From 830bff0bdd7a0fb52a2dca812331fa7f2b3e22f0 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 26 May 2013 09:24:46 +0900 Subject: [PATCH] 3.9-stable patches added patches: ath9k-fix-crash-on-module-unload.patch ath9k_hw-enable-manual-peak-calibration-for-ar9485.patch drivers-block-brd.c-fix-brd_lookup_page-race.patch drivers-leds-leds-ot200.c-fix-error-caused-by-shifted-mask.patch kirkwood-enable-pcie-port-1-on-qnap-ts-11x-ts-21x.patch klist-del-waiter-from-klist_remove_waiters-before-wakeup-waitting-process.patch mm-compaction-fix-of-improper-cache-flush-in-migration-code.patch mm-memcg-remove-incorrect-vm_bug_on-for-swap-cache-pages-in-uncharge.patch mm-mmu_notifier-re-fix-freed-page-still-mapped-in-secondary-mmu.patch mm-pagewalk.c-walk_page_range-should-avoid-vm_pfnmap-areas.patch mm-thp-use-pmd_populate-to-update-the-pmd-with-pgtable_t-pointer.patch nilfs2-fix-issue-of-nilfs_set_page_dirty-for-page-at-eof-boundary.patch ocfs2-goto-out_unlock-if-ocfs2_get_clusters_nocache-failed-in-ocfs2_fiemap.patch perf-net_dropmonitor-fix-symbol-relative-addresses.patch perf-net_dropmonitor-fix-trace-parameter-order.patch rapidio-tsi721-fix-bug-in-msi-interrupt-handling.patch scsi-ipr-need-to-reset-adapter-after-the-6th-eeh-error.patch tg3-fix-data-corruption-on-5725-with-tso.patch tg3-skip-powering-down-function-0-on-certain-serdes-devices.patch um-serve-io_remap_pfn_range.patch wait-fix-false-timeouts-when-using-wait_event_timeout.patch --- .../ath9k-fix-crash-on-module-unload.patch | 153 +++++++++++++++ ...e-manual-peak-calibration-for-ar9485.patch | 44 +++++ ...block-brd.c-fix-brd_lookup_page-race.patch | 43 +++++ ...0.c-fix-error-caused-by-shifted-mask.patch | 74 +++++++ ...le-pcie-port-1-on-qnap-ts-11x-ts-21x.patch | 34 ++++ ...iters-before-wakeup-waitting-process.patch | 40 ++++ ...proper-cache-flush-in-migration-code.patch | 55 ++++++ ..._on-for-swap-cache-pages-in-uncharge.patch | 71 +++++++ ...d-page-still-mapped-in-secondary-mmu.patch | 181 ++++++++++++++++++ ...e_range-should-avoid-vm_pfnmap-areas.patch | 151 +++++++++++++++ ...pdate-the-pmd-with-pgtable_t-pointer.patch | 45 +++++ ..._page_dirty-for-page-at-eof-boundary.patch | 153 +++++++++++++++ ...sters_nocache-failed-in-ocfs2_fiemap.patch | 41 ++++ ...onitor-fix-symbol-relative-addresses.patch | 37 ++++ ...ropmonitor-fix-trace-parameter-order.patch | 30 +++ ...21-fix-bug-in-msi-interrupt-handling.patch | 59 ++++++ ...eset-adapter-after-the-6th-eeh-error.patch | 63 ++++++ queue-3.9/series | 21 ++ ...fix-data-corruption-on-5725-with-tso.patch | 55 ++++++ ...function-0-on-certain-serdes-devices.patch | 74 +++++++ queue-3.9/um-serve-io_remap_pfn_range.patch | 31 +++ ...meouts-when-using-wait_event_timeout.patch | 91 +++++++++ 22 files changed, 1546 insertions(+) create mode 100644 queue-3.9/ath9k-fix-crash-on-module-unload.patch create mode 100644 queue-3.9/ath9k_hw-enable-manual-peak-calibration-for-ar9485.patch create mode 100644 queue-3.9/drivers-block-brd.c-fix-brd_lookup_page-race.patch create mode 100644 queue-3.9/drivers-leds-leds-ot200.c-fix-error-caused-by-shifted-mask.patch create mode 100644 queue-3.9/kirkwood-enable-pcie-port-1-on-qnap-ts-11x-ts-21x.patch create mode 100644 queue-3.9/klist-del-waiter-from-klist_remove_waiters-before-wakeup-waitting-process.patch create mode 100644 queue-3.9/mm-compaction-fix-of-improper-cache-flush-in-migration-code.patch create mode 100644 queue-3.9/mm-memcg-remove-incorrect-vm_bug_on-for-swap-cache-pages-in-uncharge.patch create mode 100644 queue-3.9/mm-mmu_notifier-re-fix-freed-page-still-mapped-in-secondary-mmu.patch create mode 100644 queue-3.9/mm-pagewalk.c-walk_page_range-should-avoid-vm_pfnmap-areas.patch create mode 100644 queue-3.9/mm-thp-use-pmd_populate-to-update-the-pmd-with-pgtable_t-pointer.patch create mode 100644 queue-3.9/nilfs2-fix-issue-of-nilfs_set_page_dirty-for-page-at-eof-boundary.patch create mode 100644 queue-3.9/ocfs2-goto-out_unlock-if-ocfs2_get_clusters_nocache-failed-in-ocfs2_fiemap.patch create mode 100644 queue-3.9/perf-net_dropmonitor-fix-symbol-relative-addresses.patch create mode 100644 queue-3.9/perf-net_dropmonitor-fix-trace-parameter-order.patch create mode 100644 queue-3.9/rapidio-tsi721-fix-bug-in-msi-interrupt-handling.patch create mode 100644 queue-3.9/scsi-ipr-need-to-reset-adapter-after-the-6th-eeh-error.patch create mode 100644 queue-3.9/tg3-fix-data-corruption-on-5725-with-tso.patch create mode 100644 queue-3.9/tg3-skip-powering-down-function-0-on-certain-serdes-devices.patch create mode 100644 queue-3.9/um-serve-io_remap_pfn_range.patch create mode 100644 queue-3.9/wait-fix-false-timeouts-when-using-wait_event_timeout.patch diff --git a/queue-3.9/ath9k-fix-crash-on-module-unload.patch b/queue-3.9/ath9k-fix-crash-on-module-unload.patch new file mode 100644 index 00000000000..ef721c72172 --- /dev/null +++ b/queue-3.9/ath9k-fix-crash-on-module-unload.patch @@ -0,0 +1,153 @@ +From af690092ce91a2a6d807cdfcc0b0b9b71ae54d3e Mon Sep 17 00:00:00 2001 +From: Sujith Manoharan +Date: Fri, 10 May 2013 18:41:06 +0530 +Subject: ath9k: Fix crash on module unload + +From: Sujith Manoharan + +commit af690092ce91a2a6d807cdfcc0b0b9b71ae54d3e upstream. + +Make sure that any open relayfs files are closed before +unregistering with mac80211, otherwise this crash is seen: + +[ 1331.097846] BUG: unable to handle kernel paging request at 6b6b6b8b +[ 1331.098170] IP: [] debugfs_remove+0x26/0x80 +[ 1331.098170] *pdpt = 000000002f9aa001 *pde = 0000000000000000 +[ 1331.098170] Oops: 0000 [#1] PREEMPT SMP +[ 1331.098170] Modules linked in: iptable_raw xt_CT nf_conntrack_ipv4 nf_defrag] +[ 1331.098170] Pid: 4794, comm: rmmod Tainted: G WC 3.9.1+ #5 To Be Fi. +[ 1331.098170] EIP: 0060:[] EFLAGS: 00010202 CPU: 0 +[ 1331.098170] EIP is at debugfs_remove+0x26/0x80 +[ 1331.098170] EAX: f2f3acd0 EBX: f2f3acd0 ECX: 00000006 EDX: f8622348 +[ 1331.098170] ESI: 6b6b6b6b EDI: 00000001 EBP: ee251e14 ESP: ee251e0c +[ 1331.098170] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 +[ 1331.098170] CR0: 8005003b CR2: 6b6b6b8b CR3: 2e7b7000 CR4: 000007e0 +[ 1331.098170] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 +[ 1331.098170] DR6: ffff0ff0 DR7: 00000400 +[ 1331.098170] Process rmmod (pid: 4794, ti=ee250000 task=efaa2560 task.ti=ee25) +[ 1331.098170] Stack: +[ 1331.098170] f241e170 0000000a ee251e1c f861394d ee251e28 c04e3088 f241e170 4 +[ 1331.098170] c04e30fe f45482b0 ee251e54 c04e3187 f25e86b0 ee251e54 f8618748 0 +[ 1331.098170] 0000000a 00000001 ee251e68 f860065b f2509e20 f25085a0 f5b6e8a4 8 +[ 1331.098170] Call Trace: +[ 1331.098170] [] remove_buf_file_handler+0xd/0x20 [ath9k] +[ 1331.098170] [] relay_remove_buf+0x18/0x30 +[ 1331.098170] [] relay_close_buf+0x2e/0x40 +[ 1331.098170] [] relay_close+0x77/0xf0 +[ 1331.098170] [] ? dpd_exit+0x38/0x40 [ath9k] +[ 1331.098170] [] ath9k_deinit_softc+0x8b/0xa0 [ath9k] +[ 1331.098170] [] ath9k_deinit_device+0x48/0x60 [ath9k] +[ 1331.098170] [] ath_pci_remove+0x31/0x50 [ath9k] +[ 1331.098170] [] pci_device_remove+0x38/0xc0 +[ 1331.098170] [] __device_release_driver+0x64/0xc0 +[ 1331.098170] [] driver_detach+0x97/0xa0 +[ 1331.098170] [] bus_remove_driver+0x6c/0xe0 +[ 1331.098170] [] ? bus_put+0x17/0x20 +[ 1331.098170] [] ? bus_remove_driver+0x83/0xe0 +[ 1331.098170] [] driver_unregister+0x49/0x80 +[ 1331.098170] [] pci_unregister_driver+0x18/0x80 +[ 1331.098170] [] ath_pci_exit+0x12/0x20 [ath9k] +[ 1331.098170] [] ath9k_exit+0x17/0x337 [ath9k] +[ 1331.098170] [] ? mutex_unlock+0xd/0x10 +[ 1331.098170] [] sys_delete_module+0x17c/0x250 +[ 1331.098170] [] ? do_munmap+0x244/0x2d0 +[ 1331.098170] [] ? vm_munmap+0x46/0x60 +[ 1331.098170] [] ? restore_all+0xf/0xf +[ 1331.098170] [] ? __do_page_fault+0x4c0/0x4c0 +[ 1331.098170] [] ? trace_hardirqs_on_caller+0xf4/0x180 +[ 1331.098170] [] sysenter_do_call+0x12/0x38 +[ 1331.098170] Code: 90 8d 74 26 00 55 89 e5 83 ec 08 89 1c 24 89 74 24 04 3e 82 +[ 1331.098170] EIP: [] debugfs_remove+0x26/0x80 SS:ESP 0068:ee251e0c +[ 1331.098170] CR2: 000000006b6b6b8b +[ 1331.727971] ---[ end trace b5bb9f2066cef7f9 ]--- + +Acked-by: Simon Wunderlich +Tested-by: Ben Greear +Signed-off-by: Sujith Manoharan +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/debug.c | 8 ++++++++ + drivers/net/wireless/ath/ath9k/debug.h | 5 +++++ + drivers/net/wireless/ath/ath9k/init.c | 10 ++++------ + 3 files changed, 17 insertions(+), 6 deletions(-) + +--- a/drivers/net/wireless/ath/ath9k/debug.c ++++ b/drivers/net/wireless/ath/ath9k/debug.c +@@ -2003,6 +2003,14 @@ void ath9k_get_et_stats(struct ieee80211 + WARN_ON(i != ATH9K_SSTATS_LEN); + } + ++void ath9k_deinit_debug(struct ath_softc *sc) ++{ ++ if (config_enabled(CONFIG_ATH9K_DEBUGFS) && sc->rfs_chan_spec_scan) { ++ relay_close(sc->rfs_chan_spec_scan); ++ sc->rfs_chan_spec_scan = NULL; ++ } ++} ++ + int ath9k_init_debug(struct ath_hw *ah) + { + struct ath_common *common = ath9k_hw_common(ah); +--- a/drivers/net/wireless/ath/ath9k/debug.h ++++ b/drivers/net/wireless/ath/ath9k/debug.h +@@ -302,6 +302,7 @@ struct ath9k_debug { + }; + + int ath9k_init_debug(struct ath_hw *ah); ++void ath9k_deinit_debug(struct ath_softc *sc); + + void ath_debug_stat_interrupt(struct ath_softc *sc, enum ath9k_int status); + void ath_debug_stat_tx(struct ath_softc *sc, struct ath_buf *bf, +@@ -337,6 +338,10 @@ static inline int ath9k_init_debug(struc + return 0; + } + ++static inline void ath9k_deinit_debug(struct ath_softc *sc) ++{ ++} ++ + static inline void ath_debug_stat_interrupt(struct ath_softc *sc, + enum ath9k_int status) + { +--- a/drivers/net/wireless/ath/ath9k/init.c ++++ b/drivers/net/wireless/ath/ath9k/init.c +@@ -885,7 +885,7 @@ int ath9k_init_device(u16 devid, struct + if (!ath_is_world_regd(reg)) { + error = regulatory_hint(hw->wiphy, reg->alpha2); + if (error) +- goto unregister; ++ goto debug_cleanup; + } + + ath_init_leds(sc); +@@ -893,6 +893,8 @@ int ath9k_init_device(u16 devid, struct + + return 0; + ++debug_cleanup: ++ ath9k_deinit_debug(sc); + unregister: + ieee80211_unregister_hw(hw); + rx_cleanup: +@@ -921,11 +923,6 @@ static void ath9k_deinit_softc(struct at + sc->dfs_detector->exit(sc->dfs_detector); + + ath9k_eeprom_release(sc); +- +- if (config_enabled(CONFIG_ATH9K_DEBUGFS) && sc->rfs_chan_spec_scan) { +- relay_close(sc->rfs_chan_spec_scan); +- sc->rfs_chan_spec_scan = NULL; +- } + } + + void ath9k_deinit_device(struct ath_softc *sc) +@@ -939,6 +936,7 @@ void ath9k_deinit_device(struct ath_soft + + ath9k_ps_restore(sc); + ++ ath9k_deinit_debug(sc); + ieee80211_unregister_hw(hw); + ath_rx_cleanup(sc); + ath9k_deinit_softc(sc); diff --git a/queue-3.9/ath9k_hw-enable-manual-peak-calibration-for-ar9485.patch b/queue-3.9/ath9k_hw-enable-manual-peak-calibration-for-ar9485.patch new file mode 100644 index 00000000000..cebf31f53b3 --- /dev/null +++ b/queue-3.9/ath9k_hw-enable-manual-peak-calibration-for-ar9485.patch @@ -0,0 +1,44 @@ +From e99c60b58b595eaa1c279922ae29d5397c787294 Mon Sep 17 00:00:00 2001 +From: Sujith Manoharan +Date: Thu, 16 May 2013 22:47:34 +0530 +Subject: ath9k_hw: Enable manual peak calibration for AR9485 + +From: Sujith Manoharan + +commit e99c60b58b595eaa1c279922ae29d5397c787294 upstream. + +Manual peak calibration is currently enabled only for +AR9462 and AR9565. This is also required for AR9485. +The initvals are also modified to disable HW peak calibration. + +Signed-off-by: Sujith Manoharan +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/ar9003_calib.c | 2 +- + drivers/net/wireless/ath/ath9k/ar9485_initvals.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/ath/ath9k/ar9003_calib.c ++++ b/drivers/net/wireless/ath/ath9k/ar9003_calib.c +@@ -965,7 +965,7 @@ static void ar9003_hw_do_manual_peak_cal + { + int i; + +- if (!AR_SREV_9462(ah) && !AR_SREV_9565(ah)) ++ if (!AR_SREV_9462(ah) && !AR_SREV_9565(ah) && !AR_SREV_9485(ah)) + return; + + for (i = 0; i < AR9300_MAX_CHAINS; i++) { +--- a/drivers/net/wireless/ath/ath9k/ar9485_initvals.h ++++ b/drivers/net/wireless/ath/ath9k/ar9485_initvals.h +@@ -1020,7 +1020,7 @@ static const u32 ar9485_1_1_baseband_pos + {0x0000a284, 0x00000000, 0x00000000, 0x000002a0, 0x000002a0}, + {0x0000a288, 0x00000000, 0x00000000, 0x00000000, 0x00000000}, + {0x0000a28c, 0x00000000, 0x00000000, 0x00000000, 0x00000000}, +- {0x0000a2c4, 0x00158d18, 0x00158d18, 0x00158d18, 0x00158d18}, ++ {0x0000a2c4, 0x00158d18, 0x00158d18, 0x00058d18, 0x00058d18}, + {0x0000a2d0, 0x00071981, 0x00071981, 0x00071982, 0x00071982}, + {0x0000a2d8, 0xf999a83a, 0xf999a83a, 0xf999a83a, 0xf999a83a}, + {0x0000a358, 0x00000000, 0x00000000, 0x00000000, 0x00000000}, diff --git a/queue-3.9/drivers-block-brd.c-fix-brd_lookup_page-race.patch b/queue-3.9/drivers-block-brd.c-fix-brd_lookup_page-race.patch new file mode 100644 index 00000000000..1d5c97f0091 --- /dev/null +++ b/queue-3.9/drivers-block-brd.c-fix-brd_lookup_page-race.patch @@ -0,0 +1,43 @@ +From dfd20b2b174d3a9b258ea3b7a35ead33576587b1 Mon Sep 17 00:00:00 2001 +From: Brian Behlendorf +Date: Fri, 24 May 2013 15:55:28 -0700 +Subject: drivers/block/brd.c: fix brd_lookup_page() race + +From: Brian Behlendorf + +commit dfd20b2b174d3a9b258ea3b7a35ead33576587b1 upstream. + +The index on the page must be set before it is inserted in the radix +tree. Otherwise there is a small race which can occur during lookup +where the page can be found with the incorrect index. This will trigger +the BUG_ON() in brd_lookup_page(). + +Signed-off-by: Brian Behlendorf +Reported-by: Chris Wedgwood +Cc: Jens Axboe +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/brd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/block/brd.c ++++ b/drivers/block/brd.c +@@ -117,13 +117,13 @@ static struct page *brd_insert_page(stru + + spin_lock(&brd->brd_lock); + idx = sector >> PAGE_SECTORS_SHIFT; ++ page->index = idx; + if (radix_tree_insert(&brd->brd_pages, idx, page)) { + __free_page(page); + page = radix_tree_lookup(&brd->brd_pages, idx); + BUG_ON(!page); + BUG_ON(page->index != idx); +- } else +- page->index = idx; ++ } + spin_unlock(&brd->brd_lock); + + radix_tree_preload_end(); diff --git a/queue-3.9/drivers-leds-leds-ot200.c-fix-error-caused-by-shifted-mask.patch b/queue-3.9/drivers-leds-leds-ot200.c-fix-error-caused-by-shifted-mask.patch new file mode 100644 index 00000000000..2a43085da35 --- /dev/null +++ b/queue-3.9/drivers-leds-leds-ot200.c-fix-error-caused-by-shifted-mask.patch @@ -0,0 +1,74 @@ +From 4b949b8af12e24b8a48fa5bb775a13b558d9f4da Mon Sep 17 00:00:00 2001 +From: Christian Gmeiner +Date: Fri, 24 May 2013 15:55:22 -0700 +Subject: drivers/leds/leds-ot200.c: fix error caused by shifted mask + +From: Christian Gmeiner + +commit 4b949b8af12e24b8a48fa5bb775a13b558d9f4da upstream. + +During the development of this driver an in-house register documentation +was used. The last week some integration tests were done and this +problem was found. It turned out that the released register +documentation is wrong. + +The fix is very simple: shift all masks by one. + +Signed-off-by: Christian Gmeiner +Cc: Bryan Wu +Cc: Sebastian Andrzej Siewior +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/leds/leds-ot200.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/leds/leds-ot200.c ++++ b/drivers/leds/leds-ot200.c +@@ -47,37 +47,37 @@ static struct ot200_led leds[] = { + { + .name = "led_1", + .port = 0x49, +- .mask = BIT(7), ++ .mask = BIT(6), + }, + { + .name = "led_2", + .port = 0x49, +- .mask = BIT(6), ++ .mask = BIT(5), + }, + { + .name = "led_3", + .port = 0x49, +- .mask = BIT(5), ++ .mask = BIT(4), + }, + { + .name = "led_4", + .port = 0x49, +- .mask = BIT(4), ++ .mask = BIT(3), + }, + { + .name = "led_5", + .port = 0x49, +- .mask = BIT(3), ++ .mask = BIT(2), + }, + { + .name = "led_6", + .port = 0x49, +- .mask = BIT(2), ++ .mask = BIT(1), + }, + { + .name = "led_7", + .port = 0x49, +- .mask = BIT(1), ++ .mask = BIT(0), + } + }; + diff --git a/queue-3.9/kirkwood-enable-pcie-port-1-on-qnap-ts-11x-ts-21x.patch b/queue-3.9/kirkwood-enable-pcie-port-1-on-qnap-ts-11x-ts-21x.patch new file mode 100644 index 00000000000..4913bb52e78 --- /dev/null +++ b/queue-3.9/kirkwood-enable-pcie-port-1-on-qnap-ts-11x-ts-21x.patch @@ -0,0 +1,34 @@ +From 99e11334dcb846f9b76fb808196c7f47aa83abb3 Mon Sep 17 00:00:00 2001 +From: Martin Michlmayr +Date: Sun, 21 Apr 2013 17:14:00 +0100 +Subject: Kirkwood: Enable PCIe port 1 on QNAP TS-11x/TS-21x + +From: Martin Michlmayr + +commit 99e11334dcb846f9b76fb808196c7f47aa83abb3 upstream. + +Enable KW_PCIE1 on QNAP TS-11x/TS-21x devices as newer revisions +(rev 1.3) have a USB 3.0 chip from Etron on PCIe port 1. Thanks +to Marek Vasut for identifying this issue! + +Signed-off-by: Martin Michlmayr +Tested-by: Marek Vasut +Acked-by: Andrew Lunn +Signed-off-by: Jason Cooper +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-kirkwood/ts219-setup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/mach-kirkwood/ts219-setup.c ++++ b/arch/arm/mach-kirkwood/ts219-setup.c +@@ -124,7 +124,7 @@ static void __init qnap_ts219_init(void) + static int __init ts219_pci_init(void) + { + if (machine_is_ts219()) +- kirkwood_pcie_init(KW_PCIE0); ++ kirkwood_pcie_init(KW_PCIE1 | KW_PCIE0); + + return 0; + } diff --git a/queue-3.9/klist-del-waiter-from-klist_remove_waiters-before-wakeup-waitting-process.patch b/queue-3.9/klist-del-waiter-from-klist_remove_waiters-before-wakeup-waitting-process.patch new file mode 100644 index 00000000000..9545f0a9a95 --- /dev/null +++ b/queue-3.9/klist-del-waiter-from-klist_remove_waiters-before-wakeup-waitting-process.patch @@ -0,0 +1,40 @@ +From ac5a2962b02f57dea76d314ef2521a2170b28ab6 Mon Sep 17 00:00:00 2001 +From: "wang, biao" +Date: Thu, 16 May 2013 09:50:13 +0800 +Subject: klist: del waiter from klist_remove_waiters before wakeup waitting process + +From: "wang, biao" + +commit ac5a2962b02f57dea76d314ef2521a2170b28ab6 upstream. + +There is a race between klist_remove and klist_release. klist_remove +uses a local var waiter saved on stack. When klist_release calls +wake_up_process(waiter->process) to wake up the waiter, waiter might run +immediately and reuse the stack. Then, klist_release calls +list_del(&waiter->list) to change previous +wait data and cause prior waiter thread corrupt. + +The patch fixes it against kernel 3.9. + +Signed-off-by: wang, biao +Acked-by: Peter Zijlstra +Signed-off-by: Greg Kroah-Hartman + +--- + lib/klist.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/lib/klist.c ++++ b/lib/klist.c +@@ -193,10 +193,10 @@ static void klist_release(struct kref *k + if (waiter->node != n) + continue; + ++ list_del(&waiter->list); + waiter->woken = 1; + mb(); + wake_up_process(waiter->process); +- list_del(&waiter->list); + } + spin_unlock(&klist_remove_lock); + knode_set_klist(n, NULL); diff --git a/queue-3.9/mm-compaction-fix-of-improper-cache-flush-in-migration-code.patch b/queue-3.9/mm-compaction-fix-of-improper-cache-flush-in-migration-code.patch new file mode 100644 index 00000000000..df9e519f271 --- /dev/null +++ b/queue-3.9/mm-compaction-fix-of-improper-cache-flush-in-migration-code.patch @@ -0,0 +1,55 @@ +From c2cc499c5bcf9040a738f49e8051b42078205748 Mon Sep 17 00:00:00 2001 +From: Leonid Yegoshin +Date: Fri, 24 May 2013 15:55:18 -0700 +Subject: mm compaction: fix of improper cache flush in migration code + +From: Leonid Yegoshin + +commit c2cc499c5bcf9040a738f49e8051b42078205748 upstream. + +Page 'new' during MIGRATION can't be flushed with flush_cache_page(). +Using flush_cache_page(vma, addr, pfn) is justified only if the page is +already placed in process page table, and that is done right after +flush_cache_page(). But without it the arch function has no knowledge +of process PTE and does nothing. + +Besides that, flush_cache_page() flushes an application cache page, but +the kernel has a different page virtual address and dirtied it. + +Replace it with flush_dcache_page(new) which is the proper usage. + +The old page is flushed in try_to_unmap_one() before migration. + +This bug takes place in Sead3 board with M14Kc MIPS CPU without cache +aliasing (but Harvard arch - separate I and D cache) in tight memory +environment (128MB) each 1-3days on SOAK test. It fails in cc1 during +kernel build (SIGILL, SIGBUS, SIGSEG) if CONFIG_COMPACTION is switched +ON. + +Signed-off-by: Leonid Yegoshin +Cc: Leonid Yegoshin +Acked-by: Rik van Riel +Cc: Michal Hocko +Acked-by: Mel Gorman +Cc: Ralf Baechle +Cc: Russell King +Cc: David Miller +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/migrate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/migrate.c ++++ b/mm/migrate.c +@@ -165,7 +165,7 @@ static int remove_migration_pte(struct p + pte = arch_make_huge_pte(pte, vma, new, 0); + } + #endif +- flush_cache_page(vma, addr, pte_pfn(pte)); ++ flush_dcache_page(new); + set_pte_at(mm, addr, ptep, pte); + + if (PageHuge(new)) { diff --git a/queue-3.9/mm-memcg-remove-incorrect-vm_bug_on-for-swap-cache-pages-in-uncharge.patch b/queue-3.9/mm-memcg-remove-incorrect-vm_bug_on-for-swap-cache-pages-in-uncharge.patch new file mode 100644 index 00000000000..9dbfd32f36e --- /dev/null +++ b/queue-3.9/mm-memcg-remove-incorrect-vm_bug_on-for-swap-cache-pages-in-uncharge.patch @@ -0,0 +1,71 @@ +From 28ccddf7952c496df2a51ce5aee4f2a058a98bab Mon Sep 17 00:00:00 2001 +From: Johannes Weiner +Date: Fri, 24 May 2013 15:55:15 -0700 +Subject: mm: memcg: remove incorrect VM_BUG_ON for swap cache pages in uncharge + +From: Johannes Weiner + +commit 28ccddf7952c496df2a51ce5aee4f2a058a98bab upstream. + +Commit 0c59b89c81ea ("mm: memcg: push down PageSwapCache check into +uncharge entry functions") added a VM_BUG_ON() on PageSwapCache in the +uncharge path after checking that page flag once, assuming that the +state is stable in all paths, but this is not the case and the condition +triggers in user environments. An uncharge after the last page table +reference to the page goes away can race with reclaim adding the page to +swap cache. + +Swap cache pages are usually uncharged when they are freed after +swapout, from a path that also handles swap usage accounting and memcg +lifetime management. However, since the last page table reference is +gone and thus no references to the swap slot left, the swap slot will be +freed shortly when reclaim attempts to write the page to disk. The +whole swap accounting is not even necessary. + +So while the race condition for which this VM_BUG_ON was added is real +and actually existed all along, there are no negative effects. Remove +the VM_BUG_ON again. + +Reported-by: Heiko Carstens +Reported-by: Lingzhu Xiang +Signed-off-by: Johannes Weiner +Acked-by: Hugh Dickins +Acked-by: Michal Hocko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/memcontrol.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -3991,8 +3991,6 @@ __mem_cgroup_uncharge_common(struct page + if (mem_cgroup_disabled()) + return NULL; + +- VM_BUG_ON(PageSwapCache(page)); +- + if (PageTransHuge(page)) { + nr_pages <<= compound_order(page); + VM_BUG_ON(!PageTransHuge(page)); +@@ -4088,6 +4086,18 @@ void mem_cgroup_uncharge_page(struct pag + if (page_mapped(page)) + return; + VM_BUG_ON(page->mapping && !PageAnon(page)); ++ /* ++ * If the page is in swap cache, uncharge should be deferred ++ * to the swap path, which also properly accounts swap usage ++ * and handles memcg lifetime. ++ * ++ * Note that this check is not stable and reclaim may add the ++ * page to swap cache at any time after this. However, if the ++ * page is not in swap cache by the time page->mapcount hits ++ * 0, there won't be any page table references to the swap ++ * slot, and reclaim will free it and not actually write the ++ * page to disk. ++ */ + if (PageSwapCache(page)) + return; + __mem_cgroup_uncharge_common(page, MEM_CGROUP_CHARGE_TYPE_ANON, false); diff --git a/queue-3.9/mm-mmu_notifier-re-fix-freed-page-still-mapped-in-secondary-mmu.patch b/queue-3.9/mm-mmu_notifier-re-fix-freed-page-still-mapped-in-secondary-mmu.patch new file mode 100644 index 00000000000..77ab3481e2b --- /dev/null +++ b/queue-3.9/mm-mmu_notifier-re-fix-freed-page-still-mapped-in-secondary-mmu.patch @@ -0,0 +1,181 @@ +From d34883d4e35c0a994e91dd847a82b4c9e0c31d83 Mon Sep 17 00:00:00 2001 +From: Xiao Guangrong +Date: Fri, 24 May 2013 15:55:11 -0700 +Subject: mm: mmu_notifier: re-fix freed page still mapped in secondary MMU + +From: Xiao Guangrong + +commit d34883d4e35c0a994e91dd847a82b4c9e0c31d83 upstream. + +Commit 751efd8610d3 ("mmu_notifier_unregister NULL Pointer deref and +multiple ->release()") breaks the fix 3ad3d901bbcf ("mm: mmu_notifier: +fix freed page still mapped in secondary MMU"). + +Since hlist_for_each_entry_rcu() is changed now, we can not revert that +patch directly, so this patch reverts the commit and simply fix the bug +spotted by that patch + +This bug spotted by commit 751efd8610d3 is: + + There is a race condition between mmu_notifier_unregister() and + __mmu_notifier_release(). + + Assume two tasks, one calling mmu_notifier_unregister() as a result + of a filp_close() ->flush() callout (task A), and the other calling + mmu_notifier_release() from an mmput() (task B). + + A B + t1 srcu_read_lock() + t2 if (!hlist_unhashed()) + t3 srcu_read_unlock() + t4 srcu_read_lock() + t5 hlist_del_init_rcu() + t6 synchronize_srcu() + t7 srcu_read_unlock() + t8 hlist_del_rcu() <--- NULL pointer deref. + +This can be fixed by using hlist_del_init_rcu instead of hlist_del_rcu. + +The another issue spotted in the commit is "multiple ->release() +callouts", we needn't care it too much because it is really rare (e.g, +can not happen on kvm since mmu-notify is unregistered after +exit_mmap()) and the later call of multiple ->release should be fast +since all the pages have already been released by the first call. +Anyway, this issue should be fixed in a separate patch. + +-stable suggestions: Any version that has commit 751efd8610d3 need to be +backported. I find the oldest version has this commit is 3.0-stable. + +[akpm@linux-foundation.org: tweak comments] +Signed-off-by: Xiao Guangrong +Tested-by: Robin Holt +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/mmu_notifier.c | 79 ++++++++++++++++++++++++++---------------------------- + 1 file changed, 39 insertions(+), 40 deletions(-) + +--- a/mm/mmu_notifier.c ++++ b/mm/mmu_notifier.c +@@ -40,48 +40,44 @@ void __mmu_notifier_release(struct mm_st + int id; + + /* +- * srcu_read_lock() here will block synchronize_srcu() in +- * mmu_notifier_unregister() until all registered +- * ->release() callouts this function makes have +- * returned. ++ * SRCU here will block mmu_notifier_unregister until ++ * ->release returns. + */ + id = srcu_read_lock(&srcu); ++ hlist_for_each_entry_rcu(mn, &mm->mmu_notifier_mm->list, hlist) ++ /* ++ * If ->release runs before mmu_notifier_unregister it must be ++ * handled, as it's the only way for the driver to flush all ++ * existing sptes and stop the driver from establishing any more ++ * sptes before all the pages in the mm are freed. ++ */ ++ if (mn->ops->release) ++ mn->ops->release(mn, mm); ++ srcu_read_unlock(&srcu, id); ++ + spin_lock(&mm->mmu_notifier_mm->lock); + while (unlikely(!hlist_empty(&mm->mmu_notifier_mm->list))) { + mn = hlist_entry(mm->mmu_notifier_mm->list.first, + struct mmu_notifier, + hlist); +- + /* +- * Unlink. This will prevent mmu_notifier_unregister() +- * from also making the ->release() callout. ++ * We arrived before mmu_notifier_unregister so ++ * mmu_notifier_unregister will do nothing other than to wait ++ * for ->release to finish and for mmu_notifier_unregister to ++ * return. + */ + hlist_del_init_rcu(&mn->hlist); +- spin_unlock(&mm->mmu_notifier_mm->lock); +- +- /* +- * Clear sptes. (see 'release' description in mmu_notifier.h) +- */ +- if (mn->ops->release) +- mn->ops->release(mn, mm); +- +- spin_lock(&mm->mmu_notifier_mm->lock); + } + spin_unlock(&mm->mmu_notifier_mm->lock); + + /* +- * All callouts to ->release() which we have done are complete. +- * Allow synchronize_srcu() in mmu_notifier_unregister() to complete +- */ +- srcu_read_unlock(&srcu, id); +- +- /* +- * mmu_notifier_unregister() may have unlinked a notifier and may +- * still be calling out to it. Additionally, other notifiers +- * may have been active via vmtruncate() et. al. Block here +- * to ensure that all notifier callouts for this mm have been +- * completed and the sptes are really cleaned up before returning +- * to exit_mmap(). ++ * synchronize_srcu here prevents mmu_notifier_release from returning to ++ * exit_mmap (which would proceed with freeing all pages in the mm) ++ * until the ->release method returns, if it was invoked by ++ * mmu_notifier_unregister. ++ * ++ * The mmu_notifier_mm can't go away from under us because one mm_count ++ * is held by exit_mmap. + */ + synchronize_srcu(&srcu); + } +@@ -292,31 +288,34 @@ void mmu_notifier_unregister(struct mmu_ + { + BUG_ON(atomic_read(&mm->mm_count) <= 0); + +- spin_lock(&mm->mmu_notifier_mm->lock); + if (!hlist_unhashed(&mn->hlist)) { ++ /* ++ * SRCU here will force exit_mmap to wait for ->release to ++ * finish before freeing the pages. ++ */ + int id; + ++ id = srcu_read_lock(&srcu); + /* +- * Ensure we synchronize up with __mmu_notifier_release(). ++ * exit_mmap will block in mmu_notifier_release to guarantee ++ * that ->release is called before freeing the pages. + */ +- id = srcu_read_lock(&srcu); +- +- hlist_del_rcu(&mn->hlist); +- spin_unlock(&mm->mmu_notifier_mm->lock); +- + if (mn->ops->release) + mn->ops->release(mn, mm); ++ srcu_read_unlock(&srcu, id); + ++ spin_lock(&mm->mmu_notifier_mm->lock); + /* +- * Allow __mmu_notifier_release() to complete. ++ * Can not use list_del_rcu() since __mmu_notifier_release ++ * can delete it before we hold the lock. + */ +- srcu_read_unlock(&srcu, id); +- } else ++ hlist_del_init_rcu(&mn->hlist); + spin_unlock(&mm->mmu_notifier_mm->lock); ++ } + + /* +- * Wait for any running method to finish, including ->release() if it +- * was run by __mmu_notifier_release() instead of us. ++ * Wait for any running method to finish, of course including ++ * ->release if it was run by mmu_notifier_relase instead of us. + */ + synchronize_srcu(&srcu); + diff --git a/queue-3.9/mm-pagewalk.c-walk_page_range-should-avoid-vm_pfnmap-areas.patch b/queue-3.9/mm-pagewalk.c-walk_page_range-should-avoid-vm_pfnmap-areas.patch new file mode 100644 index 00000000000..4386775bdde --- /dev/null +++ b/queue-3.9/mm-pagewalk.c-walk_page_range-should-avoid-vm_pfnmap-areas.patch @@ -0,0 +1,151 @@ +From a9ff785e4437c83d2179161e012f5bdfbd6381f0 Mon Sep 17 00:00:00 2001 +From: Cliff Wickman +Date: Fri, 24 May 2013 15:55:36 -0700 +Subject: mm/pagewalk.c: walk_page_range should avoid VM_PFNMAP areas + +From: Cliff Wickman + +commit a9ff785e4437c83d2179161e012f5bdfbd6381f0 upstream. + +A panic can be caused by simply cat'ing /proc//smaps while an +application has a VM_PFNMAP range. It happened in-house when a +benchmarker was trying to decipher the memory layout of his program. + +/proc//smaps and similar walks through a user page table should not +be looking at VM_PFNMAP areas. + +Certain tests in walk_page_range() (specifically split_huge_page_pmd()) +assume that all the mapped PFN's are backed with page structures. And +this is not usually true for VM_PFNMAP areas. This can result in panics +on kernel page faults when attempting to address those page structures. + +There are a half dozen callers of walk_page_range() that walk through a +task's entire page table (as N. Horiguchi pointed out). So rather than +change all of them, this patch changes just walk_page_range() to ignore +VM_PFNMAP areas. + +The logic of hugetlb_vma() is moved back into walk_page_range(), as we +want to test any vma in the range. + +VM_PFNMAP areas are used by: +- graphics memory manager gpu/drm/drm_gem.c +- global reference unit sgi-gru/grufile.c +- sgi special memory char/mspec.c +- and probably several out-of-tree modules + +[akpm@linux-foundation.org: remove now-unused hugetlb_vma() stub] +Signed-off-by: Cliff Wickman +Reviewed-by: Naoya Horiguchi +Cc: Mel Gorman +Cc: Andrea Arcangeli +Cc: Dave Hansen +Cc: David Sterba +Cc: Johannes Weiner +Cc: KOSAKI Motohiro +Cc: "Kirill A. Shutemov" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/pagewalk.c | 70 +++++++++++++++++++++++++++++----------------------------- + 1 file changed, 36 insertions(+), 34 deletions(-) + +--- a/mm/pagewalk.c ++++ b/mm/pagewalk.c +@@ -127,28 +127,7 @@ static int walk_hugetlb_range(struct vm_ + return 0; + } + +-static struct vm_area_struct* hugetlb_vma(unsigned long addr, struct mm_walk *walk) +-{ +- struct vm_area_struct *vma; +- +- /* We don't need vma lookup at all. */ +- if (!walk->hugetlb_entry) +- return NULL; +- +- VM_BUG_ON(!rwsem_is_locked(&walk->mm->mmap_sem)); +- vma = find_vma(walk->mm, addr); +- if (vma && vma->vm_start <= addr && is_vm_hugetlb_page(vma)) +- return vma; +- +- return NULL; +-} +- + #else /* CONFIG_HUGETLB_PAGE */ +-static struct vm_area_struct* hugetlb_vma(unsigned long addr, struct mm_walk *walk) +-{ +- return NULL; +-} +- + static int walk_hugetlb_range(struct vm_area_struct *vma, + unsigned long addr, unsigned long end, + struct mm_walk *walk) +@@ -198,30 +177,53 @@ int walk_page_range(unsigned long addr, + if (!walk->mm) + return -EINVAL; + ++ VM_BUG_ON(!rwsem_is_locked(&walk->mm->mmap_sem)); ++ + pgd = pgd_offset(walk->mm, addr); + do { +- struct vm_area_struct *vma; ++ struct vm_area_struct *vma = NULL; + + next = pgd_addr_end(addr, end); + + /* +- * handle hugetlb vma individually because pagetable walk for +- * the hugetlb page is dependent on the architecture and +- * we can't handled it in the same manner as non-huge pages. ++ * This function was not intended to be vma based. ++ * But there are vma special cases to be handled: ++ * - hugetlb vma's ++ * - VM_PFNMAP vma's + */ +- vma = hugetlb_vma(addr, walk); ++ vma = find_vma(walk->mm, addr); + if (vma) { +- if (vma->vm_end < next) ++ /* ++ * There are no page structures backing a VM_PFNMAP ++ * range, so do not allow split_huge_page_pmd(). ++ */ ++ if ((vma->vm_start <= addr) && ++ (vma->vm_flags & VM_PFNMAP)) { + next = vma->vm_end; ++ pgd = pgd_offset(walk->mm, next); ++ continue; ++ } + /* +- * Hugepage is very tightly coupled with vma, so +- * walk through hugetlb entries within a given vma. ++ * Handle hugetlb vma individually because pagetable ++ * walk for the hugetlb page is dependent on the ++ * architecture and we can't handled it in the same ++ * manner as non-huge pages. + */ +- err = walk_hugetlb_range(vma, addr, next, walk); +- if (err) +- break; +- pgd = pgd_offset(walk->mm, next); +- continue; ++ if (walk->hugetlb_entry && (vma->vm_start <= addr) && ++ is_vm_hugetlb_page(vma)) { ++ if (vma->vm_end < next) ++ next = vma->vm_end; ++ /* ++ * Hugepage is very tightly coupled with vma, ++ * so walk through hugetlb entries within a ++ * given vma. ++ */ ++ err = walk_hugetlb_range(vma, addr, next, walk); ++ if (err) ++ break; ++ pgd = pgd_offset(walk->mm, next); ++ continue; ++ } + } + + if (pgd_none_or_clear_bad(pgd)) { diff --git a/queue-3.9/mm-thp-use-pmd_populate-to-update-the-pmd-with-pgtable_t-pointer.patch b/queue-3.9/mm-thp-use-pmd_populate-to-update-the-pmd-with-pgtable_t-pointer.patch new file mode 100644 index 00000000000..8f8384dbfb8 --- /dev/null +++ b/queue-3.9/mm-thp-use-pmd_populate-to-update-the-pmd-with-pgtable_t-pointer.patch @@ -0,0 +1,45 @@ +From 7c3425123ddfdc5f48e7913ff59d908789712b18 Mon Sep 17 00:00:00 2001 +From: "Aneesh Kumar K.V" +Date: Fri, 24 May 2013 15:55:21 -0700 +Subject: mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer + +From: "Aneesh Kumar K.V" + +commit 7c3425123ddfdc5f48e7913ff59d908789712b18 upstream. + +We should not use set_pmd_at to update pmd_t with pgtable_t pointer. +set_pmd_at is used to set pmd with huge pte entries and architectures +like ppc64, clear few flags from the pte when saving a new entry. +Without this change we observe bad pte errors like below on ppc64 with +THP enabled. + + BUG: Bad page map in process ld mm=0xc000001ee39f4780 pte:7fc3f37848000001 pmd:c000001ec0000000 + +Signed-off-by: Aneesh Kumar K.V +Cc: Hugh Dickins +Cc: Benjamin Herrenschmidt +Reviewed-by: Andrea Arcangeli +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/huge_memory.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -2318,7 +2318,12 @@ static void collapse_huge_page(struct mm + pte_unmap(pte); + spin_lock(&mm->page_table_lock); + BUG_ON(!pmd_none(*pmd)); +- set_pmd_at(mm, address, pmd, _pmd); ++ /* ++ * We can only use set_pmd_at when establishing ++ * hugepmds and never for establishing regular pmds that ++ * points to regular pagetables. Use pmd_populate for that ++ */ ++ pmd_populate(mm, pmd, pmd_pgtable(_pmd)); + spin_unlock(&mm->page_table_lock); + anon_vma_unlock_write(vma->anon_vma); + goto out; diff --git a/queue-3.9/nilfs2-fix-issue-of-nilfs_set_page_dirty-for-page-at-eof-boundary.patch b/queue-3.9/nilfs2-fix-issue-of-nilfs_set_page_dirty-for-page-at-eof-boundary.patch new file mode 100644 index 00000000000..bb06fcd89a9 --- /dev/null +++ b/queue-3.9/nilfs2-fix-issue-of-nilfs_set_page_dirty-for-page-at-eof-boundary.patch @@ -0,0 +1,153 @@ +From 136e8770cd5d1fe38b3c613100dd6dc4db6d4fa6 Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Fri, 24 May 2013 15:55:29 -0700 +Subject: nilfs2: fix issue of nilfs_set_page_dirty() for page at EOF boundary + +From: Ryusuke Konishi + +commit 136e8770cd5d1fe38b3c613100dd6dc4db6d4fa6 upstream. + +nilfs2: fix issue of nilfs_set_page_dirty for page at EOF boundary + +DESCRIPTION: + There are use-cases when NILFS2 file system (formatted with block size +lesser than 4 KB) can be remounted in RO mode because of encountering of +"broken bmap" issue. + +The issue was reported by Anthony Doggett : + "The machine I've been trialling nilfs on is running Debian Testing, + Linux version 3.2.0-4-686-pae (debian-kernel@lists.debian.org) (gcc + version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.35-2), but I've + also reproduced it (identically) with Debian Unstable amd64 and Debian + Experimental (using the 3.8-trunk kernel). The problematic partitions + were formatted with "mkfs.nilfs2 -b 1024 -B 8192"." + +SYMPTOMS: +(1) System log contains error messages likewise: + + [63102.496756] nilfs_direct_assign: invalid pointer: 0 + [63102.496786] NILFS error (device dm-17): nilfs_bmap_assign: broken bmap (inode number=28) + [63102.496798] + [63102.524403] Remounting filesystem read-only + +(2) The NILFS2 file system is remounted in RO mode. + +REPRODUSING PATH: +(1) Create volume group with name "unencrypted" by means of vgcreate utility. +(2) Run script (prepared by Anthony Doggett ): + +----------------[BEGIN SCRIPT]-------------------- + +VG=unencrypted +lvcreate --size 2G --name ntest $VG +mkfs.nilfs2 -b 1024 -B 8192 /dev/mapper/$VG-ntest +mkdir /var/tmp/n +mkdir /var/tmp/n/ntest +mount /dev/mapper/$VG-ntest /var/tmp/n/ntest +mkdir /var/tmp/n/ntest/thedir +cd /var/tmp/n/ntest/thedir +sleep 2 +date +darcs init +sleep 2 +dmesg|tail -n 5 +date +darcs whatsnew || true +date +sleep 2 +dmesg|tail -n 5 +----------------[END SCRIPT]-------------------- + +REPRODUCIBILITY: 100% + +INVESTIGATION: +As it was discovered, the issue takes place during segment +construction after executing such sequence of user-space operations: + + open("_darcs/index", O_RDWR|O_CREAT|O_NOCTTY, 0666) = 7 + fstat(7, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0 + ftruncate(7, 60) + +The error message "NILFS error (device dm-17): nilfs_bmap_assign: broken +bmap (inode number=28)" takes place because of trying to get block +number for third block of the file with logical offset #3072 bytes. As +it is possible to see from above output, the file has 60 bytes of the +whole size. So, it is enough one block (1 KB in size) allocation for +the whole file. Trying to operate with several blocks instead of one +takes place because of discovering several dirty buffers for this file +in nilfs_segctor_scan_file() method. + +The root cause of this issue is in nilfs_set_page_dirty function which +is called just before writing to an mmapped page. + +When nilfs_page_mkwrite function handles a page at EOF boundary, it +fills hole blocks only inside EOF through __block_page_mkwrite(). + +The __block_page_mkwrite() function calls set_page_dirty() after filling +hole blocks, thus nilfs_set_page_dirty function (= +a_ops->set_page_dirty) is called. However, the current implementation +of nilfs_set_page_dirty() wrongly marks all buffers dirty even for page +at EOF boundary. + +As a result, buffers outside EOF are inconsistently marked dirty and +queued for write even though they are not mapped with nilfs_get_block +function. + +FIX: +This modifies nilfs_set_page_dirty() not to mark hole blocks dirty. + +Thanks to Vyacheslav Dubeyko for his effort on analysis and proposals +for this issue. + +Signed-off-by: Ryusuke Konishi +Reported-by: Anthony Doggett +Reported-by: Vyacheslav Dubeyko +Cc: Vyacheslav Dubeyko +Tested-by: Ryusuke Konishi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nilfs2/inode.c | 27 +++++++++++++++++++++++---- + 1 file changed, 23 insertions(+), 4 deletions(-) + +--- a/fs/nilfs2/inode.c ++++ b/fs/nilfs2/inode.c +@@ -202,13 +202,32 @@ static int nilfs_writepage(struct page * + + static int nilfs_set_page_dirty(struct page *page) + { +- int ret = __set_page_dirty_buffers(page); ++ int ret = __set_page_dirty_nobuffers(page); + +- if (ret) { ++ if (page_has_buffers(page)) { + struct inode *inode = page->mapping->host; +- unsigned nr_dirty = 1 << (PAGE_SHIFT - inode->i_blkbits); ++ unsigned nr_dirty = 0; ++ struct buffer_head *bh, *head; + +- nilfs_set_file_dirty(inode, nr_dirty); ++ /* ++ * This page is locked by callers, and no other thread ++ * concurrently marks its buffers dirty since they are ++ * only dirtied through routines in fs/buffer.c in ++ * which call sites of mark_buffer_dirty are protected ++ * by page lock. ++ */ ++ bh = head = page_buffers(page); ++ do { ++ /* Do not mark hole blocks dirty */ ++ if (buffer_dirty(bh) || !buffer_mapped(bh)) ++ continue; ++ ++ set_buffer_dirty(bh); ++ nr_dirty++; ++ } while (bh = bh->b_this_page, bh != head); ++ ++ if (nr_dirty) ++ nilfs_set_file_dirty(inode, nr_dirty); + } + return ret; + } diff --git a/queue-3.9/ocfs2-goto-out_unlock-if-ocfs2_get_clusters_nocache-failed-in-ocfs2_fiemap.patch b/queue-3.9/ocfs2-goto-out_unlock-if-ocfs2_get_clusters_nocache-failed-in-ocfs2_fiemap.patch new file mode 100644 index 00000000000..a2d48ea375f --- /dev/null +++ b/queue-3.9/ocfs2-goto-out_unlock-if-ocfs2_get_clusters_nocache-failed-in-ocfs2_fiemap.patch @@ -0,0 +1,41 @@ +From b4ca2b4b577c3530e34dcfaafccb2cc680ce95d1 Mon Sep 17 00:00:00 2001 +From: Joseph Qi +Date: Fri, 24 May 2013 15:55:34 -0700 +Subject: ocfs2: goto out_unlock if ocfs2_get_clusters_nocache() failed in ocfs2_fiemap() + +From: Joseph Qi + +commit b4ca2b4b577c3530e34dcfaafccb2cc680ce95d1 upstream. + +Last time we found there is lock/unlock bug in ocfs2_file_aio_write, and +then we did a thorough search for all lock resources in +ocfs2_inode_info, including rw, inode and open lockres and found this +bug. My kernel version is 3.0.13, and it is also in the lastest version +3.9. In ocfs2_fiemap, once ocfs2_get_clusters_nocache failed, it should +goto out_unlock instead of out, because we need release buffer head, up +read alloc sem and unlock inode. + +Signed-off-by: Joseph Qi +Reviewed-by: Jie Liu +Cc: Mark Fasheh +Cc: Joel Becker +Acked-by: Sunil Mushran +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ocfs2/extent_map.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ocfs2/extent_map.c ++++ b/fs/ocfs2/extent_map.c +@@ -790,7 +790,7 @@ int ocfs2_fiemap(struct inode *inode, st + &hole_size, &rec, &is_last); + if (ret) { + mlog_errno(ret); +- goto out; ++ goto out_unlock; + } + + if (rec.e_blkno == 0ULL) { diff --git a/queue-3.9/perf-net_dropmonitor-fix-symbol-relative-addresses.patch b/queue-3.9/perf-net_dropmonitor-fix-symbol-relative-addresses.patch new file mode 100644 index 00000000000..8310e0008da --- /dev/null +++ b/queue-3.9/perf-net_dropmonitor-fix-symbol-relative-addresses.patch @@ -0,0 +1,37 @@ +From 5a1e99dd2028e00998d42029be86835d8ef4a46e Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Mon, 20 May 2013 14:45:26 +0000 +Subject: perf: net_dropmonitor: Fix symbol-relative addresses + +From: Ben Hutchings + +commit 5a1e99dd2028e00998d42029be86835d8ef4a46e upstream. + +The comparison between traced and symbol addresses is backwards: if +the traced address doesn't exactly match a symbol (which we don't +expect it to), we'll show the next symbol and the offset to it, +whereas we should show the previous symbol and the offset from it. + +Signed-off-by: Ben Hutchings +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + tools/perf/scripts/python/net_dropmonitor.py | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/tools/perf/scripts/python/net_dropmonitor.py ++++ b/tools/perf/scripts/python/net_dropmonitor.py +@@ -40,9 +40,9 @@ def get_kallsyms_table(): + + def get_sym(sloc): + loc = int(sloc) +- for i in kallsyms: +- if (i['loc'] >= loc): +- return (i['name'], i['loc']-loc) ++ for i in kallsyms[::-1]: ++ if loc >= i['loc']: ++ return (i['name'], loc - i['loc']) + return (None, 0) + + def print_drop_table(): diff --git a/queue-3.9/perf-net_dropmonitor-fix-trace-parameter-order.patch b/queue-3.9/perf-net_dropmonitor-fix-trace-parameter-order.patch new file mode 100644 index 00000000000..ddd19526112 --- /dev/null +++ b/queue-3.9/perf-net_dropmonitor-fix-trace-parameter-order.patch @@ -0,0 +1,30 @@ +From 140c3c6a2bcd2c31e2f7f5a8d59689724776c8e5 Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Mon, 20 May 2013 14:44:43 +0000 +Subject: perf: net_dropmonitor: Fix trace parameter order + +From: Ben Hutchings + +commit 140c3c6a2bcd2c31e2f7f5a8d59689724776c8e5 upstream. + +This works much better if we don't treat protocol numbers as addresses. + +Signed-off-by: Ben Hutchings +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + tools/perf/scripts/python/net_dropmonitor.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/perf/scripts/python/net_dropmonitor.py ++++ b/tools/perf/scripts/python/net_dropmonitor.py +@@ -64,7 +64,7 @@ def trace_end(): + + # called from perf, when it finds a correspoinding event + def skb__kfree_skb(name, context, cpu, sec, nsec, pid, comm, +- skbaddr, protocol, location): ++ skbaddr, location, protocol): + slocation = str(location) + try: + drop_log[slocation] = drop_log[slocation] + 1 diff --git a/queue-3.9/rapidio-tsi721-fix-bug-in-msi-interrupt-handling.patch b/queue-3.9/rapidio-tsi721-fix-bug-in-msi-interrupt-handling.patch new file mode 100644 index 00000000000..44154667a77 --- /dev/null +++ b/queue-3.9/rapidio-tsi721-fix-bug-in-msi-interrupt-handling.patch @@ -0,0 +1,59 @@ +From 1ccc819da6fda9bee10ab8b72e9adbb5ad3e4959 Mon Sep 17 00:00:00 2001 +From: Alexandre Bounine +Date: Fri, 24 May 2013 15:55:17 -0700 +Subject: rapidio/tsi721: fix bug in MSI interrupt handling + +From: Alexandre Bounine + +commit 1ccc819da6fda9bee10ab8b72e9adbb5ad3e4959 upstream. + +Fix bug in MSI interrupt handling which causes loss of event +notifications. + +Typical indication of lost MSI interrupts are stalled message and +doorbell transfers between RapidIO endpoints. To avoid loss of MSI +interrupts all interrupts from the device must be disabled on entering +the interrupt handler routine and re-enabled when exiting it. +Re-enabling device interrupts will trigger new MSI message(s) if Tsi721 +registered new events since entering interrupt handler routine. + +This patch is applicable to kernel versions starting from v3.2. + +Signed-off-by: Alexandre Bounine +Cc: Matt Porter +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/rapidio/devices/tsi721.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/rapidio/devices/tsi721.c ++++ b/drivers/rapidio/devices/tsi721.c +@@ -471,6 +471,10 @@ static irqreturn_t tsi721_irqhandler(int + u32 intval; + u32 ch_inte; + ++ /* For MSI mode disable all device-level interrupts */ ++ if (priv->flags & TSI721_USING_MSI) ++ iowrite32(0, priv->regs + TSI721_DEV_INTE); ++ + dev_int = ioread32(priv->regs + TSI721_DEV_INT); + if (!dev_int) + return IRQ_NONE; +@@ -560,6 +564,14 @@ static irqreturn_t tsi721_irqhandler(int + } + } + #endif ++ ++ /* For MSI mode re-enable device-level interrupts */ ++ if (priv->flags & TSI721_USING_MSI) { ++ dev_int = TSI721_DEV_INT_SR2PC_CH | TSI721_DEV_INT_SRIO | ++ TSI721_DEV_INT_SMSG_CH | TSI721_DEV_INT_BDMA_CH; ++ iowrite32(dev_int, priv->regs + TSI721_DEV_INTE); ++ } ++ + return IRQ_HANDLED; + } + diff --git a/queue-3.9/scsi-ipr-need-to-reset-adapter-after-the-6th-eeh-error.patch b/queue-3.9/scsi-ipr-need-to-reset-adapter-after-the-6th-eeh-error.patch new file mode 100644 index 00000000000..869c5e238af --- /dev/null +++ b/queue-3.9/scsi-ipr-need-to-reset-adapter-after-the-6th-eeh-error.patch @@ -0,0 +1,63 @@ +From 96b04db9f2c16e77c31ef0e17e143da1e0cbfd78 Mon Sep 17 00:00:00 2001 +From: "wenxiong@linux.vnet.ibm.com" +Date: Wed, 17 Apr 2013 09:34:06 -0500 +Subject: SCSI: ipr: Need to reset adapter after the 6th EEH error + +From: "wenxiong@linux.vnet.ibm.com" + +commit 96b04db9f2c16e77c31ef0e17e143da1e0cbfd78 upstream. + +Add reset adapter after the 6th EEH errors in ipr driver. This triggers +the adapter reset via the PCI config space even when the slot is frozen. + +Signed-off-by: Wen Xiong +Acked-by: Brian King +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/ipr.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/ipr.c ++++ b/drivers/scsi/ipr.c +@@ -4777,7 +4777,7 @@ static int ipr_eh_host_reset(struct scsi + ioa_cfg = (struct ipr_ioa_cfg *) cmd->device->host->hostdata; + spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags); + +- if (!ioa_cfg->in_reset_reload) { ++ if (!ioa_cfg->in_reset_reload && !ioa_cfg->hrrq[IPR_INIT_HRRQ].ioa_is_dead) { + ipr_initiate_ioa_reset(ioa_cfg, IPR_SHUTDOWN_ABBREV); + dev_err(&ioa_cfg->pdev->dev, + "Adapter being reset as a result of error recovery.\n"); +@@ -6739,6 +6739,7 @@ static int ipr_invalid_adapter(struct ip + static int ipr_ioa_bringdown_done(struct ipr_cmnd *ipr_cmd) + { + struct ipr_ioa_cfg *ioa_cfg = ipr_cmd->ioa_cfg; ++ int i; + + ENTER; + if (!ioa_cfg->hrrq[IPR_INIT_HRRQ].removing_ioa) { +@@ -6750,6 +6751,13 @@ static int ipr_ioa_bringdown_done(struct + + ioa_cfg->in_reset_reload = 0; + ioa_cfg->reset_retries = 0; ++ for (i = 0; i < ioa_cfg->hrrq_num; i++) { ++ spin_lock(&ioa_cfg->hrrq[i]._lock); ++ ioa_cfg->hrrq[i].ioa_is_dead = 1; ++ spin_unlock(&ioa_cfg->hrrq[i]._lock); ++ } ++ wmb(); ++ + list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q); + wake_up_all(&ioa_cfg->reset_wait_q); + LEAVE; +@@ -8651,7 +8659,7 @@ static void ipr_pci_perm_failure(struct + spin_lock_irqsave(ioa_cfg->host->host_lock, flags); + if (ioa_cfg->sdt_state == WAIT_FOR_DUMP) + ioa_cfg->sdt_state = ABORT_DUMP; +- ioa_cfg->reset_retries = IPR_NUM_RESET_RELOAD_RETRIES; ++ ioa_cfg->reset_retries = IPR_NUM_RESET_RELOAD_RETRIES - 1; + ioa_cfg->in_ioa_bringdown = 1; + for (i = 0; i < ioa_cfg->hrrq_num; i++) { + spin_lock(&ioa_cfg->hrrq[i]._lock); diff --git a/queue-3.9/series b/queue-3.9/series index afb17d60acb..adbee3fca92 100644 --- a/queue-3.9/series +++ b/queue-3.9/series @@ -34,3 +34,24 @@ arc-copy_-to-from-_user-to-honor-usermode-access-permissions.patch drivers-char-random.c-fix-priming-of-last_data.patch random-fix-accounting-race-condition-with-lockless-irq-entropy_count-update.patch fat-fix-possible-overflow-for-fat_clusters.patch +tg3-skip-powering-down-function-0-on-certain-serdes-devices.patch +tg3-fix-data-corruption-on-5725-with-tso.patch +perf-net_dropmonitor-fix-trace-parameter-order.patch +perf-net_dropmonitor-fix-symbol-relative-addresses.patch +ath9k-fix-crash-on-module-unload.patch +ath9k_hw-enable-manual-peak-calibration-for-ar9485.patch +ocfs2-goto-out_unlock-if-ocfs2_get_clusters_nocache-failed-in-ocfs2_fiemap.patch +kirkwood-enable-pcie-port-1-on-qnap-ts-11x-ts-21x.patch +drivers-leds-leds-ot200.c-fix-error-caused-by-shifted-mask.patch +rapidio-tsi721-fix-bug-in-msi-interrupt-handling.patch +mm-compaction-fix-of-improper-cache-flush-in-migration-code.patch +klist-del-waiter-from-klist_remove_waiters-before-wakeup-waitting-process.patch +wait-fix-false-timeouts-when-using-wait_event_timeout.patch +nilfs2-fix-issue-of-nilfs_set_page_dirty-for-page-at-eof-boundary.patch +mm-mmu_notifier-re-fix-freed-page-still-mapped-in-secondary-mmu.patch +mm-memcg-remove-incorrect-vm_bug_on-for-swap-cache-pages-in-uncharge.patch +drivers-block-brd.c-fix-brd_lookup_page-race.patch +mm-pagewalk.c-walk_page_range-should-avoid-vm_pfnmap-areas.patch +mm-thp-use-pmd_populate-to-update-the-pmd-with-pgtable_t-pointer.patch +um-serve-io_remap_pfn_range.patch +scsi-ipr-need-to-reset-adapter-after-the-6th-eeh-error.patch diff --git a/queue-3.9/tg3-fix-data-corruption-on-5725-with-tso.patch b/queue-3.9/tg3-fix-data-corruption-on-5725-with-tso.patch new file mode 100644 index 00000000000..db1b713b3eb --- /dev/null +++ b/queue-3.9/tg3-fix-data-corruption-on-5725-with-tso.patch @@ -0,0 +1,55 @@ +From 0f0d15100a8ac875bdd408324c473e16d73d3557 Mon Sep 17 00:00:00 2001 +From: Michael Chan +Date: Mon, 13 May 2013 11:04:16 +0000 +Subject: tg3: Fix data corruption on 5725 with TSO + +From: Michael Chan + +commit 0f0d15100a8ac875bdd408324c473e16d73d3557 upstream. + +The 5725 family of devices (asic rev 5762), corrupts TSO packets where +the buffer is within MSS bytes of a 4G boundary (4G, 8G etc.). Detect +this condition and trigger the workaround path. + +Signed-off-by: Michael Chan +Signed-off-by: Nithin Nayak Sujir +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/broadcom/tg3.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -7078,6 +7078,20 @@ static inline int tg3_4g_overflow_test(d + return (base > 0xffffdcc0) && (base + len + 8 < base); + } + ++/* Test for TSO DMA buffers that cross into regions which are within MSS bytes ++ * of any 4GB boundaries: 4G, 8G, etc ++ */ ++static inline int tg3_4g_tso_overflow_test(struct tg3 *tp, dma_addr_t mapping, ++ u32 len, u32 mss) ++{ ++ if (tg3_asic_rev(tp) == ASIC_REV_5762 && mss) { ++ u32 base = (u32) mapping & 0xffffffff; ++ ++ return ((base + len + (mss & 0x3fff)) < base); ++ } ++ return 0; ++} ++ + /* Test for DMA addresses > 40-bit */ + static inline int tg3_40bit_overflow_test(struct tg3 *tp, dma_addr_t mapping, + int len) +@@ -7114,6 +7128,9 @@ static bool tg3_tx_frag_set(struct tg3_n + if (tg3_4g_overflow_test(map, len)) + hwbug = true; + ++ if (tg3_4g_tso_overflow_test(tp, map, len, mss)) ++ hwbug = true; ++ + if (tg3_40bit_overflow_test(tp, map, len)) + hwbug = true; + diff --git a/queue-3.9/tg3-skip-powering-down-function-0-on-certain-serdes-devices.patch b/queue-3.9/tg3-skip-powering-down-function-0-on-certain-serdes-devices.patch new file mode 100644 index 00000000000..f32ebd999fc --- /dev/null +++ b/queue-3.9/tg3-skip-powering-down-function-0-on-certain-serdes-devices.patch @@ -0,0 +1,74 @@ +From 44f3b503c16425c8e9db4bbaa2fc9cd0c9d0ba91 Mon Sep 17 00:00:00 2001 +From: Nithin Sujir +Date: Mon, 13 May 2013 11:04:15 +0000 +Subject: tg3: Skip powering down function 0 on certain serdes devices + +From: Nithin Sujir + +commit 44f3b503c16425c8e9db4bbaa2fc9cd0c9d0ba91 upstream. + +On the 5718, 5719 and 5720 serdes devices, powering down function 0 +results in all the other ports being powered down. Add code to skip +function 0 power down. + +v2: + - Modify tg3_phy_power_bug() function to use a switch instead of a + complicated if statement. Suggested by Joe Perches. + +Signed-off-by: Michael Chan +Signed-off-by: Nithin Nayak Sujir +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/broadcom/tg3.c | 32 ++++++++++++++++++++++++++------ + 1 file changed, 26 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -2921,6 +2921,31 @@ static int tg3_5700_link_polarity(struct + return 0; + } + ++static bool tg3_phy_power_bug(struct tg3 *tp) ++{ ++ switch (tg3_asic_rev(tp)) { ++ case ASIC_REV_5700: ++ case ASIC_REV_5704: ++ return true; ++ case ASIC_REV_5780: ++ if (tp->phy_flags & TG3_PHYFLG_MII_SERDES) ++ return true; ++ return false; ++ case ASIC_REV_5717: ++ if (!tp->pci_fn) ++ return true; ++ return false; ++ case ASIC_REV_5719: ++ case ASIC_REV_5720: ++ if ((tp->phy_flags & TG3_PHYFLG_PHY_SERDES) && ++ !tp->pci_fn) ++ return true; ++ return false; ++ } ++ ++ return false; ++} ++ + static void tg3_power_down_phy(struct tg3 *tp, bool do_low_power) + { + u32 val; +@@ -2977,12 +3002,7 @@ static void tg3_power_down_phy(struct tg + /* The PHY should not be powered down on some chips because + * of bugs. + */ +- if (tg3_asic_rev(tp) == ASIC_REV_5700 || +- tg3_asic_rev(tp) == ASIC_REV_5704 || +- (tg3_asic_rev(tp) == ASIC_REV_5780 && +- (tp->phy_flags & TG3_PHYFLG_MII_SERDES)) || +- (tg3_asic_rev(tp) == ASIC_REV_5717 && +- !tp->pci_fn)) ++ if (tg3_phy_power_bug(tp)) + return; + + if (tg3_chip_rev(tp) == CHIPREV_5784_AX || diff --git a/queue-3.9/um-serve-io_remap_pfn_range.patch b/queue-3.9/um-serve-io_remap_pfn_range.patch new file mode 100644 index 00000000000..22a08dd1760 --- /dev/null +++ b/queue-3.9/um-serve-io_remap_pfn_range.patch @@ -0,0 +1,31 @@ +From 4d94d6d030adfdea4837694d293ec6918d133ab2 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Tue, 7 Feb 2012 01:22:47 +0100 +Subject: um: Serve io_remap_pfn_range() + +From: Richard Weinberger + +commit 4d94d6d030adfdea4837694d293ec6918d133ab2 upstream. + +At some places io_remap_pfn_range() is needed. +UML has to serve it like all other archs do. + +Signed-off-by: Richard Weinberger +Cc: Antoine Martin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/um/include/asm/pgtable.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/um/include/asm/pgtable.h ++++ b/arch/um/include/asm/pgtable.h +@@ -71,6 +71,8 @@ extern unsigned long end_iomem; + + #define io_remap_pfn_range remap_pfn_range + ++#define io_remap_pfn_range remap_pfn_range ++ + /* + * The i386 can't do page protection for execute, and considers that the same + * are read. diff --git a/queue-3.9/wait-fix-false-timeouts-when-using-wait_event_timeout.patch b/queue-3.9/wait-fix-false-timeouts-when-using-wait_event_timeout.patch new file mode 100644 index 00000000000..25cdf68c5f1 --- /dev/null +++ b/queue-3.9/wait-fix-false-timeouts-when-using-wait_event_timeout.patch @@ -0,0 +1,91 @@ +From 4c663cfc523a88d97a8309b04a089c27dc57fd7e Mon Sep 17 00:00:00 2001 +From: Imre Deak +Date: Fri, 24 May 2013 15:55:09 -0700 +Subject: wait: fix false timeouts when using wait_event_timeout() + +From: Imre Deak + +commit 4c663cfc523a88d97a8309b04a089c27dc57fd7e upstream. + +Many callers of the wait_event_timeout() and +wait_event_interruptible_timeout() expect that the return value will be +positive if the specified condition becomes true before the timeout +elapses. However, at the moment this isn't guaranteed. If the wake-up +handler is delayed enough, the time remaining until timeout will be +calculated as 0 - and passed back as a return value - even if the +condition became true before the timeout has passed. + +Fix this by returning at least 1 if the condition becomes true. This +semantic is in line with what wait_for_condition_timeout() does; see +commit bb10ed09 ("sched: fix wait_for_completion_timeout() spurious +failure under heavy load"). + +Daniel said "We have 3 instances of this bug in drm/i915. One case even +where we switch between the interruptible and not interruptible +wait_event_timeout variants, foolishly presuming they have the same +semantics. I very much like this." + +One such bug is reported at + https://bugs.freedesktop.org/show_bug.cgi?id=64133 + +Signed-off-by: Imre Deak +Acked-by: Daniel Vetter +Acked-by: David Howells +Acked-by: Jens Axboe +Cc: "Paul E. McKenney" +Cc: Dave Jones +Cc: Lukas Czerner +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/wait.h | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +--- a/include/linux/wait.h ++++ b/include/linux/wait.h +@@ -217,6 +217,8 @@ do { \ + if (!ret) \ + break; \ + } \ ++ if (!ret && (condition)) \ ++ ret = 1; \ + finish_wait(&wq, &__wait); \ + } while (0) + +@@ -233,8 +235,9 @@ do { \ + * wake_up() has to be called after changing any variable that could + * change the result of the wait condition. + * +- * The function returns 0 if the @timeout elapsed, and the remaining +- * jiffies if the condition evaluated to true before the timeout elapsed. ++ * The function returns 0 if the @timeout elapsed, or the remaining ++ * jiffies (at least 1) if the @condition evaluated to %true before ++ * the @timeout elapsed. + */ + #define wait_event_timeout(wq, condition, timeout) \ + ({ \ +@@ -302,6 +305,8 @@ do { \ + ret = -ERESTARTSYS; \ + break; \ + } \ ++ if (!ret && (condition)) \ ++ ret = 1; \ + finish_wait(&wq, &__wait); \ + } while (0) + +@@ -318,9 +323,10 @@ do { \ + * wake_up() has to be called after changing any variable that could + * change the result of the wait condition. + * +- * The function returns 0 if the @timeout elapsed, -ERESTARTSYS if it +- * was interrupted by a signal, and the remaining jiffies otherwise +- * if the condition evaluated to true before the timeout elapsed. ++ * Returns: ++ * 0 if the @timeout elapsed, -%ERESTARTSYS if it was interrupted by ++ * a signal, or the remaining jiffies (at least 1) if the @condition ++ * evaluated to %true before the @timeout elapsed. + */ + #define wait_event_interruptible_timeout(wq, condition, timeout) \ + ({ \ -- 2.47.3