- 29 11月, 2012 7 次提交
-
-
由 Michael S. Tsirkin 提交于
If a single descriptor crosses a region, the second chunk length should be decremented by size translated so far, instead it includes the full descriptor length. Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Acked-by: NJason Wang <jasowang@redhat.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Tommi Rantala 提交于
Cleanup the memory we allocated earlier in irttp_open_tsap() when we hit this error path. The leak goes back to at least 1da177e4 ("Linux-2.6.12-rc2"). Discovered with Trinity (the syscall fuzzer). Signed-off-by: NTommi Rantala <tt.rantala@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Bjørn Mork 提交于
The Huawei E173 is a QMI/wwan device which normally appear as 12d1:1436 in Linux. The descriptors displayed in that mode will be picked up by cdc_ether. But the modem has another mode with a different device ID and a slightly different set of descriptors. This is the mode used by Windows like this: 3Modem: USB\VID_12D1&PID_140C&MI_00\6&3A1D2012&0&0000 Networkcard: USB\VID_12D1&PID_140C&MI_01\6&3A1D2012&0&0001 Appli.Inter: USB\VID_12D1&PID_140C&MI_02\6&3A1D2012&0&0002 PC UI Inter: USB\VID_12D1&PID_140C&MI_03\6&3A1D2012&0&0003 Reported-by: NThomas Schäfer <tschaefer@t-online.de> Signed-off-by: NBjørn Mork <bjorn@mork.no> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Amir Vadai 提交于
Had a typo in memcpy. Signed-off-by: NAmir Vadai <amirv@mellanox.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Schoch Christian 提交于
The calculation of RTTVAR involves the subtraction of two unsigned numbers which may causes rollover and results in very high values of RTTVAR when RTT > SRTT. With this patch it is possible to set RTOmin = 1 to get the minimum of RTO at 4 times the clock granularity. Change Notes: v2) *Replaced abs() by abs64() and long by __s64, changed patch description. Signed-off-by: NChristian Schoch <e0326715@student.tuwien.ac.at> CC: Vlad Yasevich <vyasevich@gmail.com> CC: Sridhar Samudrala <sri@us.ibm.com> CC: Neil Horman <nhorman@tuxdriver.com> CC: linux-sctp@vger.kernel.org Acked-by: NVlad Yasevich <vyasevich@gmail.com> Acked-by: NNeil Horman <nhorman@tuxdriver.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Tommi Rantala 提交于
Consider the following program, that sets the second argument to the sendto() syscall incorrectly: #include <string.h> #include <arpa/inet.h> #include <sys/socket.h> int main(void) { int fd; struct sockaddr_in sa; fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/); if (fd < 0) return 1; memset(&sa, 0, sizeof(sa)); sa.sin_family = AF_INET; sa.sin_addr.s_addr = inet_addr("127.0.0.1"); sa.sin_port = htons(11111); sendto(fd, NULL, 1, 0, (struct sockaddr *)&sa, sizeof(sa)); return 0; } We get -ENOMEM: $ strace -e sendto ./demo sendto(3, NULL, 1, 0, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 ENOMEM (Cannot allocate memory) Propagate the error code from sctp_user_addto_chunk(), so that we will tell user space what actually went wrong: $ strace -e sendto ./demo sendto(3, NULL, 1, 0, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EFAULT (Bad address) Noticed while running Trinity (the syscall fuzzer). Signed-off-by: NTommi Rantala <tt.rantala@gmail.com> Acked-by: NVlad Yasevich <vyasevich@gmail.com> Acked-by: NNeil Horman <nhorman@tuxdriver.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Tommi Rantala 提交于
Trinity (the syscall fuzzer) discovered a memory leak in SCTP, reproducible e.g. with the sendto() syscall by passing invalid user space pointer in the second argument: #include <string.h> #include <arpa/inet.h> #include <sys/socket.h> int main(void) { int fd; struct sockaddr_in sa; fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/); if (fd < 0) return 1; memset(&sa, 0, sizeof(sa)); sa.sin_family = AF_INET; sa.sin_addr.s_addr = inet_addr("127.0.0.1"); sa.sin_port = htons(11111); sendto(fd, NULL, 1, 0, (struct sockaddr *)&sa, sizeof(sa)); return 0; } As far as I can tell, the leak has been around since ~2003. Signed-off-by: NTommi Rantala <tt.rantala@gmail.com> Acked-by: NVlad Yasevich <vyasevich@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 27 11月, 2012 4 次提交
-
-
由 Eric Dumazet 提交于
Name of pimreg devices are built from following format : char name[IFNAMSIZ]; // IFNAMSIZ == 16 sprintf(name, "pimreg%u", mrt->id); We must therefore limit mrt->id to 9 decimal digits or risk a buffer overflow and a crash. Restrict table identifiers in [0 ... 999999999] interval. Reported-by: NChen Gang <gang.chen@asianux.com> Signed-off-by: NEric Dumazet <edumazet@google.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Neal Cardwell 提交于
inet_getpeer_v4() can return NULL under OOM conditions, and while inet_peer_xrlim_allow() is OK with a NULL peer, inet_putpeer() will crash. This code path now uses the same idiom as the others from: 1d861aa4 ("inet: Minimize use of cached route inetpeer."). Signed-off-by: NNeal Cardwell <ncardwell@google.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Oliver Hartkopp 提交于
Set in the rx_ifindex to pass the correct interface index in the case of a message timeout detection. Usually the rx_ifindex value is set at receive time. But when no CAN frame has been received the RX_TIMEOUT notification did not contain a valid value. Cc: linux-stable <stable@vger.kernel.org> Reported-by: NAndre Naujoks <nautsch2@googlemail.com> Signed-off-by: NOliver Hartkopp <socketcan@hartkopp.net> Signed-off-by: NMarc Kleine-Budde <mkl@pengutronix.de>
-
由 Oliver Hartkopp 提交于
The skb->tstamp is set to the hardware timestamp when available in the USB urb message. This leads to user visible timestamps which contain the 'uptime' of the USB adapter - and not the usual system generated timestamp. Fix this wrong assignment by applying the available hardware timestamp to the skb_shared_hwtstamps data structure - which is intended for this purpose. Cc: linux-stable <stable@vger.kernel.org> Signed-off-by: NOliver Hartkopp <socketcan@hartkopp.net> Signed-off-by: NMarc Kleine-Budde <mkl@pengutronix.de>
-
- 25 11月, 2012 1 次提交
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound由 Linus Torvalds 提交于
Pull sound build error fix from Takashi Iwai: "Only a single commit for fixing the build error without CONFIG_PM in hda driver." * tag 'sound-3.7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ALSA: hda - Fix build without CONFIG_PM
-
- 24 11月, 2012 18 次提交
-
-
由 Takashi Iwai 提交于
I forgot this again... codec->in_pm is in #ifdef CONFIG_PM Reported-by: NMarkus Trippelsdorf <markus@trippelsdorf.de> Signed-off-by: NTakashi Iwai <tiwai@suse.de>
-
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip由 Linus Torvalds 提交于
Pull x86 arch fixes from Peter Anvin: "Here is a collection of fixes for 3.7-rc7. This is a superset of tglx' earlier pull request." * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86-64: Fix ordering of CFI directives and recent ASM_CLAC additions x86, microcode, AMD: Add support for family 16h processors x86-32: Export kernel_stack_pointer() for modules x86-32: Fix invalid stack address while in softirq x86, efi: Fix processor-specific memcpy() build error x86: remove dummy long from EFI stub x86, mm: Correct vmflag test for checking VM_HUGETLB x86, amd: Disable way access filter on Piledriver CPUs x86/mce: Do not change worker's running cpu in cmci_rediscover(). x86/ce4100: Fix PCI configuration register access for devices without interrupts x86/ce4100: Fix reboot by forcing the reboot method to be KBD x86/ce4100: Fix pm_poweroff MAINTAINERS: Update email address for Robert Richter x86, microcode_amd: Change email addresses, MAINTAINERS entry MAINTAINERS: Change Boris' email address EDAC: Change Boris' email address x86, AMD: Change Boris' email address
-
git://git.infradead.org/mtd-2.6由 Linus Torvalds 提交于
Pull MTD fixes from David Woodhouse: "The most important part of this is that it fixes a regression in Samsung NAND chip detection, introduced by some rework which went into 3.7. The initial fix wasn't quite complete, so it's in two parts. In fact the first part is committed twice (Artem committed his own copy of the same patch) and I've merged Artem's tree into mine which already had that fix. I'd have recommitted that to make it somewhat cleaner, but figured by this point in the release cycle it was better to merge *exactly* the commits which have been in linux-next. If I'd recommitted, I'd also omit the sparse warning fix. But it's there, and it's harmless — just marking one function as 'static' in onenand code. This also includes a couple more fixes for stable: an AB-BA deadlock in JFFS2, and an invalid range check in slram." * tag 'for-linus-20121123' of git://git.infradead.org/mtd-2.6: mtd: nand: fix Samsung SLC detection regression mtd: nand: fix Samsung SLC NAND identification regression jffs2: Fix lock acquisition order bug in jffs2_write_begin mtd: onenand: Make flexonenand_set_boundary static mtd: slram: invalid checking of absolute end address mtd: ofpart: Fix incorrect NULL check in parse_ofoldpart_partitions() mtd: nand: fix Samsung SLC NAND identification regression
-
git://git.secretlab.ca/git/linux-2.6由 Linus Torvalds 提交于
Pull device tree regression fix from Grant Likely: "Simple build regression fix for DT device drivers on Sparc. An earlier change had masked out the of_iomap() helper on SPARC." * tag 'devicetree-for-linus' of git://git.secretlab.ca/git/linux-2.6: of/address: sparc: Declare of_iomap as an extern function for sparc again
-
git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm由 Linus Torvalds 提交于
Pull power management update from Rafael Wysocki: "Fix for an incorrect error condition check in device PM QoS code that may lead to an Oops from Guennadi Liakhovetski." * tag 'pm-for-3.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: PM / QoS: fix wrong error-checking condition
-
git://neil.brown.name/md由 Linus Torvalds 提交于
Pull md fixes from NeilBrown: "Several bug fixes for md in 3.7: - raid5 discard has problems - raid10 replacement devices have problems - bad block lock seqlock usage has problems - dm-raid doesn't free everything" * tag 'md-3.7-fixes' of git://neil.brown.name/md: md/raid10: decrement correct pending counter when writing to replacement. md/raid10: close race that lose writes lost when replacement completes. md/raid5: Make sure we clear R5_Discard when discard is finished. md/raid5: move resolving of reconstruct_state earlier in stripe_handle. md/raid5: round discard alignment up to power of 2. md: make sure everything is freed when dm-raid stops an array. md: Avoid write invalid address if read_seqretry returned true. md: Reassigned the parameters if read_seqretry returned true in func md_is_badblock.
-
git://git.kernel.dk/linux-block由 Linus Torvalds 提交于
Pull block layer fixes from Jens Axboe: "Distilled down version of bug fixes for 3.7. The patches have been well tested. If you notice that commit dates are from today, it's because I pulled less important bits out and shuffled them into the 3.8 mix. Apart from that, no changes, base still the same. It contains: - Fix for aoe, don't run request_fn while it's plugged. - Fix for a regression in floppy since 3.6, which causes problems if no floppy is found. - Stable fix for blk_exec(), don't touch a request after it has been sent to the scheduler (and the device as well). - Five fixes for various nasties in mtip32xx." * 'for-linus' of git://git.kernel.dk/linux-block: block: Don't access request after it might be freed mtip32xx: Fix padding issue aoe: avoid running request handler on plugged queue mtip32xx: fix potential NULL pointer dereference in mtip_timeout_function() mtip32xx: fix shift larger than type warning mtip32xx: Fix incorrect mask used for erase mode mtip32xx: Fix to make lba address correct in big-endian systems mtip32xx: fix potential crash on SEC_ERASE_UNIT dm: fix deadlock with request based dm and queue request_fn recursion floppy: destroy floppy workqueue before cleaning up the queue
-
由 Andreas Larsson 提交于
This bug-fix makes sure that of_iomap is defined extern for sparc so that the sparc-specific implementation of_iomap is once again used when including include/linux/of_address.h in a sparc context. OF_GPIO that is now available for sparc relies on this. The bug was inadvertently introduced in a850a755, "of/address: add empty static inlines for !CONFIG_OF", that added a static dummy inline for of_iomap when !CONFIG_OF_ADDRESS. However, CONFIG_OF_ADDRESS is never defined for sparc, but there is a sparc-specific implementation /arch/sparc/kernel/of_device_common.c. This fix takes the same approach as 0bce04be that solved the equivalent problem for of_address_to_resource. Signed-off-by: NAndreas Larsson <andreas@gaisler.com> Acked-by: NDavid Miller <davem@davemloft.net> Signed-off-by: NGrant Likely <grant.likely@secretlab.ca>
-
git://gitorious.org/linux-omap-dss2/linux由 Linus Torvalds 提交于
Pull omapdss fixes from Tomi Valkeinen: "Here are a few OMAPDSS fixes for the next -rc. I'm sending these directly to you, and quite late, as the fbdev tree maintainer (Florian) has been busy with his work and hasn't had time to manage the fb patches." * tag 'omapdss-for-3.7-rc' of git://gitorious.org/linux-omap-dss2/linux: OMAPDSS: do not fail if dpll4_m4_ck is missing OMAPFB: Fix possible null pointer dereferencing OMAPDSS: HDMI: fix missing unlock on error in hdmi_dump_regs() omapdss: dss: Fix clocks on OMAP363x OMAPDSS: DSI: fix dsi_get_dsidev_from_id()
-
git://git.pengutronix.de/git/wsa/linux由 Linus Torvalds 提交于
Pull i2c fixes from Wolfram Sang: "Bugfixes for the i2c subsystem. Except for a few one-liners, there is mainly one revert because of an overlooked dependency. Since there is no linux-next at the moment, I did some extra testing, and all was fine for me." * 'i2c-embedded/for-current' of git://git.pengutronix.de/git/wsa/linux: i2c: mxs: Handle i2c DMA failure properly i2c: s3c2410: Fix code to free gpios i2c: omap: ensure writes to dev->buf_len are ordered Revert "ARM: OMAP: convert I2C driver to PM QoS for MPU latency constraints" i2c: at91: fix SMBus quick command
-
git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound由 Linus Torvalds 提交于
Pull sound fixes from Takashi Iwai: "The highlight of this update is the fixes for ASoC kirkwood by Russell. In addition to that, a couple of regression fixes for HD-audio due to the runtime PM support on 3.7, and other driver- specific regression fixes like USB MIDI on non-standard USB audio drivers." * tag 'sound-3.7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ALSA: snd-usb: properly initialize the sync endpoint ALSA: hda - Cirrus: Correctly clear line_out_pins when moving to speaker ALSA: hda - Add support for Realtek ALC292 ASoC: kirkwood-i2s: more pause-mode fixes ASoC: kirkwood-i2s: fix DMA underruns ASoC: kirkwood-i2s: fix DCO lock detection ASoC: kirkwood-dma: don't ignore other irq causes on error ASoC: kirkwood-dma: fix use of virt_to_phys() ALSA: hda - Limit runtime PM support only to known Intel chips ALSA: hda - Fix recursive suspend/resume call ALSA: ua101, usx2y: fix broken MIDI output ASoC: arizona: Fix typo - Swap value in 48k_rates[] and 44k1_rates[] ASoC: bells: Fix up git patch application failure ASoC: cs4271: free allocated GPIO
-
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net由 Linus Torvalds 提交于
Pull networkign fixes from David Miller: "Networking bug fixes, Cacio e Pepe edition: 1) BNX2X accidently accesses chip rev specific registers without an appropriate guard, fix from Ariel Elior. 2) When we removed the routing cache, we set ip_rt_max_size to ~0 just to keep reporting a value to userspace via sysfs. But the ipv4 IPSEC layer was using this to tune itself which is completely bogus to now do. Fix from Steffen Klassert. 3) Missing initialization in netfilter ipset code from Jozsef Kadlecsik. 4) Check CTA_TIMEOUT_NAME length properly in netfilter cttimeout code, fix from Florian Westphal. 5) After removing the routing cache, we inadvertantly are caching multicast routes that end up looping back locally, we cannot do that legitimately any more. Fix from Julian Anastasov. 6) Revert a race fix for 8139cp qemu/kvm that doesn't actually work properly on real hardware. From Francois Romieu. 7) Fixup errors in example command lines in VXLAN device docs." * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: bnx2x: remove redundant warning log vxlan: fix command usage in its doc 8139cp: revert "set ring address before enabling receiver" ipv4: do not cache looped multicasts netfilter: cttimeout: fix buffer overflow netfilter: ipset: Fix range bug in hash:ip,port,net xfrm: Fix the gc threshold value for ipv4
-
git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc由 Linus Torvalds 提交于
Pull sparc fix from David Miller: "Bug fix from Al Viro" * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc: sparc64: not any error from do_sigaltstack() should fail rt_sigreturn()
-
git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc由 Linus Torvalds 提交于
Pull one more ARM SoC fix from Olof Johansson: "I missed one pull request from Samsung with one fix in the previous batch. Here it is -- a dma driver fix for an early version of silicon that they still support." * tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: ARM: EXYNOS: PL330 MDMA1 fix for revision 0 of Exynos4210 SOC
-
由 Guennadi Liakhovetski 提交于
dev_pm_qos_add_request() can return 0, 1, or a negative error code, therefore the correct error test is "if (error < 0)." Checking just for non-zero return code leads to erroneous setting of the req->dev pointer to NULL, which then leads to a repeated call to dev_pm_qos_add_ancestor_request() in st1232_ts_irq_handler(). This in turn leads to an Oops, when the I2C host adapter is unloaded and reloaded again because of the inconsistent state of its QoS request list. Signed-off-by: NGuennadi Liakhovetski <g.liakhovetski@gmx.de> Cc: <stable@vger.kernel.org> Signed-off-by: NRafael J. Wysocki <rafael.j.wysocki@intel.com>
-
由 Ariel Elior 提交于
fix bug where a register which was only meant to be read in 578xx/57712 devices causes a bogus error message to be logged when read from other devices. Signed-off-by: NAriel Elior <ariele@broadcom.com> Signed-off-by: NEilon Greenstein <eilong@broadcom.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Zhi Yong Wu 提交于
Some commands don't work in its example doc. The patch will fix it. Signed-off-by: NZhi Yong Wu <wuzhy@linux.vnet.ibm.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 françois romieu 提交于
This patch reverts b01af457. The original patch was tested with emulated hardware. Real hardware chokes. Fixes https://bugzilla.kernel.org/show_bug.cgi?id=47041Signed-off-by: NFrancois Romieu <romieu@fr.zoreil.com> Acked-by: NJeff Garzik <jgarzik@redhat.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 23 11月, 2012 10 次提交
-
-
由 Roland Dreier 提交于
After we've done __elv_add_request() and __blk_run_queue() in blk_execute_rq_nowait(), the request might finish and be freed immediately. Therefore checking if the type is REQ_TYPE_PM_RESUME isn't safe afterwards, because if it isn't, rq might be gone. Instead, check beforehand and stash the result in a temporary. This fixes crashes in blk_execute_rq_nowait() I get occasionally when running with lots of memory debugging options enabled -- I think this race is usually harmless because the window for rq to be reallocated is so small. Signed-off-by: NRoland Dreier <roland@purestorage.com> Cc: stable@kernel.org Signed-off-by: NJens Axboe <axboe@kernel.dk>
-
由 Selvan Mani 提交于
Hi Jens, Another tiny patch. Removed __packed before the struct smart_attr and added __packed at end of the structure to fix padding issue. Signed-off-by: NSelvan Mani <smani@micron.com> Signed-off-by: NAsai Thambi S P <asamymuthupa@micron.com> Signed-off-by: NJens Axboe <axboe@kernel.dk>
-
由 Ed Cashin 提交于
Calling the request handler directly on a plugged queue defeats the performance improvements provided by the plugging mechanism. Use the __blk_run_queue function instead of calling the request handler directly, so that we don't interfere with the block layer's ability to plug the queue. Signed-off-by: NEd Cashin <ecashin@coraid.com> Signed-off-by: NJens Axboe <axboe@kernel.dk>
-
由 Wei Yongjun 提交于
The dereference to port should be moved below the NULL test. dpatch engine is used to auto generate this patch. (https://github.com/weiyj/dpatch) Signed-off-by: NWei Yongjun <yongjun_wei@trendmicro.com.cn> Signed-off-by: NJens Axboe <axboe@kernel.dk>
-
由 Jens Axboe 提交于
If we're building a 32-bit kernel and CONFIG_LBADF isn't set, sector_t is 32-bits wide. The shifts by 32 and 40 are thus larger than we support. Cast the sector offset to a u64 to avoid these warnings. Signed-off-by: NJens Axboe <axboe@kernel.dk>
-
由 Selvan Mani 提交于
Previous commit use value 3 for erasemode mask. Changing the mask to correct value to 2 Signed-off-by: NSelvan Mani <smani@micron.com> Signed-off-by: NAsai Thambi S P <asamymuthupa@micron.com> Signed-off-by: NJens Axboe <axboe@kernel.dk>
-
由 Selvan Mani 提交于
Earlier lba address was assigned directly to lba_low and lba_low_ex, which would result in a different number (bytes reversed) in big-endian systems. Now assigning lba address byte-by-byte to fis. Reported-by: NDan Carpenter <dan.carpenter@oracle.com> Signed-off-by: NSelvan Mani <smani@micron.com> Signed-off-by: NAsai Thambi S P <asamymuthupa@micron.com> Signed-off-by: NJens Axboe <axboe@kernel.dk>
-
由 Selvan Mani 提交于
The mtip driver lifted this code from elsewhere and then added a special handling check for SEC_ERASE_UNIT. If the caller tries to do a security erase but passes no output data for the command then outbuf is not allocated and the driver duly explodes. Reported-by: NDan Carpenter <dan.carpenter@oracle.com> Signed-off-by: NAlan Cox <alan@linux.intel.com> Signed-off-by: NSelvan Mani <smani@micron.com> Signed-off-by: NAsai Thambi S P <asamymuthupa@micron.com> Signed-off-by: NJens Axboe <axboe@kernel.dk>
-
由 Jens Axboe 提交于
Request based dm attempts to re-run the request queue off the request completion path. If used with a driver that potentially does end_io from its request_fn, we could deadlock trying to recurse back into request dispatch. Fix this by punting the request queue run to kblockd. Tested to fix a quickly reproducible deadlock in such a scenario. Cc: stable@kernel.org Acked-by: NAlasdair G Kergon <agk@redhat.com> Signed-off-by: NJens Axboe <axboe@kernel.dk>
-
由 Jiri Kosina 提交于
We need to first destroy the floppy_wq workqueue before cleaning up the queue. Otherwise we might race with still pending work with the workqueue, but all the block queue already gone. This might lead to various oopses, such as CPU 0 Pid: 6, comm: kworker/u:0 Not tainted 3.7.0-rc4 #1 Bochs Bochs RIP: 0010:[<ffffffff8134eef5>] [<ffffffff8134eef5>] blk_peek_request+0xd5/0x1c0 RSP: 0000:ffff88000dc7dd88 EFLAGS: 00010092 RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000000 RDX: ffff88000f602688 RSI: ffffffff81fd95d8 RDI: 6b6b6b6b6b6b6b6b RBP: ffff88000dc7dd98 R08: ffffffff81fd95c8 R09: 0000000000000000 R10: ffffffff81fd9480 R11: 0000000000000001 R12: 6b6b6b6b6b6b6b6b R13: ffff88000dc7dfd8 R14: ffff88000dc7dfd8 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffffffff81e21000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000000000000 CR3: 0000000001e11000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process kworker/u:0 (pid: 6, threadinfo ffff88000dc7c000, task ffff88000dc5ecc0) Stack: 0000000000000000 0000000000000000 ffff88000dc7ddb8 ffffffff8134efee ffff88000dc7ddb8 0000000000000000 ffff88000dc7dde8 ffffffff814aef3c ffffffff81e75d80 ffff88000dc0c640 ffff88000fbfb000 ffffffff814aed90 Call Trace: [<ffffffff8134efee>] blk_fetch_request+0xe/0x30 [<ffffffff814aef3c>] redo_fd_request+0x1ac/0x400 [<ffffffff814aed90>] ? start_motor+0x130/0x130 [<ffffffff8106b526>] process_one_work+0x136/0x450 [<ffffffff8106af65>] ? manage_workers+0x205/0x2e0 [<ffffffff8106bb6d>] worker_thread+0x14d/0x420 [<ffffffff8106ba20>] ? rescuer_thread+0x1a0/0x1a0 [<ffffffff8107075a>] kthread+0xba/0xc0 [<ffffffff810706a0>] ? __kthread_parkme+0x80/0x80 [<ffffffff818b553a>] ret_from_fork+0x7a/0xb0 [<ffffffff810706a0>] ? __kthread_parkme+0x80/0x80 Code: 0f 84 c0 00 00 00 83 f8 01 0f 85 e2 00 00 00 81 4b 40 00 00 80 00 48 89 df e8 58 f8 ff ff be fb ff ff ff fe ff ff <49> 8b 1c 24 49 39 dc 0f 85 2e ff ff ff 41 0f b6 84 24 28 04 00 RIP [<ffffffff8134eef5>] blk_peek_request+0xd5/0x1c0 RSP <ffff88000dc7dd88> Reported-by: NFengguang Wu <fengguang.wu@intel.com> Tested-by: NFengguang Wu <fengguang.wu@intel.com> Signed-off-by: NJiri Kosina <jkosina@suse.cz> Signed-off-by: NJens Axboe <axboe@kernel.dk>
-