05 Feb, 2012

3 commits

  • * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
    Input: i8042 - add Lenovo Ideapad U455 to 'reset' blacklist
    Input: serio_raw - return proper result when serio_raw_read fails
    Input: document device properties
    Input: twl4030_keypad - fix comment (trivial)
    Input: gpio_keys - fix struct device declared inside parameter list
    Input: evdev - fix variable initialisation

    Linus Torvalds
     
  • * 'fixes' of git://git.infradead.org/users/vkoul/slave-dma:
    i.MX SDMA: Fix burstsize settings
    ARM: mach-shmobile: both USB DMAC instances on sh7372 are slave-only
    dma: sh_dma: not all SH DMAC implementations support MEMCPY
    at_hdmac: bugfix for enabling channel irq
    dmaengine: fix missing 'cnt' in ?: in dmatest

    Linus Torvalds
     
  • * akpm:
    mm: compaction: check pfn_valid when entering a new MAX_ORDER_NR_PAGES block during isolation for migration
    readahead: fix pipeline break caused by block plug
    kprobes: fix a memory leak in function pre_handler_kretprobe()
    drivers/tty/vt/vt_ioctl.c: fix KDFONTOP 32bit compatibility layer
    lkdtm: avoid calling lkdtm_do_action() with spinlock held
    mm/filemap_xip.c: fix race condition in xip_file_fault()
    mm/memcontrol.c: fix warning with CONFIG_NUMA=n
    avr32: select generic atomic64_t support
    mm: postpone migrated page mapping reset
    xtensa: fix memscan()
    MAINTAINERS: update lguest F: patterns
    MAINTAINERS: remove staging sections
    MAINTAINERS: remove iMX5 section
    MAINTAINERS: update partitions block F: patterns

    Linus Torvalds
     

04 Feb, 2012

19 commits

  • - Fix a regression in 16-bit Atmel NAND flash which was introduced in 3.1
    - Fix breakage with MTD suspend caused by the API rework
    - Fix a problem with resetting the MX28 BCH module
    - A couple of other trivial fixes

    * tag 'for-linus-3.3-20120204' of git://git.infradead.org/~dwmw2/mtd-3.3:
    Revert "mtd: atmel_nand: optimize read/write buffer functions"
    mtd: fix MTD suspend
    jffs2: do not initialize variable unnecessarily
    mtd: gpmi-nand bugfix: reset the BCH module when it is not MX23
    mtd: nand: fix typo in comment

    Linus Torvalds
     
  • This reverts commit fb5427508abbd635e877fabdf55795488119c2d6.

    The reason is that it breaks 16 bits NAND flash as it was reported by
    Nikolaus Voss and confirmed by Eric Bénard.

    Nicolas Ferre also confirmed:
    "After double checking with designers, I must admit that I misunderstood
    the way of optimizing accesses to SMC. 16 bit nand is not so common
    those days..."

    Reported-by: Nikolaus Voss
    Acked-by: Nicolas Ferre
    Signed-off-by: Artem Bityutskiy
    Signed-off-by: David Woodhouse
    Cc: stable@kernel.org [3.1+]

    Artem Bityutskiy
     
  • * 'fixes' of git://git.linaro.org/people/rmk/linux-arm:
    ARM: 7314/1: kuser: consistently use usr_ret for returning from helpers
    ARM: 7302/1: Add TLB flushing for both entries in a PMD
    ARM: 7303/1: perf: add empty NODE event definitions for Cortex-A5 and Cortex-A15
    ARM: 7308/1: vfp: flush thread hwstate before copying ptrace registers
    ARM: 7307/1: vfp: fix ptrace regset modification race
    ARM: 7306/1: vfp: flush thread hwstate before restoring context from sigframe
    Revert "ARM: 7304/1: ioremap: fix boundary check when reusing static mapping"

    Linus Torvalds
     
  • …ing isolation for migration

    When isolating for migration, migration starts at the start of a zone
    which is not necessarily pageblock aligned. Further, it stops isolating
    when COMPACT_CLUSTER_MAX pages are isolated so migrate_pfn is generally
    not aligned. This allows isolate_migratepages() to call pfn_to_page() on
    an invalid PFN which can result in a crash. This was originally reported
    against a 3.0-based kernel with the following trace in a crash dump.

    PID: 9902 TASK: d47aecd0 CPU: 0 COMMAND: "memcg_process_s"
    #0 [d72d3ad0] crash_kexec at c028cfdb
    #1 [d72d3b24] oops_end at c05c5322
    #2 [d72d3b38] __bad_area_nosemaphore at c0227e60
    #3 [d72d3bec] bad_area at c0227fb6
    #4 [d72d3c00] do_page_fault at c05c72ec
    #5 [d72d3c80] error_code (via page_fault) at c05c47a4
    EAX: 00000000 EBX: 000c0000 ECX: 00000001 EDX: 00000807 EBP: 000c0000
    DS: 007b ESI: 00000001 ES: 007b EDI: f3000a80 GS: 6f50
    CS: 0060 EIP: c030b15a ERR: ffffffff EFLAGS: 00010002
    #6 [d72d3cb4] isolate_migratepages at c030b15a
    #7 [d72d3d14] zone_watermark_ok at c02d26cb
    #8 [d72d3d2c] compact_zone at c030b8de
    #9 [d72d3d68] compact_zone_order at c030bba1
    #10 [d72d3db4] try_to_compact_pages at c030bc84
    #11 [d72d3ddc] __alloc_pages_direct_compact at c02d61e7
    #12 [d72d3e08] __alloc_pages_slowpath at c02d66c7
    #13 [d72d3e78] __alloc_pages_nodemask at c02d6a97
    #14 [d72d3eb8] alloc_pages_vma at c030a845
    #15 [d72d3ed4] do_huge_pmd_anonymous_page at c03178eb
    #16 [d72d3f00] handle_mm_fault at c02f36c6
    #17 [d72d3f30] do_page_fault at c05c70ed
    #18 [d72d3fb0] error_code (via page_fault) at c05c47a4
    EAX: b71ff000 EBX: 00000001 ECX: 00001600 EDX: 00000431
    DS: 007b ESI: 08048950 ES: 007b EDI: bfaa3788
    SS: 007b ESP: bfaa36e0 EBP: bfaa3828 GS: 6f50
    CS: 0073 EIP: 080487c8 ERR: ffffffff EFLAGS: 00010202

    It was also reported by Herbert van den Bergh against a 3.1-based kernel
    with the following snippet from the console log.

    BUG: unable to handle kernel paging request at 01c00008
    IP: [<c0522399>] isolate_migratepages+0x119/0x390
    *pdpt = 000000002f7ce001 *pde = 0000000000000000

    It is expected that it also affects 3.2.x and current mainline.

    The problem is that pfn_valid is only called on the first PFN being
    checked and that PFN is not necessarily aligned. Let's say we have a case
    like this

    H = MAX_ORDER_NR_PAGES boundary
    | = pageblock boundary
    m = cc->migrate_pfn
    f = cc->free_pfn
    o = memory hole

    H------|------H------|----m-Hoooooo|ooooooH-f----|------H

    The migrate_pfn is just below a memory hole and the free scanner is beyond
    the hole. When isolate_migratepages started, it scans from migrate_pfn to
    migrate_pfn+pageblock_nr_pages which is now in a memory hole. It checks
    pfn_valid() on the first PFN but then scans into the hole where there are
    not necessarily valid struct pages.

    This patch ensures that isolate_migratepages calls pfn_valid when
    necessary.

    Reported-by: Herbert van den Bergh <herbert.van.den.bergh@oracle.com>
    Tested-by: Herbert van den Bergh <herbert.van.den.bergh@oracle.com>
    Signed-off-by: Mel Gorman <mgorman@suse.de>
    Acked-by: Michal Nazarewicz <mina86@mina86.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

    Mel Gorman
     
  • Herbert Poetzl reported a performance regression since 2.6.39. The test
    is a simple dd read, but with big block size. The reason is:

    T1: ra (A, A+128k), (A+128k, A+256k)
    T2: lock_page for page A, submit the 256k
    T3: hit page A+128K, ra (A+256k, A+384). the range isn't submitted
    because of plug and there isn't any lock_page till we hit page A+256k
    because all pages from A to A+256k are in memory
    T4: hit page A+256k, ra (A+384, A+ 512). Because of plug, the range isn't
    submitted again.
    T5: lock_page A+256k, so (A+256k, A+512k) will be submitted. The task is
    waiting for (A+256k, A+512k) to finish.

    There is no request to disk in T3 and T4, so readahead pipeline breaks.

    We really don't need block plug for generic_file_aio_read() for buffered
    I/O. The readahead already has plug and has fine grained control when I/O
    should be submitted. Deleting plug for buffered I/O fixes the regression.

    One side effect is plug makes the request size 256k, the size is 128k
    without it. This is because default ra size is 128k and not a reason we
    need plug here.

    Vivek said:

    : We submit some readahead IO to device request queue but because of nested
    : plug, queue never gets unplugged. When read logic reaches a page which is
    : not in page cache, it waits for page to be read from the disk
    : (lock_page_killable()) and that time we flush the plug list.
    :
    : So effectively read ahead logic is kind of broken in parts because of
    : nested plugging. Removing top level plug (generic_file_aio_read()) for
    : buffered reads, will allow unplugging queue earlier for readahead.

    Signed-off-by: Shaohua Li
    Signed-off-by: Wu Fengguang
    Reported-by: Herbert Poetzl
    Tested-by: Eric Dumazet
    Cc: Christoph Hellwig
    Cc: Jens Axboe
    Cc: Vivek Goyal
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Shaohua Li
     
  • In function pre_handler_kretprobe(), the allocated kretprobe_instance
    object will get leaked if the entry_handler callback returns non-zero.
    This may cause all the preallocated kretprobe_instance objects to be exhausted.

    This issue can be reproduced by changing
    samples/kprobes/kretprobe_example.c to probe "mutex_unlock". And the fix
    is straightforward: just put the allocated kretprobe_instance object back
    onto the free_instances list.

    [akpm@linux-foundation.org: use raw_spin_lock/unlock]
    Signed-off-by: Jiang Liu
    Acked-by: Jim Keniston
    Acked-by: Ananth N Mavinakayanahalli
    Cc: Masami Hiramatsu
    Cc: Anil S Keshavamurthy
    Cc: "David S. Miller"
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Jiang Liu
     
  • KDFONTOP(GET) currently fails with EIO when being run in a 32bit userland
    with a 64bit kernel if the font width is not 8.

    This is because of the setting of the KD_FONT_FLAG_OLD flag, which makes
    con_font_get return EIO in such case.

    This flag should *not* be set for KDFONTOP, since it's actually the whole
    point of this flag (see comment in con_font_set for instance).

    Signed-off-by: Samuel Thibault
    Reviewed-by: Arnd Bergmann
    Cc: Greg Kroah-Hartman
    Cc: Arthur Taylor
    Cc: Jiri Slaby
    Cc: Jiri Olsa
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Samuel Thibault
     
  • lkdtm_do_action() may call sleeping functions like kmalloc(), so do not
    call it with spin lock held.

    Signed-off-by: WANG Cong
    Cc: Prarit Bhargava
    Cc: Arnd Bergmann
    Cc: Greg Kroah-Hartman
    Reviewed-by: Dave Young
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Cong Wang
     
  • Fix a race condition that shows in conjunction with xip_file_fault() when
    two threads of the same user process fault on the same memory page.

    In this case, the race winner will install the page table entry and the
    unlucky loser will cause an oops: xip_file_fault calls vm_insert_pfn (via
    vm_insert_mixed) which drops out at this check:

    retval = -EBUSY;
    if (!pte_none(*pte))
            goto out_unlock;

    The resulting -EBUSY return value will trigger a BUG_ON() in
    xip_file_fault.

    This fix simply considers the fault as fixed in this case, because the
    race winner has successfully installed the pte.

    [akpm@linux-foundation.org: use conventional (and consistent) comment layout]
    Reported-by: David Sadler
    Signed-off-by: Carsten Otte
    Reported-by: Louis Alex Eisner
    Cc: Hugh Dickins
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Carsten Otte
     
  • mm/memcontrol.c: In function 'memcg_check_events':
    mm/memcontrol.c:779: warning: unused variable 'do_numainfo'

    Acked-by: Michal Hocko
    Cc: Li Zefan
    Cc: Hiroyuki KAMEZAWA
    Cc: Johannes Weiner
    Acked-by: "Kirill A. Shutemov"
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Andrew Morton
     
  • Enable use of the generic atomic64 implementation on AVR32 platforms.
    Without this the kernel fails to build as the architecture does not
    provide its version.

    Signed-off-by: Fabio Baltieri
    Acked-by: Hans-Christian Egtvedt
    Cc: Haavard Skinnemoen
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Fabio Baltieri
     
  • Postpone resetting page->mapping until the final remove_migration_ptes().
    Otherwise the expression PageAnon(migration_entry_to_page(entry)) does not
    work.

    Signed-off-by: Konstantin Khlebnikov
    Cc: Hugh Dickins
    Cc: KAMEZAWA Hiroyuki
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Konstantin Khlebnikov
     
  • Defining memscan() as memchr() is wrong, because the return values of
    memscan() and memchr() are different when the character is not found. So
    use the generic memscan() implementation to fix this.

    Signed-off-by: Akinobu Mita
    Cc: Chris Zankel
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Akinobu Mita
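
The return-value difference behind the memscan() fix above, as an added example (userspace code written for this page, not the kernel's or the xtensa tree's source). `memscan_generic` follows the documented memscan() contract of returning one byte past the area on a miss; `honours_memscan_contract` and `field_len` are hypothetical helpers, and the sample strings are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef void *(*scan_fn)(void *, int, size_t);

/* memscan() contract: first byte equal to c, or addr + size if absent. */
void *memscan_generic(void *addr, int c, size_t size)
{
    unsigned char *p = addr;

    while (size) {
        if (*p == (unsigned char)c)
            return p;
        p++;
        size--;
    }
    return p;               /* one byte past the area, never NULL */
}

/* The definition the commit calls wrong: memscan() as memchr(). */
void *memscan_as_memchr(void *addr, int c, size_t size)
{
    return memchr(addr, c, size);   /* NULL when c is absent */
}

/* Returns 1 if scan behaves like memscan() on both a hit and a miss. */
int honours_memscan_contract(scan_fn scan)
{
    char area[] = "key=value";      /* constructed sample */
    size_t n = sizeof(area) - 1;
    void *hit = scan(area, '=', n);
    void *miss = scan(area, ';', n);

    return hit == (void *)(area + 3) && miss == (void *)(area + n);
}

/*
 * Caller written in memscan() style: length of the field before delim,
 * or the whole area when delim is absent. The NULL branch exists only to
 * make the memchr() behaviour observable; a caller relying on memscan()
 * has no such check and would go on to use the NULL pointer.
 */
long field_len(scan_fn scan, char *buf, size_t n, int delim)
{
    char *end = scan(buf, delim, n);

    if (!end)
        return -1;
    return (long)(end - buf);
}

int main(void)
{
    char s[] = "abc";       /* constructed sample, no delimiter present */

    printf("generic: contract=%d len=%ld\n",
           honours_memscan_contract(memscan_generic),
           field_len(memscan_generic, s, 3, ','));
    printf("memchr:  contract=%d len=%ld\n",
           honours_memscan_contract(memscan_as_memchr),
           field_len(memscan_as_memchr, s, 3, ','));
    return 0;
}
```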
     
  • commit 07fe9977b623 ("lguest: move the lguest tool to the tools
    directory") moved the files, update the patterns. Sort F: patterns
    alphabetically too.

    Signed-off-by: Joe Perches
    Cc: Davidlohr Bueso
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Joe Perches
     
  • Two commits moved files from staging to drivers/media/

    commit d6ce55de3abcc ("[media] move cx25821 out of staging")
    commit be30497085080 ("[media] move tm6000 to drivers/media/video")

    Remove the sections.

    Signed-off-by: Joe Perches
    Cc: Mauro Carvalho Chehab
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Joe Perches
     
  • commit 784a90c0a7d8f5 ("ARM i.MX: Merge i.MX5 support into mach-imx")
    merged the files, remove the iMX5 section.

    Signed-off-by: Joe Perches
    Cc: Amit Kucheria
    Cc: Sascha Hauer
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Joe Perches
     
  • Commit 9be96f3fd101 ("move fs/partitions to block/") moved the files,
    update the patterns.

    Signed-off-by: Joe Perches
    Cc: Al Viro
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Joe Perches
     
  • Trivial kmemleak bug-fixes:

    - Early logging doesn't stop when kmemleak is off by default.
    - Zero-size scanning areas should be ignored (currently it prints a
    warning).

    * tag 'kmemleak-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/cmarinas/linux:
    kmemleak: Disable early logging when kmemleak is off by default
    kmemleak: Only scan non-zero-size areas

    Linus Torvalds
     
  • sound fixes for 3.3-rc3

    Most of the commits are either regression fixes for various HD-audio
    codecs or small ASoC fixes. Also a trivial build fix is included.

    * tag 'sound-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
    ALSA: hda - Disable dynamic-power control for VIA as default
    ALSA: hda - Allow analog low-current mode when dynamic power-control is on
    ALSA: hda - Fix the logic to detect VIA analog low-current mode
    ALSA: hda - Check power-state before changing in patch_via.c
    ALSA: HDA: Fix duplicated output to more than one codec
    ALSA: hda - Fix calling cs_automic twice for Cirrus codecs.
    ALSA: HDA: Remove quirk for Toshiba Qosmio G50
    ALSA: HDA: Fix jack creation for codecs with front and rear Line In
    ALSA: hda - Apply 0x0f-VREF fix to all ASUS laptops with ALC861/660
    ASoC: neo1973_wm8753: remove references to the neo1973-gta01 machine
    ALSA: Add #ifdef CONFIG_PCI guard for snd_pci_quirk_* functions
    ASoC: wm_hubs: fix wrong bits for LINEOUT2 N/P mixer
    ALSA: HDA: Remove quirk for Asus N53Jq
    ASoC: wm_hubs: Enable line out VMID buffer for single ended line outputs
    ASoC: wm5100: Mark register cache as dirty when regulators are disabled
    ASoC: wm8962: Mark register cache as dirty when regulators are disabled
    ASoC: wm8996: Mark register cache as dirty when regulators are disabled
    ASoC: wm5100: Fix microphone configuration
    ASoC: wm5100: Make sure we switch to button reporting mode

    Linus Torvalds
     

03 Feb, 2012

18 commits

  • __kuser_cmpxchg64 has a return path using bx lr to get back to the caller.
    This is actually ok since the code in question is predicated on
    CONFIG_CPU_32v6K, but for the sake of consistency using the usr_ret
    macro is probably better.

    Acked-by: Dave Martin
    Acked-by: Nicolas Pitre
    Signed-off-by: Will Deacon
    Signed-off-by: Russell King

    Will Deacon
     
  • From 2d5a38a56453421e82428155f4b00303f3fb19b2 Mon Sep 17 00:00:00 2001
    From: Igor Murzov
    Date: Wed, 1 Feb 2012 03:11:53 +0400
    Subject: [PATCH] Input: i8042 - add Lenovo Ideapad U455 to 'reset' blacklist

    Lenovo Ideapad U455 needs to be in the reset quirk list for its
    touchpad's proper function.

    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=40672

    Signed-off-by: Igor Murzov
    Signed-off-by: Dmitry Torokhov

    Igor Murzov
     
  • * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client:
    rbd: fix safety of rbd_put_client()
    rbd: fix a memory leak in rbd_get_client()
    ceph: create a new session lock to avoid lock inversion
    ceph: fix length validation in parse_reply_info()
    ceph: initialize client debugfs outside of monc->mutex
    ceph: change "ceph.layout" xattr to be "ceph.file.layout"

    Linus Torvalds
     
  • Signed-off-by: Josh Triplett
    Signed-off-by: Linus Torvalds

    Josh Triplett
     
  • The rbd_client structure uses a kref to arrange for cleaning up and
    freeing an instance when its last reference is dropped. The cleanup
    routine is rbd_client_release(), and one of the things it does is
    delete the rbd_client from rbd_client_list. It acquires node_lock
    to do so, but the way it is done is still not safe.

    The problem is that when attempting to reuse an existing rbd_client,
    the structure found might already be in the process of getting
    destroyed and cleaned up.

    Here's the scenario, with "CLIENT" representing an existing
    rbd_client that's involved in the race:

    Thread on CPU A            | Thread on CPU B
    ---------------            | ---------------
    rbd_put_client(CLIENT)     | rbd_get_client()
    kref_put()                 | (acquires node_lock)
    kref->refcount becomes 0   | __rbd_client_find() returns CLIENT
    calls rbd_client_release() | kref_get(&CLIENT->kref);
                               | (releases node_lock)
    (acquires node_lock)       |
    deletes CLIENT from list   | ...and starts using CLIENT...
    (releases node_lock)       |
    and frees CLIENT           |
    Signed-off-by: Sage Weil

    Alex Elder
     
  • This fixes the race in process_vm_core found by Oleg (see

    http://article.gmane.org/gmane.linux.kernel/1235667/

    for details).

    This has been updated since I last sent it as the creation of the new
    mm_access() function did almost exactly the same thing as parts of the
    previous version of this patch did.

    In order to use mm_access() even when /proc isn't enabled, we move it to
    kernel/fork.c where other related process mm access functions already
    are.

    Signed-off-by: Chris Yeoh
    Signed-off-by: Linus Torvalds

    Christopher Yeoh
     
  • If an existing rbd client is found to be suitable for use in
    rbd_get_client(), the rbd_options structure is not being
    freed as it should. Fix that.

    Signed-off-by: Alex Elder
    Signed-off-by: Sage Weil

    Alex Elder
     
  • Lockdep was reporting a possible circular lock dependency in
    dentry_lease_is_valid(). That function needs to sample the
    session's s_cap_gen and s_cap_ttl fields coherently, but needs
    to do so while holding a dentry lock. The s_cap_lock field was
    being used to protect the two fields, but that can't be taken while
    holding a lock on a dentry within the session.

    In most cases, the s_cap_gen and s_cap_ttl fields only get operated
    on separately. But in three cases they need to be updated together.
    Implement a new lock to protect the spots where updating both fields
    atomically is required.

    Signed-off-by: Alex Elder
    Reviewed-by: Sage Weil

    Alex Elder
     
  • "len" is read from network and thus needs validation. Otherwise, given
    a bogus "len" value, p+len could be an out-of-bounds pointer, which is
    used in further parsing.

    Signed-off-by: Xi Wang
    Signed-off-by: Sage Weil

    Xi Wang
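
The kind of length check the commit above describes, as an added example (written for this page, not the Ceph code). The wire format, a little-endian u32 length followed by the payload, and every name in it are assumptions. The check compares `len` with the bytes remaining rather than forming `p + len`, and the unchecked variant reports an offset so the example never builds an out-of-bounds pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct blob {
    const uint8_t *data;    /* points into the caller's buffer */
    uint32_t len;
};

/* Read a little-endian u32 if at least four bytes remain. */
static int get_u32_le(const uint8_t **p, const uint8_t *end, uint32_t *out)
{
    if ((size_t)(end - *p) < 4)
        return -1;
    *out = (uint32_t)(*p)[0] | (uint32_t)(*p)[1] << 8 |
           (uint32_t)(*p)[2] << 16 | (uint32_t)(*p)[3] << 24;
    *p += 4;
    return 0;
}

/*
 * Where a parser that trusts len would place its cursor after the payload,
 * returned as an offset from buf. Returns 0 on a truncated header.
 */
size_t unchecked_cursor_after(const uint8_t *buf, size_t buflen)
{
    const uint8_t *p = buf;
    uint32_t len;

    if (get_u32_le(&p, buf + buflen, &len) < 0)
        return 0;
    return (size_t)(p - buf) + len;     /* len taken from the wire as-is */
}

/* Checked parse: 0 on success, -1 if the header or payload is truncated. */
int parse_blob(const uint8_t *buf, size_t buflen, struct blob *out,
               size_t *consumed)
{
    const uint8_t *p = buf, *end = buf + buflen;
    uint32_t len;

    if (get_u32_le(&p, end, &len) < 0)
        return -1;
    /* Compare with the bytes left; "p + len > end" can wrap around. */
    if (len > (size_t)(end - p))
        return -1;
    out->data = p;
    out->len = len;
    *consumed = (size_t)(p - buf) + len;
    return 0;
}

/* Constructed sample messages. */
const uint8_t good_msg[] = { 0x03, 0x00, 0x00, 0x00, 'a', 'b', 'c', 0xff };
const uint8_t bogus_msg[] = { 0xf0, 0xff, 0xff, 0x7f, 'a', 'b', 'c' };

int main(void)
{
    struct blob b;
    size_t used = 0;

    printf("good:  rc=%d\n", parse_blob(good_msg, sizeof(good_msg), &b, &used));
    printf("bogus: rc=%d, unchecked cursor at offset %zu of %zu\n",
           parse_blob(bogus_msg, sizeof(bogus_msg), &b, &used),
           unchecked_cursor_after(bogus_msg, sizeof(bogus_msg)),
           sizeof(bogus_msg));
    return 0;
}
```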
     
    Initializing debugfs under monc->mutex introduces a lock dependency for
    sb->s_type->i_mutex_key, which (combined with several other dependencies)
    leads to an annoying lockdep warning. There's no particular reason to do
    the debugfs setup under this lock, so move it out.

    It used to be the case that our first monmap could come from the OSD; that
    is no longer the case with recent servers, so we will reliably set up the
    client entry during the initial authentication.

    We don't have to worry about racing with debugfs teardown by
    ceph_debugfs_client_cleanup() because ceph_destroy_client() calls
    ceph_msgr_flush() first, which will wait for the message dispatch work
    to complete (and the debugfs init to complete).

    Fixes: #1940
    Signed-off-by: Sage Weil

    Sage Weil
     
  • The virtual extended attribute named "ceph.layout" is meaningful
    only for regular files. Change its name to be "ceph.file.layout" to
    more directly reflect that in the ceph xattr namespace. Preserve
    the old "ceph.layout" name for the time being (until we decide it's
    safe to get rid of it entirely).

    Add a missing initializer for "readonly" in the terminating entry.

    Signed-off-by: Alex Elder
    Reviewed-by: Sage Weil

    Alex Elder
     
  • * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
    drm/radeon/kms/blit: fix blit copy for very large buffers
    drm/radeon/kms: fix TRAVIS panel setup
    drm/radeon: fix use after free in ATRM bios reading code.
    drm/radeon/kms: Fix device tree linkage of DP i2c buses too
    drm/radeon: Set DESKTOP_HEIGHT register to the framebuffer (not mode) height.
    drm/radeon/kms: disable output polling when suspended
    drm/nv50/pm: signedness bug in nv50_pm_clocks_pre()
    drm/nouveau/gem: fix fence_sync race / oops
    drm/nouveau: fix typo on mxmdcb option
    drm/nouveau/mxm: pretend to succeed, even if we can't shadow the MXM-SIS
    drm/nouveau/disp: check that panel power gpio is enabled at init time

    Linus Torvalds
     
  • * 'next' of git://git.monstr.eu/linux-2.6-microblaze:
    Revert "microblaze: Add topology init"

    Linus Torvalds
     
  • …or-linus' and 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

    * 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
    bugs, x86: Fix printk levels for panic, softlockups and stack dumps

    * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
    perf top: Fix number of samples displayed
    perf tools: Fix strlen() bug in perf_event__synthesize_event_type()
    perf tools: Fix broken build by defining _GNU_SOURCE in Makefile
    x86/dumpstack: Remove unneeded check in dump_trace()
    perf: Fix broken interrupt rate throttling

    * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
    sched/rt: Fix task stack corruption under __ARCH_WANT_INTERRUPTS_ON_CTXSW
    sched: Fix ancient race in do_exit()
    sched/nohz: Fix nohz cpu idle load balancing state with cpu hotplug
    sched/s390: Fix compile error in sched/core.c
    sched: Fix rq->nr_uninterruptible update race

    * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
    x86/reboot: Remove VersaLogic Menlow reboot quirk
    x86/reboot: Skip DMI checks if reboot set by user
    x86: Properly parenthesize cmpxchg() macro arguments

    Linus Torvalds
     
  • Linux uses two PMD entries for a PTE with the classic page table format,
    covering 2MB range. However, the __pte_free_tlb() function only adds a
    single TLB flush corresponding to 1MB range covering 'addr'. On
    Cortex-A15, level 1 entries can be cached by the TLB independently of
    the level 2 entries and without additional flushing a PMD entry would be
    left pointing at the wrong PTE. The patch limits the TLB flushing range
    to two 4KB pages around the 1MB boundary within PMD.

    Signed-off-by: Catalin Marinas
    Signed-off-by: Russell King

    Catalin Marinas
     
  • Commit 89d6c0b5 ("perf, arch: Add generic NODE cache events") added
    empty NODE event definitions for the ARM PMU implementations. This was
    merged along with Cortex-A5 and Cortex-A15 PMU support, so they missed
    out on the original patch.

    This patch adds the empty definitions to Cortex-A5 and Cortex-A15.

    Signed-off-by: Will Deacon
    Signed-off-by: Russell King

    Will Deacon
     
  • If we are context switched whilst copying into a thread's
    vfp_hard_struct then the partial copy may be corrupted by the VFP
    context switching code (see "ARM: vfp: flush thread hwstate before
    restoring context from sigframe").

    This patch updates the ptrace VFP set code so that the thread state is
    flushed before the copy, therefore disabling VFP and preventing
    corruption from occurring.

    Cc: stable
    Signed-off-by: Will Deacon
    Signed-off-by: Russell King

    Will Deacon
     
  • In a preemptible kernel, vfp_set() can be preempted, causing the
    hardware VFP context to be switched while the thread vfp state is
    being read and modified. This leads to a race condition which can
    cause the thread vfp state to become corrupted if lazy VFP context
    save occurs due to preemption in between the time thread->vfpstate
    is read and the time the modified state is written back.

    This may occur if preemption occurs during the execution of a
    ptrace() call which modifies the VFP register state of a thread.
    Such instances should be very rare in most realistic scenarios --
    none has been reported, so far as I am aware. Only uniprocessor
    systems should be affected, since VFP context save is not currently
    lazy in SMP kernels.

    The problem was introduced by my earlier patch migrating to use
    regsets to implement ptrace.

    This patch does a vfp_sync_hwstate() before reading
    thread->vfpstate, to make sure that the thread's VFP state is not
    live in the hardware registers while the registers are modified.

    Thanks to Will Deacon for spotting this.

    Cc: stable
    Signed-off-by: Dave Martin
    Signed-off-by: Will Deacon
    Signed-off-by: Russell King

    Dave Martin