1. 03 4月, 2009 9 次提交
    • M
      mm: do_xip_mapping_read: fix length calculation · 58984ce2
      Martin Schwidefsky 提交于
      The calculation of the value nr in do_xip_mapping_read is incorrect.  If
      the copy required more than one iteration in the do while loop the copies
      variable will be non-zero.  The maximum length that may be passed to the
      call to copy_to_user(buf+copied, xip_mem+offset, nr) is len-copied but the
      check only compares against (nr > len).
      
      This bug is the cause for the heap corruption Carsten has been chasing
      for so long:
      
      *** glibc detected *** /bin/bash: free(): invalid next size (normal): 0x00000000800e39f0 ***
      ======= Backtrace: =========
      /lib64/libc.so.6[0x200000b9b44]
      /lib64/libc.so.6(cfree+0x8e)[0x200000bdade]
      /bin/bash(free_buffered_stream+0x32)[0x80050e4e]
      /bin/bash(close_buffered_stream+0x1c)[0x80050ea4]
      /bin/bash(unset_bash_input+0x2a)[0x8001c366]
      /bin/bash(make_child+0x1d4)[0x8004115c]
      /bin/bash[0x8002fc3c]
      /bin/bash(execute_command_internal+0x656)[0x8003048e]
      /bin/bash(execute_command+0x5e)[0x80031e1e]
      /bin/bash(execute_command_internal+0x79a)[0x800305d2]
      /bin/bash(execute_command+0x5e)[0x80031e1e]
      /bin/bash(reader_loop+0x270)[0x8001efe0]
      /bin/bash(main+0x1328)[0x8001e960]
      /lib64/libc.so.6(__libc_start_main+0x100)[0x200000592a8]
      /bin/bash(clearerr+0x5e)[0x8001c092]
      
      With this bug fix the commit 0e4a9b59
      "ext2/xip: refuse to change xip flag during remount with busy inodes" can
      be removed again.
      
      Cc: Carsten Otte <cotte@de.ibm.com>
      Cc: Nick Piggin <npiggin@suse.de>
      Cc: Jared Hulbert <jaredeh@gmail.com>
      Cc: <stable@kernel.org>
      Signed-off-by: NMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      58984ce2
    • A
      random: align rekey_work's timer · 417b43d4
      Anton Blanchard 提交于
      Align rekey_work. Even though it's infrequent, we may as well line it up.
      Signed-off-by: NAnton Blanchard <anton@samba.org>
      Acked-by: NMatt Mackall <mpm@selenic.com>
      Cc: Theodore Ts'o <tytso@mit.edu>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      417b43d4
    • A
      mm: align vmstat_work's timer · 98f4ebb2
      Anton Blanchard 提交于
      Even though vmstat_work is marked deferrable, there are still benefits to
      aligning it.  For certain applications we want to keep OS jitter as low as
      possible and aligning timers and work so they occur together can reduce
      their overall impact.
      Signed-off-by: NAnton Blanchard <anton@samba.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      98f4ebb2
    • J
      writeback: guard against jiffies wraparound on inode->dirtied_when checks (try #3) · d2caa3c5
      Jeff Layton 提交于
      The dirtied_when value on an inode is supposed to represent the first time
      that an inode has one of its pages dirtied.  This value is in units of
      jiffies.  It's used in several places in the writeback code to determine
      when to write out an inode.
      
      The problem is that these checks assume that dirtied_when is updated
      periodically.  If an inode is continuously being used for I/O it can be
      persistently marked as dirty and will continue to age.  Once the time
      compared to is greater than or equal to half the maximum of the jiffies
      type, the logic of the time_*() macros inverts and the opposite of what is
      needed is returned.  On 32-bit architectures that's just under 25 days
      (assuming HZ == 1000).
      
      As the least-recently dirtied inode, it'll end up being the first one that
      pdflush will try to write out.  sync_sb_inodes does this check:
      
      	/* Was this inode dirtied after sync_sb_inodes was called? */
       	if (time_after(inode->dirtied_when, start))
       		break;
      
      ...but now dirtied_when appears to be in the future.  sync_sb_inodes bails
      out without attempting to write any dirty inodes.  When this occurs,
      pdflush will stop writing out inodes for this superblock.  Nothing can
      unwedge it until jiffies moves out of the problematic window.
      
      This patch fixes this problem by changing the checks against dirtied_when
      to also check whether it appears to be in the future.  If it does, then we
      consider the value to be far in the past.
      
      This should shrink the problematic window of time to such a small period
      (30s) as not to matter.
      Signed-off-by: NJeff Layton <jlayton@redhat.com>
      Signed-off-by: NWu Fengguang <fengguang.wu@intel.com>
      Acked-by: NIan Kent <raven@themaw.net>
      Cc: Jens Axboe <jens.axboe@oracle.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      d2caa3c5
    • A
      __tty_open(): use the correct type for saved_flags · 846c151a
      Andrew Morton 提交于
      filp->f_flags is unsigned, so use that type for the local copy.
      
      Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      846c151a
    • W
      vfs: skip I_CLEAR state inodes · b6fac63c
      Wu Fengguang 提交于
      clear_inode() will switch inode state from I_FREEING to I_CLEAR, and do so
      _outside_ of inode_lock.  So any I_FREEING testing is incomplete without a
      coupled testing of I_CLEAR.
      
      So add I_CLEAR tests to drop_pagecache_sb(), generic_sync_sb_inodes() and
      add_dquot_ref().
      
      Masayoshi MIZUMA discovered the bug in drop_pagecache_sb() and Jan Kara
      reminds fixing the other two cases.
      
      Masayoshi MIZUMA has a nice panic flow:
      
      =====================================================================
                  [process A]               |        [process B]
       |                                    |
       |    prune_icache()                  | drop_pagecache()
       |      spin_lock(&inode_lock)        |   drop_pagecache_sb()
       |      inode->i_state |= I_FREEING;  |       |
       |      spin_unlock(&inode_lock)      |       V
       |          |                         |     spin_lock(&inode_lock)
       |          V                         |         |
       |      dispose_list()                |         |
       |        list_del()                  |         |
       |        clear_inode()               |         |
       |          inode->i_state = I_CLEAR  |         |
       |            |                       |         V
       |            |                       |      if (inode->i_state & (I_FREEING|I_WILL_FREE))
       |            |                       |              continue;           <==== NOT MATCH
       |            |                       |
       |            |                       | (DANGER from here on! Accessing disposing inode!)
       |            |                       |
       |            |                       |      __iget()
       |            |                       |        list_move() <===== PANIC on poisoned list !!
       V            V                       |
      (time)
      =====================================================================
      Reported-by: NMasayoshi MIZUMA <m.mizuma@jp.fujitsu.com>
      Reviewed-by: NJan Kara <jack@suse.cz>
      Signed-off-by: NWu Fengguang <fengguang.wu@intel.com>
      Cc: <stable@kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      b6fac63c
    • D
      nommu: fix a number of issues with the per-MM VMA patch · 33e5d769
      David Howells 提交于
      Fix a number of issues with the per-MM VMA patch:
      
       (1) Make mmap_pages_allocated an atomic_long_t, just in case this is used on
           a NOMMU system with more than 2G pages.  Makes no difference on a 32-bit
           system.
      
       (2) Report vma->vm_pgoff * PAGE_SIZE as a 64-bit value, not a 32-bit value,
           lest it overflow.
      
       (3) Move the allocation of the vm_area_struct slab back for fork.c.
      
       (4) Use KMEM_CACHE() for both vm_area_struct and vm_region slabs.
      
       (5) Use BUG_ON() rather than if () BUG().
      
       (6) Make the default validate_nommu_regions() a static inline rather than a
           #define.
      
       (7) Make free_page_series()'s objection to pages with a refcount != 1 more
           informative.
      
       (8) Adjust the __put_nommu_region() banner comment to indicate that the
           semaphore must be held for writing.
      
       (9) Limit the number of warnings about munmaps of non-mmapped regions.
      Reported-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Cc: Greg Ungerer <gerg@snapgear.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      33e5d769
    • S
      fb: nvidiafb recognizes geforcego 7300 chip as mobile · 5482415a
      Sergey Senozhatsky 提交于
      nvidiafb recognizes geforcego 7300 chip as mobile
      Signed-off-by: NSergey Senozhatsky <sergey.senozhatsky@mail.by>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      5482415a
    • A
      generic debug pagealloc: build fix · ee3b4290
      Akinobu Mita 提交于
      This fixes a build failure with generic debug pagealloc:
      
        mm/debug-pagealloc.c: In function 'set_page_poison':
        mm/debug-pagealloc.c:8: error: 'struct page' has no member named 'debug_flags'
        mm/debug-pagealloc.c: In function 'clear_page_poison':
        mm/debug-pagealloc.c:13: error: 'struct page' has no member named 'debug_flags'
        mm/debug-pagealloc.c: In function 'page_poison':
        mm/debug-pagealloc.c:18: error: 'struct page' has no member named 'debug_flags'
        mm/debug-pagealloc.c: At top level:
        mm/debug-pagealloc.c:120: error: redefinition of 'kernel_map_pages'
        include/linux/mm.h:1278: error: previous definition of 'kernel_map_pages' was here
        mm/debug-pagealloc.c: In function 'kernel_map_pages':
        mm/debug-pagealloc.c:122: error: 'debug_pagealloc_enabled' undeclared (first use in this function)
      
      by fixing
      
       - debug_flags should be in struct page
       - define DEBUG_PAGEALLOC config option for all architectures
      Signed-off-by: NAkinobu Mita <akinobu.mita@gmail.com>
      Reported-by: NAlexander Beregalov <a.beregalov@gmail.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      ee3b4290
  2. 02 4月, 2009 17 次提交
  3. 01 4月, 2009 14 次提交