1. 02 10月, 2012 35 次提交
    • A
      rbd: simplify snap_by_name() interface · 8836b995
      Alex Elder 提交于
      There is only one caller of snap_by_name(), and it passes two values
      to be assigned, both of which are found within an rbd device
      structure.
      
      Change the interface so it just passes the address of the rbd_dev,
      and make the assignments to its fields directly.
      Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NJosh Durgin <josh.durgin@inktank.com>
      8836b995
    • A
      rbd: set mapping name with the rest · 4e1105a2
      Alex Elder 提交于
      With the exception of the snapshot name, all of the mapping-specific
      fields in an rbd device structure are set in rbd_header_set_snap().
      
      Pass the snapshot name to be assigned into rbd_header_set_snap()
      to keep all of the mapping assignments together.
      Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NJosh Durgin <josh.durgin@inktank.com>
      4e1105a2
    • A
      rbd: return snap name from rbd_add_parse_args() · 3feeb894
      Alex Elder 提交于
      This is the first of two patches aimed at isolating the code that
      sets the mapping information into a single spot.
      Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NJosh Durgin <josh.durgin@inktank.com>
      3feeb894
    • A
      rbd: record mapped size · 99c1f08f
      Alex Elder 提交于
      Add the size of the mapped image to the set of mapping-specific
      fields in an rbd_device, and use it when setting the capacity of the
      disk.
      Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NJosh Durgin <josh.durgin@inktank.com>
      99c1f08f
    • A
      rbd: separate mapping info in rbd_dev · f84344f3
      Alex Elder 提交于
      Several fields in a struct rbd_dev are related to what is mapped, as
      opposed to the actual base rbd image.  If the base image is mapped
      these are almost unneeded, but if a snapshot is mapped they describe
      information about that snapshot.
      
      In some contexts this can be a little bit confusing.  So group these
      mapping-related field into a structure to make it clear what they
      are describing.
      
      This also includes a minor change that rearranges the fields in the
      in-core image header structure so that invariant fields are at the
      top, followed by those that change.
      Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NJosh Durgin <josh.durgin@inktank.com>
      f84344f3
    • A
      rbd: kill rbd_image_header->total_snaps · c9aadfe7
      Alex Elder 提交于
      The "total_snaps" field in an rbd header structure is never any
      different from the value of "num_snaps" stored within a snapshot
      context.  Avoid any confusion by just using the value held within
      the snapshot context, and get rid of the "total_snaps" field.
      Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NJosh Durgin <josh.durgin@inktank.com>
      c9aadfe7
    • A
      rbd: kill rbd_dev->q · 98cec111
      Alex Elder 提交于
      A copy of rbd_dev->disk->queue is held in rbd_dev->q, but it's
      never actually used.  So get just get rid of the field.
      Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NJosh Durgin <josh.durgin@inktank.com>
      98cec111
    • A
      rbd: rename __rbd_init_snaps_header() · 9fcbb800
      Alex Elder 提交于
      The name __rbd_init_snaps_header() doesn't really convey what that
      function does very well.  Its purpose is to scan a new snapshot
      context and either create or destroy snapshot device entries so
      that local host's view is consistent with the reality maintained
      on the OSDs.  This patch just changes the name of this function,
      to be rbd_dev_snap_devs_update().  Still not perfect, but I think
      better.
      
      Also add some dynamic debug statements to this function.
      Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NJosh Durgin <josh.durgin@inktank.com>
      9fcbb800
    • A
      rbd: rename rbd_id_get() · e2839308
      Alex Elder 提交于
      This should have been done as part of this commit:
      
          commit de71a297
          Author: Alex Elder <elder@inktank.com>
          Date:   Tue Jul 3 16:01:19 2012 -0500
          rbd: rename rbd_device->id
      
      rbd_id_get() is assigning the rbd_dev->dev_id field.  Change the
      name of that function as well as rbd_id_put() and rbd_id_max
      to reflect what they are affecting.
      
      Add some dynamic debug statements related to rbd device id activity.
      Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NJosh Durgin <josh.durgin@inktank.com>
      e2839308
    • A
      rbd: define rbd_assert() · aafb230e
      Alex Elder 提交于
      Define rbd_assert() and use it in place of various BUG_ON() calls
      now present in the code.  By default assertion checking is enabled;
      we want to do this differently at some point.
      Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NJosh Durgin <josh.durgin@inktank.com>
      aafb230e
    • A
      rbd: split up rbd_get_segment() · 65ccfe21
      Alex Elder 提交于
      There are two places where rbd_get_segment() is called.  One, in
      rbd_rq_fn(), only needs to know the length within a segment that an
      I/O request should be.  The other, in rbd_do_op(), also needs the
      name of the object and the offset within it for the I/O request.
      
      Split out rbd_segment_name() into three dedicated functions:
          - rbd_segment_name() allocates and formats the name of the
            object for a segment containing a given rbd image offset
          - rbd_segment_offset() computes the offset within a segment for
            a given rbd image offset
          - rbd_segment_length() computes the length to use for I/O within
            a segment for a request, not to exceed the end of a segment
            object.
      
      In the new functions be a bit more careful, checking for possible
      error conditions:
          - watch for errors or overflows returned by snprintf()
          - catch (using BUG_ON()) potential overflow conditions
            when computing segment length
      Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NYehuda Sadeh <yehuda@inktank.com>
      65ccfe21
    • A
      rbd: check for overflow in rbd_get_num_segments() · df111be6
      Alex Elder 提交于
      It is possible in rbd_get_num_segments() for an overflow to occur
      when adding the offset and length.  This is easily avoided.
      
      Since the function returns an int and the one caller is already
      prepared to handle errors, have it return -ERANGE if overflow would
      occur.
      
      The overflow check would not work if a zero-length request was
      being tested, so short-circuit that case, returning 0 for the
      number of segments required.  (This condition might be avoided
      elsewhere already, I don't know.)
      
      Have the caller end the request if either an error or 0 is returned.
      The returned value is passed to __blk_end_request_all(), meaning
      a 0 length request is not treated an error.
      Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NYehuda Sadeh <yehuda@inktank.com>
      df111be6
    • A
      rbd: drop needless test in rbd_rq_fn() · 38f5f65e
      Alex Elder 提交于
      There's a test for null rq pointer inside the while loop in
      rbd_rq_fn() that's not needed.  That same test already occurred
      in the immediatly preceding loop condition test.
      Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NYehuda Sadeh <yehuda@inktank.com>
      38f5f65e
    • A
      rbd: bio_chain_clone() cleanups · 542582fc
      Alex Elder 提交于
      In bio_chain_clone(), at the end of the function the bi_next field
      of the tail of the new bio chain is nulled.  This isn't necessary,
      because if "tail" is non-null, its value will be the last bio
      structure allocated at the top of the while loop in that function.
      And before that structure is added to the end of the new chain, its
      bi_next pointer is always made null.
      
      While touching that function, clean a few other things:
          - define each local variable on its own line
          - move the definition of "tmp" to an inner scope
          - move the modification of gfpmask closer to where it's used
          - rearrange the logic that sets the chain's tail pointer
      Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NYehuda Sadeh <yehuda@inktank.com>
      542582fc
    • A
      rbd: kill notify_timeout option · 84d34dcc
      Alex Elder 提交于
      The "notify_timeout" rbd device option is never used, so get rid of
      it.
      Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NYehuda Sadeh <yehuda@inktank.com>
      84d34dcc
    • A
      rbd: add read_only rbd map option · cc0538b6
      Alex Elder 提交于
      Add the ability to map an rbd image read-only, by specifying either
      "read_only" or "ro" as an option on the rbd "command line."  Also
      allow the inverse to be explicitly specified using "read_write" or
      "rw".
      Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NYehuda Sadeh <yehuda@inktank.com>
      cc0538b6
    • A
      rbd: move rbd_opts to struct rbd_device · f8c38929
      Alex Elder 提交于
      The rbd options don't really apply to the ceph client.  So don't
      store a pointer to it in the ceph_client structure, and put them
      (a struct, not a pointer) into the rbd_dev structure proper.
      
      Pass the rbd device structure to rbd_client_create() so it can
      assign rbd_dev->rbdc if successful, and have it return an error code
      instead of the rbd client pointer.
      Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NYehuda Sadeh <yehuda@inktank.com>
      f8c38929
    • A
      rbd: more cleanup in rbd_header_from_disk() · 621901d6
      Alex Elder 提交于
      This just rearranges things a bit more in rbd_header_from_disk()
      so that the snapshot sizes are initialized right after the buffer
      to hold them is allocated and doing a little further consolidation
      that follows from that.  Also adds a few simple comments.
      Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NYehuda Sadeh <yehuda@inktank.com>
      621901d6
    • A
      rbd: kill incore snap_names_len · f785cc1d
      Alex Elder 提交于
      The only thing the on-disk snap_names_len field is needed is to
      size the buffer allocated to hold a copy of the snapshot names
      for an rbd image.
      
      So don't bother saving it in the in-core rbd_image_header structure.
      Just use a local variable to hold the required buffer size while
      it's needed.
      
      Move the code that actually copies the snapshot names up closer
      to where the required length is saved.
      Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NYehuda Sadeh <yehuda@inktank.com>
      f785cc1d
    • A
      rbd: don't over-allocate space for object prefix · 58c17b0e
      Alex Elder 提交于
      In rbd_header_from_disk() the object prefix buffer is sized based on
      the maximum size it's block_name equivalent on disk could be.
      
      Instead, only allocate enough to hold null-terminated string from
      the on-disk header--or the maximum size of no NUL is found.
      Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NYehuda Sadeh <yehuda@inktank.com>
      58c17b0e
    • A
      rbd: handle locking inside __rbd_client_find() · 1f7ba331
      Alex Elder 提交于
      There is only caller of __rbd_client_find(), and it somewhat
      clumsily gets the appropriate lock and gets a reference to the
      existing ceph_client structure if it's found.
      
      Instead, have that function handle its own locking, and acquire the
      reference if found while it holds the lock.  Drop the underscores
      from the name because there's no need to signify anything special
      about this function.
      Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NYehuda Sadeh <yehuda@inktank.com>
      1f7ba331
    • W
      ceph: use list_move_tail instead of list_del/list_add_tail · cc4829e5
      Wei Yongjun 提交于
      Using list_move_tail() instead of list_del() + list_add_tail().
      Signed-off-by: NWei Yongjun <yongjun_wei@trendmicro.com.cn>
      Signed-off-by: NSage Weil <sage@inktank.com>
      cc4829e5
    • A
      rbd: add new snapshots at the tail · 523f3258
      Alex Elder 提交于
      This fixes a bug that went in with this commit:
      
          commit f6e0c99092cca7be00fca4080cfc7081739ca544
          Author: Alex Elder <elder@inktank.com>
          Date:   Thu Aug 2 11:29:46 2012 -0500
          rbd: simplify __rbd_init_snaps_header()
      
      The problem is that a new rbd snapshot needs to go either after an
      existing snapshot entry, or at the *end* of an rbd device's snapshot
      list.  As originally coded, it is placed at the beginning.  This was
      based on the assumption the list would be empty (so it wouldn't
      matter), but in fact if multiple new snapshots are added to an empty
      list in one shot the list will be non-empty after the first one is
      added.
      
      This addresses http://tracker.newdream.net/issues/3063Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NJosh Durgin <josh.durgin@inktank.com>
      523f3258
    • A
      rbd: rename block_name -> object_prefix · 843a0d08
      Alex Elder 提交于
      In the on-disk image header structure there is a field "block_name"
      which represents what we now call the "object prefix" for an rbd
      image.  Rename this field "object_prefix" to be consistent with
      modern usage.
      
      This appears to be the only remaining vestige of the use of "block"
      in symbols that represent objects in the rbd code.
      
      This addresses http://tracker.newdream.net/issues/1761Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NJosh Durgin <josh.durgin@inktank.com>
      Reviewed-by: NDan Mick <dan.mick@inktank.com>
      843a0d08
    • I
      libceph: Fix sparse warning · 7698f2f5
      Iulius Curt 提交于
      Make ceph_monc_do_poolop() static to remove the following sparse warning:
       * net/ceph/mon_client.c:616:5: warning: symbol 'ceph_monc_do_poolop' was not
         declared. Should it be static?
      Also drops the 'ceph_monc_' prefix, now being a private function.
      Signed-off-by: NIulius Curt <icurt@ixiacom.com>
      Signed-off-by: NSage Weil <sage@inktank.com>
      7698f2f5
    • S
      libceph: remove unused monc->have_fsid · 290e3359
      Sage Weil 提交于
      This is unused; use monc->client->have_fsid.
      Signed-off-by: NSage Weil <sage@inktank.com>
      290e3359
    • A
      ceph: let path portion of mount "device" be optional · c98f533c
      Alex Elder 提交于
      A recent change to /sbin/mountall causes any trailing '/' character
      in the "device" (or fs_spec) field in /etc/fstab to be stripped.  As
      a result, an entry for a ceph mount that intends to mount the root
      of the name space ends up with now path portion, and the ceph mount
      option processing code rejects this.
      
      That is, an entry in /etc/fstab like:
          cephserver:port:/ /mnt ceph defaults 0 0
      provides to the ceph code just "cephserver:port:" as the "device,"
      and that gets rejected.
      
      Although this is a bug in /sbin/mountall, we can have the ceph mount
      code support an empty/nonexistent path, interpreting it to mean the
      root of the name space.
      
      RFC 5952 offers recommendations for how to express IPv6 addresses,
      and recommends the usage found in RFC 3986 (which specifies the
      format for URI's) for representing both IPv4 and IPv6 addresses that
      include port numbers.  (See in particular the definition of
      "authority" found in the Appendix of RFC 3986.)
      
      According to those standards, no host specification will ever
      contain a '/' character.  As a result, it is sufficient to scan a
      provided "device" from an /etc/fstab entry for the first '/'
      character, and if it's found, treat that as the beginning of the
      path.  If no '/' character is present, we can treat the entire
      string as the monitor host specification(s), and assume the path
      to be the root of the name space.  We'll still require a ':' to
      separate the host portion from the (possibly empty) path portion.
      
      This means that we can more formally define how ceph will interpret
      the "device" it's provided when processing a mount request:
      
          "device" will look like:
              <server_spec>[,<server_spec>...]:[<path>]
          where
              <server_spec> is <ip>[:<port>]
              <path> is optional, but if present must begin with '/'
      
      This addresses http://tracker.newdream.net/issues/2919Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NDan Mick <dan.mick@inktank.com>
      c98f533c
    • A
      rbd: separate reading header from decoding it · 4156d998
      Alex Elder 提交于
      Right now rbd_read_header() both reads the header object for an rbd
      image and decodes its contents.  It does this repeatedly if needed,
      in order to ensure a complete and intact header is obtained.
      
      Separate this process into two steps--reading of the raw header
      data (in new function, rbd_dev_v1_header_read()) and separately
      decoding its contents (in rbd_header_from_disk()).  As a result,
      the latter function no longer requires its allocated_snaps argument.
      Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NJosh Durgin <josh.durgin@inktank.com>
      4156d998
    • A
      rbd: expand rbd_dev_ondisk_valid() checks · 103a150f
      Alex Elder 提交于
      Add checks on the validity of the snap_count and snap_names_len
      field values in rbd_dev_ondisk_valid().  This eliminates the
      need to do them in rbd_header_from_disk().
      Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NJosh Durgin <josh.durgin@inktank.com>
      103a150f
    • A
      rbd: return earlier in rbd_header_from_disk() · 28cb775d
      Alex Elder 提交于
      The only caller of rbd_header_from_disk() is rbd_read_header().
      It passes as allocated_snaps the number of snapshots it will
      have received from the server for the snapshot context that
      rbd_header_from_disk() is to interpret.  The first time through
      it provides 0--mainly to extract the number of snapshots from
      the snapshot context header--so that it can allocate an
      appropriately-sized buffer to receive the entire snapshot
      context from the server in a second request.
      
      rbd_header_from_disk() will not fill in the array of snapshot ids
      unless the number in the snapshot matches the number the caller
      had allocated.
      
      This patch adjusts that logic a little further to be more efficient.
      rbd_read_header() doesn't even examine the snapshot context unless
      the snapshot count (stored in header->total_snaps) matches the
      number of snapshots allocated.  So rbd_header_from_disk() doesn't
      need to allocate or fill in the snapshot context field at all in
      that case.
      Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NJosh Durgin <josh.durgin@inktank.com>
      28cb775d
    • A
      rbd: rearrange rbd_header_from_disk() · 6a52325f
      Alex Elder 提交于
      This just moves code around for the most part.  It was pulled out as
      a separate patch to avoid cluttering up some upcoming patches which
      are more substantive.  The point is basically to group everything
      related to initializing the snapshot context together.
      
      The only functional change is that rbd_header_from_disk() now
      ensures the (in-core) header it is passed is zero-filled.  This
      allows a simpler error handling path in rbd_header_from_disk().
      Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NJosh Durgin <josh.durgin@inktank.com>
      6a52325f
    • A
      rbd: use sizeof (object) instead of sizeof (type) · d2bb24e5
      Alex Elder 提交于
      Fix a few spots in rbd_header_from_disk() to use sizeof (object)
      rather than sizeof (type).  Use a local variable to record sizes
      to shorten some lines and improve readability.
      Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NJosh Durgin <josh.durgin@inktank.com>
      d2bb24e5
    • A
      rbd: ensure invalid pointers are made null · d78fd7ae
      Alex Elder 提交于
      Fix a number of spots where a pointer value that is known to
      have become invalid but was not reset to null.
      
      Also, toss in a change so we use sizeof (object) rather than
      sizeof (type).
      Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NJosh Durgin <josh.durgin@inktank.com>
      d78fd7ae
    • A
      rbd: make snap_names_len a u64 · 0f1d3f93
      Alex Elder 提交于
      The snap_names_len field of an rbd_image_header structure is defined
      with type size_t.  That field is used as both the source and target
      of 64-bit byte-order swapping operations though, so it's best to
      define it with type u64 instead.
      Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NJosh Durgin <josh.durgin@inktank.com>
      0f1d3f93
    • A
      rbd: simplify __rbd_init_snaps_header() · 35938150
      Alex Elder 提交于
      The purpose of __rbd_init_snaps_header() is to compare a new
      snapshot context with an rbd device's list of existing snapshots.
      It updates the list by adding any new snapshots or removing any
      that are not present in the new snapshot context.
      
      The code as written is a little confusing, because it traverses both
      the existing snapshot list and the set of snapshots in the snapshot
      context in reverse.  This was done based on an assumption about
      snapshots that is not true--namely that a duplicate snapshot name
      could cause an error in intepreting things if they were not
      processed in ascending order.
      
      These precautions are not necessary, because:
          - all snapshots are uniquely identified by their snapshot id
          - a new snapshot cannot be created if the rbd device has another
            snapshot with the same name
      (It is furthermore not currently possible to rename a snapshot.)
      
      This patch re-implements __rbd_init_snaps_header() so it passes
      through both the existing snapshot list and the entries in the
      snapshot context in forward order.  It still does the same thing
      as before, but I find the logic considerably easier to understand.
      
      By going forward through the names in the snapshot context, there
      is no longer a need for the rbd_prev_snap_name() helper function.
      Signed-off-by: NAlex Elder <elder@inktank.com>
      Reviewed-by: NJosh Durgin <josh.durgin@inktank.com>
      35938150
  2. 01 10月, 2012 1 次提交
  3. 30 9月, 2012 3 次提交
    • M
      vfs: dcache: fix deadlock in tree traversal · 8110e16d
      Miklos Szeredi 提交于
      IBM reported a deadlock in select_parent().  This was found to be caused
      by taking rename_lock when already locked when restarting the tree
      traversal.
      
      There are two cases when the traversal needs to be restarted:
      
       1) concurrent d_move(); this can only happen when not already locked,
          since taking rename_lock protects against concurrent d_move().
      
       2) racing with final d_put() on child just at the moment of ascending
          to parent; rename_lock doesn't protect against this rare race, so it
          can happen when already locked.
      
      Because of case 2, we need to be able to handle restarting the traversal
      when rename_lock is already held.  This patch fixes all three callers of
      try_to_ascend().
      
      IBM reported that the deadlock is gone with this patch.
      
      [ I rewrote the patch to be smaller and just do the "goto again" if the
        lock was already held, but credit goes to Miklos for the real work.
         - Linus ]
      Signed-off-by: NMiklos Szeredi <mszeredi@suse.cz>
      Cc: Al Viro <viro@ZenIV.linux.org.uk>
      Cc: stable@vger.kernel.org
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      8110e16d
    • L
      Merge tag 'iommu-fixes-v3.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · 6a3e3dbe
      Linus Torvalds 提交于
      Pull IOMMU fixes from Joerg Roedel:
       "Two small patches:
      
      	* One patch to fix the function declarations for
      	  !CONFIG_IOMMU_API. This is causing build errors
      	  in linux-next and should be fixed for v3.6.
      
      	* Another patch to fix an IOMMU group related NULL pointer
      	  dereference."
      
      * tag 'iommu-fixes-v3.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
        iommu/amd: Fix wrong assumption in iommu-group specific code
        iommu: static inline iommu group stub functions
      6a3e3dbe
    • L
      Merge git://git.infradead.org/users/willy/linux-nvme · 21e98932
      Linus Torvalds 提交于
      Pull NVMe driver fixes from Matthew Wilcox:
       "Now that actual hardware has been released (don't have any yet
        myself), people are starting to want some of these fixes merged."
      
      Willy doesn't have hardware? Guys...
      
      * git://git.infradead.org/users/willy/linux-nvme:
        NVMe: Cancel outstanding IOs on queue deletion
        NVMe: Free admin queue memory on initialisation failure
        NVMe: Use ida for nvme device instance
        NVMe: Fix whitespace damage in nvme_init
        NVMe: handle allocation failure in nvme_map_user_pages()
        NVMe: Fix uninitialized iod compiler warning
        NVMe: Do not set IO queue depth beyond device max
        NVMe: Set block queue max sectors
        NVMe: use namespace id for nvme_get_features
        NVMe: replace nvme_ns with nvme_dev for user admin
        NVMe: Fix nvme module init when nvme_major is set
        NVMe: Set request queue logical block size
      21e98932
  4. 29 9月, 2012 1 次提交
    • L
      mtdchar: fix offset overflow detection · 9c603e53
      Linus Torvalds 提交于
      Sasha Levin has been running trinity in a KVM tools guest, and was able
      to trigger the BUG_ON() at arch/x86/mm/pat.c:279 (verifying the range of
      the memory type).  The call trace showed that it was mtdchar_mmap() that
      created an invalid remap_pfn_range().
      
      The problem is that mtdchar_mmap() does various really odd and subtle
      things with the vma page offset etc, and uses the wrong types (and the
      wrong overflow) detection for it.
      
      For example, the page offset may well be 32-bit on a 32-bit
      architecture, but after shifting it up by PAGE_SHIFT, we need to use a
      potentially 64-bit resource_size_t to correctly hold the full value.
      
      Also, we need to check that the vma length plus offset doesn't overflow
      before we check that it is smaller than the length of the mtdmap region.
      
      This fixes things up and tries to make the code a bit easier to read.
      Reported-and-tested-by: NSasha Levin <levinsasha928@gmail.com>
      Acked-by: NSuresh Siddha <suresh.b.siddha@intel.com>
      Acked-by: NArtem Bityutskiy <dedekind1@gmail.com>
      Cc: David Woodhouse <dwmw2@infradead.org>
      Cc: linux-mtd@lists.infradead.org
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      9c603e53