24 Jun, 2008
15 commits
-
After Linus fixed the inline assembly, the CFLAGS option is not
needed anymore.Signed-off-by: Thomas Mingarelli
Signed-off-by: Wim Van Sebroeck -
* 'hotfixes' of git://git.linux-nfs.org/projects/trondmy/nfs-2.6:
NFS: nfs_updatepage(): don't mark page as dirty if an error occurred
NFS: Fix filehandle size comparisons in the mount code
NFS: Reduce the NFS mount code stack usage. -
Signed-off-by: Trond Myklebust
-
Fix a sign issue in xdr_decode_fhstatus3()
Fix incorrect comparison in nfs_validate_mount_data()Signed-off-by: Trond Myklebust
-
This appears to fix the Oops reported in
http://bugzilla.kernel.org/show_bug.cgi?id=10826Signed-off-by: Trond Myklebust
-
…/git/tip/linux-2.6-tip
* 'core-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
futexes: fix fault handling in futex_lock_pi -
…l/git/tip/linux-2.6-tip
* 'sched-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
sched: refactor wait_for_completion_timeout()
sched: fix wait_for_completion_timeout() spurious failure under heavy load
sched: rt: dont stop the period timer when there are tasks wanting to run -
…git/tip/linux-2.6-tip
* 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
xen: don't drop NX bit
xen: mask unwanted pte bits in __supported_pte_mask
xen: Use wmb instead of rmb in xen_evtchn_do_upcall().
x86: fix NULL pointer deref in __switch_to -
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband:
IB/mthca: Clear ICM pages before handing to FW -
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6:
ALSA: sb - Fix wrong assertions
ALSA: aw2 - Fix Oops at initialization -
There is a race in the COW logic. It contains a shortcut to avoid the
COW and reuse the page if we have the sole reference on the page,
however it is possible to have two racing do_wp_page()ers with one
causing the other to mistakenly believe it is safe to take the shortcut
when it is not. This could lead to data corruption.Process 1 and process2 each have a wp pte of the same anon page (ie.
one forked the other). The page's mapcount is 2. Then they both
attempt to write to it around the same time...proc1 proc2 thr1 proc2 thr2
CPU0 CPU1 CPU3
do_wp_page() do_wp_page()
trylock_page()
can_share_swap_page()
load page mapcount (==2)
reuse = 0
pte unlock
copy page to new_page
pte lock
page_remove_rmap(page);
trylock_page()
can_share_swap_page()
load page mapcount (==1)
reuse = 1
ptep_set_access_flags (allow W)write private key into page
read from page
ptep_clear_flush()
set_pte_at(pte of new_page)Fix this by moving the page_remove_rmap of the old page after the pte
clear and flush. Potentially the entire branch could be moved down
here, but in order to stay consistent, I won't (should probably move all
the *_mm_counter stuff with one patch).Signed-off-by: Nick Piggin
Acked-by: Hugh Dickins
Cc: Andrew Morton
Signed-off-by: Linus Torvalds -
Commit 89f5b7da2a6bad2e84670422ab8192382a5aeb9f ("Reinstate ZERO_PAGE
optimization in 'get_user_pages()' and fix XIP") broke vmware, as
reported by Jeff Chua:"This broke vmware 6.0.4.
Jun 22 14:53:03.845: vmx| NOT_IMPLEMENTED
/build/mts/release/bora-93057/bora/vmx/main/vmmonPosix.c:774"and the reason seems to be that there's an old bug in how we handle do
FOLL_ANON on VM_SHARED areas in get_user_pages(), but since it only
triggered if the whole page table was missing, nobody had apparently hit
it before.The recent changes to 'follow_page()' made the FOLL_ANON logic trigger
not just for whole missing page tables, but for individual pages as
well, and exposed this problem.This fixes it by making the test for when FOLL_ANON is used more
careful, and also makes the code easier to read and understand by moving
the logic to a separate inline function.Reported-and-tested-by: Jeff Chua
Signed-off-by: Linus Torvalds -
I noted that the 'struct tty_struct *real_tty' is not used in this
function, so I removed the code about 'real_tty'.Signed-off-by: Gustavo Fernando Padovan
Acked-by: Alan Cox
Signed-off-by: Linus Torvalds -
Some of the requirement rules are now more relaxed. Also correct a
contradiction in the previous updateSigned-off-by: Alan Cox
Signed-off-by: Linus Torvalds -
Current memfree FW has a bug which in some cases, assumes that ICM
pages passed to it are cleared. This patch uses __GFP_ZERO to
allocate all ICM pages passed to the FW. Once firmware with a fix is
released, we can make the workaround conditional on firmware version.This fixes the bug reported by Arthur Kepner here:
http://lists.openfabrics.org/pipermail/general/2008-May/050026.htmlCc:
Signed-off-by: Eli Cohen[ Rewritten to be a one-liner using __GFP_ZERO instead of vmap()ing
ICM memory and memset()ing it to 0. - Roland ]Signed-off-by: Roland Dreier
23 Jun, 2008
5 commits
-
This patch addresses a very sporadic pi-futex related failure in
highly threaded java apps on large SMP systems.David Holmes reported that the pi_state consistency check in
lookup_pi_state triggered with his test application. This means that
the kernel internal pi_state and the user space futex variable are out
of sync. First we assumed that this is a user space data corruption,
but deeper investigation revieled that the problem happend because the
pi-futex code is not handling a fault in the futex_lock_pi path when
the user space variable needs to be fixed up.The fault happens when a fork mapped the anon memory which contains
the futex readonly for COW or the page got swapped out exactly between
the unlock of the futex and the return of either the new futex owner
or the task which was the expected owner but failed to acquire the
kernel internal rtmutex. The current futex_lock_pi() code drops out
with an inconsistent in case it faults and returns -EFAULT to user
space. User space has no way to fixup that state.When we wrote this code we thought that we could not drop the hash
bucket lock at this point to handle the fault.After analysing the code again it turned out to be wrong because there
are only two tasks involved which might modify the pi_state and the
user space variable:- the task which acquired the rtmutex
- the pending owner of the pi_state which did not get the rtmutexBoth tasks drop into the fixup_pi_state() function before returning to
user space. The first task which acquired the hash bucket lock faults
in the fixup of the user space variable, drops the spinlock and calls
futex_handle_fault() to fault in the page. Now the second task could
acquire the hash bucket lock and tries to fixup the user space
variable as well. It either faults as well or it succeeds because the
first task already faulted the page in.One caveat is to avoid a double fixup. After returning from the fault
handling we reacquire the hash bucket lock and check whether the
pi_state owner has been modified already.Reported-by: David Holmes
Signed-off-by: Thomas Gleixner
Cc: Andrew Morton
Cc: David Holmes
Cc: Peter Zijlstra
Cc: Linus Torvalds
Cc: Peter Zijlstra
Cc:
Signed-off-by: Ingo Molnarkernel/futex.c | 93 ++++++++++++++++++++++++++++++++++++++++++++-------------
1 file changed, 73 insertions(+), 20 deletions(-) -
snd_assert() in save_mixer() and restore_mixer() in sb_mixer.c is
just wrong. The debug code wasn't tested at all, obviously...Signed-off-by: Takashi Iwai
-
The irq handler may be called before the proper initialization of hardware.
Call snd_aw2_saa7146_setup() before the irq handler registration.Signed-off-by: Takashi Iwai
-
Christian Borntraeger reported that reinstating cond_resched() with
CONFIG_PREEMPT caused a performance regression on lmbench:For example select file 500:
23 microseconds
32 microsecondsand that's really because we totally unnecessarily do the cond_resched()
in the innermost loop of select(), which is just silly.This moves it out from the innermost loop (which only ever loops ove the
bits in a single "unsigned long" anyway), which makes the performance
regression go away.Reported-and-tested-by: Christian Borntraeger
Signed-off-by: Linus Torvalds
22 Jun, 2008
4 commits
-
The zonelist patches caused the loop that checks for available
objects in permitted zones to not terminate immediately. One object
per zone per allocation may be allocated and then abandoned.Break the loop when we have successfully allocated one object.
Signed-off-by: Christoph Lameter
Signed-off-by: Linus Torvalds -
* 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
Ext4: Fix online resize block group descriptor corruption -
* 'release' of git://lm-sensors.org/kernel/mhoffman/hwmon-2.6:
hwmon: (lm75) sensor reading bugfix
hwmon: (abituguru3) update driver detection
hwmon: (w83791d) new maintainer
hwmon: (abituguru3) Identify Abit AW8D board as such
hwmon: Update the sysfs interface documentation
hwmon: (adt7473) Initialize max_duty_at_overheat before use
hwmon: (lm85) Fix function RANGE_TO_REG() -
This patch changes the function reserve_bootmem_node() from void to int,
returning -ENOMEM if the allocation fails.This fixes a build problem on x86 with CONFIG_KEXEC=y and
CONFIG_NEED_MULTIPLE_NODES=ySigned-off-by: Bernhard Walle
Reported-by: Adrian Bunk
Signed-off-by: Linus Torvalds
21 Jun, 2008
16 commits
-
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6:
netns: Don't receive new packets in a dead network namespace.
sctp: Make sure N * sizeof(union sctp_addr) does not overflow.
pppoe: warning fix
ipv6: Drop packets for loopback address from outside of the box.
ipv6: Remove options header when setsockopt's optlen is 0
mac80211: detect driver tx bugs -
Alexey Dobriyan writes:
> Subject: ICMP sockets destruction vs ICMP packets oops> After icmp_sk_exit() nuked ICMP sockets, we get an interrupt.
> icmp_reply() wants ICMP socket.
>
> Steps to reproduce:
>
> launch shell in new netns
> move real NIC to netns
> setup routing
> ping -i 0
> exit from shell
>
> BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
> IP: [] icmp_sk+0x17/0x30
> PGD 17f3cd067 PUD 17f3ce067 PMD 0
> Oops: 0000 [1] PREEMPT SMP DEBUG_PAGEALLOC
> CPU 0
> Modules linked in: usblp usbcore
> Pid: 0, comm: swapper Not tainted 2.6.26-rc6-netns-ct #4
> RIP: 0010:[] [] icmp_sk+0x17/0x30
> RSP: 0018:ffffffff8057fc30 EFLAGS: 00010286
> RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff81017c7db900
> RDX: 0000000000000034 RSI: ffff81017c7db900 RDI: ffff81017dc41800
> RBP: ffffffff8057fc40 R08: 0000000000000001 R09: 000000000000a815
> R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff8057fd28
> R13: ffffffff8057fd00 R14: ffff81017c7db938 R15: ffff81017dc41800
> FS: 0000000000000000(0000) GS:ffffffff80525000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b
> CR2: 0000000000000000 CR3: 000000017fcda000 CR4: 00000000000006e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> Process swapper (pid: 0, threadinfo ffffffff8053a000, task ffffffff804fa4a0)
> Stack: 0000000000000000 ffff81017c7db900 ffffffff8057fcf0 ffffffff803fcfe4
> ffffffff804faa38 0000000000000246 0000000000005a40 0000000000000246
> 000000000001ffff ffff81017dd68dc0 0000000000005a40 0000000055342436
> Call Trace:
> [] icmp_reply+0x44/0x1e0
> [] ? ip_route_input+0x23a/0x1360
> [] icmp_echo+0x65/0x70
> [] icmp_rcv+0x180/0x1b0
> [] ip_local_deliver+0xf4/0x1f0
> [] ip_rcv+0x33b/0x650
> [] netif_receive_skb+0x27a/0x340
> [] process_backlog+0x9d/0x100
> [] net_rx_action+0x18d/0x250
> [] __do_softirq+0x75/0x100
> [] call_softirq+0x1c/0x30
> [] do_softirq+0x65/0xa0
> [] irq_exit+0x97/0xa0
> [] do_IRQ+0xa8/0x130
> [] ? mwait_idle+0x0/0x60
> [] ret_from_intr+0x0/0xf
> [] ? mwait_idle+0x4c/0x60
> [] ? mwait_idle+0x43/0x60
> [] ? cpu_idle+0x57/0xa0
> [] ? rest_init+0x70/0x80
> Code: 10 5b 41 5c 41 5d 41 5e c9 c3 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 53
> 48 83 ec 08 48 8b 9f 78 01 00 00 e8 2b c7 f1 ff 89 c0 8b 04 c3 48 83 c4 08
> 5b c9 c3 66 66 66 66 66 2e 0f 1f 84 00
> RIP [] icmp_sk+0x17/0x30
> RSP
> CR2: 0000000000000000
> ---[ end trace ea161157b76b33e8 ]---
> Kernel panic - not syncing: Aiee, killing interrupt handler!Receiving packets while we are cleaning up a network namespace is a
racy proposition. It is possible when the packet arrives that we have
removed some but not all of the state we need to fully process it. We
have the choice of either playing wack-a-mole with the cleanup routines
or simply dropping packets when we don't have a network namespace to
handle them.Since the check looks inexpensive in netif_receive_skb let's just
drop the incoming packets.Signed-off-by: Eric W. Biederman
Signed-off-by: David S. Miller -
As noticed by Gabriel Campana, the kmalloc() length arg
passed in by sctp_getsockopt_local_addrs_old() can overflow
if ->addr_num is large enough.Therefore, enforce an appropriate limit.
Signed-off-by: David S. Miller
-
Fix warning:
drivers/net/pppoe.c: In function 'pppoe_recvmsg':
drivers/net/pppoe.c:945: warning: comparison of distinct pointer types lacks a cast
because skb->len is unsigned int and total_len is size_tSigned-off-by: Stephen Hemminger
Signed-off-by: David S. Miller -
* 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux-2.6:
[IA64] SN2: security hole in sn2_ptc_proc_write -
Which was removed in the hope that generic legacy IDE quirk in
drivers/pci/probe.c is sufficient for Cypress IDE.
It isn't, as this controller has non-standard BAR layout:
secondary channel registers are in the BAR0-1 of the second
PCI function - not in the BAR2-3 of the same function, as the
generic quirk routine assumes.Signed-off-by: Ivan Kokshaysky
Signed-off-by: Linus Torvalds -
Vast majority of these build failures are gcc-4.3 warnings
about static functions and objects being referenced from
non-static (read: "extern inline") functions, in conjunction
with our -Werror.We cannot just convert "extern inline" to "static inline",
as people keep suggesting all the time, because "extern inline"
logic is crucial for generic kernel build.
So
- just make sure that all callees of critical "extern inline"
functions are also "extern inline";
- use "static inline", wherever it's possible.traps.c: work around gcc-4.3 being too smart about array
bounds-checking.TODO: add "gnu_inline" attribute to all our "extern inline"
functions to ensure desired behaviour with future compilers.Signed-off-by: Ivan Kokshaysky
Signed-off-by: Linus Torvalds -
With built-in scsi disk driver, the final link fails with a following
error:
`.exit.text' referenced in section `.rodata' of drivers/built-in.o:
defined in discarded section `.exit.text' of drivers/built-in.oThis happens with -Os (CONFIG_CC_OPTIMIZE_FOR_SIZE=y) with all gcc-4
versions, and also with -O2 and gcc-4.3.The problem is in sd.c:sd_major() being inlined into __exit function
exit_sd(), and the compiler generating a jump table in .rodata section
for the 'switch' statement in sd_major(). So we have references to
discarded section.Fixed with a big hammer in the form of -fno-jump-tables.
Note that jump tables vs. discarded sections is a generic problem,
other architectures are just lucky not to suffer from it. But with
a slightly more complex switch/case statement it can be reproduced
on x86 as well. So maybe at some point we should consider
-fno-jump-tables as a generic compile option...Signed-off-by: Ivan Kokshaysky
Signed-off-by: Linus Torvalds -
To calculate addresses of locally defined variables, GCC uses 32-bit
displacement from the GP. Which doesn't work for per cpu variables in
modules, as an offset to the kernel per cpu area is way above 4G.The workaround is to force allocation of a GOT entry for per cpu variable
using ldq instruction with a 'literal' relocation.
I had to use custom asm/percpu.h, as a required argument magic doesn't
work with asm-generic/percpu.h macros.Signed-off-by: Ivan Kokshaysky
Signed-off-by: Linus Torvalds -
* git://git.kernel.org/pub/scm/linux/kernel/git/bart/ide-2.6:
BAST: Remove old IDE driver
pcmcia ide kingston compactflash's have a new manufacturer id
pcmcia: add another pata/ide ID
pcmcia: add an pata/ide ID
ide: increase timeout in wait_drive_not_busy()
palm_bk3710: fix resource management -
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6:
ieee1394: Kconfig menu touch-up
firewire: Kconfig menu touch-up
firewire: deadline for PHY config transmission
firewire: fw-ohci: unify printk prefixes
firewire: fill_bus_reset_event needs lock protection
firewire: fw-ohci: write selfIDBufferPtr before LinkControl.rcvSelfID
firewire: fw-ohci: disable PHY packet reception into AR context
firewire: fw-ohci: use of uninitialized data in AR handler
firewire: don't panic on invalid AR request buffer -
* 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux-acpi-2.6:
ACPI: no AC status notification
ACPI Exception (video-1721): UNKNOWN_STATUS_CODE, Cant attach device -
* 'drm-patches' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6: (21 commits)
drm: only trust core drm ioctls - driver ioctls are a mess.
drm/i915: add support for Intel series 4 chipsets.
drm/radeon: add hier-z registers for r300 and r500 chipsets
drm/radeon: use DSTCACHE_CTLSTAT rather than RB2D_DSTCACHE_CTLSTAT
drm/radeon: switch IGP gart to use radeon_write_agp_base()
drm/radeon: Restore sw interrupt on resume
drm/r500: add support for AGP based cards.
drm/radeon: fix texture uploads with large 3d textures (bug 13980)
drm/radeon: add initial r500 support.
drm/radeon: init pipe setup in kernel code.
drm/radeon: fixup radeon_do_engine_reset
drm/radeon: fix pixcache and purge/cache flushing registers
drm/radeon: write AGP_BASE_2 on chips that support it.
drm/radeon: merge IGP chip setup and fixup RS400 vs RS480 support
drm/radeon: IGP clean up register and magic numbers.
drm/rs690: set base 2 to 0.
drm/rs690: set all of gart base address.
radeon: add production microcode from AMD
drm: pcigart use proper pci map interfaces.
drm: the sg alloc ioctl should write back the handle to userspace
... -
* 'agp-patches' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/agp-2.6:
[agp]: fixup chipset flush for new Intel G4x.
agp: brown paper bag patch - put back the two lines it took out. -
…/git/tip/linux-2.6-tip
* 'core-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
softlockup: fix NMI hangs due to lock race - 2.6.26-rc regression
rcupreempt: remove export of rcu_batches_completed_bh
cpuset: limit the input of cpuset.sched_relax_domain_level
