From: Greg Kroah-Hartman
Date: Fri, 9 Aug 2013 00:08:11 +0000 (-0700)
Subject: 3.0-stable patches
X-Git-Tag: v3.0.90~11
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=460de936b8d810adfb51fc39b48dcf56befa11e9;p=thirdparty%2Fkernel%2Fstable-queue.git
3.0-stable patches
added patches:
perf-use-css_tryget-to-avoid-propping-up-css-refcount.patch
x86-fpu-correct-the-asm-constraints-for-fxsave-unbreak-mxcsr.daz.patch
---
diff --git a/queue-3.0/perf-use-css_tryget-to-avoid-propping-up-css-refcount.patch b/queue-3.0/perf-use-css_tryget-to-avoid-propping-up-css-refcount.patch
new file mode 100644
index 00000000000..15ff4e7b5bf
--- /dev/null
+++ b/queue-3.0/perf-use-css_tryget-to-avoid-propping-up-css-refcount.patch
@@ -0,0 +1,100 @@
+From 9c5da09d266ca9b32eb16cf940f8161d949c2fe5 Mon Sep 17 00:00:00 2001
+From: Salman Qazi
+Date: Thu, 14 Jun 2012 15:31:09 -0700
+Subject: perf: Use css_tryget() to avoid propping up css refcount
+
+From: Salman Qazi
+
+commit 9c5da09d266ca9b32eb16cf940f8161d949c2fe5 upstream.
+
+An rmdir pushes css's ref count to zero. However, if the associated
+directory is open at the time, the dentry ref count is non-zero. If
+the fd for this directory is then passed into perf_event_open, it
+does a css_get(). This bounces the ref count back up from zero. This
+is a problem by itself. But what makes it turn into a crash is the
+fact that we end up doing an extra dput, since we perform a dput
+when css_put sees the ref count go down to zero.
+
+css_tryget() does not fall into that trap. So, we use that instead.
+
+Reproduction test-case for the bug:
+
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ #define PERF_FLAG_PID_CGROUP (1U << 2)
+
+ int perf_event_open(struct perf_event_attr *hw_event_uptr,
+ pid_t pid, int cpu, int group_fd, unsigned long flags) {
+ return syscall(__NR_perf_event_open,hw_event_uptr, pid, cpu,
+ group_fd, flags);
+ }
+
+ /*
+ * Directly poke at the perf_event bug, since it's proving hard to repro
+ * depending on where in the kernel tree. what moved?
+ */
+ int main(int argc, char **argv)
+ {
+ int fd;
+ struct perf_event_attr attr;
+ memset(&attr, 0, sizeof(attr));
+ attr.exclude_kernel = 1;
+ attr.size = sizeof(attr);
+ mkdir("/dev/cgroup/perf_event/blah", 0777);
+ fd = open("/dev/cgroup/perf_event/blah", O_RDONLY);
+ perror("open");
+ rmdir("/dev/cgroup/perf_event/blah");
+ sleep(2);
+ perf_event_open(&attr, fd, 0, -1, PERF_FLAG_PID_CGROUP);
+ perror("perf_event_open");
+ close(fd);
+ return 0;
+ }
+
+Signed-off-by: Salman Qazi
+Signed-off-by: Peter Zijlstra
+Acked-by: Tejun Heo
+Link: http://lkml.kernel.org/r/20120614223108.1025.2503.stgit@dungbeetle.mtv.corp.google.com
+Signed-off-by: Ingo Molnar
+Cc: Li Zefan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/events/core.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -223,9 +223,9 @@ perf_cgroup_match(struct perf_event *eve
+ return !event->cgrp || event->cgrp == cpuctx->cgrp;
+ }
+
+-static inline void perf_get_cgroup(struct perf_event *event)
++static inline bool perf_tryget_cgroup(struct perf_event *event)
+ {
+- css_get(&event->cgrp->css);
++ return css_tryget(&event->cgrp->css);
+ }
+
+ static inline void perf_put_cgroup(struct perf_event *event)
+@@ -415,7 +415,11 @@ static inline int perf_cgroup_connect(in
+ event->cgrp = cgrp;
+
+ /* must be done before we fput() the file */
+- perf_get_cgroup(event);
++ if (!perf_tryget_cgroup(event)) {
++ event->cgrp = NULL;
++ ret = -ENOENT;
++ goto out;
++ }
+
+ /*
+ * all events in a group must monitor
diff --git a/queue-3.0/series b/queue-3.0/series
index 458bdcc5b33..b9b2c3ba3b7 100644
--- a/queue-3.0/series
+++ b/queue-3.0/series
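Review bot: The new failure branch in perf_cgroup_connect() has no comment of its own, and the retained `/* must be done before we fput() the file */` now sits above a conditional without saying why the reference can be refused or why `event->cgrp` is reset. I would extend it to something like `/* css may already be dead (rmdir with the directory fd still open); tryget must not revive it */` and add `/* no reference taken, so teardown must not put one */` beside `event->cgrp = NULL;`. The second comment is an inference, because the `out:` label and the event teardown path are outside the hunk. It is worth confirming in the 3.0 tree that `out` still releases the file and that nothing on the error path puts a cgroup reference that was never acquired, since that refcount imbalance is what this patch is meant to close.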
@@ -10,3 +10,5 @@ sched-fix-the-broken-sched_rr_get_interval.patch
 fanotify-info-leak-in-copy_event_to_user.patch
 maintainers-fix-up-stable_kernel_rules.txt-location.patch
 perf-fix-event-group-context-move.patch
+x86-fpu-correct-the-asm-constraints-for-fxsave-unbreak-mxcsr.daz.patch
+perf-use-css_tryget-to-avoid-propping-up-css-refcount.patch
diff --git a/queue-3.0/x86-fpu-correct-the-asm-constraints-for-fxsave-unbreak-mxcsr.daz.patch b/queue-3.0/x86-fpu-correct-the-asm-constraints-for-fxsave-unbreak-mxcsr.daz.patch
new file mode 100644
index 00000000000..5d28950e374
--- /dev/null
+++ b/queue-3.0/x86-fpu-correct-the-asm-constraints-for-fxsave-unbreak-mxcsr.daz.patch
@@ -0,0 +1,45 @@
+From eaa5a990191d204ba0f9d35dbe5505ec2cdd1460 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu"
+Date: Fri, 26 Jul 2013 09:11:56 -0700
+Subject: x86, fpu: correct the asm constraints for fxsave, unbreak mxcsr.daz
+
+From: "H.J. Lu"
+
+commit eaa5a990191d204ba0f9d35dbe5505ec2cdd1460 upstream.
+
+GCC will optimize mxcsr_feature_mask_init in arch/x86/kernel/i387.c:
+
+ memset(&fx_scratch, 0, sizeof(struct i387_fxsave_struct));
+ asm volatile("fxsave %0" : : "m" (fx_scratch));
+ mask = fx_scratch.mxcsr_mask;
+ if (mask == 0)
+ mask = 0x0000ffbf;
+
+to
+
+ memset(&fx_scratch, 0, sizeof(struct i387_fxsave_struct));
+ asm volatile("fxsave %0" : : "m" (fx_scratch));
+ mask = 0x0000ffbf;
+
+since asm statement doesn’t say it will update fx_scratch. As the
+result, the DAZ bit will be cleared. This patch fixes it. This bug
+dates back to at least kernel 2.6.12.
+
+Signed-off-by: H. Peter Anvin
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/i387.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/i387.c
++++ b/arch/x86/kernel/i387.c
+@@ -51,7 +51,7 @@ void __cpuinit mxcsr_feature_mask_init(v
+ clts();
+ if (cpu_has_fxsr) {
+ memset(&fx_scratch, 0, sizeof(struct i387_fxsave_struct));
+- asm volatile("fxsave %0" : : "m" (fx_scratch));
++ asm volatile("fxsave %0" : "+m" (fx_scratch));
+ mask = fx_scratch.mxcsr_mask;
+ if (mask == 0)
+ mask = 0x0000ffbf;
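Review bot: The `"+m" (fx_scratch)` operand in mxcsr_feature_mask_init() deserves a one-line comment, because choosing a read-write constraint over a write-only `"=m"` is not obvious and could easily be "simplified" later. Presumably `+m` both tells GCC that fxsave stores into fx_scratch and keeps the preceding memset() from being treated as a dead store, so the `mask == 0` fallback is evaluated on what the CPU actually wrote. Something like `/* "+m": fxsave writes fx_scratch, and the memset() above must stay live */` would record that. The function body starts and ends outside the hunk.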