1. 05 4月, 2013 1 次提交
    • J
      mm: prevent mmap_cache race in find_vma() · b6a9b7f6
      Jan Stancek 提交于
      find_vma() can be called by multiple threads with read lock
      held on mm->mmap_sem and any of them can update mm->mmap_cache.
      Prevent compiler from re-fetching mm->mmap_cache, because other
      readers could update it in the meantime:
      
                     thread 1                             thread 2
                                              |
        find_vma()                            |  find_vma()
          struct vm_area_struct *vma = NULL;  |
          vma = mm->mmap_cache;               |
          if (!(vma && vma->vm_end > addr     |
              && vma->vm_start <= addr)) {    |
                                              |    mm->mmap_cache = vma;
          return vma;                         |
           ^^ compiler may optimize this      |
              local variable out and re-read  |
              mm->mmap_cache                  |
      
      This issue can be reproduced with gcc-4.8.0-1 on s390x by running
      mallocstress testcase from LTP, which triggers:
      
        kernel BUG at mm/rmap.c:1088!
          Call Trace:
           ([<000003d100c57000>] 0x3d100c57000)
            [<000000000023a1c0>] do_wp_page+0x2fc/0xa88
            [<000000000023baae>] handle_pte_fault+0x41a/0xac8
            [<000000000023d832>] handle_mm_fault+0x17a/0x268
            [<000000000060507a>] do_protection_exception+0x1e2/0x394
            [<0000000000603a04>] pgm_check_handler+0x138/0x13c
            [<000003fffcf1f07a>] 0x3fffcf1f07a
          Last Breaking-Event-Address:
            [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168
      
      Thanks to Jakub Jelinek for his insight on gcc and helping to
      track this down.
      Signed-off-by: NJan Stancek <jstancek@redhat.com>
      Acked-by: NDavid Rientjes <rientjes@google.com>
      Signed-off-by: NHugh Dickins <hughd@google.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      b6a9b7f6
  2. 04 4月, 2013 9 次提交
  3. 03 4月, 2013 19 次提交
  4. 02 4月, 2013 10 次提交
    • L
      Merge tag 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · 118c9a45
      Linus Torvalds 提交于
      Pull ARM SoC bug fixes from Arnd Bergmann:
       "After a quiet set of fixes for 3.9-rc4, a lot of people woke up and
        sent urgent fixes for 3.9.  I pushed back on a number of them that got
        deferred to 3.10, but these are the ones that seemed important.
      
        Regression in 3.9:
      
         - Multiple regressions in OMAP2+ clock cleanup
         - SH-Mobile frame buffer bug fix that merged here because of
           maintainer MIA
         - ux500 prcmu changes broke DT booting
         - MMCI duplicated regulator setup on ux500
         - New ux500 clock driver broke ethernet on snowball
         - Local interrupt driver for mvebu broke ethernet
         - MVEBU GPIO driver did not get set up right on Orion DT
         - incorrect interrupt number on Orion crypto for DT
      
        Long-standing bugs, including candidates for stable:
      
         - Kirkwood MMC needs to disable invalid card detect pins
         - MV SDIO pinmux was wrong on Mirabox
         - GoFlex Net board file needs to set NAND chip delay
         - MSM timer restart race
         - ep93xx early debug code broke in 3.7
         - i.MX CPU hotplug race
         - Incorrect clock setup for OMAP1 USB
         - Workaround for bad clock setup by some old OMAP4 boot loaders
         - Static I/O mappings on cns3xxx since 3.2"
      
      * tag 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
        ARM: cns3xxx: fix mapping of private memory region
        arm: mvebu: Fix pinctrl for Armada 370 Mirabox SDIO port.
        arm: orion5x: correct IRQ used in dtsi for mv_cesa
        arm: orion5x: fix orion5x.dtsi gpio parameters
        ARM: Kirkwood: fix unused mvsdio gpio pins
        arm: mvebu: Use local interrupt only for the timer 0
        ARM: kirkwood: Fix chip-delay for GoFlex Net
        ARM: ux500: Enable the clock controlling Ethernet on Snowball
        ARM: ux500: Stop passing ios_handler() as an MMCI power controlling call-back
        ARM: ux500: Apply the TCPM and TCDM locations and sizes to dbx5x0 DT
        fbdev: sh_mobile_lcdc: fixup B side hsync adjust settings
        ARM: OMAP: clocks: Delay clk inits atleast until slab is initialized
        ARM: imx: fix sync issue between imx_cpu_die and imx_cpu_kill
        ARM: msm: Stop counting before reprogramming clockevent
        ARM: ep93xx: Fix wait for UART FIFO to be empty
        ARM: OMAP4: PM: fix PM regression introduced by recent clock cleanup
        ARM: OMAP3: hwmod data: keep MIDLEMODE in force-standby for musb
        ARM: OMAP4: clock data: lock USB DPLL on boot
        ARM: OMAP1: fix USB host on 1710
      118c9a45
    • L
      Merge branch 'for-3.9' of git://linux-nfs.org/~bfields/linux · f8e9248d
      Linus Torvalds 提交于
      Pull nfsd bugfix from J Bruce Fields:
       "An xdr decoding error--thanks, Toralf Förster, and Trinity!"
      
      * 'for-3.9' of git://linux-nfs.org/~bfields/linux:
        nfsd4: reject "negative" acl lengths
      f8e9248d
    • A
      Merge tag 'v3.9-rc1_cns3xxx_fixes' of git://git.infradead.org/users/cbou/linux-cns3xxx into fixes · 06d1d8c8
      Arnd Bergmann 提交于
      From Anton Vorontsov <anton@enomsg.org>:
      
      This tag includes Mac Lin's work to revive CNS3xxx booting:
      
       "Since commit 0536bdf3 (ARM: move iotable mappings within the vmalloc
       region), [...] the pre-defined iotable mappings is not in the vmalloc
       region. [...] move the iotable mappings into the vmalloc region, and
       merge the MPCore private memory region (containing the SCU, the GIC and
       the TWD) as a single region."
      
      Plus there is a small cosmetic fix, also from Mac Lin.
      
      * tag 'v3.9-rc1_cns3xxx_fixes' of git://git.infradead.org/users/cbou/linux-cns3xxx:
        ARM: cns3xxx: fix mapping of private memory region
      
      [arnd: dropped the cosmetic fix from the merge as it is not needed for 3.9]
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      06d1d8c8
    • H
      s390/mm: provide emtpy check_pgt_cache() function · 765a0cac
      Heiko Carstens 提交于
      All architectures need to provide a check_pgt_cache() function. The s390 one
      got lost somewhere.
      So reintroduce it to prevent future compile errors e.g. if Thomas Gleixner's
      idle loop rework patches get merged.
      Signed-off-by: NHeiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: NMartin Schwidefsky <schwidefsky@de.ibm.com>
      765a0cac
    • H
      s390/uaccess: fix page table walk · ea81531d
      Heiko Carstens 提交于
      When translating user space addresses to kernel addresses the follow_table()
      function had two bugs:
      
      - PROT_NONE mappings could be read accessed via the kernel mapping. That is
        e.g. putting a filename into a user page, then protecting the page with
        PROT_NONE and afterwards issuing the "open" syscall with a pointer to
        the filename would incorrectly succeed.
      
      - when walking the page tables it used the pgd/pud/pmd/pte primitives which
        with dynamic page tables give no indication which real level of page tables
        is being walked (region2, region3, segment or page table). So in case of an
        exception the translation exception code passed to __handle_fault() is not
        necessarily correct.
        This is not really an issue since __handle_fault() doesn't evaluate the code.
        Only in case of e.g. a SIGBUS this code gets passed to user space. If user
        space can do something sane with the value is a different question though.
      
      To fix these issues don't use any Linux primitives. Only walk the page tables
      like the hardware would do it, however we leave quite some checks away since
      we know that we only have full size page tables and each index is within bounds.
      
      In theory this should fix all issues...
      Signed-off-by: NHeiko Carstens <heiko.carstens@de.ibm.com>
      Reviewed-by: NGerald Schaefer <gerald.schaefer@de.ibm.com>
      Signed-off-by: NMartin Schwidefsky <schwidefsky@de.ibm.com>
      ea81531d
    • L
      Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux · fefcdbe4
      Linus Torvalds 提交于
      Pull virtio fixes from Rusty Russell:
       "One reversion, a tiny leak fix, and a cc:stable locking fix, in two
        parts"
      
      * tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux:
        virtio: console: add locking around c_ovq operations
        virtio: console: rename cvq_lock to c_ivq_lock
        hw_random: free rng_buffer at module exit
        Revert "virtio_console: Initialize guest_connected=true for rproc_serial"
      fefcdbe4
    • A
      loop: prevent bdev freeing while device in use · c1681bf8
      Anatol Pomozov 提交于
      struct block_device lifecycle is defined by its inode (see fs/block_dev.c) -
      block_device allocated first time we access /dev/loopXX and deallocated on
      bdev_destroy_inode. When we create the device "losetup /dev/loopXX afile"
      we want that block_device stay alive until we destroy the loop device
      with "losetup -d".
      
      But because we do not hold /dev/loopXX inode its counter goes 0, and
      inode/bdev can be destroyed at any moment. Usually it happens at memory
      pressure or when user drops inode cache (like in the test below). When later in
      loop_clr_fd() we want to use bdev we have use-after-free error with following
      stack:
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000280
        bd_set_size+0x10/0xa0
        loop_clr_fd+0x1f8/0x420 [loop]
        lo_ioctl+0x200/0x7e0 [loop]
        lo_compat_ioctl+0x47/0xe0 [loop]
        compat_blkdev_ioctl+0x341/0x1290
        do_filp_open+0x42/0xa0
        compat_sys_ioctl+0xc1/0xf20
        do_sys_open+0x16e/0x1d0
        sysenter_dispatch+0x7/0x1a
      
      To prevent use-after-free we need to grab the device in loop_set_fd()
      and put it later in loop_clr_fd().
      
      The issue is reprodusible on current Linus head and v3.3. Here is the test:
      
        dd if=/dev/zero of=loop.file bs=1M count=1
        while [ true ]; do
          losetup /dev/loop0 loop.file
          echo 2 > /proc/sys/vm/drop_caches
          losetup -d /dev/loop0
        done
      
      [ Doing bdgrab/bput in loop_set_fd/loop_clr_fd is safe, because every
        time we call loop_set_fd() we check that loop_device->lo_state is
        Lo_unbound and set it to Lo_bound If somebody will try to set_fd again
        it will get EBUSY.  And if we try to loop_clr_fd() on unbound loop
        device we'll get ENXIO.
      
        loop_set_fd/loop_clr_fd (and any other loop ioctl) is called under
        loop_device->lo_ctl_mutex. ]
      Signed-off-by: NAnatol Pomozov <anatol.pomozov@gmail.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      c1681bf8
    • L
      Merge tag 'clk-fixes-for-linus' of git://git.linaro.org/people/mturquette/linux · aae92db9
      Linus Torvalds 提交于
      Pull tegra clock driver fix from Mike Turquette:
       "Missing base address in Tegra clock driver results in non-operational
        PCIe.  On some devices this means that Ethernet will go uninitialized
        and other devices will fail.  This pull request fixes it with a single
        patch to pass the proper base address in the Tegra clock driver."
      
      * tag 'clk-fixes-for-linus' of git://git.linaro.org/people/mturquette/linux:
        clk: tegra: Allow PLLE training to succeed
      aae92db9
    • L
      Merge tag 'for-3.9-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rwlove/fcoe · dc543f9e
      Linus Torvalds 提交于
      Pull FCoE fixes from Robert Love:
       "Critical patches to fix FCoE VN2VN mode with new interfaces targeting
        3.9-rc"
      
      * tag 'for-3.9-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rwlove/fcoe:
        libfcoe: Fix fcoe_sysfs VN2VN mode
        libfc, fcoe, bnx2fc: Split fc_disc_init into fc_disc_{init, config}
        libfc, fcoe, bnx2fc: Always use fcoe_disc_init for discovery layer initialization
        fcoe: Fix deadlock between create and destroy paths
        bnx2fc: Make the fcoe_cltr the SCSI host parent
      dc543f9e
    • T
      clk: tegra: Allow PLLE training to succeed · 0f1bc12e
      Thierry Reding 提交于
      Under some circumstances the PLLE needs to be retrained, in which case
      access to the PMC registers is required. Fix this by passing a pointer
      to the PMC registers instead of NULL when registering the PLLE clock.
      Signed-off-by: NThierry Reding <thierry.reding@avionic-design.de>
      Acked-By: NPeter De Schrijver <pdeschrijver@nvidia.com>
      Signed-off-by: NMike Turquette <mturquette@linaro.org>
      0f1bc12e
  5. 01 4月, 2013 1 次提交
新手
引导
客服 返回
顶部