From: Greg Kroah-Hartman Date: Wed, 4 Mar 2015 05:21:06 +0000 (-0800) Subject: 3.19-stable patches X-Git-Tag: v3.10.71~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4f2d3d66071d472363a458b2cd58c80e8364dc9e;p=thirdparty%2Fkernel%2Fstable-queue.git 3.19-stable patches added patches: blk-throttle-check-stats_cpu-before-reading-it-from-sysfs.patch btrfs-fix-fsync-data-loss-after-adding-hard-link-to-inode.patch btrfs-fix-leak-of-path-in-btrfs_find_item.patch btrfs-set-proper-message-level-for-skinny-metadata.patch clocksource-mtk-fix-race-conditions-in-probe-code.patch edac-amd64_edac-prevent-oops-with-16-memory-controllers.patch gpio-tps65912-fix-wrong-container_of-arguments.patch gpiolib-of-allow-of_gpiochip_find_and_xlate-to-find-more-than-one-chip-per-node.patch jffs2-fix-handling-of-corrupted-summary-length.patch libceph-fix-double-__remove_osd-problem.patch md-raid1-fix-read-balance-when-a-drive-is-write-mostly.patch md-raid5-fix-livelock-when-array-is-both-resyncing-and-degraded.patch metag-fix-kstk_eip-and-kstk_esp-macros.patch perf-tools-fix-probing-for-perf_flag_fd_cloexec-flag.patch samsung-laptop-add-use_native_backlight-quirk-and-enable-it-on-some-models.patch sb_edac-fix-detection-on-snb-machines.patch x86-efi-avoid-triple-faults-during-efi-mixed-mode-calls.patch x86-irq-fix-regression-caused-by-commit-b568b8601f05.patch x86-mm-aslr-fix-stack-randomization-on-64-bit-systems.patch x86-pmc-atom-assign-debugfs-node-as-soon-as-possible.patch xfs-fix-quota-type-in-quota-structures-when-reusing-quota-file.patch --- diff --git a/queue-3.19/blk-throttle-check-stats_cpu-before-reading-it-from-sysfs.patch b/queue-3.19/blk-throttle-check-stats_cpu-before-reading-it-from-sysfs.patch new file mode 100644 index 00000000000..cc25a7b6d73 --- /dev/null +++ b/queue-3.19/blk-throttle-check-stats_cpu-before-reading-it-from-sysfs.patch @@ -0,0 +1,121 @@ +From 045c47ca306acf30c740c285a77a4b4bda6be7c5 Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Mon, 16 Feb 2015 17:16:45 -0200 +Subject: blk-throttle: check stats_cpu before reading it from sysfs + +From: Thadeu Lima de Souza Cascardo + +commit 045c47ca306acf30c740c285a77a4b4bda6be7c5 upstream. + +When reading blkio.throttle.io_serviced in a recently created blkio +cgroup, it's possible to race against the creation of a throttle policy, +which delays the allocation of stats_cpu. + +Like other functions in the throttle code, just checking for a NULL +stats_cpu prevents the following oops caused by that race. + +[ 1117.285199] Unable to handle kernel paging request for data at address 0x7fb4d0020 +[ 1117.285252] Faulting instruction address: 0xc0000000003efa2c +[ 1137.733921] Oops: Kernel access of bad area, sig: 11 [#1] +[ 1137.733945] SMP NR_CPUS=2048 NUMA PowerNV +[ 1137.734025] Modules linked in: bridge stp llc kvm_hv kvm binfmt_misc autofs4 +[ 1137.734102] CPU: 3 PID: 5302 Comm: blkcgroup Not tainted 3.19.0 #5 +[ 1137.734132] task: c000000f1d188b00 ti: c000000f1d210000 task.ti: c000000f1d210000 +[ 1137.734167] NIP: c0000000003efa2c LR: c0000000003ef9f0 CTR: c0000000003ef980 +[ 1137.734202] REGS: c000000f1d213500 TRAP: 0300 Not tainted (3.19.0) +[ 1137.734230] MSR: 9000000000009032 CR: 42008884 XER: 20000000 +[ 1137.734325] CFAR: 0000000000008458 DAR: 00000007fb4d0020 DSISR: 40000000 SOFTE: 0 +GPR00: c0000000003ed3a0 c000000f1d213780 c000000000c59538 0000000000000000 +GPR04: 0000000000000800 0000000000000000 0000000000000000 0000000000000000 +GPR08: ffffffffffffffff 00000007fb4d0020 00000007fb4d0000 c000000000780808 +GPR12: 0000000022000888 c00000000fdc0d80 0000000000000000 0000000000000000 +GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +GPR20: 000001003e120200 c000000f1d5b0cc0 0000000000000200 0000000000000000 +GPR24: 0000000000000001 c000000000c269e0 0000000000000020 c000000f1d5b0c80 +GPR28: c000000000ca3a08 c000000000ca3dec c000000f1c667e00 c000000f1d213850 +[ 1137.734886] NIP [c0000000003efa2c] .tg_prfill_cpu_rwstat+0xac/0x180 +[ 1137.734915] LR [c0000000003ef9f0] .tg_prfill_cpu_rwstat+0x70/0x180 +[ 1137.734943] Call Trace: +[ 1137.734952] [c000000f1d213780] [d000000005560520] 0xd000000005560520 (unreliable) +[ 1137.734996] [c000000f1d2138a0] [c0000000003ed3a0] .blkcg_print_blkgs+0xe0/0x1a0 +[ 1137.735039] [c000000f1d213960] [c0000000003efb50] .tg_print_cpu_rwstat+0x50/0x70 +[ 1137.735082] [c000000f1d2139e0] [c000000000104b48] .cgroup_seqfile_show+0x58/0x150 +[ 1137.735125] [c000000f1d213a70] [c0000000002749dc] .kernfs_seq_show+0x3c/0x50 +[ 1137.735161] [c000000f1d213ae0] [c000000000218630] .seq_read+0xe0/0x510 +[ 1137.735197] [c000000f1d213bd0] [c000000000275b04] .kernfs_fop_read+0x164/0x200 +[ 1137.735240] [c000000f1d213c80] [c0000000001eb8e0] .__vfs_read+0x30/0x80 +[ 1137.735276] [c000000f1d213cf0] [c0000000001eb9c4] .vfs_read+0x94/0x1b0 +[ 1137.735312] [c000000f1d213d90] [c0000000001ebb38] .SyS_read+0x58/0x100 +[ 1137.735349] [c000000f1d213e30] [c000000000009218] syscall_exit+0x0/0x98 +[ 1137.735383] Instruction dump: +[ 1137.735405] 7c6307b4 7f891800 409d00b8 60000000 60420000 3d420004 392a63b0 786a1f24 +[ 1137.735471] 7d49502a e93e01c8 7d495214 7d2ad214 <7cead02a> e9090008 e9490010 e9290018 + +And here is one code that allows to easily reproduce this, although this +has first been found by running docker. + +void run(pid_t pid) +{ + int n; + int status; + int fd; + char *buffer; + buffer = memalign(BUFFER_ALIGN, BUFFER_SIZE); + n = snprintf(buffer, BUFFER_SIZE, "%d\n", pid); + fd = open(CGPATH "/test/tasks", O_WRONLY); + write(fd, buffer, n); + close(fd); + if (fork() > 0) { + fd = open("/dev/sda", O_RDONLY | O_DIRECT); + read(fd, buffer, 512); + close(fd); + wait(&status); + } else { + fd = open(CGPATH "/test/blkio.throttle.io_serviced", O_RDONLY); + n = read(fd, buffer, BUFFER_SIZE); + close(fd); + } + free(buffer); + exit(0); +} + +void test(void) +{ + int status; + mkdir(CGPATH "/test", 0666); + if (fork() > 0) + wait(&status); + else + run(getpid()); + rmdir(CGPATH "/test"); +} + +int main(int argc, char **argv) +{ + int i; + for (i = 0; i < NR_TESTS; i++) + test(); + return 0; +} + +Reported-by: Ricardo Marin Matinata +Signed-off-by: Thadeu Lima de Souza Cascardo +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-throttle.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/block/blk-throttle.c ++++ b/block/blk-throttle.c +@@ -1292,6 +1292,9 @@ static u64 tg_prfill_cpu_rwstat(struct s + struct blkg_rwstat rwstat = { }, tmp; + int i, cpu; + ++ if (tg->stats_cpu == NULL) ++ return 0; ++ + for_each_possible_cpu(cpu) { + struct tg_stats_cpu *sc = per_cpu_ptr(tg->stats_cpu, cpu); + diff --git a/queue-3.19/btrfs-fix-fsync-data-loss-after-adding-hard-link-to-inode.patch b/queue-3.19/btrfs-fix-fsync-data-loss-after-adding-hard-link-to-inode.patch new file mode 100644 index 00000000000..7c71bd10247 --- /dev/null +++ b/queue-3.19/btrfs-fix-fsync-data-loss-after-adding-hard-link-to-inode.patch @@ -0,0 +1,300 @@ +From 1a4bcf470c886b955adf36486f4c86f2441d85cb Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Fri, 13 Feb 2015 12:30:56 +0000 +Subject: Btrfs: fix fsync data loss after adding hard link to inode + +From: Filipe Manana + +commit 1a4bcf470c886b955adf36486f4c86f2441d85cb upstream. + +We have a scenario where after the fsync log replay we can lose file data +that had been previously fsync'ed if we added an hard link for our inode +and after that we sync'ed the fsync log (for example by fsync'ing some +other file or directory). + +This is because when adding an hard link we updated the inode item in the +log tree with an i_size value of 0. At that point the new inode item was +in memory only and a subsequent fsync log replay would not make us lose +the file data. However if after adding the hard link we sync the log tree +to disk, by fsync'ing some other file or directory for example, we ended +up losing the file data after log replay, because the inode item in the +persisted log tree had an an i_size of zero. + +This is easy to reproduce, and the following excerpt from my test for +xfstests shows this: + + _scratch_mkfs >> $seqres.full 2>&1 + _init_flakey + _mount_flakey + + # Create one file with data and fsync it. + # This made the btrfs fsync log persist the data and the inode metadata with + # a correct inode->i_size (4096 bytes). + $XFS_IO_PROG -f -c "pwrite -S 0xaa -b 4K 0 4K" -c "fsync" \ + $SCRATCH_MNT/foo | _filter_xfs_io + + # Now add one hard link to our file. This made the btrfs code update the fsync + # log, in memory only, with an inode metadata having a size of 0. + ln $SCRATCH_MNT/foo $SCRATCH_MNT/foo_link + + # Now force persistence of the fsync log to disk, for example, by fsyncing some + # other file. + touch $SCRATCH_MNT/bar + $XFS_IO_PROG -c "fsync" $SCRATCH_MNT/bar + + # Before a power loss or crash, we could read the 4Kb of data from our file as + # expected. + echo "File content before:" + od -t x1 $SCRATCH_MNT/foo + + # Simulate a crash/power loss. + _load_flakey_table $FLAKEY_DROP_WRITES + _unmount_flakey + + _load_flakey_table $FLAKEY_ALLOW_WRITES + _mount_flakey + + # After the fsync log replay, because the fsync log had a value of 0 for our + # inode's i_size, we couldn't read anymore the 4Kb of data that we previously + # wrote and fsync'ed. The size of the file became 0 after the fsync log replay. + echo "File content after:" + od -t x1 $SCRATCH_MNT/foo + +Another alternative test, that doesn't need to fsync an inode in the same +transaction it was created, is: + + _scratch_mkfs >> $seqres.full 2>&1 + _init_flakey + _mount_flakey + + # Create our test file with some data. + $XFS_IO_PROG -f -c "pwrite -S 0xaa -b 8K 0 8K" \ + $SCRATCH_MNT/foo | _filter_xfs_io + + # Make sure the file is durably persisted. + sync + + # Append some data to our file, to increase its size. + $XFS_IO_PROG -f -c "pwrite -S 0xcc -b 4K 8K 4K" \ + $SCRATCH_MNT/foo | _filter_xfs_io + + # Fsync the file, so from this point on if a crash/power failure happens, our + # new data is guaranteed to be there next time the fs is mounted. + $XFS_IO_PROG -c "fsync" $SCRATCH_MNT/foo + + # Add one hard link to our file. This made btrfs write into the in memory fsync + # log a special inode with generation 0 and an i_size of 0 too. Note that this + # didn't update the inode in the fsync log on disk. + ln $SCRATCH_MNT/foo $SCRATCH_MNT/foo_link + + # Now make sure the in memory fsync log is durably persisted. + # Creating and fsync'ing another file will do it. + touch $SCRATCH_MNT/bar + $XFS_IO_PROG -c "fsync" $SCRATCH_MNT/bar + + # As expected, before the crash/power failure, we should be able to read the + # 12Kb of file data. + echo "File content before:" + od -t x1 $SCRATCH_MNT/foo + + # Simulate a crash/power loss. + _load_flakey_table $FLAKEY_DROP_WRITES + _unmount_flakey + + _load_flakey_table $FLAKEY_ALLOW_WRITES + _mount_flakey + + # After mounting the fs again, the fsync log was replayed. + # The btrfs fsync log replay code didn't update the i_size of the persisted + # inode because the inode item in the log had a special generation with a + # value of 0 (and it couldn't know the correct i_size, since that inode item + # had a 0 i_size too). This made the last 4Kb of file data inaccessible and + # effectively lost. + echo "File content after:" + od -t x1 $SCRATCH_MNT/foo + +This isn't a new issue/regression. This problem has been around since the +log tree code was added in 2008: + + Btrfs: Add a write ahead tree log to optimize synchronous operations + (commit e02119d5a7b4396c5a872582fddc8bd6d305a70a) + +Test cases for xfstests follow soon. + +Signed-off-by: Filipe Manana +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/tree-log.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 73 insertions(+), 9 deletions(-) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -488,8 +488,20 @@ insert: + src_item = (struct btrfs_inode_item *)src_ptr; + dst_item = (struct btrfs_inode_item *)dst_ptr; + +- if (btrfs_inode_generation(eb, src_item) == 0) ++ if (btrfs_inode_generation(eb, src_item) == 0) { ++ struct extent_buffer *dst_eb = path->nodes[0]; ++ ++ if (S_ISREG(btrfs_inode_mode(eb, src_item)) && ++ S_ISREG(btrfs_inode_mode(dst_eb, dst_item))) { ++ struct btrfs_map_token token; ++ u64 ino_size = btrfs_inode_size(eb, src_item); ++ ++ btrfs_init_map_token(&token); ++ btrfs_set_token_inode_size(dst_eb, dst_item, ++ ino_size, &token); ++ } + goto no_copy; ++ } + + if (overwrite_root && + S_ISDIR(btrfs_inode_mode(eb, src_item)) && +@@ -3228,7 +3240,8 @@ static int drop_objectid_items(struct bt + static void fill_inode_item(struct btrfs_trans_handle *trans, + struct extent_buffer *leaf, + struct btrfs_inode_item *item, +- struct inode *inode, int log_inode_only) ++ struct inode *inode, int log_inode_only, ++ u64 logged_isize) + { + struct btrfs_map_token token; + +@@ -3241,7 +3254,7 @@ static void fill_inode_item(struct btrfs + * to say 'update this inode with these values' + */ + btrfs_set_token_inode_generation(leaf, item, 0, &token); +- btrfs_set_token_inode_size(leaf, item, 0, &token); ++ btrfs_set_token_inode_size(leaf, item, logged_isize, &token); + } else { + btrfs_set_token_inode_generation(leaf, item, + BTRFS_I(inode)->generation, +@@ -3293,7 +3306,7 @@ static int log_inode_item(struct btrfs_t + return ret; + inode_item = btrfs_item_ptr(path->nodes[0], path->slots[0], + struct btrfs_inode_item); +- fill_inode_item(trans, path->nodes[0], inode_item, inode, 0); ++ fill_inode_item(trans, path->nodes[0], inode_item, inode, 0, 0); + btrfs_release_path(path); + return 0; + } +@@ -3302,7 +3315,8 @@ static noinline int copy_items(struct bt + struct inode *inode, + struct btrfs_path *dst_path, + struct btrfs_path *src_path, u64 *last_extent, +- int start_slot, int nr, int inode_only) ++ int start_slot, int nr, int inode_only, ++ u64 logged_isize) + { + unsigned long src_offset; + unsigned long dst_offset; +@@ -3359,7 +3373,8 @@ static noinline int copy_items(struct bt + dst_path->slots[0], + struct btrfs_inode_item); + fill_inode_item(trans, dst_path->nodes[0], inode_item, +- inode, inode_only == LOG_INODE_EXISTS); ++ inode, inode_only == LOG_INODE_EXISTS, ++ logged_isize); + } else { + copy_extent_buffer(dst_path->nodes[0], src, dst_offset, + src_offset, ins_sizes[i]); +@@ -3911,6 +3926,33 @@ process: + return ret; + } + ++static int logged_inode_size(struct btrfs_root *log, struct inode *inode, ++ struct btrfs_path *path, u64 *size_ret) ++{ ++ struct btrfs_key key; ++ int ret; ++ ++ key.objectid = btrfs_ino(inode); ++ key.type = BTRFS_INODE_ITEM_KEY; ++ key.offset = 0; ++ ++ ret = btrfs_search_slot(NULL, log, &key, path, 0, 0); ++ if (ret < 0) { ++ return ret; ++ } else if (ret > 0) { ++ *size_ret = i_size_read(inode); ++ } else { ++ struct btrfs_inode_item *item; ++ ++ item = btrfs_item_ptr(path->nodes[0], path->slots[0], ++ struct btrfs_inode_item); ++ *size_ret = btrfs_inode_size(path->nodes[0], item); ++ } ++ ++ btrfs_release_path(path); ++ return 0; ++} ++ + /* log a single inode in the tree log. + * At least one parent directory for this inode must exist in the tree + * or be logged already. +@@ -3948,6 +3990,7 @@ static int btrfs_log_inode(struct btrfs_ + bool fast_search = false; + u64 ino = btrfs_ino(inode); + struct extent_map_tree *em_tree = &BTRFS_I(inode)->extent_tree; ++ u64 logged_isize = 0; + + path = btrfs_alloc_path(); + if (!path) +@@ -4001,6 +4044,25 @@ static int btrfs_log_inode(struct btrfs_ + max_key_type = BTRFS_XATTR_ITEM_KEY; + ret = drop_objectid_items(trans, log, path, ino, max_key_type); + } else { ++ if (inode_only == LOG_INODE_EXISTS) { ++ /* ++ * Make sure the new inode item we write to the log has ++ * the same isize as the current one (if it exists). ++ * This is necessary to prevent data loss after log ++ * replay, and also to prevent doing a wrong expanding ++ * truncate - for e.g. create file, write 4K into offset ++ * 0, fsync, write 4K into offset 4096, add hard link, ++ * fsync some other file (to sync log), power fail - if ++ * we use the inode's current i_size, after log replay ++ * we get a 8Kb file, with the last 4Kb extent as a hole ++ * (zeroes), as if an expanding truncate happened, ++ * instead of getting a file of 4Kb only. ++ */ ++ err = logged_inode_size(log, inode, path, ++ &logged_isize); ++ if (err) ++ goto out_unlock; ++ } + if (test_and_clear_bit(BTRFS_INODE_NEEDS_FULL_SYNC, + &BTRFS_I(inode)->runtime_flags)) { + clear_bit(BTRFS_INODE_COPY_EVERYTHING, +@@ -4056,7 +4118,8 @@ again: + } + + ret = copy_items(trans, inode, dst_path, path, &last_extent, +- ins_start_slot, ins_nr, inode_only); ++ ins_start_slot, ins_nr, inode_only, ++ logged_isize); + if (ret < 0) { + err = ret; + goto out_unlock; +@@ -4080,7 +4143,7 @@ next_slot: + if (ins_nr) { + ret = copy_items(trans, inode, dst_path, path, + &last_extent, ins_start_slot, +- ins_nr, inode_only); ++ ins_nr, inode_only, logged_isize); + if (ret < 0) { + err = ret; + goto out_unlock; +@@ -4101,7 +4164,8 @@ next_slot: + } + if (ins_nr) { + ret = copy_items(trans, inode, dst_path, path, &last_extent, +- ins_start_slot, ins_nr, inode_only); ++ ins_start_slot, ins_nr, inode_only, ++ logged_isize); + if (ret < 0) { + err = ret; + goto out_unlock; diff --git a/queue-3.19/btrfs-fix-leak-of-path-in-btrfs_find_item.patch b/queue-3.19/btrfs-fix-leak-of-path-in-btrfs_find_item.patch new file mode 100644 index 00000000000..b7cc18cea47 --- /dev/null +++ b/queue-3.19/btrfs-fix-leak-of-path-in-btrfs_find_item.patch @@ -0,0 +1,113 @@ +From 381cf6587f8a8a8e981bc0c1aaaa8859b51dc756 Mon Sep 17 00:00:00 2001 +From: David Sterba +Date: Fri, 2 Jan 2015 18:45:16 +0100 +Subject: btrfs: fix leak of path in btrfs_find_item + +From: David Sterba + +commit 381cf6587f8a8a8e981bc0c1aaaa8859b51dc756 upstream. + +If btrfs_find_item is called with NULL path it allocates one locally but +does not free it. Affected paths are inserting an orphan item for a file +and for a subvol root. + +Move the path allocation to the callers. + +Fixes: 3f870c289900 ("btrfs: expand btrfs_find_item() to include find_orphan_item functionality") +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/ctree.c | 17 ++++------------- + fs/btrfs/disk-io.c | 9 ++++++++- + fs/btrfs/tree-log.c | 11 ++++++++++- + 3 files changed, 22 insertions(+), 15 deletions(-) + +--- a/fs/btrfs/ctree.c ++++ b/fs/btrfs/ctree.c +@@ -2609,32 +2609,23 @@ static int key_search(struct extent_buff + return 0; + } + +-int btrfs_find_item(struct btrfs_root *fs_root, struct btrfs_path *found_path, ++int btrfs_find_item(struct btrfs_root *fs_root, struct btrfs_path *path, + u64 iobjectid, u64 ioff, u8 key_type, + struct btrfs_key *found_key) + { + int ret; + struct btrfs_key key; + struct extent_buffer *eb; +- struct btrfs_path *path; ++ ++ ASSERT(path); + + key.type = key_type; + key.objectid = iobjectid; + key.offset = ioff; + +- if (found_path == NULL) { +- path = btrfs_alloc_path(); +- if (!path) +- return -ENOMEM; +- } else +- path = found_path; +- + ret = btrfs_search_slot(NULL, fs_root, &key, path, 0, 0); +- if ((ret < 0) || (found_key == NULL)) { +- if (path != found_path) +- btrfs_free_path(path); ++ if ((ret < 0) || (found_key == NULL)) + return ret; +- } + + eb = path->nodes[0]; + if (ret && path->slots[0] >= btrfs_header_nritems(eb)) { +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -1630,6 +1630,7 @@ struct btrfs_root *btrfs_get_fs_root(str + bool check_ref) + { + struct btrfs_root *root; ++ struct btrfs_path *path; + int ret; + + if (location->objectid == BTRFS_ROOT_TREE_OBJECTID) +@@ -1669,8 +1670,14 @@ again: + if (ret) + goto fail; + +- ret = btrfs_find_item(fs_info->tree_root, NULL, BTRFS_ORPHAN_OBJECTID, ++ path = btrfs_alloc_path(); ++ if (!path) { ++ ret = -ENOMEM; ++ goto fail; ++ } ++ ret = btrfs_find_item(fs_info->tree_root, path, BTRFS_ORPHAN_OBJECTID, + location->objectid, BTRFS_ORPHAN_ITEM_KEY, NULL); ++ btrfs_free_path(path); + if (ret < 0) + goto fail; + if (ret == 0) +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -1257,10 +1257,19 @@ static int insert_orphan_item(struct btr + struct btrfs_root *root, u64 offset) + { + int ret; +- ret = btrfs_find_item(root, NULL, BTRFS_ORPHAN_OBJECTID, ++ struct btrfs_path *path; ++ ++ path = btrfs_alloc_path(); ++ if (!path) ++ return -ENOMEM; ++ ++ ret = btrfs_find_item(root, path, BTRFS_ORPHAN_OBJECTID, + offset, BTRFS_ORPHAN_ITEM_KEY, NULL); + if (ret > 0) + ret = btrfs_insert_orphan_item(trans, root, offset); ++ ++ btrfs_free_path(path); ++ + return ret; + } + diff --git a/queue-3.19/btrfs-set-proper-message-level-for-skinny-metadata.patch b/queue-3.19/btrfs-set-proper-message-level-for-skinny-metadata.patch new file mode 100644 index 00000000000..5d1ff8b9bf4 --- /dev/null +++ b/queue-3.19/btrfs-set-proper-message-level-for-skinny-metadata.patch @@ -0,0 +1,31 @@ +From 5efa0490cc94aee06cd8d282683e22a8ce0a0026 Mon Sep 17 00:00:00 2001 +From: David Sterba +Date: Fri, 19 Dec 2014 18:38:47 +0100 +Subject: btrfs: set proper message level for skinny metadata + +From: David Sterba + +commit 5efa0490cc94aee06cd8d282683e22a8ce0a0026 upstream. + +This has been confusing people for too long, the message is really just +informative. + +Signed-off-by: David Sterba +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/disk-io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -2498,7 +2498,7 @@ int open_ctree(struct super_block *sb, + features |= BTRFS_FEATURE_INCOMPAT_COMPRESS_LZO; + + if (features & BTRFS_FEATURE_INCOMPAT_SKINNY_METADATA) +- printk(KERN_ERR "BTRFS: has skinny extents\n"); ++ printk(KERN_INFO "BTRFS: has skinny extents\n"); + + /* + * flag our filesystem as having big metadata blocks if diff --git a/queue-3.19/clocksource-mtk-fix-race-conditions-in-probe-code.patch b/queue-3.19/clocksource-mtk-fix-race-conditions-in-probe-code.patch new file mode 100644 index 00000000000..529cd9f2c90 --- /dev/null +++ b/queue-3.19/clocksource-mtk-fix-race-conditions-in-probe-code.patch @@ -0,0 +1,65 @@ +From d4a19eb3b15a4ba98f627182f48d5bc0cffae670 Mon Sep 17 00:00:00 2001 +From: Matthias Brugger +Date: Thu, 19 Feb 2015 11:41:33 +0100 +Subject: clocksource: mtk: Fix race conditions in probe code + +From: Matthias Brugger + +commit d4a19eb3b15a4ba98f627182f48d5bc0cffae670 upstream. + +We have two race conditions in the probe code which could lead to a null +pointer dereference in the interrupt handler. + +The interrupt handler accesses the clockevent device, which may not yet be +registered. + +First race condition happens when the interrupt handler gets registered before +the interrupts get disabled. The second race condition happens when the +interrupts get enabled, but the clockevent device is not yet registered. + +Fix that by disabling the interrupts before we register the interrupt and enable +the interrupts after the clockevent device got registered. + +Reported-by: Gongbae Park +Signed-off-by: Matthias Brugger +Signed-off-by: Daniel Lezcano +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clocksource/mtk_timer.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/clocksource/mtk_timer.c ++++ b/drivers/clocksource/mtk_timer.c +@@ -224,6 +224,8 @@ static void __init mtk_timer_init(struct + } + rate = clk_get_rate(clk); + ++ mtk_timer_global_reset(evt); ++ + if (request_irq(evt->dev.irq, mtk_timer_interrupt, + IRQF_TIMER | IRQF_IRQPOLL, "mtk_timer", evt)) { + pr_warn("failed to setup irq %d\n", evt->dev.irq); +@@ -232,8 +234,6 @@ static void __init mtk_timer_init(struct + + evt->ticks_per_jiffy = DIV_ROUND_UP(rate, HZ); + +- mtk_timer_global_reset(evt); +- + /* Configure clock source */ + mtk_timer_setup(evt, GPT_CLK_SRC, TIMER_CTRL_OP_FREERUN); + clocksource_mmio_init(evt->gpt_base + TIMER_CNT_REG(GPT_CLK_SRC), +@@ -241,10 +241,11 @@ static void __init mtk_timer_init(struct + + /* Configure clock event */ + mtk_timer_setup(evt, GPT_CLK_EVT, TIMER_CTRL_OP_REPEAT); +- mtk_timer_enable_irq(evt, GPT_CLK_EVT); +- + clockevents_config_and_register(&evt->dev, rate, 0x3, + 0xffffffff); ++ ++ mtk_timer_enable_irq(evt, GPT_CLK_EVT); ++ + return; + + err_clk_disable: diff --git a/queue-3.19/edac-amd64_edac-prevent-oops-with-16-memory-controllers.patch b/queue-3.19/edac-amd64_edac-prevent-oops-with-16-memory-controllers.patch new file mode 100644 index 00000000000..6024f4318e6 --- /dev/null +++ b/queue-3.19/edac-amd64_edac-prevent-oops-with-16-memory-controllers.patch @@ -0,0 +1,96 @@ +From 0c510cc83bdbaac8406f4f7caef34f4da0ba35ea Mon Sep 17 00:00:00 2001 +From: Daniel J Blueman +Date: Tue, 17 Feb 2015 11:34:38 +0800 +Subject: EDAC, amd64_edac: Prevent OOPS with >16 memory controllers + +From: Daniel J Blueman + +commit 0c510cc83bdbaac8406f4f7caef34f4da0ba35ea upstream. + +When DRAM errors occur on memory controllers after EDAC_MAX_MCS (16), +the kernel fatally dereferences unallocated structures, see splat below; +this occurs on at least NumaConnect systems. + +Fix by checking if a memory controller info structure was found. + +BUG: unable to handle kernel NULL pointer dereference at 0000000000000320 +IP: [] decode_bus_error+0x2f/0x2b0 +PGD 2f8b5a3067 PUD 2f8b5a2067 PMD 0 +Oops: 0000 [#2] SMP +Modules linked in: +CPU: 224 PID: 11930 Comm: stream_c.exe.gn Tainted: G D 3.19.0 #1 +Hardware name: Supermicro H8QGL/H8QGL, BIOS 3.5b 01/28/2015 +task: ffff8807dbfb8c00 ti: ffff8807dd16c000 task.ti: ffff8807dd16c000 +RIP: 0010:[] [] decode_bus_error+0x2f/0x2b0 +RSP: 0000:ffff8907dfc03c48 EFLAGS: 00010297 +RAX: 0000000000000001 RBX: 9c67400010080a13 RCX: 0000000000001dc6 +RDX: 000000001dc61dc6 RSI: ffff8907dfc03df0 RDI: 000000000000001c +RBP: ffff8907dfc03ce8 R08: 0000000000000000 R09: 0000000000000022 +R10: ffff891fffa30380 R11: 00000000001cfc90 R12: 0000000000000008 +R13: 0000000000000000 R14: 000000000000001c R15: 00009c6740001000 +FS: 00007fa97ee18700(0000) GS:ffff8907dfc00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000320 CR3: 0000003f889b8000 CR4: 00000000000407e0 +Stack: + 0000000000000000 ffff8907dfc03df0 0000000000000008 9c67400010080a13 + 000000000000001c 00009c6740001000 ffff8907dfc03c88 ffffffff810e4f9a + ffff8907dfc03ce8 ffffffff81b375b9 0000000000000000 0000000000000010 +Call Trace: + + ? vprintk_default + ? printk + amd_decode_mce + notifier_call_chain + atomic_notifier_call_chain + mce_log + machine_check_poll + mce_timer_fn + ? mce_cpu_restart + call_timer_fn.isra.29 + run_timer_softirq + __do_softirq + irq_exit + smp_apic_timer_interrupt + apic_timer_interrupt + + ? down_read_trylock + __do_page_fault + ? __schedule + do_page_fault + page_fault + +Signed-off-by: Daniel J Blueman +Link: http://lkml.kernel.org/r/1424144078-24589-1-git-send-email-daniel@numascale.com +[ Boris: massage commit message ] +Signed-off-by: Borislav Petkov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/edac/amd64_edac.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/edac/amd64_edac.c ++++ b/drivers/edac/amd64_edac.c +@@ -2174,14 +2174,20 @@ static void __log_bus_error(struct mem_c + + static inline void decode_bus_error(int node_id, struct mce *m) + { +- struct mem_ctl_info *mci = mcis[node_id]; +- struct amd64_pvt *pvt = mci->pvt_info; ++ struct mem_ctl_info *mci; ++ struct amd64_pvt *pvt; + u8 ecc_type = (m->status >> 45) & 0x3; + u8 xec = XEC(m->status, 0x1f); + u16 ec = EC(m->status); + u64 sys_addr; + struct err_info err; + ++ mci = edac_mc_find(node_id); ++ if (!mci) ++ return; ++ ++ pvt = mci->pvt_info; ++ + /* Bail out early if this was an 'observed' error */ + if (PP(ec) == NBSL_PP_OBS) + return; diff --git a/queue-3.19/gpio-tps65912-fix-wrong-container_of-arguments.patch b/queue-3.19/gpio-tps65912-fix-wrong-container_of-arguments.patch new file mode 100644 index 00000000000..f3d302cefe7 --- /dev/null +++ b/queue-3.19/gpio-tps65912-fix-wrong-container_of-arguments.patch @@ -0,0 +1,67 @@ +From 2f97c20e5f7c3582c7310f65a04465bfb0fd0e85 Mon Sep 17 00:00:00 2001 +From: Nicolas Saenz Julienne +Date: Thu, 19 Feb 2015 01:52:25 +0000 +Subject: gpio: tps65912: fix wrong container_of arguments + +From: Nicolas Saenz Julienne + +commit 2f97c20e5f7c3582c7310f65a04465bfb0fd0e85 upstream. + +The gpio_chip operations receive a pointer the gpio_chip struct which is +contained in the driver's private struct, yet the container_of call in those +functions point to the mfd struct defined in include/linux/mfd/tps65912.h. + +Signed-off-by: Nicolas Saenz Julienne +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpio-tps65912.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/gpio/gpio-tps65912.c ++++ b/drivers/gpio/gpio-tps65912.c +@@ -26,9 +26,12 @@ struct tps65912_gpio_data { + struct gpio_chip gpio_chip; + }; + ++#define to_tgd(gc) container_of(gc, struct tps65912_gpio_data, gpio_chip) ++ + static int tps65912_gpio_get(struct gpio_chip *gc, unsigned offset) + { +- struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio); ++ struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc); ++ struct tps65912 *tps65912 = tps65912_gpio->tps65912; + int val; + + val = tps65912_reg_read(tps65912, TPS65912_GPIO1 + offset); +@@ -42,7 +45,8 @@ static int tps65912_gpio_get(struct gpio + static void tps65912_gpio_set(struct gpio_chip *gc, unsigned offset, + int value) + { +- struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio); ++ struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc); ++ struct tps65912 *tps65912 = tps65912_gpio->tps65912; + + if (value) + tps65912_set_bits(tps65912, TPS65912_GPIO1 + offset, +@@ -55,7 +59,8 @@ static void tps65912_gpio_set(struct gpi + static int tps65912_gpio_output(struct gpio_chip *gc, unsigned offset, + int value) + { +- struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio); ++ struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc); ++ struct tps65912 *tps65912 = tps65912_gpio->tps65912; + + /* Set the initial value */ + tps65912_gpio_set(gc, offset, value); +@@ -66,7 +71,8 @@ static int tps65912_gpio_output(struct g + + static int tps65912_gpio_input(struct gpio_chip *gc, unsigned offset) + { +- struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio); ++ struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc); ++ struct tps65912 *tps65912 = tps65912_gpio->tps65912; + + return tps65912_clear_bits(tps65912, TPS65912_GPIO1 + offset, + GPIO_CFG_MASK); diff --git a/queue-3.19/gpiolib-of-allow-of_gpiochip_find_and_xlate-to-find-more-than-one-chip-per-node.patch b/queue-3.19/gpiolib-of-allow-of_gpiochip_find_and_xlate-to-find-more-than-one-chip-per-node.patch new file mode 100644 index 00000000000..213e756fd46 --- /dev/null +++ b/queue-3.19/gpiolib-of-allow-of_gpiochip_find_and_xlate-to-find-more-than-one-chip-per-node.patch @@ -0,0 +1,52 @@ +From 9cf75e9e4ddd587ac12e88e8751c358b7b27e95f Mon Sep 17 00:00:00 2001 +From: Hans Holmberg +Date: Tue, 10 Feb 2015 09:48:27 +0100 +Subject: gpiolib: of: allow of_gpiochip_find_and_xlate to find more than one chip per node + +From: Hans Holmberg + +commit 9cf75e9e4ddd587ac12e88e8751c358b7b27e95f upstream. + +The change: + +7b8792bbdffdff3abda704f89c6a45ea97afdc62 +gpiolib: of: Correct error handling in of_get_named_gpiod_flags + +assumed that only one gpio-chip is registred per of-node. +Some drivers register more than one chip per of-node, so +adjust the matching function of_gpiochip_find_and_xlate to +not stop looking for chips if a node-match is found and +the translation fails. + +Fixes: 7b8792bbdffd ("gpiolib: of: Correct error handling in of_get_named_gpiod_flags") +Signed-off-by: Hans Holmberg +Acked-by: Alexandre Courbot +Tested-by: Robert Jarzmik +Tested-by: Tyler Hall +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpiolib-of.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/gpio/gpiolib-of.c ++++ b/drivers/gpio/gpiolib-of.c +@@ -46,12 +46,13 @@ static int of_gpiochip_find_and_xlate(st + + ret = gc->of_xlate(gc, &gg_data->gpiospec, gg_data->flags); + if (ret < 0) { +- /* We've found the gpio chip, but the translation failed. +- * Return true to stop looking and return the translation +- * error via out_gpio ++ /* We've found a gpio chip, but the translation failed. ++ * Store translation error in out_gpio. ++ * Return false to keep looking, as more than one gpio chip ++ * could be registered per of-node. + */ + gg_data->out_gpio = ERR_PTR(ret); +- return true; ++ return false; + } + + gg_data->out_gpio = gpiochip_get_desc(gc, ret); diff --git a/queue-3.19/jffs2-fix-handling-of-corrupted-summary-length.patch b/queue-3.19/jffs2-fix-handling-of-corrupted-summary-length.patch new file mode 100644 index 00000000000..2412f6d05ce --- /dev/null +++ b/queue-3.19/jffs2-fix-handling-of-corrupted-summary-length.patch @@ -0,0 +1,76 @@ +From 164c24063a3eadee11b46575c5482b2f1417be49 Mon Sep 17 00:00:00 2001 +From: Chen Jie +Date: Tue, 10 Feb 2015 12:49:48 -0800 +Subject: jffs2: fix handling of corrupted summary length + +From: Chen Jie + +commit 164c24063a3eadee11b46575c5482b2f1417be49 upstream. + +sm->offset maybe wrong but magic maybe right, the offset do not have CRC. + +Badness at c00c7580 [verbose debug info unavailable] +NIP: c00c7580 LR: c00c718c CTR: 00000014 +REGS: df07bb40 TRAP: 0700 Not tainted (2.6.34.13-WR4.3.0.0_standard) +MSR: 00029000 CR: 22084f84 XER: 00000000 +TASK = df84d6e0[908] 'mount' THREAD: df07a000 +GPR00: 00000001 df07bbf0 df84d6e0 00000000 00000001 00000000 df07bb58 00000041 +GPR08: 00000041 c0638860 00000000 00000010 22084f88 100636c8 df814ff8 00000000 +GPR16: df84d6e0 dfa558cc c05adb90 00000048 c0452d30 00000000 000240d0 000040d0 +GPR24: 00000014 c05ae734 c05be2e0 00000000 00000001 00000000 00000000 c05ae730 +NIP [c00c7580] __alloc_pages_nodemask+0x4d0/0x638 +LR [c00c718c] __alloc_pages_nodemask+0xdc/0x638 +Call Trace: +[df07bbf0] [c00c718c] __alloc_pages_nodemask+0xdc/0x638 (unreliable) +[df07bc90] [c00c7708] __get_free_pages+0x20/0x48 +[df07bca0] [c00f4a40] __kmalloc+0x15c/0x1ec +[df07bcd0] [c01fc880] jffs2_scan_medium+0xa58/0x14d0 +[df07bd70] [c01ff38c] jffs2_do_mount_fs+0x1f4/0x6b4 +[df07bdb0] [c020144c] jffs2_do_fill_super+0xa8/0x260 +[df07bdd0] [c020230c] jffs2_fill_super+0x104/0x184 +[df07be00] [c0335814] get_sb_mtd_aux+0x9c/0xec +[df07be20] [c033596c] get_sb_mtd+0x84/0x1e8 +[df07be60] [c0201ed0] jffs2_get_sb+0x1c/0x2c +[df07be70] [c0103898] vfs_kern_mount+0x78/0x1e8 +[df07bea0] [c0103a58] do_kern_mount+0x40/0x100 +[df07bec0] [c011fe90] do_mount+0x240/0x890 +[df07bf10] [c0120570] sys_mount+0x90/0xd8 +[df07bf40] [c00110d8] ret_from_syscall+0x0/0x4 + +=== Exception: c01 at 0xff61a34 + LR = 0x100135f0 +Instruction dump: +38800005 38600000 48010f41 4bfffe1c 4bfc2d15 4bfffe8c 72e90200 4082fc28 +3d20c064 39298860 8809000d 68000001 <0f000000> 2f800000 419efc0c 38000001 +mount: mounting /dev/mtdblock3 on /common failed: Input/output error + +Signed-off-by: Chen Jie +Signed-off-by: Andrew Morton +Signed-off-by: David Woodhouse +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jffs2/scan.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/jffs2/scan.c ++++ b/fs/jffs2/scan.c +@@ -510,6 +510,10 @@ static int jffs2_scan_eraseblock (struct + sumlen = c->sector_size - je32_to_cpu(sm->offset); + sumptr = buf + buf_size - sumlen; + ++ /* sm->offset maybe wrong but MAGIC maybe right */ ++ if (sumlen > c->sector_size) ++ goto full_scan; ++ + /* Now, make sure the summary itself is available */ + if (sumlen > buf_size) { + /* Need to kmalloc for this. */ +@@ -544,6 +548,7 @@ static int jffs2_scan_eraseblock (struct + } + } + ++full_scan: + buf_ofs = jeb->offset; + + if (!buf_size) { diff --git a/queue-3.19/libceph-fix-double-__remove_osd-problem.patch b/queue-3.19/libceph-fix-double-__remove_osd-problem.patch new file mode 100644 index 00000000000..0ddf2094eab --- /dev/null +++ b/queue-3.19/libceph-fix-double-__remove_osd-problem.patch @@ -0,0 +1,118 @@ +From 7eb71e0351fbb1b242ae70abb7bb17107fe2f792 Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Tue, 17 Feb 2015 19:37:15 +0300 +Subject: libceph: fix double __remove_osd() problem + +From: Ilya Dryomov + +commit 7eb71e0351fbb1b242ae70abb7bb17107fe2f792 upstream. + +It turns out it's possible to get __remove_osd() called twice on the +same OSD. That doesn't sit well with rb_erase() - depending on the +shape of the tree we can get a NULL dereference, a soft lockup or +a random crash at some point in the future as we end up touching freed +memory. One scenario that I was able to reproduce is as follows: + + + +con_fault_finish() + osd_reset() + + ceph_osdc_handle_map() + + kick_requests() + + reset_changed_osds() + __reset_osd() + __remove_osd() + + + + + __kick_osd_requests() + __reset_osd() + __remove_osd() <-- !!! + +A case can be made that osd refcounting is imperfect and reworking it +would be a proper resolution, but for now Sage and I decided to fix +this by adding a safe guard around __remove_osd(). + +Fixes: http://tracker.ceph.com/issues/8087 + +Cc: Sage Weil +Signed-off-by: Ilya Dryomov +Reviewed-by: Sage Weil +Reviewed-by: Alex Elder +Signed-off-by: Greg Kroah-Hartman + +--- + net/ceph/osd_client.c | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +--- a/net/ceph/osd_client.c ++++ b/net/ceph/osd_client.c +@@ -1048,14 +1048,24 @@ static void put_osd(struct ceph_osd *osd + */ + static void __remove_osd(struct ceph_osd_client *osdc, struct ceph_osd *osd) + { +- dout("__remove_osd %p\n", osd); ++ dout("%s %p osd%d\n", __func__, osd, osd->o_osd); + WARN_ON(!list_empty(&osd->o_requests)); + WARN_ON(!list_empty(&osd->o_linger_requests)); + +- rb_erase(&osd->o_node, &osdc->osds); + list_del_init(&osd->o_osd_lru); +- ceph_con_close(&osd->o_con); +- put_osd(osd); ++ rb_erase(&osd->o_node, &osdc->osds); ++ RB_CLEAR_NODE(&osd->o_node); ++} ++ ++static void remove_osd(struct ceph_osd_client *osdc, struct ceph_osd *osd) ++{ ++ dout("%s %p osd%d\n", __func__, osd, osd->o_osd); ++ ++ if (!RB_EMPTY_NODE(&osd->o_node)) { ++ ceph_con_close(&osd->o_con); ++ __remove_osd(osdc, osd); ++ put_osd(osd); ++ } + } + + static void remove_all_osds(struct ceph_osd_client *osdc) +@@ -1065,7 +1075,7 @@ static void remove_all_osds(struct ceph_ + while (!RB_EMPTY_ROOT(&osdc->osds)) { + struct ceph_osd *osd = rb_entry(rb_first(&osdc->osds), + struct ceph_osd, o_node); +- __remove_osd(osdc, osd); ++ remove_osd(osdc, osd); + } + mutex_unlock(&osdc->request_mutex); + } +@@ -1106,7 +1116,7 @@ static void remove_old_osds(struct ceph_ + list_for_each_entry_safe(osd, nosd, &osdc->osd_lru, o_osd_lru) { + if (time_before(jiffies, osd->lru_ttl)) + break; +- __remove_osd(osdc, osd); ++ remove_osd(osdc, osd); + } + mutex_unlock(&osdc->request_mutex); + } +@@ -1121,8 +1131,7 @@ static int __reset_osd(struct ceph_osd_c + dout("__reset_osd %p osd%d\n", osd, osd->o_osd); + if (list_empty(&osd->o_requests) && + list_empty(&osd->o_linger_requests)) { +- __remove_osd(osdc, osd); +- ++ remove_osd(osdc, osd); + return -ENODEV; + } + +@@ -1926,6 +1935,7 @@ static void reset_changed_osds(struct ce + { + struct rb_node *p, *n; + ++ dout("%s %p\n", __func__, osdc); + for (p = rb_first(&osdc->osds); p; p = n) { + struct ceph_osd *osd = rb_entry(p, struct ceph_osd, o_node); + diff --git a/queue-3.19/md-raid1-fix-read-balance-when-a-drive-is-write-mostly.patch b/queue-3.19/md-raid1-fix-read-balance-when-a-drive-is-write-mostly.patch new file mode 100644 index 00000000000..4e3969773ab --- /dev/null +++ b/queue-3.19/md-raid1-fix-read-balance-when-a-drive-is-write-mostly.patch @@ -0,0 +1,63 @@ +From d1901ef099c38afd11add4cfb3312c02ef21ec4a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Hodek?= +Date: Mon, 23 Feb 2015 11:00:38 +1100 +Subject: md/raid1: fix read balance when a drive is write-mostly. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Hodek?= + +commit d1901ef099c38afd11add4cfb3312c02ef21ec4a upstream. + +When a drive is marked write-mostly it should only be the +target of reads if there is no other option. + +This behaviour was broken by + +commit 9dedf60313fa4dddfd5b9b226a0ef12a512bf9dc + md/raid1: read balance chooses idlest disk for SSD + +which causes a write-mostly device to be *preferred* is some cases. + +Restore correct behaviour by checking and setting +best_dist_disk and best_pending_disk rather than best_disk. + +We only need to test one of these as they are both changed +from -1 or >=0 at the same time. + +As we leave min_pending and best_dist unchanged, any non-write-mostly +device will appear better than the write-mostly device. + +Reported-by: Tomáš Hodek +Reported-by: Dark Penguin +Signed-off-by: NeilBrown +Link: http://marc.info/?l=linux-raid&m=135982797322422 +Fixes: 9dedf60313fa4dddfd5b9b226a0ef12a512bf9dc +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid1.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -560,7 +560,7 @@ static int read_balance(struct r1conf *c + if (test_bit(WriteMostly, &rdev->flags)) { + /* Don't balance among write-mostly, just + * use the first as a last resort */ +- if (best_disk < 0) { ++ if (best_dist_disk < 0) { + if (is_badblock(rdev, this_sector, sectors, + &first_bad, &bad_sectors)) { + if (first_bad < this_sector) +@@ -569,7 +569,8 @@ static int read_balance(struct r1conf *c + best_good_sectors = first_bad - this_sector; + } else + best_good_sectors = sectors; +- best_disk = disk; ++ best_dist_disk = disk; ++ best_pending_disk = disk; + } + continue; + } diff --git a/queue-3.19/md-raid5-fix-livelock-when-array-is-both-resyncing-and-degraded.patch b/queue-3.19/md-raid5-fix-livelock-when-array-is-both-resyncing-and-degraded.patch new file mode 100644 index 00000000000..0ec9f6e6f46 --- /dev/null +++ b/queue-3.19/md-raid5-fix-livelock-when-array-is-both-resyncing-and-degraded.patch @@ -0,0 +1,44 @@ +From 26ac107378c4742978216be1005b7291b799c7b2 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Wed, 18 Feb 2015 11:35:14 +1100 +Subject: md/raid5: Fix livelock when array is both resyncing and degraded. + +From: NeilBrown + +commit 26ac107378c4742978216be1005b7291b799c7b2 upstream. + +Commit a7854487cd7128a30a7f4f5259de9f67d5efb95f: + md: When RAID5 is dirty, force reconstruct-write instead of read-modify-write. + +Causes an RCW cycle to be forced even when the array is degraded. +A degraded array cannot support RCW as that requires reading all data +blocks, and one may be missing. + +Forcing an RCW when it is not possible causes a live-lock and the code +spins, repeatedly deciding to do something that cannot succeed. + +So change the condition to only force RCW on non-degraded arrays. + +Reported-by: Manibalan P +Bisected-by: Jes Sorensen +Tested-by: Jes Sorensen +Signed-off-by: NeilBrown +Fixes: a7854487cd7128a30a7f4f5259de9f67d5efb95f +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid5.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -3102,7 +3102,8 @@ static void handle_stripe_dirtying(struc + * generate correct data from the parity. + */ + if (conf->max_degraded == 2 || +- (recovery_cp < MaxSector && sh->sector >= recovery_cp)) { ++ (recovery_cp < MaxSector && sh->sector >= recovery_cp && ++ s->failed == 0)) { + /* Calculate the real rcw later - for now make it + * look like rcw is cheaper + */ diff --git a/queue-3.19/metag-fix-kstk_eip-and-kstk_esp-macros.patch b/queue-3.19/metag-fix-kstk_eip-and-kstk_esp-macros.patch new file mode 100644 index 00000000000..4cf590f86cc --- /dev/null +++ b/queue-3.19/metag-fix-kstk_eip-and-kstk_esp-macros.patch @@ -0,0 +1,75 @@ +From c2996cb29bfb73927a79dc96e598a718e843f01a Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Tue, 24 Feb 2015 12:25:25 +0000 +Subject: metag: Fix KSTK_EIP() and KSTK_ESP() macros + +From: James Hogan + +commit c2996cb29bfb73927a79dc96e598a718e843f01a upstream. + +The KSTK_EIP() and KSTK_ESP() macros should return the user program +counter (PC) and stack pointer (A0StP) of the given task. These are used +to determine which VMA corresponds to the user stack in +/proc//maps, and for the user PC & A0StP in /proc//stat. + +However for Meta the PC & A0StP from the task's kernel context are used, +resulting in broken output. For example in following /proc//maps +output, the 3afff000-3b021000 VMA should be described as the stack: + + # cat /proc/self/maps + ... + 100b0000-100b1000 rwxp 00000000 00:00 0 [heap] + 3afff000-3b021000 rwxp 00000000 00:00 0 + +And in the following /proc//stat output, the PC is in kernel code +(1074234964 = 0x40078654) and the A0StP is in the kernel heap +(1335981392 = 0x4fa17550): + + # cat /proc/self/stat + 51 (cat) R ... 1335981392 1074234964 ... + +Fix the definitions of KSTK_EIP() and KSTK_ESP() to use +task_pt_regs(tsk)->ctx rather than (tsk)->thread.kernel_context. This +gets the registers from the user context stored after the thread info at +the base of the kernel stack, which is from the last entry into the +kernel from userland, regardless of where in the kernel the task may +have been interrupted, which results in the following more correct +/proc//maps output: + + # cat /proc/self/maps + ... + 0800b000-08070000 r-xp 00000000 00:02 207 /lib/libuClibc-0.9.34-git.so + ... + 100b0000-100b1000 rwxp 00000000 00:00 0 [heap] + 3afff000-3b021000 rwxp 00000000 00:00 0 [stack] + +And /proc//stat now correctly reports the PC in libuClibc +(134320308 = 0x80190b4) and the A0StP in the [stack] region (989864576 = +0x3b002280): + + # cat /proc/self/stat + 51 (cat) R ... 989864576 134320308 ... + +Reported-by: Alexey Brodkin +Reported-by: Vineet Gupta +Signed-off-by: James Hogan +Cc: linux-metag@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + arch/metag/include/asm/processor.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/metag/include/asm/processor.h ++++ b/arch/metag/include/asm/processor.h +@@ -149,8 +149,8 @@ extern void exit_thread(void); + + unsigned long get_wchan(struct task_struct *p); + +-#define KSTK_EIP(tsk) ((tsk)->thread.kernel_context->CurrPC) +-#define KSTK_ESP(tsk) ((tsk)->thread.kernel_context->AX[0].U0) ++#define KSTK_EIP(tsk) (task_pt_regs(tsk)->ctx.CurrPC) ++#define KSTK_ESP(tsk) (task_pt_regs(tsk)->ctx.AX[0].U0) + + #define user_stack_pointer(regs) ((regs)->ctx.AX[0].U0) + diff --git a/queue-3.19/perf-tools-fix-probing-for-perf_flag_fd_cloexec-flag.patch b/queue-3.19/perf-tools-fix-probing-for-perf_flag_fd_cloexec-flag.patch new file mode 100644 index 00000000000..8e802df83aa --- /dev/null +++ b/queue-3.19/perf-tools-fix-probing-for-perf_flag_fd_cloexec-flag.patch @@ -0,0 +1,79 @@ +From 48536c9195ae8c2a00fd8f400bac72ab613feaab Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Tue, 24 Feb 2015 13:20:59 +0200 +Subject: perf tools: Fix probing for PERF_FLAG_FD_CLOEXEC flag + +From: Adrian Hunter + +commit 48536c9195ae8c2a00fd8f400bac72ab613feaab upstream. + +Commit f6edb53c4993ffe92ce521fb449d1c146cea6ec2 converted the probe to +a CPU wide event first (pid == -1). For kernels that do not support +the PERF_FLAG_FD_CLOEXEC flag the probe fails with EINVAL. Since this +errno is not handled pid is not reset to 0 and the subsequent use of +pid = -1 as an argument brings in an additional failure path if +perf_event_paranoid > 0: + +$ perf record -- sleep 1 +perf_event_open(..., 0) failed unexpectedly with error 13 (Permission denied) +[ perf record: Woken up 1 times to write data ] +[ perf record: Captured and wrote 0.007 MB /tmp/perf.data (11 samples) ] + +Also, ensure the fd of the confirmation check is closed and comment why +pid = -1 is used. + +Needs to go to 3.18 stable tree as well. + +Signed-off-by: Adrian Hunter +Based-on-patch-by: David Ahern +Acked-by: David Ahern +Cc: David Ahern +Link: http://lkml.kernel.org/r/54EC610C.8000403@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman + +--- + tools/perf/util/cloexec.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +--- a/tools/perf/util/cloexec.c ++++ b/tools/perf/util/cloexec.c +@@ -25,6 +25,10 @@ static int perf_flag_probe(void) + if (cpu < 0) + cpu = 0; + ++ /* ++ * Using -1 for the pid is a workaround to avoid gratuitous jump label ++ * changes. ++ */ + while (1) { + /* check cloexec flag */ + fd = sys_perf_event_open(&attr, pid, cpu, -1, +@@ -47,16 +51,24 @@ static int perf_flag_probe(void) + err, strerror_r(err, sbuf, sizeof(sbuf))); + + /* not supported, confirm error related to PERF_FLAG_FD_CLOEXEC */ +- fd = sys_perf_event_open(&attr, pid, cpu, -1, 0); ++ while (1) { ++ fd = sys_perf_event_open(&attr, pid, cpu, -1, 0); ++ if (fd < 0 && pid == -1 && errno == EACCES) { ++ pid = 0; ++ continue; ++ } ++ break; ++ } + err = errno; + ++ if (fd >= 0) ++ close(fd); ++ + if (WARN_ONCE(fd < 0 && err != EBUSY, + "perf_event_open(..., 0) failed unexpectedly with error %d (%s)\n", + err, strerror_r(err, sbuf, sizeof(sbuf)))) + return -1; + +- close(fd); +- + return 0; + } + diff --git a/queue-3.19/samsung-laptop-add-use_native_backlight-quirk-and-enable-it-on-some-models.patch b/queue-3.19/samsung-laptop-add-use_native_backlight-quirk-and-enable-it-on-some-models.patch new file mode 100644 index 00000000000..19e221d84c0 --- /dev/null +++ b/queue-3.19/samsung-laptop-add-use_native_backlight-quirk-and-enable-it-on-some-models.patch @@ -0,0 +1,109 @@ +From 4690555e13c48fef07f2762f6b0cd6b181e326d0 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Fri, 9 Jan 2015 15:10:01 +0100 +Subject: samsung-laptop: Add use_native_backlight quirk, and enable it on some models + +From: Hans de Goede + +commit 4690555e13c48fef07f2762f6b0cd6b181e326d0 upstream. + +Since kernel 3.14 the backlight control has been broken on various Samsung +Atom based netbooks. This has been bisected and this problem happens since +commit b35684b8fa94 ("drm/i915: do full backlight setup at enable time") + +This has been reported and discussed in detail here: +http://lists.freedesktop.org/archives/intel-gfx/2014-July/049395.html + +Unfortunately no-one has been able to fix this. This only affects Samsung +Atom netbooks, and the Linux kernel and the BIOS of those laptops have never +worked well together. All affected laptops already have a quirk to avoid using +the standard acpi-video interface and instead use the samsung specific SABI +interface which samsung-laptop uses. It seems that recent fixes to the i915 +driver have also broken backlight control through the SABI interface. + +The intel_backlight driver OTOH works fine, and also allows for finer grained +backlight control. So add a new use_native_backlight quirk, and replace the +broken_acpi_video quirk with this quirk for affected models. This new quirk +disables acpi-video as before and also stops samsung-laptop from registering +the SABI based samsung_laptop backlight interface, leaving only the working +intel_backlight interface. + +This commit enables this new quirk for 3 models which are known to be affected, +chances are that it needs to be used on other models too. + +BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1094948 # N145P +BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1115713 # N250P +Reported-by: Bertrik Sikken # N150P +Cc: stable@vger.kernel.org # 3.16 +Signed-off-by: Hans de Goede +Signed-off-by: Darren Hart +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/platform/x86/samsung-laptop.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +--- a/drivers/platform/x86/samsung-laptop.c ++++ b/drivers/platform/x86/samsung-laptop.c +@@ -353,6 +353,7 @@ struct samsung_quirks { + bool broken_acpi_video; + bool four_kbd_backlight_levels; + bool enable_kbd_backlight; ++ bool use_native_backlight; + }; + + static struct samsung_quirks samsung_unknown = {}; +@@ -361,6 +362,10 @@ static struct samsung_quirks samsung_bro + .broken_acpi_video = true, + }; + ++static struct samsung_quirks samsung_use_native_backlight = { ++ .use_native_backlight = true, ++}; ++ + static struct samsung_quirks samsung_np740u3e = { + .four_kbd_backlight_levels = true, + .enable_kbd_backlight = true, +@@ -1507,7 +1512,7 @@ static struct dmi_system_id __initdata s + DMI_MATCH(DMI_PRODUCT_NAME, "N150P"), + DMI_MATCH(DMI_BOARD_NAME, "N150P"), + }, +- .driver_data = &samsung_broken_acpi_video, ++ .driver_data = &samsung_use_native_backlight, + }, + { + .callback = samsung_dmi_matched, +@@ -1517,7 +1522,7 @@ static struct dmi_system_id __initdata s + DMI_MATCH(DMI_PRODUCT_NAME, "N145P/N250P/N260P"), + DMI_MATCH(DMI_BOARD_NAME, "N145P/N250P/N260P"), + }, +- .driver_data = &samsung_broken_acpi_video, ++ .driver_data = &samsung_use_native_backlight, + }, + { + .callback = samsung_dmi_matched, +@@ -1557,7 +1562,7 @@ static struct dmi_system_id __initdata s + DMI_MATCH(DMI_PRODUCT_NAME, "N250P"), + DMI_MATCH(DMI_BOARD_NAME, "N250P"), + }, +- .driver_data = &samsung_broken_acpi_video, ++ .driver_data = &samsung_use_native_backlight, + }, + { + .callback = samsung_dmi_matched, +@@ -1616,6 +1621,15 @@ static int __init samsung_init(void) + pr_info("Disabling ACPI video driver\n"); + acpi_video_unregister(); + } ++ ++ if (samsung->quirks->use_native_backlight) { ++ pr_info("Using native backlight driver\n"); ++ /* Tell acpi-video to not handle the backlight */ ++ acpi_video_dmi_promote_vendor(); ++ acpi_video_unregister(); ++ /* And also do not handle it ourselves */ ++ samsung->handle_backlight = false; ++ } + #endif + + ret = samsung_platform_init(samsung); diff --git a/queue-3.19/sb_edac-fix-detection-on-snb-machines.patch b/queue-3.19/sb_edac-fix-detection-on-snb-machines.patch new file mode 100644 index 00000000000..f09d7653782 --- /dev/null +++ b/queue-3.19/sb_edac-fix-detection-on-snb-machines.patch @@ -0,0 +1,80 @@ +From 11249e73992981e31fd50e7231da24fad68e3320 Mon Sep 17 00:00:00 2001 +From: Borislav Petkov +Date: Thu, 5 Feb 2015 12:39:36 +0100 +Subject: sb_edac: Fix detection on SNB machines + +From: Borislav Petkov + +commit 11249e73992981e31fd50e7231da24fad68e3320 upstream. + +d0585cd815fa ("sb_edac: Claim a different PCI device") changed the +probing of sb_edac to look for PCI device 0x3ca0: + +3f:0e.0 System peripheral: Intel Corporation Xeon E5/Core i7 Processor Home Agent (rev 07) +00: 86 80 a0 3c 00 00 00 00 07 00 80 08 00 00 80 00 +... + +but we're matching for 0x3ca8, i.e. PCI_DEVICE_ID_INTEL_SBRIDGE_IMC_TA +in sbridge_probe() therefore the probing fails. + +Changing it to probe for 0x3ca0 (PCI_DEVICE_ID_INTEL_SBRIDGE_IMC_HA0), +.i.e., the 14.0 device, fixes the issue and driver loads successfully +again: + +[ 2449.013120] EDAC DEBUG: sbridge_init: +[ 2449.017029] EDAC sbridge: Seeking for: PCI ID 8086:3ca0 +[ 2449.022368] EDAC DEBUG: sbridge_get_onedevice: Detected 8086:3ca0 +[ 2449.028498] EDAC sbridge: Seeking for: PCI ID 8086:3ca0 +[ 2449.033768] EDAC sbridge: Seeking for: PCI ID 8086:3ca8 +[ 2449.039028] EDAC DEBUG: sbridge_get_onedevice: Detected 8086:3ca8 +[ 2449.045155] EDAC sbridge: Seeking for: PCI ID 8086:3ca8 +... + +Add a debug printk while at it to be able to catch the failure in the +future and dump driver version on successful load. + +Fixes: d0585cd815fa ("sb_edac: Claim a different PCI device") +Acked-by: Aristeu Rozanski +Cc: Tony Luck +Acked-by: Andy Lutomirski +Acked-by: Mauro Carvalho Chehab +Signed-off-by: Borislav Petkov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/edac/sb_edac.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/edac/sb_edac.c ++++ b/drivers/edac/sb_edac.c +@@ -2447,7 +2447,7 @@ static int sbridge_probe(struct pci_dev + rc = sbridge_get_all_devices(&num_mc, pci_dev_descr_ibridge_table); + type = IVY_BRIDGE; + break; +- case PCI_DEVICE_ID_INTEL_SBRIDGE_IMC_TA: ++ case PCI_DEVICE_ID_INTEL_SBRIDGE_IMC_HA0: + rc = sbridge_get_all_devices(&num_mc, pci_dev_descr_sbridge_table); + type = SANDY_BRIDGE; + break; +@@ -2460,8 +2460,11 @@ static int sbridge_probe(struct pci_dev + type = BROADWELL; + break; + } +- if (unlikely(rc < 0)) ++ if (unlikely(rc < 0)) { ++ edac_dbg(0, "couldn't get all devices for 0x%x\n", pdev->device); + goto fail0; ++ } ++ + mc = 0; + + list_for_each_entry(sbridge_dev, &sbridge_edac_list, list) { +@@ -2474,7 +2477,7 @@ static int sbridge_probe(struct pci_dev + goto fail1; + } + +- sbridge_printk(KERN_INFO, "Driver loaded.\n"); ++ sbridge_printk(KERN_INFO, "%s\n", SBRIDGE_REVISION); + + mutex_unlock(&sbridge_edac_lock); + return 0; diff --git a/queue-3.19/series b/queue-3.19/series index 525fbe56e9b..a35a3062422 100644 --- a/queue-3.19/series +++ b/queue-3.19/series @@ -147,3 +147,24 @@ kvm-s390-floating-irqs-fix-user-triggerable-endless-loop.patch kvm-s390-avoid-memory-leaks-if-__inject_vm-fails.patch hx4700-regulator-declare-full-constraints.patch arm64-compat-fix-siginfo_t-compat_siginfo_t-conversion-on-big-endian.patch +gpiolib-of-allow-of_gpiochip_find_and_xlate-to-find-more-than-one-chip-per-node.patch +gpio-tps65912-fix-wrong-container_of-arguments.patch +xfs-fix-quota-type-in-quota-structures-when-reusing-quota-file.patch +metag-fix-kstk_eip-and-kstk_esp-macros.patch +clocksource-mtk-fix-race-conditions-in-probe-code.patch +perf-tools-fix-probing-for-perf_flag_fd_cloexec-flag.patch +md-raid5-fix-livelock-when-array-is-both-resyncing-and-degraded.patch +md-raid1-fix-read-balance-when-a-drive-is-write-mostly.patch +sb_edac-fix-detection-on-snb-machines.patch +edac-amd64_edac-prevent-oops-with-16-memory-controllers.patch +jffs2-fix-handling-of-corrupted-summary-length.patch +samsung-laptop-add-use_native_backlight-quirk-and-enable-it-on-some-models.patch +libceph-fix-double-__remove_osd-problem.patch +btrfs-set-proper-message-level-for-skinny-metadata.patch +btrfs-fix-leak-of-path-in-btrfs_find_item.patch +btrfs-fix-fsync-data-loss-after-adding-hard-link-to-inode.patch +blk-throttle-check-stats_cpu-before-reading-it-from-sysfs.patch +x86-efi-avoid-triple-faults-during-efi-mixed-mode-calls.patch +x86-mm-aslr-fix-stack-randomization-on-64-bit-systems.patch +x86-irq-fix-regression-caused-by-commit-b568b8601f05.patch +x86-pmc-atom-assign-debugfs-node-as-soon-as-possible.patch diff --git a/queue-3.19/x86-efi-avoid-triple-faults-during-efi-mixed-mode-calls.patch b/queue-3.19/x86-efi-avoid-triple-faults-during-efi-mixed-mode-calls.patch new file mode 100644 index 00000000000..56756187675 --- /dev/null +++ b/queue-3.19/x86-efi-avoid-triple-faults-during-efi-mixed-mode-calls.patch @@ -0,0 +1,607 @@ +From 96738c69a7fcdbf0d7c9df0c8a27660011e82a7b Mon Sep 17 00:00:00 2001 +From: Matt Fleming +Date: Tue, 13 Jan 2015 15:25:00 +0000 +Subject: x86/efi: Avoid triple faults during EFI mixed mode calls + +From: Matt Fleming + +commit 96738c69a7fcdbf0d7c9df0c8a27660011e82a7b upstream. + +Andy pointed out that if an NMI or MCE is received while we're in the +middle of an EFI mixed mode call a triple fault will occur. This can +happen, for example, when issuing an EFI mixed mode call while running +perf. + +The reason for the triple fault is that we execute the mixed mode call +in 32-bit mode with paging disabled but with 64-bit kernel IDT handlers +installed throughout the call. + +At Andy's suggestion, stop playing the games we currently do at runtime, +such as disabling paging and installing a 32-bit GDT for __KERNEL_CS. We +can simply switch to the __KERNEL32_CS descriptor before invoking +firmware services, and run in compatibility mode. This way, if an +NMI/MCE does occur the kernel IDT handler will execute correctly, since +it'll jump to __KERNEL_CS automatically. + +However, this change is only possible post-ExitBootServices(). Before +then the firmware "owns" the machine and expects for its 32-bit IDT +handlers to be left intact to service interrupts, etc. + +So, we now need to distinguish between early boot and runtime +invocations of EFI services. During early boot, we need to restore the +GDT that the firmware expects to be present. We can only jump to the +__KERNEL32_CS code segment for mixed mode calls after ExitBootServices() +has been invoked. + +A liberal sprinkling of comments in the thunking code should make the +differences in early and late environments more apparent. + +Reported-by: Andy Lutomirski +Tested-by: Borislav Petkov +Signed-off-by: Matt Fleming +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/boot/compressed/Makefile | 1 + arch/x86/boot/compressed/efi_stub_64.S | 25 ---- + arch/x86/boot/compressed/efi_thunk_64.S | 196 ++++++++++++++++++++++++++++++++ + arch/x86/platform/efi/efi_stub_64.S | 161 -------------------------- + arch/x86/platform/efi/efi_thunk_64.S | 121 ++++++++++++++++--- + 5 files changed, 301 insertions(+), 203 deletions(-) + +--- a/arch/x86/boot/compressed/Makefile ++++ b/arch/x86/boot/compressed/Makefile +@@ -49,6 +49,7 @@ $(obj)/eboot.o: KBUILD_CFLAGS += -fshort + + vmlinux-objs-$(CONFIG_EFI_STUB) += $(obj)/eboot.o $(obj)/efi_stub_$(BITS).o \ + $(objtree)/drivers/firmware/efi/libstub/lib.a ++vmlinux-objs-$(CONFIG_EFI_MIXED) += $(obj)/efi_thunk_$(BITS).o + + $(obj)/vmlinux: $(vmlinux-objs-y) FORCE + $(call if_changed,ld) +--- a/arch/x86/boot/compressed/efi_stub_64.S ++++ b/arch/x86/boot/compressed/efi_stub_64.S +@@ -3,28 +3,3 @@ + #include + + #include "../../platform/efi/efi_stub_64.S" +- +-#ifdef CONFIG_EFI_MIXED +- .code64 +- .text +-ENTRY(efi64_thunk) +- push %rbp +- push %rbx +- +- subq $16, %rsp +- leaq efi_exit32(%rip), %rax +- movl %eax, 8(%rsp) +- leaq efi_gdt64(%rip), %rax +- movl %eax, 4(%rsp) +- movl %eax, 2(%rax) /* Fixup the gdt base address */ +- leaq efi32_boot_gdt(%rip), %rax +- movl %eax, (%rsp) +- +- call __efi64_thunk +- +- addq $16, %rsp +- pop %rbx +- pop %rbp +- ret +-ENDPROC(efi64_thunk) +-#endif /* CONFIG_EFI_MIXED */ +--- /dev/null ++++ b/arch/x86/boot/compressed/efi_thunk_64.S +@@ -0,0 +1,196 @@ ++/* ++ * Copyright (C) 2014, 2015 Intel Corporation; author Matt Fleming ++ * ++ * Early support for invoking 32-bit EFI services from a 64-bit kernel. ++ * ++ * Because this thunking occurs before ExitBootServices() we have to ++ * restore the firmware's 32-bit GDT before we make EFI serivce calls, ++ * since the firmware's 32-bit IDT is still currently installed and it ++ * needs to be able to service interrupts. ++ * ++ * On the plus side, we don't have to worry about mangling 64-bit ++ * addresses into 32-bits because we're executing with an identify ++ * mapped pagetable and haven't transitioned to 64-bit virtual addresses ++ * yet. ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++ ++ .code64 ++ .text ++ENTRY(efi64_thunk) ++ push %rbp ++ push %rbx ++ ++ subq $8, %rsp ++ leaq efi_exit32(%rip), %rax ++ movl %eax, 4(%rsp) ++ leaq efi_gdt64(%rip), %rax ++ movl %eax, (%rsp) ++ movl %eax, 2(%rax) /* Fixup the gdt base address */ ++ ++ movl %ds, %eax ++ push %rax ++ movl %es, %eax ++ push %rax ++ movl %ss, %eax ++ push %rax ++ ++ /* ++ * Convert x86-64 ABI params to i386 ABI ++ */ ++ subq $32, %rsp ++ movl %esi, 0x0(%rsp) ++ movl %edx, 0x4(%rsp) ++ movl %ecx, 0x8(%rsp) ++ movq %r8, %rsi ++ movl %esi, 0xc(%rsp) ++ movq %r9, %rsi ++ movl %esi, 0x10(%rsp) ++ ++ sgdt save_gdt(%rip) ++ ++ leaq 1f(%rip), %rbx ++ movq %rbx, func_rt_ptr(%rip) ++ ++ /* ++ * Switch to gdt with 32-bit segments. This is the firmware GDT ++ * that was installed when the kernel started executing. This ++ * pointer was saved at the EFI stub entry point in head_64.S. ++ */ ++ leaq efi32_boot_gdt(%rip), %rax ++ lgdt (%rax) ++ ++ pushq $__KERNEL_CS ++ leaq efi_enter32(%rip), %rax ++ pushq %rax ++ lretq ++ ++1: addq $32, %rsp ++ ++ lgdt save_gdt(%rip) ++ ++ pop %rbx ++ movl %ebx, %ss ++ pop %rbx ++ movl %ebx, %es ++ pop %rbx ++ movl %ebx, %ds ++ ++ /* ++ * Convert 32-bit status code into 64-bit. ++ */ ++ test %rax, %rax ++ jz 1f ++ movl %eax, %ecx ++ andl $0x0fffffff, %ecx ++ andl $0xf0000000, %eax ++ shl $32, %rax ++ or %rcx, %rax ++1: ++ addq $8, %rsp ++ pop %rbx ++ pop %rbp ++ ret ++ENDPROC(efi64_thunk) ++ ++ENTRY(efi_exit32) ++ movq func_rt_ptr(%rip), %rax ++ push %rax ++ mov %rdi, %rax ++ ret ++ENDPROC(efi_exit32) ++ ++ .code32 ++/* ++ * EFI service pointer must be in %edi. ++ * ++ * The stack should represent the 32-bit calling convention. ++ */ ++ENTRY(efi_enter32) ++ movl $__KERNEL_DS, %eax ++ movl %eax, %ds ++ movl %eax, %es ++ movl %eax, %ss ++ ++ /* Reload pgtables */ ++ movl %cr3, %eax ++ movl %eax, %cr3 ++ ++ /* Disable paging */ ++ movl %cr0, %eax ++ btrl $X86_CR0_PG_BIT, %eax ++ movl %eax, %cr0 ++ ++ /* Disable long mode via EFER */ ++ movl $MSR_EFER, %ecx ++ rdmsr ++ btrl $_EFER_LME, %eax ++ wrmsr ++ ++ call *%edi ++ ++ /* We must preserve return value */ ++ movl %eax, %edi ++ ++ /* ++ * Some firmware will return with interrupts enabled. Be sure to ++ * disable them before we switch GDTs. ++ */ ++ cli ++ ++ movl 56(%esp), %eax ++ movl %eax, 2(%eax) ++ lgdtl (%eax) ++ ++ movl %cr4, %eax ++ btsl $(X86_CR4_PAE_BIT), %eax ++ movl %eax, %cr4 ++ ++ movl %cr3, %eax ++ movl %eax, %cr3 ++ ++ movl $MSR_EFER, %ecx ++ rdmsr ++ btsl $_EFER_LME, %eax ++ wrmsr ++ ++ xorl %eax, %eax ++ lldt %ax ++ ++ movl 60(%esp), %eax ++ pushl $__KERNEL_CS ++ pushl %eax ++ ++ /* Enable paging */ ++ movl %cr0, %eax ++ btsl $X86_CR0_PG_BIT, %eax ++ movl %eax, %cr0 ++ lret ++ENDPROC(efi_enter32) ++ ++ .data ++ .balign 8 ++ .global efi32_boot_gdt ++efi32_boot_gdt: .word 0 ++ .quad 0 ++ ++save_gdt: .word 0 ++ .quad 0 ++func_rt_ptr: .quad 0 ++ ++ .global efi_gdt64 ++efi_gdt64: ++ .word efi_gdt64_end - efi_gdt64 ++ .long 0 /* Filled out by user */ ++ .word 0 ++ .quad 0x0000000000000000 /* NULL descriptor */ ++ .quad 0x00af9a000000ffff /* __KERNEL_CS */ ++ .quad 0x00cf92000000ffff /* __KERNEL_DS */ ++ .quad 0x0080890000000000 /* TS descriptor */ ++ .quad 0x0000000000000000 /* TS continued */ ++efi_gdt64_end: +--- a/arch/x86/platform/efi/efi_stub_64.S ++++ b/arch/x86/platform/efi/efi_stub_64.S +@@ -91,167 +91,6 @@ ENTRY(efi_call) + ret + ENDPROC(efi_call) + +-#ifdef CONFIG_EFI_MIXED +- +-/* +- * We run this function from the 1:1 mapping. +- * +- * This function must be invoked with a 1:1 mapped stack. +- */ +-ENTRY(__efi64_thunk) +- movl %ds, %eax +- push %rax +- movl %es, %eax +- push %rax +- movl %ss, %eax +- push %rax +- +- subq $32, %rsp +- movl %esi, 0x0(%rsp) +- movl %edx, 0x4(%rsp) +- movl %ecx, 0x8(%rsp) +- movq %r8, %rsi +- movl %esi, 0xc(%rsp) +- movq %r9, %rsi +- movl %esi, 0x10(%rsp) +- +- sgdt save_gdt(%rip) +- +- leaq 1f(%rip), %rbx +- movq %rbx, func_rt_ptr(%rip) +- +- /* Switch to gdt with 32-bit segments */ +- movl 64(%rsp), %eax +- lgdt (%rax) +- +- leaq efi_enter32(%rip), %rax +- pushq $__KERNEL_CS +- pushq %rax +- lretq +- +-1: addq $32, %rsp +- +- lgdt save_gdt(%rip) +- +- pop %rbx +- movl %ebx, %ss +- pop %rbx +- movl %ebx, %es +- pop %rbx +- movl %ebx, %ds +- +- /* +- * Convert 32-bit status code into 64-bit. +- */ +- test %rax, %rax +- jz 1f +- movl %eax, %ecx +- andl $0x0fffffff, %ecx +- andl $0xf0000000, %eax +- shl $32, %rax +- or %rcx, %rax +-1: +- ret +-ENDPROC(__efi64_thunk) +- +-ENTRY(efi_exit32) +- movq func_rt_ptr(%rip), %rax +- push %rax +- mov %rdi, %rax +- ret +-ENDPROC(efi_exit32) +- +- .code32 +-/* +- * EFI service pointer must be in %edi. +- * +- * The stack should represent the 32-bit calling convention. +- */ +-ENTRY(efi_enter32) +- movl $__KERNEL_DS, %eax +- movl %eax, %ds +- movl %eax, %es +- movl %eax, %ss +- +- /* Reload pgtables */ +- movl %cr3, %eax +- movl %eax, %cr3 +- +- /* Disable paging */ +- movl %cr0, %eax +- btrl $X86_CR0_PG_BIT, %eax +- movl %eax, %cr0 +- +- /* Disable long mode via EFER */ +- movl $MSR_EFER, %ecx +- rdmsr +- btrl $_EFER_LME, %eax +- wrmsr +- +- call *%edi +- +- /* We must preserve return value */ +- movl %eax, %edi +- +- /* +- * Some firmware will return with interrupts enabled. Be sure to +- * disable them before we switch GDTs. +- */ +- cli +- +- movl 68(%esp), %eax +- movl %eax, 2(%eax) +- lgdtl (%eax) +- +- movl %cr4, %eax +- btsl $(X86_CR4_PAE_BIT), %eax +- movl %eax, %cr4 +- +- movl %cr3, %eax +- movl %eax, %cr3 +- +- movl $MSR_EFER, %ecx +- rdmsr +- btsl $_EFER_LME, %eax +- wrmsr +- +- xorl %eax, %eax +- lldt %ax +- +- movl 72(%esp), %eax +- pushl $__KERNEL_CS +- pushl %eax +- +- /* Enable paging */ +- movl %cr0, %eax +- btsl $X86_CR0_PG_BIT, %eax +- movl %eax, %cr0 +- lret +-ENDPROC(efi_enter32) +- +- .data +- .balign 8 +- .global efi32_boot_gdt +-efi32_boot_gdt: .word 0 +- .quad 0 +- +-save_gdt: .word 0 +- .quad 0 +-func_rt_ptr: .quad 0 +- +- .global efi_gdt64 +-efi_gdt64: +- .word efi_gdt64_end - efi_gdt64 +- .long 0 /* Filled out by user */ +- .word 0 +- .quad 0x0000000000000000 /* NULL descriptor */ +- .quad 0x00af9a000000ffff /* __KERNEL_CS */ +- .quad 0x00cf92000000ffff /* __KERNEL_DS */ +- .quad 0x0080890000000000 /* TS descriptor */ +- .quad 0x0000000000000000 /* TS continued */ +-efi_gdt64_end: +-#endif /* CONFIG_EFI_MIXED */ +- + .data + ENTRY(efi_scratch) + .fill 3,8,0 +--- a/arch/x86/platform/efi/efi_thunk_64.S ++++ b/arch/x86/platform/efi/efi_thunk_64.S +@@ -1,9 +1,26 @@ + /* + * Copyright (C) 2014 Intel Corporation; author Matt Fleming ++ * ++ * Support for invoking 32-bit EFI runtime services from a 64-bit ++ * kernel. ++ * ++ * The below thunking functions are only used after ExitBootServices() ++ * has been called. This simplifies things considerably as compared with ++ * the early EFI thunking because we can leave all the kernel state ++ * intact (GDT, IDT, etc) and simply invoke the the 32-bit EFI runtime ++ * services from __KERNEL32_CS. This means we can continue to service ++ * interrupts across an EFI mixed mode call. ++ * ++ * We do however, need to handle the fact that we're running in a full ++ * 64-bit virtual address space. Things like the stack and instruction ++ * addresses need to be accessible by the 32-bit firmware, so we rely on ++ * using the identity mappings in the EFI page table to access the stack ++ * and kernel text (see efi_setup_page_tables()). + */ + + #include + #include ++#include + + .text + .code64 +@@ -33,14 +50,6 @@ ENTRY(efi64_thunk) + leaq efi_exit32(%rip), %rbx + subq %rax, %rbx + movl %ebx, 8(%rsp) +- leaq efi_gdt64(%rip), %rbx +- subq %rax, %rbx +- movl %ebx, 2(%ebx) +- movl %ebx, 4(%rsp) +- leaq efi_gdt32(%rip), %rbx +- subq %rax, %rbx +- movl %ebx, 2(%ebx) +- movl %ebx, (%rsp) + + leaq __efi64_thunk(%rip), %rbx + subq %rax, %rbx +@@ -52,14 +61,92 @@ ENTRY(efi64_thunk) + retq + ENDPROC(efi64_thunk) + +- .data +-efi_gdt32: +- .word efi_gdt32_end - efi_gdt32 +- .long 0 /* Filled out above */ +- .word 0 +- .quad 0x0000000000000000 /* NULL descriptor */ +- .quad 0x00cf9a000000ffff /* __KERNEL_CS */ +- .quad 0x00cf93000000ffff /* __KERNEL_DS */ +-efi_gdt32_end: ++/* ++ * We run this function from the 1:1 mapping. ++ * ++ * This function must be invoked with a 1:1 mapped stack. ++ */ ++ENTRY(__efi64_thunk) ++ movl %ds, %eax ++ push %rax ++ movl %es, %eax ++ push %rax ++ movl %ss, %eax ++ push %rax ++ ++ subq $32, %rsp ++ movl %esi, 0x0(%rsp) ++ movl %edx, 0x4(%rsp) ++ movl %ecx, 0x8(%rsp) ++ movq %r8, %rsi ++ movl %esi, 0xc(%rsp) ++ movq %r9, %rsi ++ movl %esi, 0x10(%rsp) ++ ++ leaq 1f(%rip), %rbx ++ movq %rbx, func_rt_ptr(%rip) ++ ++ /* Switch to 32-bit descriptor */ ++ pushq $__KERNEL32_CS ++ leaq efi_enter32(%rip), %rax ++ pushq %rax ++ lretq ++ ++1: addq $32, %rsp ++ ++ pop %rbx ++ movl %ebx, %ss ++ pop %rbx ++ movl %ebx, %es ++ pop %rbx ++ movl %ebx, %ds + ++ /* ++ * Convert 32-bit status code into 64-bit. ++ */ ++ test %rax, %rax ++ jz 1f ++ movl %eax, %ecx ++ andl $0x0fffffff, %ecx ++ andl $0xf0000000, %eax ++ shl $32, %rax ++ or %rcx, %rax ++1: ++ ret ++ENDPROC(__efi64_thunk) ++ ++ENTRY(efi_exit32) ++ movq func_rt_ptr(%rip), %rax ++ push %rax ++ mov %rdi, %rax ++ ret ++ENDPROC(efi_exit32) ++ ++ .code32 ++/* ++ * EFI service pointer must be in %edi. ++ * ++ * The stack should represent the 32-bit calling convention. ++ */ ++ENTRY(efi_enter32) ++ movl $__KERNEL_DS, %eax ++ movl %eax, %ds ++ movl %eax, %es ++ movl %eax, %ss ++ ++ call *%edi ++ ++ /* We must preserve return value */ ++ movl %eax, %edi ++ ++ movl 72(%esp), %eax ++ pushl $__KERNEL_CS ++ pushl %eax ++ ++ lret ++ENDPROC(efi_enter32) ++ ++ .data ++ .balign 8 ++func_rt_ptr: .quad 0 + efi_saved_sp: .quad 0 diff --git a/queue-3.19/x86-irq-fix-regression-caused-by-commit-b568b8601f05.patch b/queue-3.19/x86-irq-fix-regression-caused-by-commit-b568b8601f05.patch new file mode 100644 index 00000000000..a7240024db8 --- /dev/null +++ b/queue-3.19/x86-irq-fix-regression-caused-by-commit-b568b8601f05.patch @@ -0,0 +1,54 @@ +From 1ea76fbadd667b19c4fa4466f3a3b55a505e83d9 Mon Sep 17 00:00:00 2001 +From: Jiang Liu +Date: Mon, 16 Feb 2015 10:11:13 +0800 +Subject: x86/irq: Fix regression caused by commit b568b8601f05 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jiang Liu + +commit 1ea76fbadd667b19c4fa4466f3a3b55a505e83d9 upstream. + +Commit b568b8601f05 ("Treat SCI interrupt as normal GSI interrupt") +accidently removes support of legacy PIC interrupt when fixing a +regression for Xen, which causes a nasty regression on HP/Compaq +nc6000 where we fail to register the ACPI interrupt, and thus +lose eg. thermal notifications leading a potentially overheated +machine. + +So reintroduce support of legacy PIC based ACPI SCI interrupt. + +Reported-by: Ville Syrjälä +Tested-by: Ville Syrjälä +Signed-off-by: Jiang Liu +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Pavel Machek +Cc: H. Peter Anvin +Cc: Len Brown +Cc: Linus Torvalds +Cc: Rafael J. Wysocki +Cc: Sander Eikelenboom +Cc: linux-pm@vger.kernel.org +Link: http://lkml.kernel.org/r/1424052673-22974-1-git-send-email-jiang.liu@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/acpi/boot.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/x86/kernel/acpi/boot.c ++++ b/arch/x86/kernel/acpi/boot.c +@@ -613,6 +613,11 @@ int acpi_gsi_to_irq(u32 gsi, unsigned in + { + int rc, irq, trigger, polarity; + ++ if (acpi_irq_model == ACPI_IRQ_MODEL_PIC) { ++ *irqp = gsi; ++ return 0; ++ } ++ + rc = acpi_get_override_irq(gsi, &trigger, &polarity); + if (rc == 0) { + trigger = trigger ? ACPI_LEVEL_SENSITIVE : ACPI_EDGE_SENSITIVE; diff --git a/queue-3.19/x86-mm-aslr-fix-stack-randomization-on-64-bit-systems.patch b/queue-3.19/x86-mm-aslr-fix-stack-randomization-on-64-bit-systems.patch new file mode 100644 index 00000000000..757e63f8128 --- /dev/null +++ b/queue-3.19/x86-mm-aslr-fix-stack-randomization-on-64-bit-systems.patch @@ -0,0 +1,110 @@ +From 4e7c22d447bb6d7e37bfe39ff658486ae78e8d77 Mon Sep 17 00:00:00 2001 +From: Hector Marco-Gisbert +Date: Sat, 14 Feb 2015 09:33:50 -0800 +Subject: x86, mm/ASLR: Fix stack randomization on 64-bit systems + +From: Hector Marco-Gisbert + +commit 4e7c22d447bb6d7e37bfe39ff658486ae78e8d77 upstream. + +The issue is that the stack for processes is not properly randomized on +64 bit architectures due to an integer overflow. + +The affected function is randomize_stack_top() in file +"fs/binfmt_elf.c": + + static unsigned long randomize_stack_top(unsigned long stack_top) + { + unsigned int random_variable = 0; + + if ((current->flags & PF_RANDOMIZE) && + !(current->personality & ADDR_NO_RANDOMIZE)) { + random_variable = get_random_int() & STACK_RND_MASK; + random_variable <<= PAGE_SHIFT; + } + return PAGE_ALIGN(stack_top) + random_variable; + return PAGE_ALIGN(stack_top) - random_variable; + } + +Note that, it declares the "random_variable" variable as "unsigned int". +Since the result of the shifting operation between STACK_RND_MASK (which +is 0x3fffff on x86_64, 22 bits) and PAGE_SHIFT (which is 12 on x86_64): + + random_variable <<= PAGE_SHIFT; + +then the two leftmost bits are dropped when storing the result in the +"random_variable". This variable shall be at least 34 bits long to hold +the (22+12) result. + +These two dropped bits have an impact on the entropy of process stack. +Concretely, the total stack entropy is reduced by four: from 2^28 to +2^30 (One fourth of expected entropy). + +This patch restores back the entropy by correcting the types involved +in the operations in the functions randomize_stack_top() and +stack_maxrandom_size(). + +The successful fix can be tested with: + + $ for i in `seq 1 10`; do cat /proc/self/maps | grep stack; done + 7ffeda566000-7ffeda587000 rw-p 00000000 00:00 0 [stack] + 7fff5a332000-7fff5a353000 rw-p 00000000 00:00 0 [stack] + 7ffcdb7a1000-7ffcdb7c2000 rw-p 00000000 00:00 0 [stack] + 7ffd5e2c4000-7ffd5e2e5000 rw-p 00000000 00:00 0 [stack] + ... + +Once corrected, the leading bytes should be between 7ffc and 7fff, +rather than always being 7fff. + +Signed-off-by: Hector Marco-Gisbert +Signed-off-by: Ismael Ripoll +[ Rebased, fixed 80 char bugs, cleaned up commit message, added test example and CVE ] +Signed-off-by: Kees Cook +Cc: Linus Torvalds +Cc: Andrew Morton +Cc: Al Viro +Fixes: CVE-2015-1593 +Link: http://lkml.kernel.org/r/20150214173350.GA18393@www.outflux.net +Signed-off-by: Borislav Petkov +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/mm/mmap.c | 6 +++--- + fs/binfmt_elf.c | 5 +++-- + 2 files changed, 6 insertions(+), 5 deletions(-) + +--- a/arch/x86/mm/mmap.c ++++ b/arch/x86/mm/mmap.c +@@ -35,12 +35,12 @@ struct va_alignment __read_mostly va_ali + .flags = -1, + }; + +-static unsigned int stack_maxrandom_size(void) ++static unsigned long stack_maxrandom_size(void) + { +- unsigned int max = 0; ++ unsigned long max = 0; + if ((current->flags & PF_RANDOMIZE) && + !(current->personality & ADDR_NO_RANDOMIZE)) { +- max = ((-1U) & STACK_RND_MASK) << PAGE_SHIFT; ++ max = ((-1UL) & STACK_RND_MASK) << PAGE_SHIFT; + } + + return max; +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -645,11 +645,12 @@ out: + + static unsigned long randomize_stack_top(unsigned long stack_top) + { +- unsigned int random_variable = 0; ++ unsigned long random_variable = 0; + + if ((current->flags & PF_RANDOMIZE) && + !(current->personality & ADDR_NO_RANDOMIZE)) { +- random_variable = get_random_int() & STACK_RND_MASK; ++ random_variable = (unsigned long) get_random_int(); ++ random_variable &= STACK_RND_MASK; + random_variable <<= PAGE_SHIFT; + } + #ifdef CONFIG_STACK_GROWSUP diff --git a/queue-3.19/x86-pmc-atom-assign-debugfs-node-as-soon-as-possible.patch b/queue-3.19/x86-pmc-atom-assign-debugfs-node-as-soon-as-possible.patch new file mode 100644 index 00000000000..53213f5b4ca --- /dev/null +++ b/queue-3.19/x86-pmc-atom-assign-debugfs-node-as-soon-as-possible.patch @@ -0,0 +1,47 @@ +From 1b43d7125f3b6f7d46e72da64f65f3187a83b66b Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Wed, 14 Jan 2015 18:39:31 +0200 +Subject: x86: pmc-atom: Assign debugfs node as soon as possible + +From: Andy Shevchenko + +commit 1b43d7125f3b6f7d46e72da64f65f3187a83b66b upstream. + +pmc_dbgfs_unregister() will be called when pmc->dbgfs_dir is unconditionally +NULL on error path in pmc_dbgfs_register(). To prevent this we move the +assignment to where is should be. + +Fixes: f855911c1f48 (x86/pmc_atom: Expose PMC device state and platform sleep state) +Reported-by: Thomas Gleixner +Signed-off-by: Andy Shevchenko +Cc: Aubrey Li +Cc: Rafael J. Wysocki +Cc: Kumar P. Mahesh +Link: http://lkml.kernel.org/r/1421253575-22509-2-git-send-email-andriy.shevchenko@linux.intel.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/pmc_atom.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/x86/kernel/pmc_atom.c ++++ b/arch/x86/kernel/pmc_atom.c +@@ -217,6 +217,8 @@ static int pmc_dbgfs_register(struct pmc + if (!dir) + return -ENOMEM; + ++ pmc->dbgfs_dir = dir; ++ + f = debugfs_create_file("dev_state", S_IFREG | S_IRUGO, + dir, pmc, &pmc_dev_state_ops); + if (!f) { +@@ -229,7 +231,7 @@ static int pmc_dbgfs_register(struct pmc + dev_err(&pdev->dev, "sleep_state register failed\n"); + goto err; + } +- pmc->dbgfs_dir = dir; ++ + return 0; + err: + pmc_dbgfs_unregister(pmc); diff --git a/queue-3.19/xfs-fix-quota-type-in-quota-structures-when-reusing-quota-file.patch b/queue-3.19/xfs-fix-quota-type-in-quota-structures-when-reusing-quota-file.patch new file mode 100644 index 00000000000..bd66e86f326 --- /dev/null +++ b/queue-3.19/xfs-fix-quota-type-in-quota-structures-when-reusing-quota-file.patch @@ -0,0 +1,48 @@ +From dfcc70a8c868fe03276fa59864149708fb41930b Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 23 Feb 2015 22:34:17 +1100 +Subject: xfs: Fix quota type in quota structures when reusing quota file + +From: Jan Kara + +commit dfcc70a8c868fe03276fa59864149708fb41930b upstream. + +For filesystems without separate project quota inode field in the +superblock we just reuse project quota file for group quotas (and vice +versa) if project quota file is allocated and we need group quota file. +When we reuse the file, quota structures on disk suddenly have wrong +type stored in d_flags though. Nobody really cares about this (although +structure type reported to userspace was wrong as well) except +that after commit 14bf61ffe6ac (quota: Switch ->get_dqblk() and +->set_dqblk() to use bytes as space units) assertion in +xfs_qm_scall_getquota() started to trigger on xfs/106 test (apparently I +was testing without XFS_DEBUG so I didn't notice when submitting the +above commit). + +Fix the problem by properly resetting ddq->d_flags when running quotacheck +for a quota file. + +Reported-by: Al Viro +Signed-off-by: Jan Kara +Reviewed-by: Dave Chinner +Signed-off-by: Dave Chinner +Signed-off-by: Greg Kroah-Hartman + +--- + fs/xfs/xfs_qm.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/xfs/xfs_qm.c ++++ b/fs/xfs/xfs_qm.c +@@ -842,6 +842,11 @@ xfs_qm_reset_dqcounts( + */ + xfs_dqcheck(mp, ddq, id+j, type, XFS_QMOPT_DQREPAIR, + "xfs_quotacheck"); ++ /* ++ * Reset type in case we are reusing group quota file for ++ * project quotas or vice versa ++ */ ++ ddq->d_flags = type; + ddq->d_bcount = 0; + ddq->d_icount = 0; + ddq->d_rtbcount = 0;