04 Oct, 2008

12 commits

  • When userspace uses SIGIO notification and forgets to disable it before
    closing file descriptor, rtc->async_queue contains stale pointer to struct
    file. When user space enables again SIGIO notification in different
    process, kernel dereferences this (poisoned) pointer and crashes.

    So disable SIGIO notification on close.

    Kernel panic:
    (second run of qemu (requires echo 1024 > /sys/class/rtc/rtc0/max_user_freq))

    general protection fault: 0000 [1] PREEMPT
    CPU 0
    Modules linked in: af_packet snd_pcm_oss snd_mixer_oss snd_seq_oss snd_seq_midi_event snd_seq usbhid tuner tea5767 tda8290 tuner_xc2028 xc5000 tda9887 tuner_simple tuner_types mt20xx tea5761 tda9875 uhci_hcd ehci_hcd usbcore bttv snd_via82xx snd_ac97_codec ac97_bus snd_pcm snd_timer ir_common compat_ioctl32 snd_page_alloc videodev v4l1_compat snd_mpu401_uart snd_rawmidi v4l2_common videobuf_dma_sg videobuf_core snd_seq_device snd btcx_risc soundcore tveeprom i2c_viapro
    Pid: 5781, comm: qemu-system-x86 Not tainted 2.6.27-rc6 #363
    RIP: 0010:[] [] __lock_acquire+0x3db/0x73f
    RSP: 0000:ffffffff80674cb8 EFLAGS: 00010002
    RAX: ffff8800224c62f0 RBX: 0000000000000046 RCX: 0000000000000002
    RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8800224c62f0
    RBP: ffffffff80674d08 R08: 0000000000000002 R09: 0000000000000001
    R10: ffffffff80238941 R11: 0000000000000001 R12: 0000000000000000
    R13: 6b6b6b6b6b6b6b6b R14: ffff88003a450080 R15: 0000000000000000
    FS: 00007f98b69516f0(0000) GS:ffffffff80623200(0000) knlGS:00000000f7cc86d0
    CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    CR2: 0000000000a87000 CR3: 0000000022598000 CR4: 00000000000006e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    Process qemu-system-x86 (pid: 5781, threadinfo ffff880028812000, task ffff88003a450080)
    Call Trace:
    [] lock_acquire+0x85/0xa9
    [] ? send_sigio+0x2a/0x184
    [] _read_lock+0x3e/0x4a
    [] ? send_sigio+0x2a/0x184
    [] send_sigio+0x2a/0x184
    [] ? __lock_acquire+0x6e1/0x73f
    [] ? kill_fasync+0x2c/0x4e
    [] __kill_fasync+0x54/0x65
    [] kill_fasync+0x3a/0x4e
    [] rtc_update_irq+0x9c/0xa5
    [] cmos_interrupt+0xae/0xc0
    [] handle_IRQ_event+0x25/0x5a
    [] handle_edge_irq+0xdd/0x123
    [] do_IRQ+0xe4/0x144
    [] ret_from_intr+0x0/0xf
    [] ? __alloc_pages_internal+0xe7/0x3ad
    [] ? clear_page_c+0x7/0x10
    [] ? get_page_from_freelist+0x385/0x450
    [] ? __alloc_pages_internal+0xe7/0x3ad
    [] ? anon_vma_prepare+0x2e/0xf6
    [] ? handle_mm_fault+0x227/0x6a5
    [] ? do_page_fault+0x494/0x83f
    [] ? error_exit+0x0/0xa9

    ---[ end trace 431877d860448760 ]---
    Kernel panic - not syncing: Aiee, killing interrupt handler!

    Signed-off-by: Marcin Slusarz
    Acked-by: Alessandro Zummo
    Acked-by: David Brownell
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Marcin Slusarz
     
  • * 'upstream' of git://ftp.linux-mips.org/pub/scm/upstream-linus:
    [MIPS] SMTC: Fix SMTC dyntick support.
    [MIPS] SMTC: Close tiny holes in the SMTC IPI replay system.
    [MIPS] SMTC: Fix holes in SMTC and FPU affinity support.
    [MIPS] SMTC: Build fix: Fix filename in Makefile
    [MIPS] Build fix: Fix irq flags type

    Linus Torvalds
     
  • * 'for-linus' of git://git390.osdl.marist.edu/pub/scm/linux-2.6:
    [S390] qdio: prevent stack clobber
    [S390] nohz: Fix __udelay.

    Linus Torvalds
     
  • .. small detail, but the silly e1000e initcall warning debugging caused
    me to look at this code. Rather than gouge my eyes out with a spoon, I
    just fixed it.

    Signed-off-by: Linus Torvalds

    Linus Torvalds
     
  • Don't print more information than fits into the string on the
    stack. Combine the informational output of qdio to fit into
    one line.

    Signed-off-by: Jan Glauber
    Signed-off-by: Martin Schwidefsky

    Jan Glauber
     
  • This fixes a regression that came with 934b2857cc576ae53c92a66e63fce7ddcfa74691
    ("[S390] nohz/sclp: disable timer on synchronous waits.").
    If udelay() gets called from a disabled context it sets the clock comparator
    to a value where it expects the next interrupt. When the interrupt happens
    the clock comparator does not get reset and therefore the interrupt condition
    doesn't get cleared. The result is an endless timer interrupt loop.

    In addition this patch fixes also the following:

    rcutorture reveals that our __udelay implementation is still buggy,
    since it might schedule tasklets, but prevents their execution:

    NOHZ: local_softirq_pending 42
    NOHZ: local_softirq_pending 02
    NOHZ: local_softirq_pending 142
    NOHZ: local_softirq_pending 02

    To fix this we make sure that only the clock comparator interrupt
    is enabled when the enabled wait psw is loaded.
    Also no code gets called anymore which might schedule tasklets.

    Signed-off-by: Heiko Carstens
    Signed-off-by: Martin Schwidefsky

    Heiko Carstens
     
  • Rework of SMTC support to make it work with the new clock event system,
    allowing "tickless" operation, and to make it compatible with the use of
    the "wait_irqoff" idle loop. The new clocking scheme means that the
    previously optional IPI instant replay mechanism is now required, and has
    been made more robust.

    Signed-off-by: Kevin D. Kissell
    Signed-off-by: Ralf Baechle

    Kevin D. Kissell
     
  • Signed-off-by: Kevin D. Kissell
    Signed-off-by: Ralf Baechle

    Kevin D. Kissell
     
  • Signed-off-by: Kevin D. Kissell
    Signed-off-by: Ralf Baechle

    Kevin D. Kissell
     
  • Signed-off-by: Ralf Baechle

    Ralf Baechle
     
  • Though from a hardware perspective it would be sensible to use only a
    32-bit unsigned int type Linux defines interrupt flags to be stored in
    an unsigned long and nothing else.

    Signed-off-by: Ralf Baechle

    Ralf Baechle
     
  • Doing 'WARN_ON(preempt_count())' was horribly horribly wrong, and would
    cause tons of warnings at bootup if PREEMPT was enabled because the
    initcalls currently run with the kernel lock, which increments the
    preempt count.

    At the same time, the warning was also insufficient, since it didn't
    check that interrupts were enabled.

    The proper debug function to use for something that can sleep and wants
    a warning if it's called in the wrong context is 'might_sleep()'.

    Reported-by: Christian Borntraeger
    Signed-off-by: Linus Torvalds

    Linus Torvalds
     

03 Oct, 2008

14 commits

  • This is loosely based on a patch by Jesse Barnes to check the user-space
    PCI mappings through the sysfs interfaces. Quoting Jesse's original
    explanation:

    It's fairly common for applications to map PCI resources through sysfs.
    However, with the current implementation, it's possible for an application
    to map far more than the range corresponding to the resourceN file it
    opened. This patch plugs that hole by checking the range at mmap time,
    similar to what is done on platforms like sparc64 in their lower level
    PCI remapping routines.

    It was initially put together to help debug the e1000e NVRAM corruption
    problem, since we initially thought an X driver might be walking past the
    end of one of its mappings and clobbering the NVRAM. It now looks like
    that's not the case, but doing the check is still important for obvious
    reasons.

    and this version of the patch differs in that it uses a helper function
    to clarify the code, and does all the checks in pages (instead of bytes)
    in order to avoid overflows when doing "<< PAGE_SHIFT" etc.

    Acked-by: Jesse Barnes
    Signed-off-by: Linus Torvalds

    Linus Torvalds
     
  • Signed-off-by: Jesse Brandeburg
    Signed-off-by: Linus Torvalds

    Jesse Brandeburg
     
  • This patch adds a mutex to the e1000e driver that would help
    catch any collisions of two e1000e threads accessing hardware
    at the same time.

    description and patch updated by Jesse

    Signed-off-by: Thomas Gleixner
    Signed-off-by: Jesse Brandeburg
    Signed-off-by: Linus Torvalds

    Thomas Gleixner
     
  • The stats lock is left over from e1000; e1000e no longer
    has the adjust tbi stats function that required the addition
    of the stats lock to begin with.

    Adding a mutex to acquire_swflag helped catch this one too.

    Signed-off-by: Jesse Brandeburg
    Acked-by: Thomas Gleixner
    Signed-off-by: Linus Torvalds

    Jesse Brandeburg
     
  • Thanks to tglx, we're finding some interesting reentrancy issues.
    This patch removes the phy read from inside a spinlock, paving
    the way for removing the spinlock completely. The phy read was
    only feeding a statistic that wasn't used.

    Signed-off-by: Jesse Brandeburg
    Acked-by: Thomas Gleixner
    Signed-off-by: Linus Torvalds

    Jesse Brandeburg
     
  • e1000e was apparently calling two functions that attempted to reserve
    the SWFLAG bit for exclusive (to hardware and firmware) access to
    the PHY and NVM (aka eeprom). These accesses could possibly call
    msleep to wait for the resource which is not allowed from interrupt
    context.

    Signed-off-by: Jesse Brandeburg
    Acked-by: Thomas Gleixner
    Tested-by: Thomas Gleixner
    Signed-off-by: Linus Torvalds

    Jesse Brandeburg
     
  • In the process of debugging things, noticed that the swflag is not reset
    by the driver after reset, and the swflag is probably not reset unless
    management firmware clears it after 100ms.

    Signed-off-by: Jesse Brandeburg
    Signed-off-by: Linus Torvalds

    Jesse Brandeburg
     
  • When we initialise a compound page we initialise the page flags and head
    page pointer for all base pages spanned by that page. When we initialise
    a gigantic page (a page of order greater than or equal to MAX_ORDER) we
    have to initialise more than MAX_ORDER_NR_PAGES pages. Currently we
    assume that all elements of the mem_map in this page are contiguous in
    memory. However this is only guaranteed out to MAX_ORDER_NR_PAGES pages,
    and with SPARSEMEM enabled they will not be contiguous. This leads us to
    walk off the end of the first section and scribble on everything which
    follows, BAD.

    When we reach a MAX_ORDER_NR_PAGES boundary we must locate the next
    section of the mem_map. As gigantic pages can only be maximally aligned
    we know this will occur at an exact multiple of MAX_ORDER_NR_PAGES pages from
    the start of the page.

    This is a bug fix for the gigantic page support in hugetlbfs.

    Credit to Mel Gorman for spotting the issue.

    Signed-off-by: Andy Whitcroft
    Cc: Mel Gorman
    Cc: Jon Tollefson
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Andy Whitcroft
     
  • The previous patch db203d53d474aa068984e409d807628f5841da1b ("mm:
    tiny-shmem fix lock ordering: mmap_sem vs i_mutex") to fix the lock
    ordering in tiny-shmem breaks shared anonymous and IPC memory on NOMMU
    architectures because it was using the expanding truncate to signal ramfs
    to allocate a physically contiguous RAM backing the inode (otherwise it is
    unusable for "memory mapping" it to userspace).

    However do_truncate is what caused the lock ordering error, due to it
    taking i_mutex. In this case, we can actually just call ramfs directly to
    allocate memory for the mapping, rather than go via truncate.

    Acked-by: David Howells
    Acked-by: Hugh Dickins
    Signed-off-by: Nick Piggin
    Cc: Matt Mackall
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Nick Piggin
     
  • __test_page_isolated_in_pageblock() in mm/page_isolation.c has a comment
    saying that the caller must hold zone->lock. But the only caller of that
    function, test_pages_isolated(), does not hold zone->lock and the lock is
    also not acquired anywhere before. This patch adds the missing zone->lock
    to test_pages_isolated().

    We reproducibly run into BUG_ON(!PageBuddy(page)) in __offline_isolated_pages()
    during memory hotplug stress test, see trace below. This patch fixes that
    problem, it would be good if we could have it in 2.6.27.

    kernel BUG at /home/autobuild/BUILD/linux-2.6.26-20080909/mm/page_alloc.c:4561!
    illegal operation: 0001 [#1] PREEMPT SMP
    Modules linked in: dm_multipath sunrpc bonding qeth_l3 dm_mod qeth ccwgroup vmur
    CPU: 1 Not tainted 2.6.26-29.x.20080909-s390default #1
    Process memory_loop_all (pid: 10025, task: 2f444028, ksp: 2b10dd28)
    Krnl PSW : 040c0000 801727ea (__offline_isolated_pages+0x18e/0x1c4)
    R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:0 CC:0 PM:0
    Call Trace:
    ([] __offline_isolated_pages+0x116/0x1c4)
    [] offline_isolated_pages_cb+0x22/0x34
    [] walk_memory_resource+0xcc/0x11c
    [] offline_pages+0x36a/0x498
    [] remove_memory+0x36/0x44
    [] memory_block_change_state+0x112/0x150
    [] store_mem_state+0x90/0xe4
    [] sysdev_store+0x34/0x40
    [] sysfs_write_file+0xd0/0x178
    [] vfs_write+0x74/0x118
    [] sys_write+0x46/0x7c
    [] sysc_do_restart+0x12/0x16
    [] 0x77f3e8ca

    Signed-off-by: Gerald Schaefer
    Acked-by: KAMEZAWA Hiroyuki
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Gerald Schaefer
     
  • Found by static checker (http://repo.or.cz/w/smatch.git).

    Signed-off-by: Dan Carpenter
    Acked-by: Thomas Gleixner
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Dan Carpenter
     
  • Only register the braille driver VT and keyboard notifiers when the
    braille console is used. Avoids eating insert or backspace keys.

    Addresses http://bugzilla.kernel.org/show_bug.cgi?id=11242

    Signed-off-by: Pascal Terjan
    Signed-off-by: Samuel Thibault
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Pascal Terjan
     
  • Fix inotify lock order reversal with mmap_sem due to holding locks over
    copy_to_user.

    Signed-off-by: Nick Piggin
    Reported-by: "Daniel J Blueman"
    Tested-by: "Daniel J Blueman"
    Cc: Ingo Molnar
    Cc: Peter Zijlstra
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Nick Piggin
     
  • Commit 22af89aa0c0b4012a7431114a340efd3665a7617 ("fbcon: replace mono_col
    macro with static inline") changed the order of operations for computing
    monochrome color values. This generates 0xffff000f instead of 0x0000000f
    for a 4 bit monochrome color, leading to image corruption if it is passed
    to cfb_imageblit or other similar functions. Fix it up.

    Cc: Harvey Harrison
    Cc: "Antonino A. Daplas"
    Cc: Krzysztof Helt
    Cc: [2.6.26.x]
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    David Winn
     

02 Oct, 2008

12 commits

  • * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6:
    ALSA: snd-powermac: HP detection for 1st iMac G3 SL
    ALSA: snd-powermac: mixers for PowerMac G4 AGP
    ASoC: Set correct name for WM8753 rec mixer output

    Linus Torvalds
     
  • Takashi Iwai
     
  • Correct headphone detection for 1st generation iMac G3 Slot-loading (Screamer).

    This patch fixes the regression in the recent snd-powermac which
    doesn't support some G3/G4 PowerMacs:
    http://lkml.org/lkml/2008/10/1/220

    Signed-off-by: Risto Suominen
    Tested-by: Mariusz Kozlowski
    Cc: stable@kernel.org
    Signed-off-by: Takashi Iwai

    Risto Suominen
     
  • Add mixer controls for PowerMac G4 AGP (Screamer).

    This patch fixes the regression in the recent snd-powermac which
    doesn't support some G3/G4 PowerMacs:
    http://lkml.org/lkml/2008/10/1/220

    Signed-off-by: Risto Suominen
    Tested-by: Mariusz Kozlowski
    Cc: stable@kernel.org
    Signed-off-by: Takashi Iwai

    Risto Suominen
     
  • Rob Sims wrote:

    "I can't seem to turn on register 0x17, bit 3 in the sound chip, except
    by codec_reg_write; the mixer lacks direct or indirect control. It
    seems there are two names for the output of the rec mixer:
    Capture ST Mixer
    Playback Mixer

    Would the following do the trick?"

    I confirm that this solves the audio problems I was having.

    Signed-off-by: Jonas Bonn
    Signed-off-by: Mark Brown
    Signed-off-by: Takashi Iwai

    Rob Sims
     
  • Commit 00c5372d37a78990c1530184a9c792ee60a30067 caused the MPC8544DS
    board to hang at boot. The MPC8544DS is unique in that it doesn't use
    the PCI slots on the ULI (unlike the MPC8572DS or MPC8610HPCD). So
    the dummy read at the end of the address space causes us to hang.

    We can detect the situation by comparing the bridge's BARs versus
    the root complex.

    Signed-off-by: Kumar Gala

    Kumar Gala
     
  • Set the hardware to ignore all write/erase cycles to the GbE region in
    the ICHx NVM. This feature can be disabled by the WriteProtectNVM module
    parameter (enabled by default) only after a hardware reset, but
    the machine must be power cycled before trying to enable writes.

    Signed-off-by: Bruce Allan
    Signed-off-by: Jesse Brandeburg
    CC: arjan@linux.intel.com
    Signed-off-by: Linus Torvalds

    Bruce Allan
     
  • This patch fixes a build error in the pxa2xx-spi driver,
    introduced by commit 7e96445533ac3f4f7964646a202ff3620602fab4
    ("pxa2xx_spi: dma bugfixes")

    CC drivers/spi/pxa2xx_spi.o
    drivers/spi/pxa2xx_spi.c: In function 'map_dma_buffers':
    drivers/spi/pxa2xx_spi.c:331: error: invalid operands to binary &
    drivers/spi/pxa2xx_spi.c:331: error: invalid operands to binary &
    drivers/spi/pxa2xx_spi.c: In function 'pump_transfers':
    drivers/spi/pxa2xx_spi.c:897: warning: format '%lu' expects type 'long unsigned int', but argument 4 has type 'unsigned int'

    [dbrownell@users.sourceforge.net: fix warning too]

    Signed-off-by: Mike Rapoport
    Acked-by: Eric Miao
    Signed-off-by: Andrew Morton
    Signed-off-by: David Brownell
    Signed-off-by: Linus Torvalds

    Mike Rapoport
     
  • …git/tip/linux-2.6-tip

    * 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
    x86, vmi: fix broken LDT access
    x86: fix typo in enable_mtrr_cleanup early parameter

    Linus Torvalds
     
  • Fix the IRQ handling on the MN10300 arch.

    This patch makes a number of significant changes:

    (1) It separates the irq_chip definition for edge-triggered interrupts from
    the one for level-triggered interrupts.

    This is necessary because the MN10300 PIC latches the IRQ channel's
    interrupt request bit (GxICR_REQUEST), even after the device has ceased to
    assert its interrupt line and the interrupt channel has been disabled in
    the PIC. So for level-triggered interrupts we need to clear this bit when
    we re-enable - which is achieved by setting GxICR_DETECT but not
    GxICR_REQUEST when writing to the register.

    Not doing this results in spurious interrupts occurring because calling
    mask_ack() at the start of handle_level_irq() is insufficient - it fails
    to clear the REQUEST latch because the device that caused the interrupt is
    still asserting its interrupt line at this point.

    (2) IRQ disablement [irq_chip::disable_irq()] shouldn't clear the interrupt
    request flag for edge-triggered interrupts lest it lose an interrupt.

    (3) IRQ unmasking [irq_chip::unmask_irq()] also shouldn't clear the interrupt
    request flag for edge-triggered interrupts lest it lose an interrupt.

    (4) The end() operation is now left to the default (no-operation) as
    __do_IRQ() is compiled out. This may affect misrouted_irq(), but
    according to Thomas Gleixner it's the correct thing to do.

    (5) handle_level_irq() is used for edge-triggered interrupts rather than
    handle_edge_irq() as the MN10300 PIC latches interrupt events even on
    masked IRQ channels, thus rendering IRQ_PENDING unnecessary. It is
    sufficient to call mask_ack() at the start and unmask() at the end.

    (6) For level-triggered interrupts, ack() is now NULL as it's not used, and
    there is no effective ACK function on the PIC. mask_ack() is now the
    same as mask() as the latch continues to latch, even when the channel is
    masked.

    Further, the patch discards the disable() op implementation as it's now the same
    as the mask() op implementation, which is used instead.

    It also discards the enable() op implementations as they're now the same as
    the unmask() op implementations, which are used instead.

    Signed-off-by: David Howells
    Signed-off-by: Linus Torvalds

    David Howells
     
  • * git://git.kernel.org/pub/scm/linux/kernel/git/agk/linux-2.6-dm:
    dm mpath: add missing path switching locking
    dm: cope with access beyond end of device in dm_merge_bvec
    dm: always allow one page in dm_merge_bvec

    Linus Torvalds
     
  • * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6:
    af_key: Free dumping state on socket close
    XFRM,IPv6: initialize ip6_dst_blackhole_ops.kmem_cachep
    ipv6: NULL pointer dereference in tcp_v6_send_ack
    tcp: Fix NULL dereference in tcp_4_send_ack()
    sctp: Fix kernel panic while processing protocol violation parameter
    iucv: Fix mismerge again.
    ipsec: Fix pskb_expand_head corruption in xfrm_state_check_space

    Linus Torvalds
     

01 Oct, 2008

2 commits

  • Moving the path activation to workqueue along with scsi_dh patches introduced
    a race. It is due to the fact that the current_pgpath (in the multipath data
    structure) can be modified if changes happen in any of the paths leading to
    the lun. If the changes lead to current_pgpath being set to NULL, then it
    leads to the invalid access which results in the panic below.

    This patch fixes that by storing the pgpath to activate in the multipath data
    structure and properly protecting it.

    Note that if activate_path is called twice in succession with different pgpath,
    with the second one being called before the first one is done, then activate
    path will be called twice for the second pgpath, which is fine.

    Unable to handle kernel paging request for data at address 0x00000020
    Faulting instruction address: 0xd000000000aa1844
    cpu 0x1: Vector: 300 (Data Access) at [c00000006b987a80]
    pc: d000000000aa1844: .activate_path+0x30/0x218 [dm_multipath]
    lr: c000000000087a2c: .run_workqueue+0x114/0x204
    sp: c00000006b987d00
    msr: 8000000000009032
    dar: 20
    dsisr: 40000000
    current = 0xc0000000676bb3f0
    paca = 0xc0000000006f3680
    pid = 2528, comm = kmpath_handlerd
    enter ? for help
    [c00000006b987da0] c000000000087a2c .run_workqueue+0x114/0x204
    [c00000006b987e40] c000000000088b58 .worker_thread+0x120/0x144
    [c00000006b987f00] c00000000008ca70 .kthread+0x78/0xc4
    [c00000006b987f90] c000000000027cc8 .kernel_thread+0x4c/0x68

    Signed-off-by: Chandra Seetharaman
    Signed-off-by: Alasdair G Kergon

    Chandra Seetharaman
     
  • If for any reason dm_merge_bvec() is given an offset beyond the end of the
    device, avoid an oops and always allow one page to be added to an empty bio.
    We'll reject the I/O later after the bio is submitted.

    Signed-off-by: Mikulas Patocka
    Signed-off-by: Alasdair G Kergon

    Mikulas Patocka