1. 21 4月, 2013 1 次提交
    • P
      events: Protect access via task_subsys_state_check() · c79aa0d9
      Paul E. McKenney 提交于
      The following RCU splat indicates lack of RCU protection:
      
      [  953.267649] ===============================
      [  953.267652] [ INFO: suspicious RCU usage. ]
      [  953.267657] 3.9.0-0.rc6.git2.4.fc19.ppc64p7 #1 Not tainted
      [  953.267661] -------------------------------
      [  953.267664] include/linux/cgroup.h:534 suspicious rcu_dereference_check() usage!
      [  953.267669]
      [  953.267669] other info that might help us debug this:
      [  953.267669]
      [  953.267675]
      [  953.267675] rcu_scheduler_active = 1, debug_locks = 0
      [  953.267680] 1 lock held by glxgears/1289:
      [  953.267683]  #0:  (&sig->cred_guard_mutex){+.+.+.}, at: [<c00000000027f884>] .prepare_bprm_creds+0x34/0xa0
      [  953.267700]
      [  953.267700] stack backtrace:
      [  953.267704] Call Trace:
      [  953.267709] [c0000001f0d1b6e0] [c000000000016e30] .show_stack+0x130/0x200 (unreliable)
      [  953.267717] [c0000001f0d1b7b0] [c0000000001267f8] .lockdep_rcu_suspicious+0x138/0x180
      [  953.267724] [c0000001f0d1b840] [c0000000001d43a4] .perf_event_comm+0x4c4/0x690
      [  953.267731] [c0000001f0d1b950] [c00000000027f6e4] .set_task_comm+0x84/0x1f0
      [  953.267737] [c0000001f0d1b9f0] [c000000000280414] .setup_new_exec+0x94/0x220
      [  953.267744] [c0000001f0d1ba70] [c0000000002f665c] .load_elf_binary+0x58c/0x19b0
      ...
      
      This commit therefore adds the required RCU read-side critical
      section to perf_event_comm().
      Reported-by: NAdam Jackson <ajax@redhat.com>
      Signed-off-by: NPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Cc: a.p.zijlstra@chello.nl
      Cc: paulus@samba.org
      Cc: acme@ghostprotocols.net
      Link: http://lkml.kernel.org/r/20130419190124.GA8638@linux.vnet.ibm.comSigned-off-by: NIngo Molnar <mingo@kernel.org>
      Tested-by: NGustavo Luiz Duarte <gusld@br.ibm.com>
      c79aa0d9
  2. 16 4月, 2013 1 次提交
    • S
      perf/x86: Fix offcore_rsp valid mask for SNB/IVB · f1923820
      Stephane Eranian 提交于
      The valid mask for both offcore_response_0 and
      offcore_response_1 was wrong for SNB/SNB-EP,
      IVB/IVB-EP. It was possible to write to
      reserved bit and cause a GP fault crashing
      the kernel.
      
      This patch fixes the problem by correctly marking the
      reserved bits in the valid mask for all the processors
      mentioned above.
      
      A distinction between desktop and server parts is introduced
      because bits 24-30 are only available on the server parts.
      
      This version of the  patch is just a rebase to perf/urgent tree
      and should apply to older kernels as well.
      Signed-off-by: NStephane Eranian <eranian@google.com>
      Cc: peterz@infradead.org
      Cc: jolsa@redhat.com
      Cc: gregkh@linuxfoundation.org
      Cc: security@kernel.org
      Cc: ak@linux.intel.com
      Signed-off-by: NIngo Molnar <mingo@kernel.org>
      f1923820
  3. 15 4月, 2013 11 次提交
  4. 14 4月, 2013 3 次提交
    • N
      watchdog: Revert the AT91RM9200_WATCHDOG dependency · 09549cd0
      Nicolas Ferre 提交于
      Compiling the at91rm9200_wdt.c driver without at91rm9200
      support was leading to several errors:
      
      drivers/built-in.o: In function `at91_wdt_close':
      at91_adc.c:(.text+0xc9fe4): undefined reference to `at91_st_base'
      drivers/built-in.o: In function `at91_wdt_write':
      at91_adc.c:(.text+0xca004): undefined reference to `at91_st_base'
      drivers/built-in.o: In function `at91wdt_shutdown':
      at91_adc.c:(.text+0xca01c): undefined reference to `at91_st_base'
      drivers/built-in.o: In function `at91wdt_suspend':
      at91_adc.c:(.text+0xca038): undefined reference to `at91_st_base'
      drivers/built-in.o: In function `at91_wdt_open':
      at91_adc.c:(.text+0xca0cc): undefined reference to `at91_st_base'
      drivers/built-in.o:at91_adc.c:(.text+0xca2c8): more undefined references to
      `at91_st_base' follow
      
      So, reverting the modification of the "depends" Kconfig line
      introduced by patch a6a1bcd3 (watchdog: at91rm9200: add DT support)
      seems to be the good solution.
      Signed-off-by: NNicolas Ferre <nicolas.ferre@atmel.com>
      Acked-by: NGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: NWim Van Sebroeck <wim@iguana.be>
      09549cd0
    • S
      vfs: Revert spurious fix to spinning prevention in prune_icache_sb · 5b55d708
      Suleiman Souhlal 提交于
      Revert commit 62a3ddef ("vfs: fix spinning prevention in prune_icache_sb").
      
      This commit doesn't look right: since we are looking at the tail of the
      list (sb->s_inode_lru.prev) if we want to skip an inode, we should put
      it back at the head of the list instead of the tail, otherwise we will
      keep spinning on it.
      
      Discovered when investigating why prune_icache_sb came top in perf
      reports of a swapping load.
      Signed-off-by: NSuleiman Souhlal <suleiman@google.com>
      Signed-off-by: NHugh Dickins <hughd@google.com>
      Cc: stable@vger.kernel.org # v3.2+
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      5b55d708
    • L
      kobject: fix kset_find_obj() race with concurrent last kobject_put() · a49b7e82
      Linus Torvalds 提交于
      Anatol Pomozov identified a race condition that hits module unloading
      and re-loading.  To quote Anatol:
      
       "This is a race codition that exists between kset_find_obj() and
        kobject_put().  kset_find_obj() might return kobject that has refcount
        equal to 0 if this kobject is freeing by kobject_put() in other
        thread.
      
        Here is timeline for the crash in case if kset_find_obj() searches for
        an object tht nobody holds and other thread is doing kobject_put() on
        the same kobject:
      
          THREAD A (calls kset_find_obj())     THREAD B (calls kobject_put())
          splin_lock()
                                               atomic_dec_return(kobj->kref), counter gets zero here
                                               ... starts kobject cleanup ....
                                               spin_lock() // WAIT thread A in kobj_kset_leave()
          iterate over kset->list
          atomic_inc(kobj->kref) (counter becomes 1)
          spin_unlock()
                                               spin_lock() // taken
                                               // it does not know that thread A increased counter so it
                                               remove obj from list
                                               spin_unlock()
                                               vfree(module) // frees module object with containing kobj
      
          // kobj points to freed memory area!!
          kobject_put(kobj) // OOPS!!!!
      
        The race above happens because module.c tries to use kset_find_obj()
        when somebody unloads module.  The module.c code was introduced in
        commit 6494a93d"
      
      Anatol supplied a patch specific for module.c that worked around the
      problem by simply not using kset_find_obj() at all, but rather than make
      a local band-aid, this just fixes kset_find_obj() to be thread-safe
      using the proper model of refusing the get a new reference if the
      refcount has already dropped to zero.
      
      See examples of this proper refcount handling not only in the kref
      documentation, but in various other equivalent uses of this pattern by
      grepping for atomic_inc_not_zero().
      
      [ Side note: the module race does indicate that module loading and
        unloading is not properly serialized wrt sysfs information using the
        module mutex.  That may require further thought, but this is the
        correct fix at the kobject layer regardless. ]
      Reported-analyzed-and-tested-by: NAnatol Pomozov <anatol.pomozov@gmail.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: stable@vger.kernel.org
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      a49b7e82
  5. 13 4月, 2013 7 次提交
    • J
      Btrfs: make sure nbytes are right after log replay · 4bc4bee4
      Josef Bacik 提交于
      While trying to track down a tree log replay bug I noticed that fsck was always
      complaining about nbytes not being right for our fsynced file.  That is because
      the new fsync stuff doesn't wait for ordered extents to complete, so the inodes
      nbytes are not necessarily updated properly when we log it.  So to fix this we
      need to set nbytes to whatever it is on the inode that is on disk, so when we
      replay the extents we can just add the bytes that are being added as we replay
      the extent.  This makes it work for the case that we have the wrong nbytes or
      the case that we logged everything and nbytes is actually correct.  With this
      I'm no longer getting nbytes errors out of btrfsck.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NJosef Bacik <jbacik@fusionio.com>
      Signed-off-by: NChris Mason <chris.mason@fusionio.com>
      4bc4bee4
    • D
      x86-32: Fix possible incomplete TLB invalidate with PAE pagetables · 1de14c3c
      Dave Hansen 提交于
      This patch attempts to fix:
      
      	https://bugzilla.kernel.org/show_bug.cgi?id=56461
      
      The symptom is a crash and messages like this:
      
      	chrome: Corrupted page table at address 34a03000
      	*pdpt = 0000000000000000 *pde = 0000000000000000
      	Bad pagetable: 000f [#1] PREEMPT SMP
      
      Ingo guesses this got introduced by commit 611ae8e3 ("x86/tlb:
      enable tlb flush range support for x86") since that code started to free
      unused pagetables.
      
      On x86-32 PAE kernels, that new code has the potential to free an entire
      PMD page and will clear one of the four page-directory-pointer-table
      (aka pgd_t entries).
      
      The hardware aggressively "caches" these top-level entries and invlpg
      does not actually affect the CPU's copy.  If we clear one we *HAVE* to
      do a full TLB flush, otherwise we might continue using a freed pmd page.
      (note, we do this properly on the population side in pud_populate()).
      
      This patch tracks whenever we clear one of these entries in the 'struct
      mmu_gather', and ensures that we follow up with a full tlb flush.
      
      BTW, I disassembled and checked that:
      
      	if (tlb->fullmm == 0)
      and
      	if (!tlb->fullmm && !tlb->need_flush_all)
      
      generate essentially the same code, so there should be zero impact there
      to the !PAE case.
      Signed-off-by: NDave Hansen <dave.hansen@linux.intel.com>
      Cc: Peter Anvin <hpa@zytor.com>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: Artem S Tashkinov <t.artem@mailcity.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      1de14c3c
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending · bf81710c
      Linus Torvalds 提交于
      Pull SCSI target fixes from Nicholas Bellinger:
       "Here are remaining target-pending items for v3.9-rc7 code.
      
        The tcm_vhost patches are more than I'd usually include in a -rc7
        pull, but are changes required for v3.9 to work correctly with the
        pending vhost-scsi-pci QEMU upstream series merge.  (Paolo CC'ed)
      
        Plus Asias's conversion to use vhost_virtqueue->private_data + RCU for
        managing vhost-scsi endpoints has gotten alot of review + testing over
        the past weeks, and MST has ACKed the full series.
      
        Also, there is a target patch to fix a long-standing bug within
        control CDB handling with Standby/Offline/Transition ALUA port access
        states, that had been incorrectly rejecting the control CDBs required
        for LUN scan to work during these port group states.  CC'ing to
        stable."
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending:
        target: Fix incorrect fallthrough of ALUA Standby/Offline/Transition CDBs
        tcm_vhost: Send bad target to guest when cmd fails
        tcm_vhost: Add vhost_scsi_send_bad_target() helper
        tcm_vhost: Fix tv_cmd leak in vhost_scsi_handle_vq
        tcm_vhost: Remove double check of response
        tcm_vhost: Initialize vq->last_used_idx when set endpoint
        tcm_vhost: Use vq->private_data to indicate if the endpoint is setup
        tcm_vhost: Use ACCESS_ONCE for vs->vs_tpg[target] access
      bf81710c
    • L
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 90f340e2
      Linus Torvalds 提交于
      Pull SCSI fixes from James Bottomley:
       "This is a set of ten bug fixes (and two consisting of copyright year
        update and version number change) pretty much all of which involve
        either a crash or a hang except the removal of the random sleep from
        the qla2xxx driver (which is a coding error so bad, we want it gone
        before anyone has a chance to copy it)."
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        [SCSI] lpfc: fix potential NULL pointer dereference in lpfc_sli4_rq_put()
        [SCSI] libsas: fix handling vacant phy in sas_set_ex_phy()
        [SCSI] ibmvscsi: Fix slave_configure deadlock
        [SCSI] qla2xxx: Update the driver version to 8.04.00.13-k.
        [SCSI] qla2xxx: Remove debug code that msleeps for random duration.
        [SCSI] qla2xxx: Update copyright dates information in LICENSE.qla2xxx file.
        [SCSI] qla2xxx: Fix crash during firmware dump procedure.
        [SCSI] Revert "qla2xxx: Add setting of driver version string for vendor application."
        [SCSI] ipr: dlpar failed when adding an adapter back
        [SCSI] ipr: fix addition of abort command to HRRQ free queue
        [SCSI] st: Take additional queue ref in st_probe
        [SCSI] libsas: use right function to alloc smp response
        [SCSI] ipr: ipr_test_msi() fails when running with msi-x enabled adapter
      90f340e2
    • L
      Merge branch 'for-next' of git://git.samba.org/sfrench/cifs-2.6 · 0b1fd266
      Linus Torvalds 提交于
      Pull CIFS fix from Steve French:
       "Fixes a regression in cifs in which a password which begins with a
        comma is parsed incorrectly as a blank password"
      
      * 'for-next' of git://git.samba.org/sfrench/cifs-2.6:
        cifs: Allow passwords which begin with a delimitor
      0b1fd266
    • S
      ftrace: Move ftrace_filter_lseek out of CONFIG_DYNAMIC_FTRACE section · 7f49ef69
      Steven Rostedt (Red Hat) 提交于
      As ftrace_filter_lseek is now used with ftrace_pid_fops, it needs to
      be moved out of the #ifdef CONFIG_DYNAMIC_FTRACE section as the
      ftrace_pid_fops is defined when DYNAMIC_FTRACE is not.
      
      Cc: stable@vger.kernel.org
      Cc: Namhyung Kim <namhyung@kernel.org>
      Signed-off-by: NSteven Rostedt <rostedt@goodmis.org>
      7f49ef69
    • N
      tracing: Fix possible NULL pointer dereferences · 6a76f8c0
      Namhyung Kim 提交于
      Currently set_ftrace_pid and set_graph_function files use seq_lseek
      for their fops.  However seq_open() is called only for FMODE_READ in
      the fops->open() so that if an user tries to seek one of those file
      when she open it for writing, it sees NULL seq_file and then panic.
      
      It can be easily reproduced with following command:
      
        $ cd /sys/kernel/debug/tracing
        $ echo 1234 | sudo tee -a set_ftrace_pid
      
      In this example, GNU coreutils' tee opens the file with fopen(, "a")
      and then the fopen() internally calls lseek().
      
      Link: http://lkml.kernel.org/r/1365663302-2170-1-git-send-email-namhyung@kernel.org
      
      Cc: Frederic Weisbecker <fweisbec@gmail.com>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: Namhyung Kim <namhyung.kim@lge.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NNamhyung Kim <namhyung@kernel.org>
      Signed-off-by: NSteven Rostedt <rostedt@goodmis.org>
      6a76f8c0
  6. 12 4月, 2013 17 次提交