1. 05 11月, 2015 2 次提交
    • R
      sparc64: Don't restrict fp regs for no-fault loads · cae9af6a
      Rob Gardner 提交于
      The function handle_ldf_stq() deals with no-fault ASI
      loads and stores, but restricts fp registers to quad
      word regs (ie, %f0, %f4 etc). This is valid for the
      STQ case, but unnecessarily restricts loads, which
      may be single precision, double, or quad. This results
      in SIGFPE being raised for this instruction when the
      source address is invalid:
      	ldda [%g1] ASI_PNF, %f2
      but not for this one:
      	ldda [%g1] ASI_PNF, %f4
      The validation check for quad register is moved to
      within the STQ block so that loads are not affected
      by the check.
      
      An additional problem is that the calculation for freg
      is incorrect when a single precision load is being
      handled. This causes %f1 to be seen as %f32 etc,
      and the incorrect register ends up being overwritten.
      This code sequence demonstrates the problem:
      	ldd [%g1], %f32		! g1 = valid address
      	lda [%i3] ASI_PNF, %f1  ! i3 = invalid address
      	std %f32, [%g1]
      This is corrected by basing the freg calculation on
      the load size.
      Signed-off-by: NRob Gardner <rob.gardner@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      cae9af6a
    • D
      iommu-common: Fix error code used in iommu_tbl_range_{alloc,free}(). · d618382b
      David S. Miller 提交于
      The value returned from iommu_tbl_range_alloc() (and the one passed
      in as a fourth argument to iommu_tbl_range_free) is not a DMA address,
      it is rather an index into the IOMMU page table.
      
      Therefore using DMA_ERROR_CODE is not appropriate.
      
      Use a more type matching error code define, IOMMU_ERROR_CODE, and
      update all users of this interface.
      Reported-by: NAndre Przywara <andre.przywara@arm.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d618382b
  2. 08 8月, 2015 2 次提交
  3. 07 8月, 2015 26 次提交
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc · 49d7c655
      Linus Torvalds 提交于
      Pull sparc fix from David Miller:
       "FPU register corruption bug fix"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
        sparc64: Fix userspace FPU register corruptions.
      49d7c655
    • L
      Merge branch 'akpm' (patches from Andrew) · 8664b90b
      Linus Torvalds 提交于
      Merge fixes from Andrew Morton:
       "21 fixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>: (21 commits)
        writeback: fix initial dirty limit
        mm/memory-failure: set PageHWPoison before migrate_pages()
        mm: check __PG_HWPOISON separately from PAGE_FLAGS_CHECK_AT_*
        mm/memory-failure: give up error handling for non-tail-refcounted thp
        mm/memory-failure: fix race in counting num_poisoned_pages
        mm/memory-failure: unlock_page before put_page
        ipc: use private shmem or hugetlbfs inodes for shm segments.
        mm: initialize hotplugged pages as reserved
        ocfs2: fix shift left overflow
        kthread: export kthread functions
        fsnotify: fix oops in fsnotify_clear_marks_by_group_flags()
        lib/iommu-common.c: do not use 0xffffffffffffffffl for computing align_mask
        mm/slub: allow merging when SLAB_DEBUG_FREE is set
        signalfd: fix information leak in signalfd_copyinfo
        signal: fix information leak in copy_siginfo_to_user
        signal: fix information leak in copy_siginfo_from_user32
        ocfs2: fix BUG in ocfs2_downconvert_thread_do_work()
        fs, file table: reinit files_stat.max_files after deferred memory initialisation
        mm, meminit: replace rwsem with completion
        mm, meminit: allow early_pfn_to_nid to be used during runtime
        ...
      8664b90b
    • D
      sparc64: Fix userspace FPU register corruptions. · 44922150
      David S. Miller 提交于
      If we have a series of events from userpsace, with %fprs=FPRS_FEF,
      like follows:
      
      ETRAP
      	ETRAP
      		VIS_ENTRY(fprs=0x4)
      		VIS_EXIT
      		RTRAP (kernel FPU restore with fpu_saved=0x4)
      	RTRAP
      
      We will not restore the user registers that were clobbered by the FPU
      using kernel code in the inner-most trap.
      
      Traps allocate FPU save slots in the thread struct, and FPU using
      sequences save the "dirty" FPU registers only.
      
      This works at the initial trap level because all of the registers
      get recorded into the top-level FPU save area, and we'll return
      to userspace with the FPU disabled so that any FPU use by the user
      will take an FPU disabled trap wherein we'll load the registers
      back up properly.
      
      But this is not how trap returns from kernel to kernel operate.
      
      The simplest fix for this bug is to always save all FPU register state
      for anything other than the top-most FPU save area.
      
      Getting rid of the optimized inner-slot FPU saving code ends up
      making VISEntryHalf degenerate into plain VISEntry.
      
      Longer term we need to do something smarter to reinstate the partial
      save optimizations.  Perhaps the fundament error is having trap entry
      and exit allocate FPU save slots and restore register state.  Instead,
      the VISEntry et al. calls should be doing that work.
      
      This bug is about two decades old.
      Reported-by: NJames Y Knight <jyknight@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      44922150
    • L
      Merge branch 'drm-fixes-4.2' of git://people.freedesktop.org/~agd5f/linux · a58997e1
      Linus Torvalds 提交于
      Pull amdgpu fixes from Alex Deucher:
       "Just a few amdgpu fixes to make sure we report the proper firmware
        information and number of render buffers to userspace and a typo in a
        debugging function"
      
      [ Pulling directly from Alex since Dave Airlie is on vacation  - Linus ]
      
      * 'drm-fixes-4.2' of git://people.freedesktop.org/~agd5f/linux:
        drm/amdgpu: set fw_version and feature_version for smu fw loading
        drm/amdgpu: add feature version for SDMA ucode
        drm/amdgpu: add feature version for RLC and MEC v2
        drm/amdgpu: increment queue when iterating on this variable.
        drm/amdgpu: fix rb setting for CZ
      a58997e1
    • L
      Merge branch 'drm-tda998x-fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-arm · ebc90be6
      Linus Torvalds 提交于
      Pull TDA998x i2c driver fixes from Russell King:
       "This fixes the double-checksumming of the AVI infoframe which was
        resulting in the checksum always being zero.  It went unnoticed as
        none of my HDMI devices had a problem with this"
      
      [ Pulling directly from rmk since Dave Airlie is on vacation  - Linus ]
      
      * 'drm-tda998x-fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-arm:
        drm/i2c: tda998x: fix bad checksum of the HDMI AVI infoframe
      ebc90be6
    • R
      writeback: fix initial dirty limit · a50fcb51
      Rabin Vincent 提交于
      The initial value of global_wb_domain.dirty_limit set by
      writeback_set_ratelimit() is zeroed out by the memset in
      wb_domain_init().
      Signed-off-by: NRabin Vincent <rabin.vincent@axis.com>
      Acked-by: NTejun Heo <tj@kernel.org>
      Cc: Jens Axboe <axboe@fb.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      a50fcb51
    • N
      mm/memory-failure: set PageHWPoison before migrate_pages() · 4491f712
      Naoya Horiguchi 提交于
      Now page freeing code doesn't consider PageHWPoison as a bad page, so by
      setting it before completing the page containment, we can prevent the
      error page from being reused just after successful page migration.
      
      I added TTU_IGNORE_HWPOISON for try_to_unmap() to make sure that the
      page table entry is transformed into migration entry, not to hwpoison
      entry.
      Signed-off-by: NNaoya Horiguchi <n-horiguchi@ah.jp.nec.com>
      Cc: Andi Kleen <andi@firstfloor.org>
      Cc: Dean Nelson <dnelson@redhat.com>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: "Kirill A. Shutemov" <kirill@shutemov.name>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: David Rientjes <rientjes@google.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      4491f712
    • N
      mm: check __PG_HWPOISON separately from PAGE_FLAGS_CHECK_AT_* · f4c18e6f
      Naoya Horiguchi 提交于
      The race condition addressed in commit add05cec ("mm: soft-offline:
      don't free target page in successful page migration") was not closed
      completely, because that can happen not only for soft-offline, but also
      for hard-offline.  Consider that a slab page is about to be freed into
      buddy pool, and then an uncorrected memory error hits the page just
      after entering __free_one_page(), then VM_BUG_ON_PAGE(page->flags &
      PAGE_FLAGS_CHECK_AT_PREP) is triggered, despite the fact that it's not
      necessary because the data on the affected page is not consumed.
      
      To solve it, this patch drops __PG_HWPOISON from page flag checks at
      allocation/free time.  I think it's justified because __PG_HWPOISON
      flags is defined to prevent the page from being reused, and setting it
      outside the page's alloc-free cycle is a designed behavior (not a bug.)
      
      For recent months, I was annoyed about BUG_ON when soft-offlined page
      remains on lru cache list for a while, which is avoided by calling
      put_page() instead of putback_lru_page() in page migration's success
      path.  This means that this patch reverts a major change from commit
      add05cec about the new refcounting rule of soft-offlined pages, so
      "reuse window" revives.  This will be closed by a subsequent patch.
      Signed-off-by: NNaoya Horiguchi <n-horiguchi@ah.jp.nec.com>
      Cc: Andi Kleen <andi@firstfloor.org>
      Cc: Dean Nelson <dnelson@redhat.com>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: "Kirill A. Shutemov" <kirill@shutemov.name>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: David Rientjes <rientjes@google.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      f4c18e6f
    • N
      mm/memory-failure: give up error handling for non-tail-refcounted thp · 98ed2b00
      Naoya Horiguchi 提交于
      "non anonymous thp" case is still racy with freeing thp, which causes
      panic due to put_page() for refcount-0 page.  It seems that closing up
      this race might be hard (and/or not worth doing,) so let's give up the
      error handling for this case.
      Signed-off-by: NNaoya Horiguchi <n-horiguchi@ah.jp.nec.com>
      Cc: Andi Kleen <andi@firstfloor.org>
      Cc: Dean Nelson <dnelson@redhat.com>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: "Kirill A. Shutemov" <kirill@shutemov.name>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: David Rientjes <rientjes@google.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      98ed2b00
    • N
      mm/memory-failure: fix race in counting num_poisoned_pages · a209ef09
      Naoya Horiguchi 提交于
      When memory_failure() is called on a page which are just freed after
      page migration from soft offlining, the counter num_poisoned_pages is
      raised twi= ce.  So let's fix it with using TestSetPageHWPoison.
      Signed-off-by: NNaoya Horiguchi <n-horiguchi@ah.jp.nec.com>
      Cc: Andi Kleen <andi@firstfloor.org>
      Cc: Dean Nelson <dnelson@redhat.com>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: "Kirill A. Shutemov" <kirill@shutemov.name>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: David Rientjes <rientjes@google.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      a209ef09
    • N
      mm/memory-failure: unlock_page before put_page · a09233f3
      Naoya Horiguchi 提交于
      Recently I addressed a few of hwpoison race problems and the patches are
      merged on v4.2-rc1.  It made progress, but unfortunately some problems
      still remain due to less coverage of my testing.  So I'm trying to fix
      or avoid them in this series.
      
      One point I'm expecting to discuss is that patch 4/5 changes the page
      flag set to be checked on free time.  In current behavior, __PG_HWPOISON
      is not supposed to be set when the page is freed.  I think that there is
      no strong reason for this behavior, and it causes a problem hard to fix
      only in error handler side (because __PG_HWPOISON could be set at
      arbitrary timing.) So I suggest to change it.
      
      With this patchset, hwpoison stress testing in official mce-test
      testsuite (which previously failed) passes.
      
      This patch (of 5):
      
      In "just unpoisoned" path, we do put_page and then unlock_page, which is
      a wrong order and causes "freeing locked page" bug.  So let's fix it.
      Signed-off-by: NNaoya Horiguchi <n-horiguchi@ah.jp.nec.com>
      Cc: Andi Kleen <andi@firstfloor.org>
      Cc: Dean Nelson <dnelson@redhat.com>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: "Kirill A. Shutemov" <kirill@shutemov.name>
      Cc: Hugh Dickins <hughd@google.com>
      Acked-by: NDavid Rientjes <rientjes@google.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      a09233f3
    • S
      ipc: use private shmem or hugetlbfs inodes for shm segments. · e1832f29
      Stephen Smalley 提交于
      The shm implementation internally uses shmem or hugetlbfs inodes for shm
      segments.  As these inodes are never directly exposed to userspace and
      only accessed through the shm operations which are already hooked by
      security modules, mark the inodes with the S_PRIVATE flag so that inode
      security initialization and permission checking is skipped.
      
      This was motivated by the following lockdep warning:
      
        ======================================================
         [ INFO: possible circular locking dependency detected ]
         4.2.0-0.rc3.git0.1.fc24.x86_64+debug #1 Tainted: G        W
        -------------------------------------------------------
         httpd/1597 is trying to acquire lock:
         (&ids->rwsem){+++++.}, at: shm_close+0x34/0x130
         but task is already holding lock:
         (&mm->mmap_sem){++++++}, at: SyS_shmdt+0x4b/0x180
         which lock already depends on the new lock.
         the existing dependency chain (in reverse order) is:
         -> #3 (&mm->mmap_sem){++++++}:
              lock_acquire+0xc7/0x270
              __might_fault+0x7a/0xa0
              filldir+0x9e/0x130
              xfs_dir2_block_getdents.isra.12+0x198/0x1c0 [xfs]
              xfs_readdir+0x1b4/0x330 [xfs]
              xfs_file_readdir+0x2b/0x30 [xfs]
              iterate_dir+0x97/0x130
              SyS_getdents+0x91/0x120
              entry_SYSCALL_64_fastpath+0x12/0x76
         -> #2 (&xfs_dir_ilock_class){++++.+}:
              lock_acquire+0xc7/0x270
              down_read_nested+0x57/0xa0
              xfs_ilock+0x167/0x350 [xfs]
              xfs_ilock_attr_map_shared+0x38/0x50 [xfs]
              xfs_attr_get+0xbd/0x190 [xfs]
              xfs_xattr_get+0x3d/0x70 [xfs]
              generic_getxattr+0x4f/0x70
              inode_doinit_with_dentry+0x162/0x670
              sb_finish_set_opts+0xd9/0x230
              selinux_set_mnt_opts+0x35c/0x660
              superblock_doinit+0x77/0xf0
              delayed_superblock_init+0x10/0x20
              iterate_supers+0xb3/0x110
              selinux_complete_init+0x2f/0x40
              security_load_policy+0x103/0x600
              sel_write_load+0xc1/0x750
              __vfs_write+0x37/0x100
              vfs_write+0xa9/0x1a0
              SyS_write+0x58/0xd0
              entry_SYSCALL_64_fastpath+0x12/0x76
        ...
      Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
      Reported-by: NMorten Stevens <mstevens@fedoraproject.org>
      Acked-by: NHugh Dickins <hughd@google.com>
      Acked-by: NPaul Moore <paul@paul-moore.com>
      Cc: Manfred Spraul <manfred@colorfullife.com>
      Cc: Davidlohr Bueso <dave@stgolabs.net>
      Cc: Prarit Bhargava <prarit@redhat.com>
      Cc: Eric Paris <eparis@redhat.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      e1832f29
    • M
      mm: initialize hotplugged pages as reserved · e298ff75
      Mel Gorman 提交于
      Commit 92923ca3 ("mm: meminit: only set page reserved in the
      memblock region") broke memory hotplug which expects the memmap for
      newly added sections to be reserved until onlined by
      online_pages_range().  This patch marks hotplugged pages as reserved
      when adding new zones.
      Signed-off-by: NMel Gorman <mgorman@suse.de>
      Reported-by: NDavid Vrabel <david.vrabel@citrix.com>
      Tested-by: NDavid Vrabel <david.vrabel@citrix.com>
      Cc: Nathan Zimmer <nzimmer@sgi.com>
      Cc: Robin Holt <holt@sgi.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      e298ff75
    • J
      ocfs2: fix shift left overflow · 32e5a2a2
      Joseph Qi 提交于
      When using a large volume, for example 9T volume with 2T already used,
      frequent creation of small files with O_DIRECT when the IO is not
      cluster aligned may clear sectors in the wrong place.  This will cause
      filesystem corruption.
      
      This is because p_cpos is a u32.  When calculating the corresponding
      sector it should be converted to u64 first, otherwise it may overflow.
      Signed-off-by: NJoseph Qi <joseph.qi@huawei.com>
      Cc: Mark Fasheh <mfasheh@suse.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: <stable@vger.kernel.org>	[4.0+]
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      32e5a2a2
    • D
      kthread: export kthread functions · 18896451
      David Kershner 提交于
      The s-Par visornic driver, currently in staging, processes a queue being
      serviced by the an s-Par service partition.  We can get a message that
      something has happened with the Service Partition, when that happens, we
      must not access the channel until we get a message that the service
      partition is back again.
      
      The visornic driver has a thread for processing the channel, when we get
      the message, we need to be able to park the thread and then resume it
      when the problem clears.
      
      We can do this with kthread_park and unpark but they are not exported
      from the kernel, this patch exports the needed functions.
      Signed-off-by: NDavid Kershner <david.kershner@unisys.com>
      Acked-by: NIngo Molnar <mingo@kernel.org>
      Acked-by: NNeil Horman <nhorman@tuxdriver.com>
      Acked-by: NThomas Gleixner <tglx@linutronix.de>
      Cc: Richard Weinberger <richard.weinberger@gmail.com>
      Cc: Tejun Heo <tj@kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      18896451
    • J
      fsnotify: fix oops in fsnotify_clear_marks_by_group_flags() · 8f2f3eb5
      Jan Kara 提交于
      fsnotify_clear_marks_by_group_flags() can race with
      fsnotify_destroy_marks() so that when fsnotify_destroy_mark_locked()
      drops mark_mutex, a mark from the list iterated by
      fsnotify_clear_marks_by_group_flags() can be freed and thus the next
      entry pointer we have cached may become stale and we dereference free
      memory.
      
      Fix the problem by first moving marks to free to a special private list
      and then always free the first entry in the special list.  This method
      is safe even when entries from the list can disappear once we drop the
      lock.
      Signed-off-by: NJan Kara <jack@suse.com>
      Reported-by: NAshish Sangwan <a.sangwan@samsung.com>
      Reviewed-by: NAshish Sangwan <a.sangwan@samsung.com>
      Cc: Lino Sanfilippo <LinoSanfilippo@gmx.de>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      8f2f3eb5
    • S
      lib/iommu-common.c: do not use 0xffffffffffffffffl for computing align_mask · 447f6a95
      Sowmini Varadhan 提交于
      Using a 64 bit constant generates "warning: integer constant is too
      large for 'long' type" on 32 bit platforms.  Instead use ~0ul and
      BITS_PER_LONG.
      
      Detected by Andrew Morton on ARMD.
      Signed-off-by: NSowmini Varadhan <sowmini.varadhan@oracle.com>
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Guenter Roeck <linux@roeck-us.net>
      Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      447f6a95
    • K
      mm/slub: allow merging when SLAB_DEBUG_FREE is set · 3e810ae2
      Konstantin Khlebnikov 提交于
      This patch fixes creation of new kmem-caches after enabling
      sanity_checks for existing mergeable kmem-caches in runtime: before that
      patch creation fails because unique name in sysfs already taken by
      existing kmem-cache.
      
      Unlike other debug options this doesn't change object layout and could
      be enabled and disabled at any time.
      Signed-off-by: NKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Acked-by: NChristoph Lameter <cl@linux.com>
      Cc: Pekka Enberg <penberg@kernel.org>
      Acked-by: NDavid Rientjes <rientjes@google.com>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      3e810ae2
    • A
      signalfd: fix information leak in signalfd_copyinfo · 3ead7c52
      Amanieu d'Antras 提交于
      This function may copy the si_addr_lsb field to user mode when it hasn't
      been initialized, which can leak kernel stack data to user mode.
      
      Just checking the value of si_code is insufficient because the same
      si_code value is shared between multiple signals.  This is solved by
      checking the value of si_signo in addition to si_code.
      Signed-off-by: NAmanieu d'Antras <amanieu@gmail.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      3ead7c52
    • A
      signal: fix information leak in copy_siginfo_to_user · 26135022
      Amanieu d'Antras 提交于
      This function may copy the si_addr_lsb, si_lower and si_upper fields to
      user mode when they haven't been initialized, which can leak kernel
      stack data to user mode.
      
      Just checking the value of si_code is insufficient because the same
      si_code value is shared between multiple signals.  This is solved by
      checking the value of si_signo in addition to si_code.
      Signed-off-by: NAmanieu d'Antras <amanieu@gmail.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: Russell King <rmk@arm.linux.org.uk>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      26135022
    • A
      signal: fix information leak in copy_siginfo_from_user32 · 3c00cb5e
      Amanieu d'Antras 提交于
      This function can leak kernel stack data when the user siginfo_t has a
      positive si_code value.  The top 16 bits of si_code descibe which fields
      in the siginfo_t union are active, but they are treated inconsistently
      between copy_siginfo_from_user32, copy_siginfo_to_user32 and
      copy_siginfo_to_user.
      
      copy_siginfo_from_user32 is called from rt_sigqueueinfo and
      rt_tgsigqueueinfo in which the user has full control overthe top 16 bits
      of si_code.
      
      This fixes the following information leaks:
      x86:   8 bytes leaked when sending a signal from a 32-bit process to
             itself. This leak grows to 16 bytes if the process uses x32.
             (si_code = __SI_CHLD)
      x86:   100 bytes leaked when sending a signal from a 32-bit process to
             a 64-bit process. (si_code = -1)
      sparc: 4 bytes leaked when sending a signal from a 32-bit process to a
             64-bit process. (si_code = any)
      
      parsic and s390 have similar bugs, but they are not vulnerable because
      rt_[tg]sigqueueinfo have checks that prevent sending a positive si_code
      to a different process.  These bugs are also fixed for consistency.
      Signed-off-by: NAmanieu d'Antras <amanieu@gmail.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: Russell King <rmk@arm.linux.org.uk>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Chris Metcalf <cmetcalf@ezchip.com>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: Michael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      3c00cb5e
    • J
      ocfs2: fix BUG in ocfs2_downconvert_thread_do_work() · 209f7512
      Joseph Qi 提交于
      The "BUG_ON(list_empty(&osb->blocked_lock_list))" in
      ocfs2_downconvert_thread_do_work can be triggered in the following case:
      
      ocfs2dc has firstly saved osb->blocked_lock_count to local varibale
      processed, and then processes the dentry lockres.  During the dentry
      put, it calls iput and then deletes rw, inode and open lockres from
      blocked list in ocfs2_mark_lockres_freeing.  And this causes the
      variable `processed' to not reflect the number of blocked lockres to be
      processed, which triggers the BUG.
      Signed-off-by: NJoseph Qi <joseph.qi@huawei.com>
      Cc: Mark Fasheh <mfasheh@suse.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      209f7512
    • M
      fs, file table: reinit files_stat.max_files after deferred memory initialisation · 4248b0da
      Mel Gorman 提交于
      Dave Hansen reported the following;
      
      	My laptop has been behaving strangely with 4.2-rc2.  Once I log
      	in to my X session, I start getting all kinds of strange errors
      	from applications and see this in my dmesg:
      
              	VFS: file-max limit 8192 reached
      
      The problem is that the file-max is calculated before memory is fully
      initialised and miscalculates how much memory the kernel is using.  This
      patch recalculates file-max after deferred memory initialisation.  Note
      that using memory hotplug infrastructure would not have avoided this
      problem as the value is not recalculated after memory hot-add.
      
      4.1:             files_stat.max_files = 6582781
      4.2-rc2:         files_stat.max_files = 8192
      4.2-rc2 patched: files_stat.max_files = 6562467
      
      Small differences with the patch applied and 4.1 but not enough to matter.
      Signed-off-by: NMel Gorman <mgorman@suse.de>
      Reported-by: NDave Hansen <dave.hansen@intel.com>
      Cc: Nicolai Stange <nicstange@gmail.com>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Alex Ng <alexng@microsoft.com>
      Cc: Fengguang Wu <fengguang.wu@intel.com>
      Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      4248b0da
    • N
      mm, meminit: replace rwsem with completion · d3cd131d
      Nicolai Stange 提交于
      Commit 0e1cc95b ("mm: meminit: finish initialisation of struct pages
      before basic setup") introduced a rwsem to signal completion of the
      initialization workers.
      
      Lockdep complains about possible recursive locking:
        =============================================
        [ INFO: possible recursive locking detected ]
        4.1.0-12802-g1dc51b82 #3 Not tainted
        ---------------------------------------------
        swapper/0/1 is trying to acquire lock:
        (pgdat_init_rwsem){++++.+},
          at: [<ffffffff8424c7fb>] page_alloc_init_late+0xc7/0xe6
      
        but task is already holding lock:
        (pgdat_init_rwsem){++++.+},
          at: [<ffffffff8424c772>] page_alloc_init_late+0x3e/0xe6
      
      Replace the rwsem by a completion together with an atomic
      "outstanding work counter".
      
      [peterz@infradead.org: Barrier removal on the grounds of being pointless]
      [mgorman@suse.de: Applied review feedback]
      Signed-off-by: NNicolai Stange <nicstange@gmail.com>
      Signed-off-by: NMel Gorman <mgorman@suse.de>
      Acked-by: NPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Alex Ng <alexng@microsoft.com>
      Cc: Fengguang Wu <fengguang.wu@intel.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      d3cd131d
    • M
      mm, meminit: allow early_pfn_to_nid to be used during runtime · 7ace9917
      Mel Gorman 提交于
      early_pfn_to_nid() historically was inherently not SMP safe but only
      used during boot which is inherently single threaded or during hotplug
      which is protected by a giant mutex.
      
      With deferred memory initialisation there was a thread-safe version
      introduced and the early_pfn_to_nid would trigger a BUG_ON if used
      unsafely.  Memory hotplug hit that check.  This patch makes
      early_pfn_to_nid introduces a lock to make it safe to use during
      hotplug.
      Signed-off-by: NMel Gorman <mgorman@suse.de>
      Reported-by: NAlex Ng <alexng@microsoft.com>
      Tested-by: NAlex Ng <alexng@microsoft.com>
      Acked-by: NPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Nicolai Stange <nicstange@gmail.com>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Fengguang Wu <fengguang.wu@intel.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      7ace9917
    • M
      ipc: modify message queue accounting to not take kernel data structures into account · de54b9ac
      Marcus Gelderie 提交于
      A while back, the message queue implementation in the kernel was
      improved to use btrees to speed up retrieval of messages, in commit
      d6629859 ("ipc/mqueue: improve performance of send/recv").
      
      That patch introducing the improved kernel handling of message queues
      (using btrees) has, as a by-product, changed the meaning of the QSIZE
      field in the pseudo-file created for the queue.  Before, this field
      reflected the size of the user-data in the queue.  Since, it also takes
      kernel data structures into account.  For example, if 13 bytes of user
      data are in the queue, on my machine the file reports a size of 61
      bytes.
      
      There was some discussion on this topic before (for example
      https://lkml.org/lkml/2014/10/1/115).  Commenting on a th lkml, Michael
      Kerrisk gave the following background
      (https://lkml.org/lkml/2015/6/16/74):
      
          The pseudofiles in the mqueue filesystem (usually mounted at
          /dev/mqueue) expose fields with metadata describing a message
          queue. One of these fields, QSIZE, as originally implemented,
          showed the total number of bytes of user data in all messages in
          the message queue, and this feature was documented from the
          beginning in the mq_overview(7) page. In 3.5, some other (useful)
          work happened to break the user-space API in a couple of places,
          including the value exposed via QSIZE, which now includes a measure
          of kernel overhead bytes for the queue, a figure that renders QSIZE
          useless for its original purpose, since there's no way to deduce
          the number of overhead bytes consumed by the implementation.
          (The other user-space breakage was subsequently fixed.)
      
      This patch removes the accounting of kernel data structures in the
      queue.  Reporting the size of these data-structures in the QSIZE field
      was a breaking change (see Michael's comment above).  Without the QSIZE
      field reporting the total size of user-data in the queue, there is no
      way to deduce this number.
      
      It should be noted that the resource limit RLIMIT_MSGQUEUE is counted
      against the worst-case size of the queue (in both the old and the new
      implementation).  Therefore, the kernel overhead accounting in QSIZE is
      not necessary to help the user understand the limitations RLIMIT imposes
      on the processes.
      Signed-off-by: NMarcus Gelderie <redmnic@gmail.com>
      Acked-by: NDoug Ledford <dledford@redhat.com>
      Acked-by: NMichael Kerrisk <mtk.manpages@gmail.com>
      Acked-by: NDavidlohr Bueso <dbueso@suse.de>
      Cc: David Howells <dhowells@redhat.com>
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: John Duffy <jb_duffy@btinternet.com>
      Cc: Arto Bendiken <arto@bendiken.net>
      Cc: Manfred Spraul <manfred@colorfullife.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      de54b9ac
  4. 06 8月, 2015 5 次提交
  5. 05 8月, 2015 5 次提交