1. 23 10月, 2009 1 次提交
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 · 4848490c
      Linus Torvalds 提交于
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (21 commits)
        niu: VLAN_ETH_HLEN should be used to make sure that the whole MAC header was copied to the head buffer in the Vlan packets case
        KS8851: Fix ks8851_set_rx_mode() for IFF_MULTICAST
        KS8851: Fix MAC address write order
        KS8851: Add soft reset at probe time
        net: fix section mismatch in fec.c
        net: Fix struct inet_timewait_sock bitfield annotation
        tcp: Try to catch MSG_PEEK bug
        net: Fix IP_MULTICAST_IF
        bluetooth: static lock key fix
        bluetooth: scheduling while atomic bug fix
        tcp: fix TCP_DEFER_ACCEPT retrans calculation
        tcp: reduce SYN-ACK retrans for TCP_DEFER_ACCEPT
        tcp: accept socket after TCP_DEFER_ACCEPT period
        Revert "tcp: fix tcp_defer_accept to consider the timeout"
        AF_UNIX: Fix deadlock on connecting to shutdown socket
        ethoc: clear only pending irqs
        ethoc: inline regs access
        vmxnet3: use dev_dbg, fix build for CONFIG_BLOCK=n
        virtio_net: use dev_kfree_skb_any() in free_old_xmit_skbs()
        be2net: fix support for PCI hot plug
        ...
      4848490c
  2. 22 10月, 2009 11 次提交
  3. 21 10月, 2009 5 次提交
    • B
      KS8851: Fix ks8851_set_rx_mode() for IFF_MULTICAST · b6a71bfa
      Ben Dooks 提交于
      In ks8851_set_rx_mode() the case handling IFF_MULTICAST was also setting
      the RXCR1_AE bit by accident. This meant that all unicast frames where
      being accepted by the device. Remove RXCR1_AE from this case.
      
      Note, RXCR1_AE was also masking a problem with setting the MAC address
      properly, so needs to be applied after fixing the MAC write order.
      
      Fixes a bug reported by Doong, Ping of Micrel. This version of the
      patch avoids setting RXCR1_ME for all cases.
      Signed-off-by: NBen Dooks <ben@simtec.co.uk>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b6a71bfa
    • B
      KS8851: Fix MAC address write order · 160d0fad
      Ben Dooks 提交于
      The MAC address register was being written in the wrong order, so add
      a new address macro to convert mac-address byte to register address and
      a ks8851_wrreg8() function to write each byte without having to worry
      about any difficult byte swapping.
      
      Fixes a bug reported by Doong, Ping of Micrel.
      Signed-off-by: NBen Dooks <ben@simtec.co.uk>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      160d0fad
    • B
      KS8851: Add soft reset at probe time · 57dada68
      Ben Dooks 提交于
      Issue a full soft reset at probe time.
      
      This was reported by Doong Ping of Micrel, but no explanation of why this
      is necessary or what bug it is fixing. Add it as it does not seem to hurt
      the current driver and ensures that the device is in a known state when we
      start setting it up.
      Signed-off-by: NBen Dooks <ben@simtec.co.uk>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      57dada68
    • S
      net: fix section mismatch in fec.c · 78abcb13
      Steven King 提交于
      fec_enet_init is called by both fec_probe and fec_resume, so it
      shouldn't be marked as __init.
      Signed-off-by: NSteven King <sfking@fdwdc.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      78abcb13
    • A
      dnotify: ignore FS_EVENT_ON_CHILD · 94552684
      Andreas Gruenbacher 提交于
      Mask off FS_EVENT_ON_CHILD in dnotify_handle_event().  Otherwise, when there
      is more than one watch on a directory and dnotify_should_send_event()
      succeeds, events with FS_EVENT_ON_CHILD set will trigger all watches and cause
      spurious events.
      
      This case was overlooked in commit e42e2773.
      
      	#define _GNU_SOURCE
      
      	#include <stdio.h>
      	#include <stdlib.h>
      	#include <unistd.h>
      	#include <signal.h>
      	#include <sys/types.h>
      	#include <sys/stat.h>
      	#include <fcntl.h>
      	#include <string.h>
      
      	static void create_event(int s, siginfo_t* si, void* p)
      	{
      		printf("create\n");
      	}
      
      	static void delete_event(int s, siginfo_t* si, void* p)
      	{
      		printf("delete\n");
      	}
      
      	int main (void) {
      		struct sigaction action;
      		char *tmpdir, *file;
      		int fd1, fd2;
      
      		sigemptyset (&action.sa_mask);
      		action.sa_flags = SA_SIGINFO;
      
      		action.sa_sigaction = create_event;
      		sigaction (SIGRTMIN + 0, &action, NULL);
      
      		action.sa_sigaction = delete_event;
      		sigaction (SIGRTMIN + 1, &action, NULL);
      
      	#	define TMPDIR "/tmp/test.XXXXXX"
      		tmpdir = malloc(strlen(TMPDIR) + 1);
      		strcpy(tmpdir, TMPDIR);
      		mkdtemp(tmpdir);
      
      	#	define TMPFILE "/file"
      		file = malloc(strlen(tmpdir) + strlen(TMPFILE) + 1);
      		sprintf(file, "%s/%s", tmpdir, TMPFILE);
      
      		fd1 = open (tmpdir, O_RDONLY);
      		fcntl(fd1, F_SETSIG, SIGRTMIN);
      		fcntl(fd1, F_NOTIFY, DN_MULTISHOT | DN_CREATE);
      
      		fd2 = open (tmpdir, O_RDONLY);
      		fcntl(fd2, F_SETSIG, SIGRTMIN + 1);
      		fcntl(fd2, F_NOTIFY, DN_MULTISHOT | DN_DELETE);
      
      		if (fork()) {
      			/* This triggers a create event */
      			creat(file, 0600);
      			/* This triggers a create and delete event (!) */
      			unlink(file);
      		} else {
      			sleep(1);
      			rmdir(tmpdir);
      		}
      
      		return 0;
      	}
      Signed-off-by: NAndreas Gruenbacher <agruen@suse.de>
      Signed-off-by: NEric Paris <eparis@redhat.com>
      94552684
  4. 20 10月, 2009 10 次提交
    • E
      net: Fix struct inet_timewait_sock bitfield annotation · abf90cca
      Eric Dumazet 提交于
      commit 9e337b0f (net: annotate inet_timewait_sock bitfields)
      added 4/8 bytes in struct inet_timewait_sock.
      
      Fix this by declaring tw_ipv6_offset in the 'flags' bitfield
      The 14 bits hole is named tw_pad to make it cleary apparent.
      Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      abf90cca
    • H
      tcp: Try to catch MSG_PEEK bug · b6b39e8f
      Herbert Xu 提交于
      This patch tries to print out more information when we hit the
      MSG_PEEK bug in tcp_recvmsg.  It's been around since at least
      2005 and it's about time that we finally fix it.
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b6b39e8f
    • H
      crypto: aesni-intel - Fix irq_fpu_usable usage · 13b79b97
      Huang Ying 提交于
      When renaming kernel_fpu_using to irq_fpu_usable, the semantics of the
      function is changed too, from mesuring whether kernel is using FPU,
      that is, the FPU is NOT available, to measuring whether FPU is usable,
      that is, the FPU is available.
      
      But the usage of irq_fpu_usable in aesni-intel_glue.c is not changed
      accordingly. This patch fixes this.
      Signed-off-by: NHuang Ying <ying.huang@intel.com>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      13b79b97
    • E
      net: Fix IP_MULTICAST_IF · 55b80503
      Eric Dumazet 提交于
      ipv4/ipv6 setsockopt(IP_MULTICAST_IF) have dubious __dev_get_by_index() calls.
      
      This function should be called only with RTNL or dev_base_lock held, or reader
      could see a corrupt hash chain and eventually enter an endless loop.
      
      Fix is to call dev_get_by_index()/dev_put().
      
      If this happens to be performance critical, we could define a new dev_exist_by_index()
      function to avoid touching dev refcount.
      Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      55b80503
    • D
      bluetooth: static lock key fix · 45054dc1
      Dave Young 提交于
      When shutdown ppp connection, lockdep waring about non-static key
      will happen, it is caused by the lock is not initialized properly
      at that time.
      
      Fix with tuning the lock/skb_queue_head init order
      
      [   94.339261] INFO: trying to register non-static key.
      [   94.342509] the code is fine but needs lockdep annotation.
      [   94.342509] turning off the locking correctness validator.
      [   94.342509] Pid: 0, comm: swapper Not tainted 2.6.31-mm1 #2
      [   94.342509] Call Trace:
      [   94.342509]  [<c0248fbe>] register_lock_class+0x58/0x241
      [   94.342509]  [<c024b5df>] ? __lock_acquire+0xb57/0xb73
      [   94.342509]  [<c024ab34>] __lock_acquire+0xac/0xb73
      [   94.342509]  [<c024b7fa>] ? lock_release_non_nested+0x17b/0x1de
      [   94.342509]  [<c024b662>] lock_acquire+0x67/0x84
      [   94.342509]  [<c04cd1eb>] ? skb_dequeue+0x15/0x41
      [   94.342509]  [<c054a857>] _spin_lock_irqsave+0x2f/0x3f
      [   94.342509]  [<c04cd1eb>] ? skb_dequeue+0x15/0x41
      [   94.342509]  [<c04cd1eb>] skb_dequeue+0x15/0x41
      [   94.342509]  [<c054a648>] ? _read_unlock+0x1d/0x20
      [   94.342509]  [<c04cd641>] skb_queue_purge+0x14/0x1b
      [   94.342509]  [<fab94fdc>] l2cap_recv_frame+0xea1/0x115a [l2cap]
      [   94.342509]  [<c024b5df>] ? __lock_acquire+0xb57/0xb73
      [   94.342509]  [<c0249c04>] ? mark_lock+0x1e/0x1c7
      [   94.342509]  [<f8364963>] ? hci_rx_task+0xd2/0x1bc [bluetooth]
      [   94.342509]  [<fab95346>] l2cap_recv_acldata+0xb1/0x1c6 [l2cap]
      [   94.342509]  [<f8364997>] hci_rx_task+0x106/0x1bc [bluetooth]
      [   94.342509]  [<fab95295>] ? l2cap_recv_acldata+0x0/0x1c6 [l2cap]
      [   94.342509]  [<c02302c4>] tasklet_action+0x69/0xc1
      [   94.342509]  [<c022fbef>] __do_softirq+0x94/0x11e
      [   94.342509]  [<c022fcaf>] do_softirq+0x36/0x5a
      [   94.342509]  [<c022fe14>] irq_exit+0x35/0x68
      [   94.342509]  [<c0204ced>] do_IRQ+0x72/0x89
      [   94.342509]  [<c02038ee>] common_interrupt+0x2e/0x34
      [   94.342509]  [<c024007b>] ? pm_qos_add_requirement+0x63/0x9d
      [   94.342509]  [<c038e8a5>] ? acpi_idle_enter_bm+0x209/0x238
      [   94.342509]  [<c049d238>] cpuidle_idle_call+0x5c/0x94
      [   94.342509]  [<c02023f8>] cpu_idle+0x4e/0x6f
      [   94.342509]  [<c0534153>] rest_init+0x53/0x55
      [   94.342509]  [<c0781894>] start_kernel+0x2f0/0x2f5
      [   94.342509]  [<c0781091>] i386_start_kernel+0x91/0x96
      Reported-by: NOliver Hartkopp <oliver@hartkopp.net>
      Signed-off-by: NDave Young <hidave.darkstar@gmail.com>
      Tested-by: NOliver Hartkopp <oliver@hartkopp.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      45054dc1
    • D
      bluetooth: scheduling while atomic bug fix · f74c77cb
      Dave Young 提交于
      Due to driver core changes dev_set_drvdata will call kzalloc which should be
      in might_sleep context, but hci_conn_add will be called in atomic context
      
      Like dev_set_name move dev_set_drvdata to work queue function.
      
      oops as following:
      
      Oct  2 17:41:59 darkstar kernel: [  438.001341] BUG: sleeping function called from invalid context at mm/slqb.c:1546
      Oct  2 17:41:59 darkstar kernel: [  438.001345] in_atomic(): 1, irqs_disabled(): 0, pid: 2133, name: sdptool
      Oct  2 17:41:59 darkstar kernel: [  438.001348] 2 locks held by sdptool/2133:
      Oct  2 17:41:59 darkstar kernel: [  438.001350]  #0:  (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.+.}, at: [<faa1d2f5>] lock_sock+0xa/0xc [l2cap]
      Oct  2 17:41:59 darkstar kernel: [  438.001360]  #1:  (&hdev->lock){+.-.+.}, at: [<faa20e16>] l2cap_sock_connect+0x103/0x26b [l2cap]
      Oct  2 17:41:59 darkstar kernel: [  438.001371] Pid: 2133, comm: sdptool Not tainted 2.6.31-mm1 #2
      Oct  2 17:41:59 darkstar kernel: [  438.001373] Call Trace:
      Oct  2 17:41:59 darkstar kernel: [  438.001381]  [<c022433f>] __might_sleep+0xde/0xe5
      Oct  2 17:41:59 darkstar kernel: [  438.001386]  [<c0298843>] __kmalloc+0x4a/0x15a
      Oct  2 17:41:59 darkstar kernel: [  438.001392]  [<c03f0065>] ? kzalloc+0xb/0xd
      Oct  2 17:41:59 darkstar kernel: [  438.001396]  [<c03f0065>] kzalloc+0xb/0xd
      Oct  2 17:41:59 darkstar kernel: [  438.001400]  [<c03f04ff>] device_private_init+0x15/0x3d
      Oct  2 17:41:59 darkstar kernel: [  438.001405]  [<c03f24c5>] dev_set_drvdata+0x18/0x26
      Oct  2 17:41:59 darkstar kernel: [  438.001414]  [<fa51fff7>] hci_conn_init_sysfs+0x40/0xd9 [bluetooth]
      Oct  2 17:41:59 darkstar kernel: [  438.001422]  [<fa51cdc0>] ? hci_conn_add+0x128/0x186 [bluetooth]
      Oct  2 17:41:59 darkstar kernel: [  438.001429]  [<fa51ce0f>] hci_conn_add+0x177/0x186 [bluetooth]
      Oct  2 17:41:59 darkstar kernel: [  438.001437]  [<fa51cf8a>] hci_connect+0x3c/0xfb [bluetooth]
      Oct  2 17:41:59 darkstar kernel: [  438.001442]  [<faa20e87>] l2cap_sock_connect+0x174/0x26b [l2cap]
      Oct  2 17:41:59 darkstar kernel: [  438.001448]  [<c04c8df5>] sys_connect+0x60/0x7a
      Oct  2 17:41:59 darkstar kernel: [  438.001453]  [<c024b703>] ? lock_release_non_nested+0x84/0x1de
      Oct  2 17:41:59 darkstar kernel: [  438.001458]  [<c028804b>] ? might_fault+0x47/0x81
      Oct  2 17:41:59 darkstar kernel: [  438.001462]  [<c028804b>] ? might_fault+0x47/0x81
      Oct  2 17:41:59 darkstar kernel: [  438.001468]  [<c033361f>] ? __copy_from_user_ll+0x11/0xce
      Oct  2 17:41:59 darkstar kernel: [  438.001472]  [<c04c9419>] sys_socketcall+0x82/0x17b
      Oct  2 17:41:59 darkstar kernel: [  438.001477]  [<c020329d>] syscall_call+0x7/0xb
      Signed-off-by: NDave Young <hidave.darkstar@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f74c77cb
    • J
      tcp: fix TCP_DEFER_ACCEPT retrans calculation · b103cf34
      Julian Anastasov 提交于
      Fix TCP_DEFER_ACCEPT conversion between seconds and
      retransmission to match the TCP SYN-ACK retransmission periods
      because the time is converted to such retransmissions. The old
      algorithm selects one more retransmission in some cases. Allow
      up to 255 retransmissions.
      Signed-off-by: NJulian Anastasov <ja@ssi.bg>
      Acked-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b103cf34
    • J
      tcp: reduce SYN-ACK retrans for TCP_DEFER_ACCEPT · 0c3d79bc
      Julian Anastasov 提交于
      Change SYN-ACK retransmitting code for the TCP_DEFER_ACCEPT
      users to not retransmit SYN-ACKs during the deferring period if
      ACK from client was received. The goal is to reduce traffic
      during the deferring period. When the period is finished
      we continue with sending SYN-ACKs (at least one) but this time
      any traffic from client will change the request to established
      socket allowing application to terminate it properly.
      Also, do not drop acked request if sending of SYN-ACK fails.
      Signed-off-by: NJulian Anastasov <ja@ssi.bg>
      Acked-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0c3d79bc
    • J
      tcp: accept socket after TCP_DEFER_ACCEPT period · d1b99ba4
      Julian Anastasov 提交于
      Willy Tarreau and many other folks in recent years
      were concerned what happens when the TCP_DEFER_ACCEPT period
      expires for clients which sent ACK packet. They prefer clients
      that actively resend ACK on our SYN-ACK retransmissions to be
      converted from open requests to sockets and queued to the
      listener for accepting after the deferring period is finished.
      Then application server can decide to wait longer for data
      or to properly terminate the connection with FIN if read()
      returns EAGAIN which is an indication for accepting after
      the deferring period. This change still can have side effects
      for applications that expect always to see data on the accepted
      socket. Others can be prepared to work in both modes (with or
      without TCP_DEFER_ACCEPT period) and their data processing can
      ignore the read=EAGAIN notification and to allocate resources for
      clients which proved to have no data to send during the deferring
      period. OTOH, servers that use TCP_DEFER_ACCEPT=1 as flag (not
      as a timeout) to wait for data will notice clients that didn't
      send data for 3 seconds but that still resend ACKs.
      Thanks to Willy Tarreau for the initial idea and to
      Eric Dumazet for the review and testing the change.
      Signed-off-by: NJulian Anastasov <ja@ssi.bg>
      Acked-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d1b99ba4
    • D
      Revert "tcp: fix tcp_defer_accept to consider the timeout" · a1a2ad91
      David S. Miller 提交于
      This reverts commit 6d01a026.
      
      Julian Anastasov, Willy Tarreau and Eric Dumazet have come up
      with a more correct way to deal with this.
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a1a2ad91
  5. 19 10月, 2009 6 次提交
    • T
      AF_UNIX: Fix deadlock on connecting to shutdown socket · 77238f2b
      Tomoki Sekiyama 提交于
      I found a deadlock bug in UNIX domain socket, which makes able to DoS
      attack against the local machine by non-root users.
      
      How to reproduce:
      1. Make a listening AF_UNIX/SOCK_STREAM socket with an abstruct
          namespace(*), and shutdown(2) it.
       2. Repeat connect(2)ing to the listening socket from the other sockets
          until the connection backlog is full-filled.
       3. connect(2) takes the CPU forever. If every core is taken, the
          system hangs.
      
      PoC code: (Run as many times as cores on SMP machines.)
      
      int main(void)
      {
      	int ret;
      	int csd;
      	int lsd;
      	struct sockaddr_un sun;
      
      	/* make an abstruct name address (*) */
      	memset(&sun, 0, sizeof(sun));
      	sun.sun_family = PF_UNIX;
      	sprintf(&sun.sun_path[1], "%d", getpid());
      
      	/* create the listening socket and shutdown */
      	lsd = socket(AF_UNIX, SOCK_STREAM, 0);
      	bind(lsd, (struct sockaddr *)&sun, sizeof(sun));
      	listen(lsd, 1);
      	shutdown(lsd, SHUT_RDWR);
      
      	/* connect loop */
      	alarm(15); /* forcely exit the loop after 15 sec */
      	for (;;) {
      		csd = socket(AF_UNIX, SOCK_STREAM, 0);
      		ret = connect(csd, (struct sockaddr *)&sun, sizeof(sun));
      		if (-1 == ret) {
      			perror("connect()");
      			break;
      		}
      		puts("Connection OK");
      	}
      	return 0;
      }
      
      (*) Make sun_path[0] = 0 to use the abstruct namespace.
          If a file-based socket is used, the system doesn't deadlock because
          of context switches in the file system layer.
      
      Why this happens:
       Error checks between unix_socket_connect() and unix_wait_for_peer() are
       inconsistent. The former calls the latter to wait until the backlog is
       processed. Despite the latter returns without doing anything when the
       socket is shutdown, the former doesn't check the shutdown state and
       just retries calling the latter forever.
      
      Patch:
       The patch below adds shutdown check into unix_socket_connect(), so
       connect(2) to the shutdown socket will return -ECONREFUSED.
      Signed-off-by: NTomoki Sekiyama <tomoki.sekiyama.qu@hitachi.com>
      Signed-off-by: NMasanori Yoshida <masanori.yoshida.tv@hitachi.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      77238f2b
    • T
      ethoc: clear only pending irqs · 50c54a57
      Thomas Chou 提交于
      This patch fixed the problem of dropped packets due to lost of
      interrupt requests. We should only clear what was pending at the
      moment we read the irq source reg.
      Signed-off-by: NThomas Chou <thomas@wytron.com.tw>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      50c54a57
    • T
      ethoc: inline regs access · 16dd18b0
      Thomas Chou 提交于
      Signed-off-by: NThomas Chou <thomas@wytron.com.tw>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      16dd18b0
    • W
      inotify: fix coalesce duplicate events into a single event in special case · 3de0ef4f
      Wei Yongjun 提交于
      If we do rename a dir entry, like this:
      
        rename("/tmp/ino7UrgoJ.rename1", "/tmp/ino7UrgoJ.rename2")
        rename("/tmp/ino7UrgoJ.rename2", "/tmp/ino7UrgoJ")
      
      The duplicate events should be coalesced into a single event. But those two
      events do not be coalesced into a single event, due to some bad check in
      event_compare(). It can not match the two NULL inodes as the same event.
      Signed-off-by: NWei Yongjun <yjwei@cn.fujitsu.com>
      Signed-off-by: NEric Paris <eparis@redhat.com>
      3de0ef4f
    • E
      inotify: deprecate the inotify kernel interface · cdc321ff
      Eric Paris 提交于
      In 2.6.33 there will be no users of the inotify interface.  Mark it for
      removal as fsnotify is more generic and is easier to use.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      cdc321ff
    • E
      fsnotify: do not set group for a mark before it is on the i_list · 9f0d793b
      Eric Paris 提交于
      fsnotify_add_mark is supposed to add a mark to the g_list and i_list and to
      set the group and inode for the mark.  fsnotify_destroy_mark_by_entry uses
      the fact that ->group != NULL to know if this group should be destroyed or
      if it's already been done.
      
      But fsnotify_add_mark sets the group and inode before it actually adds the
      mark to the i_list and g_list.  This can result in a race in inotify, it
      requires 3 threads.
      
      sys_inotify_add_watch("file")	sys_inotify_add_watch("file")	sys_inotify_rm_watch([a])
      inotify_update_watch()
      inotify_new_watch()
      inotify_add_to_idr()
         ^--- returns wd = [a]
      				inotfiy_update_watch()
      				inotify_new_watch()
      				inotify_add_to_idr()
      				fsnotify_add_mark()
      				   ^--- returns wd = [b]
      				returns to userspace;
      								inotify_idr_find([a])
      								   ^--- gives us the pointer from task 1
      fsnotify_add_mark()
         ^--- this is going to set the mark->group and mark->inode fields, but will
      return -EEXIST because of the race with [b].
      								fsnotify_destroy_mark()
      								   ^--- since ->group != NULL we call back
      									into inotify_freeing_mark() which calls
      								inotify_remove_from_idr([a])
      
      since fsnotify_add_mark() failed we call:
      inotify_remove_from_idr([a])     <------WHOOPS it's not in the idr, this could
      					have been any entry added later!
      
      The fix is to make sure we don't set mark->group until we are sure the mark is
      on the inode and fsnotify_add_mark will return success.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      9f0d793b
  6. 18 10月, 2009 4 次提交
  7. 17 10月, 2009 3 次提交