summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2014-09-24serial: core: Privatize modem status enable flagsPeter Hurley3-13/+30
The serial core uses the tty port flags, ASYNC_CTS_FLOW and ASYNC_CD_CHECK, to track whether CTS and DCD changes should be ignored or handled. However, the tty port flags are not safe for atomic bit operations and no lock provides serialized updates. Introduce the struct uart_port status field to track CTS and DCD enable states, and serialize access with uart port lock. Substitute uart_cts_enabled() helper for tty_port_cts_enabled(). Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-09-24serial: core: Document and assert lock requirements for irq helpersPeter Hurley1-0/+8
The serial core provides two helper functions, uart_handle_dcd_change() and uart_handle_cts_change(), for UART drivers to use at interrupt time. The serial core expects the UART driver to hold the uart port lock when calling these helpers to prevent state corruption. If lockdep enabled, trigger a warning if the uart port lock is not held when calling these helper functions. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-09-24locking: Add WARN_ON_ONCE lock assertionPeter Hurley1-0/+5
An interface may need to assert a lock invariant and not flood the system logs; add a lockdep helper macro equivalent to lockdep_assert_held() which only WARNs once. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Acked-by: Ingo Molnar <mingo@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-09-20tty: serial_mctrl_gpio: Fix COMPILE_TEST build for architectures with custom ↵Alexander Shiyan1-1/+1
termios.h This patch fixes COMPILE_TEST build of serial_mctrl_gpio module for architectures with custom termios.h header. sparc64:allmodconfig: In file included from drivers/tty/serial/serial_mctrl_gpio.c:21:0: include/uapi/asm-generic/termios.h:22:8: error: redefinition of 'struct termio' ./arch/sparc/include/uapi/asm/termbits.h:16:8: note: originally defined here make[3]: *** [drivers/tty/serial/serial_mctrl_gpio.o] Error 1 Reported-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Alexander Shiyan <shc_work@mail.ru> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-09-15Merge 3.17-rc5 into tty-nextGreg Kroah-Hartman479-2803/+5412
We want those fixes in here as well. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-09-15Linux 3.17-rc5v3.17-rc5Linus Torvalds1-1/+1
2014-09-15Merge branch 'for-linus' of ↵Linus Torvalds3-23/+39
git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull vfs fixes from Al Viro: "double iput() on failure exit in lustre, racy removal of spliced dentries from ->s_anon in __d_materialise_dentry() plus a bunch of assorted RCU pathwalk fixes" The RCU pathwalk fixes end up fixing a couple of cases where we incorrectly dropped out of RCU walking, due to incorrect initialization and testing of the sequence locks in some corner cases. Since dropping out of RCU walk mode forces the slow locked accesses, those corner cases slowed down quite dramatically. * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: be careful with nd->inode in path_init() and follow_dotdot_rcu() don't bugger nd->seq on set_root_rcu() from follow_dotdot_rcu() fix bogus read_seqretry() checks introduced in b37199e move the call of __d_drop(anon) into __d_materialise_unique(dentry, anon) [fix] lustre: d_make_root() does iput() on dentry allocation failure
2014-09-15vfs: avoid non-forwarding large load after small store in path lookupLinus Torvalds2-9/+11
The performance regression that Josef Bacik reported in the pathname lookup (see commit 99d263d4c5b2 "vfs: fix bad hashing of dentries") made me look at performance stability of the dcache code, just to verify that the problem was actually fixed. That turned up a few other problems in this area. There are a few cases where we exit RCU lookup mode and go to the slow serializing case when we shouldn't, Al has fixed those and they'll come in with the next VFS pull. But my performance verification also shows that link_path_walk() turns out to have a very unfortunate 32-bit store of the length and hash of the name we look up, followed by a 64-bit read of the combined hash_len field. That screws up the processor store to load forwarding, causing an unnecessary hickup in this critical routine. It's caused by the ugly calling convention for the "hash_name()" function, and easily fixed by just making hash_name() fill in the whole 'struct qstr' rather than passing it a pointer to just the hash value. With that, the profile for this function looks much smoother. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-09-14Merge branch 'parisc-3.17-1' of ↵Linus Torvalds9-8/+280
git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux Pull parisc updates from Helge Deller: "The most important patch is a new Light Weigth Syscall (LWS) for 8, 16, 32 and 64 bit atomic CAS operations which is required in order to be able to implement the atomic gcc builtins on our platform. Other than that, we wire up the seccomp, getrandom and memfd_create syscalls, fixes a minor off-by-one bug and a wrong printk string" * 'parisc-3.17-1' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux: parisc: Implement new LWS CAS supporting 64 bit operations. parisc: Wire up seccomp, getrandom and memfd_create syscalls parisc: dino: fix %d confusingly prefixed with 0x in format string parisc: sys_hpux: NUL terminator is one past the end
2014-09-14be careful with nd->inode in path_init() and follow_dotdot_rcu()Al Viro1-2/+13
in the former we simply check if dentry is still valid after picking its ->d_inode; in the latter we fetch ->d_inode in the same places where we fetch dentry and its ->d_seq, under the same checks. Cc: stable@vger.kernel.org # 2.6.38+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2014-09-14don't bugger nd->seq on set_root_rcu() from follow_dotdot_rcu()Al Viro1-16/+17
return the value instead, and have path_init() do the assignment. Broken by "vfs: Fix absolute RCU path walk failures due to uninitialized seq number", which was Cc-stable with 2.6.38+ as destination. This one should go where it went. To avoid dummy value returned in case when root is already set (it would do no harm, actually, since the only caller that doesn't ignore the return value is guaranteed to have nd->root *not* set, but it's more obvious that way), lift the check into callers. And do the same to set_root(), to keep them in sync. Cc: stable@vger.kernel.org # 2.6.38+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2014-09-14Merge tag 'ntb-3.17' of git://github.com/jonmason/ntbLinus Torvalds2-3/+17
Pull ntb driver bugfixes from Jon Mason: "NTB driver fixes for queue spread and buffer alignment. Also, update to MAINTAINERS to reflect new e-mail address" * tag 'ntb-3.17' of git://github.com/jonmason/ntb: ntb: Add alignment check to meet hardware requirement MAINTAINERS: update NTB info NTB: correct the spread of queues over mw's
2014-09-14Merge branch 'irq-urgent-for-linus' of ↵Linus Torvalds4-22/+23
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull ARM irq chip fixes from Thomas Gleixner: "Another pile of ARM specific irq chip fixlets: - off by one bugs in the crossbar driver - missing annotations - a bunch of "make it compile" updates I pulled the lot today from Jason, but it has been in -next for at least a week" * 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: irqchip: gic-v3: Declare rdist as __percpu pointer to __iomem pointer irqchip: gic: Make gic_default_routable_irq_domain_ops static irqchip: exynos-combiner: Fix compilation error on ARM64 irqchip: crossbar: Off by one bugs in init irqchip: gic-v3: Tag all low level accessors __maybe_unused irqchip: gic-v3: Only define gic_peek_irq() when building SMP
2014-09-14Merge tag 'irqchip-urgent-3.17' of ↵Thomas Gleixner4-22/+23
git://git.infradead.org/users/jcooper/linux into irq/urgent irqchip fixes for v3.17 from Jason Cooper - GIC/GICV3: Various fixlets - crossbar: Fix off-by-one bug - exynos-combiner: Fix arm64 build error
2014-09-14ntb: Add alignment check to meet hardware requirementDave Jiang1-0/+13
The NTB translate register must have the value to be BAR size aligned. This alignment check make sure that the DMA memory allocated has the proper alignment. Another requirement for NTB to function properly with memory window BAR size greater or equal to 4M is to use the CMA feature in 3.16 kernel with the appropriate CONFIG_CMA_ALIGNMENT and CONFIG_CMA_SIZE_MBYTES set. Signed-off-by: Dave Jiang <dave.jiang@intel.com> Signed-off-by: Jon Mason <jdmason@kudzu.us>
2014-09-14MAINTAINERS: update NTB infoJon Mason1-1/+2
Update my contact info to my personal email address and add Dave Jiang. Signed-off-by: Jon Mason <jon.mason@intel.com> Signed-off-by: Dave Jiang <dave.jiang@intel.com>
2014-09-14NTB: correct the spread of queues over mw'sJon Mason1-2/+2
The detection of an uneven number of queues on the given memory windows was not correct. The mw_num is zero based and the mod should be division to spread them evenly over the mw's. Signed-off-by: Jon Mason <jon.mason@intel.com>
2014-09-14fix bogus read_seqretry() checks introduced in b37199eAl Viro1-2/+2
read_seqretry() returns true on mismatch, not on match... Cc: stable@vger.kernel.org # 3.15+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2014-09-14move the call of __d_drop(anon) into __d_materialise_unique(dentry, anon)Al Viro1-2/+6
and lock the right list there Cc: stable@vger.kernel.org Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2014-09-14[fix] lustre: d_make_root() does iput() on dentry allocation failureAl Viro1-1/+1
double-free is a bad thing Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2014-09-14Merge branches 'locking-urgent-for-linus' and 'timers-urgent-for-linus' of ↵Linus Torvalds4-48/+55
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull futex and timer fixes from Thomas Gleixner: "A oneliner bugfix for the jinxed futex code: - Drop hash bucket lock in the error exit path. I really could slap myself for intruducing that bug while fixing all the other horror in that code three month ago ... and the timer department is not too proud about the following fixes: - Deal with a long standing rounding bug in the timeval to jiffies conversion. It's a real issue and this fix fell through the cracks for quite some time. - Another round of alarmtimer fixes. Finally this code gets used more widely and the subtle issues hidden for quite some time are noticed and fixed. Nothing really exciting, just the itty bitty details which bite the serious users here and there" * 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: futex: Unlock hb->lock in futex_wait_requeue_pi() error path * 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: alarmtimer: Lock k_itimer during timer callback alarmtimer: Do not signal SIGEV_NONE timers alarmtimer: Return relative times in timer_gettime jiffies: Fix timeval conversion to jiffies
2014-09-14parisc: Implement new LWS CAS supporting 64 bit operations.Guy Martin1-4/+229
The current LWS cas only works correctly for 32bit. The new LWS allows for CAS operations of variable size. Signed-off-by: Guy Martin <gmsoft@tuxicoman.be> Cc: <stable@vger.kernel.org> # 3.13+ Signed-off-by: Helge Deller <deller@gmx.de>
2014-09-13vfs: fix bad hashing of dentriesLinus Torvalds2-4/+3
Josef Bacik found a performance regression between 3.2 and 3.10 and narrowed it down to commit bfcfaa77bdf0 ("vfs: use 'unsigned long' accesses for dcache name comparison and hashing"). He reports: "The test case is essentially for (i = 0; i < 1000000; i++) mkdir("a$i"); On xfs on a fio card this goes at about 20k dir/sec with 3.2, and 12k dir/sec with 3.10. This is because we spend waaaaay more time in __d_lookup on 3.10 than in 3.2. The new hashing function for strings is suboptimal for < sizeof(unsigned long) string names (and hell even > sizeof(unsigned long) string names that I've tested). I broke out the old hashing function and the new one into a userspace helper to get real numbers and this is what I'm getting: Old hash table had 1000000 entries, 0 dupes, 0 max dupes New hash table had 12628 entries, 987372 dupes, 900 max dupes We had 11400 buckets with a p50 of 30 dupes, p90 of 240 dupes, p99 of 567 dupes for the new hash My test does the hash, and then does the d_hash into a integer pointer array the same size as the dentry hash table on my system, and then just increments the value at the address we got to see how many entries we overlap with. As you can see the old hash function ended up with all 1 million entries in their own bucket, whereas the new one they are only distributed among ~12.5k buckets, which is why we're using so much more CPU in __d_lookup". The reason for this hash regression is two-fold: - On 64-bit architectures the down-mixing of the original 64-bit word-at-a-time hash into the final 32-bit hash value is very simplistic and suboptimal, and just adds the two 32-bit parts together. In particular, because there is no bit shuffling and the mixing boundary is also a byte boundary, similar character patterns in the low and high word easily end up just canceling each other out. - the old byte-at-a-time hash mixed each byte into the final hash as it hashed the path component name, resulting in the low bits of the hash generally being a good source of hash data. That is not true for the word-at-a-time case, and the hash data is distributed among all the bits. The fix is the same in both cases: do a better job of mixing the bits up and using as much of the hash data as possible. We already have the "hash_32|64()" functions to do that. Reported-by: Josef Bacik <jbacik@fb.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Christoph Hellwig <hch@infradead.org> Cc: Chris Mason <clm@fb.com> Cc: linux-fsdevel@vger.kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-09-13Make hash_64() use a 64-bit multiply when appropriateLinus Torvalds1-0/+4
The hash_64() function historically does the multiply by the GOLDEN_RATIO_PRIME_64 number with explicit shifts and adds, because unlike the 32-bit case, gcc seems unable to turn the constant multiply into the more appropriate shift and adds when required. However, that means that we generate those shifts and adds even when the architecture has a fast multiplier, and could just do it better in hardware. Use the now-cleaned-up CONFIG_ARCH_HAS_FAST_MULTIPLIER (together with "is it a 64-bit architecture") to decide whether to use an integer multiply or the explicit sequence of shift/add instructions. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-09-13Make ARCH_HAS_FAST_MULTIPLIER a real config variableLinus Torvalds5-6/+8
It used to be an ad-hoc hack defined by the x86 version of <asm/bitops.h> that enabled a couple of library routines to know whether an integer multiply is faster than repeated shifts and additions. This just makes it use the real Kconfig system instead, and makes x86 (which was the only architecture that did this) select the option. NOTE! Even for x86, this really is kind of wrong. If we cared, we would probably not enable this for builds optimized for netburst (P4), where shifts-and-adds are generally faster than multiplies. This patch does *not* change that kind of logic, though, it is purely a syntactic change with no code changes. This was triggered by the fact that we have other places that really want to know "do I want to expand multiples by constants by hand or not", particularly the hash generation code. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-09-13Merge tag 'dm-3.17-fix2' of ↵Linus Torvalds1-2/+2
git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm Pull device mapper fix from Mike Snitzer: "Fix a race in the DM cache target that caused dirty blocks to be marked as clean. This could cause no writeback to occur or spurious dirty block counts" * tag 'dm-3.17-fix2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm: dm cache: fix race causing dirty blocks to be marked as clean
2014-09-13Merge branch 'for-linus' of git://git.kernel.dk/linux-blockLinus Torvalds7-47/+123
Pull block fixes from Jens Axboe: "A small collection of fixes for the current rc series. This contains: - Two small blk-mq patches from Rob Elliott, cleaning up error case at init time. - A fix from Ming Lei, fixing SG merging for blk-mq where QUEUE_FLAG_SG_NO_MERGE is the default. - A dev_t minor lifetime fix from Keith, fixing an issue where a minor might be reused before all references to it were gone. - Fix from Alan Stern where an unbalanced queue bypass caused SCSI some headaches when it does a series of add/del on devices without fully registrering the queue. - A fix from me for improving the scaling of tag depth in blk-mq if we are short on memory" * 'for-linus' of git://git.kernel.dk/linux-block: blk-mq: scale depth and rq map appropriate if low on memory Block: fix unbalanced bypass-disable in blk_register_queue block: Fix dev_t minor allocation lifetime blk-mq: cleanup after blk_mq_init_rq_map failures blk-mq: pass along blk_mq_alloc_tag_set return values blk-merge: fix blk_recount_segments
2014-09-13Merge tag 'stable/for-linus-3.17-b-rc4-arm-tag' of ↵Linus Torvalds7-93/+220
git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip Pull Xen ARM bugfix from Stefano Stabellini: "The patches fix the "xen_add_mach_to_phys_entry: cannot add" bug that has been affecting xen on arm and arm64 guests since 3.16. They require a few hypervisor side changes that just went in xen-unstable. A couple of days ago David sent out a pull request with a few other Xen fixes (it is already in master). Sorry we didn't synchronized better among us" * tag 'stable/for-linus-3.17-b-rc4-arm-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip: xen/arm: remove mach_to_phys rbtree xen/arm: reimplement xen_dma_unmap_page & friends xen/arm: introduce XENFEAT_grant_map_identity
2014-09-13alarmtimer: Lock k_itimer during timer callbackRichard Larocque1-2/+8
Locks the k_itimer's it_lock member when handling the alarm timer's expiry callback. The regular posix timers defined in posix-timers.c have this lock held during timout processing because their callbacks are routed through posix_timer_fn(). The alarm timers follow a different path, so they ought to grab the lock somewhere else. Cc: stable@vger.kernel.org Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@kernel.org> Cc: Richard Cochran <richardcochran@gmail.com> Cc: Prarit Bhargava <prarit@redhat.com> Cc: Sharvil Nanavati <sharvil@google.com> Signed-off-by: Richard Larocque <rlarocque@google.com> Signed-off-by: John Stultz <john.stultz@linaro.org>
2014-09-13alarmtimer: Do not signal SIGEV_NONE timersRichard Larocque1-2/+4
Avoids sending a signal to alarm timers created with sigev_notify set to SIGEV_NONE by checking for that special case in the timeout callback. The regular posix timers avoid sending signals to SIGEV_NONE timers by not scheduling any callbacks for them in the first place. Although it would be possible to do something similar for alarm timers, it's simpler to handle this as a special case in the timeout. Prior to this patch, the alarm timer would ignore the sigev_notify value and try to deliver signals to the process anyway. Even worse, the sanity check for the value of sigev_signo is skipped when SIGEV_NONE was specified, so the signal number could be bogus. If sigev_signo was an unitialized value (as it often would be if SIGEV_NONE is used), then it's hard to predict which signal will be sent. Cc: stable@vger.kernel.org Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@kernel.org> Cc: Richard Cochran <richardcochran@gmail.com> Cc: Prarit Bhargava <prarit@redhat.com> Cc: Sharvil Nanavati <sharvil@google.com> Signed-off-by: Richard Larocque <rlarocque@google.com> Signed-off-by: John Stultz <john.stultz@linaro.org>
2014-09-13alarmtimer: Return relative times in timer_gettimeRichard Larocque1-7/+11
Returns the time remaining for an alarm timer, rather than the time at which it is scheduled to expire. If the timer has already expired or it is not currently scheduled, the it_value's members are set to zero. This new behavior matches that of the other posix-timers and the POSIX specifications. This is a change in user-visible behavior, and may break existing applications. Hopefully, few users rely on the old incorrect behavior. Cc: stable@vger.kernel.org Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@kernel.org> Cc: Richard Cochran <richardcochran@gmail.com> Cc: Prarit Bhargava <prarit@redhat.com> Cc: Sharvil Nanavati <sharvil@google.com> Signed-off-by: Richard Larocque <rlarocque@google.com> [jstultz: minor style tweak] Signed-off-by: John Stultz <john.stultz@linaro.org>
2014-09-13jiffies: Fix timeval conversion to jiffiesAndrew Hunter2-37/+31
timeval_to_jiffies tried to round a timeval up to an integral number of jiffies, but the logic for doing so was incorrect: intervals corresponding to exactly N jiffies would become N+1. This manifested itself particularly repeatedly stopping/starting an itimer: setitimer(ITIMER_PROF, &val, NULL); setitimer(ITIMER_PROF, NULL, &val); would add a full tick to val, _even if it was exactly representable in terms of jiffies_ (say, the result of a previous rounding.) Doing this repeatedly would cause unbounded growth in val. So fix the math. Here's what was wrong with the conversion: we essentially computed (eliding seconds) jiffies = usec * (NSEC_PER_USEC/TICK_NSEC) by using scaling arithmetic, which took the best approximation of NSEC_PER_USEC/TICK_NSEC with denominator of 2^USEC_JIFFIE_SC = x/(2^USEC_JIFFIE_SC), and computed: jiffies = (usec * x) >> USEC_JIFFIE_SC and rounded this calculation up in the intermediate form (since we can't necessarily exactly represent TICK_NSEC in usec.) But the scaling arithmetic is a (very slight) *over*approximation of the true value; that is, instead of dividing by (1 usec/ 1 jiffie), we effectively divided by (1 usec/1 jiffie)-epsilon (rounding down). This would normally be fine, but we want to round timeouts up, and we did so by adding 2^USEC_JIFFIE_SC - 1 before the shift; this would be fine if our division was exact, but dividing this by the slightly smaller factor was equivalent to adding just _over_ 1 to the final result (instead of just _under_ 1, as desired.) In particular, with HZ=1000, we consistently computed that 10000 usec was 11 jiffies; the same was true for any exact multiple of TICK_NSEC. We could possibly still round in the intermediate form, adding something less than 2^USEC_JIFFIE_SC - 1, but easier still is to convert usec->nsec, round in nanoseconds, and then convert using time*spec*_to_jiffies. This adds one constant multiplication, and is not observably slower in microbenchmarks on recent x86 hardware. Tested: the following program: int main() { struct itimerval zero = {{0, 0}, {0, 0}}; /* Initially set to 10 ms. */ struct itimerval initial = zero; initial.it_interval.tv_usec = 10000; setitimer(ITIMER_PROF, &initial, NULL); /* Save and restore several times. */ for (size_t i = 0; i < 10; ++i) { struct itimerval prev; setitimer(ITIMER_PROF, &zero, &prev); /* on old kernels, this goes up by TICK_USEC every iteration */ printf("previous value: %ld %ld %ld %ld\n", prev.it_interval.tv_sec, prev.it_interval.tv_usec, prev.it_value.tv_sec, prev.it_value.tv_usec); setitimer(ITIMER_PROF, &prev, NULL); } return 0; } Cc: stable@vger.kernel.org Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: Paul Turner <pjt@google.com> Cc: Richard Cochran <richardcochran@gmail.com> Cc: Prarit Bhargava <prarit@redhat.com> Reviewed-by: Paul Turner <pjt@google.com> Reported-by: Aaron Jacobs <jacobsa@google.com> Signed-off-by: Andrew Hunter <ahh@google.com> [jstultz: Tweaked to apply to 3.17-rc] Signed-off-by: John Stultz <john.stultz@linaro.org>
2014-09-13futex: Unlock hb->lock in futex_wait_requeue_pi() error pathThomas Gleixner1-0/+1
futex_wait_requeue_pi() calls futex_wait_setup(). If futex_wait_setup() succeeds it returns with hb->lock held and preemption disabled. Now the sanity check after this does: if (match_futex(&q.key, &key2)) { ret = -EINVAL; goto out_put_keys; } which releases the keys but does not release hb->lock. So we happily return to user space with hb->lock held and therefor preemption disabled. Unlock hb->lock before taking the exit route. Reported-by: Dave "Trinity" Jones <davej@redhat.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Darren Hart <dvhart@linux.intel.com> Reviewed-by: Davidlohr Bueso <dave@stgolabs.net> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: stable@vger.kernel.org Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1409112318500.4178@nanos Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
2014-09-12Merge tag 'char-misc-3.17-rc5' of ↵Linus Torvalds1-0/+5
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc Pull char/misc driver fix from Greg KH: "Here is one misc driver fix for 3.17-rc5. It resolves a kernel oops that can happen in the lattice FPGA driver if the firmware isn't present on the system. It's been in the linux-next tree for a while now" * tag 'char-misc-3.17-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: Lattice ECP3 FPGA: Check firmware pointer
2014-09-12Merge tag 'staging-3.17-rc5' of ↵Linus Torvalds3-2/+5
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging Pull staging driver fixes from Greg KH: "Here are 3 tiny staging driver fixes for 3.17-rc5. Two are fixes for the imx-drm driver, resolving issues that have been reported. The other is a memory leak fix for the Android sync driver, due to changes that went into 3.17-rc1. All have been in linux-next for a while" * tag 'staging-3.17-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: android: fix reference leak in sync_fence_create imx-drm: imx-ldb: fix NULL pointer in imx_ldb_unbind() imx-drm: ipuv3-plane: fix ipu_plane_dpms()
2014-09-12Merge tag 'tty-3.17-rc5' of ↵Linus Torvalds3-2/+44
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty Pull tty/serial fixes from Greg KH: "Here are 3 patches for 3.17-rc5. Two serial driver fixes that resolve some reported issues, and one new device id. All have been in linux-next just fine" * tag 'tty-3.17-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: tty: xuartps: Fix tx_emtpy() callback tty/serial: at91: BUG: disable interrupts when !UART_ENABLE_MS() serial: 8250_dw: Add ACPI ID for Intel Braswell
2014-09-12Merge tag 'usb-3.17-rc5' of ↵Linus Torvalds35-138/+389
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB fixes from Greg KH: "Here are some USB and PHY fixes for 3.17-rc5. Nothing major here, just a number of tiny fixes for reported issues, and some new device ids as well. All have been tested in linux-next" * tag 'usb-3.17-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (46 commits) xhci: fix oops when xhci resumes from hibernate with hw lpm capable devices usb: xhci: Fix OOPS in xhci error handling code xhci: Fix null pointer dereference if xhci initialization fails storage: Add single-LUN quirk for Jaz USB Adapter uas: Add missing le16_to_cpu calls to asm1051 / asm1053 usb-id check usb: chipidea: msm: Initialize PHY on reset event usb: chipidea: msm: Use USB PHY API to control PHY state usb: hub: take hub->hdev reference when processing from eventlist uas: Disable uas on ASM1051 devices usb: dwc2/gadget: avoid disabling ep0 usb: dwc2/gadget: delay enabling irq once hardware is configured properly usb: dwc2/gadget: do not call disconnect method in pullup usb: dwc2/gadget: break infinite loop in endpoint disable code usb: dwc2/gadget: fix phy initialization sequence usb: dwc2/gadget: fix phy disable sequence uwb: init beacon cache entry before registering uwb device USB: ftdi_sio: Add support for GE Healthcare Nemo Tracker device USB: document the 'u' flag for usb-storage quirks parameter usb: host: xhci: fix compliance mode workaround usb: dwc3: fix TRB completion when multiple TRBs are started ...
2014-09-12Merge tag 'nfs-for-3.17-4' of git://git.linux-nfs.org/projects/trondmy/linux-nfsLinus Torvalds4-36/+18
Pull NFS client fixes from Trond Myklebust: "Highlights: - fix a kernel warning when removing /proc/net/nfsfs - revert commit 49a4bda22e18 due to Oopses - fix a typo in the pNFS file layout commit code" * tag 'nfs-for-3.17-4' of git://git.linux-nfs.org/projects/trondmy/linux-nfs: pnfs: fix filelayout_retry_commit when idx > 0 nfs: revert "nfs4: queue free_lock_state job submission to nfsiod" nfs: fix kernel warning when removing proc entry
2014-09-12Merge branch 'for-linus' of ↵Linus Torvalds5-101/+203
git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs Pull btrfs fixes from Chris Mason: "Filipe is doing a careful pass through fsync problems, and these are the fixes so far. I'll have one more for rc6 that we're still testing. My big commit is fixing up some inode hash races that Al Viro found (thanks Al)" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs: Btrfs: use insert_inode_locked4 for inode creation Btrfs: fix fsync data loss after a ranged fsync Btrfs: kfree()ing ERR_PTRs Btrfs: fix crash while doing a ranged fsync Btrfs: fix corruption after write/fsync failure + fsync + log recovery Btrfs: fix autodefrag with compression
2014-09-12Merge tag 'arm64-fixes' of ↵Linus Torvalds3-8/+28
git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 fixes from Will Deacon: "Just a couple of stragglers here: - fix an issue migrating interrupts on CPU hotplug - fix a potential information leak of TLS registers across an exec (Nathan has sent a corresponding patch for arch/arm/ to rmk)" * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64: flush TLS registers during exec arm64: use irq_set_affinity with force=false when migrating irqs
2014-09-12Merge tag 'iommu-fixes-v3.17-rc4' of ↵Linus Torvalds4-61/+87
git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu Pull iommu fixes from Joerg Roedel: - two fixes for issues found by Coverity - various fixes for the ARM SMMU driver - a warning fix for the FSL PAMU driver * tag 'iommu-fixes-v3.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu: iommu/fsl: Fix warning resulting from adding PCI device twice iommu/arm-smmu: fix corner cases in address size calculations iommu/arm-smmu: fix decimal printf format specifiers prefixed with 0x iommu/arm-smmu: Do not access non-existing S2CR registers iommu/arm-smmu: fix s2cr and smr teardown on device detach from domain iommu/arm-smmu: remove pgtable_page_{c,d}tor() iommu/arm-smmu: fix programming of SMMU_CBn_TCR for stage 1 iommu/arm-smmu: avoid calling request_irq in atomic context iommu/vt-d: Check return value of acpi_bus_get_device() iommu/core: Make iommu_group_get_for_dev() more robust
2014-09-12Merge branch 'for-linus' of ↵Linus Torvalds1-1/+3
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security Pull assoc array garbage collection fix from James Morris. * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: KEYS: Fix termination condition in assoc array garbage collection
2014-09-12Merge tag 'fbdev-fixes-3.17' of ↵Linus Torvalds3-6/+4
git://git.kernel.org/pub/scm/linux/kernel/git/tomba/linux Pull fbdev fixes from Tomi Valkeinen: "Minor fixes for amba-clcd and video DT bindings" * tag 'fbdev-fixes-3.17' of git://git.kernel.org/pub/scm/linux/kernel/git/tomba/linux: video: ARM CLCD: Fix color model capabilities for DT platforms video: fix composite video connector compatible string
2014-09-12Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linuxLinus Torvalds15-262/+371
Pull drm fixes from Dave Airlie: "AST, i915, radeon and msm fixes, all over the place. All fixing build issues, regressions, oopses or failure to detect cards" * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: drm/ast: AST2000 cannot be detected correctly drm/ast: open key before detect chips drm/msm: don't crash if no msm.vram param drm/msm/hdmi: fix build break on non-CCF platforms drm/msm: Change nested function to static function drm/radeon/dpm: set the thermal type properly for special configs drm/radeon: reduce memory footprint for debugging drm/radeon: add connector quirk for fujitsu board drm/radeon: fix semaphore value init drm/radeon: only use me/pfp sync on evergreen+ drm/i915: Wait for vblank before enabling the TV encoder drm/i915: Evict CS TLBs between batches drm/i915: Fix irq enable tracking in driver load drm/i915: Fix EIO/wedged handling in gem fault handler drm/i915: Prevent recursive deadlock on releasing a busy userptr
2014-09-12KEYS: Fix termination condition in assoc array garbage collectionDavid Howells1-1/+3
This fixes CVE-2014-3631. It is possible for an associative array to end up with a shortcut node at the root of the tree if there are more than fan-out leaves in the tree, but they all crowd into the same slot in the lowest level (ie. they all have the same first nibble of their index keys). When assoc_array_gc() returns back up the tree after scanning some leaves, it can fall off of the root and crash because it assumes that the back pointer from a shortcut (after label ascend_old_tree) must point to a normal node - which isn't true of a shortcut node at the root. Should we find we're ascending rootwards over a shortcut, we should check to see if the backpointer is zero - and if it is, we have completed the scan. This particular bug cannot occur if the root node is not a shortcut - ie. if you have fewer than 17 keys in a keyring or if you have at least two keys that sit into separate slots (eg. a keyring and a non keyring). This can be reproduced by: ring=`keyctl newring bar @s` for ((i=1; i<=18; i++)); do last_key=`keyctl newring foo$i $ring`; done keyctl timeout $last_key 2 Doing this: echo 3 >/proc/sys/kernel/keys/gc_delay first will speed things up. If we do fall off of the top of the tree, we get the following oops: BUG: unable to handle kernel NULL pointer dereference at 0000000000000018 IP: [<ffffffff8136cea7>] assoc_array_gc+0x2f7/0x540 PGD dae15067 PUD cfc24067 PMD 0 Oops: 0000 [#1] SMP Modules linked in: xt_nat xt_mark nf_conntrack_netbios_ns nf_conntrack_broadcast ip6t_rpfilter ip6t_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables ip6table_ni CPU: 0 PID: 26011 Comm: kworker/0:1 Not tainted 3.14.9-200.fc20.x86_64 #1 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 Workqueue: events key_garbage_collector task: ffff8800918bd580 ti: ffff8800aac14000 task.ti: ffff8800aac14000 RIP: 0010:[<ffffffff8136cea7>] [<ffffffff8136cea7>] assoc_array_gc+0x2f7/0x540 RSP: 0018:ffff8800aac15d40 EFLAGS: 00010206 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8800aaecacc0 RDX: ffff8800daecf440 RSI: 0000000000000001 RDI: ffff8800aadc2bc0 RBP: ffff8800aac15da8 R08: 0000000000000001 R09: 0000000000000003 R10: ffffffff8136ccc7 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000070 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff88011fc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000000000018 CR3: 00000000db10d000 CR4: 00000000000006f0 Stack: ffff8800aac15d50 0000000000000011 ffff8800aac15db8 ffffffff812e2a70 ffff880091a00600 0000000000000000 ffff8800aadc2bc3 00000000cd42c987 ffff88003702df20 ffff88003702dfa0 0000000053b65c09 ffff8800aac15fd8 Call Trace: [<ffffffff812e2a70>] ? keyring_detect_cycle_iterator+0x30/0x30 [<ffffffff812e3e75>] keyring_gc+0x75/0x80 [<ffffffff812e1424>] key_garbage_collector+0x154/0x3c0 [<ffffffff810a67b6>] process_one_work+0x176/0x430 [<ffffffff810a744b>] worker_thread+0x11b/0x3a0 [<ffffffff810a7330>] ? rescuer_thread+0x3b0/0x3b0 [<ffffffff810ae1a8>] kthread+0xd8/0xf0 [<ffffffff810ae0d0>] ? insert_kthread_work+0x40/0x40 [<ffffffff816ffb7c>] ret_from_fork+0x7c/0xb0 [<ffffffff810ae0d0>] ? insert_kthread_work+0x40/0x40 Code: 08 4c 8b 22 0f 84 bf 00 00 00 41 83 c7 01 49 83 e4 fc 41 83 ff 0f 4c 89 65 c0 0f 8f 5a fe ff ff 48 8b 45 c0 4d 63 cf 49 83 c1 02 <4e> 8b 34 c8 4d 85 f6 0f 84 be 00 00 00 41 f6 c6 01 0f 84 92 RIP [<ffffffff8136cea7>] assoc_array_gc+0x2f7/0x540 RSP <ffff8800aac15d40> CR2: 0000000000000018 ---[ end trace 1129028a088c0cbd ]--- Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Don Zickus <dzickus@redhat.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
2014-09-12video: ARM CLCD: Fix color model capabilities for DT platformsPawel Moll1-3/+1
The DT-based panel capabilities selection was picking up a subset of available modes based on hardware configuration. This was wrong, as the capabilities describe available memory models and adapt the display controller to them that the RGB output is wired up correctly (as in: R and B components are not swapped). This patch fixes it by removing the unnecessary limitation. Signed-off-by: Pawel Moll <pawel.moll@arm.com> Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
2014-09-12drm/ast: AST2000 cannot be detected correctlyY.C. Chen1-1/+1
Type error and cause AST2000 cannot be detected correctly Signed-off-by: Y.C. Chen <yc_chen@aspeedtech.com> Reviewed-by: Egbert Eich <eich@suse.de> Cc: stable@vger.kernel.org Signed-off-by: Dave Airlie <airlied@redhat.com>
2014-09-12drm/ast: open key before detect chipsY.C. Chen1-0/+1
Some config settings like 3rd TX chips will not get correctly if the extended reg is protected Signed-off-by: Y.C. Chen <yc_chen@aspeedtech.com> Reviewed-by: Egbert Eich <eich@suse.de> Cc: stable@vger.kernel.org Signed-off-by: Dave Airlie <airlied@redhat.com>
2014-09-12Merge branch 'for-linus' of ↵Linus Torvalds3-123/+147
git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client Pull Ceph fixes from Sage Weil: "The main thing here is a set of three patches that fix a buffer overrun for large authentication tickets (sigh). There is also a trivial warning fix and an error path fix that are both regressions" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client: libceph: do not hard code max auth ticket len libceph: add process_one_ticket() helper libceph: gracefully handle large reply messages from the mon rbd: fix error return code in rbd_dev_device_setup() rbd: avoid format-security warning inside alloc_workqueue()
2014-09-12Merge tag 'stable/for-linus-3.17-b-rc4-tag' of ↵Linus Torvalds5-33/+22
git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip Pull Xen bug fixes from David Vrabel: - fix for PVHVM suspend/resume and migration - don't pointlessly retry certain ballooning ops - fix gntalloc when grefs have run out. - fix PV boot if KSALR is enable or very large modules are used. * tag 'stable/for-linus-3.17-b-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip: x86/xen: don't copy bogus duplicate entries into kernel page tables xen/gntalloc: safely delete grefs in add_grefs() undo path xen/gntalloc: fix oops after runnning out of grant refs xen/balloon: cancel ballooning if adding new memory failed xen/manage: Always freeze/thaw processes when suspend/resuming