26 Oct, 2009
1 commit
-
commit 0762b8bde9729f10f8e6249809660ff2ec3ad735
(from 14 months ago) introduced a use-after-free bug which has just
recently started manifesting in my md testing.
I tried git bisect to find out what caused the bug to start
manifesting, and it could have been the recent change to
blk_unregister_queue (48c0d4d4c04) but the results were inconclusive.This patch certainly fixes my symptoms and looks correct as the two
calls are now in the same order as elsewhere in that function.Signed-off-by: NeilBrown
Acked-by: Tejun Heo
Signed-off-by: Jens Axboe
24 Oct, 2009
1 commit
-
With 2.6.32-rc5 in a KVM guest using dm and virtio_blk, we see the
following errors:end_request: I/O error, dev vda, sector 0
end_request: I/O error, dev vda, sector 0The errors go away if dm stops submitting empty barriers, by reverting:
commit 52b1fd5a27c625c78373e024bf570af3c9d44a79
Author: Mikulas Patocka
dm: send empty barriers to targets in dm_flushWe should silently error all barriers, even empty barriers, on devices
like virtio_blk which don't support them.See also:
https://bugzilla.redhat.com/514901
Signed-off-by: Mark McLoughlin
Signed-off-by: Mike Snitzer
Acked-by: Alasdair G Kergon
Acked-by: Mikulas Patocka
Cc: Rusty Russell
Cc: Neil Brown
Cc: Christoph Hellwig
Signed-off-by: Jens Axboe
22 Oct, 2009
10 commits
-
* 'for-linus' of git://git.infradead.org/users/eparis/notify:
dnotify: ignore FS_EVENT_ON_CHILD
inotify: fix coalesce duplicate events into a single event in special case
inotify: deprecate the inotify kernel interface
fsnotify: do not set group for a mark before it is on the i_list -
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
Input: hp_sdc_rtc - fix test in hp_sdc_rtc_read_rt()
Input: atkbd - consolidate force release quirks for volume keys
Input: logips2pp - model 73 is actually TrackMan FX
Input: i8042 - add Sony Vaio VGN-FZ240E to the nomux list
Input: fix locking issue in /proc/bus/input/ handlers
Input: atkbd - postpone restoring LED/repeat rate at resume
Input: atkbd - restore resetting LED state at startup
Input: i8042 - make pnp_data_busted variable boolean instead of int
Input: synaptics - add another Protege M300 to rate blacklist -
* 'kvm-updates/2.6.32' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
KVM: Prevent kvm_init from corrupting debugfs structures
KVM: MMU: fix pointer cast
KVM: use proper hrtimer function to retrieve expiration time -
* git://git.kernel.org/pub/scm/linux/kernel/git/agk/linux-2.6-dm:
dm snapshot: allow chunk size to be less than page size
dm snapshot: use unsigned integer chunk size
dm snapshot: lock snapshot while supplying status
dm exception store: fix failed set_chunk_size error path
dm snapshot: require non zero chunk size by end of ctr
dm: dec_pending needs locking to save error value
dm: add missing del_gendisk to alloc_dev error path
dm log: userspace fix incorrect luid cast in userspace_ctr
dm snapshot: free exception store on init failure
dm snapshot: sort by chunk size to fix race -
Increase TEST_SUSPEND_SECONDS to 10 so the warning in
suspend_test_finish() doesn't annoy the users of slower systems so much.Also, make the warning print the suspend-resume cycle time, so that we
know why the warning actually triggered.Patch prepared during the hacking session at the Kernel Summit in Tokyo.
Signed-off-by: Rafael J. Wysocki
Signed-off-by: Linus Torvalds -
This fixes a compile bug introduced in
6ef297f (ARM: 5720/1: Move MMCI header to amba include dir)
That commit moved arch/arm/include/asm/mach/mmc.h to
include/linux/amba/mmci.h. Just removing the include was enough.Signed-off-by: Uwe Kleine-König
Acked-by: Linus Walleij
Acked-by: Nicolas Ferre
Acked-by: Bill Gatliff
Cc: Catalin Marinas
Cc: Russell King
Cc: Pierre Ossman
Cc: linux-arm-kernel@lists.infradead.org
Cc: Andrew Morton
Signed-off-by: Linus Torvalds -
* 'sh/for-2.6.32' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6:
sh: Kill off stray HAVE_FTRACE_SYSCALLS reference.
sh: Remove BKL from landisk gio.
sh: disabled cache handling fix.
sh: Fix up single page flushing to use PAGE_SIZE. -
* git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
crypto: aesni-intel - Fix irq_fpu_usable usage
crypto: padlock-sha - Fix stack alignment -
Fix a (small) memory leak in one of the error paths of the NFS mount
options parsing code.Regression introduced in 2.6.30 by commit a67d18f (NFS: load the
rpc/rdma transport module automatically).Reported-by: Yinghai Lu
Reported-by: Pekka Enberg
Signed-off-by: Ingo Molnar
Signed-off-by: Trond Myklebust
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds -
This patch fixes a null pointer exception in pipe_rdwr_open() which
generates the stack trace:> Unable to handle kernel NULL pointer dereference at 0000000000000028 RIP:
> [] pipe_rdwr_open+0x35/0x70
> [] __dentry_open+0x13c/0x230
> [] do_filp_open+0x2d/0x40
> [] do_sys_open+0x5a/0x100
> [] sysenter_do_call+0x1b/0x67The failure mode is triggered by an attempt to open an anonymous
pipe via /proc/pid/fd/* as exemplified by this script:=============================================================
while : ; do
{ echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
PID=$!
OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
{ read PID REST ; echo $PID; } )
OUT="${OUT%% *}"
DELAY=$((RANDOM * 1000 / 32768))
usleep $((DELAY * 1000 + RANDOM % 1000 ))
echo n > /proc/$OUT/fd/1 # Trigger defect
done
=============================================================Note that the failure window is quite small and I could only
reliably reproduce the defect by inserting a small delay
in pipe_rdwr_open(). For example:static int
pipe_rdwr_open(struct inode *inode, struct file *filp)
{
msleep(100);
mutex_lock(&inode->i_mutex);Although the defect was observed in pipe_rdwr_open(), I think it
makes sense to replicate the change through all the pipe_*_open()
functions.The core of the change is to verify that inode->i_pipe has not
been released before attempting to manipulate it. If inode->i_pipe
is no longer present, return ENOENT to indicate so.The comment about potentially using atomic_t for i_pipe->readers
and i_pipe->writers has also been removed because it is no longer
relevant in this context. The inode->i_mutex lock must be used so
that inode->i_pipe can be dealt with correctly.Signed-off-by: Earl Chew
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds
21 Oct, 2009
1 commit
-
Mask off FS_EVENT_ON_CHILD in dnotify_handle_event(). Otherwise, when there
is more than one watch on a directory and dnotify_should_send_event()
succeeds, events with FS_EVENT_ON_CHILD set will trigger all watches and cause
spurious events.This case was overlooked in commit e42e2773.
#define _GNU_SOURCE
#include
#include
#include
#include
#include
#include
#include
#includestatic void create_event(int s, siginfo_t* si, void* p)
{
printf("create\n");
}static void delete_event(int s, siginfo_t* si, void* p)
{
printf("delete\n");
}int main (void) {
struct sigaction action;
char *tmpdir, *file;
int fd1, fd2;sigemptyset (&action.sa_mask);
action.sa_flags = SA_SIGINFO;action.sa_sigaction = create_event;
sigaction (SIGRTMIN + 0, &action, NULL);action.sa_sigaction = delete_event;
sigaction (SIGRTMIN + 1, &action, NULL);# define TMPDIR "/tmp/test.XXXXXX"
tmpdir = malloc(strlen(TMPDIR) + 1);
strcpy(tmpdir, TMPDIR);
mkdtemp(tmpdir);# define TMPFILE "/file"
file = malloc(strlen(tmpdir) + strlen(TMPFILE) + 1);
sprintf(file, "%s/%s", tmpdir, TMPFILE);fd1 = open (tmpdir, O_RDONLY);
fcntl(fd1, F_SETSIG, SIGRTMIN);
fcntl(fd1, F_NOTIFY, DN_MULTISHOT | DN_CREATE);fd2 = open (tmpdir, O_RDONLY);
fcntl(fd2, F_SETSIG, SIGRTMIN + 1);
fcntl(fd2, F_NOTIFY, DN_MULTISHOT | DN_DELETE);if (fork()) {
/* This triggers a create event */
creat(file, 0600);
/* This triggers a create and delete event (!) */
unlink(file);
} else {
sleep(1);
rmdir(tmpdir);
}return 0;
}Signed-off-by: Andreas Gruenbacher
Signed-off-by: Eric Paris
20 Oct, 2009
1 commit
-
When renaming kernel_fpu_using to irq_fpu_usable, the semantics of the
function is changed too, from mesuring whether kernel is using FPU,
that is, the FPU is NOT available, to measuring whether FPU is usable,
that is, the FPU is available.But the usage of irq_fpu_usable in aesni-intel_glue.c is not changed
accordingly. This patch fixes this.Signed-off-by: Huang Ying
Signed-off-by: Herbert Xu
19 Oct, 2009
3 commits
-
If we do rename a dir entry, like this:
rename("/tmp/ino7UrgoJ.rename1", "/tmp/ino7UrgoJ.rename2")
rename("/tmp/ino7UrgoJ.rename2", "/tmp/ino7UrgoJ")The duplicate events should be coalesced into a single event. But those two
events do not be coalesced into a single event, due to some bad check in
event_compare(). It can not match the two NULL inodes as the same event.Signed-off-by: Wei Yongjun
Signed-off-by: Eric Paris -
In 2.6.33 there will be no users of the inotify interface. Mark it for
removal as fsnotify is more generic and is easier to use.Signed-off-by: Eric Paris
-
fsnotify_add_mark is supposed to add a mark to the g_list and i_list and to
set the group and inode for the mark. fsnotify_destroy_mark_by_entry uses
the fact that ->group != NULL to know if this group should be destroyed or
if it's already been done.But fsnotify_add_mark sets the group and inode before it actually adds the
mark to the i_list and g_list. This can result in a race in inotify, it
requires 3 threads.sys_inotify_add_watch("file") sys_inotify_add_watch("file") sys_inotify_rm_watch([a])
inotify_update_watch()
inotify_new_watch()
inotify_add_to_idr()
^--- returns wd = [a]
inotfiy_update_watch()
inotify_new_watch()
inotify_add_to_idr()
fsnotify_add_mark()
^--- returns wd = [b]
returns to userspace;
inotify_idr_find([a])
^--- gives us the pointer from task 1
fsnotify_add_mark()
^--- this is going to set the mark->group and mark->inode fields, but will
return -EEXIST because of the race with [b].
fsnotify_destroy_mark()
^--- since ->group != NULL we call back
into inotify_freeing_mark() which calls
inotify_remove_from_idr([a])since fsnotify_add_mark() failed we call:
inotify_remove_from_idr([a]) group until we are sure the mark is
on the inode and fsnotify_add_mark will return success.Signed-off-by: Eric Paris
18 Oct, 2009
4 commits
-
If left unsigned the hp_sdc_rtc_read_i8042timer() return value will not
be checked correctly.Signed-off-by: Roel Kluin
Signed-off-by: Dmitry Torokhov -
Some machines share same key list for volume up/down release key quirks,
use only one key list.Signed-off-by: Herton Ronaldo Krzesinski
Signed-off-by: Dmitry Torokhov -
Reported-and-tested-by: Harald Dunkel
Signed-off-by: Dmitry Torokhov -
On this model, when KBD is in active multiplexing mode, acknowledgements
to reset and get ID commands issued on KBD port sometimes are delivered
to AUX3 port (touchpad) which messes up device detection. Legacy KBC
mode works fine and since there are no external PS/2 ports on this laptop
and no support for docking station we can safely disable active MUX mode.Tested-by: Carlos R. Mafra
Signed-off-by: Dmitry Torokhov
17 Oct, 2009
13 commits
-
Allow the snapshot chunk size to be smaller than the page size
The code is now capable of handling this due to some previous
fixes and enhancements.As the page size varies between computers, prior to this patch,
the chunk size of a snapshot dictated which machines could read it:
Snapshots created on one machine might not be readable on another.Signed-off-by: Mikulas Patocka
Reviewed-by: Mike Snitzer
Reviewed-by: Jonathan Brassow
Signed-off-by: Alasdair G Kergon -
Use unsigned integer chunk size.
Maximum chunk size is 512kB, there won't ever be need to use 4GB chunk size,
so the number can be 32-bit. This fixes compiler failure on 32-bit systems
with large block devices.Cc: stable@kernel.org
Signed-off-by: Mikulas Patocka
Signed-off-by: Mike Snitzer
Reviewed-by: Jonathan Brassow
Signed-off-by: Alasdair G Kergon -
This patch locks the snapshot when returning status. It fixes a race
when it could return an invalid number of free chunks if someone
was simultaneously modifying it.Cc: stable@kernel.org
Signed-off-by: Mikulas Patocka
Signed-off-by: Alasdair G Kergon -
Properly close the device if failing because of an invalid chunk size.
Cc: stable@kernel.org
Signed-off-by: Mikulas Patocka
Signed-off-by: Alasdair G Kergon -
If we are creating snapshot with memory-stored exception store, fail if
the user didn't specify chunk size. Zero chunk size would probably crash
a lot of places in the rest of snapshot code.Cc: stable@kernel.org
Signed-off-by: Mikulas Patocka
Reviewed-by: Jonathan Brassow
Reviewed-by: Mike Snitzer
Signed-off-by: Alasdair G Kergon -
Multiple instances of dec_pending() can run concurrently so a lock is
needed when it saves the first error code.I have never experienced actual problem without locking and just found
this during code inspection while implementing the barrier support
patch for request-based dm.This patch adds the locking.
I've done compile, boot and basic I/O testings.Cc: stable@kernel.org
Signed-off-by: Kiyoshi Ueda
Signed-off-by: Jun'ichi Nomura
Signed-off-by: Alasdair G Kergon -
Add missing del_gendisk() to error path when creation of workqueue fails.
Otherwice there is a resource leak and following warning is shown:WARNING: at fs/sysfs/dir.c:487 sysfs_add_one+0xc5/0x160()
sysfs: cannot create duplicate filename '/devices/virtual/block/dm-0'Cc: stable@kernel.org
Signed-off-by: Zdenek Kabelac
Reviewed-by: Jonathan Brassow
Signed-off-by: Alasdair G Kergon -
mips:
drivers/md/dm-log-userspace-base.c: In function `userspace_ctr':
drivers/md/dm-log-userspace-base.c:159: warning: cast from pointer to integer of different sizeCc: stable@kernel.org
Cc: Jonathan Brassow
Signed-off-by: Andrew Morton
Signed-off-by: Alasdair G Kergon -
While initializing the snapshot module, if we fail to register
the snapshot target then we must back-out the exception store
module initialization.Cc: stable@kernel.org
Signed-off-by: Jonathan Brassow
Reviewed-by: Mikulas Patocka
Reviewed-by: Mike Snitzer
Signed-off-by: Alasdair G Kergon -
Avoid a race causing corruption when snapshots of the same origin have
different chunk sizes by sorting the internal list of snapshots by chunk
size, largest first.
https://bugzilla.redhat.com/show_bug.cgi?id=182659For example, let's have two snapshots with different chunk sizes. The
first snapshot (1) has small chunk size and the second snapshot (2) has
large chunk size. Let's have chunks A, B, C in these snapshots:
snapshot1: ====A==== ====B====
snapshot2: ==========C==========(Chunk size is a power of 2. Chunks are aligned.)
A write to the origin at a position within A and C comes along. It
triggers reallocation of A, then reallocation of C and links them
together using A as the 'primary' exception.Then another write to the origin comes along at a position within B and
C. It creates pending exception for B. C already has a reallocation in
progress and it already has a primary exception (A), so nothing is done
to it: B and C are not linked.If the reallocation of B finishes before the reallocation of C, because
there is no link with the pending exception for C it does not know to
wait for it and, the second write is dispatched to the origin and causes
data corruption in the chunk C in snapshot2.To avoid this situation, we maintain snapshots sorted in descending
order of chunk size. This leads to a guaranteed ordering on the links
between the pending exceptions and avoids the problem explained above -
both A and B now get linked to C.Cc: stable@kernel.org
Signed-off-by: Mikulas Patocka
Signed-off-by: Alasdair G Kergon -
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/bp/bp:
amd64_edac: fix DRAM base and limit extraction masks, v2 -
This is a proper fix as a follow-up to 66216a7 and 916d11b.
Signed-off-by: Borislav Petkov
-
* 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jgarzik/libata-dev:
sata_mv: Prevent PIO commands to be defered too long if traffic in progress.
pata_sc1200: Fix crash on boot
libata: fix internal command failure handling
libata: fix PMP initialization
sata_nv: make sure link is brough up online when skipping hardreset
ahci / atiixp / pci quirks: rename AMD SB900 into Hudson-2
ahci: Add the AHCI controller Linux Device ID for NVIDIA chipsets.
pata_via: extend the rev_max for VT6330
16 Oct, 2009
6 commits
-
I'm seeing an oops condition when kvm-intel and kvm-amd are modprobe'd
during boot (say on an Intel system) and then rmmod'd:# modprobe kvm-intel
kvm_init()
kvm_init_debug()
kvm_arch_init()
Signed-off-by: Marcelo Tosatti -
On a 32 bits compile, commit 3da0dd433dc399a8c0124d0614d82a09b6a49bce
introduced the following warnings:arch/x86/kvm/mmu.c: In function ‘kvm_set_pte_rmapp’:
arch/x86/kvm/mmu.c:770: warning: cast to pointer from integer of different size
arch/x86/kvm/mmu.c: In function ‘kvm_set_spte_hva’:
arch/x86/kvm/mmu.c:849: warning: cast from pointer to integer of different sizeThe following patch uses 'unsigned long' instead of u64 to match the
pointer size on both arches.Signed-off-by: Frederik Deweerdt
Signed-off-by: Marcelo Tosatti -
hrtimer->base can be temporarily NULL due to racing hrtimer_start.
See switch_hrtimer_base/lock_hrtimer_base.Use hrtimer_get_remaining which is robust against it.
CC: stable@kernel.org
Signed-off-by: Marcelo Tosatti
Signed-off-by: Avi Kivity -
Use excl_link when non NCQ commands are defered, to be sure they are processed
as soon as outstanding commands are completed. It prevents some commands to be
defered indifinitely when using a port multiplier.Signed-off-by: Gwendal Grignou
Signed-off-by: Jeff Garzik -
The SC1200 needs a NULL terminator or it may cause a crash on boot.
Bug #14227
Also correct a bogus comment as the driver had serializing added so can run
dual port.Signed-off-by: Alan Cox
Signed-off-by: Jeff Garzik -
When an internal command fails, it should be failed directly without
invoking EH. In the original implemetation, this was accomplished by
letting internal command bypass failure handling in ata_qc_complete().
However, later changes added post-successful-completion handling to
that code path and the success path is no longer adequate as internal
command failure path. One of the visible problems is that internal
command failure due to timeout or other freeze conditions would
spuriously trigger WARN_ON_ONCE() in the success path.This patch updates failure path such that internal command failure
handling is contained there.Signed-off-by: Tejun Heo
Cc: stable@kernel.org
Signed-off-by: Jeff Garzik
