From: Greg Kroah-Hartman Date: Mon, 7 Jul 2014 20:45:28 +0000 (-0700) Subject: 3.14-stable patches X-Git-Tag: v3.4.98~26 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=415fe50b84c04f3727eba604203c2dcac0ca6325;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: blkcg-fix-use-after-free-in-__blkg_release_rcu-by-making-blkcg_gq-refcnt-an-atomic_t.patch ext4-fix-buffer-double-free-in-ext4_alloc_branch.patch ext4-fix-hole-punching-for-files-with-indirect-blocks.patch fs-seq_file-fallback-to-vmalloc-allocation.patch iio-of_iio_channel_get_by_name-returns-non-null-pointers-for-error-legs.patch irqchip-spear_shirq-fix-interrupt-offset.patch kvm-fix-wrong-address-when-writing-hyper-v-tsc-page.patch kvm-x86-increase-the-number-of-fixed-mtrr-regs-to-10.patch kvm-x86-preserve-the-high-32-bits-of-the-pat-register.patch md-flush-writes-before-starting-a-recovery.patch md-make-sure-get_array_info-ioctl-reports-correct-clean-status.patch mlx4_core-fix-incorrect-flags1-bitmap-test-in-mlx4_query_func_cap.patch mm-page_alloc-fix-cma-area-initialisation-when-pageblock-max_order.patch nfsd-fix-rare-symlink-decoding-bug.patch nick-kvfree-from-apparmor.patch proc-stat-convert-to-single_open_size.patch staging-iio-ad7291-fix-error-code-in-ad7291_probe.patch tools-ffs-test-fix-header-values-endianess.patch tracing-remove-ftrace_stop-start-from-reading-the-trace-file.patch --- diff --git a/queue-3.14/blkcg-fix-use-after-free-in-__blkg_release_rcu-by-making-blkcg_gq-refcnt-an-atomic_t.patch b/queue-3.14/blkcg-fix-use-after-free-in-__blkg_release_rcu-by-making-blkcg_gq-refcnt-an-atomic_t.patch new file mode 100644 index 00000000000..fd2c8b454d1 --- /dev/null +++ b/queue-3.14/blkcg-fix-use-after-free-in-__blkg_release_rcu-by-making-blkcg_gq-refcnt-an-atomic_t.patch @@ -0,0 +1,169 @@ +From a5049a8ae34950249a7ae94c385d7c5c98914412 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Thu, 19 Jun 2014 17:42:57 -0400 +Subject: blkcg: fix use-after-free in __blkg_release_rcu() by making blkcg_gq refcnt an atomic_t + +From: Tejun Heo + +commit a5049a8ae34950249a7ae94c385d7c5c98914412 upstream. + +Hello, + +So, this patch should do. Joe, Vivek, can one of you guys please +verify that the oops goes away with this patch? + +Jens, the original thread can be read at + + http://thread.gmane.org/gmane.linux.kernel/1720729 + +The fix converts blkg->refcnt from int to atomic_t. It does some +overhead but it should be minute compared to everything else which is +going on and the involved cacheline bouncing, so I think it's highly +unlikely to cause any noticeable difference. Also, the refcnt in +question should be converted to a perpcu_ref for blk-mq anyway, so the +atomic_t is likely to go away pretty soon anyway. + +Thanks. + +------- 8< ------- +__blkg_release_rcu() may be invoked after the associated request_queue +is released with a RCU grace period inbetween. As such, the function +and callbacks invoked from it must not dereference the associated +request_queue. This is clearly indicated in the comment above the +function. + +Unfortunately, while trying to fix a different issue, 2a4fd070ee85 +("blkcg: move bulk of blkcg_gq release operations to the RCU +callback") ignored this and added [un]locking of @blkg->q->queue_lock +to __blkg_release_rcu(). This of course can cause oops as the +request_queue may be long gone by the time this code gets executed. + + general protection fault: 0000 [#1] SMP + CPU: 21 PID: 30 Comm: rcuos/21 Not tainted 3.15.0 #1 + Hardware name: Stratus ftServer 6400/G7LAZ, BIOS BIOS Version 6.3:57 12/25/2013 + task: ffff880854021de0 ti: ffff88085403c000 task.ti: ffff88085403c000 + RIP: 0010:[] [] _raw_spin_lock_irq+0x15/0x60 + RSP: 0018:ffff88085403fdf0 EFLAGS: 00010086 + RAX: 0000000000020000 RBX: 0000000000000010 RCX: 0000000000000000 + RDX: 000060ef80008248 RSI: 0000000000000286 RDI: 6b6b6b6b6b6b6b6b + RBP: ffff88085403fdf0 R08: 0000000000000286 R09: 0000000000009f39 + R10: 0000000000020001 R11: 0000000000020001 R12: ffff88103c17a130 + R13: ffff88103c17a080 R14: 0000000000000000 R15: 0000000000000000 + FS: 0000000000000000(0000) GS:ffff88107fca0000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00000000006e5ab8 CR3: 000000000193d000 CR4: 00000000000407e0 + Stack: + ffff88085403fe18 ffffffff812cbfc2 ffff88103c17a130 0000000000000000 + ffff88103c17a130 ffff88085403fec0 ffffffff810d1d28 ffff880854021de0 + ffff880854021de0 ffff88107fcaec58 ffff88085403fe80 ffff88107fcaec30 + Call Trace: + [] __blkg_release_rcu+0x72/0x150 + [] rcu_nocb_kthread+0x1e8/0x300 + [] kthread+0xe1/0x100 + [] ret_from_fork+0x7c/0xb0 + Code: ff 47 04 48 8b 7d 08 be 00 02 00 00 e8 55 48 a4 ff 5d c3 0f 1f 00 66 66 66 66 90 55 48 89 e5 + +fa 66 66 90 66 66 90 b8 00 00 02 00 0f c1 07 89 c2 c1 ea 10 66 39 c2 75 02 5d c3 83 e2 fe 0f + +b7 + RIP [] _raw_spin_lock_irq+0x15/0x60 + RSP + +The request_queue locking was added because blkcg_gq->refcnt is an int +protected with the queue lock and __blkg_release_rcu() needs to put +the parent. Let's fix it by making blkcg_gq->refcnt an atomic_t and +dropping queue locking in the function. + +Given the general heavy weight of the current request_queue and blkcg +operations, this is unlikely to cause any noticeable overhead. +Moreover, blkcg_gq->refcnt is likely to be converted to percpu_ref in +the near future, so whatever (most likely negligible) overhead it may +add is temporary. + +Signed-off-by: Tejun Heo +Reported-by: Joe Lawrence +Acked-by: Vivek Goyal +Link: http://lkml.kernel.org/g/alpine.DEB.2.02.1406081816540.17948@jlaw-desktop.mno.stratus.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-cgroup.c | 7 ++----- + block/blk-cgroup.h | 17 +++++++---------- + 2 files changed, 9 insertions(+), 15 deletions(-) + +--- a/block/blk-cgroup.c ++++ b/block/blk-cgroup.c +@@ -80,7 +80,7 @@ static struct blkcg_gq *blkg_alloc(struc + blkg->q = q; + INIT_LIST_HEAD(&blkg->q_node); + blkg->blkcg = blkcg; +- blkg->refcnt = 1; ++ atomic_set(&blkg->refcnt, 1); + + /* root blkg uses @q->root_rl, init rl only for !root blkgs */ + if (blkcg != &blkcg_root) { +@@ -399,11 +399,8 @@ void __blkg_release_rcu(struct rcu_head + + /* release the blkcg and parent blkg refs this blkg has been holding */ + css_put(&blkg->blkcg->css); +- if (blkg->parent) { +- spin_lock_irq(blkg->q->queue_lock); ++ if (blkg->parent) + blkg_put(blkg->parent); +- spin_unlock_irq(blkg->q->queue_lock); +- } + + blkg_free(blkg); + } +--- a/block/blk-cgroup.h ++++ b/block/blk-cgroup.h +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + + /* Max limits for throttle policy */ + #define THROTL_IOPS_MAX UINT_MAX +@@ -104,7 +105,7 @@ struct blkcg_gq { + struct request_list rl; + + /* reference count */ +- int refcnt; ++ atomic_t refcnt; + + /* is this blkg online? protected by both blkcg and q locks */ + bool online; +@@ -253,13 +254,12 @@ static inline int blkg_path(struct blkcg + * blkg_get - get a blkg reference + * @blkg: blkg to get + * +- * The caller should be holding queue_lock and an existing reference. ++ * The caller should be holding an existing reference. + */ + static inline void blkg_get(struct blkcg_gq *blkg) + { +- lockdep_assert_held(blkg->q->queue_lock); +- WARN_ON_ONCE(!blkg->refcnt); +- blkg->refcnt++; ++ WARN_ON_ONCE(atomic_read(&blkg->refcnt) <= 0); ++ atomic_inc(&blkg->refcnt); + } + + void __blkg_release_rcu(struct rcu_head *rcu); +@@ -267,14 +267,11 @@ void __blkg_release_rcu(struct rcu_head + /** + * blkg_put - put a blkg reference + * @blkg: blkg to put +- * +- * The caller should be holding queue_lock. + */ + static inline void blkg_put(struct blkcg_gq *blkg) + { +- lockdep_assert_held(blkg->q->queue_lock); +- WARN_ON_ONCE(blkg->refcnt <= 0); +- if (!--blkg->refcnt) ++ WARN_ON_ONCE(atomic_read(&blkg->refcnt) <= 0); ++ if (atomic_dec_and_test(&blkg->refcnt)) + call_rcu(&blkg->rcu_head, __blkg_release_rcu); + } + diff --git a/queue-3.14/ext4-fix-buffer-double-free-in-ext4_alloc_branch.patch b/queue-3.14/ext4-fix-buffer-double-free-in-ext4_alloc_branch.patch new file mode 100644 index 00000000000..668e30205d7 --- /dev/null +++ b/queue-3.14/ext4-fix-buffer-double-free-in-ext4_alloc_branch.patch @@ -0,0 +1,50 @@ +From c5c7b8ddfbf8cb3b2291e515a34ab1b8982f5a2d Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Sun, 15 Jun 2014 23:46:28 -0400 +Subject: ext4: Fix buffer double free in ext4_alloc_branch() + +From: Jan Kara + +commit c5c7b8ddfbf8cb3b2291e515a34ab1b8982f5a2d upstream. + +Error recovery in ext4_alloc_branch() calls ext4_forget() even for +buffer corresponding to indirect block it did not allocate. This leads +to brelse() being called twice for that buffer (once from ext4_forget() +and once from cleanup in ext4_ind_map_blocks()) leading to buffer use +count misaccounting. Eventually (but often much later because there +are other users of the buffer) we will see messages like: +VFS: brelse: Trying to free free buffer + +Another manifestation of this problem is an error: +JBD2 unexpected failure: jbd2_journal_revoke: !buffer_revoked(bh); +inconsistent data on disk + +The fix is easy - don't forget buffer we did not allocate. Also add an +explanatory comment because the indexing at ext4_alloc_branch() is +somewhat subtle. + +Signed-off-by: Jan Kara +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/indirect.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/fs/ext4/indirect.c ++++ b/fs/ext4/indirect.c +@@ -389,7 +389,13 @@ static int ext4_alloc_branch(handle_t *h + return 0; + failed: + for (; i >= 0; i--) { +- if (i != indirect_blks && branch[i].bh) ++ /* ++ * We want to ext4_forget() only freshly allocated indirect ++ * blocks. Buffer for new_blocks[i-1] is at branch[i].bh and ++ * buffer at branch[0].bh is indirect block / inode already ++ * existing before ext4_alloc_branch() was called. ++ */ ++ if (i > 0 && i != indirect_blks && branch[i].bh) + ext4_forget(handle, 1, inode, branch[i].bh, + branch[i].bh->b_blocknr); + ext4_free_blocks(handle, inode, NULL, new_blocks[i], diff --git a/queue-3.14/ext4-fix-hole-punching-for-files-with-indirect-blocks.patch b/queue-3.14/ext4-fix-hole-punching-for-files-with-indirect-blocks.patch new file mode 100644 index 00000000000..b00a35dc3fb --- /dev/null +++ b/queue-3.14/ext4-fix-hole-punching-for-files-with-indirect-blocks.patch @@ -0,0 +1,57 @@ +From a93cd4cf86466caa49cfe64607bea7f0bde3f916 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 26 Jun 2014 12:30:54 -0400 +Subject: ext4: Fix hole punching for files with indirect blocks + +From: Jan Kara + +commit a93cd4cf86466caa49cfe64607bea7f0bde3f916 upstream. + +Hole punching code for files with indirect blocks wrongly computed +number of blocks which need to be cleared when traversing the indirect +block tree. That could result in punching more blocks than actually +requested and thus effectively cause a data loss. For example: + +fallocate -n -p 10240000 4096 + +will punch the range 10240000 - 12632064 instead of the range 1024000 - +10244096. Fix the calculation. + +Fixes: 8bad6fc813a3a5300f51369c39d315679fd88c72 +Signed-off-by: Jan Kara +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/indirect.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/fs/ext4/indirect.c ++++ b/fs/ext4/indirect.c +@@ -1318,16 +1318,24 @@ static int free_hole_blocks(handle_t *ha + blk = *i_data; + if (level > 0) { + ext4_lblk_t first2; ++ ext4_lblk_t count2; ++ + bh = sb_bread(inode->i_sb, le32_to_cpu(blk)); + if (!bh) { + EXT4_ERROR_INODE_BLOCK(inode, le32_to_cpu(blk), + "Read failure"); + return -EIO; + } +- first2 = (first > offset) ? first - offset : 0; ++ if (first > offset) { ++ first2 = first - offset; ++ count2 = count; ++ } else { ++ first2 = 0; ++ count2 = count - (offset - first); ++ } + ret = free_hole_blocks(handle, inode, bh, + (__le32 *)bh->b_data, level - 1, +- first2, count - offset, ++ first2, count2, + inode->i_sb->s_blocksize >> 2); + if (ret) { + brelse(bh); diff --git a/queue-3.14/fs-seq_file-fallback-to-vmalloc-allocation.patch b/queue-3.14/fs-seq_file-fallback-to-vmalloc-allocation.patch new file mode 100644 index 00000000000..991e8e1cac7 --- /dev/null +++ b/queue-3.14/fs-seq_file-fallback-to-vmalloc-allocation.patch @@ -0,0 +1,156 @@ +From 058504edd02667eef8fac9be27ab3ea74332e9b4 Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Wed, 2 Jul 2014 15:22:37 -0700 +Subject: fs/seq_file: fallback to vmalloc allocation + +From: Heiko Carstens + +commit 058504edd02667eef8fac9be27ab3ea74332e9b4 upstream. + +There are a couple of seq_files which use the single_open() interface. +This interface requires that the whole output must fit into a single +buffer. + +E.g. for /proc/stat allocation failures have been observed because an +order-4 memory allocation failed due to memory fragmentation. In such +situations reading /proc/stat is not possible anymore. + +Therefore change the seq_file code to fallback to vmalloc allocations +which will usually result in a couple of order-0 allocations and hence +also work if memory is fragmented. + +For reference a call trace where reading from /proc/stat failed: + + sadc: page allocation failure: order:4, mode:0x1040d0 + CPU: 1 PID: 192063 Comm: sadc Not tainted 3.10.0-123.el7.s390x #1 + [...] + Call Trace: + show_stack+0x6c/0xe8 + warn_alloc_failed+0xd6/0x138 + __alloc_pages_nodemask+0x9da/0xb68 + __get_free_pages+0x2e/0x58 + kmalloc_order_trace+0x44/0xc0 + stat_open+0x5a/0xd8 + proc_reg_open+0x8a/0x140 + do_dentry_open+0x1bc/0x2c8 + finish_open+0x46/0x60 + do_last+0x382/0x10d0 + path_openat+0xc8/0x4f8 + do_filp_open+0x46/0xa8 + do_sys_open+0x114/0x1f0 + sysc_tracego+0x14/0x1a + +Signed-off-by: Heiko Carstens +Tested-by: David Rientjes +Cc: Ian Kent +Cc: Hendrik Brueckner +Cc: Thorsten Diehl +Cc: Andrea Righi +Cc: Christoph Hellwig +Cc: Al Viro +Cc: Stefan Bader +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/seq_file.c | 30 +++++++++++++++++++++--------- + 1 file changed, 21 insertions(+), 9 deletions(-) + +--- a/fs/seq_file.c ++++ b/fs/seq_file.c +@@ -8,8 +8,10 @@ + #include + #include + #include ++#include + #include + #include ++#include + + #include + #include +@@ -30,6 +32,16 @@ static void seq_set_overflow(struct seq_ + m->count = m->size; + } + ++static void *seq_buf_alloc(unsigned long size) ++{ ++ void *buf; ++ ++ buf = kmalloc(size, GFP_KERNEL | __GFP_NOWARN); ++ if (!buf && size > PAGE_SIZE) ++ buf = vmalloc(size); ++ return buf; ++} ++ + /** + * seq_open - initialize sequential file + * @file: file we initialize +@@ -96,7 +108,7 @@ static int traverse(struct seq_file *m, + return 0; + } + if (!m->buf) { +- m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL); ++ m->buf = seq_buf_alloc(m->size = PAGE_SIZE); + if (!m->buf) + return -ENOMEM; + } +@@ -135,9 +147,9 @@ static int traverse(struct seq_file *m, + + Eoverflow: + m->op->stop(m, p); +- kfree(m->buf); ++ kvfree(m->buf); + m->count = 0; +- m->buf = kmalloc(m->size <<= 1, GFP_KERNEL); ++ m->buf = seq_buf_alloc(m->size <<= 1); + return !m->buf ? -ENOMEM : -EAGAIN; + } + +@@ -192,7 +204,7 @@ ssize_t seq_read(struct file *file, char + + /* grab buffer if we didn't have one */ + if (!m->buf) { +- m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL); ++ m->buf = seq_buf_alloc(m->size = PAGE_SIZE); + if (!m->buf) + goto Enomem; + } +@@ -232,9 +244,9 @@ ssize_t seq_read(struct file *file, char + if (m->count < m->size) + goto Fill; + m->op->stop(m, p); +- kfree(m->buf); ++ kvfree(m->buf); + m->count = 0; +- m->buf = kmalloc(m->size <<= 1, GFP_KERNEL); ++ m->buf = seq_buf_alloc(m->size <<= 1); + if (!m->buf) + goto Enomem; + m->version = 0; +@@ -350,7 +362,7 @@ EXPORT_SYMBOL(seq_lseek); + int seq_release(struct inode *inode, struct file *file) + { + struct seq_file *m = file->private_data; +- kfree(m->buf); ++ kvfree(m->buf); + kfree(m); + return 0; + } +@@ -605,13 +617,13 @@ EXPORT_SYMBOL(single_open); + int single_open_size(struct file *file, int (*show)(struct seq_file *, void *), + void *data, size_t size) + { +- char *buf = kmalloc(size, GFP_KERNEL); ++ char *buf = seq_buf_alloc(size); + int ret; + if (!buf) + return -ENOMEM; + ret = single_open(file, show, data); + if (ret) { +- kfree(buf); ++ kvfree(buf); + return ret; + } + ((struct seq_file *)file->private_data)->buf = buf; diff --git a/queue-3.14/iio-of_iio_channel_get_by_name-returns-non-null-pointers-for-error-legs.patch b/queue-3.14/iio-of_iio_channel_get_by_name-returns-non-null-pointers-for-error-legs.patch new file mode 100644 index 00000000000..4e2a68ea2a6 --- /dev/null +++ b/queue-3.14/iio-of_iio_channel_get_by_name-returns-non-null-pointers-for-error-legs.patch @@ -0,0 +1,54 @@ +From a2c12493ed7e63a18cef33a71686d12ffcd6600e Mon Sep 17 00:00:00 2001 +From: Adam Thomson +Date: Thu, 6 Nov 2014 12:11:00 +0000 +Subject: iio: of_iio_channel_get_by_name() returns non-null pointers for error legs + +From: Adam Thomson + +commit a2c12493ed7e63a18cef33a71686d12ffcd6600e upstream. + +Currently in the inkern.c code for IIO framework, the function +of_iio_channel_get_by_name() will return a non-NULL pointer when +it cannot find a channel using of_iio_channel_get() and when it +tries to search for 'io-channel-ranges' property and fails. This +is incorrect behaviour as the function which calls this expects +a NULL pointer for failure. This patch rectifies the issue. + +Signed-off-by: Adam Thomson +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/inkern.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/iio/inkern.c ++++ b/drivers/iio/inkern.c +@@ -183,7 +183,7 @@ static struct iio_channel *of_iio_channe + else if (name && index >= 0) { + pr_err("ERROR: could not get IIO channel %s:%s(%i)\n", + np->full_name, name ? name : "", index); +- return chan; ++ return NULL; + } + + /* +@@ -193,8 +193,9 @@ static struct iio_channel *of_iio_channe + */ + np = np->parent; + if (np && !of_get_property(np, "io-channel-ranges", NULL)) +- break; ++ return NULL; + } ++ + return chan; + } + +@@ -317,6 +318,7 @@ struct iio_channel *iio_channel_get(stru + if (channel != NULL) + return channel; + } ++ + return iio_channel_get_sys(name, channel_name); + } + EXPORT_SYMBOL_GPL(iio_channel_get); diff --git a/queue-3.14/irqchip-spear_shirq-fix-interrupt-offset.patch b/queue-3.14/irqchip-spear_shirq-fix-interrupt-offset.patch new file mode 100644 index 00000000000..5e4a5dfe443 --- /dev/null +++ b/queue-3.14/irqchip-spear_shirq-fix-interrupt-offset.patch @@ -0,0 +1,39 @@ +From 4f4366033945419b0c52118c29d3057d7c558765 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Thu, 19 Jun 2014 21:34:37 +0000 +Subject: irqchip: spear_shirq: Fix interrupt offset + +From: Thomas Gleixner + +commit 4f4366033945419b0c52118c29d3057d7c558765 upstream. + +The ras3 block on spear320 claims to have 3 interrupts. In fact it has +one and 6 reserved interrupts. Account the 6 reserved to this block so +it has 7 interrupts total. That matches the datasheet and the device +tree entries. + +Broken since commit 80515a5a(ARM: SPEAr3xx: shirq: simplify and move +the shared irq multiplexor to DT). Testing is overrated.... + +Signed-off-by: Thomas Gleixner +Link: https://lkml.kernel.org/r/20140619212712.872379208@linutronix.de +Fixes: 80515a5a2e3c ('ARM: SPEAr3xx: shirq: simplify and move the shared irq multiplexor to DT') +Acked-by: Viresh Kumar +Signed-off-by: Jason Cooper +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/irqchip/spear-shirq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/irqchip/spear-shirq.c ++++ b/drivers/irqchip/spear-shirq.c +@@ -125,7 +125,7 @@ static struct spear_shirq spear320_shirq + }; + + static struct spear_shirq spear320_shirq_ras3 = { +- .irq_nr = 3, ++ .irq_nr = 7, + .irq_bit_off = 0, + .invalid_irq = 1, + .regs = { diff --git a/queue-3.14/kvm-fix-wrong-address-when-writing-hyper-v-tsc-page.patch b/queue-3.14/kvm-fix-wrong-address-when-writing-hyper-v-tsc-page.patch new file mode 100644 index 00000000000..20a22cd625b --- /dev/null +++ b/queue-3.14/kvm-fix-wrong-address-when-writing-hyper-v-tsc-page.patch @@ -0,0 +1,35 @@ +From e1fa108d24697b78348fd4e5a531029a50d0d36d Mon Sep 17 00:00:00 2001 +From: Xiaoming Gao +Date: Thu, 19 Jun 2014 19:14:57 +0800 +Subject: kvm: fix wrong address when writing Hyper-V tsc page + +From: Xiaoming Gao + +commit e1fa108d24697b78348fd4e5a531029a50d0d36d upstream. + +When kvm_write_guest writes the tsc_ref structure to the guest, or it will lead +the low HV_X64_MSR_TSC_REFERENCE_ADDRESS_SHIFT bits of the TSC page address +must be cleared, or the guest can see a non-zero sequence number. + +Otherwise Windows guests would not be able to get a correct clocksource +(QueryPerformanceCounter will always return 0) which causes serious chaos. + +Signed-off-by: Xiaoming Gao +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -1866,7 +1866,7 @@ static int set_msr_hyperv_pw(struct kvm_ + if (!(data & HV_X64_MSR_TSC_REFERENCE_ENABLE)) + break; + gfn = data >> HV_X64_MSR_TSC_REFERENCE_ADDRESS_SHIFT; +- if (kvm_write_guest(kvm, data, ++ if (kvm_write_guest(kvm, gfn << HV_X64_MSR_TSC_REFERENCE_ADDRESS_SHIFT, + &tsc_ref, sizeof(tsc_ref))) + return 1; + mark_page_dirty(kvm, gfn); diff --git a/queue-3.14/kvm-x86-increase-the-number-of-fixed-mtrr-regs-to-10.patch b/queue-3.14/kvm-x86-increase-the-number-of-fixed-mtrr-regs-to-10.patch new file mode 100644 index 00000000000..434dbe1c8c4 --- /dev/null +++ b/queue-3.14/kvm-x86-increase-the-number-of-fixed-mtrr-regs-to-10.patch @@ -0,0 +1,33 @@ +From 682367c494869008eb89ef733f196e99415ae862 Mon Sep 17 00:00:00 2001 +From: Nadav Amit +Date: Wed, 18 Jun 2014 17:21:19 +0300 +Subject: KVM: x86: Increase the number of fixed MTRR regs to 10 + +From: Nadav Amit + +commit 682367c494869008eb89ef733f196e99415ae862 upstream. + +Recent Intel CPUs have 10 variable range MTRRs. Since operating systems +sometime make assumptions on CPUs while they ignore capability MSRs, it is +better for KVM to be consistent with recent CPUs. Reporting more MTRRs than +actually supported has no functional implications. + +Signed-off-by: Nadav Amit +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/kvm_host.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -99,7 +99,7 @@ static inline gfn_t gfn_to_index(gfn_t g + #define KVM_REFILL_PAGES 25 + #define KVM_MAX_CPUID_ENTRIES 80 + #define KVM_NR_FIXED_MTRR_REGION 88 +-#define KVM_NR_VAR_MTRR 8 ++#define KVM_NR_VAR_MTRR 10 + + #define ASYNC_PF_PER_VCPU 64 + diff --git a/queue-3.14/kvm-x86-preserve-the-high-32-bits-of-the-pat-register.patch b/queue-3.14/kvm-x86-preserve-the-high-32-bits-of-the-pat-register.patch new file mode 100644 index 00000000000..46bbbb02422 --- /dev/null +++ b/queue-3.14/kvm-x86-preserve-the-high-32-bits-of-the-pat-register.patch @@ -0,0 +1,32 @@ +From 7cb060a91c0efc5ff94f83c6df3ed705e143cdb9 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Thu, 19 Jun 2014 11:40:18 +0200 +Subject: KVM: x86: preserve the high 32-bits of the PAT register + +From: Paolo Bonzini + +commit 7cb060a91c0efc5ff94f83c6df3ed705e143cdb9 upstream. + +KVM does not really do much with the PAT, so this went unnoticed for a +long time. It is exposed however if you try to do rdmsr on the PAT +register. + +Reported-by: Valentine Sinitsyn +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/kvm_host.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -462,7 +462,7 @@ struct kvm_vcpu_arch { + bool nmi_injected; /* Trying to inject an NMI this entry */ + + struct mtrr_state_type mtrr_state; +- u32 pat; ++ u64 pat; + + int switch_db_regs; + unsigned long db[KVM_NR_DB_REGS]; diff --git a/queue-3.14/md-flush-writes-before-starting-a-recovery.patch b/queue-3.14/md-flush-writes-before-starting-a-recovery.patch new file mode 100644 index 00000000000..d1a737731c0 --- /dev/null +++ b/queue-3.14/md-flush-writes-before-starting-a-recovery.patch @@ -0,0 +1,63 @@ +From 133d4527eab8d199a62eee6bd433f0776842df2e Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Wed, 2 Jul 2014 12:04:14 +1000 +Subject: md: flush writes before starting a recovery. + +From: NeilBrown + +commit 133d4527eab8d199a62eee6bd433f0776842df2e upstream. + +When we write to a degraded array which has a bitmap, we +make sure the relevant bit in the bitmap remains set when +the write completes (so a 're-add' can quickly rebuilt a +temporarily-missing device). + +If, immediately after such a write starts, we incorporate a spare, +commence recovery, and skip over the region where the write is +happening (because the 'needs recovery' flag isn't set yet), +then that write will not get to the new device. + +Once the recovery finishes the new device will be trusted, but will +have incorrect data, leading to possible corruption. + +We cannot set the 'needs recovery' flag when we start the write as we +do not know easily if the write will be "degraded" or not. That +depends on details of the particular raid level and particular write +request. + +This patch fixes a corruption issue of long standing and so it +suitable for any -stable kernel. It applied correctly to 3.0 at +least and will minor editing to earlier kernels. + +Reported-by: Bill +Tested-by: Bill +Link: http://lkml.kernel.org/r/53A518BB.60709@sbcglobal.net +Signed-off-by: NeilBrown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/md.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -7505,6 +7505,19 @@ void md_do_sync(struct md_thread *thread + rdev->recovery_offset < j) + j = rdev->recovery_offset; + rcu_read_unlock(); ++ ++ /* If there is a bitmap, we need to make sure all ++ * writes that started before we added a spare ++ * complete before we start doing a recovery. ++ * Otherwise the write might complete and (via ++ * bitmap_endwrite) set a bit in the bitmap after the ++ * recovery has checked that bit and skipped that ++ * region. ++ */ ++ if (mddev->bitmap) { ++ mddev->pers->quiesce(mddev, 1); ++ mddev->pers->quiesce(mddev, 0); ++ } + } + + printk(KERN_INFO "md: %s of RAID array %s\n", desc, mdname(mddev)); diff --git a/queue-3.14/md-make-sure-get_array_info-ioctl-reports-correct-clean-status.patch b/queue-3.14/md-make-sure-get_array_info-ioctl-reports-correct-clean-status.patch new file mode 100644 index 00000000000..3f24ef84515 --- /dev/null +++ b/queue-3.14/md-make-sure-get_array_info-ioctl-reports-correct-clean-status.patch @@ -0,0 +1,36 @@ +From 9bd359203210efeb5d8f0d81c155079f34b47449 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Wed, 2 Jul 2014 11:35:06 +1000 +Subject: md: make sure GET_ARRAY_INFO ioctl reports correct "clean" status + +From: NeilBrown + +commit 9bd359203210efeb5d8f0d81c155079f34b47449 upstream. + +If an array has a bitmap, the when we set the "has bitmap" flag we +incorrectly clear the "is clean" flag. + +"is clean" isn't really important when a bitmap is present, but it is +best to get it right anyway. + +Reported-by: George Duffield +Link: http://lkml.kernel.org/CAG__1a4MRV6gJL38XLAurtoSiD3rLBTmWpcS5HYvPpSfPR88UQ@mail.gmail.com +Fixes: 36fa30636fb84b209210299684e1be66d9e58217 (v2.6.14) +Signed-off-by: NeilBrown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/md.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -5620,7 +5620,7 @@ static int get_array_info(struct mddev * + if (mddev->in_sync) + info.state = (1<bitmap && mddev->bitmap_info.offset) +- info.state = (1< +Date: Thu, 29 May 2014 16:31:00 +0300 +Subject: mlx4_core: Fix incorrect FLAGS1 bitmap test in mlx4_QUERY_FUNC_CAP + +From: Jack Morgenstein + +commit bc82878baa10c2a6a4a6affaf52c152935112142 upstream. + +Commit eb17711bc1d6 ("net/mlx4_core: Introduce nic_info new flag in +QUERY_FUNC_CAP") did: + + if (func_cap->flags1 & QUERY_FUNC_CAP_FLAGS1_OFFSET) { + +which should be: + + if (func_cap->flags1 & QUERY_FUNC_CAP_FLAGS1_FORCE_VLAN) { + +Fix that. + +Fixes: eb17711bc1d6 ("net/mlx4_core: Introduce nic_info new flag in QUERY_FUNC_CAP") +Signed-off-by: Jack Morgenstein +Signed-off-by: Or Gerlitz +Signed-off-by: Roland Dreier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/mellanox/mlx4/fw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/fw.c ++++ b/drivers/net/ethernet/mellanox/mlx4/fw.c +@@ -398,7 +398,7 @@ int mlx4_QUERY_FUNC_CAP(struct mlx4_dev + + MLX4_GET(func_cap->flags1, outbox, QUERY_FUNC_CAP_FLAGS1_OFFSET); + if (dev->caps.port_type[gen_or_port] == MLX4_PORT_TYPE_ETH) { +- if (func_cap->flags1 & QUERY_FUNC_CAP_FLAGS1_OFFSET) { ++ if (func_cap->flags1 & QUERY_FUNC_CAP_FLAGS1_FORCE_VLAN) { + mlx4_err(dev, "VLAN is enforced on this port\n"); + err = -EPROTONOSUPPORT; + goto out; diff --git a/queue-3.14/mm-page_alloc-fix-cma-area-initialisation-when-pageblock-max_order.patch b/queue-3.14/mm-page_alloc-fix-cma-area-initialisation-when-pageblock-max_order.patch new file mode 100644 index 00000000000..134b695c882 --- /dev/null +++ b/queue-3.14/mm-page_alloc-fix-cma-area-initialisation-when-pageblock-max_order.patch @@ -0,0 +1,96 @@ +From dc78327c0ea7da5186d8cbc1647bd6088c5c9fa5 Mon Sep 17 00:00:00 2001 +From: Michal Nazarewicz +Date: Wed, 2 Jul 2014 15:22:35 -0700 +Subject: mm: page_alloc: fix CMA area initialisation when pageblock > MAX_ORDER +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michal Nazarewicz + +commit dc78327c0ea7da5186d8cbc1647bd6088c5c9fa5 upstream. + +With a kernel configured with ARM64_64K_PAGES && !TRANSPARENT_HUGEPAGE, +the following is triggered at early boot: + + SMP: Total of 8 processors activated. + devtmpfs: initialized + Unable to handle kernel NULL pointer dereference at virtual address 00000008 + pgd = fffffe0000050000 + [00000008] *pgd=00000043fba00003, *pmd=00000043fba00003, *pte=00e0000078010407 + Internal error: Oops: 96000006 [#1] SMP + Modules linked in: + CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.15.0-rc864k+ #44 + task: fffffe03bc040000 ti: fffffe03bc080000 task.ti: fffffe03bc080000 + PC is at __list_add+0x10/0xd4 + LR is at free_one_page+0x270/0x638 + ... + Call trace: + __list_add+0x10/0xd4 + free_one_page+0x26c/0x638 + __free_pages_ok.part.52+0x84/0xbc + __free_pages+0x74/0xbc + init_cma_reserved_pageblock+0xe8/0x104 + cma_init_reserved_areas+0x190/0x1e4 + do_one_initcall+0xc4/0x154 + kernel_init_freeable+0x204/0x2a8 + kernel_init+0xc/0xd4 + +This happens because init_cma_reserved_pageblock() calls +__free_one_page() with pageblock_order as page order but it is bigger +than MAX_ORDER. This in turn causes accesses past zone->free_list[]. + +Fix the problem by changing init_cma_reserved_pageblock() such that it +splits pageblock into individual MAX_ORDER pages if pageblock is bigger +than a MAX_ORDER page. + +In cases where !CONFIG_HUGETLB_PAGE_SIZE_VARIABLE, which is all +architectures expect for ia64, powerpc and tile at the moment, the +“pageblock_order > MAX_ORDER” condition will be optimised out since both +sides of the operator are constants. In cases where pageblock size is +variable, the performance degradation should not be significant anyway +since init_cma_reserved_pageblock() is called only at boot time at most +MAX_CMA_AREAS times which by default is eight. + +Signed-off-by: Michal Nazarewicz +Reported-by: Mark Salter +Tested-by: Mark Salter +Tested-by: Christopher Covington +Cc: Mel Gorman +Cc: David Rientjes +Cc: Marek Szyprowski +Cc: Catalin Marinas +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/page_alloc.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -799,9 +799,21 @@ void __init init_cma_reserved_pageblock( + set_page_count(p, 0); + } while (++p, --i); + +- set_page_refcounted(page); + set_pageblock_migratetype(page, MIGRATE_CMA); +- __free_pages(page, pageblock_order); ++ ++ if (pageblock_order >= MAX_ORDER) { ++ i = pageblock_nr_pages; ++ p = page; ++ do { ++ set_page_refcounted(p); ++ __free_pages(p, MAX_ORDER - 1); ++ p += MAX_ORDER_NR_PAGES; ++ } while (i -= MAX_ORDER_NR_PAGES); ++ } else { ++ set_page_refcounted(page); ++ __free_pages(page, pageblock_order); ++ } ++ + adjust_managed_page_count(page, pageblock_nr_pages); + } + #endif diff --git a/queue-3.14/nfsd-fix-rare-symlink-decoding-bug.patch b/queue-3.14/nfsd-fix-rare-symlink-decoding-bug.patch new file mode 100644 index 00000000000..e8ee9a7e94d --- /dev/null +++ b/queue-3.14/nfsd-fix-rare-symlink-decoding-bug.patch @@ -0,0 +1,96 @@ +From 76f47128f9b33af1e96819746550d789054c9664 Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Thu, 19 Jun 2014 16:44:48 -0400 +Subject: nfsd: fix rare symlink decoding bug + +From: "J. Bruce Fields" + +commit 76f47128f9b33af1e96819746550d789054c9664 upstream. + +An NFS operation that creates a new symlink includes the symlink data, +which is xdr-encoded as a length followed by the data plus 0 to 3 bytes +of zero-padding as required to reach a 4-byte boundary. + +The vfs, on the other hand, wants null-terminated data. + +The simple way to handle this would be by copying the data into a newly +allocated buffer with space for the final null. + +The current nfsd_symlink code tries to be more clever by skipping that +step in the (likely) case where the byte following the string is already +0. + +But that assumes that the byte following the string is ours to look at. +In fact, it might be the first byte of a page that we can't read, or of +some object that another task might modify. + +Worse, the NFSv4 code tries to fix the problem by actually writing to +that byte. + +In the NFSv2/v3 cases this actually appears to be safe: + + - nfs3svc_decode_symlinkargs explicitly null-terminates the data + (after first checking its length and copying it to a new + page). + - NFSv2 limits symlinks to 1k. The buffer holding the rpc + request is always at least a page, and the link data (and + previous fields) have maximum lengths that prevent the request + from reaching the end of a page. + +In the NFSv4 case the CREATE op is potentially just one part of a long +compound so can end up on the end of a page if you're unlucky. + +The minimal fix here is to copy and null-terminate in the NFSv4 case. +The nfsd_symlink() interface here seems too fragile, though. It should +really either do the copy itself every time or just require a +null-terminated string. + +Reported-by: Jeff Layton +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4proc.c | 9 --------- + fs/nfsd/nfs4xdr.c | 13 ++++++++++++- + 2 files changed, 12 insertions(+), 10 deletions(-) + +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -618,15 +618,6 @@ nfsd4_create(struct svc_rqst *rqstp, str + + switch (create->cr_type) { + case NF4LNK: +- /* ugh! we have to null-terminate the linktext, or +- * vfs_symlink() will choke. it is always safe to +- * null-terminate by brute force, since at worst we +- * will overwrite the first byte of the create namelen +- * in the XDR buffer, which has already been extracted +- * during XDR decode. +- */ +- create->cr_linkname[create->cr_linklen] = 0; +- + status = nfsd_symlink(rqstp, &cstate->current_fh, + create->cr_name, create->cr_namelen, + create->cr_linkname, create->cr_linklen, +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -602,7 +602,18 @@ nfsd4_decode_create(struct nfsd4_compoun + READ_BUF(4); + READ32(create->cr_linklen); + READ_BUF(create->cr_linklen); +- SAVEMEM(create->cr_linkname, create->cr_linklen); ++ /* ++ * The VFS will want a null-terminated string, and ++ * null-terminating in place isn't safe since this might ++ * end on a page boundary: ++ */ ++ create->cr_linkname = ++ kmalloc(create->cr_linklen + 1, GFP_KERNEL); ++ if (!create->cr_linkname) ++ return nfserr_jukebox; ++ memcpy(create->cr_linkname, p, create->cr_linklen); ++ create->cr_linkname[create->cr_linklen] = '\0'; ++ defer_free(argp, kfree, create->cr_linkname); + break; + case NF4BLK: + case NF4CHR: diff --git a/queue-3.14/nick-kvfree-from-apparmor.patch b/queue-3.14/nick-kvfree-from-apparmor.patch new file mode 100644 index 00000000000..e66aa8bd47e --- /dev/null +++ b/queue-3.14/nick-kvfree-from-apparmor.patch @@ -0,0 +1,88 @@ +From 39f1f78d53b9bcbca91967380c5f0f2305a5c55f Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Tue, 6 May 2014 14:02:53 -0400 +Subject: nick kvfree() from apparmor + +From: Al Viro + +commit 39f1f78d53b9bcbca91967380c5f0f2305a5c55f upstream. + +too many places open-code it + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/mm.h | 2 ++ + mm/util.c | 10 ++++++++++ + security/apparmor/include/apparmor.h | 1 - + security/apparmor/lib.c | 14 -------------- + 4 files changed, 12 insertions(+), 15 deletions(-) + +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -362,6 +362,8 @@ static inline int is_vmalloc_or_module_a + } + #endif + ++extern void kvfree(const void *addr); ++ + static inline void compound_lock(struct page *page) + { + #ifdef CONFIG_TRANSPARENT_HUGEPAGE +--- a/mm/util.c ++++ b/mm/util.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + + #include + +@@ -386,6 +387,15 @@ unsigned long vm_mmap(struct file *file, + } + EXPORT_SYMBOL(vm_mmap); + ++void kvfree(const void *addr) ++{ ++ if (is_vmalloc_addr(addr)) ++ vfree(addr); ++ else ++ kfree(addr); ++} ++EXPORT_SYMBOL(kvfree); ++ + struct address_space *page_mapping(struct page *page) + { + struct address_space *mapping = page->mapping; +--- a/security/apparmor/include/apparmor.h ++++ b/security/apparmor/include/apparmor.h +@@ -66,7 +66,6 @@ extern int apparmor_initialized __initda + char *aa_split_fqname(char *args, char **ns_name); + void aa_info_message(const char *str); + void *__aa_kvmalloc(size_t size, gfp_t flags); +-void kvfree(void *buffer); + + static inline void *kvmalloc(size_t size) + { +--- a/security/apparmor/lib.c ++++ b/security/apparmor/lib.c +@@ -104,17 +104,3 @@ void *__aa_kvmalloc(size_t size, gfp_t f + } + return buffer; + } +- +-/** +- * kvfree - free an allocation do by kvmalloc +- * @buffer: buffer to free (MAYBE_NULL) +- * +- * Free a buffer allocated by kvmalloc +- */ +-void kvfree(void *buffer) +-{ +- if (is_vmalloc_addr(buffer)) +- vfree(buffer); +- else +- kfree(buffer); +-} diff --git a/queue-3.14/proc-stat-convert-to-single_open_size.patch b/queue-3.14/proc-stat-convert-to-single_open_size.patch new file mode 100644 index 00000000000..f20c81645a8 --- /dev/null +++ b/queue-3.14/proc-stat-convert-to-single_open_size.patch @@ -0,0 +1,80 @@ +From f74373a5cc7a0155d232c4e999648c7a95435bb2 Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Wed, 2 Jul 2014 15:22:37 -0700 +Subject: /proc/stat: convert to single_open_size() + +From: Heiko Carstens + +commit f74373a5cc7a0155d232c4e999648c7a95435bb2 upstream. + +These two patches are supposed to "fix" failed order-4 memory +allocations which have been observed when reading /proc/stat. The +problem has been observed on s390 as well as on x86. + +To address the problem change the seq_file memory allocations to +fallback to use vmalloc, so that allocations also work if memory is +fragmented. + +This approach seems to be simpler and less intrusive than changing +/proc/stat to use an interator. Also it "fixes" other users as well, +which use seq_file's single_open() interface. + +This patch (of 2): + +Use seq_file's single_open_size() to preallocate a buffer that is large +enough to hold the whole output, instead of open coding it. Also +calculate the requested size using the number of online cpus instead of +possible cpus, since the size of the output only depends on the number +of online cpus. + +Signed-off-by: Heiko Carstens +Acked-by: David Rientjes +Cc: Ian Kent +Cc: Hendrik Brueckner +Cc: Thorsten Diehl +Cc: Andrea Righi +Cc: Christoph Hellwig +Cc: Al Viro +Cc: Stefan Bader +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/stat.c | 22 ++-------------------- + 1 file changed, 2 insertions(+), 20 deletions(-) + +--- a/fs/proc/stat.c ++++ b/fs/proc/stat.c +@@ -184,29 +184,11 @@ static int show_stat(struct seq_file *p, + + static int stat_open(struct inode *inode, struct file *file) + { +- size_t size = 1024 + 128 * num_possible_cpus(); +- char *buf; +- struct seq_file *m; +- int res; ++ size_t size = 1024 + 128 * num_online_cpus(); + + /* minimum size to display an interrupt count : 2 bytes */ + size += 2 * nr_irqs; +- +- /* don't ask for more than the kmalloc() max size */ +- if (size > KMALLOC_MAX_SIZE) +- size = KMALLOC_MAX_SIZE; +- buf = kmalloc(size, GFP_KERNEL); +- if (!buf) +- return -ENOMEM; +- +- res = single_open(file, show_stat, NULL); +- if (!res) { +- m = file->private_data; +- m->buf = buf; +- m->size = ksize(buf); +- } else +- kfree(buf); +- return res; ++ return single_open_size(file, show_stat, NULL, size); + } + + static const struct file_operations proc_stat_operations = { diff --git a/queue-3.14/series b/queue-3.14/series index 3776ae8aa19..cd8c70ffa1b 100644 --- a/queue-3.14/series +++ b/queue-3.14/series @@ -60,3 +60,22 @@ net-allwinner-emac-add-missing-free_irq.patch b43-fix-frequency-reported-on-g-phy-with-new-firmware.patch fs-cifs-fix-regression-in-cifs_create_mf_symlink.patch cifs-fix-mount-failure-with-broken-pathnames-when-smb3-mount-with-mapchars-option.patch +blkcg-fix-use-after-free-in-__blkg_release_rcu-by-making-blkcg_gq-refcnt-an-atomic_t.patch +ext4-fix-buffer-double-free-in-ext4_alloc_branch.patch +ext4-fix-hole-punching-for-files-with-indirect-blocks.patch +nick-kvfree-from-apparmor.patch +fs-seq_file-fallback-to-vmalloc-allocation.patch +kvm-x86-increase-the-number-of-fixed-mtrr-regs-to-10.patch +kvm-x86-preserve-the-high-32-bits-of-the-pat-register.patch +kvm-fix-wrong-address-when-writing-hyper-v-tsc-page.patch +iio-of_iio_channel_get_by_name-returns-non-null-pointers-for-error-legs.patch +staging-iio-ad7291-fix-error-code-in-ad7291_probe.patch +nfsd-fix-rare-symlink-decoding-bug.patch +tools-ffs-test-fix-header-values-endianess.patch +tracing-remove-ftrace_stop-start-from-reading-the-trace-file.patch +md-flush-writes-before-starting-a-recovery.patch +md-make-sure-get_array_info-ioctl-reports-correct-clean-status.patch +irqchip-spear_shirq-fix-interrupt-offset.patch +mm-page_alloc-fix-cma-area-initialisation-when-pageblock-max_order.patch +proc-stat-convert-to-single_open_size.patch +mlx4_core-fix-incorrect-flags1-bitmap-test-in-mlx4_query_func_cap.patch diff --git a/queue-3.14/staging-iio-ad7291-fix-error-code-in-ad7291_probe.patch b/queue-3.14/staging-iio-ad7291-fix-error-code-in-ad7291_probe.patch new file mode 100644 index 00000000000..ce49e1e7194 --- /dev/null +++ b/queue-3.14/staging-iio-ad7291-fix-error-code-in-ad7291_probe.patch @@ -0,0 +1,43 @@ +From b70e19c222a64018d308ebc80333575aff9f4e51 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 20 Jun 2014 20:22:00 +0100 +Subject: staging: iio/ad7291: fix error code in ad7291_probe() + +From: Dan Carpenter + +commit b70e19c222a64018d308ebc80333575aff9f4e51 upstream. + +We should be returning a negative error code instead of success here. + +This would have been detected by GCC, except that the "ret" variable was +initialized with a bogus value to disable GCC's uninitialized variable +warnings. I've cleaned that up, as well. + +Signed-off-by: Dan Carpenter +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/iio/adc/ad7291.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/staging/iio/adc/ad7291.c ++++ b/drivers/staging/iio/adc/ad7291.c +@@ -465,7 +465,7 @@ static int ad7291_probe(struct i2c_clien + struct ad7291_platform_data *pdata = client->dev.platform_data; + struct ad7291_chip_info *chip; + struct iio_dev *indio_dev; +- int ret = 0; ++ int ret; + + indio_dev = devm_iio_device_alloc(&client->dev, sizeof(*chip)); + if (!indio_dev) +@@ -475,7 +475,7 @@ static int ad7291_probe(struct i2c_clien + if (pdata && pdata->use_external_ref) { + chip->reg = devm_regulator_get(&client->dev, "vref"); + if (IS_ERR(chip->reg)) +- return ret; ++ return PTR_ERR(chip->reg); + + ret = regulator_enable(chip->reg); + if (ret) diff --git a/queue-3.14/tools-ffs-test-fix-header-values-endianess.patch b/queue-3.14/tools-ffs-test-fix-header-values-endianess.patch new file mode 100644 index 00000000000..dd3ca69eddb --- /dev/null +++ b/queue-3.14/tools-ffs-test-fix-header-values-endianess.patch @@ -0,0 +1,35 @@ +From f35f71244da6e51db4e1f2c7e318581f498ececf Mon Sep 17 00:00:00 2001 +From: Michal Nazarewicz +Date: Fri, 13 Jun 2014 15:38:05 +0200 +Subject: tools: ffs-test: fix header values endianess + +From: Michal Nazarewicz + +commit f35f71244da6e51db4e1f2c7e318581f498ececf upstream. + +It appears that no one ever run ffs-test on a big-endian machine, +since it used cpu-endianess for fs_count and hs_count fields which +should be in little-endian format. Fix by wrapping the numbers in +cpu_to_le32. + +Signed-off-by: Michal Nazarewicz +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + tools/usb/ffs-test.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/tools/usb/ffs-test.c ++++ b/tools/usb/ffs-test.c +@@ -116,8 +116,8 @@ static const struct { + .header = { + .magic = cpu_to_le32(FUNCTIONFS_DESCRIPTORS_MAGIC), + .length = cpu_to_le32(sizeof descriptors), +- .fs_count = 3, +- .hs_count = 3, ++ .fs_count = cpu_to_le32(3), ++ .hs_count = cpu_to_le32(3), + }, + .fs_descs = { + .intf = { diff --git a/queue-3.14/tracing-remove-ftrace_stop-start-from-reading-the-trace-file.patch b/queue-3.14/tracing-remove-ftrace_stop-start-from-reading-the-trace-file.patch new file mode 100644 index 00000000000..98576566fbe --- /dev/null +++ b/queue-3.14/tracing-remove-ftrace_stop-start-from-reading-the-trace-file.patch @@ -0,0 +1,40 @@ +From 099ed151675cd1d2dbeae1dac697975f6a68716d Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (Red Hat)" +Date: Tue, 24 Jun 2014 23:50:09 -0400 +Subject: tracing: Remove ftrace_stop/start() from reading the trace file + +From: "Steven Rostedt (Red Hat)" + +commit 099ed151675cd1d2dbeae1dac697975f6a68716d upstream. + +Disabling reading and writing to the trace file should not be able to +disable all function tracing callbacks. There's other users today +(like kprobes and perf). Reading a trace file should not stop those +from happening. + +Reviewed-by: Masami Hiramatsu +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -1355,7 +1355,6 @@ void tracing_start(void) + + arch_spin_unlock(&ftrace_max_lock); + +- ftrace_start(); + out: + raw_spin_unlock_irqrestore(&global_trace.start_lock, flags); + } +@@ -1402,7 +1401,6 @@ void tracing_stop(void) + struct ring_buffer *buffer; + unsigned long flags; + +- ftrace_stop(); + raw_spin_lock_irqsave(&global_trace.start_lock, flags); + if (global_trace.stop_count++) + goto out;