1. 10 7月, 2012 33 次提交
  2. 09 7月, 2012 2 次提交
    • M
      virtio-balloon: fix add/get API use · 9c378abc
      Michael S. Tsirkin 提交于
      Since ee7cd898 'virtio: expose added
      descriptors immediately.', in virtio balloon virtqueue_get_buf might
      now run concurrently with virtqueue_kick.  I audited both and this
      seems safe in practice but this is not guaranteed by the API.
      Additionally, a spurious interrupt might in theory make
      virtqueue_get_buf run in parallel with virtqueue_add_buf, which is
      racy.
      
      While we might try to protect against spurious callbacks it's
      easier to fix the driver: balloon seems to be the only one
      (mis)using the API like this, so let's just fix balloon.
      Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> (removed unused var)
      9c378abc
    • L
      Merge branch 'for-3.5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup · 8c84bf41
      Linus Torvalds 提交于
      Pull cgroup fixes from Tejun Heo:
       "The previous cgroup pull request contained a patch to fix a race
        condition during cgroup hierarchy umount.  Unfortunately, while the
        patch reduced the race window such that the test case I and Sasha were
        using didn't trigger it anymore, it wasn't complete - Shyju and Li
        could reliably trigger the race condition using a different test case.
      
        The problem wasn't the gap between dentry deletion and release which
        the previous patch tried to fix.  The window was between the last
        dput() of a root's child and the resulting dput() of the root.  For
        cgroup dentries, the deletion and release always happen synchronously.
        As this releases the s_active ref, the refcnt of the root dentry,
        which doesn't hold s_active, stays above zero without the
        corresponding s_active.  If umount was in progress, the last
        deactivate_super() proceeds to destory the superblock and triggers
        BUG() on the non-zero root dentry refcnt after shrinking.
      
        This issue surfaced because cgroup dentries are now allowed to linger
        after rmdir(2) since 3.5-rc1.  Before, rmdir synchronously drained the
        dentry refcnt and the s_active acquired by rmdir from vfs layer
        protected the whole thing.  After 3.5-rc1, cgroup may internally hold
        and put dentry refs after rmdir finishes and the delayed dput()
        doesn't have surrounding s_active ref exposing this issue.
      
        This pull request contains two patches - one reverting the previous
        incorrect fix and the other adding the surrounding s_active ref around
        the delayed dput().
      
        This is quite late in the release cycle but the change is on the safer
        side and fixes the test cases reliably, so I don't think it's too
        crazy."
      
      * 'for-3.5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
        cgroup: fix cgroup hierarchy umount race
        Revert "cgroup: superblock can't be released with active dentries"
      8c84bf41
  3. 08 7月, 2012 5 次提交
    • L
      Linux 3.5-rc6 · bd0a521e
      Linus Torvalds 提交于
      bd0a521e
    • L
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security · a0127afb
      Linus Torvalds 提交于
      Pull security docs update from James Morris.
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
        security: Minor improvements to no_new_privs documentation
      a0127afb
    • L
      vfs: make O_PATH file descriptors usable for 'fchdir()' · 332a2e12
      Linus Torvalds 提交于
      We already use them for openat() and friends, but fchdir() also wants to
      be able to use O_PATH file descriptors.  This should make it comparable
      to the O_SEARCH of Solaris.  In particular, O_PATH allows you to access
      (not-quite-open) a directory you don't have read persmission to, only
      execute permission.
      
      Noticed during development of multithread support for ksh93.
      Reported-by: Nольга крыжановская <olga.kryzhanovska@gmail.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: stable@kernel.org    # O_PATH introduced in 3.0+
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      332a2e12
    • T
      cgroup: fix cgroup hierarchy umount race · 5db9a4d9
      Tejun Heo 提交于
      48ddbe19 "cgroup: make css->refcnt clearing on cgroup removal
      optional" allowed a css to linger after the associated cgroup is
      removed.  As a css holds a reference on the cgroup's dentry, it means
      that cgroup dentries may linger for a while.
      
      Destroying a superblock which has dentries with positive refcnts is a
      critical bug and triggers BUG() in vfs code.  As each cgroup dentry
      holds an s_active reference, any lingering cgroup has both its dentry
      and the superblock pinned and thus preventing premature release of
      superblock.
      
      Unfortunately, after 48ddbe19, there's a small window while
      releasing a cgroup which is directly under the root of the hierarchy.
      When a cgroup directory is released, vfs layer first deletes the
      corresponding dentry and then invokes dput() on the parent, which may
      recurse further, so when a cgroup directly below root cgroup is
      released, the cgroup is first destroyed - which releases the s_active
      it was holding - and then the dentry for the root cgroup is dput().
      
      This creates a window where the root dentry's refcnt isn't zero but
      superblock's s_active is.  If umount happens before or during this
      window, vfs will see the root dentry with non-zero refcnt and trigger
      BUG().
      
      Before 48ddbe19, this problem didn't exist because the last dentry
      reference was guaranteed to be put synchronously from rmdir(2)
      invocation which holds s_active around the whole process.
      
      Fix it by holding an extra superblock->s_active reference across
      dput() from css release, which is the dput() path added by 48ddbe19
      and the only one which doesn't hold an extra s_active ref across the
      final cgroup dput().
      Signed-off-by: NTejun Heo <tj@kernel.org>
      LKML-Reference: <4FEEA5CB.8070809@huawei.com>
      Reported-by: Nshyju pv <shyju.pv@huawei.com>
      Tested-by: Nshyju pv <shyju.pv@huawei.com>
      Cc: Sasha Levin <levinsasha928@gmail.com>
      Acked-by: NLi Zefan <lizefan@huawei.com>
      5db9a4d9
    • T
      Revert "cgroup: superblock can't be released with active dentries" · 7db5b3ca
      Tejun Heo 提交于
      This reverts commit fa980ca8.  The
      commit was an attempt to fix a race condition where a cgroup hierarchy
      may be unmounted with positive dentry reference on root cgroup.  While
      the commit made the race condition slightly more difficult to trigger,
      the race was still there and could be reliably triggered using a
      different test case.
      
      Revert the incorrect fix.  The next commit will describe the race and
      fix it correctly.
      Signed-off-by: NTejun Heo <tj@kernel.org>
      LKML-Reference: <4FEEA5CB.8070809@huawei.com>
      Reported-by: Nshyju pv <shyju.pv@huawei.com>
      Cc: Sasha Levin <levinsasha928@gmail.com>
      Acked-by: NLi Zefan <lizefan@huawei.com>
      7db5b3ca