- Dec 16, 2013
-
-
Steven Rostedt (Red Hat) authored
-
Sebastian Siewior authored
neigh_priv_len is defined as u8. With all debug enabled struct ipoib_neigh has 200 bytes. The largest part is sk_buff_head with 96 bytes and here the spinlock with 72 bytes. The size value still fits in this u8 leaving some room for more. On -RT struct ipoib_neigh put on weight and has 392 bytes. The main reason is sk_buff_head with 288 and the fatty here is spinlock with 192 bytes. This does no longer fit into into neigh_priv_len and gcc complains. This patch changes neigh_priv_len from being 8bit to 16bit. Since the following element (dev_id) is 16bit followed by a spinlock which is aligned, the struct remains with a total size of 3200 (allmodconfig) / 2048 (with as much debug off as possible) bytes on x86-64. On x86-32 the struct is 1856 (allmodconfig) / 1216 (with as much debug off as possible) bytes long. The numbers were gained with and without the patch to prove that this change does not increase the size of the struct. Cc: Steven Rostedt <rostedt@goodmis.org> Cc: Thomas Gleixner <tglx@linutronix.de> Signed-off-by:
Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Steven Rostedt <rostedt@goodmis.org>
-
- Dec 11, 2013
-
-
Sebastian Andrzej Siewior authored
Mike Galbraith captered the following: | >#11 [ffff88017b243e90] _raw_spin_lock at ffffffff815d2596 | >#12 [ffff88017b243e90] rt_mutex_trylock at ffffffff815d15be | >#13 [ffff88017b243eb0] get_next_timer_interrupt at ffffffff81063b42 | >#14 [ffff88017b243f00] tick_nohz_stop_sched_tick at ffffffff810bd1fd | >#15 [ffff88017b243f70] tick_nohz_irq_exit at ffffffff810bd7d2 | >#16 [ffff88017b243f90] irq_exit at ffffffff8105b02d | >#17 [ffff88017b243fb0] reschedule_interrupt at ffffffff815db3dd | >--- <IRQ stack> --- | >#18 [ffff88017a2a9bc8] reschedule_interrupt at ffffffff815db3dd | > [exception RIP: task_blocks_on_rt_mutex+51] | >#19 [ffff88017a2a9ce0] rt_spin_lock_slowlock at ffffffff815d183c | >#20 [ffff88017a2a9da0] lock_timer_base.isra.35 at ffffffff81061cbf | >#21 [ffff88017a2a9dd0] schedule_timeout at ffffffff815cf1ce | >#22 [ffff88017a2a9e50] rcu_gp_kthread at ffffffff810f9bbb | >#23 [ffff88017a2a9ed0] kthread at ffffffff810796d5 | >#24 [ffff88017a2a9f50] ret_from_fork at ffffffff815da04c lock_timer_base() does a try_lock() which deadlocks on the waiter lock not the lock itself. This patch takes the waiter_lock with trylock so it should work from interrupt context as well. If the fastpath doesn't work and the waiter_lock itself is taken then it seems that the lock itself taken. This patch also adds a "rt_spin_try_unlock" to keep lockdep happy. If we managed to take the wait_lock in the first place we should also be able to take it in the unlock path. Cc: stable-rt@vger.kernel.org Reported-by:
Mike Galbraith <bitbucket@online.de> Signed-off-by:
-
Peter Zijlstra authored
There was a reported deadlock on -rt which lockdep didn't report. It turns out that in irq_exit() we tell lockdep that the hardirq context ends and then do all kinds of locking afterwards. To fix it, move trace_hardirq_exit() to the very end of irq_exit(), this ensures all locking in tick_irq_exit() and rcu_irq_exit() are properly recorded as happening from hardirq context. This however leads to the 'fun' little problem of running softirqs while in hardirq context. To cure this make the softirq code a little more complex (in the CONFIG_TRACE_IRQFLAGS case). Due to stack swizzling arch dependent trickery we cannot pass an argument to __do_softirq() to tell it if it was done from hardirq context or not; so use a side-band argument. When we do __do_softirq() from hardirq context, 'atomically' flip to softirq context and back, so that no locking goes without being in either hard- or soft-irq context. I didn't find any new problems in mainline using this patch, but it did show the -rt problem. Cc: stable-rt@vger.kernel.org Reported-by:
Peter Zijlstra <peterz@infradead.org> Link: http://lkml.kernel.org/n/tip-dgwc5cdksbn0jk09vbmcc9sa@git.kernel.org Signed-off-by:
Ingo Molnar <mingo@kernel.org> Signed-off-by:
-
Sebastian Andrzej Siewior authored
The wait-simple queue is lighter weight and more efficient than the full wait queue, and may be used in atomic context on PREEMPT_RT. Fix up some places that needed to call the swait_*() functions instead of the wait_*() functions. Cc: stable-rt@vger.kernel.org Signed-off-by:
-
- Dec 10, 2013
-
-
Tiejun Chen authored
Commit 08c1ab68 , "hotplug-use-migrate-disable.patch", intends to use migrate_enable()/migrate_disable() to replace that combination of preempt_enable() and preempt_disable(), but actually in !CONFIG_PREEMPT_RT_FULL case, migrate_enable()/migrate_disable() are still equal to preempt_enable()/preempt_disable(). So that followed cpu_hotplug_begin()/cpu_unplug_begin(cpu) would go schedule() to trigger schedule_debug() like this: _cpu_down() | + migrate_disable() = preempt_disable() | + cpu_hotplug_begin() or cpu_unplug_begin() | + schedule() | + __schedule() | + preempt_disable(); | + __schedule_bug() is true! So we should move migrate_enable() as the original scheme. Cc: stable-rt@vger.kernel.org Signed-off-by:
Tiejun Chen <tiejun.chen@windriver.com> Signed-off-by:
-
- Dec 02, 2013
-
-
Steven Rostedt (Red Hat) authored
-
- Nov 20, 2013
-
-
Sebastian Andrzej Siewior authored
Luis captured the following: | BUG: sleeping function called from invalid context at kernel/rtmutex.c:659 | in_atomic(): 1, irqs_disabled(): 0, pid: 517, name: Xorg | 2 locks held by Xorg/517: | #0: | ( | &dev->vbl_lock | ){......} | , at: | [<ffffffffa0024c60>] drm_vblank_get+0x30/0x2b0 [drm] | #1: | ( | &dev->vblank_time_lock | ){......} | , at: | [<ffffffffa0024ce1>] drm_vblank_get+0xb1/0x2b0 [drm] | Preemption disabled at: | [<ffffffffa008bc95>] i915_get_vblank_timestamp+0x45/0xa0 [i915] | CPU: 3 PID: 517 Comm: Xorg Not tainted 3.10.10-rt7+ #5 | Call Trace: | [<ffffffff8164b790>] dump_stack+0x19/0x1b | [<ffffffff8107e62f>] __might_sleep+0xff/0x170 | [<ffffffff81651ac4>] rt_spin_lock+0x24/0x60 | [<ffffffffa0084e67>] i915_read32+0x27/0x170 [i915] | [<ffffffffa008a591>] i915_pipe_enabled+0x31/0x40 [i915] | [<ffffffffa008a6be>] i915_get_crtc_scanoutpos+0x3e/0x1b0 [i915] | [<ffffffffa00245d4>] drm_calc_vbltimestamp_from_scanoutpos+0xf4/0x430 [drm] | [<ffffffffa008bc95>] i915_get_vblank_timestamp+0x45/0xa0 [i915] | [<ffffffffa0024998>] drm_get_last_vbltimestamp+0x48/0x70 [drm] | [<ffffffffa0024db5>] drm_vblank_get+0x185/0x2b0 [drm] | [<ffffffffa0025d03>] drm_wait_vblank+0x83/0x5d0 [drm] | [<ffffffffa00212a2>] drm_ioctl+0x552/0x6a0 [drm] | [<ffffffff811a0095>] do_vfs_ioctl+0x325/0x5b0 | [<ffffffff811a03a1>] SyS_ioctl+0x81/0xa0 | [<ffffffff8165a342>] tracesys+0xdd/0xe2 After a longer thread it was decided to drop the preempt_disable()/ enable() invocations which were meant for -RT and Mario Kleiner looks for a replacement. Cc: stable-rt@vger.kernel.org Reported-By:Luis Claudio R. Goncalves <lclaudio@uudg.org> Signed-off-by:
-
Yang Shi authored
The following trace is triggered when running ltp oom test cases: BUG: sleeping function called from invalid context at kernel/rtmutex.c:659 in_atomic(): 1, irqs_disabled(): 0, pid: 17188, name: oom03 Preemption disabled at:[<ffffffff8112ba70>] mem_cgroup_reclaim+0x90/0xe0 CPU: 2 PID: 17188 Comm: oom03 Not tainted 3.10.10-rt3 #2 Hardware name: Intel Corporation Calpella platform/MATXM-CORE-411-B, BIOS 4.6.3 08/18/2010 ffff88007684d730 ffff880070df9b58 ffffffff8169918d ffff880070df9b70 ffffffff8106db31 ffff88007688b4a0 ffff880070df9b88 ffffffff8169d9c0 ffff88007688b4a0 ffff880070df9bc8 ffffffff81059da1 0000000170df9bb0 Call Trace: [<ffffffff8169918d>] dump_stack+0x19/0x1b [<ffffffff8106db31>] __might_sleep+0xf1/0x170 [<ffffffff8169d9c0>] rt_spin_lock+0x20/0x50 [<ffffffff81059da1>] queue_work_on+0x61/0x100 [<ffffffff8112b361>] drain_all_stock+0xe1/0x1c0 [<ffffffff8112ba70>] mem_cgroup_reclaim+0x90/0xe0 [<ffffffff8112beda>] __mem_cgroup_try_charge+0x41a/0xc40 [<ffffffff810f1c91>] ? release_pages+0x1b1/0x1f0 [<ffffffff8106f200>] ? sched_exec+0x40/0xb0 [<ffffffff8112cc87>] mem_cgroup_charge_common+0x37/0x70 [<ffffffff8112e2c6>] mem_cgroup_newpage_charge+0x26/0x30 [<ffffffff8110af68>] handle_pte_fault+0x618/0x840 [<ffffffff8103ecf6>] ? unpin_current_cpu+0x16/0x70 [<ffffffff81070f94>] ? migrate_enable+0xd4/0x200 [<ffffffff8110cde5>] handle_mm_fault+0x145/0x1e0 [<ffffffff810301e1>] __do_page_fault+0x1a1/0x4c0 [<ffffffff8169c9eb>] ? preempt_schedule_irq+0x4b/0x70 [<ffffffff8169e3b7>] ? retint_kernel+0x37/0x40 [<ffffffff8103053e>] do_page_fault+0xe/0x10 [<ffffffff8169e4c2>] page_fault+0x22/0x30 So, to prevent schedule_work_on from being called in preempt disabled context, replace the pair of get/put_cpu() to get/put_cpu_light(). Cc: stable-rt@vger.kernel.org Signed-off-by:
Yang Shi <yang.shi@windriver.com> Signed-off-by:
-
Sebastian Andrzej Siewior authored
You can get this backtrace: | ============================================================================= | BUG dentry (Not tainted): Padding overwritten. 0xf15e1ec0-0xf15e1f1f | ----------------------------------------------------------------------------- | | Disabling lock debugging due to kernel taint | INFO: Slab 0xf6f10b00 objects=21 used=0 fp=0xf15e0480 flags=0x2804080 | CPU: 6 PID: 1 Comm: systemd Tainted: G B 3.10.17-rt12+ #197 | Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 | f6f10b00 f6f10b00 f20a3be8 c149da9e f20a3c74 c110b0d6 c15e010c f6f10b00 | 00000015 00000000 f15e0480 02804080 64646150 20676e69 7265766f 74697277 | 2e6e6574 66783020 31653531 2d306365 31667830 66316535 00006631 00000046 | Call Trace: | [<c149da9e>] dump_stack+0x16/0x18 | [<c110b0d6>] slab_err+0x76/0x80 | [<c110c231>] ? deactivate_slab+0x3f1/0x4a0 | [<c110c231>] ? deactivate_slab+0x3f1/0x4a0 | [<c110b56f>] slab_pad_check.part.54+0xbf/0x150 | [<c110ba04>] __free_slab+0x124/0x130 | [<c149bb79>] ? __slab_alloc.constprop.69+0x27b/0x5d3 | [<c110ba39>] free_delayed+0x29/0x40 | [<c149bec5>] __slab_alloc.constprop.69+0x5c7/0x5d3 | [<c1126062>] ? __d_alloc+0x22/0x150 | [<c1126062>] ? __d_alloc+0x22/0x150 | [<c11265b0>] ? __d_lookup_rcu+0x160/0x160 | [<c110d912>] kmem_cache_alloc+0x162/0x190 | [<c112668b>] ? __d_lookup+0xdb/0x1d0 | [<c1126062>] ? __d_alloc+0x22/0x150 | [<c1126062>] __d_alloc+0x22/0x150 | [<c11261a5>] d_alloc+0x15/0x60 | [<c111aec1>] lookup_dcache+0x71/0xa0 | [<c111af0e>] __lookup_hash+0x1e/0x40 | [<c111b374>] lookup_slow+0x34/0x90 | [<c111c3c7>] link_path_walk+0x737/0x780 | [<c111a3d4>] ? path_get+0x24/0x40 | [<c111a3df>] ? path_get+0x2f/0x40 | [<c111bfb2>] link_path_walk+0x322/0x780 | [<c111e3ed>] path_openat.isra.54+0x7d/0x400 | [<c111f32b>] do_filp_open+0x2b/0x70 | [<c11110a2>] do_sys_open+0xe2/0x1b0 | [<c14a319f>] ? restore_all+0xf/0xf | [<c102bb80>] ? vmalloc_sync_all+0x10/0x10 | [<c1111192>] SyS_open+0x22/0x30 | [<c14a393e>] sysenter_do_call+0x12/0x36 | Padding f15e1de0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ | Padding f15e1df0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ | Padding f15e1e00: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk | Padding f15e1e10: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk | Padding f15e1e20: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk | Padding f15e1e30: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk | Padding f15e1e40: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk | Padding f15e1e50: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk | Padding f15e1e60: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk | Padding f15e1e70: 6b 6b 6b 6b 6b 6b 6b a5 bb bb bb bb 80 01 5e f1 kkkkkkk.......^. | Padding f15e1e80: 53 7e 0d c1 c3 bd 49 c1 12 d9 10 c1 53 7e 0d c1 S~....I.....S~.. | Padding f15e1e90: 60 7f 0d c1 e0 05 14 c1 ce d1 13 c1 96 d4 13 c1 `............... | Padding f15e1ea0: e9 e0 13 c1 f7 48 17 c1 13 6a 17 c1 41 fb 17 c1 .....H...j..A... | Padding f15e1eb0: 07 a4 11 c1 22 af 11 c1 74 b3 11 c1 06 d2 11 c1 ...."...t....... | Padding f15e1ec0: c6 d2 11 c1 06 00 00 00 01 00 00 00 f3 dc fe ff ................ | Padding f15e1ed0: 73 7e 0d c1 5d b4 49 c1 ec c4 10 c1 73 7e 0d c1 s~..].I.....s~.. | Padding f15e1ee0: 50 83 0d c1 79 09 14 c1 fd b9 13 c1 5a f2 13 c1 P...y.......Z... | Padding f15e1ef0: 7b 1c 28 c1 03 20 28 c1 9e 25 28 c1 b3 26 28 c1 {.(.. (..%(..&(. | Padding f15e1f00: f4 ab 34 c1 bc 89 30 c1 e5 0d 0a c1 c1 0f 0a c1 ..4...0......... | Padding f15e1f10: ae 34 0a c1 00 00 00 00 00 00 00 00 f3 dc fe ff .4.............. | FIX dentry: Restoring 0xf15e1de0-0xf15e1f1f=0x5a | | ============================================================================= | BUG dentry (Tainted: G B ): Redzone overwritten | ----------------------------------------------------------------------------- | | INFO: 0xf15e009c-0xf15e009f. First byte 0x96 instead of 0xbb | INFO: Allocated in __ext4_get_inode_loc+0x3b7/0x460 age=1054261382 cpu=3239295485 pid=-1055657382 | ext4_iget+0x63/0x9c0 | ext4_lookup+0x71/0x180 | lookup_real+0x17/0x40 | do_last.isra.53+0x72b/0xbc0 | path_openat.isra.54+0x9d/0x400 | do_filp_open+0x2b/0x70 | do_sys_open+0xe2/0x1b0 | 0x7 | 0x1 | 0xfffedcf2 | mempool_free_slab+0x13/0x20 | __slab_free+0x3d/0x3ae | kmem_cache_free+0x1bc/0x1d0 | mempool_free_slab+0x13/0x20 | mempool_free+0x40/0x90 | bio_put+0x59/0x70 | INFO: Freed in blk_update_bidi_request+0x13/0x70 age=2779021993 cpu=1515870810 pid=1515870810 | __blk_end_bidi_request+0x1e/0x50 | __blk_end_request_all+0x23/0x40 | virtblk_done+0xf4/0x260 | vring_interrupt+0x2c/0x50 | handle_irq_event_percpu+0x45/0x1f0 | handle_irq_event+0x31/0x50 | handle_edge_irq+0x6e/0x130 | 0x5 | INFO: Slab 0xf6f10b00 objects=21 used=0 fp=0xf15e0480 flags=0x2804080 | INFO: Object 0xf15e0000 @offset=0 fp=0xc113e0e9 If you try to free memory in irqs_disabled(). This is then added to the slub_free_list list. The following allocation then might be from a different kmem_cache. If the two caches have a different SLAB_DEBUG_FLAGS then one might complain about bad bad marker which are actually not used. Cc: stable-rt@vger.kernel.org Signed-off-by: -
Mike Galbraith authored
If the user specified a threshold at module load time, use it. Cc: stable-rt@vger.kernel.org Acked-by:
-
Wolfram Sang authored
This more or less reverts commit 6391f697 . Instead of adding an unneeded 'default', mark the variable to prevent the false positive 'uninitialized var'. The other change (fixing the printout) needs revert, too. We want to know WHICH critical irq failed, not which level it had. Signed-off-by:
Wolfram Sang <wsa@the-dreams.de> Cc: stable-rt@vger.kernel.org Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Cc: Anatolij Gustschin <agust@denx.de> Signed-off-by:
-
Thomas Pfaff authored
In commit ee238713 ("genirq: Set irq thread to RT priority on creation") we moved the assigment of the thread's priority from the thread's function into __setup_irq(). That function may run in user context for instance if the user opens an UART node and then driver calls requests in the ->open() callback. That user may not have CAP_SYS_NICE and so the irq thread won't run with the SCHED_OTHER policy. This patch uses sched_setscheduler_nocheck() so we omit the CAP_SYS_NICE check which is otherwise required for the SCHED_OTHER policy. Cc: Ivo Sieben <meltedpianoman@gmail.com> Cc: stable@vger.kernel.org Cc: stable-rt@vger.kernel.org Signed-off-by:
Thomas Pfaff <tpfaff@pcs.com> Signed-off-by:
-
- Nov 19, 2013
-
-
Steven Rostedt (Red Hat) authored
-
Steven Rostedt (Red Hat) authored
v3.8.13.13
-
Steven Rostedt (Red Hat) authored
-
Steven Rostedt (Red Hat) authored
v3.8.13.12 Conflicts: init/main.c
-
Steven Rostedt (Red Hat) authored
-
Steven Rostedt (Red Hat) authored
v3.8.13.11
-
Steven Rostedt (Red Hat) authored
-
Steven Rostedt (Red Hat) authored
v3.8.13.10 Conflicts: mm/swap.c
-
- Nov 13, 2013
-
-
Kamal Mostafa authored
Signed-off-by:Kamal Mostafa <kamal@canonical.com>
-
- Nov 08, 2013
-
-
David Vrabel authored
commit dc62ccac upstream. If a guest is destroyed without transitioning its frontend to CLOSED, the domain becomes a zombie as netback was not grant unmapping the shared rings. When removing a VIF, transition the backend to CLOSED so the VIF is disconnected if necessary (which will unmap the shared rings etc). This fixes a regression introduced by 279f438e (xen-netback: Don't destroy the netdev until the vif is shut down). Signed-off-by:
David Vrabel <david.vrabel@citrix.com> Cc: Ian Campbell <ian.campbell@citrix.com> Cc: Wei Liu <wei.liu2@citrix.com> Cc: Paul Durrant <Paul.Durrant@citrix.com> Acked-by:
Wei Liu <wei.liu2@citrix.com> Reviewed-by:
Paul Durrant <paul.durrant@citrix.com> Signed-off-by:
-
Paul Durrant authored
commit ea732dff upstream. When the frontend state changes netback now specifies its desired state to a new function, set_backend_state(), which transitions through any necessary intermediate states. This fixes an issue observed with some old Windows frontend drivers where they failed to transition through the Closing state and netback would not behave correctly. Signed-off-by:
Ian Campbell <ian.campbell@citrix.com> Signed-off-by:
-
- Nov 07, 2013
-
-
Ming Lei authored
commit f6537f2f upstream. This patch uses CONFIG_PAGE_OFFSET to filter symbols which are not in kernel address space because these symbols are generally for generating code purpose and can't be run at kernel mode, so we needn't keep them in /proc/kallsyms. For example, on ARM there are some symbols which may be linked in relocatable code section, then perf can't parse symbols any more from /proc/kallsyms, this patch fixes the problem (introduced b9b32bf7 ) Cc: Russell King <linux@arm.linux.org.uk> Cc: linux-arm-kernel@lists.infradead.org Cc: Michal Marek <mmarek@suse.cz> Signed-off-by:
Ming Lei <tom.leiming@gmail.com> Signed-off-by:
Rusty Russell <rusty@rustcorp.com.au> Signed-off-by:
-
Ming Lei authored
commit 3d77b50c upstream. Commit b1adaf65 ("[SCSI] block: add sg buffer copy helper functions") introduces two sg buffer copy helpers, and calls flush_kernel_dcache_page() on pages in SG list after these pages are written to. Unfortunately, the commit may introduce a potential bug: - Before sending some SCSI commands, kmalloc() buffer may be passed to block layper, so flush_kernel_dcache_page() can see a slab page finally - According to cachetlb.txt, flush_kernel_dcache_page() is only called on "a user page", which surely can't be a slab page. - ARCH's implementation of flush_kernel_dcache_page() may use page mapping information to do optimization so page_mapping() will see the slab page, then VM_BUG_ON() is triggered. Aaro Koskinen reported the bug on ARM/kirkwood when DEBUG_VM is enabled, and this patch fixes the bug by adding test of '!PageSlab(miter->page)' before calling flush_kernel_dcache_page(). Signed-off-by:
Ming Lei <ming.lei@canonical.com> Reported-by:
Aaro Koskinen <aaro.koskinen@iki.fi> Tested-by:
Simon Baatz <gmbnomis@gmail.com> Cc: Russell King - ARM Linux <linux@arm.linux.org.uk> Cc: Will Deacon <will.deacon@arm.com> Cc: Aaro Koskinen <aaro.koskinen@iki.fi> Acked-by:
Catalin Marinas <catalin.marinas@arm.com> Cc: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp> Cc: Tejun Heo <tj@kernel.org> Cc: "James E.J. Bottomley" <JBottomley@parallels.com> Cc: Jens Axboe <axboe@kernel.dk> Signed-off-by:
Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by:
-
Russell King authored
commit a4461f41 upstream. Unable to handle kernel NULL pointer dereference at virtual address 00000008 pgd = d5300000 [00000008] *pgd=0d265831, *pte=00000000, *ppte=00000000 Internal error: Oops: 17 [#1] PREEMPT ARM CPU: 0 PID: 2295 Comm: vlc Not tainted 3.11.0+ #755 task: dee74800 ti: e213c000 task.ti: e213c000 PC is at snd_pcm_info+0xc8/0xd8 LR is at 0x30232065 pc : [<c031b52c>] lr : [<30232065>] psr: a0070013 sp : e213dea8 ip : d81cb0d0 fp : c05f7678 r10: c05f7770 r9 : fffffdfd r8 : 00000000 r7 : d8a968a8 r6 : d8a96800 r5 : d8a96200 r4 : d81cb000 r3 : 00000000 r2 : d81cb000 r1 : 00000001 r0 : d8a96200 Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 10c5387d Table: 15300019 DAC: 00000015 Process vlc (pid: 2295, stack limit = 0xe213c248) [<c031b52c>] (snd_pcm_info) from [<c031b570>] (snd_pcm_info_user+0x34/0x9c) [<c031b570>] (snd_pcm_info_user) from [<c03164a4>] (snd_pcm_control_ioctl+0x274/0x280) [<c03164a4>] (snd_pcm_control_ioctl) from [<c0311458>] (snd_ctl_ioctl+0xc0/0x55c) [<c0311458>] (snd_ctl_ioctl) from [<c00eca84>] (do_vfs_ioctl+0x80/0x31c) [<c00eca84>] (do_vfs_ioctl) from [<c00ecd5c>] (SyS_ioctl+0x3c/0x60) [<c00ecd5c>] (SyS_ioctl) from [<c000e500>] (ret_fast_syscall+0x0/0x48) Code: e1a00005 e59530dc e3a01001 e1a02004 (e5933008) ---[ end trace cb3d9bdb8dfefb3c ]--- This is provoked when the ASoC front end is open along with its backend, (which causes the backend to have a runtime assigned to it) and then the SNDRV_CTL_IOCTL_PCM_INFO is requested for the (visible) backend device. Resolve this by ensuring that ASoC internal backend devices are not visible to userspace, just as the commentry for snd_pcm_new_internal() says it should be. Signed-off-by:
Russell King <rmk+kernel@arm.linux.org.uk> Acked-by:
Mark Brown <broonie@linaro.org> Signed-off-by:
Takashi Iwai <tiwai@suse.de> Signed-off-by:
-
Dan Carpenter authored
commit a8b33654 upstream. The icount.reserved[] array isn't initialized so it leaks stack information to userspace. Reported-by:
Nico Golde <nico@ngolde.de> Reported-by:
Fabian Yamaguchi <fabs@goesec.de> Signed-off-by:
Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:
-
Dan Carpenter authored
commit 8d1e7225 upstream. The DevInfo.u32Reserved[] array isn't initialized so it leaks kernel information to user space. Reported-by:
-
Dan Carpenter authored
commit b5e2f339 upstream. We need to check the length parameter before doing the memcpy(). I've actually changed it to strlcpy() as well so that it's NUL terminated. You need CAP_NET_ADMIN to trigger these so it's not the end of the world. Reported-by:
-
Dan Carpenter authored
commit f856567b upstream. In commit d496f94d ('[SCSI] aacraid: fix security weakness') we added a check on CAP_SYS_RAWIO to the ioctl. The compat ioctls need the check as well. Signed-off-by:
-
Dan Carpenter authored
commit c2c65cd2 upstream. We need to check "count" so we don't overflow the ei->data buffer. Reported-by:
-
Dan Carpenter authored
commit 201f99f1 upstream. We don't cap the size of buffer from the user so we could write past the end of the array here. Only root can write to this file. Reported-by:
-
Takashi Iwai authored
commit 268ff145 upstream. Spotted by coverity CID 115170. Signed-off-by:
-
Takashi Iwai authored
commit 6fc16e58 upstream. ASUS N76VZ needs the same fixup as N56VZ for supporting the boost speaker. Bugzilla: https://bugzilla.novell.com/show_bug.cgi?id=846529 Signed-off-by:
-
Linus Torvalds authored
commit 7314e613 upstream. Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that really should use the vm_iomap_memory() helper. This trivially converts two of them to the helper, and comments about why the third one really needs to continue to use remap_pfn_range(), and adds the missing size check. Reported-by:
Linus Torvalds <torvalds@linux-foundation.org.> [ kamal: backport to 3.8 (no uio_physical_vm_ops; context) ] Signed-off-by:
-
Mel Gorman authored
commit 0255d491 upstream. A THP PMD update is accounted for as 512 pages updated in vmstat. This is large difference when estimating the cost of automatic NUMA balancing and can be misleading when comparing results that had collapsed versus split THP. This patch addresses the accounting issue. Signed-off-by:
Mel Gorman <mgorman@suse.de> Reviewed-by:
Rik van Riel <riel@redhat.com> Cc: Andrea Arcangeli <aarcange@redhat.com> Cc: Johannes Weiner <hannes@cmpxchg.org> Cc: Srikar Dronamraju <srikar@linux.vnet.ibm.com> Signed-off-by:
-
Mel Gorman authored
commit 3f926ab9 upstream. THP migration uses the page lock to guard against parallel allocations but there are cases like this still open Task A Task B --------------------- --------------------- do_huge_pmd_numa_page do_huge_pmd_numa_page lock_page mpol_misplaced == -1 unlock_page goto clear_pmdnuma lock_page mpol_misplaced == 2 migrate_misplaced_transhuge pmd = pmd_mknonnuma set_pmd_at During hours of testing, one crashed with weird errors and while I have no direct evidence, I suspect something like the race above happened. This patch extends the page lock to being held until the pmd_numa is cleared to prevent migration starting in parallel while the pmd_numa is being cleared. It also flushes the old pmd entry and orders pagetable insertion before rmap insertion. Signed-off-by:
-
Mel Gorman authored
commit c61109e3 upstream. There are three callers of task_numa_fault(): - do_huge_pmd_numa_page(): Accounts against the current node, not the node where the page resides, unless we migrated, in which case it accounts against the node we migrated to. - do_numa_page(): Accounts against the current node, not the node where the page resides, unless we migrated, in which case it accounts against the node we migrated to. - do_pmd_numa_page(): Accounts not at all when the page isn't migrated, otherwise accounts against the node we migrated towards. This seems wrong to me; all three sites should have the same sementaics, furthermore we should accounts against where the page really is, we already know where the task is. So modify all three sites to always account; we did after all receive the fault; and always account to where the page is after migration, regardless of success. They all still differ on when they clear the PTE/PMD; ideally that would get sorted too. Signed-off-by:
-
Mel Gorman authored
commit 587fe586 upstream. THP migrations are serialised by the page lock but on its own that does not prevent THP splits. If the page is split during THP migration then the pmd_same checks will prevent page table corruption but the unlock page and other fix-ups potentially will cause corruption. This patch takes the anon_vma lock to prevent parallel splits during migration. Signed-off-by:
-
