Commit Graph

322462 Commits

Author SHA1 Message Date
Michal Hocko eb48c07146 mm: hugetlbfs: correctly populate shared pmd
Each page mapped in a process's address space must be correctly
accounted for in _mapcount.  Normally the rules for this are
straightforward but hugetlbfs page table sharing is different.  The page
table pages at the PMD level are reference counted while the mapcount
remains the same.

If this accounting is wrong, it causes bugs like this one reported by
Larry Woodman:

  kernel BUG at mm/filemap.c:135!
  invalid opcode: 0000 [#1] SMP
  CPU 22
  Modules linked in: bridge stp llc sunrpc binfmt_misc dcdbas microcode pcspkr acpi_pad acpi]
  Pid: 18001, comm: mpitest Tainted: G        W    3.3.0+ #4 Dell Inc. PowerEdge R620/07NDJ2
  RIP: 0010:[<ffffffff8112cfed>]  [<ffffffff8112cfed>] __delete_from_page_cache+0x15d/0x170
  Process mpitest (pid: 18001, threadinfo ffff880428972000, task ffff880428b5cc20)
  Call Trace:
    delete_from_page_cache+0x40/0x80
    truncate_hugepages+0x115/0x1f0
    hugetlbfs_evict_inode+0x18/0x30
    evict+0x9f/0x1b0
    iput_final+0xe3/0x1e0
    iput+0x3e/0x50
    d_kill+0xf8/0x110
    dput+0xe2/0x1b0
    __fput+0x162/0x240

During fork(), copy_hugetlb_page_range() detects if huge_pte_alloc()
shared page tables with the check dst_pte == src_pte.  The logic is if
the PMD page is the same, they must be shared.  This assumes that the
sharing is between the parent and child.  However, if the sharing is
with a different process entirely then this check fails as in this
diagram:

  parent
    |
    ------------>pmd
                 src_pte----------> data page
                                        ^
  other--------->pmd--------------------|
                  ^
  child-----------|
                 dst_pte

For this situation to occur, it must be possible for Parent and Other to
have faulted and failed to share page tables with each other.  This is
possible due to the following style of race.

  PROC A                                          PROC B
  copy_hugetlb_page_range                         copy_hugetlb_page_range
    src_pte == huge_pte_offset                      src_pte == huge_pte_offset
    !src_pte so no sharing                          !src_pte so no sharing

  (time passes)

  hugetlb_fault                                   hugetlb_fault
    huge_pte_alloc                                  huge_pte_alloc
      huge_pmd_share                                 huge_pmd_share
        LOCK(i_mmap_mutex)
        find nothing, no sharing
        UNLOCK(i_mmap_mutex)
                                                      LOCK(i_mmap_mutex)
                                                      find nothing, no sharing
                                                      UNLOCK(i_mmap_mutex)
      pmd_alloc                                       pmd_alloc
      LOCK(instantiation_mutex)
      fault
      UNLOCK(instantiation_mutex)
                                                  LOCK(instantiation_mutex)
                                                  fault
                                                  UNLOCK(instantiation_mutex)

These two processes are not poing to the same data page but are not
sharing page tables because the opportunity was missed.  When either
process later forks, the src_pte == dst pte is potentially insufficient.
As the check falls through, the wrong PTE information is copied in
(harmless but wrong) and the mapcount is bumped for a page mapped by a
shared page table leading to the BUG_ON.

This patch addresses the issue by moving pmd_alloc into huge_pmd_share
which guarantees that the shared pud is populated in the same critical
section as pmd.  This also means that huge_pte_offset test in
huge_pmd_share is serialized correctly now which in turn means that the
success of the sharing will be higher as the racing tasks see the pud
and pmd populated together.

Race identified and changelog written mostly by Mel Gorman.

{akpm@linux-foundation.org: attempt to make the huge_pmd_share() comment comprehensible, clean up coding style]
Reported-by: Larry Woodman <lwoodman@redhat.com>
Tested-by: Larry Woodman <lwoodman@redhat.com>
Reviewed-by: Mel Gorman <mgorman@suse.de>
Signed-off-by: Michal Hocko <mhocko@suse.cz>
Reviewed-by: Rik van Riel <riel@redhat.com>
Cc: David Gibson <david@gibson.dropbear.id.au>
Cc: Ken Chen <kenchen@google.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Hillf Danton <dhillf@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-08-21 16:45:02 -07:00
Stephen M. Cameron b0cf0b118c cciss: fix incorrect scsi status reporting
Delete code which sets SCSI status incorrectly as it's already been set
correctly above this incorrect code.  The bug was introduced in 2009 by
commit b0e15f6db1 ("cciss: fix typo that causes scsi status to be
lost.")

Signed-off-by: Stephen M. Cameron <scameron@beardog.cce.hp.com>
Reported-by: Roel van Meer <roel.vanmeer@bokxing.nl>
Tested-by: Roel van Meer <roel.vanmeer@bokxing.nl>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-08-21 16:45:02 -07:00
Namjae Jeon d65226e2bf Documentation: update mount option in filesystem/vfat.txt
Update two mount options(discard, nfs) in vfat.txt.

Signed-off-by: Namjae Jeon <linkinjeon@gmail.com>
Acked-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-08-21 16:45:02 -07:00
Hugh Dickins f9aed62a2b mm: change nr_ptes BUG_ON to WARN_ON
Occasionally an isolated BUG_ON(mm->nr_ptes) gets reported, indicating
that not all the page tables allocated could be found and freed when
exit_mmap() tore down the user address space.

There's usually nothing we can say about it, beyond that it's probably a
sign of some bad memory or memory corruption; though it might still
indicate a bug in vma or page table management (and did recently reveal a
race in THP, fixed a few months ago).

But one overdue change we can make is from BUG_ON to WARN_ON.

It's fairly likely that the system will crash shortly afterwards in some
other way (for example, the BUG_ON(page_mapped(page)) in
__delete_from_page_cache(), once an inode mapped into the lost page tables
gets evicted); but might tell us more before that.

Change the BUG_ON(page_mapped) to WARN_ON too?  Later perhaps: I'm less
eager, since that one has several times led to fixes.

Signed-off-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-08-21 16:45:02 -07:00
Jens Rottmann 61e01be22e cs5535-clockevt: typo, it's MFGPT, not MFPGT
Signed-off-by: Jens Rottmann <JRottmann@LiPPERTEmbedded.de>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: John Stultz <john.stultz@linaro.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-08-21 16:45:02 -07:00
Sachin Kamat 27fc4f1c0b drm: Add missing static storage class specifiers in drm_proc.c file
Fixes the following sparse warning:
drivers/gpu/drm/drm_proc.c:92:5:
warning: symbol 'drm_proc_create_files' was not declared. Should it be static?
drivers/gpu/drm/drm_proc.c:175:5:
warning: symbol 'drm_proc_remove_files' was not declared. Should it be static?

Signed-off-by: Sachin Kamat <sachin.kamat@linaro.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2012-08-22 09:30:00 +10:00
Dave Airlie d5c2c20e35 drm/udl: dpms off the crtc when disabled.
This turns off the crtc when its been disabled,
fixes it not turning off properly the whole time.

Signed-off-by: Dave Airlie <airlied@redhat.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
2012-08-22 09:27:47 +10:00
Damien Lespiau 04ccfe77f1 drm: Remove two unused fields from struct drm_display_mode
Signed-off-by: Damien Lespiau <damien.lespiau@intel.com>
Reviewed-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2012-08-22 09:27:27 +10:00
Alan Cox f5869a8308 drm: stop vmgfx driver explosion
If you do a page flip with no flags set then event is NULL. If event is
NULL then the vmw_gfx driver likes to go digging into NULL and extracts
NULL->base.file_priv.

On a modern kernel with NULL mapping protection it's just another oops,
without it there are some "intriguing" possibilities.

What it should do is an open question but that for the driver owners to
sort out.

Signed-off-by: Alan Cox <alan@linux.intel.com>
Reviewed-by: Jakob Bornecrantz <jakob@vmware.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
2012-08-22 09:26:50 +10:00
Dave Airlie 85119c16b3 Merge branch 'drm-intel-fixes' of git://people.freedesktop.org/~danvet/drm-intel into drm-fixes
Daniel writes:

" Nothing too major:
- A few fixes around the edid handling from Jani, also fixing a regression
  in 3.5 due to us using gmbus by default.
- Fixup hsw uncached pte flags.
- Fix suspend/resume crash when using hw contexts, from Ben.
- Try to tune gpu turbo a bit better, seems to help with some oddball
  power regressions."

* 'drm-intel-fixes' of git://people.freedesktop.org/~danvet/drm-intel:
  drm/i915: use hsw rps tuning values everywhere on gen6+
  drm/i915: fall back to bit-banging if GMBUS fails in CRT EDID reads
  drm/i915: extract connector update from intel_ddc_get_modes() for reuse
  drm/i915: fix hsw uncached pte
  drm/i915/contexts: fix list corruption
  drm/i915: fix EDID memory leak in SDVO
2012-08-22 09:19:40 +10:00
Dave Airlie e2be2cd804 Merge branch 'drm-fixes-3.6' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
Alex writes:

"This is the current set of radeon fixes for 3.6.  Nothing too major.

Highlights:
- fix vbios fetch on pure uefi systems
- fix vbios fetch on thunderbolt systems
- MSAA fixes
- lockup timeout fix
- modesetting fix"

* 'drm-fixes-3.6' of git://people.freedesktop.org/~agd5f/linux:
  drm/radeon/ss: use num_crtc rather than hardcoded 6
  Revert "drm/radeon: fix bo creation retry path"
  drm/radeon: split ATRM support out from the ATPX handler (v3)
  drm/radeon: convert radeon vfct code to use acpi_get_table_with_size
  ACPI: export symbol acpi_get_table_with_size
  drm/radeon: implement ACPI VFCT vbios fetch (v3)
  drm/radeon/kms: extend the Fujitsu D3003-S2 board connector quirk to cover later silicon stepping
  drm/radeon: fix checking of MSAA renderbuffers on r600-r700
  drm/radeon: allow CMASK and FMASK in the CS checker on r600-r700
  drm/radeon: init lockup timeout on ring init
  drm/radeon: avoid turning off spread spectrum for used pll
2012-08-22 09:18:49 +10:00
Sage Weil 45f2e081f5 ceph: avoid divide by zero in __validate_layout()
If "l->stripe_unit" is zero the the mod on the next line will cause a
divide by zero bug.  This comes from the copy_from_user() in
ceph_ioctl_set_layout_policy().  Passing 0 is valid, though (it means
"do not change") so avoid the % check in that case.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Sage Weil <sage@inktank.com>
Reviewed-by: Alex Elder <elder@inktank.com>
2012-08-21 15:55:28 -07:00
Jim Schutt 6d4221b537 libceph: avoid truncation due to racing banners
Because the Ceph client messenger uses a non-blocking connect, it is
possible for the sending of the client banner to race with the
arrival of the banner sent by the peer.

When ceph_sock_state_change() notices the connect has completed, it
schedules work to process the socket via con_work().  During this
time the peer is writing its banner, and arrival of the peer banner
races with con_work().

If con_work() calls try_read() before the peer banner arrives, there
is nothing for it to do, after which con_work() calls try_write() to
send the client's banner.  In this case Ceph's protocol negotiation
can complete succesfully.

The server-side messenger immediately sends its banner and addresses
after accepting a connect request, *before* actually attempting to
read or verify the banner from the client.  As a result, it is
possible for the banner from the server to arrive before con_work()
calls try_read().  If that happens, try_read() will read the banner
and prepare protocol negotiation info via prepare_write_connect().
prepare_write_connect() calls con_out_kvec_reset(), which discards
the as-yet-unsent client banner.  Next, con_work() calls
try_write(), which sends the protocol negotiation info rather than
the banner that the peer is expecting.

The result is that the peer sees an invalid banner, and the client
reports "negotiation failed".

Fix this by moving con_out_kvec_reset() out of
prepare_write_connect() to its callers at all locations except the
one where the banner might still need to be sent.

[elder@inktak.com: added note about server-side behavior]

Signed-off-by: Jim Schutt <jaschut@sandia.gov>
Reviewed-by: Alex Elder <elder@inktank.com>
2012-08-21 15:55:27 -07:00
Sage Weil 6c5e50fa61 ceph: tolerate (and warn on) extraneous dentry from mds
If the MDS gives us a dentry and we weren't prepared to handle it,
WARN_ON_ONCE instead of crashing.

Reported-by: Yan, Zheng <zheng.z.yan@intel.com>
Signed-off-by: Sage Weil <sage@inktank.com>
Reviewed-by: Alex Elder <elder@inktank.com>
2012-08-21 15:55:25 -07:00
Alex Deucher 5317670692 drm/radeon/ss: use num_crtc rather than hardcoded 6
When checking if a pll is in use.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
2012-08-21 18:52:56 -04:00
Miklos Szeredi 9974e43d90 ide: fix generic_ide_suspend/resume Oops
This patch fixes a regresion introduced by commit 0998d063 (device-core: Ensure
drvdata = NULL when no driver is bound).

Suspend oopses in generic_ide_suspend() because dev_get_drvdata()
returns NULL (dev->p->driver_data == NULL) and this function is not
prepared for this.

Fix is based on Alan Stern's suggestion.

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Acked-by: Rafael J. Wysocki <rjw@sisk.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-08-21 14:54:42 -07:00
Eric Dumazet e0e3cea46d af_netlink: force credentials passing [CVE-2012-3520]
Pablo Neira Ayuso discovered that avahi and
potentially NetworkManager accept spoofed Netlink messages because of a
kernel bug.  The kernel passes all-zero SCM_CREDENTIALS ancillary data
to the receiver if the sender did not provide such data, instead of not
including any such data at all or including the correct data from the
peer (as it is the case with AF_UNIX).

This bug was introduced in commit 16e5726269
(af_unix: dont send SCM_CREDENTIALS by default)

This patch forces passing credentials for netlink, as
before the regression.

Another fix would be to not add SCM_CREDENTIALS in
netlink messages if not provided by the sender, but it
might break some programs.

With help from Florian Weimer & Petr Matousek

This issue is designated as CVE-2012-3520

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Petr Matousek <pmatouse@redhat.com>
Cc: Florian Weimer <fweimer@redhat.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-08-21 14:53:01 -07:00
Eric Dumazet a9915a1b52 ipv4: fix ip header ident selection in __ip_make_skb()
Christian Casteyde reported a kmemcheck 32-bit read from uninitialized
memory in __ip_select_ident().

It turns out that __ip_make_skb() called ip_select_ident() before
properly initializing iph->daddr.

This is a bug uncovered by commit 1d861aa4b3 (inet: Minimize use of
cached route inetpeer.)

Addresses https://bugzilla.kernel.org/show_bug.cgi?id=46131

Reported-by: Christian Casteyde <casteyde.christian@free.fr>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-08-21 14:51:06 -07:00
Christoph Paasch 1a7b27c97c ipv4: Use newinet->inet_opt in inet_csk_route_child_sock()
Since 0e73441992 ("ipv4: Use inet_csk_route_child_sock() in DCCP and
TCP."), inet_csk_route_child_sock() is called instead of
inet_csk_route_req().

However, after creating the child-sock in tcp/dccp_v4_syn_recv_sock(),
ireq->opt is set to NULL, before calling inet_csk_route_child_sock().
Thus, inside inet_csk_route_child_sock() opt is always NULL and the
SRR-options are not respected anymore.
Packets sent by the server won't have the correct destination-IP.

This patch fixes it by accessing newinet->inet_opt instead of ireq->opt
inside inet_csk_route_child_sock().

Reported-by: Luca Boccassi <luca.boccassi@gmail.com>
Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-08-21 14:49:11 -07:00
Eric Dumazet 144d56e910 tcp: fix possible socket refcount problem
Commit 6f458dfb40 (tcp: improve latencies of timer triggered events)
added bug leading to following trace :

[ 2866.131281] IPv4: Attempt to release TCP socket in state 1 ffff880019ec0000
[ 2866.131726]
[ 2866.132188] =========================
[ 2866.132281] [ BUG: held lock freed! ]
[ 2866.132281] 3.6.0-rc1+ #622 Not tainted
[ 2866.132281] -------------------------
[ 2866.132281] kworker/0:1/652 is freeing memory ffff880019ec0000-ffff880019ec0a1f, with a lock still held there!
[ 2866.132281]  (sk_lock-AF_INET-RPC){+.+...}, at: [<ffffffff81903619>] tcp_sendmsg+0x29/0xcc6
[ 2866.132281] 4 locks held by kworker/0:1/652:
[ 2866.132281]  #0:  (rpciod){.+.+.+}, at: [<ffffffff81083567>] process_one_work+0x1de/0x47f
[ 2866.132281]  #1:  ((&task->u.tk_work)){+.+.+.}, at: [<ffffffff81083567>] process_one_work+0x1de/0x47f
[ 2866.132281]  #2:  (sk_lock-AF_INET-RPC){+.+...}, at: [<ffffffff81903619>] tcp_sendmsg+0x29/0xcc6
[ 2866.132281]  #3:  (&icsk->icsk_retransmit_timer){+.-...}, at: [<ffffffff81078017>] run_timer_softirq+0x1ad/0x35f
[ 2866.132281]
[ 2866.132281] stack backtrace:
[ 2866.132281] Pid: 652, comm: kworker/0:1 Not tainted 3.6.0-rc1+ #622
[ 2866.132281] Call Trace:
[ 2866.132281]  <IRQ>  [<ffffffff810bc527>] debug_check_no_locks_freed+0x112/0x159
[ 2866.132281]  [<ffffffff818a0839>] ? __sk_free+0xfd/0x114
[ 2866.132281]  [<ffffffff811549fa>] kmem_cache_free+0x6b/0x13a
[ 2866.132281]  [<ffffffff818a0839>] __sk_free+0xfd/0x114
[ 2866.132281]  [<ffffffff818a08c0>] sk_free+0x1c/0x1e
[ 2866.132281]  [<ffffffff81911e1c>] tcp_write_timer+0x51/0x56
[ 2866.132281]  [<ffffffff81078082>] run_timer_softirq+0x218/0x35f
[ 2866.132281]  [<ffffffff81078017>] ? run_timer_softirq+0x1ad/0x35f
[ 2866.132281]  [<ffffffff810f5831>] ? rb_commit+0x58/0x85
[ 2866.132281]  [<ffffffff81911dcb>] ? tcp_write_timer_handler+0x148/0x148
[ 2866.132281]  [<ffffffff81070bd6>] __do_softirq+0xcb/0x1f9
[ 2866.132281]  [<ffffffff81a0a00c>] ? _raw_spin_unlock+0x29/0x2e
[ 2866.132281]  [<ffffffff81a1227c>] call_softirq+0x1c/0x30
[ 2866.132281]  [<ffffffff81039f38>] do_softirq+0x4a/0xa6
[ 2866.132281]  [<ffffffff81070f2b>] irq_exit+0x51/0xad
[ 2866.132281]  [<ffffffff81a129cd>] do_IRQ+0x9d/0xb4
[ 2866.132281]  [<ffffffff81a0a3ef>] common_interrupt+0x6f/0x6f
[ 2866.132281]  <EOI>  [<ffffffff8109d006>] ? sched_clock_cpu+0x58/0xd1
[ 2866.132281]  [<ffffffff81a0a172>] ? _raw_spin_unlock_irqrestore+0x4c/0x56
[ 2866.132281]  [<ffffffff81078692>] mod_timer+0x178/0x1a9
[ 2866.132281]  [<ffffffff818a00aa>] sk_reset_timer+0x19/0x26
[ 2866.132281]  [<ffffffff8190b2cc>] tcp_rearm_rto+0x99/0xa4
[ 2866.132281]  [<ffffffff8190dfba>] tcp_event_new_data_sent+0x6e/0x70
[ 2866.132281]  [<ffffffff8190f7ea>] tcp_write_xmit+0x7de/0x8e4
[ 2866.132281]  [<ffffffff818a565d>] ? __alloc_skb+0xa0/0x1a1
[ 2866.132281]  [<ffffffff8190f952>] __tcp_push_pending_frames+0x2e/0x8a
[ 2866.132281]  [<ffffffff81904122>] tcp_sendmsg+0xb32/0xcc6
[ 2866.132281]  [<ffffffff819229c2>] inet_sendmsg+0xaa/0xd5
[ 2866.132281]  [<ffffffff81922918>] ? inet_autobind+0x5f/0x5f
[ 2866.132281]  [<ffffffff810ee7f1>] ? trace_clock_local+0x9/0xb
[ 2866.132281]  [<ffffffff8189adab>] sock_sendmsg+0xa3/0xc4
[ 2866.132281]  [<ffffffff810f5de6>] ? rb_reserve_next_event+0x26f/0x2d5
[ 2866.132281]  [<ffffffff8103e6a9>] ? native_sched_clock+0x29/0x6f
[ 2866.132281]  [<ffffffff8103e6f8>] ? sched_clock+0x9/0xd
[ 2866.132281]  [<ffffffff810ee7f1>] ? trace_clock_local+0x9/0xb
[ 2866.132281]  [<ffffffff8189ae03>] kernel_sendmsg+0x37/0x43
[ 2866.132281]  [<ffffffff8199ce49>] xs_send_kvec+0x77/0x80
[ 2866.132281]  [<ffffffff8199cec1>] xs_sendpages+0x6f/0x1a0
[ 2866.132281]  [<ffffffff8107826d>] ? try_to_del_timer_sync+0x55/0x61
[ 2866.132281]  [<ffffffff8199d0d2>] xs_tcp_send_request+0x55/0xf1
[ 2866.132281]  [<ffffffff8199bb90>] xprt_transmit+0x89/0x1db
[ 2866.132281]  [<ffffffff81999bcd>] ? call_connect+0x3c/0x3c
[ 2866.132281]  [<ffffffff81999d92>] call_transmit+0x1c5/0x20e
[ 2866.132281]  [<ffffffff819a0d55>] __rpc_execute+0x6f/0x225
[ 2866.132281]  [<ffffffff81999bcd>] ? call_connect+0x3c/0x3c
[ 2866.132281]  [<ffffffff819a0f33>] rpc_async_schedule+0x28/0x34
[ 2866.132281]  [<ffffffff810835d6>] process_one_work+0x24d/0x47f
[ 2866.132281]  [<ffffffff81083567>] ? process_one_work+0x1de/0x47f
[ 2866.132281]  [<ffffffff819a0f0b>] ? __rpc_execute+0x225/0x225
[ 2866.132281]  [<ffffffff81083a6d>] worker_thread+0x236/0x317
[ 2866.132281]  [<ffffffff81083837>] ? process_scheduled_works+0x2f/0x2f
[ 2866.132281]  [<ffffffff8108b7b8>] kthread+0x9a/0xa2
[ 2866.132281]  [<ffffffff81a12184>] kernel_thread_helper+0x4/0x10
[ 2866.132281]  [<ffffffff81a0a4b0>] ? retint_restore_args+0x13/0x13
[ 2866.132281]  [<ffffffff8108b71e>] ? __init_kthread_worker+0x5a/0x5a
[ 2866.132281]  [<ffffffff81a12180>] ? gs_change+0x13/0x13
[ 2866.308506] IPv4: Attempt to release TCP socket in state 1 ffff880019ec0000
[ 2866.309689] =============================================================================
[ 2866.310254] BUG TCP (Not tainted): Object already free
[ 2866.310254] -----------------------------------------------------------------------------
[ 2866.310254]

The bug comes from the fact that timer set in sk_reset_timer() can run
before we actually do the sock_hold(). socket refcount reaches zero and
we free the socket too soon.

timer handler is not allowed to reduce socket refcnt if socket is owned
by the user, or we need to change sk_reset_timer() implementation.

We should take a reference on the socket in case TCP_DELACK_TIMER_DEFERRED
or TCP_DELACK_TIMER_DEFERRED bit are set in tsq_flags

Also fix a typo in tcp_delack_timer(), where TCP_WRITE_TIMER_DEFERRED
was used instead of TCP_DELACK_TIMER_DEFERRED.

For consistency, use same socket refcount change for TCP_MTU_REDUCED_DEFERRED,
even if not fired from a timer.

Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Tested-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-08-21 14:42:23 -07:00
Roland Dreier af74115eed target: Remove unused se_cmd.cmd_spdtl
This was originally for helping fabrics to determine overflow/underflow
status, and has been superceeded by SCF_OVERFLOW_BIT + SCF_UNDERFLOW_BIT.

Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2012-08-21 14:27:35 -07:00
Linus Torvalds 1456c75a80 Merge branch 'audit-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs
Pull audit-tree fixes from Miklos Szeredi:
 "The audit subsystem maintainers (Al and Eric) are not responding to
  repeated resends.  Eric did ack them a while ago, but no response
  since then.  So I'm sending these directly to you."

* 'audit-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs:
  audit: clean up refcounting in audit-tree
  audit: fix refcounting in audit-tree
  audit: don't free_chunk() after fsnotify_add_mark()
2012-08-21 12:25:24 -07:00
Linus Torvalds a6b881a5b8 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu
Pull m68knommu arch fixes from Greg Ungerer:
 "This contains 2 fixes.  One fixes compilation of ColdFire clk code,
  the other makes sure we use the generic atomic64 support on all m68k
  targets."

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu:
  m68k: select CONFIG_GENERIC_ATOMIC64 for all m68k CPU types
  m68knommu: select CONFIG_HAVE_CLK for ColdFire CPU types
2012-08-21 10:08:39 -07:00
Linus Torvalds 8f6c1ca9be Pin control fixes for v3.6:
- Fixed Nomadik errorpath
 - Fixed documentation spelling errors
 - Forward-declare struct device in a header file
 - Remove some extraneous code lines when getting pinctrl states
 - Correct the i.MX51 configure register number
 - Fix the Nomadik keypad function group list
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.10 (GNU/Linux)
 
 iQIcBAABAgAGBQJQMmrMAAoJEEEQszewGV1zFpEP/0tTUOT60A12qbMMgW7smwRM
 jt/AqLxULX9iLawJtBZ3IY5iIoo8ZYpHDAUEIISKZEUnpCKGx3VDKHrHjsPxxfFf
 oBZ8PAQIVJYN0jiUkCeGAeKGzqzNGALt8NvBghlJJC6/CDk89Fe8fAjeRUXRCPjo
 hVY9hZ73TcqFAtZ80ETk5vDMMa3/OQukdbuVVBQTi+Y0mJ15zeFqNogPQRgX6oC7
 VJiIpPSUbcmgE+wWRUxIdf2y4isHZum62EWLjFPsgrK3ms1c2ap6RCr9P7ORXWc7
 lBq9uGDWa0ptXlI8drXVit8Pd4b98keEczyuNJFe7sSLYO4/BB8dUvp1jXdyjUWz
 kY6aIIvWrG0607rafPyg/5EbPQcX3NLmp3wevL0XEV/mwalu7ZcXaqnUWUVunRMM
 l8Y95T2uyoM+J4yPw8mUyPrRbN/THDqk9s53P+hQZEZjlkvGeaT2kRqbANkq/uKz
 XNaH2Zzdt1duvM0HO+S4gl+gz/iCpebjeb6gLf1bzd/NRqKlopmWw6L2cGbyTInq
 TohQQhYhvm+dib3a3teF4DEeJBRPmheNzdIoAnHQ1tbe6LNQzVSZzE3qEKGk7sSG
 Rk5SASW575LNBV+I/g8P4uuV4qMdr6jJikTLYGU4FsTBRNNhFvZtRTUWVTS6gdxt
 9KrpXkhZdV1dVElupOX/
 =E7f4
 -----END PGP SIGNATURE-----

Merge tag 'pinctrl-fixes-v3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl

Pull pin control fixes from Linus Walleij:
 - Fixed Nomadik errorpath
 - Fixed documentation spelling errors
 - Forward-declare struct device in a header file
 - Remove some extraneous code lines when getting pinctrl states
 - Correct the i.MX51 configure register number
 - Fix the Nomadik keypad function group list

* tag 'pinctrl-fixes-v3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
  pinctrl/nomadik: add kp_b_2 keyboard function group list
  pinctrl: imx51: fix .conf_reg of MX51_PAD_SD2_CMD__CSPI_MOSI
  trivial: pinctrl core: remove extraneous code lines
  pinctrl: header: trivial: declare struct device
  Documentation/pinctrl.txt: Fix some misspelled macros
  pinctrl/nomadik: fix null in irqdomain errorpath
2012-08-21 10:07:41 -07:00
Linus Torvalds 4459f3974a Sound fixes for 3.6-rc3
This update became slightly bigger than usual for rc3, but most of the
 commits are small and trivial.  A large chunk is found for HD-audio
 ca0132 codec, which is mostly a clean up of the specific code, to make
 SPDIF working properly, and also in the new ASoC Arizona driver.
 
 One important fix is for usb-audio Oops fix since 3.5.  We still see
 some EHCI related bandwidth problem, but usb-audio should be more
 stabilized now.
 
 Other than that, a Kconfig fix is spread over files, and various
 HD-audio and ASoC fixes as usual, in addition to Julia's error path
 fixes.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.19 (GNU/Linux)
 
 iQIcBAABAgAGBQJQM0KtAAoJEGwxgFQ9KSmkgvkP/ifTaAQAJcuR15G8wHf4awPn
 cy/S7M5I02MRFe2c4IltJiK/y21jSsYLNvq3ISlcVxWrBod4r9ee2/23y/1veI2Z
 MhNXjN5vU/gNN/Ll5GTg/8dKaVTOSp3GqKJrEUDWhld42IZFS2OZwF6Qdx/jqoSS
 eCDEBQnkGj5mxLGC53ZwWURLCBrj8gIaaLXcm3121+/MAM3y8o7HaU45pJCPMVRR
 QdvVCW7FoPQ+S/j4eozElcGuACJTNvJnUhfSk0oAUoiZHfb8UThpexdF4K8l1qNB
 9PP3Pc1X2Fu7Ta1HDFenY3eOqNEOUY1Kj3isxEj0QOZugRpHYsp0k4GakAyDd8Ik
 2xUQumwzuxLEkkoHOVLM3lwppnD15KKm67OXeykNiI1xqlXNiuyhCL/pZIkxluuQ
 dPyG3EP+8yyFIuB709oaGlrMcscPZcxUw2RMeWBGTEUY0ECnrz8pCQRseazcmBP6
 LcyVlT3IWsmsogFU1OLGhl7kpmV3KisAJcUPPNNaq7wYEFtRxfUo0w3oXrn8jGe3
 sPiUhDm6WULJDsQYa9kss1GzXJVsdkCzoPw9vMTb9x9cXFO5XYigY0Qf6ujtjdQy
 WAvOYnuTfa2DAS+YCCFG0rO1H8Fv7SamDKyP4jJpnV7WHbDNOveWjtAC6VMcb9EY
 v+ko6dxRohfjUbvgdLiS
 =d2Si
 -----END PGP SIGNATURE-----

Merge tag 'sound-3.6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "This update became slightly bigger than usual for rc3, but most of the
  commits are small and trivial.  A large chunk is found for HD-audio
  ca0132 codec, which is mostly a clean up of the specific code, to make
  SPDIF working properly, and also in the new ASoC Arizona driver.

  One important fix is for usb-audio Oops fix since 3.5.  We still see
  some EHCI related bandwidth problem, but usb-audio should be more
  stabilized now.

  Other than that, a Kconfig fix is spread over files, and various
  HD-audio and ASoC fixes as usual, in addition to Julia's error path
  fixes."

* tag 'sound-3.6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (42 commits)
  ALSA: snd-als100: fix suspend/resume
  ALSA: hda - Fix leftover codec->power_transition
  ALSA: hda - don't create dysfunctional mixer controls for ca0132
  ALSA: sound/ppc/snd_ps3.c: fix error return code
  ALSA: sound/pci/rme9652/hdspm.c: fix error return code
  ALSA: sound/pci/sis7019.c: fix error return code
  ALSA: sound/pci/ctxfi/ctatc.c: fix error return code
  ALSA: sound/atmel/ac97c.c: fix error return code
  ALSA: sound/atmel/abdac.c: fix error return code
  ALSA: fix pcm.h kernel-doc warning and notation
  sound: oss/sb_audio: prevent divide by zero bug
  ASoC: wm9712: Fix inverted capture volume
  ASoC: wm9712: Fix microphone source selection
  ASoC: wm5102: Remove DRC2
  ALSA: hda - Don't send invalid volume knob command on IDT 92hd75bxx
  ALSA: usb-audio: Fix scheduling-while-atomic bug in PCM capture stream
  ALSA: lx6464es: Add a missing error check
  ALSA: hda - Fix 'Beep Playback Switch' with no underlying mute switch
  ASoC: jack: Always notify full jack status
  ASoC: wm5110: Add missing input PGA routes
  ...
2012-08-21 09:17:05 -07:00
Eric Dumazet f341861fb0 task_work: add a scheduling point in task_work_run()
It seems commit 4a9d4b024a ("switch fput to task_work_add") re-
introduced the problem addressed in 944be0b224 ("close_files(): add
scheduling point")

If a server process with a lot of files (say 2 million tcp sockets) is
killed, we can spend a lot of time in task_work_run() and trigger a soft
lockup.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-08-21 09:11:44 -07:00
Dave Airlie ec5da7f8dc fbcon: fix race condition between console lock and cursor timer
So we've had a fair few reports of fbcon handover breakage between
efi/vesafb and i915 surface recently, so I dedicated a couple of
days to finding the problem.

Essentially the last thing we saw was the conflicting framebuffer
message and that was all.

So after much tracing with direct netconsole writes (printks
under console_lock not so useful), I think I found the race.

  Thread A (driver load)    Thread B (timer thread)
    unbind_con_driver ->              |
    bind_con_driver ->                |
    vc->vc_sw->con_deinit ->          |
    fbcon_deinit ->                   |
    console_lock()                    |
        |                             |
        |                       fbcon_flashcursor timer fires
        |                       console_lock() <- blocked for A
        |
        |
  fbcon_del_cursor_timer ->
    del_timer_sync
    (BOOM)

Of course because all of this is under the console lock,
we never see anything, also since we also just unbound the active
console guess what we never see anything.

Hopefully this fixes the problem for anyone seeing vesafb->kms
driver handoff.

Signed-off-by: David Airlie <airlied@redhat.com>
Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: stable@vger.kernel.org
Tested-by: Josh Boyer <jwboyer@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-08-21 09:08:50 -07:00
Ingo Molnar f5042d0375 perf/urgent fix:
. Add missing object files needed to use the python binding, cherry-picked
   from perf/core, got a report it affects Linus's too, fix it.
 
 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.14 (GNU/Linux)
 
 iQIcBAABAgAGBQJQM5adAAoJENZQFvNTUqpAsZ0P/0tbtY0F3rMiXq84ok/tzp06
 ks3kpGA/8IODyOais3DI1IrmDknCBTYNIY5hhupYZwx8dVtRsKgRcsxVbp4pMGEp
 3fGpmuQ/PGM4hcQPiCo+qeLmvtCzpJAnzTQ5bki+70ZzkwE8RkY4y2tI4gyEOagi
 MucKuQ8SInUwG05OjrsnGQmA5RlH0u/ENhc61SDRg2tY8dH3fopgKnetqElg+vEh
 TUbd/p3/lp/rDDKBHysAB8lXj9nD3RRMaR78wh4ta2qybt2FPnI31VJf8HfDDOEA
 ASQXOQ3GR3aXCt93Eoe+oIK3sJjWXx/C80nW/vR/WSSzQl4f9ct6mFjipX7WGPHY
 styQr70RErNIQU+Xf+LTuwozzJOHCj1747jku1PRz8f8q/KzlDWCzuivPC00R3L3
 gqHE2NhZSQHoSEJXKMVVso/FUvcqrr1bQJ8WiNEAg/DZREiXH3UoH9dyU4qQLy/V
 HixAbG8pSDlOaAn+D68aPNdEBOV3s2JPxXyQyhC1e75aLRSkLl7uLW7lIYux+iEK
 xNT6TP9eO9KG7sfH/h0YZ9Mijiv5TmXQfFJNXkE7gNR+uCkZXSV5uEiiJhY/VCpt
 lQEkel7AgEzYTAA0Jw9aCdnYKCPNdxSVs3wqPe+Rb9NuZF7eYiEcMzPMxEJpWTXS
 lbbgjm6Qe1UUM+2i9Okm
 =Mghe
 -----END PGP SIGNATURE-----

Merge tag 'perf-urgent-for-mingo' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux into perf/urgent

Pull perf/urgent fix from Arnaldo Carvalho de Melo:

 * Add missing object files needed to use the python binding, cherry-picked
   from perf/core, got a report it affects Linus's tree too, fix it.

Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2012-08-21 16:57:50 +02:00
Alex Deucher 676bc2e1e4 Revert "drm/radeon: fix bo creation retry path"
This reverts commit d1c7871ddb.

ttm_bo_init() destroys the BO on failure. So this patch makes
the retry path work with freed memory.  This ends up causing
kernel panics when this path is hit.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
2012-08-21 09:55:01 -04:00
Arnaldo Carvalho de Melo 3ab484b862 perf tools: Add missing files to build the python binding
Changeset 0f6a3015:
"perf tools: Support user regs and stack in sample parsing"

uses hweight_long in evsel.c, so we need to drag util/hweight.c
to the python binding.

Ditto for ee8dd3c:
"perf tools: Change strlist to use the new rblist"

where we need to add util/rblist.c.

Now twatch.py works again:

 # export PYTHONPATH=~acme/git/build/perf/python/
 # ~acme/git/linux/tools/perf/python/twatch.py
 cpu:  4, pid: 23639, tid: 23639 { type: fork, pid: 30659, ppid: 23639, tid: 30659, ptid: 23639, time: 36287872076780}
 cpu:  5, pid: 30659, tid: 30659 { type: comm, pid: 30659, tid: 30659, comm: ls }
 cpu:  5, pid: 30659, tid: 30659 { type: exit, pid: 30659, ppid: 30659, tid: 30659, ptid: 30659, time: 36287873681539}
 cpu:  4, pid: 23639, tid: 23639 { type: fork, pid: 30660, ppid: 23639, tid: 30660, ptid: 23639, time: 36291720420480}
 cpu:  5, pid: 30659, tid: 30659 { type: exit, pid: 30659, ppid: 30659, tid: 30659, ptid: 30659, time: 36287873685714}
 cpu:  5, pid: 30660, tid: 30660 { type: comm, pid: 30660, tid: 30660, comm: git }
 ^C
 KeyboardInterrupt

Reported-by: Jérôme Carretero <cJ-ko@zougloub.eu>
Cc: David Ahern <dsahern@gmail.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Namhyung Kim <namhyung@gmail.com>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Link: http://lkml.kernel.org/n/tip-gmq82zp5blin9aml9g5tzokr@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
2012-08-21 10:31:40 -03:00
Artem Bityutskiy c212f4020d UBIFS: fix replay regression
Commit "d51f17e UBIFS: simplify reply code a bit" introduces a bug with the
following symptoms:

UBIFS error (pid 1): replay_log_leb: first CS node at LEB 3:0 has wrong commit number 0 expected 1

The issue is that we start replaying the log from UBIFS_LOG_LNUM instead
of c->lhead_lnum. This patch fixes that.

Reported-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
2012-08-21 15:25:25 +03:00
Artem Bityutskiy 11e3be0be2 UBIFS: fix crash on error path
This patch fixes a regression introduced by
"4994297 UBIFS: make ubifs_lpt_init clean-up in case of failure" which
I've hit while running the 'integck -p' test. When remount the file-system
from R/O mode to R/W mode and 'lpt_init_wr()' fails, we free _all_ LPT
resources by calling 'ubifs_lpt_free(c, 0)', even those needed for R/O
mode. This leads to subsequent crashes, e.g., if we try to unmount
the file-system.

Cc: stable@vger.kernel.org [v3.5+]
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
2012-08-21 15:25:24 +03:00
Artem Bityutskiy 73e8712aa0 UBIFS: remove stale commentary
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
2012-08-21 15:25:24 +03:00
Ingo Molnar 5c65ca7520 Merge branch 'tip/perf/urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace into perf/urgent
Pull syscall tracing fix from Steve Rostedt.

Signed-off-by: Ingo Molnar <mingo@kernel.org>
2012-08-21 11:49:37 +02:00
Oleg Nesterov c7a3a88c93 uprobes: Fix mmap_region()'s mm->mm_rb corruption if uprobe_mmap() fails
This patch fixes:

  https://bugzilla.redhat.com/show_bug.cgi?id=843640

If mmap_region()->uprobe_mmap() fails, unmap_and_free_vma path
does unmap_region() but does not remove the soon-to-be-freed vma
from rb tree. Actually there are more problems but this is how
William noticed this bug.

Perhaps we could do do_munmap() + return in this case, but in
fact it is simply wrong to abort if uprobe_mmap() fails. Until
at least we move the !UPROBE_COPY_INSN code from
install_breakpoint() to uprobe_register().

For example, uprobe_mmap()->install_breakpoint() can fail if the
probed insn is not supported (remember, uprobe_register()
succeeds if nobody mmaps inode/offset), mmap() should not fail
in this case.

dup_mmap()->uprobe_mmap() is wrong too by the same reason,
fork() can race with uprobe_register() and fail for no reason if
it wins the race and does install_breakpoint() first.

And, if nothing else, both mmap_region() and dup_mmap() return
success if uprobe_mmap() fails. Change them to ignore the error
code from uprobe_mmap().

Reported-and-tested-by: William Cohen <wcohen@redhat.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
Cc: <stable@vger.kernel.org> # v3.5
Cc: Anton Arapov <anton@redhat.com>
Cc: William Cohen <wcohen@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: http://lkml.kernel.org/r/20120819171042.GB26957@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2012-08-21 11:48:12 +02:00
Ondrej Zary 53e1719f3d ALSA: snd-als100: fix suspend/resume
snd_card_als100_probe() does not set pcm field in struct snd_sb.
As a result, PCM is not suspended and applications don't know that they need
to resume the playback.

Tested with Labway A381-F20 card (ALS120).

Signed-off-by: Ondrej Zary <linux@rainbow-software.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2012-08-21 07:29:40 +02:00
Linus Torvalds 9160338de9 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci
Pull PCI fixes from Bjorn Helgaas:
 "Here are two patches from Rafael Wysocki.

  One fixes an EHCI-related hibernation crash on ASUS boxes.  We fixed a
  similar suspend issue in v3.6-rc1, and this applies the same fix to
  the hibernate path.

  The other fixes D3/D3cold/D4 messages related to the D3cold support we
  merged in v3.6-rc1."

(Removed redundant top non-fast-forward merge commit from pulled branch)

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
  PCI: EHCI: Fix crash during hibernation on ASUS computers
  PCI / PM: Fix D3/D3cold/D4 messages printed by acpi_pci_set_power_state()
2012-08-20 16:42:41 -07:00
J. Bruce Fields d10f27a750 svcrpc: fix svc_xprt_enqueue/svc_recv busy-looping
The rpc server tries to ensure that there will be room to send a reply
before it receives a request.

It does this by tracking, in xpt_reserved, an upper bound on the total
size of the replies that is has already committed to for the socket.

Currently it is adding in the estimate for a new reply *before* it
checks whether there is space available.  If it finds that there is not
space, it then subtracts the estimate back out.

This may lead the subsequent svc_xprt_enqueue to decide that there is
space after all.

The results is a svc_recv() that will repeatedly return -EAGAIN, causing
server threads to loop without doing any actual work.

Cc: stable@vger.kernel.org
Reported-by: Michael Tokarev <mjt@tls.msk.ru>
Tested-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
2012-08-20 18:39:19 -04:00
J. Bruce Fields f06f00a24d svcrpc: sends on closed socket should stop immediately
svc_tcp_sendto sets XPT_CLOSE if we fail to transmit the entire reply.
However, the XPT_CLOSE won't be acted on immediately.  Meanwhile other
threads could send further replies before the socket is really shut
down.  This can manifest as data corruption: for example, if a truncated
read reply is followed by another rpc reply, that second reply will look
to the client like further read data.

Symptoms were data corruption preceded by svc_tcp_sendto logging
something like

	kernel: rpc-srv/tcp: nfsd: sent only 963696 when sending 1048708 bytes - shutting down socket

Cc: stable@vger.kernel.org
Reported-by: Malahal Naineni <malahal@us.ibm.com>
Tested-by: Malahal Naineni <malahal@us.ibm.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
2012-08-20 18:38:59 -04:00
J. Bruce Fields be1e44441a svcrpc: fix BUG() in svc_tcp_clear_pages
Examination of svc_tcp_clear_pages shows that it assumes sk_tcplen is
consistent with sk_pages[] (in particular, sk_pages[n] can't be NULL if
sk_tcplen would lead us to expect n pages of data).

svc_tcp_restore_pages zeroes out sk_pages[] while leaving sk_tcplen.
This is OK, since both functions are serialized by XPT_BUSY.  However,
that means the inconsistency must be repaired before dropping XPT_BUSY.

Therefore we should be ensuring that svc_tcp_save_pages repairs the
problem before exiting svc_tcp_recv_record on error.

Symptoms were a BUG() in svc_tcp_clear_pages.

Cc: stable@vger.kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
2012-08-20 18:38:44 -04:00
J. Bruce Fields 39307655a1 nfsd4: fix security flavor of NFSv4.0 callback
Commit d5497fc693 "nfsd4: move rq_flavor
into svc_cred" forgot to remove cl_flavor from the client, leaving two
places (cl_flavor and cl_cred.cr_flavor) for the flavor to be stored.
After that patch, the latter was the one that was updated, but the
former was the one that the callback used.

Symptoms were a long delay on utime().  This is because the utime()
generated a setattr which recalled a delegation, but the cb_recall was
ignored by the client because it had the wrong security flavor.

Cc: stable@vger.kernel.org
Tested-by: Jamie Heilman <jamie@audible.transient.net>
Reported-by: Jamie Heilman <jamie@audible.transient.net>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
2012-08-20 18:38:36 -04:00
Linus Torvalds 3b31fe9294 Clean out references to dead CONFIG_MISC_DEVICES option
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.11 (GNU/Linux)
 
 iQIcBAABAgAGBQJQMpkfAAoJEKurIx+X31iB3xsP+wX0Od5j2Nu4E5wIpowt/m7I
 8/G8thVVLGV76ZXnXQ6uPOcb4sshJH/HnsGdn/nIqy9ICHEeUOfTDSNrsa4gW0re
 iBhZWf8SorZYb9TIbr+SbpVdcWkzs7KpBInZBlG4XXAEHdtJt/525DkRr8Hyvfok
 AXwmrQ8l4gMXhjV4uu8dT3YAPeJnpCt98GUQpOOu9WsdgD5pTUZXHmeySjevwgEp
 Rpz2jaOafkvDi/4eX2/0zv1b6p+5S2bkFId2mL/gTsBNt5qR4DRS6Eh6M604LDGq
 V9cNtUX+JJ3+JcVVyEw09R3wp1prCyt6xbxx02+cA8IYA2zH+oTRz38GXSroJkTP
 8fdrPhT3rkKfQrq+QbnzxulD3A2KxhvgKraJb8hc/iEf3ctKeguh4pDl8v/lV1RN
 X5Ni3mTvRh7gSjexL3GyvDU+S+oCyJtR/epP1Al+ihqgqXRn50uTSa1q00ZUGZk0
 eozm1W6j5olgih8w3KNW4cx3s1piQ4M9oDym2VEWJ8sbgKLr24qUGoW//7EHBCz9
 wA6ZFYckXH/PYV+ZUqK6pR1sIJSo0hyy+alJt3WOlB6gy/FQNUhiicGqW/LEf5Eu
 WNexzdccTurdiI3OZ2lxoPVgZRCG2lhqwdvI5wxGJqduV46fr5ydgQ06AoElOjf4
 XHW7TR2qlJzovim2Vqh0
 =Epgu
 -----END PGP SIGNATURE-----

Merge tag 'please-pull-ia64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux

Pull config cleanup for ia64 from Tony Luck:
 "Clean out references to dead CONFIG_MISC_DEVICES option"

* tag 'please-pull-ia64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux:
  [IA64] defconfig: Remove CONFIG_MISC_DEVICES
2012-08-20 15:26:28 -07:00
Denis Efremov 08a16208c8 tcm_fc: rcu_deref outside rcu lock/unlock section
Use rcu_dereference_protected in order to prevent lockdep
complaint. Sequel of the patch 863555be

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Denis Efremov <yefremov.denis@gmail.com>
Acked-by: Mark D. Rustad <mark.d.rustad@intel.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2012-08-20 14:52:15 -07:00
Michael S. Tsirkin 6de7145ca3 tcm_vhost: Fix vhost_scsi_target structure alignment
Here TRANSPORT_IQN_LEN is 224, which is a multiple of 4.
Since vhost_tpgt is 2 bytes and abi_version is 4, the total size would
be 230.  But gcc needs struct size be aligned to first field size, which
is 4 bytes, so it pads the structure by extra 2 bytes to the total of
232.

This padding is very undesirable in an ABI:
- it can not be initialized easily
- it can not be checked easily
- it can leak information between kernel and userspace

Simplest solution is probably just to make the padding
explicit.

(v2: Add check for zero'ed backend->reserved field for VHOST_SCSI_SET_ENDPOINT
     and VHOST_SCSI_CLEAR_ENDPOINT ops as requested by MST)

Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2012-08-20 14:52:11 -07:00
Linus Torvalds 10c63c9aec More USB patches for 3.6-rc3
Here are 10 more USB patches for 3.6-rc3.  They all fix reported
 problems (build problems for one of them, and easily repeatable oopses
 for the others.)
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.18 (GNU/Linux)
 
 iEYEABECAAYFAlAyjj4ACgkQMUfUDdst+yn8gQCgkNpc92Ux5hBYJIX/AQYoBrTB
 ktAAoLiXxIhVP+D4C42R1VLw9vGeB1QH
 =+8kb
 -----END PGP SIGNATURE-----

Merge tag 'usb-3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb

Pull more USB patches from Greg Kroah-Hartman:
 "Here are 10 more USB patches for 3.6-rc3.  They all fix reported
  problems (build problems for one of them, and easily repeatable oopses
  for the others.)

  Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>"

* tag 'usb-3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
  gpu/mfd/usb: Fix USB randconfig problems
  USB: CDC ACM: Fix NULL pointer dereference
  USB: emi62: remove __devinit* from the struct usb_device_id table
  USB: winbond: remove __devinit* from the struct usb_device_id table
  USB: vt6656: remove __devinit* from the struct usb_device_id table
  USB: rtl8187: remove __devinit* from the struct usb_device_id table
  USB: p54usb: remove __devinit* from the struct usb_device_id table
  USB: spca506: remove __devinit* from the struct usb_device_id table
  USB: jl2005bcd: remove __devinit* from the struct usb_device_id table
  USB: smsusb: remove __devinit* from the struct usb_device_id table
2012-08-20 13:14:22 -07:00
Linus Torvalds c3e2f79d2d dmesg fix for 3.6-rc3
Here is one fix for the dmesg line corruption problem that the previous
 set of patches caused.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.18 (GNU/Linux)
 
 iEYEABECAAYFAlAyh14ACgkQMUfUDdst+yn2RQCbBissjdBqDhaX9schGTKyrxPM
 UOUAn3o3KZpUzFWSGYXQGaSI7HtcyElz
 =GWkA
 -----END PGP SIGNATURE-----

Merge tag 'driver-core-3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core

Pull one more driver core fix from Greg Kroah-Hartman:
 "Here is one fix for the dmesg line corruption problem that the
  previous set of patches caused.

  Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>"

* tag 'driver-core-3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
  dyndbg: fix for SOH in logging messages
2012-08-20 13:13:47 -07:00
Linus Torvalds b0fbfb0cec Merge branch 'for_linus' of git://cavan.codon.org.uk/platform-drivers-x86
Pull x86 platform driver update from Matthew Garrett:
 "Some small updates for a few drivers, and some hardware enablement for
  new Ideapads and the gmux hardware in the latest Macs.

  This code won't run on older devices and has been well tested on new
  ones, so low risk of regressions."

* 'for_linus' of git://cavan.codon.org.uk/platform-drivers-x86:
  ideapad: add Lenovo IdeaPad Z570 support (part 3)
  ideapad: add Lenovo IdeaPad Z570 support (part 2)
  ideapad: add Lenovo IdeaPad Z570 support (part 1)
  classmate-laptop: always call input_sync() after input_report_switch()
  thinkpad-acpi: recognize latest V-Series using DMI_BIOS_VENDOR
  dell-laptop: Fixed typo in touchpad LED quirk
  vga_switcheroo: Don't require handler init callback
  vga_switcheroo: Remove assumptions about registration/unregistration ordering
  apple-gmux: Add display mux support
  apple-gmux: Fix kconfig dependencies
  asus-wmi: record wlan status while controlled by userapp
  apple_gmux: Fix ACPI video unregister
  apple_gmux: Add support for newer hardware
  gmux: Add generic write32 function
2012-08-20 13:12:41 -07:00
Linus Torvalds 807b5169e2 One patch with section conflict fixes.
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.11 (GNU/Linux)
 
 iQIcBAABAgAGBQJQMRbfAAoJEMsfJm/On5mBG3AP/2zEQEmUuefWsifb8B2cBptO
 78bNB4pZx1u93GNv+qaTNS2q0dNgck4YOvpvDCgF5KD1VHDIEbJUxXGTB6M/i5qw
 yEU1NVYUj6j+FQTJDmitDkjW9dOFonJeGOQhKInNEq2WTseMAxNxAhhStYotLTwq
 u6gjwEE1MFttiWKcMwMdfpIfzjDrbFmxAT82YtapVhQFluKyZxmzALPFYgsiZPWy
 KPNdNpFx7SY0i45SR5eJRYxuJSpFg21rdW+NlcCDejugZ1V/V7vhqBy8HkjgT7xs
 iGJSlEcCTpEAXWVBv/wLHobTC/Jzq/s5mFKqygvwctIrcELh6i9kutDf8j0Vinas
 opg+ayxGsCRSwhuJMwRX2s/3+z9faDGdRVEDO/Jxs8SB6/qbdGoOnDO2Ox5xk6mg
 lFcXmBTIhs0rcik4SUmQkv18wQ8CQkhLi4yhXhK1t/5jGS5ZJz1d9MtQQqFtnF+l
 eyvyP1bO9iR+bDiFrGy18E7Z4ovDGzx8hRJvCFDndMXYmYGxkM8Ar8dKohZPY1WG
 RWsnvm3LqBPOIrTNR/0jxqpJzYpZvU3lIdYA23FJHNxzPhg2pTWAXu6ZpN7Jrh7K
 rKbOWBQL8vk6v7HnEG1RbJ6karWRtYPWGsyImfU6qLVGa5jnhvKATIFk+IrPJ+U5
 bOUrzrg8pfLAhV7OzH11
 =ln9n
 -----END PGP SIGNATURE-----

Merge tag 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging

Pull a hwmon fix from Guenter Roeck:
 "One patch with section conflict fixes."

* tag 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
  sections: Fix section conflicts in drivers/hwmon
2012-08-20 13:11:00 -07:00
Linus Torvalds 8a6b52140f spi: Updates for 3.6
Grant is still away so another pull request with some fairly minor
 fixes, the most notable of which are several fixes for some common error
 patterns with the reference counting spi_master_get/put do.
 -
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.12 (GNU/Linux)
 
 iQIcBAABAgAGBQJQLrxzAAoJEFJkBDiqVpZ4xHIP+wQ8wi6X/HkB4I7EA9aET/hO
 UzyUTZtK6UQGjpqOBK0S38BMweyC23rbeYCcyWgF7rKI7IEjlul1r4O3iChgmeWR
 0ksrDfAIajb+9r1VoN7JQXnqk6miIIFdK2rotLNPnpbNlJTFCmmXD2FK5Zfc/pNA
 e3OjFvtMcaOGjTo5xvN3RK3e2IcH3eKHLCeoj33bKqElT6loITHPnOaEWyIe6QCc
 ExNCiv+D4apTRZ7nlvrttJrNtoMrL49rMy4rz0Z68nsClf1RZeZlTbVeT9+le3LQ
 VhrHUeW8TqYYPBuyMgDyCCBmkVlTZCODBaW2ZtXaC32n72luJuDgq3cZBXhCYuKe
 OPibJSY9j1P9CQBlro6Ccb/3pMjfegaLKCKsSHOdaMF730z9CImT78a2hVgMCNjQ
 WsUDwsOp8l8iJpgTylD1ijQGhH5h7yfp1TXc8rdeEWsRlI2wovCJtU4G4okvFUID
 UQFWShim73f6tDE5dzSYhzigg1ikbaOe5CpO3xk1foyNOx/o3/7U7Da0P5t6yVBa
 zwW/zXdl3GWMLGkqL+oHHMDGLGPeALsgIzMwSMVQY6cK3qROL3fJI9ajk31a1zeP
 sbWx53G2/AHDOqmvvXbuM/GJ8FOrQx7qJ/A2kLp+Fd+y8j/X15C28qVjQYNCJCXi
 x/02RXln1MxLrFKVasvn
 =8RgT
 -----END PGP SIGNATURE-----

Merge tag 'spi-3.6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/misc

Pull spi fixes from Mark Brown:
 "Grant is still away so another pull request with some fairly minor
  fixes, the most notable of which are several fixes for some common
  error patterns with the reference counting spi_master_get/put do."

* tag 'spi-3.6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/misc:
  spi/coldfire-qspi: Drop extra calls to spi_master_get in suspend/resume functions
  spi: spi-coldfire-qspi: Drop extra spi_master_put in device remove function
  spi/pl022: fix spi-pl022 pm enable at probe
  spi/bcm63xx: Ensure that memory is freed only after it is no longer used
  spi: omap2-mcspi: Fix the error handling in probe
  spi/s3c64xx: Add missing static storage class specifiers
2012-08-20 13:05:27 -07:00
Fabio Estevam 7c3ea4859a [IA64] defconfig: Remove CONFIG_MISC_DEVICES
commit 7c5763b845 (drivers:misc: Remove MISC_DEVICES config option) removed
CONFIG_MISC_DEVICES option, so remove the occurrences from the config files
as well.

Signed-off-by: Fabio Estevam <fabio.estevam@freescale.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
2012-08-20 13:04:29 -07:00