diff --git a/debian/changelog b/debian/changelog
index 7922e977d..f18a5bd8e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,11 @@
-linux (3.2.21-4) UNRELEASED; urgency=low
+linux (3.2.22-1) UNRELEASED; urgency=low
 
+ * New upstream stable update:
+ http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.22
+ - nilfs2: ensure proper cache clearing for gc-inodes
+ - ath9k_hw: avoid possible infinite loop in ar9003_get_pll_sqsum_dvc
+
+ [ Ben Hutchings ]
 * linux-libc-dev: Fix redundant 'GNU glibc' in description (Closes: #631228)
 * README.source: Correct name of main patch series file
 * [sh] Fix up store queue code for subsys_interface changes (Closes: #680025)
diff --git a/debian/patches/bugfix/all/xen-netfront-teardown-the-device-before-unregistering-it.patch b/debian/patches/bugfix/all/xen-netfront-teardown-the-device-before-unregistering-it.patch
deleted file mode 100644
index 822c1c0be..000000000
--- a/debian/patches/bugfix/all/xen-netfront-teardown-the-device-before-unregistering-it.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From: Ian Campbell
-Date: Tue, 26 Jun 2012 09:48:41 +0100
-Subject: xen/netfront: teardown the device before unregistering it.
-Bug-Debian: http://bugs.debian.org/675190
-
-Fixes:
-[ 15.470311] WARNING: at /local/scratch/ianc/devel/kernels/linux/fs/sysfs/file.c:498 sysfs_attr_ns+0x95/0xa0()
-[ 15.470326] sysfs: kobject eth0 without dirent
-[ 15.470333] Modules linked in:
-[ 15.470342] Pid: 12, comm: xenwatch Not tainted 3.4.0-x86_32p-xenU #93
-and
-[ 9.150554] BUG: unable to handle kernel paging request at 2b359000
-[ 9.150577] IP: [] linkwatch_do_dev+0x81/0xc0
-[ 9.150592] *pdpt = 000000002c3c9027 *pde = 0000000000000000
-[ 9.150604] Oops: 0002 [#1] SMP
-[ 9.150613] Modules linked in:
-
-This is http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675190
-
-Reported-by: George Shuklin
-Signed-off-by: Ian Campbell
-Tested-by: William Dauchy
-Cc: stable@kernel.org
-Cc: 675190@bugs.debian.org
----
- drivers/net/xen-netfront.c | 8 ++++----
- 1 files changed, 4 insertions(+), 4 deletions(-)
-
---- a/drivers/net/xen-netfront.c
-+++ b/drivers/net/xen-netfront.c
-@@ -1922,14 +1922,14 @@
-
- dev_dbg(&dev->dev, "%s\n", dev->nodename);
-
-- unregister_netdev(info->netdev);
--
- xennet_disconnect_backend(info);
-
-- del_timer_sync(&info->rx_refill_timer);
--
- xennet_sysfs_delif(info->netdev);
-
-+ unregister_netdev(info->netdev);
-+
-+ del_timer_sync(&info->rx_refill_timer);
-+
- free_percpu(info->stats);
-
- free_netdev(info->netdev);
diff --git a/debian/patches/bugfix/x86/mm-pmd_read_atomic-fix-32bit-pae-pmd-walk-vs-pmd_populate-smp-race.patch b/debian/patches/bugfix/x86/mm-pmd_read_atomic-fix-32bit-pae-pmd-walk-vs-pmd_populate-smp-race.patch
deleted file mode 100644
index 1b2f44156..000000000
--- a/debian/patches/bugfix/x86/mm-pmd_read_atomic-fix-32bit-pae-pmd-walk-vs-pmd_populate-smp-race.patch
+++ /dev/null
@@ -1,214 +0,0 @@
-From: Andrea Arcangeli
-Date: Tue, 29 May 2012 15:06:49 -0700
-Subject: mm: pmd_read_atomic: fix 32bit PAE pmd walk vs pmd_populate SMP race
- condition
-
-commit 26c191788f18129af0eb32a358cdaea0c7479626 upstream.
-
-When holding the mmap_sem for reading, pmd_offset_map_lock should only
-run on a pmd_t that has been read atomically from the pmdp pointer,
-otherwise we may read only half of it leading to this crash.
-
-PID: 11679 TASK: f06e8000 CPU: 3 COMMAND: "do_race_2_panic"
- #0 [f06a9dd8] crash_kexec at c049b5ec
- #1 [f06a9e2c] oops_end at c083d1c2
- #2 [f06a9e40] no_context at c0433ded
- #3 [f06a9e64] bad_area_nosemaphore at c043401a
- #4 [f06a9e6c] __do_page_fault at c0434493
- #5 [f06a9eec] do_page_fault at c083eb45
- #6 [f06a9f04] error_code (via page_fault) at c083c5d5
- EAX: 01fb470c EBX: fff35000 ECX: 00000003 EDX: 00000100 EBP:
- 00000000
- DS: 007b ESI: 9e201000 ES: 007b EDI: 01fb4700 GS: 00e0
- CS: 0060 EIP: c083bc14 ERR: ffffffff EFLAGS: 00010246
- #7 [f06a9f38] _spin_lock at c083bc14
- #8 [f06a9f44] sys_mincore at c0507b7d
- #9 [f06a9fb0] system_call at c083becd
- start len
- EAX: ffffffda EBX: 9e200000 ECX: 00001000 EDX: 6228537f
- DS: 007b ESI: 00000000 ES: 007b EDI: 003d0f00
- SS: 007b ESP: 62285354 EBP: 62285388 GS: 0033
- CS: 0073 EIP: 00291416 ERR: 000000da EFLAGS: 00000286
-
-This should be a longstanding bug affecting x86 32bit PAE without THP.
-Only archs with 64bit large pmd_t and 32bit unsigned long should be
-affected.
-
-With THP enabled the barrier() in pmd_none_or_trans_huge_or_clear_bad()
-would partly hide the bug when the pmd transition from none to stable,
-by forcing a re-read of the *pmd in pmd_offset_map_lock, but when THP is
-enabled a new set of problem arises by the fact could then transition
-freely in any of the none, pmd_trans_huge or pmd_trans_stable states.
-So making the barrier in pmd_none_or_trans_huge_or_clear_bad()
-unconditional isn't good idea and it would be a flakey solution.
-
-This should be fully fixed by introducing a pmd_read_atomic that reads
-the pmd in order with THP disabled, or by reading the pmd atomically
-with cmpxchg8b with THP enabled.
-
-Luckily this new race condition only triggers in the places that must
-already be covered by pmd_none_or_trans_huge_or_clear_bad() so the fix
-is localized there but this bug is not related to THP.
-
-NOTE: this can trigger on x86 32bit systems with PAE enabled with more
-than 4G of ram, otherwise the high part of the pmd will never risk to be
-truncated because it would be zero at all times, in turn so hiding the
-SMP race.
-
-This bug was discovered and fully debugged by Ulrich, quote:
-
-----
-[..]
-pmd_none_or_trans_huge_or_clear_bad() loads the content of edx and
-eax.
-
- 496 static inline int pmd_none_or_trans_huge_or_clear_bad(pmd_t
- *pmd)
- 497 {
- 498 /* depend on compiler for an atomic pmd read */
- 499 pmd_t pmdval = *pmd;
-
- // edi = pmd pointer
-0xc0507a74 : mov 0x8(%esp),%edi
-...
- // edx = PTE page table high address
-0xc0507a84 : mov 0x4(%edi),%edx
-...
- // eax = PTE page table low address
-0xc0507a8e : mov (%edi),%eax
-
-[..]
-
-Please note that the PMD is not read atomically. These are two "mov"
-instructions where the high order bits of the PMD entry are fetched
-first. Hence, the above machine code is prone to the following race.
-
-- The PMD entry {high|low} is 0x0000000000000000.
- The "mov" at 0xc0507a84 loads 0x00000000 into edx.
-
-- A page fault (on another CPU) sneaks in between the two "mov"
- instructions and instantiates the PMD.
-
-- The PMD entry {high|low} is now 0x00000003fda38067.
- The "mov" at 0xc0507a8e loads 0xfda38067 into eax.
-----
-
-Reported-by: Ulrich Obergfell
-Signed-off-by: Andrea Arcangeli
-Cc: Mel Gorman
-Cc: Hugh Dickins
-Cc: Larry Woodman
-Cc: Petr Matousek
-Cc: Rik van Riel
-Signed-off-by: Andrew Morton
-Signed-off-by: Linus Torvalds
-Signed-off-by: Ben Hutchings
----
- arch/x86/include/asm/pgtable-3level.h | 50 +++++++++++++++++++++++++++++++++
- include/asm-generic/pgtable.h | 22 +++++++++++++--
- 2 files changed, 70 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/include/asm/pgtable-3level.h b/arch/x86/include/asm/pgtable-3level.h
-index effff47..43876f1 100644
---- a/arch/x86/include/asm/pgtable-3level.h
-+++ b/arch/x86/include/asm/pgtable-3level.h
-@@ -31,6 +31,56 @@ static inline void native_set_pte(pte_t *ptep, pte_t pte)
- ptep->pte_low = pte.pte_low;
- }
-
-+#define pmd_read_atomic pmd_read_atomic
-+/*
-+ * pte_offset_map_lock on 32bit PAE kernels was reading the pmd_t with
-+ * a "*pmdp" dereference done by gcc. Problem is, in certain places
-+ * where pte_offset_map_lock is called, concurrent page faults are
-+ * allowed, if the mmap_sem is hold for reading. An example is mincore
-+ * vs page faults vs MADV_DONTNEED. On the page fault side
-+ * pmd_populate rightfully does a set_64bit, but if we're reading the
-+ * pmd_t with a "*pmdp" on the mincore side, a SMP race can happen
-+ * because gcc will not read the 64bit of the pmd atomically. To fix
-+ * this all places running pmd_offset_map_lock() while holding the
-+ * mmap_sem in read mode, shall read the pmdp pointer using this
-+ * function to know if the pmd is null nor not, and in turn to know if
-+ * they can run pmd_offset_map_lock or pmd_trans_huge or other pmd
-+ * operations.
-+ *
-+ * Without THP if the mmap_sem is hold for reading, the
-+ * pmd can only transition from null to not null while pmd_read_atomic runs.
-+ * So there's no need of literally reading it atomically.
-+ *
-+ * With THP if the mmap_sem is hold for reading, the pmd can become
-+ * THP or null or point to a pte (and in turn become "stable") at any
-+ * time under pmd_read_atomic, so it's mandatory to read it atomically
-+ * with cmpxchg8b.
-+ */
-+#ifndef CONFIG_TRANSPARENT_HUGEPAGE
-+static inline pmd_t pmd_read_atomic(pmd_t *pmdp)
-+{
-+ pmdval_t ret;
-+ u32 *tmp = (u32 *)pmdp;
-+
-+ ret = (pmdval_t) (*tmp);
-+ if (ret) {
-+ /*
-+ * If the low part is null, we must not read the high part
-+ * or we can end up with a partial pmd.
-+ */
-+ smp_rmb();
-+ ret |= ((pmdval_t)*(tmp + 1)) << 32;
-+ }
-+
-+ return (pmd_t) { ret };
-+}
-+#else /* CONFIG_TRANSPARENT_HUGEPAGE */
-+static inline pmd_t pmd_read_atomic(pmd_t *pmdp)
-+{
-+ return (pmd_t) { atomic64_read((atomic64_t *)pmdp) };
-+}
-+#endif /* CONFIG_TRANSPARENT_HUGEPAGE */
-+
- static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
- {
- set_64bit((unsigned long long *)(ptep), native_pte_val(pte));
-diff --git a/include/asm-generic/pgtable.h b/include/asm-generic/pgtable.h
-index e2768f1..6f2b45a 100644
---- a/include/asm-generic/pgtable.h
-+++ b/include/asm-generic/pgtable.h
-@@ -445,6 +445,18 @@ static inline int pmd_write(pmd_t pmd)
- #endif /* __HAVE_ARCH_PMD_WRITE */
- #endif /* CONFIG_TRANSPARENT_HUGEPAGE */
-
-+#ifndef pmd_read_atomic
-+static inline pmd_t pmd_read_atomic(pmd_t *pmdp)
-+{
-+ /*
-+ * Depend on compiler for an atomic pmd read. NOTE: this is
-+ * only going to work, if the pmdval_t isn't larger than
-+ * an unsigned long.
-+ */
-+ return *pmdp;
-+}
-+#endif
-+
- /*
- * This function is meant to be used by sites walking pagetables with
- * the mmap_sem hold in read mode to protect against MADV_DONTNEED and
-@@ -458,11 +470,17 @@ static inline int pmd_write(pmd_t pmd)
- * undefined so behaving like if the pmd was none is safe (because it
- * can return none anyway). The compiler level barrier() is critically
- * important to compute the two checks atomically on the same pmdval.
-+ *
-+ * For 32bit kernels with a 64bit large pmd_t this automatically takes
-+ * care of reading the pmd atomically to avoid SMP race conditions
-+ * against pmd_populate() when the mmap_sem is hold for reading by the
-+ * caller (a special atomic read not done by "gcc" as in the generic
-+ * version above, is also needed when THP is disabled because the page
-+ * fault can populate the pmd from under us).
- */
- static inline int pmd_none_or_trans_huge_or_clear_bad(pmd_t *pmd)
- {
-- /* depend on compiler for an atomic pmd read */
-- pmd_t pmdval = *pmd;
-+ pmd_t pmdval = pmd_read_atomic(pmd);
- /*
- * The barrier will stabilize the pmdval in a register or on
- * the stack so that it will stop changing under the code.
diff --git a/debian/patches/bugfix/x86/thp-avoid-atomic64_read-in-pmd_read_atomic-for-32bit-pae.patch b/debian/patches/bugfix/x86/thp-avoid-atomic64_read-in-pmd_read_atomic-for-32bit-pae.patch
deleted file mode 100644
index 0a8dfe616..000000000
--- a/debian/patches/bugfix/x86/thp-avoid-atomic64_read-in-pmd_read_atomic-for-32bit-pae.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-From: Andrea Arcangeli
-Subject: thp: avoid atomic64_read in pmd_read_atomic for 32bit PAE
-
-In the x86 32bit PAE CONFIG_TRANSPARENT_HUGEPAGE=y case while holding the
-mmap_sem for reading, cmpxchg8b cannot be used to read pmd contents under
-Xen.
-
-So instead of dealing only with "consistent" pmdvals in
-pmd_none_or_trans_huge_or_clear_bad() (which would be conceptually
-simpler) we let pmd_none_or_trans_huge_or_clear_bad() deal with pmdvals
-where the low 32bit and high 32bit could be inconsistent (to avoid having
-to use cmpxchg8b).
-
-The only guarantee we get from pmd_read_atomic is that if the low part of
-the pmd was found null, the high part will be null too (so the pmd will be
-considered unstable). And if the low part of the pmd is found "stable"
-later, then it means the whole pmd was read atomically (because after a
-pmd is stable, neither MADV_DONTNEED nor page faults can alter it anymore,
-and we read the high part after the low part).
-
-In the 32bit PAE x86 case, it is enough to read the low part of the pmdval
-atomically to declare the pmd as "stable" and that's true for THP and no
-THP, furthermore in the THP case we also have a barrier() that will
-prevent any inconsistent pmdvals to be cached by a later re-read of the
-*pmd.
-
-Signed-off-by: Andrea Arcangeli
-Cc: Jonathan Nieder
-Cc: Ulrich Obergfell
-Cc: Mel Gorman
-Cc: Hugh Dickins
-Cc: Larry Woodman
-Cc: Petr Matousek
-Cc: Rik van Riel
-Cc: Jan Beulich
-Cc: KOSAKI Motohiro
-Cc:
-Signed-off-by: Andrew Morton
----
-
- arch/x86/include/asm/pgtable-3level.h | 30 +++++++++++++-----------
- include/asm-generic/pgtable.h | 10 ++++++++
- 2 files changed, 27 insertions(+), 13 deletions(-)
-
---- a/arch/x86/include/asm/pgtable-3level.h
-+++ b/arch/x86/include/asm/pgtable-3level.h
-@@ -47,16 +47,26 @@
- * they can run pmd_offset_map_lock or pmd_trans_huge or other pmd
- * operations.
- *
-- * Without THP if the mmap_sem is hold for reading, the
-- * pmd can only transition from null to not null while pmd_read_atomic runs.
-- * So there's no need of literally reading it atomically.
-+ * Without THP if the mmap_sem is hold for reading, the pmd can only
-+ * transition from null to not null while pmd_read_atomic runs. So
-+ * we can always return atomic pmd values with this function.
- *
- * With THP if the mmap_sem is hold for reading, the pmd can become
-- * THP or null or point to a pte (and in turn become "stable") at any
-- * time under pmd_read_atomic, so it's mandatory to read it atomically
-- * with cmpxchg8b.
-+ * trans_huge or none or point to a pte (and in turn become "stable")
-+ * at any time under pmd_read_atomic. We could read it really
-+ * atomically here with a atomic64_read for the THP enabled case (and
-+ * it would be a whole lot simpler), but to avoid using cmpxchg8b we
-+ * only return an atomic pmdval if the low part of the pmdval is later
-+ * found stable (i.e. pointing to a pte). And we're returning a none
-+ * pmdval if the low part of the pmd is none. In some cases the high
-+ * and low part of the pmdval returned may not be consistent if THP is
-+ * enabled (the low part may point to previously mapped hugepage,
-+ * while the high part may point to a more recently mapped hugepage),
-+ * but pmd_none_or_trans_huge_or_clear_bad() only needs the low part
-+ * of the pmd to be read atomically to decide if the pmd is unstable
-+ * or not, with the only exception of when the low part of the pmd is
-+ * zero in which case we return a none pmd.
- */
--#ifndef CONFIG_TRANSPARENT_HUGEPAGE
- static inline pmd_t pmd_read_atomic(pmd_t *pmdp)
- {
- pmdval_t ret;
-@@ -74,12 +84,6 @@
-
- return (pmd_t) { ret };
- }
--#else /* CONFIG_TRANSPARENT_HUGEPAGE */
--static inline pmd_t pmd_read_atomic(pmd_t *pmdp)
--{
-- return (pmd_t) { atomic64_read((atomic64_t *)pmdp) };
--}
--#endif /* CONFIG_TRANSPARENT_HUGEPAGE */
-
- static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
- {
---- a/include/asm-generic/pgtable.h
-+++ b/include/asm-generic/pgtable.h
-@@ -484,6 +484,16 @@
- /*
- * The barrier will stabilize the pmdval in a register or on
- * the stack so that it will stop changing under the code.
-+ *
-+ * When CONFIG_TRANSPARENT_HUGEPAGE=y on x86 32bit PAE,
-+ * pmd_read_atomic is allowed to return a not atomic pmdval
-+ * (for example pointing to an hugepage that has never been
-+ * mapped in the pmd). The below checks will only care about
-+ * the low part of the pmd with 32bit PAE x86 anyway, with the
-+ * exception of pmd_none(). So the important thing is that if
-+ * the low part of the pmd is found null, the high part will
-+ * be also null or the pmd_none() check below would be
-+ * confused.
- */
- #ifdef CONFIG_TRANSPARENT_HUGEPAGE
- barrier();
diff --git a/debian/patches/features/all/cpu-devices/X86-Introduce-HW-Pstate-scattered-cpuid-feature.patch b/debian/patches/features/all/cpu-devices/X86-Introduce-HW-Pstate-scattered-cpuid-feature.patch
index ece442c08..b7aeb42aa 100644
--- a/debian/patches/features/all/cpu-devices/X86-Introduce-HW-Pstate-scattered-cpuid-feature.patch
+++ b/debian/patches/features/all/cpu-devices/X86-Introduce-HW-Pstate-scattered-cpuid-feature.patch
@@ -22,20 +22,16 @@ Signed-off-by: Greg Kroah-Hartman arch/x86/kernel/cpu/scattered.c | 1 + 2 files changed, 2 insertions(+) -diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h -index 17c5d4b..67b0910 100644 --- a/arch/x86/include/asm/cpufeature.h +++ b/arch/x86/include/asm/cpufeature.h
@@ -176,6 +176,7 @@ #define X86_FEATURE_PLN (7*32+ 5) /* Intel Power Limit Notification */ #define X86_FEATURE_PTS (7*32+ 6) /* Intel Package Thermal Status */ - #define X86_FEATURE_DTS (7*32+ 7) /* Digital Thermal Sensor */ + #define X86_FEATURE_DTHERM (7*32+ 7) /* Digital Thermal Sensor */ +#define X86_FEATURE_HW_PSTATE (7*32+ 8) /* AMD HW-PState */ /* Virtualization flags: Linux defined, word 8 */ #define X86_FEATURE_TPR_SHADOW (8*32+ 0) /* Intel TPR Shadow */ -diff --git a/arch/x86/kernel/cpu/scattered.c b/arch/x86/kernel/cpu/scattered.c -index c7f64e6..addf9e8 100644 --- a/arch/x86/kernel/cpu/scattered.c +++ b/arch/x86/kernel/cpu/scattered.c @@ -40,6 +40,7 @@ void __cpuinit init_scattered_cpuid_features(struct cpuinfo_x86 *c) diff --git a/debian/patches/series b/debian/patches/series index 96c18373f..2bd1851a3 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -291,8 +291,6 @@ features/all/codel/0007-fq_codel-should-use-qdisc-backlog-as-threshold.patch features/all/AppArmor-compatibility-patch-for-v5-interface.patch bugfix/all/apparmor-remove-advertising-the-support-of-network-r.patch -bugfix/x86/mm-pmd_read_atomic-fix-32bit-pae-pmd-walk-vs-pmd_populate-smp-race.patch -bugfix/x86/thp-avoid-atomic64_read-in-pmd_read_atomic-for-32bit-pae.patch bugfix/all/hugepages-fix-use-after-free-bug-in-quota-handling.patch # netdev features, probably useful for other backports but not needed yet @@ -369,8 +367,6 @@ features/arm/ARM-7259-3-net-JIT-compiler-for-packet-filters.patch features/arm/ARM-fix-Kconfig-warning-for-HAVE_BPF_JIT.patch features/arm/net-drop-NET-dependency-from-HAVE_BPF_JIT.patch -bugfix/all/xen-netfront-teardown-the-device-before-unregistering-it.patch - # Until next ABI bump debian/driver-core-avoid-ABI-change-for-removal-of-__must_check.patch