1. 30 Dec, 2015 11 commits
    • Merge branch 'akpm' (patches from Andrew) · 866be88a
      Linus Torvalds authored
      Merge misc fixes from Andrew Morton:
       "9 fixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        mm/vmstat: fix overflow in mod_zone_page_state()
        ocfs2/dlm: clear migration_pending when migration target goes down
        mm/memory_hotplug.c: check for missing sections in test_pages_in_a_zone()
        ocfs2: fix flock panic issue
        m32r: add io*_rep helpers
        m32r: fix build failure
        arch/x86/xen/suspend.c: include xen/xen.h
        mm: memcontrol: fix possible memcg leak due to interrupted reclaim
        ocfs2: fix BUG when calculate new backup super
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · e25bd6ca
      Linus Torvalds authored
      Pull vfs fix from Al Viro:
       "Fix for 3.15 breakage of fcntl64() in arm OABI compat.  -stable
        fodder"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        [PATCH] arm: fix handling of F_OFD_... in oabi_fcntl64()
    • mm/vmstat: fix overflow in mod_zone_page_state() · 6cdb18ad
      Heiko Carstens authored
      mod_zone_page_state() takes a "delta" integer argument.  delta contains
      the number of pages that should be added or subtracted from a struct
      zone's vm_stat field.
      
      If a zone is larger than 8TB this will cause overflows.  E.g.  for a
      zone with a size slightly larger than 8TB the line
      
          mod_zone_page_state(zone, NR_ALLOC_BATCH, zone->managed_pages);
      
      in mm/page_alloc.c:free_area_init_core() will result in a negative
      result for the NR_ALLOC_BATCH entry within the zone's vm_stat, since 8TB
      contain 0x8xxxxxxx pages which will be sign extended to a negative
      value.
      
      Fix this by changing the delta argument to long type.
      
      This could fix an early boot problem seen on s390, where we have a 9TB
      system with only one node.  ZONE_DMA contains 2GB and ZONE_NORMAL the
      rest.  The system is trying to allocate a GFP_DMA page but ZONE_DMA is
      completely empty, so it tries to reclaim pages in an endless loop.
      
      This was seen on a heavily patched 3.10 kernel.  One possible
      explanation seems to be the overflows caused by mod_zone_page_state().
      Unfortunately I did not have the chance to verify that this patch
      actually fixes the problem, since I don't have access to the system
      right now.  However the overflow problem does exist anyway.
      
      Given the description that a system with slightly less than 8TB does
      work, this seems to be a candidate for the observed problem.
      Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: Christoph Lameter <cl@linux.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • ocfs2/dlm: clear migration_pending when migration target goes down · cc28d6d8
      xuejiufei authored
      We have found a BUG on res->migration_pending when migrating lock
      resources.  The situation is as follows.
      
      dlm_mark_lockres_migration
        res->migration_pending = 1;
        __dlm_lockres_reserve_ast
        dlm_lockres_release_ast returns with res->migration_pending remains
            because other threads reserve asts
        wait dlm_migration_can_proceed returns 1
        >>>>>>> o2hb found that target goes down and remove target
                from domain_map
        dlm_migration_can_proceed returns 1
        dlm_mark_lockres_migrating returns -ESHOTDOWN with
            res->migration_pending still remains.
      
      When reentering dlm_mark_lockres_migrating(), it will trigger the BUG_ON
      with res->migration_pending.  So clear migration_pending when target is
      down.
      Signed-off-by: Jiufei Xue <xuejiufei@huawei.com>
      Reviewed-by: Joseph Qi <joseph.qi@huawei.com>
      Cc: Mark Fasheh <mfasheh@suse.de>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Junxiao Bi <junxiao.bi@oracle.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • mm/memory_hotplug.c: check for missing sections in test_pages_in_a_zone() · 5f0f2887
      Andrew Banman authored
      test_pages_in_a_zone() does not account for the possibility of missing
      sections in the given pfn range.  pfn_valid_within always returns 1 when
      CONFIG_HOLES_IN_ZONE is not set, allowing invalid pfns from missing
      sections to pass the test, leading to a kernel oops.
      
      Wrap an additional pfn loop with PAGES_PER_SECTION granularity to check
      for missing sections before proceeding into the zone-check code.
      
      This also prevents a crash from offlining memory devices with missing
      sections.  Despite this, it may be a good idea to keep the related patch
      '[PATCH 3/3] drivers: memory: prohibit offlining of memory blocks with
      missing sections' because missing sections in a memory block may lead to
      other problems not covered by the scope of this fix.
      Signed-off-by: Andrew Banman <abanman@sgi.com>
      Acked-by: Alex Thorlton <athorlton@sgi.com>
      Cc: Russ Anderson <rja@sgi.com>
      Cc: Alex Thorlton <athorlton@sgi.com>
      Cc: Yinghai Lu <yinghai@kernel.org>
      Cc: Greg KH <greg@kroah.com>
      Cc: Seth Jennings <sjennings@variantweb.net>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • ocfs2: fix flock panic issue · b5a8bc33
      Junxiao Bi authored
      Commit 4f656367 ("Move locks API users to locks_lock_inode_wait()")
      move flock/posix lock identify code to locks_lock_inode_wait(), but
      missed to set fl_flags to FL_FLOCK which caused the following kernel
      panic on 4.4.0_rc5.
      
        kernel BUG at fs/locks.c:1895!
        invalid opcode: 0000 [#1] SMP
        Modules linked in: ocfs2(O) ocfs2_dlmfs(O) ocfs2_stack_o2cb(O) ocfs2_dlm(O) ocfs2_nodemanager(O) ocfs2_stackglue(O) iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi xen_kbdfront xen_netfront xen_fbfront xen_blkfront
        CPU: 0 PID: 20268 Comm: flock_unit_test Tainted: G           O    4.4.0-rc5-next-20151217 #1
        Hardware name: Xen HVM domU, BIOS 4.3.1OVM 05/14/2014
        task: ffff88007b3672c0 ti: ffff880028b58000 task.ti: ffff880028b58000
        RIP: locks_lock_inode_wait+0x2e/0x160
        Call Trace:
          ocfs2_do_flock+0x91/0x160 [ocfs2]
          ocfs2_flock+0x76/0xd0 [ocfs2]
          SyS_flock+0x10f/0x1a0
          entry_SYSCALL_64_fastpath+0x12/0x71
        Code: e5 41 57 41 56 49 89 fe 41 55 41 54 53 48 89 f3 48 81 ec 88 00 00 00 8b 46 40 83 e0 03 83 f8 01 0f 84 ad 00 00 00 83 f8 02 74 04 <0f> 0b eb fe 4c 8d ad 60 ff ff ff 4c 8d 7b 58 e8 0e 8e 73 00 4d
        RIP  locks_lock_inode_wait+0x2e/0x160
         RSP <ffff880028b5bce8>
        ---[ end trace dfca74ec9b5b274c ]---
      
      Fixes: 4f656367 ("Move locks API users to locks_lock_inode_wait()")
      Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
      Cc: Mark Fasheh <mfasheh@suse.de>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Joseph Qi <joseph.qi@huawei.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • m32r: add io*_rep helpers · 92a8ed4c
      Sudip Mukherjee authored
      m32r allmodconfig was failing with the error:
      
        error: implicit declaration of function 'read'
      
      On checking io.h it turned out that 'read' is not defined but 'readb' is
      defined and 'ioread8' will then obviously mean 'readb'.
      
      At the same time some of the helper functions ioreadN_rep() and
      iowriteN_rep() were missing which also led to the build failure.
      Signed-off-by: Sudip Mukherjee <sudip@vectorindia.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • m32r: fix build failure · 6122192e
      Sudip Mukherjee authored
      m32r allmodconfig is failing with:
      
        In file included from ../include/linux/kvm_para.h:4:0,
                         from ../kernel/watchdog.c:26:
        ../include/uapi/linux/kvm_para.h:30:26: fatal error: asm/kvm_para.h: No such file or directory
      
      kvm_para.h was not included in the build.
      Signed-off-by: Sudip Mukherjee <sudip@vectorindia.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • arch/x86/xen/suspend.c: include xen/xen.h · facca616
      Andrew Morton authored
      Fix the build warning:
      
        arch/x86/xen/suspend.c: In function 'xen_arch_pre_suspend':
        arch/x86/xen/suspend.c:70:9: error: implicit declaration of function 'xen_pv_domain' [-Werror=implicit-function-declaration]
                if (xen_pv_domain())
                    ^
      Reported-by: kbuild test robot <fengguang.wu@intel.com>
      Cc: Sasha Levin <sasha.levin@oracle.com>
      Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
      Cc: David Vrabel <david.vrabel@citrix.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • mm: memcontrol: fix possible memcg leak due to interrupted reclaim · 6df38689
      Vladimir Davydov authored
      Memory cgroup reclaim can be interrupted with mem_cgroup_iter_break()
      once enough pages have been reclaimed, in which case, in contrast to a
      full round-trip over a cgroup sub-tree, the current position stored in
      mem_cgroup_reclaim_iter of the target cgroup does not get invalidated
      and so is left holding the reference to the last scanned cgroup.  If the
      target cgroup does not get scanned again (we might have just reclaimed
      the last page or all processes might exit and free their memory
      voluntarily), we will leak it, because there is nobody to put the
      reference held by the iterator.
      
      The problem is easy to reproduce by running the following command
      sequence in a loop:
      
          mkdir /sys/fs/cgroup/memory/test
          echo 100M > /sys/fs/cgroup/memory/test/memory.limit_in_bytes
          echo $$ > /sys/fs/cgroup/memory/test/cgroup.procs
          memhog 150M
          echo $$ > /sys/fs/cgroup/memory/cgroup.procs
          rmdir test
      
      The cgroups generated by it will never get freed.
      
      This patch fixes this issue by making mem_cgroup_iter avoid taking
      reference to the current position.  In order not to hit use-after-free
      bug while running reclaim in parallel with cgroup deletion, we make use
      of ->css_released cgroup callback to clear references to the dying
      cgroup in all reclaim iterators that might refer to it.  This callback
      is called right before scheduling rcu work which will free css, so if we
      access iter->position from rcu read section, we might be sure it won't
      go away under us.
      
      [hannes@cmpxchg.org: clean up css ref handling]
      Fixes: 5ac8fb31 ("mm: memcontrol: convert reclaim iterator to simple css refcounting")
      Signed-off-by: Vladimir Davydov <vdavydov@virtuozzo.com>
      Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
      Acked-by: Michal Hocko <mhocko@kernel.org>
      Acked-by: Johannes Weiner <hannes@cmpxchg.org>
      Cc: <stable@vger.kernel.org>	[3.19+]
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • ocfs2: fix BUG when calculate new backup super · 5c9ee4cb
      Joseph Qi authored
      When resizing, it firstly extends the last gd.  Once it should backup
      super in the gd, it calculates new backup super and update the
      corresponding value.
      
      But it currently doesn't consider the situation that the backup super is
      already done.  And in this case, it still sets the bit in gd bitmap and
      then decrease from bg_free_bits_count, which leads to a corrupted gd and
      trigger the BUG in ocfs2_block_group_set_bits:
      
          BUG_ON(le16_to_cpu(bg->bg_free_bits_count) < num_bits);
      
      So check whether the backup super is done and then do the updates.
      Signed-off-by: Joseph Qi <joseph.qi@huawei.com>
      Reviewed-by: Jiufei Xue <xuejiufei@huawei.com>
      Reviewed-by: Yiwen Jiang <jiangyiwen@huawei.com>
      Cc: Mark Fasheh <mfasheh@suse.de>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  2. 29 Dec, 2015 2 commits
    • [PATCH] arm: fix handling of F_OFD_... in oabi_fcntl64() · 76cc404b
      Al Viro authored
      Cc: stable@vger.kernel.org # 3.15+
      Reviewed-by: Jeff Layton <jeff.layton@primarydata.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma · 1e60508c
      Linus Torvalds authored
      Pull rdma fixes from Doug Ledford:
       "Three late 4.4-rc fixes.
      
        The first two were very small in terms of number of lines, the third
        is more lines of change than I like this late in the cycle, but there
        are positive test results from Avagotech and from my own test setup
        with the target hardware, and given the problem was a 100% failure
        case, I sent it through.
      
         - A previous patch updated the mlx4 driver to use vmalloc when there
           was not enough memory to get a contiguous region large enough for
           our needs, so we need kvfree() whenever we free that item.  We
           missed one place, so fix that now.
      
         - A previous patch added code to match incoming packets against a
           specific device, but failed to compensate for devices that have
           both InfiniBand and Ethernet ports.  Fix that.
      
         - Under certain vlan conditions, the ocrdma driver would fail to
           bring up any vlan interfaces and would print out a circular locking
           failure.  Fix that"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma:
        RDMA/be2net: Remove open and close entry points
        RDMA/ocrdma: Depend on async link events from CNA
        RDMA/ocrdma: Dispatch only port event when port state changes
        RDMA/ocrdma: Fix vlan-id assignment in qp parameters
        IB/mlx4: Replace kfree with kvfree in mlx4_ib_destroy_srq
        IB/cma: cma_match_net_dev needs to take into account port_num
  3. 28 Dec, 2015 9 commits
  4. 27 Dec, 2015 5 commits
    • MIPS: Fix bitrot in __get_user_unaligned() · 930c0f70
      Al Viro authored
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    • Merge tag 'pm+acpi-4.4-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 2c96961f
      Linus Torvalds authored
      Pull power management and ACPI fixes from Rafael Wysocki:
       "These fix an ACPI processor driver regression introduced during the
        4.3 cycle and a mistake in the recently added SCPI support in the
        arm_big_little cpufreq driver.
      
        Specifics:
      
         - Fix a thermal management issue introduced by an ACPI processor
           driver change made during the 4.3 development cycle that failed to
           return 0 from a function on success which triggered an error
           cleanup path every time it had been called that deleted useful data
           structures created previously (Srinivas Pandruvada).
      
         - Fix a variable data type issue in the arm_big_little cpufreq
           driver's SCPI support code added recently that prevents error
           handling in there from working correctly (Dan Carpenter)"
      
      * tag 'pm+acpi-4.4-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        cpufreq: scpi-cpufreq: signedness bug in scpi_get_dvfs_info()
        ACPI / processor: Fix thermal cooling device regression
    • Merge tag 'md/4.4-rc6-fix' of git://neil.brown.name/md · f0cf008f
      Linus Torvalds authored
      Pull md bugfix from Neil Brown:
       "One more md fix for 4.4-rc
      
        Fix a regression which causes reshape to not start properly sometimes"
      
      * tag 'md/4.4-rc6-fix' of git://neil.brown.name/md:
        md: remove check for MD_RECOVERY_NEEDED in action_store.
    • Merge tag 'upstream-4.4-rc7' of git://git.infradead.org/linux-ubifs · 3bef22ee
      Linus Torvalds authored
      Pull UBI bug fixes from Richard Weinberger:
       "This contains four bug fixes for UBI"
      
      * tag 'upstream-4.4-rc7' of git://git.infradead.org/linux-ubifs:
        mtd: ubi: don't leak e if schedule_erase() fails
        mtd: ubi: fixup error correction in do_sync_erase()
        UBI: fix use of "VID" vs. "EC" in header self-check
        UBI: fix return error code
    • Merge tag 'trace-v4.4-rc4-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · e2b0a161
      Linus Torvalds authored
      Pull ftrace/recordmcount fix from Steven Rostedt:
       "Russell King was reporting lots of warnings when he compiled his
        kernel with ftrace enabled.  With some investigation it was discovered
        that it was his compile setup.  He was using ccache with hard links,
        which allowed recordmcount to process the same .o twice.  When this
        happens, recordmcount will detect that it was already done and give a
        warning about it.
      
        Russell fixed this by having recordmcount detect that the object file
        has more than one hard link, and if it does, it unlinks the object
        file after it maps it and processes then.  This appears to fix the
        issue.
      
        As you did not like the fact that recordmcount modified the file in
        place and thought that it should do the modifications in memory and
        then write it out to disk and move it over the old file to prevent
        other more subtle issues like the one above, a second patch is added
        on top of Russell's to do just that.  Luckily the original code had
        write and lseek wrappers that I was able to modify to not do inplace
        writes, but simply keep track of the changes made in memory.  When a
        write is made, a "update" flag is set, and at the end of processing,
        if the update is set, then it writes the file with changes out to a
        new file, and then renames it over the original one.
      
        The file descriptor is still passed to the write and lseek wrappers
        because removing that would cause the change to be more intrusive.
        That can be removed in a follow up cleanup patch that can wait till
        the next merge window"
      
      * tag 'trace-v4.4-rc4-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        ftrace/scripts: Have recordmcount copy the object file
        scripts: recordmcount: break hardlinks
  5. 26 Dec, 2015 2 commits
    • Merge tag 'arc-4.4-rc7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc · 12261f4e
      Linus Torvalds authored
      Pull ARC fixes from Vineet Gupta:
       "Sorry for this late pull request, but these are all important fixes
        for code introduced/updated in this release which we will otherwise
        end up back porting.
      
         - Unwinder rework (A revert followed by better fix)
         - Build errors: MMUv2, modules with -Os
         - highmem section mismatch build splat"
      
      * tag 'arc-4.4-rc7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc:
        ARC: dw2 unwind: Catch Dwarf SNAFUs early
        ARC: dw2 unwind: Don't bail for CIE.version != 1
        Revert "ARC: dw2 unwind: Ignore CIE version !=1 gracefully instead of bailing"
        ARC: Fix linking errors with CONFIG_MODULE + CONFIG_CC_OPTIMIZE_FOR_SIZE
        ARC: mm: fix building for MMU v2
        ARC: mm: HIGHMEM: Fix section mismatch splat
    • Merge branches 'acpi-processor' and 'pm-cpufreq' · 43b28ca8
      Rafael J. Wysocki authored
      * acpi-processor:
        ACPI / processor: Fix thermal cooling device regression
      
      * pm-cpufreq:
        cpufreq: scpi-cpufreq: signedness bug in scpi_get_dvfs_info()
  6. 25 Dec, 2015 2 commits
    • Merge branch 'parisc-4.4-4' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux · 8db7b3c5
      Linus Torvalds authored
      Pull parisc system call restart fix from Helge Deller:
       "The architectural design of parisc always uses two instructions to
        call kernel syscalls (delayed branch feature).  This means that the
        instruction following the branch (located in the delay slot of the
        branch instruction) is executed before control passes to the branch
        destination.
      
        Depending on which assembler instruction and how it is used in
        userspace in the delay slot, this sometimes made restarted syscalls
        like futex() and poll() failing with -ENOSYS"
      
      * 'parisc-4.4-4' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux:
        parisc: Fix syscall restarts
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc · 682cb0cd
      Linus Torvalds authored
      Pull sparc fixes from David Miller:
      
       1) Finally make perf stack backtraces stable on sparc, several problems
          (mostly due to the context in which the user copies from the stack
          are done) contributed to this.
      
          From Rob Gardner.
      
       2) Export ADI capability if the cpu supports it.
      
       3) Hook up userfaultfd system call.
      
       4) When faults happen during user copies we really have to clean up and
          restore the FPU state fully.  Also from Rob Gardner
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
        tty/serial: Skip 'NULL' char after console break when sysrq enabled
        sparc64: fix FP corruption in user copy functions
        sparc64: Perf should save/restore fault info
        sparc64: Ensure perf can access user stacks
        sparc64: Don't set %pil in rtrap_nmi too early
        sparc64: Add ADI capability to cpu capabilities
        tty: serial: constify sunhv_ops structs
        sparc: Hook up userfaultfd system call
  7. 24 Dec, 2015 8 commits
    • tty/serial: Skip 'NULL' char after console break when sysrq enabled · 079317a6
      Vijay Kumar authored
      When sysrq is triggered from console, serial driver for SUN hypervisor
      console receives a console break and enables the sysrq. It expects a valid
      sysrq char following with break. Meanwhile if driver receives 'NULL'
      ASCII char then it disables sysrq and sysrq handler will never be invoked.
      
      This fix skips calling uart sysrq handler when 'NULL' is received while
      sysrq is enabled.
      Signed-off-by: Vijay Kumar <vijay.ac.kumar@oracle.com>
      Acked-by: Karl Volz <karl.volz@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sparc64: fix FP corruption in user copy functions · a7c5724b
      Rob Gardner authored
      Short story: Exception handlers used by some copy_to_user() and
      copy_from_user() functions do not diligently clean up floating point
      register usage, and this can result in a user process seeing invalid
      values in floating point registers. This sometimes makes the process
      fail.
      
      Long story: Several cpu-specific (NG4, NG2, U1, U3) memcpy functions
      use floating point registers and VIS alignaddr/faligndata to
      accelerate data copying when source and dest addresses don't align
      well. Linux uses a lazy scheme for saving floating point registers; It
      is not done upon entering the kernel since it's a very expensive
      operation. Rather, it is done only when needed. If the kernel ends up
      not using FP regs during the course of some trap or system call, then
      it can return to user space without saving or restoring them.
      
      The various memcpy functions begin their FP code with VISEntry (or a
      variation thereof), which saves the FP regs. They conclude their FP
      code with VISExit (or a variation) which essentially marks the FP regs
      "clean", ie, they contain no unsaved values. fprs.FPRS_FEF is turned
      off so that a lazy restore will be triggered when/if the user process
      accesses floating point regs again.
      
      The bug is that the user copy variants of memcpy, copy_from_user() and
      copy_to_user(), employ an exception handling mechanism to detect faults
      when accessing user space addresses, and when this handler is invoked,
      an immediate return from the function is forced, and VISExit is not
      executed, thus leaving the fprs register in an indeterminate state,
      but often with fprs.FPRS_FEF set and one or more dirty bits. This
      results in a return to user space with invalid values in the FP regs,
      and since fprs.FPRS_FEF is on, no lazy restore occurs.
      
      This bug affects copy_to_user() and copy_from_user() for NG4, NG2,
      U3, and U1. All are fixed by using a new exception handler for those
      loads and stores that are done during the time between VISEnter and
      VISExit.
      
      n.b. In NG4memcpy, the problematic code can be triggered by a copy
      size greater than 128 bytes and an unaligned source address.  This bug
      is known to be the cause of random user process memory corruptions
      while perf is running with the callgraph option (ie, perf record -g).
      This occurs because perf uses copy_from_user() to read user stacks,
      and may fault when it follows a stack frame pointer off to an
      invalid page. Validation checks on the stack address just obscure
      the underlying problem.
      Signed-off-by: Rob Gardner <rob.gardner@oracle.com>
      Signed-off-by: Dave Aldridge <david.j.aldridge@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sparc64: Perf should save/restore fault info · 83352694
      Rob Gardner authored
      There have been several reports of random processes being killed with
      a bus error or segfault during userspace stack walking in perf.  One
      of the root causes of this problem is an asynchronous modification to
      thread_info fault_address and fault_code, which stems from a perf
      counter interrupt arriving during kernel processing of a "benign"
      fault, such as a TSB miss. Since perf_callchain_user() invokes
      copy_from_user() to read user stacks, a fault is not only possible,
      but probable. Validity checks on the stack address merely cover up the
      problem and reduce its frequency.
      
      The solution here is to save and restore fault_address and fault_code
      in perf_callchain_user() so that the benign fault handler is not
      disturbed by a perf interrupt.
      Signed-off-by: Rob Gardner <rob.gardner@oracle.com>
      Signed-off-by: Dave Aldridge <david.j.aldridge@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sparc64: Ensure perf can access user stacks · 3f74306a
      Rob Gardner authored
      When an interrupt (such as a perf counter interrupt) is delivered
      while executing in user space, the trap entry code puts ASI_AIUS in
      %asi so that copy_from_user() and copy_to_user() will access the
      correct memory. But if a perf counter interrupt is delivered while the
      cpu is already executing in kernel space, then the trap entry code
      will put ASI_P in %asi, and this will prevent copy_from_user() from
      reading any useful stack data in either of the perf_callchain_user_X
      functions, and thus no user callgraph data will be collected for this
      sample period. An additional problem is that a fault is guaranteed
      to occur, and though it will be silently covered up, it wastes time
      and could perturb state.
      
      In perf_callchain_user(), we ensure that %asi contains ASI_AIUS
      because we know for a fact that the subsequent calls to
      copy_from_user() are intended to read the user's stack.
      
      [ Use get_fs()/set_fs() -DaveM ]
      Signed-off-by: Rob Gardner <rob.gardner@oracle.com>
      Signed-off-by: Dave Aldridge <david.j.aldridge@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sparc64: Don't set %pil in rtrap_nmi too early · 1ca04a4c
      Rob Gardner authored
      Commit 28a1f533 delays setting %pil to avoid potential
      hardirq stack overflow in the common rtrap_irq path.
      Setting %pil also needs to be delayed in the rtrap_nmi
      path for the same reason.
      Signed-off-by: Rob Gardner <rob.gardner@oracle.com>
      Signed-off-by: Dave Aldridge <david.j.aldridge@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sparc64: Add ADI capability to cpu capabilities · 82924e54
      Khalid Aziz authored
      Add ADI (Application Data Integrity) capability to cpu capabilities list.
      ADI capability allows virtual addresses to be encoded with a tag in
      bits 63-60. This tag serves as an access control key for the regions
      of virtual address with ADI enabled and a key set on them. Hypervisor
      encodes this capability as "adp" in "hwcap-list" property in machine
      description.
      Signed-off-by: Khalid Aziz <khalid.aziz@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tty: serial: constify sunhv_ops structs · 01fd3c27
      Aya Mahfouz authored
      Constifies sunhv_ops structures in tty's serial
      driver since they are not modified after their
      initialization.
      
      Detected and found using Coccinelle.
      Suggested-by: Julia Lawall <Julia.Lawall@lip6.fr>
      Signed-off-by: Aya Mahfouz <mahfouz.saif.elyazal@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • cpufreq: scpi-cpufreq: signedness bug in scpi_get_dvfs_info() · a7def561
      Dan Carpenter authored
      The "domain" variable needs to be signed for the error handling to work.
      
      Fixes: 8def3103 (cpufreq: arm_big_little: add SCPI interface driver)
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
      Acked-by: Sudeep Holla <sudeep.holla@arm.com>
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
  8. 23 Dec, 2015 1 commit