From: Greg Kroah-Hartman Date: Mon, 7 Jul 2014 22:58:04 +0000 (-0700) Subject: 3.14-stable patches X-Git-Tag: v3.4.98~17 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=860111e661c59b1e139b4bd323d618e2f28c6fcf;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: aio-block-io_destroy-until-all-context-requests-are-completed.patch alsa-usb-audio-prevent-printk-ratelimiting-from-spamming-kernel-log-while-debug-not-defined.patch alsa-usb-audio-suppress-repetitive-debug-messages-from-retire_playback_urb.patch arch-unicore32-mm-alignment.c-include-asm-pgtable.h-to-avoid-compiling-error.patch audit-remove-superfluous-new-prefix-in-audit_login-messages.patch drivers-video-fbdev-fb-puv3.c-add-header-files-for-function-unifb_mmap.patch drm-i915-fix-display-power-sw-state-reporting.patch mm-numa-remove-bug_on-in-__handle_mm_fault.patch slab-fix-oops-when-reading-proc-slab_allocators.patch --- diff --git a/queue-3.14/aio-block-io_destroy-until-all-context-requests-are-completed.patch b/queue-3.14/aio-block-io_destroy-until-all-context-requests-are-completed.patch new file mode 100644 index 00000000000..8a2170e2ace --- /dev/null +++ b/queue-3.14/aio-block-io_destroy-until-all-context-requests-are-completed.patch @@ -0,0 +1,140 @@ +From e02ba72aabfade4c9cd6e3263e9b57bf890ad25c Mon Sep 17 00:00:00 2001 +From: Anatol Pomozov +Date: Tue, 15 Apr 2014 11:31:33 -0700 +Subject: aio: block io_destroy() until all context requests are completed + +From: Anatol Pomozov + +commit e02ba72aabfade4c9cd6e3263e9b57bf890ad25c upstream. + +deletes aio context and all resources related to. It makes sense that +no IO operations connected to the context should be running after the context +is destroyed. As we removed io_context we have no chance to +get requests status or call io_getevents(). + +man page for io_destroy says that this function may block until +all context's requests are completed. Before kernel 3.11 io_destroy() +blocked indeed, but since aio refactoring in 3.11 it is not true anymore. + +Here is a pseudo-code that shows a testcase for a race condition discovered +in 3.11: + + initialize io_context + io_submit(read to buffer) + io_destroy() + + // context is destroyed so we can free the resources + free(buffers); + + // if the buffer is allocated by some other user he'll be surprised + // to learn that the buffer still filled by an outstanding operation + // from the destroyed io_context + +The fix is straight-forward - add a completion struct and wait on it +in io_destroy, complete() should be called when number of in-fligh requests +reaches zero. + +If two or more io_destroy() called for the same context simultaneously then +only the first one waits for IO completion, other calls behaviour is undefined. + +Tested: ran http://pastebin.com/LrPsQ4RL testcase for several hours and + do not see the race condition anymore. + +Signed-off-by: Anatol Pomozov +Signed-off-by: Benjamin LaHaise +Cc: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/aio.c | 36 ++++++++++++++++++++++++++++++++---- + 1 file changed, 32 insertions(+), 4 deletions(-) + +--- a/fs/aio.c ++++ b/fs/aio.c +@@ -112,6 +112,11 @@ struct kioctx { + + struct work_struct free_work; + ++ /* ++ * signals when all in-flight requests are done ++ */ ++ struct completion *requests_done; ++ + struct { + /* + * This counts the number of available slots in the ringbuffer, +@@ -508,6 +513,10 @@ static void free_ioctx_reqs(struct percp + { + struct kioctx *ctx = container_of(ref, struct kioctx, reqs); + ++ /* At this point we know that there are no any in-flight requests */ ++ if (ctx->requests_done) ++ complete(ctx->requests_done); ++ + INIT_WORK(&ctx->free_work, free_ioctx); + schedule_work(&ctx->free_work); + } +@@ -718,7 +727,8 @@ err: + * when the processes owning a context have all exited to encourage + * the rapid destruction of the kioctx. + */ +-static void kill_ioctx(struct mm_struct *mm, struct kioctx *ctx) ++static void kill_ioctx(struct mm_struct *mm, struct kioctx *ctx, ++ struct completion *requests_done) + { + if (!atomic_xchg(&ctx->dead, 1)) { + struct kioctx_table *table; +@@ -747,7 +757,11 @@ static void kill_ioctx(struct mm_struct + if (ctx->mmap_size) + vm_munmap(ctx->mmap_base, ctx->mmap_size); + ++ ctx->requests_done = requests_done; + percpu_ref_kill(&ctx->users); ++ } else { ++ if (requests_done) ++ complete(requests_done); + } + } + +@@ -809,7 +823,7 @@ void exit_aio(struct mm_struct *mm) + */ + ctx->mmap_size = 0; + +- kill_ioctx(mm, ctx); ++ kill_ioctx(mm, ctx, NULL); + } + } + +@@ -1187,7 +1201,7 @@ SYSCALL_DEFINE2(io_setup, unsigned, nr_e + if (!IS_ERR(ioctx)) { + ret = put_user(ioctx->user_id, ctxp); + if (ret) +- kill_ioctx(current->mm, ioctx); ++ kill_ioctx(current->mm, ioctx, NULL); + percpu_ref_put(&ioctx->users); + } + +@@ -1205,8 +1219,22 @@ SYSCALL_DEFINE1(io_destroy, aio_context_ + { + struct kioctx *ioctx = lookup_ioctx(ctx); + if (likely(NULL != ioctx)) { +- kill_ioctx(current->mm, ioctx); ++ struct completion requests_done = ++ COMPLETION_INITIALIZER_ONSTACK(requests_done); ++ ++ /* Pass requests_done to kill_ioctx() where it can be set ++ * in a thread-safe way. If we try to set it here then we have ++ * a race condition if two io_destroy() called simultaneously. ++ */ ++ kill_ioctx(current->mm, ioctx, &requests_done); + percpu_ref_put(&ioctx->users); ++ ++ /* Wait until all IO for the context are done. Otherwise kernel ++ * keep using user-space buffers even if user thinks the context ++ * is destroyed. ++ */ ++ wait_for_completion(&requests_done); ++ + return 0; + } + pr_debug("EINVAL: io_destroy: invalid context id\n"); diff --git a/queue-3.14/alsa-usb-audio-prevent-printk-ratelimiting-from-spamming-kernel-log-while-debug-not-defined.patch b/queue-3.14/alsa-usb-audio-prevent-printk-ratelimiting-from-spamming-kernel-log-while-debug-not-defined.patch new file mode 100644 index 00000000000..153c4436e3f --- /dev/null +++ b/queue-3.14/alsa-usb-audio-prevent-printk-ratelimiting-from-spamming-kernel-log-while-debug-not-defined.patch @@ -0,0 +1,49 @@ +From b7a7723513dc89f83d6df13206df55d4dc26e825 Mon Sep 17 00:00:00 2001 +From: Sander Eikelenboom +Date: Fri, 2 May 2014 15:09:27 +0200 +Subject: ALSA: usb-audio: Prevent printk ratelimiting from spamming kernel log while DEBUG not defined + +From: Sander Eikelenboom + +commit b7a7723513dc89f83d6df13206df55d4dc26e825 upstream. + +This (widely used) construction: + +if(printk_ratelimit()) + dev_dbg() + +Causes the ratelimiting to spam the kernel log with the "callbacks suppressed" +message below, even while the dev_dbg it is supposed to rate limit wouldn't +print anything because DEBUG is not defined for this device. + +[ 533.803964] retire_playback_urb: 852 callbacks suppressed +[ 538.807930] retire_playback_urb: 852 callbacks suppressed +[ 543.811897] retire_playback_urb: 852 callbacks suppressed +[ 548.815745] retire_playback_urb: 852 callbacks suppressed +[ 553.819826] retire_playback_urb: 852 callbacks suppressed + +So use dev_dbg_ratelimited() instead of this construction. + +Signed-off-by: Sander Eikelenboom +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/pcm.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -1487,9 +1487,9 @@ static void retire_playback_urb(struct s + * The error should be lower than 2ms since the estimate relies + * on two reads of a counter updated every ms. + */ +- if (printk_ratelimit() && +- abs(est_delay - subs->last_delay) * 1000 > runtime->rate * 2) +- snd_printk(KERN_DEBUG "delay: estimated %d, actual %d\n", ++ if (abs(est_delay - subs->last_delay) * 1000 > runtime->rate * 2) ++ dev_dbg_ratelimited(&subs->dev->dev, ++ "delay: estimated %d, actual %d\n", + est_delay, subs->last_delay); + + if (!subs->running) { diff --git a/queue-3.14/alsa-usb-audio-suppress-repetitive-debug-messages-from-retire_playback_urb.patch b/queue-3.14/alsa-usb-audio-suppress-repetitive-debug-messages-from-retire_playback_urb.patch new file mode 100644 index 00000000000..dc0e1a6bff4 --- /dev/null +++ b/queue-3.14/alsa-usb-audio-suppress-repetitive-debug-messages-from-retire_playback_urb.patch @@ -0,0 +1,44 @@ +From a5065eb6da55b226661456e6a7435f605df98111 Mon Sep 17 00:00:00 2001 +From: Tim Gardner +Date: Wed, 9 Apr 2014 11:30:44 -0600 +Subject: ALSA: usb-audio: Suppress repetitive debug messages from retire_playback_urb() + +From: Tim Gardner + +commit a5065eb6da55b226661456e6a7435f605df98111 upstream. + +BugLink: http://bugs.launchpad.net/bugs/1305133 + +Malfunctioning or slow devices can cause a flood of dmesg SPAM. + +I've ignored checkpatch.pl complaints about the use of printk_ratelimit() in favour +of prior art in sound/usb/pcm.c. + +WARNING: Prefer printk_ratelimited or pr__ratelimited to printk_ratelimit ++ if (printk_ratelimit() && + +Cc: Jaroslav Kysela +Cc: Takashi Iwai +Cc: Eldad Zack +Cc: Daniel Mack +Cc: Clemens Ladisch +Signed-off-by: Tim Gardner +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/pcm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -1487,7 +1487,8 @@ static void retire_playback_urb(struct s + * The error should be lower than 2ms since the estimate relies + * on two reads of a counter updated every ms. + */ +- if (abs(est_delay - subs->last_delay) * 1000 > runtime->rate * 2) ++ if (printk_ratelimit() && ++ abs(est_delay - subs->last_delay) * 1000 > runtime->rate * 2) + snd_printk(KERN_DEBUG "delay: estimated %d, actual %d\n", + est_delay, subs->last_delay); + diff --git a/queue-3.14/arch-unicore32-mm-alignment.c-include-asm-pgtable.h-to-avoid-compiling-error.patch b/queue-3.14/arch-unicore32-mm-alignment.c-include-asm-pgtable.h-to-avoid-compiling-error.patch new file mode 100644 index 00000000000..cc43ac6ab3e --- /dev/null +++ b/queue-3.14/arch-unicore32-mm-alignment.c-include-asm-pgtable.h-to-avoid-compiling-error.patch @@ -0,0 +1,43 @@ +From 1ff38c56cbd095c4c0dfa581a859ba3557830f78 Mon Sep 17 00:00:00 2001 +From: Chen Gang +Date: Mon, 24 Mar 2014 20:17:44 +0800 +Subject: arch/unicore32/mm/alignment.c: include "asm/pgtable.h" to avoid compiling error + +From: Chen Gang + +commit 1ff38c56cbd095c4c0dfa581a859ba3557830f78 upstream. + +Need include "asm/pgtable.h" to include "asm-generic/pgtable-nopmd.h", +so can let 'pmd_t' defined. The related error with allmodconfig: + + CC arch/unicore32/mm/alignment.o + In file included from arch/unicore32/mm/alignment.c:24: + arch/unicore32/include/asm/tlbflush.h:135: error: expected .). before .*. token + arch/unicore32/include/asm/tlbflush.h:154: error: expected .). before .*. token + In file included from arch/unicore32/mm/alignment.c:27: + arch/unicore32/mm/mm.h:15: error: expected .=., .,., .;., .sm. or ._attribute__. before .*. token + arch/unicore32/mm/mm.h:20: error: expected .=., .,., .;., .sm. or ._attribute__. before .*. token + arch/unicore32/mm/mm.h:25: error: expected .=., .,., .;., .sm. or ._attribute__. before .*. token + make[1]: *** [arch/unicore32/mm/alignment.o] Error 1 + make: *** [arch/unicore32/mm] Error 2 + +Signed-off-by: Chen Gang +Acked-by: Xuetao Guan +Signed-off-by: Xuetao Guan +Cc: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman + +--- + arch/unicore32/mm/alignment.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/unicore32/mm/alignment.c ++++ b/arch/unicore32/mm/alignment.c +@@ -21,6 +21,7 @@ + #include + #include + ++#include + #include + #include + diff --git a/queue-3.14/audit-remove-superfluous-new-prefix-in-audit_login-messages.patch b/queue-3.14/audit-remove-superfluous-new-prefix-in-audit_login-messages.patch new file mode 100644 index 00000000000..1473e85038e --- /dev/null +++ b/queue-3.14/audit-remove-superfluous-new-prefix-in-audit_login-messages.patch @@ -0,0 +1,30 @@ +From aa589a13b5d00d3c643ee4114d8cbc3addb4e99f Mon Sep 17 00:00:00 2001 +From: Richard Guy Briggs +Date: Mon, 24 Feb 2014 12:31:11 -0500 +Subject: audit: remove superfluous new- prefix in AUDIT_LOGIN messages + +From: Richard Guy Briggs + +commit aa589a13b5d00d3c643ee4114d8cbc3addb4e99f upstream. + +The new- prefix on ses and auid are un-necessary and break ausearch. + +Signed-off-by: Richard Guy Briggs +Reported-by: Steve Grubb +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/auditsc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/auditsc.c ++++ b/kernel/auditsc.c +@@ -1991,7 +1991,7 @@ static void audit_log_set_loginuid(kuid_ + if (!ab) + return; + audit_log_format(ab, "pid=%d uid=%u" +- " old-auid=%u new-auid=%u old-ses=%u new-ses=%u" ++ " old-auid=%u auid=%u old-ses=%u ses=%u" + " res=%d", + current->pid, uid, + oldloginuid, loginuid, oldsessionid, sessionid, diff --git a/queue-3.14/drivers-video-fbdev-fb-puv3.c-add-header-files-for-function-unifb_mmap.patch b/queue-3.14/drivers-video-fbdev-fb-puv3.c-add-header-files-for-function-unifb_mmap.patch new file mode 100644 index 00000000000..b66ebafb924 --- /dev/null +++ b/queue-3.14/drivers-video-fbdev-fb-puv3.c-add-header-files-for-function-unifb_mmap.patch @@ -0,0 +1,50 @@ +From fbc6c4a13bbfb420eedfdb26a0a859f9c07e8a7b Mon Sep 17 00:00:00 2001 +From: Zhichuang SUN +Date: Wed, 21 May 2014 14:13:30 +0800 +Subject: drivers/video/fbdev/fb-puv3.c: Add header files for function unifb_mmap + +From: Zhichuang SUN + +commit fbc6c4a13bbfb420eedfdb26a0a859f9c07e8a7b upstream. + +Function unifb_mmap calls functions which are defined in linux/mm.h +and asm/pgtable.h + +The related error (for unicore32 with unicore32_defconfig): + CC drivers/video/fbdev/fb-puv3.o + drivers/video/fbdev/fb-puv3.c: In function 'unifb_mmap': + drivers/video/fbdev/fb-puv3.c:646: error: implicit declaration of + function 'vm_iomap_memory' + drivers/video/fbdev/fb-puv3.c:646: error: implicit declaration of + function 'pgprot_noncached' + +Signed-off-by: Zhichuang Sun +Cc: Jean-Christophe Plagniol-Villard +Cc: Tomi Valkeinen +Cc: Jingoo Han +Cc: Daniel Vetter +Cc: Joe Perches +Cc: Laurent Pinchart +Cc: linux-fbdev@vger.kernel.org +Acked-by: Xuetao Guan +Signed-off-by: Tomi Valkeinen +Cc: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/fb-puv3.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/video/fb-puv3.c ++++ b/drivers/video/fb-puv3.c +@@ -18,8 +18,10 @@ + #include + #include + #include ++#include + + #include ++#include + #include + + /* Platform_data reserved for unifb registers. */ diff --git a/queue-3.14/drm-i915-fix-display-power-sw-state-reporting.patch b/queue-3.14/drm-i915-fix-display-power-sw-state-reporting.patch new file mode 100644 index 00000000000..9b495ce1a19 --- /dev/null +++ b/queue-3.14/drm-i915-fix-display-power-sw-state-reporting.patch @@ -0,0 +1,62 @@ +From b8c000d9bf23e7c1155ef421f595d1cbc25262da Mon Sep 17 00:00:00 2001 +From: Imre Deak +Date: Mon, 2 Jun 2014 14:21:10 +0300 +Subject: drm/i915: fix display power sw state reporting + +From: Imre Deak + +commit b8c000d9bf23e7c1155ef421f595d1cbc25262da upstream. + +Atm, we refcount both power domains and power wells and +intel_display_power_enabled_sw() returns the power domain refcount. What +the callers are really interested in though is the sw state of the +underlying power wells. Due to this we will report incorrectly that a +given power domain is off if its power wells were enabled via another +power domain, for example POWER_DOMAIN_INIT which enables all power +wells. + +As a fix return instead the state based on the refcount of all power +wells included in the passed in power domain. + +References: https://bugs.freedesktop.org/show_bug.cgi?id=79505 +References: https://bugs.freedesktop.org/show_bug.cgi?id=79038 +Reported-by: Chris Wilson +Signed-off-by: Imre Deak +Reviewed-by: Damien Lespiau +Signed-off-by: Daniel Vetter +Acked-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_pm.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/intel_pm.c ++++ b/drivers/gpu/drm/i915/intel_pm.c +@@ -5138,10 +5138,25 @@ bool intel_display_power_enabled_sw(stru + { + struct drm_i915_private *dev_priv = dev->dev_private; + struct i915_power_domains *power_domains; ++ struct i915_power_well *power_well; ++ bool is_enabled; ++ int i; ++ ++ if (dev_priv->pm.suspended) ++ return false; + + power_domains = &dev_priv->power_domains; ++ is_enabled = true; ++ for_each_power_well_rev(i, power_well, BIT(domain), power_domains) { ++ if (power_well->always_on) ++ continue; + +- return power_domains->domain_use_count[domain]; ++ if (!power_well->count) { ++ is_enabled = false; ++ break; ++ } ++ } ++ return is_enabled; + } + + bool intel_display_power_enabled(struct drm_device *dev, diff --git a/queue-3.14/md-make-sure-get_array_info-ioctl-reports-correct-clean-status.patch b/queue-3.14/md-make-sure-get_array_info-ioctl-reports-correct-clean-status.patch deleted file mode 100644 index 3f24ef84515..00000000000 --- a/queue-3.14/md-make-sure-get_array_info-ioctl-reports-correct-clean-status.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 9bd359203210efeb5d8f0d81c155079f34b47449 Mon Sep 17 00:00:00 2001 -From: NeilBrown -Date: Wed, 2 Jul 2014 11:35:06 +1000 -Subject: md: make sure GET_ARRAY_INFO ioctl reports correct "clean" status - -From: NeilBrown - -commit 9bd359203210efeb5d8f0d81c155079f34b47449 upstream. - -If an array has a bitmap, the when we set the "has bitmap" flag we -incorrectly clear the "is clean" flag. - -"is clean" isn't really important when a bitmap is present, but it is -best to get it right anyway. - -Reported-by: George Duffield -Link: http://lkml.kernel.org/CAG__1a4MRV6gJL38XLAurtoSiD3rLBTmWpcS5HYvPpSfPR88UQ@mail.gmail.com -Fixes: 36fa30636fb84b209210299684e1be66d9e58217 (v2.6.14) -Signed-off-by: NeilBrown -Signed-off-by: Greg Kroah-Hartman - ---- - drivers/md/md.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/md/md.c -+++ b/drivers/md/md.c -@@ -5620,7 +5620,7 @@ static int get_array_info(struct mddev * - if (mddev->in_sync) - info.state = (1<bitmap && mddev->bitmap_info.offset) -- info.state = (1< +Date: Tue, 29 Apr 2014 15:36:15 -0400 +Subject: mm/numa: Remove BUG_ON() in __handle_mm_fault() + +From: Rik van Riel + +commit 107437febd495a50e2cd09c81bbaa84d30e57b07 upstream. + +Changing PTEs and PMDs to pte_numa & pmd_numa is done with the +mmap_sem held for reading, which means a pmd can be instantiated +and turned into a numa one while __handle_mm_fault() is examining +the value of old_pmd. + +If that happens, __handle_mm_fault() should just return and let +the page fault retry, instead of throwing an oops. This is +handled by the test for pmd_trans_huge(*pmd) below. + +Signed-off-by: Rik van Riel +Reviewed-by: Naoya Horiguchi +Reported-by: Sunil Pandey +Signed-off-by: Peter Zijlstra +Cc: Andrew Morton +Cc: Johannes Weiner +Cc: Kirill A. Shutemov +Cc: Linus Torvalds +Cc: Mel Gorman +Cc: linux-mm@kvack.org +Cc: lwoodman@redhat.com +Cc: dave.hansen@intel.com +Link: http://lkml.kernel.org/r/20140429153615.2d72098e@annuminas.surriel.com +Signed-off-by: Ingo Molnar +Patrick McLean +Signed-off-by: Greg Kroah-Hartman + +--- + mm/memory.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -3756,9 +3756,6 @@ static int __handle_mm_fault(struct mm_s + } + } + +- /* THP should already have been handled */ +- BUG_ON(pmd_numa(*pmd)); +- + /* + * Use __pte_alloc instead of pte_alloc_map, because we can't + * run pte_offset_map on the pmd, if an huge pmd could diff --git a/queue-3.14/series b/queue-3.14/series index 5efd7f03d43..30885606fad 100644 --- a/queue-3.14/series +++ b/queue-3.14/series @@ -74,7 +74,6 @@ nfsd-fix-rare-symlink-decoding-bug.patch tools-ffs-test-fix-header-values-endianess.patch tracing-remove-ftrace_stop-start-from-reading-the-trace-file.patch md-flush-writes-before-starting-a-recovery.patch -md-make-sure-get_array_info-ioctl-reports-correct-clean-status.patch irqchip-spear_shirq-fix-interrupt-offset.patch mm-page_alloc-fix-cma-area-initialisation-when-pageblock-max_order.patch proc-stat-convert-to-single_open_size.patch @@ -86,3 +85,12 @@ tty-correct-inpck-handling.patch netfilter-nf_nat-fix-oops-on-netns-removal.patch brcmfmac-fix-brcmf_chip_ai_coredisable-not-applying-reset.patch mmc-rtsx-add-r1-no-crc-mmc-command-type-handle.patch +drm-i915-fix-display-power-sw-state-reporting.patch +aio-block-io_destroy-until-all-context-requests-are-completed.patch +audit-remove-superfluous-new-prefix-in-audit_login-messages.patch +alsa-usb-audio-suppress-repetitive-debug-messages-from-retire_playback_urb.patch +alsa-usb-audio-prevent-printk-ratelimiting-from-spamming-kernel-log-while-debug-not-defined.patch +arch-unicore32-mm-alignment.c-include-asm-pgtable.h-to-avoid-compiling-error.patch +drivers-video-fbdev-fb-puv3.c-add-header-files-for-function-unifb_mmap.patch +mm-numa-remove-bug_on-in-__handle_mm_fault.patch +slab-fix-oops-when-reading-proc-slab_allocators.patch diff --git a/queue-3.14/slab-fix-oops-when-reading-proc-slab_allocators.patch b/queue-3.14/slab-fix-oops-when-reading-proc-slab_allocators.patch new file mode 100644 index 00000000000..b262ca7e986 --- /dev/null +++ b/queue-3.14/slab-fix-oops-when-reading-proc-slab_allocators.patch @@ -0,0 +1,278 @@ +From 03787301420376ae41fbaf4267f4a6253d152ac5 Mon Sep 17 00:00:00 2001 +From: Joonsoo Kim +Date: Mon, 23 Jun 2014 13:22:06 -0700 +Subject: slab: fix oops when reading /proc/slab_allocators + +From: Joonsoo Kim + +commit 03787301420376ae41fbaf4267f4a6253d152ac5 upstream. + +Commit b1cb0982bdd6 ("change the management method of free objects of +the slab") introduced a bug on slab leak detector +('/proc/slab_allocators'). This detector works like as following +decription. + + 1. traverse all objects on all the slabs. + 2. determine whether it is active or not. + 3. if active, print who allocate this object. + +but that commit changed the way how to manage free objects, so the logic +determining whether it is active or not is also changed. In before, we +regard object in cpu caches as inactive one, but, with this commit, we +mistakenly regard object in cpu caches as active one. + +This intoduces kernel oops if DEBUG_PAGEALLOC is enabled. If +DEBUG_PAGEALLOC is enabled, kernel_map_pages() is used to detect who +corrupt free memory in the slab. It unmaps page table mapping if object +is free and map it if object is active. When slab leak detector check +object in cpu caches, it mistakenly think this object active so try to +access object memory to retrieve caller of allocation. At this point, +page table mapping to this object doesn't exist, so oops occurs. + +Following is oops message reported from Dave. + +It blew up when something tried to read /proc/slab_allocators +(Just cat it, and you should see the oops below) + + Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC + Modules linked in: + [snip...] + CPU: 1 PID: 9386 Comm: trinity-c33 Not tainted 3.14.0-rc5+ #131 + task: ffff8801aa46e890 ti: ffff880076924000 task.ti: ffff880076924000 + RIP: 0010:[] [] handle_slab+0x8a/0x180 + RSP: 0018:ffff880076925de0 EFLAGS: 00010002 + RAX: 0000000000001000 RBX: 0000000000000000 RCX: 000000005ce85ce7 + RDX: ffffea00079be100 RSI: 0000000000001000 RDI: ffff880107458000 + RBP: ffff880076925e18 R08: 0000000000000001 R09: 0000000000000000 + R10: 0000000000000000 R11: 000000000000000f R12: ffff8801e6f84000 + R13: ffffea00079be100 R14: ffff880107458000 R15: ffff88022bb8d2c0 + FS: 00007fb769e45740(0000) GS:ffff88024d040000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: ffff8801e6f84ff8 CR3: 00000000a22db000 CR4: 00000000001407e0 + DR0: 0000000002695000 DR1: 0000000002695000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000070602 + Call Trace: + leaks_show+0xce/0x240 + seq_read+0x28e/0x490 + proc_reg_read+0x3d/0x80 + vfs_read+0x9b/0x160 + SyS_read+0x58/0xb0 + tracesys+0xd4/0xd9 + Code: f5 00 00 00 0f 1f 44 00 00 48 63 c8 44 3b 0c 8a 0f 84 e3 00 00 00 83 c0 01 44 39 c0 72 eb 41 f6 47 1a 01 0f 84 e9 00 00 00 89 f0 <4d> 8b 4c 04 f8 4d 85 c9 0f 84 88 00 00 00 49 8b 7e 08 4d 8d 46 + RIP handle_slab+0x8a/0x180 + +To fix the problem, I introduce an object status buffer on each slab. +With this, we can track object status precisely, so slab leak detector +would not access active object and no kernel oops would occur. Memory +overhead caused by this fix is only imposed to CONFIG_DEBUG_SLAB_LEAK +which is mainly used for debugging, so memory overhead isn't big +problem. + +Signed-off-by: Joonsoo Kim +Reported-by: Dave Jones +Reported-by: Tetsuo Handa +Reviewed-by: Vladimir Davydov +Cc: Christoph Lameter +Cc: Pekka Enberg +Cc: David Rientjes +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/slab.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++--------------- + 1 file changed, 68 insertions(+), 21 deletions(-) + +--- a/mm/slab.c ++++ b/mm/slab.c +@@ -375,6 +375,39 @@ static void **dbg_userword(struct kmem_c + + #endif + ++#define OBJECT_FREE (0) ++#define OBJECT_ACTIVE (1) ++ ++#ifdef CONFIG_DEBUG_SLAB_LEAK ++ ++static void set_obj_status(struct page *page, int idx, int val) ++{ ++ int freelist_size; ++ char *status; ++ struct kmem_cache *cachep = page->slab_cache; ++ ++ freelist_size = cachep->num * sizeof(unsigned int); ++ status = (char *)page->freelist + freelist_size; ++ status[idx] = val; ++} ++ ++static inline unsigned int get_obj_status(struct page *page, int idx) ++{ ++ int freelist_size; ++ char *status; ++ struct kmem_cache *cachep = page->slab_cache; ++ ++ freelist_size = cachep->num * sizeof(unsigned int); ++ status = (char *)page->freelist + freelist_size; ++ ++ return status[idx]; ++} ++ ++#else ++static inline void set_obj_status(struct page *page, int idx, int val) {} ++ ++#endif ++ + /* + * Do not go above this order unless 0 objects fit into the slab or + * overridden on the command line. +@@ -565,9 +598,18 @@ static inline struct array_cache *cpu_ca + return cachep->array[smp_processor_id()]; + } + +-static size_t slab_mgmt_size(size_t nr_objs, size_t align) ++static size_t calculate_freelist_size(int nr_objs, size_t align) + { +- return ALIGN(nr_objs * sizeof(unsigned int), align); ++ size_t freelist_size; ++ ++ freelist_size = nr_objs * sizeof(unsigned int); ++ if (IS_ENABLED(CONFIG_DEBUG_SLAB_LEAK)) ++ freelist_size += nr_objs * sizeof(char); ++ ++ if (align) ++ freelist_size = ALIGN(freelist_size, align); ++ ++ return freelist_size; + } + + /* +@@ -600,6 +642,10 @@ static void cache_estimate(unsigned long + nr_objs = slab_size / buffer_size; + + } else { ++ int extra_space = 0; ++ ++ if (IS_ENABLED(CONFIG_DEBUG_SLAB_LEAK)) ++ extra_space = sizeof(char); + /* + * Ignore padding for the initial guess. The padding + * is at most @align-1 bytes, and @buffer_size is at +@@ -608,17 +654,18 @@ static void cache_estimate(unsigned long + * into the memory allocation when taking the padding + * into account. + */ +- nr_objs = (slab_size) / (buffer_size + sizeof(unsigned int)); ++ nr_objs = (slab_size) / ++ (buffer_size + sizeof(unsigned int) + extra_space); + + /* + * This calculated number will be either the right + * amount, or one greater than what we want. + */ +- if (slab_mgmt_size(nr_objs, align) + nr_objs*buffer_size +- > slab_size) ++ if (calculate_freelist_size(nr_objs, align) > ++ slab_size - nr_objs * buffer_size) + nr_objs--; + +- mgmt_size = slab_mgmt_size(nr_objs, align); ++ mgmt_size = calculate_freelist_size(nr_objs, align); + } + *num = nr_objs; + *left_over = slab_size - nr_objs*buffer_size - mgmt_size; +@@ -2011,13 +2058,16 @@ static size_t calculate_slab_order(struc + continue; + + if (flags & CFLGS_OFF_SLAB) { ++ size_t freelist_size_per_obj = sizeof(unsigned int); + /* + * Max number of objs-per-slab for caches which + * use off-slab slabs. Needed to avoid a possible + * looping condition in cache_grow(). + */ ++ if (IS_ENABLED(CONFIG_DEBUG_SLAB_LEAK)) ++ freelist_size_per_obj += sizeof(char); + offslab_limit = size; +- offslab_limit /= sizeof(unsigned int); ++ offslab_limit /= freelist_size_per_obj; + + if (num > offslab_limit) + break; +@@ -2258,8 +2308,7 @@ __kmem_cache_create (struct kmem_cache * + if (!cachep->num) + return -E2BIG; + +- freelist_size = +- ALIGN(cachep->num * sizeof(unsigned int), cachep->align); ++ freelist_size = calculate_freelist_size(cachep->num, cachep->align); + + /* + * If the slab has been placed off-slab, and we have enough space then +@@ -2272,7 +2321,7 @@ __kmem_cache_create (struct kmem_cache * + + if (flags & CFLGS_OFF_SLAB) { + /* really off slab. No need for manual alignment */ +- freelist_size = cachep->num * sizeof(unsigned int); ++ freelist_size = calculate_freelist_size(cachep->num, 0); + + #ifdef CONFIG_PAGE_POISONING + /* If we're going to use the generic kernel_map_pages() +@@ -2589,6 +2638,7 @@ static void cache_init_objs(struct kmem_ + if (cachep->ctor) + cachep->ctor(objp); + #endif ++ set_obj_status(page, i, OBJECT_FREE); + slab_freelist(page)[i] = i; + } + } +@@ -2797,6 +2847,7 @@ static void *cache_free_debugcheck(struc + BUG_ON(objnr >= cachep->num); + BUG_ON(objp != index_to_obj(cachep, page, objnr)); + ++ set_obj_status(page, objnr, OBJECT_FREE); + if (cachep->flags & SLAB_POISON) { + #ifdef CONFIG_DEBUG_PAGEALLOC + if ((cachep->size % PAGE_SIZE)==0 && OFF_SLAB(cachep)) { +@@ -2930,6 +2981,8 @@ static inline void cache_alloc_debugchec + static void *cache_alloc_debugcheck_after(struct kmem_cache *cachep, + gfp_t flags, void *objp, unsigned long caller) + { ++ struct page *page; ++ + if (!objp) + return objp; + if (cachep->flags & SLAB_POISON) { +@@ -2960,6 +3013,9 @@ static void *cache_alloc_debugcheck_afte + *dbg_redzone1(cachep, objp) = RED_ACTIVE; + *dbg_redzone2(cachep, objp) = RED_ACTIVE; + } ++ ++ page = virt_to_head_page(objp); ++ set_obj_status(page, obj_to_index(cachep, page, objp), OBJECT_ACTIVE); + objp += obj_offset(cachep); + if (cachep->ctor && cachep->flags & SLAB_POISON) + cachep->ctor(objp); +@@ -4201,21 +4257,12 @@ static void handle_slab(unsigned long *n + struct page *page) + { + void *p; +- int i, j; ++ int i; + + if (n[0] == n[1]) + return; + for (i = 0, p = page->s_mem; i < c->num; i++, p += c->size) { +- bool active = true; +- +- for (j = page->active; j < c->num; j++) { +- /* Skip freed item */ +- if (slab_freelist(page)[j] == i) { +- active = false; +- break; +- } +- } +- if (!active) ++ if (get_obj_status(page, i) != OBJECT_ACTIVE) + continue; + + if (!add_caller(n, (unsigned long)*dbg_userword(c, p)))