1. 10 Aug, 2015 36 commits
    • Haggai Eran's avatar
      dma-debug: skip debug_dma_assert_idle() when disabled · 39a0ac96
      Haggai Eran authored
      commit c9d120b0 upstream.
      
      If dma-debug is disabled due to a memory error, DMA unmaps do not affect
      the dma_active_cacheline radix tree anymore, and debug_dma_assert_idle()
      can print false warnings.
      
      Disable debug_dma_assert_idle() when dma_debug_disabled() is true.
      Signed-off-by: default avatarHaggai Eran <haggaie@mellanox.com>
      Fixes: 0abdd7a8 ("dma-debug: introduce debug_dma_assert_idle()")
      Cc: Dan Williams <dan.j.williams@intel.com>
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: Vinod Koul <vinod.koul@intel.com>
      Cc: Russell King <rmk+kernel@arm.linux.org.uk>
      Cc: James Bottomley <JBottomley@Parallels.com>
      Cc: Florian Fainelli <f.fainelli@gmail.com>
      Cc: Sebastian Ott <sebott@linux.vnet.ibm.com>
      Cc: Jiri Kosina <jkosina@suse.cz>
      Cc: Horia Geanta <horia.geanta@freescale.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      39a0ac96
    • Mike Snitzer's avatar
      bio integrity: do not assume bio_integrity_pool exists if bioset exists · 62a3fb23
      Mike Snitzer authored
      commit bb8bd38b upstream.
      
      bio_integrity_alloc() and bio_integrity_free() assume that if a bio was
      allocated from a bioset that that bioset also had its bio_integrity_pool
      allocated using bioset_integrity_create().  This is a very bad
      assumption given that bioset_create() and bioset_integrity_create() are
      completely disjoint.  Not all callers of bioset_create() have been
      trained to also call bioset_integrity_create() -- and they may not care
      to be.
      
      Fix this by falling back to kmalloc'ing 'struct bio_integrity_payload'
      rather than force all bioset consumers to (wastefully) preallocate a
      bio_integrity_pool that they very likely won't actually need (given the
      niche nature of the current block integrity support).
      
      Otherwise, a NULL pointer "Kernel BUG" with a trace like the following
      will be observed (as seen on s390x using zfcp storage) because dm-io
      doesn't use bioset_integrity_create() when creating its bioset:
      
          [  791.643338] Call Trace:
          [  791.643339] ([<00000003df98b848>] 0x3df98b848)
          [  791.643341]  [<00000000002c5de8>] bio_integrity_alloc+0x48/0xf8
          [  791.643348]  [<00000000002c6486>] bio_integrity_prep+0xae/0x2f0
          [  791.643349]  [<0000000000371e38>] blk_queue_bio+0x1c8/0x3d8
          [  791.643355]  [<000000000036f8d0>] generic_make_request+0xc0/0x100
          [  791.643357]  [<000000000036f9b2>] submit_bio+0xa2/0x198
          [  791.643406]  [<000003ff801f9774>] dispatch_io+0x15c/0x3b0 [dm_mod]
          [  791.643419]  [<000003ff801f9b3e>] dm_io+0x176/0x2f0 [dm_mod]
          [  791.643423]  [<000003ff8074b28a>] do_reads+0x13a/0x1a8 [dm_mirror]
          [  791.643425]  [<000003ff8074b43a>] do_mirror+0x142/0x298 [dm_mirror]
          [  791.643428]  [<0000000000154fca>] process_one_work+0x18a/0x3f8
          [  791.643432]  [<000000000015598a>] worker_thread+0x132/0x3b0
          [  791.643435]  [<000000000015d49a>] kthread+0xd2/0xd8
          [  791.643438]  [<00000000005bc0ca>] kernel_thread_starter+0x6/0xc
          [  791.643446]  [<00000000005bc0c4>] kernel_thread_starter+0x0/0xc
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      62a3fb23
    • Michal Marek's avatar
      kbuild: Allow arch Makefiles to override {cpp,ld,c}flags · 32469b12
      Michal Marek authored
      commit 61754c18 upstream.
      
      Since commit a1c48bb1 (Makefile: Fix unrecognized cross-compiler command
      line options), the arch Makefile is included earlier by the main
      Makefile, preventing the arc architecture to set its -O3 compiler
      option. Since there might be more use cases for an arch Makefile to
      fine-tune the options, add support for ARCH_CPPFLAGS, ARCH_AFLAGS and
      ARCH_CFLAGS variables that are appended to the respective kbuild
      variables. The user still has the final say via the KCPPFLAGS, KAFLAGS
      and KCFLAGS variables.
      Reported-by: default avatarVineet Gupta <Vineet.Gupta1@synopsys.com>
      Signed-off-by: default avatarMichal Marek <mmarek@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      32469b12
    • Alexey Brodkin's avatar
      ARC: make sure instruction_pointer() returns unsigned value · a783168d
      Alexey Brodkin authored
      commit f51e2f19 upstream.
      
      Currently instruction_pointer() returns pt_regs->ret and so return value
      is of type "long", which implicitly stands for "signed long".
      
      While that's perfectly fine when dealing with 32-bit values if return
      value of instruction_pointer() gets assigned to 64-bit variable sign
      extension may happen.
      
      And at least in one real use-case it happens already.
      In perf_prepare_sample() return value of perf_instruction_pointer()
      (which is an alias to instruction_pointer() in case of ARC) is assigned
      to (struct perf_sample_data)->ip (which type is "u64").
      
      And what we see if instuction pointer points to user-space application
      that in case of ARC lays below 0x8000_0000 "ip" gets set properly with
      leading 32 zeros. But if instruction pointer points to kernel address
      space that starts from 0x8000_0000 then "ip" is set with 32 leadig
      "f"-s. I.e. id instruction_pointer() returns 0x8100_0000, "ip" will be
      assigned with 0xffff_ffff__8100_0000. Which is obviously wrong.
      
      In particular that issuse broke output of perf, because perf was unable
      to associate addresses like 0xffff_ffff__8100_0000 with anything from
      /proc/kallsyms.
      
      That's what we used to see:
       ----------->8----------
        6.27%  ls       [unknown]                [k] 0xffffffff8046c5cc
        2.96%  ls       libuClibc-0.9.34-git.so  [.] memcpy
        2.25%  ls       libuClibc-0.9.34-git.so  [.] memset
        1.66%  ls       [unknown]                [k] 0xffffffff80666536
        1.54%  ls       libuClibc-0.9.34-git.so  [.] 0x000224d6
        1.18%  ls       libuClibc-0.9.34-git.so  [.] 0x00022472
       ----------->8----------
      
      With that change perf output looks much better now:
       ----------->8----------
        8.21%  ls       [kernel.kallsyms]        [k] memset
        3.52%  ls       libuClibc-0.9.34-git.so  [.] memcpy
        2.11%  ls       libuClibc-0.9.34-git.so  [.] malloc
        1.88%  ls       libuClibc-0.9.34-git.so  [.] memset
        1.64%  ls       [kernel.kallsyms]        [k] _raw_spin_unlock_irqrestore
        1.41%  ls       [kernel.kallsyms]        [k] __d_lookup_rcu
       ----------->8----------
      Signed-off-by: default avatarAlexey Brodkin <abrodkin@synopsys.com>
      Cc: arc-linux-dev@synopsys.com
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a783168d
    • Vineet Gupta's avatar
      ARC: Override toplevel default -O2 with -O3 · bad8eab0
      Vineet Gupta authored
      commit 97709069 upstream.
      
      ARC kernels have historically been built with -O3, despite top level
      Makefile defaulting to -O2. This was facilitated by implicitly ordering
      of arch makefile include AFTER top level assigned -O2.
      
      An upstream fix to top level a1c48bb1 ("Makefile: Fix unrecognized
      cross-compiler command line options") changed the ordering, making ARC
      -O3 defunct.
      
      Fix that by NOT relying on any ordering whatsoever and use the proper
      arch override facility now present in kbuild (ARCH_*FLAGS)
      
      Depends-on: ("kbuild: Allow arch Makefiles to override {cpp,ld,c}flags")
      Suggested-by: default avatarMichal Marek <mmarek@suse.cz>
      Cc: Geert Uytterhoeven <geert@linux-m68k.org>
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bad8eab0
    • Heiko Carstens's avatar
      s390/cachinfo: add missing facility check to init_cache_level() · a2bfecc4
      Heiko Carstens authored
      commit 0b991f5c upstream.
      
      Stephen Powell reported the following crash on a z890 machine:
      
      Kernel BUG at 00000000001219d0 [verbose debug info unavailable]
      illegal operation: 0001 ilc:3 [#1] SMP
      Krnl PSW : 0704e00180000000 00000000001219d0 (init_cache_level+0x38/0xe0)
      	   R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 EA:3
      Krnl Code: 00000000001219c2: a7840056		brc	8,121a6e
      	   00000000001219c6: a7190000		lghi	%r1,0
      	  #00000000001219ca: eb101000004c	ecag	%r1,%r0,0(%r1)
      	  >00000000001219d0: a7390000		lghi	%r3,0
      	   00000000001219d4: e310f0a00024	stg	%r1,160(%r15)
      	   00000000001219da: a7080000		lhi	%r0,0
      	   00000000001219de: a7b9f000		lghi	%r11,-4096
      	   00000000001219e2: c0a0002899d9	larl	%r10,634d94
      Call Trace:
       [<0000000000478ee2>] detect_cache_attributes+0x2a/0x2b8
       [<000000000097c9b0>] cacheinfo_sysfs_init+0x60/0xc8
       [<00000000001001c0>] do_one_initcall+0x98/0x1c8
       [<000000000094fdc2>] kernel_init_freeable+0x212/0x2d8
       [<000000000062352e>] kernel_init+0x26/0x118
       [<000000000062fd2e>] kernel_thread_starter+0x6/0xc
      
      The illegal operation was executed because of a missing facility check,
      which should have made sure that the ECAG execution would only be executed
      on machines which have the general-instructions-extension facility
      installed.
      Reported-and-tested-by: default avatarStephen Powell <zlinuxman@wowway.com>
      Signed-off-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a2bfecc4
    • Michael Holzheu's avatar
      s390/bpf: clear correct BPF accumulator register · 19d95928
      Michael Holzheu authored
      commit 30342fe6 upstream.
      
      Currently we assumed the following BPF to eBPF register mapping:
      
       - BPF_REG_A -> BPF_REG_7
       - BPF_REG_X -> BPF_REG_8
      
      Unfortunately this mapping is wrong. The correct mapping is:
      
       - BPF_REG_A -> BPF_REG_0
       - BPF_REG_X -> BPF_REG_7
      
      So clear the correct registers and use the BPF_REG_A and BPF_REG_X
      macros instead of BPF_REG_0/7.
      
      Fixes: 05462310 ("s390/bpf: Add s390x eBPF JIT compiler backend")
      Signed-off-by: default avatarMichael Holzheu <holzheu@linux.vnet.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      19d95928
    • Heiko Carstens's avatar
      s390/nmi: fix vector register corruption · 36566f6d
      Heiko Carstens authored
      commit cad49cfc upstream.
      
      If a machine check happens, the machine has the vector facility installed
      and the extended save area exists, the cpu will save vector register
      contents into the extended save area. This is regardless of control
      register 0 contents, which enables and disables the vector facility during
      runtime.
      
      On each machine check we should validate the vector registers. The current
      code however tries to validate the registers only if the running task is
      using vector registers in user space.
      
      However even the current code is broken and causes vector register
      corruption on machine checks, if user space uses them:
      the prefix area contains a pointer (absolute address) to the machine check
      extended save area. In order to save some space the save area was put into
      an unused area of the second prefix page.
      When validating vector register contents the code uses the absolute address
      of the extended save area, which is wrong. Due to prefixing the vector
      instructions will then access contents using absolute addresses instead
      of real addresses, where the machine stored the contents.
      
      If the above would work there is still the problem that register validition
      would only happen if user space uses vector registers. If kernel space uses
      them also, this may also lead to vector register content corruption:
      if the kernel makes use of vector instructions, but the current running
      user space context does not, the machine check handler will validate
      floating point registers instead of vector registers.
      Given the fact that writing to a floating point register may change the
      upper halve of the corresponding vector register, we also experience vector
      register corruption in this case.
      
      Fix all of these issues, and always validate vector registers on each
      machine check, if the machine has the vector facility installed and the
      extended save area is defined.
      Signed-off-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      36566f6d
    • Martin Schwidefsky's avatar
      s390/sclp: clear upper register halves in _sclp_print_early · 88b7166f
      Martin Schwidefsky authored
      commit f9c87a6f upstream.
      
      If the kernel is compiled with gcc 5.1 and the XZ compression option
      the decompress_kernel function calls _sclp_print_early in 64-bit mode
      while the content of the upper register half of %r6 is non-zero.
      This causes a specification exception on the servc instruction in
      _sclp_servc.
      
      The _sclp_print_early function saves and restores the upper registers
      halves but it fails to clear them for the 31-bit code of the mini sclp
      driver.
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      88b7166f
    • Heiko Carstens's avatar
      s390/process: fix sfpc inline assembly · 5e62f684
      Heiko Carstens authored
      commit e47994dd upstream.
      
      The sfpc inline assembly within execve_tail() may incorrectly set bits
      28-31 of the sfpc instruction to a value which is not zero.
      These bits however are currently unused and therefore should be zero
      so we won't get surprised if these bits will be used in the future.
      
      Therefore remove the second operand from the inline assembly.
      Signed-off-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5e62f684
    • Vutla, Lokesh's avatar
      crypto: omap-des - Fix unmapping of dma channels · f662ffe3
      Vutla, Lokesh authored
      commit acb33cc5 upstream.
      
      dma_unmap_sg() is being called twice after completing the
      task. Looks like this is a copy paste error when creating
      des driver.
      With this the following warn appears during boot:
      
      [    4.210457] ------------[ cut here ]------------
      [    4.215114] WARNING: CPU: 0 PID: 0 at lib/dma-debug.c:1080 check_unmap+0x710/0x9a0()
      [    4.222899] omap-des 480a5000.des: DMA-API: device driver tries to free DMA memory it has not allocated [device address=0x00000000ab2ce000] [size=8 bytes]
      [    4.236785] Modules linked in:
      [    4.239860] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 3.14.39-02999-g1bc045a-dirty #182
      [    4.247918] [<c001678c>] (unwind_backtrace) from [<c0012574>] (show_stack+0x10/0x14)
      [    4.255710] [<c0012574>] (show_stack) from [<c05a37e8>] (dump_stack+0x84/0xb8)
      [    4.262977] [<c05a37e8>] (dump_stack) from [<c0046464>] (warn_slowpath_common+0x68/0x8c)
      [    4.271107] [<c0046464>] (warn_slowpath_common) from [<c004651c>] (warn_slowpath_fmt+0x30/0x40)
      [    4.279854] [<c004651c>] (warn_slowpath_fmt) from [<c02d50a4>] (check_unmap+0x710/0x9a0)
      [    4.287991] [<c02d50a4>] (check_unmap) from [<c02d5478>] (debug_dma_unmap_sg+0x90/0x19c)
      [    4.296128] [<c02d5478>] (debug_dma_unmap_sg) from [<c04a77d8>] (omap_des_done_task+0x1cc/0x3e4)
      [    4.304963] [<c04a77d8>] (omap_des_done_task) from [<c004a090>] (tasklet_action+0x84/0x124)
      [    4.313370] [<c004a090>] (tasklet_action) from [<c004a4ac>] (__do_softirq+0xf0/0x20c)
      [    4.321235] [<c004a4ac>] (__do_softirq) from [<c004a840>] (irq_exit+0x98/0xec)
      [    4.328500] [<c004a840>] (irq_exit) from [<c000f9ac>] (handle_IRQ+0x50/0xb0)
      [    4.335589] [<c000f9ac>] (handle_IRQ) from [<c0008688>] (gic_handle_irq+0x28/0x5c)
      
      Removing the duplicate call to dma_unmap_sg().
      Reported-by: default avatarTomi Valkeinen <tomi.valkeinen@ti.com>
      Signed-off-by: default avatarLokesh Vutla <lokeshvutla@ti.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f662ffe3
    • Andrey Ryabinin's avatar
      x86/kasan: Fix boot crash on AMD processors · 6b12a75d
      Andrey Ryabinin authored
      commit d4f86bea upstream.
      
      While populating zero shadow wrong bits in upper level page
      tables used. __PAGE_KERNEL_RO that was used for pgd/pud/pmd has
      _PAGE_BIT_GLOBAL set. Global bit is present only in the lowest
      level of the page translation hierarchy (ptes), and it should be
      zero in upper levels.
      
      This bug seems doesn't cause any troubles on Intel cpus, while
      on AMDs it cause kernel crash on boot.
      
      Use _KERNPG_TABLE bits for pgds/puds/pmds to fix this.
      Reported-by: default avatarBorislav Petkov <bp@alien8.de>
      Signed-off-by: default avatarAndrey Ryabinin <a.ryabinin@samsung.com>
      Cc: Alexander Popov <alpopov@ptsecurity.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Andrey Konovalov <adech.fo@gmail.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/1435828178-10975-5-git-send-email-a.ryabinin@samsung.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6b12a75d
    • Andrey Ryabinin's avatar
      x86/kasan: Flush TLBs after switching CR3 · bcb87bb5
      Andrey Ryabinin authored
      commit 241d2c54 upstream.
      
      load_cr3() doesn't cause tlb_flush if PGE enabled.
      
      This may cause tons of false positive reports spamming the
      kernel to death.
      
      To fix this __flush_tlb_all() should be called explicitly
      after CR3 changed.
      Signed-off-by: default avatarAndrey Ryabinin <a.ryabinin@samsung.com>
      Cc: Alexander Popov <alpopov@ptsecurity.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Andrey Konovalov <adech.fo@gmail.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/1435828178-10975-4-git-send-email-a.ryabinin@samsung.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bcb87bb5
    • Alexander Popov's avatar
      x86/kasan: Fix KASAN shadow region page tables · 2fe36f4f
      Alexander Popov authored
      commit 5d5aa3cf upstream.
      
      Currently KASAN shadow region page tables created without
      respect of physical offset (phys_base). This causes kernel halt
      when phys_base is not zero.
      
      So let's initialize KASAN shadow region page tables in
      kasan_early_init() using __pa_nodebug() which considers
      phys_base.
      
      This patch also separates x86_64_start_kernel() from KASAN low
      level details by moving kasan_map_early_shadow(init_level4_pgt)
      into kasan_early_init().
      
      Remove the comment before clear_bss() which stopped bringing
      much profit to the code readability. Otherwise describing all
      the new order dependencies would be too verbose.
      Signed-off-by: default avatarAlexander Popov <alpopov@ptsecurity.com>
      Signed-off-by: default avatarAndrey Ryabinin <a.ryabinin@samsung.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Andrey Konovalov <adech.fo@gmail.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/1435828178-10975-3-git-send-email-a.ryabinin@samsung.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2fe36f4f
    • Andrey Ryabinin's avatar
      x86/init: Clear 'init_level4_pgt' earlier · 16e28fc1
      Andrey Ryabinin authored
      commit d0f77d4d upstream.
      
      Currently x86_64_start_kernel() has two KASAN related
      function calls. The first call maps shadow to early_level4_pgt,
      the second maps shadow to init_level4_pgt.
      
      If we move clear_page(init_level4_pgt) earlier, we could hide
      KASAN low level detail from generic x86_64 initialization code.
      The next patch will do it.
      Signed-off-by: default avatarAndrey Ryabinin <a.ryabinin@samsung.com>
      Cc: Alexander Popov <alpopov@ptsecurity.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Andrey Konovalov <adech.fo@gmail.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/1435828178-10975-2-git-send-email-a.ryabinin@samsung.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      16e28fc1
    • Al Viro's avatar
      freeing unlinked file indefinitely delayed · 025a294a
      Al Viro authored
      commit 75a6f82a upstream.
      
      	Normally opening a file, unlinking it and then closing will have
      the inode freed upon close() (provided that it's not otherwise busy and
      has no remaining links, of course).  However, there's one case where that
      does *not* happen.  Namely, if you open it by fhandle with cold dcache,
      then unlink() and close().
      
      	In normal case you get d_delete() in unlink(2) notice that dentry
      is busy and unhash it; on the final dput() it will be forcibly evicted from
      dcache, triggering iput() and inode removal.  In this case, though, we end
      up with *two* dentries - disconnected (created by open-by-fhandle) and
      regular one (used by unlink()).  The latter will have its reference to inode
      dropped just fine, but the former will not - it's considered hashed (it
      is on the ->s_anon list), so it will stay around until the memory pressure
      will finally do it in.  As the result, we have the final iput() delayed
      indefinitely.  It's trivial to reproduce -
      
      void flush_dcache(void)
      {
              system("mount -o remount,rw /");
      }
      
      static char buf[20 * 1024 * 1024];
      
      main()
      {
              int fd;
              union {
                      struct file_handle f;
                      char buf[MAX_HANDLE_SZ];
              } x;
              int m;
      
              x.f.handle_bytes = sizeof(x);
              chdir("/root");
              mkdir("foo", 0700);
              fd = open("foo/bar", O_CREAT | O_RDWR, 0600);
              close(fd);
              name_to_handle_at(AT_FDCWD, "foo/bar", &x.f, &m, 0);
              flush_dcache();
              fd = open_by_handle_at(AT_FDCWD, &x.f, O_RDWR);
              unlink("foo/bar");
              write(fd, buf, sizeof(buf));
              system("df .");			/* 20Mb eaten */
              close(fd);
              system("df .");			/* should've freed those 20Mb */
              flush_dcache();
              system("df .");			/* should be the same as #2 */
      }
      
      will spit out something like
      Filesystem     1K-blocks   Used Available Use% Mounted on
      /dev/root         322023 303843      1131 100% /
      Filesystem     1K-blocks   Used Available Use% Mounted on
      /dev/root         322023 303843      1131 100% /
      Filesystem     1K-blocks   Used Available Use% Mounted on
      /dev/root         322023 283282     21692  93% /
      - inode gets freed only when dentry is finally evicted (here we trigger
      than by remount; normally it would've happened in response to memory
      pressure hell knows when).
      Acked-by: default avatarJ. Bruce Fields <bfields@fieldses.org>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      025a294a
    • Stefan Agner's avatar
      can: mcp251x: fix resume when device is down · 8a5d1e37
      Stefan Agner authored
      commit 25b401c1 upstream.
      
      If a valid power regulator or a dummy regulator is used (which
      happens to be the case when no regulator is specified), restart_work
      is queued no matter whether the device was running or not at suspend
      time. Since work queues get initialized in the ndo_open callback,
      resuming leads to a NULL pointer exception.
      
      Reverse exactly the steps executed at suspend time:
      - Enable the power regulator in any case
      - Enable the transceiver regulator if the device was running, even in
        case we have a power regulator
      - Queue restart_work only in case the device was running
      
      Fixes: bf66f373 ("can: mcp251x: Move to threaded interrupts instead of workqueues.")
      Signed-off-by: default avatarStefan Agner <stefan@agner.ch>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8a5d1e37
    • Sergei Shtylyov's avatar
      can: rcar_can: print signed IRQ # · 23596d7d
      Sergei Shtylyov authored
      commit c1a4c87b upstream.
      
      Printing IRQ # using "%x" and "%u" unsigned formats isn't quite correct as
      'ndev->irq' is of  type *int*, so  the "%d" format  needs to be used instead.
      
      While fixing this, beautify the dev_info() message in rcar_can_probe() a bit.
      
      Fixes: fd115931 ("can: add Renesas R-Car CAN driver")
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      23596d7d
    • J.D. Schroeder's avatar
      can: c_can: Fix default pinmux glitch at init · 436eacc4
      J.D. Schroeder authored
      commit 03336519 upstream.
      
      The previous change 3973c526 (net: can: c_can: Disable pins when CAN
      interface is down) causes a slight glitch on the pinctrl settings when used.
      Since commit ab78029e (drivers/pinctrl: grab default handles from device core),
      the device core will automatically set the default pins. This causes the pins
      to be momentarily set to the default and then to the sleep state in
      register_c_can_dev(). By adding an optional "enable" state, boards can set the
      default pin state to be disabled and avoid the glitch when the switch from
      default to sleep first occurs. If the "enable" state is not available
      c_can_pinctrl_select_state() falls back to using the "default" pinctrl state.
      
      [Roger Q] - Forward port to v4.2 and use pinctrl_get_select().
      Signed-off-by: default avatarJ.D. Schroeder <jay.schroeder@garmin.com>
      Signed-off-by: default avatarRoger Quadros <rogerq@ti.com>
      Reviewed-by: default avatarGrygorii Strashko <grygorii.strashko@ti.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      436eacc4
    • Sergei Shtylyov's avatar
      can: rcar_can: fix IRQ check · 78574b4b
      Sergei Shtylyov authored
      commit 5e63e6ba upstream.
      
      rcar_can_probe() regards 0 as a wrong IRQ #, despite platform_get_irq() that it
      calls returns negative error code in that case. This leads to the following
      being printed to the console when attempting to open the device:
      
      error requesting interrupt fffffffa
      
      because  rcar_can_open() calls request_irq() with a negative IRQ #, and that
      function naturally fails with -EINVAL.
      
      Check for the negative error codes instead and propagate them upstream instead
      of just returning -ENODEV.
      
      Fixes: fd115931 ("can: add Renesas R-Car CAN driver")
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      78574b4b
    • Oliver Hartkopp's avatar
      can: replace timestamp as unique skb attribute · 153fa24b
      Oliver Hartkopp authored
      commit d3b58c47 upstream.
      
      Commit 514ac99c "can: fix multiple delivery of a single CAN frame for
      overlapping CAN filters" requires the skb->tstamp to be set to check for
      identical CAN skbs.
      
      Without timestamping to be required by user space applications this timestamp
      was not generated which lead to commit 36c01245 "can: fix loss of CAN frames
      in raw_rcv" - which forces the timestamp to be set in all CAN related skbuffs
      by introducing several __net_timestamp() calls.
      
      This forces e.g. out of tree drivers which are not using alloc_can{,fd}_skb()
      to add __net_timestamp() after skbuff creation to prevent the frame loss fixed
      in mainline Linux.
      
      This patch removes the timestamp dependency and uses an atomic counter to
      create an unique identifier together with the skbuff pointer.
      
      Btw: the new skbcnt element introduced in struct can_skb_priv has to be
      initialized with zero in out-of-tree drivers which are not using
      alloc_can{,fd}_skb() too.
      Signed-off-by: default avatarOliver Hartkopp <socketcan@hartkopp.net>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      153fa24b
    • Markos Chandras's avatar
      MIPS: fpu.h: Allow 64-bit FPU on a 64-bit MIPS R6 CPU · cea0f568
      Markos Chandras authored
      commit fcc53b5f upstream.
      
      Commit 6134d949 ("MIPS: asm: fpu: Allow 64-bit FPU on MIPS32 R6")
      added support for 64-bit FPU on a 32-bit MIPS R6 processor but it missed
      the 64-bit CPU case leading to FPU failures when requesting FR=1 mode
      (which is always the case for MIPS R6 userland) when running a 32-bit
      kernel on a 64-bit CPU. We also fix the MIPS R2 case.
      Signed-off-by: default avatarMarkos Chandras <markos.chandras@imgtec.com>
      Fixes: 6134d949 ("MIPS: asm: fpu: Allow 64-bit FPU on MIPS32 R6")
      Reviewed-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/10734/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cea0f568
    • Paul Burton's avatar
      MIPS: Require O32 FP64 support for MIPS64 with O32 compat · 219485e3
      Paul Burton authored
      commit 4e9d324d upstream.
      
      MIPS32r6 code requires FP64 (ie. FR=1) support. Building a kernel with
      support for MIPS32r6 binaries but without support for O32 with FP64 is
      therefore a problem which can lead to incorrectly executed userland.
      
      CONFIG_MIPS_O32_FP64_SUPPORT is already selected when the kernel is
      configured for MIPS32r6, but not when the kernel is configured for
      MIPS64r6 with O32 compat support. Select CONFIG_MIPS_O32_FP64_SUPPORT in
      such configurations to prevent building kernels which execute MIPS32r6
      userland incorrectly.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Cc: Markos Chandras <markos.chandras@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Cc: Matthew Fortune <matthew.fortune@imgtec.com>
      Cc: linux-kernel@vger.kernel.org
      Patchwork: https://patchwork.linux-mips.org/patch/10674/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      219485e3
    • Markos Chandras's avatar
      MIPS: c-r4k: Fix cache flushing for MT cores · 7ed06198
      Markos Chandras authored
      commit cccf34e9 upstream.
      
      MT_SMP is not the only SMP option for MT cores. The MT_SMP option
      allows more than one VPE per core to appear as a secondary CPU in the
      system. Because of how CM works, it propagates the address-based
      cache ops to the secondary cores but not the index-based ones.
      Because of that, the code does not use IPIs to flush the L1 caches on
      secondary cores because the CM would have done that already. However,
      the CM functionality is independent of the type of SMP kernel so even in
      non-MT kernels, IPIs are not necessary. As a result of which, we change
      the conditional to depend on the CM presence. Moreover, since VPEs on
      the same core share the same L1 caches, there is no need to send an
      IPI on all of them so we calculate a suitable cpumask with only one
      VPE per core.
      Signed-off-by: default avatarMarkos Chandras <markos.chandras@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/10654/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7ed06198
    • Markos Chandras's avatar
      MIPS: Fix erroneous JR emulation for MIPS R6 · a6130c5e
      Markos Chandras authored
      commit 143fefc8 upstream.
      
      Commit 5f9f41c4 ("MIPS: kernel: Prepare
      the JR instruction for emulation on MIPS R6") added support for
      emulating the JR instruction on MIPS R6 cores but that introduced a bug
      which could be triggered when hitting a JALR opcode because the code used
      the wrong field in the 'r_format' struct to determine the instruction
      opcode. This lead to crashes because an emulated JALR instruction was
      treated as a JR one when the R6 emulator was turned off.
      
      Fixes: 5f9f41c4 ("MIPS: kernel: Prepare the JR instruction for emulation on MIPS R6")
      Signed-off-by: default avatarMarkos Chandras <markos.chandras@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/10583/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a6130c5e
    • Lucas Stach's avatar
      ARM: imx6: gpc: always enable PU domain if CONFIG_PM is not set · 9af14dc3
      Lucas Stach authored
      commit d438462c upstream.
      
      If CONFIG_PM is not set the PU power domain needs to be enabled always,
      otherwise there are two failure scenarios which will hang the system if
      one of the devices in the PU domain is accessed.
      
      1. New DTs (4.1+) drop the "always-on" property from the PU regulator, so
      if it isn't properly enabled by the GPC code it will be disabled at the
      end of boot.
      
      2. If the bootloader already disabled the PU domain the GPC explicitly
      needs to enable it again, even if the kernel doesn't do any power
      management. This is a bit hypothetical, as it requires to boot a
      mainline kernel on a downstream bootloader, as no mainline bootloader
      disables the PM domains.
      Signed-off-by: default avatarLucas Stach <l.stach@pengutronix.de>
      Acked-by: default avatarPhilipp Zabel <p.zabel@pengutronix.de>
      Signed-off-by: default avatarShawn Guo <shawn.guo@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9af14dc3
    • Marek Szyprowski's avatar
      ARM: 8404/1: dma-mapping: fix off-by-one error in bitmap size check · 50c30137
      Marek Szyprowski authored
      commit 462859aa upstream.
      
      nr_bitmaps member of mapping structure stores the number of already
      allocated bitmaps and it is interpreted as loop iterator (it starts from
      0 not from 1), so a comparison against number of possible bitmap
      extensions should include this fact. This patch fixes this by changing
      the extension failure condition. This issue has been introduced by
      commit 4d852ef8 ("arm: dma-mapping: Add
      support to extend DMA IOMMU mappings").
      Reported-by: default avatarHyungwon Hwang <human.hwang@samsung.com>
      Signed-off-by: default avatarMarek Szyprowski <m.szyprowski@samsung.com>
      Reviewed-by: default avatarHyungwon Hwang <human.hwang@samsung.com>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      50c30137
    • Roger Quadros's avatar
      ARM: dts: am57xx-beagle-x15: Provide supply for usb2_phy2 · 0784a0b5
      Roger Quadros authored
      commit 9ab402ae upstream.
      
      Without this USB2 breaks if USB1 is disabled or USB1
      initializes after USB2 e.g. due to deferred probing.
      
      Fixes: 5a0f93c6 ("ARM: dts: Add am57xx-beagle-x15")
      Signed-off-by: default avatarRoger Quadros <rogerq@ti.com>
      Signed-off-by: default avatarTony Lindgren <tony@atomide.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0784a0b5
    • Roger Quadros's avatar
      ARM: dts: dra7x-evm: Prevent glitch on DCAN1 pinmux · c0c4945b
      Roger Quadros authored
      commit 2acb5c30 upstream.
      
      Driver core sets "default" pinmux on on probe and CAN driver
      sets "sleep" pinmux during register. This causes a small window
      where the CAN pins are in "default" state with the DCAN module
      being disabled.
      
      Change the "default" state to be like sleep so this glitch is
      avoided. Add a new "active" state that is used by the driver
      when CAN is actually active.
      Signed-off-by: default avatarRoger Quadros <rogerq@ti.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c0c4945b
    • Robert Jarzmik's avatar
      ARM: pxa: fix dm9000 platform data regression · 7185dab0
      Robert Jarzmik authored
      commit a927ef89 upstream.
      
      Since dm9000 driver added support for a vcc regulator, platform data
      based platforms have their ethernet broken, as the regulator claiming
      returns -EPROBE_DEFER and prevents dm9000 loading.
      
      This patch fixes this for all pxa boards using dm9000, by using the
      specific regulator_has_full_constraints() function.
      
      This was discovered and tested on the cm-x300 board.
      
      Fixes: 7994fe55 ("dm9000: Add regulator and reset support to dm9000")
      Signed-off-by: default avatarRobert Jarzmik <robert.jarzmik@free.fr>
      Acked-by: default avatarIgor Grinberg <grinberg@compulab.co.il>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7185dab0
    • Christophe Jaillet's avatar
      parisc: mm: Fix a memory leak related to pmd not attached to the pgd · 0ab58712
      Christophe Jaillet authored
      commit 4c4ac9a4 upstream.
      
      Commit 0e0da48d ("parisc: mm: don't count preallocated pmds")
      introduced a memory leak.
      
      After this commit, the 'return' statement in pmd_free is executed in all
      cases. Even for pmd that are not attached to the pgd.  So 'free_pages'
      can never be called anymore, leading to a memory leak.
      Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Acked-by: default avatarKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Acked-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Acked-by: default avatarHelge Deller <deller@gmx.de>
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0ab58712
    • John David Anglin's avatar
      parisc: Fix some PTE/TLB race conditions and optimize __flush_tlb_range based on timing results · 78eb5efb
      John David Anglin authored
      commit 01ab6057 upstream.
      
      The increased use of pdtlb/pitlb instructions seemed to increase the
      frequency of random segmentation faults building packages. Further, we
      had a number of cases where TLB inserts would repeatedly fail and all
      forward progress would stop. The Haskell ghc package caused a lot of
      trouble in this area. The final indication of a race in pte handling was
      this syslog entry on sibaris (C8000):
      
       swap_free: Unused swap offset entry 00000004
       BUG: Bad page map in process mysqld  pte:00000100 pmd:019bbec5
       addr:00000000ec464000 vm_flags:00100073 anon_vma:0000000221023828 mapping: (null) index:ec464
       CPU: 1 PID: 9176 Comm: mysqld Not tainted 4.0.0-2-parisc64-smp #1 Debian 4.0.5-1
       Backtrace:
        [<0000000040173eb0>] show_stack+0x20/0x38
        [<0000000040444424>] dump_stack+0x9c/0x110
        [<00000000402a0d38>] print_bad_pte+0x1a8/0x278
        [<00000000402a28b8>] unmap_single_vma+0x3d8/0x770
        [<00000000402a4090>] zap_page_range+0xf0/0x198
        [<00000000402ba2a4>] SyS_madvise+0x404/0x8c0
      
      Note that the pte value is 0 except for the accessed bit 0x100. This bit
      shouldn't be set without the present bit.
      
      It should be noted that the madvise system call is probably a trigger for many
      of the random segmentation faults.
      
      In looking at the kernel code, I found the following problems:
      
      1) The pte_clear define didn't take TLB lock when clearing a pte.
      2) We didn't test pte present bit inside lock in exception support.
      3) The pte and tlb locks needed to merged in order to ensure consistency
      between page table and TLB. This also has the effect of serializing TLB
      broadcasts on SMP systems.
      
      The attached change implements the above and a few other tweaks to try
      to improve performance. Based on the timing code, TLB purges are very
      slow (e.g., ~ 209 cycles per page on rp3440). Thus, I think it
      beneficial to test the split_tlb variable to avoid duplicate purges.
      Probably, all PA 2.0 machines have combined TLBs.
      
      I dropped using __flush_tlb_range in flush_tlb_mm as I realized all
      applications and most threads have a stack size that is too large to
      make this useful. I added some comments to this effect.
      
      Since implementing 1 through 3, I haven't had any random segmentation
      faults on mx3210 (rp3440) in about one week of building code and running
      as a Debian buildd.
      Signed-off-by: default avatarJohn David Anglin <dave.anglin@bell.net>
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      78eb5efb
    • Dmitry Torokhov's avatar
      Revert "Input: synaptics - allocate 3 slots to keep stability in image sensors" · d474669e
      Dmitry Torokhov authored
      commit dbf3c370 upstream.
      
      This reverts commit 63c4fda3 as it
      causes issues with detecting 3-finger taps.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=100481Acked-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      d474669e
    • Shreyas B. Prabhu's avatar
      powerpc/powernv: Fix race in updating core_idle_state · 5f0f854a
      Shreyas B. Prabhu authored
      commit b32aadc1 upstream.
      
      core_idle_state is maintained for each core. It uses 0-7 bits to track
      whether a thread in the core has entered fastsleep or winkle. 8th bit is
      used as a lock bit.
      The lock bit is set in these 2 scenarios-
       - The thread is first in subcore to wakeup from sleep/winkle.
       - If its the last thread in the core about to enter sleep/winkle
      
      While the lock bit is set, if any other thread in the core wakes up, it
      loops until the lock bit is cleared before proceeding in the wakeup
      path. This helps prevent race conditions w.r.t fastsleep workaround and
      prevents threads from switching to process context before core/subcore
      resources are restored.
      
      But, in the path to sleep/winkle entry, we currently don't check for
      lock-bit. This exposes us to following race when running with subcore
      on-
      
      First thread in the subcorea		Another thread in the same
      waking up		   		core entering sleep/winkle
      
      lwarx   r15,0,r14
      ori     r15,r15,PNV_CORE_IDLE_LOCK_BIT
      stwcx.  r15,0,r14
      [Code to restore subcore state]
      
      						lwarx   r15,0,r14
      						[clear thread bit]
      						stwcx.  r15,0,r14
      
      andi.   r15,r15,PNV_CORE_IDLE_THREAD_BITS
      stw     r15,0(r14)
      
      Here, after the thread entering sleep clears its thread bit in
      core_idle_state, the value is overwritten by the thread waking up.
      In such cases when the core enters fastsleep, code mistakes an idle
      thread as running. Because of this, the first thread waking up from
      fastsleep which is supposed to resync timebase skips it. So we can
      end up having a core with stale timebase value.
      
      This patch fixes the above race by looping on the lock bit even while
      entering the idle states.
      Signed-off-by: default avatarShreyas B. Prabhu <shreyas@linux.vnet.ibm.com>
      Fixes: 7b54e9f213f76 'powernv/powerpc: Add winkle support for offline cpus'
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5f0f854a
    • Daniel Axtens's avatar
      cxl: Check if afu is not null in cxl_slbia · 4a0c377c
      Daniel Axtens authored
      commit 2c069a11 upstream.
      
      The pointer to an AFU in the adapter's list of AFUs can be null
      if we're in the process of removing AFUs. The afu_list_lock
      doesn't guard against this.
      
      Say we have 2 slices, and we're in the process of removing cxl.
       - We remove the AFUs in order (see cxl_remove). In cxl_remove_afu
         for AFU 0, we take the lock, set adapter->afu[0] = NULL, and
         release the lock.
       - Then we get an slbia. In cxl_slbia we take the lock, and set
         afu = adapter->afu[0], which is NULL.
       - Therefore our attempt to check afu->enabled will blow up.
      
      Therefore, check if afu is a null pointer before dereferencing it.
      Signed-off-by: default avatarDaniel Axtens <dja@axtens.net>
      Acked-by: default avatarMichael Neuling <mikey@neuling.org>
      Acked-by: default avatarIan Munsie <imunsie@au1.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4a0c377c
    • Ian Munsie's avatar
      cxl: Fix off by one error allowing subsequent mmap page to be accessed · bbf9f2c9
      Ian Munsie authored
      commit 10a5894f upstream.
      
      It was discovered that if a process mmaped their problem state area they
      were able to access one page more than expected, potentially allowing
      them to access the problem state area of an unrelated process.
      
      This was due to a simple off by one error in the mmap fault handler
      introduced in 0712dc7e ("cxl: Fix issues
      when unmapping contexts"), which is fixed in this patch.
      
      Fixes: 0712dc7e ("cxl: Fix issues when unmapping contexts")
      Signed-off-by: default avatarIan Munsie <imunsie@au1.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bbf9f2c9
  2. 03 Aug, 2015 4 commits