1. 31 Jul, 2015 1 commit
  2. 30 Jul, 2015 6 commits
  3. 29 Jul, 2015 9 commits
    • dm cache: fix device destroy hang due to improper prealloc_used accounting · 795e633a
      Mike Snitzer authored
      Commit 665022d7 ("dm cache: avoid calls to prealloc_free_structs() if
      possible") introduced a regression that caused the removal of a DM cache
      device to hang in cache_postsuspend()'s call to wait_for_migrations()
      with the following stack trace:
      
        [<ffffffff81651457>] schedule+0x37/0x80
        [<ffffffffa041e21b>] cache_postsuspend+0xbb/0x470 [dm_cache]
        [<ffffffff810ba970>] ? prepare_to_wait_event+0xf0/0xf0
        [<ffffffffa0006f77>] dm_table_postsuspend_targets+0x47/0x60 [dm_mod]
        [<ffffffffa0001eb5>] __dm_destroy+0x215/0x250 [dm_mod]
        [<ffffffffa0004113>] dm_destroy+0x13/0x20 [dm_mod]
        [<ffffffffa00098cd>] dev_remove+0x10d/0x170 [dm_mod]
        [<ffffffffa00097c0>] ? dev_suspend+0x240/0x240 [dm_mod]
        [<ffffffffa0009f85>] ctl_ioctl+0x255/0x4d0 [dm_mod]
        [<ffffffff8127ac00>] ? SYSC_semtimedop+0x280/0xe10
        [<ffffffffa000a213>] dm_ctl_ioctl+0x13/0x20 [dm_mod]
        [<ffffffff811fd432>] do_vfs_ioctl+0x2d2/0x4b0
        [<ffffffff81117d5f>] ? __audit_syscall_entry+0xaf/0x100
        [<ffffffff81022636>] ? do_audit_syscall_entry+0x66/0x70
        [<ffffffff811fd689>] SyS_ioctl+0x79/0x90
        [<ffffffff81023e58>] ? syscall_trace_leave+0xb8/0x110
        [<ffffffff81654f6e>] entry_SYSCALL_64_fastpath+0x12/0x71
      
      Fix this by accounting for the call to prealloc_data_structs()
      immediately _before_ the call as opposed to after.  This is needed
      because it is possible to break out of the control loop after the call
      to prealloc_data_structs() but before prealloc_used was set to true.
      Signed-off-by: Mike Snitzer <snitzer@redhat.com>
    • Revert "dm cache: do not wake_worker() in free_migration()" · 3508e659
      Mike Snitzer authored
      This reverts commit 386cb7cd.
      
      Taking the wake_worker() out of free_migration() will slow writeback
      dramatically, and hence adaptability.
      
      Say we have 10k blocks that need writing back, but are only able to
      issue 5 concurrently due to the migration bandwidth: it's imperative
      that we wake_worker() immediately after migration completion; waiting
      for the next 1 second wake up (via do_waker) means it'll take a long
      time to write that all back.
      Reported-by: Joe Thornber <ejt@redhat.com>
      Signed-off-by: Mike Snitzer <snitzer@redhat.com>
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 86ea07ca
      Linus Torvalds authored
      Pull s390 fixes from Martin Schwidefsky:
       "Two bug fixes:
      
         - fix a crash on pre-z10 hardware due to cache-info
      
         - fix an issue with classic BPF programs in the eBPF JIT"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/cachinfo: add missing facility check to init_cache_level()
        s390/bpf: clear correct BPF accumulator register
    • Merge tag 'vfio-v4.2-rc5' of git://github.com/awilliam/linux-vfio · d9065f44
      Linus Torvalds authored
      Pull VFIO fix from Alex Williamson:
       "Fix a lockdep reported deadlock in device open error path"
      
      * tag 'vfio-v4.2-rc5' of git://github.com/awilliam/linux-vfio:
        vfio: Fix lockdep issue
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending · 733db573
      Linus Torvalds authored
      Pull SCSI target fixes from Nicholas Bellinger:
       "This series is larger than what I'd normally be comfortable with
        sending for a -rc5 PULL request..
      
        However, the bulk of the series is localized to qla2xxx target
        specific fixes that address a number of real-world correctness issues,
        that have been outstanding on the list for ~6 weeks now.  They were
        submitted + verified + acked by the HW LLD vendor, contributed by a
        major production customer of the code, and are marked for v3.18.y
        stable code.
      
        That said, I don't see a good reason to wait another month to get
        these fixes into mainline.
      
        Beyond the qla2xxx specific fixes, this series also includes:
      
         - bugfix for a long standing use-after-free in iscsi-target during
           TPG shutdown + demo-mode sessions.
      
         - bugfix for a >= v4.0 regression OOPs in iscsi-target during an
           iscsi_start_kthreads() failure.
      
         - bugfix for a >= v4.0 regression hang in iscsi-target for iser
           explicit session/connection logout.
      
         - bugfix for an iser-target bug where an early CMA REJECTED status
           during login triggers a NULL pointer dereference OOPs.
      
         - bugfixes for a handful of v4.2-rc1 specific regressions related to
           the larger set of recent backend configfs attribute changes.
      
        A big thanks to QLogic + Pure Storage for the qla2xxx target bugfixes"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending: (28 commits)
        Documentation/target: Fix tcm_mod_builder.py build breakage
        iser-target: Fix REJECT CM event use-after-free OOPs
        iscsi-target: Fix iser explicit logout TX kthread leak
        iscsi-target: Fix iscsit_start_kthreads failure OOPs
        iscsi-target: Fix use-after-free during TPG session shutdown
        qla2xxx: terminate exchange when command is aborted by LIO
        qla2xxx: drop cmds/tmrs arrived while session is being deleted
        qla2xxx: disable scsi_transport_fc registration in target mode
        qla2xxx: added sess generations to detect RSCN update races
        qla2xxx: Abort stale cmds on qla_tgt_wq when plogi arrives
        qla2xxx: delay plogi/prli ack until existing sessions are deleted
        qla2xxx: cleanup cmd in qla workqueue before processing TMR
        qla2xxx: kill sessions/log out initiator on RSCN and port down events
        qla2xxx: fix command initialization in target mode.
        qla2xxx: Remove msleep in qlt_send_term_exchange
        qla2xxx: adjust debug flags
        qla2xxx: release request queue reservation.
        qla2xxx: Add flush after updating ATIOQ consumer index.
        qla2xxx: Enable target mode for ISP27XX
        qla2xxx: Fix hardware lock/unlock issue causing kernel panic.
        ...
    • Merge branches 'pm-cpufreq' and 'acpi-pm' · d29809b8
      Rafael J. Wysocki authored
      * pm-cpufreq:
        cpufreq: Avoid attempts to create duplicate symbolic links
        intel_pstate: Add get_scaling cpu_defaults param to Knights Landing
      
      * acpi-pm:
        ACPI / PM: Use target_state to set the device power state
    • xfs: remote attributes need to be considered data · df150ed1
      Dave Chinner authored
      We don't log remote attribute contents, and instead write them
      synchronously before we commit the block allocation and attribute
      tree update transaction. As a result we are writing to the allocated
      space before the allocation has been made permanent.
      
      As a result, we cannot consider this allocation to be a metadata
      allocation. Metadata allocation can take blocks from the free list
      and so reuse them before the transaction that freed the block is
      committed to disk. This behaviour is perfectly fine for journalled
      metadata changes as log recovery will ensure the free operation is
      replayed before the overwrite, but for remote attribute writes this
      is not the case.
      
      Hence we have to consider the remote attribute blocks to contain
      data and allocate accordingly. We do this by dropping the
      XFS_BMAPI_METADATA flag from the block allocation. This means the
      allocation will not use blocks that are on the busy list without
      first ensuring that the freeing transaction has been committed to
      disk and the blocks removed from the busy list. This ensures we will
      never overwrite a freed block without first ensuring that it is
      really free.
      
      cc: <stable@vger.kernel.org>
      Signed-off-by: Dave Chinner <dchinner@redhat.com>
      Reviewed-by: Brian Foster <bfoster@redhat.com>
      Signed-off-by: Dave Chinner <david@fromorbit.com>
    • xfs: remote attribute headers contain an invalid LSN · e3c32ee9
      Dave Chinner authored
      In recent testing, a system that crashed failed log recovery on
      restart with a bad symlink buffer magic number:
      
      XFS (vda): Starting recovery (logdev: internal)
      XFS (vda): Bad symlink block magic!
      XFS: Assertion failed: 0, file: fs/xfs/xfs_log_recover.c, line: 2060
      
      On examination of the log via xfs_logprint, none of the symlink
      buffers in the log had a bad magic number, nor were any other types
      of buffer log format headers mis-identified as symlink buffers.
      Tracing was used to find the buffer the kernel was tripping over,
      and xfs_db identified its contents as:
      
      000: 5841524d 00000000 00000346 64d82b48 8983e692 d71e4680 a5f49e2c b317576e
      020: 00000000 00602038 00000000 006034ce d0020000 00000000 4d4d4d4d 4d4d4d4d
      040: 4d4d4d4d 4d4d4d4d 4d4d4d4d 4d4d4d4d 4d4d4d4d 4d4d4d4d 4d4d4d4d 4d4d4d4d
      060: 4d4d4d4d 4d4d4d4d 4d4d4d4d 4d4d4d4d 4d4d4d4d 4d4d4d4d 4d4d4d4d 4d4d4d4d
      .....
      
      This is a remote attribute buffer, which are notable in that they
      are not logged but are instead written synchronously by the remote
      attribute code so that they exist on disk before the attribute
      transactions are committed to the journal.
      
      The above remote attribute block has an invalid LSN in it - cycle
      0xd002000, block 0 - which means when log recovery comes along to
      determine if the transaction that writes to the underlying block
      should be replayed, it sees a block that has a future LSN and so
      does not replay the buffer data in the transaction. Instead, it
      validates the buffer magic number and attaches the buffer verifier
      to it.  It is this buffer magic number check that is failing in the
      above assert, indicating that we skipped replay due to the LSN of
      the underlying buffer.
      
      The problem here is that the remote attribute buffers cannot have a
      valid LSN placed into them, because the transaction that contains 
      the attribute tree pointer changes and the block allocation that the
      attribute data is being written to hasn't yet been committed. Hence
      the LSN field in the attribute block is completely unwritten,
      thereby leaving the underlying contents of the block in the LSN
      field. It could have any value, and hence a future overwrite of the
      block by log recovery may or may not work correctly.
      
      Fix this by always writing an invalid LSN to the remote attribute
      block, as any buffer in log recovery that needs to write over the
      remote attribute should occur. We are protected from having old data
      written over the attribute by the fact that freeing the block before
      the remote attribute is written will result in the buffer being
      marked stale in the log and so all changes prior to the buffer stale
      transaction will be cancelled by log recovery.
      
      Hence it is safe to ignore the LSN in the case of synchronously
      written, unlogged metadata such as remote attribute blocks, and to
      ensure we do that correctly, we need to write an invalid LSN to all
      remote attribute blocks to trigger immediate recovery of metadata
      that is written over the top.
      
      As a further protection for filesystems that may already have remote
      attribute blocks with bad LSNs on disk, change the log recovery code
      to always trigger immediate recovery of metadata over remote
      attribute blocks.
      
      cc: <stable@vger.kernel.org>
      Signed-off-by: Dave Chinner <dchinner@redhat.com>
      Reviewed-by: Brian Foster <bfoster@redhat.com>
      Signed-off-by: Dave Chinner <david@fromorbit.com>
    • xfs: call dax_fault on read page faults for DAX · b2442c5a
      Dave Chinner authored
      When modifying the patch series to handle the XFS MMAP_LOCK nesting
      of page faults, I botched the conversion of the read page fault
      path, and so it is only ever calling through the page cache. Re-add
      the necessary __dax_fault() call for such files.
      
      Because the get_blocks callback on read faults may not set up the
      mapping buffer correctly to allow unwritten extent completion to be
      run, we need to allow callers of __dax_fault() to pass a null
      complete_unwritten() callback. The DAX code always zeros the
      unwritten page when it is read faulted so there are no stale data
      exposure issues with not doing the conversion. The only downside
      will be the potential for increased CPU overhead on repeated read
      faults of the same page. If this proves to be a problem, then the
      filesystem needs to fix its get_block callback and provide a
      convert_unwritten() callback to the read fault path.
      Signed-off-by: Dave Chinner <dchinner@redhat.com>
      Reviewed-by: Matthew Wilcox <willy@linux.intel.com>
      Reviewed-by: Brian Foster <bfoster@redhat.com>
      Signed-off-by: Dave Chinner <david@fromorbit.com>
  4. 28 Jul, 2015 16 commits
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma · 956325bd
      Linus Torvalds authored
      Pull rdma fixes from Doug Ledford:
      
       - two minor bug fixes
      
       - relicense ocrdma driver to dual license, GPL or BSD
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma:
        RDMA/ocrdma: update ocrdma module license string
        RDMA/ocrdma: update ocrdma license to dual-license
        IB/ipoib: Fix CONFIG_INFINIBAND_IPOIB_CM
        RDMA/cxgb3: fail get_dma_mr on 64 bit arches
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security · d4ec1f18
      Linus Torvalds authored
      Pull key fix from James Morris.
      
      Fix memory leak.
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
        KEYS: ensure we free the assoc array edit if edit is valid
    • Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · d61be4b3
      Linus Torvalds authored
      Pull arm64 fix from Catalin Marinas:
       "Fix buffer overflow when UTF-16 UEFI vendor string is copied from the
        system table into a char array with a size of 100 bytes"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64/efi: map the entire UEFI vendor string before reading it
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/egtvedt/linux-avr32 · 67eb890e
      Linus Torvalds authored
      Pull AVR32 fix from Hans-Christian Egtvedt.
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/egtvedt/linux-avr32:
        avr32: handle NULL as a valid clock object
    • Revert "Input: zforce - don't overwrite the stack" · 3213afb8
      Dmitry Torokhov authored
      This reverts commit 7d01cd26 because
      with given FRAME_MAXSIZE of 257 the check will never trigger and it
      causes warnings from GCC (with -Wtype-limits). Also the check was
      incorrect as it was not accounting for the already read 2 bytes of data
      stored in the buffer.
    • Merge tag 'devicetree-fixes-for-4.2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux · 02ff371a
      Linus Torvalds authored
      Pull devicetree fixes from Rob Herring:
       "A handful of DT related fixes for 4.2-rc"
      
      * tag 'devicetree-fixes-for-4.2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
        of: Drop owner assignment from platform and i2c driver
        DEVICETREE: Misc fix for the AR7100 SPI controller binding
        of: constify drv arg of of_driver_match_device stub
        of: add HAS_IOMEM depends to OF_ADDRESS
    • Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost · 90c8acce
      Linus Torvalds authored
      Pull vhost fixes from Michael Tsirkin:
       "Two bugfixes only here"
      
      * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost:
        vhost: fix error handling for memory region alloc
        vhost: actually track log eventfd file
    • Merge tag 'linux-kselftest-4.2-rc5' of... · 30b4f0fa
      Linus Torvalds authored
      Merge tag 'linux-kselftest-4.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
      
      Pull kselftest fix from Shuah Khan.
      
      * tag 'linux-kselftest-4.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:
        selftests/futex: Fix futex_cmp_requeue_pi() error handling
    • Merge tag 'nfs-for-4.2-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs · d8132e08
      Linus Torvalds authored
      Pull NFS client bugfixes from Trond Myklebust:
       "Highlights include:
      
        Stable patches:
         - Fix a situation where the client uses the wrong (zero) stateid.
         - Fix a memory leak in nfs_do_recoalesce
      
        Bugfixes:
         - Plug a memory leak when ->prepare_layoutcommit fails
         - Fix an Oops in the NFSv4 open code
         - Fix a backchannel deadlock
         - Fix a livelock in sunrpc when sendmsg fails due to low memory
           availability
         - Don't revalidate the mapping if both size and change attr are up to
           date
         - Ensure we don't miss a file extension when doing pNFS
         - Several fixes to handle NFSv4.1 sequence operation status bits
           correctly
         - Several pNFS layout return bugfixes"
      
      * tag 'nfs-for-4.2-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs: (28 commits)
        nfs: Fix an oops caused by using other thread's stack space in ASYNC mode
        nfs: plug memory leak when ->prepare_layoutcommit fails
        SUNRPC: Report TCP errors to the caller
        sunrpc: translate -EAGAIN to -ENOBUFS when socket is writable.
        NFSv4.2: handle NFS-specific llseek errors
        NFS: Don't clear desc->pg_moreio in nfs_do_recoalesce()
        NFS: Fix a memory leak in nfs_do_recoalesce
        NFS: nfs_mark_for_revalidate should always set NFS_INO_REVAL_PAGECACHE
        NFS: Remove the "NFS_CAP_CHANGE_ATTR" capability
        NFS: Set NFS_INO_REVAL_PAGECACHE if the change attribute is uninitialised
        NFS: Don't revalidate the mapping if both size and change attr are up to date
        NFSv4/pnfs: Ensure we don't miss a file extension
        NFSv4: We must set NFS_OPEN_STATE flag in nfs_resync_open_stateid_locked
        SUNRPC: xprt_complete_bc_request must also decrement the free slot count
        SUNRPC: Fix a backchannel deadlock
        pNFS: Don't throw out valid layout segments
        pNFS: pnfs_roc_drain() fix a race with open
        pNFS: Fix races between return-on-close and layoutreturn.
        pNFS: pnfs_roc_drain should return 'true' when sleeping
        pNFS: Layoutreturn must invalidate all existing layout segments.
        ...
    • Merge tag 'for-f2fs-v4.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs · 2ee6b000
      Linus Torvalds authored
      Pull f2fs fixes from Jaegeuk Kim.
      
      * tag 'for-f2fs-v4.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs:
        f2fs: call set_page_dirty to attach i_wb for cgroup
        f2fs: handle error cases in move_encrypted_block
    • cpufreq: Avoid attempts to create duplicate symbolic links · 559ed407
      Rafael J. Wysocki authored
      After commit 87549141 (cpufreq: Stop migrating sysfs files on
      hotplug) there is a problem with CPUs that share cpufreq policy
      objects with other CPUs and are initially offline.
      
      Say CPU1 shares a policy with CPU0 which is online and is registered
      first.  As part of the registration process, cpufreq_add_dev() is
      called for it.  It creates the policy object and a symbolic link
      to it from the CPU1's sysfs directory.  If CPU1 is registered
      subsequently and it is offline at that time, cpufreq_add_dev() will
      attempt to create a symbolic link to the policy object for it, but
      that link is present already, so a warning about that will be
      triggered.
      
      To avoid that warning, make cpufreq use an additional CPU mask
      containing related CPUs that are actually present for each policy
      object.  That mask is initialized when the policy object is populated
      after its creation (for the first online CPU using it) and it includes
      CPUs from the "policy CPUs" mask returned by the cpufreq driver's
      ->init() callback that are physically present at that time.  Symbolic
      links to the policy are created only for the CPUs in that mask.
      
      If cpufreq_add_dev() is invoked for an offline CPU, it checks the
      new mask and only creates the symlink if the CPU was not in it (the
      CPU is added to the mask at the same time).
      
      In turn, cpufreq_remove_dev() drops the given CPU from the new mask,
      removes its symlink to the policy object and returns, unless it is
      the CPU owning the policy object.  In that case, the policy object
      is moved to a new CPU's sysfs directory or deleted if the CPU being
      removed was the last user of the policy.
      
      While at it, notice that cpufreq_remove_dev() can't fail, because
      its return value is ignored, so make it ignore return values from
      __cpufreq_remove_dev_prepare() and __cpufreq_remove_dev_finish()
      and prevent these functions from aborting on errors returned by
      __cpufreq_governor().  Also drop the now unused sif argument from
      them.
      
      Fixes: 87549141 (cpufreq: Stop migrating sysfs files on hotplug)
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      Reported-and-tested-by: Russell King <linux@arm.linux.org.uk>
      Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
    • ACPI / PM: Use target_state to set the device power state · 71b65445
      Mika Westerberg authored
      Commit 20dacb71 ("ACPI / PM: Rework device power management to follow
      ACPI 6") changed the device power management to use D3hot if the device
      in question does not have _PR3 method even if D3cold was requested by the
      caller.
      
      However, if the device has _PR3, device->power.state is also set to D3hot
      instead of D3cold after power resources have been turned off because
      device->power.state will be assigned from "state" instead of
      "target_state".
      
      Next time the device is transitioned to D0, acpi_power_transition() will
      find that the current power state of the device is D3hot instead of D3cold
      which causes it to power down all resources required for the current
      (wrong) state D3hot.
      
      Below is a simplified ASL example of a real touch panel device which
      triggers the problem:
      
        Scope (TPL1)
        {
            Name (_PR0, Package (1) { \_SB.PCI0.I2C1.PXTC })
            Name (_PR3, Package (1) { \_SB.PCI0.I2C1.PXTC })
            ...
        }
      
      In both D0 and D3hot the same power resource is required. However, when
      acpi_power_transition() turns off power resources required for D3hot (as
      the device is transitioned to D0) it powers down PXTC which then makes the
      device lose its power.
      
      Fix this by assigning "target_state" to the device power state instead of
      "state" that is always D3hot even for devices with valid _PR3.
      
      Fixes: 20dacb71 (ACPI / PM: Rework device power management to follow ACPI 6)
      Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    • nfs: Fix an oops caused by using other thread's stack space in ASYNC mode · a49c2691
      Kinglong Mee authored
      An oops caused by using other thread's stack space in sunrpc ASYNC sending thread.
      
      [ 9839.007187] ------------[ cut here ]------------
      [ 9839.007923] kernel BUG at fs/nfs/nfs4xdr.c:910!
      [ 9839.008069] invalid opcode: 0000 [#1] SMP
      [ 9839.008069] Modules linked in: blocklayoutdriver rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache snd_hda_codec_generic snd_hda_intel snd_hda_controller snd_hda_codec snd_hwdep snd_seq snd_seq_device snd_pcm joydev iosf_mbi crct10dif_pclmul snd_timer crc32_pclmul crc32c_intel ghash_clmulni_intel snd soundcore ppdev pvpanic parport_pc i2c_piix4 serio_raw virtio_balloon parport acpi_cpufreq nfsd nfs_acl lockd grace auth_rpcgss sunrpc qxl drm_kms_helper virtio_net virtio_console virtio_blk ttm drm virtio_pci virtio_ring virtio ata_generic pata_acpi
      [ 9839.008069] CPU: 0 PID: 308 Comm: kworker/0:1H Not tainted 4.0.0-0.rc4.git1.3.fc23.x86_64 #1
      [ 9839.008069] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
      [ 9839.008069] Workqueue: rpciod rpc_async_schedule [sunrpc]
      [ 9839.008069] task: ffff8800d8b4d8e0 ti: ffff880036678000 task.ti: ffff880036678000
      [ 9839.008069] RIP: 0010:[<ffffffffa0339cc9>]  [<ffffffffa0339cc9>] reserve_space.part.73+0x9/0x10 [nfsv4]
      [ 9839.008069] RSP: 0018:ffff88003667ba58  EFLAGS: 00010246
      [ 9839.008069] RAX: 0000000000000000 RBX: 000000001fc15e18 RCX: ffff8800c0193800
      [ 9839.008069] RDX: ffff8800e4ae3f24 RSI: 000000001fc15e2c RDI: ffff88003667bcd0
      [ 9839.008069] RBP: ffff88003667ba58 R08: ffff8800d9173008 R09: 0000000000000003
      [ 9839.008069] R10: ffff88003667bcd0 R11: 000000000000000c R12: 0000000000010000
      [ 9839.008069] R13: ffff8800d9173350 R14: 0000000000000000 R15: ffff8800c0067b98
      [ 9839.008069] FS:  0000000000000000(0000) GS:ffff88011fc00000(0000) knlGS:0000000000000000
      [ 9839.008069] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 9839.008069] CR2: 00007f988c9c8bb0 CR3: 00000000d99b6000 CR4: 00000000000407f0
      [ 9839.008069] Stack:
      [ 9839.008069]  ffff88003667bbc8 ffffffffa03412c5 00000000c6c55680 ffff880000000003
      [ 9839.008069]  0000000000000088 00000010c6c55680 0001000000000002 ffffffff816e87e9
      [ 9839.008069]  0000000000000000 00000000477290e2 ffff88003667bab8 ffffffff81327ba3
      [ 9839.008069] Call Trace:
      [ 9839.008069]  [<ffffffffa03412c5>] encode_attrs+0x435/0x530 [nfsv4]
      [ 9839.008069]  [<ffffffff816e87e9>] ? inet_sendmsg+0x69/0xb0
      [ 9839.008069]  [<ffffffff81327ba3>] ? selinux_socket_sendmsg+0x23/0x30
      [ 9839.008069]  [<ffffffff8164c1df>] ? do_sock_sendmsg+0x9f/0xc0
      [ 9839.008069]  [<ffffffff8164c278>] ? kernel_sendmsg+0x58/0x70
      [ 9839.008069]  [<ffffffffa011acc0>] ? xdr_reserve_space+0x20/0x170 [sunrpc]
      [ 9839.008069]  [<ffffffffa011acc0>] ? xdr_reserve_space+0x20/0x170 [sunrpc]
      [ 9839.008069]  [<ffffffffa0341b40>] ? nfs4_xdr_enc_open_noattr+0x130/0x130 [nfsv4]
      [ 9839.008069]  [<ffffffffa03419a5>] encode_open+0x2d5/0x340 [nfsv4]
      [ 9839.008069]  [<ffffffffa0341b40>] ? nfs4_xdr_enc_open_noattr+0x130/0x130 [nfsv4]
      [ 9839.008069]  [<ffffffffa011ab89>] ? xdr_encode_opaque+0x19/0x20 [sunrpc]
      [ 9839.008069]  [<ffffffffa0339cfb>] ? encode_string+0x2b/0x40 [nfsv4]
      [ 9839.008069]  [<ffffffffa0341bf3>] nfs4_xdr_enc_open+0xb3/0x140 [nfsv4]
      [ 9839.008069]  [<ffffffffa0110a4c>] rpcauth_wrap_req+0xac/0xf0 [sunrpc]
      [ 9839.008069]  [<ffffffffa01017db>] call_transmit+0x18b/0x2d0 [sunrpc]
      [ 9839.008069]  [<ffffffffa0101650>] ? call_decode+0x860/0x860 [sunrpc]
      [ 9839.008069]  [<ffffffffa0101650>] ? call_decode+0x860/0x860 [sunrpc]
      [ 9839.008069]  [<ffffffffa010caa0>] __rpc_execute+0x90/0x460 [sunrpc]
      [ 9839.008069]  [<ffffffffa010ce85>] rpc_async_schedule+0x15/0x20 [sunrpc]
      [ 9839.008069]  [<ffffffff810b452b>] process_one_work+0x1bb/0x410
      [ 9839.008069]  [<ffffffff810b47d3>] worker_thread+0x53/0x470
      [ 9839.008069]  [<ffffffff810b4780>] ? process_one_work+0x410/0x410
      [ 9839.008069]  [<ffffffff810b4780>] ? process_one_work+0x410/0x410
      [ 9839.008069]  [<ffffffff810ba7b8>] kthread+0xd8/0xf0
      [ 9839.008069]  [<ffffffff810ba6e0>] ? kthread_worker_fn+0x180/0x180
      [ 9839.008069]  [<ffffffff81786418>] ret_from_fork+0x58/0x90
      [ 9839.008069]  [<ffffffff810ba6e0>] ? kthread_worker_fn+0x180/0x180
      [ 9839.008069] Code: 00 00 48 c7 c7 21 fa 37 a0 e8 94 1c d6 e0 c6 05 d2 17 05 00 01 8b 03 eb d7 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 <0f> 0b 0f 1f 44 00 00 66 66 66 66 90 55 48 89 e5 41 54 53 89 f3
      [ 9839.008069] RIP  [<ffffffffa0339cc9>] reserve_space.part.73+0x9/0x10 [nfsv4]
      [ 9839.008069]  RSP <ffff88003667ba58>
      [ 9839.071114] ---[ end trace cc14c03adb522e94 ]---
      Signed-off-by: Kinglong Mee <kinglongmee@gmail.com>
      Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
    • nfs: plug memory leak when ->prepare_layoutcommit fails · 3471648a
      Jeff Layton authored
      "data" is currently leaked when the prepare_layoutcommit operation
      returns an error. Put the cred before taking the spinlock in that
      case, take the lock and then goto out_unlock which will drop the
      lock and then free "data".
      Signed-off-by: Jeff Layton <jeff.layton@primarydata.com>
      Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
    • s390/cachinfo: add missing facility check to init_cache_level() · 0b991f5c
      Heiko Carstens authored
      Stephen Powell reported the following crash on a z890 machine:
      
      Kernel BUG at 00000000001219d0 [verbose debug info unavailable]
      illegal operation: 0001 ilc:3 [#1] SMP
      Krnl PSW : 0704e00180000000 00000000001219d0 (init_cache_level+0x38/0xe0)
      	   R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 EA:3
      Krnl Code: 00000000001219c2: a7840056		brc	8,121a6e
      	   00000000001219c6: a7190000		lghi	%r1,0
      	  #00000000001219ca: eb101000004c	ecag	%r1,%r0,0(%r1)
      	  >00000000001219d0: a7390000		lghi	%r3,0
      	   00000000001219d4: e310f0a00024	stg	%r1,160(%r15)
      	   00000000001219da: a7080000		lhi	%r0,0
      	   00000000001219de: a7b9f000		lghi	%r11,-4096
      	   00000000001219e2: c0a0002899d9	larl	%r10,634d94
      Call Trace:
       [<0000000000478ee2>] detect_cache_attributes+0x2a/0x2b8
       [<000000000097c9b0>] cacheinfo_sysfs_init+0x60/0xc8
       [<00000000001001c0>] do_one_initcall+0x98/0x1c8
       [<000000000094fdc2>] kernel_init_freeable+0x212/0x2d8
       [<000000000062352e>] kernel_init+0x26/0x118
       [<000000000062fd2e>] kernel_thread_starter+0x6/0xc
      
      The illegal operation was executed because of a missing facility check,
      which should have made sure that the ECAG execution would only be executed
      on machines which have the general-instructions-extension facility
      installed.
      Reported-and-tested-by: Stephen Powell <zlinuxman@wowway.com>
      Cc: stable@vger.kernel.org # v4.0+
      Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
    • KEYS: ensure we free the assoc array edit if edit is valid · ca4da5dd
      Colin Ian King authored
      __key_link_end is not freeing the associated array edit structure
      and this leads to a 512 byte memory leak each time an identical
      existing key is added with add_key().
      
      The reason the add_key() system call returns okay is that
      key_create_or_update() calls __key_link_begin() before checking to see
      whether it can update a key directly rather than adding/replacing - which
      it turns out it can.  Thus __key_link() is not called through
      __key_instantiate_and_link() and __key_link_end() must cancel the edit.
      
      CVE-2015-1333
      Signed-off-by: Colin Ian King <colin.king@canonical.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
      Signed-off-by: James Morris <james.l.morris@oracle.com>
  5. 27 Jul, 2015 8 commits