From: Greg Kroah-Hartman Date: Fri, 11 Oct 2013 00:02:08 +0000 (-0700) Subject: 3.10-stable patches X-Git-Tag: v3.0.100~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e23bea8bfa820ba0f0dfc9d7d1d4335a310a966a;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: can-flexcan-fix-flexcan_chip_start-on-imx6.patch ib_srpt-always-set-response-for-task-management.patch ib_srpt-destroy-cm_id-before-destroying-qp.patch irq-force-hardirq-exit-s-softirq-processing-on-its-own-stack.patch iscsi-target-only-perform-wait_for_tasks-when-performing-shutdown.patch mm-avoid-reinserting-isolated-balloon-pages-into-lru-lists.patch net-update-the-sysctl-permissions-handler-to-test-effective-uid-gid.patch p54usb-add-usb-id-for-corega-wlusb2gtst-usb-adapter.patch rtlwifi-align-private-space-in-rtl_priv-struct.patch xen-hvc-allow-xenboot-console-to-be-used-again.patch --- diff --git a/queue-3.10/can-flexcan-fix-flexcan_chip_start-on-imx6.patch b/queue-3.10/can-flexcan-fix-flexcan_chip_start-on-imx6.patch new file mode 100644 index 00000000000..4e5850f77db --- /dev/null +++ b/queue-3.10/can-flexcan-fix-flexcan_chip_start-on-imx6.patch @@ -0,0 +1,54 @@ +From 0d1862ea1a5bb876cf05555a7307080cb75bf379 Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Fri, 27 Sep 2013 12:15:05 +0200 +Subject: can: flexcan: fix flexcan_chip_start() on imx6 + +From: Marc Kleine-Budde + +commit 0d1862ea1a5bb876cf05555a7307080cb75bf379 upstream. + +In the flexcan_chip_start() function first the flexcan core is going through +the soft reset sequence, then the RX FIFO is enabled. + +With the hardware is put into FIFO mode, message buffers 1...7 are reserved by +the FIFO engine. The remaining message buffers are in reset default values. +This patch removes the bogus initialization of the message buffers, as it +causes an imprecise external abort on imx6. + +Reported-by: Lothar Waßmann +Tested-by: Lothar Waßmann +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/flexcan.c | 12 ------------ + 1 file changed, 12 deletions(-) + +--- a/drivers/net/can/flexcan.c ++++ b/drivers/net/can/flexcan.c +@@ -711,7 +711,6 @@ static int flexcan_chip_start(struct net + { + struct flexcan_priv *priv = netdev_priv(dev); + struct flexcan_regs __iomem *regs = priv->base; +- unsigned int i; + int err; + u32 reg_mcr, reg_ctrl; + +@@ -781,17 +780,6 @@ static int flexcan_chip_start(struct net + netdev_dbg(dev, "%s: writing ctrl=0x%08x", __func__, reg_ctrl); + flexcan_write(reg_ctrl, ®s->ctrl); + +- for (i = 0; i < ARRAY_SIZE(regs->cantxfg); i++) { +- flexcan_write(0, ®s->cantxfg[i].can_ctrl); +- flexcan_write(0, ®s->cantxfg[i].can_id); +- flexcan_write(0, ®s->cantxfg[i].data[0]); +- flexcan_write(0, ®s->cantxfg[i].data[1]); +- +- /* put MB into rx queue */ +- flexcan_write(FLEXCAN_MB_CNT_CODE(0x4), +- ®s->cantxfg[i].can_ctrl); +- } +- + /* acceptance mask/acceptance code (accept everything) */ + flexcan_write(0x0, ®s->rxgmask); + flexcan_write(0x0, ®s->rx14mask); diff --git a/queue-3.10/ib_srpt-always-set-response-for-task-management.patch b/queue-3.10/ib_srpt-always-set-response-for-task-management.patch new file mode 100644 index 00000000000..3e254c55efe --- /dev/null +++ b/queue-3.10/ib_srpt-always-set-response-for-task-management.patch @@ -0,0 +1,53 @@ +From c807f64340932e19f0d2ac9b30c8381e1f60663a Mon Sep 17 00:00:00 2001 +From: Jack Wang +Date: Mon, 30 Sep 2013 10:09:05 +0200 +Subject: ib_srpt: always set response for task management + +From: Jack Wang + +commit c807f64340932e19f0d2ac9b30c8381e1f60663a upstream. + +The SRP specification requires: + + "Response data shall be provided in any SRP_RSP response that is sent in + response to an SRP_TSK_MGMT request (see 6.7). The information in the + RSP_CODE field (see table 24) shall indicate the completion status of + the task management function." + +So fix this to avoid the SRP initiator interprets task management functions +that succeeded as failed. + +Signed-off-by: Jack Wang +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/srpt/ib_srpt.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/drivers/infiniband/ulp/srpt/ib_srpt.c ++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c +@@ -1588,7 +1588,7 @@ static int srpt_build_tskmgmt_rsp(struct + int resp_data_len; + int resp_len; + +- resp_data_len = (rsp_code == SRP_TSK_MGMT_SUCCESS) ? 0 : 4; ++ resp_data_len = 4; + resp_len = sizeof(*srp_rsp) + resp_data_len; + + srp_rsp = ioctx->ioctx.buf; +@@ -1600,11 +1600,9 @@ static int srpt_build_tskmgmt_rsp(struct + + atomic_xchg(&ch->req_lim_delta, 0)); + srp_rsp->tag = tag; + +- if (rsp_code != SRP_TSK_MGMT_SUCCESS) { +- srp_rsp->flags |= SRP_RSP_FLAG_RSPVALID; +- srp_rsp->resp_data_len = cpu_to_be32(resp_data_len); +- srp_rsp->data[3] = rsp_code; +- } ++ srp_rsp->flags |= SRP_RSP_FLAG_RSPVALID; ++ srp_rsp->resp_data_len = cpu_to_be32(resp_data_len); ++ srp_rsp->data[3] = rsp_code; + + return resp_len; + } diff --git a/queue-3.10/ib_srpt-destroy-cm_id-before-destroying-qp.patch b/queue-3.10/ib_srpt-destroy-cm_id-before-destroying-qp.patch new file mode 100644 index 00000000000..214caf3698d --- /dev/null +++ b/queue-3.10/ib_srpt-destroy-cm_id-before-destroying-qp.patch @@ -0,0 +1,53 @@ +From 0b41d6ca616ddeb3b6c0a80e8770b6f53cd42806 Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Wed, 18 Sep 2013 12:48:27 -0700 +Subject: ib_srpt: Destroy cm_id before destroying QP. + +From: Nicholas Bellinger + +commit 0b41d6ca616ddeb3b6c0a80e8770b6f53cd42806 upstream. + +This patch fixes a bug where ib_destroy_cm_id() was incorrectly being called +after srpt_destroy_ch_ib() had destroyed the active QP. + +This would result in the following failed SRP_LOGIN_REQ messages: + +Received SRP_LOGIN_REQ with i_port_id 0x0:0x2590ffff1762bd, t_port_id 0x2c903009f8f40:0x2c903009f8f40 and it_iu_len 260 on port 1 (guid=0xfe80000000000000:0x2c903009f8f41) +Received SRP_LOGIN_REQ with i_port_id 0x0:0x2590ffff1758f9, t_port_id 0x2c903009f8f40:0x2c903009f8f40 and it_iu_len 260 on port 2 (guid=0xfe80000000000000:0x2c903009f8f42) +Received SRP_LOGIN_REQ with i_port_id 0x0:0x2590ffff175941, t_port_id 0x2c903009f8f40:0x2c903009f8f40 and it_iu_len 260 on port 2 (guid=0xfe80000000000000:0x2c90300a3cfb2) +Received SRP_LOGIN_REQ with i_port_id 0x0:0x2590ffff176299, t_port_id 0x2c903009f8f40:0x2c903009f8f40 and it_iu_len 260 on port 1 (guid=0xfe80000000000000:0x2c90300a3cfb1) +mlx4_core 0000:84:00.0: command 0x19 failed: fw status = 0x9 +rejected SRP_LOGIN_REQ because creating a new RDMA channel failed. +Received SRP_LOGIN_REQ with i_port_id 0x0:0x2590ffff176299, t_port_id 0x2c903009f8f40:0x2c903009f8f40 and it_iu_len 260 on port 1 (guid=0xfe80000000000000:0x2c90300a3cfb1) +mlx4_core 0000:84:00.0: command 0x19 failed: fw status = 0x9 +rejected SRP_LOGIN_REQ because creating a new RDMA channel failed. +Received SRP_LOGIN_REQ with i_port_id 0x0:0x2590ffff176299, t_port_id 0x2c903009f8f40:0x2c903009f8f40 and it_iu_len 260 on port 1 (guid=0xfe80000000000000:0x2c90300a3cfb1) + +Reported-by: Navin Ahuja +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/srpt/ib_srpt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/ulp/srpt/ib_srpt.c ++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c +@@ -2358,6 +2358,8 @@ static void srpt_release_channel_work(st + transport_deregister_session(se_sess); + ch->sess = NULL; + ++ ib_destroy_cm_id(ch->cm_id); ++ + srpt_destroy_ch_ib(ch); + + srpt_free_ioctx_ring((struct srpt_ioctx **)ch->ioctx_ring, +@@ -2368,8 +2370,6 @@ static void srpt_release_channel_work(st + list_del(&ch->list); + spin_unlock_irq(&sdev->spinlock); + +- ib_destroy_cm_id(ch->cm_id); +- + if (ch->release_done) + complete(ch->release_done); + diff --git a/queue-3.10/irq-force-hardirq-exit-s-softirq-processing-on-its-own-stack.patch b/queue-3.10/irq-force-hardirq-exit-s-softirq-processing-on-its-own-stack.patch new file mode 100644 index 00000000000..e5e5ec442ba --- /dev/null +++ b/queue-3.10/irq-force-hardirq-exit-s-softirq-processing-on-its-own-stack.patch @@ -0,0 +1,154 @@ +From ded797547548a5b8e7b92383a41e4c0e6b0ecb7f Mon Sep 17 00:00:00 2001 +From: Frederic Weisbecker +Date: Tue, 24 Sep 2013 00:50:25 +0200 +Subject: irq: Force hardirq exit's softirq processing on its own stack + +From: Frederic Weisbecker + +commit ded797547548a5b8e7b92383a41e4c0e6b0ecb7f upstream. + +The commit facd8b80c67a3cf64a467c4a2ac5fb31f2e6745b +("irq: Sanitize invoke_softirq") converted irq exit +calls of do_softirq() to __do_softirq() on all architectures, +assuming it was only used there for its irq disablement +properties. + +But as a side effect, the softirqs processed in the end +of the hardirq are always called on the inline current +stack that is used by irq_exit() instead of the softirq +stack provided by the archs that override do_softirq(). + +The result is mostly safe if the architecture runs irq_exit() +on a separate irq stack because then softirqs are processed +on that same stack that is near empty at this stage (assuming +hardirq aren't nesting). + +Otherwise irq_exit() runs in the task stack and so does the softirq +too. The interrupted call stack can be randomly deep already and +the softirq can dig through it even further. To add insult to the +injury, this softirq can be interrupted by a new hardirq, maximizing +the chances for a stack overrun as reported in powerpc for example: + + do_IRQ: stack overflow: 1920 + CPU: 0 PID: 1602 Comm: qemu-system-ppc Not tainted 3.10.4-300.1.fc19.ppc64p7 #1 + Call Trace: + [c0000000050a8740] .show_stack+0x130/0x200 (unreliable) + [c0000000050a8810] .dump_stack+0x28/0x3c + [c0000000050a8880] .do_IRQ+0x2b8/0x2c0 + [c0000000050a8930] hardware_interrupt_common+0x154/0x180 + --- Exception: 501 at .cp_start_xmit+0x3a4/0x820 [8139cp] + LR = .cp_start_xmit+0x390/0x820 [8139cp] + [c0000000050a8d40] .dev_hard_start_xmit+0x394/0x640 + [c0000000050a8e00] .sch_direct_xmit+0x110/0x260 + [c0000000050a8ea0] .dev_queue_xmit+0x260/0x630 + [c0000000050a8f40] .br_dev_queue_push_xmit+0xc4/0x130 [bridge] + [c0000000050a8fc0] .br_dev_xmit+0x198/0x270 [bridge] + [c0000000050a9070] .dev_hard_start_xmit+0x394/0x640 + [c0000000050a9130] .dev_queue_xmit+0x428/0x630 + [c0000000050a91d0] .ip_finish_output+0x2a4/0x550 + [c0000000050a9290] .ip_local_out+0x50/0x70 + [c0000000050a9310] .ip_queue_xmit+0x148/0x420 + [c0000000050a93b0] .tcp_transmit_skb+0x4e4/0xaf0 + [c0000000050a94a0] .__tcp_ack_snd_check+0x7c/0xf0 + [c0000000050a9520] .tcp_rcv_established+0x1e8/0x930 + [c0000000050a95f0] .tcp_v4_do_rcv+0x21c/0x570 + [c0000000050a96c0] .tcp_v4_rcv+0x734/0x930 + [c0000000050a97a0] .ip_local_deliver_finish+0x184/0x360 + [c0000000050a9840] .ip_rcv_finish+0x148/0x400 + [c0000000050a98d0] .__netif_receive_skb_core+0x4f8/0xb00 + [c0000000050a99d0] .netif_receive_skb+0x44/0x110 + [c0000000050a9a70] .br_handle_frame_finish+0x2bc/0x3f0 [bridge] + [c0000000050a9b20] .br_nf_pre_routing_finish+0x2ac/0x420 [bridge] + [c0000000050a9bd0] .br_nf_pre_routing+0x4dc/0x7d0 [bridge] + [c0000000050a9c70] .nf_iterate+0x114/0x130 + [c0000000050a9d30] .nf_hook_slow+0xb4/0x1e0 + [c0000000050a9e00] .br_handle_frame+0x290/0x330 [bridge] + [c0000000050a9ea0] .__netif_receive_skb_core+0x34c/0xb00 + [c0000000050a9fa0] .netif_receive_skb+0x44/0x110 + [c0000000050aa040] .napi_gro_receive+0xe8/0x120 + [c0000000050aa0c0] .cp_rx_poll+0x31c/0x590 [8139cp] + [c0000000050aa1d0] .net_rx_action+0x1dc/0x310 + [c0000000050aa2b0] .__do_softirq+0x158/0x330 + [c0000000050aa3b0] .irq_exit+0xc8/0x110 + [c0000000050aa430] .do_IRQ+0xdc/0x2c0 + [c0000000050aa4e0] hardware_interrupt_common+0x154/0x180 + --- Exception: 501 at .bad_range+0x1c/0x110 + LR = .get_page_from_freelist+0x908/0xbb0 + [c0000000050aa7d0] .list_del+0x18/0x50 (unreliable) + [c0000000050aa850] .get_page_from_freelist+0x908/0xbb0 + [c0000000050aa9e0] .__alloc_pages_nodemask+0x21c/0xae0 + [c0000000050aaba0] .alloc_pages_vma+0xd0/0x210 + [c0000000050aac60] .handle_pte_fault+0x814/0xb70 + [c0000000050aad50] .__get_user_pages+0x1a4/0x640 + [c0000000050aae60] .get_user_pages_fast+0xec/0x160 + [c0000000050aaf10] .__gfn_to_pfn_memslot+0x3b0/0x430 [kvm] + [c0000000050aafd0] .kvmppc_gfn_to_pfn+0x64/0x130 [kvm] + [c0000000050ab070] .kvmppc_mmu_map_page+0x94/0x530 [kvm] + [c0000000050ab190] .kvmppc_handle_pagefault+0x174/0x610 [kvm] + [c0000000050ab270] .kvmppc_handle_exit_pr+0x464/0x9b0 [kvm] + [c0000000050ab320] kvm_start_lightweight+0x1ec/0x1fc [kvm] + [c0000000050ab4f0] .kvmppc_vcpu_run_pr+0x168/0x3b0 [kvm] + [c0000000050ab9c0] .kvmppc_vcpu_run+0xc8/0xf0 [kvm] + [c0000000050aba50] .kvm_arch_vcpu_ioctl_run+0x5c/0x1a0 [kvm] + [c0000000050abae0] .kvm_vcpu_ioctl+0x478/0x730 [kvm] + [c0000000050abc90] .do_vfs_ioctl+0x4ec/0x7c0 + [c0000000050abd80] .SyS_ioctl+0xd4/0xf0 + [c0000000050abe30] syscall_exit+0x0/0x98 + +Since this is a regression, this patch proposes a minimalistic +and low-risk solution by blindly forcing the hardirq exit processing of +softirqs on the softirq stack. This way we should reduce significantly +the opportunities for task stack overflow dug by softirqs. + +Longer term solutions may involve extending the hardirq stack coverage to +irq_exit(), etc... + +Reported-by: Benjamin Herrenschmidt +Acked-by: Linus Torvalds +Signed-off-by: Frederic Weisbecker +Cc: Benjamin Herrenschmidt +Cc: Paul Mackerras +Cc: Ingo Molnar +Cc: Thomas Gleixner +Cc: Peter Zijlstra +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Paul Mackerras +Cc: James Hogan +Cc: James E.J. Bottomley +Cc: Helge Deller +Cc: Martin Schwidefsky +Cc: Heiko Carstens +Cc: David S. Miller +Cc: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/softirq.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/kernel/softirq.c ++++ b/kernel/softirq.c +@@ -330,10 +330,19 @@ void irq_enter(void) + + static inline void invoke_softirq(void) + { +- if (!force_irqthreads) +- __do_softirq(); +- else ++ if (!force_irqthreads) { ++ /* ++ * We can safely execute softirq on the current stack if ++ * it is the irq stack, because it should be near empty ++ * at this stage. But we have no way to know if the arch ++ * calls irq_exit() on the irq stack. So call softirq ++ * in its own stack to prevent from any overrun on top ++ * of a potentially deep task stack. ++ */ ++ do_softirq(); ++ } else { + wakeup_softirqd(); ++ } + } + + static inline void tick_irq_exit(void) diff --git a/queue-3.10/iscsi-target-only-perform-wait_for_tasks-when-performing-shutdown.patch b/queue-3.10/iscsi-target-only-perform-wait_for_tasks-when-performing-shutdown.patch new file mode 100644 index 00000000000..626d22594fc --- /dev/null +++ b/queue-3.10/iscsi-target-only-perform-wait_for_tasks-when-performing-shutdown.patch @@ -0,0 +1,43 @@ +From e255a28598e8e63070322fc89bd34189dd660a89 Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Thu, 3 Oct 2013 13:37:21 -0700 +Subject: iscsi-target: Only perform wait_for_tasks when performing shutdown + +From: Nicholas Bellinger + +commit e255a28598e8e63070322fc89bd34189dd660a89 upstream. + +This patch changes transport_generic_free_cmd() to only wait_for_tasks +when shutdown=true is passed to iscsit_free_cmd(). + +With the advent of >= v3.10 iscsi-target code using se_cmd->cmd_kref, +the extra wait_for_tasks with shutdown=false is unnecessary, and may +end up causing an extra context switch when releasing WRITEs. + +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/iscsi/iscsi_target_util.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/target/iscsi/iscsi_target_util.c ++++ b/drivers/target/iscsi/iscsi_target_util.c +@@ -734,7 +734,7 @@ void iscsit_free_cmd(struct iscsi_cmd *c + * Fallthrough + */ + case ISCSI_OP_SCSI_TMFUNC: +- rc = transport_generic_free_cmd(&cmd->se_cmd, 1); ++ rc = transport_generic_free_cmd(&cmd->se_cmd, shutdown); + if (!rc && shutdown && se_cmd && se_cmd->se_sess) { + __iscsit_free_cmd(cmd, true, shutdown); + target_put_sess_cmd(se_cmd->se_sess, se_cmd); +@@ -750,7 +750,7 @@ void iscsit_free_cmd(struct iscsi_cmd *c + se_cmd = &cmd->se_cmd; + __iscsit_free_cmd(cmd, true, shutdown); + +- rc = transport_generic_free_cmd(&cmd->se_cmd, 1); ++ rc = transport_generic_free_cmd(&cmd->se_cmd, shutdown); + if (!rc && shutdown && se_cmd->se_sess) { + __iscsit_free_cmd(cmd, true, shutdown); + target_put_sess_cmd(se_cmd->se_sess, se_cmd); diff --git a/queue-3.10/mm-avoid-reinserting-isolated-balloon-pages-into-lru-lists.patch b/queue-3.10/mm-avoid-reinserting-isolated-balloon-pages-into-lru-lists.patch new file mode 100644 index 00000000000..2237bbecf8a --- /dev/null +++ b/queue-3.10/mm-avoid-reinserting-isolated-balloon-pages-into-lru-lists.patch @@ -0,0 +1,144 @@ +From 117aad1e9e4d97448d1df3f84b08bd65811e6d6a Mon Sep 17 00:00:00 2001 +From: Rafael Aquini +Date: Mon, 30 Sep 2013 13:45:16 -0700 +Subject: mm: avoid reinserting isolated balloon pages into LRU lists + +From: Rafael Aquini + +commit 117aad1e9e4d97448d1df3f84b08bd65811e6d6a upstream. + +Isolated balloon pages can wrongly end up in LRU lists when +migrate_pages() finishes its round without draining all the isolated +page list. + +The same issue can happen when reclaim_clean_pages_from_list() tries to +reclaim pages from an isolated page list, before migration, in the CMA +path. Such balloon page leak opens a race window against LRU lists +shrinkers that leads us to the following kernel panic: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 + IP: [] shrink_page_list+0x24e/0x897 + PGD 3cda2067 PUD 3d713067 PMD 0 + Oops: 0000 [#1] SMP + CPU: 0 PID: 340 Comm: kswapd0 Not tainted 3.12.0-rc1-22626-g4367597 #87 + Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 + RIP: shrink_page_list+0x24e/0x897 + RSP: 0000:ffff88003da499b8 EFLAGS: 00010286 + RAX: 0000000000000000 RBX: ffff88003e82bd60 RCX: 00000000000657d5 + RDX: 0000000000000000 RSI: 000000000000031f RDI: ffff88003e82bd40 + RBP: ffff88003da49ab0 R08: 0000000000000001 R09: 0000000081121a45 + R10: ffffffff81121a45 R11: ffff88003c4a9a28 R12: ffff88003e82bd40 + R13: ffff88003da0e800 R14: 0000000000000001 R15: ffff88003da49d58 + FS: 0000000000000000(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00000000067d9000 CR3: 000000003ace5000 CR4: 00000000000407b0 + Call Trace: + shrink_inactive_list+0x240/0x3de + shrink_lruvec+0x3e0/0x566 + __shrink_zone+0x94/0x178 + shrink_zone+0x3a/0x82 + balance_pgdat+0x32a/0x4c2 + kswapd+0x2f0/0x372 + kthread+0xa2/0xaa + ret_from_fork+0x7c/0xb0 + Code: 80 7d 8f 01 48 83 95 68 ff ff ff 00 4c 89 e7 e8 5a 7b 00 00 48 85 c0 49 89 c5 75 08 80 7d 8f 00 74 3e eb 31 48 8b 80 18 01 00 00 <48> 8b 74 0d 48 8b 78 30 be 02 00 00 00 ff d2 eb + RIP [] shrink_page_list+0x24e/0x897 + RSP + CR2: 0000000000000028 + ---[ end trace 703d2451af6ffbfd ]--- + Kernel panic - not syncing: Fatal exception + +This patch fixes the issue, by assuring the proper tests are made at +putback_movable_pages() & reclaim_clean_pages_from_list() to avoid +isolated balloon pages being wrongly reinserted in LRU lists. + +[akpm@linux-foundation.org: clarify awkward comment text] +Signed-off-by: Rafael Aquini +Reported-by: Luiz Capitulino +Tested-by: Luiz Capitulino +Cc: Mel Gorman +Cc: Rik van Riel +Cc: Hugh Dickins +Cc: Johannes Weiner +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/balloon_compaction.h | 25 +++++++++++++++++++++++++ + mm/migrate.c | 2 +- + mm/vmscan.c | 4 +++- + 3 files changed, 29 insertions(+), 2 deletions(-) + +--- a/include/linux/balloon_compaction.h ++++ b/include/linux/balloon_compaction.h +@@ -159,6 +159,26 @@ static inline bool balloon_page_movable( + } + + /* ++ * isolated_balloon_page - identify an isolated balloon page on private ++ * compaction/migration page lists. ++ * ++ * After a compaction thread isolates a balloon page for migration, it raises ++ * the page refcount to prevent concurrent compaction threads from re-isolating ++ * the same page. For that reason putback_movable_pages(), or other routines ++ * that need to identify isolated balloon pages on private pagelists, cannot ++ * rely on balloon_page_movable() to accomplish the task. ++ */ ++static inline bool isolated_balloon_page(struct page *page) ++{ ++ /* Already isolated balloon pages, by default, have a raised refcount */ ++ if (page_flags_cleared(page) && !page_mapped(page) && ++ page_count(page) >= 2) ++ return __is_movable_balloon_page(page); ++ ++ return false; ++} ++ ++/* + * balloon_page_insert - insert a page into the balloon's page list and make + * the page->mapping assignment accordingly. + * @page : page to be assigned as a 'balloon page' +@@ -242,6 +262,11 @@ static inline bool balloon_page_movable( + { + return false; + } ++ ++static inline bool isolated_balloon_page(struct page *page) ++{ ++ return false; ++} + + static inline bool balloon_page_isolate(struct page *page) + { +--- a/mm/migrate.c ++++ b/mm/migrate.c +@@ -103,7 +103,7 @@ void putback_movable_pages(struct list_h + list_del(&page->lru); + dec_zone_page_state(page, NR_ISOLATED_ANON + + page_is_file_cache(page)); +- if (unlikely(balloon_page_movable(page))) ++ if (unlikely(isolated_balloon_page(page))) + balloon_page_putback(page); + else + putback_lru_page(page); +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -48,6 +48,7 @@ + #include + + #include ++#include + + #include "internal.h" + +@@ -978,7 +979,8 @@ unsigned long reclaim_clean_pages_from_l + LIST_HEAD(clean_pages); + + list_for_each_entry_safe(page, next, page_list, lru) { +- if (page_is_file_cache(page) && !PageDirty(page)) { ++ if (page_is_file_cache(page) && !PageDirty(page) && ++ !isolated_balloon_page(page)) { + ClearPageActive(page); + list_move(&page->lru, &clean_pages); + } diff --git a/queue-3.10/net-update-the-sysctl-permissions-handler-to-test-effective-uid-gid.patch b/queue-3.10/net-update-the-sysctl-permissions-handler-to-test-effective-uid-gid.patch new file mode 100644 index 00000000000..9fde330a77a --- /dev/null +++ b/queue-3.10/net-update-the-sysctl-permissions-handler-to-test-effective-uid-gid.patch @@ -0,0 +1,39 @@ +From 2433c8f094a008895e66f25bd1773cdb01c91d01 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Sat, 5 Oct 2013 13:15:30 -0700 +Subject: net: Update the sysctl permissions handler to test effective uid/gid + +From: "Eric W. Biederman" + +commit 2433c8f094a008895e66f25bd1773cdb01c91d01 upstream. + +Modify the code to use current_euid(), and in_egroup_p, as in done +in fs/proc/proc_sysctl.c:test_perm() + +Reviewed-by: Eric Sandeen +Reported-by: Eric Sandeen +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + net/sysctl_net.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/sysctl_net.c ++++ b/net/sysctl_net.c +@@ -47,12 +47,12 @@ static int net_ctl_permissions(struct ct + + /* Allow network administrator to have same access as root. */ + if (ns_capable(net->user_ns, CAP_NET_ADMIN) || +- uid_eq(root_uid, current_uid())) { ++ uid_eq(root_uid, current_euid())) { + int mode = (table->mode >> 6) & 7; + return (mode << 6) | (mode << 3) | mode; + } + /* Allow netns root group to have the same access as the root group */ +- if (gid_eq(root_gid, current_gid())) { ++ if (in_egroup_p(root_gid)) { + int mode = (table->mode >> 3) & 7; + return (mode << 3) | mode; + } diff --git a/queue-3.10/p54usb-add-usb-id-for-corega-wlusb2gtst-usb-adapter.patch b/queue-3.10/p54usb-add-usb-id-for-corega-wlusb2gtst-usb-adapter.patch new file mode 100644 index 00000000000..eebe8b1228d --- /dev/null +++ b/queue-3.10/p54usb-add-usb-id-for-corega-wlusb2gtst-usb-adapter.patch @@ -0,0 +1,30 @@ +From 1e43692cdb7cc445d6347d8a5207d9cef0c71434 Mon Sep 17 00:00:00 2001 +From: Christian Lamparter +Date: Tue, 24 Sep 2013 21:56:46 +0200 +Subject: p54usb: add USB ID for Corega WLUSB2GTST USB adapter + +From: Christian Lamparter + +commit 1e43692cdb7cc445d6347d8a5207d9cef0c71434 upstream. + +Added USB ID for Corega WLUSB2GTST USB adapter. + +Reported-by: Joerg Kalisch +Signed-off-by: Christian Lamparter +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/p54/p54usb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/p54/p54usb.c ++++ b/drivers/net/wireless/p54/p54usb.c +@@ -83,6 +83,7 @@ static struct usb_device_id p54u_table[] + {USB_DEVICE(0x06a9, 0x000e)}, /* Westell 802.11g USB (A90-211WG-01) */ + {USB_DEVICE(0x06b9, 0x0121)}, /* Thomson SpeedTouch 121g */ + {USB_DEVICE(0x0707, 0xee13)}, /* SMC 2862W-G version 2 */ ++ {USB_DEVICE(0x07aa, 0x0020)}, /* Corega WLUSB2GTST USB */ + {USB_DEVICE(0x0803, 0x4310)}, /* Zoom 4410a */ + {USB_DEVICE(0x083a, 0x4521)}, /* Siemens Gigaset USB Adapter 54 version 2 */ + {USB_DEVICE(0x083a, 0x4531)}, /* T-Com Sinus 154 data II */ diff --git a/queue-3.10/rtlwifi-align-private-space-in-rtl_priv-struct.patch b/queue-3.10/rtlwifi-align-private-space-in-rtl_priv-struct.patch new file mode 100644 index 00000000000..c2c1bb6e600 --- /dev/null +++ b/queue-3.10/rtlwifi-align-private-space-in-rtl_priv-struct.patch @@ -0,0 +1,35 @@ +From 60ce314d1750fef843e9db70050e09e49f838b69 Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Wed, 18 Sep 2013 21:21:35 -0500 +Subject: rtlwifi: Align private space in rtl_priv struct + +From: Larry Finger + +commit 60ce314d1750fef843e9db70050e09e49f838b69 upstream. + +The private array at the end of the rtl_priv struct is not aligned. +On ARM architecture, this causes an alignment trap and is fixed by aligning +that array with __align(sizeof(void *)). That should properly align that +space according to the requirements of all architectures. + +Reported-by: Jason Andrews +Tested-by: Jason Andrews +Signed-off-by: Larry Finger +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rtlwifi/wifi.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/rtlwifi/wifi.h ++++ b/drivers/net/wireless/rtlwifi/wifi.h +@@ -2057,7 +2057,7 @@ struct rtl_priv { + that it points to the data allocated + beyond this structure like: + rtl_pci_priv or rtl_usb_priv */ +- u8 priv[0]; ++ u8 priv[0] __aligned(sizeof(void *)); + }; + + #define rtl_priv(hw) (((struct rtl_priv *)(hw)->priv)) diff --git a/queue-3.10/series b/queue-3.10/series index 75643a26484..6c7a6d84ffb 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -81,3 +81,13 @@ mwifiex-fix-null-pointer-dereference-in-usb-suspend-handler.patch mwifiex-fix-hang-issue-for-usb-chipsets.patch mwifiex-fix-pcie-hs_cfg-cancel-cmd-timeout.patch usb-serial-option-ignore-card-reader-interface-on-huawei-e1750.patch +xen-hvc-allow-xenboot-console-to-be-used-again.patch +ib_srpt-destroy-cm_id-before-destroying-qp.patch +ib_srpt-always-set-response-for-task-management.patch +rtlwifi-align-private-space-in-rtl_priv-struct.patch +p54usb-add-usb-id-for-corega-wlusb2gtst-usb-adapter.patch +mm-avoid-reinserting-isolated-balloon-pages-into-lru-lists.patch +iscsi-target-only-perform-wait_for_tasks-when-performing-shutdown.patch +net-update-the-sysctl-permissions-handler-to-test-effective-uid-gid.patch +irq-force-hardirq-exit-s-softirq-processing-on-its-own-stack.patch +can-flexcan-fix-flexcan_chip_start-on-imx6.patch diff --git a/queue-3.10/xen-hvc-allow-xenboot-console-to-be-used-again.patch b/queue-3.10/xen-hvc-allow-xenboot-console-to-be-used-again.patch new file mode 100644 index 00000000000..242e30de229 --- /dev/null +++ b/queue-3.10/xen-hvc-allow-xenboot-console-to-be-used-again.patch @@ -0,0 +1,34 @@ +From a9fbf4d591da6cd1d3eaab826c7c15f77fc8f6a3 Mon Sep 17 00:00:00 2001 +From: David Vrabel +Date: Tue, 1 Oct 2013 19:00:49 +0100 +Subject: xen/hvc: allow xenboot console to be used again + +From: David Vrabel + +commit a9fbf4d591da6cd1d3eaab826c7c15f77fc8f6a3 upstream. + +Commit d0380e6c3c0f6edb986d8798a23acfaf33d5df23 (early_printk: +consolidate random copies of identical code) added in 3.10 introduced +a check for con->index == -1 in early_console_register(). + +Initialize index to -1 for the xenboot console so earlyprintk=xen +works again. + +Signed-off-by: David Vrabel +Cc: Jiri Slaby +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/hvc/hvc_xen.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/tty/hvc/hvc_xen.c ++++ b/drivers/tty/hvc/hvc_xen.c +@@ -636,6 +636,7 @@ struct console xenboot_console = { + .name = "xenboot", + .write = xenboot_write_console, + .flags = CON_PRINTBUFFER | CON_BOOT | CON_ANYTIME, ++ .index = -1, + }; + #endif /* CONFIG_EARLY_PRINTK */ +