commit 14e9c7db465387ede7f019c42f28c90f99fc2793
Author: Greg Kroah-Hartman
Date:   Fri Oct 18 10:44:19 2013 -0700

    Linux 3.10.17

commit 954acd2b6df732230608d260779ef6d545534929
Author: Linn Crosetto
Date:   Tue Aug 13 15:46:41 2013 -0600

    x86: avoid remapping data in parse_setup_data()

    commit 30e46b574a1db7d14404e52dca8e1aa5f5155fd2 upstream.

    Type SETUP_PCI, added by setup_efi_pci(), may advertise a ROM size
    larger than early_memremap() is able to handle, which is currently
    limited to 256kB. If this occurs it leads to a NULL dereference in
    parse_setup_data().

    To avoid this, remap the setup_data header and allow parsing functions
    for individual types to handle their own data remapping.

    Signed-off-by: Linn Crosetto
    Link: http://lkml.kernel.org/r/1376430401-67445-1-git-send-email-linn@hp.com
    Acked-by: Yinghai Lu
    Reviewed-by: Pekka Enberg
    Signed-off-by: H. Peter Anvin
    Cc: Paul Gortmaker
    Signed-off-by: Greg Kroah-Hartman

commit 3232569ecd21ad181bd070acdb27ac5ccd54494c
Author: Davidlohr Bueso
Date:   Mon Sep 30 13:45:26 2013 -0700

    ipc,msg: prevent race with rmid in msgsnd,msgrcv

    commit 4271b05a227dc6175b66c3d9941aeab09048aeb2 upstream.

    This fixes a race in both msgrcv() and msgsnd() between finding the msg
    and actually dealing with the queue, as another thread can delete shmid
    underneath us if we are preempted before acquiring the
    kern_ipc_perm.lock.

    Manfred illustrates this nicely:

    Assume a preemptible kernel that is preempted just after

        msq = msq_obtain_object_check(ns, msqid)

    in do_msgrcv(). The only lock that is held is rcu_read_lock().

    Now the other thread processes IPC_RMID. When the first task is
    resumed, then it will happily wait for messages on a deleted queue.

    Fix this by checking for if the queue has been deleted after taking the
    lock.
    Signed-off-by: Davidlohr Bueso
    Reported-by: Manfred Spraul
    Cc: Rik van Riel
    Cc: Mike Galbraith
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit e556ea0191d648c63fbc4fe24bbfb15ad872a205
Author: Manfred Spraul
Date:   Mon Sep 30 13:45:25 2013 -0700

    ipc/sem.c: update sem_otime for all operations

    commit 0e8c665699e953fa58dc1b0b0d09e5dce7343cc7 upstream.

    In commit 0a2b9d4c7967 ("ipc/sem.c: move wake_up_process out of the
    spinlock section"), the update of semaphore's sem_otime(last semop
    time) was moved to one central position (do_smart_update).

    But since do_smart_update() is only called for operations that modify
    the array, this means that wait-for-zero semops do not update sem_otime
    anymore.

    The fix is simple:
    Non-alter operations must update sem_otime.

    [akpm@linux-foundation.org: coding-style fixes]
    Signed-off-by: Manfred Spraul
    Reported-by: Jia He
    Tested-by: Jia He
    Cc: Davidlohr Bueso
    Cc: Mike Galbraith
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 83aeb6e3449cc54fa8867a0c9cc1b8d2484fa91e
Author: Manfred Spraul
Date:   Mon Sep 30 13:45:07 2013 -0700

    ipc/sem.c: synchronize the proc interface

    commit d8c633766ad88527f25d9f81a5c2f083d78a2b39 upstream.

    The proc interface is not aware of sem_lock(), it instead calls
    ipc_lock_object() directly. This means that simple semop() operations
    can run in parallel with the proc interface. Right now, this is
    uncritical, because the implementation doesn't do anything that
    requires a proper synchronization.

    But it is dangerous and therefore should be fixed.

    Signed-off-by: Manfred Spraul
    Cc: Davidlohr Bueso
    Cc: Mike Galbraith
    Cc: Rik van Riel
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 901f6fedc5340d66e2ca67c70dfee926cb5a1ea0
Author: Manfred Spraul
Date:   Mon Sep 30 13:45:06 2013 -0700

    ipc/sem.c: optimize sem_lock()

    commit 6d07b68ce16ae9535955ba2059dedba5309c3ca1 upstream.
    Operations that need access to the whole array must guarantee that
    there are no simple operations ongoing. Right now this is achieved by
    spin_unlock_wait(sem->lock) on all semaphores.

    If complex_count is nonzero, then this spin_unlock_wait() is not
    necessary, because it was already performed in the past by the thread
    that increased complex_count and even though sem_perm.lock was dropped
    in between, no simple operation could have started, because simple
    operations cannot start when complex_count is non-zero.

    Signed-off-by: Manfred Spraul
    Cc: Mike Galbraith
    Cc: Rik van Riel
    Reviewed-by: Davidlohr Bueso
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit 184076a9f9306c9bef6843bf4cc7b7e15b8fc7b4
Author: Manfred Spraul
Date:   Mon Sep 30 13:45:04 2013 -0700

    ipc/sem.c: fix race in sem_lock()

    commit 5e9d527591421ccdb16acb8c23662231135d8686 upstream.

    The exclusion of complex operations in sem_lock() is insufficient:
    after acquiring the per-semaphore lock, a simple op must first check
    that sem_perm.lock is not locked and only after that test check
    complex_count. The current code does it the other way around - and
    that creates a race. Details are below.

    The patch is a complete rewrite of sem_lock(), based in part on the
    code from Mike Galbraith. It removes all gotos and all loops and thus
    the risk of livelocks.

    I have tested the patch (together with the next one) on my i3 laptop
    and it didn't cause any problems.

    The bug is probably also present in 3.10 and 3.11, but for these
    kernels it might be simpler just to move the test of
    sma->complex_count after the spin_is_locked() test.

    Details of the bug:

    Assume:
     - sma->complex_count = 0.
     - Thread 1: semtimedop(complex op that must sleep)
     - Thread 2: semtimedop(simple op).

    Pseudo-Trace:

    Thread 1: sem_lock(): acquire sem_perm.lock
    Thread 1: sem_lock(): check for ongoing simple ops
              Nothing ongoing, thread 2 is still before sem_lock().
    Thread 1: try_atomic_semop()
        <<< preempted.

    Thread 2: sem_lock():
        static inline int sem_lock(struct sem_array *sma, struct sembuf *sops,
                                   int nsops)
        {
                int locknum;
         again:
                if (nsops == 1 && !sma->complex_count) {
                        struct sem *sem = sma->sem_base + sops->sem_num;

                        /* Lock just the semaphore we are interested in. */
                        spin_lock(&sem->lock);

                        /*
                         * If sma->complex_count was set while we were spinning,
                         * we may need to look at things we did not lock here.
                         */
                        if (unlikely(sma->complex_count)) {
                                spin_unlock(&sem->lock);
                                goto lock_array;
                        }
        <<<<<<<<<
        <<< complex_count is still 0.
        <<<
        <<< Here it is preempted
        <<<<<<<<<

    Thread 1: try_atomic_semop() returns, notices that it must sleep.
    Thread 1: increases sma->complex_count.
    Thread 1: drops sem_perm.lock
    Thread 2:
                        /*
                         * Another process is holding the global lock on the
                         * sem_array; we cannot enter our critical section,
                         * but have to wait for the global lock to be released.
                         */
                        if (unlikely(spin_is_locked(&sma->sem_perm.lock))) {
                                spin_unlock(&sem->lock);
                                spin_unlock_wait(&sma->sem_perm.lock);
                                goto again;
                        }
        <<< sem_perm.lock already dropped, thus no "goto again;"

                        locknum = sops->sem_num;

    Signed-off-by: Manfred Spraul
    Cc: Mike Galbraith
    Cc: Rik van Riel
    Cc: Davidlohr Bueso
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit e84ca333752636c70cf85711aeef2b2abaac816e
Author: Davidlohr Bueso
Date:   Mon Sep 23 17:04:45 2013 -0700

    ipc: fix race with LSMs

    commit 53dad6d3a8e5ac1af8bacc6ac2134ae1a8b085f1 upstream.

    Currently, IPC mechanisms do security and auditing related checks under
    RCU. However, since security modules can free the security structure,
    for example, through selinux_[sem,msg_queue,shm]_free_security(), we
    can race if the structure is freed before other tasks are done with
    it, creating a use-after-free condition. Manfred illustrates this
    nicely, for instance with shared mem and selinux:

     -> do_shmat calls rcu_read_lock()
     -> do_shmat calls shm_object_check().
        Checks that the object is still valid - but doesn't acquire any
        locks. Then it returns.
     -> do_shmat calls security_shm_shmat (e.g. selinux_shm_shmat)
     -> selinux_shm_shmat calls ipc_has_perm()
     -> ipc_has_perm accesses ipc_perms->security

    shm_close()
     -> shm_close acquires rw_mutex & shm_lock
     -> shm_close calls shm_destroy
     -> shm_destroy calls security_shm_free (e.g. selinux_shm_free_security)
     -> selinux_shm_free_security calls ipc_free_security(&shp->shm_perm)
     -> ipc_free_security calls kfree(ipc_perms->security)

    This patch delays the freeing of the security structures after all RCU
    readers are done. Furthermore it aligns the security life cycle with
    that of the rest of IPC - freeing them based on the reference counter.
    For situations where we need not free security, the current behavior
    is kept. Linus states:

     "... the old behavior was suspect for another reason too: having the
      security blob go away from under a user sounds like it could cause
      various other problems anyway, so I think the old code was at least
      _prone_ to bugs even if it didn't have catastrophic behavior."

    I have tested this patch with IPC testcases from LTP on both my
    quad-core laptop and on a 64 core NUMA server. In both cases selinux
    is enabled, and tests pass for both voluntary and forced preemption
    models. While the mentioned races are theoretical (at least no one has
    reported them), I wanted to make sure that this new logic doesn't
    break anything we weren't aware of.

    Suggested-by: Linus Torvalds
    Signed-off-by: Davidlohr Bueso
    Acked-by: Manfred Spraul
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit c42107e68217f062e4257f0505a8c5b24b6cb9f3
Author: Davidlohr Bueso
Date:   Wed Sep 11 14:26:31 2013 -0700

    ipc: drop ipc_lock_check

    commit 20b8875abcf2daa1dda5cf70bd6369df5e85d4c1 upstream.

    No remaining users, we now use ipc_obtain_object_check().
    Signed-off-by: Davidlohr Bueso
    Cc: Sedat Dilek
    Cc: Rik van Riel
    Cc: Manfred Spraul
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit 1129a4810a2499dd02a7bfa657053c55c35140a3
Author: Davidlohr Bueso
Date:   Wed Sep 11 14:26:30 2013 -0700

    ipc, shm: drop shm_lock_check

    commit 7a25dd9e042b2b94202a67e5551112f4ac87285a upstream.

    This function was replaced by the lockless shm_obtain_object_check(),
    and no longer has any users.

    Signed-off-by: Davidlohr Bueso
    Cc: Sedat Dilek
    Cc: Rik van Riel
    Cc: Manfred Spraul
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit ffa02e67efa1c1bd32ea07a17d74506e5855a50d
Author: Davidlohr Bueso
Date:   Wed Sep 11 14:26:29 2013 -0700

    ipc: drop ipc_lock_by_ptr

    commit 32a2750010981216fb788c5190fb0e646abfab30 upstream.

    After previous cleanups and optimizations, this function is no longer
    heavily used and we don't have a good reason to keep it. Update the
    few remaining callers and get rid of it.

    Signed-off-by: Davidlohr Bueso
    Cc: Sedat Dilek
    Cc: Rik van Riel
    Cc: Manfred Spraul
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit 48ec782ce3e59d6ab14a8c1197c19826e61ac8e5
Author: Davidlohr Bueso
Date:   Wed Sep 11 14:26:28 2013 -0700

    ipc, shm: guard against non-existant vma in shmdt(2)

    commit 530fcd16d87cd2417c472a581ba5a1e501556c86 upstream.

    When !CONFIG_MMU there's a chance we can dereference a NULL pointer
    when the VM area isn't found - check the return value of find_vma().

    Also, remove the redundant -EINVAL return: retval is set to the proper
    return code and *only* changed to 0, when we actually unmap the
    segments.
    Signed-off-by: Davidlohr Bueso
    Cc: Sedat Dilek
    Cc: Rik van Riel
    Cc: Manfred Spraul
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit a5daa172ff0897c52eb4c6da18b092c757264b2f
Author: Davidlohr Bueso
Date:   Wed Sep 11 14:26:26 2013 -0700

    ipc: document general ipc locking scheme

    commit 05603c44a7627793219b0bd9a7b236099dc9cd9d upstream.

    As suggested by Andrew, add a generic initial locking scheme used
    throughout all sysv ipc mechanisms. Documenting the ids rwsem, how rcu
    can be enough to do the initial checks and when to actually acquire
    the kern_ipc_perm.lock spinlock.

    I found that adding it to util.c was generic enough.

    Signed-off-by: Davidlohr Bueso
    Tested-by: Sedat Dilek
    Cc: Rik van Riel
    Cc: Manfred Spraul
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit c143813735d3246637e4ad60bfd4cf042189b83c
Author: Davidlohr Bueso
Date:   Wed Sep 11 14:26:25 2013 -0700

    ipc,msg: drop msg_unlock

    commit 4718787d1f626f45ddb239912bc07266b9880044 upstream.

    There is only one user left, drop this function and just call
    ipc_unlock_object() and rcu_read_unlock().

    Signed-off-by: Davidlohr Bueso
    Tested-by: Sedat Dilek
    Cc: Rik van Riel
    Cc: Manfred Spraul
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit 33b74669858f3f1982d83015203264b462d845e7
Author: Davidlohr Bueso
Date:   Wed Sep 11 14:26:24 2013 -0700

    ipc: rename ids->rw_mutex

    commit d9a605e40b1376eb02b067d7690580255a0df68f upstream.

    Since in some situations the lock can be shared for readers, we
    shouldn't be calling it a mutex, rename it to rwsem.
    Signed-off-by: Davidlohr Bueso
    Tested-by: Sedat Dilek
    Cc: Rik van Riel
    Cc: Manfred Spraul
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit bd58e2dc27330012ff1774cd54d41d6e7ffcbc36
Author: Davidlohr Bueso
Date:   Wed Sep 11 14:26:23 2013 -0700

    ipc,shm: shorten critical region for shmat

    commit c2c737a0461e61a34676bd0bd1bc1a70a1b4e396 upstream.

    Similar to other system calls, acquire the kern_ipc_perm lock after
    doing the initial permission and security checks.

    [sasha.levin@oracle.com: dont leave do_shmat with rcu lock held]
    Signed-off-by: Davidlohr Bueso
    Tested-by: Sedat Dilek
    Cc: Rik van Riel
    Cc: Manfred Spraul
    Signed-off-by: Sasha Levin
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit 247ec302b53873fa13bbb413b5df982cb5d7f78f
Author: Davidlohr Bueso
Date:   Wed Sep 11 14:26:22 2013 -0700

    ipc,shm: cleanup do_shmat pasta

    commit f42569b1388b1408b574a5e93a23a663647d4181 upstream.

    Clean up some of the messy do_shmat() spaghetti code, getting rid of
    out_free and out_put_dentry labels. This makes shortening the critical
    region of this function in the next patch a little easier to do and
    read.

    Signed-off-by: Davidlohr Bueso
    Tested-by: Sedat Dilek
    Cc: Rik van Riel
    Cc: Manfred Spraul
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit 00c88e695ae4c001495d6768d6c91603f34aa6c7
Author: Davidlohr Bueso
Date:   Wed Sep 11 14:26:21 2013 -0700

    ipc,shm: shorten critical region for shmctl

    commit 2caacaa82a51b78fc0c800e206473874094287ed upstream.

    With the *_INFO, *_STAT, IPC_RMID and IPC_SET commands already
    optimized, deal with the remaining SHM_LOCK and SHM_UNLOCK commands.
    Take the shm_perm lock after doing the initial auditing and security
    checks. The rest of the logic remains unchanged.
    Signed-off-by: Davidlohr Bueso
    Tested-by: Sedat Dilek
    Cc: Rik van Riel
    Cc: Manfred Spraul
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit c29c40392a01b9414b02c1b57b042950704cb774
Author: Davidlohr Bueso
Date:   Wed Sep 11 14:26:20 2013 -0700

    ipc,shm: make shmctl_nolock lockless

    commit c97cb9ccab8c85428ec21eff690642ad2ce1fa8a upstream.

    While the INFO cmd doesn't take the ipc lock, the STAT commands do
    acquire it unnecessarily. We can do the permissions and security
    checks only holding the rcu lock.

    [akpm@linux-foundation.org: coding-style fixes]
    Signed-off-by: Davidlohr Bueso
    Tested-by: Sedat Dilek
    Cc: Rik van Riel
    Cc: Manfred Spraul
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit d6187ddfc90715e95b8c73f49887781b4b2a1ebc
Author: Davidlohr Bueso
Date:   Wed Sep 11 14:26:18 2013 -0700

    ipc,shm: introduce shmctl_nolock

    commit 68eccc1dc345539d589ae78ee43b835c1a06a134 upstream.

    Similar to semctl and msgctl, when calling msgctl, the *_INFO and
    *_STAT commands can be performed without acquiring the ipc object.

    Add a shmctl_nolock() function and move the logic of *_INFO and *_STAT
    out of msgctl(). Since we are just moving functionality, this change
    still takes the lock and it will be properly lockless in the next
    patch.

    Signed-off-by: Davidlohr Bueso
    Tested-by: Sedat Dilek
    Cc: Rik van Riel
    Cc: Manfred Spraul
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit 60425b7b25c07bbc55f39ce1b178c5bf86e679e4
Author: Davidlohr Bueso
Date:   Wed Sep 11 14:26:17 2013 -0700

    ipc: drop ipcctl_pre_down

    commit 3b1c4ad37741e53804ffe0a30dd01e08b2ab6241 upstream.

    Now that sem, msgque and shm, through *_down(), all use the lockless
    variant of ipcctl_pre_down(), go ahead and delete it.
    [akpm@linux-foundation.org: fix function name in kerneldoc, cleanups]
    Signed-off-by: Davidlohr Bueso
    Tested-by: Sedat Dilek
    Cc: Rik van Riel
    Cc: Manfred Spraul
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit b3b7b427fd385e92ce2ea8a847ec977724dc9669
Author: Davidlohr Bueso
Date:   Wed Sep 11 14:26:16 2013 -0700

    ipc,shm: shorten critical region in shmctl_down

    commit 79ccf0f8c8e04e8b9eda6645ba0f63b0915a3075 upstream.

    Instead of holding the ipc lock for the entire function, use the
    ipcctl_pre_down_nolock and only acquire the lock for specific
    commands: RMID and SET.

    Signed-off-by: Davidlohr Bueso
    Tested-by: Sedat Dilek
    Cc: Rik van Riel
    Cc: Manfred Spraul
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit 1b2ad167481aed32347ef7726d14bb2b9f63c4c9
Author: Davidlohr Bueso
Date:   Wed Sep 11 14:26:15 2013 -0700

    ipc,shm: introduce lockless functions to obtain the ipc object

    commit 8b8d52ac382b17a19906b930cd69e2edb0aca8ba upstream.

    This is the third and final patchset that deals with reducing the
    amount of contention we impose on the ipc lock (kern_ipc_perm.lock).
    These changes mostly deal with shared memory, previous work has
    already been done for semaphores and message queues:

      http://lkml.org/lkml/2013/3/20/546 (sems)
      http://lkml.org/lkml/2013/5/15/584 (mqueues)

    With these patches applied, a custom shm microbenchmark stressing
    shmctl doing IPC_STAT with 4 threads a million times, reduces the
    execution time by 50%. A similar run, this time with IPC_SET, reduces
    the execution time from 3 mins and 35 secs to 27 seconds.

    Patches 1-8: replaces blindly taking the ipc lock for a smarter
    combination of rcu and ipc_obtain_object, only acquiring the spinlock
    when updating.

    Patch 9: renames the ids rw_mutex to rwsem, which is what it already
    was.
    Patch 10: is a trivial mqueue leftover cleanup

    Patch 11: adds a brief lock scheme description, requested by Andrew.

    This patch:

    Add shm_obtain_object() and shm_obtain_object_check(), which will
    allow us to get the ipc object without acquiring the lock. Just as
    with other forms of ipc, these functions are basically wrappers around
    ipc_obtain_object*().

    Signed-off-by: Davidlohr Bueso
    Tested-by: Sedat Dilek
    Cc: Rik van Riel
    Cc: Manfred Spraul
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit 11ce33923261281f406a99ee345ffc5f53aec2c8
Author: Manfred Spraul
Date:   Tue Sep 3 16:00:08 2013 +0200

    ipc/msg.c: Fix lost wakeup in msgsnd().

    commit bebcb928c820d0ee83aca4b192adc195e43e66a2 upstream.

    The check if the queue is full and adding current to the wait queue of
    pending msgsnd() operations (ss_add()) must be atomic.

    Otherwise:
    - the thread that performs msgsnd() finds a full queue and decides to
      sleep.
    - the thread that performs msgrcv() first reads all messages from the
      queue and then sleeps, because the queue is empty.
    - the msgrcv() calls do not perform any wakeups, because the msgsnd()
      task has not yet called ss_add().
    - then the msgsnd()-thread first calls ss_add() and then sleeps.

    Net result: msgsnd() and msgrcv() both sleep forever.

    Observed with msgctl08 from ltp with a preemptible kernel.

    Fix: Call ipc_lock_object() before performing the check.

    The patch also moves security_msg_queue_msgsnd() under
    ipc_lock_object:
    - msgctl(IPC_SET) explicitly mentions that it tries to expunge any
      pending operations that are not allowed anymore with the new
      permissions. If security_msg_queue_msgsnd() is called without locks,
      then there might be races.
    - it makes the patch much simpler.
    Reported-and-tested-by: Vineet Gupta
    Acked-by: Rik van Riel
    Signed-off-by: Manfred Spraul
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit b56e88e25e1d576619343e97fdb6cbe11035cf6d
Author: Manfred Spraul
Date:   Mon Jul 8 16:01:26 2013 -0700

    ipc/sem.c: rename try_atomic_semop() to perform_atomic_semop(), docu update

    commit 758a6ba39ef6df4cdc615e5edd7bd86eab81a5f7 upstream.

    Cleanup: Some minor points that I noticed while writing the previous
    patches

    1) The name try_atomic_semop() is misleading: The function performs
       the operation (if it is possible).

    2) Some documentation updates.

    No real code change, a rename and documentation changes.

    Signed-off-by: Manfred Spraul
    Cc: Rik van Riel
    Cc: Davidlohr Bueso
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit bf6830ad689a462a61c7e9191dc44fc45e205165
Author: Manfred Spraul
Date:   Mon Jul 8 16:01:25 2013 -0700

    ipc/sem.c: replace shared sem_otime with per-semaphore value

    commit d12e1e50e47e0900dbbf52237b7e171f4f15ea1e upstream.

    sem_otime contains the time of the last semaphore operation that
    completed successfully. Every operation updates this value, thus
    access from multiple cpus can cause thrashing.

    Therefore the patch replaces the variable with a per-semaphore
    variable. The per-array sem_otime is only calculated when required.

    No performance improvement on a single-socket i3 - only important for
    larger systems.

    Signed-off-by: Manfred Spraul
    Cc: Rik van Riel
    Cc: Davidlohr Bueso
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit e5639c5288c125607fc45fb727c72a97d01cd868
Author: Manfred Spraul
Date:   Mon Jul 8 16:01:24 2013 -0700

    ipc/sem.c: always use only one queue for alter operations

    commit f269f40ad5aeee229ed70044926f44318abe41ef upstream.
    There are two places that can contain alter operations:
    - the global queue: sma->pending_alter
    - the per-semaphore queues: sma->sem_base[].pending_alter.

    Since one of the queues must be processed first, this causes an odd
    prioritization of the wakeups: complex operations have priority over
    simple ops.

    The patch restores the behavior of linux <=3.0.9: The longest waiting
    operation has the highest priority.

    This is done by using only one queue:
    - if there are complex ops, then sma->pending_alter is used.
    - otherwise, the per-semaphore queues are used.

    As a side effect, do_smart_update_queue() becomes much simpler: no
    more goto logic.

    Signed-off-by: Manfred Spraul
    Cc: Rik van Riel
    Cc: Davidlohr Bueso
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit ab63bc97faaa8e26cef944eda370cf83ca818ca5
Author: Manfred Spraul
Date:   Mon Jul 8 16:01:23 2013 -0700

    ipc/sem: separate wait-for-zero and alter tasks into seperate queues

    commit 1a82e9e1d0f1b45f47a97c9e2349020536ff8987 upstream.

    Introduce separate queues for operations that do not modify the
    semaphore values. Advantages:

    - Simpler logic in check_restart().
    - Faster update_queue(): Right now, all wait-for-zero operations are
      always tested, even if the semaphore value is not 0.
    - wait-for-zero gets again priority, as in linux <=3.0.9

    Signed-off-by: Manfred Spraul
    Cc: Rik van Riel
    Cc: Davidlohr Bueso
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit 0824e44c3f0aa0d5dc3d06910a09b9bbaa53d2f6
Author: Manfred Spraul
Date:   Mon Jul 8 16:01:22 2013 -0700

    ipc/sem.c: cacheline align the semaphore structures

    commit f5c936c0f267ec58641451cf8b8d39b4c207ee4d upstream.

    As now each semaphore has its own spinlock and parallel operations are
    possible, give each semaphore its own cacheline.
    On an i3 laptop, this gives up to 28% better performance:

      #semscale 10 | grep "interleave 2"
      - before:
      Cpus 1, interleave 2 delay 0: 36109234 in 10 secs
      Cpus 2, interleave 2 delay 0: 55276317 in 10 secs
      Cpus 3, interleave 2 delay 0: 62411025 in 10 secs
      Cpus 4, interleave 2 delay 0: 81963928 in 10 secs

      - after:
      Cpus 1, interleave 2 delay 0: 35527306 in 10 secs
      Cpus 2, interleave 2 delay 0: 70922909 in 10 secs <<< + 28%
      Cpus 3, interleave 2 delay 0: 80518538 in 10 secs
      Cpus 4, interleave 2 delay 0: 89115148 in 10 secs <<< + 8.7%

    i3, with 2 cores and with hyperthreading enabled. Interleave 2 in
    order to use the full cores first. HT partially hides the delay from
    cacheline thrashing, thus the improvement is "only" 8.7% if 4 threads
    are running.

    Signed-off-by: Manfred Spraul
    Cc: Rik van Riel
    Cc: Davidlohr Bueso
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit 49f7f31ab27de9bcaf2d12e1d0196400dadf6add
Author: Manfred Spraul
Date:   Mon Jul 8 16:01:20 2013 -0700

    ipc/util.c, ipc_rcu_alloc: cacheline align allocation

    commit 196aa0132fc7261f34b10ae1bfb44abc1bc69b3c upstream.

    Enforce that ipc_rcu_alloc returns a cacheline aligned pointer on SMP.

    Rationale:

    The SysV sem code tries to move the main spinlock into a separate
    cacheline (____cacheline_aligned_in_smp). This works only if
    ipc_rcu_alloc returns cacheline aligned pointers. vmalloc and kmalloc
    return cacheline aligned pointers, the implementation of ipc_rcu_alloc
    breaks that.

    [akpm@linux-foundation.org: coding-style fixes]
    Signed-off-by: Manfred Spraul
    Cc: Rik van Riel
    Cc: Davidlohr Bueso
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit 5cd37e921753eeff777a522aa78b0cc5a6ff7596
Author: Davidlohr Bueso
Date:   Mon Jul 8 16:01:19 2013 -0700

    ipc: remove unused functions

    commit 9ad66ae65fc8d3e7e3344310fb0aa835910264fe upstream.
    We can now drop the msg_lock and msg_lock_check functions along with a
    bogus comment introduced previously in semctl_down.

    Signed-off-by: Davidlohr Bueso
    Cc: Andi Kleen
    Cc: Rik van Riel
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit 7b527fcdfdc6c4edfc6dad3bae254679ed63fc55
Author: Davidlohr Bueso
Date:   Mon Jul 8 16:01:18 2013 -0700

    ipc,msg: shorten critical region in msgrcv

    commit 41a0d523d0f626e9da0dc01de47f1b89058033cf upstream.

    do_msgrcv() is the last msg queue function that abuses the ipc lock.
    Take it only when needed when actually updating msq.

    Signed-off-by: Davidlohr Bueso
    Cc: Andi Kleen
    Cc: Rik van Riel
    Tested-by: Sedat Dilek
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit 8398fe18b48b6e4ac671898cd9b7327954b4ba5f
Author: Davidlohr Bueso
Date:   Mon Jul 8 16:01:17 2013 -0700

    ipc,msg: shorten critical region in msgsnd

    commit 3dd1f784ed6603d7ab1043e51e6371235edf2313 upstream.

    do_msgsnd() is another function that does too many things with the ipc
    object lock acquired. Take it only when needed when actually updating
    msq.

    Signed-off-by: Davidlohr Bueso
    Cc: Andi Kleen
    Cc: Rik van Riel
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit 107b413cd33374f8eb3a0075d0237e1076e0a752
Author: Davidlohr Bueso
Date:   Mon Jul 8 16:01:16 2013 -0700

    ipc,msg: make msgctl_nolock lockless

    commit ac0ba20ea6f2201a1589d6dc26ad1a4f0f967bb8 upstream.

    While the INFO cmd doesn't take the ipc lock, the STAT commands do
    acquire it unnecessarily. We can do the permissions and security
    checks only holding the rcu lock.

    This function now mimics semctl_nolock().
    Signed-off-by: Davidlohr Bueso
    Cc: Andi Kleen
    Cc: Rik van Riel
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit 15d49ab4814e9b3e6b340ec073a3ce95862643a9
Author: Davidlohr Bueso
Date:   Mon Jul 8 16:01:15 2013 -0700

    ipc,msg: introduce lockless functions to obtain the ipc object

    commit a5001a0d9768568de5d613c3b3a5b9c7721299da upstream.

    Add msq_obtain_object() and msq_obtain_object_check(), which will
    allow us to get the ipc object without acquiring the lock. Just as
    with semaphores, these functions are basically wrappers around
    ipc_obtain_object*().

    Signed-off-by: Davidlohr Bueso
    Cc: Andi Kleen
    Cc: Rik van Riel
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit f1f7913980afb02f8dee9ee190b29230e69cf7a4
Author: Davidlohr Bueso
Date:   Mon Jul 8 16:01:14 2013 -0700

    ipc,msg: introduce msgctl_nolock

    commit 2cafed30f150f7314f98717b372df8173516cae0 upstream.

    Similar to semctl, when calling msgctl, the *_INFO and *_STAT commands
    can be performed without acquiring the ipc object.

    Add a msgctl_nolock() function and move the logic of *_INFO and *_STAT
    out of msgctl(). This change still takes the lock and it will be
    properly lockless in the next patch.

    Signed-off-by: Davidlohr Bueso
    Cc: Andi Kleen
    Cc: Rik van Riel
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit f880aca02ec5531b5ce62b10dae6311001a34804
Author: Davidlohr Bueso
Date:   Mon Jul 8 16:01:13 2013 -0700

    ipc,msg: shorten critical region in msgctl_down

    commit 15724ecb7e9bab35fc694c666ad563adba820cc3 upstream.

    Instead of holding the ipc lock for the entire function, use the
    ipcctl_pre_down_nolock and only acquire the lock for specific
    commands: RMID and SET.
    Signed-off-by: Davidlohr Bueso
    Cc: Andi Kleen
    Cc: Rik van Riel
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit ac9bc6e396285ab732dd869c3edb353662134022
Author: Davidlohr Bueso
Date:   Mon Jul 8 16:01:12 2013 -0700

    ipc: move locking out of ipcctl_pre_down_nolock

    commit 7b4cc5d8411bd4e9d61d8714f53859740cf830c2 upstream.

    This function currently acquires both the rw_mutex and the rcu lock on
    successful lookups, leaving the callers to explicitly unlock them,
    creating another two level locking situation.

    Make the callers (including those that still use ipcctl_pre_down())
    explicitly lock and unlock the rwsem and rcu lock.

    Signed-off-by: Davidlohr Bueso
    Cc: Andi Kleen
    Cc: Rik van Riel
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit 115d40dbef93b70e6f32732b0fdd5903c1f7fce4
Author: Davidlohr Bueso
Date:   Mon Jul 8 16:01:11 2013 -0700

    ipc: close open coded spin lock calls

    commit cf9d5d78d05bca96df7618dfc3a5ee4414dcae58 upstream.

    Signed-off-by: Davidlohr Bueso
    Cc: Andi Kleen
    Cc: Rik van Riel
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit 9f7b399c9dbc71bd09d5b45242a6fb8fbf2650a3
Author: Davidlohr Bueso
Date:   Mon Jul 8 16:01:10 2013 -0700

    ipc: introduce ipc object locking helpers

    commit 1ca7003ab41152d673d9e359632283d05294f3d6 upstream.

    Simple helpers around the (kern_ipc_perm *)->lock spinlock.

    Signed-off-by: Davidlohr Bueso
    Cc: Andi Kleen
    Cc: Rik van Riel
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit 34b2092419a3f73bb69c55247fe71ca4941faad2
Author: Davidlohr Bueso
Date:   Mon Jul 8 16:01:09 2013 -0700

    ipc: move rcu lock out of ipc_addid

    commit dbfcd91f06f0e2d5564b2fd184e9c2a43675f9ab upstream.
    This patchset continues the work that began in the sysv ipc semaphore
    scaling series, see

      https://lkml.org/lkml/2013/3/20/546

    Just like semaphores used to be, sysv shared memory and msg queues
    also abuse the ipc lock, unnecessarily holding it for operations such
    as permission and security checks.

    This patchset mostly deals with mqueues, and while shared mem can be
    done in a very similar way, I want to get these patches out in the
    open first. It also does some pending cleanups, mostly focused on the
    two level locking we have in ipc code, taking care of ipc_addid() and
    ipcctl_pre_down_nolock() - yes there are still functions that need to
    be updated as well.

    This patch:

    Make all callers explicitly take and release the RCU read lock.

    This addresses the two level locking seen in newary(), newseg() and
    newqueue(). For the last two, explicitly unlock the ipc object and the
    rcu lock, instead of calling the custom shm_unlock and msg_unlock
    functions. The next patch will deal with the open coded locking for
    ->perm.lock.

    Signed-off-by: Davidlohr Bueso
    Cc: Andi Kleen
    Cc: Rik van Riel
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Cc: Mike Galbraith
    Signed-off-by: Greg Kroah-Hartman

commit 7276dd0042b05ae6409274664ed8747f4dcd2a30
Author: wojciech kapuscinski
Date:   Tue Oct 1 19:54:33 2013 -0400

    drm/radeon: fix hw contexts for SUMO2 asics

    commit 50b8f5aec04ebec7dbdf2adb17220b9148c99e63 upstream.

    They have 4 rather than 8.

    Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=63599

    Signed-off-by: wojciech kapuscinski
    Signed-off-by: Alex Deucher
    Signed-off-by: Greg Kroah-Hartman

commit 11685f24f1e127ac069bd37cf1b5db559ced1f7e
Author: Alex Deucher
Date:   Tue Oct 1 16:40:45 2013 -0400

    drm/radeon: fix typo in CP DMA register headers

    commit aa3e146d04b6ae37939daeebaec060562b3db559 upstream.

    Wrong bit offset for SRC endian swapping.
Signed-off-by: Alex Deucher
Signed-off-by: Greg Kroah-Hartman

commit 4fbde5f0aabcd189d03e4e34a52024e70bdd3a73
Author: Dan Carpenter
Date: Mon Jul 1 19:39:34 2013 +0300

drm/radeon: forever loop on error in radeon_do_test_moves()

commit 89cd67b326fa95872cc2b4524cd807128db6071d upstream.

The error path does this:

    for (--i; i >= 0; --i) {

which is a forever loop because "i" is unsigned.

Signed-off-by: Dan Carpenter
Signed-off-by: Alex Deucher
Signed-off-by: Greg Kroah-Hartman

commit 27c35c76cdfec3848ef0997605cfc16cb85a290c
Author: Chris Wilson
Date: Sun Sep 29 19:15:07 2013 +0100

drm/i915: Only apply DPMS to the encoder if enabled

commit c9976dcf55c8aaa7037427b239f15e5acfc01a3a upstream.

The current test for an attached enabled encoder fails if we have multiple connectors aliased to the same encoder - both connectors believe they own the enabled encoder and so we attempt to both enable and disable DPMS on the encoder, leading to hilarity and an OOPs:

[ 354.803064] WARNING: CPU: 0 PID: 482 at /usr/src/linux/dist/3.11.2/drivers/gpu/drm/i915/intel_display.c:3869 intel_modeset_check_state+0x764/0x770 [i915]()
[ 354.803064] wrong connector dpms state
[ 354.803084] Modules linked in: nfsd auth_rpcgss oid_registry exportfs nfs lockd sunrpc xt_nat iptable_nat nf_nat_ipv4 nf_nat xt_limit xt_LOG xt_tcpudp nf_conntrack_ipv4 nf_defrag_ipv4 ipt_REJECT ipv6 xt_recent xt_conntrack nf_conntrack iptable_filter ip_tables x_tables snd_hda_codec_realtek snd_hda_codec_hdmi x86_pkg_temp_thermal snd_hda_intel coretemp kvm_intel snd_hda_codec i915 kvm snd_hwdep snd_pcm_oss snd_mixer_oss crc32_pclmul snd_pcm crc32c_intel e1000e intel_agp igb ghash_clmulni_intel intel_gtt aesni_intel cfbfillrect aes_x86_64 cfbimgblt lrw cfbcopyarea drm_kms_helper ptp video thermal processor gf128mul snd_page_alloc drm snd_timer glue_helper 8250_pci snd pps_core ablk_helper agpgart cryptd sg soundcore fan i2c_algo_bit sr_mod thermal_sys 8250 i2c_i801 serial_core hwmon cdrom i2c_core evdev button
[ 354.803086] CPU: 0 PID: 482 Comm: kworker/0:1 Not tainted 3.11.2 #1
[ 354.803087] Hardware name: Supermicro X10SAE/X10SAE, BIOS 1.00 05/03/2013
[ 354.803091] Workqueue: events console_callback
[ 354.803092] 0000000000000009 ffff88023611db48 ffffffff814048ac ffff88023611db90
[ 354.803093] ffff88023611db80 ffffffff8103d4e3 ffff880230d82800 ffff880230f9b800
[ 354.803094] ffff880230f99000 ffff880230f99448 ffff8802351c0e00 ffff88023611dbe0
[ 354.803094] Call Trace:
[ 354.803098] [] dump_stack+0x54/0x8d
[ 354.803101] [] warn_slowpath_common+0x73/0x90
[ 354.803103] [] warn_slowpath_fmt+0x47/0x50
[ 354.803109] [] ? intel_ddi_connector_get_hw_state+0x5e/0x110 [i915]
[ 354.803114] [] intel_modeset_check_state+0x764/0x770 [i915]
[ 354.803117] [] intel_connector_dpms+0x3b/0x60 [i915]
[ 354.803120] [] drm_fb_helper_dpms.isra.11+0x120/0x160 [drm_kms_helper]
[ 354.803122] [] drm_fb_helper_blank+0x3e/0x80 [drm_kms_helper]
[ 354.803123] [] fb_blank+0x52/0xc0
[ 354.803125] [] fbcon_blank+0x21b/0x2d0
[ 354.803127] [] ? update_rq_clock.part.74+0x13/0x30
[ 354.803129] [] ? lock_timer_base.isra.30+0x26/0x50
[ 354.803130] [] ? internal_add_timer+0x12/0x40
[ 354.803131] [] ? mod_timer+0xf8/0x1c0
[ 354.803133] [] do_unblank_screen+0xa1/0x1c0
[ 354.803134] [] poke_blanked_console+0xc7/0xd0
[ 354.803136] [] console_callback+0x13f/0x160
[ 354.803137] [] process_one_work+0x148/0x3d0
[ 354.803138] [] worker_thread+0x119/0x3a0
[ 354.803140] [] ? manage_workers.isra.30+0x2a0/0x2a0
[ 354.803141] [] kthread+0xbb/0xc0
[ 354.803142] [] ? kthread_create_on_node+0x120/0x120
[ 354.803144] [] ret_from_fork+0x7c/0xb0
[ 354.803145] [] ? kthread_create_on_node+0x120/0x120

This regression goes back to the big modeset rework and the conversion to the new dpms helpers which started with:

    commit 5ab432ef4997ce32c9406721b37ef6e97e57dae1
    Author: Daniel Vetter
    Date: Sat Jun 30 08:59:56 2012 +0200

    drm/i915/hdmi: convert to encoder->disable/enable

Fixes: igt/kms_flip/dpms-off-confusion
Reported-and-tested-by: Wakko Warner
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=68030
Link: http://lkml.kernel.org/r/20130928185023.GA21672@animx.eu.org
Signed-off-by: Chris Wilson
[danvet: Add regression citation, mention the igt testcase this fixes and slap a cc: stable on the patch.]
Signed-off-by: Daniel Vetter
Signed-off-by: Greg Kroah-Hartman

commit ad4c3cc41d6248a80231a6b87f1dab31542f011c
Author: Al Viro
Date: Sat Aug 24 12:08:17 2013 -0400

cope with potentially long ->d_dname() output for shmem/hugetlb

commit 118b23022512eb2f41ce42db70dc0568d00be4ba upstream.

dynamic_dname() is both too much and too little for those - the output may be well in excess of 64 bytes dynamic_dname() assumes to be enough (thanks to ashmem feeding really long names to shmem_file_setup()) and vsnprintf() is an overkill for those guys.

Signed-off-by: Al Viro
Cc: Colin Cross
Signed-off-by: Greg Kroah-Hartman

commit 92a02b07759bb5cbed4a4793019d14247649925c
Author: David Henningsson
Date: Mon Oct 7 10:39:59 2013 +0200

ALSA: hda - Fix mono speakers and headset mic on Dell Vostro 5470

This is a backport for stable. The original commit SHA is 338cae565c53755de9f87d6a801517940d2d56f7.

On this machine, DAC on node 0x03 seems to give mono output.

Also, it needs additional patches for headset mic support. It supports CTIA style headsets only.

Alsa-info available at the bug link below.
BugLink: https://bugs.launchpad.net/bugs/1236228
Signed-off-by: David Henningsson
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman

commit bb42ad4e4d2c1c10637368c750a5683100f2ddfa
Author: Ingo Molnar
Date: Thu Oct 10 10:16:30 2013 +0200

compiler/gcc4: Add quirk for 'asm goto' miscompilation bug

commit 3f0116c3238a96bc18ad4b4acefe4e7be32fa861 upstream.

Fengguang Wu, Oleg Nesterov and Peter Zijlstra tracked down a kernel crash to a GCC bug: GCC miscompiles certain 'asm goto' constructs, as outlined here:

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670

Implement a workaround suggested by Jakub Jelinek.

Reported-and-tested-by: Fengguang Wu
Reported-by: Oleg Nesterov
Reported-by: Peter Zijlstra
Suggested-by: Jakub Jelinek
Reviewed-by: Richard Henderson
Cc: Linus Torvalds
Cc: Andrew Morton
Link: http://lkml.kernel.org/r/20131015062351.GA4666@gmail.com
Signed-off-by: Ingo Molnar
Signed-off-by: Greg Kroah-Hartman

commit e2dcd671f79ade2c764034aeab492ce9a7da6194
Author: Dan Carpenter
Date: Fri Aug 23 11:40:59 2013 +0300

watchdog: ts72xx_wdt: locking bug in ioctl

commit 8612ed0d97abcf1c016d34755b7cf2060de71963 upstream.

Calling the WDIOC_GETSTATUS & WDIOC_GETBOOTSTATUS and twice will cause an interruptible deadlock.

Signed-off-by: Dan Carpenter
Reviewed-by: Guenter Roeck
Signed-off-by: Wim Van Sebroeck
Cc: Jonghwan Choi
Signed-off-by: Greg Kroah-Hartman

commit 4b3ea63f5af44f93bd28d94a93508bbd3186be89
Author: Vineet Gupta
Date: Thu Oct 10 19:33:57 2013 +0530

ARC: Ignore ptrace SETREGSET request for synthetic register "stop_pc"

commit 5b24282846c064ee90d40fcb3a8f63b8e754fd28 upstream.

ARCompact TRAP_S insn used for breakpoints, commits before exception is taken (updating architectural PC). So ptregs->ret contains next-PC and not the breakpoint PC itself. This is different from other restartable exceptions such as TLB Miss where ptregs->ret has exact faulting PC.
gdb needs to know exact-PC hence ARC ptrace GETREGSET provides for @stop_pc which returns ptregs->ret vs. EFA depending on the situation.

However, writing stop_pc (SETREGSET request), which updates ptregs->ret doesn't make sense, as stop_pc doesn't always correspond to that reg as described above.

This was not an issue so far since user_regs->ret / user_regs->stop_pc had same value and both writing to ptregs->ret was OK, needless, but NOT broken, hence not observed.

With gdb "jump", they diverge, and user_regs->ret updating ptregs is overwritten immediately with stop_pc, which this patch fixes.

Reported-by: Anton Kolesov
Signed-off-by: Vineet Gupta
Signed-off-by: Greg Kroah-Hartman

commit 19a420033da02200c424adfa3a7b9eed6e3a6dc2
Author: Christian Ruppert
Date: Wed Oct 2 11:13:38 2013 +0200

ARC: Fix signal frame management for SA_SIGINFO

commit 10469350e345599dfef3fa78a7c19fb230e674c1 upstream.

Previously, when a signal was registered with SA_SIGINFO, parameters 2 and 3 of the signal handler were written to registers r1 and r2 before the register set was saved. This led to corruption of these two registers after returning from the signal handler (the wrong values were restored). With this patch, registers are now saved before any parameters are passed, thus maintaining the processor state from before signal entry.

Signed-off-by: Christian Ruppert
Signed-off-by: Vineet Gupta
Signed-off-by: Greg Kroah-Hartman

commit 0c06a0a693a5baaeacdb4c9485d5d6d490ea8a23
Author: Vineet Gupta
Date: Wed Sep 25 16:53:32 2013 +0530

ARC: Workaround spinlock livelock in SMP SystemC simulation

commit 6c00350b573c0bd3635436e43e8696951dd6e1b6 upstream.

Some ARC SMP systems lack native atomic R-M-W (LLOCK/SCOND) insns and can only use atomic EX insn (reg with mem) to build higher level R-M-W primitives. This includes a SystemC based SMP simulation model.

So rwlocks need to use a protecting spinlock for atomic cmp-n-exchange operation to update reader(s)/writer count.
The spinlock operation itself looks as follows:

    mov reg, 1            ; 1=locked, 0=unlocked
retry:
    EX reg, [lock]        ; load existing, store 1, atomically
    BREQ reg, 1, retry    ; if already locked, retry

In single-threaded simulation, SystemC alternates between the 2 cores with "N" insn each based scheduling. Additionally for insn with global side effect, such as EX writing to shared mem, a core switch is enforced too.

Given that, 2 cores doing a repeated EX on same location, Linux often got into a livelock e.g. when both cores were fiddling with tasklist lock (gdbserver / hackbench) for read/write respectively as the sequence diagram below shows:

        core1                                   core2
        --------                                --------
1. spin lock [EX r=0, w=1] - LOCKED
2. rwlock(Read)            - LOCKED
3. spin unlock [ST 0]      - UNLOCKED
                                        spin lock [EX r=0,w=1] - LOCKED
                        -- resched core 1----

5. spin lock [EX r=1] - ALREADY-LOCKED

                        -- resched core 2----
6.                                      rwlock(Write) - READER-LOCKED
7.                                      spin unlock [ST 0]
8.                                      rwlock failed, retry again

9.                                      spin lock [EX r=0, w=1]
                        -- resched core 1----

10. spinlock locked in #9, retry #5
11. spin lock [EX gets 1]
                        -- resched core 2----
...
...

The fix was to unlock using the EX insn too (step 7), to trigger another SystemC scheduling pass which would let core1 proceed, eliding the livelock.

Signed-off-by: Vineet Gupta
Signed-off-by: Greg Kroah-Hartman

commit a683a93b1ce0b86944a51a1b8f787aa684836edb
Author: Vineet Gupta
Date: Thu Sep 26 18:50:40 2013 +0530

ARC: Fix 32-bit wrap around in access_ok()

commit 0752adfda15f0eca9859a76da3db1800e129ad43 upstream.

Anton reported

| LTP tests syscalls/process_vm_readv01 and process_vm_writev01 fail
| similarly in one testcase test_iov_invalid -> lvec->iov_base.
| Testcase expects errno EFAULT and return code -1,
| but it gets return code 1 and ERRNO is 0 what means success.

Essentially test case was passing a pointer of -1 which access_ok() was not catching.
It was doing [@addr + @sz <= TASK_SIZE] which would pass for @addr == -1

Fixed that by rewriting as [@addr <= TASK_SIZE - @sz]

Reported-by: Anton Kolesov
Signed-off-by: Vineet Gupta
Signed-off-by: Greg Kroah-Hartman

commit 5cd12e7776183668bd92a5f5fe102113d3bb599a
Author: Mischa Jonker
Date: Thu Sep 26 15:44:56 2013 +0200

ARC: Handle zero-overhead-loop in unaligned access handler

commit c11eb222fd7d4db91196121dbf854178505d2751 upstream.

If a load or store is the last instruction in a zero-overhead-loop, and it's misaligned, the loop would execute only once.

This fixes that problem.

Signed-off-by: Mischa Jonker
Signed-off-by: Vineet Gupta
Signed-off-by: Greg Kroah-Hartman

commit 8036c31c84117707d4132cd199d997d7ed41427c
Author: Mischa Jonker
Date: Fri Aug 30 11:56:25 2013 +0200

ARC: Fix __udelay calculation

commit 7efd0da2d17360e1cef91507dbe619db0ee2c691 upstream.

Cast usecs to u64, to ensure that the (usecs * 4295 * HZ) multiplication is 64 bit.

Initially, the (usecs * 4295 * HZ) part was done as a 32 bit multiplication, with the result cast to 64 bit. This led to some bits falling off, causing a "DMA initialization error" in the stmmac Ethernet driver, due to a premature timeout.

Signed-off-by: Mischa Jonker
Signed-off-by: Vineet Gupta
Signed-off-by: Greg Kroah-Hartman

commit 98f745546bd27e54fe0bed1e9c900301428de9d5
Author: Noam Camus
Date: Thu Sep 12 13:07:39 2013 +0530

ARC: SMP failed to boot due to missing IVT setup

commit c3567f8a359b7917dcffa442301f88ed0a75211f upstream.

Commit 05b016ecf5e7a "ARC: Setup Vector Table Base in early boot" moved the Interrupt vector Table setup out of arc_init_IRQ() which is called for all CPUs, to entry point of boot cpu only, breaking booting of others.

Fix by adding the same to entry point of non-boot CPUs too.

read_arc_build_cfg_regs() printing IVT Base Register didn't help the cause since it prints a synthetic value if zero which is totally bogus, so fix that to print the exact Register.
[vgupta: Remove the now stale comment from header of arc_init_IRQ and also added the commentary for halt-on-reset]

Cc: Gilad Ben-Yossef
Signed-off-by: Noam Camus
Signed-off-by: Vineet Gupta
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman

commit 8a229aeadcf9cf6616e56b00babc86607a3b3d1d
Author: Vineet Gupta
Date: Mon Jun 17 18:27:23 2013 +0530

ARC: Setup Vector Table Base in early boot

commit 05b016ecf5e7a8c24409d8e9effb5d2ec9107708 upstream.

Otherwise early boot exceptions such as instructions errors due to configuration mismatch between kernel and hardware go off to la-la land, as opposed to hitting the handler and panic()'ing properly.

Signed-off-by: Vineet Gupta
Cc: Guenter Roeck
Signed-off-by: Greg Kroah-Hartman

commit 1176dcded10fd4de79aaac9bb1bd77a4aabdba61
Author: Russell King
Date: Tue Aug 6 09:49:14 2013 +0100

ARM: Fix the world famous typo with is_gate_vma()

commit 1d0bbf428924f94867542d49d436cf254b9dbd06 upstream.

Signed-off-by: Russell King
Signed-off-by: Greg Kroah-Hartman
Cc: Colin Cross
Signed-off-by: Greg Kroah-Hartman

commit 77587e89405f5d8225a0e750df254bcc2dcb73e1
Author: Helge Deller
Date: Tue Oct 1 21:54:46 2013 +0200

parisc: fix interruption handler to respect pagefault_disable()

commit 59b33f148cc08fb33cbe823fca1e34f7f023765e upstream.

Running an "echo t > /proc/sysrq-trigger" crashes the parisc kernel. The problem is, that in print_worker_info() we try to read the workqueue info via the probe_kernel_read() functions which use pagefault_disable() to avoid crashes like this:

    probe_kernel_read(&pwq, &worker->current_pwq, sizeof(pwq));
    probe_kernel_read(&wq, &pwq->wq, sizeof(wq));
    probe_kernel_read(name, wq->name, sizeof(name) - 1);

The problem here is, that the first probe_kernel_read(&pwq) might return zero in pwq and as such the following probe_kernel_reads() try to access contents of the page zero which is read protected and generate a kernel segfault.
With this patch we fix the interruption handler to call parisc_terminate() directly only if pagefault_disable() was not called (in which case preempt_count()==0). Otherwise we hand over to the pagefault handler which will try to look up the faulting address in the fixup tables.

Signed-off-by: Helge Deller
Signed-off-by: John David Anglin
Signed-off-by: Helge Deller
Signed-off-by: Greg Kroah-Hartman

commit 40ee05de350259890492ceb4f23017470c553217
Author: Paul Mackerras
Date: Sat Sep 21 09:53:28 2013 +1000

KVM: PPC: Book3S HV: Fix typo in saving DSCR

commit cfc860253abd73e1681696c08ea268d33285a2c4 upstream.

This fixes a typo in the code that saves the guest DSCR (Data Stream Control Register) into the kvm_vcpu_arch struct on guest exit. The effect of the typo was that the DSCR value was saved in the wrong place, so changes to the DSCR by the guest didn't persist across guest exit and entry, and some host kernel memory got corrupted.

Signed-off-by: Paul Mackerras
Acked-by: Alexander Graf
Signed-off-by: Paolo Bonzini
Signed-off-by: Greg Kroah-Hartman

commit cec073e269a8e8ee653ada869b96c59e8286a606
Author: Dave Jones
Date: Thu Oct 10 20:05:35 2013 -0400

ext4: fix memory leak in xattr

commit 6e4ea8e33b2057b85d75175dd89b93f5e26de3bc upstream.

If we take the 2nd retry path in ext4_expand_extra_isize_ea, we potentially return from the function without having freed these allocations. If we don't do the return, we over-write the previous allocation pointers, so we leak either way.

Spotted with Coverity.

[ Fixed by tytso to set is and bs to NULL after freeing these pointers, in case in the retry loop we later end up triggering an error causing a jump to cleanup, at which point we could have a double free bug.
-- Ted ]

Signed-off-by: Dave Jones
Signed-off-by: "Theodore Ts'o"
Reviewed-by: Eric Sandeen
Signed-off-by: Greg Kroah-Hartman

commit a849b2f4200ab490d7a6d80e7632d28dc80c8f6f
Author: Josef Bacik
Date: Wed Oct 9 12:24:04 2013 -0400

Btrfs: use right root when checking for hash collision

commit 4871c1588f92c6c13f4713a7009f25f217055807 upstream.

btrfs_rename was using the root of the old dir instead of the root of the new dir when checking for a hash collision, so if you tried to move a file into a subvol it would freak out because it would see the file you are trying to move in its current root. This fixes the bug where this would fail

    btrfs subvol create test1
    btrfs subvol create test2
    mv test1 test2.

Thanks to Chris Murphy for catching this,

Reported-by: Chris Murphy
Signed-off-by: Josef Bacik
Signed-off-by: Chris Mason
Signed-off-by: Greg Kroah-Hartman

commit 8c279694727d2ec6de4cc9dc96b1d0cfac0f5295
Author: Henrik Rydberg
Date: Wed Oct 2 19:15:03 2013 +0200

hwmon: (applesmc) Always read until end of data

commit 25f2bd7f5add608c1d1405938f39c96927b275ca upstream.

The crash reported and investigated in commit 5f4513 turned out to be caused by a change to the read interface on newer (2012) SMCs.

Tests by Chris show that simply reading the data valid line is enough for the problem to go away. Additional tests show that the newer SMCs no longer wait for the number of requested bytes, but start sending data right away. Apparently the number of bytes to read is no longer specified as before, but instead found out by reading until end of data. Failure to read until end of data confuses the state machine, which eventually causes the crash.

As a remedy, assuming bit0 is the read valid line, make sure there is nothing more to read before leaving the read function.

Tested to resolve the original problem, and runtested on MBA3,1, MBP4,1, MBP8,2, MBP10,1, MBP10,2. The patch seems to have no effect on machines before 2012.
Tested-by: Chris Murphy
Signed-off-by: Henrik Rydberg
Signed-off-by: Guenter Roeck
Signed-off-by: Greg Kroah-Hartman

commit fafd39123416e56bf782e323031e6fdd18b61d60
Author: Taras Kondratiuk
Date: Mon Oct 7 13:41:59 2013 +0300

i2c: omap: Clear ARDY bit twice

commit 4cdbf7d346e7461c3b93a26707c852e2c9db3753 upstream.

Initially commit cb527ede1bf6ff2008a025606f25344b8ed7b4ac "i2c-omap: Double clear of ARDY status in IRQ handler" added a workaround for undocumented errata ProDB0017052. But then commit 1d7afc95946487945cc7f5019b41255b72224b70 "i2c: omap: ack IRQ in parts" refactored code and missed one of ARDY clearings. So current code violates errata. It often causes i2c bus timeouts on my Pandaboard.

This patch adds a second clearing in place.

Signed-off-by: Grygorii Strashko
Signed-off-by: Taras Kondratiuk
Signed-off-by: Wolfram Sang
Signed-off-by: Greg Kroah-Hartman

commit 670c0d101a57340aff4311c26a9ebb65b1d58f5a
Author: Linus Torvalds
Date: Mon Sep 30 08:35:10 2013 -0700

vfs: allow O_PATH file descriptors for fstatfs()

commit 9d05746e7b16d8565dddbe3200faa1e669d23bbf upstream.

Olga reported that file descriptors opened with O_PATH do not work with fstatfs(), found during further development of ksh93's thread support.

There is no reason to not allow O_PATH file descriptors here (fstatfs is very much a path operation), so use "fdget_raw()". See commit 55815f70147d ("vfs: make O_PATH file descriptors usable for 'fstat()'") for a very similar issue reported for fstat() by the same team.

Reported-and-tested-by: ольга крыжановская
Acked-by: Al Viro
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman

commit b7a52f5111bc53ffbfff96330621cbde80df6ba4
Author: Theodore Ts'o
Date: Tue Sep 10 10:52:35 2013 -0400

random: run random_int_secret_init() run after all late_initcalls

commit 47d06e532e95b71c0db3839ebdef3fe8812fca2c upstream.

Some platforms (e.g., ARM) initialize their clocks as late_initcalls for some unknown reason.
So make sure random_int_secret_init() is run after all of the late_initcalls are run.

Signed-off-by: "Theodore Ts'o"
Signed-off-by: Greg Kroah-Hartman

commit 09c517435dd6f29c29822b627f653259e97e7294
Author: David Henningsson
Date: Fri Oct 11 10:18:45 2013 +0200

ALSA: hda - Fix microphone for Sony VAIO Pro 13 (Haswell model)

commit 88cfcf86aa3ada84d97195bcad74f4dadb4ae23b upstream.

The external mic showed up with a presence detect of "always present", essentially disabling the internal mic. Therefore turn off presence detection for this pin.

Note: The external mic seems not yet working, but an internal mic is certainly better than no mic at all.

BugLink: https://bugs.launchpad.net/bugs/1227093
Signed-off-by: David Henningsson
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman

commit 74a8f08dfff48215dabccf8148b7505e00d39c37
Author: Takashi Iwai
Date: Tue Oct 8 19:57:50 2013 +0200

ALSA: hda - Add fixup for ASUS N56VZ

commit c6cc3d58b4042f5cadae653ff8d3df26af1a0169 upstream.

ASUS N56VZ needs a fixup for the bass speaker pin, which was already provided via model=asus-mode4.

Bugzilla: https://bugzilla.novell.com/show_bug.cgi?id=841645
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman

commit 43d3dd157aa81407473c416234c94abcd13c4fc8
Author: Anssi Hannula
Date: Mon Oct 7 19:24:52 2013 +0300

ALSA: hda - hdmi: Fix channel map switch not taking effect

commit 39edac70e9aedf451fccaa851b273ace9fcca0bd upstream.

Currently hdmi_setup_audio_infoframe() reprograms the HDA channel mapping only when the infoframe is not up-to-date or the non-PCM flag has changed.

However, when just the channel map has been changed, the infoframe may still be up-to-date and non-PCM flag may not have changed, so the new channel map is not actually programmed into the HDA codec.
Notably, this failing case is also always triggered when the device is already in a prepared state and a new channel map is configured while changing only the channel positions (for example, plain "speaker-test -c2 -m FR,FL").

Fix that by always programming the channel map in hdmi_setup_audio_infoframe().

Tested on Intel HDMI.

Signed-off-by: Anssi Hannula
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman

commit 044dde0ae7ea37140b31c5068c7517b49b141aae
Author: Daniel Mack
Date: Wed Oct 2 17:49:50 2013 +0200

ALSA: snd-usb-usx2y: remove bogus frame checks

commit a9d14bc0b188a822e42787d01e56c06fe9750162 upstream.

The frame check in i_usX2Y_urb_complete() and i_usX2Y_usbpcm_urb_complete() is bogus and produces false positives as described in this LAU thread:

http://linuxaudio.org/mailarchive/lau/2013/5/20/200177

This patch removes the check code entirely.

Cc: fzu@wemgehoertderstaat.de
Reported-by: Dr Nicholas J Bailey
Suggested-by: Takashi Iwai
Signed-off-by: Daniel Mack
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
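
The wrap-around described in the "ARC: Fix 32-bit wrap around in access_ok()" entry of this changelog, as an added example that is not code from the kernel or from that commit: the sum form accepts a range whose end wraps past zero, and the rewritten comparison rejects it. TASK_SIZE_EX, the function names, the constructed test ranges and the `sz <= TASK_SIZE_EX` guard are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed user-space limit for a 32-bit address space (illustrative value). */
#define TASK_SIZE_EX 0x60000000u

typedef int (*range_check)(uint32_t addr, uint32_t sz);

/* Pre-fix form from the commit message: addr + sz <= TASK_SIZE.
 * The 32-bit sum wraps, so addr == -1 with a small sz looks like a low address. */
static int range_ok_wrapping(uint32_t addr, uint32_t sz)
{
    return (uint32_t)(addr + sz) <= TASK_SIZE_EX;
}

/* Literal reading of the rewritten form: addr <= TASK_SIZE - sz.
 * No wrap on the address side, but the subtraction wraps once sz > TASK_SIZE. */
static int range_ok_unguarded(uint32_t addr, uint32_t sz)
{
    return addr <= (uint32_t)(TASK_SIZE_EX - sz);
}

/* Rewritten form plus a size guard (the guard is this example's assumption). */
static int range_ok_guarded(uint32_t addr, uint32_t sz)
{
    return sz <= TASK_SIZE_EX && addr <= TASK_SIZE_EX - sz;
}

/* Reference answer computed in 64 bits, where nothing can wrap. */
static int range_ok_reference(uint32_t addr, uint32_t sz)
{
    return (uint64_t)addr + (uint64_t)sz <= (uint64_t)TASK_SIZE_EX;
}

/* Constructed test ranges: {addr, size}. */
static const uint32_t cases[][2] = {
    { 0x00001000u,       0x100u      },  /* ordinary user buffer */
    { 0xFFFFFFFFu,       16u         },  /* pointer of -1, as in the LTP test */
    { TASK_SIZE_EX - 8u, 8u          },  /* ends exactly at the limit */
    { TASK_SIZE_EX - 8u, 9u          },  /* one byte past the limit */
    { 0u,                0xFFFFFFFFu },  /* size larger than the limit itself */
    { 0xF0000000u,       0x20000000u },  /* high address, sum wraps to 0x10000000 */
};

/* Number of constructed cases where a check disagrees with the reference. */
static int mismatches(range_check check)
{
    int n = 0;
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        if (!!check(cases[i][0], cases[i][1]) !=
            range_ok_reference(cases[i][0], cases[i][1]))
            n++;
    return n;
}

int main(void)
{
    printf("wrapping : %d mismatches\n", mismatches(range_ok_wrapping));
    printf("unguarded: %d mismatches\n", mismatches(range_ok_unguarded));
    printf("guarded  : %d mismatches\n", mismatches(range_ok_guarded));
    return 0;
}
```

The 64-bit reference exists only to score the three 32-bit forms; a check of this kind on a 32-bit target has to be safe in 32-bit arithmetic alone, which is what the guarded form shows.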