Fubo Chen [Wed, 9 Feb 2011 23:34:48 +0000 (15:34 -0800)]
[SCSI] target: fixed missing lock drop in error path
The struct se_node_acl->device_list_lock needs to be released if either
sanity check for struct se_dev_entry->se_lun_acl or deve->se_lun fails.
Signed-off-by: Fubo Chen <fubo.chen@gmail.com>
Signed-off-by: Nicholas A. Bellinger <nab@linux-iscsi.org>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Nicholas Bellinger [Wed, 9 Feb 2011 23:34:43 +0000 (15:34 -0800)]
[SCSI] target: Fix demo-mode MappedLUN shutdown UA/PR breakage
This patch fixes a bug in core_update_device_list_for_node() where
individual demo-mode generated MappedLUN's UA + Persistent
Reservations metadata where being leaked, instead of falling through
and calling existing core_scsi3_ua_release_all() and
core_scsi3_free_pr_reg_from_nacl() at the end of
core_update_device_list_for_node().
This bug would manifest itself with the following OOPs w/ TPG
demo-mode endpoints (tfo->tpg_check_demo_mode()=1), and PROUT
REGISTER+RESERVE -> explict struct se_session logout -> struct
se_device shutdown:
[ 697.021139] LIO_iblock used greatest stack depth: 2704 bytes left
[ 702.235017] general protection fault: 0000 [#1] SMP
[ 702.235074] last sysfs file: /sys/devices/virtual/net/lo/operstate
[ 704.372695] CPU 0
[ 704.372725] Modules linked in: crc32c target_core_stgt scsi_tgt target_core_pscsi target_core_file target_core_iblock target_core_mod configfs sr_mod cdrom sd_mod ata_piix mptspi mptscsih libata mptbase [last unloaded: iscsi_target_mod]
[ 704.375442]
[ 704.375563] Pid: 4964, comm: tcm_node Not tainted 2.6.37+ #1 440BX Desktop Reference Platform/VMware Virtual Platform
[ 704.375912] RIP: 0010:[<
ffffffffa00aaa16>] [<
ffffffffa00aaa16>] __core_scsi3_complete_pro_release+0x31/0x133 [target_core_mod]
[ 704.376017] RSP: 0018:
ffff88001e5ffcb8 EFLAGS:
00010296
[ 704.376017] RAX:
6d32335b1b0a0d0a RBX:
ffff88001d952cb0 RCX:
0000000000000015
[ 704.376017] RDX:
ffff88001b428000 RSI:
ffff88001da5a4c0 RDI:
ffff88001e5ffcd8
[ 704.376017] RBP:
ffff88001e5ffd28 R08:
ffff88001e5ffcd8 R09:
ffff88001d952080
[ 704.377116] R10:
ffff88001dfc5480 R11:
ffff88001df8abb0 R12:
ffff88001d952cb0
[ 704.377319] R13:
0000000000000000 R14:
ffff88001df8abb0 R15:
ffff88001b428000
[ 704.377521] FS:
00007f033d15c6e0(0000) GS:
ffff88001fa00000(0000) knlGS:
0000000000000000
[ 704.377861] CS: 0010 DS: 0000 ES: 0000 CR0:
000000008005003b
[ 704.378043] CR2:
00007fff09281510 CR3:
000000001e5db000 CR4:
00000000000006f0
[ 704.378110] DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
[ 704.378110] DR3:
0000000000000000 DR6:
00000000ffff0ff0 DR7:
0000000000000400
[ 704.378110] Process tcm_node (pid: 4964, threadinfo
ffff88001e5fe000, task
ffff88001d99c260)
[ 704.378110] Stack:
[ 704.378110]
ffffea0000678980 ffff88001da5a4c0 ffffea0000678980 ffff88001f402b00
[ 704.378110]
ffff88001e5ffd08 ffffffff810ea236 ffff88001e5ffd18 0000000000000282
[ 704.379772]
ffff88001d952080 ffff88001d952cb0 ffff88001d952cb0 ffff88001dc79010
[ 704.380082] Call Trace:
[ 704.380220] [<
ffffffff810ea236>] ? __slab_free+0x89/0x11c
[ 704.380403] [<
ffffffffa00ab781>] core_scsi3_free_all_registrations+0x3e/0x157 [target_core_mod]
[ 704.380479] [<
ffffffffa00a752b>] se_release_device_for_hba+0xa6/0xd8 [target_core_mod]
[ 704.380479] [<
ffffffffa00a7598>] se_free_virtual_device+0x3b/0x45 [target_core_mod]
[ 704.383750] [<
ffffffffa00a3177>] target_core_drop_subdev+0x13a/0x18d [target_core_mod]
[ 704.384068] [<
ffffffffa00960db>] client_drop_item+0x25/0x31 [configfs]
[ 704.384263] [<
ffffffffa00967b5>] configfs_rmdir+0x1a1/0x223 [configfs]
[ 704.384459] [<
ffffffff810fa8cd>] vfs_rmdir+0x7e/0xd3
[ 704.384631] [<
ffffffff810fc3be>] do_rmdir+0xa3/0xf4
[ 704.384895] [<
ffffffff810eed15>] ? filp_close+0x67/0x72
[ 704.386485] [<
ffffffff810fc446>] sys_rmdir+0x11/0x13
[ 704.387893] [<
ffffffff81002a92>] system_call_fastpath+0x16/0x1b
[ 704.388083] Code: 4c 8d 45 b0 41 56 49 89 d7 41 55 41 89 cd 41 54 b9 15 00 00 00 53 48 89 fb 48 83 ec 48 4c 89 c7 48 89 75 98 48 8b 86 28 01 00 00 <48> 8b 80 90 01 00 00 48 89 45 a0 31 c0 f3 aa c7 45 ac 00 00 00
[ 704.388763] RIP [<
ffffffffa00aaa16>] __core_scsi3_complete_pro_release+0x31/0x133 [target_core_mod]
[ 704.389142] RSP <
ffff88001e5ffcb8>
[ 704.389572] ---[ end trace
2a3614f3cd6261a5 ]---
Signed-off-by: Nicholas A. Bellinger <nab@linux-iscsi.org>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Nicholas Bellinger [Wed, 9 Feb 2011 23:34:38 +0000 (15:34 -0800)]
[SCSI] target/iblock: Fix failed bd claim NULL pointer dereference
This patch adds an explict check for struct iblock_dev->ibd_bd in
iblock_free_device() before calling blkdev_put(), which will otherwise hit
the following NULL pointer dereference @ ib_dev->ibd_bd when iblock_create_virtdevice()
fails to claim an already in-use struct block_device via blkdev_get_by_path().
[ 112.528578] Target_Core_ConfigFS: Allocated struct se_subsystem_dev:
ffff88001e750000 se_dev_su_ptr:
ffff88001dd05d70
[ 112.534681] Target_Core_ConfigFS: Calling t->free_device() for se_dev_su_ptr:
ffff88001dd05d70
[ 112.535029] BUG: unable to handle kernel NULL pointer dereference at
0000000000000020
[ 112.535029] IP: [<
ffffffff814987a3>] mutex_lock+0x14/0x35
[ 112.535029] PGD
1e5d0067 PUD
1e274067 PMD 0
[ 112.535029] Oops: 0002 [#1] SMP
[ 112.535029] last sysfs file: /sys/devices/pci0000:00/0000:00:07.1/host2/target2:0:0/2:0:0:0/type
[ 112.535029] CPU 0
[ 112.535029] Modules linked in: iscsi_target_mod target_core_stgt scsi_tgt target_core_pscsi target_core_file target_core_iblock target_core_mod configfs sr_mod cdrom sd_mod ata_piix mptspi mptscsih libata mptbase [last unloaded: scsi_wait_scan]
[ 112.535029]
[ 112.535029] Pid: 3345, comm: python2.5 Not tainted 2.6.37+ #1 440BX Desktop Reference Platform/VMware Virtual Platform
[ 112.535029] RIP: 0010:[<
ffffffff814987a3>] [<
ffffffff814987a3>] mutex_lock+0x14/0x35
[ 112.535029] RSP: 0018:
ffff88001e6d7d58 EFLAGS:
00010246
[ 112.535029] RAX:
0000000000000000 RBX:
0000000000000020 RCX:
0000000000000082
[ 112.535029] RDX:
ffff88001e6d7fd8 RSI:
0000000000000083 RDI:
0000000000000020
[ 112.535029] RBP:
ffff88001e6d7d68 R08:
0000000000000000 R09:
0000000000000000
[ 112.535029] R10:
ffff8800000be860 R11:
ffff88001f420000 R12:
0000000000000020
[ 112.535029] R13:
0000000000000083 R14:
ffff88001d809430 R15:
ffff88001d8094f8
[ 112.535029] FS:
00007ff17ca7d6e0(0000) GS:
ffff88001fa00000(0000) knlGS:
0000000000000000
[ 112.535029] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 112.535029] CR2:
0000000000000020 CR3:
000000001e5d2000 CR4:
00000000000006f0
[ 112.535029] DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
[ 112.535029] DR3:
0000000000000000 DR6:
00000000ffff0ff0 DR7:
0000000000000400
[ 112.535029] Process python2.5 (pid: 3345, threadinfo
ffff88001e6d6000, task
ffff88001e2d0760)
[ 112.535029] Stack:
[ 112.535029]
ffff88001e6d7d88 0000000000000000 ffff88001e6d7d98 ffffffff811187fc
[ 112.535029]
ffff88001d809430 ffff88001dd05d70 ffff88001e750860 ffff88001e750000
[ 112.535029]
ffff88001e6d7db8 ffffffffa00e3757 ffff88001e6d7db8 0000000000000004
[ 112.535029] Call Trace:
[ 112.535029] [<
ffffffff811187fc>] blkdev_put+0x28/0x107
[ 112.535029] [<
ffffffffa00e3757>] iblock_free_device+0x1d/0x36 [target_core_iblock]
[ 112.535029] [<
ffffffffa00a319c>] target_core_drop_subdev+0x15f/0x18d [target_core_mod]
[ 112.535029] [<
ffffffffa00960db>] client_drop_item+0x25/0x31 [configfs]
[ 112.535029] [<
ffffffffa00967b5>] configfs_rmdir+0x1a1/0x223 [configfs]
[ 112.535029] [<
ffffffff810fa8cd>] vfs_rmdir+0x7e/0xd3
[ 112.535029] [<
ffffffff810fc3be>] do_rmdir+0xa3/0xf4
[ 112.535029] [<
ffffffff810fc446>] sys_rmdir+0x11/0x13
[ 112.535029] [<
ffffffff81002a92>] system_call_fastpath+0x16/0x1b
[ 112.535029] Code: 8b 04 25 88 b5 00 00 48 2d d8 1f 00 00 48 89 43 18 31 c0 5e 5b c9 c3 55 48 89 e5 53 48 89 fb 48 83 ec 08 e8 c4 f7 ff ff 48 89 df <3e> ff 0f 79 05 e8 1e ff ff ff 65 48 8b 04 25 88 b5 00 00 48 2d
[ 112.535029] RIP [<
ffffffff814987a3>] mutex_lock+0x14/0x35
[ 112.535029] RSP <
ffff88001e6d7d58>
[ 112.535029] CR2:
0000000000000020
[ 132.679636] ---[ end trace
05754bb48eb828f0 ]---
Note it also adds an second explict check for ib_dev->ibd_bio_set before calling
bioset_free() to fix the same possible NULL pointer deference during an early
iblock_create_virtdevice() failure.
Signed-off-by: Nicholas A. Bellinger <nab@linux-iscsi.org>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Dan Carpenter [Wed, 9 Feb 2011 23:34:36 +0000 (15:34 -0800)]
[SCSI] target: iblock/pscsi claim checking for NULL instead of IS_ERR
blkdev_get_by_path() returns an ERR_PTR() or error and it doesn't return
a NULL. It looks like this bug would be easy to trigger by mistake.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Nicholas A. Bellinger <nab@linux-iscsi.org>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Darrick J. Wong [Tue, 1 Feb 2011 02:47:54 +0000 (18:47 -0800)]
[SCSI] scsi_debug: Fix 32-bit overflow in do_device_access causing memory corruption
If I create a scsi_debug device that is larger than 4GB, the multiplication of
(block * scsi_debug_sector_size) can produce a 64-bit value. Unfortunately,
the compiler sees two 32-bit quantities and performs a 32-bit multiplication,
thus truncating the bits above 2^32. This causes the wrong memory location to
be read or written. Change block and rest to be unsigned long long.
Signed-off-by: Darrick J. Wong <djwong@us.ibm.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Madhuranath Iyengar [Fri, 28 Jan 2011 23:17:56 +0000 (15:17 -0800)]
[SCSI] qla2xxx: Change from irq to irqsave with host_lock
Make the driver safer by using irqsave/irqrestore with host_lock.
Signed-off-by: Madhuranath Iyengar <Madhu.Iyengar@qlogic.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
James Bottomley [Thu, 27 Jan 2011 21:12:37 +0000 (16:12 -0500)]
[SCSI] qla2xxx: Fix race that could hang kthread_stop()
There is a small race window in qla2x00_do_dpc() between
checking for kthread_should_stop() and going to sleep after
setting TASK_INTERRUPTIBLE. If qla2x00_free_device() is called
in this window, kthread_stop will wait forever because there
will be no one to wake up the process.
Fix by making sure we only set TASK_INTERRUPTIBLE before checking
kthread_stop().
Reported-by: Bandan Das <bandan.das@stratus.com>
Acked-by: Madhuranath Iyengar <Madhu.Iyengar@qlogic.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Linus Torvalds [Sat, 12 Feb 2011 00:30:09 +0000 (16:30 -0800)]
Merge branch 'kvm-updates/2.6.38' of git://git./virt/kvm/kvm
* 'kvm-updates/2.6.38' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
KVM: SVM: Make sure KERNEL_GS_BASE is valid when loading gs_index
Linus Torvalds [Sat, 12 Feb 2011 00:30:05 +0000 (16:30 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/bp/bp
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/bp/bp:
amd64_edac: Fix DIMMs per DCTs output
Linus Torvalds [Sat, 12 Feb 2011 00:29:57 +0000 (16:29 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/teigland/dlm
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/teigland/dlm:
dlm: use single thread workqueues
Linus Torvalds [Sat, 12 Feb 2011 00:29:50 +0000 (16:29 -0800)]
Merge git://git./linux/kernel/git/sfrench/cifs-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/sfrench/cifs-2.6:
cifs: don't always drop malformed replies on the floor (try #3)
cifs: clean up checks in cifs_echo_request
[CIFS] Do not send SMBEcho requests on new sockets until SMBNegotiate
Linus Torvalds [Sat, 12 Feb 2011 00:16:25 +0000 (16:16 -0800)]
Merge branch 'hwmon-for-linus' of git://git./linux/kernel/git/groeck/staging
* 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/staging:
hwmon: (emc1403) Fix I2C address range
hwmon: (lm63) Consider LM64 temperature offset
Linus Torvalds [Sat, 12 Feb 2011 00:16:03 +0000 (16:16 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/jmorris/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
pci: use security_capable() when checking capablities during config space read
security: add cred argument to security_capable()
tpm_tis: Use timeouts returned from TPM
Linus Torvalds [Sat, 12 Feb 2011 00:15:15 +0000 (16:15 -0800)]
Merge branch 's5p-fixes-for-linus' of git://git./linux/kernel/git/kgene/linux-samsung
* 's5p-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/kgene/linux-samsung:
ARM: SAMSUNG: Ensure struct sys_device is declared in plat/pm.h
ARM: S5PV310: Cleanup System MMU
ARM: S5PV310: Add support System MMU on SMDKV310
Linus Torvalds [Sat, 12 Feb 2011 00:13:53 +0000 (16:13 -0800)]
Merge branch 'next' of git://git.monstr.eu/linux-2.6-microblaze
* 'next' of git://git.monstr.eu/linux-2.6-microblaze:
microblaze: Fix msr instruction detection
microblaze: Fix pte_update function
microblaze: Fix asm compilation warning
microblaze: Fix IRQ flag handling for MSR=0
Julia Lawall [Thu, 10 Feb 2011 23:01:37 +0000 (15:01 -0800)]
drivers/w1/masters/omap_hdq.c: add missing clk_put
This code makes two calls to clk_get, then test both return values and
fails if either failed.
The problem is that in the first inner if, where the first call to
clk_get has failed, it don't know if the second call has failed as well.
So it don't know whether clk_get should be called on the result of the
second call. Of course, it would be possible to test that value again.
A simpler solution is just to test the result of calling clk_get
directly after each call.
The semantic match that finds this problem is as follows:
(http://coccinelle.lip6.fr/)
// <smpl>
@r@
position p1,p2;
expression e;
statement S;
@@
e = clk_get@p1(...)
...
if@p2 (IS_ERR(e)) S
@@
expression e;
statement S;
identifier l;
position r.p1, p2 != r.p2;
@@
*e = clk_get@p1(...)
... when != clk_put(e)
*if@p2 (...)
{
... when != clk_put(e)
* return ...;
}// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Cc: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
Acked-by: Tony Lindgren <tony@atomide.com>
Acked-by: Amit Kucheria <amit.kucheria@canonical.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
KAMEZAWA Hiroyuki [Thu, 10 Feb 2011 23:01:36 +0000 (15:01 -0800)]
memcg: fix leak of accounting at failure path of hugepage collapsing
mem_cgroup_uncharge_page() should be called in all failure cases after
mem_cgroup_charge_newpage() is called in huge_memory.c::collapse_huge_page()
[ 4209.076861] BUG: Bad page state in process khugepaged pfn:1e9800
[ 4209.077601] page:
ffffea0006b14000 count:0 mapcount:0 mapping: (null) index:0x2800
[ 4209.078674] page flags: 0x40000000004000(head)
[ 4209.079294] pc:
ffff880214a30000 pc->flags:
2146246697418756 pc->mem_cgroup:
ffffc9000177a000
[ 4209.082177] (/A)
[ 4209.082500] Pid: 31, comm: khugepaged Not tainted 2.6.38-rc3-mm1 #1
[ 4209.083412] Call Trace:
[ 4209.083678] [<
ffffffff810f4454>] ? bad_page+0xe4/0x140
[ 4209.084240] [<
ffffffff810f53e6>] ? free_pages_prepare+0xd6/0x120
[ 4209.084837] [<
ffffffff8155621d>] ? rwsem_down_failed_common+0xbd/0x150
[ 4209.085509] [<
ffffffff810f5462>] ? __free_pages_ok+0x32/0xe0
[ 4209.086110] [<
ffffffff810f552b>] ? free_compound_page+0x1b/0x20
[ 4209.086699] [<
ffffffff810fad6c>] ? __put_compound_page+0x1c/0x30
[ 4209.087333] [<
ffffffff810fae1d>] ? put_compound_page+0x4d/0x200
[ 4209.087935] [<
ffffffff810fb015>] ? put_page+0x45/0x50
[ 4209.097361] [<
ffffffff8113f779>] ? khugepaged+0x9e9/0x1430
[ 4209.098364] [<
ffffffff8107c870>] ? autoremove_wake_function+0x0/0x40
[ 4209.099121] [<
ffffffff8113ed90>] ? khugepaged+0x0/0x1430
[ 4209.099780] [<
ffffffff8107c236>] ? kthread+0x96/0xa0
[ 4209.100452] [<
ffffffff8100dda4>] ? kernel_thread_helper+0x4/0x10
[ 4209.101214] [<
ffffffff8107c1a0>] ? kthread+0x0/0xa0
[ 4209.101842] [<
ffffffff8100dda0>] ? kernel_thread_helper+0x0/0x10
Signed-off-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Acked-by: Daisuke Nishimura <nishimura@mxp.nes.nec.co.jp>
Reviewed-by: Johannes Weiner <hannes@cmpxchg.org>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Reviewed-by: Minchan Kim <minchan.kim@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Johannes Weiner [Thu, 10 Feb 2011 23:01:34 +0000 (15:01 -0800)]
vmscan: fix zone shrinking exit when scan work is done
Commit
3e7d34497067 ("mm: vmscan: reclaim order-0 and use compaction
instead of lumpy reclaim") introduced an indefinite loop in
shrink_zone().
It meant to break out of this loop when no pages had been reclaimed and
not a single page was even scanned. The way it would detect the latter
is by taking a snapshot of sc->nr_scanned at the beginning of the
function and comparing it against the new sc->nr_scanned after the scan
loop. But it would re-iterate without updating that snapshot, looping
forever if sc->nr_scanned changed at least once since shrink_zone() was
invoked.
This is not the sole condition that would exit that loop, but it
requires other processes to change the zone state, as the reclaimer that
is stuck obviously can not anymore.
This is only happening for higher-order allocations, where reclaim is
run back to back with compaction.
Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Reported-by: Michal Hocko <mhocko@suse.cz>
Tested-by: Kent Overstreet<kent.overstreet@gmail.com>
Reported-by: Kent Overstreet <kent.overstreet@gmail.com>
Acked-by: Mel Gorman <mel@csn.ul.ie>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Rik van Riel <riel@redhat.com>
Reviewed-by: Minchan Kim <minchan.kim@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Michel Lespinasse [Thu, 10 Feb 2011 23:01:33 +0000 (15:01 -0800)]
mlock: do not munlock pages in __do_fault()
If the page is going to be written to, __do_page needs to break COW.
However, the old page (before breaking COW) was never mapped mapped into
the current pte (__do_fault is only called when the pte is not present),
so vmscan can't have marked the old page as PageMlocked due to being
mapped in __do_fault's VMA. Therefore, __do_fault() does not need to
worry about clearing PageMlocked() on the old page.
Signed-off-by: Michel Lespinasse <walken@google.com>
Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Acked-by: Hugh Dickins <hughd@google.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Michel Lespinasse [Thu, 10 Feb 2011 23:01:32 +0000 (15:01 -0800)]
mlock: fix race when munlocking pages in do_wp_page()
vmscan can lazily find pages that are mapped within VM_LOCKED vmas, and
set the PageMlocked bit on these pages, transfering them onto the
unevictable list. When do_wp_page() breaks COW within a VM_LOCKED vma,
it may need to clear PageMlocked on the old page and set it on the new
page instead.
This change fixes an issue where do_wp_page() was clearing PageMlocked
on the old page while the pte was still pointing to it (as well as
rmap). Therefore, we were not protected against vmscan immediately
transfering the old page back onto the unevictable list. This could
cause pages to get stranded there forever.
I propose to move the corresponding code to the end of do_wp_page(),
after the pte (and rmap) have been pointed to the new page.
Additionally, we can use munlock_vma_page() instead of
clear_page_mlock(), so that the old page stays mlocked if there are
still other VM_LOCKED vmas mapping it.
Signed-off-by: Michel Lespinasse <walken@google.com>
Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Acked-by: Hugh Dickins <hughd@google.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Yinghai Lu [Thu, 10 Feb 2011 23:01:30 +0000 (15:01 -0800)]
memblock: don't adjust size in memblock_find_base()
While applying patch to use memblock to find aperture for 64bit x86.
Ingo found system with 1g + force_iommu
> No AGP bridge found
> Node 0: aperture @
38000000 size 32 MB
> Aperture pointing to e820 RAM. Ignoring.
> Your BIOS doesn't leave a aperture memory hole
> Please enable the IOMMU option in the BIOS setup
> This costs you 64 MB of RAM
> Cannot allocate aperture memory hole (0,65536K)
the corresponding code:
addr = memblock_find_in_range(0, 1ULL<<32, aper_size, 512ULL<<20);
if (addr == MEMBLOCK_ERROR || addr + aper_size > 0xffffffff) {
printk(KERN_ERR
"Cannot allocate aperture memory hole (%lx,%uK)\n",
addr, aper_size>>10);
return 0;
}
memblock_x86_reserve_range(addr, addr + aper_size, "aperture64")
fails because memblock core code align the size with 512M. That could
make size way too big.
So don't align the size in that case.
actually __memblock_alloc_base, the another caller already align that
before calling that function.
BTW. x86 does not use __memblock_alloc_base...
Signed-off-by: Yinghai Lu <yinghai@kernel.org>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: David Miller <davem@davemloft.net>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Dave Airlie <airlied@linux.ie>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Soren Hansen [Thu, 10 Feb 2011 23:01:28 +0000 (15:01 -0800)]
nbd: remove module-level ioctl mutex
Commit
2a48fc0ab242417 ("block: autoconvert trivial BKL users to private
mutex") replaced uses of the BKL in the nbd driver with mutex
operations. Since then, I've been been seeing these lock ups:
INFO: task qemu-nbd:16115 blocked for more than 120 seconds.
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
qemu-nbd D
0000000000000001 0 16115 16114 0x00000004
ffff88007d775d98 0000000000000082 ffff88007d775fd8 ffff88007d774000
0000000000013a80 ffff8800020347e0 ffff88007d775fd8 0000000000013a80
ffff880133730000 ffff880002034440 ffffea0004333db8 ffffffffa071c020
Call Trace:
[<
ffffffff815b9997>] __mutex_lock_slowpath+0xf7/0x180
[<
ffffffff815b93eb>] mutex_lock+0x2b/0x50
[<
ffffffffa071a21c>] nbd_ioctl+0x6c/0x1c0 [nbd]
[<
ffffffff812cb970>] blkdev_ioctl+0x230/0x730
[<
ffffffff811967a1>] block_ioctl+0x41/0x50
[<
ffffffff81175c03>] do_vfs_ioctl+0x93/0x370
[<
ffffffff81175f61>] sys_ioctl+0x81/0xa0
[<
ffffffff8100c0c2>] system_call_fastpath+0x16/0x1b
Instrumenting the nbd module's ioctl handler with some extra logging
clearly shows the NBD_DO_IT ioctl being invoked which is a long-lived
ioctl in the sense that it doesn't return until another ioctl asks the
driver to disconnect. However, that other ioctl blocks, waiting for the
module-level mutex that replaced the BKL, and then we're stuck.
This patch removes the module-level mutex altogether. It's clearly
wrong, and as far as I can see, it's entirely unnecessary, since the nbd
driver maintains per-device mutexes, and I don't see anything that would
require a module-level (or kernel-level, for that matter) mutex.
Signed-off-by: Soren Hansen <soren@linux2go.dk>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Acked-by: Paul Clements <paul.clements@steeleye.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: <stable@kernel.org> [2.6.37.x]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Alexander Strakh [Thu, 10 Feb 2011 23:01:25 +0000 (15:01 -0800)]
drivers/rtc/rtc-proc.c: add module_put on error path in rtc_proc_open()
In file drivers/rtc/rtc-proc.c seq_open() can return -ENOMEM.
86 if (!try_module_get(THIS_MODULE))
87 return -ENODEV;
88
89 return single_open(file, rtc_proc_show, rtc);
In this case before exiting (line 89) from rtc_proc_open the
module_put(THIS_MODULE) must be called.
Found by Linux Device Drivers Verification Project
Signed-off-by: Alexander Strakh <strakh@ispras.ru>
Cc: Alessandro Zummo <a.zummo@towertech.it>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Roland Stigge [Thu, 10 Feb 2011 23:01:23 +0000 (15:01 -0800)]
drivers/gpio/pca953x.c: add a mutex to fix race condition
Add a mutex to register communication and handling. Without the mutex,
GPIOs didn't switch as expected when toggled in a fast sequence of
status changes of multiple outputs.
Signed-off-by: Roland Stigge <stigge@antcom.de>
Acked-by: Eric Miao <eric.y.miao@gmail.com>
Cc: Grant Likely <grant.likely@secretlab.ca>
Cc: Marc Zyngier <maz@misterjones.org>
Cc: Ben Gardner <bgardner@wabtec.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Tejun Heo [Thu, 10 Feb 2011 23:01:22 +0000 (15:01 -0800)]
ptrace: use safer wake up on ptrace_detach()
The wake_up_process() call in ptrace_detach() is spurious and not
interlocked with the tracee state. IOW, the tracee could be running or
sleeping in any place in the kernel by the time wake_up_process() is
called. This can lead to the tracee waking up unexpectedly which can be
dangerous.
The wake_up is spurious and should be removed but for now reduce its
toxicity by only waking up if the tracee is in TRACED or STOPPED state.
This bug can possibly be used as an attack vector. I don't think it
will take too much effort to come up with an attack which triggers oops
somewhere. Most sleeps are wrapped in condition test loops and should
be safe but we have quite a number of places where sleep and wakeup
conditions are expected to be interlocked. Although the window of
opportunity is tiny, ptrace can be used by non-privileged users and with
some loading the window can definitely be extended and exploited.
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Roland McGrath <roland@redhat.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Boaz Harrosh [Thu, 10 Feb 2011 23:01:20 +0000 (15:01 -0800)]
vfs: call rcu_barrier after ->kill_sb()
In commit
fa0d7e3de6d6 ("fs: icache RCU free inodes"), we use rcu free
inode instead of freeing the inode directly. It causes a crash when we
rmmod immediately after we umount the volume[1].
So we need to call rcu_barrier after we kill_sb so that the inode is
freed before we do rmmod. The idea is inspired by Aneesh Kumar.
rcu_barrier will wait for all callbacks to end before preceding. The
original patch was done by Tao Ma, but synchronize_rcu() is not enough
here.
1. http://marc.info/?l=linux-fsdevel&m=
129680863330185&w=2
Tested-by: Tao Ma <boyu.mt@taobao.com>
Signed-off-by: Boaz Harrosh <bharrosh@panasas.com>
Cc: Nick Piggin <npiggin@kernel.dk>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Chris Mason <chris.mason@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Fri, 11 Feb 2011 23:53:38 +0000 (15:53 -0800)]
Fix possible filp_cachep memory corruption
In commit
31e6b01f4183 ("fs: rcu-walk for path lookup") we started doing
path lookup using RCU, which then falls back to a careful non-RCU lookup
in case of problems (LOOKUP_REVAL). So do_filp_open() has this "re-do
the lookup carefully" looping case.
However, that means that we must not release the open-intent file data
if we are going to loop around and use it once more!
Fix this by moving the release of the open-intent data to the function
that allocates it (do_filp_open() itself) rather than the helper
functions that can get called multiple times (finish_open() and
do_last()). This makes the logic for the lifetime of that field much
more obvious, and avoids the possible double free.
Reported-by: J. R. Okajima <hooanon05@yahoo.co.jp>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: Nick Piggin <npiggin@kernel.dk>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
David Teigland [Fri, 11 Feb 2011 22:44:31 +0000 (16:44 -0600)]
dlm: use single thread workqueues
The recent commit to use cmwq for send and recv threads
dcce240ead802d42b1e45ad2fcb2ed4a399cb255 introduced problems,
apparently due to multiple workqueue threads. Single threads
make the problems go away, so return to that until we fully
understand the concurrency issues with multiple threads.
Signed-off-by: David Teigland <teigland@redhat.com>
Chris Wright [Thu, 10 Feb 2011 23:58:56 +0000 (15:58 -0800)]
pci: use security_capable() when checking capablities during config space read
Eric Paris noted that commit
de139a3 ("pci: check caps from sysfs file
open to read device dependent config space") caused the capability check
to bypass security modules and potentially auditing. Rectify this by
calling security_capable() when checking the open file's capabilities
for config space reads.
Reported-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: James Morris <jmorris@namei.org>
Chris Wright [Thu, 10 Feb 2011 06:11:51 +0000 (22:11 -0800)]
security: add cred argument to security_capable()
Expand security_capable() to include cred, so that it can be usable in a
wider range of call sites.
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
James Morris [Fri, 11 Feb 2011 06:34:47 +0000 (17:34 +1100)]
Merge branch 'for-james' of git://tpmdd.git.sourceforge.net/gitroot/tpmdd/tpmdd into for-linus
Jeff Layton [Thu, 10 Feb 2011 13:03:50 +0000 (08:03 -0500)]
cifs: don't always drop malformed replies on the floor (try #3)
Slight revision to this patch...use min_t() instead of conditional
assignment. Also, remove the FIXME comment and replace it with the
explanation that Steve gave earlier.
After receiving a packet, we currently check the header. If it's no
good, then we toss it out and continue the loop, leaving the caller
waiting on that response.
In cases where the packet has length inconsistencies, but the MID is
valid, this leads to unneeded delays. That's especially problematic now
that the client waits indefinitely for responses.
Instead, don't immediately discard the packet if checkSMB fails. Try to
find a matching mid_q_entry, mark it as having a malformed response and
issue the callback.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Stefan Berger [Tue, 11 Jan 2011 19:37:29 +0000 (14:37 -0500)]
tpm_tis: Use timeouts returned from TPM
The current TPM TIS driver in git discards the timeout values returned
from the TPM. The check of the response packet needs to consider that
the return_code field is 0 on success and the size of the expected
packet is equivalent to the header size + u32 length indicator for the
TPM_GetCapability() result + 3 timeout indicators of type u32.
I am also adding a sysfs entry 'timeouts' showing the timeouts that are
being used.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Tested-by: Guillaume Chazarain <guichaz@gmail.com>
Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
Corey Minyard [Thu, 10 Feb 2011 22:08:38 +0000 (16:08 -0600)]
char/ipmi: fix OOPS caused by pnp_unregister_driver on unregistered driver
This patch fixes an OOPS triggered when calling modprobe ipmi_si a
second time after the first modprobe returned without finding any ipmi
devices. This can happen if you reload the module after having the
first module load fail. The driver was not deregistering from PNP in
that case.
Peter Huewe originally reported this patch and supplied a fix, I have a
different patch based on Linus' suggestion that cleans things up a bit
more.
Cc: stable@kernel.org
Cc: openipmi-developer@lists.sourceforge.net
Reviewed-by: Peter Huewe <peterhuewe@gmx.de>
Cc: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Fri, 11 Feb 2011 01:53:55 +0000 (17:53 -0800)]
cap_syslog: accept CAP_SYS_ADMIN for now
In commit
ce6ada35bdf7 ("security: Define CAP_SYSLOG") Serge Hallyn
introduced CAP_SYSLOG, but broke backwards compatibility by no longer
accepting CAP_SYS_ADMIN as an override (it would cause a warning and
then reject the operation).
Re-instate CAP_SYS_ADMIN - but keeping the warning - as an acceptable
capability until any legacy applications have been updated. There are
apparently applications out there that drop all capabilities except for
CAP_SYS_ADMIN in order to access the syslog.
(This is a re-implementation of a patch by Serge, cleaning the logic up
and making the code more readable)
Acked-by: Serge Hallyn <serge@hallyn.com>
Reviewed-by: James Morris <jmorris@namei.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Mark Brown [Mon, 7 Feb 2011 01:51:04 +0000 (10:51 +0900)]
ARM: SAMSUNG: Ensure struct sys_device is declared in plat/pm.h
Previously we were relying on it being pulled in by other headers for
the prototype of s3c24xx_irq_suspend() and s3c24xx_irq_resume().
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Kukjin Kim <kgene.kim@samsung.com>
Kukjin Kim [Tue, 1 Feb 2011 06:08:53 +0000 (15:08 +0900)]
ARM: S5PV310: Cleanup System MMU
This patch cleans following up.
- Moved definition of System MMU IPNUM into mach/sysmmu.h
- Removed useless SYSMMU_DEBUG configuration
- Removed useless header file plat/sysmmu.h
Signed-off-by: Kukjin Kim <kgene.kim@samsung.com>
Thomas Abraham [Mon, 24 Jan 2011 23:37:49 +0000 (08:37 +0900)]
ARM: S5PV310: Add support System MMU on SMDKV310
The 's5pv310_device_sysmmu' is used on SMDKV310. But since it is not
compiled now, there is a build error. To fix this compilation error,
S5PV310_DEV_SYSMMU needs to be selected for SMDKV310 board.
This patch enables System MMU support on SMDKV310.
Signed-off-by: Thomas Abraham <thomas.ab@samsung.com>
[kgene.kim@samsung.com: Adding description]
Signed-off-by: Kukjin Kim <kgene.kim@samsung.com>
Linus Torvalds [Thu, 10 Feb 2011 20:20:40 +0000 (12:20 -0800)]
Merge branch 'usb-linus' of git://git./linux/kernel/git/gregkh/usb-2.6
* 'usb-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6: (21 commits)
USB: cdc-acm: Adding second ACM channel support for Nokia N8
USB, Mass Storage, composite, gadget: Fix build failure and memset of a struct
USB: Fix trout build failure with ci13xxx_msm gadget
USB: EHCI: fix scheduling while atomic during suspend
USB: usb-storage: unusual_devs entry for Coby MP3 player
USB: ftdi_sio: Add VID=0x0647, PID=0x0100 for Acton Research spectrograph
USB: fix race between root-hub resume and wakeup requests
USB: prevent buggy hubs from crashing the USB stack
usb: r8a66597-udc: Fixed bufnum of Bulk
USB: ftdi_sio: add ST Micro Connect Lite uart support
USB: Storage: Add unusual_devs entry for VTech Kidizoom
USB SL811HS HCD: Fix memory leak in sl811h_urb_enqueue()
USB: ti_usb: fix module removal
USB: io_edgeport: fix the reported firmware major and minor
usb: ehci-omap: Show fatal probing time errors to end user
usb: musb: introduce api for dma code to check compatibility with usb request
usb: musb: maintain three states for buffer mappings instead of two
usb: musb: disable double buffering when it's broken
usb: musb: hsdma: change back to use musb_read/writew
usb: musb: core: fix IRQ check
...
Linus Torvalds [Thu, 10 Feb 2011 20:19:58 +0000 (12:19 -0800)]
Merge branch 'tty-linus' of git://git./linux/kernel/git/gregkh/tty-2.6
* 'tty-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty-2.6:
serial: bfin_5xx: split uart RX lock from uart port lock to avoid deadlock
68360serial: Plumb in rs_360_get_icount()
n_gsm: copy mtu over when configuring via ioctl interface
virtio: console: Move file back to drivers/char/
Linus Torvalds [Thu, 10 Feb 2011 20:19:23 +0000 (12:19 -0800)]
Merge branch 'staging-linus' of git://git./linux/kernel/git/gregkh/staging-2.6
* 'staging-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging-2.6:
staging: zram: fix data corruption issue
Staging: Comedi: Fix a few NI module dependencies
Staging: comedi: Add MODULE_LICENSE and similar to NI modules
staging: brcm80211: bugfix for softmac crash on multi cpu configurations
staging: sst: Fix for dmic capture on v2 pmic
staging: hv: Enable sending GARP packet after live migration
Linus Torvalds [Thu, 10 Feb 2011 20:05:09 +0000 (12:05 -0800)]
Merge git://git./linux/kernel/git/davem/net-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (34 commits)
virtio_net: Add schedule check to napi_enable call
x25: Do not reference freed memory.
pch_can: fix tseg1/tseg2 setting issue
isdn: hysdn: Kill (partially buggy) CVS regision log reporting.
can: softing_cs needs slab.h
pch_gbe: Fix the issue which a driver locks when rx offload is set by ethtool
netfilter: nf_conntrack: set conntrack templates again if we return NF_REPEAT
pch_can: fix module reload issue with MSI
pch_can: fix rmmod issue
pch_can: fix 800k comms issue
net: Fix lockdep regression caused by initializing netdev queues too early.
net/caif: Fix dangling list pointer in freed object on error.
USB CDC NCM errata updates for cdc_ncm host driver
CDC NCM errata updates for cdc.h
ixgbe: update version string
ixgbe: cleanup variable initialization
ixgbe: limit VF access to network traffic
ixgbe: fix for 82599 erratum on Header Splitting
ixgbe: fix variable set but not used warnings by gcc 4.6
e1000: add support for Marvell Alaska M88E1118R PHY
...
Bruce Rogers [Thu, 10 Feb 2011 19:03:31 +0000 (11:03 -0800)]
virtio_net: Add schedule check to napi_enable call
Under harsh testing conditions, including low memory, the guest would
stop receiving packets. With this patch applied we no longer see any
problems in the driver while performing these tests for extended periods
of time.
Make sure napi is scheduled subsequent to each napi_enable.
Signed-off-by: Bruce Rogers <brogers@novell.com>
Signed-off-by: Olaf Kirch <okir@suse.de>
Cc: stable@kernel.org
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tim Deegan [Thu, 10 Feb 2011 08:50:41 +0000 (08:50 +0000)]
fix jiffy calculations in calibrate_delay_direct to handle overflow
Fixes a hang when booting as dom0 under Xen, when jiffies can be
quite large by the time the kernel init gets this far.
Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>
[jbeulich@novell.com: !time_after() -> time_before_eq() as suggested by Jiri Slaby]
Signed-off-by: Jan Beulich <jbeulich@novell.com>
Cc: Jiri Slaby <jslaby@suse.cz>
Cc: Jeremy Fitzhardinge <jeremy@goop.org>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Borislav Petkov [Thu, 3 Feb 2011 14:59:57 +0000 (15:59 +0100)]
amd64_edac: Fix DIMMs per DCTs output
amd64_debug_display_dimm_sizes() reports the distribution of the DIMMs
on each DRAM controller and its chip select sizes. Thus, the last don't
have anything to do with whether we're running in ganged DCT mode or not
- their sizes don't change all of a sudden. Fix that by removing the
ganged-check and dump DCT0's config for DCT1 when in ganged mode since
they're identical.
Reported-and-tested-by: Markus Trippelsdorf <markus@trippelsdorf.de>
Signed-off-by: Borislav Petkov <borislav.petkov@amd.com>
David S. Miller [Thu, 10 Feb 2011 05:48:36 +0000 (21:48 -0800)]
x25: Do not reference freed memory.
In x25_link_free(), we destroy 'nb' before dereferencing
'nb->dev'. Don't do this, because 'nb' might be freed
by then.
Reported-by: Randy Dunlap <randy.dunlap@oracle.com>
Tested-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jeff Layton [Wed, 9 Feb 2011 17:01:42 +0000 (12:01 -0500)]
cifs: clean up checks in cifs_echo_request
Follow-on patch to
7e90d705 which is already in Steve's tree...
The check for tcpStatus == CifsGood is not meaningful since it doesn't
indicate whether the NEGOTIATE request has been done. Also, clarify
why we're checking for maxBuf == 0.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Linus Torvalds [Thu, 10 Feb 2011 00:56:33 +0000 (16:56 -0800)]
Merge branch 'rc-fixes' of git://git./linux/kernel/git/mmarek/kbuild-2.6
* 'rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild-2.6:
deb-pkg: Fix building outside of source tree (O=...).
deb-pkg: Use $SRCARCH for include path
Tomoya MORINAGA [Thu, 10 Feb 2011 00:46:21 +0000 (16:46 -0800)]
pch_can: fix tseg1/tseg2 setting issue
Previous patch "[PATCH 1/3] pch_can: fix 800k comms issue" is wrong.
I should have modified tseg1_min not tseg2_min.
This patch reverts tseg2_min to 1 and set tseg1_min to 2.
Signed-off-by: Tomoya MORINAGA <tomoya-linux@dsn.okisemi.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Wed, 9 Feb 2011 21:54:26 +0000 (13:54 -0800)]
isdn: hysdn: Kill (partially buggy) CVS regision log reporting.
Some cases try to modify const strings, and in any event the
CVS revision strings have not changed in over ten years making
these printouts completely worthless.
Just kill all of this stuff off.
Reported-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Guenter Roeck [Wed, 9 Feb 2011 19:51:29 +0000 (11:51 -0800)]
hwmon: (emc1403) Fix I2C address range
I2C address range included 0x2a, which the chips do not support.
Replace with 0x29 which is supported but was missing.
Signed-off-by: Guenter Roeck <guenter.roeck@ericsson.com>
Acked-by: Jean Delvare <khali@linux-fr.org>
Dirk Eibach [Wed, 9 Feb 2011 09:51:34 +0000 (04:51 -0500)]
hwmon: (lm63) Consider LM64 temperature offset
LM64 has 16 degrees Celsius temperature offset on all
remote sensor registers.
This was not considered When LM64 support was added to lm63.c.
Signed-off-by: Dirk Eibach <eibach@gdsys.de>
Signed-off-by: Guenter Roeck <guenter.roeck@ericsson.com>
Cc: stable@kernel.org
Randy Dunlap [Wed, 9 Feb 2011 20:43:38 +0000 (12:43 -0800)]
can: softing_cs needs slab.h
From: Randy Dunlap <randy.dunlap@oracle.com>
softing_cs.c uses kzalloc & kfree, so it needs to include linux/slab.h.
drivers/net/can/softing/softing_cs.c:234: error: implicit declaration of function 'kfree'
drivers/net/can/softing/softing_cs.c:271: error: implicit declaration of function 'kzalloc'
Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Wed, 9 Feb 2011 20:40:21 +0000 (12:40 -0800)]
Merge branch 'master' of git://git./linux/kernel/git/kaber/nf-2.6
Toshiharu Okada [Wed, 9 Feb 2011 20:28:06 +0000 (12:28 -0800)]
pch_gbe: Fix the issue which a driver locks when rx offload is set by ethtool
This driver will be in a deadlock, When the rx offload is set by ethtool.
The pch_gbe_reinit_locked function was modified.
Signed-off-by: Toshiharu Okada <toshiharu-linux@dsn.okisemi.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Wed, 9 Feb 2011 19:51:40 +0000 (11:51 -0800)]
Merge git://git./linux/kernel/git/rusty/linux-2.6-for-linus
* git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux-2.6-for-linus:
virtio: console: Update Copyright
virtio: console: Wake up outvq on host notifications
Linus Torvalds [Wed, 9 Feb 2011 19:45:21 +0000 (11:45 -0800)]
Merge branch 'for-linus' of git://git.kernel.dk/linux-2.6-block
* 'for-linus' of git://git.kernel.dk/linux-2.6-block:
cdrom: support devices that have check_events but not media_changed
cfq-iosched: Don't wait if queue already has requests.
blkio-throttle: Avoid calling blkiocg_lookup_group() for root group
cfq: rename a function to give it more appropriate name
cciss: make cciss_revalidate not loop through CISS_MAX_LUNS volumes unnecessarily.
drivers/block/aoe/Makefile: replace the use of <module>-objs with <module>-y
loop: queue_lock NULL pointer derefence in blk_throtl_exit
drivers/block/Makefile: replace the use of <module>-objs with <module>-y
blktrace: Don't output messages if NOTIFY isn't set.
Linus Torvalds [Wed, 9 Feb 2011 19:44:55 +0000 (11:44 -0800)]
Merge branch 'for-linus' of git://neil.brown.name/md
* 'for-linus' of git://neil.brown.name/md:
FIX: md: process hangs at wait_barrier after 0->10 takeover
md_make_request: don't touch the bio after calling make_request
md: Don't allow slot_store while resync/recovery is happening.
md: don't clear curr_resync_completed at end of resync.
md: Don't use remove_and_add_spares to remove failed devices from a read-only array
Add raid1->raid0 takeover support
md: Remove the AllReserved flag for component devices.
md: don't abort checking spares as soon as one cannot be added.
md: fix the test for finding spares in raid5_start_reshape.
md: simplify some 'if' conditionals in raid5_start_reshape.
md: revert change to raid_disks on failure.
Nitin Gupta [Sun, 6 Feb 2011 01:34:20 +0000 (20:34 -0500)]
staging: zram: fix data corruption issue
In zram_read() and zram_write() we were not incrementing the
index number and thus were reading/writing values from/to
incorrect sectors on zram disk, resulting in data corruption.
Signed-off-by: Nitin Gupta <ngupta@vflare.org>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Ian Abbott [Tue, 8 Feb 2011 15:26:33 +0000 (15:26 +0000)]
Staging: Comedi: Fix a few NI module dependencies
The ni_tio and ni_tio modules do not depend on the 8255 module, but the
ni_atmio, ni_mio_cs and ni_pcimio modules do need the 8255 module. The
ni_pcimio module also needs the comedi_fc module.
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Ian Abbott [Mon, 7 Feb 2011 13:39:52 +0000 (13:39 +0000)]
Staging: comedi: Add MODULE_LICENSE and similar to NI modules
As mentioned by W. Trevor King on the devel@linuxdriverproject.org list
on "Thu, 27 Jan 2011 18:52:15 -0500", "Message-ID:
<
20110127235214.GA5107@thialfi.dhcp.drexel.edu>", the ni_pcimio module
is missing module metadata, including a license.
This patch adds module metadata to all the NI comedi driver modules. It
also removes a duplicate MODULE_LICENSE("GPL") line from the "mite"
module.
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Cc: W. Trevor King <wking@drexel.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Joerg Roedel [Fri, 14 Jan 2011 15:45:01 +0000 (16:45 +0100)]
KVM: SVM: Make sure KERNEL_GS_BASE is valid when loading gs_index
The gs_index loading code uses the swapgs instruction to
switch to the user gs_base temporarily. This is unsave in an
lightweight exit-path in KVM on AMD because the
KERNEL_GS_BASE MSR is switches lazily. An NMI happening in
the critical path of load_gs_index may use the wrong GS_BASE
value then leading to unpredictable behavior, e.g. a
triple-fault.
This patch fixes the issue by making sure that load_gs_index
is called only with a valid KERNEL_GS_BASE value loaded in
KVM.
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Avi Kivity <avi@redhat.com>
Simon Arlott [Wed, 9 Feb 2011 13:21:07 +0000 (14:21 +0100)]
cdrom: support devices that have check_events but not media_changed
Commit
93aae17af1172c40c6f74b7294e93a90c3cfaa5d ("sr: implement
sr_check_events()") replaced the media_changed op with the
check_events op in drivers/scsi/sr.c
All users that check for the CDC_MEDIA_CHANGED capbility try both
the check_events op and the media_changed op, but register_cdrom()
was requiring media_changed.
This patch fixes the capability checking.
The cdrom_select_disc ioctl is also using the two operations, so
they should be required for CDC_SELECT_DISC too.
Signed-off-by: Simon Arlott <simon@fire.lp0.eu>
Cc: Tejun Heo <tj@kernel.org>
Cc: Kay Sievers <kay.sievers@vrfy.org>
Tested-by: Chris Clayton <chris2553@googlemail.com>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
Justin TerAvest [Wed, 9 Feb 2011 13:20:03 +0000 (14:20 +0100)]
cfq-iosched: Don't wait if queue already has requests.
Commit
7667aa0630407bc07dc38dcc79d29cc0a65553c1 added logic to wait for
the last queue of the group to become busy (have at least one request),
so that the group does not lose out for not being continuously
backlogged. The commit did not check for the condition that the last
queue already has some requests. As a result, if the queue already has
requests, wait_busy is set. Later on, cfq_select_queue() checks the
flag, and decides that since the queue has a request now and wait_busy
is set, the queue is expired. This results in early expiration of the
queue.
This patch fixes the problem by adding a check to see if queue already
has requests. If it does, wait_busy is not set. As a result, time slices
do not expire early.
The queues with more than one request are usually buffered writers.
Testing shows improvement in isolation between buffered writers.
Cc: stable@kernel.org
Signed-off-by: Justin TerAvest <teravest@google.com>
Reviewed-by: Gui Jianfeng <guijianfeng@cn.fujitsu.com>
Acked-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
Pablo Neira Ayuso [Wed, 9 Feb 2011 07:08:20 +0000 (08:08 +0100)]
netfilter: nf_conntrack: set conntrack templates again if we return NF_REPEAT
The TCP tracking code has a special case that allows to return
NF_REPEAT if we receive a new SYN packet while in TIME_WAIT state.
In this situation, the TCP tracking code destroys the existing
conntrack to start a new clean session.
[DESTROY] tcp 6 src=192.168.0.2 dst=192.168.1.2 sport=38925 dport=8000 src=192.168.1.2 dst=192.168.1.100 sport=8000 dport=38925 [ASSURED]
[NEW] tcp 6 120 SYN_SENT src=192.168.0.2 dst=192.168.1.2 sport=38925 dport=8000 [UNREPLIED] src=192.168.1.2 dst=192.168.1.100 sport=8000 dport=38925
However, this is a problem for the iptables' CT target event filtering
which will not work in this case since the conntrack template will not
be there for the new session. To fix this, we reassign the conntrack
template to the packet if we return NF_REPEAT.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Tomoya [Mon, 7 Feb 2011 23:29:03 +0000 (23:29 +0000)]
pch_can: fix module reload issue with MSI
Currently, in case reload pch_can,
pch_can not to be able to catch interrupt.
The cause is bus-master is not set in pch_can.
Thus, add enabling bus-master processing.
Signed-off-by: Tomoya MORINAGA <tomoya-linux@dsn.okisemi.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tomoya [Mon, 7 Feb 2011 23:29:02 +0000 (23:29 +0000)]
pch_can: fix rmmod issue
Currently, when rmmod pch_can, kernel failure occurs.
The cause is pci_iounmap executed before pch_can_reset.
Thus pci_iounmap moves after pch_can_reset.
Signed-off-by: Tomoya MORINAGA <tomoya-linux@dsn.okisemi.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tomoya [Mon, 7 Feb 2011 23:29:01 +0000 (23:29 +0000)]
pch_can: fix 800k comms issue
Currently, 800k comms fails since prop_seg set zero.
(EG20T PCH CAN register of prop_seg must be set more than 1)
To prevent prop_seg set to zero, change tseg2_min 1 to 2.
Signed-off-by: Tomoya MORINAGA <tomoya-linux@dsn.okisemi.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Steve French [Tue, 8 Feb 2011 23:52:32 +0000 (23:52 +0000)]
[CIFS] Do not send SMBEcho requests on new sockets until SMBNegotiate
In order to determine whether an SMBEcho request can be sent
we need to know that the socket is established (server tcpStatus == CifsGood)
AND that an SMB NegotiateProtocol has been sent (server maxBuf != 0).
Without the second check we can send an Echo request during reconnection
before the server can accept it.
CC: JG <jg@cms.ac>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
David S. Miller [Tue, 8 Feb 2011 23:02:50 +0000 (15:02 -0800)]
net: Fix lockdep regression caused by initializing netdev queues too early.
In commit
aa9421041128abb4d269ee1dc502ff65fb3b7d69 ("net: init ingress
queue") we moved the allocation and lock initialization of the queues
into alloc_netdev_mq() since register_netdevice() is way too late.
The problem is that dev->type is not setup until the setup()
callback is invoked by alloc_netdev_mq(), and the dev->type is
what determines the lockdep class to use for the locks in the
queues.
Fix this by doing the queue allocation after the setup() callback
runs.
This is safe because the setup() callback is not allowed to make any
state changes that need to be undone on error (memory allocations,
etc.). It may, however, make state changes that are undone by
free_netdev() (such as netif_napi_add(), which is done by the
ipoib driver's setup routine).
The previous code also leaked a reference to the &init_net namespace
object on RX/TX queue allocation failures.
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Tue, 8 Feb 2011 22:31:31 +0000 (14:31 -0800)]
net/caif: Fix dangling list pointer in freed object on error.
rtnl_link_ops->setup(), and the "setup" callback passed to alloc_netdev*(),
cannot make state changes which need to be undone on failure. There is
no cleanup mechanism available at this point.
So we have to add the caif private instance to the global list once we
are sure that register_netdev() has succedded in ->newlink().
Otherwise, if register_netdev() fails, the caller will invoke free_netdev()
and we will have a reference to freed up memory on the chnl_net_list.
Signed-off-by: David S. Miller <davem@davemloft.net>
Alexey Orishko [Mon, 7 Feb 2011 09:45:10 +0000 (09:45 +0000)]
USB CDC NCM errata updates for cdc_ncm host driver
Specification links:
- CDC NCM errata link:
http://www.usb.org/developers/devclass_docs/NCM10_012011.zip
- CDC and WMC errata link:
http://www.usb.org/developers/devclass_docs/CDC1.2_WMC1.1_012011.zip
Changes:
- driver updated to match cdc.h header with errata changes
- added support for USB_CDC_SET_NTB_INPUT_SIZE control request with
8 byte length
- fixes to comply with specification: send only control requests supported by
device, set number of datagrams for IN direction, connection speed structure
update, etc.
- packet loss fixed for tx direction; misleading flag renamed.
- adjusted hard_mtu value.
Signed-off-by: Alexey Orishko <alexey.orishko@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Alexey Orishko [Mon, 7 Feb 2011 09:45:09 +0000 (09:45 +0000)]
CDC NCM errata updates for cdc.h
Changes are based on the following documents:
- CDC NCM errata:
http://www.usb.org/developers/devclass_docs/NCM10_012011.zip
- CDC and WMC errata link:
http://www.usb.org/developers/devclass_docs/CDC1.2_WMC1.1_012011.zip
Signed-off-by: Alexey Orishko <alexey.orishko@stericsson.com>
Acked-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Amit Shah [Mon, 31 Jan 2011 07:36:37 +0000 (13:06 +0530)]
virtio: console: Update Copyright
Signed-off-by: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Amit Shah [Mon, 31 Jan 2011 07:36:36 +0000 (13:06 +0530)]
virtio: console: Wake up outvq on host notifications
The outvq needs to be woken up on host notifications so that buffers
consumed by the host can be reclaimed, outvq freed, and application
writes may proceed again.
The need for this is now finally noticed when I have qemu patches ready
to use nonblocking IO and flow control.
CC: Hans de Goede <hdegoede@redhat.com>
CC: stable@kernel.org
Signed-off-by: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Acked-by: Hans de Goede <hdegoede@redhat.com>
David S. Miller [Tue, 8 Feb 2011 20:16:52 +0000 (12:16 -0800)]
Merge branch 'master' of /linux/kernel/git/jkirsher/net-2.6
David S. Miller [Tue, 8 Feb 2011 20:03:54 +0000 (12:03 -0800)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6
Don Skidmore [Wed, 26 Jan 2011 06:04:37 +0000 (06:04 +0000)]
ixgbe: update version string
This will synchronize the version string with that of the latest source
forge driver which shares its functionality.
Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Don Skidmore [Wed, 26 Jan 2011 06:04:17 +0000 (06:04 +0000)]
ixgbe: cleanup variable initialization
The ixgbe_fcoe_ddp_get function wasn't initializing one of its variables
and this was producing compiler warnings. This patch cleans that up.
Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com>
Tested-by: Stephen Ko <stephen.s.ko@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Alexander Duyck [Wed, 19 Jan 2011 18:33:05 +0000 (18:33 +0000)]
ixgbe: limit VF access to network traffic
This change fixes VM pool allocation issues based on MAC address filtering,
as well as limits the scope of VF access to promiscuous mode.
Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
Acked-by: Greg Rose <gregory.v.rose@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Don Skidmore [Tue, 18 Jan 2011 22:53:47 +0000 (22:53 +0000)]
ixgbe: fix for 82599 erratum on Header Splitting
We have found a hardware erratum on 82599 hardware that can lead to
unpredictable behavior when Header Splitting mode is enabled. So
we are no longer enabling this feature on affected hardware.
Please see the 82599 Specification Update for more information.
CC: stable@kernel.org
Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com>
Tested-by: Stephen Ko <stephen.s.ko@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Emil Tantilov [Wed, 5 Jan 2011 07:09:41 +0000 (07:09 +0000)]
ixgbe: fix variable set but not used warnings by gcc 4.6
Caught with gcc 4.6 -Wunused-but-set-variable
Remove unused napi_vectors variable.
Fix the use of reset_bit in ixgbe_reset_hw_X540()
Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
Tested-by: Stephen Ko <stephen.s.ko@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Florian Fainelli [Mon, 24 Jan 2011 14:48:03 +0000 (14:48 +0000)]
e1000: add support for Marvell Alaska M88E1118R PHY
This patch adds support for Marvell Alask M88E188R PHY chips. Support for
other M88* PHYs is already there, so there is nothing more to add than its
PHY id.
CC: Dirk Brandewie <dirk.j.brandewie@intel.com>
Signed-off-by: Florian Fainelli <ffainelli@freebox.fr>
Acked-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Jesse Brandeburg [Wed, 2 Feb 2011 10:19:55 +0000 (10:19 +0000)]
e1000e: tx_timeout should not increment for non-hang events
Currently the driver increments the tx_timeout counter (an error counter)
when simply resetting the part with outstanding transmit work pending.
This is an unnecessary count of an error, when all we should be doing is
just resetting the part and discarding the transmits. With this change the
only increment of tx_timeout is when the stack calls the watchdog reset
function due to a true Tx timeout.
Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
Reviewed-by: Bruce Allan <bruce.w.allan@intel.com>
Tested-by: Jeff Pieper <jeffrey.e.pieper@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
David S. Miller [Tue, 8 Feb 2011 03:54:14 +0000 (19:54 -0800)]
Merge branch 'batman-adv/merge' of git://git.open-mesh.org/ecsv/linux-merge
Krzysztof Wojcik [Fri, 4 Feb 2011 13:18:26 +0000 (14:18 +0100)]
FIX: md: process hangs at wait_barrier after 0->10 takeover
Following symptoms were observed:
1. After raid0->raid10 takeover operation we have array with 2
missing disks.
When we add disk for rebuild, recovery process starts as expected
but it does not finish- it stops at about 90%, md126_resync process
hangs in "D" state.
2. Similar behavior is when we have mounted raid0 array and we
execute takeover to raid10. After this when we try to unmount array-
it causes process umount hangs in "D"
In scenarios above processes hang at the same function- wait_barrier
in raid10.c.
Process waits in macro "wait_event_lock_irq" until the
"!conf->barrier" condition will be true.
In scenarios above it never happens.
Reason was that at the end of level_store, after calling pers->run,
we call mddev_resume. This calls pers->quiesce(mddev, 0) with
RAID10, that calls lower_barrier.
However raise_barrier hadn't been called on that 'conf' yet,
so conf->barrier becomes negative, which is bad.
This patch introduces setting conf->barrier=1 after takeover
operation. It prevents to become barrier negative after call
lower_barrier().
Signed-off-by: Krzysztof Wojcik <krzysztof.wojcik@intel.com>
Signed-off-by: NeilBrown <neilb@suse.de>
Linus Torvalds [Tue, 8 Feb 2011 00:03:17 +0000 (16:03 -0800)]
Linux 2.6.38-rc4
Sven Eckelmann [Sun, 6 Feb 2011 23:26:43 +0000 (23:26 +0000)]
batman-adv: Linearize fragment packets before merge
We access the data inside the skbs of two fragments directly using memmove
during the merge. The data of the skb could span over multiple skb pages. An
direct access without knowledge about the pages would lead to an invalid memory
access.
Signed-off-by: Sven Eckelmann <sven@narfation.org>
[lindner_marek@yahoo.de: Move return from function to the end]
Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
Linus Torvalds [Mon, 7 Feb 2011 23:20:11 +0000 (15:20 -0800)]
Merge master.kernel.org:/home/rmk/linux-2.6-arm
* master.kernel.org:/home/rmk/linux-2.6-arm:
ALSA: AACI: allow writes to MAINCR to take effect
ARM: Update mach-types
ARM: 6652/1: ep93xx: correct the end address of the AC97 memory resource
ARM: mxs/imx28: remove now unused clock lookup "fec.0"
ARM: mxs: fix clock base address missing
ARM: mxs: acknowledge gpio irq
ARM: mach-imx/mach-mx25_3ds: Fix section type
ARM: imx: Add VPR200 and MX51_3DS entries to uncompress.h
ARM i.MX23: use correct register for setting the rate
ARM i.MX23/28: remove secondary field from struct clk. It's unused
ARM i.MX28: use correct register for setting the rate
ARM i.MX28: fix bit operation
Chris Mason [Tue, 8 Feb 2011 00:21:48 +0000 (19:21 -0500)]
md_make_request: don't touch the bio after calling make_request
md_make_request was calling bio_sectors() for part_stat_add
after it was calling the make_request function. This is
bad because the make_request function can free the bio and
because the bi_size field can change around.
The fix here was suggested by Jens Axboe. It saves the
sector count before the make_request call. I hit this
with CONFIG_DEBUG_PAGEALLOC turned on while trying to break
his pretty fusionio card.
Cc: <stable@kernel.org>
Signed-off-by: Chris Mason <chris.mason@oracle.com>
Signed-off-by: NeilBrown <neilb@suse.de>
Linus Torvalds [Mon, 7 Feb 2011 22:06:18 +0000 (14:06 -0800)]
Merge git://git./linux/kernel/git/mason/btrfs-unstable
* git://git.kernel.org/pub/scm/linux/kernel/git/mason/btrfs-unstable: (33 commits)
Btrfs: Fix page count calculation
btrfs: Drop __exit attribute on btrfs_exit_compress
btrfs: cleanup error handling in btrfs_unlink_inode()
Btrfs: exclude super blocks when we read in block groups
Btrfs: make sure search_bitmap finds something in remove_from_bitmap
btrfs: fix return value check of btrfs_start_transaction()
btrfs: checking NULL or not in some functions
Btrfs: avoid uninit variable warnings in ordered-data.c
Btrfs: catch errors from btrfs_sync_log
Btrfs: make shrink_delalloc a little friendlier
Btrfs: handle no memory properly in prepare_pages
Btrfs: do error checking in btrfs_del_csums
Btrfs: use the global block reserve if we cannot reserve space
Btrfs: do not release more reserved bytes to the global_block_rsv than we need
Btrfs: fix check_path_shared so it returns the right value
btrfs: check return value of btrfs_start_ioctl_transaction() properly
btrfs: fix return value check of btrfs_join_transaction()
fs/btrfs/inode.c: Add missing IS_ERR test
btrfs: fix missing break in switch phrase
btrfs: fix several uncheck memory allocations
...
Linus Torvalds [Mon, 7 Feb 2011 22:05:38 +0000 (14:05 -0800)]
Merge branch 'merge' of git://git./linux/kernel/git/benh/powerpc
* 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc:
powerpc: Fix hcall tracepoint recursion
powerpc/numa: Fix bug in unmap_cpu_from_node
powerpc/numa: Disable VPHN on dedicated processor partitions
powerpc/numa: Add length when creating OF properties via VPHN
powerpc/numa: Check for all VPHN changes
powerpc/numa: Only use active VPHN count fields
powerpc/pseries: Remove unnecessary variable initializations in numa.c
powerpc/pseries: Fix brace placement in numa.c
powerpc/pseries: Fix typo in VPHN comments
powerpc: Fix some 6xx/7xxx CPU setup functions
powerpc: Pass the right cpu_spec to ->setup_cpu() on 64-bit
powerpc/book3e: Protect complex macro args in mmu-book3e.h
powerpc: Fix pfn_valid() when memory starts at a non-zero address
Linus Torvalds [Mon, 7 Feb 2011 22:05:24 +0000 (14:05 -0800)]
Merge branch 'omap-fixes-for-linus' of git://git./linux/kernel/git/tmlind/linux-omap-2.6
* 'omap-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap-2.6:
arm: omap4: panda: remove usb_nop_xceiv_register(v1)
OMAP1: Fix non-working LCD on OMAP310
OMAP3: Devkit8000: Change lcd power pin
omap1: remove duplicated #include
arm: mach-omap2: mux: free allocated memory on error exit
arm: mach-omap2: board-rm680: fix rm680_vemmc regulator constraints
OMAP: PM: SmartReflex: Fix possible null pointer read access
OMAP: PM: SmartReflex: Fix possible memory leak
arm: mach-omap2: voltage: debugfs: fix memory leak
OMAP3: PM: fix save secure RAM to restore MPU power state
OMAP: PM: SmartReflex: Add missing IS_ERR test
Linus Torvalds [Mon, 7 Feb 2011 22:04:43 +0000 (14:04 -0800)]
Merge branch 'x86-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip
* 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
x86, nx: Mark the ACPI resume trampoline code as +x
Tetsuo Handa [Mon, 7 Feb 2011 13:36:16 +0000 (13:36 +0000)]
CRED: Fix memory and refcount leaks upon security_prepare_creds() failure
In prepare_kernel_cred() since 2.6.29, put_cred(new) is called without
assigning new->usage when security_prepare_creds() returned an error. As a
result, memory for new and refcount for new->{user,group_info,tgcred} are
leaked because put_cred(new) won't call __put_cred() unless old->usage == 1.
Fix these leaks by assigning new->usage (and new->subscribers which was added
in 2.6.32) before calling security_prepare_creds().
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Tetsuo Handa [Mon, 7 Feb 2011 13:36:10 +0000 (13:36 +0000)]
CRED: Fix BUG() upon security_cred_alloc_blank() failure
In cred_alloc_blank() since 2.6.32, abort_creds(new) is called with
new->security == NULL and new->magic == 0 when security_cred_alloc_blank()
returns an error. As a result, BUG() will be triggered if SELinux is enabled
or CONFIG_DEBUG_CREDENTIALS=y.
If CONFIG_DEBUG_CREDENTIALS=y, BUG() is called from __invalid_creds() because
cred->magic == 0. Failing that, BUG() is called from selinux_cred_free()
because selinux_cred_free() is not expecting cred->security == NULL. This does
not affect smack_cred_free(), tomoyo_cred_free() or apparmor_cred_free().
Fix these bugs by
(1) Set new->magic before calling security_cred_alloc_blank().
(2) Handle null cred->security in creds_are_invalid() and selinux_cred_free().
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Mon, 7 Feb 2011 22:02:06 +0000 (14:02 -0800)]
Merge git://git./linux/kernel/git/sfrench/cifs-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/sfrench/cifs-2.6:
cifs: remove checks for ses->status == CifsExiting
cifs: add check for kmalloc in parse_dacl
cifs: don't send an echo request unless NegProt has been done
cifs: enable signing flag in SMB header when server has it on
cifs: Possible slab memory corruption while updating extended stats (repost)
CIFS: Fix variable types in cifs_iovec_read/write (try #2)
cifs: fix length vs. total_read confusion in cifs_demultiplex_thread
andrew hendry [Mon, 7 Feb 2011 00:08:15 +0000 (00:08 +0000)]
x25: possible skb leak on bad facilities
Originally x25_parse_facilities returned
-1 for an error
0 meaning 0 length facilities
>0 the length of the facilities parsed.
5ef41308f94dc ("x25: Prevent crashing when parsing bad X.25 facilities") introduced more
error checking in x25_parse_facilities however used 0 to indicate bad parsing
a6331d6f9a429 ("memory corruption in X.25 facilities parsing") followed this further for
DTE facilities, again using 0 for bad parsing.
The meaning of 0 got confused in the callers.
If the facilities are messed up we can't determine where the data starts.
So patch makes all parsing errors return -1 and ensures callers close and don't use the skb further.
Reported-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Andrew Hendry <andrew.hendry@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Felix Fietkau [Mon, 7 Feb 2011 11:05:00 +0000 (12:05 +0100)]
mac80211: fix the skb cloned check in the tx path
Using skb_header_cloned to check if it's safe to write to the skb is not
enough - mac80211 also touches the tailroom of the skb.
Initially this check was only used to increase a counter, however this
commit changed the code to also skip skb data reallocation if no extra
head/tailroom was needed:
commit
4cd06a344db752f513437138953af191cbe9a691
mac80211: skip unnecessary pskb_expand_head calls
It added a regression at least with iwl3945, which is fixed by this patch.
Reported-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Tested-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Don Fry [Sun, 6 Feb 2011 17:29:45 +0000 (09:29 -0800)]
iwlagn: Re-enable RF_KILL interrupt when down
With commit
554d1d027b19265c4aa3f718b3126d2b86e09a08 only one RF_KILL
interrupt will be seen by the driver when the interface is down.
Re-enable the interrupt when it occurs to see all transitions.
Signed-off-by: Don Fry <donald.h.fry@intel.com>
Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
Cc: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>