From: Greg Kroah-Hartman
Date: Tue, 1 Mar 2016 22:18:00 +0000 (-0800)
Subject: 3.10-stable patches
X-Git-Tag: v3.10.99~8
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=351a2f9710a6a993190fde608e5b2709b674a549;p=thirdparty%2Fkernel%2Fstable-queue.git
3.10-stable patches
added patches:
do_last-don-t-let-a-bogus-return-value-from-open-et.al.-to-confuse-us.patch
kernel-resource.c-fix-muxed-resource-handling-in-__request_region.patch
kvm-async_pf-do-not-warn-on-page-allocation-failures.patch
nfs-fix-nfs_size_to_loff_t.patch
sunrpc-cache-fix-off-by-one-in-qword_get.patch
tracing-fix-showing-function-event-in-available_events.patch
xen-pcifront-fix-mysterious-crashes-when-numa-locality-information-was-extracted.patch
---
diff --git a/queue-3.10/do_last-don-t-let-a-bogus-return-value-from-open-et.al.-to-confuse-us.patch b/queue-3.10/do_last-don-t-let-a-bogus-return-value-from-open-et.al.-to-confuse-us.patch
new file mode 100644
index 00000000000..b45f95bd83b
--- /dev/null
+++ b/queue-3.10/do_last-don-t-let-a-bogus-return-value-from-open-et.al.-to-confuse-us.patch
@@ -0,0 +1,35 @@
+From c80567c82ae4814a41287618e315a60ecf513be6 Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Sat, 27 Feb 2016 19:17:33 -0500
+Subject: do_last(): don't let a bogus return value from ->open() et.al. to confuse us
+
+From: Al Viro
+
+commit c80567c82ae4814a41287618e315a60ecf513be6 upstream.
+
+... into returning a positive to path_openat(), which would interpret that
+as "symlink had been encountered" and proceed to corrupt memory, etc.
+It can only happen due to a bug in some ->open() instance or in some LSM
+hook, etc., so we report any such event *and* make sure it doesn't trick
+us into further unpleasantness.
+
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/namei.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -2917,6 +2917,10 @@ opened:
+ goto exit_fput;
+ }
+ out:
++ if (unlikely(error > 0)) {
++ WARN_ON(1);
++ error = -EINVAL;
++ }
+ if (got_write)
+ mnt_drop_write(nd->path.mnt);
+ path_put(&save_parent);
diff --git a/queue-3.10/kernel-resource.c-fix-muxed-resource-handling-in-__request_region.patch b/queue-3.10/kernel-resource.c-fix-muxed-resource-handling-in-__request_region.patch
new file mode 100644
index 00000000000..e58f96d2d8b
--- /dev/null
+++ b/queue-3.10/kernel-resource.c-fix-muxed-resource-handling-in-__request_region.patch
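Review bot: The new `error > 0` guard at `out:` carries no explanation of why a positive value is impossible there or what it would mean, and `WARN_ON(1)` discards the value that tripped it; the rationale exists only in the changelog. A comment above the check would keep it with the code, e.g. `/* A positive error here would be misread by path_openat() as "symlink encountered"; it can only come from a buggy ->open() or LSM hook, so report it and fail the open. */`, and `WARN(1, "do_last: bogus positive return %d\n", error);` would additionally log the offending value. do_last() begins and ends outside the hunk.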
@@ -0,0 +1,53 @@
+From 59ceeaaf355fa0fb16558ef7c24413c804932ada Mon Sep 17 00:00:00 2001
+From: Simon Guinot
+Date: Thu, 10 Sep 2015 00:15:18 +0200
+Subject: kernel/resource.c: fix muxed resource handling in __request_region()
+
+From: Simon Guinot
+
+commit 59ceeaaf355fa0fb16558ef7c24413c804932ada upstream.
+
+In __request_region, if a conflict with a BUSY and MUXED resource is
+detected, then the caller goes to sleep and waits for the resource to be
+released. A pointer on the conflicting resource is kept. At wake-up
+this pointer is used as a parent to retry to request the region.
+
+A first problem is that this pointer might well be invalid (if for
+example the conflicting resource have already been freed). Another
+problem is that the next call to __request_region() fails to detect a
+remaining conflict. The previously conflicting resource is passed as a
+parameter and __request_region() will look for a conflict among the
+children of this resource and not at the resource itself. It is likely
+to succeed anyway, even if there is still a conflict.
+
+Instead, the parent of the conflicting resource should be passed to
+__request_region().
+
+As a fix, this patch doesn't update the parent resource pointer in the
+case we have to wait for a muxed region right after.
+
+Reported-and-tested-by: Vincent Pelletier
+Signed-off-by: Simon Guinot
+Tested-by: Vincent Donnefort
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/resource.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/kernel/resource.c
++++ b/kernel/resource.c
+@@ -961,9 +961,10 @@ struct resource * __request_region(struc
+ if (!conflict)
+ break;
+ if (conflict != parent) {
+- parent = conflict;
+- if (!(conflict->flags & IORESOURCE_BUSY))
++ if (!(conflict->flags & IORESOURCE_BUSY)) {
++ parent = conflict;
+ continue;
++ }
+ }
+ if (conflict->flags & flags & IORESOURCE_MUXED) {
+ add_wait_queue(&muxed_resource_wait, &wait);
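Review bot: The new branch advances `parent` only for a non-BUSY conflict, but nothing in the code says why a BUSY conflict must leave `parent` untouched for the retry; the reasoning (the conflicting resource may be freed while we sleep, and searching under it would miss a conflict with the resource itself) lives only in the changelog. A comment on the new `if`, `/* Only descend into a non-busy conflict; a busy one is waited on below (MUXED) or, presumably, rejected, and the retry must search again from this parent, which the conflict may not outlive. */`, would keep that invariant next to the code. The wait-and-retry path after the MUXED test and the start and end of __request_region() are outside the hunk.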
diff --git a/queue-3.10/kvm-async_pf-do-not-warn-on-page-allocation-failures.patch b/queue-3.10/kvm-async_pf-do-not-warn-on-page-allocation-failures.patch
new file mode 100644
index 00000000000..cfd1c3e4b1a
--- /dev/null
+++ b/queue-3.10/kvm-async_pf-do-not-warn-on-page-allocation-failures.patch
@@ -0,0 +1,52 @@
+From d7444794a02ff655eda87e3cc54e86b940e7736f Mon Sep 17 00:00:00 2001
+From: Christian Borntraeger
+Date: Fri, 19 Feb 2016 13:11:46 +0100
+Subject: KVM: async_pf: do not warn on page allocation failures
+
+From: Christian Borntraeger
+
+commit d7444794a02ff655eda87e3cc54e86b940e7736f upstream.
+
+In async_pf we try to allocate with NOWAIT to get an element quickly
+or fail. This code also handle failures gracefully. Lets silence
+potential page allocation failures under load.
+
+qemu-system-s39: page allocation failure: order:0,mode:0x2200000
+[...]
+Call Trace:
+([<00000000001146b8>] show_trace+0xf8/0x148)
+[<000000000011476a>] show_stack+0x62/0xe8
+[<00000000004a36b8>] dump_stack+0x70/0x98
+[<0000000000272c3a>] warn_alloc_failed+0xd2/0x148
+[<000000000027709e>] __alloc_pages_nodemask+0x94e/0xb38
+[<00000000002cd36a>] new_slab+0x382/0x400
+[<00000000002cf7ac>] ___slab_alloc.constprop.30+0x2dc/0x378
+[<00000000002d03d0>] kmem_cache_alloc+0x160/0x1d0
+[<0000000000133db4>] kvm_setup_async_pf+0x6c/0x198
+[<000000000013dee8>] kvm_arch_vcpu_ioctl_run+0xd48/0xd58
+[<000000000012fcaa>] kvm_vcpu_ioctl+0x372/0x690
+[<00000000002f66f6>] do_vfs_ioctl+0x3be/0x510
+[<00000000002f68ec>] SyS_ioctl+0xa4/0xb8
+[<0000000000781c5e>] system_call+0xd6/0x264
+[<000003ffa24fa06a>] 0x3ffa24fa06a
+
+Signed-off-by: Christian Borntraeger
+Reviewed-by: Dominik Dingel
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ virt/kvm/async_pf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/virt/kvm/async_pf.c
++++ b/virt/kvm/async_pf.c
+@@ -158,7 +158,7 @@ int kvm_setup_async_pf(struct kvm_vcpu *
+ * do alloc nowait since if we are going to sleep anyway we
+ * may as well sleep faulting in page
+ */
+- work = kmem_cache_zalloc(async_pf_cache, GFP_NOWAIT);
++ work = kmem_cache_zalloc(async_pf_cache, GFP_NOWAIT | __GFP_NOWARN);
+ if (!work)
+ return 0;
+ 
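Review bot: The comment directly above the allocation still explains only GFP_NOWAIT, so the reason for the new `__GFP_NOWARN` is visible only in the changelog and a later cleanup could drop the flag without noticing. Extend the comment, e.g. `* may as well sleep faulting in page.  __GFP_NOWARN because a failed` / `* allocation is handled by the return 0 below and would otherwise spam` / `* the log under load.`. kvm_setup_async_pf() begins and ends outside the hunk.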
diff --git a/queue-3.10/nfs-fix-nfs_size_to_loff_t.patch b/queue-3.10/nfs-fix-nfs_size_to_loff_t.patch
new file mode 100644
index 00000000000..b14b72ce188
--- /dev/null
+++ b/queue-3.10/nfs-fix-nfs_size_to_loff_t.patch
@@ -0,0 +1,39 @@
+From 50ab8ec74a153eb30db26529088bc57dd700b24c Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig
+Date: Mon, 8 Feb 2016 21:11:50 +0100
+Subject: nfs: fix nfs_size_to_loff_t
+
+From: Christoph Hellwig
+
+commit 50ab8ec74a153eb30db26529088bc57dd700b24c upstream.
+
+See http: //www.infradead.org/rpr.html
+X-Evolution-Source: 1451162204.2173.11@leira.trondhjem.org
+Content-Transfer-Encoding: 8bit
+Mime-Version: 1.0
+
+We support OFFSET_MAX just fine, so don't round down below it. Also
+switch to using min_t to make the helper more readable.
+
+Signed-off-by: Christoph Hellwig
+Fixes: 433c92379d9c ("NFS: Clean up nfs_size_to_loff_t()")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/nfs_fs.h | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/include/linux/nfs_fs.h
++++ b/include/linux/nfs_fs.h
+@@ -578,9 +578,7 @@ static inline void nfs3_forget_cached_ac
+
+ static inline loff_t nfs_size_to_loff_t(__u64 size)
+ {
+- if (size > (__u64) OFFSET_MAX - 1)
+- return OFFSET_MAX - 1;
+- return (loff_t) size;
++ return min_t(u64, size, OFFSET_MAX);
+ }
+
+ static inline ino_t
diff --git a/queue-3.10/series b/queue-3.10/series
index 08960710c9d..88d48770404 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
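Review bot: `min_t(u64, size, OFFSET_MAX)` yields a u64 that is implicitly narrowed to the loff_t return type; that is lossless only because the clamp bound is OFFSET_MAX itself, and the one-liner no longer shows the bound the removed explicit `(loff_t)` cast made visible. A short comment, `/* result <= OFFSET_MAX, so the u64 -> loff_t conversion cannot overflow */`, would record why the cast is unnecessary. The changelog also carries stray mail headers (`See http: //www.infradead.org/rpr.html`, `X-Evolution-Source`, `Content-Transfer-Encoding`, `Mime-Version`) that are not part of the description; they are presumably copied from the upstream commit text, so this is only a readability remark.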
@@ -71,3 +71,10 @@ rfkill-fix-rfkill_fop_read-wait_event-usage.patch
 revert-workqueue-make-sure-delayed-work-run-in-local-cpu.patch
 libata-fix-sff-host-state-machine-locking-while-polling.patch
 pci-aer-flush-workqueue-on-device-remove-to-avoid-use-after-free.patch
+nfs-fix-nfs_size_to_loff_t.patch
+kvm-async_pf-do-not-warn-on-page-allocation-failures.patch
+tracing-fix-showing-function-event-in-available_events.patch
+sunrpc-cache-fix-off-by-one-in-qword_get.patch
+kernel-resource.c-fix-muxed-resource-handling-in-__request_region.patch
+do_last-don-t-let-a-bogus-return-value-from-open-et.al.-to-confuse-us.patch
+xen-pcifront-fix-mysterious-crashes-when-numa-locality-information-was-extracted.patch
diff --git a/queue-3.10/sunrpc-cache-fix-off-by-one-in-qword_get.patch b/queue-3.10/sunrpc-cache-fix-off-by-one-in-qword_get.patch
new file mode 100644
index 00000000000..704768f90d6
--- /dev/null
+++ b/queue-3.10/sunrpc-cache-fix-off-by-one-in-qword_get.patch
@@ -0,0 +1,48 @@
+From b7052cd7bcf3c1478796e93e3dff2b44c9e82943 Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi
+Date: Thu, 18 Feb 2016 18:55:54 +0000
+Subject: sunrpc/cache: fix off-by-one in qword_get()
+
+From: Stefan Hajnoczi
+
+commit b7052cd7bcf3c1478796e93e3dff2b44c9e82943 upstream.
+
+The qword_get() function NUL-terminates its output buffer. If the input
+string is in hex format \xXXXX... and the same length as the output
+buffer, there is an off-by-one:
+
+ int qword_get(char **bpp, char *dest, int bufsize)
+ {
+ ...
+ while (len < bufsize) {
+ ...
+ *dest++ = (h << 4) | l;
+ len++;
+ }
+ ...
+ *dest = '\0';
+ return len;
+ }
+
+This patch ensures the NUL terminator doesn't fall outside the output
+buffer.
+
+Signed-off-by: Stefan Hajnoczi
+Signed-off-by: J. Bruce Fields
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/sunrpc/cache.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sunrpc/cache.c
++++ b/net/sunrpc/cache.c
+@@ -1221,7 +1221,7 @@ int qword_get(char **bpp, char *dest, in
+ if (bp[0] == '\\' && bp[1] == 'x') {
+ /* HEX STRING */
+ bp += 2;
+- while (len < bufsize) {
++ while (len < bufsize - 1) {
+ int h, l;
+
+ h = hex_to_bin(bp[0]);
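Review bot: `while (len < bufsize - 1)` now reserves the terminator byte, but with `bufsize == 0` the bound is -1, the loop is skipped, and the unconditional `*dest = '\0'` quoted in the changelog excerpt (outside the hunk) still writes one byte into a zero-length buffer; callers presumably never pass 0, but either an early `if (bufsize < 1) return -1;` or a comment stating the `bufsize >= 1` precondition would make that explicit. It is also worth confirming that when the loop stops at `bufsize - 1` with hex digits still unread, the code after the loop rejects the over-long token rather than silently truncating it; that check, like the start and end of qword_get(), is outside the hunk.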
@@ -0,0 +1,54 @@
+From d045437a169f899dfb0f6f7ede24cc042543ced9 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Red Hat)"
+Date: Wed, 24 Feb 2016 09:04:24 -0500
+Subject: tracing: Fix showing function event in available_events
+
+From: Steven Rostedt (Red Hat)
+
+commit d045437a169f899dfb0f6f7ede24cc042543ced9 upstream.
+
+The ftrace:function event is only displayed for parsing the function tracer
+data. It is not used to enable function tracing, and does not include an
+"enable" file in its event directory.
+
+Originally, this event was kept separate from other events because it did
+not have a ->reg parameter. But perf added a "reg" parameter for its use
+which caused issues, because it made the event available to functions where
+it was not compatible for.
+
+Commit 9b63776fa3ca9 "tracing: Do not enable function event with enable"
+added a TRACE_EVENT_FL_IGNORE_ENABLE flag that prevented the function event
+from being enabled by normal trace events. But this commit missed keeping
+the function event from being displayed by the "available_events" directory,
+which is used to show what events can be enabled by set_event.
+
+One documented way to enable all events is to:
+
+ cat available_events > set_event
+
+But because the function event is displayed in the available_events, this
+now causes an INVALID error:
+
+ cat: write error: Invalid argument
+
+Reported-by: Chunyu Hu
+Fixes: 9b63776fa3ca9 "tracing: Do not enable function event with enable"
+Signed-off-by: Steven Rostedt
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/trace/trace_events.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_events.c
++++ b/kernel/trace/trace_events.c
+@@ -602,7 +602,8 @@ t_next(struct seq_file *m, void *v, loff
+ * The ftrace subsystem is for showing formats only.
+ * They can not be enabled or disabled via the event files.
+ */
+- if (call->class && call->class->reg)
++ if (call->class && call->class->reg &&
++ !(call->flags & TRACE_EVENT_FL_IGNORE_ENABLE))
+ return file;
+ }
+
diff --git a/queue-3.10/xen-pcifront-fix-mysterious-crashes-when-numa-locality-information-was-extracted.patch b/queue-3.10/xen-pcifront-fix-mysterious-crashes-when-numa-locality-information-was-extracted.patch
new file mode 100644
index 00000000000..4288e5818fb
--- /dev/null
+++ b/queue-3.10/xen-pcifront-fix-mysterious-crashes-when-numa-locality-information-was-extracted.patch
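Review bot: The comment above the changed condition still says only that ftrace events "can not be enabled or disabled via the event files", while the new `!(call->flags & TRACE_EVENT_FL_IGNORE_ENABLE)` test also hides every flagged event from available_events; the comment should name the flag so the two stay in sync, e.g. append `* Events flagged TRACE_EVENT_FL_IGNORE_ENABLE are skipped here too, so that` / `* "cat available_events > set_event" does not fail on them.`. t_next() begins and ends outside the hunk.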
@@ -0,0 +1,111 @@
+From 4d8c8bd6f2062c9988817183a91fe2e623c8aa5e Mon Sep 17 00:00:00 2001
+From: Konrad Rzeszutek Wilk
+Date: Thu, 11 Feb 2016 16:10:26 -0500
+Subject: xen/pcifront: Fix mysterious crashes when NUMA locality information was extracted.
+
+From: Konrad Rzeszutek Wilk
+
+commit 4d8c8bd6f2062c9988817183a91fe2e623c8aa5e upstream.
+
+Occasionaly PV guests would crash with:
+
+pciback 0000:00:00.1: Xen PCI mapped GSI0 to IRQ16
+BUG: unable to handle kernel paging request at 0000000d1a8c0be0
+.. snip..
+ ] find_next_bit+0xb/0x10
+ [] cpumask_next_and+0x22/0x40
+ [] pci_device_probe+0xb8/0x120
+ [] ? driver_sysfs_add+0x77/0xa0
+ [] driver_probe_device+0x1a4/0x2d0
+ [] ? pci_match_device+0xdd/0x110
+ [] __device_attach_driver+0xa7/0xb0
+ [] ? __driver_attach+0xa0/0xa0
+ [] bus_for_each_drv+0x62/0x90
+ [] __device_attach+0xbd/0x110
+ [] device_attach+0xb/0x10
+ [] pci_bus_add_device+0x3c/0x70
+ [] pci_bus_add_devices+0x38/0x80
+ [] pcifront_scan_root+0x13e/0x1a0
+ [] pcifront_backend_changed+0x262/0x60b
+ [] ? xenbus_gather+0xd6/0x160
+ [] ? put_object+0x2f/0x50
+ [] xenbus_otherend_changed+0x9d/0xa0
+ [] backend_changed+0xe/0x10
+ [] xenwatch_thread+0xc8/0x190
+ [] ? woken_wake_function+0x10/0x10
+
+which was the result of two things:
+
+When we call pci_scan_root_bus we would pass in 'sd' (sysdata)
+pointer which was an 'pcifront_sd' structure. However in the
+pci_device_add it expects that the 'sd' is 'struct sysdata' and
+sets the dev->node to what is in sd->node (offset 4):
+
+set_dev_node(&dev->dev, pcibus_to_node(bus));
+
+ __pcibus_to_node(const struct pci_bus *bus)
+{
+ const struct pci_sysdata *sd = bus->sysdata;
+
+ return sd->node;
+}
+
+However our structure was pcifront_sd which had nothing at that
+offset:
+
+struct pcifront_sd {
+ int domain; /* 0 4 */
+ /* XXX 4 bytes hole, try to pack */
+ struct pcifront_device * pdev; /* 8 8 */
+}
+
+That is an hole - filled with garbage as we used kmalloc instead of
+kzalloc (the second problem).
+
+This patch fixes the issue by:
+ 1) Use kzalloc to initialize to a well known state.
+ 2) Put 'struct pci_sysdata' at the start of 'pcifront_sd'. That
+ way access to the 'node' will access the right offset.
+
+Signed-off-by: Konrad Rzeszutek Wilk
+Reviewed-by: Boris Ostrovsky
+Signed-off-by: David Vrabel
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pci/xen-pcifront.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/pci/xen-pcifront.c
++++ b/drivers/pci/xen-pcifront.c
+@@ -51,7 +51,7 @@ struct pcifront_device {
+ };
+
+ struct pcifront_sd {
+- int domain;
++ struct pci_sysdata sd;
+ struct pcifront_device *pdev;
+ };
+
+@@ -65,7 +65,9 @@ static inline void pcifront_init_sd(stru
+ unsigned int domain, unsigned int bus,
+ struct pcifront_device *pdev)
+ {
+- sd->domain = domain;
++ /* Because we do not expose that information via XenBus. */
++ sd->sd.node = first_online_node;
++ sd->sd.domain = domain;
+ sd->pdev = pdev;
+ }
+
+@@ -463,8 +465,8 @@ static int pcifront_scan_root(struct pci
+ dev_info(&pdev->xdev->dev, "Creating PCI Frontend Bus %04x:%02x\n",
+ domain, bus);
+
+- bus_entry = kmalloc(sizeof(*bus_entry), GFP_KERNEL);
+- sd = kmalloc(sizeof(*sd), GFP_KERNEL);
++ bus_entry = kzalloc(sizeof(*bus_entry), GFP_KERNEL);
++ sd = kzalloc(sizeof(*sd), GFP_KERNEL);
+ if (!bus_entry || !sd) {
+ err = -ENOMEM;
+ goto err_out;
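Review bot: After the change pcifront_init_sd() initialises only `node` and `domain` of the embedded `struct pci_sysdata` and leaves every other member to whatever the caller put there; the one visible caller, pcifront_scan_root(), now uses kzalloc, but the helper itself does not state that precondition, so any other caller that allocates with kmalloc (none is visible from here) would reintroduce the garbage this commit fixes. Add `/* Caller must pass a zeroed sd: only node and domain are set here. */` to pcifront_init_sd(), or zero the struct inside the helper. The new comment `Because we do not expose that information via XenBus.` also reads better when it names the information, e.g. `/* XenBus carries no NUMA locality for the bus, so default to the first online node. */`. pcifront_scan_root() continues outside the hunk.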