From 84a8f1ac5a625844c946d66741fce9d2d73ce610 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 10 Apr 2013 15:40:55 -0700
Subject: [PATCH] 3.4-stable patches

added patches:
can-gw-use-kmem_cache_free-instead-of-kfree.patch
mm-prevent-mmap_cache-race-in-find_vma.patch
revert-mwifiex-cancel-cmd-timer-and-free-curr_cmd-in-shutdown-process.patch
rt2x00-rt2x00pci_regbusy_read-only-print-register-access-failure-once.patch
---
 ...use-kmem_cache_free-instead-of-kfree.patch | 50 +++++++++++
 ...-prevent-mmap_cache-race-in-find_vma.patch | 83 +++++++++++++++++++
 ...nd-free-curr_cmd-in-shutdown-process.patch | 38 +++++++++
 ...y-print-register-access-failure-once.patch | 43 ++++++++++
 queue-3.4/series | 4 +
 5 files changed, 218 insertions(+)
 create mode 100644 queue-3.4/can-gw-use-kmem_cache_free-instead-of-kfree.patch
 create mode 100644 queue-3.4/mm-prevent-mmap_cache-race-in-find_vma.patch
 create mode 100644 queue-3.4/revert-mwifiex-cancel-cmd-timer-and-free-curr_cmd-in-shutdown-process.patch
 create mode 100644 queue-3.4/rt2x00-rt2x00pci_regbusy_read-only-print-register-access-failure-once.patch
diff --git a/queue-3.4/can-gw-use-kmem_cache_free-instead-of-kfree.patch b/queue-3.4/can-gw-use-kmem_cache_free-instead-of-kfree.patch
new file mode 100644
index 00000000000..4641cbd6c2a
--- /dev/null
+++ b/queue-3.4/can-gw-use-kmem_cache_free-instead-of-kfree.patch
@@ -0,0 +1,50 @@
+From 3480a2125923e4b7a56d79efc76743089bf273fc Mon Sep 17 00:00:00 2001
+From: Wei Yongjun
+Date: Tue, 9 Apr 2013 14:16:04 +0800
+Subject: can: gw: use kmem_cache_free() instead of kfree()
+
+From: Wei Yongjun
+
+commit 3480a2125923e4b7a56d79efc76743089bf273fc upstream.
+
+Memory allocated by kmem_cache_alloc() should be freed using
+kmem_cache_free(), not kfree().
+
+Signed-off-by: Wei Yongjun
+Acked-by: Oliver Hartkopp
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/can/gw.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/can/gw.c
++++ b/net/can/gw.c
+@@ -436,7 +436,7 @@ static int cgw_notifier(struct notifier_
+ if (gwj->src.dev == dev || gwj->dst.dev == dev) {
+ hlist_del(&gwj->list);
+ cgw_unregister_filter(gwj);
+- kfree(gwj);
++ kmem_cache_free(cgw_cache, gwj);
+ }
+ }
+ }
+@@ -850,7 +850,7 @@ static void cgw_remove_all_jobs(void)
+ hlist_for_each_entry_safe(gwj, n, nx, &cgw_list, list) {
+ hlist_del(&gwj->list);
+ cgw_unregister_filter(gwj);
+- kfree(gwj);
++ kmem_cache_free(cgw_cache, gwj);
+ }
+ }
+
+@@ -903,7 +903,7 @@ static int cgw_remove_job(struct sk_buff
+
+ hlist_del(&gwj->list);
+ cgw_unregister_filter(gwj);
+- kfree(gwj);
++ kmem_cache_free(cgw_cache, gwj);
+ err = 0;
+ break;
+ }
diff --git a/queue-3.4/mm-prevent-mmap_cache-race-in-find_vma.patch b/queue-3.4/mm-prevent-mmap_cache-race-in-find_vma.patch
new file mode 100644
index 00000000000..e708604f333
--- /dev/null
+++ b/queue-3.4/mm-prevent-mmap_cache-race-in-find_vma.patch
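Review bot: In all three inner hunks (cgw_notifier, cgw_remove_all_jobs, cgw_remove_job) gwj is handed back to cgw_cache immediately after `cgw_unregister_filter(gwj);`, with no grace period in between. If the filter removal only unlinks the receive callback under RCU (not visible in these hunks), a receive path that has already picked up gwj could still dereference it after the free, so it is worth confirming whether a `synchronize_rcu();` is needed before each `kmem_cache_free(cgw_cache, gwj);`. Matching the free routine to the allocator is correct as far as it goes; the lifetime question is separate and appears to pre-date this change. All three functions begin and end outside the hunks.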
@@ -0,0 +1,83 @@
+From hughd@google.com Wed Apr 10 13:39:41 2013
+From: Hugh Dickins
+Date: Mon, 8 Apr 2013 13:00:02 -0700 (PDT)
+Subject: mm: prevent mmap_cache race in find_vma()
+To: gregkh@linuxfoundation.org
+Cc: Ben Hutchings , jstancek@redhat.com, rientjes@google.com, torvalds@linux-foundation.org, stable@vger.kernel.org, stable-commits@vger.kernel.org
+Message-ID:
+
+From: Jan Stancek
+
+commit b6a9b7f6b1f21735a7456d534dc0e68e61359d2c upstream.
+
+find_vma() can be called by multiple threads with read lock
+held on mm->mmap_sem and any of them can update mm->mmap_cache.
+Prevent compiler from re-fetching mm->mmap_cache, because other
+readers could update it in the meantime:
+
+ thread 1 thread 2
+ |
+ find_vma() | find_vma()
+ struct vm_area_struct *vma = NULL; |
+ vma = mm->mmap_cache; |
+ if (!(vma && vma->vm_end > addr |
+ && vma->vm_start <= addr)) { |
+ | mm->mmap_cache = vma;
+ return vma; |
+ ^^ compiler may optimize this |
+ local variable out and re-read |
+ mm->mmap_cache |
+
+This issue can be reproduced with gcc-4.8.0-1 on s390x by running
+mallocstress testcase from LTP, which triggers:
+
+ kernel BUG at mm/rmap.c:1088!
+ Call Trace:
+ ([<000003d100c57000>] 0x3d100c57000)
+ [<000000000023a1c0>] do_wp_page+0x2fc/0xa88
+ [<000000000023baae>] handle_pte_fault+0x41a/0xac8
+ [<000000000023d832>] handle_mm_fault+0x17a/0x268
+ [<000000000060507a>] do_protection_exception+0x1e2/0x394
+ [<0000000000603a04>] pgm_check_handler+0x138/0x13c
+ [<000003fffcf1f07a>] 0x3fffcf1f07a
+ Last Breaking-Event-Address:
+ [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168
+
+Thanks to Jakub Jelinek for his insight on gcc and helping to
+track this down.
+
+Signed-off-by: Jan Stancek
+Acked-by: David Rientjes
+Signed-off-by: Hugh Dickins
+Signed-off-by: Linus Torvalds
+[bwh: Backported to 3.2: adjust context, indentation]
+Signed-off-by: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/mmap.c | 2 +-
+ mm/nommu.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1619,7 +1619,7 @@ struct vm_area_struct *find_vma(struct m
+ if (mm) {
+ /* Check the cache first. */
+ /* (Cache hit rate is typically around 35%.) */
+- vma = mm->mmap_cache;
++ vma = ACCESS_ONCE(mm->mmap_cache);
+ if (!(vma && vma->vm_end > addr && vma->vm_start <= addr)) {
+ struct rb_node * rb_node;
+
+--- a/mm/nommu.c
++++ b/mm/nommu.c
+@@ -807,7 +807,7 @@ struct vm_area_struct *find_vma(struct m
+ struct vm_area_struct *vma;
+
+ /* check the cache first */
+- vma = mm->mmap_cache;
++ vma = ACCESS_ONCE(mm->mmap_cache);
+ if (vma && vma->vm_start <= addr && vma->vm_end > addr)
+ return vma;
+
diff --git a/queue-3.4/revert-mwifiex-cancel-cmd-timer-and-free-curr_cmd-in-shutdown-process.patch b/queue-3.4/revert-mwifiex-cancel-cmd-timer-and-free-curr_cmd-in-shutdown-process.patch
new file mode 100644
index 00000000000..6ed5f55f4bc
--- /dev/null
+++ b/queue-3.4/revert-mwifiex-cancel-cmd-timer-and-free-curr_cmd-in-shutdown-process.patch
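Review bot: The new `ACCESS_ONCE(mm->mmap_cache)` reads in mm/mmap.c and mm/nommu.c carry no comment, so the reason for the single load lives only in the commit message and a later cleanup could turn it back into a plain read. I would add above each read something like `/* mmap_cache can be updated by other find_vma() callers holding mmap_sem for read; load it exactly once. */`. The store shown in the description's diagram (`mm->mmap_cache = vma;`) lies outside both hunks, so whether it needs a matching annotation cannot be judged from here. Both find_vma() bodies continue past the hunks.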
@@ -0,0 +1,38 @@
+From foo@baz Wed Apr 10 15:21:39 PDT 2013
+Date: Wed, 10 Apr 2013 15:21:39 -0700
+From: Greg Kroah-Hartman
+To: Greg KH
+Subject: Revert "mwifiex: cancel cmd timer and free curr_cmd in shutdown process
+From: Greg Kroah-Hartman
+
+revert commit b9f1f48ce20a1b923429c216669d03b5a900a8cf which is commit
+084c7189acb3f969c855536166042e27f5dd703f upstream.
+
+It shouldn't have been applied to the 3.4-stable tree.
+
+Reported-by: Ben Hutchings
+Cc: Marco Cesarano
+Reported-by: Bing Zhao
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/mwifiex/init.c | 8 --------
+ 1 file changed, 8 deletions(-)
+
+--- a/drivers/net/wireless/mwifiex/init.c
++++ b/drivers/net/wireless/mwifiex/init.c
+@@ -584,14 +584,6 @@ mwifiex_shutdown_drv(struct mwifiex_adap
+ return ret;
+ }
+
+- /* cancel current command */
+- if (adapter->curr_cmd) {
+- dev_warn(adapter->dev, "curr_cmd is still in processing\n");
+- del_timer(&adapter->cmd_timer);
+- mwifiex_insert_cmd_to_free_q(adapter, adapter->curr_cmd);
+- adapter->curr_cmd = NULL;
+- }
+-
+ /* shut down mwifiex */
+ dev_dbg(adapter->dev, "info: shutdown mwifiex...\n");
+
diff --git a/queue-3.4/rt2x00-rt2x00pci_regbusy_read-only-print-register-access-failure-once.patch b/queue-3.4/rt2x00-rt2x00pci_regbusy_read-only-print-register-access-failure-once.patch
new file mode 100644
index 00000000000..4fe039251f3
--- /dev/null
+++ b/queue-3.4/rt2x00-rt2x00pci_regbusy_read-only-print-register-access-failure-once.patch
@@ -0,0 +1,43 @@
+From 83589b30f1e1dc9898986293c9336b8ce1705dec Mon Sep 17 00:00:00 2001
+From: Tim Gardner
+Date: Mon, 18 Feb 2013 12:56:28 -0700
+Subject: rt2x00: rt2x00pci_regbusy_read() - only print register access failure once
+
+From: Tim Gardner
+
+commit 83589b30f1e1dc9898986293c9336b8ce1705dec upstream.
+
+BugLink: http://bugs.launchpad.net/bugs/1128840
+
+It appears that when this register read fails it never recovers, so
+I think there is no need to repeat the same error message ad infinitum.
+
+Signed-off-by: Tim Gardner
+Cc: Ivo van Doorn
+Cc: Gertjan van Wingerde
+Cc: Helmut Schaa
+Cc: "John W. Linville"
+Cc: linux-wireless@vger.kernel.org
+Cc: users@rt2x00.serialmonkey.com
+Cc: netdev@vger.kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/rt2x00/rt2x00pci.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/rt2x00/rt2x00pci.c
++++ b/drivers/net/wireless/rt2x00/rt2x00pci.c
+@@ -52,8 +52,8 @@ int rt2x00pci_regbusy_read(struct rt2x00
+ udelay(REGISTER_BUSY_DELAY);
+ }
+
+- ERROR(rt2x00dev, "Indirect register access failed: "
+- "offset=0x%.08x, value=0x%.08x\n", offset, *reg);
++ printk_once(KERN_ERR "%s() Indirect register access failed: "
++ "offset=0x%.08x, value=0x%.08x\n", __func__, offset, *reg);
+ *reg = ~0;
+
+ return 0;
diff --git a/queue-3.4/series b/queue-3.4/series
index e63ab9d4ee7..b6322fc39b0 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
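Review bot: `printk_once()` keeps a single flag per call site rather than per device, so after the first failure on any adapter this message is not printed again, including for a different device or a later, unrelated failure. The new format string also no longer uses rt2x00dev, so the one line that does get logged identifies only `__func__` and not which device failed. If the aim is to stop log flooding, a rate-limited message that keeps the device context would preserve the diagnostic trail, for example `printk_ratelimited(KERN_ERR ...)` with the device name added, or a per-device "already reported" flag checked before the existing `ERROR(rt2x00dev, ...)` call. rt2x00pci_regbusy_read() begins outside the hunk.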
@@ -23,3 +23,7 @@ block-avoid-using-uninitialized-value-in-from-queue_var_store.patch
 x86-fix-rebuild-with-efi_stub-enabled.patch
 thermal-return-an-error-on-failure-to-register-thermal-class.patch
 panic-fix-a-possible-deadlock-in-panic.patch
+mm-prevent-mmap_cache-race-in-find_vma.patch
+revert-mwifiex-cancel-cmd-timer-and-free-curr_cmd-in-shutdown-process.patch
+can-gw-use-kmem_cache_free-instead-of-kfree.patch
+rt2x00-rt2x00pci_regbusy_read-only-print-register-access-failure-once.patch
-- 2.47.3