1. 05 10月, 2011 7 次提交
  2. 04 10月, 2011 13 次提交
  3. 03 10月, 2011 2 次提交
    • M
      [SCSI] libsas: fix panic when single phy is disabled on a wide port · a73914c3
      Mark Salyzyn 提交于
      When a wide port is being utilized to a target, if one disables only one
      of the
      phys, we get an OS crash:
      
      BUG: unable to handle kernel NULL pointer dereference at
      0000000000000238
      IP: [<ffffffff814ca9b1>] mutex_lock+0x21/0x50
      PGD 4103f5067 PUD 41dba9067 PMD 0
      Oops: 0002 [#1] SMP
      last sysfs file: /sys/bus/pci/slots/5/address
      CPU 0
      Modules linked in: pm8001(U) ses enclosure fuse nfsd exportfs autofs4
      ipmi_devintf ipmi_si ipmi_msghandler nfs lockd fscache nfs_acl
      auth_rpcgss 8021q fcoe libfcoe garp libfc scsi_transport_fc stp scsi_tgt
      llc sunrpc cpufreq_ondemand acpi_cpufreq freq_table ipv6 sr_mod cdrom
      dm_mirror dm_region_hash dm_log uinput sg i2c_i801 i2c_core iTCO_wdt
      iTCO_vendor_support e1000e mlx4_ib ib_mad ib_core mlx4_en mlx4_core ext3
      jbd mbcache sd_mod crc_t10dif usb_storage ata_generic pata_acpi ata_piix
      libsas(U) scsi_transport_sas dm_mod [last unloaded: pm8001]
      
      Modules linked in: pm8001(U) ses enclosure fuse nfsd exportfs autofs4
      ipmi_devintf ipmi_si ipmi_msghandler nfs lockd fscache nfs_acl
      auth_rpcgss 8021q fcoe libfcoe garp libfc scsi_transport_fc stp scsi_tgt
      llc sunrpc cpufreq_ondemand acpi_cpufreq freq_table ipv6 sr_mod cdrom
      dm_mirror dm_region_hash dm_log uinput sg i2c_i801 i2c_core iTCO_wdt
      iTCO_vendor_support e1000e mlx4_ib ib_mad ib_core mlx4_en mlx4_core ext3
      jbd mbcache sd_mod crc_t10dif usb_storage ata_generic pata_acpi ata_piix
      libsas(U) scsi_transport_sas dm_mod [last unloaded: pm8001]
      Pid: 5146, comm: scsi_wq_5 Not tainted
      2.6.32-71.29.1.el6.lustre.7.x86_64 #1 Storage Server
      RIP: 0010:[<ffffffff814ca9b1>]  [<ffffffff814ca9b1>]
      mutex_lock+0x21/0x50
      RSP: 0018:ffff8803e4e33d30  EFLAGS: 00010246
      RAX: 0000000000000000 RBX: 0000000000000238 RCX: 0000000000000000
      RDX: 0000000000000000 RSI: ffff8803e664c800 RDI: 0000000000000238
      RBP: ffff8803e4e33d40 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
      R13: 0000000000000238 R14: ffff88041acb7200 R15: ffff88041c51ada0
      FS:  0000000000000000(0000) GS:ffff880028200000(0000)
      knlGS:0000000000000000
      CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
      CR2: 0000000000000238 CR3: 0000000410143000 CR4: 00000000000006f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process scsi_wq_5 (pid: 5146, threadinfo ffff8803e4e32000, task
      ffff8803e4e294a0)
      Stack:
       ffff8803e664c800 0000000000000000 ffff8803e4e33d70 ffffffffa001f06e
      <0> ffff8803e4e33d60 ffff88041c51ada0 ffff88041acb7200 ffff88041bc0aa00
      <0> ffff8803e4e33d90 ffffffffa0032b6c 0000000000000014 ffff88041acb7200
      Call Trace:
       [<ffffffffa001f06e>] sas_port_delete_phy+0x2e/0xa0 [scsi_transport_sas]
       [<ffffffffa0032b6c>] sas_unregister_devs_sas_addr+0xac/0xe0 [libsas]
       [<ffffffffa0034914>] sas_ex_revalidate_domain+0x204/0x330 [libsas]
       [<ffffffffa00307f0>] ? sas_revalidate_domain+0x0/0x90 [libsas]
       [<ffffffffa0030855>] sas_revalidate_domain+0x65/0x90 [libsas]
       [<ffffffff8108c7d0>] worker_thread+0x170/0x2a0
       [<ffffffff81091ea0>] ? autoremove_wake_function+0x0/0x40
       [<ffffffff8108c660>] ? worker_thread+0x0/0x2a0
       [<ffffffff81091b36>] kthread+0x96/0xa0
       [<ffffffff810141ca>] child_rip+0xa/0x20
       [<ffffffff81091aa0>] ? kthread+0x0/0xa0
       [<ffffffff810141c0>] ? child_rip+0x0/0x20
      Code: ff ff 85 c0 75 ed eb d6 66 90 55 48 89 e5 48 83 ec 10 48 89 1c 24
      4c 89 64 24 08 0f 1f 44 00 00 48 89 fb e8 92 f4 ff ff 48 89 df <f0> ff
      0f 79 05 e8 25 00 00 00 65 48 8b 04 25 08 cc 00 00 48 2d
      RIP  [<ffffffff814ca9b1>] mutex_lock+0x21/0x50
       RSP <ffff8803e4e33d30>
      CR2: 0000000000000238
      
      The following patch is admittedly a band-aid, and does not solve the
      root cause, but it still is a good candidate for hardening as a pointer
      check before reference.
      Signed-off-by: NMark Salyzyn <mark_salyzyn@us.xyratex.com>
      Tested-by: NJack Wang <jack_wang@usish.com>
      Cc: stable@kernel.org
      Signed-off-by: NJames Bottomley <JBottomley@Parallels.com>
      a73914c3
    • R
      [SCSI] qla2xxx: Fix crash in qla2x00_abort_all_cmds() on unload · 9bfacd01
      Roland Dreier 提交于
      I hit a crash in qla2x00_abort_all_cmds() if the qla2xxx module is
      unloaded right after it is loaded.  I debugged this down to the abort
      handling improperly treating a command of type SRB_ADISC_CMD as if it
      had a bsg_job to complete when that command actually uses the iocb_cmd
      part of the union.  (I guess to hit this one has to unload the module
      while the async FC initialization is still in progress)
      
      It seems we should only look for a bsg_job if type is SRB_ELS_CMD_RPT,
      SRB_ELS_CMD_HST or SRB_CT_CMD, so switch the test to make that explicit.
      Signed-off-by: NRoland Dreier <roland@purestorage.com>
      Acked-by: NChad Dupuis <chad.dupuis@qlogic.com>
      Cc: stable@kernel.org
      Signed-off-by: NJames Bottomley <JBottomley@Parallels.com>
      9bfacd01
  4. 29 9月, 2011 3 次提交
  5. 28 9月, 2011 5 次提交
  6. 27 9月, 2011 4 次提交
    • M
      ath9k: Fix a dma warning/memory leak · ba542385
      Mohammed Shafi Shajakhan 提交于
      proper dma_unmapping and freeing of skb's has to be done in the rx
      cleanup for EDMA chipsets when the device is unloaded and this also
      seems to address the following warning which shows up occasionally when
      the device is unloaded
      
      	Call Trace:
      	[<c0148cd2>] warn_slowpath_common+0x72/0xa0
      	[<c03b669c>] ? dma_debug_device_change+0x19c/0x200
      	[<c03b669c>] ? dma_debug_device_change+0x19c/0x200
      	[<c0148da3>] warn_slowpath_fmt+0x33/0x40
      	[<c03b669c>] dma_debug_device_change+0x19c/0x200
      	[<c0657f12>] notifier_call_chain+0x82/0xb0
      	[<c0171370>] __blocking_notifier_call_chain+0x60/0x90
      	[<c01713bf>] blocking_notifier_call_chain+0x1f/0x30
      	[<c044f594>] __device_release_driver+0xa4/0xc0
      	[<c044f647>] driver_detach+0x97/0xa0
      	[<c044e65c>] bus_remove_driver+0x6c/0xe0
      	[<c029af0b>] ? sysfs_addrm_finish+0x4b/0x60
      	[<c0450109>] driver_unregister+0x49/0x80
      	[<c0299f54>] ? sysfs_remove_file+0x14/0x20
      	[<c03c3ab2>] pci_unregister_driver+0x32/0x80
      	[<f92c2162>] ath_pci_exit+0x12/0x20 [ath9k]
      	[<f92c8467>] ath9k_exit+0x17/0x36 [ath9k]
      	[<c06523cd>] ? mutex_unlock+0xd/0x10
      	[<c018e27f>] sys_delete_module+0x13f/0x200
      	[<c02139bb>] ? sys_munmap+0x4b/0x60
      	[<c06547c5>] ? restore_all+0xf/0xf
      	[<c0657a20>] ? spurious_fault+0xe0/0xe0
      	[<c01832f4>] ? trace_hardirqs_on_caller+0xf4/0x180
      	[<c065b863>] sysenter_do_call+0x12/0x38
      	 ---[ end trace 16e1c1521c06bcf9 ]---
      	Mapped at:
      	[<c03b7938>] debug_dma_map_page+0x48/0x120
      	[<f92ba3e8>] ath_rx_init+0x3f8/0x4b0 [ath9k]
      	[<f92b5ae4>] ath9k_init_device+0x4c4/0x7b0 [ath9k]
      	[<f92c2813>] ath_pci_probe+0x263/0x330 [ath9k]
      Signed-off-by: NMohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      ba542385
    • L
      rtlwifi: rtl8192cu: Fix unitialized struct · 831d8547
      Larry Finger 提交于
      Driver rtl8192cu assigns a new struct rtl_tcb_desc object, but fails to
      clear it.
      Signed-off-by: NLarry Finger <Larry.Finger@lwfinger.net>
      Cc: Stable <stable@kernel.org>  [2.6.39+]
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      831d8547
    • J
      iwlagn: fix dangling scan request · 6c80c39d
      Johannes Berg 提交于
      If iwl_scan_initiate() fails for any reason,
      priv->scan_request and priv->scan_vif are left
      dangling. This can lead to a crash later when
      iwl_bg_scan_completed() tries to run a pending
      scan request.
      
      In practice, this seems to be very rare due to
      the STATUS_SCANNING check earlier. That check,
      however, is wrong -- it should allow a scan to
      be queued when a reset/roc scan is going on.
      When a normal scan is already going on, a new
      one can't be issued by mac80211, so that code
      can be removed completely. I introduced this
      bug when adding off-channel support in commit
      266af4c7.
      
      Cc: stable@kernel.org [3.0]
      Reported-by: NPeng Yan <peng.yan@intel.com>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NWey-Yi Guy <wey-yi.w.guy@intel.com>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      6c80c39d
    • R
      PM / Clocks: Do not acquire a mutex under a spinlock · e8b364b8
      Rafael J. Wysocki 提交于
      Commit b7ab83ed (PM: Use spinlock instead of mutex in clock
      management functions) introduced a regression causing clocks_mutex
      to be acquired under a spinlock.  This happens because
      pm_clk_suspend() and pm_clk_resume() call pm_clk_acquire() under
      pcd->lock, but pm_clk_acquire() executes clk_get() which causes
      clocks_mutex to be acquired.  Similarly, __pm_clk_remove(),
      executed under pcd->lock, calls clk_put(), which also causes
      clocks_mutex to be acquired.
      
      To fix those problems make pm_clk_add() call pm_clk_acquire(), so
      that pm_clk_suspend() and pm_clk_resume() don't have to do that.
      Change pm_clk_remove() and pm_clk_destroy() to separate
      modifications of the pcd->clock_list list from the actual removal of
      PM clock entry objects done by __pm_clk_remove().
      Reported-and-tested-by: NGuennadi Liakhovetski <g.liakhovetski@gmx.de>
      Signed-off-by: NRafael J. Wysocki <rjw@sisk.pl>
      Acked-by: NRussell King <rmk+kernel@arm.linux.org.uk>
      e8b364b8
  7. 26 9月, 2011 3 次提交
    • P
      [S390] cio: fix cio_tpi ignoring adapter interrupts · a681887f
      Peter Oberparleiter 提交于
      Ensure that adapter interrupts are correctly processed when they are
      retrieved using TEST PENDING INTERRUPTION.
      Signed-off-by: NPeter Oberparleiter <peter.oberparleiter@de.ibm.com>
      Signed-off-by: NMartin Schwidefsky <schwidefsky@de.ibm.com>
      a681887f
    • J
      [SCSI] 3w-9xxx: fix iommu_iova leak · 96067723
      James Bottomley 提交于
      Following reports on the list, it looks like the 3e-9xxx driver will leak dma
      mappings every time we get a transient queueing error back from the card.
      This is because it maps the sg list in the routine that sends the command, but
      doesn't unmap again in the transient failure path (even though the command is
      sent back to the block layer).  Fix by unmapping before returning the status.
      Reported-by: NChris Boot <bootc@bootc.net>
      Tested-by: NChris Boot <bootc@bootc.net>
      Acked-by: NAdam Radford <aradford@gmail.com>
      Cc: stable@kernel.org
      Signed-off-by: NJames Bottomley <JBottomley@Parallels.com>
      96067723
    • N
      [SCSI] cxgb3i: convert cdev->l2opt to use rcu to prevent NULL dereference · e48f129c
      Neil Horman 提交于
      This oops was reported recently:
      d:mon> e
      cpu 0xd: Vector: 300 (Data Access) at [c0000000fd4c7120]
          pc: d00000000076f194: .t3_l2t_get+0x44/0x524 [cxgb3]
          lr: d000000000b02108: .init_act_open+0x150/0x3d4 [cxgb3i]
          sp: c0000000fd4c73a0
         msr: 8000000000009032
         dar: 0
       dsisr: 40000000
        current = 0xc0000000fd640d40
        paca    = 0xc00000000054ff80
          pid   = 5085, comm = iscsid
      d:mon> t
      [c0000000fd4c7450] d000000000b02108 .init_act_open+0x150/0x3d4 [cxgb3i]
      [c0000000fd4c7500] d000000000e45378 .cxgbi_ep_connect+0x784/0x8e8 [libcxgbi]
      [c0000000fd4c7650] d000000000db33f0 .iscsi_if_rx+0x71c/0xb18
      [scsi_transport_iscsi2]
      [c0000000fd4c7740] c000000000370c9c .netlink_data_ready+0x40/0xa4
      [c0000000fd4c77c0] c00000000036f010 .netlink_sendskb+0x4c/0x9c
      [c0000000fd4c7850] c000000000370c18 .netlink_sendmsg+0x358/0x39c
      [c0000000fd4c7950] c00000000033be24 .sock_sendmsg+0x114/0x1b8
      [c0000000fd4c7b50] c00000000033d208 .sys_sendmsg+0x218/0x2ac
      [c0000000fd4c7d70] c00000000033f55c .sys_socketcall+0x228/0x27c
      [c0000000fd4c7e30] c0000000000086a4 syscall_exit+0x0/0x40
      --- Exception: c01 (System Call) at 00000080da560cfc
      
      The root cause was an EEH error, which sent us down the offload_close path in
      the cxgb3 driver, which in turn sets cdev->l2opt to NULL, without regard for
      upper layer driver (like the cxgbi drivers) which might have execution contexts
      in the middle of its use. The result is the oops above, when t3_l2t_get attempts
      to dereference L2DATA(cdev)->nentries in arp_hash right after the EEH error handler sets it to NULL.
      
      The fix is to prevent the setting of the NULL pointer until after there are no
      further users of it.  The t3cdev->l2opt pointer is now converted to be an rcu
      pointer and the L2DATA macro is now called under the protection of the
      rcu_read_lock().  When the EEH error path:
      t3_adapter_error->offload_close->cxgb3_offload_deactivate
      Is exectured, setting of that l2opt pointer to NULL, is now gated on an rcu
      quiescence point, preventing, allowing L2DATA callers to safely check for a NULL
      pointer without concern that the underlying data will be freeded before the
      pointer is dereferenced.
      
      This has been tested by the reporter and shown to fix the reproted oops
      
      [nhorman: fix up unitinialised variable reported by Dan Carpenter]
      Signed-off-by: NNeil Horman <nhorman@tuxdriver.com>
      Reviewed-by: NKaren Xie <kxie@chelsio.com>
      Cc: stable@kernel.org
      Signed-off-by: NJames Bottomley <JBottomley@Parallels.com>
      e48f129c
  8. 24 9月, 2011 3 次提交