Commits on Aug 18, 2015
  1. @torvalds

    Merge tag 'dmaengine-fix-4.2-rc8' of git://git.infradead.org/users/vkoul/slave-dma
    
    Pull dmaengine fix from Vinod Koul:
     "We recently found issue with dma_request_slave_channel() API causing
      privatecnt value to go bad.  This is fixed by balancing the privatecnt"
    
    * tag 'dmaengine-fix-4.2-rc8' of git://git.infradead.org/users/vkoul/slave-dma:
      dmaengine: fix balance of privatecnt inc/dec operations
    torvalds committed Aug 18, 2015
  2. @torvalds

    Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux

    Pull drm fixes from Dave Airlie:
     "These came in late last week, I wanted to look over the mst one before
      forwarding, but it seems good.
    
      Just three i915 and one MST fix"
    
    * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
      drm/i915: Commit planes on each crtc separately.
      drm/i915: calculate primary visibility changes instead of calling from set_config
      drm/i915: Only dither on 6bpc panels
      drm/dp/mst: Remove port after removing connector.
    torvalds committed Aug 18, 2015
Commits on Aug 17, 2015
  1. @torvalds

    Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma
    
    Pull rdma bugfix from Doug Ledford:
     "Bugfix in iw_cxgb4"
    
    * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma:
      iw_cxgb4: gracefully handle unknown CQE status errors
    torvalds committed Aug 17, 2015
  2. @torvalds

    Merge branch 'for-4.2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata
    
    Pull libata fixes from Tejun Heo:
     "Three minor device-specific fixes and revert of NCQ autosense added
      during this -rc1.
    
      It turned out that NCQ autosense as currently implemented interferes
      with the usual error handling behavior.  It will be revisited in the
      near future"
    
    * 'for-4.2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata:
      ata: ahci_brcmstb: Fix misuse of IS_ENABLED
      sata_sx4: Check return code from pdc20621_i2c_read()
      Revert "libata: Implement NCQ autosense"
      Revert "libata: Implement support for sense data reporting"
      Revert "libata-eh: Set 'information' field for autosense"
      ata: ahci_brcmstb: Fix warnings with CONFIG_PM_SLEEP=n
    torvalds committed Aug 17, 2015
  3. @torvalds

    Merge branch 'for-4.2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup
    
    Pull cgroup fix from Tejun Heo:
     "A fix for a subtle bug introduced back during 3.17 cycle which
      interferes with setting configurations under specific conditions"
    
    * 'for-4.2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
      cpuset: use trialcs->mems_allowed as a temp variable
    torvalds committed Aug 17, 2015
  4. @vinodkoul

    dmaengine: fix balance of privatecnt inc/dec operations

    This patch increments privatecnt value and sets DMA_PRIVATE in device
    caps in dma_request_slave_channel() function. This is needed to keep
    privatecnt increment/decrement balance.
    
    As function dma_release_channel() decrements privatecnt counter, we need
    to increment it when channel is requested. Otherwise privatecnt drops
    into negatives after a few dma_release_channel() calls.
    
    Reported-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
    Signed-off-by: Robert Baldyga <r.baldyga@samsung.com>
    Signed-off-by: Vinod Koul <vinod.koul@intel.com>
    Robert Baldyga committed with vinodkoul Aug 7, 2015
  5. @torvalds

    Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6

    Pull crypto fixes from Herbert Xu:
     "This fixes the following issues:
    
       - a regression caused by the conversion of IPsec ESP to the new AEAD
         interface: ESN with authencesn no longer works because it relied on
         the AD input SG list having a specific layout which is no longer
         the case.  In linux-next authencesn is fixed properly and no longer
         assumes anything about the SG list format.  While for this release
         a minimal fix is applied to authencesn so that it works with the
         new linear layout.
    
       - fix memory corruption caused by bogus index in the caam hash code.
    
       - fix powerpc nx SHA hashing which could cause module load failures
         if module signature verification is enabled"
    
    * git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
      crypto: caam - fix memory corruption in ahash_final_ctx
      crypto: nx - respect sg limit bounds when building sg lists for SHA
      crypto: authencesn - Fix breakage with new ESP code
    torvalds committed Aug 17, 2015
Commits on Aug 16, 2015
  1. @torvalds

    Linux 4.2-rc7

    torvalds committed Aug 16, 2015
  2. @torvalds

    Merge tag 'armsoc-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
    
    Pull ARM SoC fixes from Olof Johansson:
     "A smallish batch of fixes, a little more than expected this late, but
      all fixes are contained to their platforms and seem reasonably low
      risk:
    
       - a somewhat large SMP fix for ux500 that still seemed warranted to
         include here
       - OMAP DT fixes for pbias regulator specification that broke due to
         some DT reshuffling
       - PCIe IRQ routing bugfix for i.MX
       - networking fixes for keystone
       - runtime PM for OMAP GPMC
       - a couple of error path bug fixes for exynos"
    
    * tag 'armsoc-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
      ARM: dts: keystone: Fix the mdio bindings by moving it to soc specific file
      ARM: dts: keystone: fix the clock node for mdio
      memory: omap-gpmc: Don't try to save uninitialized GPMC context
      ARM: imx6: correct i.MX6 PCIe interrupt routing
      ARM: ux500: add an SMP enablement type and move cpu nodes
      ARM: dts: dra7: Fix broken pbias device creation
      ARM: dts: OMAP5: Fix broken pbias device creation
      ARM: dts: OMAP4: Fix broken pbias device creation
      ARM: dts: omap243x: Fix broken pbias device creation
      ARM: EXYNOS: fix double of_node_put() on error path
      ARM: EXYNOS: Fix potentian kfree() of ro memory
    torvalds committed Aug 16, 2015
  3. @torvalds

    Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus
    
    Pull MIPS bugfix from Ralf Baechle:
     "Only a single MIPS fix - the math when invoking syscall_trace_enter
      was wrong"
    
    * 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
      MIPS: Fix seccomp syscall argument for MIPS64
    torvalds committed Aug 16, 2015
  4. @torvalds

    Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
    
    Merge x86 fixes from Ingo Molnar:
     "Two followup fixes related to the previous LDT fix"
    
    Also applied a further FPU emulation fix from Andy Lutomirski to the
    branch before actually merging it.
    
    * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
      x86/ldt: Further fix FPU emulation
      x86/ldt: Correct FPU emulation access to LDT
      x86/ldt: Correct LDT access in single stepping logic
    torvalds committed Aug 16, 2015
  5. @torvalds

    x86/ldt: Further fix FPU emulation

    The previous fix confused a selector with a segment prefix.  Fix it.
    
    Compile-tested only.
    
    Cc: stable@vger.kernel.org
    Cc: Juergen Gross <jgross@suse.com>
    Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
    Fixes: 4809146 ("x86/ldt: Correct FPU emulation access to LDT")
    Signed-off-by: Andy Lutomirski <luto@kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Andy Lutomirski committed with torvalds Aug 14, 2015
  6. @thejh @torvalds

    fs/fuse: fix ioctl type confusion

    fuse_dev_ioctl() performed fuse_get_dev() on a user-supplied fd,
    leading to a type confusion issue. Fix it by checking file->f_op.
    
    Signed-off-by: Jann Horn <jann@thejh.net>
    Acked-by: Miklos Szeredi <miklos@szeredi.hu>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    thejh committed with torvalds Aug 16, 2015
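
The check this commit describes, as a simplified user-space model added here (not the kernel's fuse code and not part of the commit). Every struct and function name in it is hypothetical, the fd table is constructed sample data, and the error codes are the model's own choice.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-ins for the kernel objects named in the commit message. */
struct file_operations { const char *name; };
struct file {
	const struct file_operations *f_op; /* identifies the file's type */
	void *private_data;                 /* meaning depends on f_op */
};

struct dev_state { int conn_id; };                  /* what the handler expects */
struct other_state { long cookie; char label[8]; }; /* another file type's data */

static const struct file_operations dev_ops = { "dev" };
static const struct file_operations other_ops = { "other" };

static struct dev_state sample_dev = { 42 };
static struct other_state sample_other = { 7, "other" };

/* Constructed fd table: fd 0 is a device file, fd 1 is an unrelated file. */
static struct file fd_table[] = {
	{ &dev_ops, &sample_dev },
	{ &other_ops, &sample_other },
};
#define NFILES ((int)(sizeof(fd_table) / sizeof(fd_table[0])))

/* Look up a caller-supplied descriptor; NULL if it is out of range. */
static struct file *fget_model(int fd)
{
	if (fd < 0 || fd >= NFILES)
		return NULL;
	return &fd_table[fd];
}

/* Unchecked pattern: private_data is trusted to be a dev_state no matter
 * which kind of file the descriptor refers to. */
static struct dev_state *get_dev_unchecked(struct file *f)
{
	return f->private_data;
}

/* Checked pattern: private_data is interpreted only after f_op proves the
 * file is of the expected type. */
static struct dev_state *get_dev_checked(struct file *f)
{
	if (f->f_op != &dev_ops)
		return NULL;
	return f->private_data;
}

/* Model ioctl handler taking a descriptor chosen by the caller.
 * Returns the connection id, or a negative errno value. */
static int ioctl_model(int user_fd)
{
	struct file *f = fget_model(user_fd);
	struct dev_state *dev;

	if (!f)
		return -EBADF;
	dev = get_dev_checked(f);
	if (!dev)
		return -EINVAL;
	return dev->conn_id;
}

/* 1 if the unchecked accessor hands back an object that is not the
 * dev_state. Addresses are compared only; nothing is dereferenced. */
static int unchecked_is_confused(int user_fd)
{
	struct file *f = fget_model(user_fd);

	if (!f)
		return 0;
	return (void *)get_dev_unchecked(f) != (void *)&sample_dev;
}

int main(void)
{
	printf("fd 0 (device file):  %d\n", ioctl_model(0));
	printf("fd 1 (other file):   %d\n", ioctl_model(1));
	printf("fd 9 (not open):     %d\n", ioctl_model(9));
	printf("unchecked accessor confused on fd 1: %d\n",
	       unchecked_is_confused(1));
	return 0;
}
```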
  7. @olofj

    Merge tag 'keystone-dts-late-fixes-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/ssantosh/linux-keystone into fixes
    
    ARM: Couple of Keystone MDIO DTS fixes for 4.2-rc6+
    
    These are necessary to get the NIC card working on all Keystone
    EVMs. Couple of boards are broken without these two fixes.
    
    * tag 'keystone-dts-late-fixes-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/ssantosh/linux-keystone:
      ARM: dts: keystone: Fix the mdio bindings by moving it to soc specific file
      ARM: dts: keystone: fix the clock node for mdio
    
    Signed-off-by: Olof Johansson <olof@lixom.net>
    olofj committed Aug 16, 2015
  8. @ralfbaechle

    MIPS: Fix seccomp syscall argument for MIPS64

    Commit 4c21b8f ("MIPS: seccomp: Handle indirect system calls (o32)")
    fixed indirect system calls on O32 but it also introduced a bug for MIPS64
    where it erroneously modified the v0 (syscall) register with the assumption
    that the syscall offset hasn't been taken into consideration. This breaks
    seccomp on MIPS64 n64 and n32 ABIs. We fix this by replacing the addition
    with a move instruction.
    
    Fixes: 4c21b8f ("MIPS: seccomp: Handle indirect system calls (o32)")
    Cc: <stable@vger.kernel.org> # 3.15+
    Reviewed-by: James Hogan <james.hogan@imgtec.com>
    Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/10951/
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Markos Chandras committed with ralfbaechle Aug 13, 2015
Commits on Aug 15, 2015
  1. @torvalds

    Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
    
    Pull SCSI fixes from James Bottomley:
     "This has two libfc fixes for bugs causing rare crashes, one iscsi fix
      for a potential hang on shutdown, and a fix for an I/O blocksize issue
      which caused a regression"
    
    * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
      sd: Fix maximum I/O size for BLOCK_PC requests
      libfc: Fix fc_fcp_cleanup_each_cmd()
      libfc: Fix fc_exch_recv_req() error path
      libiscsi: Fix host busy blocking during connection teardown
    torvalds committed Aug 15, 2015
  2. @airlied

    Merge tag 'topic/drm-fixes-2015-08-14' of git://anongit.freedesktop.org/drm-intel into drm-next
    
    single MST fixes from Maarten.
    
    * tag 'topic/drm-fixes-2015-08-14' of git://anongit.freedesktop.org/drm-intel:
      drm/dp/mst: Remove port after removing connector.
    airlied committed Aug 15, 2015
  3. @airlied

    Merge tag 'drm-intel-fixes-2015-08-14' of git://anongit.freedesktop.org/drm-intel into drm-next
    
    three display fixes for Intel.
    
    * tag 'drm-intel-fixes-2015-08-14' of git://anongit.freedesktop.org/drm-intel:
      drm/i915: Commit planes on each crtc separately.
      drm/i915: calculate primary visibility changes instead of calling from set_config
      drm/i915: Only dither on 6bpc panels
    airlied committed Aug 15, 2015
  4. @torvalds

    Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

    Pull KVM fixes from Paolo Bonzini:
     "Just two very small & simple patches"
    
    * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
      KVM: x86: Use adjustment in guest cycles when handling MSR_IA32_TSC_ADJUST
      KVM: x86: zero IDT limit on entry to SMM
    torvalds committed Aug 15, 2015
  5. @torvalds

    Merge branch 'akpm' (patches from Andrew)

    Merge fixes from Andrew Morton:
     "11 fixes"
    
    * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
      Update maintainers for DRM STI driver
      mm: cma: mark cma_bitmap_maxno() inline in header
      zram: fix pool name truncation
      memory-hotplug: fix wrong edge when hot add a new node
      .mailmap: Andrey Ryabinin has moved
      ipc/sem.c: update/correct memory barriers
      mm/hwpoison: fix panic due to split huge zero page
      ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()
      ipc,sem: fix use after free on IPC_RMID after a task using same semaphore set exits
      mm/hwpoison: fix fail isolate hugetlbfs page w/ refcount held
      mm/hwpoison: fix page refcount of unknown non LRU page
    torvalds committed Aug 15, 2015
Commits on Aug 14, 2015
  1. @torvalds

    Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux
    
    Pull clock fix from Stephen Boyd:
     "A one-liner for a regression found in the PXA clock driver"
    
    * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
      clk: pxa: pxa3xx: fix CKEN register access
    torvalds committed Aug 14, 2015
  2. @Benjamin-Gaignard @torvalds

    Update maintainers for DRM STI driver

    Add Vincent Abriou and myself as maintainers.
    
    Signed-off-by: Benjamin Gaignard <benjamin.gaignard@linaro.org>
    Cc: Vincent Abriou <vincent.abriou@st.com>
    Cc: Dave Airlie <airlied@linux.ie>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Benjamin-Gaignard committed with torvalds Aug 14, 2015
  3. @cha5on @torvalds

    mm: cma: mark cma_bitmap_maxno() inline in header

    cma_bitmap_maxno() was marked as static and not static inline, which can
    cause warnings about this function not being used if this file is included
    in a file that does not call that function, and violates the conventions
    used elsewhere.  The two options are to move the function implementation
    back to mm/cma.c or make it inline here, and it's simple enough for the
    latter to make sense.
    
    Signed-off-by: Gregory Fong <gregory.0xf0@gmail.com>
    Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
    Cc: Sasha Levin <sasha.levin@oracle.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    cha5on committed with torvalds Aug 14, 2015
  4. @sergey-senozhatsky @torvalds

    zram: fix pool name truncation

    zram_meta_alloc() constructs a pool name for zs_create_pool() call as
    
        snprintf(pool_name, sizeof(pool_name), "zram%d", device_id);
    
    However, it defines pool name buffer to be only 8 bytes long (minus
    trailing zero), which means that we can have only 1000 pool names: zram0
    -- zram999.
    
    With CONFIG_ZSMALLOC_STAT enabled an attempt to create a device zram1000
    can fail if device zram100 already exists, because snprintf() will
    truncate new pool name to zram100 and pass it debugfs_create_dir(),
    causing:
    
      debugfs dir <zram100> creation failed
      zram: Error creating memory pool
    
    ... and so on.
    
    Fix it by passing zram->disk->disk_name to zram_meta_alloc() instead of
    device_id.  We construct zram%d name earlier and keep it as a ->disk_name,
    no need to snprintf() it again.
    
    Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
    Cc: Minchan Kim <minchan@kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    sergey-senozhatsky committed with torvalds Aug 14, 2015
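
The truncation described in the zram commit above, reproduced in user space as an added example (not code from the kernel tree or from the commit). The helper names are hypothetical; the 8-byte buffer and the `"zram%d"` format are taken from the commit message.

```c
#include <stdio.h>
#include <string.h>

#define POOL_NAME_LEN 8 /* buffer size given in the commit message */

/* Pattern described in the commit: the snprintf() result is ignored, so a
 * name longer than POOL_NAME_LEN - 1 characters is silently cut short. */
static void pool_name_unchecked(char out[POOL_NAME_LEN], int device_id)
{
	snprintf(out, POOL_NAME_LEN, "zram%d", device_id);
}

/* Hypothetical checked variant: snprintf() returns the length the complete
 * string would have needed, so a result >= size means the output was cut. */
static int pool_name_checked(char *out, size_t size, int device_id)
{
	int n = snprintf(out, size, "zram%d", device_id);

	return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

/* 1 if both ids yield the same name after truncation, else 0. */
static int names_collide(int id_a, int id_b)
{
	char a[POOL_NAME_LEN], b[POOL_NAME_LEN];

	pool_name_unchecked(a, id_a);
	pool_name_unchecked(b, id_b);
	return strcmp(a, b) == 0;
}

/* Lowest id in [0, limit) whose name no longer fits, or -1 if all fit. */
static int first_truncated_id(int limit)
{
	char buf[POOL_NAME_LEN];
	int id;

	for (id = 0; id < limit; id++)
		if (pool_name_checked(buf, sizeof(buf), id) < 0)
			return id;
	return -1;
}

int main(void)
{
	char name[POOL_NAME_LEN];

	pool_name_unchecked(name, 1000);
	printf("zram1000 stored as \"%s\"\n", name);
	printf("collides with zram100: %d\n", names_collide(100, 1000));
	printf("first id that is truncated: %d\n", first_truncated_id(5000));
	return 0;
}
```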
  5. @torvalds

    memory-hotplug: fix wrong edge when hot add a new node

    When we add a new node, the edge of memory may be wrong.
    
    e.g. system has 4 nodes, and node3 is movable, node3 mem:[24G-32G],
    
    1. hotremove the node3,
    2. then hotadd node3 with a part of memory, mem:[26G-30G],
    3. call hotadd_new_pgdat()
            free_area_init_node()
                    get_pfn_range_for_nid()
    4. it will return wrong start_pfn and end_pfn, because we have not
    updated the memblock.
    
    This patch also fixes a BUG_ON during hot-addition, please see
    http://marc.info/?l=linux-kernel&m=142961156129456&w=2
    
    Signed-off-by: Xishi Qiu <qiuxishi@huawei.com>
    Cc: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
    Cc: Kamezawa Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
    Cc: Taku Izumi <izumi.taku@jp.fujitsu.com>
    Cc: Tang Chen <tangchen@cn.fujitsu.com>
    Cc: Gu Zheng <guz.fnst@cn.fujitsu.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Xishi Qiu committed with torvalds Aug 14, 2015
  6. @aryabinin @torvalds

    .mailmap: Andrey Ryabinin has moved

    Update my email address.
    
    Signed-off-by: Andrey Ryabinin <ryabinin.a.a@gmail.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    aryabinin committed with torvalds Aug 14, 2015
  7. @manfred-colorfu @torvalds

    ipc/sem.c: update/correct memory barriers

    sem_lock() did not properly pair memory barriers:
    
    !spin_is_locked() and spin_unlock_wait() are both only control barriers.
    The code needs an acquire barrier, otherwise the cpu might perform read
    operations before the lock test.
    
    As no primitive exists inside <include/spinlock.h> and since it seems
    no one wants another primitive, the code creates a local primitive within
    ipc/sem.c.
    
    With regards to -stable:
    
    The change of sem_wait_array() is a bugfix, the change to sem_lock() is a
    nop (just a preprocessor redefinition to improve the readability).  The
    bugfix is necessary for all kernels that use sem_wait_array() (i.e.:
    starting from 3.10).
    
    Signed-off-by: Manfred Spraul <manfred@colorfullife.com>
    Reported-by: Oleg Nesterov <oleg@redhat.com>
    Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
    Cc: Kirill Tkhai <ktkhai@parallels.com>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: Josh Poimboeuf <jpoimboe@redhat.com>
    Cc: Davidlohr Bueso <dave@stgolabs.net>
    Cc: <stable@vger.kernel.org>	[3.10+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    manfred-colorfu committed with torvalds Aug 14, 2015
  8. @torvalds

    mm/hwpoison: fix panic due to split huge zero page

    Bug:
    
      ------------[ cut here ]------------
      kernel BUG at mm/huge_memory.c:1957!
      invalid opcode: 0000 [#1] SMP
      Modules linked in: snd_hda_codec_hdmi i915 rpcsec_gss_krb5 snd_hda_codec_realtek snd_hda_codec_generic nfsv4 dns_re
      CPU: 2 PID: 2576 Comm: test_huge Not tainted 4.2.0-rc5-mm1+ #27
      Hardware name: Dell Inc. OptiPlex 7020/0F5C5X, BIOS A03 01/08/2015
      task: ffff880204e3d600 ti: ffff8800db16c000 task.ti: ffff8800db16c000
      RIP: split_huge_page_to_list+0xdb/0x120
      Call Trace:
        memory_failure+0x32e/0x7c0
        madvise_hwpoison+0x8b/0x160
        SyS_madvise+0x40/0x240
        ? do_page_fault+0x37/0x90
        entry_SYSCALL_64_fastpath+0x12/0x71
      Code: ff f0 41 ff 4c 24 30 74 0d 31 c0 48 83 c4 08 5b 41 5c 41 5d c9 c3 4c 89 e7 e8 e2 58 fd ff 48 83 c4 08 31 c0
      RIP  split_huge_page_to_list+0xdb/0x120
       RSP <ffff8800db16fde8>
      ---[ end trace aee7ce0df8e44076 ]---
    
    Testcase:
    
        #define _GNU_SOURCE
        #include <stdlib.h>
        #include <stdio.h>
        #include <sys/mman.h>
        #include <unistd.h>
        #include <fcntl.h>
        #include <sys/types.h>
        #include <errno.h>
        #include <string.h>
    
        #define MB 1024*1024
    
        int main(void)
        {
                char *mem;
    
                posix_memalign((void **)&mem, 2 * MB, 200 * MB);
    
                madvise(mem, 200 * MB, MADV_HWPOISON);
    
                free(mem);
    
                return 0;
        }
    
    Huge zero page is allocated if page fault w/o FAULT_FLAG_WRITE flag.
    The get_user_pages_fast() which is called in madvise_hwpoison() will get
    huge zero page if the page is not allocated before.  Huge zero page is a
    transparent huge page, however, it is not an anonymous page.
    memory_failure will split the huge zero page and trigger
    BUG_ON(is_huge_zero_page(page));
    
    After commit 98ed2b0 ("mm/memory-failure: give up error handling
    for non-tail-refcounted thp"), memory_failure will not catch non anon
    thp from madvise_hwpoison path and this bug occurs.
    
    Fix it by catching non anon thp in memory_failure in order to not split
    huge zero page in madvise_hwpoison path.
    
    After this patch:
    
      Injecting memory failure for page 0x202800 at 0x7fd8ae800000
      MCE: 0x202800: non anonymous thp
      [...]
    
    [akpm@linux-foundation.org: remove second split, per Wanpeng]
    Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
    Acked-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Wanpeng Li committed with torvalds Aug 14, 2015
  9. @torvalds

    ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()

    After we acquire the sma->sem_perm lock in exit_sem(), we are protected
    against a racing IPC_RMID operation.  Also at that point, we are the last
    user of sem_undo_list.  Therefore it isn't required that we acquire or use
    ulp->lock.
    
    Signed-off-by: Herton R. Krzesinski <herton@redhat.com>
    Acked-by: Manfred Spraul <manfred@colorfullife.com>
    Cc: Davidlohr Bueso <dave@stgolabs.net>
    Cc: Rafael Aquini <aquini@redhat.com>
    CC: Aristeu Rozanski <aris@redhat.com>
    Cc: David Jeffery <djeffery@redhat.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Herton R. Krzesinski committed with torvalds Aug 14, 2015
  10. @torvalds

    ipc,sem: fix use after free on IPC_RMID after a task using same semaphore set exits
    
    The current semaphore code allows a potential use after free: in
    exit_sem we may free the task's sem_undo_list while there is still
    another task looping through the same semaphore set and cleaning the
    sem_undo list at freeary function (the task called IPC_RMID for the same
    semaphore set).
    
    For example, with a test program [1] running which keeps forking a lot
    of processes (which then do a semop call with SEM_UNDO flag), and with
    the parent right after removing the semaphore set with IPC_RMID, and a
    kernel built with CONFIG_SLAB, CONFIG_SLAB_DEBUG and
    CONFIG_DEBUG_SPINLOCK, you can easily see something like the following
    in the kernel log:
    
       Slab corruption (Not tainted): kmalloc-64 start=ffff88003b45c1c0, len=64
       000: 6b 6b 6b 6b 6b 6b 6b 6b 00 6b 6b 6b 6b 6b 6b 6b  kkkkkkkk.kkkkkkk
       010: ff ff ff ff 6b 6b 6b 6b ff ff ff ff ff ff ff ff  ....kkkk........
       Prev obj: start=ffff88003b45c180, len=64
       000: 00 00 00 00 ad 4e ad de ff ff ff ff 5a 5a 5a 5a  .....N......ZZZZ
       010: ff ff ff ff ff ff ff ff c0 fb 01 37 00 88 ff ff  ...........7....
       Next obj: start=ffff88003b45c200, len=64
       000: 00 00 00 00 ad 4e ad de ff ff ff ff 5a 5a 5a 5a  .....N......ZZZZ
       010: ff ff ff ff ff ff ff ff 68 29 a7 3c 00 88 ff ff  ........h).<....
       BUG: spinlock wrong CPU on CPU#2, test/18028
       general protection fault: 0000 [#1] SMP
       Modules linked in: 8021q mrp garp stp llc nf_conntrack_ipv4 nf_defrag_ipv4 ip6t_REJECT nf_reject_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables binfmt_misc ppdev input_leds joydev parport_pc parport floppy serio_raw virtio_balloon virtio_rng virtio_console virtio_net iosf_mbi crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcspkr qxl ttm drm_kms_helper drm snd_hda_codec_generic i2c_piix4 snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer snd soundcore crc32c_intel virtio_pci virtio_ring virtio pata_acpi ata_generic [last unloaded: speedstep_lib]
       CPU: 2 PID: 18028 Comm: test Not tainted 4.2.0-rc5+ #1
       Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.1-20150318_183358- 04/01/2014
       RIP: spin_dump+0x53/0xc0
       Call Trace:
         spin_bug+0x30/0x40
         do_raw_spin_unlock+0x71/0xa0
         _raw_spin_unlock+0xe/0x10
         freeary+0x82/0x2a0
         ? _raw_spin_lock+0xe/0x10
         semctl_down.clone.0+0xce/0x160
         ? __do_page_fault+0x19a/0x430
         ? __audit_syscall_entry+0xa8/0x100
         SyS_semctl+0x236/0x2c0
         ? syscall_trace_leave+0xde/0x130
         entry_SYSCALL_64_fastpath+0x12/0x71
       Code: 8b 80 88 03 00 00 48 8d 88 60 05 00 00 48 c7 c7 a0 2c a4 81 31 c0 65 8b 15 eb 40 f3 7e e8 08 31 68 00 4d 85 e4 44 8b 4b 08 74 5e <45> 8b 84 24 88 03 00 00 49 8d 8c 24 60 05 00 00 8b 53 04 48 89
       RIP  [<ffffffff810d6053>] spin_dump+0x53/0xc0
        RSP <ffff88003750fd68>
       ---[ end trace 783ebb76612867a0 ]---
       NMI watchdog: BUG: soft lockup - CPU#3 stuck for 22s! [test:18053]
       Modules linked in: 8021q mrp garp stp llc nf_conntrack_ipv4 nf_defrag_ipv4 ip6t_REJECT nf_reject_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables binfmt_misc ppdev input_leds joydev parport_pc parport floppy serio_raw virtio_balloon virtio_rng virtio_console virtio_net iosf_mbi crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcspkr qxl ttm drm_kms_helper drm snd_hda_codec_generic i2c_piix4 snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer snd soundcore crc32c_intel virtio_pci virtio_ring virtio pata_acpi ata_generic [last unloaded: speedstep_lib]
       CPU: 3 PID: 18053 Comm: test Tainted: G      D         4.2.0-rc5+ #1
       Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.1-20150318_183358- 04/01/2014
       RIP: native_read_tsc+0x0/0x20
       Call Trace:
         ? delay_tsc+0x40/0x70
         __delay+0xf/0x20
         do_raw_spin_lock+0x96/0x140
         _raw_spin_lock+0xe/0x10
         sem_lock_and_putref+0x11/0x70
         SYSC_semtimedop+0x7bf/0x960
         ? handle_mm_fault+0xbf6/0x1880
         ? dequeue_task_fair+0x79/0x4a0
         ? __do_page_fault+0x19a/0x430
         ? kfree_debugcheck+0x16/0x40
         ? __do_page_fault+0x19a/0x430
         ? __audit_syscall_entry+0xa8/0x100
         ? do_audit_syscall_entry+0x66/0x70
         ? syscall_trace_enter_phase1+0x139/0x160
         SyS_semtimedop+0xe/0x10
         SyS_semop+0x10/0x20
         entry_SYSCALL_64_fastpath+0x12/0x71
       Code: 47 10 83 e8 01 85 c0 89 47 10 75 08 65 48 89 3d 1f 74 ff 7e c9 c3 0f 1f 44 00 00 55 48 89 e5 e8 87 17 04 00 66 90 c9 c3 0f 1f 00 <55> 48 89 e5 0f 31 89 c1 48 89 d0 48 c1 e0 20 89 c9 48 09 c8 c9
       Kernel panic - not syncing: softlockup: hung tasks
    
    I wasn't able to trigger any badness on a recent kernel without the
    proper config debugs enabled, however I have softlockup reports on some
    kernel versions, in the semaphore code, which are similar as above (the
    scenario is seen on some servers running IBM DB2 which uses semaphore
    syscalls).
    
    The patch here fixes the race against freeary, by acquiring or waiting
    on the sem_undo_list lock as necessary (exit_sem can race with freeary,
    while freeary sets un->semid to -1 and removes the same sem_undo from
    list_proc or when it removes the last sem_undo).
    
    After the patch I'm unable to reproduce the problem using the test case
    [1].
    
    [1] Test case used below:
    
        #include <stdio.h>
        #include <sys/types.h>
        #include <sys/ipc.h>
        #include <sys/sem.h>
        #include <sys/wait.h>
        #include <stdlib.h>
        #include <time.h>
        #include <unistd.h>
        #include <errno.h>
    
        #define NSEM 1
        #define NSET 5
    
        int sid[NSET];
    
        void thread()
        {
                struct sembuf op;
                int s;
                uid_t pid = getuid();
    
                s = rand() % NSET;
                op.sem_num = pid % NSEM;
                op.sem_op = 1;
                op.sem_flg = SEM_UNDO;
    
                semop(sid[s], &op, 1);
                exit(EXIT_SUCCESS);
        }
    
        void create_set()
        {
                int i, j;
                pid_t p;
                union {
                        int val;
                        struct semid_ds *buf;
                        unsigned short int *array;
                        struct seminfo *__buf;
                } un;
    
                /* Create and initialize semaphore set */
                for (i = 0; i < NSET; i++) {
                        sid[i] = semget(IPC_PRIVATE , NSEM, 0644 | IPC_CREAT);
                        if (sid[i] < 0) {
                                perror("semget");
                                exit(EXIT_FAILURE);
                        }
                }
                un.val = 0;
                for (i = 0; i < NSET; i++) {
                        for (j = 0; j < NSEM; j++) {
                                if (semctl(sid[i], j, SETVAL, un) < 0)
                                        perror("semctl");
                        }
                }
    
                /* Launch threads that operate on semaphore set */
                for (i = 0; i < NSEM * NSET * NSET; i++) {
                        p = fork();
                        if (p < 0)
                                perror("fork");
                        if (p == 0)
                                thread();
                }
    
                /* Free semaphore set */
                for (i = 0; i < NSET; i++) {
                        if (semctl(sid[i], NSEM, IPC_RMID))
                                perror("IPC_RMID");
                }
    
                /* Wait for forked processes to exit */
                while (wait(NULL)) {
                        if (errno == ECHILD)
                                break;
                };
        }
    
        int main(int argc, char **argv)
        {
                pid_t p;
    
                srand(time(NULL));
    
                while (1) {
                        p = fork();
                        if (p < 0) {
                                perror("fork");
                                exit(EXIT_FAILURE);
                        }
                        if (p == 0) {
                                create_set();
                                goto end;
                        }
    
                        /* Wait for forked processes to exit */
                        while (wait(NULL)) {
                                if (errno == ECHILD)
                                        break;
                        };
                }
        end:
                return 0;
        }
    
    [akpm@linux-foundation.org: use normal comment layout]
    Signed-off-by: Herton R. Krzesinski <herton@redhat.com>
    Acked-by: Manfred Spraul <manfred@colorfullife.com>
    Cc: Davidlohr Bueso <dave@stgolabs.net>
    Cc: Rafael Aquini <aquini@redhat.com>
    CC: Aristeu Rozanski <aris@redhat.com>
    Cc: David Jeffery <djeffery@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Herton R. Krzesinski committed with torvalds Aug 14, 2015
  11. @torvalds

    mm/hwpoison: fix fail isolate hugetlbfs page w/ refcount held

    Hugetlbfs pages will get a refcount in get_any_page() or
    madvise_hwpoison() if soft offlining through madvise.  The refcount which
    is held by the soft offline path should be released if we fail to isolate
    hugetlbfs pages.
    
    Fix it by reducing the refcount for both isolation success and failure.
    
    Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
    Acked-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
    Cc: <stable@vger.kernel.org>	[3.9+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Wanpeng Li committed with torvalds Aug 14, 2015
  12. @torvalds

    mm/hwpoison: fix page refcount of unknown non LRU page

    After trying to drain pages from pagevec/pageset, we try to get reference
    count of the page again, however, the reference count of the page is not
    reduced if the page is still not on LRU list.
    
    Fix it by adding the put_page() to drop the page reference which is from
    __get_any_page().
    
    Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
    Acked-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
    Cc: <stable@vger.kernel.org>	[3.9+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Wanpeng Li committed with torvalds Aug 14, 2015
  13. @torvalds

    Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
    
    Pull timer fix from Ingo Molnar:
     "A single clocksource driver suspend/resume fix"
    
    * 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
      clockevents/drivers/sh_cmt: Only perform clocksource suspend/resume if enabled
    torvalds committed Aug 14, 2015
  14. @torvalds

    Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
    
    Pull perf fixes from Ingo Molnar:
     "Misc fixes: PMU driver corner cases, tooling fixes, and an 'AUX'
      (Intel PT) race related core fix"
    
    * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
      perf/x86/intel/cqm: Do not access cpu_data() from CPU_UP_PREPARE handler
      perf/x86/intel: Fix memory leak on hot-plug allocation fail
      perf: Fix PERF_EVENT_IOC_PERIOD migration race
      perf: Fix double-free of the AUX buffer
      perf: Fix fasync handling on inherited events
      perf tools: Fix test build error when bindir contains double slash
      perf stat: Fix transaction lenght metrics
      perf: Fix running time accounting
    torvalds committed Aug 14, 2015
  15. @torvalds

    Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
    
    Pull locking fix from Ingo Molnar:
     "A single fix for a locking self-test crash"
    
    * 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
      locking/pvqspinlock: Fix kernel panic in locking-selftest
    torvalds committed Aug 14, 2015