Each page mapped in a process's address space must be correctly
accounted for in _mapcount. Normally the rules for this are
straightforward but hugetlbfs page table sharing is different. The page
table pages at the PMD level are reference counted while the mapcount
remains the same.
If this accounting is wrong, it causes bugs like this one reported by
Larry Woodman:
kernel BUG at mm/filemap.c:135!
invalid opcode: 0000 [#1] SMP
CPU 22
Modules linked in: bridge stp llc sunrpc binfmt_misc dcdbas microcode pcspkr acpi_pad acpi]
Pid: 18001, comm: mpitest Tainted: G W 3.3.0+ #4 Dell Inc. PowerEdge R620/07NDJ2
RIP: 0010:[<ffffffff8112cfed>] [<ffffffff8112cfed>] __delete_from_page_cache+0x15d/0x170
Process mpitest (pid: 18001, threadinfo ffff880428972000, task ffff880428b5cc20)
Call Trace:
delete_from_page_cache+0x40/0x80
truncate_hugepages+0x115/0x1f0
hugetlbfs_evict_inode+0x18/0x30
evict+0x9f/0x1b0
iput_final+0xe3/0x1e0
iput+0x3e/0x50
d_kill+0xf8/0x110
dput+0xe2/0x1b0
__fput+0x162/0x240
During fork(), copy_hugetlb_page_range() detects if huge_pte_alloc()
shared page tables with the check dst_pte == src_pte. The logic is if
the PMD page is the same, they must be shared. This assumes that the
sharing is between the parent and child. However, if the sharing is
with a different process entirely then this check fails as in this
diagram:
parent
|
------------>pmd
src_pte----------> data page
^
other--------->pmd--------------------|
^
child-----------|
dst_pte
For this situation to occur, it must be possible for Parent and Other to
have faulted and failed to share page tables with each other. This is
possible due to the following style of race.
PROC A PROC B
copy_hugetlb_page_range copy_hugetlb_page_range
src_pte == huge_pte_offset src_pte == huge_pte_offset
!src_pte so no sharing !src_pte so no sharing
(time passes)
hugetlb_fault hugetlb_fault
huge_pte_alloc huge_pte_alloc
huge_pmd_share huge_pmd_share
LOCK(i_mmap_mutex)
find nothing, no sharing
UNLOCK(i_mmap_mutex)
LOCK(i_mmap_mutex)
find nothing, no sharing
UNLOCK(i_mmap_mutex)
pmd_alloc pmd_alloc
LOCK(instantiation_mutex)
fault
UNLOCK(instantiation_mutex)
LOCK(instantiation_mutex)
fault
UNLOCK(instantiation_mutex)
These two processes are not poing to the same data page but are not
sharing page tables because the opportunity was missed. When either
process later forks, the src_pte == dst pte is potentially insufficient.
As the check falls through, the wrong PTE information is copied in
(harmless but wrong) and the mapcount is bumped for a page mapped by a
shared page table leading to the BUG_ON.
This patch addresses the issue by moving pmd_alloc into huge_pmd_share
which guarantees that the shared pud is populated in the same critical
section as pmd. This also means that huge_pte_offset test in
huge_pmd_share is serialized correctly now which in turn means that the
success of the sharing will be higher as the racing tasks see the pud
and pmd populated together.
Race identified and changelog written mostly by Mel Gorman.
{akpm@linux-foundation.org: attempt to make the huge_pmd_share() comment comprehensible, clean up coding style]
Reported-by: Larry Woodman <lwoodman@redhat.com>
Tested-by: Larry Woodman <lwoodman@redhat.com>
Reviewed-by: Mel Gorman <mgorman@suse.de>
Signed-off-by: Michal Hocko <mhocko@suse.cz>
Reviewed-by: Rik van Riel <riel@redhat.com>
Cc: David Gibson <david@gibson.dropbear.id.au>
Cc: Ken Chen <kenchen@google.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Hillf Danton <dhillf@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Delete code which sets SCSI status incorrectly as it's already been set
correctly above this incorrect code. The bug was introduced in 2009 by
commit b0e15f6db1 ("cciss: fix typo that causes scsi status to be
lost.")
Signed-off-by: Stephen M. Cameron <scameron@beardog.cce.hp.com>
Reported-by: Roel van Meer <roel.vanmeer@bokxing.nl>
Tested-by: Roel van Meer <roel.vanmeer@bokxing.nl>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Occasionally an isolated BUG_ON(mm->nr_ptes) gets reported, indicating
that not all the page tables allocated could be found and freed when
exit_mmap() tore down the user address space.
There's usually nothing we can say about it, beyond that it's probably a
sign of some bad memory or memory corruption; though it might still
indicate a bug in vma or page table management (and did recently reveal a
race in THP, fixed a few months ago).
But one overdue change we can make is from BUG_ON to WARN_ON.
It's fairly likely that the system will crash shortly afterwards in some
other way (for example, the BUG_ON(page_mapped(page)) in
__delete_from_page_cache(), once an inode mapped into the lost page tables
gets evicted); but might tell us more before that.
Change the BUG_ON(page_mapped) to WARN_ON too? Later perhaps: I'm less
eager, since that one has several times led to fixes.
Signed-off-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Fixes the following sparse warning:
drivers/gpu/drm/drm_proc.c:92:5:
warning: symbol 'drm_proc_create_files' was not declared. Should it be static?
drivers/gpu/drm/drm_proc.c:175:5:
warning: symbol 'drm_proc_remove_files' was not declared. Should it be static?
Signed-off-by: Sachin Kamat <sachin.kamat@linaro.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
This turns off the crtc when its been disabled,
fixes it not turning off properly the whole time.
Signed-off-by: Dave Airlie <airlied@redhat.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
If you do a page flip with no flags set then event is NULL. If event is
NULL then the vmw_gfx driver likes to go digging into NULL and extracts
NULL->base.file_priv.
On a modern kernel with NULL mapping protection it's just another oops,
without it there are some "intriguing" possibilities.
What it should do is an open question but that for the driver owners to
sort out.
Signed-off-by: Alan Cox <alan@linux.intel.com>
Reviewed-by: Jakob Bornecrantz <jakob@vmware.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
Daniel writes:
" Nothing too major:
- A few fixes around the edid handling from Jani, also fixing a regression
in 3.5 due to us using gmbus by default.
- Fixup hsw uncached pte flags.
- Fix suspend/resume crash when using hw contexts, from Ben.
- Try to tune gpu turbo a bit better, seems to help with some oddball
power regressions."
* 'drm-intel-fixes' of git://people.freedesktop.org/~danvet/drm-intel:
drm/i915: use hsw rps tuning values everywhere on gen6+
drm/i915: fall back to bit-banging if GMBUS fails in CRT EDID reads
drm/i915: extract connector update from intel_ddc_get_modes() for reuse
drm/i915: fix hsw uncached pte
drm/i915/contexts: fix list corruption
drm/i915: fix EDID memory leak in SDVO
Alex writes:
"This is the current set of radeon fixes for 3.6. Nothing too major.
Highlights:
- fix vbios fetch on pure uefi systems
- fix vbios fetch on thunderbolt systems
- MSAA fixes
- lockup timeout fix
- modesetting fix"
* 'drm-fixes-3.6' of git://people.freedesktop.org/~agd5f/linux:
drm/radeon/ss: use num_crtc rather than hardcoded 6
Revert "drm/radeon: fix bo creation retry path"
drm/radeon: split ATRM support out from the ATPX handler (v3)
drm/radeon: convert radeon vfct code to use acpi_get_table_with_size
ACPI: export symbol acpi_get_table_with_size
drm/radeon: implement ACPI VFCT vbios fetch (v3)
drm/radeon/kms: extend the Fujitsu D3003-S2 board connector quirk to cover later silicon stepping
drm/radeon: fix checking of MSAA renderbuffers on r600-r700
drm/radeon: allow CMASK and FMASK in the CS checker on r600-r700
drm/radeon: init lockup timeout on ring init
drm/radeon: avoid turning off spread spectrum for used pll
If "l->stripe_unit" is zero the the mod on the next line will cause a
divide by zero bug. This comes from the copy_from_user() in
ceph_ioctl_set_layout_policy(). Passing 0 is valid, though (it means
"do not change") so avoid the % check in that case.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Sage Weil <sage@inktank.com>
Reviewed-by: Alex Elder <elder@inktank.com>
Because the Ceph client messenger uses a non-blocking connect, it is
possible for the sending of the client banner to race with the
arrival of the banner sent by the peer.
When ceph_sock_state_change() notices the connect has completed, it
schedules work to process the socket via con_work(). During this
time the peer is writing its banner, and arrival of the peer banner
races with con_work().
If con_work() calls try_read() before the peer banner arrives, there
is nothing for it to do, after which con_work() calls try_write() to
send the client's banner. In this case Ceph's protocol negotiation
can complete succesfully.
The server-side messenger immediately sends its banner and addresses
after accepting a connect request, *before* actually attempting to
read or verify the banner from the client. As a result, it is
possible for the banner from the server to arrive before con_work()
calls try_read(). If that happens, try_read() will read the banner
and prepare protocol negotiation info via prepare_write_connect().
prepare_write_connect() calls con_out_kvec_reset(), which discards
the as-yet-unsent client banner. Next, con_work() calls
try_write(), which sends the protocol negotiation info rather than
the banner that the peer is expecting.
The result is that the peer sees an invalid banner, and the client
reports "negotiation failed".
Fix this by moving con_out_kvec_reset() out of
prepare_write_connect() to its callers at all locations except the
one where the banner might still need to be sent.
[elder@inktak.com: added note about server-side behavior]
Signed-off-by: Jim Schutt <jaschut@sandia.gov>
Reviewed-by: Alex Elder <elder@inktank.com>
If the MDS gives us a dentry and we weren't prepared to handle it,
WARN_ON_ONCE instead of crashing.
Reported-by: Yan, Zheng <zheng.z.yan@intel.com>
Signed-off-by: Sage Weil <sage@inktank.com>
Reviewed-by: Alex Elder <elder@inktank.com>
This patch fixes a regresion introduced by commit 0998d063 (device-core: Ensure
drvdata = NULL when no driver is bound).
Suspend oopses in generic_ide_suspend() because dev_get_drvdata()
returns NULL (dev->p->driver_data == NULL) and this function is not
prepared for this.
Fix is based on Alan Stern's suggestion.
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Acked-by: Rafael J. Wysocki <rjw@sisk.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pablo Neira Ayuso discovered that avahi and
potentially NetworkManager accept spoofed Netlink messages because of a
kernel bug. The kernel passes all-zero SCM_CREDENTIALS ancillary data
to the receiver if the sender did not provide such data, instead of not
including any such data at all or including the correct data from the
peer (as it is the case with AF_UNIX).
This bug was introduced in commit 16e5726269
(af_unix: dont send SCM_CREDENTIALS by default)
This patch forces passing credentials for netlink, as
before the regression.
Another fix would be to not add SCM_CREDENTIALS in
netlink messages if not provided by the sender, but it
might break some programs.
With help from Florian Weimer & Petr Matousek
This issue is designated as CVE-2012-3520
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Petr Matousek <pmatouse@redhat.com>
Cc: Florian Weimer <fweimer@redhat.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Christian Casteyde reported a kmemcheck 32-bit read from uninitialized
memory in __ip_select_ident().
It turns out that __ip_make_skb() called ip_select_ident() before
properly initializing iph->daddr.
This is a bug uncovered by commit 1d861aa4b3 (inet: Minimize use of
cached route inetpeer.)
Addresses https://bugzilla.kernel.org/show_bug.cgi?id=46131
Reported-by: Christian Casteyde <casteyde.christian@free.fr>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Since 0e73441992 ("ipv4: Use inet_csk_route_child_sock() in DCCP and
TCP."), inet_csk_route_child_sock() is called instead of
inet_csk_route_req().
However, after creating the child-sock in tcp/dccp_v4_syn_recv_sock(),
ireq->opt is set to NULL, before calling inet_csk_route_child_sock().
Thus, inside inet_csk_route_child_sock() opt is always NULL and the
SRR-options are not respected anymore.
Packets sent by the server won't have the correct destination-IP.
This patch fixes it by accessing newinet->inet_opt instead of ireq->opt
inside inet_csk_route_child_sock().
Reported-by: Luca Boccassi <luca.boccassi@gmail.com>
Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
Signed-off-by: David S. Miller <davem@davemloft.net>
This was originally for helping fabrics to determine overflow/underflow
status, and has been superceeded by SCF_OVERFLOW_BIT + SCF_UNDERFLOW_BIT.
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Pull audit-tree fixes from Miklos Szeredi:
"The audit subsystem maintainers (Al and Eric) are not responding to
repeated resends. Eric did ack them a while ago, but no response
since then. So I'm sending these directly to you."
* 'audit-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs:
audit: clean up refcounting in audit-tree
audit: fix refcounting in audit-tree
audit: don't free_chunk() after fsnotify_add_mark()
Pull m68knommu arch fixes from Greg Ungerer:
"This contains 2 fixes. One fixes compilation of ColdFire clk code,
the other makes sure we use the generic atomic64 support on all m68k
targets."
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu:
m68k: select CONFIG_GENERIC_ATOMIC64 for all m68k CPU types
m68knommu: select CONFIG_HAVE_CLK for ColdFire CPU types
- Fixed Nomadik errorpath
- Fixed documentation spelling errors
- Forward-declare struct device in a header file
- Remove some extraneous code lines when getting pinctrl states
- Correct the i.MX51 configure register number
- Fix the Nomadik keypad function group list
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQIcBAABAgAGBQJQMmrMAAoJEEEQszewGV1zFpEP/0tTUOT60A12qbMMgW7smwRM
jt/AqLxULX9iLawJtBZ3IY5iIoo8ZYpHDAUEIISKZEUnpCKGx3VDKHrHjsPxxfFf
oBZ8PAQIVJYN0jiUkCeGAeKGzqzNGALt8NvBghlJJC6/CDk89Fe8fAjeRUXRCPjo
hVY9hZ73TcqFAtZ80ETk5vDMMa3/OQukdbuVVBQTi+Y0mJ15zeFqNogPQRgX6oC7
VJiIpPSUbcmgE+wWRUxIdf2y4isHZum62EWLjFPsgrK3ms1c2ap6RCr9P7ORXWc7
lBq9uGDWa0ptXlI8drXVit8Pd4b98keEczyuNJFe7sSLYO4/BB8dUvp1jXdyjUWz
kY6aIIvWrG0607rafPyg/5EbPQcX3NLmp3wevL0XEV/mwalu7ZcXaqnUWUVunRMM
l8Y95T2uyoM+J4yPw8mUyPrRbN/THDqk9s53P+hQZEZjlkvGeaT2kRqbANkq/uKz
XNaH2Zzdt1duvM0HO+S4gl+gz/iCpebjeb6gLf1bzd/NRqKlopmWw6L2cGbyTInq
TohQQhYhvm+dib3a3teF4DEeJBRPmheNzdIoAnHQ1tbe6LNQzVSZzE3qEKGk7sSG
Rk5SASW575LNBV+I/g8P4uuV4qMdr6jJikTLYGU4FsTBRNNhFvZtRTUWVTS6gdxt
9KrpXkhZdV1dVElupOX/
=E7f4
-----END PGP SIGNATURE-----
Merge tag 'pinctrl-fixes-v3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
Pull pin control fixes from Linus Walleij:
- Fixed Nomadik errorpath
- Fixed documentation spelling errors
- Forward-declare struct device in a header file
- Remove some extraneous code lines when getting pinctrl states
- Correct the i.MX51 configure register number
- Fix the Nomadik keypad function group list
* tag 'pinctrl-fixes-v3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
pinctrl/nomadik: add kp_b_2 keyboard function group list
pinctrl: imx51: fix .conf_reg of MX51_PAD_SD2_CMD__CSPI_MOSI
trivial: pinctrl core: remove extraneous code lines
pinctrl: header: trivial: declare struct device
Documentation/pinctrl.txt: Fix some misspelled macros
pinctrl/nomadik: fix null in irqdomain errorpath
This update became slightly bigger than usual for rc3, but most of the
commits are small and trivial. A large chunk is found for HD-audio
ca0132 codec, which is mostly a clean up of the specific code, to make
SPDIF working properly, and also in the new ASoC Arizona driver.
One important fix is for usb-audio Oops fix since 3.5. We still see
some EHCI related bandwidth problem, but usb-audio should be more
stabilized now.
Other than that, a Kconfig fix is spread over files, and various
HD-audio and ASoC fixes as usual, in addition to Julia's error path
fixes.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
iQIcBAABAgAGBQJQM0KtAAoJEGwxgFQ9KSmkgvkP/ifTaAQAJcuR15G8wHf4awPn
cy/S7M5I02MRFe2c4IltJiK/y21jSsYLNvq3ISlcVxWrBod4r9ee2/23y/1veI2Z
MhNXjN5vU/gNN/Ll5GTg/8dKaVTOSp3GqKJrEUDWhld42IZFS2OZwF6Qdx/jqoSS
eCDEBQnkGj5mxLGC53ZwWURLCBrj8gIaaLXcm3121+/MAM3y8o7HaU45pJCPMVRR
QdvVCW7FoPQ+S/j4eozElcGuACJTNvJnUhfSk0oAUoiZHfb8UThpexdF4K8l1qNB
9PP3Pc1X2Fu7Ta1HDFenY3eOqNEOUY1Kj3isxEj0QOZugRpHYsp0k4GakAyDd8Ik
2xUQumwzuxLEkkoHOVLM3lwppnD15KKm67OXeykNiI1xqlXNiuyhCL/pZIkxluuQ
dPyG3EP+8yyFIuB709oaGlrMcscPZcxUw2RMeWBGTEUY0ECnrz8pCQRseazcmBP6
LcyVlT3IWsmsogFU1OLGhl7kpmV3KisAJcUPPNNaq7wYEFtRxfUo0w3oXrn8jGe3
sPiUhDm6WULJDsQYa9kss1GzXJVsdkCzoPw9vMTb9x9cXFO5XYigY0Qf6ujtjdQy
WAvOYnuTfa2DAS+YCCFG0rO1H8Fv7SamDKyP4jJpnV7WHbDNOveWjtAC6VMcb9EY
v+ko6dxRohfjUbvgdLiS
=d2Si
-----END PGP SIGNATURE-----
Merge tag 'sound-3.6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"This update became slightly bigger than usual for rc3, but most of the
commits are small and trivial. A large chunk is found for HD-audio
ca0132 codec, which is mostly a clean up of the specific code, to make
SPDIF working properly, and also in the new ASoC Arizona driver.
One important fix is for usb-audio Oops fix since 3.5. We still see
some EHCI related bandwidth problem, but usb-audio should be more
stabilized now.
Other than that, a Kconfig fix is spread over files, and various
HD-audio and ASoC fixes as usual, in addition to Julia's error path
fixes."
* tag 'sound-3.6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (42 commits)
ALSA: snd-als100: fix suspend/resume
ALSA: hda - Fix leftover codec->power_transition
ALSA: hda - don't create dysfunctional mixer controls for ca0132
ALSA: sound/ppc/snd_ps3.c: fix error return code
ALSA: sound/pci/rme9652/hdspm.c: fix error return code
ALSA: sound/pci/sis7019.c: fix error return code
ALSA: sound/pci/ctxfi/ctatc.c: fix error return code
ALSA: sound/atmel/ac97c.c: fix error return code
ALSA: sound/atmel/abdac.c: fix error return code
ALSA: fix pcm.h kernel-doc warning and notation
sound: oss/sb_audio: prevent divide by zero bug
ASoC: wm9712: Fix inverted capture volume
ASoC: wm9712: Fix microphone source selection
ASoC: wm5102: Remove DRC2
ALSA: hda - Don't send invalid volume knob command on IDT 92hd75bxx
ALSA: usb-audio: Fix scheduling-while-atomic bug in PCM capture stream
ALSA: lx6464es: Add a missing error check
ALSA: hda - Fix 'Beep Playback Switch' with no underlying mute switch
ASoC: jack: Always notify full jack status
ASoC: wm5110: Add missing input PGA routes
...
It seems commit 4a9d4b024a ("switch fput to task_work_add") re-
introduced the problem addressed in 944be0b224 ("close_files(): add
scheduling point")
If a server process with a lot of files (say 2 million tcp sockets) is
killed, we can spend a lot of time in task_work_run() and trigger a soft
lockup.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
So we've had a fair few reports of fbcon handover breakage between
efi/vesafb and i915 surface recently, so I dedicated a couple of
days to finding the problem.
Essentially the last thing we saw was the conflicting framebuffer
message and that was all.
So after much tracing with direct netconsole writes (printks
under console_lock not so useful), I think I found the race.
Thread A (driver load) Thread B (timer thread)
unbind_con_driver -> |
bind_con_driver -> |
vc->vc_sw->con_deinit -> |
fbcon_deinit -> |
console_lock() |
| |
| fbcon_flashcursor timer fires
| console_lock() <- blocked for A
|
|
fbcon_del_cursor_timer ->
del_timer_sync
(BOOM)
Of course because all of this is under the console lock,
we never see anything, also since we also just unbound the active
console guess what we never see anything.
Hopefully this fixes the problem for anyone seeing vesafb->kms
driver handoff.
Signed-off-by: David Airlie <airlied@redhat.com>
Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: stable@vger.kernel.org
Tested-by: Josh Boyer <jwboyer@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
. Add missing object files needed to use the python binding, cherry-picked
from perf/core, got a report it affects Linus's too, fix it.
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
iQIcBAABAgAGBQJQM5adAAoJENZQFvNTUqpAsZ0P/0tbtY0F3rMiXq84ok/tzp06
ks3kpGA/8IODyOais3DI1IrmDknCBTYNIY5hhupYZwx8dVtRsKgRcsxVbp4pMGEp
3fGpmuQ/PGM4hcQPiCo+qeLmvtCzpJAnzTQ5bki+70ZzkwE8RkY4y2tI4gyEOagi
MucKuQ8SInUwG05OjrsnGQmA5RlH0u/ENhc61SDRg2tY8dH3fopgKnetqElg+vEh
TUbd/p3/lp/rDDKBHysAB8lXj9nD3RRMaR78wh4ta2qybt2FPnI31VJf8HfDDOEA
ASQXOQ3GR3aXCt93Eoe+oIK3sJjWXx/C80nW/vR/WSSzQl4f9ct6mFjipX7WGPHY
styQr70RErNIQU+Xf+LTuwozzJOHCj1747jku1PRz8f8q/KzlDWCzuivPC00R3L3
gqHE2NhZSQHoSEJXKMVVso/FUvcqrr1bQJ8WiNEAg/DZREiXH3UoH9dyU4qQLy/V
HixAbG8pSDlOaAn+D68aPNdEBOV3s2JPxXyQyhC1e75aLRSkLl7uLW7lIYux+iEK
xNT6TP9eO9KG7sfH/h0YZ9Mijiv5TmXQfFJNXkE7gNR+uCkZXSV5uEiiJhY/VCpt
lQEkel7AgEzYTAA0Jw9aCdnYKCPNdxSVs3wqPe+Rb9NuZF7eYiEcMzPMxEJpWTXS
lbbgjm6Qe1UUM+2i9Okm
=Mghe
-----END PGP SIGNATURE-----
Merge tag 'perf-urgent-for-mingo' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux into perf/urgent
Pull perf/urgent fix from Arnaldo Carvalho de Melo:
* Add missing object files needed to use the python binding, cherry-picked
from perf/core, got a report it affects Linus's tree too, fix it.
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
This reverts commit d1c7871ddb.
ttm_bo_init() destroys the BO on failure. So this patch makes
the retry path work with freed memory. This ends up causing
kernel panics when this path is hit.
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Commit "d51f17e UBIFS: simplify reply code a bit" introduces a bug with the
following symptoms:
UBIFS error (pid 1): replay_log_leb: first CS node at LEB 3:0 has wrong commit number 0 expected 1
The issue is that we start replaying the log from UBIFS_LOG_LNUM instead
of c->lhead_lnum. This patch fixes that.
Reported-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
This patch fixes a regression introduced by
"4994297 UBIFS: make ubifs_lpt_init clean-up in case of failure" which
I've hit while running the 'integck -p' test. When remount the file-system
from R/O mode to R/W mode and 'lpt_init_wr()' fails, we free _all_ LPT
resources by calling 'ubifs_lpt_free(c, 0)', even those needed for R/O
mode. This leads to subsequent crashes, e.g., if we try to unmount
the file-system.
Cc: stable@vger.kernel.org [v3.5+]
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
This patch fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=843640
If mmap_region()->uprobe_mmap() fails, unmap_and_free_vma path
does unmap_region() but does not remove the soon-to-be-freed vma
from rb tree. Actually there are more problems but this is how
William noticed this bug.
Perhaps we could do do_munmap() + return in this case, but in
fact it is simply wrong to abort if uprobe_mmap() fails. Until
at least we move the !UPROBE_COPY_INSN code from
install_breakpoint() to uprobe_register().
For example, uprobe_mmap()->install_breakpoint() can fail if the
probed insn is not supported (remember, uprobe_register()
succeeds if nobody mmaps inode/offset), mmap() should not fail
in this case.
dup_mmap()->uprobe_mmap() is wrong too by the same reason,
fork() can race with uprobe_register() and fail for no reason if
it wins the race and does install_breakpoint() first.
And, if nothing else, both mmap_region() and dup_mmap() return
success if uprobe_mmap() fails. Change them to ignore the error
code from uprobe_mmap().
Reported-and-tested-by: William Cohen <wcohen@redhat.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
Cc: <stable@vger.kernel.org> # v3.5
Cc: Anton Arapov <anton@redhat.com>
Cc: William Cohen <wcohen@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: http://lkml.kernel.org/r/20120819171042.GB26957@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
snd_card_als100_probe() does not set pcm field in struct snd_sb.
As a result, PCM is not suspended and applications don't know that they need
to resume the playback.
Tested with Labway A381-F20 card (ALS120).
Signed-off-by: Ondrej Zary <linux@rainbow-software.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Pull PCI fixes from Bjorn Helgaas:
"Here are two patches from Rafael Wysocki.
One fixes an EHCI-related hibernation crash on ASUS boxes. We fixed a
similar suspend issue in v3.6-rc1, and this applies the same fix to
the hibernate path.
The other fixes D3/D3cold/D4 messages related to the D3cold support we
merged in v3.6-rc1."
(Removed redundant top non-fast-forward merge commit from pulled branch)
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
PCI: EHCI: Fix crash during hibernation on ASUS computers
PCI / PM: Fix D3/D3cold/D4 messages printed by acpi_pci_set_power_state()
The rpc server tries to ensure that there will be room to send a reply
before it receives a request.
It does this by tracking, in xpt_reserved, an upper bound on the total
size of the replies that is has already committed to for the socket.
Currently it is adding in the estimate for a new reply *before* it
checks whether there is space available. If it finds that there is not
space, it then subtracts the estimate back out.
This may lead the subsequent svc_xprt_enqueue to decide that there is
space after all.
The results is a svc_recv() that will repeatedly return -EAGAIN, causing
server threads to loop without doing any actual work.
Cc: stable@vger.kernel.org
Reported-by: Michael Tokarev <mjt@tls.msk.ru>
Tested-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
svc_tcp_sendto sets XPT_CLOSE if we fail to transmit the entire reply.
However, the XPT_CLOSE won't be acted on immediately. Meanwhile other
threads could send further replies before the socket is really shut
down. This can manifest as data corruption: for example, if a truncated
read reply is followed by another rpc reply, that second reply will look
to the client like further read data.
Symptoms were data corruption preceded by svc_tcp_sendto logging
something like
kernel: rpc-srv/tcp: nfsd: sent only 963696 when sending 1048708 bytes - shutting down socket
Cc: stable@vger.kernel.org
Reported-by: Malahal Naineni <malahal@us.ibm.com>
Tested-by: Malahal Naineni <malahal@us.ibm.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Examination of svc_tcp_clear_pages shows that it assumes sk_tcplen is
consistent with sk_pages[] (in particular, sk_pages[n] can't be NULL if
sk_tcplen would lead us to expect n pages of data).
svc_tcp_restore_pages zeroes out sk_pages[] while leaving sk_tcplen.
This is OK, since both functions are serialized by XPT_BUSY. However,
that means the inconsistency must be repaired before dropping XPT_BUSY.
Therefore we should be ensuring that svc_tcp_save_pages repairs the
problem before exiting svc_tcp_recv_record on error.
Symptoms were a BUG() in svc_tcp_clear_pages.
Cc: stable@vger.kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Commit d5497fc693 "nfsd4: move rq_flavor
into svc_cred" forgot to remove cl_flavor from the client, leaving two
places (cl_flavor and cl_cred.cr_flavor) for the flavor to be stored.
After that patch, the latter was the one that was updated, but the
former was the one that the callback used.
Symptoms were a long delay on utime(). This is because the utime()
generated a setattr which recalled a delegation, but the cb_recall was
ignored by the client because it had the wrong security flavor.
Cc: stable@vger.kernel.org
Tested-by: Jamie Heilman <jamie@audible.transient.net>
Reported-by: Jamie Heilman <jamie@audible.transient.net>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Use rcu_dereference_protected in order to prevent lockdep
complaint. Sequel of the patch 863555be
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Denis Efremov <yefremov.denis@gmail.com>
Acked-by: Mark D. Rustad <mark.d.rustad@intel.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Here TRANSPORT_IQN_LEN is 224, which is a multiple of 4.
Since vhost_tpgt is 2 bytes and abi_version is 4, the total size would
be 230. But gcc needs struct size be aligned to first field size, which
is 4 bytes, so it pads the structure by extra 2 bytes to the total of
232.
This padding is very undesirable in an ABI:
- it can not be initialized easily
- it can not be checked easily
- it can leak information between kernel and userspace
Simplest solution is probably just to make the padding
explicit.
(v2: Add check for zero'ed backend->reserved field for VHOST_SCSI_SET_ENDPOINT
and VHOST_SCSI_CLEAR_ENDPOINT ops as requested by MST)
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Here are 10 more USB patches for 3.6-rc3. They all fix reported
problems (build problems for one of them, and easily repeatable oopses
for the others.)
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
iEYEABECAAYFAlAyjj4ACgkQMUfUDdst+yn8gQCgkNpc92Ux5hBYJIX/AQYoBrTB
ktAAoLiXxIhVP+D4C42R1VLw9vGeB1QH
=+8kb
-----END PGP SIGNATURE-----
Merge tag 'usb-3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
Pull more USB patches from Greg Kroah-Hartman:
"Here are 10 more USB patches for 3.6-rc3. They all fix reported
problems (build problems for one of them, and easily repeatable oopses
for the others.)
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>"
* tag 'usb-3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
gpu/mfd/usb: Fix USB randconfig problems
USB: CDC ACM: Fix NULL pointer dereference
USB: emi62: remove __devinit* from the struct usb_device_id table
USB: winbond: remove __devinit* from the struct usb_device_id table
USB: vt6656: remove __devinit* from the struct usb_device_id table
USB: rtl8187: remove __devinit* from the struct usb_device_id table
USB: p54usb: remove __devinit* from the struct usb_device_id table
USB: spca506: remove __devinit* from the struct usb_device_id table
USB: jl2005bcd: remove __devinit* from the struct usb_device_id table
USB: smsusb: remove __devinit* from the struct usb_device_id table
Here is one fix for the dmesg line corruption problem that the previous
set of patches caused.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
iEYEABECAAYFAlAyh14ACgkQMUfUDdst+yn2RQCbBissjdBqDhaX9schGTKyrxPM
UOUAn3o3KZpUzFWSGYXQGaSI7HtcyElz
=GWkA
-----END PGP SIGNATURE-----
Merge tag 'driver-core-3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
Pull one more driver core fix from Greg Kroah-Hartman:
"Here is one fix for the dmesg line corruption problem that the
previous set of patches caused.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>"
* tag 'driver-core-3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
dyndbg: fix for SOH in logging messages
Pull x86 platform driver update from Matthew Garrett:
"Some small updates for a few drivers, and some hardware enablement for
new Ideapads and the gmux hardware in the latest Macs.
This code won't run on older devices and has been well tested on new
ones, so low risk of regressions."
* 'for_linus' of git://cavan.codon.org.uk/platform-drivers-x86:
ideapad: add Lenovo IdeaPad Z570 support (part 3)
ideapad: add Lenovo IdeaPad Z570 support (part 2)
ideapad: add Lenovo IdeaPad Z570 support (part 1)
classmate-laptop: always call input_sync() after input_report_switch()
thinkpad-acpi: recognize latest V-Series using DMI_BIOS_VENDOR
dell-laptop: Fixed typo in touchpad LED quirk
vga_switcheroo: Don't require handler init callback
vga_switcheroo: Remove assumptions about registration/unregistration ordering
apple-gmux: Add display mux support
apple-gmux: Fix kconfig dependencies
asus-wmi: record wlan status while controlled by userapp
apple_gmux: Fix ACPI video unregister
apple_gmux: Add support for newer hardware
gmux: Add generic write32 function
Grant is still away so another pull request with some fairly minor
fixes, the most notable of which are several fixes for some common error
patterns with the reference counting spi_master_get/put do.
-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAABAgAGBQJQLrxzAAoJEFJkBDiqVpZ4xHIP+wQ8wi6X/HkB4I7EA9aET/hO
UzyUTZtK6UQGjpqOBK0S38BMweyC23rbeYCcyWgF7rKI7IEjlul1r4O3iChgmeWR
0ksrDfAIajb+9r1VoN7JQXnqk6miIIFdK2rotLNPnpbNlJTFCmmXD2FK5Zfc/pNA
e3OjFvtMcaOGjTo5xvN3RK3e2IcH3eKHLCeoj33bKqElT6loITHPnOaEWyIe6QCc
ExNCiv+D4apTRZ7nlvrttJrNtoMrL49rMy4rz0Z68nsClf1RZeZlTbVeT9+le3LQ
VhrHUeW8TqYYPBuyMgDyCCBmkVlTZCODBaW2ZtXaC32n72luJuDgq3cZBXhCYuKe
OPibJSY9j1P9CQBlro6Ccb/3pMjfegaLKCKsSHOdaMF730z9CImT78a2hVgMCNjQ
WsUDwsOp8l8iJpgTylD1ijQGhH5h7yfp1TXc8rdeEWsRlI2wovCJtU4G4okvFUID
UQFWShim73f6tDE5dzSYhzigg1ikbaOe5CpO3xk1foyNOx/o3/7U7Da0P5t6yVBa
zwW/zXdl3GWMLGkqL+oHHMDGLGPeALsgIzMwSMVQY6cK3qROL3fJI9ajk31a1zeP
sbWx53G2/AHDOqmvvXbuM/GJ8FOrQx7qJ/A2kLp+Fd+y8j/X15C28qVjQYNCJCXi
x/02RXln1MxLrFKVasvn
=8RgT
-----END PGP SIGNATURE-----
Merge tag 'spi-3.6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/misc
Pull spi fixes from Mark Brown:
"Grant is still away so another pull request with some fairly minor
fixes, the most notable of which are several fixes for some common
error patterns with the reference counting spi_master_get/put do."
* tag 'spi-3.6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/misc:
spi/coldfire-qspi: Drop extra calls to spi_master_get in suspend/resume functions
spi: spi-coldfire-qspi: Drop extra spi_master_put in device remove function
spi/pl022: fix spi-pl022 pm enable at probe
spi/bcm63xx: Ensure that memory is freed only after it is no longer used
spi: omap2-mcspi: Fix the error handling in probe
spi/s3c64xx: Add missing static storage class specifiers
commit 7c5763b845 (drivers:misc: Remove MISC_DEVICES config option) removed
CONFIG_MISC_DEVICES option, so remove the occurrences from the config files
as well.
Signed-off-by: Fabio Estevam <fabio.estevam@freescale.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>