From: Greg Kroah-Hartman
Date: Wed, 14 Jan 2015 01:41:06 +0000 (-0800)
Subject: 3.18-stable patches
X-Git-Tag: v3.10.65~18
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b2941566068b9eb2d1e30fa57ac57eb12a43a40d;p=thirdparty%2Fkernel%2Fstable-queue.git
3.18-stable patches added patches: cdc-acm-memory-leak-in-error-case.patch drbd-fix-state-change-in-case-of-connection-timeout.patch drbd-merge_bvec_fn-properly-remap-bvm-bi_bdev.patch drivers-hv-util-make-struct-hv_do_fcopy-match-hyper-v-host-messages.patch drivers-hv-vmbus-fix-a-race-condition-when-unregistering-a-device.patch genhd-check-for-int-overflow-in-disk_expand_part_tbl.patch n_tty-fix-read_buf-race-condition-increment-read_head-after-pushing-data.patch reiserfs-destroy-allocated-commit-workqueue.patch serial-samsung-wait-for-transfer-completion-before-clock-disable.patch tracing-sched-check-preempt_count-for-current-when-reading-task-state.patch tty-serial-men_z135_uart-add-terminating-entry-for-men_z135_ids.patch writeback-fix-a-subtle-race-condition-in-i_dirty-clearing.patch xtensa-fix-kmap_prot-definition.patch
---
diff --git a/queue-3.18/cdc-acm-memory-leak-in-error-case.patch b/queue-3.18/cdc-acm-memory-leak-in-error-case.patch
new file mode 100644
index 00000000000..ff883dfc5c0
--- /dev/null
+++ b/queue-3.18/cdc-acm-memory-leak-in-error-case.patch
@@ -0,0 +1,30 @@
+From d908f8478a8d18e66c80a12adb27764920c1f1ca Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Thu, 20 Nov 2014 14:54:35 +0100
+Subject: cdc-acm: memory leak in error case
+
+From: Oliver Neukum
+
+commit d908f8478a8d18e66c80a12adb27764920c1f1ca upstream.
+
+If probe() fails not only the attributes need to be removed
+but also the memory freed.
+
+Reported-by: Ahmed Tamrawi
+Signed-off-by: Oliver Neukum
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/class/cdc-acm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1476,6 +1476,7 @@ alloc_fail8:
+ &dev_attr_wCountryCodes);
+ device_remove_file(&acm->control->dev,
+ &dev_attr_iCountryCodeRelDate);
++ kfree(acm->country_codes);
+ }
+ device_remove_file(&acm->control->dev, &dev_attr_bmCapabilities);
+ alloc_fail7:
diff --git a/queue-3.18/drbd-fix-state-change-in-case-of-connection-timeout.patch b/queue-3.18/drbd-fix-state-change-in-case-of-connection-timeout.patch
new file mode 100644
index 00000000000..ed5cc0f2711
--- /dev/null
+++ b/queue-3.18/drbd-fix-state-change-in-case-of-connection-timeout.patch
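Review bot: In the `alloc_fail8` error path of drivers/usb/class/cdc-acm.c, the added `kfree(acm->country_codes);` leaves the freed pointer stored in `acm`. The rest of the unwind and any release or destructor path for `acm` are outside this hunk, so it cannot be confirmed from here that nothing frees or reads `acm->country_codes` again; if anything does, the leak fix turns into a double free or use-after-free. Clearing the field directly after the free makes the error path safe either way: `acm->country_codes = NULL;`.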
@@ -0,0 +1,42 @@
+From 9581f97a687724ea41cf2e145dda4751161198c1 Mon Sep 17 00:00:00 2001
+From: Philipp Reisner
+Date: Mon, 10 Nov 2014 17:21:14 +0100
+Subject: drbd: Fix state change in case of connection timeout
+
+From: Philipp Reisner
+
+commit 9581f97a687724ea41cf2e145dda4751161198c1 upstream.
+
+A connection timeout affects all volumes of a resource!
+Under the following conditions:
+
+ A resource with multiple volumes
+ AND
+ ko-count >=1
+ AND
+ a write request triggers the timeout (ko-count * timeout)
+
+DRBD's internal state gets confused. That in turn may
+lead to very miss leading follow up failures. E.g.
+"BUG: scheduling while atomic"
+
+Signed-off-by: Philipp Reisner
+Signed-off-by: Lars Ellenberg
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/block/drbd/drbd_req.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/block/drbd/drbd_req.c
++++ b/drivers/block/drbd/drbd_req.c
+@@ -1629,7 +1629,7 @@ void request_timer_fn(unsigned long data
+ time_after(now, req_peer->pre_send_jif + ent) &&
+ !time_in_range(now, connection->last_reconnect_jif, connection->last_reconnect_jif + ent)) {
+ drbd_warn(device, "Remote failed to finish a request within ko-count * timeout\n");
+- _drbd_set_state(_NS(device, conn, C_TIMEOUT), CS_VERBOSE | CS_HARD, NULL);
++ _conn_request_state(connection, NS(conn, C_TIMEOUT), CS_VERBOSE | CS_HARD);
+ }
+ if (dt && oldest_submit_jif != now &&
+ time_after(now, oldest_submit_jif + dt) &&
diff --git a/queue-3.18/drbd-merge_bvec_fn-properly-remap-bvm-bi_bdev.patch b/queue-3.18/drbd-merge_bvec_fn-properly-remap-bvm-bi_bdev.patch
new file mode 100644
index 00000000000..ed49b8bccea
--- /dev/null
+++ b/queue-3.18/drbd-merge_bvec_fn-properly-remap-bvm-bi_bdev.patch
@@ -0,0 +1,31 @@
+From 3b9d35d744bb5139f9fed57f38c019bb8c7d351c Mon Sep 17 00:00:00 2001
+From: Lars Ellenberg
+Date: Mon, 10 Nov 2014 17:21:13 +0100
+Subject: drbd: merge_bvec_fn: properly remap bvm->bi_bdev
+
+From: Lars Ellenberg
+
+commit 3b9d35d744bb5139f9fed57f38c019bb8c7d351c upstream.
+
+This was not noticed for many years. Affects operation if
+md raid is used a backing device for DRBD.
+
+Signed-off-by: Philipp Reisner
+Signed-off-by: Lars Ellenberg
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/block/drbd/drbd_req.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/block/drbd/drbd_req.c
++++ b/drivers/block/drbd/drbd_req.c
+@@ -1545,6 +1545,7 @@ int drbd_merge_bvec(struct request_queue
+ struct request_queue * const b =
+ device->ldev->backing_bdev->bd_disk->queue;
+ if (b->merge_bvec_fn) {
++ bvm->bi_bdev = device->ldev->backing_bdev;
+ backing_limit = b->merge_bvec_fn(b, bvm, bvec);
+ limit = min(limit, backing_limit);
+ }
diff --git a/queue-3.18/drivers-hv-util-make-struct-hv_do_fcopy-match-hyper-v-host-messages.patch b/queue-3.18/drivers-hv-util-make-struct-hv_do_fcopy-match-hyper-v-host-messages.patch
new file mode 100644
index 00000000000..8ce5a0c31d7
--- /dev/null
+++ b/queue-3.18/drivers-hv-util-make-struct-hv_do_fcopy-match-hyper-v-host-messages.patch
@@ -0,0 +1,42 @@
+From 31d4ea1a093fcf668d5f95af44b8d41488bdb7ec Mon Sep 17 00:00:00 2001
+From: Vitaly Kuznetsov
+Date: Fri, 24 Oct 2014 12:20:27 +0200
+Subject: Drivers: hv: util: make struct hv_do_fcopy match Hyper-V host messages
+
+From: Vitaly Kuznetsov
+
+commit 31d4ea1a093fcf668d5f95af44b8d41488bdb7ec upstream.
+
+An attempt to fix fcopy on i586 (bc5a5b0 Drivers: hv: util: Properly pack the data
+for file copy functionality) led to a regression on x86_64 (and actually didn't fix
+i586 breakage). Fcopy messages from Hyper-V host come in the following format:
+
+struct do_fcopy_hdr | 36 bytes
+0000 | 4 bytes
+offset | 8 bytes
+size | 4 bytes
+data | 6144 bytes
+
+On x86_64 struct hv_do_fcopy matched this format without ' __attribute__((packed))'
+and on i586 adding ' __attribute__((packed))' to it doesn't change anything. Keep
+the structure packed and add padding to match re reality. Tested both i586 and x86_64
+on Hyper-V Server 2012 R2.
+
+Signed-off-by: Vitaly Kuznetsov
+Signed-off-by: K. Y. Srinivasan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/uapi/linux/hyperv.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/uapi/linux/hyperv.h
++++ b/include/uapi/linux/hyperv.h
+@@ -134,6 +134,7 @@ struct hv_start_fcopy {
+
+ struct hv_do_fcopy {
+ struct hv_fcopy_hdr hdr;
++ __u32 pad;
+ __u64 offset;
+ __u32 size;
+ __u8 data[DATA_FRAGMENT];
diff --git a/queue-3.18/drivers-hv-vmbus-fix-a-race-condition-when-unregistering-a-device.patch b/queue-3.18/drivers-hv-vmbus-fix-a-race-condition-when-unregistering-a-device.patch
new file mode 100644
index 00000000000..3a4d29dab13
--- /dev/null
+++ b/queue-3.18/drivers-hv-vmbus-fix-a-race-condition-when-unregistering-a-device.patch
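Review bot: The new `__u32 pad;` in `struct hv_do_fcopy` (include/uapi/linux/hyperv.h) has no comment, although it exists only to mirror the four bytes the host places between the 36-byte header and `offset`, and the struct is part of the userspace-visible ABI. A comment such as `/* 4 bytes sent by the host between hdr and offset; keeps offset at byte 40 */` would keep a later cleanup from dropping or reordering it. If the layout drifts, whoever consumes the message reads `offset` and `size` from the wrong bytes, so a compile-time check in the driver, e.g. `BUILD_BUG_ON(offsetof(struct hv_do_fcopy, offset) != 40);`, is worth adding. The struct's closing brace and its packing attribute are outside the hunk.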
@@ -0,0 +1,56 @@
+From 04a258c162a85c0f4ae56be67634dc43c9a4fa9b Mon Sep 17 00:00:00 2001
+From: Vitaly Kuznetsov
+Date: Tue, 4 Nov 2014 13:40:11 +0100
+Subject: Drivers: hv: vmbus: Fix a race condition when unregistering a device
+
+From: Vitaly Kuznetsov
+
+commit 04a258c162a85c0f4ae56be67634dc43c9a4fa9b upstream.
+
+When build with Debug the following crash is sometimes observed:
+Call Trace:
+ [] string+0x40/0x100
+ [] vsnprintf+0x218/0x5e0
+ [] ? trace_hardirqs_off+0xd/0x10
+ [] vscnprintf+0x11/0x30
+ [] vprintk+0xd0/0x5c0
+ [] ? vmbus_process_rescind_offer+0x0/0x110 [hv_vmbus]
+ [] printk+0x41/0x45
+ [] vmbus_device_unregister+0x2c/0x40 [hv_vmbus]
+ [] vmbus_process_rescind_offer+0x2b/0x110 [hv_vmbus]
+...
+
+This happens due to the following race: between 'if (channel->device_obj)' check
+in vmbus_process_rescind_offer() and pr_debug() in vmbus_device_unregister() the
+device can disappear. Fix the issue by taking an additional reference to the
+device before proceeding to vmbus_device_unregister().
+
+Signed-off-by: Vitaly Kuznetsov
+Signed-off-by: K. Y. Srinivasan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hv/channel_mgmt.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/hv/channel_mgmt.c
++++ b/drivers/hv/channel_mgmt.c
+@@ -216,9 +216,16 @@ static void vmbus_process_rescind_offer(
+ unsigned long flags;
+ struct vmbus_channel *primary_channel;
+ struct vmbus_channel_relid_released msg;
++ struct device *dev;
++
++ if (channel->device_obj) {
++ dev = get_device(&channel->device_obj->device);
++ if (dev) {
++ vmbus_device_unregister(channel->device_obj);
++ put_device(dev);
++ }
++ }
+
+- if (channel->device_obj)
+- vmbus_device_unregister(channel->device_obj);
+ memset(&msg, 0, sizeof(struct vmbus_channel_relid_released));
+ msg.child_relid = channel->offermsg.child_relid;
+ msg.header.msgtype = CHANNELMSG_RELID_RELEASED;
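Review bot: In `vmbus_process_rescind_offer()` the reference is taken only after `channel->device_obj` has been tested and dereferenced, so the window described in the commit message is narrowed rather than closed: nothing visible in the hunk prevents the device from going away between `if (channel->device_obj)` and `get_device(&channel->device_obj->device)`. The `if (dev)` test also looks ineffective, because `get_device()` hands back the pointer it was given and the address `&channel->device_obj->device` is never NULL once `device_obj` is non-NULL. If a lock serializes access to `device_obj`, it is outside this hunk; otherwise the check and the reference grab need to sit under the same lock the teardown path takes. The function body continues past the hunk.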
diff --git a/queue-3.18/genhd-check-for-int-overflow-in-disk_expand_part_tbl.patch b/queue-3.18/genhd-check-for-int-overflow-in-disk_expand_part_tbl.patch
new file mode 100644
index 00000000000..474041c8262
--- /dev/null
+++ b/queue-3.18/genhd-check-for-int-overflow-in-disk_expand_part_tbl.patch
@@ -0,0 +1,44 @@
+From 5fabcb4c33fe11c7e3afdf805fde26c1a54d0953 Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Wed, 19 Nov 2014 13:06:22 -0700
+Subject: genhd: check for int overflow in disk_expand_part_tbl()
+
+From: Jens Axboe
+
+commit 5fabcb4c33fe11c7e3afdf805fde26c1a54d0953 upstream.
+
+We can get here from blkdev_ioctl() -> blkpg_ioctl() -> add_partition()
+with a user passed in partno value. If we pass in 0x7fffffff, the
+new target in disk_expand_part_tbl() overflows the 'int' and we
+access beyond the end of ptbl->part[] and even write to it when we
+do the rcu_assign_pointer() to assign the new partition.
+
+Reported-by: David Ramos
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ block/genhd.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -1070,9 +1070,16 @@ int disk_expand_part_tbl(struct gendisk
+ struct disk_part_tbl *old_ptbl = disk->part_tbl;
+ struct disk_part_tbl *new_ptbl;
+ int len = old_ptbl ? old_ptbl->len : 0;
+- int target = partno + 1;
++ int i, target;
+ size_t size;
+- int i;
++
++ /*
++ * check for int overflow, since we can get here from blkpg_ioctl()
++ * with a user passed 'partno'.
++ */
++ target = partno + 1;
++ if (target < 0)
++ return -EINVAL;
+
+ /* disk_max_parts() is zero during initialization, ignore if so */
+ if (disk_max_parts(disk) && target > disk_max_parts(disk))
diff --git a/queue-3.18/n_tty-fix-read_buf-race-condition-increment-read_head-after-pushing-data.patch b/queue-3.18/n_tty-fix-read_buf-race-condition-increment-read_head-after-pushing-data.patch
new file mode 100644
index 00000000000..35615aa26d6
--- /dev/null
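Review bot: In `disk_expand_part_tbl()` the overflow is detected only after it has happened: `target = partno + 1;` runs first and `if (target < 0)` depends on the signed result wrapping, which is undefined behaviour in C unless the build forces wrapping semantics (the build flags are not visible here). Because `partno` is user-controlled through blkpg_ioctl(), test the input before the addition, e.g. `if (partno == INT_MAX) return -EINVAL;` ahead of `target = partno + 1;`, and keep the `target < 0` test for negative inputs. The rest of the function is outside the hunk, so how `target` feeds the table size is not visible from here.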
+++ b/queue-3.18/n_tty-fix-read_buf-race-condition-increment-read_head-after-pushing-data.patch
@@ -0,0 +1,42 @@
+From 8bfbe2de769afda051c56aba5450391670e769fc Mon Sep 17 00:00:00 2001
+From: Christian Riesch
+Date: Thu, 13 Nov 2014 05:53:26 +0100
+Subject: n_tty: Fix read_buf race condition, increment read_head after pushing data
+
+From: Christian Riesch
+
+commit 8bfbe2de769afda051c56aba5450391670e769fc upstream.
+
+Commit 19e2ad6a09f0c06dbca19c98e5f4584269d913dd ("n_tty: Remove overflow
+tests from receive_buf() path") moved the increment of read_head into
+the arguments list of read_buf_addr(). Function calls represent a
+sequence point in C. Therefore read_head is incremented before the
+character c is placed in the buffer. Since the circular read buffer is
+a lock-less design since commit 6d76bd2618535c581f1673047b8341fd291abc67
+("n_tty: Make N_TTY ldisc receive path lockless"), this creates a race
+condition that leads to communication errors.
+
+This patch modifies the code to increment read_head _after_ the data
+is placed in the buffer and thus fixes the race for non-SMP machines.
+To fix the problem for SMP machines, memory barriers must be added in
+a separate patch.
+
+Signed-off-by: Christian Riesch
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/n_tty.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/n_tty.c
++++ b/drivers/tty/n_tty.c
+@@ -321,7 +321,8 @@ static void n_tty_check_unthrottle(struc
+
+ static inline void put_tty_queue(unsigned char c, struct n_tty_data *ldata)
+ {
+- *read_buf_addr(ldata, ldata->read_head++) = c;
++ *read_buf_addr(ldata, ldata->read_head) = c;
++ ldata->read_head++;
+ }
+
+ /**
diff --git a/queue-3.18/reiserfs-destroy-allocated-commit-workqueue.patch b/queue-3.18/reiserfs-destroy-allocated-commit-workqueue.patch
new file mode 100644
index 00000000000..6f99e1a2bf7
--- /dev/null
+++ b/queue-3.18/reiserfs-destroy-allocated-commit-workqueue.patch
@@ -0,0 +1,41 @@
+From fa0c5540739320258c3e3a45aaae9dae467b2504 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby
+Date: Fri, 12 Dec 2014 16:29:29 +0100
+Subject: reiserfs: destroy allocated commit workqueue
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jiri Slaby
+
+commit fa0c5540739320258c3e3a45aaae9dae467b2504 upstream.
+
+When resirefs is trying to mount a partition, it creates a commit
+workqueue (sbi->commit_wq). But when mount fails later, the workqueue
+is not freed.
+
+Signed-off-by: Jiri Slaby
+Reported-by: auxsvr@gmail.com
+Reported-by: Benoît Monin
+Cc: Jan Kara
+Cc: reiserfs-devel@vger.kernel.org
+Fixes: 797d9016ceca69879bb273218810fa0beef46aac
+Signed-off-by: Jan Kara
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/reiserfs/super.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/reiserfs/super.c
++++ b/fs/reiserfs/super.c
+@@ -2161,6 +2161,9 @@ error_unlocked:
+ reiserfs_write_unlock(s);
+ }
+
++ if (sbi->commit_wq)
++ destroy_workqueue(sbi->commit_wq);
++
+ cancel_delayed_work_sync(&REISERFS_SB(s)->old_work);
+
+ reiserfs_free_bitmap_cache(s);
diff --git a/queue-3.18/serial-samsung-wait-for-transfer-completion-before-clock-disable.patch b/queue-3.18/serial-samsung-wait-for-transfer-completion-before-clock-disable.patch
new file mode 100644
index 00000000000..bb30ae8fbc6
--- /dev/null
+++ b/queue-3.18/serial-samsung-wait-for-transfer-completion-before-clock-disable.patch
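Review bot: At `error_unlocked:` in fs/reiserfs/super.c the workqueue is destroyed before `cancel_delayed_work_sync(&REISERFS_SB(s)->old_work);` has run. If the `old_work` handler can queue anything on `commit_wq` (its body is not in this hunk), it may still be running and touch a workqueue that was just destroyed; moving the two added lines below the `cancel_delayed_work_sync()` call removes that ordering question. The added code uses `sbi->` while the following line uses `REISERFS_SB(s)->`; the enclosing function starts outside the hunk, so it is assumed here that both name the same object.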
@@ -0,0 +1,41 @@
+From 1ff383a4c3eda8893ec61b02831826e1b1f46b41 Mon Sep 17 00:00:00 2001
+From: Robert Baldyga
+Date: Mon, 24 Nov 2014 07:56:21 +0100
+Subject: serial: samsung: wait for transfer completion before clock disable
+
+From: Robert Baldyga
+
+commit 1ff383a4c3eda8893ec61b02831826e1b1f46b41 upstream.
+
+This patch adds waiting until transmit buffer and shifter will be empty
+before clock disabling.
+
+Without this fix it's possible to have clock disabled while data was
+not transmited yet, which causes unproper state of TX line and problems
+in following data transfers.
+
+Signed-off-by: Robert Baldyga
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/samsung.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/tty/serial/samsung.c
++++ b/drivers/tty/serial/samsung.c
+@@ -559,11 +559,15 @@ static void s3c24xx_serial_pm(struct uar
+ unsigned int old)
+ {
+ struct s3c24xx_uart_port *ourport = to_ourport(port);
++ int timeout = 10000;
+
+ ourport->pm_level = level;
+
+ switch (level) {
+ case 3:
++ while (--timeout && !s3c24xx_serial_txempty_nofifo(port))
++ udelay(100);
++
+ if (!IS_ERR(ourport->baudclk))
+ clk_disable_unprepare(ourport->baudclk);
+
diff --git a/queue-3.18/series b/queue-3.18/series
index 85361132039..427a7640d00 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
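Review bot: In `s3c24xx_serial_pm()`, `case 3`, the drain loop gives up silently: when `timeout` reaches 0 the clock is disabled anyway, which is the very state the commit sets out to avoid, and nothing is logged. Report the expiry after the loop, e.g. `if (!timeout) dev_err(port->dev, "TX did not drain before clock disable\n");`. The loop can also busy-wait for roughly one second (10000 iterations of `udelay(100)`); whether this callback can run in atomic context is not visible here, so a comment stating the bound and why it was chosen would help. The switch statement continues outside the hunk.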
@@ -86,3 +86,16 @@ usb-renesas_usbhs-gadget-fix-null-pointer-dereference-in-ep_disable.patch
 usb-gadget-at91_udc-move-prepare-clk-into-process-context.patch
 usb-qcserial-add-support-for-hp-lt4112-lte-hspa-gobi-4g-modem.patch
 add-usb_ehci_exynos-to-multi_v7_defconfig.patch
+genhd-check-for-int-overflow-in-disk_expand_part_tbl.patch
+cdc-acm-memory-leak-in-error-case.patch
+drbd-merge_bvec_fn-properly-remap-bvm-bi_bdev.patch
+drbd-fix-state-change-in-case-of-connection-timeout.patch
+writeback-fix-a-subtle-race-condition-in-i_dirty-clearing.patch
+tracing-sched-check-preempt_count-for-current-when-reading-task-state.patch
+tty-serial-men_z135_uart-add-terminating-entry-for-men_z135_ids.patch
+serial-samsung-wait-for-transfer-completion-before-clock-disable.patch
+xtensa-fix-kmap_prot-definition.patch
+reiserfs-destroy-allocated-commit-workqueue.patch
+n_tty-fix-read_buf-race-condition-increment-read_head-after-pushing-data.patch
+drivers-hv-vmbus-fix-a-race-condition-when-unregistering-a-device.patch
+drivers-hv-util-make-struct-hv_do_fcopy-match-hyper-v-host-messages.patch
diff --git a/queue-3.18/tracing-sched-check-preempt_count-for-current-when-reading-task-state.patch b/queue-3.18/tracing-sched-check-preempt_count-for-current-when-reading-task-state.patch
new file mode 100644
index 00000000000..0abe2e50392
--- /dev/null
+++ b/queue-3.18/tracing-sched-check-preempt_count-for-current-when-reading-task-state.patch
@@ -0,0 +1,65 @@
+From aee4e5f3d3abb7a2239dd02f6d8fb173413fd02f Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Red Hat)"
+Date: Wed, 10 Dec 2014 17:31:07 -0500
+Subject: tracing/sched: Check preempt_count() for current when reading task->state
+
+From: "Steven Rostedt (Red Hat)"
+
+commit aee4e5f3d3abb7a2239dd02f6d8fb173413fd02f upstream.
+
+When recording the state of a task for the sched_switch tracepoint a check of
+task_preempt_count() is performed to see if PREEMPT_ACTIVE is set. This is
+because, technically, a task being preempted is really in the TASK_RUNNING
+state, and that is what should be recorded when tracing a sched_switch,
+even if the task put itself into another state (it hasn't scheduled out
+in that state yet).
+
+But with the change to use per_cpu preempt counts, the
+task_thread_info(p)->preempt_count is no longer used, and instead
+task_preempt_count(p) is used.
+
+The problem is that this does not use the current preempt count but a stale
+one from a previous sched_switch. The task_preempt_count(p) uses
+saved_preempt_count and not preempt_count(). But for tracing sched_switch,
+if p is current, we really want preempt_count().
+
+I hit this bug when I was tracing sleep and the call from do_nanosleep()
+scheduled out in the "RUNNING" state.
+
+ sleep-4290 [000] 537272.259992: sched_switch: sleep:4290 [120] R ==> swapper/0:0 [120]
+ sleep-4290 [000] 537272.260015: kernel_stack:
+=> __schedule (ffffffff8150864a)
+=> schedule (ffffffff815089f8)
+=> do_nanosleep (ffffffff8150b76c)
+=> hrtimer_nanosleep (ffffffff8108d66b)
+=> SyS_nanosleep (ffffffff8108d750)
+=> return_to_handler (ffffffff8150e8e5)
+=> tracesys_phase2 (ffffffff8150c844)
+
+After a bit of hair pulling, I found that the state was really
+TASK_INTERRUPTIBLE, but the saved_preempt_count had an old PREEMPT_ACTIVE
+set and caused the sched_switch tracepoint to show it as RUNNING.
+
+Link: http://lkml.kernel.org/r/20141210174428.3cb7542a@gandalf.local.home
+
+Acked-by: Ingo Molnar
+Cc: Peter Zijlstra
+Fixes: 01028747559a "sched: Create more preempt_count accessors"
+Signed-off-by: Steven Rostedt
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/trace/events/sched.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/trace/events/sched.h
++++ b/include/trace/events/sched.h
+@@ -100,7 +100,7 @@ static inline long __trace_sched_switch_
+ /*
+ * For all intents and purposes a preempted task is a running task.
+ */
+- if (task_preempt_count(p) & PREEMPT_ACTIVE)
++ if (preempt_count() & PREEMPT_ACTIVE)
+ state = TASK_RUNNING | TASK_STATE_MAX;
+ #endif
+
diff --git a/queue-3.18/tty-serial-men_z135_uart-add-terminating-entry-for-men_z135_ids.patch b/queue-3.18/tty-serial-men_z135_uart-add-terminating-entry-for-men_z135_ids.patch
new file mode 100644
index 00000000000..770119a5697
--- /dev/null
+++ b/queue-3.18/tty-serial-men_z135_uart-add-terminating-entry-for-men_z135_ids.patch
@@ -0,0 +1,28 @@
+From 6b1f40cf4840820051d69646af0b6503878cb1bc Mon Sep 17 00:00:00 2001
+From: Axel Lin
+Date: Mon, 10 Nov 2014 16:05:03 +0800
+Subject: tty: serial: men_z135_uart: Add terminating entry for men_z135_ids
+
+From: Axel Lin
+
+commit 6b1f40cf4840820051d69646af0b6503878cb1bc upstream.
+
+The mcb_device_id table is supposed to be zero-terminated.
+
+Signed-off-by: Axel Lin
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/men_z135_uart.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/tty/serial/men_z135_uart.c
++++ b/drivers/tty/serial/men_z135_uart.c
+@@ -809,6 +809,7 @@ static void men_z135_remove(struct mcb_d
+
+ static const struct mcb_device_id men_z135_ids[] = {
+ { .device = 0x87 },
++ { }
+ };
+ MODULE_DEVICE_TABLE(mcb, men_z135_ids);
+
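Review bot: In `__trace_sched_switch_state()` (include/trace/events/sched.h) the parameter `p` is no longer consulted for the PREEMPT_ACTIVE test; `preempt_count()` describes the running task, so the result is only right when `p` is the current task. The commit message names that as the intended case, but the code neither states nor enforces it. Extend the existing comment, e.g. `/* Callers must pass current: preempt_count() is read for the running task, task_preempt_count(p) would return a stale saved value. */`, so that a future caller passing another task is not silently misreported. The function begins and ends outside the hunk.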
diff --git a/queue-3.18/writeback-fix-a-subtle-race-condition-in-i_dirty-clearing.patch b/queue-3.18/writeback-fix-a-subtle-race-condition-in-i_dirty-clearing.patch
new file mode 100644
index 00000000000..bea1ce6963c
--- /dev/null
+++ b/queue-3.18/writeback-fix-a-subtle-race-condition-in-i_dirty-clearing.patch
@@ -0,0 +1,126 @@
+From 9c6ac78eb3521c5937b2dd8a7d1b300f41092f45 Mon Sep 17 00:00:00 2001
+From: Tejun Heo
+Date: Fri, 24 Oct 2014 15:38:21 -0400
+Subject: writeback: fix a subtle race condition in I_DIRTY clearing
+
+From: Tejun Heo
+
+commit 9c6ac78eb3521c5937b2dd8a7d1b300f41092f45 upstream.
+
+After invoking ->dirty_inode(), __mark_inode_dirty() does smp_mb() and
+tests inode->i_state locklessly to see whether it already has all the
+necessary I_DIRTY bits set. The comment above the barrier doesn't
+contain any useful information - memory barriers can't ensure "changes
+are seen by all cpus" by itself.
+
+And it sure enough was broken. Please consider the following
+scenario.
+
+ CPU 0 CPU 1
+ -------------------------------------------------------------------------------
+
+ enters __writeback_single_inode()
+ grabs inode->i_lock
+ tests PAGECACHE_TAG_DIRTY which is clear
+ enters __set_page_dirty()
+ grabs mapping->tree_lock
+ sets PAGECACHE_TAG_DIRTY
+ releases mapping->tree_lock
+ leaves __set_page_dirty()
+
+ enters __mark_inode_dirty()
+ smp_mb()
+ sees I_DIRTY_PAGES set
+ leaves __mark_inode_dirty()
+ clears I_DIRTY_PAGES
+ releases inode->i_lock
+
+Now @inode has dirty pages w/ I_DIRTY_PAGES clear. This doesn't seem
+to lead to an immediately critical problem because requeue_inode()
+later checks PAGECACHE_TAG_DIRTY instead of I_DIRTY_PAGES when
+deciding whether the inode needs to be requeued for IO and there are
+enough unintentional memory barriers inbetween, so while the inode
+ends up with inconsistent I_DIRTY_PAGES flag, it doesn't fall off the
+IO list.
+
+The lack of explicit barrier may also theoretically affect the other
+I_DIRTY bits which deal with metadata dirtiness. There is no
+guarantee that a strong enough barrier exists between
+I_DIRTY_[DATA]SYNC clearing and write_inode() writing out the dirtied
+inode. Filesystem inode writeout path likely has enough stuff which
+can behave as full barrier but it's theoretically possible that the
+writeout may not see all the updates from ->dirty_inode().
+
+Fix it by adding an explicit smp_mb() after I_DIRTY clearing. Note
+that I_DIRTY_PAGES needs a special treatment as it always needs to be
+cleared to be interlocked with the lockless test on
+__mark_inode_dirty() side. It's cleared unconditionally and
+reinstated after smp_mb() if the mapping still has dirty pages.
+
+Also add comments explaining how and why the barriers are paired.
+
+Lightly tested.
+
+Signed-off-by: Tejun Heo
+Cc: Jan Kara
+Cc: Mikulas Patocka
+Cc: Jens Axboe
+Cc: Al Viro
+Reviewed-by: Jan Kara
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/fs-writeback.c | 29 ++++++++++++++++++++++-------
+ 1 file changed, 22 insertions(+), 7 deletions(-)
+
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -479,12 +479,28 @@ __writeback_single_inode(struct inode *i
+ * write_inode()
+ */
+ spin_lock(&inode->i_lock);
+- /* Clear I_DIRTY_PAGES if we've written out all dirty pages */
+- if (!mapping_tagged(mapping, PAGECACHE_TAG_DIRTY))
+- inode->i_state &= ~I_DIRTY_PAGES;
++
+ dirty = inode->i_state & I_DIRTY;
+- inode->i_state &= ~(I_DIRTY_SYNC | I_DIRTY_DATASYNC);
++ inode->i_state &= ~I_DIRTY;
++
++ /*
++ * Paired with smp_mb() in __mark_inode_dirty(). This allows
++ * __mark_inode_dirty() to test i_state without grabbing i_lock -
++ * either they see the I_DIRTY bits cleared or we see the dirtied
++ * inode.
++ *
++ * I_DIRTY_PAGES is always cleared together above even if @mapping
++ * still has dirty pages. The flag is reinstated after smp_mb() if
++ * necessary. This guarantees that either __mark_inode_dirty()
++ * sees clear I_DIRTY_PAGES or we see PAGECACHE_TAG_DIRTY.
++ */
++ smp_mb();
++
++ if (mapping_tagged(mapping, PAGECACHE_TAG_DIRTY))
++ inode->i_state |= I_DIRTY_PAGES;
++
+ spin_unlock(&inode->i_lock);
++
+ /* Don't write the inode if only I_DIRTY_PAGES was set */
+ if (dirty & (I_DIRTY_SYNC | I_DIRTY_DATASYNC)) {
+ int err = write_inode(inode, wbc);
+@@ -1148,12 +1164,11 @@ void __mark_inode_dirty(struct inode *in
+ }
+
+ /*
+- * make sure that changes are seen by all cpus before we test i_state
+- * -- mikulas
++ * Paired with smp_mb() in __writeback_single_inode() for the
++ * following lockless i_state test. See there for details.
+ */
+ smp_mb();
+
+- /* avoid the locking if we can */
+ if ((inode->i_state & flags) == flags)
+ return;
+
diff --git a/queue-3.18/xtensa-fix-kmap_prot-definition.patch b/queue-3.18/xtensa-fix-kmap_prot-definition.patch
new file mode 100644
index 00000000000..78911c5884f
--- /dev/null
+++ b/queue-3.18/xtensa-fix-kmap_prot-definition.patch
@@ -0,0 +1,30 @@
+From ff009ab6d4d4581b62fa055ab6233133aca25ab8 Mon Sep 17 00:00:00 2001
+From: Max Filippov
+Date: Tue, 9 Dec 2014 03:04:24 +0300
+Subject: xtensa: fix kmap_prot definition
+
+From: Max Filippov
+
+commit ff009ab6d4d4581b62fa055ab6233133aca25ab8 upstream.
+
+Replace PAGE_KERNEL with PAGE_KERNEL_EXEC to allow copy_to_user_page
+invalidate icache for pages mapped with kmap.
+
+Signed-off-by: Max Filippov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/xtensa/include/asm/highmem.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/xtensa/include/asm/highmem.h
++++ b/arch/xtensa/include/asm/highmem.h
+@@ -25,7 +25,7 @@
+ #define PKMAP_NR(virt) (((virt) - PKMAP_BASE) >> PAGE_SHIFT)
+ #define PKMAP_ADDR(nr) (PKMAP_BASE + ((nr) << PAGE_SHIFT))
+
+-#define kmap_prot PAGE_KERNEL
++#define kmap_prot PAGE_KERNEL_EXEC
+
+ #if DCACHE_WAY_SIZE > PAGE_SIZE
+ #define get_pkmap_color get_pkmap_color
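Review bot: In arch/xtensa/include/asm/highmem.h, `#define kmap_prot PAGE_KERNEL_EXEC` makes every kmap mapping executable, not only the ones that go through copy_to_user_page. That widens the set of kernel mappings that are both writable and executable (assuming PAGE_KERNEL_EXEC keeps write permission, which is not shown here), so the reason belongs next to the define, e.g. `/* EXEC is required so copy_to_user_page can invalidate icache on kmap'd pages */`. With that comment in place, the permission can be narrowed again if icache invalidation ever stops needing an executable mapping.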