From cb15bcadafe3558c7d144a82ebe5a0cb98d1082e Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 2 Jul 2014 16:20:42 -0700 Subject: [PATCH] 3.4-stable patches added patches: ubifs-remove-incorrect-assertion-in-shrink_tnc.patch watchdog-sp805-set-watchdog_device-timeout-from-set_timeout.patch --- queue-3.4/series | 2 + ...ve-incorrect-assertion-in-shrink_tnc.patch | 104 ++++++++++++++++++ ...hdog_device-timeout-from-set_timeout.patch | 50 +++++++++ 3 files changed, 156 insertions(+) create mode 100644 queue-3.4/ubifs-remove-incorrect-assertion-in-shrink_tnc.patch create mode 100644 queue-3.4/watchdog-sp805-set-watchdog_device-timeout-from-set_timeout.patch diff --git a/queue-3.4/series b/queue-3.4/series index 6bd135b5df2..00226ca86c0 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -3,3 +3,5 @@ pci-add-new-id-for-intel-gpu-spurious-interrupt-quirk.patch pci-fix-incorrect-vgaarb-conditional-in-warn_on.patch recordmcount-mips-fix-possible-incorrect-mcount_loc-table-entries-in-modules.patch mips-msc-prevent-out-of-bounds-writes-to-mips-sc-ioremap-d-region.patch +ubifs-remove-incorrect-assertion-in-shrink_tnc.patch +watchdog-sp805-set-watchdog_device-timeout-from-set_timeout.patch diff --git a/queue-3.4/ubifs-remove-incorrect-assertion-in-shrink_tnc.patch b/queue-3.4/ubifs-remove-incorrect-assertion-in-shrink_tnc.patch new file mode 100644 index 00000000000..a87039b5d7e --- /dev/null +++ b/queue-3.4/ubifs-remove-incorrect-assertion-in-shrink_tnc.patch @@ -0,0 +1,104 @@ +From 72abc8f4b4e8574318189886de627a2bfe6cd0da Mon Sep 17 00:00:00 2001 +From: hujianyang +Date: Sat, 31 May 2014 11:39:32 +0800 +Subject: UBIFS: Remove incorrect assertion in shrink_tnc() + +From: hujianyang + +commit 72abc8f4b4e8574318189886de627a2bfe6cd0da upstream. + +I hit the same assert failed as Dolev Raviv reported in Kernel v3.10 +shows like this: + +[ 9641.164028] UBIFS assert failed in shrink_tnc at 131 (pid 13297) +[ 9641.234078] CPU: 1 PID: 13297 Comm: mmap.test Tainted: G O 3.10.40 #1 +[ 9641.234116] [] (unwind_backtrace+0x0/0x12c) from [] (show_stack+0x20/0x24) +[ 9641.234137] [] (show_stack+0x20/0x24) from [] (dump_stack+0x20/0x28) +[ 9641.234188] [] (dump_stack+0x20/0x28) from [] (shrink_tnc_trees+0x25c/0x350 [ubifs]) +[ 9641.234265] [] (shrink_tnc_trees+0x25c/0x350 [ubifs]) from [] (ubifs_shrinker+0x25c/0x310 [ubifs]) +[ 9641.234307] [] (ubifs_shrinker+0x25c/0x310 [ubifs]) from [] (shrink_slab+0x1d4/0x2f8) +[ 9641.234327] [] (shrink_slab+0x1d4/0x2f8) from [] (do_try_to_free_pages+0x300/0x544) +[ 9641.234344] [] (do_try_to_free_pages+0x300/0x544) from [] (try_to_free_pages+0x2d0/0x398) +[ 9641.234363] [] (try_to_free_pages+0x2d0/0x398) from [] (__alloc_pages_nodemask+0x494/0x7e8) +[ 9641.234382] [] (__alloc_pages_nodemask+0x494/0x7e8) from [] (new_slab+0x78/0x238) +[ 9641.234400] [] (new_slab+0x78/0x238) from [] (__slab_alloc.constprop.42+0x1a4/0x50c) +[ 9641.234419] [] (__slab_alloc.constprop.42+0x1a4/0x50c) from [] (kmem_cache_alloc_trace+0x54/0x188) +[ 9641.234459] [] (kmem_cache_alloc_trace+0x54/0x188) from [] (do_readpage+0x168/0x468 [ubifs]) +[ 9641.234553] [] (do_readpage+0x168/0x468 [ubifs]) from [] (ubifs_readpage+0x424/0x464 [ubifs]) +[ 9641.234606] [] (ubifs_readpage+0x424/0x464 [ubifs]) from [] (filemap_fault+0x304/0x418) +[ 9641.234638] [] (filemap_fault+0x304/0x418) from [] (__do_fault+0xd4/0x530) +[ 9641.234665] [] (__do_fault+0xd4/0x530) from [] (handle_pte_fault+0x480/0xf54) +[ 9641.234690] [] (handle_pte_fault+0x480/0xf54) from [] (handle_mm_fault+0x140/0x184) +[ 9641.234716] [] (handle_mm_fault+0x140/0x184) from [] (do_page_fault+0x150/0x3ac) +[ 9641.234737] [] (do_page_fault+0x150/0x3ac) from [] (do_DataAbort+0x3c/0xa0) +[ 9641.234759] [] (do_DataAbort+0x3c/0xa0) from [] (__dabt_usr+0x38/0x40) + +After analyzing the code, I found a condition that may cause this failed +in correct operations. Thus, I think this assertion is wrong and should be +removed. + +Suppose there are two clean znodes and one dirty znode in TNC. So the +per-filesystem atomic_t @clean_zn_cnt is (2). If commit start, dirty_znode +is set to COW_ZNODE in get_znodes_to_commit() in case of potentially ops +on this znode. We clear COW bit and DIRTY bit in write_index() without +@tnc_mutex locked. We don't increase @clean_zn_cnt in this place. As the +comments in write_index() shows, if another process hold @tnc_mutex and +dirty this znode after we clean it, @clean_zn_cnt would be decreased to (1). +We will increase @clean_zn_cnt to (2) with @tnc_mutex locked in +free_obsolete_znodes() to keep it right. + +If shrink_tnc() performs between decrease and increase, it will release +other 2 clean znodes it holds and found @clean_zn_cnt is less than zero +(1 - 2 = -1), then hit the assertion. Because free_obsolete_znodes() will +soon correct @clean_zn_cnt and no harm to fs in this case, I think this +assertion could be removed. + +2 clean zondes and 1 dirty znode, @clean_zn_cnt == 2 + +Thread A (commit) Thread B (write or others) Thread C (shrinker) +->write_index + ->clear_bit(DIRTY_NODE) + ->clear_bit(COW_ZNODE) + + @clean_zn_cnt == 2 + ->mutex_locked(&tnc_mutex) + ->dirty_cow_znode + ->!ubifs_zn_cow(znode) + ->!test_and_set_bit(DIRTY_NODE) + ->atomic_dec(&clean_zn_cnt) + ->mutex_unlocked(&tnc_mutex) + + @clean_zn_cnt == 1 + ->mutex_locked(&tnc_mutex) + ->shrink_tnc + ->destroy_tnc_subtree + ->atomic_sub(&clean_zn_cnt, 2) + ->ubifs_assert <- hit + ->mutex_unlocked(&tnc_mutex) + + @clean_zn_cnt == -1 +->mutex_lock(&tnc_mutex) +->free_obsolete_znodes + ->atomic_inc(&clean_zn_cnt) +->mutux_unlock(&tnc_mutex) + + @clean_zn_cnt == 0 (correct after shrink) + +Signed-off-by: hujianyang +Signed-off-by: Artem Bityutskiy +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ubifs/shrinker.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/fs/ubifs/shrinker.c ++++ b/fs/ubifs/shrinker.c +@@ -128,7 +128,6 @@ static int shrink_tnc(struct ubifs_info + freed = ubifs_destroy_tnc_subtree(znode); + atomic_long_sub(freed, &ubifs_clean_zn_cnt); + atomic_long_sub(freed, &c->clean_zn_cnt); +- ubifs_assert(atomic_long_read(&c->clean_zn_cnt) >= 0); + total_freed += freed; + znode = zprev; + } diff --git a/queue-3.4/watchdog-sp805-set-watchdog_device-timeout-from-set_timeout.patch b/queue-3.4/watchdog-sp805-set-watchdog_device-timeout-from-set_timeout.patch new file mode 100644 index 00000000000..00385f44745 --- /dev/null +++ b/queue-3.4/watchdog-sp805-set-watchdog_device-timeout-from-set_timeout.patch @@ -0,0 +1,50 @@ +From 938626d96a3ffb9eb54552bb0d3a4f2b30ffdeb0 Mon Sep 17 00:00:00 2001 +From: Viresh Kumar +Date: Thu, 15 May 2014 10:01:59 +0530 +Subject: watchdog: sp805: Set watchdog_device->timeout from ->set_timeout() + +From: Viresh Kumar + +commit 938626d96a3ffb9eb54552bb0d3a4f2b30ffdeb0 upstream. + +Implementation of ->set_timeout() is supposed to set 'timeout' field of 'struct +watchdog_device' passed to it. sp805 was rather setting this in a local +variable. Fix it. + +Reported-by: Arun Ramamurthy +Signed-off-by: Viresh Kumar +Reviewed-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/watchdog/sp805_wdt.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/watchdog/sp805_wdt.c ++++ b/drivers/watchdog/sp805_wdt.c +@@ -62,7 +62,6 @@ + * @adev: amba device structure of wdt + * @status: current status of wdt + * @load_val: load value to be set for current timeout +- * @timeout: current programmed timeout + */ + struct sp805_wdt { + spinlock_t lock; +@@ -73,7 +72,6 @@ struct sp805_wdt { + #define WDT_BUSY 0 + #define WDT_CAN_BE_CLOSED 1 + unsigned int load_val; +- unsigned int timeout; + }; + + /* local variables */ +@@ -101,7 +99,7 @@ static void wdt_setload(unsigned int tim + spin_lock(&wdt->lock); + wdt->load_val = load; + /* roundup timeout to closest positive integer value */ +- wdt->timeout = div_u64((load + 1) * 2 + (rate / 2), rate); ++ wdd->timeout = div_u64((load + 1) * 2 + (rate / 2), rate); + spin_unlock(&wdt->lock); + } + -- 2.47.3