1. 25 Oct, 2012 21 commits
    • Kees Cook's avatar
      fs/compat_ioctl.c: VIDEO_SET_SPU_PALETTE missing error check · 12176503
      Kees Cook authored
      The compat ioctl for VIDEO_SET_SPU_PALETTE was missing an error check
      while converting ioctl arguments.  This could lead to leaking kernel
      stack contents into userspace.
      
      Patch extracted from existing fix in grsecurity.
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Cc: David Miller <davem@davemloft.net>
      Cc: Brad Spengler <spender@grsecurity.net>
      Cc: PaX Team <pageexec@freemail.hu>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      12176503
    • Kees Cook's avatar
      gen_init_cpio: avoid stack overflow when expanding · 20f1de65
      Kees Cook authored
      Fix possible overflow of the buffer used for expanding environment
      variables when building file list.
      
      In the extremely unlikely case of an attacker having control over the
      environment variables visible to gen_init_cpio, control over the
      contents of the file gen_init_cpio parses, and gen_init_cpio was built
      without compiler hardening, the attacker can gain arbitrary execution
      control via a stack buffer overflow.
      
        $ cat usr/crash.list
        file foo ${BIG}${BIG}${BIG}${BIG}${BIG}${BIG} 0755 0 0
        $ BIG=$(perl -e 'print "A" x 4096;') ./usr/gen_init_cpio usr/crash.list
        *** buffer overflow detected ***: ./usr/gen_init_cpio terminated
      
      This also replaces the space-indenting with tabs.
      
      Patch based on existing fix extracted from grsecurity.
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Cc: Michal Marek <mmarek@suse.cz>
      Cc: Brad Spengler <spender@grsecurity.net>
      Cc: PaX Team <pageexec@freemail.hu>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      20f1de65
    • Jan Luebbe's avatar
      drivers/rtc/rtc-imxdi.c: add missing spin lock initialization · fee0de77
      Jan Luebbe authored
      Signed-off-by: default avatarJan Luebbe <jlu@pengutronix.de>
      Cc: Alessandro Zummo <a.zummo@towertech.it>
      Cc: Roland Stigge <stigge@antcom.de>
      Cc: Grant Likely <grant.likely@secretlab.ca>
      Tested-by: default avatarRoland Stigge <stigge@antcom.de>
      Cc: Sascha Hauer <kernel@pengutronix.de>
      Cc: Russell King <linux@arm.linux.org.uk>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      fee0de77
    • David Rientjes's avatar
      mm, numa: avoid setting zone_reclaim_mode unless a node is sufficiently distant · 6b187d02
      David Rientjes authored
      Commit 957f822a ("mm, numa: reclaim from all nodes within reclaim
      distance") caused zone_reclaim_mode to be set for all systems where two
      nodes are within RECLAIM_DISTANCE of each other.  This is the opposite
      of what we actually want: zone_reclaim_mode should be set if two nodes
      are sufficiently distant.
      Signed-off-by: default avatarDavid Rientjes <rientjes@google.com>
      Reported-by: default avatarJulian Wollrath <jwollrath@web.de>
      Tested-by: default avatarJulian Wollrath <jwollrath@web.de>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: Patrik Kullman <patrik.kullman@gmail.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      6b187d02
    • Andrew Vagin's avatar
      pidns: limit the nesting depth of pid namespaces · f2302505
      Andrew Vagin authored
      'struct pid' is a "variable sized struct" - a header with an array of
      upids at the end.
      
      The size of the array depends on a level (depth) of pid namespaces.  Now a
      level of pidns is not limited, so 'struct pid' can be more than one page.
      
      Looks reasonable, that it should be less than a page.  MAX_PIS_NS_LEVEL is
      not calculated from PAGE_SIZE, because in this case it depends on
      architectures, config options and it will be reduced, if someone adds a
      new fields in struct pid or struct upid.
      
      I suggest to set MAX_PIS_NS_LEVEL = 32, because it saves ability to expand
      "struct pid" and it's more than enough for all known for me use-cases.
      When someone finds a reasonable use case, we can add a config option or a
      sysctl parameter.
      
      In addition it will reduce the effect of another problem, when we have
      many nested namespaces and the oldest one starts dying.
      zap_pid_ns_processe will be called for each namespace and find_vpid will
      be called for each process in a namespace.  find_vpid will be called
      minimum max_level^2 / 2 times.  The reason of that is that when we found a
      bit in pidmap, we can't determine this pidns is top for this process or it
      isn't.
      
      vpid is a heavy operation, so a fork bomb, which create many nested
      namespace, can make a system inaccessible for a long time.  For example my
      system becomes inaccessible for a few minutes with 4000 processes.
      
      [akpm@linux-foundation.org: return -EINVAL in response to excessive nesting, not -ENOMEM]
      Signed-off-by: default avatarAndrew Vagin <avagin@openvz.org>
      Acked-by: default avatarOleg Nesterov <oleg@redhat.com>
      Cc: Cyrill Gorcunov <gorcunov@openvz.org>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Cc: Pavel Emelyanov <xemul@parallels.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      f2302505
    • Hein Tibosch's avatar
      drivers/dma/dw_dmac: make driver's endianness configurable · d5ea7b5e
      Hein Tibosch authored
      The dw_dmac driver was originally developed for avr32 to be used with the
      Synopsys DesignWare AHB DMA controller.  Starting from 2.6.38, access to
      the device's i/o memory was done with the little-endian readl/writel
      functions(1)
      
      This broke the driver for the avr32 platform, because it needs big
      (native) endian accessors.  This patch makes the endianness configurable
      using 'DW_DMAC_BIG_ENDIAN_IO', which will default be true for AVR32
      
      I submitted this patch before(2) but then waited for Andy to finish other
      changes to the same module(3).
      
      (1) https://patchwork.kernel.org/patch/608211
      (2) https://lkml.org/lkml/2012/8/26/148
      (3) https://lkml.org/lkml/2012/9/21/173Signed-off-by: default avatarHein Tibosch <hein_tibosch@yahoo.es>
      Acked-by: default avatarArnd Bergmann <arnd@arndb.de>
      Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
      Acked-by: default avatarViresh Kumar <viresh.kumar@linaro.org>
      Cc: Hans-Christian Egtvedt <egtvedt@samfundet.no>
      Cc: Ludovic Desroches <ludovic.desroches@atmel.com>
      Cc: Havard Skinnemoen <havard@skinnemoen.net>
      Cc: Nicolas Ferre <nicolas.ferre@atmel.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      d5ea7b5e
    • Gavin Shan's avatar
      mm/mmu_notifier: allocate mmu_notifier in advance · 35cfa2b0
      Gavin Shan authored
      While allocating mmu_notifier with parameter GFP_KERNEL, swap would start
      to work in case of tight available memory.  Eventually, that would lead to
      a deadlock while the swap deamon swaps anonymous pages.  It was caused by
      commit e0f3c3f7 ("mm/mmu_notifier: init notifier if necessary").
      
        =================================
        [ INFO: inconsistent lock state ]
        3.7.0-rc1+ #518 Not tainted
        ---------------------------------
        inconsistent {RECLAIM_FS-ON-W} -> {IN-RECLAIM_FS-W} usage.
        kswapd0/35 [HC0[0]:SC0[0]:HE1:SE1] takes:
         (&mapping->i_mmap_mutex){+.+.?.}, at: page_referenced+0x9c/0x2e0
        {RECLAIM_FS-ON-W} state was registered at:
           mark_held_locks+0x86/0x150
           lockdep_trace_alloc+0x67/0xc0
           kmem_cache_alloc_trace+0x33/0x230
           do_mmu_notifier_register+0x87/0x180
           mmu_notifier_register+0x13/0x20
           kvm_dev_ioctl+0x428/0x510
           do_vfs_ioctl+0x98/0x570
           sys_ioctl+0x91/0xb0
           system_call_fastpath+0x16/0x1b
        irq event stamp: 825
        hardirqs last  enabled at (825): _raw_spin_unlock_irq+0x30/0x60
        hardirqs last disabled at (824): _raw_spin_lock_irq+0x19/0x80
        softirqs last  enabled at (0): copy_process+0x630/0x17c0
        softirqs last disabled at (0): (null)
        ...
      
      Simply back out the above commit, which was a small performance
      optimization.
      Signed-off-by: default avatarGavin Shan <shangw@linux.vnet.ibm.com>
      Reported-by: default avatarAndrea Righi <andrea@betterlinux.com>
      Tested-by: default avatarAndrea Righi <andrea@betterlinux.com>
      Cc: Wanpeng Li <liwanp@linux.vnet.ibm.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: Avi Kivity <avi@redhat.com>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: Marcelo Tosatti <mtosatti@redhat.com>
      Cc: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
      Cc: Sagi Grimberg <sagig@mellanox.co.il>
      Cc: Haggai Eran <haggaie@mellanox.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      35cfa2b0
    • Daniel Hazelton's avatar
      tools/testing/selftests/epoll/test_epoll.c: fix build · fc314d0a
      Daniel Hazelton authored
      Latest Linus head run of "make selftests" in the tools directory failed
      with references to undefined variables.  Reference was to
      'write_thread_data' which is the name of a struct that is being used, not
      the variable itself.  Change reference so it points to the variable.
      Signed-off-by: default avatarDaniel Hazelton <dshadowwolf@gmail.com>
      Cc: "Paton J. Lewis" <palewis@adobe.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      fc314d0a
    • David Howells's avatar
      UAPI: fix tools/vm/page-types.c · 59ce8764
      David Howells authored
      Fix tools/vm/page-types.c to use the UAPI variant of linux/kernel-page-flags.h
      lest the following error appear:
      
        In file included from page-types.c:38:0:
          ../../include/linux/kernel-page-flags.h:4:42: fatal error:
          uapi/linux/kernel-page-flags.h: No such file or directory
      Reported-by: default avatarDaniel Hazelton <dshadowwolf@gmail.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Reviewed-by: default avatarFengguang Wu <fengguang.wu@intel.com>
      Tested-by: default avatarDaniel Hazelton <dshadowwolf@gmail.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      59ce8764
    • Bob Liu's avatar
      mm/page_alloc.c:alloc_contig_range(): return early for err path · 86a595f9
      Bob Liu authored
      If start_isolate_page_range() failed, unset_migratetype_isolate() has been
      done inside it.
      Signed-off-by: default avatarBob Liu <lliubbo@gmail.com>
      Cc: Ni zhan Chen <nizhan.chen@gmail.com>
      Cc: Marek Szyprowski <m.szyprowski@samsung.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      86a595f9
    • Will Deacon's avatar
      rbtree: include linux/compiler.h for definition of __always_inline · 29fc7c5a
      Will Deacon authored
      rb_erase_augmented() is a static function annotated with
      __always_inline.  This causes a compile failure when attempting to use
      the rbtree implementation as a library (e.g.  kvm tool):
      
        rbtree_augmented.h:125:24: error: expected `=', `,', `;', `asm' or `__attribute__' before `void'
      
      Include linux/compiler.h in rbtree_augmented.h so that the __always_inline
      macro is resolved correctly.
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Cc: Pekka Enberg <penberg@kernel.org>
      Reviewed-by: default avatarMichel Lespinasse <walken@google.com>
      Cc: Ingo Molnar <mingo@elte.hu>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      29fc7c5a
    • Thadeu Lima de Souza Cascardo's avatar
      genalloc: stop crashing the system when destroying a pool · eedce141
      Thadeu Lima de Souza Cascardo authored
      The genalloc code uses the bitmap API from include/linux/bitmap.h and
      lib/bitmap.c, which is based on long values.  Both bitmap_set from
      lib/bitmap.c and bitmap_set_ll, which is the lockless version from
      genalloc.c, use BITMAP_LAST_WORD_MASK to set the first bits in a long in
      the bitmap.
      
      That one uses (1 << bits) - 1, 0b111, if you are setting the first three
      bits.  This means that the API counts from the least significant bits
      (LSB from now on) to the MSB.  The LSB in the first long is bit 0, then.
      The same works for the lookup functions.
      
      The genalloc code uses longs for the bitmap, as it should.  In
      include/linux/genalloc.h, struct gen_pool_chunk has unsigned long
      bits[0] as its last member.  When allocating the struct, genalloc should
      reserve enough space for the bitmap.  This should be a proper number of
      longs that can fit the amount of bits in the bitmap.
      
      However, genalloc allocates an integer number of bytes that fit the
      amount of bits, but may not be an integer amount of longs.  9 bytes, for
      example, could be allocated for 70 bits.
      
      This is a problem in itself if the Least Significat Bit in a long is in
      the byte with the largest address, which happens in Big Endian machines.
      This means genalloc is not allocating the byte in which it will try to
      set or check for a bit.
      
      This may end up in memory corruption, where genalloc will try to set the
      bits it has not allocated.  In fact, genalloc may not set these bits
      because it may find them already set, because they were not zeroed since
      they were not allocated.  And that's what causes a BUG when
      gen_pool_destroy is called and check for any set bits.
      
      What really happens is that genalloc uses kmalloc_node with __GFP_ZERO
      on gen_pool_add_virt.  With SLAB and SLUB, this means the whole slab
      will be cleared, not only the requested bytes.  Since struct
      gen_pool_chunk has a size that is a multiple of 8, and slab sizes are
      multiples of 8, we get lucky and allocate and clear the right amount of
      bytes.
      
      Hower, this is not the case with SLOB or with older code that did memset
      after allocating instead of using __GFP_ZERO.
      
      So, a simple module as this (running 3.6.0), will cause a crash when
      rmmod'ed.
      
        [root@phantom-lp2 foo]# cat foo.c
        #include <linux/kernel.h>
        #include <linux/module.h>
        #include <linux/init.h>
        #include <linux/genalloc.h>
      
        MODULE_LICENSE("GPL");
        MODULE_VERSION("0.1");
      
        static struct gen_pool *foo_pool;
      
        static __init int foo_init(void)
        {
                int ret;
                foo_pool = gen_pool_create(10, -1);
                if (!foo_pool)
                        return -ENOMEM;
                ret = gen_pool_add(foo_pool, 0xa0000000, 32 << 10, -1);
                if (ret) {
                        gen_pool_destroy(foo_pool);
                        return ret;
                }
                return 0;
        }
      
        static __exit void foo_exit(void)
        {
                gen_pool_destroy(foo_pool);
        }
      
        module_init(foo_init);
        module_exit(foo_exit);
        [root@phantom-lp2 foo]# zcat /proc/config.gz | grep SLOB
        CONFIG_SLOB=y
        [root@phantom-lp2 foo]# insmod ./foo.ko
        [root@phantom-lp2 foo]# rmmod foo
        ------------[ cut here ]------------
        kernel BUG at lib/genalloc.c:243!
        cpu 0x4: Vector: 700 (Program Check) at [c0000000bb0e7960]
            pc: c0000000003cb50c: .gen_pool_destroy+0xac/0x110
            lr: c0000000003cb4fc: .gen_pool_destroy+0x9c/0x110
            sp: c0000000bb0e7be0
           msr: 8000000000029032
          current = 0xc0000000bb0e0000
          paca    = 0xc000000006d30e00   softe: 0        irq_happened: 0x01
            pid   = 13044, comm = rmmod
        kernel BUG at lib/genalloc.c:243!
        [c0000000bb0e7ca0] d000000004b00020 .foo_exit+0x20/0x38 [foo]
        [c0000000bb0e7d20] c0000000000dff98 .SyS_delete_module+0x1a8/0x290
        [c0000000bb0e7e30] c0000000000097d4 syscall_exit+0x0/0x94
        --- Exception: c00 (System Call) at 000000800753d1a0
        SP (fffd0b0e640) is in userspace
      Signed-off-by: default avatarThadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
      Cc: Paul Gortmaker <paul.gortmaker@windriver.com>
      Cc: Benjamin Gaignard <benjamin.gaignard@stericsson.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      eedce141
    • Jingoo Han's avatar
      backlight: ili9320: add missing SPI dependency · fd6de530
      Jingoo Han authored
      Add this missing SPI dependency and prevent the driver from building
      without SPI, because functions of the spi driver are used in this
      driver.
      
        drivers/video/backlight/ili9320.c:51: undefined reference to `spi_sync'
      
      Also, a prompt string for CONFIG_LCD_ILI9320 is added for explicit
      selection.
      Signed-off-by: default avatarJingoo Han <jg1.han@samsung.com>
      Cc: Richard Purdie <rpurdie@rpsys.net>
      Cc: Ben Dooks <ben-linux@fluff.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      fd6de530
    • Aristeu Rozanski's avatar
      device_cgroup: add proper checking when changing default behavior · 4cef7299
      Aristeu Rozanski authored
      Before changing a group's default behavior to ALLOW, we must check if
      its parent's behavior is also ALLOW.
      Signed-off-by: default avatarAristeu Rozanski <aris@redhat.com>
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Li Zefan <lizefan@huawei.com>
      Cc: James Morris <jmorris@namei.org>
      Cc: Pavel Emelyanov <xemul@openvz.org>
      Acked-by: default avatarSerge Hallyn <serge.hallyn@canonical.com>
      Cc: Jiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      4cef7299
    • Aristeu Rozanski's avatar
      device_cgroup: stop using simple_strtoul() · 26fd8405
      Aristeu Rozanski authored
      Convert the code to use kstrtou32() instead of simple_strtoul() which is
      deprecated.  The real size of the variables are u32, so use kstrtou32
      instead of kstrtoul
      Signed-off-by: default avatarAristeu Rozanski <aris@redhat.com>
      Cc: Dave Jones <davej@redhat.com>
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Li Zefan <lizefan@huawei.com>
      Cc: James Morris <jmorris@namei.org>
      Cc: Pavel Emelyanov <xemul@openvz.org>
      Acked-by: default avatarSerge Hallyn <serge.hallyn@canonical.com>
      Cc: Jiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      26fd8405
    • Aristeu Rozanski's avatar
      device_cgroup: rename deny_all to behavior · 5b7aa7d5
      Aristeu Rozanski authored
      This was done in a v2 patch but v1 ended up being committed.  The
      variable name is less confusing and stores the default behavior when no
      matching exception exists.
      Signed-off-by: default avatarAristeu Rozanski <aris@redhat.com>
      Cc: Dave Jones <davej@redhat.com>
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Li Zefan <lizefan@huawei.com>
      Cc: James Morris <jmorris@namei.org>
      Cc: Pavel Emelyanov <xemul@openvz.org>
      Acked-by: default avatarSerge Hallyn <serge.hallyn@canonical.com>
      Cc: Jiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      5b7aa7d5
    • Jiri Slaby's avatar
      cgroup: fix invalid rcu dereference · 8c9506d1
      Jiri Slaby authored
      Commit ad676077 ("device_cgroup: convert device_cgroup internally to
      policy + exceptions") removed rcu locks which are needed in
      task_devcgroup called in this chain:
      
        devcgroup_inode_mknod OR __devcgroup_inode_permission ->
          __devcgroup_inode_permission ->
            task_devcgroup ->
              task_subsys_state ->
                task_subsys_state_check.
      
      Change the code so that task_devcgroup is safely called with rcu read
      lock held.
      
        ===============================
        [ INFO: suspicious RCU usage. ]
        3.6.0-rc5-next-20120913+ #42 Not tainted
        -------------------------------
        include/linux/cgroup.h:553 suspicious rcu_dereference_check() usage!
      
        other info that might help us debug this:
      
        rcu_scheduler_active = 1, debug_locks = 0
        2 locks held by kdevtmpfs/23:
         #0:  (sb_writers){.+.+.+}, at: [<ffffffff8116873f>]
        mnt_want_write+0x1f/0x50
         #1:  (&sb->s_type->i_mutex_key#3/1){+.+.+.}, at: [<ffffffff811558af>]
        kern_path_create+0x7f/0x170
      
        stack backtrace:
        Pid: 23, comm: kdevtmpfs Not tainted 3.6.0-rc5-next-20120913+ #42
        Call Trace:
          lockdep_rcu_suspicious+0xfd/0x130
          devcgroup_inode_mknod+0x19d/0x240
          vfs_mknod+0x71/0xf0
          handle_create.isra.2+0x72/0x200
          devtmpfsd+0x114/0x140
          ? handle_create.isra.2+0x200/0x200
          kthread+0xd6/0xe0
          kernel_thread_helper+0x4/0x10
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Cc: Dave Jones <davej@redhat.com>
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Li Zefan <lizefan@huawei.com>
      Cc: James Morris <jmorris@namei.org>
      Cc: Pavel Emelyanov <xemul@openvz.org>
      Acked-by: default avatarSerge Hallyn <serge.hallyn@canonical.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      8c9506d1
    • Jan Kara's avatar
      mm: fix XFS oops due to dirty pages without buffers on s390 · ef5d437f
      Jan Kara authored
      On s390 any write to a page (even from kernel itself) sets architecture
      specific page dirty bit.  Thus when a page is written to via buffered
      write, HW dirty bit gets set and when we later map and unmap the page,
      page_remove_rmap() finds the dirty bit and calls set_page_dirty().
      
      Dirtying of a page which shouldn't be dirty can cause all sorts of
      problems to filesystems.  The bug we observed in practice is that
      buffers from the page get freed, so when the page gets later marked as
      dirty and writeback writes it, XFS crashes due to an assertion
      BUG_ON(!PagePrivate(page)) in page_buffers() called from
      xfs_count_page_state().
      
      Similar problem can also happen when zero_user_segment() call from
      xfs_vm_writepage() (or block_write_full_page() for that matter) set the
      hardware dirty bit during writeback, later buffers get freed, and then
      page unmapped.
      
      Fix the issue by ignoring s390 HW dirty bit for page cache pages of
      mappings with mapping_cap_account_dirty().  This is safe because for
      such mappings when a page gets marked as writeable in PTE it is also
      marked dirty in do_wp_page() or do_page_fault().  When the dirty bit is
      cleared by clear_page_dirty_for_io(), the page gets writeprotected in
      page_mkclean().  So pagecache page is writeable if and only if it is
      dirty.
      
      Thanks to Hugh Dickins for pointing out mapping has to have
      mapping_cap_account_dirty() for things to work and proposing a cleaned
      up variant of the patch.
      
      The patch has survived about two hours of running fsx-linux on tmpfs
      while heavily swapping and several days of running on out build machines
      where the original problem was triggered.
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Cc: Mel Gorman <mgorman@suse.de>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: <stable@vger.kernel.org>		[3.0+]
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      ef5d437f
    • Linus Torvalds's avatar
      Merge tag 'spi-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/misc · 4864ccbb
      Linus Torvalds authored
      Pull spi fixes from Mark Brown:
       "A bunch of fixes here, mostly minor except for the pl022 which has
        just been a bit of a shambles all round, the recent runtime PM changes
        have as far as I can tell never worked so they're just getting thrown
        out."
      
      * tag 'spi-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/misc:
        spi/pl022: Revert recent runtime PM changes
        spi: tsc2005: delete soon-obsolete e-mail address
        spi: spi-rspi: fix build error for the latest shdma driver
      4864ccbb
    • Linus Torvalds's avatar
      Merge tag 'iommu-fixes-v3.7-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · 735f0a98
      Linus Torvalds authored
      Pull IOMMU fixes from Joerg Roedel:
       "Two fixes this time:
      
         1. Another fix for a broken BIOS to detect when AMD IOMMU interrupt
            remapping can not work reliably
         2. Typo fix for NVidia IOMMU driver"
      
      * tag 'iommu-fixes-v3.7-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
        iommu/tegra: smmu: Fix deadly typo
        iommu/amd: Work around wrong IOAPIC device-id in IVRS table
      735f0a98
    • Linus Torvalds's avatar
      Merge tag 'pinctrl-v3.7-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · 99103f77
      Linus Torvalds authored
      Pull pinctrl fixes from Linus Walleij:
       "This fixes a few pinctrl problems seen since v3.7-rc1:
         - Section tagging for init code
         - Use proper pointers to lookup struct device * in the bcm2835
           (a.k.a.  Raspberry Pi)
         - Remove duplicate #includes
         - Fix bad return values in errorpath
         - Remove extraneous pull function from the sirf driver causing build
           errors
         - Provide compilation stubs for the Nomadik pinctrl driver when used
           with legacy systems without PRCMU units
         - Various irqdomain fixes in the Nomadik driver as predicted
         - Various smallish bugs in the Tegra driver, most also targeted for
           stable
         - Removed a deadlocking mutex in the groups debugfs show function"
      
      * tag 'pinctrl-v3.7-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl/nomadik: pass DT node to the irqdomain
        pinctrl/nomadik: use zero as default irq_start
        pinctrl: fix missing unlock on error in pinctrl_groups_show()
        pinctrl/nomadik: use irq_create_mapping()
        pinctrl: remove mutex lock in groups show
        pinctrl: tegra: correct bank for pingroup and drv pingroup
        pinctrl: tegra: set low power mode bank width to 2
        dt: Document: correct tegra20/30 pinctrl slew-rate name
      99103f77
  2. 24 Oct, 2012 16 commits
  3. 23 Oct, 2012 3 commits