Nadav Amit [Tue, 30 Sep 2014 17:49:18 +0000 (20:49 +0300)]
KVM: x86: Wrong assertion on paging_tmpl.h
Even after the recent fix, the assertion on paging_tmpl.h is triggered.
Apparently, the assertion wants to check that the PAE is always set on
long-mode, but does it in incorrect way. Note that the assertion is not
enabled unless the code is debugged by defining MMU_DEBUG.
Signed-off-by: Nadav Amit <namit@cs.technion.ac.il> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
kvm: fix excessive pages un-pinning in kvm_iommu_map error path.
The third parameter of kvm_unpin_pages() when called from
kvm_iommu_map_pages() is wrong, it should be the number of pages to un-pin
and not the page size.
This error was facilitated with an inconsistent API: kvm_pin_pages() takes
a size, but kvn_unpin_pages() takes a number of pages, so fix the problem
by matching the two.
This was introduced by commit 34d4982 ("kvm: iommu: fix the third parameter
of kvm_iommu_put_pages (CVE-2014-3601)"), which fixes the lack of
un-pinning for pages intended to be un-pinned (i.e. memory leak) but
unfortunately potentially aggravated the number of pages we un-pin that
should have stayed pinned. As far as I understand though, the same
practical mitigations apply.
This issue was found during review of Red Hat 6.6 patches to prepare
Ksplice rebootless updates.
Thanks to Vegard for his time on a late Friday evening to help me in
understanding this code.
Nadav Amit [Mon, 13 Oct 2014 10:04:14 +0000 (13:04 +0300)]
KVM: x86: PREFETCH and HINT_NOP should have SrcMem flag
The decode phase of the x86 emulator assumes that every instruction with the
ModRM flag, and which can be used with RIP-relative addressing, has either
SrcMem or DstMem. This is not the case for several instructions - prefetch,
hint-nop and clflush.
Adding SrcMem|NoAccess for prefetch and hint-nop and SrcMem for clflush.
This fixes CVE-2014-8480.
Fixes: aaade02e9f3996e965e97758ff8852b2da44a983 Cc: stable@vger.kernel.org Signed-off-by: Nadav Amit <namit@cs.technion.ac.il> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Nadav Amit [Mon, 13 Oct 2014 10:04:13 +0000 (13:04 +0300)]
KVM: x86: Emulator does not decode clflush well
Currently, all group15 instructions are decoded as clflush (e.g., mfence,
xsave). In addition, the clflush instruction requires no prefix (66/f2/f3)
would exist. If prefix exists it may encode a different instruction (e.g.,
clflushopt).
Creating a group for clflush, and different group for each prefix.
This has been the case forever, but the next patch needs the cflush group
in order to fix a bug introduced in 3.17.
Fixes: aaade02e9f3996e965e97758ff8852b2da44a983 Cc: stable@vger.kernel.org Signed-off-by: Nadav Amit <namit@cs.technion.ac.il> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Paolo Bonzini [Thu, 23 Oct 2014 12:54:14 +0000 (14:54 +0200)]
KVM: emulate: avoid accessing NULL ctxt->memopp
A failure to decode the instruction can cause a NULL pointer access.
This is fixed simply by moving the "done" label as close as possible
to the return.
This fixes CVE-2014-8481.
Reported-by: Andy Lutomirski <luto@amacapital.net> Cc: stable@vger.kernel.org Fixes: aaade02e9f3996e965e97758ff8852b2da44a983 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Nadav Amit [Thu, 2 Oct 2014 22:10:04 +0000 (01:10 +0300)]
KVM: x86: Decoding guest instructions which cross page boundary may fail
Once an instruction crosses a page boundary, the size read from the second page
disregards the common case that part of the operand resides on the first page.
As a result, fetch of long insturctions may fail, and thereby cause the
decoding to fail as well.
Cc: stable@vger.kernel.org Fixes: 027eec54a2c8a2e43b14410deb135313d1174021 Signed-off-by: Nadav Amit <namit@cs.technion.ac.il> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
KVM_EXIT_UNKNOWN is a kvm bug, we don't really know whether it was
triggered by a priveledged application. Let's not kill the guest: WARN
and inject #UD instead.
Cc: stable@vger.kernel.org Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Petr Matousek [Tue, 23 Sep 2014 18:22:30 +0000 (20:22 +0200)]
kvm: vmx: handle invvpid vm exit gracefully
On systems with invvpid instruction support (corresponding bit in
IA32_VMX_EPT_VPID_CAP MSR is set) guest invocation of invvpid
causes vm exit, which is currently not handled and results in
propagation of unknown exit to userspace.
Fix this by installing an invvpid vm exit handler.
This is CVE-2014-3646.
Cc: stable@vger.kernel.org Signed-off-by: Petr Matousek <pmatouse@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Nadav Amit [Thu, 18 Sep 2014 19:39:39 +0000 (22:39 +0300)]
KVM: x86: Handle errors when RIP is set during far jumps
Far jmp/call/ret may fault while loading a new RIP. Currently KVM does not
handle this case, and may result in failed vm-entry once the assignment is
done. The tricky part of doing so is that loading the new CS affects the
VMCS/VMCB state, so if we fail during loading the new RIP, we are left in
unconsistent state. Therefore, this patch saves on 64-bit the old CS
descriptor and restores it if loading RIP failed.
This fixes CVE-2014-3647.
Cc: stable@vger.kernel.org Signed-off-by: Nadav Amit <namit@cs.technion.ac.il> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Nadav Amit [Thu, 18 Sep 2014 19:39:38 +0000 (22:39 +0300)]
KVM: x86: Emulator fixes for eip canonical checks on near branches
Before changing rip (during jmp, call, ret, etc.) the target should be asserted
to be canonical one, as real CPUs do. During sysret, both target rsp and rip
should be canonical. If any of these values is noncanonical, a #GP exception
should occur. The exception to this rule are syscall and sysenter instructions
in which the assigned rip is checked during the assignment to the relevant
MSRs.
This patch fixes the emulator to behave as real CPUs do for near branches.
Far branches are handled by the next patch.
This fixes CVE-2014-3647.
Cc: stable@vger.kernel.org Signed-off-by: Nadav Amit <namit@cs.technion.ac.il> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Andy Honig [Wed, 27 Aug 2014 21:42:54 +0000 (14:42 -0700)]
KVM: x86: Improve thread safety in pit
There's a race condition in the PIT emulation code in KVM. In
__kvm_migrate_pit_timer the pit_timer object is accessed without
synchronization. If the race condition occurs at the wrong time this
can crash the host kernel.
This fixes CVE-2014-3611.
Cc: stable@vger.kernel.org Signed-off-by: Andrew Honig <ahonig@google.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Andy Honig [Wed, 27 Aug 2014 18:16:44 +0000 (11:16 -0700)]
KVM: x86: Prevent host from panicking on shared MSR writes.
The previous patch blocked invalid writes directly when the MSR
is written. As a precaution, prevent future similar mistakes by
gracefulling handle GPs caused by writes to shared MSRs.
Cc: stable@vger.kernel.org Signed-off-by: Andrew Honig <ahonig@google.com>
[Remove parts obsoleted by Nadav's patch. - Paolo] Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Nadav Amit [Tue, 16 Sep 2014 00:24:05 +0000 (03:24 +0300)]
KVM: x86: Check non-canonical addresses upon WRMSR
Upon WRMSR, the CPU should inject #GP if a non-canonical value (address) is
written to certain MSRs. The behavior is "almost" identical for AMD and Intel
(ignoring MSRs that are not implemented in either architecture since they would
anyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if
non-canonical address is written on Intel but not on AMD (which ignores the top
32-bits).
Accordingly, this patch injects a #GP on the MSRs which behave identically on
Intel and AMD. To eliminate the differences between the architecutres, the
value which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to
canonical value before writing instead of injecting a #GP.
Some references from Intel and AMD manuals:
According to Intel SDM description of WRMSR instruction #GP is expected on
WRMSR "If the source register contains a non-canonical address and ECX
specifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,
IA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP."
According to AMD manual instruction manual:
LSTAR/CSTAR (SYSCALL): "The WRMSR instruction loads the target RIP into the
LSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical
form, a general-protection exception (#GP) occurs."
IA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): "The address written to the
base field must be in canonical form or a #GP fault will occur."
IA32_KERNEL_GS_BASE (SWAPGS): "The address stored in the KernelGSbase MSR must
be in canonical form."
This patch fixes CVE-2014-3610.
Cc: stable@vger.kernel.org Signed-off-by: Nadav Amit <namit@cs.technion.ac.il> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Linus Torvalds [Tue, 21 Oct 2014 20:06:38 +0000 (13:06 -0700)]
Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending
Pull SCSI target updates from Nicholas Bellinger:
"Here are the target updates for v3.18-rc2 code. These where
originally destined for -rc1, but due to the combination of travel
last week for KVM Forum and my mistake of taking the three week merge
window literally, the pull request slipped.. Apologies for that.
Things where reasonably quiet this round. The highlights include:
- New userspace backend driver (target_core_user.ko) by Shaohua Li
and Andy Grover
- A number of cleanups in target, iscsi-taret and qla_target code
from Joern Engel
- Fix an OOPs related to queue full handling with CHECK_CONDITION
status from Quinn Tran
- Fix to disable TX completion interrupt coalescing in iser-target,
that was causing problems on some hardware
- Fix for PR APTPL metadata handling with demo-mode ACLs
I'm most excited about the new backend driver that uses UIO + shared
memory ring to dispatch I/O and control commands into user-space.
This was probably the most requested feature by users over the last
couple of years, and opens up a new area of development + porting of
existing user-space storage applications to LIO. Thanks to Shaohua +
Andy for making this happen.
Also another honorable mention, a new Xen PV SCSI driver was merged
via the xen/tip.git tree recently, which puts us now at 10 target
drivers in upstream! Thanks to David Vrabel + Juergen Gross for their
work to get this code merged"
* 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending: (40 commits)
target/file: fix inclusive vfs_fsync_range() end
iser-target: Disable TX completion interrupt coalescing
target: Add force_pr_aptpl device attribute
target: Fix APTPL metadata handling for dynamic MappedLUNs
qla_target: don't delete changed nacls
target/user: Recalculate pad size inside is_ring_space_avail()
tcm_loop: Fixup tag handling
iser-target: Fix smatch warning
target/user: Fix up smatch warnings in tcmu_netlink_event
target: Add a user-passthrough backstore
target: Add documentation on the target userspace pass-through driver
uio: Export definition of struct uio_device
target: Remove unneeded check in sbc_parse_cdb
target: Fix queue full status NULL pointer for SCF_TRANSPORT_TASK_SENSE
qla_target: rearrange struct qla_tgt_prm
qla_target: improve qlt_unmap_sg()
qla_target: make some global functions static
qla_target: remove unused parameter
target: simplify core_tmr_abort_task
target: encapsulate smp_mb__after_atomic()
...
Linus Torvalds [Tue, 21 Oct 2014 18:21:19 +0000 (11:21 -0700)]
Merge branch 'mailbox-for-linus' of git://git.linaro.org/landing-teams/working/fujitsu/integration
Pull mailbox framework from Jassi Brar:
"A framework for Mailbox controllers and clients have been cooking for
more than a year now.
Everybody in the CC list had been copied on patchset revisions and
most of them have made sounds of approval, though just one concrete
Reviewed-by. The patchset has also been in linux-next for a couple of
weeks now and no conflict has been reported. The framework has the
backing of at least 5 platforms, though I can't say if/when they
upstream their drivers (some businesses have 'changed')"
(Further acked-by by Arnd Bergmann and Suman Anna in the pull request
thread)
* 'mailbox-for-linus' of git://git.linaro.org/landing-teams/working/fujitsu/integration:
dt: mailbox: add generic bindings
doc: add documentation for mailbox framework
mailbox: Introduce framework for mailbox
mailbox: rename pl320-ipc specific mailbox.h
Linus Torvalds [Tue, 21 Oct 2014 15:18:38 +0000 (08:18 -0700)]
Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/cooloney/linux-leds
Pull LED update from Bryan Wu:
"Basically we have some bug fixing and clean up and one big thing is we
start to merge patch to add support LED Flash class"
* 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/cooloney/linux-leds:
leds: gpio: cleanup the leds-gpio driver
led: gpio: Fix possible ZERO_SIZE_PTR pointer dereferencing error.
led: gpio: Sort include headers alphabetically
leds: Improve and export led_update_brightness
leds: trigger: gpio: fix warning in gpio trigger for gpios whose accessor function may sleep
leds: lp3944: fix sparse warning
leds: avoid using DEVICE_ATTR macro for max_brightness attribute
leds: make brightness type consistent across whole subsystem
leds: Reorder include directives
Linus Torvalds [Tue, 21 Oct 2014 15:17:43 +0000 (08:17 -0700)]
Merge tag 'pwm/for-3.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/thierry.reding/linux-pwm
Pull pwm changes from Thierry Reding:
"There are no new drivers here, only a couple of fixes all over the
place"
* tag 'pwm/for-3.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/thierry.reding/linux-pwm:
pwm: Let PWM_CLPS711X depend on HAS_IOMEM
pwm: atmel: Fix calculation of prescale value
pwm: Fix uninitialized warnings in pwm_get()
pwm: rockchip: Allow polarity invert on rk3288
pwm: imx: Avoid sample FIFO overflow for i.MX PWM version2
pwm: imx: Cleanup indentation for register definitions
pwm: imx: Fix the macro MX3_PWMCR_PRESCALER(x) definition
pwm: Fix possible ZERO_SIZE_PTR pointer dereferencing error.
pwm: lpss: make it buildable only on X86
pwm: lpss: use c99 initializers in structures
pwm: lpss: Fix build failure on PowerPC
pwm: lpss: pci: Move to use pcim_enable_device()
pwm: lpss: Properly split driver to parts
pwm: lpss: Add ACPI and PCI IDs for Intel Braswell
pwm: fsl-ftm: Select REGMAP_MMIO
pwm: fsl-ftm: Document 'big-endian' property
pwm: fsl-ftm: Convert to direct regmap API usage
pwm: fsl-ftm: Clean up the code
Linus Torvalds [Tue, 21 Oct 2014 14:50:02 +0000 (07:50 -0700)]
Merge tag 'arc-3.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc
Pull ARC updates from Vineet Gupta:
"Sorry for the late pull request. Current stuff was ready for a while
but I was hoping to squeeze in support for almost ready ARC SDP
platform (and avoid a 2nd pull request), however it seems there are
still some loose ends which warrant more time.
- Platform code reduction/moving-up (TB10X no longer needs any
callbacks)
- updated boot printing
- kgdb update for arc gdb 7.5
- bug fixes (some marked for stable)
- more code refactoring/consolidation"
* tag 'arc-3.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc:
ARC: boot: cpu feature print enhancements
ARC: boot: consolidate cross-checking of h/w and s/w
ARC: unbork FPU save/restore
ARC: remove extraneous __KERNEL__ guards
ARC: Update order of registers in KGDB to match GDB 7.5
ARC: Remove unneeded Kconfig entry NO_DMA
ARC: BUG() dumps stack after @msg (@msg now same as in generic BUG))
ARC: refactoring: reduce the scope of some local vars
ARC: remove gcc mpy heuristics
ARC: RIP @running_on_hw
ARC: Update comments about uncached address space
ARC: rename kconfig option for unaligned emulation
ARC: [nsimosci] Allow "headless" models to boot
ARC: [arcfpga] Get rid of ARC_BOARD_ANGEL4 and ARC_BOARD_ML509
ARC: [arcfpga] Remove more dead code
ARC: [plat*] move code out of .init_machine into common
ARC: [arcfpga] consolidate machine description, DT
ARC: Allow SMP kernel to build/boot on UP-only infrastructure
Linus Torvalds [Tue, 21 Oct 2014 14:48:56 +0000 (07:48 -0700)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux
Pull more powerpc updates from Michael Ellerman:
"Here's some more updates for powerpc for 3.18.
They are a bit late I know, though must are actually bug fixes. In my
defence I nearly cut the top of my finger off last weekend in a
gruesome bike maintenance accident, so I spent a good part of the week
waiting around for doctors. True story, I can send photos if you like :)
Probably the most interesting fix is the sys_call_table one, which
enables syscall tracing for powerpc. There's a fix for HMI handling
for old firmware, more endian fixes for firmware interfaces, more EEH
fixes, Anton fixed our routine that gets the current stack pointer,
and a few other misc bits"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux: (22 commits)
powerpc: Only do dynamic DMA zone limits on platforms that need it
powerpc: sync pseries_le_defconfig with pseries_defconfig
powerpc: Add printk levels to setup_system output
powerpc/vphn: NUMA node code expects big-endian
powerpc/msi: Use WARN_ON() in msi bitmap selftests
powerpc/msi: Fix the msi bitmap alignment tests
powerpc/eeh: Block CFG upon frozen Shiner adapter
powerpc/eeh: Don't collect logs on PE with blocked config space
powerpc/eeh: Block PCI config access upon frozen PE
powerpc/pseries: Drop config requests in EEH accessors
powerpc/powernv: Drop config requests in EEH accessors
powerpc/eeh: Rename flag EEH_PE_RESET to EEH_PE_CFG_BLOCKED
powerpc/eeh: Fix condition for isolated state
powerpc/pseries: Make CPU hotplug path endian safe
powerpc/pseries: Use dump_stack instead of show_stack
powerpc: Rename __get_SP() to current_stack_pointer()
powerpc: Reimplement __get_SP() as a function not a define
powerpc/numa: Add ability to disable and debug topology updates
powerpc/numa: check error return from proc_create
powerpc/powernv: Fallback to old HMI handling behavior for old firmware
...
Carlo Caione [Thu, 9 Oct 2014 19:59:16 +0000 (21:59 +0200)]
watchdog: meson: remove magic value for reboot
This patch removes the magic value used for rebooting the board. This
value is useless and leads to a static checker warning as reported by
Dan Carpenter.
Signed-off-by: Carlo Caione <carlo@caione.org> Reviewed-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
This patch adds support for the watchdog hardware found in A31 and
newer SoCs. This new hardware has registers at different offsets, and
the system reset control has been split out of the "mode" register
into a new "configuration" register.
Differences not supported by this driver include separate interrupt
lines for each watchdog, instead of sharing an interrupt line and
registers with the timer block.
watchdog: sunxi: support parameterized compatible strings
This patch adds support for hardware parameters tied to compatible
strings, so similar hardware can reuse the driver.
This will be used to support the newer watchdog found in A31 and
later SoCs. Differences in the new hardware include separate
interrupt lines for each watchdog, and corresponding interrupt
control/status registers. Watchdog control registers were also
slightly rearranged.
Also replace ioread32()/iowrite32() with readl()/writel() in various
places changed.
Jingchang Lu [Fri, 12 Sep 2014 07:24:36 +0000 (15:24 +0800)]
watchdog: imx2_wdt: add restart handler support
Register the watchdog as the system restart function
to the new introducing kernel restart call chain in the
driver instead of providing the restart in machine desc.
This restart handler function is from the mxc_restart()
in arch/arm/mach-imx/system.c
Signed-off-by: Jingchang Lu <jingchang.lu@freescale.com> Reviewed-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
The WDT's BITE_TIME warm-reset behavior can be leveraged as a last
resort mechanism for triggering chip reset. Usually, other restart
methods (such as PS_HOLD) are preferrable for issuing a more complete
reset of the chip. As such, keep the priority of the watchdog notifier
low.
Heiko Stuebner [Wed, 20 Aug 2014 00:45:36 +0000 (17:45 -0700)]
watchdog: s3c2410: add restart handler
On a lot of Samsung systems the watchdog is responsible for restarting the
system and until now this code was contained in plat-samsung/watchdog-reset.c.
With the introduction of the restart handlers, this code can now move into
driver itself, removing the need for arch-specific code.
Tested on a S3C2442 based GTA02
Signed-off-by: Heiko Stuebner <heiko@sntech.de> Signed-off-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Wim Van Sebroeck <wim@iguana.be> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
This adds a driver for the watchdog timer available in Ricoh RN5T618
PMIC. The device supports a programmable expiration time of 1, 8, 32
or 128 seconds.
The Qualcomm Krait Processor Sub-system (KPSS) contains one or more
instances of the WDT. Provide documentation on how to describe these in
the device tree.
watchdog: dw_wdt: initialise TOP_INIT in dw_wdt_set_top()
The TOP_INIT, ie bit 4-7 of the WDOG_TIMEOUT_RANGE_REG_OFFSET register
may be zero, so the timeout period may be very short after initialization
is done, thus the system may be reset soon after enabling. We fix this
problem by also initialising the TOP_INIT when setting TOP in function
dw_wdt_set_top().
Pranith Kumar [Wed, 20 Aug 2014 19:26:46 +0000 (15:26 -0400)]
powerpc: booke_wdt: Fix build error as a module
Building booke_wdt fails when trying to build as a module as there is no
early_param() in module. Fix by using module_param() instead of early_param().
Michal Simek [Wed, 13 Aug 2014 11:51:28 +0000 (13:51 +0200)]
watchdog: xilinx: Remove .owner field for driver
There is no need to init .owner field.
Based on the patch from Peter Griffin <peter.griffin@linaro.org>
"mmc: remove .owner field for drivers using module_platform_driver"
This patch removes the superflous .owner field for drivers which
use the module_platform_driver API, as this is overriden in
platform_driver_register anyway."
Signed-off-by: Michal Simek <michal.simek@xilinx.com> Reviewed-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
Linus Torvalds [Mon, 20 Oct 2014 16:50:11 +0000 (09:50 -0700)]
Merge tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4
Pull ext4 updates from Ted Ts'o:
"A large number of cleanups and bug fixes, with some (minor) journal
optimizations"
[ This got sent to me before -rc1, but was stuck in my spam folder. - Linus ]
* tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4: (67 commits)
ext4: check s_chksum_driver when looking for bg csum presence
ext4: move error report out of atomic context in ext4_init_block_bitmap()
ext4: Replace open coded mdata csum feature to helper function
ext4: delete useless comments about ext4_move_extents
ext4: fix reservation overflow in ext4_da_write_begin
ext4: add ext4_iget_normal() which is to be used for dir tree lookups
ext4: don't orphan or truncate the boot loader inode
ext4: grab missed write_count for EXT4_IOC_SWAP_BOOT
ext4: optimize block allocation on grow indepth
ext4: get rid of code duplication
ext4: fix over-defensive complaint after journal abort
ext4: fix return value of ext4_do_update_inode
ext4: fix mmap data corruption when blocksize < pagesize
vfs: fix data corruption when blocksize < pagesize for mmaped data
ext4: fold ext4_nojournal_sops into ext4_sops
ext4: support freezing ext2 (nojournal) file systems
ext4: fold ext4_sync_fs_nojournal() into ext4_sync_fs()
ext4: don't check quota format when there are no quota files
jbd2: simplify calling convention around __jbd2_journal_clean_checkpoint_list
jbd2: avoid pointless scanning of checkpoint lists
...
Linus Torvalds [Mon, 20 Oct 2014 00:43:06 +0000 (17:43 -0700)]
Merge tag 'arm-soc-fixes-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
Pull ARM SoC fixes from Olof Johansson:
"A batch of fixes that have come in during the merge window.
Some of them are defconfig updates for things that have now landed,
some errata additions and a few general scattered fixes.
There's also a qcom DT update that adds support for SATA on AP148, and
basic support for Sony Xperia Z1 and CM-QS600 platforms that seemed
isolated enough that we could merge it even if it's late"
* tag 'arm-soc-fixes-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
MAINTAINERS: corrected bcm2835 search
ARM: dts: Explicitly set dr_mode on exynos5420-arndale-octa
ARM: dts: Explicitly set dr_mode on exynos Peach boards
ARM: dts: qcom: add CM-QS600 board
ARM: dts: qcom: Add initial DTS file for Sony Xperia Z1 phone
ARM: dts: qcom: Add SATA support on IPQ8064/AP148
MAINTAINERS: Update Santosh Shilimkar's email id
ARM: sunxi_defconfig: enable CONFIG_REGULATOR
ARM: dts: Disable smc91x on n900 until bootloader dependency is removed
ARM: omap2plus_defconfig: Enable ARM erratum 430973 for omap3
ARM: exynos_defconfig: enable USB gadget support
ARM: exynos_defconfig: Enable Maxim 77693 and I2C GPIO drivers
ARM: mm: Fix ifdef around cpu_*_do_[suspend, resume] ops
ARM: EXYNOS: Fix build with PM_SLEEP=n and ARM_EXYNOS_CPUIDLE=n
ARM: SAMSUNG: Restore Samsung PM Debug functionality
ARM: dts: Fix pull setting in sd4_width8 pin group for exynos4x12
ARM: exynos_defconfig: Enable SBS battery support
ARM: exynos_defconfig: Enable Control Groups support
ARM: exynos_defconfig: Enable Atmel maXTouch support
ARM: exynos_defconfig: Enable MAX77802
Linus Torvalds [Sun, 19 Oct 2014 23:25:56 +0000 (16:25 -0700)]
Merge git://git.infradead.org/users/eparis/audit
Pull audit updates from Eric Paris:
"So this change across a whole bunch of arches really solves one basic
problem. We want to audit when seccomp is killing a process. seccomp
hooks in before the audit syscall entry code. audit_syscall_entry
took as an argument the arch of the given syscall. Since the arch is
part of what makes a syscall number meaningful it's an important part
of the record, but it isn't available when seccomp shoots the
syscall...
For most arch's we have a better way to get the arch (syscall_get_arch)
So the solution was two fold: Implement syscall_get_arch() everywhere
there is audit which didn't have it. Use syscall_get_arch() in the
seccomp audit code. Having syscall_get_arch() everywhere meant it was
a useless flag on the stack and we could get rid of it for the typical
syscall entry.
The other changes inside the audit system aren't grand, fixed some
records that had invalid spaces. Better locking around the task comm
field. Removing some dead functions and structs. Make some things
static. Really minor stuff"
* git://git.infradead.org/users/eparis/audit: (31 commits)
audit: rename audit_log_remove_rule to disambiguate for trees
audit: cull redundancy in audit_rule_change
audit: WARN if audit_rule_change called illegally
audit: put rule existence check in canonical order
next: openrisc: Fix build
audit: get comm using lock to avoid race in string printing
audit: remove open_arg() function that is never used
audit: correct AUDIT_GET_FEATURE return message type
audit: set nlmsg_len for multicast messages.
audit: use union for audit_field values since they are mutually exclusive
audit: invalid op= values for rules
audit: use atomic_t to simplify audit_serial()
kernel/audit.c: use ARRAY_SIZE instead of sizeof/sizeof[0]
audit: reduce scope of audit_log_fcaps
audit: reduce scope of audit_net_id
audit: arm64: Remove the audit arch argument to audit_syscall_entry
arm64: audit: Add audit hook in syscall_trace_enter/exit()
audit: x86: drop arch from __audit_syscall_entry() interface
sparc: implement is_32bit_task
sparc: properly conditionalize use of TIF_32BIT
...
Olof Johansson [Sun, 19 Oct 2014 20:39:08 +0000 (13:39 -0700)]
Merge tag 'qcom-dt-for-3.18-3' of git://git.kernel.org/pub/scm/linux/kernel/git/galak/linux-qcom into fixes
Merge "qcom DT changes for v3.18-3" from Kumar Gala:
Qualcomm ARM Based Device Tree Updates for v3.18-3
* Added Board support for CM-QS600 and Sony Xperia Z1 phone
* Added SATA support on IPQ8064/AP148
* tag 'qcom-dt-for-3.18-3' of git://git.kernel.org/pub/scm/linux/kernel/git/galak/linux-qcom:
ARM: dts: qcom: add CM-QS600 board
ARM: dts: qcom: Add initial DTS file for Sony Xperia Z1 phone
ARM: dts: qcom: Add SATA support on IPQ8064/AP148
Olof Johansson [Sun, 19 Oct 2014 20:34:52 +0000 (13:34 -0700)]
Merge tag 'samsung-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/kgene/linux-samsung into fixes
Pull more fixes from Kukjin Kim:
2nd Samsung fixes for v3.18
- Explicitly set dr_mode on exynos5800-peach-pi, exynos5420-peach-pit
and exynos5420-arndale-octa boards, because the USB dwc3 controller
will not work properly without dr_mode as host on above boards if
the USB host and gadget are enabled in kernel configuration both.
* tag 'samsung-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/kgene/linux-samsung:
ARM: dts: Explicitly set dr_mode on exynos5420-arndale-octa
ARM: dts: Explicitly set dr_mode on exynos Peach boards
Scott Branden [Fri, 17 Oct 2014 03:57:16 +0000 (21:57 -0600)]
MAINTAINERS: corrected bcm2835 search
Corrected bcm2835 maintainer info by using N: to specify any files with
bcm2835 in are directed to the proper maintainer.
Also corrected minor mispelling of ARCHITECTURE in 2 comment locations.
Signed-off-by: Scott Branden <sbranden@broadcom.com> Signed-off-by: Stephen Warren <swarren@wwwdotorg.org> Signed-off-by: Olof Johansson <olof@lixom.net>
Linus Torvalds [Sun, 19 Oct 2014 19:58:22 +0000 (12:58 -0700)]
Merge tag 'ntb-3.18' of git://github.com/jonmason/ntb
Pull ntb (non-transparent bridge) updates from Jon Mason:
"Add support for Haswell NTB split BARs, a debugfs entry for basic
debugging info, and some code clean-ups"
* tag 'ntb-3.18' of git://github.com/jonmason/ntb:
ntb: Adding split BAR support for Haswell platforms
ntb: use errata flag set via DID to implement workaround
ntb: conslidate reading of PPD to move platform detection earlier
ntb: move platform detection to separate function
NTB: debugfs device entry
Linus Torvalds [Sun, 19 Oct 2014 19:50:44 +0000 (12:50 -0700)]
Merge branch 'i2c/for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux
Pull i2c updates from Wolfram Sang:
"Highlights from the I2C subsystem for 3.18:
- new drivers for Axxia AM55xx, and Hisilicon hix5hd2 SoC.
- designware driver gained AMD support, exynos gained exynos7 support
The rest is usual driver stuff. Hopefully no lowlights this time"
* 'i2c/for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
i2c: i801: Add Device IDs for Intel Sunrise Point PCH
i2c: hix5hd2: add i2c controller driver
i2c-imx: Disable the clock on probe failure
i2c: designware: Add support for AMD I2C controller
i2c: designware: Rework probe() to get clock a bit later
i2c: designware: Default to fast mode in case of ACPI
i2c: axxia: Add I2C driver for AXM55xx
i2c: exynos: add support for HSI2C module on Exynos7
i2c: mxs: detect No Slave Ack on SELECT in PIO mode
i2c: cros_ec: Remove EC_I2C_FLAG_10BIT
i2c: cros-ec-tunnel: Add of match table
i2c: rcar: remove sign-compare flaw
i2c: ismt: Use minimum descriptor size
i2c: imx: Add arbitration lost check
i2c: rk3x: Remove unlikely() annotations
i2c: rcar: check for no IRQ in rcar_i2c_irq()
i2c: rcar: make rcar_i2c_prepare_msg() *void*
i2c: rcar: simplify check for last message
i2c: designware: add support of platform data to set I2C mode
i2c: designware: add support of I2C standard mode
Linus Torvalds [Sun, 19 Oct 2014 19:45:36 +0000 (12:45 -0700)]
Merge tag 'sound-fix-3.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"Here are a collection of small fixes after 3.18 merge.
The urgent one is the fix for kernel panics with linked PCM substream
triggered by the recent nonatomic PCM ops support. Other two fixes
(emu10k1 and bebob) are stable fixes, and one easy PCI ID addition for
a new Intel HD-audio controller"
* tag 'sound-fix-3.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
ALSA: hda_intel: Add Device IDs for Intel Sunrise Point PCH
ALSA: emu10k1: Fix deadlock in synth voice lookup
ALSA: pcm: Fix referred substream in snd_pcm_action_group() unlock loop
ALSA: bebob: Fix failure to detect source of clock for Terratec Phase 88
Linus Torvalds [Sun, 19 Oct 2014 19:40:24 +0000 (12:40 -0700)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
Pull second round of input updates from Dmitry Torokhov:
"Mostly simple bug fixes, although we do have one brand new driver for
Microchip AR1021 i2c touchscreen.
Also there is the change to stop trying to use i8042 active
multiplexing by default (it is still possible to activate it via
i8042.nomux=0 on boxes that implement it)"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
Input: xpad - add Thrustmaster as Xbox 360 controller vendor
Input: xpad - add USB ID for Thrustmaster Ferrari 458 Racing Wheel
Input: max77693-haptic - fix state check in imax77693_haptic_disable()
Input: xen-kbdfront - free grant table entry in xenkbd_disconnect_backend
Input: alps - fix v4 button press recognition
Input: i8042 - disable active multiplexing by default
Input: i8042 - add noloop quirk for Asus X750LN
Input: synaptics - gate forcepad support by DMI check
Input: Add Microchip AR1021 i2c touchscreen
Input: cros_ec_keyb - add of match table
Input: serio - avoid negative serio device numbers
Input: avoid negative input device numbers
Input: automatically set EV_ABS bit in input_set_abs_params
Input: adp5588-keys - cancel workqueue in failure path
Input: opencores-kbd - switch to using managed resources
Input: evdev - fix EVIOCG{type} ioctl
Linus Torvalds [Sun, 19 Oct 2014 19:29:23 +0000 (12:29 -0700)]
Merge tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband
Pull infiniband/RDMA updates from Roland Dreier:
- large set of iSER initiator improvements
- hardware driver fixes for cxgb4, mlx5 and ocrdma
- small fixes to core midlayer
* tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband: (47 commits)
RDMA/cxgb4: Fix ntuple calculation for ipv6 and remove duplicate line
RDMA/cxgb4: Add missing neigh_release in find_route
RDMA/cxgb4: Take IPv6 into account for best_mtu and set_emss
RDMA/cxgb4: Make c4iw_wr_log_size_order static
IB/core: Fix XRC race condition in ib_uverbs_open_qp
IB/core: Clear AH attr variable to prevent garbage data
RDMA/ocrdma: Save the bit environment, spare unncessary parenthesis
RDMA/ocrdma: The kernel has a perfectly good BIT() macro - use it
RDMA/ocrdma: Don't memset() buffers we just allocated with kzalloc()
RDMA/ocrdma: Remove a unused-label warning
RDMA/ocrdma: Convert kernel VA to PA for mmap in user
RDMA/ocrdma: Get vlan tag from ib_qp_attrs
RDMA/ocrdma: Add default GID at index 0
IB/mlx5, iser, isert: Add Signature API additions
Target/iser: Centralize ib_sig_domain setting
IB/iser: Centralize ib_sig_domain settings
IB/mlx5: Use extended internal signature layout
IB/iser: Set IP_CSUM as default guard type
IB/iser: Remove redundant assignment
IB/mlx5: Use enumerations for PI copy mask
...
Linus Torvalds [Sun, 19 Oct 2014 18:55:41 +0000 (11:55 -0700)]
Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull more perf updates from Ingo Molnar:
"A second (and last) round of late coming fixes and changes, almost all
of them in perf tooling:
User visible tooling changes:
- Add period data column and make it default in 'perf script' (Jiri
Olsa)
- Add a visual cue for toggle zeroing of samples in 'perf top'
(Taeung Song)
- Improve callchains when using libunwind (Namhyung Kim)
Tooling fixes and infrastructure changes:
- Fix for double free in 'perf stat' when using some specific invalid
command line combo (Yasser Shalabi)
- Fix off-by-one bugs in map->end handling (Stephane Eranian)
- Fix off-by-one bug in maps__find(), also related to map->end
handling (Namhyung Kim)
- Make struct symbol->end be the first addr after the symbol range,
to make it match the convention used for struct map->end. (Arnaldo
Carvalho de Melo)
- Fix perf_evlist__add_pollfd() error handling in 'perf kvm stat
live' (Jiri Olsa)
- Fix python test build by moving callchain_param to an object linked
into the python binding (Jiri Olsa)
- Document sysfs events/ interfaces (Cody P Schafer)
- Add option to copy events when queuing for sorting across cpu
buffers and enable it for 'perf kvm stat live', to avoid having
events left in the queue pointing to the ring buffer be rewritten
in high volume sessions. (Alexander Yarygin, improving work done
by David Ahern):
- Do not include a struct hists per perf_evsel, untangling the
histogram code from perf_evsel, to pave the way for exporting a
minimalistic tools/lib/api/perf/ library usable by tools/perf and
initially by the rasd daemon being developed by Borislav Petkov,
Robert Richter and Jean Pihet. (Arnaldo Carvalho de Melo)
- Make perf_evlist__open(evlist, NULL, NULL), i.e. without cpu and
thread maps mean syswide monitoring, reducing the boilerplate for
tools that only want system wide mode. (Arnaldo Carvalho de Melo)
- Move exit stuff from perf_evsel__delete to perf_evsel__exit, delete
should be just a front end for exit + free (Arnaldo Carvalho de
Melo)
- Add support to new style format of kernel PMU event. (Kan Liang)
and other misc fixes"
* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (45 commits)
perf script: Add period as a default output column
perf script: Add period data column
perf evsel: No need to drag util/cgroup.h
perf evlist: Add missing 'struct option' forward declaration
perf evsel: Move exit stuff from __delete to __exit
kprobes/x86: Remove stale ARCH_SUPPORTS_KPROBES_ON_FTRACE define
perf kvm stat live: Enable events copying
perf session: Add option to copy events when queueing
perf Documentation: Fix typos in perf/Documentation
perf trace: Use thread_{,_set}_priv helpers
perf kvm: Use thread_{,_set}_priv helpers
perf callchain: Create an address space per thread
perf report: Set callchain_param.record_mode for future use
perf evlist: Fix for double free in tools/perf stat
perf test: Add test case for pmu event new style format
perf tools: Add support to new style format of kernel PMU event
perf tools: Parse the pmu event prefix and suffix
Revert "perf tools: Default to cpu// for events v5"
perf Documentation: Remove Ruplicated docs for powerpc cpu specific events
perf Documentation: sysfs events/ interfaces
...
Pull sparc fixes from David Miller:
"Here we have two bug fixes:
1) The current thread's fault_code is not setup properly upon entry to
do_sparc64_fault() in some paths, leading to spurious SIGBUS.
2) Don't use a zero length array at the end of thread_info on sparc64,
otherwise end_of_stack() isn't right"
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
sparc64: Do not define thread fpregs save area as zero-length array.
sparc64: Fix corrupted thread fault code.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
Net: DSA: Fix checking for get_phy_flags function
ipv6: fix a potential use after free in sit.c
ipv6: fix a potential use after free in ip6_offload.c
ipv4: fix a potential use after free in gre_offload.c
tcp: fix build error if IPv6 is not enabled
Andrew Lunn [Sun, 19 Oct 2014 14:41:47 +0000 (16:41 +0200)]
Net: DSA: Fix checking for get_phy_flags function
The check for the presence or not of the optional switch function
get_phy_flags() called the function, rather than checked to see if it
is a NULL pointer. This causes a derefernce of a NULL pointer on all
switch chips except the sf2, the only switch to implement this call.
Signed-off-by: Andrew Lunn <andrew@lunn.ch> Fixes: 4dce9205c7bc ("net: dsa: allow switch drivers to specify phy_device::dev_flags") Cc: Florian Fainelli <f.fainelli@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Sun, 19 Oct 2014 03:12:33 +0000 (23:12 -0400)]
sparc64: Do not define thread fpregs save area as zero-length array.
This breaks the stack end corruption detection facility.
What that facility does it write a magic value to "end_of_stack()"
and checking to see if it gets overwritten.
"end_of_stack()" is "task_thread_info(p) + 1", which for sparc64 is
the beginning of the FPU register save area.
So once the user uses the FPU, the magic value is overwritten and the
debug checks trigger.
Fix this by making the size explicit.
Due to the size we use for the fpsaved[], gsr[], and xfsr[] arrays we
are limited to 7 levels of FPU state saves. So each FPU register set
is 256 bytes, allocate 256 * 7 for the fpregs area.
Reported-by: Meelis Roos <mroos@linux.ee> Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Sun, 19 Oct 2014 03:03:09 +0000 (23:03 -0400)]
sparc64: Fix corrupted thread fault code.
Every path that ends up at do_sparc64_fault() must install a valid
FAULT_CODE_* bitmask in the per-thread fault code byte.
Two paths leading to the label winfix_trampoline (which expects the
FAULT_CODE_* mask in register %g4) were not doing so:
1) For pre-hypervisor TLB protection violation traps, if we took
the 'winfix_trampoline' path we wouldn't have %g4 initialized
with the FAULT_CODE_* value yet. Resulting in using the
TLB_TAG_ACCESS register address value instead.
2) In the TSB miss path, when we notice that we are going to use a
hugepage mapping, but we haven't allocated the hugepage TSB yet, we
still have to take the window fixup case into consideration and
in that particular path we leave %g4 not setup properly.
Errors on this sort were largely invisible previously, but after
commit 1f8af230c05015d82bfeee60d0e5f661012cf230 ("sparc64: sun4v TLB
error power off events") we now have a fault_code mask bit
(FAULT_CODE_BAD_RA) that triggers due to this bug.
FAULT_CODE_BAD_RA triggers because this bit is set in TLB_TAG_ACCESS
(see #1 above) and thus we get seemingly random bus errors triggered
for user processes.
Fixes: 1f8af230c050 ("sparc64: sun4v TLB error power off events") Reported-by: Meelis Roos <mroos@linux.ee> Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Sun, 19 Oct 2014 01:11:04 +0000 (18:11 -0700)]
Merge branch 'for-linus' of git://git.infradead.org/users/vkoul/slave-dma
Pull slave-dmaengine updates from Vinod Koul:
"For dmaengine contributions we have:
- designware cleanup by Andy
- my series moving device_control users to dmanegine_xxx APIs for
later removal of device_control API
- minor fixes spread over drivers mainly mv_xor, pl330, mmp, imx-sdma
etc"
* 'for-linus' of git://git.infradead.org/users/vkoul/slave-dma: (60 commits)
serial: atmel: add missing dmaengine header
dmaengine: remove FSLDMA_EXTERNAL_START
dmaengine: freescale: remove FSLDMA_EXTERNAL_START control method
carma-fpga: move to fsl_dma_external_start()
carma-fpga: use dmaengine_xxx() API
dmaengine: freescale: add and export fsl_dma_external_start()
dmaengine: add dmaengine_prep_dma_sg() helper
video: mx3fb: use dmaengine_terminate_all() API
serial: sh-sci: use dmaengine_terminate_all() API
net: ks8842: use dmaengine_terminate_all() API
mtd: sh_flctl: use dmaengine_terminate_all() API
mtd: fsmc_nand: use dmaengine_terminate_all() API
V4L2: mx3_camer: use dmaengine_pause() API
dmaengine: coh901318: use dmaengine_terminate_all() API
pata_arasan_cf: use dmaengine_terminate_all() API
dmaengine: edma: check for echan->edesc => NULL in edma_dma_pause()
dmaengine: dw: export probe()/remove() and Co to users
dmaengine: dw: enable and disable controller when needed
dmaengine: dw: always export dw_dma_{en,dis}able
dmaengine: dw: introduce dw_dma_on() helper
...
Linus Torvalds [Sun, 19 Oct 2014 01:03:02 +0000 (18:03 -0700)]
Merge tag 'fbdev-3.18' of git://git.kernel.org/pub/scm/linux/kernel/git/tomba/linux
Pull fbdev updates from Tomi Valkeinen:
- new 6x10 font
- various small fixes and cleanups
* tag 'fbdev-3.18' of git://git.kernel.org/pub/scm/linux/kernel/git/tomba/linux: (30 commits)
fonts: Add 6x10 font
videomode: provide dummy inline functions for !CONFIG_OF
video/atmel_lcdfb: Introduce regulator support
fbdev: sh_mobile_hdmi: Re-init regs before irq re-enable on resume
framebuffer: fix screen corruption when copying
framebuffer: fix border color
arm, fbdev, omap2, LLVMLinux: Remove nested function from omapfb
arm, fbdev, omap2, LLVMLinux: Remove nested function from omap2 dss
video: fbdev: valkyriefb.c: use container_of to resolve fb_info_valkyrie from fb_info
video: fbdev: pxafb.c: use container_of to resolve pxafb_info/layer from fb_info
video: fbdev: cyber2000fb.c: use container_of to resolve cfb_info from fb_info
video: fbdev: controlfb.c: use container_of to resolve fb_info_control from fb_info
video: fbdev: sa1100fb.c: use container_of to resolve sa1100fb_info from fb_info
video: fbdev: stifb.c: use container_of to resolve stifb_info from fb_info
video: fbdev: sis: sis_main.c: Cleaning up missing null-terminate in conjunction with strncpy
video: valkyriefb: Fix unused variable warning in set_valkyrie_clock()
video: fbdev: use %*ph specifier to dump small buffers
video: mx3fb: always enable BACKLIGHT_LCD_SUPPORT
video: fbdev: au1200fb: delete double assignment
video: fbdev: sis: delete double assignment
...
Linus Torvalds [Sat, 18 Oct 2014 21:32:31 +0000 (14:32 -0700)]
Merge tag 'kvm-arm-for-3.18-take-2' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm
Pull second batch of changes for KVM/{arm,arm64} from Marc Zyngier:
"The most obvious thing is the sizeable MMU changes to support 48bit
VAs on arm64.
Summary:
- support for 48bit IPA and VA (EL2)
- a number of fixes for devices mapped into guests
- yet another VGIC fix for BE
- a fix for CPU hotplug
- a few compile fixes (disabled VGIC, strict mm checks)"
[ I'm pulling directly from Marc at the request of Paolo Bonzini, whose
backpack was stolen at Düsseldorf airport and will do new keys and
rebuild his web of trust. - Linus ]
* tag 'kvm-arm-for-3.18-take-2' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm:
arm/arm64: KVM: Fix BE accesses to GICv2 EISR and ELRSR regs
arm: kvm: STRICT_MM_TYPECHECKS fix for user_mem_abort
arm/arm64: KVM: Ensure memslots are within KVM_PHYS_SIZE
arm64: KVM: Implement 48 VA support for KVM EL2 and Stage-2
arm/arm64: KVM: map MMIO regions at creation time
arm64: kvm: define PAGE_S2_DEVICE as read-only by default
ARM: kvm: define PAGE_S2_DEVICE as read-only by default
arm/arm64: KVM: add 'writable' parameter to kvm_phys_addr_ioremap
arm/arm64: KVM: fix potential NULL dereference in user_mem_abort()
arm/arm64: KVM: use __GFP_ZERO not memset() to get zeroed pages
ARM: KVM: fix vgic-disabled build
arm: kvm: fix CPU hotplug
Linus Torvalds [Sat, 18 Oct 2014 21:24:36 +0000 (14:24 -0700)]
Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus
Pull MIPS updates from Ralf Baechle:
"This is the MIPS pull request for the next kernel:
- Zubair's patch series adds CMA support for MIPS. Doing so it also
touches ARM64 and x86.
- remove the last instance of IRQF_DISABLED from arch/mips
- updates to two of the MIPS defconfig files.
- cleanup of how cache coherency bits are handled on MIPS and
implement support for write-combining.
- platform upgrades for Alchemy
- move MIPS DTS files to arch/mips/boot/dts/"
* 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus: (24 commits)
MIPS: ralink: remove deprecated IRQF_DISABLED
MIPS: pgtable.h: Implement the pgprot_writecombine function for MIPS
MIPS: cpu-probe: Set the write-combine CCA value on per core basis
MIPS: pgtable-bits: Define the CCA bit for WC writes on Ingenic cores
MIPS: pgtable-bits: Move the CCA bits out of the core's ifdef blocks
MIPS: DMA: Add cma support
x86: use generic dma-contiguous.h
arm64: use generic dma-contiguous.h
asm-generic: Add dma-contiguous.h
MIPS: BPF: Add new emit_long_instr macro
MIPS: ralink: Move device-trees to arch/mips/boot/dts/
MIPS: Netlogic: Move device-trees to arch/mips/boot/dts/
MIPS: sead3: Move device-trees to arch/mips/boot/dts/
MIPS: Lantiq: Move device-trees to arch/mips/boot/dts/
MIPS: Octeon: Move device-trees to arch/mips/boot/dts/
MIPS: Add support for building device-tree binaries
MIPS: Create common infrastructure for building built-in device-trees
MIPS: SEAD3: Enable DEVTMPFS
MIPS: SEAD3: Regenerate defconfigs
MIPS: Alchemy: DB1300: Add touch penirq support
...
Linus Torvalds [Sat, 18 Oct 2014 21:22:32 +0000 (14:22 -0700)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux
Pull powerpc fix from Michael Ellerman:
"There was a bit of a misunderstanding between us and the ARM guys in
the device tree PCI code, which is breaking virtio on powerpc.
This is the minimal fix until we can sort it out properly"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux:
powerpc/pci: Fix IO space breakage after of_pci_range_to_resource() change
Linus Torvalds [Sat, 18 Oct 2014 20:39:19 +0000 (13:39 -0700)]
Merge branch 'for-linus' of git://git.samba.org/sfrench/cifs-2.6
Pull cifs/smb3 updates from Steve French:
"Improved SMB3 support (symlink and device emulation, and remapping by
default the 7 reserved posix characters) and a workaround for cifs
mounts to Mac (working around a commonly encountered Mac server bug)"
* 'for-linus' of git://git.samba.org/sfrench/cifs-2.6:
[CIFS] Remove obsolete comment
Check minimum response length on query_network_interface
Workaround Mac server problem
Remap reserved posix characters by default (part 3/3)
Allow conversion of characters in Mac remap range (part 2)
Allow conversion of characters in Mac remap range. Part 1
mfsymlinks support for SMB2.1/SMB3. Part 2 query symlink
Add mfsymlinks support for SMB2.1/SMB3. Part 1 create symlink
Allow mknod and mkfifo on SMB2/SMB3 mounts
add defines for two new file attributes
Linus Torvalds [Sat, 18 Oct 2014 20:32:17 +0000 (13:32 -0700)]
Merge branch 'for-linus-update' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs
Pull btrfs data corruption fix from Chris Mason:
"I'm testing a pull with more fixes, but wanted to get this one out so
Greg can pick it up.
The corruption isn't easy to hit, you have to do a readonly snapshot
and have orphans in the snapshot. But my review and testing missed
the bug. Filipe has added a better xfstest to cover it"
* 'for-linus-update' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
Revert "Btrfs: race free update of commit root for ro snapshots"
Pull NTFS update from Anton Altaparmakov:
"Here is a small NTFS update notably implementing FIBMAP ioctl for NTFS
by adding the bmap address space operation. People seem to still want
FIBMAP"
* git://git.kernel.org/pub/scm/linux/kernel/git/aia21/ntfs:
NTFS: Bump version to 2.1.31.
NTFS: Add bmap address space operation needed for FIBMAP ioctl.
NTFS: Remove changelog from Documentation/filesystems/ntfs.txt.
NTFS: Split ntfs_aops into ntfs_normal_aops and ntfs_compressed_aops in preparation for them diverging.
Linus Torvalds [Sat, 18 Oct 2014 19:52:08 +0000 (12:52 -0700)]
Merge tag 'nfs-for-3.18-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs
Pull NFS client updates from Trond Myklebust:
"Highlights include:
Stable fixes:
- fix an uninitialised pointer Oops in the writeback error path
- fix a bogus warning (and early exit from the loop) in nfs_generic_pgio()
Features:
- Add NFSv4.2 SEEK feature and client support for lseek(SEEK_HOLE/SEEK_DATA)
Other fixes:
- pnfs: replace broken pnfs_put_lseg_async
- Remove dead prototype for nfs4_insert_deviceid_node"
* tag 'nfs-for-3.18-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
NFS: Fix a bogus warning in nfs_generic_pgio
NFS: Fix an uninitialised pointer Oops in the writeback error path
NFSv4.1/pnfs: replace broken pnfs_put_lseg_async
NFSv4: Remove dead prototype for nfs4_insert_deviceid_node()
NFS: Implement SEEK
Linus Torvalds [Sat, 18 Oct 2014 19:25:30 +0000 (12:25 -0700)]
Merge tag 'dm-3.18' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
Pull device-mapper updates from Mike Snitzer:
"I rebased the DM tree ontop of linux-block.git's 'for-3.18/core' at
the beginning of October because DM core now depends on the newly
introduced bioset_create_nobvec() interface.
Summary:
- fix DM's long-standing excessive use of memory by leveraging the
new bioset_create_nobvec() interface when creating the DM's bioset
- fix a few bugs in dm-bufio and dm-log-userspace
- add DM core support for a DM multipath use-case that requires
loading DM tables that contain devices that have failed (by
allowing active and inactive DM tables to share dm_devs)
- add discard support to the DM raid target; like MD raid456 the user
must opt-in to raid456 discard support be specifying the
devices_handle_discard_safely=Y module param"
* tag 'dm-3.18' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
dm log userspace: fix memory leak in dm_ulog_tfr_init failure path
dm bufio: when done scanning return from __scan immediately
dm bufio: update last_accessed when relinking a buffer
dm raid: add discard support for RAID levels 4, 5 and 6
dm raid: add discard support for RAID levels 1 and 10
dm: allow active and inactive tables to share dm_devs
dm mpath: stop queueing IO when no valid paths exist
dm: use bioset_create_nobvec()
dm: remove nr_iovecs parameter from alloc_tio()
Linus Torvalds [Sat, 18 Oct 2014 19:12:45 +0000 (12:12 -0700)]
Merge branch 'for-3.18/drivers' of git://git.kernel.dk/linux-block
Pull block layer driver update from Jens Axboe:
"This is the block driver pull request for 3.18. Not a lot in there
this round, and nothing earth shattering.
- A round of drbd fixes from the linbit team, and an improvement in
asender performance.
- Removal of deprecated (and unused) IRQF_DISABLED flag in rsxx and
hd from Michael Opdenacker.
- Disable entropy collection from flash devices by default, from Mike
Snitzer.
- A small collection of xen blkfront/back fixes from Roger Pau Monné
and Vitaly Kuznetsov"
* 'for-3.18/drivers' of git://git.kernel.dk/linux-block:
block: disable entropy contributions for nonrot devices
xen, blkfront: factor out flush-related checks from do_blkif_request()
xen-blkback: fix leak on grant map error path
xen/blkback: unmap all persistent grants when frontend gets disconnected
rsxx: Remove deprecated IRQF_DISABLED
block: hd: remove deprecated IRQF_DISABLED
drbd: use RB_DECLARE_CALLBACKS() to define augment callbacks
drbd: compute the end before rb_insert_augmented()
drbd: Add missing newline in resync progress display in /proc/drbd
drbd: reduce lock contention in drbd_worker
drbd: Improve asender performance
drbd: Get rid of the WORK_PENDING macro
drbd: Get rid of the __no_warn and __cond_lock macros
drbd: Avoid inconsistent locking warning
drbd: Remove superfluous newline from "resync_extents" debugfs entry.
drbd: Use consistent names for all the bi_end_io callbacks
drbd: Use better variable names
Linus Torvalds [Sat, 18 Oct 2014 18:53:51 +0000 (11:53 -0700)]
Merge branch 'for-3.18/core' of git://git.kernel.dk/linux-block
Pull core block layer changes from Jens Axboe:
"This is the core block IO pull request for 3.18. Apart from the new
and improved flush machinery for blk-mq, this is all mostly bug fixes
and cleanups.
- blk-mq timeout updates and fixes from Christoph.
- Removal of REQ_END, also from Christoph. We pass it through the
->queue_rq() hook for blk-mq instead, freeing up one of the request
bits. The space was overly tight on 32-bit, so Martin also killed
REQ_KERNEL since it's no longer used.
- blk integrity updates and fixes from Martin and Gu Zheng.
- Update to the flush machinery for blk-mq from Ming Lei. Now we
have a per hardware context flush request, which both cleans up the
code should scale better for flush intensive workloads on blk-mq.
- Improve the error printing, from Rob Elliott.
- Backing device improvements and cleanups from Tejun.
- Fixup of a misplaced rq_complete() tracepoint from Hannes.
- Make blk_get_request() return error pointers, fixing up issues
where we NULL deref when a device goes bad or missing. From Joe
Lawrence.
- Prep work for drastically reducing the memory consumption of dm
devices from Junichi Nomura. This allows creating clone bio sets
without preallocating a lot of memory.
- Fix a blk-mq hang on certain combinations of queue depths and
hardware queues from me.
- Limit memory consumption for blk-mq devices for crash dump
scenarios and drivers that use crazy high depths (certain SCSI
shared tag setups). We now just use a single queue and limited
depth for that"
* 'for-3.18/core' of git://git.kernel.dk/linux-block: (58 commits)
block: Remove REQ_KERNEL
blk-mq: allocate cpumask on the home node
bio-integrity: remove the needless fail handle of bip_slab creating
block: include func name in __get_request prints
block: make blk_update_request print prefix match ratelimited prefix
blk-merge: don't compute bi_phys_segments from bi_vcnt for cloned bio
block: fix alignment_offset math that assumes io_min is a power-of-2
blk-mq: Make bt_clear_tag() easier to read
blk-mq: fix potential hang if rolling wakeup depth is too high
block: add bioset_create_nobvec()
block: use bio_clone_fast() in blk_rq_prep_clone()
block: misplaced rq_complete tracepoint
sd: Honor block layer integrity handling flags
block: Replace strnicmp with strncasecmp
block: Add T10 Protection Information functions
block: Don't merge requests if integrity flags differ
block: Integrity checksum flag
block: Relocate bio integrity flags
block: Add a disk flag to block integrity profile
block: Add prefix to block integrity profile flags
...
Linus Torvalds [Sat, 18 Oct 2014 18:48:03 +0000 (11:48 -0700)]
Merge tag 'for-linus-20141015' of git://git.infradead.org/linux-mtd
Pull MTD update from Brian Norris:
"Sorry for delaying this a bit later than usual. There's one mild
regression from 3.16 that was noticed during the 3.17 cycle, and I
meant to send a fix for it along with this pull request. I'll
probably try to queue it up for a later pull request once I've had a
better look at it, hopefully by -rc2 at the latest.
Summary for this pull:
NAND
- Cleanup for Denali driver
- Atmel: add support for new page sizes
- Atmel: fix up 'raw' mode support
- Atmel: miscellaneous cleanups
- New timing mode helpers for non-ONFI NAND
- OMAP: allow driver to be (properly) built as a module
- bcm47xx: RESET support and other cleanups
SPI NOR
- Miscellaneous cleanups, to prepare framework for wider use (some
further work still pending)
- Compile-time configuration to select 4K vs. 64K support for flash
that support both (necessary for using UBIFS on some SPI NOR)
A few scattered code quality fixes, detected by Coverity
See the changesets for more"
* tag 'for-linus-20141015' of git://git.infradead.org/linux-mtd: (59 commits)
mtd: nand: omap: Correct CONFIG_MTD_NAND_OMAP_BCH help message
mtd: nand: Force omap_elm to be built as a module if omap2_nand is a module
mtd: move support for struct flash_platform_data into m25p80
mtd: spi-nor: add Kconfig option to disable 4K sectors
mtd: nand: Move ELM driver and rename as omap_elm
nand: omap2: Replace pr_err with dev_err
nand: omap2: Remove horrible ifdefs to fix module probe
mtd: nand: add Hynix's H27UCG8T2ATR-BC to nand_ids table
mtd: nand: support ONFI timing mode retrieval for non-ONFI NANDs
mtd: physmap_of: Add non-obsolete map_rom probe
mtd: physmap_of: Fix ROM support via OF
MAINTAINERS: add l2-mtd.git, 'next' tree for MTD
mtd: denali: fix indents and other trivial things
mtd: denali: remove unnecessary parentheses
mtd: denali: remove another set-but-unused variable
mtd: denali: fix include guard and license block of denali.h
mtd: nand: don't break long print messages
mtd: bcm47xxnflash: replace some magic numbers
mtd: bcm47xxnflash: NAND_CMD_RESET support
mtd: bcm47xxnflash: add cmd_ctrl handler
...
Linus Torvalds [Sat, 18 Oct 2014 18:39:52 +0000 (11:39 -0700)]
Merge tag 'md/3.18' of git://neil.brown.name/md
Pull md updates from Neil Brown:
- a few minor bug fixes
- quite a lot of code tidy-up and simplification
- remove PRINT_RAID_DEBUG ioctl. I'm fairly sure it is unused, and it
isn't particularly useful.
* tag 'md/3.18' of git://neil.brown.name/md: (21 commits)
lib/raid6: Add log level to printks
md: move EXPORT_SYMBOL to after function in md.c
md: discard PRINT_RAID_DEBUG ioctl
md: remove MD_BUG()
md: clean up 'exit' labels in md_ioctl().
md: remove unnecessary test for MD_MAJOR in md_ioctl()
md: don't allow "-sync" to be set for device in an active array.
md: remove unwanted white space from md.c
md: don't start resync thread directly from md thread.
md: Just use RCU when checking for overlap between arrays.
md: avoid potential long delay under pers_lock
md: simplify export_array()
md: discard find_rdev_nr in favour of find_rdev_nr_rcu
md: use wait_event() to simplify md_super_wait()
md: be more relaxed about stopping an array which isn't started.
md/raid1: process_checks doesn't use its return value.
md/raid5: fix init_stripe() inconsistencies
md/raid10: another memory leak due to reshape.
md: use set_bit/clear_bit instead of shift/mask for bi_flags changes.
md/raid1: minor typos and reformatting.
...
Linus Torvalds [Sat, 18 Oct 2014 17:25:09 +0000 (10:25 -0700)]
Merge tag 'virtio-next-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux
Pull virtio updates from Rusty Russell:
"One cc: stable commit, the rest are a series of minor cleanups which
have been sitting in MST's tree during my vacation. I changed a
function name and made one trivial change, then they spent two days in
linux-next"
* tag 'virtio-next-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux: (25 commits)
virtio-rng: refactor probe error handling
virtio_scsi: drop scan callback
virtio_balloon: enable VQs early on restore
virtio_scsi: fix race on device removal
virito_scsi: use freezable WQ for events
virtio_net: enable VQs early on restore
virtio_console: enable VQs early on restore
virtio_scsi: enable VQs early on restore
virtio_blk: enable VQs early on restore
virtio_scsi: move kick event out from virtscsi_init
virtio_net: fix use after free on allocation failure
9p/trans_virtio: enable VQs early
virtio_console: enable VQs early
virtio_blk: enable VQs early
virtio_net: enable VQs early
virtio: add API to enable VQs early
virtio_net: minor cleanup
virtio-net: drop config_mutex
virtio_net: drop config_enable
virtio-blk: drop config_mutex
...
Jonathan Corbet [Fri, 17 Oct 2014 12:59:26 +0000 (08:59 -0400)]
MAINTAINERS: Become the docs maintainer
It seems it's my turn to be the documentation maintainer for a bit. My
plan is to work to ensure that docs patches don't fall through the cracks;
I assume most changes will continue to flow through subsystem-specific
trees.
Andy Lutomirski [Wed, 8 Oct 2014 16:02:13 +0000 (09:02 -0700)]
x86,kvm,vmx: Preserve CR4 across VM entry
CR4 isn't constant; at least the TSD and PCE bits can vary.
TBH, treating CR0 and CR3 as constant scares me a bit, too, but it looks
like it's correct.
This adds a branch and a read from cr4 to each vm entry. Because it is
extremely likely that consecutive entries into the same vcpu will have
the same host cr4 value, this fixes up the vmcs instead of restoring cr4
after the fact. A subsequent patch will add a kernel-wide cr4 shadow,
reducing the overhead in the common case to just two memory reads and a
branch.
Signed-off-by: Andy Lutomirski <luto@amacapital.net> Acked-by: Paolo Bonzini <pbonzini@redhat.com> Cc: stable@vger.kernel.org Cc: Petr Matousek <pmatouse@redhat.com> Cc: Gleb Natapov <gleb@kernel.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Li RongQing [Sat, 18 Oct 2014 09:33:38 +0000 (17:33 +0800)]
ipv6: fix a potential use after free in sit.c
pskb_may_pull() maybe change skb->data and make iph pointer oboslete,
fix it by geting ip header length directly.
Fixes: 885386de (sit: generate icmpv6 error when receiving icmpv4 error) Cc: Oussama Ghorbel <ghorbel@pivasoftware.com> Signed-off-by: Li RongQing <roy.qing.li@gmail.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Li RongQing [Sat, 18 Oct 2014 09:26:04 +0000 (17:26 +0800)]
ipv4: fix a potential use after free in gre_offload.c
pskb_may_pull() may change skb->data and make greh pointer oboslete;
so need to reassign greh;
but since first calling pskb_may_pull already ensured that skb->data
has enough space for greh, so move the reference of greh before second
calling pskb_may_pull(), to avoid reassign greh.
Fixes: 441045ea38("ipv4: fix tunneled VM traffic over hw VXLAN/GRE GSO NIC") Cc: Wei-Chun Chao <weichunc@plumgrid.com> Signed-off-by: Li RongQing <roy.qing.li@gmail.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Sat, 18 Oct 2014 15:34:37 +0000 (08:34 -0700)]
tcp: fix build error if IPv6 is not enabled
$ make M=net/ipv4
CC net/ipv4/route.o
In file included from net/ipv4/route.c:102:0:
include/net/tcp.h: In function ‘tcp_v6_iif’:
include/net/tcp.h:738:32: error: ‘union <anonymous>’ has no member named ‘h6’
return TCP_SKB_CB(skb)->header.h6.iif;
Signed-off-by: Eric Dumazet <edumazet@google.com> Fixes: eec4b1cab305 ("ipv6: introduce tcp_v6_iif()") Signed-off-by: David S. Miller <davem@davemloft.net>
1) Include fixes for netrom and dsa (Fabian Frederick and Florian
Fainelli)
2) Fix FIXED_PHY support in stmmac, from Giuseppe CAVALLARO.
3) Several SKB use after free fixes (vxlan, openvswitch, vxlan,
ip_tunnel, fou), from Li ROngQing.
4) fec driver PTP support fixes from Luwei Zhou and Nimrod Andy.
5) Use after free in virtio_net, from Michael S Tsirkin.
6) Fix flow mask handling for megaflows in openvswitch, from Pravin B
Shelar.
7) ISDN gigaset and capi bug fixes from Tilman Schmidt.
8) Fix route leak in ip_send_unicast_reply(), from Vasily Averin.
9) Fix two eBPF JIT bugs on x86, from Alexei Starovoitov.
10) TCP_SKB_CB() reorganization caused a few regressions, fixed by Cong
Wang and Eric Dumazet.
11) Don't overwrite end of SKB when parsing malformed sctp ASCONF
chunks, from Daniel Borkmann.
12) Don't call sock_kfree_s() with NULL pointers, this function also has
the side effect of adjusting the socket memory usage. From Cong Wang.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (90 commits)
bna: fix skb->truesize underestimation
net: dsa: add includes for ethtool and phy_fixed definitions
openvswitch: Set flow-key members.
netrom: use linux/uaccess.h
dsa: Fix conversion from host device to mii bus
tipc: fix bug in bundled buffer reception
ipv6: introduce tcp_v6_iif()
sfc: add support for skb->xmit_more
r8152: return -EBUSY for runtime suspend
ipv4: fix a potential use after free in fou.c
ipv4: fix a potential use after free in ip_tunnel_core.c
hyperv: Add handling of IP header with option field in netvsc_set_hash()
openvswitch: Create right mask with disabled megaflows
vxlan: fix a free after use
openvswitch: fix a use after free
ipv4: dst_entry leak in ip_send_unicast_reply()
ipv4: clean up cookie_v4_check()
ipv4: share tcp_v4_save_options() with cookie_v4_check()
ipv4: call __ip_options_echo() in cookie_v4_check()
atm: simplify lanai.c by using module_pci_driver
...
Catalin Marinas [Fri, 17 Oct 2014 16:38:49 +0000 (17:38 +0100)]
futex: Ensure get_futex_key_refs() always implies a barrier
Commit bcb32d2a7ac1 (futexes: Avoid taking the hb->lock if there's
nothing to wake up) changes the futex code to avoid taking a lock when
there are no waiters. This code has been subsequently fixed in commit 6f377c1bba74 (futex: revert back to the explicit waiter counting code).
Both the original commit and the fix-up rely on get_futex_key_refs() to
always imply a barrier.
However, for private futexes, none of the cases in the switch statement
of get_futex_key_refs() would be hit and the function completes without
a memory barrier as required before checking the "waiters" in
futex_wake() -> hb_waiters_pending(). The consequence is a race with a
thread waiting on a futex on another CPU, allowing the waker thread to
read "waiters == 0" while the waiter thread to have read "futex_val ==
locked" (in kernel).
Without this fix, the problem (user space deadlocks) can be seen with
Android bionic's mutex implementation on an arm64 multi-cluster system.
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com> Reported-by: Matteo Franchin <Matteo.Franchin@arm.com> Fixes: bcb32d2a7ac1 (futexes: Avoid taking the hb->lock if there's nothing to wake up) Acked-by: Davidlohr Bueso <dave@stgolabs.net> Tested-by: Mike Galbraith <umgwanakikbuti@gmail.com> Cc: <stable@vger.kernel.org> Cc: Darren Hart <dvhart@linux.intel.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Ingo Molnar <mingo@kernel.org> Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>