Re: [PATCH 3.10 099/180] fix d_walk()/non-delayed __d_free() race

Re: [PATCH 3.10 099/180] fix d_walk()/non-delayed __d_free() race

[Jari Ruusu]

This patch for 3.10 branch appears to be missing one important

+       dentry->d_flags |= DCACHE_RCUACCESS;

in fs/dcache.c __d_materialise_dentry() function. When Ben Hutchings
backported Al Viro's original fix to stable branches that he maintains,
he added that one additional line to both 3.2 and 3.16 branches. Please
consider including that additional one line fix for 3.10 stable branch
also.


Ben Hutchings said this on his 3.2.82-rc1 patch:
[bwh: Backported to 3.2:
 - Adjust context
 - Also set the flag in __d_materialise_dentry())]

http://marc.info/?l=linux-kernel&m=147117565612275&w=2


Ben Hutchings said this on his 3.16.37-rc1 patch:
[bwh: Backported to 3.16:
 - Adjust context
 - Also set the flag in __d_materialise_dentry())]

http://marc.info/?l=linux-kernel&m=147117433412006&w=2


Also mentioned by Sasha Levin on 3.18 and 4.1 commits:
Cc: stable@vger.kernel.org # v3.2+ (and watch out for __d_materialise_dentry())

http://marc.info/?l=linux-stable-commits&m=146648034410827&w=2
http://marc.info/?l=linux-stable-commits&m=146647471009771&w=2

-- 
Jari Ruusu  4096R/8132F189 12D6 4C3A DCDA 0AA4 27BD  ACDF F073 3C80 8132 F189

Re: [PATCH 3.10 099/180] fix d_walk()/non-delayed __d_free() race

[Willy Tarreau]

On Mon, Aug 22, 2016 at 04:56:57PM +0300, Jari Ruusu wrote:
> This patch for 3.10 branch appears to be missing one important
> 
> +       dentry->d_flags |= DCACHE_RCUACCESS;
> 
> in fs/dcache.c __d_materialise_dentry() function. When Ben Hutchings
> backported Al Viro's original fix to stable branches that he maintains,
> he added that one additional line to both 3.2 and 3.16 branches. Please
> consider including that additional one line fix for 3.10 stable branch
> also.
(...)

Many thanks Jari, I'll use Ben's backport then.

Cheers,
Willy

Re: [PATCH 3.10 099/180] fix d_walk()/non-delayed __d_free() race

[Willy Tarreau]

Greg, Jiri,

I checked Jari's explanation below and found that v3.14.77 and v3.12.62
are missing the same fix as 3.10. In fact Al's original commit 3d56c25
("fix d_walk()/non-delayed __d_free() race") used to mention to check 
this __d_materialise_dentry() function in the Cc: stable line, but this
got lost during the backports.

Normally all of our 3 kernels need to apply the following patch that
Ben correctly put in 3.16 and 3.2. I'm fixing the backport in 3.10.103
right now.

Cheers,
Willy

diff --git a/fs/dcache.c b/fs/dcache.c
index 2a808fb..2d0b9d2 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -2401,6 +2401,7 @@ static void __d_materialise_dentry(struct dentry *dentry, struct dentry *anon)
 	switch_names(dentry, anon);
 	swap(dentry->d_name.hash, anon->d_name.hash);
 
+	dentry->d_flags |= DCACHE_RCUACCESS;
 	dentry->d_parent = dentry;
 	list_del_init(&dentry->d_child);
 	anon->d_parent = dparent;


On Mon, Aug 22, 2016 at 04:56:57PM +0300, Jari Ruusu wrote:
> This patch for 3.10 branch appears to be missing one important
> 
> +       dentry->d_flags |= DCACHE_RCUACCESS;
> 
> in fs/dcache.c __d_materialise_dentry() function. When Ben Hutchings
> backported Al Viro's original fix to stable branches that he maintains,
> he added that one additional line to both 3.2 and 3.16 branches. Please
> consider including that additional one line fix for 3.10 stable branch
> also.
> 
> 
> Ben Hutchings said this on his 3.2.82-rc1 patch:
> [bwh: Backported to 3.2:
>  - Adjust context
>  - Also set the flag in __d_materialise_dentry())]
> 
> http://marc.info/?l=linux-kernel&m=147117565612275&w=2
> 
> 
> Ben Hutchings said this on his 3.16.37-rc1 patch:
> [bwh: Backported to 3.16:
>  - Adjust context
>  - Also set the flag in __d_materialise_dentry())]
> 
> http://marc.info/?l=linux-kernel&m=147117433412006&w=2
> 
> 
> Also mentioned by Sasha Levin on 3.18 and 4.1 commits:
> Cc: stable@vger.kernel.org # v3.2+ (and watch out for __d_materialise_dentry())
> 
> http://marc.info/?l=linux-stable-commits&m=146648034410827&w=2
> http://marc.info/?l=linux-stable-commits&m=146647471009771&w=2
> 
> -- 
> Jari Ruusu  4096R/8132F189 12D6 4C3A DCDA 0AA4 27BD  ACDF F073 3C80 8132 F189

Re: [PATCH 3.10 099/180] fix d_walk()/non-delayed __d_free() race

[Ben Hutchings]

[-- Attachment #1: Type: text/plain, Size: 2878 bytes --]

On Sat, 2016-08-27 at 11:31 +0200, Willy Tarreau wrote:
> Greg, Jiri,
> 
> I checked Jari's explanation below and found that v3.14.77 and v3.12.62
> are missing the same fix as 3.10. In fact Al's original commit 3d56c25
> ("fix d_walk()/non-delayed __d_free() race") used to mention to check 
> this __d_materialise_dentry() function in the Cc: stable line, but this
> got lost during the backports.
> 
> Normally all of our 3 kernels need to apply the following patch that
> Ben correctly put in 3.16 and 3.2. I'm fixing the backport in 3.10.103
> right now.

I never did get positive confirmation that this is the right change in
__d_materialise_dentry().  Al, could you please comment?

Ben.

> > Cheers,
> Willy
> 
> diff --git a/fs/dcache.c b/fs/dcache.c
> index 2a808fb..2d0b9d2 100644
> --- a/fs/dcache.c
> +++ b/fs/dcache.c
> @@ -2401,6 +2401,7 @@ static void __d_materialise_dentry(struct dentry *dentry, struct dentry *anon)
> >  	switch_names(dentry, anon);
> >  	swap(dentry->d_name.hash, anon->d_name.hash);
>  
> > +	dentry->d_flags |= DCACHE_RCUACCESS;
> >  	dentry->d_parent = dentry;
> >  	list_del_init(&dentry->d_child);
> >  	anon->d_parent = dparent;
> 
> 
> On Mon, Aug 22, 2016 at 04:56:57PM +0300, Jari Ruusu wrote:
> > 
> > This patch for 3.10 branch appears to be missing one important
> > 
> > +       dentry->d_flags |= DCACHE_RCUACCESS;
> > 
> > in fs/dcache.c __d_materialise_dentry() function. When Ben Hutchings
> > backported Al Viro's original fix to stable branches that he maintains,
> > he added that one additional line to both 3.2 and 3.16 branches. Please
> > consider including that additional one line fix for 3.10 stable branch
> > also.
> > 
> > 
> > Ben Hutchings said this on his 3.2.82-rc1 patch:
> > [bwh: Backported to 3.2:
> >  - Adjust context
> >  - Also set the flag in __d_materialise_dentry())]
> > 
> > http://marc.info/?l=linux-kernel&m=147117565612275&w=2
> > 
> > 
> > Ben Hutchings said this on his 3.16.37-rc1 patch:
> > [bwh: Backported to 3.16:
> >  - Adjust context
> >  - Also set the flag in __d_materialise_dentry())]
> > 
> > http://marc.info/?l=linux-kernel&m=147117433412006&w=2
> > 
> > 
> > Also mentioned by Sasha Levin on 3.18 and 4.1 commits:
> > > > Cc: stable@vger.kernel.org # v3.2+ (and watch out for __d_materialise_dentry())
> > 
> > http://marc.info/?l=linux-stable-commits&m=146648034410827&w=2
> > http://marc.info/?l=linux-stable-commits&m=146647471009771&w=2
> > 
> > -- 
> > Jari Ruusu  4096R/8132F189 12D6 4C3A DCDA 0AA4 27BD  ACDF F073 3C80 8132 F189
-- 
Ben Hutchings
[W]e found...that it wasn't as easy to get programs right as we had
thought.
... I realized that a large part of my life from then on was going to
be spent
in finding mistakes in my own programs. - Maurice Wilkes, 1949

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

Re: [PATCH 3.10 099/180] fix d_walk()/non-delayed __d_free() race

[Willy Tarreau]

On Sat, Aug 27, 2016 at 12:38:38PM +0100, Ben Hutchings wrote:
> On Sat, 2016-08-27 at 11:31 +0200, Willy Tarreau wrote:
> > Greg, Jiri,
> > 
> > I checked Jari's explanation below and found that v3.14.77 and v3.12.62
> > are missing the same fix as 3.10. In fact Al's original commit 3d56c25
> > ("fix d_walk()/non-delayed __d_free() race") used to mention to check 
> > this __d_materialise_dentry() function in the Cc: stable line, but this
> > got lost during the backports.
> > 
> > Normally all of our 3 kernels need to apply the following patch that
> > Ben correctly put in 3.16 and 3.2. I'm fixing the backport in 3.10.103
> > right now.
> 
> I never did get positive confirmation that this is the right change in
> __d_materialise_dentry().  Al, could you please comment?

Well in my experience Al checks our reviews and steps in when there's
a mistake. Also your patch seems to reproduce the fix for the code
that was later killed by commit 63cf427 ("kill __d_materialise_dentry()")
which factors it out into __d_move() so I'm inclined to think that what
you did makes sense.

Cheers,
Willy

[PATCH 3.10 000/180] 3.10.103-stable review

[Willy Tarreau]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=UTF-8, Size: 22660 bytes --]

This is the start of the stable review cycle for the 3.10.103 release.
All patches will be posted as a response to this one. If anyone has any
issue with these being applied, please let me know. If anyone thinks some
important patches are missing and should be added prior to the release,
please report them quickly with their respective mainline commit IDs.

Responses should be made by Fri Aug 26 17:04:04 CEST 2016.
Anything received after that time might be too late. If someone
wants a bit more time for a deeper review, please let me know.

The whole patch series can be found in one patch at :
   https://kernel.org/pub/linux/kernel/v3.x/stable-review/patch-3.10.103-rc1.gz

The shortlog and diffstat are appended below.

Thanks,
Willy

===============


Al Viro (1):
  fix d_walk()/non-delayed __d_free() race

Alan Stern (2):
  USB: fix invalid memory access in hub_activate()
  USB: EHCI: declare hostpc register as zero-length array

Alex Deucher (3):
  drm/radeon: fix asic initialization for virtualized environments
  drm/radeon: add a delay after ATPX dGPU power off
  drm/radeon: fix firmware info version checks

Alex Hung (1):
  hp-wmi: Fix wifi cannot be hard-unblocked

Alexander Shiyan (1):
  stb6100: fix buffer length check in stb6100_write_reg_range()

Alexey Brodkin (1):
  arc: unwind: warn only once if DW2_UNWIND is disabled

Amadeusz Sławiński (1):
  Bluetooth: Fix l2cap_sock_setsockopt() with optname BT_RCVMTU

Andi Kleen (1):
  x86, asmlinkage, apm: Make APM data structure used from assembler
    visible

Andrew Goodbody (2):
  usb: musb: Stop bulk endpoint while queue is rotated
  usb: musb: Ensure rx reinit occurs for shared_fifo endpoints

Andrey Grodzovsky (1):
  xen/pciback: Fix conf_space read/write overlap check.

Andrey Ryabinin (1):
  perf/x86: Fix undefined shift on 32-bit kernels

Andy Lutomirski (2):
  x86/mm: Add barriers and document switch_mm()-vs-flush synchronization
  x86/mm: Improve switch_mm() barrier comments

Anthony Romano (1):
  tmpfs: don't undo fallocate past its last page

Antonio Alecrim Jr (2):
  X.509: remove possible code fragility: enumeration values not handled
  isdn: hfcpci_softirq: get func return to suppress compiler warning

Ben Hutchings (1):
  module: Invalidate signatures on force-loaded modules

Bernhard Thaler (1):
  Revert "netfilter: ensure number of counters is >0 in do_replace()"

Bjørn Mork (1):
  cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind

Bjørn Mork (1):
  cdc_ncm: workaround for EM7455 "silent" data interface

Bob Copeland (1):
  mac80211: mesh: flush mesh paths unconditionally

Borislav Petkov (1):
  x86/amd_nb: Fix boot crash on non-AMD systems

Brian King (1):
  ipr: Clear interrupt on croc/crocodile when running with LSI

Cameron Gutman (1):
  Input: xpad - validate USB endpoint count during probe

Charles (Chas) Williams (1):
  tcp: make challenge acks less predictable

Christoph Hellwig (1):
  scsi: remove scsi_end_request

Crestez Dan Leonard (1):
  iio: Fix error handling in iio_trigger_attach_poll_func

Cyril Bur (1):
  powerpc/tm: Always reclaim in start_thread() for exec() class syscalls

Dan Carpenter (1):
  KEYS: potential uninitialized variable

Daniele Palmas (1):
  USB: serial: option: add support for Telit LE910 PID 0x1206

Dave Chinner (3):
  xfs: xfs_iflush_cluster fails to abort on error
  xfs: fix inode validity check in xfs_iflush_cluster
  xfs: skip stale inodes in xfs_iflush_cluster

Dave Jones (1):
  netfilter: ensure number of counters is >0 in do_replace()

Dave Weinstein (1):
  arm: oabi compat: add missing access checks

David Howells (1):
  KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace

Dmitri Epshtein (1):
  net: mvneta: set real interrupt per packet for tx_done

Dmitry Torokhov (1):
  tty/vt/keyboard: fix OOB access in do_compute_shiftstate()

Erez Shitrit (1):
  IB/IPoIB: Don't update neigh validity for unresolved entries

Eric Dumazet (1):
  udp: properly support MSG_PEEK with truncated buffers

Feng Tang (1):
  net: alx: Work around the DMA RX overflow issue

Florian Westphal (19):
  netfilter: x_tables: validate e->target_offset early
  netfilter: x_tables: make sure e->next_offset covers remaining blob
    size
  netfilter: x_tables: fix unconditional helper
  netfilter: x_tables: don't move to non-existent next rule
  netfilter: x_tables: validate targets of jumps
  netfilter: x_tables: add and use xt_check_entry_offsets
  netfilter: x_tables: kill check_entry helper
  netfilter: x_tables: assert minimum target size
  netfilter: x_tables: add compat version of xt_check_entry_offsets
  netfilter: x_tables: check standard target size too
  netfilter: x_tables: check for bogus target offset
  netfilter: x_tables: validate all offsets and sizes in a rule
  netfilter: x_tables: don't reject valid target size on some
    architectures
  netfilter: arp_tables: simplify translate_compat_table args
  netfilter: ip_tables: simplify translate_compat_table args
  netfilter: ip6_tables: simplify translate_compat_table args
  netfilter: x_tables: xt_compat_match_from_user doesn't need a retval
  netfilter: x_tables: do compat validation via translate_table
  netfilter: x_tables: introduce and use xt_copy_counters_from_user

Gavin Shan (1):
  powerpc/pseries: Fix PCI config address for DDW

Greg Kroah-Hartman (1):
  xfs: fix up backport error in fs/xfs/xfs_inode.c

Guilherme G. Piccoli (1):
  powerpc/iommu: Remove the dependency on EEH struct in DDW mechanism

H. Peter Anvin (1):
  x86, build: copy ldlinux.c32 to image.iso

Hari Bathini (1):
  powerpc/book3s64: Fix branching to OOL handlers in relocatable kernel

Helge Deller (1):
  parisc: Fix pagefault crash in unaligned __get_user() call

Herbert Xu (2):
  crypto: gcm - Filter out async ghash if necessary
  crypto: scatterwalk - Fix test in scatterwalk_done

Hugh Dickins (2):
  mm: migrate dirty page without clear_page_dirty_for_io etc
  tmpfs: fix regression hang in fallocate undo

Ilya Dryomov (1):
  libceph: apply new_state before new_up_client on incrementals

Iosif Harutyunov (1):
  ubi: Fix race condition between ubi device creation and udev

Itai Handler (1):
  drm/gma500: Fix possible out of bounds read

James Bottomley (1):
  scsi_lib: correctly retry failed zero length REQ_TYPE_FS commands

James C Boyd (1):
  HID: hid-input: Add parentheses to quell gcc warning

James Hogan (7):
  MIPS: KVM: Fix mapped fault broken commpage handling
  MIPS: KVM: Add missing gfn range check
  MIPS: KVM: Fix gfn range check in kseg0 tlb faults
  MIPS: KVM: Propagate kseg0/mapped tlb fault errors
  MIPS: Fix siginfo.h to use strict posix types
  MIPS: KVM: Fix modular KVM under QEMU
  metag: Fix __cmpxchg_u32 asm constraint for CMP

Jan Beulich (1):
  xen/acpi: allow xen-acpi-processor driver to load on Xen 4.7

Jan Willeke (1):
  s390/seccomp: fix error return for filtered system calls

Jann Horn (1):
  ecryptfs: forbid opening files without mmap handler

Jason Gunthorpe (2):
  IB/mlx4: Properly initialize GRH TClass and FlowLabel in AHs
  IB/security: Restrict use of the write() interface

Javier Martinez Canillas (2):
  s5p-mfc: Set device name for reserved memory region devs
  s5p-mfc: Add release callback for memory region devs

Jeff Mahoney (2):
  Revert "ecryptfs: forbid opening files without mmap handler"
  ecryptfs: don't allow mmap when the lower fs doesn't support it

Jiri Slaby (1):
  base: make module_create_drivers_dir race-free

Joseph Salisbury (1):
  ath5k: Change led pin configuration for compaq c700 laptop

Kangjie Lu (4):
  USB: usbfs: fix potential infoleak in devio
  ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
  ALSA: timer: Fix leak in events via snd_timer_user_ccallback
  ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt

Karl Heiss (1):
  sctp: Prevent soft lockup when sctp_accept() is called during a
    timeout event

Kirill A. Shutemov (1):
  UBIFS: Implement ->migratepage()

Konstantin Neumoin (1):
  balloon: check the number of available pages in leak balloon

Laura Abbott (1):
  ftrace/recordmcount: Work around for addition of metag magic but not
    relocations

Linus Walleij (2):
  crypto: ux500 - memmove the right size
  iio: accel: kxsd9: fix the usage of spi_w8r8()

Luis Henriques (1):
  net: rfkill: Do not ignore errors from regulator_enable()

Luis de Bethencourt (1):
  staging: iio: accel: fix error check

Lyude (2):
  drm/fb_helper: Fix references to dev->mode_config.num_connector
  drm/radeon: Poll for both connect/disconnect on analog connectors

Mark Brown (2):
  iio:ad7266: Fix broken regulator error handling
  iio:ad7266: Fix probe deferral for vref

Martin Willi (1):
  mac80211_hwsim: Add missing check for HWSIM_ATTR_SIGNAL

Masami Hiramatsu (1):
  kprobes/x86: Clear TF bit in fault on single-stepping

Matthias Schiffer (1):
  MIPS: ath79: make bootconsole wait for both THRE and TEMT

Mike Snitzer (1):
  dm flakey: error READ bios during the down_interval

Neil Horman (1):
  PCI/ACPI: Fix _OSC ordering to allow PCIe hotplug use when available

Nicolai Stange (2):
  ext4: address UBSAN warning in mb_find_order_for_block()
  ext4: silence UBSAN in ext4_mb_init()

Oliver Hartkopp (1):
  can: fix oops caused by wrong rtnl dellink usage

Palik, Imre (1):
  perf/x86: Honor the architectural performance monitoring version

Paolo Bonzini (1):
  KVM: x86: fix OOPS after invalid KVM_SET_DEBUGREGS

Paul Burton (1):
  MIPS: math-emu: Fix jalr emulation when rd == $0

Paul Moore (1):
  netlabel: add address family checks to netlbl_{sock,req}_delattr()

Ping Cheng (1):
  Input: wacom_w8001 - w8001_MAX_LENGTH should be 13

Prarit Bhargava (1):
  PCI: Disable all BAR sizing for devices with non-compliant BARs

Prasun Maiti (1):
  wext: Fix 32 bit iwpriv compatibility issue with 64 bit Kernel

Raghava Aditya Renukunta (2):
  aacraid: Relinquish CPU during timeout wait
  aacraid: Fix for aac_command_thread hang

Ralf Baechle (1):
  MIPS: Fix 64k page support for 32 bit kernels.

Richard Weinberger (2):
  mm: Export migrate_page_move_mapping and migrate_page_copy
  ubi: Make volume resize power cut aware

Ricky Liang (1):
  Input: uinput - handle compat ioctl for UI_SET_PHYS

Russell Currey (1):
  powerpc/pseries/eeh: Handle RTAS delay requests in configure_bridge

Russell King (1):
  ARM: fix PTRACE_SETVFPREGS on SMP systems

Sachin Prabhu (1):
  cifs: Check for existing directory when opening file with O_CREAT

Scott Bauer (1):
  HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES
    commands

Simon Horman (1):
  sit: correct IP protocol used in ipip6_err

Soheil Hassas Yeganeh (1):
  tcp: consider recv buf for the initial window scale

Steve French (1):
  Fix reconnect to not defer smb3 session reconnect long after socket
    reconnect

Steven Rostedt (Red Hat) (1):
  tracing: Handle NULL formats in hold_module_trace_bprintk_format()

Takashi Iwai (3):
  ALSA: dummy: Fix a use-after-free at closing
  ALSA: au88x0: Fix calculation in vortex_wtdma_bufshift()
  ALSA: ctl: Stop notification after disconnection

Taras Kondratiuk (1):
  mmc: block: fix packed command header endianness

Tejun Heo (1):
  printk: do cond_resched() between lines while outputting to consoles

Theodore Ts'o (1):
  ext4: fix hang when processing corrupted orphaned inode list

Thomas Huth (2):
  powerpc: Fix definition of SIAR and SDAR registers
  powerpc: Use privileged SPR number for MMCR2

Tim Gardner (1):
  be2iscsi: Fix bogus WARN_ON length check

Tom Goff (1):
  ipmr/ip6mr: Initialize the last assert time of mfc entries.

Tomer Barletz (1):
  ALSA: oxygen: Fix logical-not-parentheses warning

Tomáš Trnka (1):
  sunrpc: fix stripping of padded MIC tokens

Torsten Hilbrich (1):
  fs/nilfs2: fix potential underflow in call to crc32_le

Trond Myklebust (1):
  NFS: Fix another OPEN_DOWNGRADE bug

Ursula Braun (1):
  qeth: delete napi struct when removing a qeth device

Vegard Nossum (7):
  ext4: verify extent header depth
  ext4: check for extents that wrap around
  ext4: don't call ext4_should_journal_data() on the journal inode
  ext4: short-cut orphan cleanup on error
  ext4: fix reference counting bug on block allocation error
  block: fix use-after-free in seq file
  net/irda: fix NULL pointer dereference on memory allocation failure

Vignesh R (1):
  gpio: pca953x: Fix NBANK calculation for PCA9536

Ville Syrjälä (1):
  dma-debug: avoid spinlock recursion when disabling dma-debug

Vineet Gupta (1):
  ARC: use ASL assembler mnemonic

Vladimir Davydov (1):
  signal: remove warning about using SI_TKILL in rt_[tg]sigqueueinfo

Wei Fang (2):
  scsi: fix race between simultaneous decrements of ->host_failed
  fuse: fix wrong assignment of ->flags in fuse_send_init()

Willy Tarreau (3):
  USB: fix up faulty backports
  pipe: limit the per-user amount of pages allocated in pipes
  squash mm: Export migrate_page_... : also make it non-static

Wolfgang Grandegger (1):
  can: at91_can: RX queue could get stuck at high bus load

Xiubo Li (1):
  kvm: Fix irq route entries exceeding KVM_MAX_IRQ_ROUTES

Yishai Hadas (1):
  IB/mlx4: Fix the SQ size of an RC QP

Yoshihiro Shimoda (1):
  usb: renesas_usbhs: protect the CFIFOSEL setting in usbhsg_ep_enable()

Yuchung Cheng (1):
  tcp: record TLP and ER timer stats in v6 stats

dan.carpenter@oracle.com (1):
  spi: spi-xilinx: cleanup a check in xilinx_spi_txrx_bufs()

wang yanqing (1):
  rtlwifi: Fix logic error in enter/exit power-save mode

 Documentation/scsi/scsi_eh.txt                |   8 +-
 Documentation/sysctl/fs.txt                   |  23 ++
 arch/arc/kernel/stacktrace.c                  |   2 +-
 arch/arc/mm/tlbex.S                           |   4 +-
 arch/arm/kernel/ptrace.c                      |   2 +-
 arch/arm/kernel/sys_oabi-compat.c             |   8 +-
 arch/metag/include/asm/cmpxchg_lnkget.h       |   2 +-
 arch/mips/ath79/early_printk.c                |   6 +-
 arch/mips/include/asm/kvm_host.h              |   1 +
 arch/mips/include/asm/processor.h             |   2 +-
 arch/mips/include/uapi/asm/siginfo.h          |  18 +-
 arch/mips/kernel/scall64-n32.S                |   2 +-
 arch/mips/kernel/scall64-o32.S                |   2 +-
 arch/mips/kvm/kvm_locore.S                    |   1 +
 arch/mips/kvm/kvm_mips.c                      |  11 +-
 arch/mips/kvm/kvm_mips_emul.c                 |  33 ++-
 arch/mips/kvm/kvm_mips_int.h                  |   2 +
 arch/mips/kvm/kvm_tlb.c                       |  61 +++--
 arch/mips/math-emu/cp1emu.c                   |   8 +-
 arch/parisc/kernel/unaligned.c                |  10 +-
 arch/powerpc/include/asm/reg.h                |   6 +-
 arch/powerpc/kernel/exceptions-64s.S          |  16 +-
 arch/powerpc/kernel/process.c                 |  10 +
 arch/powerpc/platforms/pseries/eeh_pseries.c  |  51 ++--
 arch/powerpc/platforms/pseries/iommu.c        |  24 +-
 arch/s390/include/asm/syscall.h               |   2 +-
 arch/x86/boot/Makefile                        |   3 +
 arch/x86/include/asm/mmu_context.h            |  33 ++-
 arch/x86/kernel/amd_nb.c                      |   4 +-
 arch/x86/kernel/apm_32.c                      |   2 +-
 arch/x86/kernel/cpu/perf_event_intel.c        |  11 +-
 arch/x86/kernel/kprobes/core.c                |  12 +
 arch/x86/kvm/x86.c                            |   5 +
 arch/x86/mm/tlb.c                             |  24 +-
 block/genhd.c                                 |   1 +
 crypto/gcm.c                                  |   4 +-
 crypto/scatterwalk.c                          |   3 +-
 drivers/acpi/pci_root.c                       |  67 ++---
 drivers/ata/libata-eh.c                       |   2 +-
 drivers/base/module.c                         |   8 +-
 drivers/crypto/ux500/hash/hash_core.c         |   4 +-
 drivers/gpio/gpio-pca953x.c                   |   2 +-
 drivers/gpu/drm/drm_fb_helper.c               |   5 +-
 drivers/gpu/drm/gma500/mdfld_dsi_pkg_sender.c |   2 +-
 drivers/gpu/drm/radeon/radeon_atombios.c      |   4 +-
 drivers/gpu/drm/radeon/radeon_atpx_handler.c  |   5 +
 drivers/gpu/drm/radeon/radeon_connectors.c    |  15 +-
 drivers/gpu/drm/radeon/radeon_device.c        |  21 ++
 drivers/hid/hid-input.c                       |   2 +-
 drivers/hid/usbhid/hiddev.c                   |  10 +-
 drivers/iio/accel/kxsd9.c                     |   4 +-
 drivers/iio/adc/ad7266.c                      |   6 +-
 drivers/iio/industrialio-trigger.c            |  23 +-
 drivers/infiniband/core/ucm.c                 |   4 +
 drivers/infiniband/core/ucma.c                |   4 +
 drivers/infiniband/core/uverbs_main.c         |   5 +
 drivers/infiniband/hw/mlx4/ah.c               |   2 +-
 drivers/infiniband/hw/mlx4/qp.c               |   2 +-
 drivers/infiniband/hw/qib/qib_file_ops.c      |   5 +
 drivers/infiniband/ulp/ipoib/ipoib_main.c     |   4 +-
 drivers/input/joystick/xpad.c                 |   3 +
 drivers/input/misc/uinput.c                   |   6 +
 drivers/input/touchscreen/wacom_w8001.c       |   2 +-
 drivers/isdn/hardware/mISDN/hfcpci.c          |   4 +-
 drivers/md/dm-flakey.c                        |  23 +-
 drivers/media/dvb-frontends/stb6100.c         |   2 +-
 drivers/media/platform/s5p-mfc/s5p_mfc.c      |  11 +
 drivers/mmc/card/block.c                      |  12 +-
 drivers/mtd/ubi/build.c                       |   5 +-
 drivers/mtd/ubi/vmt.c                         |  25 +-
 drivers/net/can/at91_can.c                    |   5 +-
 drivers/net/can/dev.c                         |   6 +
 drivers/net/ethernet/atheros/alx/main.c       |   7 +-
 drivers/net/ethernet/marvell/mvneta.c         |   2 +-
 drivers/net/usb/cdc_ncm.c                     |  27 +-
 drivers/net/wireless/ath/ath5k/led.c          |   2 +-
 drivers/net/wireless/mac80211_hwsim.c         |   1 +
 drivers/net/wireless/rtlwifi/base.c           |   4 +-
 drivers/pci/probe.c                           |   6 +-
 drivers/platform/x86/hp-wmi.c                 |   5 +
 drivers/s390/net/qeth_l2_main.c               |   1 +
 drivers/s390/net/qeth_l3_main.c               |   1 +
 drivers/scsi/aacraid/commsup.c                |  12 +-
 drivers/scsi/be2iscsi/be_main.c               |   2 +-
 drivers/scsi/ipr.c                            |   1 +
 drivers/scsi/scsi_error.c                     |   4 +-
 drivers/scsi/scsi_lib.c                       | 116 +++------
 drivers/spi/spi-xilinx.c                      |   2 +-
 drivers/staging/iio/accel/sca3000_core.c      |   2 +-
 drivers/tty/vt/keyboard.c                     |  30 +--
 drivers/usb/core/devio.c                      |   9 +-
 drivers/usb/core/hub.c                        |  23 +-
 drivers/usb/core/quirks.c                     |  16 +-
 drivers/usb/musb/musb_host.c                  |  21 +-
 drivers/usb/renesas_usbhs/mod_gadget.c        |   9 +-
 drivers/usb/serial/option.c                   |   3 +
 drivers/virtio/virtio_balloon.c               |   2 +
 drivers/xen/xen-acpi-processor.c              |  35 +--
 drivers/xen/xen-pciback/conf_space.c          |   6 +-
 fs/cifs/connect.c                             |   4 +-
 fs/cifs/dir.c                                 |  24 +-
 fs/cifs/smb2pdu.c                             |  27 ++
 fs/dcache.c                                   |   4 +-
 fs/ecryptfs/file.c                            |  15 +-
 fs/ext4/extents.c                             |  12 +-
 fs/ext4/ialloc.c                              |  10 +-
 fs/ext4/inode.c                               |   6 +-
 fs/ext4/mballoc.c                             |  27 +-
 fs/ext4/super.c                               |  10 +
 fs/fuse/inode.c                               |   2 +-
 fs/nfs/nfs4proc.c                             |   5 +-
 fs/nilfs2/the_nilfs.c                         |   2 +-
 fs/pipe.c                                     |  47 +++-
 fs/ubifs/file.c                               |  24 ++
 fs/xfs/xfs_inode.c                            |  26 +-
 include/linux/console.h                       |   1 +
 include/linux/migrate.h                       |   3 +
 include/linux/netfilter/x_tables.h            |  12 +-
 include/linux/pipe_fs_i.h                     |   4 +
 include/linux/sched.h                         |   1 +
 include/linux/usb/ehci_def.h                  |   4 +-
 include/rdma/ib.h                             |  54 ++++
 kernel/module.c                               |  13 +-
 kernel/panic.c                                |   3 +
 kernel/printk.c                               |  35 ++-
 kernel/signal.c                               |  14 +-
 kernel/sysctl.c                               |  14 +
 kernel/trace/trace_printk.c                   |   7 +-
 lib/dma-debug.c                               |   2 +-
 mm/migrate.c                                  |  55 ++--
 mm/shmem.c                                    |   8 +-
 net/bluetooth/l2cap_sock.c                    |   2 +-
 net/ceph/osdmap.c                             | 152 +++++++----
 net/ipv4/ipmr.c                               |   4 +-
 net/ipv4/netfilter/arp_tables.c               | 327 ++++++++---------------
 net/ipv4/netfilter/ip_tables.c                | 360 ++++++++------------------
 net/ipv4/tcp_input.c                          |  14 +-
 net/ipv4/tcp_output.c                         |   3 +-
 net/ipv4/udp.c                                |   6 +-
 net/ipv6/ip6mr.c                              |   1 +
 net/ipv6/netfilter/ip6_tables.c               | 354 ++++++++-----------------
 net/ipv6/sit.c                                |   4 +-
 net/ipv6/tcp_ipv6.c                           |   4 +-
 net/ipv6/udp.c                                |   6 +-
 net/irda/af_irda.c                            |   7 +-
 net/mac80211/mesh.c                           |   4 +
 net/netfilter/x_tables.c                      | 245 +++++++++++++++++-
 net/netlabel/netlabel_kapi.c                  |  12 +-
 net/rfkill/rfkill-regulator.c                 |   8 +-
 net/sctp/sm_sideeffect.c                      |  42 +--
 net/sunrpc/auth_gss/svcauth_gss.c             |   4 +-
 net/wireless/wext-core.c                      |  25 +-
 scripts/asn1_compiler.c                       |   2 +
 scripts/recordmcount.c                        |   9 +-
 security/keys/key.c                           |   2 +-
 sound/core/control.c                          |   2 +
 sound/core/timer.c                            |   3 +
 sound/drivers/dummy.c                         |   1 +
 sound/pci/au88x0/au88x0_core.c                |   5 +-
 sound/pci/oxygen/oxygen_mixer.c               |   2 +-
 virt/kvm/kvm_main.c                           |   2 +-
 161 files changed, 1869 insertions(+), 1294 deletions(-)
 create mode 100644 include/rdma/ib.h

-- 
2.8.0.rc2.1.gbe9624a

[PATCH 3.10 099/180] fix d_walk()/non-delayed __d_free() race

[Willy Tarreau]

From: Al Viro <viro@zeniv.linux.org.uk>

commit 3d56c25e3bb0726a5c5e16fc2d9e38f8ed763085 upstream.

Ascend-to-parent logics in d_walk() depends on all encountered child
dentries not getting freed without an RCU delay.  Unfortunately, in
quite a few cases it is not true, with hard-to-hit oopsable race as
the result.

Fortunately, the fix is simiple; right now the rule is "if it ever
been hashed, freeing must be delayed" and changing it to "if it
ever had a parent, freeing must be delayed" closes that hole and
covers all cases the old rule used to cover.  Moreover, pipes and
sockets remain _not_ covered, so we do not introduce RCU delay in
the cases which are the reason for having that delay conditional
in the first place.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
 fs/dcache.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/dcache.c b/fs/dcache.c
index 17222fa..2a808fb 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -1311,7 +1311,7 @@ struct dentry *d_alloc(struct dentry * parent, const struct qstr *name)
 	struct dentry *dentry = __d_alloc(parent->d_sb, name);
 	if (!dentry)
 		return NULL;
-
+	dentry->d_flags |= DCACHE_RCUACCESS;
 	spin_lock(&parent->d_lock);
 	/*
 	 * don't need child lock because it is not subject
@@ -2101,7 +2101,6 @@ static void __d_rehash(struct dentry * entry, struct hlist_bl_head *b)
 {
 	BUG_ON(!d_unhashed(entry));
 	hlist_bl_lock(b);
-	entry->d_flags |= DCACHE_RCUACCESS;
 	hlist_bl_add_head_rcu(&entry->d_hash, b);
 	hlist_bl_unlock(b);
 }
@@ -2285,6 +2284,7 @@ static void __d_move(struct dentry * dentry, struct dentry * target)
 
 	/* ... and switch the parents */
 	if (IS_ROOT(dentry)) {
+		dentry->d_flags |= DCACHE_RCUACCESS;
 		dentry->d_parent = target->d_parent;
 		target->d_parent = target;
 		INIT_LIST_HEAD(&target->d_child);
-- 
2.8.0.rc2.1.gbe9624a