From: Greg Kroah-Hartman
Date: Tue, 17 Apr 2012 23:25:14 +0000 (-0700)
Subject: 3.0-stable patches
X-Git-Tag: v3.2.16~33
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5b31f8225a9e1b08725e7ed5940757eed782bede;p=thirdparty%2Fkernel%2Fstable-queue.git
3.0-stable patches
added patches:
nohz-fix-stale-jiffies-update-in-tick_nohz_restart.patch
perf-hists-catch-and-handle-out-of-date-hist-entry-maps.patch
usb-serial-fix-race-between-probe-and-open.patch
video-uvesafb-fix-oops-that-uvesafb-try-to-execute-nx-protected-page.patch
---
diff --git a/queue-3.0/nohz-fix-stale-jiffies-update-in-tick_nohz_restart.patch b/queue-3.0/nohz-fix-stale-jiffies-update-in-tick_nohz_restart.patch
new file mode 100644
index 00000000000..775760c4775
--- /dev/null
+++ b/queue-3.0/nohz-fix-stale-jiffies-update-in-tick_nohz_restart.patch
@@ -0,0 +1,51 @@
+From 6f103929f8979d2638e58d7f7fda0beefcb8ee7e Mon Sep 17 00:00:00 2001
+From: Neal Cardwell
+Date: Tue, 27 Mar 2012 15:09:37 -0400
+Subject: nohz: Fix stale jiffies update in tick_nohz_restart()
+
+From: Neal Cardwell
+
+commit 6f103929f8979d2638e58d7f7fda0beefcb8ee7e upstream.
+
+Fix tick_nohz_restart() to not use a stale ktime_t "now" value when
+calling tick_do_update_jiffies64(now).
+
+If we reach this point in the loop it means that we crossed a tick
+boundary since we grabbed the "now" timestamp, so at this point "now"
+refers to a time in the old jiffy, so using the old value for "now" is
+incorrect, and is likely to give us a stale jiffies value.
+
+In particular, the first time through the loop the
+tick_do_update_jiffies64(now) call is always a no-op, since the
+caller, tick_nohz_restart_sched_tick(), will have already called
+tick_do_update_jiffies64(now) with that "now" value.
+
+Note that tick_nohz_stop_sched_tick() already uses the correct
+approach: when we notice we cross a jiffy boundary, grab a new
+timestamp with ktime_get(), and *then* update jiffies.
+
+Signed-off-by: Neal Cardwell
+Cc: Ben Segall
+Cc: Ingo Molnar
+Link: http://lkml.kernel.org/r/1332875377-23014-1-git-send-email-ncardwell@google.com
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/time/tick-sched.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/time/tick-sched.c
++++ b/kernel/time/tick-sched.c
+@@ -484,9 +484,9 @@ static void tick_nohz_restart(struct tic
+ hrtimer_get_expires(&ts->sched_timer), 0))
+ break;
+ }
+- /* Update jiffies and reread time */
+- tick_do_update_jiffies64(now);
++ /* Reread time and update jiffies */
+ now = ktime_get();
++ tick_do_update_jiffies64(now);
+ }
+ }
+
diff --git a/queue-3.0/perf-hists-catch-and-handle-out-of-date-hist-entry-maps.patch b/queue-3.0/perf-hists-catch-and-handle-out-of-date-hist-entry-maps.patch
new file mode 100644
index 00000000000..d83bae3a95f
--- /dev/null
+++ b/queue-3.0/perf-hists-catch-and-handle-out-of-date-hist-entry-maps.patch
@@ -0,0 +1,56 @@
+From 63fa471dd49e9c9ce029d910d1024330d9b1b145 Mon Sep 17 00:00:00 2001
+From: David Miller
+Date: Tue, 27 Mar 2012 03:14:18 -0400
+Subject: perf hists: Catch and handle out-of-date hist entry maps.
+
+From: David Miller
+
+commit 63fa471dd49e9c9ce029d910d1024330d9b1b145 upstream.
+
+When a process exec()'s, all the maps are retired, but we keep the hist
+entries around which hold references to those outdated maps.
+
+If the same library gets mapped in for which we have hist entries, a new
+map will be created. But when we take a perf entry hit within that map,
+we'll find the existing hist entry with the older map.
+
+This causes symbol translations to be done incorrectly. For example,
+the perf entry processing will lookup the correct uptodate map entry and
+use that to calculate the symbol and DSO relative address. But later
+when we update the histogram we'll translate the address using the
+outdated map file instead leading to conditions such as out-of-range
+offsets in symbol__inc_addr_samples().
+
+Therefore, update the map of the hist_entry dynamically at lookup/
+creation time.
+
+Signed-off-by: David S. Miller
+Link: http://lkml.kernel.org/r/20120327.031418.1220315351537060808.davem@davemloft.net
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ tools/perf/util/hist.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/tools/perf/util/hist.c
++++ b/tools/perf/util/hist.c
+@@ -158,6 +158,18 @@ struct hist_entry *__hists__add_entry(st
+ if (!cmp) {
+ he->period += period;
+ ++he->nr_events;
++
++ /* If the map of an existing hist_entry has
++ * become out-of-date due to an exec() or
++ * similar, update it. Otherwise we will
++ * mis-adjust symbol addresses when computing
++ * the history counter to increment.
++ */
++ if (he->ms.map != entry->ms.map) {
++ he->ms.map = entry->ms.map;
++ if (he->ms.map)
++ he->ms.map->referenced = true;
++ }
+ goto out;
+ }
+
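Review bot: In the block added to __hists__add_entry(), only `he->ms.map` is replaced; `he->ms.sym` is left as it was, and nothing in the hunk shows why the symbol pointer is still valid once the map has been swapped. The commit description says the stale map produced out-of-range offsets in symbol__inc_addr_samples(), so the added comment should state the invariant the fix relies on, for example `/* he->ms.sym is kept: symbols are presumably owned by the DSO, not the map -- confirm */`. A range check at the consumer would be a reasonable second line of defence, but that code is not part of this hunk. The function body starts and ends outside the hunk.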
diff --git a/queue-3.0/series b/queue-3.0/series
index 890c2667c0b..b4d82a07be0 100644
--- a/queue-3.0/series
+++ b/queue-3.0/series
@@ -12,3 +12,7 @@ sparc64-eliminate-obsolete-__handle_softirq-function.patch
 sparc64-fix-bootup-crash-on-sun4v.patch
 cciss-initialize-scsi-host-max_sectors-for-tape-drive-support.patch
 cciss-fix-scsi-tape-io-with-more-than-255-scatter-gather-elements.patch
+perf-hists-catch-and-handle-out-of-date-hist-entry-maps.patch
+video-uvesafb-fix-oops-that-uvesafb-try-to-execute-nx-protected-page.patch
+nohz-fix-stale-jiffies-update-in-tick_nohz_restart.patch
+usb-serial-fix-race-between-probe-and-open.patch
diff --git a/queue-3.0/usb-serial-fix-race-between-probe-and-open.patch b/queue-3.0/usb-serial-fix-race-between-probe-and-open.patch
new file mode 100644
index 00000000000..0706e913dbe
--- /dev/null
+++ b/queue-3.0/usb-serial-fix-race-between-probe-and-open.patch
@@ -0,0 +1,95 @@
+From a65a6f14dc24a90bde3f5d0073ba2364476200bf Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Tue, 20 Mar 2012 16:59:33 +0100
+Subject: USB: serial: fix race between probe and open
+
+From: Johan Hovold
+
+commit a65a6f14dc24a90bde3f5d0073ba2364476200bf upstream.
+
+Fix race between probe and open by making sure that the disconnected
+flag is not cleared until all ports have been registered.
+
+A call to tty_open while probe is running may get a reference to the
+serial structure in serial_install before its ports have been
+registered. This may lead to usb_serial_core calling driver open before
+port is fully initialised.
+
+With ftdi_sio this result in the following NULL-pointer dereference as
+the private data has not been initialised at open:
+
+[ 199.698286] IP: [] ftdi_open+0x59/0xe0 [ftdi_sio]
+[ 199.698297] *pde = 00000000
+[ 199.698303] Oops: 0000 [#1] PREEMPT SMP
+[ 199.698313] Modules linked in: ftdi_sio usbserial
+[ 199.698323]
+[ 199.698327] Pid: 1146, comm: ftdi_open Not tainted 3.2.11 #70 Dell Inc. Vostro 1520/0T816J
+[ 199.698339] EIP: 0060:[] EFLAGS: 00010286 CPU: 0
+[ 199.698344] EIP is at ftdi_open+0x59/0xe0 [ftdi_sio]
+[ 199.698348] EAX: 0000003e EBX: f5067000 ECX: 00000000 EDX: 80000600
+[ 199.698352] ESI: f48d8800 EDI: 00000001 EBP: f515dd54 ESP: f515dcfc
+[ 199.698356] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
+[ 199.698361] Process ftdi_open (pid: 1146, ti=f515c000 task=f481e040 task.ti=f515c000)
+[ 199.698364] Stack:
+[ 199.698368] f811a9fe f811a9e0 f811b3ef 00000000 00000000 00001388 00000000 f4a86800
+[ 199.698387] 00000002 00000000 f806e68e 00000000 f532765c f481e040 00000246 22222222
+[ 199.698479] 22222222 22222222 22222222 f5067004 f5327600 f5327638 f515dd74 f806e6ab
+[ 199.698496] Call Trace:
+[ 199.698504] [] ? serial_activate+0x2e/0x70 [usbserial]
+[ 199.698511] [] serial_activate+0x4b/0x70 [usbserial]
+[ 199.698521] [] tty_port_open+0x7c/0xd0
+[ 199.698527] [] ? serial_set_termios+0xa0/0xa0 [usbserial]
+[ 199.698534] [] serial_open+0x2f/0x70 [usbserial]
+[ 199.698540] [] tty_open+0x20c/0x510
+[ 199.698546] [] chrdev_open+0xe7/0x230
+[ 199.698553] [] __dentry_open+0x1f2/0x390
+[ 199.698559] [] ? _raw_spin_unlock+0x2c/0x50
+[ 199.698565] [] nameidata_to_filp+0x66/0x80
+[ 199.698570] [] ? cdev_put+0x20/0x20
+[ 199.698576] [] do_last+0x198/0x730
+[ 199.698581] [] path_openat+0xa0/0x350
+[ 199.698587] [] do_filp_open+0x35/0x80
+[ 199.698593] [] ? _raw_spin_unlock+0x2c/0x50
+[ 199.698599] [] ? alloc_fd+0xc0/0x100
+[ 199.698605] [] ? getname_flags+0x72/0x120
+[ 199.698611] [] do_sys_open+0xf0/0x1c0
+[ 199.698617] [] ? trace_hardirqs_on_thunk+0xc/0x10
+[ 199.698623] [] sys_open+0x2e/0x40
+[ 199.698628] [] sysenter_do_call+0x12/0x36
+[ 199.698632] Code: 85 89 00 00 00 8b 16 8b 4d c0 c1 e2 08 c7 44 24 14 88 13 00 00 81 ca 00 00 00 80 c7 44 24 10 00 00 00 00 c7 44 24 0c 00 00 00 00 <0f> b7 41 78 31 c9 89 44 24 08 c7 44 24 04 00 00 00 00 c7 04 24
+[ 199.698884] EIP: [] ftdi_open+0x59/0xe0 [ftdi_sio] SS:ESP 0068:f515dcfc
+[ 199.698893] CR2: 0000000000000078
+[ 199.698925] ---[ end trace 77c43ec023940cff ]---
+
+Reported-and-tested-by: Ken Huang
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/usb-serial.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/usb/serial/usb-serial.c
++++ b/drivers/usb/serial/usb-serial.c
+@@ -1059,6 +1059,12 @@ int usb_serial_probe(struct usb_interfac
+ serial->attached = 1;
+ }
+
++ /* Avoid race with tty_open and serial_install by setting the
++ * disconnected flag and not clearing it until all ports have been
++ * registered.
++ */
++ serial->disconnected = 1;
++
+ if (get_free_serial(serial, num_ports, &minor) == NULL) {
+ dev_err(&interface->dev, "No more free serial devices\n");
+ goto probe_error;
+@@ -1083,6 +1089,8 @@ int usb_serial_probe(struct usb_interfac
+ }
+ }
+
++ serial->disconnected = 0;
++
+ usb_serial_console_init(debug, minor);
+
+ exit:
diff --git a/queue-3.0/video-uvesafb-fix-oops-that-uvesafb-try-to-execute-nx-protected-page.patch b/queue-3.0/video-uvesafb-fix-oops-that-uvesafb-try-to-execute-nx-protected-page.patch
new file mode 100644
index 00000000000..815dfbfa839
--- /dev/null
+++ b/queue-3.0/video-uvesafb-fix-oops-that-uvesafb-try-to-execute-nx-protected-page.patch
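Review bot: The store `serial->disconnected = 0;` near the end of usb_serial_probe() is the point at which a concurrent open may take the serial structure, yet neither it nor the earlier `serial->disconnected = 1;` is made under any lock visible in these hunks. If the open path tests the flag under `serial->disc_mutex` (not shown here, so this is an assumption to confirm), clearing it under the same mutex would make the ordering against port registration explicit: `mutex_lock(&serial->disc_mutex); serial->disconnected = 0; mutex_unlock(&serial->disc_mutex);`. The added comment should also say that the flag deliberately stays set on the `goto probe_error` path. The body of usb_serial_probe() starts and ends outside both inner hunks.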
@@ -0,0 +1,115 @@
+From b78f29ca0516266431688c5eb42d39ce42ec039a Mon Sep 17 00:00:00 2001
+From: Wang YanQing
+Date: Sun, 1 Apr 2012 08:54:02 +0800
+Subject: video:uvesafb: Fix oops that uvesafb try to execute NX-protected page
+
+From: Wang YanQing
+
+commit b78f29ca0516266431688c5eb42d39ce42ec039a upstream.
+
+This patch fix the oops below that catched in my machine
+
+[ 81.560602] uvesafb: NVIDIA Corporation, GT216 Board - 0696a290, Chip Rev , OEM: NVIDIA, VBE v3.0
+[ 81.609384] uvesafb: protected mode interface info at c000:d350
+[ 81.609388] uvesafb: pmi: set display start = c00cd3b3, set palette = c00cd40e
+[ 81.609390] uvesafb: pmi: ports = 3b4 3b5 3ba 3c0 3c1 3c4 3c5 3c6 3c7 3c8 3c9 3cc 3ce 3cf 3d0 3d1 3d2 3d3 3d4 3d5 3da
+[ 81.614558] uvesafb: VBIOS/hardware doesn't support DDC transfers
+[ 81.614562] uvesafb: no monitor limits have been set, default refresh rate will be used
+[ 81.614994] uvesafb: scrolling: ypan using protected mode interface, yres_virtual=4915
+[ 81.744147] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
+[ 81.744153] BUG: unable to handle kernel paging request at c00cd3b3
+[ 81.744159] IP: [] 0xc00cd3b2
+[ 81.744167] *pdpt = 00000000016d6001 *pde = 0000000001c7b067 *pte = 80000000000cd163
+[ 81.744171] Oops: 0011 [#1] SMP
+[ 81.744174] Modules linked in: uvesafb(+) cfbcopyarea cfbimgblt cfbfillrect
+[ 81.744178]
+[ 81.744181] Pid: 3497, comm: modprobe Not tainted 3.3.0-rc4NX+ #71 Acer Aspire 4741 /Aspire 4741
+[ 81.744185] EIP: 0060:[] EFLAGS: 00010246 CPU: 0
+[ 81.744187] EIP is at 0xc00cd3b3
+[ 81.744189] EAX: 00004f07 EBX: 00000000 ECX: 00000000 EDX: 00000000
+[ 81.744191] ESI: f763f000 EDI: f763f6e8 EBP: f57f3a0c ESP: f57f3a00
+[ 81.744192] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
+[ 81.744195] Process modprobe (pid: 3497, ti=f57f2000 task=f748c600 task.ti=f57f2000)
+[ 81.744196] Stack:
+[ 81.744197] f82512c5 f759341c 00000000 f57f3a30 c124a9bc 00000001 00000001 000001e0
+[ 81.744202] f8251280 f763f000 f7593400 00000000 f57f3a40 c12598dd f5c0c000 00000000
+[ 81.744206] f57f3b10 c1255efe c125a21a 00000006 f763f09c 00000000 c1c6cb60 f7593400
+[ 81.744210] Call Trace:
+[ 81.744215] [] ? uvesafb_pan_display+0x45/0x60 [uvesafb]
+[ 81.744222] [] fb_pan_display+0x10c/0x160
+[ 81.744226] [] ? uvesafb_vbe_find_mode+0x180/0x180 [uvesafb]
+[ 81.744230] [] bit_update_start+0x1d/0x50
+[ 81.744232] [] fbcon_switch+0x39e/0x550
+[ 81.744235] [] ? bit_cursor+0x4ea/0x560
+[ 81.744240] [] redraw_screen+0x12b/0x220
+[ 81.744245] [] ? tty_do_resize+0x3b/0xc0
+[ 81.744247] [] vc_do_resize+0x3d2/0x3e0
+[ 81.744250] [] vc_resize+0x14/0x20
+[ 81.744253] [] fbcon_init+0x29d/0x500
+[ 81.744255] [] ? set_inverse_trans_unicode+0xe4/0x110
+[ 81.744258] [] visual_init+0xb8/0x150
+[ 81.744261] [] bind_con_driver+0x16c/0x360
+[ 81.744264] [] ? register_con_driver+0x6e/0x190
+[ 81.744267] [] take_over_console+0x41/0x50
+[ 81.744269] [] fbcon_takeover+0x6a/0xd0
+[ 81.744272] [] fbcon_event_notify+0x758/0x790
+[ 81.744277] [] notifier_call_chain+0x42/0xb0
+[ 81.744280] [] __blocking_notifier_call_chain+0x60/0x90
+[ 81.744283] [] blocking_notifier_call_chain+0x1a/0x20
+[ 81.744285] [] fb_notifier_call_chain+0x11/0x20
+[ 81.744288] [] register_framebuffer+0x1d9/0x2b0
+[ 81.744293] [] ? ioremap_wc+0x33/0x40
+[ 81.744298] [] uvesafb_probe+0xaba/0xc40 [uvesafb]
+[ 81.744302] [] platform_drv_probe+0xf/0x20
+[ 81.744306] [] driver_probe_device+0x68/0x170
+[ 81.744309] [] __device_attach+0x41/0x50
+[ 81.744313] [] bus_for_each_drv+0x48/0x70
+[ 81.744316] [] device_attach+0x83/0xa0
+[ 81.744319] [] ? __driver_attach+0x90/0x90
+[ 81.744321] [] bus_probe_device+0x6f/0x90
+[ 81.744324] [] device_add+0x5e5/0x680
+[ 81.744329] [] ? kvasprintf+0x43/0x60
+[ 81.744332] [] ? kobject_set_name_vargs+0x64/0x70
+[ 81.744335] [] ? kobject_set_name_vargs+0x64/0x70
+[ 81.744339] [] platform_device_add+0xff/0x1b0
+[ 81.744343] [] uvesafb_init+0x50/0x9b [uvesafb]
+[ 81.744346] [] do_one_initcall+0x2f/0x170
+[ 81.744350] [] ? uvesafb_is_valid_mode+0x66/0x66 [uvesafb]
+[ 81.744355] [] sys_init_module+0xf4/0x1410
+[ 81.744359] [] ? vfsmount_lock_local_unlock_cpu+0x30/0x30
+[ 81.744363] [] sysenter_do_call+0x12/0x36
+[ 81.744365] Code: f5 00 00 00 32 f6 66 8b da 66 d1 e3 66 ba d4 03 8a e3 b0 1c 66 ef b0 1e 66 ef 8a e7 b0 1d 66 ef b0 1f 66 ef e8 fa 00 00 00 61 c3 <60> e8 c8 00 00 00 66 8b f3 66 8b da 66 ba d4 03 b0 0c 8a e5 66
+[ 81.744388] EIP: [] 0xc00cd3b3 SS:ESP 0068:f57f3a00
+[ 81.744391] CR2: 00000000c00cd3b3
+[ 81.744393] ---[ end trace 18b2c87c925b54d6 ]---
+
+Signed-off-by: Wang YanQing
+Cc: Michal Januszewski
+Cc: Alan Cox
+Signed-off-by: Florian Tobias Schandinat
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/video/uvesafb.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/video/uvesafb.c
++++ b/drivers/video/uvesafb.c
+@@ -815,8 +815,15 @@ static int __devinit uvesafb_vbe_init(st
+ par->pmi_setpal = pmi_setpal;
+ par->ypan = ypan;
+
+- if (par->pmi_setpal || par->ypan)
+- uvesafb_vbe_getpmi(task, par);
++ if (par->pmi_setpal || par->ypan) {
++ if (__supported_pte_mask & _PAGE_NX) {
++ par->pmi_setpal = par->ypan = 0;
++ printk(KERN_WARNING "uvesafb: NX protection is actively."
++ "We have better not to use the PMI.\n");
++ } else {
++ uvesafb_vbe_getpmi(task, par);
++ }
++ }
+ #else
+ /* The protected mode interface is not available on non-x86. */
+ par->pmi_setpal = par->ypan = 0;
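Review bot: The two adjacent string literals in the printk() added to uvesafb_vbe_init() concatenate without a separator, so the warning is logged as `NX protection is actively.We have better not to use the PMI.`, and the wording itself is hard to parse. This line is the only record that the requested `pmi_setpal` and `ypan` options were overridden because NX is in effect, so it should be unambiguous for whoever reads the log: `printk(KERN_WARNING "uvesafb: NX protection is active, not using the PMI (pmi_setpal and ypan disabled)\n");`. The body of uvesafb_vbe_init() starts and ends outside the hunk.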