1. 31 8月, 2013 4 次提交
  2. 30 8月, 2013 9 次提交
  3. 29 8月, 2013 13 次提交
    • H
      cgroup: fix rmdir EBUSY regression in 3.11 · bb78a92f
      Hugh Dickins 提交于
      On 3.11-rc we are seeing cgroup directories left behind when they should
      have been removed.  Here's a trivial reproducer:
      
      cd /sys/fs/cgroup/memory
      mkdir parent parent/child; rmdir parent/child parent
      rmdir: failed to remove `parent': Device or resource busy
      
      It's because cgroup_destroy_locked() (step 1 of destruction) leaves
      cgroup on parent's children list, letting cgroup_offline_fn() (step 2 of
      destruction) remove it; but step 2 is run by work queue, which may not
      yet have removed the children when parent destruction checks the list.
      
      Fix that by checking through a non-empty list of children: if every one
      of them has already been marked CGRP_DEAD, then it's safe to proceed:
      those children are invisible to userspace, and should not obstruct rmdir.
      
      (I didn't see any reason to keep the cgrp->children checks under the
      unrelated css_set_lock, so moved them out.)
      
      tj: Flattened nested ifs a bit and updated comment so that it's
          correct on both for-3.11-fixes and for-3.12.
      Signed-off-by: NHugh Dickins <hughd@google.com>
      Signed-off-by: NTejun Heo <tj@kernel.org>
      bb78a92f
    • T
      workqueue: cond_resched() after processing each work item · b22ce278
      Tejun Heo 提交于
      If !PREEMPT, a kworker running work items back to back can hog CPU.
      This becomes dangerous when a self-requeueing work item which is
      waiting for something to happen races against stop_machine.  Such
      self-requeueing work item would requeue itself indefinitely hogging
      the kworker and CPU it's running on while stop_machine would wait for
      that CPU to enter stop_machine while preventing anything else from
      happening on all other CPUs.  The two would deadlock.
      
      Jamie Liu reports that this deadlock scenario exists around
      scsi_requeue_run_queue() and libata port multiplier support, where one
      port may exclude command processing from other ports.  With the right
      timing, scsi_requeue_run_queue() can end up requeueing itself trying
      to execute an IO which is asked to be retried while another device has
      an exclusive access, which in turn can't make forward progress due to
      stop_machine.
      
      Fix it by invoking cond_resched() after executing each work item.
      Signed-off-by: NTejun Heo <tj@kernel.org>
      Reported-by: NJamie Liu <jamieliu@google.com>
      References: http://thread.gmane.org/gmane.linux.kernel/1552567
      Cc: stable@vger.kernel.org
      --
       kernel/workqueue.c |    9 +++++++++
       1 file changed, 9 insertions(+)
      b22ce278
    • L
      Merge branch 'akpm' (patches from Andrew Morton) · c95389b4
      Linus Torvalds 提交于
      Merge fixes from Andrew Morton:
       "Five fixes.
      
        err, make that six.  let me try again"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        fs/ocfs2/super.c: Use bigger nodestr to accomodate 32-bit node numbers
        memcg: check that kmem_cache has memcg_params before accessing it
        drivers/base/memory.c: fix show_mem_removable() to handle missing sections
        IPC: bugfix for msgrcv with msgtyp < 0
        Omnikey Cardman 4000: pull in ioctl.h in user header
        timer_list: correct the iterator for timer_list
      c95389b4
    • G
      fs/ocfs2/super.c: Use bigger nodestr to accomodate 32-bit node numbers · 49fa8140
      Goldwyn Rodrigues 提交于
      While using pacemaker/corosync, the node numbers are generated using IP
      address as opposed to serial node number generation.  This may not fit
      in a 8-byte string.  Use a bigger string to print the complete node
      number.
      Signed-off-by: NGoldwyn Rodrigues <rgoldwyn@suse.com>
      Cc: Mark Fasheh <mfasheh@suse.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      49fa8140
    • A
      memcg: check that kmem_cache has memcg_params before accessing it · 6f6b8951
      Andrey Vagin 提交于
      If the system had a few memory groups and all of them were destroyed,
      memcg_limited_groups_array_size has non-zero value, but all new caches
      are created without memcg_params, because memcg_kmem_enabled() returns
      false.
      
      We try to enumirate child caches in a few places and all of them are
      potentially dangerous.
      
      For example my kernel is compiled with CONFIG_SLAB and it crashed when I
      tryed to mount a NFS share after a few experiments with kmemcg.
      
        BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
        IP: [<ffffffff8118166a>] do_tune_cpucache+0x8a/0xd0
        PGD b942a067 PUD b999f067 PMD 0
        Oops: 0000 [#1] SMP
        Modules linked in: fscache(+) ip6table_filter ip6_tables iptable_filter ip_tables i2c_piix4 pcspkr virtio_net virtio_balloon i2c_core floppy
        CPU: 0 PID: 357 Comm: modprobe Not tainted 3.11.0-rc7+ #59
        Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
        task: ffff8800b9f98240 ti: ffff8800ba32e000 task.ti: ffff8800ba32e000
        RIP: 0010:[<ffffffff8118166a>]  [<ffffffff8118166a>] do_tune_cpucache+0x8a/0xd0
        RSP: 0018:ffff8800ba32fb70  EFLAGS: 00010246
        RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000006
        RDX: 0000000000000000 RSI: ffff8800b9f98910 RDI: 0000000000000246
        RBP: ffff8800ba32fba0 R08: 0000000000000002 R09: 0000000000000004
        R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000010
        R13: 0000000000000008 R14: 00000000000000d0 R15: ffff8800375d0200
        FS:  00007f55f1378740(0000) GS:ffff8800bfa00000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
        CR2: 00007f24feba57a0 CR3: 0000000037b51000 CR4: 00000000000006f0
        Call Trace:
          enable_cpucache+0x49/0x100
          setup_cpu_cache+0x215/0x280
          __kmem_cache_create+0x2fa/0x450
          kmem_cache_create_memcg+0x214/0x350
          kmem_cache_create+0x2b/0x30
          fscache_init+0x19b/0x230 [fscache]
          do_one_initcall+0xfa/0x1b0
          load_module+0x1c41/0x26d0
          SyS_finit_module+0x86/0xb0
          system_call_fastpath+0x16/0x1b
      Signed-off-by: NAndrey Vagin <avagin@openvz.org>
      Cc: Pekka Enberg <penberg@kernel.org>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: Glauber Costa <glommer@openvz.org>
      Cc: Joonsoo Kim <js1304@gmail.com>
      Cc: Michal Hocko <mhocko@suse.cz>
      Cc: Johannes Weiner <hannes@cmpxchg.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      6f6b8951
    • R
      drivers/base/memory.c: fix show_mem_removable() to handle missing sections · 21ea9f5a
      Russ Anderson 提交于
      "cat /sys/devices/system/memory/memory*/removable" crashed the system.
      
      The problem is that show_mem_removable() is passing a
      bad pfn to is_mem_section_removable(), which causes
      
          if (!node_online(page_to_nid(page)))
      
      to blow up.  Why is it passing in a bad pfn?
      
      The reason is that show_mem_removable() will loop sections_per_block
      times.  sections_per_block is 16, but mem->section_count is 8,
      indicating holes in this memory block.  Checking that the memory section
      is present before checking to see if the memory section is removable
      fixes the problem.
      
         harp5-sys:~ # cat /sys/devices/system/memory/memory*/removable
         0
         1
         1
         1
         1
         1
         1
         1
         1
         1
         1
         1
         1
         1
         BUG: unable to handle kernel paging request at ffffea00c3200000
         IP: [<ffffffff81117ed1>] is_pageblock_removable_nolock+0x1/0x90
         PGD 83ffd4067 PUD 37bdfce067 PMD 0
         Oops: 0000 [#1] SMP
         Modules linked in: autofs4 binfmt_misc rdma_ucm rdma_cm iw_cm ib_addr ib_srp scsi_transport_srp scsi_tgt ib_ipoib ib_cm ib_uverbs ib_umad iw_cxgb3 cxgb3 mdio mlx4_en mlx4_ib ib_sa mlx4_core ib_mthca ib_mad ib_core fuse nls_iso8859_1 nls_cp437 vfat fat joydev loop hid_generic usbhid hid hwperf(O) numatools(O) dm_mod iTCO_wdt ipv6 iTCO_vendor_support igb i2c_i801 ioatdma i2c_algo_bit ehci_pci pcspkr lpc_ich i2c_core ehci_hcd ptp sg mfd_core dca rtc_cmos pps_core mperf button xhci_hcd sd_mod crc_t10dif usbcore usb_common scsi_dh_emc scsi_dh_hp_sw scsi_dh_alua scsi_dh_rdac scsi_dh gru(O) xvma(O) xfs crc32c libcrc32c thermal sata_nv processor piix mptsas mptscsih scsi_transport_sas mptbase megaraid_sas fan thermal_sys hwmon ext3 jbd ata_piix ahci libahci libata scsi_mod
         CPU: 4 PID: 5991 Comm: cat Tainted: G           O 3.11.0-rc5-rja-uv+ #10
         Hardware name: SGI UV2000/ROMLEY, BIOS SGI UV 2000/3000 series BIOS 01/15/2013
         task: ffff88081f034580 ti: ffff880820022000 task.ti: ffff880820022000
         RIP: 0010:[<ffffffff81117ed1>]  [<ffffffff81117ed1>] is_pageblock_removable_nolock+0x1/0x90
         RSP: 0018:ffff880820023df8  EFLAGS: 00010287
         RAX: 0000000000040000 RBX: ffffea00c3200000 RCX: 0000000000000004
         RDX: ffffea00c30b0000 RSI: 00000000001c0000 RDI: ffffea00c3200000
         RBP: ffff880820023e38 R08: 0000000000000000 R09: 0000000000000001
         R10: 0000000000000000 R11: 0000000000000001 R12: ffffea00c33c0000
         R13: 0000160000000000 R14: 6db6db6db6db6db7 R15: 0000000000000001
         FS:  00007ffff7fb2700(0000) GS:ffff88083fc80000(0000) knlGS:0000000000000000
         CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
         CR2: ffffea00c3200000 CR3: 000000081b954000 CR4: 00000000000407e0
         Call Trace:
           show_mem_removable+0x41/0x70
           dev_attr_show+0x2a/0x60
           sysfs_read_file+0xf7/0x1c0
           vfs_read+0xc8/0x130
           SyS_read+0x5d/0xa0
           system_call_fastpath+0x16/0x1b
      Signed-off-by: NRuss Anderson <rja@sgi.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
      Cc: Yinghai Lu <yinghai@kernel.org>
      Reviewed-by: NYasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      21ea9f5a
    • S
      IPC: bugfix for msgrcv with msgtyp < 0 · 368ae537
      Svenning Sørensen 提交于
      According to 'man msgrcv': "If msgtyp is less than 0, the first message of
      the lowest type that is less than or equal to the absolute value of msgtyp
      shall be received."
      
      Bug: The kernel only returns a message if its type is 1; other messages
      with type < abs(msgtype) will never get returned.
      
      Fix: After having traversed the list to find the first message with the
      lowest type, we need to actually return that message.
      
      This regression was introduced by commit daaf74cf ("ipc: refactor
      msg list search into separate function")
      Signed-off-by: NSvenning Soerensen <sss@secomea.dk>
      Reviewed-by: NPeter Hurley <peter@hurleysoftware.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      368ae537
    • M
      Omnikey Cardman 4000: pull in ioctl.h in user header · aaaafb7f
      Mike Frysinger 提交于
      This file uses the ioctl helpers (_IOR/_IOW/etc...), so include ioctl.h
      for the definitions.
      Signed-off-by: NMike Frysinger <vapier@gentoo.org>
      Cc: Harald Welte <laforge@gnumonks.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      aaaafb7f
    • N
      timer_list: correct the iterator for timer_list · 84a78a65
      Nathan Zimmer 提交于
      Correct an issue with /proc/timer_list reported by Holger.
      
      When reading from the proc file with a sufficiently small buffer, 2k so
      not really that small, there was one could get hung trying to read the
      file a chunk at a time.
      
      The timer_list_start function failed to account for the possibility that
      the offset was adjusted outside the timer_list_next.
      Signed-off-by: NNathan Zimmer <nzimmer@sgi.com>
      Reported-by: NHolger Hans Peter Freyther <holger@freyther.de>
      Cc: John Stultz <john.stultz@linaro.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Berke Durak <berke.durak@xiphos.com>
      Cc: Jeff Layton <jlayton@redhat.com>
      Tested-by: NAl Viro <viro@zeniv.linux.org.uk>
      Cc: <stable@vger.kernel.org> # 3.10.x
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      84a78a65
    • W
      vfs: make the dentry cache use the lockref infrastructure · 98474236
      Waiman Long 提交于
      This just replaces the dentry count/lock combination with the lockref
      structure that contains both a count and a spinlock, and does the
      mechanical conversion to use the lockref infrastructure.
      
      There are no semantic changes here, it's purely syntactic.  The
      reference lockref implementation uses the spinlock exactly the same way
      that the old dcache code did, and the bulk of this patch is just
      expanding the internal "d_count" use in the dcache code to use
      "d_lockref.count" instead.
      
      This is purely preparation for the real change to make the reference
      count updates be lockless during the 3.12 merge window.
      
      [ As with the previous commit, this is a rewritten version of a concept
        originally from Waiman, so credit goes to him, blame for any errors
        goes to me.
      
        Waiman's patch had some semantic differences for taking advantage of
        the lockless update in dget_parent(), while this patch is
        intentionally a pure search-and-replace change with no semantic
        changes.     - Linus ]
      Signed-off-by: NWaiman Long <Waiman.Long@hp.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      98474236
    • W
      Add new lockref infrastructure reference implementation · 0f8f2aaa
      Waiman Long 提交于
      This introduces a new "lockref" structure that supports the concept of
      lockless updates of reference counts that still honor an attached
      spinlock.
      
      NOTE! This reference implementation is not the optimized lockless
      version, rather it is the fallback implementation using standard
      spinlocks.  The actual optimized versions will be merged into 3.12, but
      I wanted to get the infrastructure in place and document the new
      interfaces.
      
      [ Also note that this particular commit is drastically cut-down minimal
        version of the original patch by Waiman.  In order to properly credit
        the original author I'm marking Waiman as the author here, but in the
        end this patch bears little resemblance to the patch by Waiman.  So
        blame any errors on me editing things down to the point where I can
        introduce the infrastructure before the merge window for 3.12 actually
        opens.     - Linus ]
      Signed-off-by: NWaiman Long <Waiman.Long@hp.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      0f8f2aaa
    • T
      SUNRPC: Fix memory corruption issue on 32-bit highmem systems · 347e2233
      Trond Myklebust 提交于
      Some architectures, such as ARM-32 do not return the same base address
      when you call kmap_atomic() twice on the same page.
      This causes problems for the memmove() call in the XDR helper routine
      "_shift_data_right_pages()", since it defeats the detection of
      overlapping memory ranges, and has been seen to corrupt memory.
      
      The fix is to distinguish between the case where we're doing an
      inter-page copy or not. In the former case of we know that the memory
      ranges cannot possibly overlap, so we can additionally micro-optimise
      by replacing memmove() with memcpy().
      Reported-by: NMark Young <MYoung@nvidia.com>
      Reported-by: NMatt Craighead <mcraighead@nvidia.com>
      Cc: Bruce Fields <bfields@fieldses.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: NTrond Myklebust <Trond.Myklebust@netapp.com>
      Tested-by: NMatt Craighead <mcraighead@nvidia.com>
      347e2233
    • L
      Revert "fs: Allow unprivileged linkat(..., AT_EMPTY_PATH) aka flink" · f0cc6ffb
      Linus Torvalds 提交于
      This reverts commit bb2314b4.
      
      It wasn't necessarily wrong per se, but we're still busily discussing
      the exact details of this all, so I'm going to revert it for now.
      
      It's true that you can already do flink() through /proc and that flink()
      isn't new.  But as Brad Spengler points out, some secure environments do
      not mount proc, and flink adds a new interface that can avoid path
      lookup of the source for those kinds of environments.
      
      We may re-do this (and even mark it for stable backporting back in 3.11
      and possibly earlier) once the whole discussion about the interface is done.
      
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Brad Spengler <spender@grsecurity.net>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      f0cc6ffb
  4. 28 8月, 2013 4 次提交
    • T
      ALSA: opti9xx: Fix conflicting driver object name · fb615499
      Takashi Iwai 提交于
      The recent commit to delay the release of kobject triggered NULL
      dereferences of opti9xx drivers.  The cause is that all
      snd-opti92x-ad1848, snd-opti92x-cs4231 and snd-opti93x drivers
      register the PnP card driver with the very same name, and also
      snd-opti92x-ad1848 and -cs4231 drivers register the ISA driver with
      the same name, too.  When these drivers are built in, quick
      "register-release-and-re-register" actions occur, and this results in
      Oops because of the same name is assigned to the kobject.
      
      The fix is simply to assign individual names.  As a bonus, by using
      KBUILD_MODNAME, the patch reduces more lines than it adds.
      
      The fix is based on the suggestion by Russell King.
      Reported-and-tested-by: NFengguang Wu <fengguang.wu@intel.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      fb615499
    • L
      Merge tag 'regmap-v3.11-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap · fa8218de
      Linus Torvalds 提交于
      Pull regmap fixes from Mark Brown:
       "Two changes here:
      
         - Fix a bug in the rbtree code which could cause it to create two
           different cache entries for the same register by adding a single
           register at a time to the cache.  This isn't awesome for
           performance but it's non-invasive which we need for this late in
           the release cycle and the I/O costs we're trying to avoid are high.
      
         - Add another header used in the !CONFIG_REGMAP stubs where we had
           been relying on implicit inclusion"
      
      * tag 'regmap-v3.11-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap:
        regmap: rbtree: Fix overlapping rbnodes.
        regmap: Add another missing header for !CONFIG_REGMAP stubs
      fa8218de
    • L
      Merge branch 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc · 0c6b5c5b
      Linus Torvalds 提交于
      Pull powerpc fixes from Ben Herrenschmidt:
       "Here are 3 bug fixes that should probably go into 3.11 since I'm also
        tagging them for stable.
      
        Once fixes our old /proc/powerpc/lparcfg file which provides partition
        informations when running under our hypervisor and also acts as a
        user-triggerable Oops when hot :-(
      
        The other two respectively are a one liner to fix a HVSI protocol
        handshake problem causing the console to fail to show up on a bunch of
        machines until we reach userspace, which I deem annoying enough to
        warrant going to stable, and a nasty gcc miscompile causing us to pass
        virtual instead of physical addresses to the firmware under some
        circumstances"
      
      * 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc:
        powerpc/hvsi: Increase handshake timeout from 200ms to 400ms.
        powerpc: Work around gcc miscompilation of __pa() on 64-bit
        powerpc: Don't Oops when accessing /proc/powerpc/lparcfg without hypervisor
      0c6b5c5b
    • C
      mm: move_ptes -- Set soft dirty bit depending on pte type · 6dec97dc
      Cyrill Gorcunov 提交于
      Dave reported corrupted swap entries
      
       | [ 4588.541886] swap_free: Unused swap offset entry 00002d15
       | [ 4588.541952] BUG: Bad page map in process trinity-kid12  pte:005a2a80 pmd:22c01f067
      
      and Hugh pointed that in move_ptes _PAGE_SOFT_DIRTY bit set regardless
      the type of entry pte consists of.  The trick here is that when we carry
      soft dirty status in swap entries we are to use _PAGE_SWP_SOFT_DIRTY
      instead, because this is the only place in pte which can be used for own
      needs without intersecting with bits owned by swap entry type/offset.
      Reported-and-tested-by: NDave Jones <davej@redhat.com>
      Signed-off-by: NCyrill Gorcunov <gorcunov@openvz.org>
      Cc: Pavel Emelyanov <xemul@parallels.com>
      Analyzed-by: NHugh Dickins <hughd@google.com>
      Cc: Hillf Danton <dhillf@gmail.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      6dec97dc
  5. 27 8月, 2013 6 次提交
  6. 26 8月, 2013 4 次提交