diff --git a/Revert-Bluetooth-Add-a-new-PID-VID-0cf3-e005-for-AR3.patch b/Revert-Bluetooth-Add-a-new-PID-VID-0cf3-e005-for-AR3.patch deleted file mode 100644 index 358b106..0000000 --- a/Revert-Bluetooth-Add-a-new-PID-VID-0cf3-e005-for-AR3.patch +++ /dev/null @@ -1,63 +0,0 @@ -Bugzilla: 1121785 -Upstream-status: 3.16 and CC'd to stable for 3.15.y - -From a2b23bacb315d3873ed90029fd2b68c95de734c0 Mon Sep 17 00:00:00 2001 -From: Marcel Holtmann -Date: Fri, 20 Jun 2014 12:34:28 +0200 -Subject: [PATCH] Revert "Bluetooth: Add a new PID/VID 0cf3/e005 for AR3012." - -This reverts commit ca58e594da2486c1d28e7ad547d82266604ec4ce. - -For some unclear reason this patch tries to add suport for the -product ID 0xe005, but it ends up adding product ID 0x3005 to -all the tables. This is obviously wrong and causing multiple -issues. - -The original patch seemed to be fine, but what ended up in 3.15 -is not what the patch intended. The commit 0a3658cccdf53 is -already present and adds support for this hardware. This means -only revert of this broken commit is requird. - -Signed-off-by: Marcel Holtmann -Reported-by: Alexander Holler -Cc: stable@vger.kernel.org # 3.15.x ---- - drivers/bluetooth/ath3k.c | 2 -- - drivers/bluetooth/btusb.c | 1 - - 2 files changed, 3 deletions(-) - -diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c -index f98380648cb3..f50dffc0374f 100644 ---- a/drivers/bluetooth/ath3k.c -+++ b/drivers/bluetooth/ath3k.c -@@ -90,7 +90,6 @@ static const struct usb_device_id ath3k_table[] = { - { USB_DEVICE(0x0b05, 0x17d0) }, - { USB_DEVICE(0x0CF3, 0x0036) }, - { USB_DEVICE(0x0CF3, 0x3004) }, -- { USB_DEVICE(0x0CF3, 0x3005) }, - { USB_DEVICE(0x0CF3, 0x3008) }, - { USB_DEVICE(0x0CF3, 0x311D) }, - { USB_DEVICE(0x0CF3, 0x311E) }, -@@ -140,7 +139,6 @@ static const struct usb_device_id ath3k_blist_tbl[] = { - { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x0CF3, 0x0036), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 }, -- { USB_DEVICE(0x0cf3, 0x3005), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x0cf3, 0x311D), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x0cf3, 0x311E), .driver_info = BTUSB_ATH3012 }, -diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c -index a1c80b0c7663..6250fc2fb93a 100644 ---- a/drivers/bluetooth/btusb.c -+++ b/drivers/bluetooth/btusb.c -@@ -162,7 +162,6 @@ static const struct usb_device_id blacklist_table[] = { - { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 }, -- { USB_DEVICE(0x0cf3, 0x3005), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x0cf3, 0x311e), .driver_info = BTUSB_ATH3012 }, --- -1.9.3 - diff --git a/Revert-drm-i915-reverse-dp-link-param-selection-pref.patch b/Revert-drm-i915-reverse-dp-link-param-selection-pref.patch deleted file mode 100644 index 25aff2f..0000000 --- a/Revert-drm-i915-reverse-dp-link-param-selection-pref.patch +++ /dev/null @@ -1,43 +0,0 @@ -Bugzilla: 1117008 -Upstream-status: Sent to intel-gfx - -From b22370f0cf68e49ddcb3dd7033aba5ff6454dfcc Mon Sep 17 00:00:00 2001 -From: Dave Airlie -Date: Mon, 14 Jul 2014 10:54:20 +1000 -Subject: [PATCH] Revert "drm/i915: reverse dp link param selection, prefer - fast over wide again" - -This reverts commit 38aecea0ccbb909d635619cba22f1891e589b434. - -This breaks Haswell Thinkpad + Lenovo dock in SST mode with a HDMI monitor attached. - -Before this we can 1920x1200 mode, after this we only ever get 1024x768, and -a lot of deferring. - -This didn't revert clean, but this should be fine. - -bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1117008 -Cc: stable@vger.kernel.org # v3.15 -Signed-off-by: Dave Airlie ---- - drivers/gpu/drm/i915/intel_dp.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/gpu/drm/i915/intel_dp.c b/drivers/gpu/drm/i915/intel_dp.c -index 2a00cb8..61963d3 100644 ---- a/drivers/gpu/drm/i915/intel_dp.c -+++ b/drivers/gpu/drm/i915/intel_dp.c -@@ -833,8 +833,8 @@ intel_dp_compute_config(struct intel_encoder *encoder, - mode_rate = intel_dp_link_required(adjusted_mode->crtc_clock, - bpp); - -- for (lane_count = min_lane_count; lane_count <= max_lane_count; lane_count <<= 1) { -- for (clock = min_clock; clock <= max_clock; clock++) { -+ for (clock = min_clock; clock <= max_clock; clock++) { -+ for (lane_count = min_lane_count; lane_count <= max_lane_count; lane_count <<= 1) { - link_clock = drm_dp_bw_code_to_link_rate(bws[clock]); - link_avail = intel_dp_max_data_rate(link_clock, - lane_count); --- -1.9.3 - diff --git a/kernel.spec b/kernel.spec index b883b7a..25004ce 100644 --- a/kernel.spec +++ b/kernel.spec @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 6 +%define stable_update 7 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -741,15 +741,9 @@ Patch25110: 0001-ideapad-laptop-Change-Lenovo-Yoga-2-series-rfkill-ha.patch #rhbz 1114768 Patch25112: 0001-synaptics-Add-min-max-quirk-for-pnp-id-LEN2002-Edge-.patch -#rhbz 1117008 -Patch25114: Revert-drm-i915-reverse-dp-link-param-selection-pref.patch - #CVE-2014-4943 rhbz 1119458 1120542 Patch25115: net-l2tp-don-t-fall-back-on-UDP-get-set-sockopt.patch -#rhbz 1121785 -Patch25116: Revert-Bluetooth-Add-a-new-PID-VID-0cf3-e005-for-AR3.patch - #CVE-2014-3534 rhbz 1114089 1122612 Patch25117: s390-ptrace-fix-PSW-mask-check.patch @@ -759,11 +753,6 @@ Patch25118: sched-fix-sched_setparam-policy-1-logic.patch #CVE-2014-5045 rhbz 1122472 1122482 Patch25119: fs-umount-on-symlink-leaks-mnt-count.patch -#CVE-2014-4171 rhbz 1111180 1118247 -Patch25120: shmem-fix-faulting-into-a-hole-while-it-s-punched.patch -Patch25121: shmem-fix-faulting-into-a-hole-not-taking-i_mutex.patch -Patch25122: shmem-fix-splicing-from-a-hole-while-it-s-punched.patch - #rhbz 1060327 Patch25123: drm-try-harder-to-avoid-regression-when-merging-mode.patch @@ -1479,15 +1468,9 @@ ApplyPatch 0001-ideapad-laptop-Change-Lenovo-Yoga-2-series-rfkill-ha.patch #rhbz 1114768 ApplyPatch 0001-synaptics-Add-min-max-quirk-for-pnp-id-LEN2002-Edge-.patch -#rhbz 1117008 -ApplyPatch Revert-drm-i915-reverse-dp-link-param-selection-pref.patch - #CVE-2014-4943 rhbz 1119458 1120542 ApplyPatch net-l2tp-don-t-fall-back-on-UDP-get-set-sockopt.patch -#rhbz 1121785 -ApplyPatch Revert-Bluetooth-Add-a-new-PID-VID-0cf3-e005-for-AR3.patch - #CVE-2014-3534 rhbz 1114089 1122612 ApplyPatch s390-ptrace-fix-PSW-mask-check.patch @@ -1497,11 +1480,6 @@ ApplyPatch sched-fix-sched_setparam-policy-1-logic.patch #CVE-2014-5045 rhbz 1122472 1122482 ApplyPatch fs-umount-on-symlink-leaks-mnt-count.patch -#CVE-2014-4171 rhbz 1111180 1118247 -ApplyPatch shmem-fix-faulting-into-a-hole-while-it-s-punched.patch -ApplyPatch shmem-fix-faulting-into-a-hole-not-taking-i_mutex.patch -ApplyPatch shmem-fix-splicing-from-a-hole-while-it-s-punched.patch - #rhbz 1060327 ApplyPatch drm-try-harder-to-avoid-regression-when-merging-mode.patch @@ -2328,6 +2306,9 @@ fi # ||----w | # || || %changelog +* Mon Jul 28 2014 Justin M. Forbes 3.15.7-200 +- Linux v3.15.7 + * Mon Jul 28 2014 Hans de Goede - Add use_native_backlight=1 quirk for HP ProBook 4540s (rhbz#1025690) - Add use_native_backlight=1 quirk for HP EliteBook 2014 series (rhbz#1123565) diff --git a/shmem-fix-faulting-into-a-hole-not-taking-i_mutex.patch b/shmem-fix-faulting-into-a-hole-not-taking-i_mutex.patch deleted file mode 100644 index 527cdd0..0000000 --- a/shmem-fix-faulting-into-a-hole-not-taking-i_mutex.patch +++ /dev/null @@ -1,197 +0,0 @@ -Bugzilla: 1118247 -Upstream-status: 3.16 and CC'd for stable - -From 8e205f779d1443a94b5ae81aa359cb535dd3021e Mon Sep 17 00:00:00 2001 -From: Hugh Dickins -Date: Wed, 23 Jul 2014 14:00:10 -0700 -Subject: shmem: fix faulting into a hole, not taking i_mutex - -From: Hugh Dickins - -commit 8e205f779d1443a94b5ae81aa359cb535dd3021e upstream. - -Commit f00cdc6df7d7 ("shmem: fix faulting into a hole while it's -punched") was buggy: Sasha sent a lockdep report to remind us that -grabbing i_mutex in the fault path is a no-no (write syscall may already -hold i_mutex while faulting user buffer). - -We tried a completely different approach (see following patch) but that -proved inadequate: good enough for a rational workload, but not good -enough against trinity - which forks off so many mappings of the object -that contention on i_mmap_mutex while hole-puncher holds i_mutex builds -into serious starvation when concurrent faults force the puncher to fall -back to single-page unmap_mapping_range() searches of the i_mmap tree. - -So return to the original umbrella approach, but keep away from i_mutex -this time. We really don't want to bloat every shmem inode with a new -mutex or completion, just to protect this unlikely case from trinity. -So extend the original with wait_queue_head on stack at the hole-punch -end, and wait_queue item on the stack at the fault end. - -This involves further use of i_lock to guard against the races: lockdep -has been happy so far, and I see fs/inode.c:unlock_new_inode() holds -i_lock around wake_up_bit(), which is comparable to what we do here. -i_lock is more convenient, but we could switch to shmem's info->lock. - -This issue has been tagged with CVE-2014-4171, which will require commit -f00cdc6df7d7 and this and the following patch to be backported: we -suggest to 3.1+, though in fact the trinity forkbomb effect might go -back as far as 2.6.16, when madvise(,,MADV_REMOVE) came in - or might -not, since much has changed, with i_mmap_mutex a spinlock before 3.0. -Anyone running trinity on 3.0 and earlier? I don't think we need care. - -Signed-off-by: Hugh Dickins -Reported-by: Sasha Levin -Tested-by: Sasha Levin -Cc: Vlastimil Babka -Cc: Konstantin Khlebnikov -Cc: Johannes Weiner -Cc: Lukas Czerner -Cc: Dave Jones -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman - ---- - mm/shmem.c | 78 ++++++++++++++++++++++++++++++++++++++++--------------------- - 1 file changed, 52 insertions(+), 26 deletions(-) - ---- a/mm/shmem.c -+++ b/mm/shmem.c -@@ -85,7 +85,7 @@ static struct vfsmount *shm_mnt; - * a time): we would prefer not to enlarge the shmem inode just for that. - */ - struct shmem_falloc { -- int mode; /* FALLOC_FL mode currently operating */ -+ wait_queue_head_t *waitq; /* faults into hole wait for punch to end */ - pgoff_t start; /* start of range currently being fallocated */ - pgoff_t next; /* the next page offset to be fallocated */ - pgoff_t nr_falloced; /* how many new pages have been fallocated */ -@@ -760,7 +760,7 @@ static int shmem_writepage(struct page * - spin_lock(&inode->i_lock); - shmem_falloc = inode->i_private; - if (shmem_falloc && -- !shmem_falloc->mode && -+ !shmem_falloc->waitq && - index >= shmem_falloc->start && - index < shmem_falloc->next) - shmem_falloc->nr_unswapped++; -@@ -1239,38 +1239,58 @@ static int shmem_fault(struct vm_area_st - * Trinity finds that probing a hole which tmpfs is punching can - * prevent the hole-punch from ever completing: which in turn - * locks writers out with its hold on i_mutex. So refrain from -- * faulting pages into the hole while it's being punched, and -- * wait on i_mutex to be released if vmf->flags permits. -+ * faulting pages into the hole while it's being punched. Although -+ * shmem_undo_range() does remove the additions, it may be unable to -+ * keep up, as each new page needs its own unmap_mapping_range() call, -+ * and the i_mmap tree grows ever slower to scan if new vmas are added. -+ * -+ * It does not matter if we sometimes reach this check just before the -+ * hole-punch begins, so that one fault then races with the punch: -+ * we just need to make racing faults a rare case. -+ * -+ * The implementation below would be much simpler if we just used a -+ * standard mutex or completion: but we cannot take i_mutex in fault, -+ * and bloating every shmem inode for this unlikely case would be sad. - */ - if (unlikely(inode->i_private)) { - struct shmem_falloc *shmem_falloc; - - spin_lock(&inode->i_lock); - shmem_falloc = inode->i_private; -- if (!shmem_falloc || -- shmem_falloc->mode != FALLOC_FL_PUNCH_HOLE || -- vmf->pgoff < shmem_falloc->start || -- vmf->pgoff >= shmem_falloc->next) -- shmem_falloc = NULL; -- spin_unlock(&inode->i_lock); -- /* -- * i_lock has protected us from taking shmem_falloc seriously -- * once return from shmem_fallocate() went back up that stack. -- * i_lock does not serialize with i_mutex at all, but it does -- * not matter if sometimes we wait unnecessarily, or sometimes -- * miss out on waiting: we just need to make those cases rare. -- */ -- if (shmem_falloc) { -+ if (shmem_falloc && -+ shmem_falloc->waitq && -+ vmf->pgoff >= shmem_falloc->start && -+ vmf->pgoff < shmem_falloc->next) { -+ wait_queue_head_t *shmem_falloc_waitq; -+ DEFINE_WAIT(shmem_fault_wait); -+ -+ ret = VM_FAULT_NOPAGE; - if ((vmf->flags & FAULT_FLAG_ALLOW_RETRY) && - !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) { -+ /* It's polite to up mmap_sem if we can */ - up_read(&vma->vm_mm->mmap_sem); -- mutex_lock(&inode->i_mutex); -- mutex_unlock(&inode->i_mutex); -- return VM_FAULT_RETRY; -+ ret = VM_FAULT_RETRY; - } -- /* cond_resched? Leave that to GUP or return to user */ -- return VM_FAULT_NOPAGE; -+ -+ shmem_falloc_waitq = shmem_falloc->waitq; -+ prepare_to_wait(shmem_falloc_waitq, &shmem_fault_wait, -+ TASK_UNINTERRUPTIBLE); -+ spin_unlock(&inode->i_lock); -+ schedule(); -+ -+ /* -+ * shmem_falloc_waitq points into the shmem_fallocate() -+ * stack of the hole-punching task: shmem_falloc_waitq -+ * is usually invalid by the time we reach here, but -+ * finish_wait() does not dereference it in that case; -+ * though i_lock needed lest racing with wake_up_all(). -+ */ -+ spin_lock(&inode->i_lock); -+ finish_wait(shmem_falloc_waitq, &shmem_fault_wait); -+ spin_unlock(&inode->i_lock); -+ return ret; - } -+ spin_unlock(&inode->i_lock); - } - - error = shmem_getpage(inode, vmf->pgoff, &vmf->page, SGP_CACHE, &ret); -@@ -1773,13 +1793,13 @@ static long shmem_fallocate(struct file - - mutex_lock(&inode->i_mutex); - -- shmem_falloc.mode = mode & ~FALLOC_FL_KEEP_SIZE; -- - if (mode & FALLOC_FL_PUNCH_HOLE) { - struct address_space *mapping = file->f_mapping; - loff_t unmap_start = round_up(offset, PAGE_SIZE); - loff_t unmap_end = round_down(offset + len, PAGE_SIZE) - 1; -+ DECLARE_WAIT_QUEUE_HEAD_ONSTACK(shmem_falloc_waitq); - -+ shmem_falloc.waitq = &shmem_falloc_waitq; - shmem_falloc.start = unmap_start >> PAGE_SHIFT; - shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT; - spin_lock(&inode->i_lock); -@@ -1791,8 +1811,13 @@ static long shmem_fallocate(struct file - 1 + unmap_end - unmap_start, 0); - shmem_truncate_range(inode, offset, offset + len - 1); - /* No need to unmap again: hole-punching leaves COWed pages */ -+ -+ spin_lock(&inode->i_lock); -+ inode->i_private = NULL; -+ wake_up_all(&shmem_falloc_waitq); -+ spin_unlock(&inode->i_lock); - error = 0; -- goto undone; -+ goto out; - } - - /* We need to check rlimit even when FALLOC_FL_KEEP_SIZE */ -@@ -1808,6 +1833,7 @@ static long shmem_fallocate(struct file - goto out; - } - -+ shmem_falloc.waitq = NULL; - shmem_falloc.start = start; - shmem_falloc.next = start; - shmem_falloc.nr_falloced = 0; diff --git a/shmem-fix-faulting-into-a-hole-while-it-s-punched.patch b/shmem-fix-faulting-into-a-hole-while-it-s-punched.patch deleted file mode 100644 index 59475f7..0000000 --- a/shmem-fix-faulting-into-a-hole-while-it-s-punched.patch +++ /dev/null @@ -1,138 +0,0 @@ -Bugzilla: 1118247 -Upstream-status: 3.16 and CC'd for stable - -From f00cdc6df7d7cfcabb5b740911e6788cb0802bdb Mon Sep 17 00:00:00 2001 -From: Hugh Dickins -Date: Mon, 23 Jun 2014 13:22:06 -0700 -Subject: shmem: fix faulting into a hole while it's punched - -From: Hugh Dickins - -commit f00cdc6df7d7cfcabb5b740911e6788cb0802bdb upstream. - -Trinity finds that mmap access to a hole while it's punched from shmem -can prevent the madvise(MADV_REMOVE) or fallocate(FALLOC_FL_PUNCH_HOLE) -from completing, until the reader chooses to stop; with the puncher's -hold on i_mutex locking out all other writers until it can complete. - -It appears that the tmpfs fault path is too light in comparison with its -hole-punching path, lacking an i_data_sem to obstruct it; but we don't -want to slow down the common case. - -Extend shmem_fallocate()'s existing range notification mechanism, so -shmem_fault() can refrain from faulting pages into the hole while it's -punched, waiting instead on i_mutex (when safe to sleep; or repeatedly -faulting when not). - -[akpm@linux-foundation.org: coding-style fixes] -Signed-off-by: Hugh Dickins -Reported-by: Sasha Levin -Tested-by: Sasha Levin -Cc: Dave Jones -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman - ---- - mm/shmem.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++---- - 1 file changed, 52 insertions(+), 4 deletions(-) - ---- a/mm/shmem.c -+++ b/mm/shmem.c -@@ -80,11 +80,12 @@ static struct vfsmount *shm_mnt; - #define SHORT_SYMLINK_LEN 128 - - /* -- * shmem_fallocate and shmem_writepage communicate via inode->i_private -- * (with i_mutex making sure that it has only one user at a time): -- * we would prefer not to enlarge the shmem inode just for that. -+ * shmem_fallocate communicates with shmem_fault or shmem_writepage via -+ * inode->i_private (with i_mutex making sure that it has only one user at -+ * a time): we would prefer not to enlarge the shmem inode just for that. - */ - struct shmem_falloc { -+ int mode; /* FALLOC_FL mode currently operating */ - pgoff_t start; /* start of range currently being fallocated */ - pgoff_t next; /* the next page offset to be fallocated */ - pgoff_t nr_falloced; /* how many new pages have been fallocated */ -@@ -759,6 +760,7 @@ static int shmem_writepage(struct page * - spin_lock(&inode->i_lock); - shmem_falloc = inode->i_private; - if (shmem_falloc && -+ !shmem_falloc->mode && - index >= shmem_falloc->start && - index < shmem_falloc->next) - shmem_falloc->nr_unswapped++; -@@ -1233,6 +1235,44 @@ static int shmem_fault(struct vm_area_st - int error; - int ret = VM_FAULT_LOCKED; - -+ /* -+ * Trinity finds that probing a hole which tmpfs is punching can -+ * prevent the hole-punch from ever completing: which in turn -+ * locks writers out with its hold on i_mutex. So refrain from -+ * faulting pages into the hole while it's being punched, and -+ * wait on i_mutex to be released if vmf->flags permits. -+ */ -+ if (unlikely(inode->i_private)) { -+ struct shmem_falloc *shmem_falloc; -+ -+ spin_lock(&inode->i_lock); -+ shmem_falloc = inode->i_private; -+ if (!shmem_falloc || -+ shmem_falloc->mode != FALLOC_FL_PUNCH_HOLE || -+ vmf->pgoff < shmem_falloc->start || -+ vmf->pgoff >= shmem_falloc->next) -+ shmem_falloc = NULL; -+ spin_unlock(&inode->i_lock); -+ /* -+ * i_lock has protected us from taking shmem_falloc seriously -+ * once return from shmem_fallocate() went back up that stack. -+ * i_lock does not serialize with i_mutex at all, but it does -+ * not matter if sometimes we wait unnecessarily, or sometimes -+ * miss out on waiting: we just need to make those cases rare. -+ */ -+ if (shmem_falloc) { -+ if ((vmf->flags & FAULT_FLAG_ALLOW_RETRY) && -+ !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) { -+ up_read(&vma->vm_mm->mmap_sem); -+ mutex_lock(&inode->i_mutex); -+ mutex_unlock(&inode->i_mutex); -+ return VM_FAULT_RETRY; -+ } -+ /* cond_resched? Leave that to GUP or return to user */ -+ return VM_FAULT_NOPAGE; -+ } -+ } -+ - error = shmem_getpage(inode, vmf->pgoff, &vmf->page, SGP_CACHE, &ret); - if (error) - return ((error == -ENOMEM) ? VM_FAULT_OOM : VM_FAULT_SIGBUS); -@@ -1733,18 +1773,26 @@ static long shmem_fallocate(struct file - - mutex_lock(&inode->i_mutex); - -+ shmem_falloc.mode = mode & ~FALLOC_FL_KEEP_SIZE; -+ - if (mode & FALLOC_FL_PUNCH_HOLE) { - struct address_space *mapping = file->f_mapping; - loff_t unmap_start = round_up(offset, PAGE_SIZE); - loff_t unmap_end = round_down(offset + len, PAGE_SIZE) - 1; - -+ shmem_falloc.start = unmap_start >> PAGE_SHIFT; -+ shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT; -+ spin_lock(&inode->i_lock); -+ inode->i_private = &shmem_falloc; -+ spin_unlock(&inode->i_lock); -+ - if ((u64)unmap_end > (u64)unmap_start) - unmap_mapping_range(mapping, unmap_start, - 1 + unmap_end - unmap_start, 0); - shmem_truncate_range(inode, offset, offset + len - 1); - /* No need to unmap again: hole-punching leaves COWed pages */ - error = 0; -- goto out; -+ goto undone; - } - - /* We need to check rlimit even when FALLOC_FL_KEEP_SIZE */ diff --git a/shmem-fix-splicing-from-a-hole-while-it-s-punched.patch b/shmem-fix-splicing-from-a-hole-while-it-s-punched.patch deleted file mode 100644 index 12daf86..0000000 --- a/shmem-fix-splicing-from-a-hole-while-it-s-punched.patch +++ /dev/null @@ -1,132 +0,0 @@ -Bugzilla: 1118247 -Upstream-status: 3.16 and CC'd for stable - -From b1a366500bd537b50c3aad26dc7df083ec03a448 Mon Sep 17 00:00:00 2001 -From: Hugh Dickins -Date: Wed, 23 Jul 2014 14:00:13 -0700 -Subject: shmem: fix splicing from a hole while it's punched - -From: Hugh Dickins - -commit b1a366500bd537b50c3aad26dc7df083ec03a448 upstream. - -shmem_fault() is the actual culprit in trinity's hole-punch starvation, -and the most significant cause of such problems: since a page faulted is -one that then appears page_mapped(), needing unmap_mapping_range() and -i_mmap_mutex to be unmapped again. - -But it is not the only way in which a page can be brought into a hole in -the radix_tree while that hole is being punched; and Vlastimil's testing -implies that if enough other processors are busy filling in the hole, -then shmem_undo_range() can be kept from completing indefinitely. - -shmem_file_splice_read() is the main other user of SGP_CACHE, which can -instantiate shmem pagecache pages in the read-only case (without holding -i_mutex, so perhaps concurrently with a hole-punch). Probably it's -silly not to use SGP_READ already (using the ZERO_PAGE for holes): which -ought to be safe, but might bring surprises - not a change to be rushed. - -shmem_read_mapping_page_gfp() is an internal interface used by -drivers/gpu/drm GEM (and next by uprobes): it should be okay. And -shmem_file_read_iter() uses the SGP_DIRTY variant of SGP_CACHE, when -called internally by the kernel (perhaps for a stacking filesystem, -which might rely on holes to be reserved): it's unclear whether it could -be provoked to keep hole-punch busy or not. - -We could apply the same umbrella as now used in shmem_fault() to -shmem_file_splice_read() and the others; but it looks ugly, and use over -a range raises questions - should it actually be per page? can these get -starved themselves? - -The origin of this part of the problem is my v3.1 commit d0823576bf4b -("mm: pincer in truncate_inode_pages_range"), once it was duplicated -into shmem.c. It seemed like a nice idea at the time, to ensure -(barring RCU lookup fuzziness) that there's an instant when the entire -hole is empty; but the indefinitely repeated scans to ensure that make -it vulnerable. - -Revert that "enhancement" to hole-punch from shmem_undo_range(), but -retain the unproblematic rescanning when it's truncating; add a couple -of comments there. - -Remove the "indices[0] >= end" test: that is now handled satisfactorily -by the inner loop, and mem_cgroup_uncharge_start()/end() are too light -to be worth avoiding here. - -But if we do not always loop indefinitely, we do need to handle the case -of swap swizzled back to page before shmem_free_swap() gets it: add a -retry for that case, as suggested by Konstantin Khlebnikov; and for the -case of page swizzled back to swap, as suggested by Johannes Weiner. - -Signed-off-by: Hugh Dickins -Reported-by: Sasha Levin -Suggested-by: Vlastimil Babka -Cc: Konstantin Khlebnikov -Cc: Johannes Weiner -Cc: Lukas Czerner -Cc: Dave Jones -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman - ---- - mm/shmem.c | 24 +++++++++++++++--------- - 1 file changed, 15 insertions(+), 9 deletions(-) - ---- a/mm/shmem.c -+++ b/mm/shmem.c -@@ -468,23 +468,20 @@ static void shmem_undo_range(struct inod - return; - - index = start; -- for ( ; ; ) { -+ while (index < end) { - cond_resched(); - - pvec.nr = find_get_entries(mapping, index, - min(end - index, (pgoff_t)PAGEVEC_SIZE), - pvec.pages, indices); - if (!pvec.nr) { -- if (index == start || unfalloc) -+ /* If all gone or hole-punch or unfalloc, we're done */ -+ if (index == start || end != -1) - break; -+ /* But if truncating, restart to make sure all gone */ - index = start; - continue; - } -- if ((index == start || unfalloc) && indices[0] >= end) { -- pagevec_remove_exceptionals(&pvec); -- pagevec_release(&pvec); -- break; -- } - mem_cgroup_uncharge_start(); - for (i = 0; i < pagevec_count(&pvec); i++) { - struct page *page = pvec.pages[i]; -@@ -496,8 +493,12 @@ static void shmem_undo_range(struct inod - if (radix_tree_exceptional_entry(page)) { - if (unfalloc) - continue; -- nr_swaps_freed += !shmem_free_swap(mapping, -- index, page); -+ if (shmem_free_swap(mapping, index, page)) { -+ /* Swap was replaced by page: retry */ -+ index--; -+ break; -+ } -+ nr_swaps_freed++; - continue; - } - -@@ -506,6 +507,11 @@ static void shmem_undo_range(struct inod - if (page->mapping == mapping) { - VM_BUG_ON_PAGE(PageWriteback(page), page); - truncate_inode_page(mapping, page); -+ } else { -+ /* Page was replaced by swap: retry */ -+ unlock_page(page); -+ index--; -+ break; - } - } - unlock_page(page); diff --git a/sources b/sources index e3b7282..ddeca2d 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 97ca1625bb40368dc41b9a7971549071 linux-3.15.tar.xz -25e4c27b4aff5e14dc4b3dc0029fd05d patch-3.15.6.xz +2f09ab9d30dfe6d59469990a46d20cc4 patch-3.15.7.xz