In OLPC trac #4184 we found a case where a corrupted node didn't
actually get obsoleted when we tried to garbage-collect it. So we wrote
out many million copies of it, in repeated attempts to obsolete it,
until the flash became full. Don't Do That.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Instead of matching resv_blocks_gcmerge, which is only about 3, instead
match resv_blocks_gctrigger, which includes a proportion of the total
device size.
These ought to become tunable from userspace, at some point.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
With huge amounts of free space, we weren't bothering to GC for while a
while, and pathological numbers of obsolete nodes were accumulating,
seriously affecting performance on NAND flash (OLPC trac #3978)
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
When the erase callback performs some other action on the flash, it's
highly likely to deadlock unless we actually release the chip lock
before calling it.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Originally from Marcelo; modified to put the original timing registers
back instead of 0xFFFFFFFF.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
It was only the very early prototypes which made the mistake of using
the same device ident for all three functions on the device -- don't
bother trying to express that in the PCI match table, since the tools
don't cope. We can check in the probe routine instead, just in case.
Also remember to terminate the table.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Fixup the includes which have been moved around
when changing the s3c24xx arch support.
Signed-off-by: Ben Dooks <ben-linux@fluff.org>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
This patch make the OneNAND driver much less racy. It fixes
our "onenand_wait: read timeout!" heisenbugs. The reason of
these bugs was that the driver did not lock the chip when
accessing OTP, and it screwed up OneNAND state when the OTP
was read while JFFS2 was doing FS checking.
This patch also fixes other races I spotted:
1. BBT was not protected
2. Access to ecc_stats was not protected
Now the chip is locked when BBT is accessed.
To fix all of these I basically split all interface functions
on 'function()' and 'function_nolock()' parts.
I tested this patch on N800 hardware - it fixes our problems.
But I tested a little different version because our OneNAND
codebase is slightly out-of-date. But it should be OK.
This patch also includes the prin fixes I posted before.
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
The Vermilion Range Expansion Bus supports four chip selects, each of which
has 64MiB of address space. The 2nd BAR of the Expansion Bus PCI Device
is a 256MiB memory region containing the address spaces for all four of
the chip selects, with start addresses hardcoded on 64MiB boundaries.
This map driver only supports NOR flash on chip select 0. The buswidth
(either 8 bits or 16 bits) is determined by reading the Expansion Bus Timing
and Control Register for Chip Select 0 (EXP_TIMING_CS0).
Signed-off-by: Andy Lowe <alowe@mvista.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Fix a couple of instances in JFFS2 where the unpoint() routine is
being called with the wrong length in cases where the point() routine
truncated a request.
Signed-off-by: Andy Lowe <alowe@mvista.com>
Signed-off-by: Nicolas Pitre <nico@cam.org>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
The CFI probe routine is capable of detecting flash banks consisting of
identical chips mapped to physically discontiguous addresses. (One
common way this can occur is if a flash bank is populated with chips of
less capacity than the hardware was designed to support.) The CFI
point() routine currently ignores any such gaps. This patch fixes
the CFI point() routine so that it truncates any request that would
span a gap.
Signed-off-by: Andy Lowe <alowe@mvista.com>
Signed-off-by: Nicolas Pitre <nico@cam.org>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Replace Lubbock and Mainstone board drivers with common PXA2xx driver,
convert to platform driver (corresponding platform device changes merged
to kernel.org for 2.6.15), add power management callbacks.
Signed-off-by: Todd Poynor <tpoynor@mvista.com>
Signed-off-by: Nicolas Pitre <npitre@mvista.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
This patch has removed Momenco Ocelot support from MTD.
Ocelot support has already removed.
Signed-off-by: Yoichi Yuasa <yoichi_yuasa@tripeaks.co.jp>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Make nandsim use GFP_NOFS when allocating memory, because it might
be used by a file-system (e.g. UBIFS2) which means, if we are short
of memory, we may deadlock. Indee, UBIFS is holding a lock, writes
to the media, reaches this place in NANDsim, kmalloc does not find
the requested amount of RAM, calls memory shrinker, which decides
to writeback inodes, calls FS, and it deadlocks on the lock which
is already being held. Below is the UBIFS backtrace which
demonstrates that:
[<c03717dc>] __mutex_lock_slowpath+0xc8/0x2e6
[<c0371a16>] mutex_lock+0x1c/0x1f
[<f8b9d076>] reserve_space+0x3d/0xa9 [ubifs]
[<f8b9d1bd>] make_one_reservation+0x2b/0x86 [ubifs]
[<f8b9d3fc>] ubifs_jrn_write_block+0xda/0x12f [ubifs]
[<f8b9ff3a>] ubifs_writepage+0x11d/0x1ec [ubifs]
[<c015d6ab>] shrink_inactive_list+0x7fa/0x969
[<c015d8c8>] shrink_zone+0xae/0x10c
[<c015e3b4>] try_to_free_pages+0x159/0x251
[<c015980a>] __alloc_pages+0x125/0x2f0
[<c016ff6a>] cache_alloc_refill+0x380/0x6ba
[<c01703f3>] __kmalloc+0x14f/0x157
[<f885722a>] do_state_action+0xab7/0xc74 [nandsim]
[<f885760c>] switch_state+0x225/0x402 [nandsim]
[<f8857e7e>] ns_hwcontrol+0x3e2/0x620 [nandsim]
[<f8862f53>] nand_command+0x2e/0x1a5 [nand]
[<f8861ad8>] nand_write_page+0x4a/0x9a [nand]
[<f88617b4>] nand_do_write_ops+0x1cf/0x343 [nand]
[<f8861a70>] nand_write+0x88/0xa6 [nand]
[<f8850b0e>] part_write+0x72/0x8b [mtd]
[<f88e19c5>] ubi_io_write+0x189/0x29c [ubi]
[<f88dfb98>] ubi_eba_write_leb+0xb6/0x699 [ubi]
[<f88def93>] ubi_leb_write+0xe4/0xe9 [ubi]
[<f8ba3b82>] ubifs_wbuf_write_nolock+0x333/0x4c9 [ubifs]
[<f8b9d28c>] write_node+0x74/0x8e [ubifs]
[<f8b9d422>] ubifs_jrn_write_block+0x100/0x12f [ubifs]
[<f8b9ff3a>] ubifs_writepage+0x11d/0x1ec [ubifs]
[<c0159e5b>] __writepage+0xb/0x26
[<c015a318>] write_cache_pages+0x203/0x2d9
[<c015a411>] generic_writepages+0x23/0x2d
[<c015a452>] do_writepages+0x37/0x39
[<c018e24a>] __writeback_single_inode+0x96/0x399
[<c018e903>] sync_sb_inodes+0x1a3/0x274
[<c018ebf3>] writeback_inodes+0xa6/0xd8
[<c015a9dd>] background_writeout+0x86/0x9e
[<c015ae9c>] pdflush+0xfb/0x1b6
[<c01387d7>] kthread+0x37/0x59
[<c0104dc3>] kernel_thread_helper+0x7/0x14
The deadlock is funny because it starts in pdflush/writeback,
and comes back to writeback, then deadlocks. It seems we should look
carefully for other places in UBI and MTD and use GFP_NOFS instead
of GFP_KERNEL.
Caught-by: Adrian Hunter <ext-adrian.hunter@nokia.com>
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
When building NOR flash support, you have compile-time options for the
bus width and the number of individual chips which are interleaved
together onto that bus. The code to deal with arbitrary geometry is a
bit convoluted, and people want to just configure it for the specific
hardware they have, to avoid the runtime overhead.
Selecting _none_ of the available options doesn't make any sense. You
should have at least one. This makes it build though, since people
persist in trying.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
To enable the main read/write at oob ops
Next time we will commit the main read/write support for yaffs2
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Unlike most stuff on the market the chip inside these two allows raw
flash access and doesn't implement and FTL, leaving that functionality
to the device driver.
Raw flash access in a cheap USB cardreader! An MTD test device one can
attach to a PC! What a deal!
The command set of the chip is not documented, so information was
obtained from the existing mass-storage driver
(drivers/usb/storage/alauda.c), its documentation
(http://alauda.sourceforge.net/wikka.php?wakka=BulkCommandReference),
additional reverse engineering and comparison with a vendor driver for a
related chip
(http://www.ratocsystems.com/english/download/driver/linux/sma03u.html).
Signed-off-by: Joern Engel <joern@logfs.org>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
The tqm834x map Kconfig options depends on TQM834x which does not
exist anywhere else in the kernel.
The pq2fads map Kconfig/makefile support was removed a while ago but
the actual file persisted.
Signed-off-by: Kumar Gala <galak@kernel.crashing.org>
These drivers are specific to 4xx support in arch/ppc at the moment. Make
sure they don't get built on arch/powerpc.
Signed-off-by: Josh Boyer <jwboyer@linux.vnet.ibm.com>
Signed-off-by: Kumar Gala <galak@kernel.crashing.org>
The NUMA layer only supports NUMA policies for the highest zone. When
ZONE_MOVABLE is configured with kernelcore=, the the highest zone becomes
ZONE_MOVABLE. The result is that policies are only applied to allocations
like anonymous pages and page cache allocated from ZONE_MOVABLE when the
zone is used.
This patch applies policies to the two highest zones when the highest zone
is ZONE_MOVABLE. As ZONE_MOVABLE consists of pages from the highest "real"
zone, it's always functionally equivalent.
The patch has been tested on a variety of machines both NUMA and non-NUMA
covering x86, x86_64 and ppc64. No abnormal results were seen in
kernbench, tbench, dbench or hackbench. It passes regression tests from
the numactl package with and without kernelcore= once numactl tests are
patched to wait for vmstat counters to update.
akpm: this is the nasty hack to fix NUMA mempolicies in the presence of
ZONE_MOVABLE and kernelcore= in 2.6.23. Christoph says "For .24 either merge
the mobility or get the other solution that Mel is working on. That solution
would only use a single zonelist per node and filter on the fly. That may
help performance and also help to make memory policies work better."
Signed-off-by: Mel Gorman <mel@csn.ul.ie>
Acked-by: Lee Schermerhorn <lee.schermerhorn@hp.com>
Tested-by: Lee Schermerhorn <lee.schermerhorn@hp.com>
Acked-by: Christoph Lameter <clameter@sgi.com>
Cc: Andi Kleen <ak@suse.de>
Cc: Paul Mundt <lethal@linux-sh.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
au1100fb_fb_blank() should come before au1100fb_setmode().
drivers/video/au1100fb.c: In function 'au1100fb_setmode':
drivers/video/au1100fb.c:211: error: implicit declaration of function 'au1100fb_fb_blank'
Signed-off-by: Yoichi Yuasa <yoichi_yuasa@tripeaks.co.jp>
Cc: "Antonino A. Daplas" <adaplas@pol.net>
Cc: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
drivers/video/console/newport_con.c: In function `newport_console_init':
drivers/video/console/newport_con.c:743: warning: return makes integer from pointer without a cast
Although one wonders whether that should have been -ENODEV...
Cc: "Antonino A. Daplas" <adaplas@pol.net>
Cc: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
In file included from drivers/video/console/newport_con.c:16:
include/linux/selection.h:16: warning: "struct tty_struct" declared inside parameter list
include/linux/selection.h:16: warning: its scope is only this definition or declaration, which is probably not what you want
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This is the correct fix according to Paul Mackerras and allows an
allyesconfig on PPC64 to build.
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: Paul Mackerras <paulus@samba.org>
Cc: "Antonino A. Daplas" <adaplas@pol.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Xen i386 xen-head.S fix sections mixup
xen-head.S does not come back to the data section, leaving the text section
as current section. It causes problems with a slightly enhanced DEBUG_RODATA
that supports CONFIG_HOTPLUG and bringing a CPU up after the text has been
marked read-only: reference to early_gdt_descr causes a page fault.
Updates:
- It should be using pushsection/popsection.
- Actually, the push/popsections around the ELFNOTEs are redundant; ELFNOTE()
does its own push/popsection to put things into the appropriate .note* section
anyway.
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@polymtl.ca>
Acked-by: Jeremy Fitzhardinge <jeremy@xensource.com>
Cc: Chris Wright <chrisw@sous-sol.org>
Cc: Andi Kleen <ak@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
de_thread:
if (atomic_read(&oldsighand->count) <= 1)
BUG_ON(atomic_read(&sig->count) != 1);
This is not safe without the rmb() in between. The results of two
correctly ordered __exit_signal()->atomic_dec_and_test()'s could be seen
out of order on our CPU.
The same is true for the "thread_group_empty()" case, __unhash_process()'s
changes could be seen before atomic_dec_and_test(&sig->count).
On some platforms (including i386) atomic_read() doesn't provide even the
compiler barrier, in that case these checks are simply racy.
Remove these BUG_ON()'s. Alternatively, we can do something like
BUG_ON( ({ smp_rmb(); atomic_read(&sig->count) != 1; }) );
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Roland McGrath <roland@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Minor tweaks to rtc-max6902: make it hotplug correctly, and fix a few
space-before-tab whitespace botches. This driver has no current in-tree
users, so the hotplug fix changes the driver name.
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Cc: Atsushi Nemoto <anemo@mba.ocn.ne.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Print a big fat warning and do what is necessary to continue if a node is
marked as up (meaning either node is online (upstream) or node has memory
(Andrew's tree)) but allocations from the node do not succeed.
Signed-off-by: Christoph Lameter <clameter@sgi.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
SLUB is using atomic_read() for variables declared atomic_long_t.
Switch to atomic_long_read().
Signed-off-by: Christoph Lameter <clameter@sgi.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This one-liner patch fixes a bug in drivers/auxdisplay/cfag12864b.c
At cfag12864b_init(), the driver tries to kalloc some memory in the
variable cfag12864b_cache.
Then, as usual, it checks if the call failed. However, it checks
cfag12864b_buffer instead.
This patch changes the "cfag12864b_buffer" to "cfag12864b_cache" so the
correct variable is checked.
Signed-off-by: Miguel Ojeda <maxextreme@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Add PCI IDs for the onchip UARTs on PA Semi PWRficient.
Signed-off-by: Olof Johansson <olof@lixom.net>
Cc: Russell King <rmk@arm.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Due to inconsistent locking in the VFS between calls to lookup and
revalidate deadlock can occur in the automounter.
The inconsistency is that the directory inode mutex is held for both lookup
and revalidate calls when called via lookup_hash whereas it is held only
for lookup during a path walk. Consequently, if the mutex is held during a
call to revalidate autofs4 can't release the mutex to callback the daemon
as it can't know whether it owns the mutex.
This situation happens when a process tries to create a directory within an
automount and a second process also tries to create the same directory
between the lookup and the mkdir. Since the first process has dropped the
mutex for the daemon callback, the second process takes it during
revalidate leading to deadlock between the autofs daemon and the second
process when the daemon tries to create the mount point directory.
After spending quite a bit of time trying to resolve this on more than one
occassion, using rather complex and ulgy approaches, it turns out that just
delaying the hashing of the dentry until the create operation works fine.
Signed-off-by: Ian Kent <raven@themaw.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
The previous patch which limited the number of sectors in a single request
to a COWed device was correct in concept, but the limit was implemented in
the wrong place.
By putting it in ubd_add, it covered the cases where the COWing was
specified on the command line. However, when the command line only has the
COW file specified, the fact that it's a COW file isn't known until it's
opened, so the limit is missed in these cases.
This patch moves the sector limit from ubd_add to ubd_open_dev.
Signed-off-by: Jeff Dike <jdike@linux.intel.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
When a raid1 array is reshaped (number of drives changed), the list of devices
is compacted, so that slots for missing devices are filled with working
devices from later slots. This requires the "rd%d" symlinks in sysfs to be
updated.
Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Commit 1757128438 was slightly bad. If an array
has a write-intent bitmap, and you remove a drive, then readd it, only the
changed parts should be resynced. However after the above commit, this only
works if the array has not been shut down and restarted.
This is because it sets 'fullsync' at little more often than it should. This
patch is more careful.
Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
In case bus master driver provided bogus value as its private data, search
can be incorrect. Problem found by Adrian Bunk.
Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
Cc: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
It seems a simple mistake was made when converting follow_hugetlb_page()
over to the VM_FAULT flags bitmasks (in "mm: fault feedback #2", commit
83c54070ee).
By using the wrong bitmask, hugetlb_fault() failures are not being
recognized. This results in an infinite loop whenever follow_hugetlb_page
is involved in a failed fault.
Signed-off-by: Adam Litke <agl@us.ibm.com>
Acked-by: Nick Piggin <npiggin@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Get module reference on open() by generic HDLC to prevent module from
unloading while interface is active.
Signed-off-by: Paul Fulghum <paulkf@microgate.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Skip calling cache_free_alien() when the platform is not numa capable.
This will avoid cache misses that happen while accessing slabp (which is
per page memory reference) to get nodeid. Instead use a global variable to
skip the call, which is mostly likely to be present in the cache.
This gives a 0.8% performance boost with the database oltp workload on a
quad-core SMP platform and by any means the number is not small :)
Signed-off-by: Suresh Siddha <suresh.b.siddha@intel.com>
Acked-by: Christoph Lameter <clameter@sgi.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
With this patch any thread can dequeue its own private signals via signalfd,
even if it was created by another sub-thread.
To do so, we pass "current" to dequeue_signal() if the caller is from the same
thread group. This also fixes the scheduling of posix timers broken by the
previous patch.
If the caller doesn't belong to this thread group, we can't handle __SI_TIMER
case properly anyway. Perhaps we should forbid the cross-process signalfd usage
and convert ctx->tsk to ctx->sighand.
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Davide Libenzi <davidel@xmailserver.org>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Michael Kerrisk <mtk-manpages@gmx.net>
Cc: Roland McGrath <roland@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
dequeue_signal:
if (__SI_TIMER) {
spin_unlock(&tsk->sighand->siglock);
do_schedule_next_timer(info);
spin_lock(&tsk->sighand->siglock);
}
Unless tsk == curent, this is absolutely unsafe: nothing prevents tsk from
exiting. If signalfd was passed to another process, do_schedule_next_timer()
is just wrong.
Add yet another "tsk == current" check into dequeue_signal().
This patch fixes an oopsable bug, but breaks the scheduling of posix timers
if the shared __SI_TIMER signal was fetched via signalfd attached to another
sub-thread. Mostly fixed by the next patch.
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Davide Libenzi <davidel@xmailserver.org>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Michael Kerrisk <mtk-manpages@gmx.net>
Cc: Roland McGrath <roland@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
sys_timer_create() sets ->it_process and unlocks ->siglock, then checks
tmr->it_sigev_notify to define if get_task_struct() is needed.
We already passed ->it_id to the caller, another thread can delete this timer
and free its memory in between.
As a minimal fix, move this code under ->siglock, sys_timer_delete() takes it
too before calling release_posix_timer(). A proper serialization would be to
take ->it_lock, we add a partly initialized timer on posix_timers_id, not
good.
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
timer_delete does:
lock_timer();
timer->it_process = NULL;
unlock_timer();
release_posix_timer();
timer->it_process is checked in lock_timer() to prevent access to a
timer, which is on the way to be deleted, but the check happens after
idr_lock is dropped. This allows release_posix_timer() to delete the
timer before the lock code can check the timer:
CPU 0 CPU 1
lock_timer();
timer->it_process = NULL;
unlock_timer();
lock_timer()
spin_lock(idr_lock);
timer = idr_find();
spin_lock(timer->lock);
spin_unlock(idr_lock);
release_posix_timer();
spin_lock(idr_lock);
idr_remove(timer);
spin_unlock(idr_lock);
free_timer(timer);
if (timer->......)
Change the locking to prevent this.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>