From: Greg Kroah-Hartman Date: Sat, 17 Oct 2015 19:08:34 +0000 (-0700) Subject: 4.1-stable patches X-Git-Tag: v3.10.91~65 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4e05494b81ef6540eda3e84a697461ddf41cd97b;p=thirdparty%2Fkernel%2Fstable-queue.git 4.1-stable patches added patches: lib-iommu-common.c-do-not-try-to-deref-a-null-iommu-lazy_flush-pointer-when-n-pool-hint.patch mm-hugetlbfs-skip-shared-vmas-when-unmapping-private-pages-to-satisfy-a-fault.patch mm-migrate-hugetlb-putback-destination-hugepage-to-active-list.patch ocfs2-dlm-fix-deadlock-when-dispatch-assert-master.patch spi-fix-documentation-of-spi_alloc_master.patch spi-spi-pxa2xx-check-status-register-to-determine-if-sssr_tint-is-disabled.patch spi-spidev-fix-possible-null-dereference.patch spi-xtensa-xtfpga-fix-register-endianness.patch --- diff --git a/queue-4.1/lib-iommu-common.c-do-not-try-to-deref-a-null-iommu-lazy_flush-pointer-when-n-pool-hint.patch b/queue-4.1/lib-iommu-common.c-do-not-try-to-deref-a-null-iommu-lazy_flush-pointer-when-n-pool-hint.patch new file mode 100644 index 00000000000..ecb6598a539 --- /dev/null +++ b/queue-4.1/lib-iommu-common.c-do-not-try-to-deref-a-null-iommu-lazy_flush-pointer-when-n-pool-hint.patch @@ -0,0 +1,51 @@ +From d046b770c9fc36ccb19c27afdb8322220108cbc7 Mon Sep 17 00:00:00 2001 +From: Sowmini Varadhan +Date: Tue, 22 Sep 2015 14:59:20 -0700 +Subject: lib/iommu-common.c: do not try to deref a null iommu->lazy_flush() pointer when n < pool->hint + +From: Sowmini Varadhan + +commit d046b770c9fc36ccb19c27afdb8322220108cbc7 upstream. + +The check for invoking iommu->lazy_flush() from iommu_tbl_range_alloc() +has to be refactored so that we only call ->lazy_flush() if it is +non-null. + +I had a sparc kernel that was crashing when I was trying to process some +very large perf.data files- the crash happens when the scsi driver calls +into dma_4v_map_sg and thus the iommu_tbl_range_alloc(). + +Signed-off-by: Sowmini Varadhan +Cc: Benjamin Herrenschmidt +Cc: Guenter Roeck +Cc: David S. Miller +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + lib/iommu-common.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/lib/iommu-common.c ++++ b/lib/iommu-common.c +@@ -21,8 +21,7 @@ static DEFINE_PER_CPU(unsigned int, iomm + + static inline bool need_flush(struct iommu_map_table *iommu) + { +- return (iommu->lazy_flush != NULL && +- (iommu->flags & IOMMU_NEED_FLUSH) != 0); ++ return ((iommu->flags & IOMMU_NEED_FLUSH) != 0); + } + + static inline void set_flush(struct iommu_map_table *iommu) +@@ -211,7 +210,8 @@ unsigned long iommu_tbl_range_alloc(stru + goto bail; + } + } +- if (n < pool->hint || need_flush(iommu)) { ++ if (iommu->lazy_flush && ++ (n < pool->hint || need_flush(iommu))) { + clear_flush(iommu); + iommu->lazy_flush(iommu); + } diff --git a/queue-4.1/mm-hugetlbfs-skip-shared-vmas-when-unmapping-private-pages-to-satisfy-a-fault.patch b/queue-4.1/mm-hugetlbfs-skip-shared-vmas-when-unmapping-private-pages-to-satisfy-a-fault.patch new file mode 100644 index 00000000000..ba61e16a74b --- /dev/null +++ b/queue-4.1/mm-hugetlbfs-skip-shared-vmas-when-unmapping-private-pages-to-satisfy-a-fault.patch @@ -0,0 +1,87 @@ +From 2f84a8990ebbe235c59716896e017c6b2ca1200f Mon Sep 17 00:00:00 2001 +From: Mel Gorman +Date: Thu, 1 Oct 2015 15:36:57 -0700 +Subject: mm: hugetlbfs: skip shared VMAs when unmapping private pages to satisfy a fault + +From: Mel Gorman + +commit 2f84a8990ebbe235c59716896e017c6b2ca1200f upstream. + +SunDong reported the following on + + https://bugzilla.kernel.org/show_bug.cgi?id=103841 + + I think I find a linux bug, I have the test cases is constructed. I + can stable recurring problems in fedora22(4.0.4) kernel version, + arch for x86_64. I construct transparent huge page, when the parent + and child process with MAP_SHARE, MAP_PRIVATE way to access the same + huge page area, it has the opportunity to lead to huge page copy on + write failure, and then it will munmap the child corresponding mmap + area, but then the child mmap area with VM_MAYSHARE attributes, child + process munmap this area can trigger VM_BUG_ON in set_vma_resv_flags + functions (vma - > vm_flags & VM_MAYSHARE). + +There were a number of problems with the report (e.g. it's hugetlbfs that +triggers this, not transparent huge pages) but it was fundamentally +correct in that a VM_BUG_ON in set_vma_resv_flags() can be triggered that +looks like this + + vma ffff8804651fd0d0 start 00007fc474e00000 end 00007fc475e00000 + next ffff8804651fd018 prev ffff8804651fd188 mm ffff88046b1b1800 + prot 8000000000000027 anon_vma (null) vm_ops ffffffff8182a7a0 + pgoff 0 file ffff88106bdb9800 private_data (null) + flags: 0x84400fb(read|write|shared|mayread|maywrite|mayexec|mayshare|dontexpand|hugetlb) + ------------ + kernel BUG at mm/hugetlb.c:462! + SMP + Modules linked in: xt_pkttype xt_LOG xt_limit [..] + CPU: 38 PID: 26839 Comm: map Not tainted 4.0.4-default #1 + Hardware name: Dell Inc. PowerEdge R810/0TT6JF, BIOS 2.7.4 04/26/2012 + set_vma_resv_flags+0x2d/0x30 + +The VM_BUG_ON is correct because private and shared mappings have +different reservation accounting but the warning clearly shows that the +VMA is shared. + +When a private COW fails to allocate a new page then only the process +that created the VMA gets the page -- all the children unmap the page. +If the children access that data in the future then they get killed. + +The problem is that the same file is mapped shared and private. During +the COW, the allocation fails, the VMAs are traversed to unmap the other +private pages but a shared VMA is found and the bug is triggered. This +patch identifies such VMAs and skips them. + +Signed-off-by: Mel Gorman +Reported-by: SunDong +Reviewed-by: Michal Hocko +Cc: Andrea Arcangeli +Cc: Hugh Dickins +Cc: Naoya Horiguchi +Cc: David Rientjes +Reviewed-by: Naoya Horiguchi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/hugetlb.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -2897,6 +2897,14 @@ static void unmap_ref_private(struct mm_ + continue; + + /* ++ * Shared VMAs have their own reserves and do not affect ++ * MAP_PRIVATE accounting but it is possible that a shared ++ * VMA is using the same page so check and skip such VMAs. ++ */ ++ if (iter_vma->vm_flags & VM_MAYSHARE) ++ continue; ++ ++ /* + * Unmap the page from other VMAs without their own reserves. + * They get marked to be SIGKILLed if they fault in these + * areas. This is because a future no-page fault on this VMA diff --git a/queue-4.1/mm-migrate-hugetlb-putback-destination-hugepage-to-active-list.patch b/queue-4.1/mm-migrate-hugetlb-putback-destination-hugepage-to-active-list.patch new file mode 100644 index 00000000000..cc088273ae4 --- /dev/null +++ b/queue-4.1/mm-migrate-hugetlb-putback-destination-hugepage-to-active-list.patch @@ -0,0 +1,41 @@ +From 3aaa76e125c1dd58c9b599baa8c6021896874c12 Mon Sep 17 00:00:00 2001 +From: Naoya Horiguchi +Date: Tue, 22 Sep 2015 14:59:14 -0700 +Subject: mm: migrate: hugetlb: putback destination hugepage to active list + +From: Naoya Horiguchi + +commit 3aaa76e125c1dd58c9b599baa8c6021896874c12 upstream. + +Since commit bcc54222309c ("mm: hugetlb: introduce page_huge_active") +each hugetlb page maintains its active flag to avoid a race condition +betwe= en multiple calls of isolate_huge_page(), but current kernel +doesn't set the f= lag on a hugepage allocated by migration because the +proper putback routine isn= 't called. This means that users could +still encounter the race referred to by bcc54222309c in this special +case, so this patch fixes it. + +Fixes: bcc54222309c ("mm: hugetlb: introduce page_huge_active") +Signed-off-by: Naoya Horiguchi +Cc: Michal Hocko +Cc: Andi Kleen +Cc: Hugh Dickins +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/migrate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/migrate.c ++++ b/mm/migrate.c +@@ -1062,7 +1062,7 @@ out: + if (rc != MIGRATEPAGE_SUCCESS && put_new_page) + put_new_page(new_hpage, private); + else +- put_page(new_hpage); ++ putback_active_hugepage(new_hpage); + + if (result) { + if (rc) diff --git a/queue-4.1/ocfs2-dlm-fix-deadlock-when-dispatch-assert-master.patch b/queue-4.1/ocfs2-dlm-fix-deadlock-when-dispatch-assert-master.patch new file mode 100644 index 00000000000..5ad18df0990 --- /dev/null +++ b/queue-4.1/ocfs2-dlm-fix-deadlock-when-dispatch-assert-master.patch @@ -0,0 +1,104 @@ +From 012572d4fc2e4ddd5c8ec8614d51414ec6cae02a Mon Sep 17 00:00:00 2001 +From: Joseph Qi +Date: Tue, 22 Sep 2015 14:59:20 -0700 +Subject: ocfs2/dlm: fix deadlock when dispatch assert master + +From: Joseph Qi + +commit 012572d4fc2e4ddd5c8ec8614d51414ec6cae02a upstream. + +The order of the following three spinlocks should be: +dlm_domain_lock < dlm_ctxt->spinlock < dlm_lock_resource->spinlock + +But dlm_dispatch_assert_master() is called while holding +dlm_ctxt->spinlock and dlm_lock_resource->spinlock, and then it calls +dlm_grab() which will take dlm_domain_lock. + +Once another thread (for example, dlm_query_join_handler) has already +taken dlm_domain_lock, and tries to take dlm_ctxt->spinlock deadlock +happens. + +Signed-off-by: Joseph Qi +Cc: Joel Becker +Cc: Mark Fasheh +Cc: "Junxiao Bi" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ocfs2/dlm/dlmmaster.c | 9 ++++++--- + fs/ocfs2/dlm/dlmrecovery.c | 8 ++++++-- + 2 files changed, 12 insertions(+), 5 deletions(-) + +--- a/fs/ocfs2/dlm/dlmmaster.c ++++ b/fs/ocfs2/dlm/dlmmaster.c +@@ -1439,6 +1439,7 @@ int dlm_master_request_handler(struct o2 + int found, ret; + int set_maybe; + int dispatch_assert = 0; ++ int dispatched = 0; + + if (!dlm_grab(dlm)) + return DLM_MASTER_RESP_NO; +@@ -1658,15 +1659,18 @@ send_response: + mlog(ML_ERROR, "failed to dispatch assert master work\n"); + response = DLM_MASTER_RESP_ERROR; + dlm_lockres_put(res); +- } else ++ } else { ++ dispatched = 1; + __dlm_lockres_grab_inflight_worker(dlm, res); ++ } + spin_unlock(&res->spinlock); + } else { + if (res) + dlm_lockres_put(res); + } + +- dlm_put(dlm); ++ if (!dispatched) ++ dlm_put(dlm); + return response; + } + +@@ -2090,7 +2094,6 @@ int dlm_dispatch_assert_master(struct dl + + + /* queue up work for dlm_assert_master_worker */ +- dlm_grab(dlm); /* get an extra ref for the work item */ + dlm_init_work_item(dlm, item, dlm_assert_master_worker, NULL); + item->u.am.lockres = res; /* already have a ref */ + /* can optionally ignore node numbers higher than this node */ +--- a/fs/ocfs2/dlm/dlmrecovery.c ++++ b/fs/ocfs2/dlm/dlmrecovery.c +@@ -1694,6 +1694,7 @@ int dlm_master_requery_handler(struct o2 + unsigned int hash; + int master = DLM_LOCK_RES_OWNER_UNKNOWN; + u32 flags = DLM_ASSERT_MASTER_REQUERY; ++ int dispatched = 0; + + if (!dlm_grab(dlm)) { + /* since the domain has gone away on this +@@ -1719,8 +1720,10 @@ int dlm_master_requery_handler(struct o2 + dlm_put(dlm); + /* sender will take care of this and retry */ + return ret; +- } else ++ } else { ++ dispatched = 1; + __dlm_lockres_grab_inflight_worker(dlm, res); ++ } + spin_unlock(&res->spinlock); + } else { + /* put.. incase we are not the master */ +@@ -1730,7 +1733,8 @@ int dlm_master_requery_handler(struct o2 + } + spin_unlock(&dlm->spinlock); + +- dlm_put(dlm); ++ if (!dispatched) ++ dlm_put(dlm); + return master; + } + diff --git a/queue-4.1/series b/queue-4.1/series index 7f3c593a314..9adb09e6242 100644 --- a/queue-4.1/series +++ b/queue-4.1/series @@ -50,3 +50,11 @@ leds-led-class-add-missing-put_device.patch sched-core-fix-task_dead-race-in-finish_task_switch.patch s390-compat-correct-uc_sigmask-of-the-compat-signal-frame.patch s390-boot-decompression-disable-floating-point-in-decompressor.patch +spi-fix-documentation-of-spi_alloc_master.patch +spi-xtensa-xtfpga-fix-register-endianness.patch +spi-spi-pxa2xx-check-status-register-to-determine-if-sssr_tint-is-disabled.patch +spi-spidev-fix-possible-null-dereference.patch +mm-migrate-hugetlb-putback-destination-hugepage-to-active-list.patch +lib-iommu-common.c-do-not-try-to-deref-a-null-iommu-lazy_flush-pointer-when-n-pool-hint.patch +ocfs2-dlm-fix-deadlock-when-dispatch-assert-master.patch +mm-hugetlbfs-skip-shared-vmas-when-unmapping-private-pages-to-satisfy-a-fault.patch diff --git a/queue-4.1/spi-fix-documentation-of-spi_alloc_master.patch b/queue-4.1/spi-fix-documentation-of-spi_alloc_master.patch new file mode 100644 index 00000000000..2336a2bb658 --- /dev/null +++ b/queue-4.1/spi-fix-documentation-of-spi_alloc_master.patch @@ -0,0 +1,47 @@ +From a394d635193b641f2c86ead5ada5b115d57c51f8 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Sun, 6 Sep 2015 01:46:54 +0300 +Subject: spi: Fix documentation of spi_alloc_master() + +From: Guenter Roeck + +commit a394d635193b641f2c86ead5ada5b115d57c51f8 upstream. + +Actually, spi_master_put() after spi_alloc_master() must _not_ be followed +by kfree(). The memory is already freed with the call to spi_master_put() +through spi_master_class, which registers a release function. Calling both +spi_master_put() and kfree() results in often nasty (and delayed) crashes +elsewhere in the kernel, often in the networking stack. + +This reverts commit eb4af0f5349235df2e4a5057a72fc8962d00308a. + +Link to patch and concerns: https://lkml.org/lkml/2012/9/3/269 +or +http://lkml.iu.edu/hypermail/linux/kernel/1209.0/00790.html + +Alexey Klimov: This revert becomes valid after +94c69f765f1b4a658d96905ec59928e3e3e07e6a when spi-imx.c +has been fixed and there is no need to call kfree() so comment +for spi_alloc_master() should be fixed. + +Signed-off-by: Guenter Roeck +Signed-off-by: Alexey Klimov +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -1427,8 +1427,7 @@ static struct class spi_master_class = { + * + * The caller is responsible for assigning the bus number and initializing + * the master's methods before calling spi_register_master(); and (after errors +- * adding the device) calling spi_master_put() and kfree() to prevent a memory +- * leak. ++ * adding the device) calling spi_master_put() to prevent a memory leak. + */ + struct spi_master *spi_alloc_master(struct device *dev, unsigned size) + { diff --git a/queue-4.1/spi-spi-pxa2xx-check-status-register-to-determine-if-sssr_tint-is-disabled.patch b/queue-4.1/spi-spi-pxa2xx-check-status-register-to-determine-if-sssr_tint-is-disabled.patch new file mode 100644 index 00000000000..6ca83a56234 --- /dev/null +++ b/queue-4.1/spi-spi-pxa2xx-check-status-register-to-determine-if-sssr_tint-is-disabled.patch @@ -0,0 +1,46 @@ +From 02bc933ebb59208f42c2e6305b2c17fd306f695d Mon Sep 17 00:00:00 2001 +From: "Tan, Jui Nee" +Date: Tue, 1 Sep 2015 10:22:51 +0800 +Subject: spi: spi-pxa2xx: Check status register to determine if SSSR_TINT is disabled + +From: "Tan, Jui Nee" + +commit 02bc933ebb59208f42c2e6305b2c17fd306f695d upstream. + +On Intel Baytrail, there is case when interrupt handler get called, no SPI +message is captured. The RX FIFO is indeed empty when RX timeout pending +interrupt (SSSR_TINT) happens. + +Use the BIOS version where both HSUART and SPI are on the same IRQ. Both +drivers are using IRQF_SHARED when calling the request_irq function. When +running two separate and independent SPI and HSUART application that +generate data traffic on both components, user will see messages like +below on the console: + + pxa2xx-spi pxa2xx-spi.0: bad message state in interrupt handler + +This commit will fix this by first checking Receiver Time-out Interrupt, +if it is disabled, ignore the request and return without servicing. + +Signed-off-by: Tan, Jui Nee +Acked-by: Jarkko Nikula +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-pxa2xx.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/spi/spi-pxa2xx.c ++++ b/drivers/spi/spi-pxa2xx.c +@@ -624,6 +624,10 @@ static irqreturn_t ssp_int(int irq, void + if (!(sccr1_reg & SSCR1_TIE)) + mask &= ~SSSR_TFS; + ++ /* Ignore RX timeout interrupt if it is disabled */ ++ if (!(sccr1_reg & SSCR1_TINTE)) ++ mask &= ~SSSR_TINT; ++ + if (!(status & mask)) + return IRQ_NONE; + diff --git a/queue-4.1/spi-spidev-fix-possible-null-dereference.patch b/queue-4.1/spi-spidev-fix-possible-null-dereference.patch new file mode 100644 index 00000000000..c7621136af4 --- /dev/null +++ b/queue-4.1/spi-spidev-fix-possible-null-dereference.patch @@ -0,0 +1,36 @@ +From dd85ebf681ef0ee1fc985c353dd45e8b53b5dc1e Mon Sep 17 00:00:00 2001 +From: Sudip Mukherjee +Date: Thu, 10 Sep 2015 16:48:13 +0530 +Subject: spi: spidev: fix possible NULL dereference + +From: Sudip Mukherjee + +commit dd85ebf681ef0ee1fc985c353dd45e8b53b5dc1e upstream. + +During the last close we are freeing spidev if spidev->spi is NULL, but +just before checking if spidev->spi is NULL we are dereferencing it. +Lets add a check there to avoid the NULL dereference. + +Fixes: 9169051617df ("spi: spidev: Don't mangle max_speed_hz in underlying spi device") +Signed-off-by: Sudip Mukherjee +Reviewed-by: Jarkko Nikula +Tested-by: Jarkko Nikula +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spidev.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/spi/spidev.c ++++ b/drivers/spi/spidev.c +@@ -664,7 +664,8 @@ static int spidev_release(struct inode * + kfree(spidev->rx_buffer); + spidev->rx_buffer = NULL; + +- spidev->speed_hz = spidev->spi->max_speed_hz; ++ if (spidev->spi) ++ spidev->speed_hz = spidev->spi->max_speed_hz; + + /* ... after we unbound from the underlying device? */ + spin_lock_irq(&spidev->spi_lock); diff --git a/queue-4.1/spi-xtensa-xtfpga-fix-register-endianness.patch b/queue-4.1/spi-xtensa-xtfpga-fix-register-endianness.patch new file mode 100644 index 00000000000..675124039dc --- /dev/null +++ b/queue-4.1/spi-xtensa-xtfpga-fix-register-endianness.patch @@ -0,0 +1,38 @@ +From b0b4855099e301c8603ea37da9a0103a96c2e0b1 Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Tue, 22 Sep 2015 14:32:03 +0300 +Subject: spi: xtensa-xtfpga: fix register endianness + +From: Max Filippov + +commit b0b4855099e301c8603ea37da9a0103a96c2e0b1 upstream. + +XTFPGA SPI controller has native endian registers. +Fix register acessors so that they work in big-endian configurations. + +Signed-off-by: Max Filippov +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-xtensa-xtfpga.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/spi/spi-xtensa-xtfpga.c ++++ b/drivers/spi/spi-xtensa-xtfpga.c +@@ -34,13 +34,13 @@ struct xtfpga_spi { + static inline void xtfpga_spi_write32(const struct xtfpga_spi *spi, + unsigned addr, u32 val) + { +- iowrite32(val, spi->regs + addr); ++ __raw_writel(val, spi->regs + addr); + } + + static inline unsigned int xtfpga_spi_read32(const struct xtfpga_spi *spi, + unsigned addr) + { +- return ioread32(spi->regs + addr); ++ return __raw_readl(spi->regs + addr); + } + + static inline void xtfpga_spi_wait_busy(struct xtfpga_spi *xspi)