Commit Graph

361086 Commits

Author SHA1 Message Date
Cong Wang
ece6b0a2b2 rds: limit the size allocated by rds_message_alloc()
Dave Jones reported the following bug:

"When fed mangled socket data, rds will trust what userspace gives it,
and tries to allocate enormous amounts of memory larger than what
kmalloc can satisfy."

WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0()
Hardware name: GA-MA78GM-S2H
Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s
Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65
Call Trace:
 [<ffffffff81044155>] warn_slowpath_common+0x75/0xa0
 [<ffffffff8104419a>] warn_slowpath_null+0x1a/0x20
 [<ffffffff811444ad>] __alloc_pages_nodemask+0xa0d/0xbe0
 [<ffffffff8100a196>] ? native_sched_clock+0x26/0x90
 [<ffffffff810b2128>] ? trace_hardirqs_off_caller+0x28/0xc0
 [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
 [<ffffffff811861f8>] alloc_pages_current+0xb8/0x180
 [<ffffffff8113eaaa>] __get_free_pages+0x2a/0x80
 [<ffffffff811934fe>] kmalloc_order_trace+0x3e/0x1a0
 [<ffffffff81193955>] __kmalloc+0x2f5/0x3a0
 [<ffffffff8104df0c>] ? local_bh_enable_ip+0x7c/0xf0
 [<ffffffffa0401ab3>] rds_message_alloc+0x23/0xb0 [rds]
 [<ffffffffa04043a1>] rds_sendmsg+0x2b1/0x990 [rds]
 [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
 [<ffffffff81564620>] sock_sendmsg+0xb0/0xe0
 [<ffffffff810b2052>] ? get_lock_stats+0x22/0x70
 [<ffffffff810b24be>] ? put_lock_stats.isra.23+0xe/0x40
 [<ffffffff81567f30>] sys_sendto+0x130/0x180
 [<ffffffff810b872d>] ? trace_hardirqs_on+0xd/0x10
 [<ffffffff816c547b>] ? _raw_spin_unlock_irq+0x3b/0x60
 [<ffffffff816cd767>] ? sysret_check+0x1b/0x56
 [<ffffffff810b8695>] ? trace_hardirqs_on_caller+0x115/0x1a0
 [<ffffffff81341d8e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
 [<ffffffff816cd742>] system_call_fastpath+0x16/0x1b
---[ end trace eed6ae990d018c8b ]---

Reported-by: Dave Jones <davej@redhat.com>
Cc: Dave Jones <davej@redhat.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
Signed-off-by: Cong Wang <amwang@redhat.com>
Acked-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-03-04 14:12:06 -05:00
Chris Metcalf
87c319a2c3 tile: properly use COMPAT_SYSCALL_DEFINEx
This was pointed out by Al Viro.  Using the correct wrappers
properly does sign extension as necessary on syscall arguments.

Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
2013-03-04 13:37:32 -05:00
Theodore Ts'o
b980955236 random: fix locking dependency with the tasklist_lock
Commit 6133705494 introduced a circular lock dependency because
posix_cpu_timers_exit() is called by release_task(), which is holding
a writer lock on tasklist_lock, and this can cause a deadlock since
kill_fasync() gets called with nonblocking_pool.lock taken.

There's no reason why kill_fasync() needs to be taken while the random
pool is locked, so move it out to fix this locking dependency.

Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Reported-by: Russ Dill <Russ.Dill@gmail.com>
Cc: stable@kernel.org
2013-03-04 12:05:15 -05:00
Egbert Eich
61bc95c1fb DRM/i915: On G45 enable cursor plane briefly after enabling the display plane.
On G45 some low res modes (800x600 and 1024x768) produce a blank
screen when the display plane is enabled with with cursor plane
off.
Experiments showed that this issue occurred when the following
conditions were met:
a. a previous mode had the cursor plane enabled (Xserver).
b. this mode or the previous one was using self refresh. (Thus
   the problem was only seen with low res modes).
The screens lit up as soon as the cursor plane got enabled.
Therefore the blank screen occurred only in console mode, not
when running an Xserver.
It also seemed to be necessary to disable self refresh while briefly
enabling the cursor plane.

Signed-off-by: Egbert Eich <eich@suse.com>
Bugzilla: https://bugs.freedesktop.org/attachment.cgi?bugid=61457
Acked-by: Chris Wilson <chris@chris-wilson.co.uk>
[danvet: drop spurious whitespace change.]
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
2013-03-04 17:22:07 +01:00
Chris Metcalf
5a114b9866 tile: work around bug in the generic sys_llseek
sys_llseek should specify the high and low 32-bit seek values as "unsigned
int" but instead it specifies "unsigned long".  Since compat syscall
arguments are always sign-extended on tile, this means that a seek value
of 0xffffffff will be incorrectly interpreted as a value of -1ULL.

To avoid the risk of breaking binary compatibility on architectures
that already use sys_llseek this way, we follow the same path as MIPS
and provide a wrapper override.

Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
Cc: stable@kernel.org [v3.6 onwards]
2013-03-04 11:19:09 -05:00
Dan Carpenter
85c50a5899 ALSA: seq: seq_oss_event: missing range checks
The "dev" variable could be out of bounds.  Calling
snd_seq_oss_synth_is_valid() checks that it is is a valid device
which has been opened.  We check this inside set_note_event() so
this function can't succeed without a valid "dev".  But we need to
do the check earlier to prevent invalid dereferences and memory
corruption.

One call tree where "dev" could be out of bounds is:
-> snd_seq_oss_oob_user()
   -> snd_seq_oss_process_event()
      -> extended_event()
         -> note_on_event()

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2013-03-04 16:39:50 +01:00
Rafael J. Wysocki
924144818c ACPI / glue: Drop .find_bridge() callback from struct acpi_bus_type
After PCI and USB have stopped using the .find_bridge() callback in
struct acpi_bus_type, the only remaining user of it is SATA, but SATA
only pretends to be a user, because it points that callback to a stub
always returning -ENODEV.

For this reason, drop the SATA's dummy .find_bridge() callback and
remove .find_bridge(), which is not used any more, from struct
acpi_bus_type entirely.

Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Acked-by: Yinghai Lu <yinghai@kernel.org>
Acked-by: Jeff Garzik <jgarzik@pobox.com>
2013-03-04 14:23:40 +01:00
Rafael J. Wysocki
53540098b2 ACPI / glue: Add .match() callback to struct acpi_bus_type
USB uses the .find_bridge() callback from struct acpi_bus_type
incorrectly, because as a result of the way it is used by USB every
device in the system that doesn't have a bus type or parent is
passed to usb_acpi_find_device() for inspection.

What USB actually needs, though, is to call usb_acpi_find_device()
for USB ports that don't have a bus type defined, but have
usb_port_device_type as their device type, as well as for USB
devices.

To fix that replace the struct bus_type pointer in struct
acpi_bus_type used for matching devices to specific subsystems
with a .match() callback to be used for this purpose and update
the users of struct acpi_bus_type, including USB, accordingly.
Define the .match() callback routine for USB, usb_acpi_bus_match(),
in such a way that it will cover both USB devices and USB ports
and remove the now redundant .find_bridge() callback pointer from
usb_acpi_bus.

Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Yinghai Lu <yinghai@kernel.org>
Acked-by: Jeff Garzik <jgarzik@pobox.com>
2013-03-04 14:23:40 +01:00
Chen Gang
9b27516fcd ACPI / porocessor: Beautify code, pr->id is u32 which is never < 0
pr->id is u32 which never < 0, so remove the redundant pr->id < 0
check from acpi_processor_add().

[rjw: Changelog]
Signed-off-by: Chen Gang <gang.chen@asianux.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2013-03-04 14:23:39 +01:00
Syam Sidhardhan
5273a25837 ACPI / processor: Remove redundant NULL check before kfree
kfree() on a NULL pointer is a no-op, so remove a redundant NULL
pointer check in map_mat_entry().

[rjw: Changelog]
Signed-off-by: Syam Sidhardhan <s.syam@samsung.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2013-03-04 14:23:39 +01:00
Joe Perches
ed4cf5b23f ACPI / Sleep: Avoid interleaved message on errors
Got this dmesg log on an Acer Aspire 725.

[    0.256351] ACPI: (supports S0ACPI Exception: AE_NOT_FOUND, While evaluating Sleep State [\_S1_] (20130117/hwxface-568)
[    0.256373] ACPI Exception: AE_NOT_FOUND, While evaluating Sleep State [\_S2_] (20130117/hwxface-568)
[    0.256391]  S3 S4 S5)

Avoid this interleaving error messages.

Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2013-03-04 14:23:39 +01:00
Rafael J. Wysocki
37530f2bda PM / QoS: Remove device PM QoS sysfs attributes at the right place
Device PM QoS sysfs attributes, if present during device removal,
are removed from within device_pm_remove(), which is too late,
since dpm_sysfs_remove() has already removed the whole attribute
group they belonged to.  However, moving the removal of those
attributes to dpm_sysfs_remove() alone is not sufficient, because
in theory they still can be re-added right after being removed by it
(the device's driver is still bound to it at that point).

For this reason, move the entire desctruction of device PM QoS
constraints to dpm_sysfs_remove() and make it prevent any new
constraints from being added after it has run.  Also, move the
initialization of the power.qos field in struct device to
device_pm_init_common() and drop the no longer needed
dev_pm_qos_constraints_init().

Reported-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2013-03-04 14:23:12 +01:00
Rafael J. Wysocki
b81ea1b5ac PM / QoS: Fix concurrency issues and memory leaks in device PM QoS
The current device PM QoS code assumes that certain functions will
never be called in parallel with each other (for example, it is
assumed that dev_pm_qos_expose_flags() won't be called in parallel
with dev_pm_qos_hide_flags() for the same device and analogously
for the latency limit), which may be overly optimistic.  Moreover,
dev_pm_qos_expose_flags() and dev_pm_qos_expose_latency_limit()
leak memory in error code paths (req needs to be freed on errors)
and __dev_pm_qos_drop_user_request() forgets to free the request.

To fix the above issues put more things under the device PM QoS
mutex to make them mutually exclusive and add the missing freeing
of memory.

Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2013-03-04 14:23:11 +01:00
Emilio López
f5f43dcfff cpufreq: highbank: do not initialize array with a loop
As uninitialized array members will be initialized to zero, we can
avoid using a for loop by setting a value to it.

Signed-off-by: Emilio López <emilio@elopez.com.ar>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Acked-By: Mark Langsdorf <mark.langsdorf@calxeda.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2013-03-04 14:23:11 +01:00
Nishanth Menon
4b87581036 PM / OPP: improve introductory documentation
Make Operating Performance Points (OPP) library introductory chapter
a little more reader-friendly. Split the chapter into two sections,
highlight the definition with an example and minor rewording to be
verbose.

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Nishanth Menon <nm@ti.com>
Reviewed-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2013-03-04 14:23:11 +01:00
Namhyung Kim
e5dde92cb2 cpufreq: Fix a typo in comment
Fix a typo in a comment in cpufreq_governor.h.

[rjw: Changelog]
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2013-03-04 14:23:11 +01:00
Mark Langsdorf
091930a2e6 mailbox, pl320-ipc: remove __init from probe function
Avoids a section mismatch.

Signed-off-by: Mark Langsdorf <mark.langsdorf@calxeda.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2013-03-04 14:23:11 +01:00
Paul Mundt
40f09f3cd6 metag: Inhibit NUMA balancing.
The metag NUMA implementation follows the SH model, using different nodes for
memories with different latencies. As such, we ensure that automated balancing
between nodes is inhibited, by way of the new ARCH_WANT_VARIABLE_LOCALITY.

Signed-off-by: Paul Mundt <lethal@linux-sh.org>
Signed-off-by: James Hogan <james.hogan@imgtec.com>
2013-03-04 10:29:19 +00:00
James Hogan
0010aeed7b metag: remove SET_PERSONALITY()
Commit e72837e3e7 ("default
SET_PERSONALITY() in linux/elf.h").

The above commit moved the common definition of SET_PERSONALITY() in a
bunch of the arch headers to linux/elf.h. Metag shares that common
definition so remove it from arch/metag/include/asm/elf.h too.

Signed-off-by: James Hogan <james.hogan@imgtec.com>
2013-03-04 10:27:20 +00:00
Kees Cook
290502bee2 eCryptfs: allow userspace messaging to be disabled
When the userspace messaging (for the less common case of userspace key
wrap/unwrap via ecryptfsd) is not needed, allow eCryptfs to build with
it removed. This saves on kernel code size and reduces potential attack
surface by removing the /dev/ecryptfs node.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
2013-03-03 23:59:59 -08:00
Mark Brown
3e78080f81 hwmon: (sht15) Check return value of regulator_enable()
Not having power is a pretty serious error so check that we are able to
enable the supply and error out if we can't.

Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Cc: stable@vger.kernel.org #3.8+; 3.0+ will need manual backport
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
2013-03-03 21:45:48 -08:00
Jean Delvare
ab302bb0b8 hwmon: (adt7410) Document ADT7420 support
The adt7410 driver supports the ADT7420, but its documentation file
makes no mention of that. Add this refrence, and a brief a description
of the differences between the ADT7410 and the ADT7420.

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Cc: Lars-Peter Clausen <lars@metafoo.de>
Cc: Hartmut Knaack <knaack.h@gmx.de>
Cc: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
2013-03-03 21:45:48 -08:00
Guenter Roeck
f366fccd08 hwmon: (pmbus/ltc2978) Use detected chip ID to select supported functionality
We read the chip ID from the chip, use it to determine if the chip ID provided
to the driver is correct, and report it if wrong. We should also use the
correct chip ID to select supported functionality.

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Cc: stable@vger.kernel.org # 3.2+
Acked-by: Jean Delvare <khali@linux-fr.org>
2013-03-03 21:45:47 -08:00
Guenter Roeck
dbd712c227 hwmon: (pmbus/ltc2978) Fix peak attribute handling
Peak attributes were not initialized and cleared correctly.
Also, temp2_max is only supported on page 0 and thus does not need to be
an array.

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Cc: stable@vger.kernel.org # 3.2+
Acked-by: Jean Delvare <khali@linux-fr.org>
2013-03-03 21:45:47 -08:00
Guenter Roeck
6d21a41656 hwmon: (pmbus/ltc2978) Update datasheet links
Links to datasheets are no longer valid. Provide links to product information
instead (which provides links to the datasheets and is hopefully more
persistent).

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Acked-by: Jean Delvare <khali@linux-fr.org>
2013-03-03 21:45:47 -08:00
Guenter Roeck
e3333e572f hwmon: Update my e-mail address in driver documentation
Most of the hwmon driver documentation still listed my old invalid e-mail
address. Fix it.

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Acked-by: Jean Delvare <khali@linux-fr.org>
2013-03-03 21:45:47 -08:00
Eric W. Biederman
7f78e03513 fs: Limit sys_mount to only request filesystem modules.
Modify the request_module to prefix the file system type with "fs-"
and add aliases to all of the filesystems that can be built as modules
to match.

A common practice is to build all of the kernel code and leave code
that is not commonly needed as modules, with the result that many
users are exposed to any bug anywhere in the kernel.

Looking for filesystems with a fs- prefix limits the pool of possible
modules that can be loaded by mount to just filesystems trivially
making things safer with no real cost.

Using aliases means user space can control the policy of which
filesystem modules are auto-loaded by editing /etc/modprobe.d/*.conf
with blacklist and alias directives.  Allowing simple, safe,
well understood work-arounds to known problematic software.

This also addresses a rare but unfortunate problem where the filesystem
name is not the same as it's module name and module auto-loading
would not work.  While writing this patch I saw a handful of such
cases.  The most significant being autofs that lives in the module
autofs4.

This is relevant to user namespaces because we can reach the request
module in get_fs_type() without having any special permissions, and
people get uncomfortable when a user specified string (in this case
the filesystem type) goes all of the way to request_module.

After having looked at this issue I don't think there is any
particular reason to perform any filtering or permission checks beyond
making it clear in the module request that we want a filesystem
module.  The common pattern in the kernel is to call request_module()
without regards to the users permissions.  In general all a filesystem
module does once loaded is call register_filesystem() and go to sleep.
Which means there is not much attack surface exposed by loading a
filesytem module unless the filesystem is mounted.  In a user
namespace filesystems are not mounted unless .fs_flags = FS_USERNS_MOUNT,
which most filesystems do not set today.

Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Acked-by: Kees Cook <keescook@chromium.org>
Reported-by: Kees Cook <keescook@google.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2013-03-03 19:36:31 -08:00
Eric W. Biederman
ba0e3427b0 userns: Stop oopsing in key_change_session_keyring
Dave Jones <davej@redhat.com> writes:
> Just hit this on Linus' current tree.
>
> [   89.621770] BUG: unable to handle kernel NULL pointer dereference at 00000000000000c8
> [   89.623111] IP: [<ffffffff810784b0>] commit_creds+0x250/0x2f0
> [   89.624062] PGD 122bfd067 PUD 122bfe067 PMD 0
> [   89.624901] Oops: 0000 [#1] PREEMPT SMP
> [   89.625678] Modules linked in: caif_socket caif netrom bridge hidp 8021q garp stp mrp rose llc2 af_rxrpc phonet af_key binfmt_misc bnep l2tp_ppp can_bcm l2tp_core pppoe pppox can_raw scsi_transport_iscsi ppp_generic slhc nfnetlink can ipt_ULOG ax25 decnet irda nfc rds x25 crc_ccitt appletalk atm ipx p8023 psnap p8022 llc lockd sunrpc ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_conntrack nf_conntrack ip6table_filter ip6_tables btusb bluetooth snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_pcm vhost_net snd_page_alloc snd_timer tun macvtap usb_debug snd rfkill microcode macvlan edac_core pcspkr serio_raw kvm_amd soundcore kvm r8169 mii
> [   89.637846] CPU 2
> [   89.638175] Pid: 782, comm: trinity-main Not tainted 3.8.0+ #63 Gigabyte Technology Co., Ltd. GA-MA78GM-S2H/GA-MA78GM-S2H
> [   89.639850] RIP: 0010:[<ffffffff810784b0>]  [<ffffffff810784b0>] commit_creds+0x250/0x2f0
> [   89.641161] RSP: 0018:ffff880115657eb8  EFLAGS: 00010207
> [   89.641984] RAX: 00000000000003e8 RBX: ffff88012688b000 RCX: 0000000000000000
> [   89.643069] RDX: 0000000000000000 RSI: ffffffff81c32960 RDI: ffff880105839600
> [   89.644167] RBP: ffff880115657ed8 R08: 0000000000000000 R09: 0000000000000000
> [   89.645254] R10: 0000000000000001 R11: 0000000000000246 R12: ffff880105839600
> [   89.646340] R13: ffff88011beea490 R14: ffff88011beea490 R15: 0000000000000000
> [   89.647431] FS:  00007f3ac063b740(0000) GS:ffff88012b200000(0000) knlGS:0000000000000000
> [   89.648660] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> [   89.649548] CR2: 00000000000000c8 CR3: 0000000122bfc000 CR4: 00000000000007e0
> [   89.650635] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [   89.651723] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> [   89.652812] Process trinity-main (pid: 782, threadinfo ffff880115656000, task ffff88011beea490)
> [   89.654128] Stack:
> [   89.654433]  0000000000000000 ffff8801058396a0 ffff880105839600 ffff88011beeaa78
> [   89.655769]  ffff880115657ef8 ffffffff812c7d9b ffffffff82079be0 0000000000000000
> [   89.657073]  ffff880115657f28 ffffffff8106c665 0000000000000002 ffff880115657f58
> [   89.658399] Call Trace:
> [   89.658822]  [<ffffffff812c7d9b>] key_change_session_keyring+0xfb/0x140
> [   89.659845]  [<ffffffff8106c665>] task_work_run+0xa5/0xd0
> [   89.660698]  [<ffffffff81002911>] do_notify_resume+0x71/0xb0
> [   89.661581]  [<ffffffff816c9a4a>] int_signal+0x12/0x17
> [   89.662385] Code: 24 90 00 00 00 48 8b b3 90 00 00 00 49 8b 4c 24 40 48 39 f2 75 08 e9 83 00 00 00 48 89 ca 48 81 fa 60 29 c3 81 0f 84 41 fe ff ff <48> 8b 8a c8 00 00 00 48 39 ce 75 e4 3b 82 d0 00 00 00 0f 84 4b
> [   89.667778] RIP  [<ffffffff810784b0>] commit_creds+0x250/0x2f0
> [   89.668733]  RSP <ffff880115657eb8>
> [   89.669301] CR2: 00000000000000c8
>
> My fastest trinity induced oops yet!
>
>
> Appears to be..
>
>                 if ((set_ns == subset_ns->parent)  &&
>      850:       48 8b 8a c8 00 00 00    mov    0xc8(%rdx),%rcx
>
> from the inlined cred_cap_issubset

By historical accident we have been reading trying to set new->user_ns
from new->user_ns.  Which is totally silly as new->user_ns is NULL (as
is every other field in new except session_keyring at that point).

The intent is clearly to copy all of the fields from old to new so copy
old->user_ns into  into new->user_ns.

Cc: stable@vger.kernel.org
Reported-by: Dave Jones <davej@redhat.com>
Tested-by: Dave Jones <davej@redhat.com>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2013-03-03 19:35:38 -08:00
Ben Skeggs
9f9bdaaf07 drm/nv50-: prevent some races between modesetting and page flipping
nexuiz-glx + gnome-shell is able to trigger this a lot of the time.

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
2013-03-04 11:46:35 +10:00
Ben Skeggs
42bed34c36 drm/nouveau/i2c: drop parent refcount when creating ports
Fixes issue where i2c subdev never gets destroyed due to its subobjects
holding references.  This will mean the i2c subdev refcount goes
negative during its destruction, but this isn't an issue in practice.

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
2013-03-04 11:46:20 +10:00
Ben Skeggs
67f9718b08 drm/nv84: fix regression in page flipping
Need to emit the semaphore ctxdma before trying to use the semaphore
operations.

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
2013-03-04 11:46:13 +10:00
Francisco Jerez
f6853faa85 drm/nouveau: Fix typo in init_idx_addr_latched().
Fixes script-based modesetting on some LVDS panels.

Signed-off-by: Francisco Jerez <currojerez@riseup.net>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
2013-03-04 11:46:12 +10:00
Francisco Jerez
650e1203c1 drm/nouveau: Disable AGP on PowerPC again.
Signed-off-by: Francisco Jerez <currojerez@riseup.net>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
2013-03-04 11:46:12 +10:00
Ben Skeggs
65b5f42e2a drm/nve0/graph: some random reg moved on kepler
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
2013-03-04 11:46:05 +10:00
Linus Torvalds
6dbe51c251 Linux 3.9-rc1 2013-03-03 15:11:05 -08:00
Cyrill Gorcunov
3f7d1fe108 ARM: 7665/1: Wire up kcmp syscall
Wire up kcmp syscall for ability to proceed checkpoint/restore
procedure on ARM platform.

Signed-off-by: Alexander Kartashov <alekskartashov@parallels.com>
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2013-03-03 22:54:18 +00:00
Chen Gang
e595ede605 ARM: 7664/1: perf: remove erroneous semicolon from event initialisation
Commit 9dcbf46655 ("ARM: perf: simplify __hw_perf_event_init err
handling") tidied up the error handling code for perf event
initialisation on ARM, but a copy-and-paste error left a dangling
semicolon at the end of an if statement.

This patch removes the broken semicolon, restoring the old group
validation semantics.

Cc: Mark Rutland <mark.rutland@arm.com>
Acked-by: Dirk Behme <dirk.behme@gmail.com>
Signed-off-by: Chen Gang <gang.chen@asianux.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2013-03-03 22:54:17 +00:00
Will Deacon
f2fe09b055 ARM: 7663/1: perf: fix ARMv7 EVTYPE_MASK to include NSH bit
Masked out PMXEVTYPER.NSH means that we can't enable profiling at PL2,
regardless of the settings in the HDCR.

This patch fixes the broken mask.

Cc: <stable@vger.kernel.org>
Reported-by: Christoffer Dall <cdall@cs.columbia.edu>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2013-03-03 22:54:17 +00:00
Dietmar Eggemann
1a8e611874 ARM: 7662/1: hw_breakpoint: reset debug logic on secondary CPUs in s2ram resume
We must mask out the CPU_TASKS_FROZEN bit so that reset_ctrl_regs is
also called on a secondary CPU during s2ram resume, where only the boot
CPU will receive the PM_EXIT notification.

Signed-off-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2013-03-03 22:54:16 +00:00
Will Deacon
89c7e4b8bb ARM: 7661/1: mm: perform explicit branch predictor maintenance when required
The ARM ARM requires branch predictor maintenance if, for a given ASID,
the instructions at a specific virtual address appear to change.

From the kernel's point of view, that means:

	- Changing the kernel's view of memory (e.g. switching to the
	  identity map)
	- ASID rollover (since ASIDs will be re-allocated to new tasks)

This patch adds explicit branch predictor maintenance when either of the
two conditions above are met.

Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2013-03-03 22:54:16 +00:00
Will Deacon
862c588f06 ARM: 7660/1: tlb: add branch predictor maintenance operations
The ARM architecture requires explicit branch predictor maintenance
when updating an instruction stream for a given virtual address. In
reality, this isn't so much of a burden because the branch predictor
is flushed during the cache maintenance required to make the new
instructions visible to the I-side of the processor.

However, there are still some cases where explicit flushing is required,
so add a local_bp_flush_all operation to deal with this.

Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2013-03-03 22:54:15 +00:00
Will Deacon
8a4e3a9ead ARM: 7659/1: mm: make mm->context.id an atomic64_t variable
mm->context.id is updated under asid_lock when a new ASID is allocated
to an mm_struct. However, it is also read without the lock when a task
is being scheduled and checking whether or not the current ASID
generation is up-to-date.

If two threads of the same process are being scheduled in parallel and
the bottom bits of the generation in their mm->context.id match the
current generation (that is, the mm_struct has not been used for ~2^24
rollovers) then the non-atomic, lockless access to mm->context.id may
yield the incorrect ASID.

This patch fixes this issue by making mm->context.id and atomic64_t,
ensuring that the generation is always read consistently. For code that
only requires access to the ASID bits (e.g. TLB flushing by mm), then
the value is accessed directly, which GCC converts to an ldrb.

Cc: <stable@vger.kernel.org> # 3.8
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2013-03-03 22:54:14 +00:00
Will Deacon
37f47e3d62 ARM: 7658/1: mm: fix race updating mm->context.id on ASID rollover
If a thread triggers an ASID rollover, other threads of the same process
must be made to wait until the mm->context.id for the shared mm_struct
has been updated to new generation and associated book-keeping (e.g.
TLB invalidation) has ben performed.

However, there is a *tiny* window where both mm->context.id and the
relevant active_asids entry are updated to the new generation, but the
TLB flush has not been performed, which could allow another thread to
return to userspace with a dirty TLB, potentially leading to data
corruption. In reality this will never occur because one CPU would need
to perform a context-switch in the time it takes another to do a couple
of atomic test/set operations but we should plug the race anyway.

This patch moves the active_asids update until after the potential TLB
flush on context-switch.

Cc: <stable@vger.kernel.org> # 3.8
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2013-03-03 22:54:13 +00:00
Will Deacon
d61947a164 ARM: 7657/1: head: fix swapper and idmap population with LPAE and big-endian
The LPAE page table format uses 64-bit descriptors, so we need to take
endianness into account when populating the swapper and idmap tables
during early initialisation.

This patch ensures that we store the two words making up each page table
entry in the correct order when running big-endian.

Cc: <stable@vger.kernel.org>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Tested-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2013-03-03 22:54:13 +00:00
Shawn Guo
904464b91e ARM: 7655/1: smp_twd: make twd_local_timer_of_register() no-op for nosmp
When booting a SMP build kernel with nosmp on kernel cmdline, the
following fat warning will be hit.

------------[ cut here ]------------
WARNING: at arch/arm/kernel/smp_twd.c:345
twd_local_timer_of_register+0x7c/0x90()
twd_local_timer_of_register failed (-6)
Modules linked in:
Backtrace:
[<80011f14>] (dump_backtrace+0x0/0x10c) from [<8044dd30>]
(dump_stack+0x18/0x1c)
 r7:805e9f58 r6:805ba84c r5:80539331 r4:00000159
[<8044dd18>] (dump_stack+0x0/0x1c) from [<80020fbc>]
(warn_slowpath_common+0x54/0x6c)
[<80020f68>] (warn_slowpath_common+0x0/0x6c) from [<80021078>]
(warn_slowpath_fmt+0x38/0x40)
 r9:412fc09a r8:8fffffff r7:ffffffff r6:00000001 r5:80633b8c
r4:80b32da8
[<80021040>] (warn_slowpath_fmt+0x0/0x40) from [<805ba84]
(twd_local_timer_of_register+0x7c/0x90)
 r3:fffffffa r2:8053934b
[<805ba7d0>] (twd_local_timer_of_register+0x0/0x90) from [<805c0bec>]
(imx6q_timer_init+0x18/0x4c)
 r5:80633800 r4:8053b701
[<805c0bd4>] (imx6q_timer_init+0x0/0x4c) from [<805ba4e8>]
(time_init+0x28/0x38)
 r5:80633800 r4:805dc0f4
[<805ba4c0>] (time_init+0x0/0x38) from [<805b6854>]
(start_kernel+0x1a0/0x310)
[<805b66b4>] (start_kernel+0x0/0x310) from [<10008044>] (0x10008044)
 r8:1000406a r7:805f3f8c r6:805dc0c4 r5:805f0518 r4:10c5387d
---[ end trace 1b75b31a2719ed1c ]---

Check (!is_smp() || !setup_max_cpus) in twd_local_timer_of_register()
to make it be a no-op for the conditions, thus avoid above warning.

Reported-by: Dirk Behme <dirk.behme@de.bosch.com>
Signed-off-by: Shawn Guo <shawn.guo@linaro.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2013-03-03 22:54:12 +00:00
Ben Dooks
78305c8630 ARM: 7652/1: mm: fix missing use of 'asid' to get asid value from mm->context.id
Fix missing use of the asid macro when getting the ASID from the mm->context.id field.

Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2013-03-03 22:54:12 +00:00
Linus Walleij
30a1b5ef0c ARM: 7642/1: netx: bump IRQ offset to 64
The Netx IRQs offset from zero, which is illegal, since Linux
IRQ 0 is NO_IRQ.

Acked-by: Sascha Hauer <s.hauer@pengutronix.de>
Reviewed-by: Jamie Iles <jamie@jamieiles.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2013-03-03 22:54:11 +00:00
Linus Torvalds
ea882c2ece UAPI disintegration 2012-12-20
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.12 (GNU/Linux)
 
 iQIVAwUAUNNNlBOxKuMESys7AQKLmw//TQ8NRe7PGpsKpApuCVePmmIicGv9f9C2
 5Upovfl1Um144jDzpNDuvM+txzrZvh9riaLYbqvoWGUlP4kbX9VsMA6fJcLonUEk
 G9/RtdijZzhlNL59mhoLxUWJi5/jK8TAgStJmJ7TkZFFc8r0QXlHcx5+lClrYLAv
 jTkPlIqm9YhzeayOOPmbrI1lxgPJrf6MZ9BJh4cz93VPqKmYvA69/dqJAO/1JBHW
 YmWfzHy7NTchdWbw0+vGPlsX0xe5ymTl5reY94H23AxGhOB1CqiXqXyy4CyjaQ8g
 sxkhDJFmgA6+OyJQeG98lmcVV5heY0h4AizHvIuwnUZzIgXF2ipWMp1zhJf8yX9/
 wQQBtN0VZ9QGdo6lMzFd2jzqkVtYMyYuDasMb4OGVGtX/0w95j7uvRXjPEkRl21e
 B4In9VqYp8yKusPwGgHd4NkSUJS/iqg7FknkiOL/OI6rjqfF5/Ot2yL2Mhp7ozh+
 I8hflc2BaKv29UNRPAnI6Z2GngylLF0E4fvxU4E/L8EUwi7O3UxYqerT9fUDodrM
 xSdAlWK+iNBURo9G8/Au3XNpJwSAMYTBMJf0RevI7QpxqxYvjdygX+jiqfzH4x3A
 SMDeeSIsipbVJxZgCzRngQl/yPD/Cu3bRBBTV3Y8vVxt2Fv5vJBQ8pXhBBrcyx8M
 Wuoyk58CGaw=
 =JMlx
 -----END PGP SIGNATURE-----

Merge tag 'disintegrate-fbdev-20121220' of git://git.infradead.org/users/dhowells/linux-headers

Pull fbdev UAPI disintegration from David Howells:
 "You'll be glad to here that the end is nigh for the UAPI patches.
  Only the fbdev/framebuffer piece remains now that the SCSI stuff has
  gone in.

  Here are the UAPI disintegration bits for the fbdev drivers.  It
  appears that Florian hasn't had time to deal with my patch, but back
  in December he did say he didn't mind if I pushed it forward."

Yay.  No more uapi movement.  And hopefully no more big header file
cleanups coming up either, it just tends to be very painful.

* tag 'disintegrate-fbdev-20121220' of git://git.infradead.org/users/dhowells/linux-headers:
  UAPI: (Scripted) Disintegrate include/video
2013-03-03 14:24:59 -08:00
Linus Torvalds
8e8b180a5f Bug-fixes:
- Update the Xen ACPI memory and CPU hotplug locking mechanism.
  - Fix PAT issues wherein various applications would not start
  - Fix handling of multiple MSI as AHCI now does it.
  - Fix ARM compile failures.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.13 (GNU/Linux)
 
 iQEcBAABAgAGBQJRMM+8AAoJEFjIrFwIi8fJnGsIANU/lVS5EwV6ZMP9GiVtbm68
 sBn0MoDIkN2ID16gcrQdfvzgtTQHsptL2fOl756veTHN2AIpIFYShKZpbgR9VM+c
 MpD68ltakkfjoVeb7F7yPbDvcSftKRW5VAq1SeFMc2gOOmiqAWQGgBC+3Cd04zFk
 SqzDs1RLUHypwBOFlZKa1ex/ShuYfzRb9x+J6zqGO+OpjhlMobyag8rhSlgehlfP
 6gS1IzmcH8a6SgBKZk/+YC+i+QLgPOyxiK6zcxa2rfc6iUwodpqBpKP1N+CS4lnu
 FIKOIIzzCwCEAq94wVV0GJwHyw7nsqjG8syfRyOPmauLrpOI70xrV+lYFMVVRA0=
 =HwzV
 -----END PGP SIGNATURE-----

Merge tag 'stable/for-linus-3.9-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen

Pull Xen bug-fixes from Konrad Rzeszutek Wilk:
 - Update the Xen ACPI memory and CPU hotplug locking mechanism.
 - Fix PAT issues wherein various applications would not start
 - Fix handling of multiple MSI as AHCI now does it.
 - Fix ARM compile failures.

* tag 'stable/for-linus-3.9-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen:
  xenbus: fix compile failure on ARM with Xen enabled
  xen/pci: We don't do multiple MSI's.
  xen/pat: Disable PAT using pat_enabled value.
  xen/acpi: xen cpu hotplug minor updates
  xen/acpi: xen memory hotplug minor updates
2013-03-03 14:22:53 -08:00
Linus Torvalds
56a79b7b02 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull  more VFS bits from Al Viro:
 "Unfortunately, it looks like xattr series will have to wait until the
  next cycle ;-/

  This pile contains 9p cleanups and fixes (races in v9fs_fid_add()
  etc), fixup for nommu breakage in shmem.c, several cleanups and a bit
  more file_inode() work"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  constify path_get/path_put and fs_struct.c stuff
  fix nommu breakage in shmem.c
  cache the value of file_inode() in struct file
  9p: if v9fs_fid_lookup() gets to asking server, it'd better have hashed dentry
  9p: make sure ->lookup() adds fid to the right dentry
  9p: untangle ->lookup() a bit
  9p: double iput() in ->lookup() if d_materialise_unique() fails
  9p: v9fs_fid_add() can't fail now
  v9fs: get rid of v9fs_dentry
  9p: turn fid->dlist into hlist
  9p: don't bother with private lock in ->d_fsdata; dentry->d_lock will do just fine
  more file_inode() open-coded instances
  selinux: opened file can't have NULL or negative ->f_path.dentry

(In the meantime, the hlist traversal macros have changed, so this
required a semantic conflict fixup for the newly hlistified fid->dlist)
2013-03-03 13:23:03 -08:00