1. 04 Jul, 2012 9 commits
    • Ryusuke Konishi's avatar
      nilfs2: ensure proper cache clearing for gc-inodes · a49f6b0b
      Ryusuke Konishi authored
      commit fbb24a3a upstream.
      
      A gc-inode is a pseudo inode used to buffer the blocks to be moved by
      garbage collection.
      
      Block caches of gc-inodes must be cleared every time a garbage collection
      function (nilfs_clean_segments) completes.  Otherwise, stale blocks
      buffered in the caches may be wrongly reused in successive calls of the GC
      function.
      
      For user files, this is not a problem because their gc-inodes are
      distinguished by a checkpoint number as well as an inode number.  They
      never buffer different blocks if either an inode number, a checkpoint
      number, or a block offset differs.
      
      However, gc-inodes of sufile, cpfile and DAT file can store different data
      for the same block offset.  Thus, the nilfs_clean_segments function can
      move incorrect block for these meta-data files if an old block is cached.
      I found this is really causing meta-data corruption in nilfs.
      
      This fixes the issue by ensuring cache clear of gc-inodes and resolves
      reported GC problems including checkpoint file corruption, b-tree
      corruption, and the following warning during GC.
      
        nilfs_palloc_freev: entry number 307234 already freed.
        ...
      Signed-off-by: default avatarRyusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
      Tested-by: default avatarRyusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a49f6b0b
    • Andrea Arcangeli's avatar
      thp: avoid atomic64_read in pmd_read_atomic for 32bit PAE · dcad89e6
      Andrea Arcangeli authored
      commit e4eed03f upstream.
      
      In the x86 32bit PAE CONFIG_TRANSPARENT_HUGEPAGE=y case while holding the
      mmap_sem for reading, cmpxchg8b cannot be used to read pmd contents under
      Xen.
      
      So instead of dealing only with "consistent" pmdvals in
      pmd_none_or_trans_huge_or_clear_bad() (which would be conceptually
      simpler) we let pmd_none_or_trans_huge_or_clear_bad() deal with pmdvals
      where the low 32bit and high 32bit could be inconsistent (to avoid having
      to use cmpxchg8b).
      
      The only guarantee we get from pmd_read_atomic is that if the low part of
      the pmd was found null, the high part will be null too (so the pmd will be
      considered unstable).  And if the low part of the pmd is found "stable"
      later, then it means the whole pmd was read atomically (because after a
      pmd is stable, neither MADV_DONTNEED nor page faults can alter it anymore,
      and we read the high part after the low part).
      
      In the 32bit PAE x86 case, it is enough to read the low part of the pmdval
      atomically to declare the pmd as "stable" and that's true for THP and no
      THP, furthermore in the THP case we also have a barrier() that will
      prevent any inconsistent pmdvals to be cached by a later re-read of the
      *pmd.
      Signed-off-by: default avatarAndrea Arcangeli <aarcange@redhat.com>
      Cc: Jonathan Nieder <jrnieder@gmail.com>
      Cc: Ulrich Obergfell <uobergfe@redhat.com>
      Cc: Mel Gorman <mgorman@suse.de>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: Larry Woodman <lwoodman@redhat.com>
      Cc: Petr Matousek <pmatouse@redhat.com>
      Cc: Rik van Riel <riel@redhat.com>
      Cc: Jan Beulich <jbeulich@suse.com>
      Cc: KOSAKI Motohiro <kosaki.motohiro@gmail.com>
      Tested-by: default avatarAndrew Jones <drjones@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      dcad89e6
    • Andrea Arcangeli's avatar
      mm: pmd_read_atomic: fix 32bit PAE pmd walk vs pmd_populate SMP race condition · 02d1854e
      Andrea Arcangeli authored
      commit 26c19178 upstream.
      
      When holding the mmap_sem for reading, pmd_offset_map_lock should only
      run on a pmd_t that has been read atomically from the pmdp pointer,
      otherwise we may read only half of it leading to this crash.
      
      PID: 11679  TASK: f06e8000  CPU: 3   COMMAND: "do_race_2_panic"
       #0 [f06a9dd8] crash_kexec at c049b5ec
       #1 [f06a9e2c] oops_end at c083d1c2
       #2 [f06a9e40] no_context at c0433ded
       #3 [f06a9e64] bad_area_nosemaphore at c043401a
       #4 [f06a9e6c] __do_page_fault at c0434493
       #5 [f06a9eec] do_page_fault at c083eb45
       #6 [f06a9f04] error_code (via page_fault) at c083c5d5
          EAX: 01fb470c EBX: fff35000 ECX: 00000003 EDX: 00000100 EBP:
          00000000
          DS:  007b     ESI: 9e201000 ES:  007b     EDI: 01fb4700 GS:  00e0
          CS:  0060     EIP: c083bc14 ERR: ffffffff EFLAGS: 00010246
       #7 [f06a9f38] _spin_lock at c083bc14
       #8 [f06a9f44] sys_mincore at c0507b7d
       #9 [f06a9fb0] system_call at c083becd
                               start           len
          EAX: ffffffda  EBX: 9e200000  ECX: 00001000  EDX: 6228537f
          DS:  007b      ESI: 00000000  ES:  007b      EDI: 003d0f00
          SS:  007b      ESP: 62285354  EBP: 62285388  GS:  0033
          CS:  0073      EIP: 00291416  ERR: 000000da  EFLAGS: 00000286
      
      This should be a longstanding bug affecting x86 32bit PAE without THP.
      Only archs with 64bit large pmd_t and 32bit unsigned long should be
      affected.
      
      With THP enabled the barrier() in pmd_none_or_trans_huge_or_clear_bad()
      would partly hide the bug when the pmd transition from none to stable,
      by forcing a re-read of the *pmd in pmd_offset_map_lock, but when THP is
      enabled a new set of problem arises by the fact could then transition
      freely in any of the none, pmd_trans_huge or pmd_trans_stable states.
      So making the barrier in pmd_none_or_trans_huge_or_clear_bad()
      unconditional isn't good idea and it would be a flakey solution.
      
      This should be fully fixed by introducing a pmd_read_atomic that reads
      the pmd in order with THP disabled, or by reading the pmd atomically
      with cmpxchg8b with THP enabled.
      
      Luckily this new race condition only triggers in the places that must
      already be covered by pmd_none_or_trans_huge_or_clear_bad() so the fix
      is localized there but this bug is not related to THP.
      
      NOTE: this can trigger on x86 32bit systems with PAE enabled with more
      than 4G of ram, otherwise the high part of the pmd will never risk to be
      truncated because it would be zero at all times, in turn so hiding the
      SMP race.
      
      This bug was discovered and fully debugged by Ulrich, quote:
      
      ----
      [..]
      pmd_none_or_trans_huge_or_clear_bad() loads the content of edx and
      eax.
      
          496 static inline int pmd_none_or_trans_huge_or_clear_bad(pmd_t
          *pmd)
          497 {
          498         /* depend on compiler for an atomic pmd read */
          499         pmd_t pmdval = *pmd;
      
                                      // edi = pmd pointer
      0xc0507a74 <sys_mincore+548>:   mov    0x8(%esp),%edi
      ...
                                      // edx = PTE page table high address
      0xc0507a84 <sys_mincore+564>:   mov    0x4(%edi),%edx
      ...
                                      // eax = PTE page table low address
      0xc0507a8e <sys_mincore+574>:   mov    (%edi),%eax
      
      [..]
      
      Please note that the PMD is not read atomically. These are two "mov"
      instructions where the high order bits of the PMD entry are fetched
      first. Hence, the above machine code is prone to the following race.
      
      -  The PMD entry {high|low} is 0x0000000000000000.
         The "mov" at 0xc0507a84 loads 0x00000000 into edx.
      
      -  A page fault (on another CPU) sneaks in between the two "mov"
         instructions and instantiates the PMD.
      
      -  The PMD entry {high|low} is now 0x00000003fda38067.
         The "mov" at 0xc0507a8e loads 0xfda38067 into eax.
      ----
      Reported-by: default avatarUlrich Obergfell <uobergfe@redhat.com>
      Signed-off-by: default avatarAndrea Arcangeli <aarcange@redhat.com>
      Cc: Mel Gorman <mgorman@suse.de>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: Larry Woodman <lwoodman@redhat.com>
      Cc: Petr Matousek <pmatouse@redhat.com>
      Cc: Rik van Riel <riel@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      02d1854e
    • Henrik Rydberg's avatar
      hwmon: (applesmc) Limit key length in warning messages · 51b9f4cb
      Henrik Rydberg authored
      commit ac852edb upstream.
      
      Key lookups may call read_smc() with a fixed-length key string,
      and if the lookup fails, trailing stack content may appear in the
      kernel log. Fixed with this patch.
      Signed-off-by: default avatarHenrik Rydberg <rydberg@euromail.se>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      51b9f4cb
    • Lubomir Schmidt's avatar
      staging: r8712u: Add new USB IDs · d01f9593
      Lubomir Schmidt authored
      commit 3026b0e9 upstream.
      
      There are two new devices for this driver.
      Signed-off-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d01f9593
    • Peter Korsgaard's avatar
      hwrng: atmel-rng - fix data valid check · 07cea158
      Peter Korsgaard authored
      commit c475c06f upstream.
      
      Brown paper bag: Data valid is LSB of the ISR (status register), and NOT
      of ODATA (current random data word)!
      
      With this, rngtest is a lot happier. Before:
      
      rngtest 3
      Copyright (c) 2004 by Henrique de Moraes Holschuh
      This is free software; see the source for copying conditions.  There is NO warr.
      
      rngtest: starting FIPS tests...
      rngtest: bits received from input: 20000032
      rngtest: FIPS 140-2 successes: 3
      rngtest: FIPS 140-2 failures: 997
      rngtest: FIPS 140-2(2001-10-10) Monobit: 604
      rngtest: FIPS 140-2(2001-10-10) Poker: 996
      rngtest: FIPS 140-2(2001-10-10) Runs: 36
      rngtest: FIPS 140-2(2001-10-10) Long run: 0
      rngtest: FIPS 140-2(2001-10-10) Continuous run: 117
      rngtest: input channel speed: (min=622.371; avg=23682.481; max=28224.350)Kibitss
      rngtest: FIPS tests speed: (min=12.361; avg=12.718; max=12.861)Mibits/s
      rngtest: Program run time: 2331696 microsecondsx
      
      After:
      rngtest 3
      Copyright (c) 2004 by Henrique de Moraes Holschuh
      This is free software; see the source for copying conditions.  There is NO warr.
      
      rngtest: starting FIPS tests...
      rngtest: bits received from input: 20000032
      rngtest: FIPS 140-2 successes: 999
      rngtest: FIPS 140-2 failures: 1
      rngtest: FIPS 140-2(2001-10-10) Monobit: 0
      rngtest: FIPS 140-2(2001-10-10) Poker: 0
      rngtest: FIPS 140-2(2001-10-10) Runs: 1
      rngtest: FIPS 140-2(2001-10-10) Long run: 0
      rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
      rngtest: input channel speed: (min=777.363; avg=43588.270; max=47870.711)Kibitss
      rngtest: FIPS tests speed: (min=11.943; avg=12.716; max=12.844)Mibits/s
      rngtest: Program run time: 1955282 microseconds
      Signed-off-by: default avatarPeter Korsgaard <jacmet@sunsite.dk>
      Reported-by: default avatarGeorge Pontis <GPontis@z9.com>
      Acked-by: default avatarNicolas Ferre <nicolas.ferre@atmel.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      07cea158
    • Chen Gong's avatar
      edac: avoid mce decoding crash after edac driver unloaded · 4ce3278c
      Chen Gong authored
      commit e35fca47 upstream.
      
      Some edac drivers register themselves as mce decoders via
      notifier_chain. But in current notifier_chain implementation logic,
      it doesn't accept same notifier registered twice. If so, it will be
      wrong when adding/removing the element from the list. For example,
      on one SandyBridge platform, remove module sb_edac and then trigger
      one error, it will hit oops because it has no mce decoder registered
      but related notifier_chain still points to an invalid callback
      function. Here is an example:
      
      Call Trace:
       [<ffffffff8150ef6a>] atomic_notifier_call_chain+0x1a/0x20
       [<ffffffff8102b936>] mce_log+0x46/0x180
       [<ffffffff8102eaea>] apei_mce_report_mem_error+0x4a/0x60
       [<ffffffff812e19d2>] ghes_do_proc+0x192/0x210
       [<ffffffff812e2066>] ghes_proc+0x46/0x70
       [<ffffffff812e20d8>] ghes_notify_sci+0x48/0x80
       [<ffffffff8150ef05>] notifier_call_chain+0x55/0x80
       [<ffffffff81076f1a>] __blocking_notifier_call_chain+0x5a/0x80
       [<ffffffff812aea11>] ? acpi_os_wait_events_complete+0x23/0x23
       [<ffffffff81076f56>] blocking_notifier_call_chain+0x16/0x20
       [<ffffffff812ddc4d>] acpi_hed_notify+0x19/0x1b
       [<ffffffff812b16bd>] acpi_device_notify+0x19/0x1b
       [<ffffffff812beb38>] acpi_ev_notify_dispatch+0x67/0x7f
       [<ffffffff812aea3a>] acpi_os_execute_deferred+0x29/0x36
       [<ffffffff81069dc2>] process_one_work+0x132/0x450
       [<ffffffff8106bbcb>] worker_thread+0x17b/0x3c0
       [<ffffffff8106ba50>] ? manage_workers+0x120/0x120
       [<ffffffff81070aee>] kthread+0x9e/0xb0
       [<ffffffff81514724>] kernel_thread_helper+0x4/0x10
       [<ffffffff81070a50>] ? kthread_freezable_should_stop+0x70/0x70
       [<ffffffff81514720>] ? gs_change+0x13/0x13
      Code: f3 49 89 d4 45 85 ed 4d 89 c6 48 8b 0f 74 48 48 85 c9 75 17 eb 41
      0f 1f 80 00 00 00 00 41 83 ed 01 4c 89 f9 74 22 4d 85 ff 74 1d <4c> 8b
      79 08 4c 89 e2 48 89 de 48 89 cf ff 11 4d 85 f6 74 04 41
      RIP  [<ffffffff8150eef6>] notifier_call_chain+0x46/0x80
       RSP <ffff88042868fb20>
      CR2: ffffffffa01af838
      ---[ end trace 0100930068e73e6f ]---
      BUG: unable to handle kernel paging request at fffffffffffffff8
      IP: [<ffffffff810705b0>] kthread_data+0x10/0x20
      PGD 1a0d067 PUD 1a0e067 PMD 0
      Oops: 0000 [#2] SMP
      
      Only i7core_edac and sb_edac have such issues because they have more
      than one memory controller which means they have to register mce
      decoder many times.
      Signed-off-by: default avatarChen Gong <gong.chen@linux.intel.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@redhat.com>
      [bwh: Backported to 3.2: drivers call atomic_notifier_chain_{,un}register()
       directly]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4ce3278c
    • Olaf Hering's avatar
      Tools: hv: verify origin of netlink connector message · 10682d24
      Olaf Hering authored
      commit bcc2c9c3 upstream.
      
      The SuSE security team suggested to use recvfrom instead of recv to be
      certain that the connector message is originated from kernel.
      
      CVE-2012-2669
      Signed-off-by: default avatarOlaf Hering <olaf@aepfle.de>
      Signed-off-by: default avatarMarcus Meissner <meissner@suse.de>
      Signed-off-by: default avatarSebastian Krahmer <krahmer@suse.de>
      Signed-off-by: default avatarK. Y. Srinivasan <kys@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      10682d24
    • Lars-Peter Clausen's avatar
      staging:iio:ad7606: Re-add missing scale attribute · f3853ace
      Lars-Peter Clausen authored
      commit 279bf2e5 upstream.
      
      Commit 50ac23be ("staging:iio:adc:ad7606 add local define for chan_spec
      structures.") accidentally removed the scale info_mask flag. This patch
      adds it back again.
      Signed-off-by: default avatarLars-Peter Clausen <lars@metafoo.de>
      Acked-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2:
       - info_mask was completely gone rather than set to another flag
       - IIO_CHAN_INFO_SCALE_SHARED_BIT was not defined; write it out as a shift]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f3853ace
  2. 19 Jun, 2012 31 commits