1. 05 Jul, 2015 13 commits
    • Catalin Marinas's avatar
      mm: kmemleak: allow safe memory scanning during kmemleak disabling · 53109852
      Catalin Marinas authored
      [ Upstream commit c5f3b1a5 ]
      
      The kmemleak scanning thread can run for minutes.  Callbacks like
      kmemleak_free() are allowed during this time, the race being taken care
      of by the object->lock spinlock.  Such lock also prevents a memory block
      from being freed or unmapped while it is being scanned by blocking the
      kmemleak_free() -> ...  -> __delete_object() function until the lock is
      released in scan_object().
      
      When a kmemleak error occurs (e.g.  it fails to allocate its metadata),
      kmemleak_enabled is set and __delete_object() is no longer called on
      freed objects.  If kmemleak_scan is running at the same time,
      kmemleak_free() no longer waits for the object scanning to complete,
      allowing the corresponding memory block to be freed or unmapped (in the
      case of vfree()).  This leads to kmemleak_scan potentially triggering a
      page fault.
      
      This patch separates the kmemleak_free() enabling/disabling from the
      overall kmemleak_enabled nob so that we can defer the disabling of the
      object freeing tracking until the scanning thread completed.  The
      kmemleak_free_part() is deliberately ignored by this patch since this is
      only called during boot before the scanning thread started.
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Reported-by: default avatarVignesh Radhakrishnan <vigneshr@codeaurora.org>
      Tested-by: default avatarVignesh Radhakrishnan <vigneshr@codeaurora.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      53109852
    • Vineet Gupta's avatar
      ARC: add smp barriers around atomics per Documentation/atomic_ops.txt · e965e3a1
      Vineet Gupta authored
      [ Upstream commit 2576c28e ]
      
       - arch_spin_lock/unlock were lacking the ACQUIRE/RELEASE barriers
         Since ARCv2 only provides load/load, store/store and all/all, we need
         the full barrier
      
       - LLOCK/SCOND based atomics, bitops, cmpxchg, which return modified
         values were lacking the explicit smp barriers.
      
       - Non LLOCK/SCOND varaints don't need the explicit barriers since that
         is implicity provided by the spin locks used to implement the
         critical section (the spin lock barriers in turn are also fixed in
         this commit as explained above
      
      Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
      Cc: stable@vger.kernel.org
      Acked-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      e965e3a1
    • Vineet Gupta's avatar
      ARC: add compiler barrier to LLSC based cmpxchg · c71c2487
      Vineet Gupta authored
      [ Upstream commit d57f7272 ]
      
      When auditing cmpxchg call sites, Chuck noted that gcc was optimizing
      away some of the desired LDs.
      
      |	do {
      |		new = old = *ipi_data_ptr;
      |		new |= 1U << msg;
      |	} while (cmpxchg(ipi_data_ptr, old, new) != old);
      
      was generating to below
      
      | 8015cef8:	ld         r2,[r4,0]  <-- First LD
      | 8015cefc:	bset       r1,r2,r1
      |
      | 8015cf00:	llock      r3,[r4]  <-- atomic op
      | 8015cf04:	brne       r3,r2,8015cf10
      | 8015cf08:	scond      r1,[r4]
      | 8015cf0c:	bnz        8015cf00
      |
      | 8015cf10:	brne       r3,r2,8015cf00  <-- Branch doesn't go to orig LD
      
      Although this was fixed by adding a ACCESS_ONCE in this call site, it
      seems safer (for now at least) to add compiler barrier to LLSC based
      cmpxchg
      Reported-by: default avatarChuck Jordan <cjordan@synopsys,com>
      Cc: <stable@vger.kernel.org>
      Acked-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      c71c2487
    • Takashi Iwai's avatar
      PM / sleep: Increase default DPM watchdog timeout to 60 · 8e15f153
      Takashi Iwai authored
      [ Upstream commit fff3b16d ]
      
      Many harddisks (mostly WD ones) have firmware problems and take too
      long, more than 10 seconds, to resume from suspend.  And this often
      exceeds the default DPM watchdog timeout (12 seconds), resulting in a
      kernel panic out of sudden.
      
      Since most distros just take the default as is, we should give a bit
      more safer value.  This patch increases the default value from 12
      seconds to one minute, which has been confirmed to be long enough for
      such problematic disks.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=91921
      Fixes: 70fea60d (PM / Sleep: Detect device suspend/resume lockup and log event)
      Cc: 3.13+ <stable@vger.kernel.org> # 3.13+
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      8e15f153
    • Alexey Brodkin's avatar
      stmmac: troubleshoot unexpected bits in des0 & des1 · d89e99a3
      Alexey Brodkin authored
      [ Upstream commit f1590670 ]
      
      Current implementation of descriptor init procedure only takes
      care about setting/clearing ownership flag in "des0"/"des1"
      fields while it is perfectly possible to get unexpected bits
      set because of the following factors:
      
       [1] On driver probe underlying memory allocated with
           dma_alloc_coherent() might not be zeroed and so
           it will be filled with garbage.
      
       [2] During driver operation some bits could be set by SD/MMC
           controller (for example error flags etc).
      
      And unexpected and/or randomly set flags in "des0"/"des1"
      fields may lead to unpredictable behavior of GMAC DMA block.
      
      This change addresses both items above with:
      
       [1] Use of dma_zalloc_coherent() instead of simple
           dma_alloc_coherent() to make sure allocated memory is
           zeroed. That shouldn't affect performance because
           this allocation only happens once on driver probe.
      
       [2] Do explicit zeroing of both "des0" and "des1" fields
           of all buffer descriptors during initialization of
           DMA transfer.
      
      And while at it fixed identation of dma_free_coherent()
      counterpart as well.
      Signed-off-by: default avatarAlexey Brodkin <abrodkin@synopsys.com>
      Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
      Cc: arc-linux-dev@synopsys.com
      Cc: linux-kernel@vger.kernel.org
      Cc: stable@vger.kernel.org
      Cc: David Miller <davem@davemloft.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      d89e99a3
    • Jingoo Han's avatar
      of/address: use atomic allocation in pci_register_io_range() · d42b6b46
      Jingoo Han authored
      [ Upstream commit 294240ff ]
      
      When kzalloc() is called under spin_lock(), GFP_ATOMIC should be
      used to avoid sleeping allocation.
      The call tree is:
        of_pci_range_to_resource()
          --> pci_register_io_range() <-- takes spin_lock(&io_range_lock);
             --> kzalloc()
      Signed-off-by: default avatarJingoo Han <jingoohan1@gmail.com>
      Cc: stable@vger.kernel.org # 3.18+
      Signed-off-by: default avatarRob Herring <robh@kernel.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      d42b6b46
    • Eric W. Biederman's avatar
      netfilter: nf_qeueue: Drop queue entries on nf_unregister_hook · b396bdb5
      Eric W. Biederman authored
      [ Upstream commit 8405a8ff ]
      
      Add code to nf_unregister_hook to flush the nf_queue when a hook is
      unregistered.  This guarantees that the pointer that the nf_queue code
      retains into the nf_hook list will remain valid while a packet is
      queued.
      
      I tested what would happen if we do not flush queued packets and was
      trivially able to obtain the oops below.  All that was required was
      to stop the nf_queue listening process, to delete all of the nf_tables,
      and to awaken the nf_queue listening process.
      
      > BUG: unable to handle kernel paging request at 0000000100000001
      > IP: [<0000000100000001>] 0x100000001
      > PGD b9c35067 PUD 0
      > Oops: 0010 [#1] SMP
      > Modules linked in:
      > CPU: 0 PID: 519 Comm: lt-nfqnl_test Not tainted
      > task: ffff8800b9c8c050 ti: ffff8800ba9d8000 task.ti: ffff8800ba9d8000
      > RIP: 0010:[<0000000100000001>]  [<0000000100000001>] 0x100000001
      > RSP: 0018:ffff8800ba9dba40  EFLAGS: 00010a16
      > RAX: ffff8800bab48a00 RBX: ffff8800ba9dba90 RCX: ffff8800ba9dba90
      > RDX: ffff8800b9c10128 RSI: ffff8800ba940900 RDI: ffff8800bab48a00
      > RBP: ffff8800b9c10128 R08: ffffffff82976660 R09: ffff8800ba9dbb28
      > R10: dead000000100100 R11: dead000000200200 R12: ffff8800ba940900
      > R13: ffffffff8313fd50 R14: ffff8800b9c95200 R15: 0000000000000000
      > FS:  00007fb91fc34700(0000) GS:ffff8800bfa00000(0000) knlGS:0000000000000000
      > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      > CR2: 0000000100000001 CR3: 00000000babfb000 CR4: 00000000000007f0
      > Stack:
      >  ffffffff8206ab0f ffffffff82982240 ffff8800bab48a00 ffff8800b9c100a8
      >  ffff8800b9c10100 0000000000000001 ffff8800ba940900 ffff8800b9c10128
      >  ffffffff8206bd65 ffff8800bfb0d5e0 ffff8800bab48a00 0000000000014dc0
      > Call Trace:
      >  [<ffffffff8206ab0f>] ? nf_iterate+0x4f/0xa0
      >  [<ffffffff8206bd65>] ? nf_reinject+0x125/0x190
      >  [<ffffffff8206dee5>] ? nfqnl_recv_verdict+0x255/0x360
      >  [<ffffffff81386290>] ? nla_parse+0x80/0xf0
      >  [<ffffffff8206c42c>] ? nfnetlink_rcv_msg+0x13c/0x240
      >  [<ffffffff811b2fec>] ? __memcg_kmem_get_cache+0x4c/0x150
      >  [<ffffffff8206c2f0>] ? nfnl_lock+0x20/0x20
      >  [<ffffffff82068159>] ? netlink_rcv_skb+0xa9/0xc0
      >  [<ffffffff820677bf>] ? netlink_unicast+0x12f/0x1c0
      >  [<ffffffff82067ade>] ? netlink_sendmsg+0x28e/0x650
      >  [<ffffffff81fdd814>] ? sock_sendmsg+0x44/0x50
      >  [<ffffffff81fde07b>] ? ___sys_sendmsg+0x2ab/0x2c0
      >  [<ffffffff810e8f73>] ? __wake_up+0x43/0x70
      >  [<ffffffff8141a134>] ? tty_write+0x1c4/0x2a0
      >  [<ffffffff81fde9f4>] ? __sys_sendmsg+0x44/0x80
      >  [<ffffffff823ff8d7>] ? system_call_fastpath+0x12/0x6a
      > Code:  Bad RIP value.
      > RIP  [<0000000100000001>] 0x100000001
      >  RSP <ffff8800ba9dba40>
      > CR2: 0000000100000001
      > ---[ end trace 08eb65d42362793f ]---
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      b396bdb5
    • Ralf Baechle's avatar
      NET: ROSE: Don't dereference NULL neighbour pointer. · d46c266a
      Ralf Baechle authored
      [ Upstream commit d496f784 ]
      
      A ROSE socket doesn't necessarily always have a neighbour pointer so check
      if the neighbour pointer is valid before dereferencing it.
      Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Tested-by: default avatarBernard Pidoux <f6bvp@free.fr>
      Cc: stable@vger.kernel.org #2.6.11+
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      d46c266a
    • Dave Airlie's avatar
      drm/dp/mst: take lock around looking up the branch device on hpd irq · c44ed568
      Dave Airlie authored
      [ Upstream commit 9eb1e57f ]
      
      If we are doing an MST transaction and we've gotten HPD and we
      lookup the device from the incoming msg, we should take the mgr
      lock around it, so that mst_primary and mstb->ports are valid.
      Reviewed-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      c44ed568
    • Daniel Vetter's avatar
      drm/dp/mst: make sure mst_primary mstb is valid in work function · 0e266aad
      Daniel Vetter authored
      [ Upstream commit 9254ec49 ]
      
      This validates the mst_primary under the lock, and then calls
      into the check and send function. This makes the code a lot
      easier to understand the locking rules in.
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@intel.com>
      Reviewed-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      0e266aad
    • Darrick J. Wong's avatar
      ext4: don't retry file block mapping on bigalloc fs with non-extent file · 9b7da0c6
      Darrick J. Wong authored
      [ Upstream commit 292db1bc ]
      
      ext4 isn't willing to map clusters to a non-extent file.  Don't signal
      this with an out of space error, since the FS will retry the
      allocation (which didn't fail) forever.  Instead, return EUCLEAN so
      that the operation will fail immediately all the way back to userspace.
      
      (The fix is either to run e2fsck -E bmap2extent, or to chattr +e the file.)
      Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      9b7da0c6
    • Eric Sandeen's avatar
      xfs: fix remote symlinks on V5/CRC filesystems · c56932bd
      Eric Sandeen authored
      [ Upstream commit 2ac56d3d ]
      
      If we create a CRC filesystem, mount it, and create a symlink with
      a path long enough that it can't live in the inode, we get a very
      strange result upon remount:
      
      # ls -l mnt
      total 4
      lrwxrwxrwx. 1 root root 929 Jun 15 16:58 link -> XSLM
      
      XSLM is the V5 symlink block header magic (which happens to be
      followed by a NUL, so the string looks terminated).
      
      xfs_readlink_bmap() advanced cur_chunk by the size of the header
      for CRC filesystems, but never actually used that pointer; it
      kept reading from bp->b_addr, which is the start of the block,
      rather than the start of the symlink data after the header.
      
      Looks like this problem goes back to v3.10.
      
      Fixing this gets us reading the proper link target, again.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarEric Sandeen <sandeen@redhat.com>
      Reviewed-by: default avatarDave Chinner <dchinner@redhat.com>
      Signed-off-by: default avatarDave Chinner <david@fromorbit.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      c56932bd
    • James Hogan's avatar
      MIPS: Fix KVM guest fixmap address · 19194bca
      James Hogan authored
      [ Upstream commit 8e748c8d ]
      
      KVM guest kernels for trap & emulate run in user mode, with a modified
      set of kernel memory segments. However the fixmap address is still in
      the normal KSeg3 region at 0xfffe0000 regardless, causing problems when
      cache alias handling makes use of them when handling copy on write.
      
      Therefore define FIXADDR_TOP as 0x7ffe0000 in the guest kernel mapped
      region when CONFIG_KVM_GUEST is defined.
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Cc: <stable@vger.kernel.org> # v3.10+
      Patchwork: https://patchwork.linux-mips.org/patch/9887/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      19194bca
  2. 04 Jul, 2015 27 commits