- 24 9月, 2007 5 次提交
-
-
由 Artem Bityutskiy 提交于
This patch make the OneNAND driver much less racy. It fixes our "onenand_wait: read timeout!" heisenbugs. The reason of these bugs was that the driver did not lock the chip when accessing OTP, and it screwed up OneNAND state when the OTP was read while JFFS2 was doing FS checking. This patch also fixes other races I spotted: 1. BBT was not protected 2. Access to ecc_stats was not protected Now the chip is locked when BBT is accessed. To fix all of these I basically split all interface functions on 'function()' and 'function_nolock()' parts. I tested this patch on N800 hardware - it fixes our problems. But I tested a little different version because our OneNAND codebase is slightly out-of-date. But it should be OK. This patch also includes the prin fixes I posted before. Signed-off-by: NArtem Bityutskiy <Artem.Bityutskiy@nokia.com> Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
-
由 David Woodhouse 提交于
The Vermilion Range Expansion Bus supports four chip selects, each of which has 64MiB of address space. The 2nd BAR of the Expansion Bus PCI Device is a 256MiB memory region containing the address spaces for all four of the chip selects, with start addresses hardcoded on 64MiB boundaries. This map driver only supports NOR flash on chip select 0. The buswidth (either 8 bits or 16 bits) is determined by reading the Expansion Bus Timing and Control Register for Chip Select 0 (EXP_TIMING_CS0). Signed-off-by: NAndy Lowe <alowe@mvista.com> Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
-
由 Andy Lowe 提交于
Fix a couple of instances in JFFS2 where the unpoint() routine is being called with the wrong length in cases where the point() routine truncated a request. Signed-off-by: NAndy Lowe <alowe@mvista.com> Signed-off-by: NNicolas Pitre <nico@cam.org> Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
-
由 Andy Lowe 提交于
The CFI probe routine is capable of detecting flash banks consisting of identical chips mapped to physically discontiguous addresses. (One common way this can occur is if a flash bank is populated with chips of less capacity than the hardware was designed to support.) The CFI point() routine currently ignores any such gaps. This patch fixes the CFI point() routine so that it truncates any request that would span a gap. Signed-off-by: NAndy Lowe <alowe@mvista.com> Signed-off-by: NNicolas Pitre <nico@cam.org> Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
-
由 Todd Poynor 提交于
Replace Lubbock and Mainstone board drivers with common PXA2xx driver, convert to platform driver (corresponding platform device changes merged to kernel.org for 2.6.15), add power management callbacks. Signed-off-by: NTodd Poynor <tpoynor@mvista.com> Signed-off-by: NNicolas Pitre <npitre@mvista.com> Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
-
- 21 9月, 2007 1 次提交
-
-
由 Jörn Engel 提交于
Document mtd erase interface. Signed-off-by: NJörn Engel <joern@logfs.org> Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
-
- 10 9月, 2007 1 次提交
-
-
由 Yoichi Yuasa 提交于
This patch has removed Momenco Ocelot support from MTD. Ocelot support has already removed. Signed-off-by: NYoichi Yuasa <yoichi_yuasa@tripeaks.co.jp> Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
-
- 06 9月, 2007 3 次提交
-
-
由 Artem Bityutskiy 提交于
Make nandsim use GFP_NOFS when allocating memory, because it might be used by a file-system (e.g. UBIFS2) which means, if we are short of memory, we may deadlock. Indee, UBIFS is holding a lock, writes to the media, reaches this place in NANDsim, kmalloc does not find the requested amount of RAM, calls memory shrinker, which decides to writeback inodes, calls FS, and it deadlocks on the lock which is already being held. Below is the UBIFS backtrace which demonstrates that: [<c03717dc>] __mutex_lock_slowpath+0xc8/0x2e6 [<c0371a16>] mutex_lock+0x1c/0x1f [<f8b9d076>] reserve_space+0x3d/0xa9 [ubifs] [<f8b9d1bd>] make_one_reservation+0x2b/0x86 [ubifs] [<f8b9d3fc>] ubifs_jrn_write_block+0xda/0x12f [ubifs] [<f8b9ff3a>] ubifs_writepage+0x11d/0x1ec [ubifs] [<c015d6ab>] shrink_inactive_list+0x7fa/0x969 [<c015d8c8>] shrink_zone+0xae/0x10c [<c015e3b4>] try_to_free_pages+0x159/0x251 [<c015980a>] __alloc_pages+0x125/0x2f0 [<c016ff6a>] cache_alloc_refill+0x380/0x6ba [<c01703f3>] __kmalloc+0x14f/0x157 [<f885722a>] do_state_action+0xab7/0xc74 [nandsim] [<f885760c>] switch_state+0x225/0x402 [nandsim] [<f8857e7e>] ns_hwcontrol+0x3e2/0x620 [nandsim] [<f8862f53>] nand_command+0x2e/0x1a5 [nand] [<f8861ad8>] nand_write_page+0x4a/0x9a [nand] [<f88617b4>] nand_do_write_ops+0x1cf/0x343 [nand] [<f8861a70>] nand_write+0x88/0xa6 [nand] [<f8850b0e>] part_write+0x72/0x8b [mtd] [<f88e19c5>] ubi_io_write+0x189/0x29c [ubi] [<f88dfb98>] ubi_eba_write_leb+0xb6/0x699 [ubi] [<f88def93>] ubi_leb_write+0xe4/0xe9 [ubi] [<f8ba3b82>] ubifs_wbuf_write_nolock+0x333/0x4c9 [ubifs] [<f8b9d28c>] write_node+0x74/0x8e [ubifs] [<f8b9d422>] ubifs_jrn_write_block+0x100/0x12f [ubifs] [<f8b9ff3a>] ubifs_writepage+0x11d/0x1ec [ubifs] [<c0159e5b>] __writepage+0xb/0x26 [<c015a318>] write_cache_pages+0x203/0x2d9 [<c015a411>] generic_writepages+0x23/0x2d [<c015a452>] do_writepages+0x37/0x39 [<c018e24a>] __writeback_single_inode+0x96/0x399 [<c018e903>] sync_sb_inodes+0x1a3/0x274 [<c018ebf3>] writeback_inodes+0xa6/0xd8 [<c015a9dd>] background_writeout+0x86/0x9e [<c015ae9c>] pdflush+0xfb/0x1b6 [<c01387d7>] kthread+0x37/0x59 [<c0104dc3>] kernel_thread_helper+0x7/0x14 The deadlock is funny because it starts in pdflush/writeback, and comes back to writeback, then deadlocks. It seems we should look carefully for other places in UBI and MTD and use GFP_NOFS instead of GFP_KERNEL. Caught-by: NAdrian Hunter <ext-adrian.hunter@nokia.com> Signed-off-by: NArtem Bityutskiy <Artem.Bityutskiy@nokia.com> Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
-
由 David Woodhouse 提交于
When building NOR flash support, you have compile-time options for the bus width and the number of individual chips which are interleaved together onto that bus. The code to deal with arbitrary geometry is a bit convoluted, and people want to just configure it for the specific hardware they have, to avoid the runtime overhead. Selecting _none_ of the available options doesn't make any sense. You should have at least one. This makes it build though, since people persist in trying. Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
-
由 Kyungmin Park 提交于
Now we can use yaffs2 on OneNAND Signed-off-by: NKyungmin Park <kyungmin.park@samsung.com> Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
-
- 30 8月, 2007 2 次提交
-
-
由 Kyungmin Park 提交于
To enable the main read/write at oob ops Next time we will commit the main read/write support for yaffs2 Signed-off-by: NKyungmin Park <kyungmin.park@samsung.com> Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
-
由 Jörn Engel 提交于
Unlike most stuff on the market the chip inside these two allows raw flash access and doesn't implement and FTL, leaving that functionality to the device driver. Raw flash access in a cheap USB cardreader! An MTD test device one can attach to a PC! What a deal! The command set of the chip is not documented, so information was obtained from the existing mass-storage driver (drivers/usb/storage/alauda.c), its documentation (http://alauda.sourceforge.net/wikka.php?wakka=BulkCommandReference), additional reverse engineering and comparison with a vendor driver for a related chip (http://www.ratocsystems.com/english/download/driver/linux/sma03u.html). Signed-off-by: NJoern Engel <joern@logfs.org> Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
-
- 23 8月, 2007 28 次提交
-
-
由 David Woodhouse 提交于
-
由 Kumar Gala 提交于
The tqm834x map Kconfig options depends on TQM834x which does not exist anywhere else in the kernel. The pq2fads map Kconfig/makefile support was removed a while ago but the actual file persisted. Signed-off-by: NKumar Gala <galak@kernel.crashing.org>
-
由 Josh Boyer 提交于
These drivers are specific to 4xx support in arch/ppc at the moment. Make sure they don't get built on arch/powerpc. Signed-off-by: NJosh Boyer <jwboyer@linux.vnet.ibm.com> Signed-off-by: NKumar Gala <galak@kernel.crashing.org>
-
由 Mel Gorman 提交于
The NUMA layer only supports NUMA policies for the highest zone. When ZONE_MOVABLE is configured with kernelcore=, the the highest zone becomes ZONE_MOVABLE. The result is that policies are only applied to allocations like anonymous pages and page cache allocated from ZONE_MOVABLE when the zone is used. This patch applies policies to the two highest zones when the highest zone is ZONE_MOVABLE. As ZONE_MOVABLE consists of pages from the highest "real" zone, it's always functionally equivalent. The patch has been tested on a variety of machines both NUMA and non-NUMA covering x86, x86_64 and ppc64. No abnormal results were seen in kernbench, tbench, dbench or hackbench. It passes regression tests from the numactl package with and without kernelcore= once numactl tests are patched to wait for vmstat counters to update. akpm: this is the nasty hack to fix NUMA mempolicies in the presence of ZONE_MOVABLE and kernelcore= in 2.6.23. Christoph says "For .24 either merge the mobility or get the other solution that Mel is working on. That solution would only use a single zonelist per node and filter on the fly. That may help performance and also help to make memory policies work better." Signed-off-by: NMel Gorman <mel@csn.ul.ie> Acked-by: NLee Schermerhorn <lee.schermerhorn@hp.com> Tested-by: NLee Schermerhorn <lee.schermerhorn@hp.com> Acked-by: NChristoph Lameter <clameter@sgi.com> Cc: Andi Kleen <ak@suse.de> Cc: Paul Mundt <lethal@linux-sh.org> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Yoichi Yuasa 提交于
au1100fb_fb_blank() should come before au1100fb_setmode(). drivers/video/au1100fb.c: In function 'au1100fb_setmode': drivers/video/au1100fb.c:211: error: implicit declaration of function 'au1100fb_fb_blank' Signed-off-by: NYoichi Yuasa <yoichi_yuasa@tripeaks.co.jp> Cc: "Antonino A. Daplas" <adaplas@pol.net> Cc: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Andrew Morton 提交于
drivers/video/console/newport_con.c: In function `newport_console_init': drivers/video/console/newport_con.c:743: warning: return makes integer from pointer without a cast Although one wonders whether that should have been -ENODEV... Cc: "Antonino A. Daplas" <adaplas@pol.net> Cc: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Andrew Morton 提交于
In file included from drivers/video/console/newport_con.c:16: include/linux/selection.h:16: warning: "struct tty_struct" declared inside parameter list include/linux/selection.h:16: warning: its scope is only this definition or declaration, which is probably not what you want Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Stephen Rothwell 提交于
This is the correct fix according to Paul Mackerras and allows an allyesconfig on PPC64 to build. Signed-off-by: NStephen Rothwell <sfr@canb.auug.org.au> Cc: Paul Mackerras <paulus@samba.org> Cc: "Antonino A. Daplas" <adaplas@pol.net> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Mathieu Desnoyers 提交于
Xen i386 xen-head.S fix sections mixup xen-head.S does not come back to the data section, leaving the text section as current section. It causes problems with a slightly enhanced DEBUG_RODATA that supports CONFIG_HOTPLUG and bringing a CPU up after the text has been marked read-only: reference to early_gdt_descr causes a page fault. Updates: - It should be using pushsection/popsection. - Actually, the push/popsections around the ELFNOTEs are redundant; ELFNOTE() does its own push/popsection to put things into the appropriate .note* section anyway. Signed-off-by: NMathieu Desnoyers <mathieu.desnoyers@polymtl.ca> Acked-by: NJeremy Fitzhardinge <jeremy@xensource.com> Cc: Chris Wright <chrisw@sous-sol.org> Cc: Andi Kleen <ak@suse.de> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Oleg Nesterov 提交于
de_thread: if (atomic_read(&oldsighand->count) <= 1) BUG_ON(atomic_read(&sig->count) != 1); This is not safe without the rmb() in between. The results of two correctly ordered __exit_signal()->atomic_dec_and_test()'s could be seen out of order on our CPU. The same is true for the "thread_group_empty()" case, __unhash_process()'s changes could be seen before atomic_dec_and_test(&sig->count). On some platforms (including i386) atomic_read() doesn't provide even the compiler barrier, in that case these checks are simply racy. Remove these BUG_ON()'s. Alternatively, we can do something like BUG_ON( ({ smp_rmb(); atomic_read(&sig->count) != 1; }) ); Signed-off-by: NOleg Nesterov <oleg@tv-sign.ru> Acked-by: NPaul E. McKenney <paulmck@linux.vnet.ibm.com> Cc: Roland McGrath <roland@redhat.com> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 David Brownell 提交于
Minor tweaks to rtc-max6902: make it hotplug correctly, and fix a few space-before-tab whitespace botches. This driver has no current in-tree users, so the hotplug fix changes the driver name. Signed-off-by: NDavid Brownell <dbrownell@users.sourceforge.net> Cc: Atsushi Nemoto <anemo@mba.ocn.ne.jp> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Christoph Lameter 提交于
Print a big fat warning and do what is necessary to continue if a node is marked as up (meaning either node is online (upstream) or node has memory (Andrew's tree)) but allocations from the node do not succeed. Signed-off-by: NChristoph Lameter <clameter@sgi.com> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Christoph Lameter 提交于
SLUB is using atomic_read() for variables declared atomic_long_t. Switch to atomic_long_read(). Signed-off-by: NChristoph Lameter <clameter@sgi.com> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Miguel Ojeda 提交于
This one-liner patch fixes a bug in drivers/auxdisplay/cfag12864b.c At cfag12864b_init(), the driver tries to kalloc some memory in the variable cfag12864b_cache. Then, as usual, it checks if the call failed. However, it checks cfag12864b_buffer instead. This patch changes the "cfag12864b_buffer" to "cfag12864b_cache" so the correct variable is checked. Signed-off-by: NMiguel Ojeda <maxextreme@gmail.com> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Olof Johansson 提交于
Add PCI IDs for the onchip UARTs on PA Semi PWRficient. Signed-off-by: NOlof Johansson <olof@lixom.net> Cc: Russell King <rmk@arm.linux.org.uk> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Ian Kent 提交于
Due to inconsistent locking in the VFS between calls to lookup and revalidate deadlock can occur in the automounter. The inconsistency is that the directory inode mutex is held for both lookup and revalidate calls when called via lookup_hash whereas it is held only for lookup during a path walk. Consequently, if the mutex is held during a call to revalidate autofs4 can't release the mutex to callback the daemon as it can't know whether it owns the mutex. This situation happens when a process tries to create a directory within an automount and a second process also tries to create the same directory between the lookup and the mkdir. Since the first process has dropped the mutex for the daemon callback, the second process takes it during revalidate leading to deadlock between the autofs daemon and the second process when the daemon tries to create the mount point directory. After spending quite a bit of time trying to resolve this on more than one occassion, using rather complex and ulgy approaches, it turns out that just delaying the hashing of the dentry until the create operation works fine. Signed-off-by: NIan Kent <raven@themaw.net> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Jeff Dike 提交于
The previous patch which limited the number of sectors in a single request to a COWed device was correct in concept, but the limit was implemented in the wrong place. By putting it in ubd_add, it covered the cases where the COWing was specified on the command line. However, when the command line only has the COW file specified, the fact that it's a COW file isn't known until it's opened, so the limit is missed in these cases. This patch moves the sector limit from ubd_add to ubd_open_dev. Signed-off-by: NJeff Dike <jdike@linux.intel.com> Cc: <stable@kernel.org> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 NeilBrown 提交于
When a raid1 array is reshaped (number of drives changed), the list of devices is compacted, so that slots for missing devices are filled with working devices from later slots. This requires the "rd%d" symlinks in sysfs to be updated. Signed-off-by: NNeil Brown <neilb@suse.de> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 NeilBrown 提交于
Commit 17571284 was slightly bad. If an array has a write-intent bitmap, and you remove a drive, then readd it, only the changed parts should be resynced. However after the above commit, this only works if the array has not been shut down and restarted. This is because it sets 'fullsync' at little more often than it should. This patch is more careful. Signed-off-by: NNeil Brown <neilb@suse.de> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Evgeniy Polyakov 提交于
In case bus master driver provided bogus value as its private data, search can be incorrect. Problem found by Adrian Bunk. Signed-off-by: NEvgeniy Polyakov <johnpol@2ka.mipt.ru> Cc: Adrian Bunk <bunk@stusta.de> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Adam Litke 提交于
It seems a simple mistake was made when converting follow_hugetlb_page() over to the VM_FAULT flags bitmasks (in "mm: fault feedback #2", commit 83c54070). By using the wrong bitmask, hugetlb_fault() failures are not being recognized. This results in an infinite loop whenever follow_hugetlb_page is involved in a failed fault. Signed-off-by: NAdam Litke <agl@us.ibm.com> Acked-by: NNick Piggin <npiggin@suse.de> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Paul Fulghum 提交于
Get module reference on open() by generic HDLC to prevent module from unloading while interface is active. Signed-off-by: NPaul Fulghum <paulkf@microgate.com> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Siddha, Suresh B 提交于
Skip calling cache_free_alien() when the platform is not numa capable. This will avoid cache misses that happen while accessing slabp (which is per page memory reference) to get nodeid. Instead use a global variable to skip the call, which is mostly likely to be present in the cache. This gives a 0.8% performance boost with the database oltp workload on a quad-core SMP platform and by any means the number is not small :) Signed-off-by: NSuresh Siddha <suresh.b.siddha@intel.com> Acked-by: NChristoph Lameter <clameter@sgi.com> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Mijo Safradin 提交于
trivial change: fix warning Signed-off-by: NMijo Safradin <safradin@de.ibm.com> Acked-by: NChristian Krafft <krafft@de.ibm.com> Signed-off-by: NCorey Minyard <cminyard@mvista.com> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Oleg Nesterov 提交于
With this patch any thread can dequeue its own private signals via signalfd, even if it was created by another sub-thread. To do so, we pass "current" to dequeue_signal() if the caller is from the same thread group. This also fixes the scheduling of posix timers broken by the previous patch. If the caller doesn't belong to this thread group, we can't handle __SI_TIMER case properly anyway. Perhaps we should forbid the cross-process signalfd usage and convert ctx->tsk to ctx->sighand. Signed-off-by: NOleg Nesterov <oleg@tv-sign.ru> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Davide Libenzi <davidel@xmailserver.org> Cc: Ingo Molnar <mingo@elte.hu> Cc: Michael Kerrisk <mtk-manpages@gmx.net> Cc: Roland McGrath <roland@redhat.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: <stable@kernel.org> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Oleg Nesterov 提交于
dequeue_signal: if (__SI_TIMER) { spin_unlock(&tsk->sighand->siglock); do_schedule_next_timer(info); spin_lock(&tsk->sighand->siglock); } Unless tsk == curent, this is absolutely unsafe: nothing prevents tsk from exiting. If signalfd was passed to another process, do_schedule_next_timer() is just wrong. Add yet another "tsk == current" check into dequeue_signal(). This patch fixes an oopsable bug, but breaks the scheduling of posix timers if the shared __SI_TIMER signal was fetched via signalfd attached to another sub-thread. Mostly fixed by the next patch. Signed-off-by: NOleg Nesterov <oleg@tv-sign.ru> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Davide Libenzi <davidel@xmailserver.org> Cc: Ingo Molnar <mingo@elte.hu> Cc: Michael Kerrisk <mtk-manpages@gmx.net> Cc: Roland McGrath <roland@redhat.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: <stable@kernel.org> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 Oleg Nesterov 提交于
sys_timer_create() sets ->it_process and unlocks ->siglock, then checks tmr->it_sigev_notify to define if get_task_struct() is needed. We already passed ->it_id to the caller, another thread can delete this timer and free its memory in between. As a minimal fix, move this code under ->siglock, sys_timer_delete() takes it too before calling release_posix_timer(). A proper serialization would be to take ->it_lock, we add a partly initialized timer on posix_timers_id, not good. Signed-off-by: NOleg Nesterov <oleg@tv-sign.ru> Cc: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-