From da1ce37e310649816bb32a35d007955774ada2b4 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 5 Aug 2014 11:05:56 -0700
Subject: [PATCH] 3.14-stable patches
added patches:
 cpufreq-move-policy-kobj-to-policy-cpu-at-resume.patch
 lib-btree.c-fix-leak-of-whole-btree-nodes.patch
 net-l2tp-don-t-fall-back-on-udp-sockopt.patch
 x86-xen-no-need-to-explicitly-register-an-nmi-callback.patch
 xtensa-add-fixup-for-double-exception-raised-in-window-overflow.patch
---
 ...-policy-kobj-to-policy-cpu-at-resume.patch | 63 +++++
 ...tree.c-fix-leak-of-whole-btree-nodes.patch | 47 ++++
 ...-l2tp-don-t-fall-back-on-udp-sockopt.patch | 54 ++++
 queue-3.14/series | 5 +
 ...-explicitly-register-an-nmi-callback.patch | 52 ++++
 ...-exception-raised-in-window-overflow.patch | 262 ++++++++++++++++++
 6 files changed, 483 insertions(+)
 create mode 100644 queue-3.14/cpufreq-move-policy-kobj-to-policy-cpu-at-resume.patch
 create mode 100644 queue-3.14/lib-btree.c-fix-leak-of-whole-btree-nodes.patch
 create mode 100644 queue-3.14/net-l2tp-don-t-fall-back-on-udp-sockopt.patch
 create mode 100644 queue-3.14/x86-xen-no-need-to-explicitly-register-an-nmi-callback.patch
 create mode 100644 queue-3.14/xtensa-add-fixup-for-double-exception-raised-in-window-overflow.patch
diff --git a/queue-3.14/cpufreq-move-policy-kobj-to-policy-cpu-at-resume.patch b/queue-3.14/cpufreq-move-policy-kobj-to-policy-cpu-at-resume.patch
new file mode 100644
index 00000000000..df03747d9c9
--- /dev/null
+++ b/queue-3.14/cpufreq-move-policy-kobj-to-policy-cpu-at-resume.patch
@@ -0,0 +1,63 @@
+From 92c14bd9477a20a83144f08c0ca25b0308bf0730 Mon Sep 17 00:00:00 2001
+From: Viresh Kumar
+Date: Thu, 17 Jul 2014 10:48:25 +0530
+Subject: cpufreq: move policy kobj to policy->cpu at resume
+
+From: Viresh Kumar
+
+commit 92c14bd9477a20a83144f08c0ca25b0308bf0730 upstream.
+
+This is only relevant to implementations with multiple clusters, where clusters
+have separate clock lines but all CPUs within a cluster share it.
+
+Consider a dual cluster platform with 2 cores per cluster. During suspend we
+start hot unplugging CPUs in order 1 to 3. When CPU2 is removed, policy->kobj
+would be moved to CPU3 and when CPU3 goes down we wouldn't free policy or its
+kobj as we want to retain permissions/values/etc.
+
+Now on resume, we will get CPU2 before CPU3 and will call __cpufreq_add_dev().
+We will recover the old policy and update policy->cpu from 3 to 2 from
+update_policy_cpu().
+
+But the kobj is still tied to CPU3 and isn't moved to CPU2. We wouldn't create a
+link for CPU2, but would try that for CPU3 while bringing it online. Which will
+report errors as CPU3 already has kobj assigned to it.
+
+This bug got introduced with commit 42f921a, which overlooked this scenario.
+
+To fix this, lets move kobj to the new policy->cpu while bringing first CPU of a
+cluster back. Also do a WARN_ON() if kobject_move failed, as we would reach here
+only for the first CPU of a non-boot cluster. And we can't recover from this
+situation, if kobject_move() fails.
+
+Fixes: 42f921a6f10c (cpufreq: remove sysfs files for CPUs which failed to come back after resume)
+Cc: 3.13+ # 3.13+
+Reported-and-tested-by: Bu Yitian
+Reported-by: Saravana Kannan
+Reviewed-by: Srivatsa S. Bhat
+Signed-off-by: Viresh Kumar
+Signed-off-by: Rafael J.
Wysocki
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ drivers/cpufreq/cpufreq.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/cpufreq/cpufreq.c
++++ b/drivers/cpufreq/cpufreq.c
+@@ -1089,10 +1089,12 @@ static int __cpufreq_add_dev(struct devi
+ * the creation of a brand new one. So we need to perform this update
+ * by invoking update_policy_cpu().
+ */
+- if (frozen && cpu != policy->cpu)
++ if (frozen && cpu != policy->cpu) {
+ update_policy_cpu(policy, cpu);
+- else
++ WARN_ON(kobject_move(&policy->kobj, &dev->kobj));
++ } else {
+ policy->cpu = cpu;
++ }
+
+ policy->governor = CPUFREQ_DEFAULT_GOVERNOR;
+ cpumask_copy(policy->cpus, cpumask_of(cpu));
diff --git a/queue-3.14/lib-btree.c-fix-leak-of-whole-btree-nodes.patch b/queue-3.14/lib-btree.c-fix-leak-of-whole-btree-nodes.patch
new file mode 100644
index 00000000000..0ed9ffea432
--- /dev/null
+++ b/queue-3.14/lib-btree.c-fix-leak-of-whole-btree-nodes.patch
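Review bot: The `kobject_move()` call added to `__cpufreq_add_dev()` sits inside `WARN_ON()`, so its error code is dropped and the function carries on with `policy->kobj` still parented to the old CPU device. The commit message says this failure cannot be recovered from, but the code itself says nothing; a comment above the call such as `/* kobj must follow policy->cpu; a failed move leaves sysfs inconsistent and cannot be undone here */` would stop a later reader from treating the warning as harmless. Keeping the side effect out of the assertion would also read better, with the call result stored in a local and `WARN_ON()` applied to that local. Whether a suitable local exists cannot be told from here, because the function body starts and ends outside the hunk.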
@@ -0,0 +1,47 @@
+From c75b53af2f0043aff500af0a6f878497bef41bca Mon Sep 17 00:00:00 2001
+From: Minfei Huang
+Date: Wed, 4 Jun 2014 16:11:53 -0700
+Subject: lib/btree.c: fix leak of whole btree nodes
+
+From: Minfei Huang
+
+commit c75b53af2f0043aff500af0a6f878497bef41bca upstream.
+
+I use btree from 3.14-rc2 in my own module. When the btree module is
+removed, a warning arises:
+
+ kmem_cache_destroy btree_node: Slab cache still has objects
+ CPU: 13 PID: 9150 Comm: rmmod Tainted: GF O 3.14.0-rc2 #1
+ Hardware name: Inspur NF5270M3/NF5270M3, BIOS CHEETAH_2.1.3 09/10/2013
+ Call Trace:
+ dump_stack+0x49/0x5d
+ kmem_cache_destroy+0xcf/0xe0
+ btree_module_exit+0x10/0x12 [btree]
+ SyS_delete_module+0x198/0x1f0
+ system_call_fastpath+0x16/0x1b
+
+The cause is that it doesn't release the last btree node, when height = 1
+and fill = 1.
+
+[akpm@linux-foundation.org: remove unneeded test of NULL]
+Signed-off-by: Minfei Huang
+Cc: Joern Engel
+Cc: Johannes Berg
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ lib/btree.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/lib/btree.c
++++ b/lib/btree.c
+@@ -198,6 +198,7 @@ EXPORT_SYMBOL_GPL(btree_init);
+
+ void btree_destroy(struct btree_head *head)
+ {
++ mempool_free(head->node, head->mempool);
+ mempool_destroy(head->mempool);
+ head->mempool = NULL;
+ }
diff --git a/queue-3.14/net-l2tp-don-t-fall-back-on-udp-sockopt.patch b/queue-3.14/net-l2tp-don-t-fall-back-on-udp-sockopt.patch
new file mode 100644
index 00000000000..9ddfc8cbf3c
--- /dev/null
+++ b/queue-3.14/net-l2tp-don-t-fall-back-on-udp-sockopt.patch
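Review bot: After the added `mempool_free(head->node, head->mempool)` in `btree_destroy()`, `head->node` still holds the freed pointer, while `head->mempool` is reset to NULL two lines later. Any later access through the same `btree_head` without a fresh `btree_init()` would then touch freed memory; adding `head->node = NULL;` right after the free keeps the head in a consistent state. The function also frees only the root node, so it presumably relies on callers having emptied the tree first. A comment such as `/* caller must have removed all entries; only the root node is freed here */` would make that contract explicit.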
@@ -0,0 +1,54 @@
+From 3cf521f7dc87c031617fd47e4b7aa2593c2f3daf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 14 Jul 2014 17:02:31 -0700
+Subject: net/l2tp: don't fall back on UDP [get|set]sockopt
+
+From: Sasha Levin
+
+commit 3cf521f7dc87c031617fd47e4b7aa2593c2f3daf upstream.
+
+The l2tp [get|set]sockopt() code has fallen back to the UDP functions
+for socket option levels != SOL_PPPOL2TP since day one, but that has
+never actually worked, since the l2tp socket isn't an inet socket.
+
+As David Miller points out:
+
+ "If we wanted this to work, it'd have to look up the tunnel and then
+ use tunnel->sk, but I wonder how useful that would be"
+
+Since this can never have worked so nobody could possibly have depended
+on that functionality, just remove the broken code and return -EINVAL.
+
+Reported-by: Sasha Levin
+Acked-by: James Chapman
+Acked-by: David Miller
+Cc: Phil Turnbull
+Cc: Vegard Nossum
+Cc: Willy Tarreau
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/l2tp/l2tp_ppp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -1368,7 +1368,7 @@ static int pppol2tp_setsockopt(struct so
+ int err;
+
+ if (level != SOL_PPPOL2TP)
+- return udp_prot.setsockopt(sk, level, optname, optval, optlen);
++ return -EINVAL;
+
+ if (optlen < sizeof(int))
+ return -EINVAL;
+@@ -1494,7 +1494,7 @@ static int pppol2tp_getsockopt(struct so
+ struct pppol2tp_session *ps;
+
+ if (level != SOL_PPPOL2TP)
+- return udp_prot.getsockopt(sk, level, optname, optval, optlen);
++ return -EINVAL;
+
+ if (get_user(len, optlen))
+ return -EFAULT;
diff --git a/queue-3.14/series b/queue-3.14/series
index 593b81f13ed..642cad2135c 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
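Review bot: Nothing at the two `if (level != SOL_PPPOL2TP) return -EINVAL;` checks in `pppol2tp_setsockopt()` and `pppol2tp_getsockopt()` records why other option levels are rejected rather than forwarded. The commit message gives the reason: the PPPoL2TP socket is not an inet socket, so passing `sk` to the `udp_prot` handlers would make them operate on the wrong socket type with option arguments that come from the caller. That belongs next to the check so the fallback is not reintroduced later, for example `/* sk is a PPPoX socket, not an inet socket: never hand it to the udp_prot handlers */` above each check. Both function bodies start and end outside their hunks.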
@@ -31,3 +31,8 @@ pinctrl-dra-dt-bindings-fix-pull-enable-disable.patch
 arm-dts-dra7-evm-make-vdda_1v8_phy-supply-always-on.patch
 staging-vt6655-fix-warning-on-boot-handle_irq_event_percpu.patch
 revert-mac80211-move-bufferable-mmpdu-check-to-fix-ap-mode-scan.patch
+cpufreq-move-policy-kobj-to-policy-cpu-at-resume.patch
+x86-xen-no-need-to-explicitly-register-an-nmi-callback.patch
+xtensa-add-fixup-for-double-exception-raised-in-window-overflow.patch
+net-l2tp-don-t-fall-back-on-udp-sockopt.patch
+lib-btree.c-fix-leak-of-whole-btree-nodes.patch
diff --git a/queue-3.14/x86-xen-no-need-to-explicitly-register-an-nmi-callback.patch b/queue-3.14/x86-xen-no-need-to-explicitly-register-an-nmi-callback.patch
new file mode 100644
index 00000000000..0df7e5efc09
--- /dev/null
+++ b/queue-3.14/x86-xen-no-need-to-explicitly-register-an-nmi-callback.patch
@@ -0,0 +1,52 @@
+From ea9f9274bf4337ba7cbab241c780487651642d63 Mon Sep 17 00:00:00 2001
+From: David Vrabel
+Date: Mon, 16 Jun 2014 13:07:00 +0200
+Subject: x86/xen: no need to explicitly register an NMI callback
+
+From: David Vrabel
+
+commit ea9f9274bf4337ba7cbab241c780487651642d63 upstream.
+
+Remove xen_enable_nmi() to fix a 64-bit guest crash when registering
+the NMI callback on Xen 3.1 and earlier.
+
+It's not needed since the NMI callback is set by a set_trap_table
+hypercall (in xen_load_idt() or xen_write_idt_entry()).
+
+It's also broken since it only set the current VCPU's callback.
+
+Signed-off-by: David Vrabel
+Reported-by: Vitaly Kuznetsov
+Tested-by: Vitaly Kuznetsov
+Cc: Steven Noonan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/xen/setup.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+--- a/arch/x86/xen/setup.c
++++ b/arch/x86/xen/setup.c
+@@ -574,13 +574,7 @@ void xen_enable_syscall(void)
+ }
+ #endif /* CONFIG_X86_64 */
+ }
+-void xen_enable_nmi(void)
+-{
+-#ifdef CONFIG_X86_64
+- if (register_callback(CALLBACKTYPE_nmi, (char *)nmi))
+- BUG();
+-#endif
+-}
++
+ void __init xen_pvmmu_arch_setup(void)
+ {
+ HYPERVISOR_vm_assist(VMASST_CMD_enable, VMASST_TYPE_4gb_segments);
+@@ -595,7 +589,6 @@ void __init xen_pvmmu_arch_setup(void)
+
+ xen_enable_sysenter();
+ xen_enable_syscall();
+- xen_enable_nmi();
+ }
+
+ /* This function is not called for HVM domains */
diff --git a/queue-3.14/xtensa-add-fixup-for-double-exception-raised-in-window-overflow.patch b/queue-3.14/xtensa-add-fixup-for-double-exception-raised-in-window-overflow.patch
new file mode 100644
index 00000000000..b8a9282a1d6
--- /dev/null
+++ b/queue-3.14/xtensa-add-fixup-for-double-exception-raised-in-window-overflow.patch
@@ -0,0 +1,262 @@
+From 17290231df16eeee5dfc198dbf5ee4b419996dcd Mon Sep 17 00:00:00 2001
+From: Max Filippov
+Date: Sat, 24 May 2014 21:48:28 +0400
+Subject: xtensa: add fixup for double exception raised in window overflow
+
+From: Max Filippov
+
+commit 17290231df16eeee5dfc198dbf5ee4b419996dcd upstream.
+
+There are two FIXMEs in the double exception handler 'for the extremely
+unlikely case'. This case gets hit by gcc during kernel build once in
+a few hours, resulting in an unrecoverable exception condition.
+
+Provide missing fixup routine to handle this case. Double exception
+literals now need 8 more bytes, add them to the linker script.
+
+Also replace bbsi instructions with bbsi.l as we're branching depending
+on 8th and 7th LSB-based bits of exception address.
+
+This may be tested by adding the explicit DTLB invalidation to window
+overflow handlers, like the following:
+
+# --- a/arch/xtensa/kernel/vectors.S
+# +++ b/arch/xtensa/kernel/vectors.S
+#
@@ -592,6 +592,14 @@ ENDPROC(_WindowUnderflow4)
+# ENTRY_ALIGN64(_WindowOverflow8)
+#
+# s32e a0, a9, -16
+# + bbsi.l a9, 31, 1f
+# + rsr a0, ccount
+# + bbsi.l a0, 4, 1f
+# + pdtlb a0, a9
+# + idtlb a0
+# + movi a0, 9
+# + idtlb a0
+# +1:
+# l32e a0, a1, -12
+# s32e a2, a9, -8
+# s32e a1, a9, -12
+
+Signed-off-by: Max Filippov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/xtensa/kernel/vectors.S | 158 +++++++++++++++++++++++++++++++++------
+ arch/xtensa/kernel/vmlinux.lds.S | 4
+ 2 files changed, 138 insertions(+), 24 deletions(-)
+
+--- a/arch/xtensa/kernel/vectors.S
++++ b/arch/xtensa/kernel/vectors.S
+@@ -376,38 +376,42 @@ _DoubleExceptionVector_WindowOverflow:
+ beqz a2, 1f # if at start of vector, don't restore
+
+ addi a0, a0, -128
+- bbsi a0, 8, 1f # don't restore except for overflow 8 and 12
+- bbsi a0, 7, 2f
++ bbsi.l a0, 8, 1f # don't restore except for overflow 8 and 12
++
++ /*
++ * This fixup handler is for the extremely unlikely case where the
++ * overflow handler's reference thru a0 gets a hardware TLB refill
++ * that bumps out the (distinct, aliasing) TLB entry that mapped its
++ * prior references thru a9/a13, and where our reference now thru
++ * a9/a13 gets a 2nd-level miss exception (not hardware TLB refill).
++ */
++ movi a2, window_overflow_restore_a0_fixup
++ s32i a2, a3, EXC_TABLE_FIXUP
++ l32i a2, a3, EXC_TABLE_DOUBLE_SAVE
++ xsr a3, excsave1
++
++ bbsi.l a0, 7, 2f
+
+ /*
+ * Restore a0 as saved by _WindowOverflow8().
+- *
+- * FIXME: we really need a fixup handler for this L32E,
+- * for the extremely unlikely case where the overflow handler's
+- * reference thru a0 gets a hardware TLB refill that bumps out
+- * the (distinct, aliasing) TLB entry that mapped its prior
+- * references thru a9, and where our reference now thru a9
+- * gets a 2nd-level miss exception (not hardware TLB refill).
+ */
+
+- l32e a2, a9, -16
+- wsr a2, depc # replace the saved a0
+- j 1f
++ l32e a0, a9, -16
++ wsr a0, depc # replace the saved a0
++ j 3f
+
+ 2:
+ /*
+ * Restore a0 as saved by _WindowOverflow12().
+- *
+- * FIXME: we really need a fixup handler for this L32E,
+- * for the extremely unlikely case where the overflow handler's
+- * reference thru a0 gets a hardware TLB refill that bumps out
+- * the (distinct, aliasing) TLB entry that mapped its prior
+- * references thru a13, and where our reference now thru a13
+- * gets a 2nd-level miss exception (not hardware TLB refill).
+ */
+
+- l32e a2, a13, -16
+- wsr a2, depc # replace the saved a0
++ l32e a0, a13, -16
++ wsr a0, depc # replace the saved a0
++3:
++ xsr a3, excsave1
++ movi a0, 0
++ s32i a0, a3, EXC_TABLE_FIXUP
++ s32i a2, a3, EXC_TABLE_DOUBLE_SAVE
+ 1:
+ /*
+ * Restore WindowBase while leaving all address registers restored.
+@@ -449,6 +453,7 @@ _DoubleExceptionVector_WindowOverflow:
+
+ s32i a0, a2, PT_DEPC
+
++_DoubleExceptionVector_handle_exception:
+ addx4 a0, a0, a3
+ l32i a0, a0, EXC_TABLE_FAST_USER
+ xsr a3, excsave1
+@@ -464,11 +469,120 @@ _DoubleExceptionVector_WindowOverflow:
+ rotw -3
+ j 1b
+
+- .end literal_prefix
+
+ ENDPROC(_DoubleExceptionVector)
+
+ /*
++ * Fixup handler for TLB miss in double exception handler for window owerflow.
++ * We get here with windowbase set to the window that was being spilled and
++ * a0 trashed. a0 bit 7 determines if this is a call8 (bit clear) or call12
++ * (bit set) window.
++ *
++ * We do the following here:
++ * - go to the original window retaining a0 value;
++ * - set up exception stack to return back to appropriate a0 restore code
++ * (we'll need to rotate window back and there's no place to save this
++ * information, use different return address for that);
++ * - handle the exception;
++ * - go to the window that was being spilled;
++ * - set up window_overflow_restore_a0_fixup as a fixup routine;
++ * - reload a0;
++ * - restore the original window;
++ * - reset the default fixup routine;
++ * - return to user. By the time we get to this fixup handler all information
++ * about the conditions of the original double exception that happened in
++ * the window overflow handler is lost, so we just return to userspace to
++ * retry overflow from start.
++ *
++ * a0: value of depc, original value in depc
++ * a2: trashed, original value in EXC_TABLE_DOUBLE_SAVE
++ * a3: exctable, original value in excsave1
++ */
++
++ENTRY(window_overflow_restore_a0_fixup)
++
++ rsr a0, ps
++ extui a0, a0, PS_OWB_SHIFT, PS_OWB_WIDTH
++ rsr a2, windowbase
++ sub a0, a2, a0
++ extui a0, a0, 0, 3
++ l32i a2, a3, EXC_TABLE_DOUBLE_SAVE
++ xsr a3, excsave1
++
++ _beqi a0, 1, .Lhandle_1
++ _beqi a0, 3, .Lhandle_3
++
++ .macro overflow_fixup_handle_exception_pane n
++
++ rsr a0, depc
++ rotw -\n
++
++ xsr a3, excsave1
++ wsr a2, depc
++ l32i a2, a3, EXC_TABLE_KSTK
++ s32i a0, a2, PT_AREG0
++
++ movi a0, .Lrestore_\n
++ s32i a0, a2, PT_DEPC
++ rsr a0, exccause
++ j _DoubleExceptionVector_handle_exception
++
++ .endm
++
++ overflow_fixup_handle_exception_pane 2
++.Lhandle_1:
++ overflow_fixup_handle_exception_pane 1
++.Lhandle_3:
++ overflow_fixup_handle_exception_pane 3
++
++ .macro overflow_fixup_restore_a0_pane n
++
++ rotw \n
++ /* Need to preserve a0 value here to be able to handle exception
++ * that may occur on a0 reload from stack.
It may occur because
++ * TLB miss handler may not be atomic and pointer to page table
++ * may be lost before we get here. There are no free registers,
++ * so we need to use EXC_TABLE_DOUBLE_SAVE area.
++ */
++ xsr a3, excsave1
++ s32i a2, a3, EXC_TABLE_DOUBLE_SAVE
++ movi a2, window_overflow_restore_a0_fixup
++ s32i a2, a3, EXC_TABLE_FIXUP
++ l32i a2, a3, EXC_TABLE_DOUBLE_SAVE
++ xsr a3, excsave1
++ bbsi.l a0, 7, 1f
++ l32e a0, a9, -16
++ j 2f
++1:
++ l32e a0, a13, -16
++2:
++ rotw -\n
++
++ .endm
++
++.Lrestore_2:
++ overflow_fixup_restore_a0_pane 2
++
++.Lset_default_fixup:
++ xsr a3, excsave1
++ s32i a2, a3, EXC_TABLE_DOUBLE_SAVE
++ movi a2, 0
++ s32i a2, a3, EXC_TABLE_FIXUP
++ l32i a2, a3, EXC_TABLE_DOUBLE_SAVE
++ xsr a3, excsave1
++ rfe
++
++.Lrestore_1:
++ overflow_fixup_restore_a0_pane 1
++ j .Lset_default_fixup
++.Lrestore_3:
++ overflow_fixup_restore_a0_pane 3
++ j .Lset_default_fixup
++
++ENDPROC(window_overflow_restore_a0_fixup)
++
++ .end literal_prefix
++/*
+ * Debug interrupt vector
+ *
+ * There is not much space here, so simply jump to another handler.
+--- a/arch/xtensa/kernel/vmlinux.lds.S
++++ b/arch/xtensa/kernel/vmlinux.lds.S
+@@ -269,13 +269,13 @@ SECTIONS
+ .UserExceptionVector.literal)
+ SECTION_VECTOR (_DoubleExceptionVector_literal,
+ .DoubleExceptionVector.literal,
+- DOUBLEEXC_VECTOR_VADDR - 16,
++ DOUBLEEXC_VECTOR_VADDR - 40,
+ SIZEOF(.UserExceptionVector.text),
+ .UserExceptionVector.text)
+ SECTION_VECTOR (_DoubleExceptionVector_text,
+ .DoubleExceptionVector.text,
+ DOUBLEEXC_VECTOR_VADDR,
+- 32,
++ 40,
+ .DoubleExceptionVector.literal)
+
+ . = (LOADADDR( .DoubleExceptionVector.text ) + SIZEOF( .DoubleExceptionVector.text ) + 3) & ~ 3;
--
2.47.3
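Review bot: The new literal-area size appears as a bare `40` in two places in `vmlinux.lds.S` (`DOUBLEEXC_VECTOR_VADDR - 40` and the `40` argument of the `_DoubleExceptionVector_text` entry), with nothing tying it to the literals that `vectors.S` now emits. The commit message says the double exception literals need 8 more bytes, which matches the 32 to 40 change but not the 16 to 40 address change, so the derivation deserves a comment. Something like `/* 40 = size of .DoubleExceptionVector.literal; update both uses when literals are added */` would do. Separately, the header comment of `window_overflow_restore_a0_fixup` spells "owerflow" where "overflow" is meant.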