519778 Commits

Author SHA1 Message Date
Dave Airlie
e52f649e5b Merge branch 'drm-fixes-4.1' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
radeon minor fixes, and pci id addition.
* 'drm-fixes-4.1' of git://people.freedesktop.org/~agd5f/linux:
  drm/radeon: don't do mst probing if MST isn't enabled.
  drm/radeon: add new bonaire pci id
  drm/radeon: fix VM_CONTEXT*_PAGE_TABLE_END_ADDR handling
2015-05-15 15:20:45 +10:00
Theodore Ts'o
b9576fc362 ext4: fix an ext3 collapse range regression in xfstests
The xfstests test suite assumes that an attempt to collapse range on
the range (0, 1) will return EOPNOTSUPP if the file system does not
support collapse range.  Commit 280227a75b56: "ext4: move check under
lock scope to close a race" broke this, and this caused xfstests to
fail when run when testing file systems that did not have the extents
feature enabled.

Reported-by: Eric Whitney <enwlinux@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
2015-05-15 00:24:10 -04:00
Roopa Prabhu
eea39946a1 rename RTNH_F_EXTERNAL to RTNH_F_OFFLOAD
RTNH_F_EXTERNAL today is printed as "offload" in iproute2 output.

This patch renames the flag to be consistent with what the user sees.

Signed-off-by: Roopa Prabhu <roopa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-05-14 22:45:39 -04:00
Bjorn Helgaas
c1c52db16e net/mlx4: Avoid 'may be used uninitialized' warnings
With a cross-compiler based on gcc-4.9, I see warnings like the following:

  drivers/net/ethernet/mellanox/mlx4/resource_tracker.c: In function 'mlx4_SW2HW_CQ_wrapper':
  drivers/net/ethernet/mellanox/mlx4/resource_tracker.c:3048:10: error: 'cq' may be used uninitialized in this function [-Werror=maybe-uninitialized]
    cq->mtt = mtt;

I think the warning is spurious because we only use cq when
cq_res_start_move_to() returns zero, and it always initializes *cq in that
case.  The srq case is similar.  But maybe gcc isn't smart enough to figure
that out.

Initialize cq and srq explicitly to avoid the warnings.

Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-05-14 22:28:48 -04:00
Vlad Yasevich
e87a468eb9 ipv6: Fix udp checksums with raw sockets
It was reported that trancerout6 would cause
a kernel to crash when trying to compute checksums
on raw UDP packets.  The cause was the check in
__ip6_append_data that would attempt to use
partial checksums on the packet.  However,
raw sockets do not initialize partial checksum
fields so partial checksums can't be used.

Solve this the same way IPv4 does it.  raw sockets
pass transhdrlen value of 0 to ip_append_data which
causes the checksum to be computed in software.  Use
the same check in ip6_append_data (check transhdrlen).

Reported-by: Wolfgang Walter <linux@stwm.de>
CC: Wolfgang Walter <linux@stwm.de>
CC: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-05-14 22:27:03 -04:00
Linus Torvalds
f0897f4cc0 ACPI fixes for v4.1-rc4
- The recent ACPICA commit that set the ACPI _REV return value to 2
    (which is the value always used by Windows and now mandated by the
    spec too) in order to prevent the firmware people from using it to
    play tricks with us caused a serious audio regression to happen on
    Dell XPS 13 (the AML on that machine uses the _REV return value to
    decide how to expose audio to the OS and does that to hide the
    lack of proper support for its I2S audio in Linux), so revert that
    commit for now and we'll revisit the issue in the next cycle.
 
  - Ensure that the ordering of acpi_reserve_resources() with respect
    to the rest of the ACPI initialization sequence will always be
    the same, or the IO or memory region occupied by the ACPI fixed
    registers may be assigned to a PCI host bridge as a result of
    a race and random breakage ensues going forward.
 
 /
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABCAAGBQJVVS6SAAoJEILEb/54YlRxGNUP/jnRBNZhzIFWJxkbVJ/IQgXI
 g5HFO/ebdGqSyAEuXHZFzdNJv52WBsWurESHvCKyh4n+c0m6CIoKpXeNRFZyZJIU
 tPZhF9IzeuuLXz+MuR0V+9D45UFoBZFScqTqihw13kM1/DnRmKN/BSO4EdxDSzno
 zcUPXfUl8Od8erbAD5E3U0EnzEiM2nrg/PPmVs+DM1qYg5NVAFBniF44R47dvz0D
 yAKTjlQg8FouYw4gmD0E79n3ydL0A6S+TdNV+u/MYRHg7cq/P6kXvjNJncKTIof0
 WqbXBB9ZvcAfyltf10Me5E61pfhxM0a4Ufjr5z9NtSlXpwadeSUnFqP6zWsAbwBJ
 dU0apeZSGT2J+CuDzwyBmBkN3kT0i/97C8Yd7/K2lhy+GR148Zn6X6Cwk3C8LIwd
 w1dcXnoN50zk5FqC72GYGUFJEFYrlmmmeT9jQohNFURWlawYZ1HGJoXb3oQzA9j7
 HFM1Eor8UdlAMtvQ2aNGeHRorHVqsoSpzWZbQs5sCTL6qh69/ufKJzKRa/eAMm5k
 Fnf+hEuALhEe2S7EvbaHC04xvZie0HXoJR91+Tk4I9FUYXuxJojKbwLPKWMcr/p4
 ZXBTVdiUxWwd7Ey5Ckt9xNWmVwFKAruZp+hSYhl+iciyHYNHTjbx+a82+cTmcwd/
 sWSno6EBixqDfhEN4Fo8
 =N6C9
 -----END PGP SIGNATURE-----

Merge tag 'pm+acpi-4.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull ACPI fixes from Rafael Wysocki:
 "Two fixes here, one revert of a recent ACPICA commit that broke audio
  support on one Dell machine and a fix for a long-standing issue that
  may cause systems to break randomly during boot.

  Specifics:

   - The recent ACPICA commit that set the ACPI _REV return value to 2
     (which is the value always used by Windows and now mandated by the
     spec too) in order to prevent the firmware people from using it to
     play tricks with us caused a serious audio regression to happen on
     Dell XPS 13 (the AML on that machine uses the _REV return value to
     decide how to expose audio to the OS and does that to hide the lack
     of proper support for its I2S audio in Linux), so revert that
     commit for now and we'll revisit the issue in the next cycle.

   - Ensure that the ordering of acpi_reserve_resources() with respect
     to the rest of the ACPI initialization sequence will always be the
     same, or the IO or memory region occupied by the ACPI fixed
     registers may be assigned to a PCI host bridge as a result of a
     race and random breakage ensues going forward"

* tag 'pm+acpi-4.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  Revert "ACPICA: Permanently set _REV to the value '2'."
  ACPI / init: Fix the ordering of acpi_reserve_resources()
2015-05-14 18:40:16 -07:00
Linus Torvalds
fc8c540b1d arm64 fixes:
- Fix potential memory leak in perf PMU probing
 - BPF sign extension fix for 64-bit immediates
 - Fix build failure with unusual configuration
 - Revert unused and broken branch patching from alternative code
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABCgAGBQJVVGxeAAoJELescNyEwWM05DYH/Ajusp2WZjh3FVC7tJbNF1ky
 ODplN/p2bWDFhq62/pFKIR7Ms5+l6BgcS3rLxIzN6CeMIyKiU/jHnCKvNNyBcL/K
 aXLPJ84zNQ+iMCbjwDOEqwE2h2dPb1dXYAWsIywJ1ZzRSEwe9uIdlbLoicQT3HM6
 pTbmjvNxDY/nRygFgCa/o2MCnnyld1heGibeVdSivFSRxg59E+d9i2PVlLjl05ND
 V5cPFdRS/TEJnjOQ0g3c+sBSqrYwD5ad0RiFJMAS0mUG7ww0wwhCUE4hkmZy7sqT
 Iwux96/h5VzCwlHszFmfq0/kQoa/uYusydAhQ/chlTYyWG4CXq05O6mpfql72KU=
 =MDVF
 -----END PGP SIGNATURE-----

Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux

Pull arm64 fixes from Will Deacon:

 - fix potential memory leak in perf PMU probing

 - BPF sign extension fix for 64-bit immediates

 - fix build failure with unusual configuration

 - revert unused and broken branch patching from alternative code

* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
  arm64: perf: fix memory leak when probing PMU PPIs
  arm64: bpf: fix signedness bug in loading 64-bit immediate
  arm64: mm: Fix build error with CONFIG_SPARSEMEM_VMEMMAP disabled
  Revert "arm64: alternative: Allow immediate branch as alternative instruction"
2015-05-14 18:35:33 -07:00
Linus Torvalds
3c25a75ee0 Merge branch 'dmi-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging
Pull dmi fixes from Jean Delvare.

* 'dmi-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging:
  firmware: dmi_scan: Fix ordering of product_uuid
  firmware: dmi_scan: Simplified displayed version
2015-05-14 18:02:15 -07:00
Mel Gorman
b0dc2b9bb4 mm, numa: really disable NUMA balancing by default on single node machines
NUMA balancing is meant to be disabled by default on UMA machines but
the check is using nr_node_ids (highest node) instead of
num_online_nodes (online nodes).

The consequences are that a UMA machine with a node ID of 1 or higher
will enable NUMA balancing.  This will incur useless overhead due to
minor faults with the impact depending on the workload.  These are the
impact on the stats when running a kernel build on a single node machine
whose node ID happened to be 1:

  			       vanilla     patched
  NUMA base PTE updates          5113158           0
  NUMA huge PMD updates              643           0
  NUMA page range updates        5442374           0
  NUMA hint faults               2109622           0
  NUMA hint local faults         2109622           0
  NUMA hint local percent            100         100
  NUMA pages migrated                  0           0

Signed-off-by: Mel Gorman <mgorman@suse.de>
Reviewed-by: Rik van Riel <riel@redhat.com>
Cc: <stable@vger.kernel.org>	[3.8+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-05-14 17:55:51 -07:00
Jingoo Han
b77017555c MAINTAINERS: update Jingoo Han's email address
Change my private email address.

Signed-off-by: Jingoo Han <jingoohan1@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-05-14 17:55:51 -07:00
Hui Zhu
1ae7013dfa CMA: page_isolation: check buddy before accessing it
I had an issue:

    Unable to handle kernel NULL pointer dereference at virtual address 0000082a
    pgd = cc970000
    [0000082a] *pgd=00000000
    Internal error: Oops: 5 [#1] PREEMPT SMP ARM
    PC is at get_pageblock_flags_group+0x5c/0xb0
    LR is at unset_migratetype_isolate+0x148/0x1b0
    pc : [<c00cc9a0>]    lr : [<c0109874>]    psr: 80000093
    sp : c7029d00  ip : 00000105  fp : c7029d1c
    r10: 00000001  r9 : 0000000a  r8 : 00000004
    r7 : 60000013  r6 : 000000a4  r5 : c0a357e4  r4 : 00000000
    r3 : 00000826  r2 : 00000002  r1 : 00000000  r0 : 0000003f
    Flags: Nzcv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user
    Control: 10c5387d  Table: 2cb7006a  DAC: 00000015
    Backtrace:
        get_pageblock_flags_group+0x0/0xb0
        unset_migratetype_isolate+0x0/0x1b0
        undo_isolate_page_range+0x0/0xdc
        __alloc_contig_range+0x0/0x34c
        alloc_contig_range+0x0/0x18

This issue is because when calling unset_migratetype_isolate() to unset
a part of CMA memory, it try to access the buddy page to get its status:

		if (order >= pageblock_order) {
			page_idx = page_to_pfn(page) & ((1 << MAX_ORDER) - 1);
			buddy_idx = __find_buddy_index(page_idx, order);
			buddy = page + (buddy_idx - page_idx);

			if (!is_migrate_isolate_page(buddy)) {

But the begin addr of this part of CMA memory is very close to a part of
memory that is reserved at boot time (not in buddy system).  So add a
check before accessing it.

[akpm@linux-foundation.org: use conventional code layout]
Signed-off-by: Hui Zhu <zhuhui@xiaomi.com>
Suggested-by: Laura Abbott <labbott@redhat.com>
Suggested-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-05-14 17:55:51 -07:00
Josh Triplett
929aa5b250 uidgid: make uid_valid and gid_valid work with !CONFIG_MULTIUSER
{u,g}id_valid call {u,g}id_eq, which calls __k{u,g}id_val on both
arguments and compares.  With !CONFIG_MULTIUSER, __k{u,g}id_val return a
constant 0, which makes {u,g}id_valid always return false.  Change
{u,g}id_valid to compare their argument against -1 instead.  That produces
identical results in the normal CONFIG_MULTIUSER=y case, but with
!CONFIG_MULTIUSER will make {u,g}id_valid constant-fold into "return
true;" rather than "return false;".

This fixes uses of devpts without CONFIG_MULTIUSER.

Signed-off-by: Josh Triplett <josh@joshtriplett.org>
Reported-by: Fengguang Wu <fengguang.wu@intel.com>,
Cc: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-05-14 17:55:51 -07:00
Vladimir Davydov
499611ed45 kernfs: do not account ino_ida allocations to memcg
root->ino_ida is used for kernfs inode number allocations. Since IDA has
a layered structure, different IDs can reside on the same layer, which
is currently accounted to some memory cgroup. The problem is that each
kmem cache of a memory cgroup has its own directory on sysfs (under
/sys/fs/kernel/<cache-name>/cgroup). If the inode number of such a
directory or any file in it gets allocated from a layer accounted to the
cgroup which the cache is created for, the cgroup will get pinned for
good, because one has to free all kmem allocations accounted to a cgroup
in order to release it and destroy all its kmem caches. That said we
must not account layers of ino_ida to any memory cgroup.

Since per net init operations may create new sysfs entries directly
(e.g. lo device) or indirectly (nf_conntrack creates a new kmem cache
per each namespace, which, in turn, creates new sysfs entries), an easy
way to reproduce this issue is by creating network namespace(s) from
inside a kmem-active memory cgroup.

Signed-off-by: Vladimir Davydov <vdavydov@parallels.com>
Acked-by: Tejun Heo <tj@kernel.org>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@suse.cz>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Greg Thelen <gthelen@google.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: <stable@vger.kernel.org>	[4.0.x]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-05-14 17:55:51 -07:00
Vladimir Davydov
8f4fc071b1 gfp: add __GFP_NOACCOUNT
Not all kmem allocations should be accounted to memcg.  The following
patch gives an example when accounting of a certain type of allocations to
memcg can effectively result in a memory leak.  This patch adds the
__GFP_NOACCOUNT flag which if passed to kmalloc and friends will force the
allocation to go through the root cgroup.  It will be used by the next
patch.

Note, since in case of kmemleak enabled each kmalloc implies yet another
allocation from the kmemleak_object cache, we add __GFP_NOACCOUNT to
gfp_kmemleak_mask.

Alternatively, we could introduce a per kmem cache flag disabling
accounting for all allocations of a particular kind, but (a) we would not
be able to bypass accounting for kmalloc then and (b) a kmem cache with
this flag set could not be merged with a kmem cache without this flag,
which would increase the number of global caches and therefore
fragmentation even if the memory cgroup controller is not used.

Despite its generic name, currently __GFP_NOACCOUNT disables accounting
only for kmem allocations while user page allocations are always charged.
To catch abusing of this flag, a warning is issued on an attempt of
passing it to mem_cgroup_try_charge.

Signed-off-by: Vladimir Davydov <vdavydov@parallels.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@suse.cz>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Greg Thelen <gthelen@google.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: <stable@vger.kernel.org>	[4.0.x]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-05-14 17:55:51 -07:00
Andi Kleen
4933f55fe7 tools/vm: fix page-flags build
libabikfs.a doesn't exist anymore, so we now need to link with libapi.a.

Signed-off-by: Andi Kleen <ak@linux.intel.com>
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-05-14 17:55:51 -07:00
Andrew Morton
f98b733e93 drivers/rtc/rtc-armada38x.c: remove unused local `flags'
Reported-by: Fengguang Wu <fengguang.wu@gmail.com>
Cc: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-05-14 17:55:51 -07:00
Darrick J. Wong
e531d0bceb jbd2: fix r_count overflows leading to buffer overflow in journal recovery
The journal revoke block recovery code does not check r_count for
sanity, which means that an evil value of r_count could result in
the kernel reading off the end of the revoke table and into whatever
garbage lies beyond.  This could crash the kernel, so fix that.

However, in testing this fix, I discovered that the code to write
out the revoke tables also was not correctly checking to see if the
block was full -- the current offset check is fine so long as the
revoke table space size is a multiple of the record size, but this
is not true when either journal_csum_v[23] are set.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: stable@vger.kernel.org
2015-05-14 19:11:50 -04:00
Eryu Guan
2f974865ff ext4: check for zero length extent explicitly
The following commit introduced a bug when checking for zero length extent

5946d08 ext4: check for overlapping extents in ext4_valid_extent_entries()

Zero length extent could pass the check if lblock is zero.

Adding the explicit check for zero length back.

Signed-off-by: Eryu Guan <guaneryu@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org
2015-05-14 19:00:45 -04:00
Lukas Czerner
9d50659406 ext4: fix NULL pointer dereference when journal restart fails
Currently when journal restart fails, we'll have the h_transaction of
the handle set to NULL to indicate that the handle has been effectively
aborted. We handle this situation quietly in the jbd2_journal_stop() and just
free the handle and exit because everything else has been done before we
attempted (and failed) to restart the journal.

Unfortunately there are a number of problems with that approach
introduced with commit

41a5b913197c "jbd2: invalidate handle if jbd2_journal_restart()
fails"

First of all in ext4 jbd2_journal_stop() will be called through
__ext4_journal_stop() where we would try to get a hold of the superblock
by dereferencing h_transaction which in this case would lead to NULL
pointer dereference and crash.

In addition we're going to free the handle regardless of the refcount
which is bad as well, because others up the call chain will still
reference the handle so we might potentially reference already freed
memory.

Moreover it's expected that we'll get aborted handle as well as detached
handle in some of the journalling function as the error propagates up
the stack, so it's unnecessary to call WARN_ON every time we get
detached handle.

And finally we might leak some memory by forgetting to free reserved
handle in jbd2_journal_stop() in the case where handle was detached from
the transaction (h_transaction is NULL).

Fix the NULL pointer dereference in __ext4_journal_stop() by just
calling jbd2_journal_stop() quietly as suggested by Jan Kara. Also fix
the potential memory leak in jbd2_journal_stop() and use proper
handle refcounting before we attempt to free it to avoid use-after-free
issues.

And finally remove all WARN_ON(!transaction) from the code so that we do
not get random traces when something goes wrong because when journal
restart fails we will get to some of those functions.

Cc: stable@vger.kernel.org
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Jan Kara <jack@suse.cz>
2015-05-14 18:55:18 -04:00
Theodore Ts'o
92c8263910 ext4: remove unused function prototype from ext4.h
The ext4_extent_tree_init() function hasn't been in the ext4 code for
a long time ago, except in an unused function prototype in ext4.h

Google-Bug-Id: 4530137
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
2015-05-14 18:43:36 -04:00
Theodore Ts'o
1b46617b8d ext4: don't save the error information if the block device is read-only
Google-Bug-Id: 20939131
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
2015-05-14 18:37:30 -04:00
Rafael J. Wysocki
4de5167ee0 Merge branches 'acpi-init' and 'acpica'
* acpi-init:
  ACPI / init: Fix the ordering of acpi_reserve_resources()

* acpica:
  Revert "ACPICA: Permanently set _REV to the value '2'."
2015-05-15 00:31:23 +02:00
Theodore Ts'o
8f4d855839 ext4: fix lazytime optimization
We had a fencepost error in the lazytime optimization which means that
timestamp would get written to the wrong inode.

Cc: stable@vger.kernel.org
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
2015-05-14 18:19:01 -04:00
Eric Dumazet
91dd93f956 netlink: move nl_table in read_mostly section
netlink sockets creation and deletion heavily modify nl_table_users
and nl_table_lock.

If nl_table is sharing one cache line with one of them, netlink
performance is really bad on SMP.

ffffffff81ff5f00 B nl_table
ffffffff81ff5f0c b nl_table_users

Putting nl_table in read_mostly section increased performance
of my open/delete netlink sockets test by about 80 %

This came up while diagnosing a getaddrinfo() problem.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-05-14 17:49:06 -04:00
Hai Li
ec1936eb09 drm/msm/dsi: Simplify the code to get the number of read byte
During cmd rx, only new versions of H/W provide register to read back
the real number of byte returned by panel. For the old versions, reading
this register will not get the right number. In fact, we only need to
assume the returned data is the same size as we expected, because later
we will check the data type to detect error.

Signed-off-by: Hai Li <hali@codeaurora.org>
2015-05-14 16:57:25 -04:00
Hai Li
6f6b287968 drm/msm: Attach assigned encoder to eDP and DSI connectors
drm_mode_connector_attach_encoder() function call is missing
during eDP and DSI connector initialization. As a result,
no encoder is returned by DRM_IOCTL_MODE_GETCONNECTOR system
call. This change is to fix this issue.

Signed-off-by: Hai Li <hali@codeaurora.org>
2015-05-14 16:56:42 -04:00
Greg Kroah-Hartman
569192605f USB-serial fixes for v4.1-rc4
Here are a few device-id changes removing a duplicate entry, refining
 another and adding a third.
 
 Signed-off-by: Johan Hovold <johan@kernel.org>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABAgAGBQJVVMnhAAoJEEEN5E/e4bSVd3QP/3b1fb9pYuNwN7BXlmZqdoCF
 OauI0r1+W53pKhcbKibhmsbjIXKnMyzmY7AwcaSsalfMnk9mHARhUUxrmGdgxVtm
 +fc/1QXqbPOkTosnMlYaDx8u4MsfX3v1ThZaXirlwSePvYUnIRo9V8if0bWT8MoL
 s6hyXQZKhOcjA4HBrLSfTdN14ud4LlK/CyBMTVuEKBlyJ0XG6mYxZBnI3z9RDZ9U
 dUY6NwOYqjlAIk+u1AHgtSG2U/wIa5IU4I623oCNx3mHkYO9QfXCTEnC/XBB+DSX
 Z2llMWHSIrQHfhtAJJsRb24pFYo1zHS86VA2DHWgiSL7/TUC8mf44mGoDEs0qzyN
 5g6LmLMTshBSTBzI8w0DDf9Ir529SViWTrXTAQCLOIYDW50F/8kyfObBi0lII1xa
 vVlVBeG/T7cWjSMhjStahXXyAbcpVBJL2BlZnsgtb8jFtAdUUnfWDvNK4mu/DLWC
 +Y1ghaUYHHV8r54NH02jzeNuD/3RvOPTePQlH0hmdTlRTQ9FsTPTJKyZSpOgGjNr
 0FUyYw1GINOIRpKMgoGB4aLZFIJF4La6hOxnlyCSePGSr3MgV20BpFAPaFdsWMca
 PLcNwEBK95BedHi9OhIFGMqP2CZyOXv244hIzXMVJptaVB3rOxhSRQZRrzODnnhR
 2yTnVhFf2Z9nMWyqUljc
 =kack
 -----END PGP SIGNATURE-----

Merge tag 'usb-serial-4.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-linus

Johan writes:

USB-serial fixes for v4.1-rc4

Here are a few device-id changes removing a duplicate entry, refining
another and adding a third.

Signed-off-by: Johan Hovold <johan@kernel.org>
2015-05-14 12:43:36 -07:00
Brian Norris
db7c727402 mtd: readtest: don't clobber error reports
Commit 2a6a28e7922c ("mtd: Make MTD tests cancelable") accidentally
clobbered any read failure reports.

Coverity CID #1296020

Signed-off-by: Brian Norris <computersforpeace@gmail.com>
2015-05-14 09:56:31 -07:00
Krzysztof Kozlowski
e8f9845758 MAINTAINERS: ARM: EXYNOS: Add Krzysztof Kozlowski as co-maintainer
Add Krzysztof Kozlowski as a co-maintainer of Samsung Exynos ARM
architecture to review the patches. Patches will go as usual - picked up
by Kukjin Kim.

Cc: Russell King <linux@arm.linux.org.uk>
Cc: Kukjin Kim <kgene@kernel.org>
Cc: Kevin Hilman <khilman@kernel.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Olof Johansson <olof@lixom.net>
Cc: linux-samsung-soc@vger.kernel.org
Cc: linux-arm-kernel@lists.infradead.org
Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Acked-by: Javier Martinez Canillas <javier.martinez@collabora.co.uk>
Acked-by: Tobias Jakobi <liquid.acid@gmx.net>
Acked-by: Olof Johansson <olof@lixom.net>
Acked-by: Kevin Hilman <khilman@linaro.org>
Signed-off-by: Kevin Hilman <khilman@linaro.org>
2015-05-14 09:46:13 -07:00
Rob Clark
13f15565f7 drm/msm: setup vram after component_bind_all()
First of all, we don't want -EPROBE_DEFER when trying to bind children
to cause us to forget to free our vram.  And second we don't want vram
allocation fail to trigger _unbind_all() before _bind_all().

Signed-off-by: Rob Clark <robdclark@gmail.com>
2015-05-14 11:50:39 -04:00
Rob Clark
ff431fa4d9 drm/msm/dsi: use pr_err_ratelimited
When things go badly we can get a lot of these error irqs.  Let's not
DoS the user.

Signed-off-by: Rob Clark <robdclark@gmail.com>
2015-05-14 11:50:38 -04:00
Stephane Viau
7194b62c8c drm/msm: fix unbalanced DRM framebuffer init/destroy
When msm_framebuffer_init() fails before calling drm_framebuffer_init(),
drm_framebuffer_cleanup() [called in msm_framebuffer_destroy()]
is still being called even though drm_framebuffer_init() was not
called for that buffer. Thus a NULL pointer derefencing:

[  247.529691] Unable to handle kernel NULL pointer dereference at virtual address 0000027c
...
[  247.563996] PC is at __mutex_lock_slowpath+0x94/0x3a8
...
[  247.823025] [<c07c3c78>] (__mutex_lock_slowpath) from [<c07c3fac>] (mutex_lock+0x20/0x3c)
[  247.831186] [<c07c3fac>] (mutex_lock) from [<c0347cf0>] (drm_framebuffer_cleanup+0x18/0x38)
[  247.839520] [<c0347cf0>] (drm_framebuffer_cleanup) from [<c036d138>] (msm_framebuffer_destroy+0x48/0x100)
[  247.849066] [<c036d138>] (msm_framebuffer_destroy) from [<c036d580>] (msm_framebuffer_init+0x1e8/0x228)
[  247.858439] [<c036d580>] (msm_framebuffer_init) from [<c036d630>] (msm_framebuffer_create+0x70/0x134)
[  247.867642] [<c036d630>] (msm_framebuffer_create) from [<c03493ec>] (internal_framebuffer_create+0x67c/0x7b4)
[  247.877537] [<c03493ec>] (internal_framebuffer_create) from [<c034ce34>] (drm_mode_addfb2+0x20/0x98)
[  247.886650] [<c034ce34>] (drm_mode_addfb2) from [<c034071c>] (drm_ioctl+0x240/0x420)
[  247.894378] [<c034071c>] (drm_ioctl) from [<c011df7c>] (do_vfs_ioctl+0x4e4/0x5a4)
...

Signed-off-by: Stephane Viau <sviau@codeaurora.org>
[plus initialize msm_fb to NULL to -Rob]
Signed-off-by: Rob Clark <robdclark@gmail.com>
2015-05-14 11:48:54 -04:00
Dave Airlie
bed447e7d1 drm/radeon: don't do mst probing if MST isn't enabled.
This causes an oops as we haven't initialised the mst
layer.

Reported-by: Dave Jones <<davej@codemonkey.org.uk>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
2015-05-14 11:46:47 -04:00
Stephane Viau
fe34464df5 drm/msm/mdp5: Fix iteration on INTF config array
The current iteration in get_dsi_id_from_intf() is wrong:
instead of iterating until hw_cfg->intf.count, we need to iterate
until MDP5_INTF_NUM_MAX here.

Let's take the example of msm8x16:

 hw_cfg->intf.count = 1
 intfs[0] = INTF_Disabled
 intfs[1] = INTF_DSI

If we stop iterating once i reaches hw_cfg->intf.count (== 1),
we will miss the test for intfs[1].

Actually, this hw_cfg->intf.count entry is quite confusing and is not
(or *should not be*) used anywhere else; let's remove it.

Signed-off-by: Stephane Viau <sviau@codeaurora.org>
2015-05-14 11:29:20 -04:00
Hai Li
651ad3f52b drm/msm/dsi: Fixup missing *break* statement during cmd rx
Signed-off-by: Hai Li <hali@codeaurora.org>
2015-05-14 11:28:58 -04:00
Julia Lawall
6128f1bec4 drm/msm/dp: fix error return code
Return a negative error code on failure.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
@@
identifier ret; expression e1,e2;
@@
(
if (\(ret < 0\|ret != 0\))
 { ... return ret; }
|
ret = 0
)
... when != ret = e1
    when != &ret
*if(...)
{
  ... when != ret = e2
      when forall
 return ret;
}
// </smpl>

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
2015-05-14 11:28:41 -04:00
Archit Taneja
a2ca77898e drm: msm: Fix build when legacy fbdev support isn't set
The DRM_KMS_FB_HELPER config is selected only when DRM_MSM_FBDEV config is
selected. The driver accesses drm_fb_helper_* functions even when legacy fbdev
support is disabled in msm. Wrap around these functions with #ifdef checks to
prevent build break.

Signed-off-by: Archit Taneja <architt@codeaurora.org>
2015-05-14 11:25:09 -04:00
Stephane Viau
981371f326 drm/msm/dsi: Fix a couple more 64-bit build warnings
Avoid such errors at compilation time:
	format '%d' expects argument of type 'int', but argument 3 has type 'size_t'

Signed-off-by: Stephane Viau <sviau@codeaurora.org>
2015-05-14 11:19:51 -04:00
Thierry Reding
fc99f97af2 drm/msm: Fix a couple of 64-bit build warnings
Avoid casts from pointers to fixed-size integers to prevent the compiler
from warning. Print virtual memory addresses using %p instead. Also turn
a couple of %d/%x specifiers into %zu/%zd/%zx to avoid further warnings
due to mismatched format strings.

Signed-off-by: Thierry Reding <treding@nvidia.com>
Reviewed-by: Rob Clark <robdclark@gmail.com>
2015-05-14 11:19:25 -04:00
Jean Delvare
5c1ac56b51 firmware: dmi_scan: Fix ordering of product_uuid
In function dmi_present(), dmi_walk_early() calls dmi_table(), which
calls dmi_decode(), which ultimately calls dmi_save_uuid(). This last
function makes a decision based on the value of global variable
dmi_ver. The problem is that this variable is set right _after_
dmi_walk_early() returns. So dmi_save_uuid() always sees dmi_ver == 0
regardless of the actual version implemented.

This causes /sys/class/dmi/id/product_uuid to always use the old
ordering even on systems implementing DMI/SMBIOS 2.6 or later, which
should use the new ordering.

This is broken since kernel v3.8 for legacy DMI implementations and
since kernel v3.10 for SMBIOS 2 implementations. SMBIOS 3
implementations with the 64-bit entry point are not affected.

The first breakage does not matter much as in practice legacy DMI
implementations are always for versions older than 2.6, which is when
the UUID ordering changed. The second breakage is more problematic as
it affects the vast majority of x86 systems manufactured since 2009.

Signed-off-by: Jean Delvare <jdelvare@suse.de>
Fixes: 9f9c9cbb6057 ("drivers/firmware/dmi_scan.c: fetch dmi version from SMBIOS if it exists")
Fixes: 79bae42d51a5 ("dmi_scan: refactor dmi_scan_machine(), {smbios,dmi}_present()")
Acked-by: Zhenzhong Duan <zhenzhong.duan@oracle.com>
Cc: Ben Hutchings <ben@decadent.org.uk>
Cc: Artem Savkov <artem.savkov@gmail.com>
Cc: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
Cc: Matt Fleming <matt.fleming@intel.com>
Cc: stable@vger.kernel.org [v3.10+]
2015-05-14 14:40:50 +02:00
Jean Delvare
c24930457d firmware: dmi_scan: Simplified displayed version
The trailing .x adds no information for the reader, and if anyone
tries to parse that line, this is more work as they have 3 different
formats to handle instead of 2. Plus, this makes backporting fixes
harder.

Signed-off-by: Jean Delvare <jdelvare@suse.de>
Fixes: 95be58df74a5 ("firmware: dmi_scan: Use full dmi version for SMBIOS3")
Cc: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
2015-05-14 14:40:50 +02:00
Wesley Kuo
177d0506a9 Bluetooth: Fix remote name event return directly.
This patch fixes hci_remote_name_evt dose not resolve name during
discovery status is RESOLVING. Before simultaneous dual mode scan enabled,
hci_check_pending_name will set discovery status to STOPPED eventually.

Signed-off-by: Wesley Kuo <wesley.kuo@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2015-05-14 10:35:04 +02:00
Anton Blanchard
5e95235ccd powerpc: Align TOC to 256 bytes
Recent toolchains force the TOC to be 256 byte aligned. We need
to enforce this alignment in our linker script, otherwise pointers
to our TOC variables (__toc_start, __prom_init_toc_start) could
be incorrect.

If they are bad, we die a few hundred instructions into boot.

Cc: stable@vger.kernel.org
Signed-off-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
2015-05-14 16:59:21 +10:00
Vlad Yasevich
be346ffaad vlan: Correctly propagate promisc|allmulti flags in notifier.
Currently vlan notifier handler will try to update all vlans
for a device when that device comes up.  A problem occurs,
however, when the vlan device was set to promiscuous, but not
by the user (ex: a bridge).  In that case, dev->gflags are
not updated.  What results is that the lower device ends
up with an extra promiscuity count.  Here are the
backtraces that prove this:
[62852.052179]  [<ffffffff814fe248>] __dev_set_promiscuity+0x38/0x1e0
[62852.052186]  [<ffffffff8160bcbb>] ? _raw_spin_unlock_bh+0x1b/0x40
[62852.052188]  [<ffffffff814fe4be>] ? dev_set_rx_mode+0x2e/0x40
[62852.052190]  [<ffffffff814fe694>] dev_set_promiscuity+0x24/0x50
[62852.052194]  [<ffffffffa0324795>] vlan_dev_open+0xd5/0x1f0 [8021q]
[62852.052196]  [<ffffffff814fe58f>] __dev_open+0xbf/0x140
[62852.052198]  [<ffffffff814fe88d>] __dev_change_flags+0x9d/0x170
[62852.052200]  [<ffffffff814fe989>] dev_change_flags+0x29/0x60

The above comes from the setting the vlan device to IFF_UP state.

[62852.053569]  [<ffffffff814fe248>] __dev_set_promiscuity+0x38/0x1e0
[62852.053571]  [<ffffffffa032459b>] ? vlan_dev_set_rx_mode+0x2b/0x30
[8021q]
[62852.053573]  [<ffffffff814fe8d5>] __dev_change_flags+0xe5/0x170
[62852.053645]  [<ffffffff814fe989>] dev_change_flags+0x29/0x60
[62852.053647]  [<ffffffffa032334a>] vlan_device_event+0x18a/0x690
[8021q]
[62852.053649]  [<ffffffff8161036c>] notifier_call_chain+0x4c/0x70
[62852.053651]  [<ffffffff8109d456>] raw_notifier_call_chain+0x16/0x20
[62852.053653]  [<ffffffff814f744d>] call_netdevice_notifiers+0x2d/0x60
[62852.053654]  [<ffffffff814fe1a3>] __dev_notify_flags+0x33/0xa0
[62852.053656]  [<ffffffff814fe9b2>] dev_change_flags+0x52/0x60
[62852.053657]  [<ffffffff8150cd57>] do_setlink+0x397/0xa40

And this one comes from the notification code.  What we end
up with is a vlan with promiscuity count of 1 and and a physical
device with a promiscuity count of 2.  They should both have
a count 1.

To resolve this issue, vlan code can use dev_get_flags() api
which correctly masks promiscuity and allmulti flags.

Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-05-14 00:54:32 -04:00
Krzysztof Kozlowski
c1f0ecff49 ARM: EXYNOS: Use of_machine_is_compatible instead of soc_is_exynos4
of_machine_is_compatible() seems to be preferred over soc_is_exynos4().

Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Signed-off-by: Kukjin Kim <kgene@kernel.org>
2015-05-14 11:43:59 +09:00
Krzysztof Kozlowski
6f024978e7 ARM: EXYNOS: Fix failed second suspend on Exynos4
On Exynos4412 boards (Trats2, Odroid U3) after enabling L2 cache in
56b60b8bce4a ("ARM: 8265/1: dts: exynos4: Add nodes for L2 cache
controller") the second suspend to RAM failed. First suspend worked fine
but the next one hang just after powering down of secondary CPUs (system
consumed energy as it would be running but was not responsive).

The issue was caused by enabling delayed reset assertion for CPU0 just
after issuing power down of cores. This was introduced for Exynos4 in
13cfa6c4f7fa ("ARM: EXYNOS: Fix CPU idle clock down after CPU off").

The whole behavior is not well documented but after checking with vendor
code this should be done like this (on Exynos4):
1. Enable delayed reset assertion when system is running (for all CPUs).
2. Disable delayed reset assertion before suspending the system.
   This can be done after powering off secondary CPUs.
3. Re-enable the delayed reset assertion when system is resumed.

Fixes: 13cfa6c4f7fa ("ARM: EXYNOS: Fix CPU idle clock down after CPU off")
Cc: <stable@vger.kernel.org>
Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Tested-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Tested-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Kukjin Kim <kgene@kernel.org>
2015-05-14 11:32:18 +09:00
Dmitry Tunin
ec0810d2ac Bluetooth: ath3k: add support of 04ca:300f AR3012 device
BugLink: https://bugs.launchpad.net/bugs/1449730

T:  Bus=01 Lev=01 Prnt=01 Port=04 Cnt=02 Dev#=  3 Spd=12  MxCh= 0
D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=04ca ProdID=300f Rev=00.01
C:  #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I:  If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I:  If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb

Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2015-05-13 23:04:20 +02:00
Wen-chien Jesse Sung
2054111b10 Bluetooth: btusb: Add support for 0cf3:e007
Device 0cf3:e007 is one of the QCA ROME family.

T:  Bus=01 Lev=01 Prnt=01 Port=05 Cnt=02 Dev#=  3 Spd=12   MxCh= 0
D:  Ver= 2.01 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=0cf3 ProdID=e007 Rev= 0.01
C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
I:  If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
I:  If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
I:  If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
I:  If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
I:  If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms

Signed-off-by: Wen-chien Jesse Sung <jesse.sung@canonical.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2015-05-13 22:37:45 +02:00
Wen-chien Jesse Sung
ca79f23205 Bluetooth: ath3k: Add a new ID 0cf3:e006 to ath3k list
Device info in /sys/kernel/debug/usb/devices:

T:  Bus=01 Lev=01 Prnt=01 Port=05 Cnt=02 Dev#=  3 Spd=12   MxCh= 0
D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=0cf3 ProdID=e006 Rev= 0.01
C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
I:  If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
I:  If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
I:  If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
I:  If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
I:  If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms

Signed-off-by: Wen-chien Jesse Sung <jesse.sung@canonical.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2015-05-13 22:37:45 +02:00
Jeff Layton
feaff8e5b2 nfs: take extra reference to fl->fl_file when running a setlk
We had a report of a crash while stress testing the NFS client:

    BUG: unable to handle kernel NULL pointer dereference at 0000000000000150
    IP: [<ffffffff8127b698>] locks_get_lock_context+0x8/0x90
    PGD 0
    Oops: 0000 [#1] SMP
    Modules linked in: rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 xt_conntrack ebtable_nat ebtable_filter ebtable_broute bridge stp llc ebtables ip6table_security ip6table_mangle ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_raw ip6table_filter ip6_tables iptable_security iptable_mangle iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_raw coretemp crct10dif_pclmul ppdev crc32_pclmul crc32c_intel ghash_clmulni_intel vmw_balloon serio_raw vmw_vmci i2c_piix4 shpchp parport_pc acpi_cpufreq parport nfsd auth_rpcgss nfs_acl lockd grace sunrpc vmwgfx drm_kms_helper ttm drm mptspi scsi_transport_spi mptscsih mptbase e1000 ata_generic pata_acpi
    CPU: 1 PID: 399 Comm: kworker/1:1H Not tainted 4.1.0-0.rc1.git0.1.fc23.x86_64 #1
    Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/30/2013
    Workqueue: rpciod rpc_async_schedule [sunrpc]
    task: ffff880036aea7c0 ti: ffff8800791f4000 task.ti: ffff8800791f4000
    RIP: 0010:[<ffffffff8127b698>]  [<ffffffff8127b698>] locks_get_lock_context+0x8/0x90
    RSP: 0018:ffff8800791f7c00  EFLAGS: 00010293
    RAX: ffff8800791f7c40 RBX: ffff88001f2ad8c0 RCX: ffffe8ffffc80305
    RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
    RBP: ffff8800791f7c88 R08: ffff88007fc971d8 R09: 279656d600000000
    R10: 0000034a01000000 R11: 279656d600000000 R12: ffff88001f2ad918
    R13: ffff88001f2ad8c0 R14: 0000000000000000 R15: 0000000100e73040
    FS:  0000000000000000(0000) GS:ffff88007fc80000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000150 CR3: 0000000001c0b000 CR4: 00000000000407e0
    Stack:
     ffffffff8127c5b0 ffff8800791f7c18 ffffffffa0171e29 ffff8800791f7c58
     ffffffffa0171ef8 ffff8800791f7c78 0000000000000246 ffff88001ea0ba00
     ffff8800791f7c40 ffff8800791f7c40 00000000ff5d86a3 ffff8800791f7ca8
    Call Trace:
     [<ffffffff8127c5b0>] ? __posix_lock_file+0x40/0x760
     [<ffffffffa0171e29>] ? rpc_make_runnable+0x99/0xa0 [sunrpc]
     [<ffffffffa0171ef8>] ? rpc_wake_up_task_queue_locked.part.35+0xc8/0x250 [sunrpc]
     [<ffffffff8127cd3a>] posix_lock_file_wait+0x4a/0x120
     [<ffffffffa03e4f12>] ? nfs41_wake_and_assign_slot+0x32/0x40 [nfsv4]
     [<ffffffffa03bf108>] ? nfs41_sequence_done+0xd8/0x2d0 [nfsv4]
     [<ffffffffa03c116d>] do_vfs_lock+0x2d/0x30 [nfsv4]
     [<ffffffffa03c251d>] nfs4_lock_done+0x1ad/0x210 [nfsv4]
     [<ffffffffa0171a30>] ? __rpc_sleep_on_priority+0x390/0x390 [sunrpc]
     [<ffffffffa0171a30>] ? __rpc_sleep_on_priority+0x390/0x390 [sunrpc]
     [<ffffffffa0171a5c>] rpc_exit_task+0x2c/0xa0 [sunrpc]
     [<ffffffffa0167450>] ? call_refreshresult+0x150/0x150 [sunrpc]
     [<ffffffffa0172640>] __rpc_execute+0x90/0x460 [sunrpc]
     [<ffffffffa0172a25>] rpc_async_schedule+0x15/0x20 [sunrpc]
     [<ffffffff810baa1b>] process_one_work+0x1bb/0x410
     [<ffffffff810bacc3>] worker_thread+0x53/0x480
     [<ffffffff810bac70>] ? process_one_work+0x410/0x410
     [<ffffffff810bac70>] ? process_one_work+0x410/0x410
     [<ffffffff810c0b38>] kthread+0xd8/0xf0
     [<ffffffff810c0a60>] ? kthread_worker_fn+0x180/0x180
     [<ffffffff817a1aa2>] ret_from_fork+0x42/0x70
     [<ffffffff810c0a60>] ? kthread_worker_fn+0x180/0x180

Jean says:

"Running locktests with a large number of iterations resulted in a
 client crash.  The test run took a while and hasn't finished after close
 to 2 hours. The crash happened right after I gave up and killed the test
 (after 107m) with Ctrl+C."

The crash happened because a NULL inode pointer got passed into
locks_get_lock_context. The call chain indicates that file_inode(filp)
returned NULL, which means that f_inode was NULL. Since that's zeroed
out in __fput, that suggests that this filp pointer outlived the last
reference.

Looking at the code, that seems possible. We copy the struct file_lock
that's passed in, but if the task is signalled at an inopportune time we
can end up trying to use that file_lock in rpciod context after the process
that requested it has already returned (and possibly put its filp
reference).

Fix this by taking an extra reference to the filp when we allocate the
lock info, and put it in nfs4_lock_release.

Reported-by: Jean Spector <jean@primarydata.com>
Signed-off-by: Jeff Layton <jeff.layton@primarydata.com>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
2015-05-13 14:56:06 -04:00