1. 11 3月, 2011 1 次提交
    • T
      SUNRPC: Close a race in __rpc_wait_for_completion_task() · bf294b41
      Trond Myklebust 提交于
      Although they run as rpciod background tasks, under normal operation
      (i.e. no SIGKILL), functions like nfs_sillyrename(), nfs4_proc_unlck()
      and nfs4_do_close() want to be fully synchronous. This means that when we
      exit, we want all references to the rpc_task to be gone, and we want
      any dentry references etc. held by that task to be released.
      
      For this reason these functions call __rpc_wait_for_completion_task(),
      followed by rpc_put_task() in the expectation that the latter will be
      releasing the last reference to the rpc_task, and thus ensuring that the
      callback_ops->rpc_release() has been called synchronously.
      
      This patch fixes a race which exists due to the fact that
      rpciod calls rpc_complete_task() (in order to wake up the callers of
      __rpc_wait_for_completion_task()) and then subsequently calls
      rpc_put_task() without ensuring that these two steps are done atomically.
      
      In order to avoid adding new spin locks, the patch uses the existing
      waitqueue spin lock to order the rpc_task reference count releases between
      the waiting process and rpciod.
      The common case where nobody is waiting for completion is optimised for by
      checking if the RPC_TASK_ASYNC flag is cleared and/or if the rpc_task
      reference count is 1: in those cases we drop trying to grab the spin lock,
      and immediately free up the rpc_task.
      
      Those few processes that need to put the rpc_task from inside an
      asynchronous context and that do not care about ordering are given a new
      helper: rpc_put_task_async().
      Signed-off-by: NTrond Myklebust <Trond.Myklebust@netapp.com>
      bf294b41
  2. 08 3月, 2011 2 次提交
  3. 07 3月, 2011 2 次提交
  4. 06 3月, 2011 2 次提交
  5. 05 3月, 2011 22 次提交
  6. 04 3月, 2011 11 次提交
    • M
      Blackfin: iflush: update anomaly 05000491 workaround · be1229b4
      Mike Frysinger 提交于
      Recent feedback from design says we need three NOPs in the hardware loop.
      Signed-off-by: NMike Frysinger <vapier@gentoo.org>
      be1229b4
    • M
      Blackfin: outs[lwb]: make sure count is greater than 0 · bb7b1129
      Mike Frysinger 提交于
      Some devices will use the outs* funcs with a length of zero, so make sure
      we do not write any data in that case.
      Reported-by: NGilbert Inho <gneny@edevice.com>
      Signed-off-by: NMike Frysinger <vapier@gentoo.org>
      bb7b1129
    • K
      ARM: mach-shmobile: mackerel: modify LCDC clock divider value · 2c34e939
      Kuninori Morimoto 提交于
      mackerel WVGA LCDC panel expect 33.3MHz for dot-clock,
      but current dot-clock was 50.0MHz.
      This patch modify clock divider value.
      Signed-off-by: NMakoto Ueda <makoto.ueda.ub@renesas.com>
      Signed-off-by: NKuninori Morimoto <kuninori.morimoto.gx@renesas.com>
      Signed-off-by: NPaul Mundt <lethal@linux-sh.org>
      2c34e939
    • K
      ARM: mach-shmobile: ap4evb: modify LCDC clock divider value · f60cb470
      Kuninori Morimoto 提交于
      ap4evb WVGA LCDC panel expect 33.3MHz for dot-clock,
      but current dot-clock was 50.0MHz.
      This patch modify clock divider value.
      Signed-off-by: NMakoto Ueda <makoto.ueda.ub@renesas.com>
      Signed-off-by: NKuninori Morimoto <kuninori.morimoto.gx@renesas.com>
      Signed-off-by: NPaul Mundt <lethal@linux-sh.org>
      f60cb470
    • B
      drm/nouveau: allocate kernel's notifier object at end of block · 73412c38
      Ben Skeggs 提交于
      The nv30/nv40 3d driver is about to start using DMA_FENCE from the 3D
      object which, it turns out, doesn't like its DMA object to not be
      aligned to a 4KiB boundary.
      Signed-off-by: NBen Skeggs <bskeggs@redhat.com>
      Signed-off-by: NDave Airlie <airlied@redhat.com>
      73412c38
    • L
      Merge branch 'for-linus' of... · b65a0e0c
      Linus Torvalds 提交于
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
        DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076]
      b65a0e0c
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 · 4438a02f
      Linus Torvalds 提交于
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (42 commits)
        MAINTAINERS: Add Andy Gospodarek as co-maintainer.
        r8169: disable ASPM
        RxRPC: Fix v1 keys
        AF_RXRPC: Handle receiving ACKALL packets
        cnic: Fix lost interrupt on bnx2x
        cnic: Prevent status block race conditions with hardware
        net: dcbnl: check correct ops in dcbnl_ieee_set()
        e1000e: disable broken PHY wakeup for ICH10 LOMs, use MAC wakeup instead
        igb: fix sparse warning
        e1000: fix sparse warning
        netfilter: nf_log: avoid oops in (un)bind with invalid nfproto values
        dccp: fix oops on Reset after close
        ipvs: fix dst_lock locking on dest update
        davinci_emac: Add Carrier Link OK check in Davinci RX Handler
        bnx2x: update driver version to 1.62.00-6
        bnx2x: properly calculate lro_mss
        bnx2x: perform statistics "action" before state transition.
        bnx2x: properly configure coefficients for MinBW algorithm (NPAR mode).
        bnx2x: Fix ethtool -t link test for MF (non-pmf) devices.
        bnx2x: Fix nvram test for single port devices.
        ...
      4438a02f
    • L
      Merge branch 'for-linus' of git://git.kernel.dk/linux-2.6-block · fb4b10ab
      Linus Torvalds 提交于
      * 'for-linus' of git://git.kernel.dk/linux-2.6-block:
        block: kill loop_mutex
        blktrace: Remove blk_fill_rwbs_rq.
        block: blk-flush shouldn't call directly into q->request_fn() __blk_run_queue()
        block: add @force_kblockd to __blk_run_queue()
        block: fix kernel-doc format for blkdev_issue_zeroout
        blk-throttle: Do not use kblockd workqueue for throtl work
      fb4b10ab
    • L
      Merge branch 'i_nlink' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 · 83360269
      Linus Torvalds 提交于
      * 'i_nlink' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6:
        hfs: fix rename() over non-empty directory
        udf: fix i_nlink limit
        fix reiserfs mkdir() breakage
        exofs: i_nlink races in rename()
        nilfs2: i_nlink races in rename()
        minix: i_nlink races in rename()
        ufs: i_nlink races in rename()
        sysv: i_nlink races in rename()
      83360269
    • D
      DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076] · 1362fa07
      David Howells 提交于
      When a DNS resolver key is instantiated with an error indication, attempts to
      read that key will result in an oops because user_read() is expecting there to
      be a payload - and there isn't one [CVE-2011-1076].
      
      Give the DNS resolver key its own read handler that returns the error cached in
      key->type_data.x[0] as an error rather than crashing.
      
      Also make the kenter() at the beginning of dns_resolver_instantiate() limit the
      amount of data it prints, since the data is not necessarily NUL-terminated.
      
      The buggy code was added in:
      
      	commit 4a2d7892
      	Author: Wang Lei <wang840925@gmail.com>
      	Date:   Wed Aug 11 09:37:58 2010 +0100
      	Subject: DNS: If the DNS server returns an error, allow that to be cached [ver #2]
      
      This can trivially be reproduced by any user with the following program
      compiled with -lkeyutils:
      
      	#include <stdlib.h>
      	#include <keyutils.h>
      	#include <err.h>
      	static char payload[] = "#dnserror=6";
      	int main()
      	{
      		key_serial_t key;
      		key = add_key("dns_resolver", "a", payload, sizeof(payload),
      			      KEY_SPEC_SESSION_KEYRING);
      		if (key == -1)
      			err(1, "add_key");
      		if (keyctl_read(key, NULL, 0) == -1)
      			err(1, "read_key");
      		return 0;
      	}
      
      What should happen is that keyctl_read() reports error 6 (ENXIO) to the user:
      
      	dns-break: read_key: No such device or address
      
      but instead the kernel oopses.
      
      This cannot be reproduced with the 'keyutils add' or 'keyutils padd' commands
      as both of those cut the data down below the NUL termination that must be
      included in the data.  Without this dns_resolver_instantiate() will return
      -EINVAL and the key will not be instantiated such that it can be read.
      
      The oops looks like:
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
      IP: [<ffffffff811b99f7>] user_read+0x4f/0x8f
      PGD 3bdf8067 PUD 385b9067 PMD 0
      Oops: 0000 [#1] SMP
      last sysfs file: /sys/devices/pci0000:00/0000:00:19.0/irq
      CPU 0
      Modules linked in:
      
      Pid: 2150, comm: dns-break Not tainted 2.6.38-rc7-cachefs+ #468                  /DG965RY
      RIP: 0010:[<ffffffff811b99f7>]  [<ffffffff811b99f7>] user_read+0x4f/0x8f
      RSP: 0018:ffff88003bf47f08  EFLAGS: 00010246
      RAX: 0000000000000001 RBX: ffff88003b5ea378 RCX: ffffffff81972368
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003b5ea378
      RBP: ffff88003bf47f28 R08: ffff88003be56620 R09: 0000000000000000
      R10: 0000000000000395 R11: 0000000000000002 R12: 0000000000000000
      R13: 0000000000000000 R14: 0000000000000000 R15: ffffffffffffffa1
      FS:  00007feab5751700(0000) GS:ffff88003e000000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000000010 CR3: 000000003de40000 CR4: 00000000000006f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process dns-break (pid: 2150, threadinfo ffff88003bf46000, task ffff88003be56090)
      Stack:
       ffff88003b5ea378 ffff88003b5ea3a0 0000000000000000 0000000000000000
       ffff88003bf47f68 ffffffff811b708e ffff88003c442bc8 0000000000000000
       00000000004005a0 00007fffba368060 0000000000000000 0000000000000000
      Call Trace:
       [<ffffffff811b708e>] keyctl_read_key+0xac/0xcf
       [<ffffffff811b7c07>] sys_keyctl+0x75/0xb6
       [<ffffffff81001f7b>] system_call_fastpath+0x16/0x1b
      Code: 75 1f 48 83 7b 28 00 75 18 c6 05 58 2b fb 00 01 be bb 00 00 00 48 c7 c7 76 1c 75 81 e8 13 c2 e9 ff 4c 8b b3 e0 00 00 00 4d 85 ed <41> 0f b7 5e 10 74 2d 4d 85 e4 74 28 e8 98 79 ee ff 49 39 dd 48
      RIP  [<ffffffff811b99f7>] user_read+0x4f/0x8f
       RSP <ffff88003bf47f08>
      CR2: 0000000000000010
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Acked-by: NJeff Layton <jlayton@redhat.com>
      cc: Wang Lei <wang840925@gmail.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      1362fa07
    • S
      libceph: retry after authorization failure · 692d20f5
      Sage Weil 提交于
      If we mark the connection CLOSED we will give up trying to reconnect to
      this server instance.  That is appropriate for things like a protocol
      version mismatch that won't change until the server is restarted, at which
      point we'll get a new addr and reconnect.  An authorization failure like
      this is probably due to the server not properly rotating it's secret keys,
      however, and should be treated as transient so that the normal backoff and
      retry behavior kicks in.
      Signed-off-by: NSage Weil <sage@newdream.net>
      692d20f5