--- /dev/null
+From e02ba72aabfade4c9cd6e3263e9b57bf890ad25c Mon Sep 17 00:00:00 2001
+From: Anatol Pomozov <anatol.pomozov@gmail.com>
+Date: Tue, 15 Apr 2014 11:31:33 -0700
+Subject: aio: block io_destroy() until all context requests are completed
+
+From: Anatol Pomozov <anatol.pomozov@gmail.com>
+
+commit e02ba72aabfade4c9cd6e3263e9b57bf890ad25c upstream.
+
+deletes aio context and all resources related to. It makes sense that
+no IO operations connected to the context should be running after the context
+is destroyed. As we removed io_context we have no chance to
+get requests status or call io_getevents().
+
+man page for io_destroy says that this function may block until
+all context's requests are completed. Before kernel 3.11 io_destroy()
+blocked indeed, but since aio refactoring in 3.11 it is not true anymore.
+
+Here is a pseudo-code that shows a testcase for a race condition discovered
+in 3.11:
+
+ initialize io_context
+ io_submit(read to buffer)
+ io_destroy()
+
+ // context is destroyed so we can free the resources
+ free(buffers);
+
+ // if the buffer is allocated by some other user he'll be surprised
+ // to learn that the buffer still filled by an outstanding operation
+ // from the destroyed io_context
+
+The fix is straight-forward - add a completion struct and wait on it
+in io_destroy, complete() should be called when number of in-fligh requests
+reaches zero.
+
+If two or more io_destroy() called for the same context simultaneously then
+only the first one waits for IO completion, other calls behaviour is undefined.
+
+Tested: ran http://pastebin.com/LrPsQ4RL testcase for several hours and
+ do not see the race condition anymore.
+
+Signed-off-by: Anatol Pomozov <anatol.pomozov@gmail.com>
+Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
+Cc: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/aio.c | 36 ++++++++++++++++++++++++++++++++----
+ 1 file changed, 32 insertions(+), 4 deletions(-)
+
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -112,6 +112,11 @@ struct kioctx {
+
+ struct work_struct free_work;
+
++ /*
++ * signals when all in-flight requests are done
++ */
++ struct completion *requests_done;
++
+ struct {
+ /*
+ * This counts the number of available slots in the ringbuffer,
+@@ -508,6 +513,10 @@ static void free_ioctx_reqs(struct percp
+ {
+ struct kioctx *ctx = container_of(ref, struct kioctx, reqs);
+
++ /* At this point we know that there are no any in-flight requests */
++ if (ctx->requests_done)
++ complete(ctx->requests_done);
++
+ INIT_WORK(&ctx->free_work, free_ioctx);
+ schedule_work(&ctx->free_work);
+ }
+@@ -718,7 +727,8 @@ err:
+ * when the processes owning a context have all exited to encourage
+ * the rapid destruction of the kioctx.
+ */
+-static void kill_ioctx(struct mm_struct *mm, struct kioctx *ctx)
++static void kill_ioctx(struct mm_struct *mm, struct kioctx *ctx,
++ struct completion *requests_done)
+ {
+ if (!atomic_xchg(&ctx->dead, 1)) {
+ struct kioctx_table *table;
+@@ -747,7 +757,11 @@ static void kill_ioctx(struct mm_struct
+ if (ctx->mmap_size)
+ vm_munmap(ctx->mmap_base, ctx->mmap_size);
+
++ ctx->requests_done = requests_done;
+ percpu_ref_kill(&ctx->users);
++ } else {
++ if (requests_done)
++ complete(requests_done);
+ }
+ }
+
+@@ -809,7 +823,7 @@ void exit_aio(struct mm_struct *mm)
+ */
+ ctx->mmap_size = 0;
+
+- kill_ioctx(mm, ctx);
++ kill_ioctx(mm, ctx, NULL);
+ }
+ }
+
+@@ -1187,7 +1201,7 @@ SYSCALL_DEFINE2(io_setup, unsigned, nr_e
+ if (!IS_ERR(ioctx)) {
+ ret = put_user(ioctx->user_id, ctxp);
+ if (ret)
+- kill_ioctx(current->mm, ioctx);
++ kill_ioctx(current->mm, ioctx, NULL);
+ percpu_ref_put(&ioctx->users);
+ }
+
+@@ -1205,8 +1219,22 @@ SYSCALL_DEFINE1(io_destroy, aio_context_
+ {
+ struct kioctx *ioctx = lookup_ioctx(ctx);
+ if (likely(NULL != ioctx)) {
+- kill_ioctx(current->mm, ioctx);
++ struct completion requests_done =
++ COMPLETION_INITIALIZER_ONSTACK(requests_done);
++
++ /* Pass requests_done to kill_ioctx() where it can be set
++ * in a thread-safe way. If we try to set it here then we have
++ * a race condition if two io_destroy() called simultaneously.
++ */
++ kill_ioctx(current->mm, ioctx, &requests_done);
+ percpu_ref_put(&ioctx->users);
++
++ /* Wait until all IO for the context are done. Otherwise kernel
++ * keep using user-space buffers even if user thinks the context
++ * is destroyed.
++ */
++ wait_for_completion(&requests_done);
++
+ return 0;
+ }
+ pr_debug("EINVAL: io_destroy: invalid context id\n");
--- /dev/null
+From b7a7723513dc89f83d6df13206df55d4dc26e825 Mon Sep 17 00:00:00 2001
+From: Sander Eikelenboom <linux@eikelenboom.it>
+Date: Fri, 2 May 2014 15:09:27 +0200
+Subject: ALSA: usb-audio: Prevent printk ratelimiting from spamming kernel log while DEBUG not defined
+
+From: Sander Eikelenboom <linux@eikelenboom.it>
+
+commit b7a7723513dc89f83d6df13206df55d4dc26e825 upstream.
+
+This (widely used) construction:
+
+if(printk_ratelimit())
+ dev_dbg()
+
+Causes the ratelimiting to spam the kernel log with the "callbacks suppressed"
+message below, even while the dev_dbg it is supposed to rate limit wouldn't
+print anything because DEBUG is not defined for this device.
+
+[ 533.803964] retire_playback_urb: 852 callbacks suppressed
+[ 538.807930] retire_playback_urb: 852 callbacks suppressed
+[ 543.811897] retire_playback_urb: 852 callbacks suppressed
+[ 548.815745] retire_playback_urb: 852 callbacks suppressed
+[ 553.819826] retire_playback_urb: 852 callbacks suppressed
+
+So use dev_dbg_ratelimited() instead of this construction.
+
+Signed-off-by: Sander Eikelenboom <linux@eikelenboom.it>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/pcm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/sound/usb/pcm.c
++++ b/sound/usb/pcm.c
+@@ -1487,9 +1487,9 @@ static void retire_playback_urb(struct s
+ * The error should be lower than 2ms since the estimate relies
+ * on two reads of a counter updated every ms.
+ */
+- if (printk_ratelimit() &&
+- abs(est_delay - subs->last_delay) * 1000 > runtime->rate * 2)
+- snd_printk(KERN_DEBUG "delay: estimated %d, actual %d\n",
++ if (abs(est_delay - subs->last_delay) * 1000 > runtime->rate * 2)
++ dev_dbg_ratelimited(&subs->dev->dev,
++ "delay: estimated %d, actual %d\n",
+ est_delay, subs->last_delay);
+
+ if (!subs->running) {
--- /dev/null
+From a5065eb6da55b226661456e6a7435f605df98111 Mon Sep 17 00:00:00 2001
+From: Tim Gardner <tim.gardner@canonical.com>
+Date: Wed, 9 Apr 2014 11:30:44 -0600
+Subject: ALSA: usb-audio: Suppress repetitive debug messages from retire_playback_urb()
+
+From: Tim Gardner <tim.gardner@canonical.com>
+
+commit a5065eb6da55b226661456e6a7435f605df98111 upstream.
+
+BugLink: http://bugs.launchpad.net/bugs/1305133
+
+Malfunctioning or slow devices can cause a flood of dmesg SPAM.
+
+I've ignored checkpatch.pl complaints about the use of printk_ratelimit() in favour
+of prior art in sound/usb/pcm.c.
+
+WARNING: Prefer printk_ratelimited or pr_<level>_ratelimited to printk_ratelimit
++ if (printk_ratelimit() &&
+
+Cc: Jaroslav Kysela <perex@perex.cz>
+Cc: Takashi Iwai <tiwai@suse.de>
+Cc: Eldad Zack <eldad@fogrefinery.com>
+Cc: Daniel Mack <zonque@gmail.com>
+Cc: Clemens Ladisch <clemens@ladisch.de>
+Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/pcm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/usb/pcm.c
++++ b/sound/usb/pcm.c
+@@ -1487,7 +1487,8 @@ static void retire_playback_urb(struct s
+ * The error should be lower than 2ms since the estimate relies
+ * on two reads of a counter updated every ms.
+ */
+- if (abs(est_delay - subs->last_delay) * 1000 > runtime->rate * 2)
++ if (printk_ratelimit() &&
++ abs(est_delay - subs->last_delay) * 1000 > runtime->rate * 2)
+ snd_printk(KERN_DEBUG "delay: estimated %d, actual %d\n",
+ est_delay, subs->last_delay);
+
--- /dev/null
+From 1ff38c56cbd095c4c0dfa581a859ba3557830f78 Mon Sep 17 00:00:00 2001
+From: Chen Gang <gang.chen.5i5j@gmail.com>
+Date: Mon, 24 Mar 2014 20:17:44 +0800
+Subject: arch/unicore32/mm/alignment.c: include "asm/pgtable.h" to avoid compiling error
+
+From: Chen Gang <gang.chen.5i5j@gmail.com>
+
+commit 1ff38c56cbd095c4c0dfa581a859ba3557830f78 upstream.
+
+Need include "asm/pgtable.h" to include "asm-generic/pgtable-nopmd.h",
+so can let 'pmd_t' defined. The related error with allmodconfig:
+
+ CC arch/unicore32/mm/alignment.o
+ In file included from arch/unicore32/mm/alignment.c:24:
+ arch/unicore32/include/asm/tlbflush.h:135: error: expected .). before .*. token
+ arch/unicore32/include/asm/tlbflush.h:154: error: expected .). before .*. token
+ In file included from arch/unicore32/mm/alignment.c:27:
+ arch/unicore32/mm/mm.h:15: error: expected .=., .,., .;., .sm. or ._attribute__. before .*. token
+ arch/unicore32/mm/mm.h:20: error: expected .=., .,., .;., .sm. or ._attribute__. before .*. token
+ arch/unicore32/mm/mm.h:25: error: expected .=., .,., .;., .sm. or ._attribute__. before .*. token
+ make[1]: *** [arch/unicore32/mm/alignment.o] Error 1
+ make: *** [arch/unicore32/mm] Error 2
+
+Signed-off-by: Chen Gang <gang.chen.5i5j@gmail.com>
+Acked-by: Xuetao Guan <gxt@mprc.pku.edu.cn>
+Signed-off-by: Xuetao Guan <gxt@mprc.pku.edu.cn>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/unicore32/mm/alignment.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/unicore32/mm/alignment.c
++++ b/arch/unicore32/mm/alignment.c
+@@ -21,6 +21,7 @@
+ #include <linux/sched.h>
+ #include <linux/uaccess.h>
+
++#include <asm/pgtable.h>
+ #include <asm/tlbflush.h>
+ #include <asm/unaligned.h>
+
--- /dev/null
+From aa589a13b5d00d3c643ee4114d8cbc3addb4e99f Mon Sep 17 00:00:00 2001
+From: Richard Guy Briggs <rgb@redhat.com>
+Date: Mon, 24 Feb 2014 12:31:11 -0500
+Subject: audit: remove superfluous new- prefix in AUDIT_LOGIN messages
+
+From: Richard Guy Briggs <rgb@redhat.com>
+
+commit aa589a13b5d00d3c643ee4114d8cbc3addb4e99f upstream.
+
+The new- prefix on ses and auid are un-necessary and break ausearch.
+
+Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
+Reported-by: Steve Grubb <sgrubb@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/auditsc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/auditsc.c
++++ b/kernel/auditsc.c
+@@ -1991,7 +1991,7 @@ static void audit_log_set_loginuid(kuid_
+ if (!ab)
+ return;
+ audit_log_format(ab, "pid=%d uid=%u"
+- " old-auid=%u new-auid=%u old-ses=%u new-ses=%u"
++ " old-auid=%u auid=%u old-ses=%u ses=%u"
+ " res=%d",
+ current->pid, uid,
+ oldloginuid, loginuid, oldsessionid, sessionid,
--- /dev/null
+From fbc6c4a13bbfb420eedfdb26a0a859f9c07e8a7b Mon Sep 17 00:00:00 2001
+From: Zhichuang SUN <sunzc522@gmail.com>
+Date: Wed, 21 May 2014 14:13:30 +0800
+Subject: drivers/video/fbdev/fb-puv3.c: Add header files for function unifb_mmap
+
+From: Zhichuang SUN <sunzc522@gmail.com>
+
+commit fbc6c4a13bbfb420eedfdb26a0a859f9c07e8a7b upstream.
+
+Function unifb_mmap calls functions which are defined in linux/mm.h
+and asm/pgtable.h
+
+The related error (for unicore32 with unicore32_defconfig):
+ CC drivers/video/fbdev/fb-puv3.o
+ drivers/video/fbdev/fb-puv3.c: In function 'unifb_mmap':
+ drivers/video/fbdev/fb-puv3.c:646: error: implicit declaration of
+ function 'vm_iomap_memory'
+ drivers/video/fbdev/fb-puv3.c:646: error: implicit declaration of
+ function 'pgprot_noncached'
+
+Signed-off-by: Zhichuang Sun <sunzc522@gmail.com>
+Cc: Jean-Christophe Plagniol-Villard <plagnioj@jcrosoft.com>
+Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Cc: Jingoo Han <jg1.han@samsung.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Joe Perches <joe@perches.com>
+Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Cc: linux-fbdev@vger.kernel.org
+Acked-by: Xuetao Guan <gxt@mprc.pku.edu.cn>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/fb-puv3.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/video/fb-puv3.c
++++ b/drivers/video/fb-puv3.c
+@@ -18,8 +18,10 @@
+ #include <linux/fb.h>
+ #include <linux/init.h>
+ #include <linux/console.h>
++#include <linux/mm.h>
+
+ #include <asm/sizes.h>
++#include <asm/pgtable.h>
+ #include <mach/hardware.h>
+
+ /* Platform_data reserved for unifb registers. */
--- /dev/null
+From b8c000d9bf23e7c1155ef421f595d1cbc25262da Mon Sep 17 00:00:00 2001
+From: Imre Deak <imre.deak@intel.com>
+Date: Mon, 2 Jun 2014 14:21:10 +0300
+Subject: drm/i915: fix display power sw state reporting
+
+From: Imre Deak <imre.deak@intel.com>
+
+commit b8c000d9bf23e7c1155ef421f595d1cbc25262da upstream.
+
+Atm, we refcount both power domains and power wells and
+intel_display_power_enabled_sw() returns the power domain refcount. What
+the callers are really interested in though is the sw state of the
+underlying power wells. Due to this we will report incorrectly that a
+given power domain is off if its power wells were enabled via another
+power domain, for example POWER_DOMAIN_INIT which enables all power
+wells.
+
+As a fix return instead the state based on the refcount of all power
+wells included in the passed in power domain.
+
+References: https://bugs.freedesktop.org/show_bug.cgi?id=79505
+References: https://bugs.freedesktop.org/show_bug.cgi?id=79038
+Reported-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Reviewed-by: Damien Lespiau <damien.lespiau@intel.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Acked-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_pm.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/intel_pm.c
++++ b/drivers/gpu/drm/i915/intel_pm.c
+@@ -5138,10 +5138,25 @@ bool intel_display_power_enabled_sw(stru
+ {
+ struct drm_i915_private *dev_priv = dev->dev_private;
+ struct i915_power_domains *power_domains;
++ struct i915_power_well *power_well;
++ bool is_enabled;
++ int i;
++
++ if (dev_priv->pm.suspended)
++ return false;
+
+ power_domains = &dev_priv->power_domains;
++ is_enabled = true;
++ for_each_power_well_rev(i, power_well, BIT(domain), power_domains) {
++ if (power_well->always_on)
++ continue;
+
+- return power_domains->domain_use_count[domain];
++ if (!power_well->count) {
++ is_enabled = false;
++ break;
++ }
++ }
++ return is_enabled;
+ }
+
+ bool intel_display_power_enabled(struct drm_device *dev,
+++ /dev/null
-From 9bd359203210efeb5d8f0d81c155079f34b47449 Mon Sep 17 00:00:00 2001
-From: NeilBrown <neilb@suse.de>
-Date: Wed, 2 Jul 2014 11:35:06 +1000
-Subject: md: make sure GET_ARRAY_INFO ioctl reports correct "clean" status
-
-From: NeilBrown <neilb@suse.de>
-
-commit 9bd359203210efeb5d8f0d81c155079f34b47449 upstream.
-
-If an array has a bitmap, the when we set the "has bitmap" flag we
-incorrectly clear the "is clean" flag.
-
-"is clean" isn't really important when a bitmap is present, but it is
-best to get it right anyway.
-
-Reported-by: George Duffield <forumscollective@gmail.com>
-Link: http://lkml.kernel.org/CAG__1a4MRV6gJL38XLAurtoSiD3rLBTmWpcS5HYvPpSfPR88UQ@mail.gmail.com
-Fixes: 36fa30636fb84b209210299684e1be66d9e58217 (v2.6.14)
-Signed-off-by: NeilBrown <neilb@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/md/md.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/md/md.c
-+++ b/drivers/md/md.c
-@@ -5620,7 +5620,7 @@ static int get_array_info(struct mddev *
- if (mddev->in_sync)
- info.state = (1<<MD_SB_CLEAN);
- if (mddev->bitmap && mddev->bitmap_info.offset)
-- info.state = (1<<MD_SB_BITMAP_PRESENT);
-+ info.state |= (1<<MD_SB_BITMAP_PRESENT);
- info.active_disks = insync;
- info.working_disks = working;
- info.failed_disks = failed;
--- /dev/null
+From 107437febd495a50e2cd09c81bbaa84d30e57b07 Mon Sep 17 00:00:00 2001
+From: Rik van Riel <riel@redhat.com>
+Date: Tue, 29 Apr 2014 15:36:15 -0400
+Subject: mm/numa: Remove BUG_ON() in __handle_mm_fault()
+
+From: Rik van Riel <riel@redhat.com>
+
+commit 107437febd495a50e2cd09c81bbaa84d30e57b07 upstream.
+
+Changing PTEs and PMDs to pte_numa & pmd_numa is done with the
+mmap_sem held for reading, which means a pmd can be instantiated
+and turned into a numa one while __handle_mm_fault() is examining
+the value of old_pmd.
+
+If that happens, __handle_mm_fault() should just return and let
+the page fault retry, instead of throwing an oops. This is
+handled by the test for pmd_trans_huge(*pmd) below.
+
+Signed-off-by: Rik van Riel <riel@redhat.com>
+Reviewed-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Reported-by: Sunil Pandey <sunil.k.pandey@intel.com>
+Signed-off-by: Peter Zijlstra <peterz@infradead.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mel Gorman <mgorman@suse.de>
+Cc: linux-mm@kvack.org
+Cc: lwoodman@redhat.com
+Cc: dave.hansen@intel.com
+Link: http://lkml.kernel.org/r/20140429153615.2d72098e@annuminas.surriel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Patrick McLean <chutzpah@gentoo.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/memory.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -3756,9 +3756,6 @@ static int __handle_mm_fault(struct mm_s
+ }
+ }
+
+- /* THP should already have been handled */
+- BUG_ON(pmd_numa(*pmd));
+-
+ /*
+ * Use __pte_alloc instead of pte_alloc_map, because we can't
+ * run pte_offset_map on the pmd, if an huge pmd could
tools-ffs-test-fix-header-values-endianess.patch
tracing-remove-ftrace_stop-start-from-reading-the-trace-file.patch
md-flush-writes-before-starting-a-recovery.patch
-md-make-sure-get_array_info-ioctl-reports-correct-clean-status.patch
irqchip-spear_shirq-fix-interrupt-offset.patch
mm-page_alloc-fix-cma-area-initialisation-when-pageblock-max_order.patch
proc-stat-convert-to-single_open_size.patch
netfilter-nf_nat-fix-oops-on-netns-removal.patch
brcmfmac-fix-brcmf_chip_ai_coredisable-not-applying-reset.patch
mmc-rtsx-add-r1-no-crc-mmc-command-type-handle.patch
+drm-i915-fix-display-power-sw-state-reporting.patch
+aio-block-io_destroy-until-all-context-requests-are-completed.patch
+audit-remove-superfluous-new-prefix-in-audit_login-messages.patch
+alsa-usb-audio-suppress-repetitive-debug-messages-from-retire_playback_urb.patch
+alsa-usb-audio-prevent-printk-ratelimiting-from-spamming-kernel-log-while-debug-not-defined.patch
+arch-unicore32-mm-alignment.c-include-asm-pgtable.h-to-avoid-compiling-error.patch
+drivers-video-fbdev-fb-puv3.c-add-header-files-for-function-unifb_mmap.patch
+mm-numa-remove-bug_on-in-__handle_mm_fault.patch
+slab-fix-oops-when-reading-proc-slab_allocators.patch
--- /dev/null
+From 03787301420376ae41fbaf4267f4a6253d152ac5 Mon Sep 17 00:00:00 2001
+From: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Date: Mon, 23 Jun 2014 13:22:06 -0700
+Subject: slab: fix oops when reading /proc/slab_allocators
+
+From: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+
+commit 03787301420376ae41fbaf4267f4a6253d152ac5 upstream.
+
+Commit b1cb0982bdd6 ("change the management method of free objects of
+the slab") introduced a bug on slab leak detector
+('/proc/slab_allocators'). This detector works like as following
+decription.
+
+ 1. traverse all objects on all the slabs.
+ 2. determine whether it is active or not.
+ 3. if active, print who allocate this object.
+
+but that commit changed the way how to manage free objects, so the logic
+determining whether it is active or not is also changed. In before, we
+regard object in cpu caches as inactive one, but, with this commit, we
+mistakenly regard object in cpu caches as active one.
+
+This intoduces kernel oops if DEBUG_PAGEALLOC is enabled. If
+DEBUG_PAGEALLOC is enabled, kernel_map_pages() is used to detect who
+corrupt free memory in the slab. It unmaps page table mapping if object
+is free and map it if object is active. When slab leak detector check
+object in cpu caches, it mistakenly think this object active so try to
+access object memory to retrieve caller of allocation. At this point,
+page table mapping to this object doesn't exist, so oops occurs.
+
+Following is oops message reported from Dave.
+
+It blew up when something tried to read /proc/slab_allocators
+(Just cat it, and you should see the oops below)
+
+ Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
+ Modules linked in:
+ [snip...]
+ CPU: 1 PID: 9386 Comm: trinity-c33 Not tainted 3.14.0-rc5+ #131
+ task: ffff8801aa46e890 ti: ffff880076924000 task.ti: ffff880076924000
+ RIP: 0010:[<ffffffffaa1a8f4a>] [<ffffffffaa1a8f4a>] handle_slab+0x8a/0x180
+ RSP: 0018:ffff880076925de0 EFLAGS: 00010002
+ RAX: 0000000000001000 RBX: 0000000000000000 RCX: 000000005ce85ce7
+ RDX: ffffea00079be100 RSI: 0000000000001000 RDI: ffff880107458000
+ RBP: ffff880076925e18 R08: 0000000000000001 R09: 0000000000000000
+ R10: 0000000000000000 R11: 000000000000000f R12: ffff8801e6f84000
+ R13: ffffea00079be100 R14: ffff880107458000 R15: ffff88022bb8d2c0
+ FS: 00007fb769e45740(0000) GS:ffff88024d040000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: ffff8801e6f84ff8 CR3: 00000000a22db000 CR4: 00000000001407e0
+ DR0: 0000000002695000 DR1: 0000000002695000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000070602
+ Call Trace:
+ leaks_show+0xce/0x240
+ seq_read+0x28e/0x490
+ proc_reg_read+0x3d/0x80
+ vfs_read+0x9b/0x160
+ SyS_read+0x58/0xb0
+ tracesys+0xd4/0xd9
+ Code: f5 00 00 00 0f 1f 44 00 00 48 63 c8 44 3b 0c 8a 0f 84 e3 00 00 00 83 c0 01 44 39 c0 72 eb 41 f6 47 1a 01 0f 84 e9 00 00 00 89 f0 <4d> 8b 4c 04 f8 4d 85 c9 0f 84 88 00 00 00 49 8b 7e 08 4d 8d 46
+ RIP handle_slab+0x8a/0x180
+
+To fix the problem, I introduce an object status buffer on each slab.
+With this, we can track object status precisely, so slab leak detector
+would not access active object and no kernel oops would occur. Memory
+overhead caused by this fix is only imposed to CONFIG_DEBUG_SLAB_LEAK
+which is mainly used for debugging, so memory overhead isn't big
+problem.
+
+Signed-off-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Reported-by: Dave Jones <davej@redhat.com>
+Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reviewed-by: Vladimir Davydov <vdavydov@parallels.com>
+Cc: Christoph Lameter <cl@linux.com>
+Cc: Pekka Enberg <penberg@kernel.org>
+Cc: David Rientjes <rientjes@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/slab.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 68 insertions(+), 21 deletions(-)
+
+--- a/mm/slab.c
++++ b/mm/slab.c
+@@ -375,6 +375,39 @@ static void **dbg_userword(struct kmem_c
+
+ #endif
+
++#define OBJECT_FREE (0)
++#define OBJECT_ACTIVE (1)
++
++#ifdef CONFIG_DEBUG_SLAB_LEAK
++
++static void set_obj_status(struct page *page, int idx, int val)
++{
++ int freelist_size;
++ char *status;
++ struct kmem_cache *cachep = page->slab_cache;
++
++ freelist_size = cachep->num * sizeof(unsigned int);
++ status = (char *)page->freelist + freelist_size;
++ status[idx] = val;
++}
++
++static inline unsigned int get_obj_status(struct page *page, int idx)
++{
++ int freelist_size;
++ char *status;
++ struct kmem_cache *cachep = page->slab_cache;
++
++ freelist_size = cachep->num * sizeof(unsigned int);
++ status = (char *)page->freelist + freelist_size;
++
++ return status[idx];
++}
++
++#else
++static inline void set_obj_status(struct page *page, int idx, int val) {}
++
++#endif
++
+ /*
+ * Do not go above this order unless 0 objects fit into the slab or
+ * overridden on the command line.
+@@ -565,9 +598,18 @@ static inline struct array_cache *cpu_ca
+ return cachep->array[smp_processor_id()];
+ }
+
+-static size_t slab_mgmt_size(size_t nr_objs, size_t align)
++static size_t calculate_freelist_size(int nr_objs, size_t align)
+ {
+- return ALIGN(nr_objs * sizeof(unsigned int), align);
++ size_t freelist_size;
++
++ freelist_size = nr_objs * sizeof(unsigned int);
++ if (IS_ENABLED(CONFIG_DEBUG_SLAB_LEAK))
++ freelist_size += nr_objs * sizeof(char);
++
++ if (align)
++ freelist_size = ALIGN(freelist_size, align);
++
++ return freelist_size;
+ }
+
+ /*
+@@ -600,6 +642,10 @@ static void cache_estimate(unsigned long
+ nr_objs = slab_size / buffer_size;
+
+ } else {
++ int extra_space = 0;
++
++ if (IS_ENABLED(CONFIG_DEBUG_SLAB_LEAK))
++ extra_space = sizeof(char);
+ /*
+ * Ignore padding for the initial guess. The padding
+ * is at most @align-1 bytes, and @buffer_size is at
+@@ -608,17 +654,18 @@ static void cache_estimate(unsigned long
+ * into the memory allocation when taking the padding
+ * into account.
+ */
+- nr_objs = (slab_size) / (buffer_size + sizeof(unsigned int));
++ nr_objs = (slab_size) /
++ (buffer_size + sizeof(unsigned int) + extra_space);
+
+ /*
+ * This calculated number will be either the right
+ * amount, or one greater than what we want.
+ */
+- if (slab_mgmt_size(nr_objs, align) + nr_objs*buffer_size
+- > slab_size)
++ if (calculate_freelist_size(nr_objs, align) >
++ slab_size - nr_objs * buffer_size)
+ nr_objs--;
+
+- mgmt_size = slab_mgmt_size(nr_objs, align);
++ mgmt_size = calculate_freelist_size(nr_objs, align);
+ }
+ *num = nr_objs;
+ *left_over = slab_size - nr_objs*buffer_size - mgmt_size;
+@@ -2011,13 +2058,16 @@ static size_t calculate_slab_order(struc
+ continue;
+
+ if (flags & CFLGS_OFF_SLAB) {
++ size_t freelist_size_per_obj = sizeof(unsigned int);
+ /*
+ * Max number of objs-per-slab for caches which
+ * use off-slab slabs. Needed to avoid a possible
+ * looping condition in cache_grow().
+ */
++ if (IS_ENABLED(CONFIG_DEBUG_SLAB_LEAK))
++ freelist_size_per_obj += sizeof(char);
+ offslab_limit = size;
+- offslab_limit /= sizeof(unsigned int);
++ offslab_limit /= freelist_size_per_obj;
+
+ if (num > offslab_limit)
+ break;
+@@ -2258,8 +2308,7 @@ __kmem_cache_create (struct kmem_cache *
+ if (!cachep->num)
+ return -E2BIG;
+
+- freelist_size =
+- ALIGN(cachep->num * sizeof(unsigned int), cachep->align);
++ freelist_size = calculate_freelist_size(cachep->num, cachep->align);
+
+ /*
+ * If the slab has been placed off-slab, and we have enough space then
+@@ -2272,7 +2321,7 @@ __kmem_cache_create (struct kmem_cache *
+
+ if (flags & CFLGS_OFF_SLAB) {
+ /* really off slab. No need for manual alignment */
+- freelist_size = cachep->num * sizeof(unsigned int);
++ freelist_size = calculate_freelist_size(cachep->num, 0);
+
+ #ifdef CONFIG_PAGE_POISONING
+ /* If we're going to use the generic kernel_map_pages()
+@@ -2589,6 +2638,7 @@ static void cache_init_objs(struct kmem_
+ if (cachep->ctor)
+ cachep->ctor(objp);
+ #endif
++ set_obj_status(page, i, OBJECT_FREE);
+ slab_freelist(page)[i] = i;
+ }
+ }
+@@ -2797,6 +2847,7 @@ static void *cache_free_debugcheck(struc
+ BUG_ON(objnr >= cachep->num);
+ BUG_ON(objp != index_to_obj(cachep, page, objnr));
+
++ set_obj_status(page, objnr, OBJECT_FREE);
+ if (cachep->flags & SLAB_POISON) {
+ #ifdef CONFIG_DEBUG_PAGEALLOC
+ if ((cachep->size % PAGE_SIZE)==0 && OFF_SLAB(cachep)) {
+@@ -2930,6 +2981,8 @@ static inline void cache_alloc_debugchec
+ static void *cache_alloc_debugcheck_after(struct kmem_cache *cachep,
+ gfp_t flags, void *objp, unsigned long caller)
+ {
++ struct page *page;
++
+ if (!objp)
+ return objp;
+ if (cachep->flags & SLAB_POISON) {
+@@ -2960,6 +3013,9 @@ static void *cache_alloc_debugcheck_afte
+ *dbg_redzone1(cachep, objp) = RED_ACTIVE;
+ *dbg_redzone2(cachep, objp) = RED_ACTIVE;
+ }
++
++ page = virt_to_head_page(objp);
++ set_obj_status(page, obj_to_index(cachep, page, objp), OBJECT_ACTIVE);
+ objp += obj_offset(cachep);
+ if (cachep->ctor && cachep->flags & SLAB_POISON)
+ cachep->ctor(objp);
+@@ -4201,21 +4257,12 @@ static void handle_slab(unsigned long *n
+ struct page *page)
+ {
+ void *p;
+- int i, j;
++ int i;
+
+ if (n[0] == n[1])
+ return;
+ for (i = 0, p = page->s_mem; i < c->num; i++, p += c->size) {
+- bool active = true;
+-
+- for (j = page->active; j < c->num; j++) {
+- /* Skip freed item */
+- if (slab_freelist(page)[j] == i) {
+- active = false;
+- break;
+- }
+- }
+- if (!active)
++ if (get_obj_status(page, i) != OBJECT_ACTIVE)
+ continue;
+
+ if (!add_caller(n, (unsigned long)*dbg_userword(c, p)))
projects / thirdparty / kernel / stable-queue.git / commitdiff
