1. 14 8月, 2008 6 次提交
  2. 13 8月, 2008 16 次提交
    • S
      crypto: padlock - fix VIA PadLock instruction usage with irq_ts_save/restore() · e4914012
      Suresh Siddha 提交于
      Wolfgang Walter reported this oops on his via C3 using padlock for
      AES-encryption:
      
      ##################################################################
      
      BUG: unable to handle kernel NULL pointer dereference at 000001f0
      IP: [<c01028c5>] __switch_to+0x30/0x117
      *pde = 00000000
      Oops: 0002 [#1] PREEMPT
      Modules linked in:
      
      Pid: 2071, comm: sleep Not tainted (2.6.26 #11)
      EIP: 0060:[<c01028c5>] EFLAGS: 00010002 CPU: 0
      EIP is at __switch_to+0x30/0x117
      EAX: 00000000 EBX: c0493300 ECX: dc48dd00 EDX: c0493300
      ESI: dc48dd00 EDI: c0493530 EBP: c04cff8c ESP: c04cff7c
       DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
      Process sleep (pid: 2071, ti=c04ce000 task=dc48dd00 task.ti=d2fe6000)
      Stack: dc48df30 c0493300 00000000 00000000 d2fe7f44 c03b5b43 c04cffc8 00000046
             c0131856 0000005a dc472d3c c0493300 c0493470 d983ae00 00002696 00000000
             c0239f54 00000000 c04c4000 c04cffd8 c01025fe c04f3740 00049800 c04cffe0
      Call Trace:
       [<c03b5b43>] ? schedule+0x285/0x2ff
       [<c0131856>] ? pm_qos_requirement+0x3c/0x53
       [<c0239f54>] ? acpi_processor_idle+0x0/0x434
       [<c01025fe>] ? cpu_idle+0x73/0x7f
       [<c03a4dcd>] ? rest_init+0x61/0x63
       =======================
      
      Wolfgang also found out that adding kernel_fpu_begin() and kernel_fpu_end()
      around the padlock instructions fix the oops.
      
      Suresh wrote:
      
      These padlock instructions though don't use/touch SSE registers, but it behaves
      similar to other SSE instructions. For example, it might cause DNA faults
      when cr0.ts is set. While this is a spurious DNA trap, it might cause
      oops with the recent fpu code changes.
      
      This is the code sequence  that is probably causing this problem:
      
      a) new app is getting exec'd and it is somewhere in between
         start_thread() and flush_old_exec() in the load_xyz_binary()
      
      b) At pont "a", task's fpu state (like TS_USEDFPU, used_math() etc) is
         cleared.
      
      c) Now we get an interrupt/softirq which starts using these encrypt/decrypt
         routines in the network stack. This generates a math fault (as
         cr0.ts is '1') which sets TS_USEDFPU and restores the math that is
         in the task's xstate.
      
      d) Return to exec code path, which does start_thread() which does
         free_thread_xstate() and sets xstate pointer to NULL while
         the TS_USEDFPU is still set.
      
      e) At the next context switch from the new exec'd task to another task,
         we have a scenarios where TS_USEDFPU is set but xstate pointer is null.
         This can cause an oops during unlazy_fpu() in __switch_to()
      
      Now:
      
      1) This should happen with or with out pre-emption. Viro also encountered
         similar problem with out CONFIG_PREEMPT.
      
      2) kernel_fpu_begin() and kernel_fpu_end() will fix this problem, because
         kernel_fpu_begin() will manually do a clts() and won't run in to the
         situation of setting TS_USEDFPU in step "c" above.
      
      3) This was working before the fpu changes, because its a spurious
         math fault  which doesn't corrupt any fpu/sse registers and the task's
         math state was always in an allocated state.
      
      With out the recent lazy fpu allocation changes, while we don't see oops,
      there is a possible race still present in older kernels(for example,
      while kernel is using kernel_fpu_begin() in some optimized clear/copy
      page and an interrupt/softirq happens which uses these padlock
      instructions generating DNA fault).
      
      This is the failing scenario that existed even before the lazy fpu allocation
      changes:
      
      0. CPU's TS flag is set
      
      1. kernel using FPU in some optimized copy  routine and while doing
      kernel_fpu_begin() takes an interrupt just before doing clts()
      
      2. Takes an interrupt and ipsec uses padlock instruction. And we
      take a DNA fault as TS flag is still set.
      
      3. We handle the DNA fault and set TS_USEDFPU and clear cr0.ts
      
      4. We complete the padlock routine
      
      5. Go back to step-1, which resumes clts() in kernel_fpu_begin(), finishes
      the optimized copy routine and does kernel_fpu_end(). At this point,
      we have cr0.ts again set to '1' but the task's TS_USEFPU is stilll
      set and not cleared.
      
      6. Now kernel resumes its user operation. And at the next context
      switch, kernel sees it has do a FP save as TS_USEDFPU is still set
      and then will do a unlazy_fpu() in __switch_to(). unlazy_fpu()
      will take a DNA fault, as cr0.ts is '1' and now, because we are
      in __switch_to(), math_state_restore() will get confused and will
      restore the next task's FP state and will save it in prev tasks's FP state.
      Remember, in __switch_to() we are already on the stack of the next task
      but take a DNA fault for the prev task.
      
      This causes the fpu leakage.
      
      Fix the padlock instruction usage by calling them inside the
      context of new routines irq_ts_save/restore(), which clear/restore cr0.ts
      manually in the interrupt context. This will not generate spurious DNA
      in the  context of the interrupt which will fix the oops encountered and
      the possible FPU leakage issue.
      Reported-and-bisected-by: NWolfgang Walter <wolfgang.walter@stwm.de>
      Signed-off-by: NSuresh Siddha <suresh.b.siddha@intel.com>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      e4914012
    • H
      crypto: hash - Add missing top-level functions · 318e5313
      Herbert Xu 提交于
      The top-level functions init/update/final were missing for ahash.
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      318e5313
    • R
      ipv6: Kill unused ip6_prohibit_entry and ip6_blk_hole_entry declarations. · 6bf90b2b
      Rami Rosen 提交于
      This patch removes ip6_prohibit_entry and ip6_blk_hole_entry
      declarations from include/net/ip6_route.h as they are unused.
      Signed-off-by: NRami Rosen <ramirose@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6bf90b2b
    • R
      ipv6: ip6_route.h cleanup. · 83ac794f
      Rami Rosen 提交于
      This patch removes rt6_lock declaration from include/net/ip6_route.h
      as it is unused.
      Signed-off-by: NRami Rosen <ramirose@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      83ac794f
    • D
      pkt_sched: Add queue stopped test back to qdisc_run(). · 83f36f3f
      David S. Miller 提交于
      Based upon a bug report by Andrew Gallatin on netdev
      with subject "CPU utilization increased in 2.6.27rc"
      
      In commit 37437bb2
      ("pkt_sched: Schedule qdiscs instead of netdev_queue.")
      the test of the queue being stopped was erroneously
      removed from qdisc_run().
      
      When the TX queue of the device fills up, this omission
      causes lots of extraneous useless work to be queued up
      to softirq context, where we'll just return immediately
      because the device is still stuffed up.
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      83f36f3f
    • D
      [XFS] extend completions to provide XFS object flush requirements · 39d2f1ab
      David Chinner 提交于
      XFS object flushing doesn't quite match existing completion semantics.  It
      mixed exclusive access with completion.  That is, we need to mark an object as
      being flushed before flushing it to disk, and then block any other attempt to
      flush it until the completion occurs.  We do this but adding an extra count to
      the completion before we start using them.  However, we still need to
      determine if there is a completion in progress, and allow no-blocking attempts
      fo completions to decrement the count.
      
      To do this we introduce:
      
      int try_wait_for_completion(struct completion *x)
      	returns a failure status if done == 0, otherwise decrements done
      	to zero and returns a "started" status. This is provided
      	to allow counted completions to begin safely while holding
      	object locks in inverted order.
      
      int completion_done(struct completion *x)
      	returns 1 if there is no waiter, 0 if there is a waiter
      	(i.e. a completion in progress).
      
      This replaces the use of semaphores for providing this exclusion
      and completion mechanism.
      
      SGI-PV: 981498
      
      SGI-Modid: xfs-linux-melb:xfs-kern:31816a
      Signed-off-by: NDavid Chinner <david@fromorbit.com>
      Signed-off-by: NLachlan McIlroy <lachlan@sgi.com>
      39d2f1ab
    • B
      firmware/memmap: cleanup · 31bad924
      Bernhard Walle 提交于
      Various cleanup the drivers/firmware/memmap (after review by AKPM):
      
          - fix kdoc to conform to the standard
          - move kdoc from header to implementation files
          - remove superfluous WARN_ON() after kmalloc()
          - WARN_ON(x); if (!x) -> if(!WARN_ON(x))
          - improve some comments
      Signed-off-by: NBernhard Walle <bwalle@suse.de>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      31bad924
    • M
      Make ioctl.h compatible with userland · 5f8c3c8e
      Michael Abbott 提交于
      The attached patch seems to already exist in a number of branches -- it
      keeps popping up on Google for me, and is certainly already in Debian --
      but is strangely absent from mainstream.
      
      The problem appears to be that the patched file ends up as part of the
      target toolchain, but unfortunately the gcc constant folding doesn't
      appear to eliminate the __invalid_size_argument_for_IOC value early
      enough.  Certainly compiling C++ programs which use _IO...  macros as
      constants fails without this patch.
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      5f8c3c8e
    • H
    • H
      byteorder: add a new include/linux/swab.h to define byteswapping functions · 40c9f222
      Harvey Harrison 提交于
      Collect the implementations from include/linux/byteorder/swab.h, swabb.h
      in swab.h
      
      The functionality provided covers:
      u16 swab16(u16 val) - return a byteswapped 16 bit value
      u32 swab32(u32 val) - return a byteswapped 32 bit value
      u64 swab64(u64 val) - return a byteswapped 64 bit value
      u32 swahw32(u32 val) - return a wordswapped 32 bit value
      u32 swahb32(u32 val) - return a high/low byteswapped 32 bit value
      
      Similar to above, but return swapped value from a naturally-aligned pointer
      u16 swab16p(u16 *p)
      u32 swab32p(u32 *p)
      u64 swab64p(u64 *p)
      u32 swahw32p(u32 *p)
      u32 swahb32p(u32 *p)
      
      Similar to above, but swap the value in-place (in-situ)
      void swab16s(u16 *p)
      void swab32s(u32 *p)
      void swab64s(u64 *p)
      void swahw32s(u32 *p)
      void swahb32s(u32 *p)
      
      Arches can override any of these with an optimized version by defining an
      inline in their asm/byteorder.h (example given for swab16()):
      
      u16 __arch_swab16() {}
       #define __arch_swab16 __arch_swab16
      Signed-off-by: NHarvey Harrison <harvey.harrison@gmail.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      40c9f222
    • A
      seq_file: add seq_cpumask(), seq_nodemask() · 50ac2d69
      Alexey Dobriyan 提交于
      Short enough reads from /proc/irq/*/smp_affinity return -EINVAL for no
      good reason.
      
      This became noticed with NR_CPUS=4096 patches, when length of printed
      representation of cpumask becase 1152, but cat(1) continued to read with
      1024-byte chunks.  bitmap_scnprintf() in good faith fills buffer, returns
      1023, check returns -EINVAL.
      
      Fix it by switching to seq_file, so handler will just fill buffer and
      doesn't care about offsets, length, filling EOF and all this crap.
      
      For that add seq_bitmap(), and wrappers around it -- seq_cpumask() and
      seq_nodemask().
      Signed-off-by: NAlexey Dobriyan <adobriyan@gmail.com>
      Reviewed-by: NPaul Jackson <pj@sgi.com>
      Cc: Mike Travis <travis@sgi.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      50ac2d69
    • U
      move kernel-doc comment for might_sleep directly before its defining block · 070cb065
      Uwe Kleine-König 提交于
      Signed-off-by: NUwe Kleine-König <Uwe.Kleine-Koenig@digi.com>
      Cc: Ingo Molnar <mingo@elte.hu>
      Cc: Randy Dunlap <randy.dunlap@oracle.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      070cb065
    • H
      atmel_lcdfb: add board parameter specify framebuffer memory size · ea757aca
      Haavard Skinnemoen 提交于
      Specify how much physically continuous, DMA capable memory will be
      allocated at driver initialization time.  This allow to create framebuffer
      device with larger virtual resolution.  Combine with y-panning this can be
      used to implement double buffering acceleration method.
      Signed-off-by: NStanislaw Gruszka <stf_xl@wp.pl>
      Acked-by: NHaavard Skinnemoen <haavard.skinnemoen@atmel.com>
      Acked-by: NKrzysztof Helt <krzysztof.h1@wp.pl>
      Cc: Nicolas Ferre <nicolas.ferre@atmel.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      ea757aca
    • J
      matrox maven: convert to a new-style i2c driver · 10546355
      Jean Delvare 提交于
      The legacy i2c model is going away soon, so switch to the new model.
      Signed-off-by: NJean Delvare <khali@linux-fr.org>
      Acked-by: NKrzysztof Helt <krzysztof.h1@wp.pl>
      Cc: Petr Vandrovec <VANDROVE@vc.cvut.cz>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      10546355
    • D
      radeonfb: fix accel engine hangs · 969830b2
      David Miller 提交于
      Some chips appear to have the 2D engine hang during screen redraw,
      typically in a sequence of copyarea operations. This appear to be
      solved by adding a flush of the engine destination pixel cache
      and waiting for the engine to be idle before issuing the accel
      operation. The performance impact seems to be fairly small.
      
      Here is a trace on an RV370 (PCI device ID 0x5b64), it records the
      RBBM_STATUS register, then the source x/y, destination x/y, and
      width/height used for the copy:
      
      ----------------------------------------
      radeonfb_prim_copyarea: STATUS[00000140] src[210:70] dst[210:60] wh[a0:10]
      radeonfb_prim_copyarea: STATUS[00000140] src[2b8:70] dst[2b8:60] wh[88:10]
      radeonfb_prim_copyarea: STATUS[00000140] src[348:70] dst[348:60] wh[40:10]
      radeonfb_prim_copyarea: STATUS[80020140] src[390:70] dst[390:60] wh[88:10]
      radeonfb_prim_copyarea: STATUS[8002613f] src[40:80] dst[40:70] wh[28:10]
      radeonfb_prim_copyarea: STATUS[80026139] src[a8:80] dst[a8:70] wh[38:10]
      radeonfb_prim_copyarea: STATUS[80026133] src[e8:80] dst[e8:70] wh[80:10]
      radeonfb_prim_copyarea: STATUS[8002612d] src[170:80] dst[170:70] wh[30:10]
      radeonfb_prim_copyarea: STATUS[80026127] src[1a8:80] dst[1a8:70] wh[8:10]
      radeonfb_prim_copyarea: STATUS[80026121] src[1b8:80] dst[1b8:70] wh[88:10]
      radeonfb_prim_copyarea: STATUS[8002611b] src[248:80] dst[248:70] wh[68:10]
      ----------------------------------------
      
      When things are going fine the copies complete before the next ROP is
      even issued, but all of a sudden the 2D unit becomes active (bit 17 in
      RBBM_STATUS) and the FIFO retry (bit 13) and FIFO pipeline busy (bit
      14) are set as well.  The FIFO begins to backup until it becomes full.
      
      What happens next is the radeon_fifo_wait() times out, and we access
      the chip illegally leading to a bus error which usually wedges the
      box.  None of this makes it to the console screen, of course :-)
      radeon_fifo_wait() should be modified to reset the accelerator when
      this timeout happens instead of programming the chip anyways.
      
      ----------------------------------------
      radeonfb: FIFO Timeout !
      ERROR(0): Cheetah error trap taken afsr[0010080005000000] afar[000007f900800e40] TL1(0)
      ERROR(0): TPC[595114] TNPC[595118] O7[459788] TSTATE[11009601]
      ERROR(0): TPC<radeonfb_copyarea+0xfc/0x248>
      ERROR(0): M_SYND(0),  E_SYND(0), Privileged
      ERROR(0): Highest priority error (0000080000000000) "Bus error response from system bus"
      ERROR(0): D-cache idx[0] tag[0000000000000000] utag[0000000000000000] stag[0000000000000000]
      ERROR(0): D-cache data0[0000000000000000] data1[0000000000000000] data2[0000000000000000] data3[0000000000000000]
      ERROR(0): I-cache idx[0] tag[0000000000000000] utag[0000000000000000] stag[0000000000000000] u[0000000000000000] l[00\
      
      ERROR(0): I-cache INSN0[0000000000000000] INSN1[0000000000000000] INSN2[0000000000000000] INSN3[0000000000000000]
      ERROR(0): I-cache INSN4[0000000000000000] INSN5[0000000000000000] INSN6[0000000000000000] INSN7[0000000000000000]
      ERROR(0): E-cache idx[800e40] tag[000000000e049f4c]
      ERROR(0): E-cache data0[fffff8127d300180] data1[00000000004b5384] data2[0000000000000000] data3[0000000000000000]
      Ker:xnel panic - not syncing: Irrecoverable deferred error trap.
      ----------------------------------------
      
      Another quirk is that these copyarea calls will not happen until the
      first drivers/char/vt.c:redraw_screen() occurs.  This will only happen
      if you 1) VC switch or 2) run "consolechars" or 3) unblank the screen.
      
      This seems to happen because until a redraw_screen() the screen scrolling
      method used by fbcon is not finalized yet.  I've seen this with other fb
      drivers too.
      
      So if all you do is boot straight into X you will never see this bug on
      the relevant chips.
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: <stable@kernel.org>		[2.6.25.x, 2.6.26.x]
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      969830b2
    • J
      page allocator: use no-panic variant of alloc_bootmem() in alloc_large_system_hash() · 74768ed8
      Jan Beulich 提交于
      ..  since a failed allocation is being (initially) handled gracefully, and
      panic()-ed upon failure explicitly in the function if retries with smaller
      sizes failed.
      Signed-off-by: NJan Beulich <jbeulich@novell.com>
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      74768ed8
  3. 12 8月, 2008 7 次提交
  4. 11 8月, 2008 11 次提交