From: Greg Kroah-Hartman Date: Fri, 14 Aug 2015 01:38:41 +0000 (-0700) Subject: 3.10-stable patches X-Git-Tag: v3.10.87~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=505e0a065a0891732419f706515ee2aa1a9cf9f3;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: alsa-hda-fix-cs4210_spdif_automute.patch ipc-modify-message-queue-accounting-to-not-take-kernel-data-structures-into-account.patch md-raid1-extend-spinlock-to-protect-raid1_end_read_request-against-inconsistencies.patch ocfs2-fix-bug-in-ocfs2_downconvert_thread_do_work.patch sg_start_req-make-sure-that-there-s-not-too-many-elements-in-iovec.patch --- diff --git a/queue-3.10/alsa-hda-fix-cs4210_spdif_automute.patch b/queue-3.10/alsa-hda-fix-cs4210_spdif_automute.patch new file mode 100644 index 00000000000..4cf9bea89bc --- /dev/null +++ b/queue-3.10/alsa-hda-fix-cs4210_spdif_automute.patch 
@@ -0,0 +1,35 @@ +From 44008f0896ae205b02b0882dbf807f0de149efc4 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Sat, 25 Jul 2015 03:03:38 +0300 +Subject: ALSA: hda - fix cs4210_spdif_automute() + +From: Dan Carpenter + +commit 44008f0896ae205b02b0882dbf807f0de149efc4 upstream. + +Smatch complains that we have nested checks for "spdif_present". It +turns out the current behavior isn't correct, we should remove the first +check and keep the second. + +Fixes: 1077a024812d ('ALSA: hda - Use generic parser for Cirrus codec driver') +Signed-off-by: Dan Carpenter +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_cirrus.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/sound/pci/hda/patch_cirrus.c ++++ b/sound/pci/hda/patch_cirrus.c +@@ -787,9 +787,7 @@ static void cs4210_spdif_automute(struct + + spec->spdif_present = spdif_present; + /* SPDIF TX on/off */ +- if (spdif_present) +- snd_hda_set_pin_ctl(codec, spdif_pin, +- spdif_present ? PIN_OUT : 0); ++ snd_hda_set_pin_ctl(codec, spdif_pin, spdif_present ? PIN_OUT : 0); + + cs_automute(codec); + } diff --git a/queue-3.10/ipc-modify-message-queue-accounting-to-not-take-kernel-data-structures-into-account.patch b/queue-3.10/ipc-modify-message-queue-accounting-to-not-take-kernel-data-structures-into-account.patch new file mode 100644 index 00000000000..5871c4af14f --- /dev/null +++ b/queue-3.10/ipc-modify-message-queue-accounting-to-not-take-kernel-data-structures-into-account.patch 
@@ -0,0 +1,110 @@ +From de54b9ac253787c366bbfb28d901a31954eb3511 Mon Sep 17 00:00:00 2001 +From: Marcus Gelderie +Date: Thu, 6 Aug 2015 15:46:10 -0700 +Subject: ipc: modify message queue accounting to not take kernel data structures into account + +From: Marcus Gelderie + +commit de54b9ac253787c366bbfb28d901a31954eb3511 upstream. + +A while back, the message queue implementation in the kernel was +improved to use btrees to speed up retrieval of messages, in commit +d6629859b36d ("ipc/mqueue: improve performance of send/recv"). + +That patch introducing the improved kernel handling of message queues +(using btrees) has, as a by-product, changed the meaning of the QSIZE +field in the pseudo-file created for the queue. Before, this field +reflected the size of the user-data in the queue. Since, it also takes +kernel data structures into account. For example, if 13 bytes of user +data are in the queue, on my machine the file reports a size of 61 +bytes. + +There was some discussion on this topic before (for example +https://lkml.org/lkml/2014/10/1/115). Commenting on a th lkml, Michael +Kerrisk gave the following background +(https://lkml.org/lkml/2015/6/16/74): + + The pseudofiles in the mqueue filesystem (usually mounted at + /dev/mqueue) expose fields with metadata describing a message + queue. One of these fields, QSIZE, as originally implemented, + showed the total number of bytes of user data in all messages in + the message queue, and this feature was documented from the + beginning in the mq_overview(7) page. In 3.5, some other (useful) + work happened to break the user-space API in a couple of places, + including the value exposed via QSIZE, which now includes a measure + of kernel overhead bytes for the queue, a figure that renders QSIZE + useless for its original purpose, since there's no way to deduce + the number of overhead bytes consumed by the implementation. + (The other user-space breakage was subsequently fixed.) 
+ +This patch removes the accounting of kernel data structures in the +queue. Reporting the size of these data-structures in the QSIZE field +was a breaking change (see Michael's comment above). Without the QSIZE +field reporting the total size of user-data in the queue, there is no +way to deduce this number. + +It should be noted that the resource limit RLIMIT_MSGQUEUE is counted +against the worst-case size of the queue (in both the old and the new +implementation). Therefore, the kernel overhead accounting in QSIZE is +not necessary to help the user understand the limitations RLIMIT imposes +on the processes. + +Signed-off-by: Marcus Gelderie +Acked-by: Doug Ledford +Acked-by: Michael Kerrisk +Acked-by: Davidlohr Bueso +Cc: David Howells +Cc: Alexander Viro +Cc: John Duffy +Cc: Arto Bendiken +Cc: Manfred Spraul +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + ipc/mqueue.c | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/ipc/mqueue.c ++++ b/ipc/mqueue.c +@@ -143,7 +143,6 @@ static int msg_insert(struct msg_msg *ms + if (!leaf) + return -ENOMEM; + INIT_LIST_HEAD(&leaf->msg_list); +- info->qsize += sizeof(*leaf); + } + leaf->priority = msg->m_type; + rb_link_node(&leaf->rb_node, parent, p); +@@ -188,7 +187,6 @@ try_again: + "lazy leaf delete!\n"); + rb_erase(&leaf->rb_node, &info->msg_tree); + if (info->node_cache) { +- info->qsize -= sizeof(*leaf); + kfree(leaf); + } else { + info->node_cache = leaf; +@@ -201,7 +199,6 @@ try_again: + if (list_empty(&leaf->msg_list)) { + rb_erase(&leaf->rb_node, &info->msg_tree); + if (info->node_cache) { +- info->qsize -= sizeof(*leaf); + kfree(leaf); + } else { + info->node_cache = leaf; +@@ -1026,7 +1023,6 @@ SYSCALL_DEFINE5(mq_timedsend, mqd_t, mqd + /* Save our speculative allocation into the cache */ + INIT_LIST_HEAD(&new_leaf->msg_list); + info->node_cache = new_leaf; +- info->qsize += sizeof(*new_leaf); + new_leaf = NULL; + } else { + kfree(new_leaf); +@@ -1133,7 
+1129,6 @@ SYSCALL_DEFINE5(mq_timedreceive, mqd_t, + /* Save our speculative allocation into the cache */ + INIT_LIST_HEAD(&new_leaf->msg_list); + info->node_cache = new_leaf; +- info->qsize += sizeof(*new_leaf); + } else { + kfree(new_leaf); + } diff --git a/queue-3.10/md-raid1-extend-spinlock-to-protect-raid1_end_read_request-against-inconsistencies.patch b/queue-3.10/md-raid1-extend-spinlock-to-protect-raid1_end_read_request-against-inconsistencies.patch new file mode 100644 index 00000000000..7ea7835ff54 --- /dev/null +++ b/queue-3.10/md-raid1-extend-spinlock-to-protect-raid1_end_read_request-against-inconsistencies.patch 
@@ -0,0 +1,76 @@ +From 423f04d63cf421ea436bcc5be02543d549ce4b28 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Mon, 27 Jul 2015 11:48:52 +1000 +Subject: md/raid1: extend spinlock to protect raid1_end_read_request against inconsistencies + +From: NeilBrown + +commit 423f04d63cf421ea436bcc5be02543d549ce4b28 upstream. + +raid1_end_read_request() assumes that the In_sync bits are consistent +with the ->degaded count. +raid1_spare_active updates the In_sync bit before the ->degraded count +and so exposes an inconsistency, as does error() +So extend the spinlock in raid1_spare_active() and error() to hide those +inconsistencies. + +This should probably be part of + Commit: 34cab6f42003 ("md/raid1: fix test for 'was read error from + last working device'.") +as it addresses the same issue. It fixes the same bug and should go +to -stable for same reasons. + +Fixes: 76073054c95b ("md/raid1: clean up read_balance.") +Signed-off-by: NeilBrown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid1.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -1382,6 +1382,7 @@ static void error(struct mddev *mddev, s + { + char b[BDEVNAME_SIZE]; + struct r1conf *conf = mddev->private; ++ unsigned long flags; + + /* + * If it is not operational, then we have already marked it as dead +@@ -1401,14 +1402,13 @@ static void error(struct mddev *mddev, s + return; + } + set_bit(Blocked, &rdev->flags); ++ spin_lock_irqsave(&conf->device_lock, flags); + if (test_and_clear_bit(In_sync, &rdev->flags)) { +- unsigned long flags; +- spin_lock_irqsave(&conf->device_lock, flags); + mddev->degraded++; + set_bit(Faulty, &rdev->flags); +- spin_unlock_irqrestore(&conf->device_lock, flags); + } else + set_bit(Faulty, &rdev->flags); ++ spin_unlock_irqrestore(&conf->device_lock, flags); + /* + * if recovery is running, make sure it aborts. 
+ */ +@@ -1466,7 +1466,10 @@ static int raid1_spare_active(struct mdd + * Find all failed disks within the RAID1 configuration + * and mark them readable. + * Called under mddev lock, so rcu protection not needed. ++ * device_lock used to avoid races with raid1_end_read_request ++ * which expects 'In_sync' flags and ->degraded to be consistent. + */ ++ spin_lock_irqsave(&conf->device_lock, flags); + for (i = 0; i < conf->raid_disks; i++) { + struct md_rdev *rdev = conf->mirrors[i].rdev; + struct md_rdev *repl = conf->mirrors[conf->raid_disks + i].rdev; +@@ -1496,7 +1499,6 @@ static int raid1_spare_active(struct mdd + sysfs_notify_dirent_safe(rdev->sysfs_state); + } + } +- spin_lock_irqsave(&conf->device_lock, flags); + mddev->degraded -= count; + spin_unlock_irqrestore(&conf->device_lock, flags); + diff --git a/queue-3.10/ocfs2-fix-bug-in-ocfs2_downconvert_thread_do_work.patch b/queue-3.10/ocfs2-fix-bug-in-ocfs2_downconvert_thread_do_work.patch new file mode 100644 index 00000000000..f4ba13cf508 --- /dev/null +++ b/queue-3.10/ocfs2-fix-bug-in-ocfs2_downconvert_thread_do_work.patch 
@@ -0,0 +1,49 @@ +From 209f7512d007980fd111a74a064d70a3656079cf Mon Sep 17 00:00:00 2001 +From: Joseph Qi +Date: Thu, 6 Aug 2015 15:46:23 -0700 +Subject: ocfs2: fix BUG in ocfs2_downconvert_thread_do_work() + +From: Joseph Qi + +commit 209f7512d007980fd111a74a064d70a3656079cf upstream. + +The "BUG_ON(list_empty(&osb->blocked_lock_list))" in +ocfs2_downconvert_thread_do_work can be triggered in the following case: + +ocfs2dc has firstly saved osb->blocked_lock_count to local varibale +processed, and then processes the dentry lockres. During the dentry +put, it calls iput and then deletes rw, inode and open lockres from +blocked list in ocfs2_mark_lockres_freeing. And this causes the +variable `processed' to not reflect the number of blocked lockres to be +processed, which triggers the BUG. + +Signed-off-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ocfs2/dlmglue.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/fs/ocfs2/dlmglue.c ++++ b/fs/ocfs2/dlmglue.c +@@ -3971,9 +3971,13 @@ static void ocfs2_downconvert_thread_do_ + osb->dc_work_sequence = osb->dc_wake_sequence; + + processed = osb->blocked_lock_count; +- while (processed) { +- BUG_ON(list_empty(&osb->blocked_lock_list)); +- ++ /* ++ * blocked lock processing in this loop might call iput which can ++ * remove items off osb->blocked_lock_list. Downconvert up to ++ * 'processed' number of locks, but stop short if we had some ++ * removed in ocfs2_mark_lockres_freeing when downconverting. ++ */ ++ while (processed && !list_empty(&osb->blocked_lock_list)) { + lockres = list_entry(osb->blocked_lock_list.next, + struct ocfs2_lock_res, l_blocked_list); + list_del_init(&lockres->l_blocked_list); diff --git a/queue-3.10/series b/queue-3.10/series index 738daacdade..d4d46f06e46 100644 --- a/queue-3.10/series +++ b/queue-3.10/series 
@@ -19,3 +19,8 @@ xen-gntdevt-fix-race-condition-in-gntdev_release.patch crypto-ixp4xx-remove-bogus-bug_on-on-scattered-dst-buffer.patch rbd-fix-copyup-completion-race.patch iscsi-target-fix-iscsit_start_kthreads-failure-oops.patch +alsa-hda-fix-cs4210_spdif_automute.patch +ipc-modify-message-queue-accounting-to-not-take-kernel-data-structures-into-account.patch +ocfs2-fix-bug-in-ocfs2_downconvert_thread_do_work.patch +md-raid1-extend-spinlock-to-protect-raid1_end_read_request-against-inconsistencies.patch +sg_start_req-make-sure-that-there-s-not-too-many-elements-in-iovec.patch diff --git a/queue-3.10/sg_start_req-make-sure-that-there-s-not-too-many-elements-in-iovec.patch b/queue-3.10/sg_start_req-make-sure-that-there-s-not-too-many-elements-in-iovec.patch new file mode 100644 index 00000000000..06d6cc4d5dd --- /dev/null +++ b/queue-3.10/sg_start_req-make-sure-that-there-s-not-too-many-elements-in-iovec.patch 
@@ -0,0 +1,39 @@ +From 451a2886b6bf90e2fb378f7c46c655450fb96e81 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sat, 21 Mar 2015 20:08:18 -0400 +Subject: sg_start_req(): make sure that there's not too many elements in iovec + +From: Al Viro + +commit 451a2886b6bf90e2fb378f7c46c655450fb96e81 upstream. + +unfortunately, allowing an arbitrary 16bit value means a possibility of +overflow in the calculation of total number of pages in bio_map_user_iov() - +we rely on there being no more than PAGE_SIZE members of sum in the +first loop there. If that sum wraps around, we end up allocating +too small array of pointers to pages and it's easy to overflow it in +the second loop. + +X-Coverup: TINC (and there's no lumber cartel either) +Signed-off-by: Al Viro +[bwh: s/MAX_UIOVEC/UIO_MAXIOV/. This was fixed upstream by commit + fdc81f45e9f5 ("sg_start_req(): use import_iovec()"), but we don't have + that function.] +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/sg.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -1694,6 +1694,9 @@ static int sg_start_req(Sg_request *srp, + md->from_user = 0; + } + ++ if (unlikely(iov_count > UIO_MAXIOV)) ++ return -EINVAL; ++ + if (iov_count) { + int len, size = sizeof(struct sg_iovec) * iov_count; + struct iovec *iov;
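Review bot: In the sound/pci/hda/patch_cirrus.c hunk (cs4210_spdif_automute), the changelog should name the symptom of the old nested check rather than only saying the behavior "isn't correct". With `if (spdif_present)` guarding the call, the `: 0` arm of the ternary could never run, so the SPDIF pin control was never cleared once spdif_present went false. One sentence stating that would let a stable reviewer judge the fix without reconstructing it from the diff.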
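Review bot: In the ipc/mqueue.c hunks, none of the five sites that lose their `info->qsize` adjustment by `sizeof(*leaf)` or `sizeof(*new_leaf)` gains a comment, and nothing in the code records that qsize now counts user data only. The changelog describes QSIZE as a user-space interface that was already broken once as a side effect of other work, so a one-line comment where qsize is declared, or in msg_insert(), saying it is exposed as QSIZE and must count message payload bytes only, would help keep the overhead accounting from coming back. Please also confirm that no other `sizeof(*leaf)` adjustment to qsize remains outside these hunks, since a leftover one would now skew the reported value.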
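Review bot: In the fs/ocfs2/dlmglue.c hunk, the new condition `while (processed && !list_empty(&osb->blocked_lock_list))` exits silently with `processed` still non-zero, so any mismatch between blocked_lock_count and the list is no longer reported at all. The added comment covers the iput path through ocfs2_mark_lockres_freeing; it should also say whether that is the only expected cause. If it is not obviously the only one, a lighter diagnostic than the removed BUG_ON on the early-exit case would keep an unrelated accounting bug visible without taking the node down.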
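Review bot: In the drivers/scsi/sg.c hunk, the new `if (unlikely(iov_count > UIO_MAXIOV)) return -EINVAL;` carries no comment, and the reason for the bound exists only in the changelog: a wrapped page-count sum in bio_map_user_iov() gives an undersized array of page pointers that the second loop then overruns. A short comment above the check naming that dependency would keep it from being removed as redundant, which matters more here because this backport diverges from upstream (MAX_UIOVEC replaced by UIO_MAXIOV, and no import_iovec(), per the bwh note). The changelog also speaks of "no more than PAGE_SIZE members" while the check uses UIO_MAXIOV, so it should state that UIO_MAXIOV is within the limit bio_map_user_iov() relies on. Finally, the bare return sits after the setup block that ends in `md->from_user = 0; }`, so please confirm it unwinds the same way as the function's other error returns.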