1. 25 Oct, 2012 10 commits
    • genalloc: stop crashing the system when destroying a pool · eedce141
      Thadeu Lima de Souza Cascardo authored
      The genalloc code uses the bitmap API from include/linux/bitmap.h and
      lib/bitmap.c, which is based on long values.  Both bitmap_set from
      lib/bitmap.c and bitmap_set_ll, which is the lockless version from
      genalloc.c, use BITMAP_LAST_WORD_MASK to set the first bits in a long in
      the bitmap.
      
      That one uses (1 << bits) - 1, 0b111, if you are setting the first three
      bits.  This means that the API counts from the least significant bits
      (LSB from now on) to the MSB.  The LSB in the first long is bit 0, then.
      The same works for the lookup functions.
      
      The genalloc code uses longs for the bitmap, as it should.  In
      include/linux/genalloc.h, struct gen_pool_chunk has unsigned long
      bits[0] as its last member.  When allocating the struct, genalloc should
      reserve enough space for the bitmap.  This should be a proper number of
      longs that can fit the amount of bits in the bitmap.
      
      However, genalloc allocates an integer number of bytes that fit the
      amount of bits, but may not be an integer amount of longs.  9 bytes, for
      example, could be allocated for 70 bits.
      
      This is a problem in itself if the Least Significant Bit in a long is in
      the byte with the largest address, which happens in Big Endian machines.
      This means genalloc is not allocating the byte in which it will try to
      set or check for a bit.
      
      This may end up in memory corruption, where genalloc will try to set the
      bits it has not allocated.  In fact, genalloc may not set these bits
      because it may find them already set, because they were not zeroed since
      they were not allocated.  And that's what causes a BUG when
      gen_pool_destroy is called and checks for any set bits.
      
      What really happens is that genalloc uses kmalloc_node with __GFP_ZERO
      on gen_pool_add_virt.  With SLAB and SLUB, this means the whole slab
      will be cleared, not only the requested bytes.  Since struct
      gen_pool_chunk has a size that is a multiple of 8, and slab sizes are
      multiples of 8, we get lucky and allocate and clear the right amount of
      bytes.
      
      However, this is not the case with SLOB or with older code that did memset
      after allocating instead of using __GFP_ZERO.
      
      So, a simple module as this (running 3.6.0), will cause a crash when
      rmmod'ed.
      
        [root@phantom-lp2 foo]# cat foo.c
        #include <linux/kernel.h>
        #include <linux/module.h>
        #include <linux/init.h>
        #include <linux/genalloc.h>
      
        MODULE_LICENSE("GPL");
        MODULE_VERSION("0.1");
      
        static struct gen_pool *foo_pool;
      
        static __init int foo_init(void)
        {
                int ret;
                foo_pool = gen_pool_create(10, -1);
                if (!foo_pool)
                        return -ENOMEM;
                ret = gen_pool_add(foo_pool, 0xa0000000, 32 << 10, -1);
                if (ret) {
                        gen_pool_destroy(foo_pool);
                        return ret;
                }
                return 0;
        }
      
        static __exit void foo_exit(void)
        {
                gen_pool_destroy(foo_pool);
        }
      
        module_init(foo_init);
        module_exit(foo_exit);
        [root@phantom-lp2 foo]# zcat /proc/config.gz | grep SLOB
        CONFIG_SLOB=y
        [root@phantom-lp2 foo]# insmod ./foo.ko
        [root@phantom-lp2 foo]# rmmod foo
        ------------[ cut here ]------------
        kernel BUG at lib/genalloc.c:243!
        cpu 0x4: Vector: 700 (Program Check) at [c0000000bb0e7960]
            pc: c0000000003cb50c: .gen_pool_destroy+0xac/0x110
            lr: c0000000003cb4fc: .gen_pool_destroy+0x9c/0x110
            sp: c0000000bb0e7be0
           msr: 8000000000029032
          current = 0xc0000000bb0e0000
          paca    = 0xc000000006d30e00   softe: 0        irq_happened: 0x01
            pid   = 13044, comm = rmmod
        kernel BUG at lib/genalloc.c:243!
        [c0000000bb0e7ca0] d000000004b00020 .foo_exit+0x20/0x38 [foo]
        [c0000000bb0e7d20] c0000000000dff98 .SyS_delete_module+0x1a8/0x290
        [c0000000bb0e7e30] c0000000000097d4 syscall_exit+0x0/0x94
        --- Exception: c00 (System Call) at 000000800753d1a0
        SP (fffd0b0e640) is in userspace
      Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
      Cc: Paul Gortmaker <paul.gortmaker@windriver.com>
      Cc: Benjamin Gaignard <benjamin.gaignard@stericsson.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
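
The sizing problem described in the genalloc commit message above, worked through as an added example (not code from the commit or from the kernel). It models a 64-bit long as a fixed 8-byte word and counts, for the message's 70-bit case and for the 32-bit bitmap that foo.c's 32 KiB pool at order 10 needs, how many bits land in bytes the byte-rounded allocation never reserved; WORD_BYTES, byte_of_bit and bits_outside are names introduced here.

```c
#include <stddef.h>
#include <stdio.h>

#define WORD_BYTES 8u                /* assumption: models a 64-bit long */
#define WORD_BITS  (WORD_BYTES * 8u)

/* Byte-rounded sizing the message describes as the bug (70 bits -> 9 bytes). */
static size_t bytes_by_byte(size_t nbits) { return (nbits + 7) / 8; }

/* Long-rounded sizing the message says is needed (70 bits -> 2 longs). */
static size_t bytes_by_long(size_t nbits)
{
    return (nbits + WORD_BITS - 1) / WORD_BITS * WORD_BYTES;
}

/* Offset from the start of the bitmap of the byte that stores bit n. */
static size_t byte_of_bit(size_t n, int big_endian)
{
    size_t byte_in_word = (n % WORD_BITS) / 8;   /* counted from the LSB */

    if (big_endian)                  /* LSB lives at the highest address */
        byte_in_word = WORD_BYTES - 1 - byte_in_word;
    return (n / WORD_BITS) * WORD_BYTES + byte_in_word;
}

/* How many of the nbits bits fall in bytes past the allocated size. */
static size_t bits_outside(size_t nbits, size_t allocated, int big_endian)
{
    size_t n, count = 0;

    for (n = 0; n < nbits; n++)
        if (byte_of_bit(n, big_endian) >= allocated)
            count++;
    return count;
}

int main(void)
{
    /* 70: the message's example; 32: 32 KiB pool at order 10 (foo.c). */
    size_t cases[] = { 70, 32 };
    size_t i;

    for (i = 0; i < 2; i++) {
        size_t n = cases[i];
        printf("%zu bits: %zu bytes (BE stray %zu, LE stray %zu), %zu by longs (BE stray %zu)\n",
               n, bytes_by_byte(n), bits_outside(n, bytes_by_byte(n), 1),
               bits_outside(n, bytes_by_byte(n), 0), bytes_by_long(n),
               bits_outside(n, bytes_by_long(n), 1));
    }
    return 0;
}
```

On the modelled big-endian layout every one of the 32 bits of the foo.c bitmap sits outside the 4 bytes a byte-rounded allocation reserves, which is why the reproducer depends on whether the allocator happens to zero the rest of the object.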
    • backlight: ili9320: add missing SPI dependency · fd6de530
      Jingoo Han authored
      Add this missing SPI dependency and prevent the driver from building
      without SPI, because functions of the spi driver are used in this
      driver.
      
        drivers/video/backlight/ili9320.c:51: undefined reference to `spi_sync'
      
      Also, a prompt string for CONFIG_LCD_ILI9320 is added for explicit
      selection.
      Signed-off-by: Jingoo Han <jg1.han@samsung.com>
      Cc: Richard Purdie <rpurdie@rpsys.net>
      Cc: Ben Dooks <ben-linux@fluff.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • device_cgroup: add proper checking when changing default behavior · 4cef7299
      Aristeu Rozanski authored
      Before changing a group's default behavior to ALLOW, we must check if
      its parent's behavior is also ALLOW.
      Signed-off-by: Aristeu Rozanski <aris@redhat.com>
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Li Zefan <lizefan@huawei.com>
      Cc: James Morris <jmorris@namei.org>
      Cc: Pavel Emelyanov <xemul@openvz.org>
      Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
      Cc: Jiri Slaby <jslaby@suse.cz>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • device_cgroup: stop using simple_strtoul() · 26fd8405
      Aristeu Rozanski authored
      Convert the code to use kstrtou32() instead of simple_strtoul() which is
      deprecated.  The real size of the variables is u32, so use kstrtou32
      instead of kstrtoul.
      Signed-off-by: Aristeu Rozanski <aris@redhat.com>
      Cc: Dave Jones <davej@redhat.com>
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Li Zefan <lizefan@huawei.com>
      Cc: James Morris <jmorris@namei.org>
      Cc: Pavel Emelyanov <xemul@openvz.org>
      Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
      Cc: Jiri Slaby <jslaby@suse.cz>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • device_cgroup: rename deny_all to behavior · 5b7aa7d5
      Aristeu Rozanski authored
      This was done in a v2 patch but v1 ended up being committed.  The
      variable name is less confusing and stores the default behavior when no
      matching exception exists.
      Signed-off-by: Aristeu Rozanski <aris@redhat.com>
      Cc: Dave Jones <davej@redhat.com>
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Li Zefan <lizefan@huawei.com>
      Cc: James Morris <jmorris@namei.org>
      Cc: Pavel Emelyanov <xemul@openvz.org>
      Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
      Cc: Jiri Slaby <jslaby@suse.cz>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • cgroup: fix invalid rcu dereference · 8c9506d1
      Jiri Slaby authored
      Commit ad676077 ("device_cgroup: convert device_cgroup internally to
      policy + exceptions") removed rcu locks which are needed in
      task_devcgroup called in this chain:
      
        devcgroup_inode_mknod OR __devcgroup_inode_permission ->
          __devcgroup_inode_permission ->
            task_devcgroup ->
              task_subsys_state ->
                task_subsys_state_check.
      
      Change the code so that task_devcgroup is safely called with rcu read
      lock held.
      
        ===============================
        [ INFO: suspicious RCU usage. ]
        3.6.0-rc5-next-20120913+ #42 Not tainted
        -------------------------------
        include/linux/cgroup.h:553 suspicious rcu_dereference_check() usage!
      
        other info that might help us debug this:
      
        rcu_scheduler_active = 1, debug_locks = 0
        2 locks held by kdevtmpfs/23:
         #0:  (sb_writers){.+.+.+}, at: [<ffffffff8116873f>]
        mnt_want_write+0x1f/0x50
         #1:  (&sb->s_type->i_mutex_key#3/1){+.+.+.}, at: [<ffffffff811558af>]
        kern_path_create+0x7f/0x170
      
        stack backtrace:
        Pid: 23, comm: kdevtmpfs Not tainted 3.6.0-rc5-next-20120913+ #42
        Call Trace:
          lockdep_rcu_suspicious+0xfd/0x130
          devcgroup_inode_mknod+0x19d/0x240
          vfs_mknod+0x71/0xf0
          handle_create.isra.2+0x72/0x200
          devtmpfsd+0x114/0x140
          ? handle_create.isra.2+0x200/0x200
          kthread+0xd6/0xe0
          kernel_thread_helper+0x4/0x10
      Signed-off-by: Jiri Slaby <jslaby@suse.cz>
      Cc: Dave Jones <davej@redhat.com>
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Li Zefan <lizefan@huawei.com>
      Cc: James Morris <jmorris@namei.org>
      Cc: Pavel Emelyanov <xemul@openvz.org>
      Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • mm: fix XFS oops due to dirty pages without buffers on s390 · ef5d437f
      Jan Kara authored
      On s390 any write to a page (even from kernel itself) sets architecture
      specific page dirty bit.  Thus when a page is written to via buffered
      write, HW dirty bit gets set and when we later map and unmap the page,
      page_remove_rmap() finds the dirty bit and calls set_page_dirty().
      
      Dirtying of a page which shouldn't be dirty can cause all sorts of
      problems to filesystems.  The bug we observed in practice is that
      buffers from the page get freed, so when the page gets later marked as
      dirty and writeback writes it, XFS crashes due to an assertion
      BUG_ON(!PagePrivate(page)) in page_buffers() called from
      xfs_count_page_state().
      
      A similar problem can also happen when a zero_user_segment() call from
      xfs_vm_writepage() (or block_write_full_page() for that matter) sets the
      hardware dirty bit during writeback, later buffers get freed, and then
      the page is unmapped.
      
      Fix the issue by ignoring s390 HW dirty bit for page cache pages of
      mappings with mapping_cap_account_dirty().  This is safe because for
      such mappings when a page gets marked as writeable in PTE it is also
      marked dirty in do_wp_page() or do_page_fault().  When the dirty bit is
      cleared by clear_page_dirty_for_io(), the page gets writeprotected in
      page_mkclean().  So pagecache page is writeable if and only if it is
      dirty.
      
      Thanks to Hugh Dickins for pointing out mapping has to have
      mapping_cap_account_dirty() for things to work and proposing a cleaned
      up variant of the patch.
      
      The patch has survived about two hours of running fsx-linux on tmpfs
      while heavily swapping and several days of running on our build machines
      where the original problem was triggered.
      Signed-off-by: Jan Kara <jack@suse.cz>
      Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Cc: Mel Gorman <mgorman@suse.de>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: <stable@vger.kernel.org>		[3.0+]
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge tag 'spi-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/misc · 4864ccbb
      Linus Torvalds authored
      Pull spi fixes from Mark Brown:
       "A bunch of fixes here, mostly minor except for the pl022 which has
        just been a bit of a shambles all round, the recent runtime PM changes
        have as far as I can tell never worked so they're just getting thrown
        out."
      
      * tag 'spi-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/misc:
        spi/pl022: Revert recent runtime PM changes
        spi: tsc2005: delete soon-obsolete e-mail address
        spi: spi-rspi: fix build error for the latest shdma driver
    • Merge tag 'iommu-fixes-v3.7-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · 735f0a98
      Linus Torvalds authored
      Pull IOMMU fixes from Joerg Roedel:
       "Two fixes this time:
      
         1. Another fix for a broken BIOS to detect when AMD IOMMU interrupt
            remapping can not work reliably
         2. Typo fix for NVidia IOMMU driver"
      
      * tag 'iommu-fixes-v3.7-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
        iommu/tegra: smmu: Fix deadly typo
        iommu/amd: Work around wrong IOAPIC device-id in IVRS table
    • Merge tag 'pinctrl-v3.7-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · 99103f77
      Linus Torvalds authored
      Pull pinctrl fixes from Linus Walleij:
       "This fixes a few pinctrl problems seen since v3.7-rc1:
         - Section tagging for init code
         - Use proper pointers to lookup struct device * in the bcm2835
           (a.k.a.  Raspberry Pi)
         - Remove duplicate #includes
         - Fix bad return values in errorpath
         - Remove extraneous pull function from the sirf driver causing build
           errors
         - Provide compilation stubs for the Nomadik pinctrl driver when used
           with legacy systems without PRCMU units
         - Various irqdomain fixes in the Nomadik driver as predicted
         - Various smallish bugs in the Tegra driver, most also targeted for
           stable
         - Removed a deadlocking mutex in the groups debugfs show function"
      
      * tag 'pinctrl-v3.7-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl/nomadik: pass DT node to the irqdomain
        pinctrl/nomadik: use zero as default irq_start
        pinctrl: fix missing unlock on error in pinctrl_groups_show()
        pinctrl/nomadik: use irq_create_mapping()
        pinctrl: remove mutex lock in groups show
        pinctrl: tegra: correct bank for pingroup and drv pingroup
        pinctrl: tegra: set low power mode bank width to 2
        dt: Document: correct tegra20/30 pinctrl slew-rate name
  2. 24 Oct, 2012 16 commits
  3. 23 Oct, 2012 14 commits