, link tables */
edesc = kmalloc(sizeof(struct ahash_edesc) + DESC_JOB_IO_LEN +
@@ -942,7 +943,7 @@ static int ahash_final_ctx(struct ahash_request *req)
state->buf_dma = try_buf_map_to_sec4_sg(jrdev, edesc->sec4_sg + 1,
buf, state->buf_dma, buflen,
last_buflen);
- (edesc->sec4_sg + sec4_sg_bytes - 1)->len |= SEC4_SG_LEN_FIN;
+ (edesc->sec4_sg + sec4_sg_src_index - 1)->len |= SEC4_SG_LEN_FIN;
edesc->sec4_sg_dma = dma_map_single(jrdev, edesc->sec4_sg,
sec4_sg_bytes, DMA_TO_DEVICE);
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 064/102] drm/vmwgfx: Fix execbuf locking issues
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (63 preceding siblings ...)
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 063/102] crypto: caam - fix memory corruption in ahash_final_ctx Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 065/102] mm/hwpoison: fix page refcount of unknown non LRU page Kamal Mostafa
` (37 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Thomas Hellstrom, Dave Airlie, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Hellstrom <thellstrom@vmware.com>
commit 3e04e2fe6d87807d27521ad6ebb9e7919d628f25 upstream.
This addresses two issues that cause problems with viewperf maya-03 in
situation with memory pressure.
The first issue causes attempts to unreserve buffers if batched
reservation fails due to, for example, a signal pending. While previously
the ttm_eu api was resistant against this type of error, it is no longer
and the lockdep code will complain about attempting to unreserve buffers
that are not reserved. The issue is resolved by avoid calling
ttm_eu_backoff_reservation in the buffer reserve error path.
The second issue is that the binding_mutex may be held when user-space
fence objects are created and hence during memory reclaims. This may cause
recursive attempts to grab the binding mutex. The issue is resolved by not
holding the binding mutex across fence creation and submission.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Sinclair Yeh <syeh@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
index 1e11489..2711b09 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -2490,7 +2490,7 @@ int vmw_execbuf_process(struct drm_file *file_priv,
ret = ttm_eu_reserve_buffers(&ticket, &sw_context->validate_nodes,
true, NULL);
if (unlikely(ret != 0))
- goto out_err;
+ goto out_err_nores;
ret = vmw_validate_buffers(dev_priv, sw_context);
if (unlikely(ret != 0))
@@ -2534,6 +2534,7 @@ int vmw_execbuf_process(struct drm_file *file_priv,
vmw_resource_relocations_free(&sw_context->res_relocations);
vmw_fifo_commit(dev_priv, command_size);
+ mutex_unlock(&dev_priv->binding_mutex);
vmw_query_bo_switch_commit(dev_priv, sw_context);
ret = vmw_execbuf_fence_commands(file_priv, dev_priv,
@@ -2549,7 +2550,6 @@ int vmw_execbuf_process(struct drm_file *file_priv,
DRM_ERROR("Fence submission error. Syncing.\n");
vmw_resource_list_unreserve(&sw_context->resource_list, false);
- mutex_unlock(&dev_priv->binding_mutex);
ttm_eu_fence_buffer_objects(&ticket, &sw_context->validate_nodes,
(void *) fence);
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 065/102] mm/hwpoison: fix page refcount of unknown non LRU page
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (64 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 064/102] drm/vmwgfx: Fix execbuf locking issues Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 066/102] ipc,sem: fix use after free on IPC_RMID after a task using same semaphore set exits Kamal Mostafa
` (36 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Wanpeng Li, Andrew Morton, Linus Torvalds, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Wanpeng Li <wanpeng.li@hotmail.com>
commit 4f32be677b124a49459e2603321c7a5605ceb9f8 upstream.
After trying to drain pages from pagevec/pageset, we try to get reference
count of the page again, however, the reference count of the page is not
reduced if the page is still not on LRU list.
Fix it by adding the put_page() to drop the page reference which is from
__get_any_page().
Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
Acked-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
mm/memory-failure.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/mm/memory-failure.c b/mm/memory-failure.c
index dc29bec..1e2f7ff 100644
--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -1519,6 +1519,8 @@ static int get_any_page(struct page *page, unsigned long pfn, int flags)
*/
ret = __get_any_page(page, pfn, 0);
if (!PageLRU(page)) {
+ /* Drop page reference which is from __get_any_page() */
+ put_page(page);
pr_info("soft_offline: %#lx: unknown non LRU page type %lx\n",
pfn, page->flags);
return -EIO;
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 066/102] ipc,sem: fix use after free on IPC_RMID after a task using same semaphore set exits
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (65 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 065/102] mm/hwpoison: fix page refcount of unknown non LRU page Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 067/102] ipc/sem.c: update/correct memory barriers Kamal Mostafa
` (35 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Herton R. Krzesinski, Davidlohr Bueso, Rafael Aquini,
Aristeu Rozanski, David Jeffery, Andrew Morton, Linus Torvalds,
Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: "Herton R. Krzesinski" <herton@redhat.com>
commit 602b8593d2b4138c10e922eeaafe306f6b51817b upstream.
The current semaphore code allows a potential use after free: in
exit_sem we may free the task's sem_undo_list while there is still
another task looping through the same semaphore set and cleaning the
sem_undo list at freeary function (the task called IPC_RMID for the same
semaphore set).
For example, with a test program [1] running which keeps forking a lot
of processes (which then do a semop call with SEM_UNDO flag), and with
the parent right after removing the semaphore set with IPC_RMID, and a
kernel built with CONFIG_SLAB, CONFIG_SLAB_DEBUG and
CONFIG_DEBUG_SPINLOCK, you can easily see something like the following
in the kernel log:
Slab corruption (Not tainted): kmalloc-64 start=ffff88003b45c1c0, len=64
000: 6b 6b 6b 6b 6b 6b 6b 6b 00 6b 6b 6b 6b 6b 6b 6b kkkkkkkk.kkkkkkk
010: ff ff ff ff 6b 6b 6b 6b ff ff ff ff ff ff ff ff ....kkkk........
Prev obj: start=ffff88003b45c180, len=64
000: 00 00 00 00 ad 4e ad de ff ff ff ff 5a 5a 5a 5a .....N......ZZZZ
010: ff ff ff ff ff ff ff ff c0 fb 01 37 00 88 ff ff ...........7....
Next obj: start=ffff88003b45c200, len=64
000: 00 00 00 00 ad 4e ad de ff ff ff ff 5a 5a 5a 5a .....N......ZZZZ
010: ff ff ff ff ff ff ff ff 68 29 a7 3c 00 88 ff ff ........h).<....
BUG: spinlock wrong CPU on CPU#2, test/18028
general protection fault: 0000 [#1] SMP
Modules linked in: 8021q mrp garp stp llc nf_conntrack_ipv4 nf_defrag_ipv4 ip6t_REJECT nf_reject_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables binfmt_misc ppdev input_leds joydev parport_pc parport floppy serio_raw virtio_balloon virtio_rng virtio_console virtio_net iosf_mbi crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcspkr qxl ttm drm_kms_helper drm snd_hda_codec_generic i2c_piix4 snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer snd soundcore crc32c_intel virtio_pci virtio_ring virtio pata_acpi ata_generic [last unloaded: speedstep_lib]
CPU: 2 PID: 18028 Comm: test Not tainted 4.2.0-rc5+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.1-20150318_183358- 04/01/2014
RIP: spin_dump+0x53/0xc0
Call Trace:
spin_bug+0x30/0x40
do_raw_spin_unlock+0x71/0xa0
_raw_spin_unlock+0xe/0x10
freeary+0x82/0x2a0
? _raw_spin_lock+0xe/0x10
semctl_down.clone.0+0xce/0x160
? __do_page_fault+0x19a/0x430
? __audit_syscall_entry+0xa8/0x100
SyS_semctl+0x236/0x2c0
? syscall_trace_leave+0xde/0x130
entry_SYSCALL_64_fastpath+0x12/0x71
Code: 8b 80 88 03 00 00 48 8d 88 60 05 00 00 48 c7 c7 a0 2c a4 81 31 c0 65 8b 15 eb 40 f3 7e e8 08 31 68 00 4d 85 e4 44 8b 4b 08 74 5e <45> 8b 84 24 88 03 00 00 49 8d 8c 24 60 05 00 00 8b 53 04 48 89
RIP [<ffffffff810d6053>] spin_dump+0x53/0xc0
RSP <ffff88003750fd68>
---[ end trace 783ebb76612867a0 ]---
NMI watchdog: BUG: soft lockup - CPU#3 stuck for 22s! [test:18053]
Modules linked in: 8021q mrp garp stp llc nf_conntrack_ipv4 nf_defrag_ipv4 ip6t_REJECT nf_reject_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables binfmt_misc ppdev input_leds joydev parport_pc parport floppy serio_raw virtio_balloon virtio_rng virtio_console virtio_net iosf_mbi crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcspkr qxl ttm drm_kms_helper drm snd_hda_codec_generic i2c_piix4 snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer snd soundcore crc32c_intel virtio_pci virtio_ring virtio pata_acpi ata_generic [last unloaded: speedstep_lib]
CPU: 3 PID: 18053 Comm: test Tainted: G D 4.2.0-rc5+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.1-20150318_183358- 04/01/2014
RIP: native_read_tsc+0x0/0x20
Call Trace:
? delay_tsc+0x40/0x70
__delay+0xf/0x20
do_raw_spin_lock+0x96/0x140
_raw_spin_lock+0xe/0x10
sem_lock_and_putref+0x11/0x70
SYSC_semtimedop+0x7bf/0x960
? handle_mm_fault+0xbf6/0x1880
? dequeue_task_fair+0x79/0x4a0
? __do_page_fault+0x19a/0x430
? kfree_debugcheck+0x16/0x40
? __do_page_fault+0x19a/0x430
? __audit_syscall_entry+0xa8/0x100
? do_audit_syscall_entry+0x66/0x70
? syscall_trace_enter_phase1+0x139/0x160
SyS_semtimedop+0xe/0x10
SyS_semop+0x10/0x20
entry_SYSCALL_64_fastpath+0x12/0x71
Code: 47 10 83 e8 01 85 c0 89 47 10 75 08 65 48 89 3d 1f 74 ff 7e c9 c3 0f 1f 44 00 00 55 48 89 e5 e8 87 17 04 00 66 90 c9 c3 0f 1f 00 <55> 48 89 e5 0f 31 89 c1 48 89 d0 48 c1 e0 20 89 c9 48 09 c8 c9
Kernel panic - not syncing: softlockup: hung tasks
I wasn't able to trigger any badness on a recent kernel without the
proper config debugs enabled, however I have softlockup reports on some
kernel versions, in the semaphore code, which are similar as above (the
scenario is seen on some servers running IBM DB2 which uses semaphore
syscalls).
The patch here fixes the race against freeary, by acquiring or waiting
on the sem_undo_list lock as necessary (exit_sem can race with freeary,
while freeary sets un->semid to -1 and removes the same sem_undo from
list_proc or when it removes the last sem_undo).
After the patch I'm unable to reproduce the problem using the test case
[1].
[1] Test case used below:
#include <stdio.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/sem.h>
#include <sys/wait.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>
#include <errno.h>
#define NSEM 1
#define NSET 5
int sid[NSET];
void thread()
{
struct sembuf op;
int s;
uid_t pid = getuid();
s = rand() % NSET;
op.sem_num = pid % NSEM;
op.sem_op = 1;
op.sem_flg = SEM_UNDO;
semop(sid[s], &op, 1);
exit(EXIT_SUCCESS);
}
void create_set()
{
int i, j;
pid_t p;
union {
int val;
struct semid_ds *buf;
unsigned short int *array;
struct seminfo *__buf;
} un;
/* Create and initialize semaphore set */
for (i = 0; i < NSET; i++) {
sid[i] = semget(IPC_PRIVATE , NSEM, 0644 | IPC_CREAT);
if (sid[i] < 0) {
perror("semget");
exit(EXIT_FAILURE);
}
}
un.val = 0;
for (i = 0; i < NSET; i++) {
for (j = 0; j < NSEM; j++) {
if (semctl(sid[i], j, SETVAL, un) < 0)
perror("semctl");
}
}
/* Launch threads that operate on semaphore set */
for (i = 0; i < NSEM * NSET * NSET; i++) {
p = fork();
if (p < 0)
perror("fork");
if (p == 0)
thread();
}
/* Free semaphore set */
for (i = 0; i < NSET; i++) {
if (semctl(sid[i], NSEM, IPC_RMID))
perror("IPC_RMID");
}
/* Wait for forked processes to exit */
while (wait(NULL)) {
if (errno == ECHILD)
break;
};
}
int main(int argc, char **argv)
{
pid_t p;
srand(time(NULL));
while (1) {
p = fork();
if (p < 0) {
perror("fork");
exit(EXIT_FAILURE);
}
if (p == 0) {
create_set();
goto end;
}
/* Wait for forked processes to exit */
while (wait(NULL)) {
if (errno == ECHILD)
break;
};
}
end:
return 0;
}
[akpm@linux-foundation.org: use normal comment layout]
Signed-off-by: Herton R. Krzesinski <herton@redhat.com>
Acked-by: Manfred Spraul <manfred@colorfullife.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Rafael Aquini <aquini@redhat.com>
CC: Aristeu Rozanski <aris@redhat.com>
Cc: David Jeffery <djeffery@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
ipc/sem.c | 23 +++++++++++++++++------
1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/ipc/sem.c b/ipc/sem.c
index 6115146..0b52140 100644
--- a/ipc/sem.c
+++ b/ipc/sem.c
@@ -2074,17 +2074,28 @@ void exit_sem(struct task_struct *tsk)
rcu_read_lock();
un = list_entry_rcu(ulp->list_proc.next,
struct sem_undo, list_proc);
- if (&un->list_proc == &ulp->list_proc)
- semid = -1;
- else
- semid = un->semid;
+ if (&un->list_proc == &ulp->list_proc) {
+ /*
+ * We must wait for freeary() before freeing this ulp,
+ * in case we raced with last sem_undo. There is a small
+ * possibility where we exit while freeary() didn't
+ * finish unlocking sem_undo_list.
+ */
+ spin_unlock_wait(&ulp->lock);
+ rcu_read_unlock();
+ break;
+ }
+ spin_lock(&ulp->lock);
+ semid = un->semid;
+ spin_unlock(&ulp->lock);
+ /* exit_sem raced with IPC_RMID, nothing to do */
if (semid == -1) {
rcu_read_unlock();
- break;
+ continue;
}
- sma = sem_obtain_object_check(tsk->nsproxy->ipc_ns, un->semid);
+ sma = sem_obtain_object_check(tsk->nsproxy->ipc_ns, semid);
/* exit_sem raced with IPC_RMID, nothing to do */
if (IS_ERR(sma)) {
rcu_read_unlock();
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 067/102] ipc/sem.c: update/correct memory barriers
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (66 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 066/102] ipc,sem: fix use after free on IPC_RMID after a task using same semaphore set exits Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 068/102] MIPS: Fix seccomp syscall argument for MIPS64 Kamal Mostafa
` (34 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Manfred Spraul, Paul E. McKenney, Kirill Tkhai, Ingo Molnar,
Josh Poimboeuf, Davidlohr Bueso, Andrew Morton, Linus Torvalds,
Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Manfred Spraul <manfred@colorfullife.com>
commit 3ed1f8a99d70ea1cd1508910eb107d0edcae5009 upstream.
sem_lock() did not properly pair memory barriers:
!spin_is_locked() and spin_unlock_wait() are both only control barriers.
The code needs an acquire barrier, otherwise the cpu might perform read
operations before the lock test.
As no primitive exists inside <include/spinlock.h> and since it seems
noone wants another primitive, the code creates a local primitive within
ipc/sem.c.
With regards to -stable:
The change of sem_wait_array() is a bugfix, the change to sem_lock() is a
nop (just a preprocessor redefinition to improve the readability). The
bugfix is necessary for all kernels that use sem_wait_array() (i.e.:
starting from 3.10).
Signed-off-by: Manfred Spraul <manfred@colorfullife.com>
Reported-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Cc: Kirill Tkhai <ktkhai@parallels.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
ipc/sem.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/ipc/sem.c b/ipc/sem.c
index 0b52140..541cb0f 100644
--- a/ipc/sem.c
+++ b/ipc/sem.c
@@ -253,6 +253,16 @@ static void sem_rcu_free(struct rcu_head *head)
}
/*
+ * spin_unlock_wait() and !spin_is_locked() are not memory barriers, they
+ * are only control barriers.
+ * The code must pair with spin_unlock(&sem->lock) or
+ * spin_unlock(&sem_perm.lock), thus just the control barrier is insufficient.
+ *
+ * smp_rmb() is sufficient, as writes cannot pass the control barrier.
+ */
+#define ipc_smp_acquire__after_spin_is_unlocked() smp_rmb()
+
+/*
* Wait until all currently ongoing simple ops have completed.
* Caller must own sem_perm.lock.
* New simple ops cannot start, because simple ops first check
@@ -275,6 +285,7 @@ static void sem_wait_array(struct sem_array *sma)
sem = sma->sem_base + i;
spin_unlock_wait(&sem->lock);
}
+ ipc_smp_acquire__after_spin_is_unlocked();
}
/*
@@ -327,13 +338,12 @@ static inline int sem_lock(struct sem_array *sma, struct sembuf *sops,
/* Then check that the global lock is free */
if (!spin_is_locked(&sma->sem_perm.lock)) {
/*
- * The ipc object lock check must be visible on all
- * cores before rechecking the complex count. Otherwise
- * we can race with another thread that does:
+ * We need a memory barrier with acquire semantics,
+ * otherwise we can race with another thread that does:
* complex_count++;
* spin_unlock(sem_perm.lock);
*/
- smp_rmb();
+ ipc_smp_acquire__after_spin_is_unlocked();
/*
* Now repeat the test of complex_count:
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 068/102] MIPS: Fix seccomp syscall argument for MIPS64
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (67 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 067/102] ipc/sem.c: update/correct memory barriers Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 069/102] x86/ldt: Further fix FPU emulation Kamal Mostafa
` (33 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Markos Chandras, linux-mips, Ralf Baechle, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Markos Chandras <markos.chandras@imgtec.com>
commit 9f161439e4104b641a7bfb9b89581d801159fec8 upstream.
Commit 4c21b8fd8f14 ("MIPS: seccomp: Handle indirect system calls (o32)")
fixed indirect system calls on O32 but it also introduced a bug for MIPS64
where it erroneously modified the v0 (syscall) register with the assumption
that the sycall offset hasn't been taken into consideration. This breaks
seccomp on MIPS64 n64 and n32 ABIs. We fix this by replacing the addition
with a move instruction.
Fixes: 4c21b8fd8f14 ("MIPS: seccomp: Handle indirect system calls (o32)")
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/10951/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/mips/kernel/scall64-64.S | 2 +-
arch/mips/kernel/scall64-n32.S | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/mips/kernel/scall64-64.S b/arch/mips/kernel/scall64-64.S
index ad4d4463..a6f6b76 100644
--- a/arch/mips/kernel/scall64-64.S
+++ b/arch/mips/kernel/scall64-64.S
@@ -80,7 +80,7 @@ syscall_trace_entry:
SAVE_STATIC
move s0, t2
move a0, sp
- daddiu a1, v0, __NR_64_Linux
+ move a1, v0
jal syscall_trace_enter
bltz v0, 2f # seccomp failed? Skip syscall
diff --git a/arch/mips/kernel/scall64-n32.S b/arch/mips/kernel/scall64-n32.S
index 446cc65..4b20106 100644
--- a/arch/mips/kernel/scall64-n32.S
+++ b/arch/mips/kernel/scall64-n32.S
@@ -72,7 +72,7 @@ n32_syscall_trace_entry:
SAVE_STATIC
move s0, t2
move a0, sp
- daddiu a1, v0, __NR_N32_Linux
+ move a1, v0
jal syscall_trace_enter
bltz v0, 2f # seccomp failed? Skip syscall
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 069/102] x86/ldt: Further fix FPU emulation
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (68 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 068/102] MIPS: Fix seccomp syscall argument for MIPS64 Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 070/102] drm/i915: Flag the execlists context object as dirty after every use Kamal Mostafa
` (32 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Juergen Gross, Andy Lutomirski, Linus Torvalds, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Lutomirski <luto@kernel.org>
commit 12e244f4b550498bbaf654a52f93633f7dde2dc7 upstream.
The previous fix confused a selector with a segment prefix. Fix it.
Compile-tested only.
Cc: Juergen Gross <jgross@suse.com>
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Fixes: 4809146b86c3 ("x86/ldt: Correct FPU emulation access to LDT")
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/x86/math-emu/get_address.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/math-emu/get_address.c b/arch/x86/math-emu/get_address.c
index d13cab2..8300db7 100644
--- a/arch/x86/math-emu/get_address.c
+++ b/arch/x86/math-emu/get_address.c
@@ -157,7 +157,7 @@ static long pm_address(u_char FPU_modrm, u_char segment,
addr->selector = PM_REG_(segment);
}
- descriptor = FPU_get_ldt_descriptor(segment);
+ descriptor = FPU_get_ldt_descriptor(addr->selector);
base_address = SEG_BASE_ADDR(descriptor);
address = base_address + offset;
limit = base_address
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 070/102] drm/i915: Flag the execlists context object as dirty after every use
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (69 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 069/102] x86/ldt: Further fix FPU emulation Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 071/102] fnic: Use the local variable instead of I/O flag to acquire io_req_lock in fnic_queuecommand() to avoid deadloack Kamal Mostafa
` (31 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Chris Wilson, Jani Nikula, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Chris Wilson <chris@chris-wilson.co.uk>
commit 903ecd0bb970438c3a60c2c33ec9032d6443bf67 upstream.
Everytime we use the logical context with execlists it becomes dirty (as
the hardware will write the new register values afterwards, as well as
the GPU state that will be used). We need to then flag the context as
dirty everytime since after a swap-out/swap-in cycle the dirty flag will
be cleared, and a further swap-out cycle will then loose the most recent
GPU state.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/gpu/drm/i915/intel_lrc.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/i915/intel_lrc.c b/drivers/gpu/drm/i915/intel_lrc.c
index 5ebe805..2c5c00c 100644
--- a/drivers/gpu/drm/i915/intel_lrc.c
+++ b/drivers/gpu/drm/i915/intel_lrc.c
@@ -849,6 +849,8 @@ static int intel_lr_context_pin(struct intel_engine_cs *ring,
ret = intel_pin_and_map_ringbuffer_obj(ring->dev, ringbuf);
if (ret)
goto unpin_ctx_obj;
+
+ ctx_obj->dirty = true;
}
return ret;
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 071/102] fnic: Use the local variable instead of I/O flag to acquire io_req_lock in fnic_queuecommand() to avoid deadloack
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (70 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 070/102] drm/i915: Flag the execlists context object as dirty after every use Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 072/102] SCSI: Fix NULL pointer dereference in runtime PM Kamal Mostafa
` (30 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Hiral Shah, Sesidhar Baddela, Anil Chintalapati, James Bottomley,
Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Hiral Shah <hishah@cisco.com>
commit db196935d9562abec4510f48d887bc1f1e054fcf upstream.
We added changes in fnic driver patch 1.6.0.16 to acquire
io_req_lock in fnic_queuecommand() before issuing I/O so that io completion
is serialized. But when releasing the lock we check for the I/O flag and
this could be modified if IO abort occurs before I/O completion. In this case
we wont release the lock and causes deadlock in some scenerios. Using the
local variable to check the IO lock status will resolve the problem.
Fixes: 41df7b02db82cf6c14f094757bac3830d10a827f
Signed-off-by: Hiral Shah <hishah@cisco.com>
Signed-off-by: Sesidhar Baddela <sebaddel@cisco.com>
Signed-off-by: Anil Chintalapati <achintal@cisco.com>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: James Bottomley <JBottomley@Odin.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/scsi/fnic/fnic.h | 2 +-
drivers/scsi/fnic/fnic_scsi.c | 4 +++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/fnic/fnic.h b/drivers/scsi/fnic/fnic.h
index 26270c3..ce129e5 100644
--- a/drivers/scsi/fnic/fnic.h
+++ b/drivers/scsi/fnic/fnic.h
@@ -39,7 +39,7 @@
#define DRV_NAME "fnic"
#define DRV_DESCRIPTION "Cisco FCoE HBA Driver"
-#define DRV_VERSION "1.6.0.17"
+#define DRV_VERSION "1.6.0.17a"
#define PFX DRV_NAME ": "
#define DFX DRV_NAME "%d: "
diff --git a/drivers/scsi/fnic/fnic_scsi.c b/drivers/scsi/fnic/fnic_scsi.c
index 155b286..25436cd 100644
--- a/drivers/scsi/fnic/fnic_scsi.c
+++ b/drivers/scsi/fnic/fnic_scsi.c
@@ -425,6 +425,7 @@ static int fnic_queuecommand_lck(struct scsi_cmnd *sc, void (*done)(struct scsi_
unsigned long ptr;
struct fc_rport_priv *rdata;
spinlock_t *io_lock = NULL;
+ int io_lock_acquired = 0;
if (unlikely(fnic_chk_state_flags_locked(fnic, FNIC_FLAGS_IO_BLOCKED)))
return SCSI_MLQUEUE_HOST_BUSY;
@@ -518,6 +519,7 @@ static int fnic_queuecommand_lck(struct scsi_cmnd *sc, void (*done)(struct scsi_
spin_lock_irqsave(io_lock, flags);
/* initialize rest of io_req */
+ io_lock_acquired = 1;
io_req->port_id = rport->port_id;
io_req->start_time = jiffies;
CMD_STATE(sc) = FNIC_IOREQ_CMD_PENDING;
@@ -571,7 +573,7 @@ out:
(((u64)CMD_FLAGS(sc) >> 32) | CMD_STATE(sc)));
/* if only we issued IO, will we have the io lock */
- if (CMD_FLAGS(sc) & FNIC_IO_INITIALIZED)
+ if (io_lock_acquired)
spin_unlock_irqrestore(io_lock, flags);
atomic_dec(&fnic->in_flight);
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 072/102] SCSI: Fix NULL pointer dereference in runtime PM
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (71 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 071/102] fnic: Use the local variable instead of I/O flag to acquire io_req_lock in fnic_queuecommand() to avoid deadloack Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 073/102] ALSA: usb-audio: Fix runtime PM unbalance Kamal Mostafa
` (29 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Alan Stern, James Bottomley, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 49718f0fb8c9af192b33d8af3a2826db04025371 upstream.
The routines in scsi_rpm.c assume that if a runtime-PM callback is
invoked for a SCSI device, it can only mean that the device's driver
has asked the block layer to handle the runtime power management (by
calling blk_pm_runtime_init(), which among other things sets q->dev).
However, this assumption turns out to be wrong for things like the ses
driver. Normally ses devices are not allowed to do runtime PM, but
userspace can override this setting. If this happens, the kernel gets
a NULL pointer dereference when blk_post_runtime_resume() tries to use
the uninitialized q->dev pointer.
This patch fixes the problem by calling the block layer's runtime-PM
routines only if the device's driver really does have a runtime-PM
callback routine. Since ses doesn't define any such callbacks, the
crash won't occur.
This fixes Bugzilla #101371.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Stanisław Pitucha <viraptor@gmail.com>
Reported-by: Ilan Cohen <ilanco@gmail.com>
Tested-by: Ilan Cohen <ilanco@gmail.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: James Bottomley <JBottomley@Odin.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/scsi/scsi_pm.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/drivers/scsi/scsi_pm.c b/drivers/scsi/scsi_pm.c
index 9e43ae1..e4b7998 100644
--- a/drivers/scsi/scsi_pm.c
+++ b/drivers/scsi/scsi_pm.c
@@ -217,15 +217,15 @@ static int sdev_runtime_suspend(struct device *dev)
{
const struct dev_pm_ops *pm = dev->driver ? dev->driver->pm : NULL;
struct scsi_device *sdev = to_scsi_device(dev);
- int err;
+ int err = 0;
- err = blk_pre_runtime_suspend(sdev->request_queue);
- if (err)
- return err;
- if (pm && pm->runtime_suspend)
+ if (pm && pm->runtime_suspend) {
+ err = blk_pre_runtime_suspend(sdev->request_queue);
+ if (err)
+ return err;
err = pm->runtime_suspend(dev);
- blk_post_runtime_suspend(sdev->request_queue, err);
-
+ blk_post_runtime_suspend(sdev->request_queue, err);
+ }
return err;
}
@@ -248,11 +248,11 @@ static int sdev_runtime_resume(struct device *dev)
const struct dev_pm_ops *pm = dev->driver ? dev->driver->pm : NULL;
int err = 0;
- blk_pre_runtime_resume(sdev->request_queue);
- if (pm && pm->runtime_resume)
+ if (pm && pm->runtime_resume) {
+ blk_pre_runtime_resume(sdev->request_queue);
err = pm->runtime_resume(dev);
- blk_post_runtime_resume(sdev->request_queue, err);
-
+ blk_post_runtime_resume(sdev->request_queue, err);
+ }
return err;
}
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 073/102] ALSA: usb-audio: Fix runtime PM unbalance
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (72 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 072/102] SCSI: Fix NULL pointer dereference in runtime PM Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 074/102] x86/xen: make CONFIG_XEN depend on CONFIG_X86_LOCAL_APIC Kamal Mostafa
` (28 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Takashi Iwai, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 9003ebb13f61e8c78a641e0dda7775183ada0625 upstream.
The fix for deadlock in PM in commit [1ee23fe07ee8: ALSA: usb-audio:
Fix deadlocks at resuming] introduced a new check of in_pm flag.
However, the brainless patch author evaluated it in a wrong way
(logical AND instead of logical OR), thus usb_autopm_get_interface()
is wrongly called at probing, leading to unbalance of runtime PM
refcount.
This patch fixes it by correcting the logic.
Reported-by: Hans Yang <hansy@nvidia.com>
Fixes: 1ee23fe07ee8 ('ALSA: usb-audio: Fix deadlocks at resuming')
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
sound/usb/card.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/usb/card.c b/sound/usb/card.c
index 1fab977..0450593 100644
--- a/sound/usb/card.c
+++ b/sound/usb/card.c
@@ -638,7 +638,7 @@ int snd_usb_autoresume(struct snd_usb_audio *chip)
int err = -ENODEV;
down_read(&chip->shutdown_rwsem);
- if (chip->probing && chip->in_pm)
+ if (chip->probing || chip->in_pm)
err = 0;
else if (!chip->shutdown)
err = usb_autopm_get_interface(chip->pm_intf);
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 074/102] x86/xen: make CONFIG_XEN depend on CONFIG_X86_LOCAL_APIC
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (73 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 073/102] ALSA: usb-audio: Fix runtime PM unbalance Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 075/102] Input: gpio_keys_polled - request GPIO pin as input Kamal Mostafa
` (27 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: David Vrabel, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: David Vrabel <david.vrabel@citrix.com>
commit 87ffd2b9bb74061c120f450e4d0f3409bb603ae0 upstream.
Since commit feb44f1f7a4ac299d1ab1c3606860e70b9b89d69 (x86/xen:
Provide a "Xen PV" APIC driver to support >255 VCPUs) Xen guests need
a full APIC driver and thus should depend on X86_LOCAL_APIC.
This fixes an i386 build failure with !SMP && !CONFIG_X86_UP_APIC by
disabling Xen support in this configuration.
Users needing Xen support in a non-SMP i386 kernel will need to enable
CONFIG_X86_UP_APIC.
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/x86/xen/Kconfig | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/x86/xen/Kconfig b/arch/x86/xen/Kconfig
index e88fda8..4841453 100644
--- a/arch/x86/xen/Kconfig
+++ b/arch/x86/xen/Kconfig
@@ -8,7 +8,7 @@ config XEN
select PARAVIRT_CLOCK
select XEN_HAVE_PVMMU
depends on X86_64 || (X86_32 && X86_PAE)
- depends on X86_TSC
+ depends on X86_LOCAL_APIC && X86_TSC
help
This is the Linux Xen port. Enabling this will allow the
kernel to boot in a paravirtualized environment under the
@@ -17,7 +17,7 @@ config XEN
config XEN_DOM0
def_bool y
depends on XEN && PCI_XEN && SWIOTLB_XEN
- depends on X86_LOCAL_APIC && X86_IO_APIC && ACPI && PCI
+ depends on X86_IO_APIC && ACPI && PCI
config XEN_PVHVM
def_bool y
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 075/102] Input: gpio_keys_polled - request GPIO pin as input.
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (74 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 074/102] x86/xen: make CONFIG_XEN depend on CONFIG_X86_LOCAL_APIC Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 076/102] PCI: Don't use 64-bit bus addresses on PA-RISC Kamal Mostafa
` (26 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Vincent Pelletier, Dmitry Torokhov, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Vincent Pelletier <plr.vincent@gmail.com>
commit 1ae5ddb6f8837558928a1a694c7b8af7f09fdd21 upstream.
GPIOF_IN flag was lost in:
Commit 633a21d80b4a("input: gpio_keys_polled: Add support for GPIO
descriptors").
Without this flag, legacy code path (for non-descriptor GPIO declarations)
would configure GPIO as output (0 meaning GPIOF_DIR_OUT | GPIOF_INIT_LOW).
Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/input/keyboard/gpio_keys_polled.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/input/keyboard/gpio_keys_polled.c b/drivers/input/keyboard/gpio_keys_polled.c
index 90df4df..959b826 100644
--- a/drivers/input/keyboard/gpio_keys_polled.c
+++ b/drivers/input/keyboard/gpio_keys_polled.c
@@ -246,7 +246,7 @@ static int gpio_keys_polled_probe(struct platform_device *pdev)
* convert it to descriptor.
*/
if (!button->gpiod && gpio_is_valid(button->gpio)) {
- unsigned flags = 0;
+ unsigned flags = GPIOF_IN;
if (button->active_low)
flags |= GPIOF_ACTIVE_LOW;
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 076/102] PCI: Don't use 64-bit bus addresses on PA-RISC
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (75 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 075/102] Input: gpio_keys_polled - request GPIO pin as input Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 077/102] ALSA: usb: Add native DSD support for Gustard DAC-X20U Kamal Mostafa
` (25 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Bjorn Helgaas, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Bjorn Helgaas <bhelgaas@google.com>
commit 45ea2a5fed6dacb9bb0558d8b21eacc1c45d5bb4 upstream.
Meelis and Helge reported that 3a9ad0b4fdcd ("PCI: Add pci_bus_addr_t")
caused HPMCs on A500 and hangs on rp5470.
PA-RISC does not set ARCH_DMA_ADDR_T_64BIT, even for 64-bit kernels, so
prior to 3a9ad0b4fdcd, we always used 32-bit PCI addresses. After
3a9ad0b4fdcd, we do use 64-bit PCI addresses in 64-bit kernels, and
apparently there's some PA-RISC problem related to them.
Fixes: 3a9ad0b4fdcd ("PCI: Add pci_bus_addr_t")
Link: http://lkml.kernel.org/r/alpine.LRH.2.11.1507260929000.30065@math.ut.ee
Reported-by: Meelis Roos <mroos@linux.ee>
Reported-by: Helge Deller <deller@gmx.de>
Tested-by: Helge Deller <deller@gmx.de>
Based-on-idea-by: Yinghai Lu <yinghai@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Yinghai Lu <yinghai@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/pci/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pci/Kconfig b/drivers/pci/Kconfig
index 73de4ef..944f500 100644
--- a/drivers/pci/Kconfig
+++ b/drivers/pci/Kconfig
@@ -2,7 +2,7 @@
# PCI configuration
#
config PCI_BUS_ADDR_T_64BIT
- def_bool y if (ARCH_DMA_ADDR_T_64BIT || 64BIT)
+ def_bool y if (ARCH_DMA_ADDR_T_64BIT || (64BIT && !PARISC))
depends on PCI
config PCI_MSI
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 077/102] ALSA: usb: Add native DSD support for Gustard DAC-X20U
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (76 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 076/102] PCI: Don't use 64-bit bus addresses on PA-RISC Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 078/102] Add factory recertified Crucial M500s to blacklist Kamal Mostafa
` (24 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Jurgen Kramer, Takashi Iwai, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Jurgen Kramer <gtmkramer@xs4all.nl>
commit 9544f8b6e2ee9ed02d2322ff018837b185f51d45 upstream.
This patch adds native DSD support for the Gustard DAC-X20U.
Signed-off-by: Jurgen Kramer <gtmkramer@xs4all.nl>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
sound/usb/quirks.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
index 1b195af..aa98e08 100644
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -1254,6 +1254,7 @@ u64 snd_usb_interface_dsd_format_quirks(struct snd_usb_audio *chip,
return SNDRV_PCM_FMTBIT_DSD_U32_BE;
break;
+ case USB_ID(0x20b1, 0x000a): /* Gustard DAC-X20U */
case USB_ID(0x20b1, 0x2009): /* DIYINHK DSD DXD 384kHz USB to I2S/DSD */
case USB_ID(0x20b1, 0x2023): /* JLsounds I2SoverUSB */
if (fp->altsetting == 3)
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 078/102] Add factory recertified Crucial M500s to blacklist
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (77 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 077/102] ALSA: usb: Add native DSD support for Gustard DAC-X20U Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 079/102] arm64: KVM: Fix host crash when injecting a fault into a 32bit guest Kamal Mostafa
` (23 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Guillermo A. Amaral, Tejun Heo, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: "Guillermo A. Amaral" <g@maral.me>
commit 7a7184b01aa9deb86df661c6f7cbcf69a95b728c upstream.
The Crucial M500 is known to have issues with queued TRIM commands, the
factory recertified SSDs use a different model number naming convention
which causes them to get ignored by the blacklist.
The new naming convention boils down to: s/Crucial_/FC/
Signed-off-by: Guillermo A. Amaral <g@maral.me>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/ata/libata-core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
index da7d05e..e097efe 100644
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4256,6 +4256,8 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = {
ATA_HORKAGE_ZERO_AFTER_TRIM, },
{ "Samsung SSD 8*", NULL, ATA_HORKAGE_NO_NCQ_TRIM |
ATA_HORKAGE_ZERO_AFTER_TRIM, },
+ { "FCCT*M500*", NULL, ATA_HORKAGE_NO_NCQ_TRIM |
+ ATA_HORKAGE_ZERO_AFTER_TRIM, },
/* devices that don't properly handle TRIM commands */
{ "SuperSSpeed S238*", NULL, ATA_HORKAGE_NOTRIM, },
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 079/102] arm64: KVM: Fix host crash when injecting a fault into a 32bit guest
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (78 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 078/102] Add factory recertified Crucial M500s to blacklist Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 080/102] batman-adv: protect tt_local_entry from concurrent delete events Kamal Mostafa
` (22 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Marc Zyngier, Will Deacon, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Zyngier <marc.zyngier@arm.com>
commit 126c69a0bd0e441bf6766a5d9bf20de011be9f68 upstream.
When injecting a fault into a misbehaving 32bit guest, it seems
rather idiotic to also inject a 64bit fault that is only going
to corrupt the guest state. This leads to a situation where we
perform an illegal exception return at EL2 causing the host
to crash instead of killing the guest.
Just fix the stupid bug that has been there from day 1.
Reported-by: Russell King <rmk+kernel@arm.linux.org.uk>
Tested-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/arm64/kvm/inject_fault.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/arch/arm64/kvm/inject_fault.c b/arch/arm64/kvm/inject_fault.c
index 81a02a8..86825f88 100644
--- a/arch/arm64/kvm/inject_fault.c
+++ b/arch/arm64/kvm/inject_fault.c
@@ -168,8 +168,8 @@ void kvm_inject_dabt(struct kvm_vcpu *vcpu, unsigned long addr)
{
if (!(vcpu->arch.hcr_el2 & HCR_RW))
inject_abt32(vcpu, false, addr);
-
- inject_abt64(vcpu, false, addr);
+ else
+ inject_abt64(vcpu, false, addr);
}
/**
@@ -184,8 +184,8 @@ void kvm_inject_pabt(struct kvm_vcpu *vcpu, unsigned long addr)
{
if (!(vcpu->arch.hcr_el2 & HCR_RW))
inject_abt32(vcpu, true, addr);
-
- inject_abt64(vcpu, true, addr);
+ else
+ inject_abt64(vcpu, true, addr);
}
/**
@@ -198,6 +198,6 @@ void kvm_inject_undefined(struct kvm_vcpu *vcpu)
{
if (!(vcpu->arch.hcr_el2 & HCR_RW))
inject_undef32(vcpu);
-
- inject_undef64(vcpu);
+ else
+ inject_undef64(vcpu);
}
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 080/102] batman-adv: protect tt_local_entry from concurrent delete events
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (79 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 079/102] arm64: KVM: Fix host crash when injecting a fault into a 32bit guest Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 081/102] ip6_gre: release cached dst on tunnel removal Kamal Mostafa
` (21 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Marek Lindner, Antonio Quartulli, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Lindner <mareklindner@neomailbox.ch>
commit ef72706a0543d0c3a5ab29bd6378fdfb368118d9 upstream.
The tt_local_entry deletion performed in batadv_tt_local_remove() was neither
protecting against simultaneous deletes nor checking whether the element was
still part of the list before calling hlist_del_rcu().
Replacing the hlist_del_rcu() call with batadv_hash_remove() provides adequate
protection via hash spinlocks as well as an is-element-still-in-hash check to
avoid 'blind' hash removal.
Fixes: 068ee6e204e1 ("batman-adv: roaming handling mechanism redesign")
Reported-by: alfonsname@web.de
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/batman-adv/translation-table.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index 5f59e7f..c8c5184 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -1015,6 +1015,7 @@ uint16_t batadv_tt_local_remove(struct batadv_priv *bat_priv,
struct batadv_tt_local_entry *tt_local_entry;
uint16_t flags, curr_flags = BATADV_NO_FLAGS;
struct batadv_softif_vlan *vlan;
+ void *tt_entry_exists;
tt_local_entry = batadv_tt_local_hash_find(bat_priv, addr, vid);
if (!tt_local_entry)
@@ -1042,7 +1043,15 @@ uint16_t batadv_tt_local_remove(struct batadv_priv *bat_priv,
* immediately purge it
*/
batadv_tt_local_event(bat_priv, tt_local_entry, BATADV_TT_CLIENT_DEL);
- hlist_del_rcu(&tt_local_entry->common.hash_entry);
+
+ tt_entry_exists = batadv_hash_remove(bat_priv->tt.local_hash,
+ batadv_compare_tt,
+ batadv_choose_tt,
+ &tt_local_entry->common);
+ if (!tt_entry_exists)
+ goto out;
+
+ /* extra call to free the local tt entry */
batadv_tt_local_entry_free_ref(tt_local_entry);
/* decrease the reference held for this vlan */
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 081/102] ip6_gre: release cached dst on tunnel removal
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (80 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 080/102] batman-adv: protect tt_local_entry from concurrent delete events Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 082/102] perf: Fix PERF_EVENT_IOC_PERIOD migration race Kamal Mostafa
` (20 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Dmitry Kozlov, huaibin Wang, Nicolas Dichtel, David S. Miller,
Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: huaibin Wang <huaibin.wang@6wind.com>
commit d4257295ba1b389c693b79de857a96e4b7cd8ac0 upstream.
When a tunnel is deleted, the cached dst entry should be released.
This problem may prevent the removal of a netns (seen with a x-netns IPv6
gre tunnel):
unregister_netdevice: waiting for lo to become free. Usage count = 3
CC: Dmitry Kozlov <xeb@mail.ru>
Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
Signed-off-by: huaibin Wang <huaibin.wang@6wind.com>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/ipv6/ip6_gre.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 01ccc28..d1b83a3 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -361,6 +361,7 @@ static void ip6gre_tunnel_uninit(struct net_device *dev)
struct ip6gre_net *ign = net_generic(t->net, ip6gre_net_id);
ip6gre_tunnel_unlink(ign, t);
+ ip6_tnl_dst_reset(t);
dev_put(dev);
}
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 082/102] perf: Fix PERF_EVENT_IOC_PERIOD migration race
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (81 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 081/102] ip6_gre: release cached dst on tunnel removal Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 083/102] net: Fix RCU splat in af_key Kamal Mostafa
` (19 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Peter Zijlstra (Intel),
Vince Weaver, Linus Torvalds, Thomas Gleixner, Ingo Molnar,
Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
commit c7999c6f3fed9e383d3131474588f282ae6d56b9 upstream.
I ran the perf fuzzer, which triggered some WARN()s which are due to
trying to stop/restart an event on the wrong CPU.
Use the normal IPI pattern to ensure we run the code on the correct CPU.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: bad7192b842c ("perf: Fix PERF_EVENT_IOC_PERIOD to force-reset the period")
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
kernel/events/core.c | 75 ++++++++++++++++++++++++++++++++++++++--------------
1 file changed, 55 insertions(+), 20 deletions(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 3262aa5..3527176 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -3729,28 +3729,21 @@ static void perf_event_for_each(struct perf_event *event,
mutex_unlock(&ctx->mutex);
}
-static int perf_event_period(struct perf_event *event, u64 __user *arg)
-{
- struct perf_event_context *ctx = event->ctx;
- int ret = 0, active;
+struct period_event {
+ struct perf_event *event;
u64 value;
+};
- if (!is_sampling_event(event))
- return -EINVAL;
-
- if (copy_from_user(&value, arg, sizeof(value)))
- return -EFAULT;
-
- if (!value)
- return -EINVAL;
+static int __perf_event_period(void *info)
+{
+ struct period_event *pe = info;
+ struct perf_event *event = pe->event;
+ struct perf_event_context *ctx = event->ctx;
+ u64 value = pe->value;
+ bool active;
- raw_spin_lock_irq(&ctx->lock);
+ raw_spin_lock(&ctx->lock);
if (event->attr.freq) {
- if (value > sysctl_perf_event_sample_rate) {
- ret = -EINVAL;
- goto unlock;
- }
-
event->attr.sample_freq = value;
} else {
event->attr.sample_period = value;
@@ -3769,11 +3762,53 @@ static int perf_event_period(struct perf_event *event, u64 __user *arg)
event->pmu->start(event, PERF_EF_RELOAD);
perf_pmu_enable(ctx->pmu);
}
+ raw_spin_unlock(&ctx->lock);
-unlock:
+ return 0;
+}
+
+static int perf_event_period(struct perf_event *event, u64 __user *arg)
+{
+ struct period_event pe = { .event = event, };
+ struct perf_event_context *ctx = event->ctx;
+ struct task_struct *task;
+ u64 value;
+
+ if (!is_sampling_event(event))
+ return -EINVAL;
+
+ if (copy_from_user(&value, arg, sizeof(value)))
+ return -EFAULT;
+
+ if (!value)
+ return -EINVAL;
+
+ if (event->attr.freq && value > sysctl_perf_event_sample_rate)
+ return -EINVAL;
+
+ task = ctx->task;
+ pe.value = value;
+
+ if (!task) {
+ cpu_function_call(event->cpu, __perf_event_period, &pe);
+ return 0;
+ }
+
+retry:
+ if (!task_function_call(task, __perf_event_period, &pe))
+ return 0;
+
+ raw_spin_lock_irq(&ctx->lock);
+ if (ctx->is_active) {
+ raw_spin_unlock_irq(&ctx->lock);
+ task = ctx->task;
+ goto retry;
+ }
+
+ __perf_event_period(&pe);
raw_spin_unlock_irq(&ctx->lock);
- return ret;
+ return 0;
}
static const struct file_operations perf_fops;
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 083/102] net: Fix RCU splat in af_key
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (82 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 082/102] perf: Fix PERF_EVENT_IOC_PERIOD migration race Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 084/102] bna: fix interrupts storm caused by erroneous packets Kamal Mostafa
` (18 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: David Ahern, David S. Miller, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: David Ahern <dsa@cumulusnetworks.com>
commit ba51b6be38c122f7dab40965b4397aaf6188a464 upstream.
Hit the following splat testing VRF change for ipsec:
[ 113.475692] ===============================
[ 113.476194] [ INFO: suspicious RCU usage. ]
[ 113.476667] 4.2.0-rc6-1+deb7u2+clUNRELEASED #3.2.65-1+deb7u2+clUNRELEASED Not tainted
[ 113.477545] -------------------------------
[ 113.478013] /work/monster-14/dsa/kernel.git/include/linux/rcupdate.h:568 Illegal context switch in RCU read-side critical section!
[ 113.479288]
[ 113.479288] other info that might help us debug this:
[ 113.479288]
[ 113.480207]
[ 113.480207] rcu_scheduler_active = 1, debug_locks = 1
[ 113.480931] 2 locks held by setkey/6829:
[ 113.481371] #0: (&net->xfrm.xfrm_cfg_mutex){+.+.+.}, at: [<ffffffff814e9887>] pfkey_sendmsg+0xfb/0x213
[ 113.482509] #1: (rcu_read_lock){......}, at: [<ffffffff814e767f>] rcu_read_lock+0x0/0x6e
[ 113.483509]
[ 113.483509] stack backtrace:
[ 113.484041] CPU: 0 PID: 6829 Comm: setkey Not tainted 4.2.0-rc6-1+deb7u2+clUNRELEASED #3.2.65-1+deb7u2+clUNRELEASED
[ 113.485422] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5.1-0-g8936dbb-20141113_115728-nilsson.home.kraxel.org 04/01/2014
[ 113.486845] 0000000000000001 ffff88001d4c7a98 ffffffff81518af2 ffffffff81086962
[ 113.487732] ffff88001d538480 ffff88001d4c7ac8 ffffffff8107ae75 ffffffff8180a154
[ 113.488628] 0000000000000b30 0000000000000000 00000000000000d0 ffff88001d4c7ad8
[ 113.489525] Call Trace:
[ 113.489813] [<ffffffff81518af2>] dump_stack+0x4c/0x65
[ 113.490389] [<ffffffff81086962>] ? console_unlock+0x3d6/0x405
[ 113.491039] [<ffffffff8107ae75>] lockdep_rcu_suspicious+0xfa/0x103
[ 113.491735] [<ffffffff81064032>] rcu_preempt_sleep_check+0x45/0x47
[ 113.492442] [<ffffffff8106404d>] ___might_sleep+0x19/0x1c8
[ 113.493077] [<ffffffff81064268>] __might_sleep+0x6c/0x82
[ 113.493681] [<ffffffff81133190>] cache_alloc_debugcheck_before.isra.50+0x1d/0x24
[ 113.494508] [<ffffffff81134876>] kmem_cache_alloc+0x31/0x18f
[ 113.495149] [<ffffffff814012b5>] skb_clone+0x64/0x80
[ 113.495712] [<ffffffff814e6f71>] pfkey_broadcast_one+0x3d/0xff
[ 113.496380] [<ffffffff814e7b84>] pfkey_broadcast+0xb5/0x11e
[ 113.497024] [<ffffffff814e82d1>] pfkey_register+0x191/0x1b1
[ 113.497653] [<ffffffff814e9770>] pfkey_process+0x162/0x17e
[ 113.498274] [<ffffffff814e9895>] pfkey_sendmsg+0x109/0x213
In pfkey_sendmsg the net mutex is taken and then pfkey_broadcast takes
the RCU lock.
Since pfkey_broadcast takes the RCU lock the allocation argument is
pointless since GFP_ATOMIC must be used between the rcu_read_{,un}lock.
The one call outside of rcu can be done with GFP_KERNEL.
Fixes: 7f6b9dbd5afbd ("af_key: locking change")
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/key/af_key.c | 46 +++++++++++++++++++++++-----------------------
1 file changed, 23 insertions(+), 23 deletions(-)
diff --git a/net/key/af_key.c b/net/key/af_key.c
index f8ac939..4bfc5e5 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -219,7 +219,7 @@ static int pfkey_broadcast_one(struct sk_buff *skb, struct sk_buff **skb2,
#define BROADCAST_ONE 1
#define BROADCAST_REGISTERED 2
#define BROADCAST_PROMISC_ONLY 4
-static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation,
+static int pfkey_broadcast(struct sk_buff *skb,
int broadcast_flags, struct sock *one_sk,
struct net *net)
{
@@ -244,7 +244,7 @@ static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation,
* socket.
*/
if (pfk->promisc)
- pfkey_broadcast_one(skb, &skb2, allocation, sk);
+ pfkey_broadcast_one(skb, &skb2, GFP_ATOMIC, sk);
/* the exact target will be processed later */
if (sk == one_sk)
@@ -259,7 +259,7 @@ static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation,
continue;
}
- err2 = pfkey_broadcast_one(skb, &skb2, allocation, sk);
+ err2 = pfkey_broadcast_one(skb, &skb2, GFP_ATOMIC, sk);
/* Error is cleare after succecful sending to at least one
* registered KM */
@@ -269,7 +269,7 @@ static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation,
rcu_read_unlock();
if (one_sk != NULL)
- err = pfkey_broadcast_one(skb, &skb2, allocation, one_sk);
+ err = pfkey_broadcast_one(skb, &skb2, GFP_KERNEL, one_sk);
kfree_skb(skb2);
kfree_skb(skb);
@@ -292,7 +292,7 @@ static int pfkey_do_dump(struct pfkey_sock *pfk)
hdr = (struct sadb_msg *) pfk->dump.skb->data;
hdr->sadb_msg_seq = 0;
hdr->sadb_msg_errno = rc;
- pfkey_broadcast(pfk->dump.skb, GFP_ATOMIC, BROADCAST_ONE,
+ pfkey_broadcast(pfk->dump.skb, BROADCAST_ONE,
&pfk->sk, sock_net(&pfk->sk));
pfk->dump.skb = NULL;
}
@@ -333,7 +333,7 @@ static int pfkey_error(const struct sadb_msg *orig, int err, struct sock *sk)
hdr->sadb_msg_len = (sizeof(struct sadb_msg) /
sizeof(uint64_t));
- pfkey_broadcast(skb, GFP_KERNEL, BROADCAST_ONE, sk, sock_net(sk));
+ pfkey_broadcast(skb, BROADCAST_ONE, sk, sock_net(sk));
return 0;
}
@@ -1364,7 +1364,7 @@ static int pfkey_getspi(struct sock *sk, struct sk_buff *skb, const struct sadb_
xfrm_state_put(x);
- pfkey_broadcast(resp_skb, GFP_KERNEL, BROADCAST_ONE, sk, net);
+ pfkey_broadcast(resp_skb, BROADCAST_ONE, sk, net);
return 0;
}
@@ -1451,7 +1451,7 @@ static int key_notify_sa(struct xfrm_state *x, const struct km_event *c)
hdr->sadb_msg_seq = c->seq;
hdr->sadb_msg_pid = c->portid;
- pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, xs_net(x));
+ pfkey_broadcast(skb, BROADCAST_ALL, NULL, xs_net(x));
return 0;
}
@@ -1564,7 +1564,7 @@ static int pfkey_get(struct sock *sk, struct sk_buff *skb, const struct sadb_msg
out_hdr->sadb_msg_reserved = 0;
out_hdr->sadb_msg_seq = hdr->sadb_msg_seq;
out_hdr->sadb_msg_pid = hdr->sadb_msg_pid;
- pfkey_broadcast(out_skb, GFP_ATOMIC, BROADCAST_ONE, sk, sock_net(sk));
+ pfkey_broadcast(out_skb, BROADCAST_ONE, sk, sock_net(sk));
return 0;
}
@@ -1669,7 +1669,7 @@ static int pfkey_register(struct sock *sk, struct sk_buff *skb, const struct sad
return -ENOBUFS;
}
- pfkey_broadcast(supp_skb, GFP_KERNEL, BROADCAST_REGISTERED, sk, sock_net(sk));
+ pfkey_broadcast(supp_skb, BROADCAST_REGISTERED, sk, sock_net(sk));
return 0;
}
@@ -1688,7 +1688,7 @@ static int unicast_flush_resp(struct sock *sk, const struct sadb_msg *ihdr)
hdr->sadb_msg_errno = (uint8_t) 0;
hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
- return pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ONE, sk, sock_net(sk));
+ return pfkey_broadcast(skb, BROADCAST_ONE, sk, sock_net(sk));
}
static int key_notify_sa_flush(const struct km_event *c)
@@ -1709,7 +1709,7 @@ static int key_notify_sa_flush(const struct km_event *c)
hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
hdr->sadb_msg_reserved = 0;
- pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net);
+ pfkey_broadcast(skb, BROADCAST_ALL, NULL, c->net);
return 0;
}
@@ -1766,7 +1766,7 @@ static int dump_sa(struct xfrm_state *x, int count, void *ptr)
out_hdr->sadb_msg_pid = pfk->dump.msg_portid;
if (pfk->dump.skb)
- pfkey_broadcast(pfk->dump.skb, GFP_ATOMIC, BROADCAST_ONE,
+ pfkey_broadcast(pfk->dump.skb, BROADCAST_ONE,
&pfk->sk, sock_net(&pfk->sk));
pfk->dump.skb = out_skb;
@@ -1846,7 +1846,7 @@ static int pfkey_promisc(struct sock *sk, struct sk_buff *skb, const struct sadb
new_hdr->sadb_msg_errno = 0;
}
- pfkey_broadcast(skb, GFP_KERNEL, BROADCAST_ALL, NULL, sock_net(sk));
+ pfkey_broadcast(skb, BROADCAST_ALL, NULL, sock_net(sk));
return 0;
}
@@ -2180,7 +2180,7 @@ static int key_notify_policy(struct xfrm_policy *xp, int dir, const struct km_ev
out_hdr->sadb_msg_errno = 0;
out_hdr->sadb_msg_seq = c->seq;
out_hdr->sadb_msg_pid = c->portid;
- pfkey_broadcast(out_skb, GFP_ATOMIC, BROADCAST_ALL, NULL, xp_net(xp));
+ pfkey_broadcast(out_skb, BROADCAST_ALL, NULL, xp_net(xp));
return 0;
}
@@ -2400,7 +2400,7 @@ static int key_pol_get_resp(struct sock *sk, struct xfrm_policy *xp, const struc
out_hdr->sadb_msg_errno = 0;
out_hdr->sadb_msg_seq = hdr->sadb_msg_seq;
out_hdr->sadb_msg_pid = hdr->sadb_msg_pid;
- pfkey_broadcast(out_skb, GFP_ATOMIC, BROADCAST_ONE, sk, xp_net(xp));
+ pfkey_broadcast(out_skb, BROADCAST_ONE, sk, xp_net(xp));
err = 0;
out:
@@ -2654,7 +2654,7 @@ static int dump_sp(struct xfrm_policy *xp, int dir, int count, void *ptr)
out_hdr->sadb_msg_pid = pfk->dump.msg_portid;
if (pfk->dump.skb)
- pfkey_broadcast(pfk->dump.skb, GFP_ATOMIC, BROADCAST_ONE,
+ pfkey_broadcast(pfk->dump.skb, BROADCAST_ONE,
&pfk->sk, sock_net(&pfk->sk));
pfk->dump.skb = out_skb;
@@ -2707,7 +2707,7 @@ static int key_notify_policy_flush(const struct km_event *c)
hdr->sadb_msg_satype = SADB_SATYPE_UNSPEC;
hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
hdr->sadb_msg_reserved = 0;
- pfkey_broadcast(skb_out, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net);
+ pfkey_broadcast(skb_out, BROADCAST_ALL, NULL, c->net);
return 0;
}
@@ -2769,7 +2769,7 @@ static int pfkey_process(struct sock *sk, struct sk_buff *skb, const struct sadb
void *ext_hdrs[SADB_EXT_MAX];
int err;
- pfkey_broadcast(skb_clone(skb, GFP_KERNEL), GFP_KERNEL,
+ pfkey_broadcast(skb_clone(skb, GFP_KERNEL),
BROADCAST_PROMISC_ONLY, NULL, sock_net(sk));
memset(ext_hdrs, 0, sizeof(ext_hdrs));
@@ -2991,7 +2991,7 @@ static int key_notify_sa_expire(struct xfrm_state *x, const struct km_event *c)
out_hdr->sadb_msg_seq = 0;
out_hdr->sadb_msg_pid = 0;
- pfkey_broadcast(out_skb, GFP_ATOMIC, BROADCAST_REGISTERED, NULL, xs_net(x));
+ pfkey_broadcast(out_skb, BROADCAST_REGISTERED, NULL, xs_net(x));
return 0;
}
@@ -3181,7 +3181,7 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct
xfrm_ctx->ctx_len);
}
- return pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_REGISTERED, NULL, xs_net(x));
+ return pfkey_broadcast(skb, BROADCAST_REGISTERED, NULL, xs_net(x));
}
static struct xfrm_policy *pfkey_compile_policy(struct sock *sk, int opt,
@@ -3379,7 +3379,7 @@ static int pfkey_send_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr,
n_port->sadb_x_nat_t_port_port = sport;
n_port->sadb_x_nat_t_port_reserved = 0;
- return pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_REGISTERED, NULL, xs_net(x));
+ return pfkey_broadcast(skb, BROADCAST_REGISTERED, NULL, xs_net(x));
}
#ifdef CONFIG_NET_KEY_MIGRATE
@@ -3571,7 +3571,7 @@ static int pfkey_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
}
/* broadcast migrate message to sockets */
- pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, &init_net);
+ pfkey_broadcast(skb, BROADCAST_ALL, NULL, &init_net);
return 0;
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 084/102] bna: fix interrupts storm caused by erroneous packets
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (83 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 083/102] net: Fix RCU splat in af_key Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 085/102] net: Fix skb_set_peeked use-after-free bug Kamal Mostafa
` (17 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Ivan Vecera, David S. Miller, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Vecera <ivecera@redhat.com>
commit ade4dc3e616e33c80d7e62855fe1b6f9895bc7c3 upstream.
The commit "e29aa33 bna: Enable Multi Buffer RX" moved packets counter
increment from the beginning of the NAPI processing loop after the check
for erroneous packets so they are never accounted. This counter is used
to inform firmware about number of processed completions (packets).
As these packets are never acked the firmware fires IRQs for them again
and again.
Fixes: e29aa33 ("bna: Enable Multi Buffer RX")
Signed-off-by: Ivan Vecera <ivecera@redhat.com>
Acked-by: Rasesh Mody <rasesh.mody@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/ethernet/brocade/bna/bnad.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/brocade/bna/bnad.c b/drivers/net/ethernet/brocade/bna/bnad.c
index 3237218..a29e5a6 100644
--- a/drivers/net/ethernet/brocade/bna/bnad.c
+++ b/drivers/net/ethernet/brocade/bna/bnad.c
@@ -674,6 +674,7 @@ bnad_cq_process(struct bnad *bnad, struct bna_ccb *ccb, int budget)
if (!next_cmpl->valid)
break;
}
+ packets++;
/* TODO: BNA_CQ_EF_LOCAL ? */
if (unlikely(flags & (BNA_CQ_EF_MAC_ERROR |
@@ -690,7 +691,6 @@ bnad_cq_process(struct bnad *bnad, struct bna_ccb *ccb, int budget)
else
bnad_cq_setup_skb_frags(rcb, skb, sop_ci, nvecs, len);
- packets++;
rcb->rxq->rx_packets++;
rcb->rxq->rx_bytes += totlen;
ccb->bytes_per_intr += totlen;
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 085/102] net: Fix skb_set_peeked use-after-free bug
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (84 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 084/102] bna: fix interrupts storm caused by erroneous packets Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 086/102] rds: fix an integer overflow test in rds_info_getsockopt() Kamal Mostafa
` (16 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Herbert Xu, David S. Miller, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
commit a0a2a6602496a45ae838a96db8b8173794b5d398 upstream.
The commit 738ac1ebb96d02e0d23bc320302a6ea94c612dec ("net: Clone
skb before setting peeked flag") introduced a use-after-free bug
in skb_recv_datagram. This is because skb_set_peeked may create
a new skb and free the existing one. As it stands the caller will
continue to use the old freed skb.
This patch fixes it by making skb_set_peeked return the new skb
(or the old one if unchanged).
Fixes: 738ac1ebb96d ("net: Clone skb before setting peeked flag")
Reported-by: Brenden Blanco <bblanco@plumgrid.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: Brenden Blanco <bblanco@plumgrid.com>
Reviewed-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/core/datagram.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/net/core/datagram.c b/net/core/datagram.c
index 91dbcfa..f5cce20 100644
--- a/net/core/datagram.c
+++ b/net/core/datagram.c
@@ -131,12 +131,12 @@ out_noerr:
goto out;
}
-static int skb_set_peeked(struct sk_buff *skb)
+static struct sk_buff *skb_set_peeked(struct sk_buff *skb)
{
struct sk_buff *nskb;
if (skb->peeked)
- return 0;
+ return skb;
/* We have to unshare an skb before modifying it. */
if (!skb_shared(skb))
@@ -144,7 +144,7 @@ static int skb_set_peeked(struct sk_buff *skb)
nskb = skb_clone(skb, GFP_ATOMIC);
if (!nskb)
- return -ENOMEM;
+ return ERR_PTR(-ENOMEM);
skb->prev->next = nskb;
skb->next->prev = nskb;
@@ -157,7 +157,7 @@ static int skb_set_peeked(struct sk_buff *skb)
done:
skb->peeked = 1;
- return 0;
+ return skb;
}
/**
@@ -229,8 +229,9 @@ struct sk_buff *__skb_recv_datagram(struct sock *sk, unsigned int flags,
continue;
}
- error = skb_set_peeked(skb);
- if (error)
+ skb = skb_set_peeked(skb);
+ error = PTR_ERR(skb);
+ if (IS_ERR(skb))
goto unlock_err;
atomic_inc(&skb->users);
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 086/102] rds: fix an integer overflow test in rds_info_getsockopt()
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (85 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 085/102] net: Fix skb_set_peeked use-after-free bug Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 087/102] fq_codel: explicitly reset flows in ->reset() Kamal Mostafa
` (15 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Dan Carpenter, David S. Miller, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 468b732b6f76b138c0926eadf38ac88467dcd271 upstream.
"len" is a signed integer. We check that len is not negative, so it
goes from zero to INT_MAX. PAGE_SIZE is unsigned long so the comparison
is type promoted to unsigned long. ULONG_MAX - 4095 is a higher than
INT_MAX so the condition can never be true.
I don't know if this is harmful but it seems safe to limit "len" to
INT_MAX - 4095.
Fixes: a8c879a7ee98 ('RDS: Info and stats')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/rds/info.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/rds/info.c b/net/rds/info.c
index 9a6b4f6..140a44a 100644
--- a/net/rds/info.c
+++ b/net/rds/info.c
@@ -176,7 +176,7 @@ int rds_info_getsockopt(struct socket *sock, int optname, char __user *optval,
/* check for all kinds of wrapping and the like */
start = (unsigned long)optval;
- if (len < 0 || len + PAGE_SIZE - 1 < len || start + len < start) {
+ if (len < 0 || len > INT_MAX - PAGE_SIZE + 1 || start + len < start) {
ret = -EINVAL;
goto out;
}
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 087/102] fq_codel: explicitly reset flows in ->reset()
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (86 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 086/102] rds: fix an integer overflow test in rds_info_getsockopt() Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 088/102] bridge: netlink: account for the IFLA_BRPORT_PROXYARP attribute size and policy Kamal Mostafa
` (14 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Alex Gartrell, Jamal Hadi Salim, Eric Dumazet, Cong Wang,
David S. Miller, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <eric.dumazet@gmail.com>
commit 3d0e0af40672a0bf16ca0f0591165535138c1f30 upstream.
Alex reported the following crash when using fq_codel
with htb:
crash> bt
PID: 630839 TASK: ffff8823c990d280 CPU: 14 COMMAND: "tc"
[... snip ...]
#8 [ffff8820ceec17a0] page_fault at ffffffff8160a8c2
[exception RIP: htb_qlen_notify+24]
RIP: ffffffffa0841718 RSP: ffff8820ceec1858 RFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88241747b400
RDX: ffff88241747b408 RSI: 0000000000000000 RDI: ffff8811fb27d000
RBP: ffff8820ceec1868 R8: ffff88120cdeff24 R9: ffff88120cdeff30
R10: 0000000000000bd4 R11: ffffffffa0840919 R12: ffffffffa0843340
R13: 0000000000000000 R14: 0000000000000001 R15: ffff8808dae5c2e8
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
#9 [...] qdisc_tree_decrease_qlen at ffffffff81565375
#10 [...] fq_codel_dequeue at ffffffffa084e0a0 [sch_fq_codel]
#11 [...] fq_codel_reset at ffffffffa084e2f8 [sch_fq_codel]
#12 [...] qdisc_destroy at ffffffff81560d2d
#13 [...] htb_destroy_class at ffffffffa08408f8 [sch_htb]
#14 [...] htb_put at ffffffffa084095c [sch_htb]
#15 [...] tc_ctl_tclass at ffffffff815645a3
#16 [...] rtnetlink_rcv_msg at ffffffff81552cb0
[... snip ...]
As Jamal pointed out, there is actually no need to call dequeue
to purge the queued skb's in reset, data structures can be just
reset explicitly. Therefore, we reset everything except config's
and stats, so that we would have a fresh start after device flipping.
Fixes: 4b549a2ef4be ("fq_codel: Fair Queue Codel AQM")
Reported-by: Alex Gartrell <agartrell@fb.com>
Cc: Alex Gartrell <agartrell@fb.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
[xiyou.wangcong@gmail.com: added codel_vars_init() and qdisc_qstats_backlog_dec()]
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/sched/sch_fq_codel.c | 22 +++++++++++++++++++---
1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c
index b61fd84..398484c 100644
--- a/net/sched/sch_fq_codel.c
+++ b/net/sched/sch_fq_codel.c
@@ -286,10 +286,26 @@ begin:
static void fq_codel_reset(struct Qdisc *sch)
{
- struct sk_buff *skb;
+ struct fq_codel_sched_data *q = qdisc_priv(sch);
+ int i;
- while ((skb = fq_codel_dequeue(sch)) != NULL)
- kfree_skb(skb);
+ INIT_LIST_HEAD(&q->new_flows);
+ INIT_LIST_HEAD(&q->old_flows);
+ for (i = 0; i < q->flows_cnt; i++) {
+ struct fq_codel_flow *flow = q->flows + i;
+
+ while (flow->head) {
+ struct sk_buff *skb = dequeue_head(flow);
+
+ qdisc_qstats_backlog_dec(sch, skb);
+ kfree_skb(skb);
+ }
+
+ INIT_LIST_HEAD(&flow->flowchain);
+ codel_vars_init(&flow->cvars);
+ }
+ memset(q->backlogs, 0, q->flows_cnt * sizeof(u32));
+ sch->q.qlen = 0;
}
static const struct nla_policy fq_codel_policy[TCA_FQ_CODEL_MAX + 1] = {
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 088/102] bridge: netlink: account for the IFLA_BRPORT_PROXYARP attribute size and policy
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (87 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 087/102] fq_codel: explicitly reset flows in ->reset() Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 089/102] batman-adv: fix kernel crash due to missing NULL checks Kamal Mostafa
` (13 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Nikolay Aleksandrov, David S. Miller, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
commit 355b9f9df1f0311f20087350aee8ad96eedca8a9 upstream.
The attribute size wasn't accounted for in the get_slave_size() callback
(br_port_get_slave_size) when it was introduced, so fix it now. Also add
a policy entry for it in br_port_policy.
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Fixes: 958501163ddd ("bridge: Add support for IEEE 802.11 Proxy ARP")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/bridge/br_netlink.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
index 36e56a9..dca5049 100644
--- a/net/bridge/br_netlink.c
+++ b/net/bridge/br_netlink.c
@@ -32,6 +32,7 @@ static inline size_t br_port_info_size(void)
+ nla_total_size(1) /* IFLA_BRPORT_FAST_LEAVE */
+ nla_total_size(1) /* IFLA_BRPORT_LEARNING */
+ nla_total_size(1) /* IFLA_BRPORT_UNICAST_FLOOD */
+ + nla_total_size(1) /* IFLA_BRPORT_PROXYARP */
+ 0;
}
@@ -284,6 +285,7 @@ static const struct nla_policy br_port_policy[IFLA_BRPORT_MAX + 1] = {
[IFLA_BRPORT_FAST_LEAVE]= { .type = NLA_U8 },
[IFLA_BRPORT_LEARNING] = { .type = NLA_U8 },
[IFLA_BRPORT_UNICAST_FLOOD] = { .type = NLA_U8 },
+ [IFLA_BRPORT_PROXYARP] = { .type = NLA_U8 },
};
/* Change the state of the port and notify spanning tree */
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 089/102] batman-adv: fix kernel crash due to missing NULL checks
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (88 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 088/102] bridge: netlink: account for the IFLA_BRPORT_PROXYARP attribute size and policy Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 090/102] fbdev: select versatile helpers for the integrator Kamal Mostafa
` (12 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Marek Lindner, Antonio Quartulli, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Lindner <mareklindner@neomailbox.ch>
commit 354136bcc3c4f40a2813bba8f57ca5267d812d15 upstream.
batadv_softif_vlan_get() may return NULL which has to be verified
by the caller.
Fixes: 35df3b298fc8 ("batman-adv: fix TT VLAN inconsistency on VLAN re-add")
Reported-by: Ryan Thompson <ryan@eero.com>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/batman-adv/soft-interface.c | 3 +++
net/batman-adv/translation-table.c | 18 ++++++++++++++----
2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
index 5467955..8e66b01 100644
--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
@@ -450,6 +450,9 @@ out:
*/
void batadv_softif_vlan_free_ref(struct batadv_softif_vlan *vlan)
{
+ if (!vlan)
+ return;
+
if (atomic_dec_and_test(&vlan->refcount)) {
spin_lock_bh(&vlan->bat_priv->softif_vlan_list_lock);
hlist_del_rcu(&vlan->list);
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index c8c5184..4503069 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -575,6 +575,9 @@ bool batadv_tt_local_add(struct net_device *soft_iface, const uint8_t *addr,
/* increase the refcounter of the related vlan */
vlan = batadv_softif_vlan_get(bat_priv, vid);
+ if (WARN(!vlan, "adding TT local entry %pM to non-existent VLAN %d",
+ addr, BATADV_PRINT_VID(vid)))
+ goto out;
batadv_dbg(BATADV_DBG_TT, bat_priv,
"Creating new local tt entry: %pM (vid: %d, ttvn: %d)\n",
@@ -1056,6 +1059,9 @@ uint16_t batadv_tt_local_remove(struct batadv_priv *bat_priv,
/* decrease the reference held for this vlan */
vlan = batadv_softif_vlan_get(bat_priv, vid);
+ if (!vlan)
+ goto out;
+
batadv_softif_vlan_free_ref(vlan);
batadv_softif_vlan_free_ref(vlan);
@@ -1156,8 +1162,10 @@ static void batadv_tt_local_table_free(struct batadv_priv *bat_priv)
/* decrease the reference held for this vlan */
vlan = batadv_softif_vlan_get(bat_priv,
tt_common_entry->vid);
- batadv_softif_vlan_free_ref(vlan);
- batadv_softif_vlan_free_ref(vlan);
+ if (vlan) {
+ batadv_softif_vlan_free_ref(vlan);
+ batadv_softif_vlan_free_ref(vlan);
+ }
batadv_tt_local_entry_free_ref(tt_local);
}
@@ -3199,8 +3207,10 @@ static void batadv_tt_local_purge_pending_clients(struct batadv_priv *bat_priv)
/* decrease the reference held for this vlan */
vlan = batadv_softif_vlan_get(bat_priv, tt_common->vid);
- batadv_softif_vlan_free_ref(vlan);
- batadv_softif_vlan_free_ref(vlan);
+ if (vlan) {
+ batadv_softif_vlan_free_ref(vlan);
+ batadv_softif_vlan_free_ref(vlan);
+ }
batadv_tt_local_entry_free_ref(tt_local);
}
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 090/102] fbdev: select versatile helpers for the integrator
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (89 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 089/102] batman-adv: fix kernel crash due to missing NULL checks Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 091/102] rocker: free netdevice during netdevice removal Kamal Mostafa
` (11 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Linus Walleij, Tomi Valkeinen, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Linus Walleij <linus.walleij@linaro.org>
commit 2701fa0864ecb9e49d47a4aa1c02f172ab79639a upstream.
Commit 11c32d7b6274cb0f554943d65bd4a126c4a86dcd
"video: move Versatile CLCD helpers" missed the fact
that the Integrator/CP is also using the helper, and
as a result the platform got only stubs and no graphics.
Add this as a default selection to Kconfig so we have
graphics again.
Fixes: 11c32d7b6274 (video: move Versatile CLCD helpers)
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/video/fbdev/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/Kconfig b/drivers/video/fbdev/Kconfig
index 4916c97..dc2406a 100644
--- a/drivers/video/fbdev/Kconfig
+++ b/drivers/video/fbdev/Kconfig
@@ -298,7 +298,7 @@ config FB_ARMCLCD
# Helper logic selected only by the ARM Versatile platform family.
config PLAT_VERSATILE_CLCD
- def_bool ARCH_VERSATILE || ARCH_REALVIEW || ARCH_VEXPRESS
+ def_bool ARCH_VERSATILE || ARCH_REALVIEW || ARCH_VEXPRESS || ARCH_INTEGRATOR
depends on ARM
depends on FB_ARMCLCD && FB=y
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 091/102] rocker: free netdevice during netdevice removal
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (90 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 090/102] fbdev: select versatile helpers for the integrator Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 092/102] udp: fix dst races with multicast early demux Kamal Mostafa
` (10 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Ido Schimmel, Jiri Pirko, David S. Miller, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Ido Schimmel <idosch@mellanox.com>
commit 1ebd47efa4e17391dfac8caa349c6a8d35f996d1 upstream.
When removing a port's netdevice in 'rocker_remove_ports', we should
also free the allocated 'net_device' structure. Do that by calling
'free_netdev' after unregistering it.
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Fixes: 4b8ac9660af ("rocker: introduce rocker switch driver")
Acked-by: Scott Feldman <sfeldma@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/ethernet/rocker/rocker.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/rocker/rocker.c b/drivers/net/ethernet/rocker/rocker.c
index 24c0284..5f8645d 100644
--- a/drivers/net/ethernet/rocker/rocker.c
+++ b/drivers/net/ethernet/rocker/rocker.c
@@ -3960,6 +3960,7 @@ static void rocker_remove_ports(struct rocker *rocker)
rocker_port = rocker->ports[i];
rocker_port_ig_tbl(rocker_port, ROCKER_OP_FLAG_REMOVE);
unregister_netdev(rocker_port->dev);
+ free_netdev(rocker_port->dev);
}
kfree(rocker->ports);
}
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 092/102] udp: fix dst races with multicast early demux
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (91 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 091/102] rocker: free netdevice during netdevice removal Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 093/102] net: phy: add locking to phy_read_mmd_indirect()/phy_write_mmd_indirect() Kamal Mostafa
` (9 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Eric Dumazet, Michal Kubeček, David S. Miller, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit 10e2eb878f3ca07ac2f05fa5ca5e6c4c9174a27a upstream.
Multicast dst are not cached. They carry DST_NOCACHE.
As mentioned in commit f8864972126899 ("ipv4: fix dst race in
sk_dst_get()"), these dst need special care before caching them
into a socket.
Caching them is allowed only if their refcnt was not 0, ie we
must use atomic_inc_not_zero()
Also, we must use READ_ONCE() to fetch sk->sk_rx_dst, as mentioned
in commit d0c294c53a771 ("tcp: prevent fetching dst twice in early demux
code")
Fixes: 421b3885bf6d ("udp: ipv4: Add udp early demux")
Tested-by: Gregory Hoggarth <Gregory.Hoggarth@alliedtelesis.co.nz>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Gregory Hoggarth <Gregory.Hoggarth@alliedtelesis.co.nz>
Reported-by: Alex Gartrell <agartrell@fb.com>
Cc: Michal Kubeček <mkubecek@suse.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/ipv4/udp.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index e0737ac..75f76d7 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -2001,12 +2001,19 @@ void udp_v4_early_demux(struct sk_buff *skb)
skb->sk = sk;
skb->destructor = sock_efree;
- dst = sk->sk_rx_dst;
+ dst = READ_ONCE(sk->sk_rx_dst);
if (dst)
dst = dst_check(dst, 0);
- if (dst)
- skb_dst_set_noref(skb, dst);
+ if (dst) {
+ /* DST_NOCACHE can not be used without taking a reference */
+ if (dst->flags & DST_NOCACHE) {
+ if (likely(atomic_inc_not_zero(&dst->__refcnt)))
+ skb_dst_set(skb, dst);
+ } else {
+ skb_dst_set_noref(skb, dst);
+ }
+ }
}
int udp_rcv(struct sk_buff *skb)
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 093/102] net: phy: add locking to phy_read_mmd_indirect()/phy_write_mmd_indirect()
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (92 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 092/102] udp: fix dst races with multicast early demux Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 094/102] sparc64: Fix userspace FPU register corruptions Kamal Mostafa
` (8 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Russell King, David S. Miller, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Russell King <rmk+kernel@arm.linux.org.uk>
commit 05a7f582be961824d62a7f4a817f3783148b5f8a upstream.
The phy layer is missing locking for the above two functions - it
has been observed that two threads (userspace and the phy worker
thread) can race, entering the bus ->write or ->read functions
simultaneously.
This causes the FEC driver to initialise a completion while another
thread is waiting on it or while the interrupt is calling complete()
on it, which causes spinlock unlock-without-lock, spinlock lockups,
and completion timeouts.
Fixes: a59a4d192 ("phy: add the EEE support and the way to access to the MMD registers.")
Fixes: 0c1d77dfb ("net: libphy: Add phy specific function to access mmd phy registers")
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Acked-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/phy/phy.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/drivers/net/phy/phy.c b/drivers/net/phy/phy.c
index 91d6d03..15a7387 100644
--- a/drivers/net/phy/phy.c
+++ b/drivers/net/phy/phy.c
@@ -993,10 +993,14 @@ int phy_read_mmd_indirect(struct phy_device *phydev, int prtad,
int value = -1;
if (phydrv->read_mmd_indirect == NULL) {
- mmd_phy_indirect(phydev->bus, prtad, devad, addr);
+ struct mii_bus *bus = phydev->bus;
+
+ mutex_lock(&bus->mdio_lock);
+ mmd_phy_indirect(bus, prtad, devad, addr);
/* Read the content of the MMD's selected register */
- value = phydev->bus->read(phydev->bus, addr, MII_MMD_DATA);
+ value = bus->read(bus, addr, MII_MMD_DATA);
+ mutex_unlock(&bus->mdio_lock);
} else {
value = phydrv->read_mmd_indirect(phydev, prtad, devad, addr);
}
@@ -1026,10 +1030,14 @@ void phy_write_mmd_indirect(struct phy_device *phydev, int prtad,
struct phy_driver *phydrv = phydev->drv;
if (phydrv->write_mmd_indirect == NULL) {
- mmd_phy_indirect(phydev->bus, prtad, devad, addr);
+ struct mii_bus *bus = phydev->bus;
+
+ mutex_lock(&bus->mdio_lock);
+ mmd_phy_indirect(bus, prtad, devad, addr);
/* Write the data into MMD's selected register */
- phydev->bus->write(phydev->bus, addr, MII_MMD_DATA, data);
+ bus->write(bus, addr, MII_MMD_DATA, data);
+ mutex_unlock(&bus->mdio_lock);
} else {
phydrv->write_mmd_indirect(phydev, prtad, devad, addr, data);
}
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 094/102] sparc64: Fix userspace FPU register corruptions.
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (93 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 093/102] net: phy: add locking to phy_read_mmd_indirect()/phy_write_mmd_indirect() Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 095/102] rtnetlink: verify IFLA_VF_INFO attributes before passing them to driver Kamal Mostafa
` (7 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: David S. Miller, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: "David S. Miller" <davem@davemloft.net>
[ Upstream commit 44922150d87cef616fd183220d43d8fde4d41390 ]
If we have a series of events from userpsace, with %fprs=FPRS_FEF,
like follows:
ETRAP
ETRAP
VIS_ENTRY(fprs=0x4)
VIS_EXIT
RTRAP (kernel FPU restore with fpu_saved=0x4)
RTRAP
We will not restore the user registers that were clobbered by the FPU
using kernel code in the inner-most trap.
Traps allocate FPU save slots in the thread struct, and FPU using
sequences save the "dirty" FPU registers only.
This works at the initial trap level because all of the registers
get recorded into the top-level FPU save area, and we'll return
to userspace with the FPU disabled so that any FPU use by the user
will take an FPU disabled trap wherein we'll load the registers
back up properly.
But this is not how trap returns from kernel to kernel operate.
The simplest fix for this bug is to always save all FPU register state
for anything other than the top-most FPU save area.
Getting rid of the optimized inner-slot FPU saving code ends up
making VISEntryHalf degenerate into plain VISEntry.
Longer term we need to do something smarter to reinstate the partial
save optimizations. Perhaps the fundament error is having trap entry
and exit allocate FPU save slots and restore register state. Instead,
the VISEntry et al. calls should be doing that work.
This bug is about two decades old.
Reported-by: James Y Knight <jyknight@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
arch/sparc/include/asm/visasm.h | 16 +++-------
arch/sparc/lib/NG4memcpy.S | 5 ++-
arch/sparc/lib/VISsave.S | 67 ++---------------------------------------
arch/sparc/lib/ksyms.c | 4 ---
4 files changed, 11 insertions(+), 81 deletions(-)
diff --git a/arch/sparc/include/asm/visasm.h b/arch/sparc/include/asm/visasm.h
index 1f0aa20..6424249 100644
--- a/arch/sparc/include/asm/visasm.h
+++ b/arch/sparc/include/asm/visasm.h
@@ -28,16 +28,10 @@
* Must preserve %o5 between VISEntryHalf and VISExitHalf */
#define VISEntryHalf \
- rd %fprs, %o5; \
- andcc %o5, FPRS_FEF, %g0; \
- be,pt %icc, 297f; \
- sethi %hi(298f), %g7; \
- sethi %hi(VISenterhalf), %g1; \
- jmpl %g1 + %lo(VISenterhalf), %g0; \
- or %g7, %lo(298f), %g7; \
- clr %o5; \
-297: wr %o5, FPRS_FEF, %fprs; \
-298:
+ VISEntry
+
+#define VISExitHalf \
+ VISExit
#define VISEntryHalfFast(fail_label) \
rd %fprs, %o5; \
@@ -47,7 +41,7 @@
ba,a,pt %xcc, fail_label; \
297: wr %o5, FPRS_FEF, %fprs;
-#define VISExitHalf \
+#define VISExitHalfFast \
wr %o5, 0, %fprs;
#ifndef __ASSEMBLY__
diff --git a/arch/sparc/lib/NG4memcpy.S b/arch/sparc/lib/NG4memcpy.S
index 140527a..83aeeb1 100644
--- a/arch/sparc/lib/NG4memcpy.S
+++ b/arch/sparc/lib/NG4memcpy.S
@@ -240,8 +240,11 @@ FUNC_NAME: /* %o0=dst, %o1=src, %o2=len */
add %o0, 0x40, %o0
bne,pt %icc, 1b
LOAD(prefetch, %g1 + 0x200, #n_reads_strong)
+#ifdef NON_USER_COPY
+ VISExitHalfFast
+#else
VISExitHalf
-
+#endif
brz,pn %o2, .Lexit
cmp %o2, 19
ble,pn %icc, .Lsmall_unaligned
diff --git a/arch/sparc/lib/VISsave.S b/arch/sparc/lib/VISsave.S
index b320ae9..a063d84 100644
--- a/arch/sparc/lib/VISsave.S
+++ b/arch/sparc/lib/VISsave.S
@@ -44,9 +44,8 @@ vis1: ldub [%g6 + TI_FPSAVED], %g3
stx %g3, [%g6 + TI_GSR]
2: add %g6, %g1, %g3
- cmp %o5, FPRS_DU
- be,pn %icc, 6f
- sll %g1, 3, %g1
+ mov FPRS_DU | FPRS_DL | FPRS_FEF, %o5
+ sll %g1, 3, %g1
stb %o5, [%g3 + TI_FPSAVED]
rd %gsr, %g2
add %g6, %g1, %g3
@@ -80,65 +79,3 @@ vis1: ldub [%g6 + TI_FPSAVED], %g3
.align 32
80: jmpl %g7 + %g0, %g0
nop
-
-6: ldub [%g3 + TI_FPSAVED], %o5
- or %o5, FPRS_DU, %o5
- add %g6, TI_FPREGS+0x80, %g2
- stb %o5, [%g3 + TI_FPSAVED]
-
- sll %g1, 5, %g1
- add %g6, TI_FPREGS+0xc0, %g3
- wr %g0, FPRS_FEF, %fprs
- membar #Sync
- stda %f32, [%g2 + %g1] ASI_BLK_P
- stda %f48, [%g3 + %g1] ASI_BLK_P
- membar #Sync
- ba,pt %xcc, 80f
- nop
-
- .align 32
-80: jmpl %g7 + %g0, %g0
- nop
-
- .align 32
-VISenterhalf:
- ldub [%g6 + TI_FPDEPTH], %g1
- brnz,a,pn %g1, 1f
- cmp %g1, 1
- stb %g0, [%g6 + TI_FPSAVED]
- stx %fsr, [%g6 + TI_XFSR]
- clr %o5
- jmpl %g7 + %g0, %g0
- wr %g0, FPRS_FEF, %fprs
-
-1: bne,pn %icc, 2f
- srl %g1, 1, %g1
- ba,pt %xcc, vis1
- sub %g7, 8, %g7
-2: addcc %g6, %g1, %g3
- sll %g1, 3, %g1
- andn %o5, FPRS_DU, %g2
- stb %g2, [%g3 + TI_FPSAVED]
-
- rd %gsr, %g2
- add %g6, %g1, %g3
- stx %g2, [%g3 + TI_GSR]
- add %g6, %g1, %g2
- stx %fsr, [%g2 + TI_XFSR]
- sll %g1, 5, %g1
-3: andcc %o5, FPRS_DL, %g0
- be,pn %icc, 4f
- add %g6, TI_FPREGS, %g2
-
- add %g6, TI_FPREGS+0x40, %g3
- membar #Sync
- stda %f0, [%g2 + %g1] ASI_BLK_P
- stda %f16, [%g3 + %g1] ASI_BLK_P
- membar #Sync
- ba,pt %xcc, 4f
- nop
-
- .align 32
-4: and %o5, FPRS_DU, %o5
- jmpl %g7 + %g0, %g0
- wr %o5, FPRS_FEF, %fprs
diff --git a/arch/sparc/lib/ksyms.c b/arch/sparc/lib/ksyms.c
index 1d649a9..8069ce1 100644
--- a/arch/sparc/lib/ksyms.c
+++ b/arch/sparc/lib/ksyms.c
@@ -135,10 +135,6 @@ EXPORT_SYMBOL(copy_user_page);
void VISenter(void);
EXPORT_SYMBOL(VISenter);
-/* CRYPTO code needs this */
-void VISenterhalf(void);
-EXPORT_SYMBOL(VISenterhalf);
-
extern void xor_vis_2(unsigned long, unsigned long *, unsigned long *);
extern void xor_vis_3(unsigned long, unsigned long *, unsigned long *,
unsigned long *);
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 095/102] rtnetlink: verify IFLA_VF_INFO attributes before passing them to driver
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (94 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 094/102] sparc64: Fix userspace FPU register corruptions Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 096/102] net/tipc: initialize security state for new connection socket Kamal Mostafa
` (6 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Chris Wright, Sucheta Chakraborty, Greg Rose, Jeff Kirsher,
Rony Efraim, Vlad Zolotarov, Nicolas Dichtel, Thomas Graf,
Jason Gunthorpe, Daniel Borkmann, David S. Miller, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Borkmann <daniel@iogearbox.net>
[ Upstream commit 4f7d2cdfdde71ffe962399b7020c674050329423 ]
Jason Gunthorpe reported that since commit c02db8c6290b ("rtnetlink: make
SR-IOV VF interface symmetric"), we don't verify IFLA_VF_INFO attributes
anymore with respect to their policy, that is, ifla_vfinfo_policy[].
Before, they were part of ifla_policy[], but they have been nested since
placed under IFLA_VFINFO_LIST, that contains the attribute IFLA_VF_INFO,
which is another nested attribute for the actual VF attributes such as
IFLA_VF_MAC, IFLA_VF_VLAN, etc.
Despite the policy being split out from ifla_policy[] in this commit,
it's never applied anywhere. nla_for_each_nested() only does basic nla_ok()
testing for struct nlattr, but it doesn't know about the data context and
their requirements.
Fix, on top of Jason's initial work, does 1) parsing of the attributes
with the right policy, and 2) using the resulting parsed attribute table
from 1) instead of the nla_for_each_nested() loop (just like we used to
do when still part of ifla_policy[]).
Reference: http://thread.gmane.org/gmane.linux.network/368913
Fixes: c02db8c6290b ("rtnetlink: make SR-IOV VF interface symmetric")
Reported-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Cc: Chris Wright <chrisw@sous-sol.org>
Cc: Sucheta Chakraborty <sucheta.chakraborty@qlogic.com>
Cc: Greg Rose <gregory.v.rose@intel.com>
Cc: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Cc: Rony Efraim <ronye@mellanox.com>
Cc: Vlad Zolotarov <vladz@cloudius-systems.com>
Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Cc: Thomas Graf <tgraf@suug.ch>
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Vlad Zolotarov <vladz@cloudius-systems.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/core/rtnetlink.c | 166 ++++++++++++++++++++++++++-------------------------
1 file changed, 85 insertions(+), 81 deletions(-)
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index b73d29c..e732b7e 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1232,10 +1232,6 @@ static const struct nla_policy ifla_info_policy[IFLA_INFO_MAX+1] = {
[IFLA_INFO_SLAVE_DATA] = { .type = NLA_NESTED },
};
-static const struct nla_policy ifla_vfinfo_policy[IFLA_VF_INFO_MAX+1] = {
- [IFLA_VF_INFO] = { .type = NLA_NESTED },
-};
-
static const struct nla_policy ifla_vf_policy[IFLA_VF_MAX+1] = {
[IFLA_VF_MAC] = { .len = sizeof(struct ifla_vf_mac) },
[IFLA_VF_VLAN] = { .len = sizeof(struct ifla_vf_vlan) },
@@ -1381,85 +1377,86 @@ static int validate_linkmsg(struct net_device *dev, struct nlattr *tb[])
return 0;
}
-static int do_setvfinfo(struct net_device *dev, struct nlattr *attr)
+static int do_setvfinfo(struct net_device *dev, struct nlattr **tb)
{
- int rem, err = -EINVAL;
- struct nlattr *vf;
const struct net_device_ops *ops = dev->netdev_ops;
+ int err = -EINVAL;
- nla_for_each_nested(vf, attr, rem) {
- switch (nla_type(vf)) {
- case IFLA_VF_MAC: {
- struct ifla_vf_mac *ivm;
- ivm = nla_data(vf);
- err = -EOPNOTSUPP;
- if (ops->ndo_set_vf_mac)
- err = ops->ndo_set_vf_mac(dev, ivm->vf,
- ivm->mac);
- break;
- }
- case IFLA_VF_VLAN: {
- struct ifla_vf_vlan *ivv;
- ivv = nla_data(vf);
- err = -EOPNOTSUPP;
- if (ops->ndo_set_vf_vlan)
- err = ops->ndo_set_vf_vlan(dev, ivv->vf,
- ivv->vlan,
- ivv->qos);
- break;
- }
- case IFLA_VF_TX_RATE: {
- struct ifla_vf_tx_rate *ivt;
- struct ifla_vf_info ivf;
- ivt = nla_data(vf);
- err = -EOPNOTSUPP;
- if (ops->ndo_get_vf_config)
- err = ops->ndo_get_vf_config(dev, ivt->vf,
- &ivf);
- if (err)
- break;
- err = -EOPNOTSUPP;
- if (ops->ndo_set_vf_rate)
- err = ops->ndo_set_vf_rate(dev, ivt->vf,
- ivf.min_tx_rate,
- ivt->rate);
- break;
- }
- case IFLA_VF_RATE: {
- struct ifla_vf_rate *ivt;
- ivt = nla_data(vf);
- err = -EOPNOTSUPP;
- if (ops->ndo_set_vf_rate)
- err = ops->ndo_set_vf_rate(dev, ivt->vf,
- ivt->min_tx_rate,
- ivt->max_tx_rate);
- break;
- }
- case IFLA_VF_SPOOFCHK: {
- struct ifla_vf_spoofchk *ivs;
- ivs = nla_data(vf);
- err = -EOPNOTSUPP;
- if (ops->ndo_set_vf_spoofchk)
- err = ops->ndo_set_vf_spoofchk(dev, ivs->vf,
- ivs->setting);
- break;
- }
- case IFLA_VF_LINK_STATE: {
- struct ifla_vf_link_state *ivl;
- ivl = nla_data(vf);
- err = -EOPNOTSUPP;
- if (ops->ndo_set_vf_link_state)
- err = ops->ndo_set_vf_link_state(dev, ivl->vf,
- ivl->link_state);
- break;
- }
- default:
- err = -EINVAL;
- break;
- }
- if (err)
- break;
+ if (tb[IFLA_VF_MAC]) {
+ struct ifla_vf_mac *ivm = nla_data(tb[IFLA_VF_MAC]);
+
+ err = -EOPNOTSUPP;
+ if (ops->ndo_set_vf_mac)
+ err = ops->ndo_set_vf_mac(dev, ivm->vf,
+ ivm->mac);
+ if (err < 0)
+ return err;
+ }
+
+ if (tb[IFLA_VF_VLAN]) {
+ struct ifla_vf_vlan *ivv = nla_data(tb[IFLA_VF_VLAN]);
+
+ err = -EOPNOTSUPP;
+ if (ops->ndo_set_vf_vlan)
+ err = ops->ndo_set_vf_vlan(dev, ivv->vf, ivv->vlan,
+ ivv->qos);
+ if (err < 0)
+ return err;
+ }
+
+ if (tb[IFLA_VF_TX_RATE]) {
+ struct ifla_vf_tx_rate *ivt = nla_data(tb[IFLA_VF_TX_RATE]);
+ struct ifla_vf_info ivf;
+
+ err = -EOPNOTSUPP;
+ if (ops->ndo_get_vf_config)
+ err = ops->ndo_get_vf_config(dev, ivt->vf, &ivf);
+ if (err < 0)
+ return err;
+
+ err = -EOPNOTSUPP;
+ if (ops->ndo_set_vf_rate)
+ err = ops->ndo_set_vf_rate(dev, ivt->vf,
+ ivf.min_tx_rate,
+ ivt->rate);
+ if (err < 0)
+ return err;
}
+
+ if (tb[IFLA_VF_RATE]) {
+ struct ifla_vf_rate *ivt = nla_data(tb[IFLA_VF_RATE]);
+
+ err = -EOPNOTSUPP;
+ if (ops->ndo_set_vf_rate)
+ err = ops->ndo_set_vf_rate(dev, ivt->vf,
+ ivt->min_tx_rate,
+ ivt->max_tx_rate);
+ if (err < 0)
+ return err;
+ }
+
+ if (tb[IFLA_VF_SPOOFCHK]) {
+ struct ifla_vf_spoofchk *ivs = nla_data(tb[IFLA_VF_SPOOFCHK]);
+
+ err = -EOPNOTSUPP;
+ if (ops->ndo_set_vf_spoofchk)
+ err = ops->ndo_set_vf_spoofchk(dev, ivs->vf,
+ ivs->setting);
+ if (err < 0)
+ return err;
+ }
+
+ if (tb[IFLA_VF_LINK_STATE]) {
+ struct ifla_vf_link_state *ivl = nla_data(tb[IFLA_VF_LINK_STATE]);
+
+ err = -EOPNOTSUPP;
+ if (ops->ndo_set_vf_link_state)
+ err = ops->ndo_set_vf_link_state(dev, ivl->vf,
+ ivl->link_state);
+ if (err < 0)
+ return err;
+ }
+
return err;
}
@@ -1655,14 +1652,21 @@ static int do_setlink(const struct sk_buff *skb,
}
if (tb[IFLA_VFINFO_LIST]) {
+ struct nlattr *vfinfo[IFLA_VF_MAX + 1];
struct nlattr *attr;
int rem;
+
nla_for_each_nested(attr, tb[IFLA_VFINFO_LIST], rem) {
- if (nla_type(attr) != IFLA_VF_INFO) {
+ if (nla_type(attr) != IFLA_VF_INFO ||
+ nla_len(attr) < NLA_HDRLEN) {
err = -EINVAL;
goto errout;
}
- err = do_setvfinfo(dev, attr);
+ err = nla_parse_nested(vfinfo, IFLA_VF_MAX, attr,
+ ifla_vf_policy);
+ if (err < 0)
+ goto errout;
+ err = do_setvfinfo(dev, vfinfo);
if (err < 0)
goto errout;
status |= DO_SETLINK_NOTIFY;
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 096/102] net/tipc: initialize security state for new connection socket
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (95 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 095/102] rtnetlink: verify IFLA_VF_INFO attributes before passing them to driver Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 097/102] net: pktgen: fix race between pktgen_thread_worker() and kthread_stop() Kamal Mostafa
` (5 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Stephen Smalley, David S. Miller, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephen Smalley <sds@tycho.nsa.gov>
[ Upstream commit fdd75ea8df370f206a8163786e7470c1277a5064 ]
Calling connect() with an AF_TIPC socket would trigger a series
of error messages from SELinux along the lines of:
SELinux: Invalid class 0
type=AVC msg=audit(1434126658.487:34500): avc: denied { <unprintable> }
for pid=292 comm="kworker/u16:5" scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=<unprintable>
permissive=0
This was due to a failure to initialize the security state of the new
connection sock by the tipc code, leaving it with junk in the security
class field and an unlabeled secid. Add a call to security_sk_clone()
to inherit the security state from the parent socket.
Reported-by: Tim Shearer <tim.shearer@overturenetworks.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Paul Moore <paul@paul-moore.com>
Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/tipc/socket.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 4731cad..84cf2f8 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -1971,6 +1971,7 @@ static int tipc_accept(struct socket *sock, struct socket *new_sock, int flags)
res = tipc_sk_create(sock_net(sock->sk), new_sock, 0, 1);
if (res)
goto exit;
+ security_sk_clone(sock->sk, new_sock->sk);
new_sk = new_sock->sk;
new_tsock = tipc_sk(new_sk);
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 097/102] net: pktgen: fix race between pktgen_thread_worker() and kthread_stop()
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (96 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 096/102] net/tipc: initialize security state for new connection socket Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 098/102] net: Fix skb csum races when peeking Kamal Mostafa
` (4 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Oleg Nesterov, David S. Miller, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleg Nesterov <oleg@redhat.com>
[ Upstream commit fecdf8be2d91e04b0a9a4f79ff06499a36f5d14f ]
pktgen_thread_worker() is obviously racy, kthread_stop() can come
between the kthread_should_stop() check and set_current_state().
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reported-by: Jan Stancek <jstancek@redhat.com>
Reported-by: Marcelo Leitner <mleitner@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/core/pktgen.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/core/pktgen.c b/net/core/pktgen.c
index de4dc84..0fab2c4 100644
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -3493,8 +3493,10 @@ static int pktgen_thread_worker(void *arg)
pktgen_rem_thread(t);
/* Wait for kthread_stop */
- while (!kthread_should_stop()) {
+ for (;;) {
set_current_state(TASK_INTERRUPTIBLE);
+ if (kthread_should_stop())
+ break;
schedule();
}
__set_current_state(TASK_RUNNING);
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 098/102] net: Fix skb csum races when peeking
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (97 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 097/102] net: pktgen: fix race between pktgen_thread_worker() and kthread_stop() Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 099/102] ipv6: lock socket in ip6_datagram_connect() Kamal Mostafa
` (3 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Herbert Xu, David S. Miller, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
[ Upstream commit 89c22d8c3b278212eef6a8cc66b570bc840a6f5a ]
When we calculate the checksum on the recv path, we store the
result in the skb as an optimisation in case we need the checksum
again down the line.
This is in fact bogus for the MSG_PEEK case as this is done without
any locking. So multiple threads can peek and then store the result
to the same skb, potentially resulting in bogus skb states.
This patch fixes this by only storing the result if the skb is not
shared. This preserves the optimisations for the few cases where
it can be done safely due to locking or other reasons, e.g., SIOCINQ.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/core/datagram.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/net/core/datagram.c b/net/core/datagram.c
index f5cce20..e0a31cc 100644
--- a/net/core/datagram.c
+++ b/net/core/datagram.c
@@ -658,7 +658,8 @@ __sum16 __skb_checksum_complete_head(struct sk_buff *skb, int len)
!skb->csum_complete_sw)
netdev_rx_csum_fault(skb->dev);
}
- skb->csum_valid = !sum;
+ if (!skb_shared(skb))
+ skb->csum_valid = !sum;
return sum;
}
EXPORT_SYMBOL(__skb_checksum_complete_head);
@@ -678,11 +679,13 @@ __sum16 __skb_checksum_complete(struct sk_buff *skb)
netdev_rx_csum_fault(skb->dev);
}
- /* Save full packet checksum */
- skb->csum = csum;
- skb->ip_summed = CHECKSUM_COMPLETE;
- skb->csum_complete_sw = 1;
- skb->csum_valid = !sum;
+ if (!skb_shared(skb)) {
+ /* Save full packet checksum */
+ skb->csum = csum;
+ skb->ip_summed = CHECKSUM_COMPLETE;
+ skb->csum_complete_sw = 1;
+ skb->csum_valid = !sum;
+ }
return sum;
}
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 099/102] ipv6: lock socket in ip6_datagram_connect()
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (98 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 098/102] net: Fix skb csum races when peeking Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 100/102] Revert "sit: Add gro callbacks to sit_offload" Kamal Mostafa
` (2 subsequent siblings)
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Eric Dumazet, David S. Miller, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 03645a11a570d52e70631838cb786eb4253eb463 ]
ip6_datagram_connect() is doing a lot of socket changes without
socket being locked.
This looks wrong, at least for udp_lib_rehash() which could corrupt
lists because of concurrent udp_sk(sk)->udp_portaddr_hash accesses.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
include/net/ip.h | 1 +
net/ipv4/datagram.c | 16 ++++++++++++----
net/ipv6/datagram.c | 20 +++++++++++++++-----
3 files changed, 28 insertions(+), 9 deletions(-)
diff --git a/include/net/ip.h b/include/net/ip.h
index c0c26c3..d00ebdf 100644
--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -160,6 +160,7 @@ static inline __u8 get_rtconn_flags(struct ipcm_cookie* ipc, struct sock* sk)
}
/* datagram.c */
+int __ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len);
int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len);
void ip4_datagram_release_cb(struct sock *sk);
diff --git a/net/ipv4/datagram.c b/net/ipv4/datagram.c
index 90c0e83..574fad9 100644
--- a/net/ipv4/datagram.c
+++ b/net/ipv4/datagram.c
@@ -20,7 +20,7 @@
#include <net/route.h>
#include <net/tcp_states.h>
-int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
+int __ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
{
struct inet_sock *inet = inet_sk(sk);
struct sockaddr_in *usin = (struct sockaddr_in *) uaddr;
@@ -39,8 +39,6 @@ int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
sk_dst_reset(sk);
- lock_sock(sk);
-
oif = sk->sk_bound_dev_if;
saddr = inet->inet_saddr;
if (ipv4_is_multicast(usin->sin_addr.s_addr)) {
@@ -82,9 +80,19 @@ int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
sk_dst_set(sk, &rt->dst);
err = 0;
out:
- release_sock(sk);
return err;
}
+EXPORT_SYMBOL(__ip4_datagram_connect);
+
+int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
+{
+ int res;
+
+ lock_sock(sk);
+ res = __ip4_datagram_connect(sk, uaddr, addr_len);
+ release_sock(sk);
+ return res;
+}
EXPORT_SYMBOL(ip4_datagram_connect);
/* Because UDP xmit path can manipulate sk_dst_cache without holding
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index 49f5e73..31fb5da 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -40,7 +40,7 @@ static bool ipv6_mapped_addr_any(const struct in6_addr *a)
return ipv6_addr_v4mapped(a) && (a->s6_addr32[3] == 0);
}
-int ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
+static int __ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
{
struct sockaddr_in6 *usin = (struct sockaddr_in6 *) uaddr;
struct inet_sock *inet = inet_sk(sk);
@@ -56,7 +56,7 @@ int ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
if (usin->sin6_family == AF_INET) {
if (__ipv6_only_sock(sk))
return -EAFNOSUPPORT;
- err = ip4_datagram_connect(sk, uaddr, addr_len);
+ err = __ip4_datagram_connect(sk, uaddr, addr_len);
goto ipv4_connected;
}
@@ -98,9 +98,9 @@ int ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
sin.sin_addr.s_addr = daddr->s6_addr32[3];
sin.sin_port = usin->sin6_port;
- err = ip4_datagram_connect(sk,
- (struct sockaddr *) &sin,
- sizeof(sin));
+ err = __ip4_datagram_connect(sk,
+ (struct sockaddr *) &sin,
+ sizeof(sin));
ipv4_connected:
if (err)
@@ -204,6 +204,16 @@ out:
fl6_sock_release(flowlabel);
return err;
}
+
+int ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
+{
+ int res;
+
+ lock_sock(sk);
+ res = __ip6_datagram_connect(sk, uaddr, addr_len);
+ release_sock(sk);
+ return res;
+}
EXPORT_SYMBOL_GPL(ip6_datagram_connect);
int ip6_datagram_connect_v6_only(struct sock *sk, struct sockaddr *uaddr,
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 100/102] Revert "sit: Add gro callbacks to sit_offload"
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (99 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 099/102] ipv6: lock socket in ip6_datagram_connect() Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 101/102] bonding: correct the MAC address for "follow" fail_over_mac policy Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 102/102] netlink: don't hold mutex in rcu callback when releasing mmapd ring Kamal Mostafa
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Herbert Xu, David S. Miller, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
[ Upstream commit fdbf5b097bbd9693a86c0b8bfdd071a9a2117cfc ]
This patch reverts 19424e052fb44da2f00d1a868cbb51f3e9f4bbb5 ("sit:
Add gro callbacks to sit_offload") because it generates packets
that cannot be handled even by our own GSO.
Reported-by: Wolfgang Walter <linux@stwm.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/ipv6/ip6_offload.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c
index 46d452a..2f83e33 100644
--- a/net/ipv6/ip6_offload.c
+++ b/net/ipv6/ip6_offload.c
@@ -292,8 +292,6 @@ static struct packet_offload ipv6_packet_offload __read_mostly = {
static const struct net_offload sit_offload = {
.callbacks = {
.gso_segment = ipv6_gso_segment,
- .gro_receive = ipv6_gro_receive,
- .gro_complete = ipv6_gro_complete,
},
};
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 101/102] bonding: correct the MAC address for "follow" fail_over_mac policy
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (100 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 100/102] Revert "sit: Add gro callbacks to sit_offload" Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 102/102] netlink: don't hold mutex in rcu callback when releasing mmapd ring Kamal Mostafa
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Ding Tianhong, David S. Miller, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: dingtianhong <dingtianhong@huawei.com>
[ Upstream commit a951bc1e6ba58f11df5ed5ddc41311e10f5fd20b ]
The "follow" fail_over_mac policy is useful for multiport devices that
either become confused or incur a performance penalty when multiple
ports are programmed with the same MAC address, but the same MAC
address still may happened by this steps for this policy:
1) echo +eth0 > /sys/class/net/bond0/bonding/slaves
bond0 has the same mac address with eth0, it is MAC1.
2) echo +eth1 > /sys/class/net/bond0/bonding/slaves
eth1 is backup, eth1 has MAC2.
3) ifconfig eth0 down
eth1 became active slave, bond will swap MAC for eth0 and eth1,
so eth1 has MAC1, and eth0 has MAC2.
4) ifconfig eth1 down
there is no active slave, and eth1 still has MAC1, eth2 has MAC2.
5) ifconfig eth0 up
the eth0 became active slave again, the bond set eth0 to MAC1.
Something wrong here, then if you set eth1 up, the eth0 and eth1 will have the same
MAC address, it will break this policy for ACTIVE_BACKUP mode.
This patch will fix this problem by finding the old active slave and
swap them MAC address before change active slave.
Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
Tested-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/net/bonding/bond_main.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 58b687c..d3b9436 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -622,6 +622,23 @@ static void bond_set_dev_addr(struct net_device *bond_dev,
call_netdevice_notifiers(NETDEV_CHANGEADDR, bond_dev);
}
+static struct slave *bond_get_old_active(struct bonding *bond,
+ struct slave *new_active)
+{
+ struct slave *slave;
+ struct list_head *iter;
+
+ bond_for_each_slave(bond, slave, iter) {
+ if (slave == new_active)
+ continue;
+
+ if (ether_addr_equal(bond->dev->dev_addr, slave->dev->dev_addr))
+ return slave;
+ }
+
+ return NULL;
+}
+
/* bond_do_fail_over_mac
*
* Perform special MAC address swapping for fail_over_mac settings
@@ -649,6 +666,9 @@ static void bond_do_fail_over_mac(struct bonding *bond,
if (!new_active)
return;
+ if (!old_active)
+ old_active = bond_get_old_active(bond, new_active);
+
if (old_active) {
ether_addr_copy(tmp_mac, new_active->dev->dev_addr);
ether_addr_copy(saddr.sa_data,
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
* [PATCH 3.19.y-ckt 102/102] netlink: don't hold mutex in rcu callback when releasing mmapd ring
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
` (101 preceding siblings ...)
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 101/102] bonding: correct the MAC address for "follow" fail_over_mac policy Kamal Mostafa
@ 2015-09-22 17:52 ` Kamal Mostafa
102 siblings, 0 replies; 104+ messages in thread
From: Kamal Mostafa @ 2015-09-22 17:52 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Florian Westphal, David S. Miller, Kamal Mostafa
3.19.8-ckt7 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 0470eb99b4721586ccac954faac3fa4472da0845 ]
Kirill A. Shutemov says:
This simple test-case trigers few locking asserts in kernel:
int main(int argc, char **argv)
{
unsigned int block_size = 16 * 4096;
struct nl_mmap_req req = {
.nm_block_size = block_size,
.nm_block_nr = 64,
.nm_frame_size = 16384,
.nm_frame_nr = 64 * block_size / 16384,
};
unsigned int ring_size;
int fd;
fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
if (setsockopt(fd, SOL_NETLINK, NETLINK_RX_RING, &req, sizeof(req)) < 0)
exit(1);
if (setsockopt(fd, SOL_NETLINK, NETLINK_TX_RING, &req, sizeof(req)) < 0)
exit(1);
ring_size = req.nm_block_nr * req.nm_block_size;
mmap(NULL, 2 * ring_size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
return 0;
}
+++ exited with 0 +++
BUG: sleeping function called from invalid context at /home/kas/git/public/linux-mm/kernel/locking/mutex.c:616
in_atomic(): 1, irqs_disabled(): 0, pid: 1, name: init
3 locks held by init/1:
#0: (reboot_mutex){+.+...}, at: [<ffffffff81080959>] SyS_reboot+0xa9/0x220
#1: ((reboot_notifier_list).rwsem){.+.+..}, at: [<ffffffff8107f379>] __blocking_notifier_call_chain+0x39/0x70
#2: (rcu_callback){......}, at: [<ffffffff810d32e0>] rcu_do_batch.isra.49+0x160/0x10c0
Preemption disabled at:[<ffffffff8145365f>] __delay+0xf/0x20
CPU: 1 PID: 1 Comm: init Not tainted 4.1.0-00009-gbddf4c4818e0 #253
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Debian-1.8.2-1 04/01/2014
ffff88017b3d8000 ffff88027bc03c38 ffffffff81929ceb 0000000000000102
0000000000000000 ffff88027bc03c68 ffffffff81085a9d 0000000000000002
ffffffff81ca2a20 0000000000000268 0000000000000000 ffff88027bc03c98
Call Trace:
<IRQ> [<ffffffff81929ceb>] dump_stack+0x4f/0x7b
[<ffffffff81085a9d>] ___might_sleep+0x16d/0x270
[<ffffffff81085bed>] __might_sleep+0x4d/0x90
[<ffffffff8192e96f>] mutex_lock_nested+0x2f/0x430
[<ffffffff81932fed>] ? _raw_spin_unlock_irqrestore+0x5d/0x80
[<ffffffff81464143>] ? __this_cpu_preempt_check+0x13/0x20
[<ffffffff8182fc3d>] netlink_set_ring+0x1ed/0x350
[<ffffffff8182e000>] ? netlink_undo_bind+0x70/0x70
[<ffffffff8182fe20>] netlink_sock_destruct+0x80/0x150
[<ffffffff817e484d>] __sk_free+0x1d/0x160
[<ffffffff817e49a9>] sk_free+0x19/0x20
[..]
Cong Wang says:
We can't hold mutex lock in a rcu callback, [..]
Thomas Graf says:
The socket should be dead at this point. It might be simpler to
add a netlink_release_ring() function which doesn't require
locking at all.
Reported-by: "Kirill A. Shutemov" <kirill@shutemov.name>
Diagnosed-by: Cong Wang <cwang@twopensource.com>
Suggested-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
net/netlink/af_netlink.c | 79 ++++++++++++++++++++++++++++--------------------
1 file changed, 47 insertions(+), 32 deletions(-)
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 4b4a2a4..c47affe 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -366,25 +366,52 @@ err1:
return NULL;
}
+
+static void
+__netlink_set_ring(struct sock *sk, struct nl_mmap_req *req, bool tx_ring, void **pg_vec,
+ unsigned int order)
+{
+ struct netlink_sock *nlk = nlk_sk(sk);
+ struct sk_buff_head *queue;
+ struct netlink_ring *ring;
+
+ queue = tx_ring ? &sk->sk_write_queue : &sk->sk_receive_queue;
+ ring = tx_ring ? &nlk->tx_ring : &nlk->rx_ring;
+
+ spin_lock_bh(&queue->lock);
+
+ ring->frame_max = req->nm_frame_nr - 1;
+ ring->head = 0;
+ ring->frame_size = req->nm_frame_size;
+ ring->pg_vec_pages = req->nm_block_size / PAGE_SIZE;
+
+ swap(ring->pg_vec_len, req->nm_block_nr);
+ swap(ring->pg_vec_order, order);
+ swap(ring->pg_vec, pg_vec);
+
+ __skb_queue_purge(queue);
+ spin_unlock_bh(&queue->lock);
+
+ WARN_ON(atomic_read(&nlk->mapped));
+
+ if (pg_vec)
+ free_pg_vec(pg_vec, order, req->nm_block_nr);
+}
+
static int netlink_set_ring(struct sock *sk, struct nl_mmap_req *req,
- bool closing, bool tx_ring)
+ bool tx_ring)
{
struct netlink_sock *nlk = nlk_sk(sk);
struct netlink_ring *ring;
- struct sk_buff_head *queue;
void **pg_vec = NULL;
unsigned int order = 0;
- int err;
ring = tx_ring ? &nlk->tx_ring : &nlk->rx_ring;
- queue = tx_ring ? &sk->sk_write_queue : &sk->sk_receive_queue;
- if (!closing) {
- if (atomic_read(&nlk->mapped))
- return -EBUSY;
- if (atomic_read(&ring->pending))
- return -EBUSY;
- }
+ if (atomic_read(&nlk->mapped))
+ return -EBUSY;
+ if (atomic_read(&ring->pending))
+ return -EBUSY;
if (req->nm_block_nr) {
if (ring->pg_vec != NULL)
@@ -416,31 +443,19 @@ static int netlink_set_ring(struct sock *sk, struct nl_mmap_req *req,
return -EINVAL;
}
- err = -EBUSY;
mutex_lock(&nlk->pg_vec_lock);
- if (closing || atomic_read(&nlk->mapped) == 0) {
- err = 0;
- spin_lock_bh(&queue->lock);
-
- ring->frame_max = req->nm_frame_nr - 1;
- ring->head = 0;
- ring->frame_size = req->nm_frame_size;
- ring->pg_vec_pages = req->nm_block_size / PAGE_SIZE;
-
- swap(ring->pg_vec_len, req->nm_block_nr);
- swap(ring->pg_vec_order, order);
- swap(ring->pg_vec, pg_vec);
-
- __skb_queue_purge(queue);
- spin_unlock_bh(&queue->lock);
-
- WARN_ON(atomic_read(&nlk->mapped));
+ if (atomic_read(&nlk->mapped) == 0) {
+ __netlink_set_ring(sk, req, tx_ring, pg_vec, order);
+ mutex_unlock(&nlk->pg_vec_lock);
+ return 0;
}
+
mutex_unlock(&nlk->pg_vec_lock);
if (pg_vec)
free_pg_vec(pg_vec, order, req->nm_block_nr);
- return err;
+
+ return -EBUSY;
}
static void netlink_mm_open(struct vm_area_struct *vma)
@@ -909,10 +924,10 @@ static void netlink_sock_destruct(struct sock *sk)
memset(&req, 0, sizeof(req));
if (nlk->rx_ring.pg_vec)
- netlink_set_ring(sk, &req, true, false);
+ __netlink_set_ring(sk, &req, false, NULL, 0);
memset(&req, 0, sizeof(req));
if (nlk->tx_ring.pg_vec)
- netlink_set_ring(sk, &req, true, true);
+ __netlink_set_ring(sk, &req, true, NULL, 0);
}
#endif /* CONFIG_NETLINK_MMAP */
@@ -2183,7 +2198,7 @@ static int netlink_setsockopt(struct socket *sock, int level, int optname,
return -EINVAL;
if (copy_from_user(&req, optval, sizeof(req)))
return -EFAULT;
- err = netlink_set_ring(sk, &req, false,
+ err = netlink_set_ring(sk, &req,
optname == NETLINK_TX_RING);
break;
}
--
1.9.1
^ permalink raw reply related [flat|nested] 104+ messages in thread
end of thread, other threads:[~2015-09-22 18:35 UTC | newest]
Thread overview: 104+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-09-22 17:50 [3.19.y-ckt stable] Linux 3.19.8-ckt7 stable review Kamal Mostafa
2015-09-22 17:50 ` [PATCH 3.19.y-ckt 001/102] [3.19-stable only] Revert "dmaengine: pl330: Fix overflow when reporting residue in memcpy" Kamal Mostafa
2015-09-22 17:50 ` [PATCH 3.19.y-ckt 002/102] x86/ldt: Make modify_ldt synchronous Kamal Mostafa
2015-09-22 17:50 ` Kamal Mostafa
2015-09-22 17:50 ` [PATCH 3.19.y-ckt 003/102] x86/ldt: Correct LDT access in single stepping logic Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 004/102] x86/ldt: Correct FPU emulation access to LDT Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 005/102] md: flush ->event_work before stopping array Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 006/102] ipmi/powernv: Fix minor locking bug Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 007/102] ipv6: addrconf: validate new MTU before applying it Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 008/102] virtio-net: drop NETIF_F_FRAGLIST Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 009/102] RDS: verify the underlying transport exists before creating a connection Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 010/102] xen/gntdev: convert priv->lock to a mutex Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 011/102] xen/gntdevt: Fix race condition in gntdev_release() Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 012/102] PCI: Restore PCI_MSIX_FLAGS_BIRMASK definition Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 013/102] USB: qcserial/option: make AT URCs work for Sierra Wireless MC7305/MC7355 Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 014/102] USB: qcserial: Add support for Dell Wireless 5809e 4G Modem Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 015/102] nfsd: Drop BUG_ON and ignore SECLABEL on absent filesystem Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 016/102] usb: chipidea: ehci_init_driver is intended to call one time Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 017/102] crypto: qat - Fix invalid synchronization between register/unregister sym algs Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 018/102] crypto: ixp4xx - Remove bogus BUG_ON on scattered dst buffer Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 019/102] mfd: arizona: Fix initialisation of the PM runtime Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 020/102] xen-blkfront: don't add indirect pages to list when !feature_persistent Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 021/102] xen-blkback: replace work_pending with work_busy in purge_persistent_gnt() Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 022/102] usb: gadget: f_uac2: fix calculation of uac2->p_interval Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 023/102] hwrng: core - correct error check of kthread_run call Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 024/102] USB: sierra: add 1199:68AB device ID Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 025/102] regmap: regcache-rbtree: Clean new present bits on present bitmap resize Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 026/102] target/iscsi: Fix double free of a TUR followed by a solicited NOPOUT Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 027/102] rbd: fix copyup completion race Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 028/102] md/raid1: extend spinlock to protect raid1_end_read_request against inconsistencies Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 029/102] target: REPORT LUNS should return LUN 0 even for dynamic ACLs Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 030/102] MIPS: Fix sched_getaffinity with MT FPAFF enabled Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 031/102] MIPS: Malta: Don't reinitialise RTC Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 032/102] MIPS: do_mcheck: Fix kernel code dump with EVA Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 033/102] MIPS: show_stack: Fix stack trace " Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 034/102] MIPS: Export get_c0_perfcount_int() Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 035/102] rtlwifi: rtl8723be: Add module parameter for MSI interrupts Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 036/102] MIPS: Flush RPS on kernel entry with EVA Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 037/102] usb: udc: core: add device_del() call to error pathway Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 038/102] xhci: fix off by one error in TRB DMA address boundary check Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 039/102] drivers/usb: Delete XHCI command timer if necessary Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 040/102] staging: vt6655: vnt_bss_info_changed check conf->beacon_rate is not NULL Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 041/102] dm: fix dm_merge_bvec regression on 32 bit systems Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 042/102] perf: Fix fasync handling on inherited events Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 043/102] drm/dp-mst: Remove debug WARN_ON Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 044/102] ALSA: fireworks/firewire-lib: add support for recent firmware quirk Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 045/102] mm, vmscan: Do not wait for page writeback for GFP_NOFS allocations Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 046/102] MIPS: Make set_pte() SMP safe Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 047/102] ipc: modify message queue accounting to not take kernel data structures into account Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 048/102] ocfs2: fix BUG in ocfs2_downconvert_thread_do_work() Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 049/102] fsnotify: fix oops in fsnotify_clear_marks_by_group_flags() Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 050/102] KVM: x86: Use adjustment in guest cycles when handling MSR_IA32_TSC_ADJUST Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 051/102] x86/xen: build "Xen PV" APIC driver for domU as well Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 052/102] cpuset: use trialcs->mems_allowed as a temp variable Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 053/102] drm/dp/mst: Remove port after removing connector Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 054/102] localmodconfig: Use Kbuild files too Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 055/102] dm thin metadata: delete btrees when releasing metadata snapshot Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 056/102] dm btree: add ref counting ops for the leaves of top level btrees Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 057/102] drm/radeon: add new OLAND pci id Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 058/102] libiscsi: Fix host busy blocking during connection teardown Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 059/102] libfc: Fix fc_exch_recv_req() error path Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 060/102] libfc: Fix fc_fcp_cleanup_each_cmd() Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 061/102] sd: Fix maximum I/O size for BLOCK_PC requests Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 062/102] EDAC, ppc4xx: Access mci->csrows array elements properly Kamal Mostafa
2015-09-22 17:51 ` [PATCH 3.19.y-ckt 063/102] crypto: caam - fix memory corruption in ahash_final_ctx Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 064/102] drm/vmwgfx: Fix execbuf locking issues Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 065/102] mm/hwpoison: fix page refcount of unknown non LRU page Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 066/102] ipc,sem: fix use after free on IPC_RMID after a task using same semaphore set exits Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 067/102] ipc/sem.c: update/correct memory barriers Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 068/102] MIPS: Fix seccomp syscall argument for MIPS64 Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 069/102] x86/ldt: Further fix FPU emulation Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 070/102] drm/i915: Flag the execlists context object as dirty after every use Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 071/102] fnic: Use the local variable instead of I/O flag to acquire io_req_lock in fnic_queuecommand() to avoid deadloack Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 072/102] SCSI: Fix NULL pointer dereference in runtime PM Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 073/102] ALSA: usb-audio: Fix runtime PM unbalance Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 074/102] x86/xen: make CONFIG_XEN depend on CONFIG_X86_LOCAL_APIC Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 075/102] Input: gpio_keys_polled - request GPIO pin as input Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 076/102] PCI: Don't use 64-bit bus addresses on PA-RISC Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 077/102] ALSA: usb: Add native DSD support for Gustard DAC-X20U Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 078/102] Add factory recertified Crucial M500s to blacklist Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 079/102] arm64: KVM: Fix host crash when injecting a fault into a 32bit guest Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 080/102] batman-adv: protect tt_local_entry from concurrent delete events Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 081/102] ip6_gre: release cached dst on tunnel removal Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 082/102] perf: Fix PERF_EVENT_IOC_PERIOD migration race Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 083/102] net: Fix RCU splat in af_key Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 084/102] bna: fix interrupts storm caused by erroneous packets Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 085/102] net: Fix skb_set_peeked use-after-free bug Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 086/102] rds: fix an integer overflow test in rds_info_getsockopt() Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 087/102] fq_codel: explicitly reset flows in ->reset() Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 088/102] bridge: netlink: account for the IFLA_BRPORT_PROXYARP attribute size and policy Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 089/102] batman-adv: fix kernel crash due to missing NULL checks Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 090/102] fbdev: select versatile helpers for the integrator Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 091/102] rocker: free netdevice during netdevice removal Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 092/102] udp: fix dst races with multicast early demux Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 093/102] net: phy: add locking to phy_read_mmd_indirect()/phy_write_mmd_indirect() Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 094/102] sparc64: Fix userspace FPU register corruptions Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 095/102] rtnetlink: verify IFLA_VF_INFO attributes before passing them to driver Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 096/102] net/tipc: initialize security state for new connection socket Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 097/102] net: pktgen: fix race between pktgen_thread_worker() and kthread_stop() Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 098/102] net: Fix skb csum races when peeking Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 099/102] ipv6: lock socket in ip6_datagram_connect() Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 100/102] Revert "sit: Add gro callbacks to sit_offload" Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 101/102] bonding: correct the MAC address for "follow" fail_over_mac policy Kamal Mostafa
2015-09-22 17:52 ` [PATCH 3.19.y-ckt 102/102] netlink: don't hold mutex in rcu callback when releasing mmapd ring Kamal Mostafa
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.