1. 29 Oct, 2015 2 commits
    • arm64: kernel: fix tcr_el1.t0sz restore on systems with extended idmap · e13d918a
      Lorenzo Pieralisi committed
      Commit dd006da2 ("arm64: mm: increase VA range of identity map")
      introduced a mechanism to extend the virtual memory map range
      to support arm64 systems with system RAM located at very high offset,
      where the identity mapping used to enable/disable the MMU requires
      additional translation levels to map the physical memory at an equal
      virtual offset.
      
      The kernel detects at boot time the tcr_el1.t0sz value required by the
      identity mapping and sets-up the tcr_el1.t0sz register field accordingly,
      any time the identity map is required in the kernel (ie when enabling the
      MMU).
      
      After enabling the MMU, in the cold boot path the kernel resets the
      tcr_el1.t0sz to its default value (ie the actual configuration value for
      the system virtual address space) so that after enabling the MMU the
      memory space translated by ttbr0_el1 is restored as expected.
      
      Commit dd006da2 ("arm64: mm: increase VA range of identity map")
      also added code to set-up the tcr_el1.t0sz value when the kernel resumes
      from low-power states with the MMU off through cpu_resume() in order to
      effectively use the identity mapping to enable the MMU but failed to add
      the code required to restore the tcr_el1.t0sz to its default value, when
      the core returns to the kernel with the MMU enabled, so that the kernel
      might end up running with tcr_el1.t0sz value set-up for the identity
      mapping which can be lower than the value required by the actual virtual
      address space, resulting in an erroneous set-up.
      
      This patch adds code in the resume path that restores the tcr_el1.t0sz
      default value upon core resume, mirroring this way the cold boot path
      behaviour therefore fixing the issue.
      
      Cc: <stable@vger.kernel.org>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Fixes: dd006da2 ("arm64: mm: increase VA range of identity map")
      Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Signed-off-by: James Morse <james.morse@arm.com>
      Signed-off-by: Will Deacon <will.deacon@arm.com>
    • arm64: compat: fix stxr failure case in SWP emulation · 589cb22b
      Will Deacon committed
      If the STXR instruction fails in the SWP emulation code, we leave *data
      overwritten with the loaded value, therefore corrupting the data written
      by a subsequent, successful attempt.
      
      This patch re-jigs the code so that we only write back to *data once we
      know that the update has happened.
      
      Cc: <stable@vger.kernel.org>
      Fixes: bd35a4ad ("arm64: Port SWP/SWPB emulation support from arm")
      Reported-by: Shengjiu Wang <shengjiu.wang@freescale.com>
      Reported-by: Vladimir Murzin <vladimir.murzin@arm.com>
      Signed-off-by: Will Deacon <will.deacon@arm.com>
  2. 25 Oct, 2015 1 commit
  3. 24 Oct, 2015 13 commits
    • Merge tag 'usb-4.3-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 01815536
      Linus Torvalds committed
      Pull USB fixes from Greg KH:
       "Here are three xhci driver fixes for reported issues for 4.3-rc7
      
        All have been in linux-next for a while with no problems"
      
      * tag 'usb-4.3-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        xhci: Add spurious wakeup quirk for LynxPoint-LP controllers
        xhci: handle no ping response error properly
        xhci: don't finish a TD if we get a short transfer event mid TD
    • Merge tag 'tty-4.3-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · dd5ae681
      Linus Torvalds committed
      Pull tty/serial fixes from Greg KH:
       "Here are two fixes that resolve reported issues, one with the 8250
        driver, and the other with the generic fbcon driver.
      
        Both have been in linux-next for a while"
      
      * tag 'tty-4.3-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        fbcon: initialize blink interval before calling fb_set_par
        Revert "serial: 8250_dma: don't bother DMA with small transfers"
    • Merge tag 'staging-4.3-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 4ee8019d
      Linus Torvalds committed
      Pull staging driver fixes from Greg KH:
       "Here are four iio driver fixes for 4.3-rc7, fixing some reported
        issues.  All of these have been in linux-next for a while"
      
      * tag 'staging-4.3-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        iio: mxs-lradc: Fix temperature offset
        iio: accel: sca3000: memory corruption in sca3000_read_first_n_hw_rb()
        iio: st_accel: fix interrupt handling on LIS3LV02
        iio: adc: twl4030: Fix ADC[3:6] readings
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma · 410694e2
      Linus Torvalds committed
      Pull infiniband fixes from Doug Ledford:
       "It's late in the game, I know, but these fixes seemed important enough
        to warrant a late pull request.  They all involve oopses or use after
        frees or corruptions.
      
        Six serious fixes:
      
         - Hold the mutex around the find and corresponding update of our gid
      
         - The ifa list is rcu protected, copy its contents under rcu to avoid
           using a freed structure
      
         - On error, netdev might be null, so check it before trying to
           release it
      
         - On init, if workqueue alloc fails, fail init
      
         - The new demux patches exposed a bug in mlx5 and ipath drivers, we
           need to use the payload P_Key to determine the P_Key the packet
           arrived on because the hardware doesn't tell us the truth
      
         - Due to a couple convoluted error flows, it is possible for the CM
           to trigger a use_after_free and a double_free of rb nodes.  Add two
           checks to prevent that.  This code has worked for 10+ years.  It is
           likely that some of the recent changes have caused this issue to
           surface.  The current patch will protect us from nasty events for
           now while we track down why this is just now showing up"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma:
        IB/cm: Fix rb-tree duplicate free and use-after-free
        IB/cma: Use inner P_Key to determine netdev
        IB/ucma: check workqueue allocation before usage
        IB/cma: Potential NULL dereference in cma_id_from_event
        IB/core: Fix use after free of ifa
        IB/core: Fix memory corruption in ib_cache_gid_set_default_gid
    • Merge tag 'dm-4.3-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm · 35df017c
      Linus Torvalds committed
      Pull device mapper fixes from Mike Snitzer:
       "Three stable fixes (two in btree code used by DM thinp and one to
        properly store flags in DM cache metadata's superblock)"
      
      * tag 'dm-4.3-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
        dm cache: the CLEAN_SHUTDOWN flag was not being set
        dm btree: fix leak of bufio-backed block in btree_split_beneath error path
        dm btree remove: fix a bug when rebalancing nodes after removal
    • Merge branch 'for-linus' of git://git.kernel.dk/linux-block · ea1ee5ff
      Linus Torvalds committed
      Pull block layer fixes from Jens Axboe:
       "A final set of fixes for 4.3.
      
        It is (again) bigger than I would have liked, but it's all been
        through the testing mill and has been carefully reviewed by multiple
        parties.  Each fix is either a regression fix for this cycle, or is
        marked stable.  You can scold me at KS.  The pull request contains:
      
         - Three simple fixes for NVMe, fixing regressions since 4.3.  From
           Arnd, Christoph, and Keith.
      
         - A single xen-blkfront fix from Cathy, fixing a NULL dereference if
           an error is returned through the state change callback.
      
         - Fixup for some bad/sloppy code in nbd that got introduced earlier
           in this cycle.  From Markus Pargmann.
      
         - A blk-mq tagset use-after-free fix from Junichi.
      
         - A backing device lifetime fix from Tejun, fixing a crash.
      
         - And finally, a set of regression/stable fixes for cgroup writeback
           from Tejun"
      
      * 'for-linus' of git://git.kernel.dk/linux-block:
        writeback: remove broken rbtree_postorder_for_each_entry_safe() usage in cgwb_bdi_destroy()
        NVMe: Fix memory leak on retried commands
        block: don't release bdi while request_queue has live references
        nvme: use an integer value to Linux errno values
        blk-mq: fix use-after-free in blk_mq_free_tag_set()
        nvme: fix 32-bit build warning
        writeback: fix incorrect calculation of available memory for memcg domains
        writeback: memcg dirty_throttle_control should be initialized with wb->memcg_completions
        writeback: bdi_writeback iteration must not skip dying ones
        writeback: fix bdi_writeback iteration in wakeup_dirtytime_writeback()
        writeback: laptop_mode_timer_fn() needs rcu_read_lock() around bdi_writeback iteration
        nbd: Add locking for tasks
        xen-blkfront: check for null drvdata in blkback_changed (XenbusStateClosing)
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client · ef594c42
      Linus Torvalds committed
      Pull Ceph fixes from Sage Weil:
       "Two fixes.
      
        One is a stopgap to prevent a stack blowout when users have a deep
        chain of image clones.  (We'll rewrite this code to be non-recursive
        for the next window, but in the meantime this is a simple fix that
        avoids a crash.)
      
        The second fixes a refcount underflow"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client:
        rbd: prevent kernel stack blow up on rbd map
        rbd: don't leak parent_spec in rbd_dev_probe_parent()
    • Merge branch 'for-linus-4.3' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs · 37902bc1
      Linus Torvalds committed
      Pull btrfs fixes from Chris Mason:
       "I have two more small fixes this week:
      
        Qu's fix avoids unneeded COW during fallocate, and Christian found a
        memory leak in the error handling of an earlier fix"
      
      * 'for-linus-4.3' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
        btrfs: fix possible leak in btrfs_ioctl_balance()
        btrfs: Avoid truncate tailing page if fallocate range doesn't exceed inode size
    • dm cache: the CLEAN_SHUTDOWN flag was not being set · 3201ac45
      Joe Thornber committed
      If the CLEAN_SHUTDOWN flag is not set when a cache is loaded then all cache
      blocks are marked as dirty and a full writeback occurs.
      
      __commit_transaction() is responsible for setting/clearing
      CLEAN_SHUTDOWN (based on the flags_mutator that is passed in).
      
      Fix this issue, of the cache's on-disk flags being wrong, by making sure
      __commit_transaction() does not reset the flags after the mutator has
      altered the flags in preparation for them being serialized to disk.
      
      before:
      
      sb_flags = mutator(le32_to_cpu(disk_super->flags));
      disk_super->flags = cpu_to_le32(sb_flags);
      disk_super->flags = cpu_to_le32(cmd->flags);
      
      after:
      
      disk_super->flags = cpu_to_le32(cmd->flags);
      sb_flags = mutator(le32_to_cpu(disk_super->flags));
      disk_super->flags = cpu_to_le32(sb_flags);
      Reported-by: Bogdan Vasiliev <bogdan.vasiliev@gmail.com>
      Signed-off-by: Joe Thornber <ejt@redhat.com>
      Signed-off-by: Mike Snitzer <snitzer@redhat.com>
      Cc: stable@vger.kernel.org
    • dm btree: fix leak of bufio-backed block in btree_split_beneath error path · 4dcb8b57
      Mike Snitzer committed
      btree_split_beneath()'s error path had an outstanding FIXME that speaks
      directly to the potential for _not_ cleaning up a previously allocated
      bufio-backed block.
      
      Fix this by releasing the previously allocated bufio block using
      unlock_block().
      Reported-by: Mikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: Mike Snitzer <snitzer@redhat.com>
      Acked-by: Joe Thornber <thornber@redhat.com>
      Cc: stable@vger.kernel.org
    • dm btree remove: fix a bug when rebalancing nodes after removal · 2871c69e
      Joe Thornber committed
      Commit 4c7e3093 ("dm btree remove: fix bug in redistribute3") wasn't
      a complete fix for redistribute3().
      
      The redistribute3 function takes 3 btree nodes and shares out the entries
      evenly between them.  If the three nodes in total contained
      (MAX_ENTRIES * 3) - 1 entries between them then this was erroneously getting
      rebalanced as (MAX_ENTRIES - 1) on the left and right, and (MAX_ENTRIES + 1) in
      the center.
      
      Fix this issue by being more careful about calculating the target number
      of entries for the left and right nodes.
      
      Unit tested in userspace using this program:
      https://github.com/jthornber/redistribute3-test/blob/master/redistribute3_t.c
      
      Signed-off-by: Joe Thornber <ejt@redhat.com>
      Signed-off-by: Mike Snitzer <snitzer@redhat.com>
      Cc: stable@vger.kernel.org
    • rbd: prevent kernel stack blow up on rbd map · 6d69bb53
      Ilya Dryomov committed
      Mapping an image with a long parent chain (e.g. image foo, whose parent
      is bar, whose parent is baz, etc) currently leads to a kernel stack
      overflow, due to the following recursion in the reply path:
      
        rbd_osd_req_callback()
          rbd_obj_request_complete()
            rbd_img_obj_callback()
              rbd_img_parent_read_callback()
                rbd_obj_request_complete()
                  ...
      
      Limit the parent chain to 16 images, which is ~5K worth of stack.  When
      the above recursion is eliminated, this limit can be lifted.
      
      Fixes: http://tracker.ceph.com/issues/12538
      
      Cc: stable@vger.kernel.org # 3.10+, needs backporting for < 4.2
      Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
      Reviewed-by: Josh Durgin <jdurgin@redhat.com>
    • rbd: don't leak parent_spec in rbd_dev_probe_parent() · 1f2c6651
      Ilya Dryomov committed
      Currently we leak parent_spec and trigger a "parent reference
      underflow" warning if rbd_dev_create() in rbd_dev_probe_parent() fails.
      The problem is we take the !parent out_err branch and that only drops
      refcounts; parent_spec that would've been freed had we called
      rbd_dev_unparent() remains and triggers rbd_warn() in
      rbd_dev_parent_put() - at that point we have parent_spec != NULL and
      parent_ref == 0, so counter ends up being -1 after the decrement.
      
      Redo rbd_dev_probe_parent() to fix this.
      
      Cc: stable@vger.kernel.org # 3.10+, needs backporting for < 4.2
      Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
      Reviewed-by: Alex Elder <elder@linaro.org>
  4. 23 Oct, 2015 24 commits