Commit Graph

287383 Commits

Author SHA1 Message Date
Heiko Carstens 96e02d1586 exec: fix use-after-free bug in setup_new_exec()
Setting the task name is done within setup_new_exec() by accessing
bprm->filename. However this happens after flush_old_exec().
This may result in a use after free bug, flush_old_exec() may
"complete" vfork_done, which will wake up the parent which in turn
may free the passed in filename.
To fix this add a new tcomm field in struct linux_binprm which
contains the now early generated task name until it is used.

Fixes this bug on s390:

  Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
  Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
  Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
  Call Trace:
  ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
   [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
   [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
   [<0000000000282b6c>] do_execve_common+0x410/0x514
   [<0000000000282cb6>] do_execve+0x46/0x58
   [<00000000005bce58>] kernel_execve+0x28/0x70
   [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
   [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
   [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
  Last Breaking-Event-Address:
   [<00000000002830f0>] setup_new_exec+0x2fc/0x374

  Kernel panic - not syncing: Fatal exception: panic_on_oops

Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-02-06 15:15:20 -08:00
Jesper Juhl 715252d419 IB/srpt: Don't return freed pointer from srpt_alloc_ioctx_ring()
Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Signed-off-by: Roland Dreier <roland@purestorage.com>
2012-02-06 08:57:11 -08:00
Przemo Firszt d7cb3dbd10 HID: wacom: Fix invalid power_supply_powers calls
power_supply_powers calls added in 35b4c01e2 ("power_supply: add "powers" links
to self-powered HID devices") have to be called after power device is created.
This patch also fixes the second call - it has to be "ac" instead of "battery"

Signed-off-by: Przemo Firszt <przemo@firszt.eu>
Signed-off-by: Chris Bagwell <chris@cnpbagwell.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2012-02-06 16:14:20 +01:00
Jiri Kosina d4730ace0c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux into upstream-fixes
Sync with Linus' tree. This is necessary to have a base for
patch that fixes commit 35b4c01e29 ("power_supply: add "powers"
links to self-powered HID devices") which went in through Anton's
tree.
2012-02-06 16:12:16 +01:00
Mark Brown db966f8abb ASoC: wm8994: Enabling VMID should take a runtime PM reference
We can enable VMID independently of the bias in some use cases so we need
to ensure that the core device is powered up.

Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Cc: stable@vger.kernel.org
2012-02-06 12:08:33 +00:00
Takashi Iwai eedec3d385 ALSA: hda/realtek - Fix a wrong condition
sparse complains that "spec->multiout.dac_nids" is a pointer.

sound/pci/hda/patch_realtek.c:2321:37: error: incompatible types for operation (>)
sound/pci/hda/patch_realtek.c:2321:37:    left side has type unsigned short const [usertype] *dac_nids
sound/pci/hda/patch_realtek.c:2321:37:    right side has type int

It was meant to be num_dacs instead of dac_nids.
Although the current code still works as expected (when num_dacs is zero,
dac_nids should be NULL, too), better to fix now, of course.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: David Henningsson <david.henningsson@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2012-02-06 10:27:06 +01:00
Jesper Juhl 226e01ef0d ALSA: emu8000: Remove duplicate linux/moduleparam.h include from emu8000_patch.c
The header 'linux/moduleparam.h' is included twice in
'sound/isa/sb/emu8000_patch.c'. Once is enough.

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2012-02-06 10:22:54 +01:00
Danny Kukawka c88db23325 spi-topcliff-pch: rename pch_spi_pcidev to pch_spi_pcidev_driver
Rename static struct pci_driver pch_spi_pcidev to
pch_spi_pcidev_driver to get rid of warnings from modpost checks.

Signed-off-by: Danny Kukawka <danny.kukawka@bisect.de>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
2012-02-05 23:24:17 -07:00
Sylwester Nawrocki b1a4874e0d spi: Add spi-s3c64xx driver dependency on ARCH_EXYNOS4
The spi-s3c64xx driver is also used on Exynos4 so update the dependency
to enable build on those platforms.

Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
[grant.likely: relax depends to ARCH_EXYNOS instead of ARCH_EXYNOS4]
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
2012-02-05 23:23:43 -07:00
Guenter Roeck 585c0fd821 hwmon: (w83627ehf) Fix number of fans for NCT6776F
NCT6776F can select fan input pins for fans 3 to 5 with a secondary set of
chip register bits. Check that second set of bits in addition to the first set
to detect if fans 3..5 are monitored.

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Cc: stable@vger.kernel.org # 3.0+
Acked-by: Jean Delvare <khali@linux-fr.org>
2012-02-04 18:08:23 -08:00
Linus Torvalds 23783f817b Power management fixes for 3.3-rc3
Three power management regression fixes, one for a recent regression introcuded
 by the freezer changes during the 3.3 merge window and two for regressions
 in cpuidle (resulting from PM QoS changes) and in the hibernate user space
 interface, both introduced during the 3.2 development cycle.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.18 (GNU/Linux)
 
 iQIcBAABAgAGBQJPLbiPAAoJEKhOf7ml8uNscvwQAJYYhSBL+ouK8ERS0OLkeEoB
 k4O1Ap0hb5Kv54Sr85WKEm5zGRDJXUxlWeMklo9K/fvs04CU1gsBb8jhDdbZ2ovE
 rnyybPjfieExQbLxX6nYIP4qKMLtnZvHhHpafuDSUz0RWq/7sCTiFI2htNj97gGu
 DzXYpeePFgvzG6AaznywWkvNdXoQfmsTC0adDrXWcuKXnNrH6h8o/OIB+pO70Szw
 gmU8SjVGGQjrlnuQ+Ku4WqbSyXs1bXlUkyTHJilg6CNJySrA/LUHhKPrRnP1i3Hu
 LxX/rsrTqohhD1tz1qQOpnMiu86FSez+UVA65b2cF3EqZbNROY2+O1/V+OlczKYy
 V9Q3rk+J4uRJtnL8DEgcniMGrRsjyle5USN5KDX50BkrC56h3mZirnEu1yaiMIJn
 K8NWI/4JdK7JbA6f2hXuPuesmudSP4uo8vuUzKthEUi88QReYXYSMcz/Fy/G9z8n
 JW7PimC5OmeTwYIqBcjZf+8j/1u6cHaEkvjPAJhIUgCR/ZVi6VFySnUByDD6JKTJ
 bQcUSqZZ8TvEc4A6JjG18/QfmWIZMErfuG0WAKb8sqtXoPkHKR/XXjbaXof9Oppn
 nRS5iJUaZGY4YivSHZZOFAk24ThqKx5ZK3qXq/dBbj9JwtJdc+++b9f0RwXUHjd9
 ECoM3bFtO8ewINmZ7wRQ
 =EKGs
 -----END PGP SIGNATURE-----

Merge tag 'pm-fixes-for-3.3-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Power management fixes for 3.3-rc3

Three power management regression fixes, one for a recent regression introcuded
by the freezer changes during the 3.3 merge window and two for regressions
in cpuidle (resulting from PM QoS changes) and in the hibernate user space
interface, both introduced during the 3.2 development cycle.

They include:

* Two hibernate (s2disk) regression fixes from Srivatsa S. Bhat (for
 regressions introduced during the 3.3 merge window and during the 3.2
 development cycle).

* A cpuidle fix from Venki Pallipadi for a regression resulting from PM QoS
 changes during the 3.2 development cycle causing cpuidle to work incorrectly
 for CONFIG_PM unset.

* tag 'pm-fixes-for-3.3-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  PM / QoS: CPU C-state breakage with PM Qos change
  PM / Freezer: Thaw only kernel threads if freezing of kernel threads fails
  PM / Hibernate: Thaw kernel threads in SNAPSHOT_CREATE_IMAGE ioctl path
2012-02-04 15:21:39 -08:00
Venkatesh Pallipadi d020283dc6 PM / QoS: CPU C-state breakage with PM Qos change
Looks like change "PM QoS: Move and rename the implementation files"
merged during the 3.2 development cycle made PM QoS depend on
CONFIG_PM which depends on (PM_SLEEP || PM_RUNTIME).

That breaks CPU C-states with kernels not having these CONFIGs, causing CPUs
to spend time in Polling loop idle instead of going into deep C-states,
consuming way way more power. This is with either acpi idle or intel idle
enabled.

Either CONFIG_PM should be enabled with any pm_qos users or
the !CONFIG_PM pm_qos_request() should return sane defaults not to break
the existing users. Here's is the patch for the latter option.

[rjw: Modified the changelog slightly.]

Signed-off-by: Venkatesh Pallipadi <venki@google.com>
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Cc: stable@vger.kernel.org
2012-02-04 22:23:17 +01:00
Srivatsa S. Bhat 379e0be812 PM / Freezer: Thaw only kernel threads if freezing of kernel threads fails
If freezing of kernel threads fails, we are expected to automatically
thaw tasks in the error recovery path. However, at times, we encounter
situations in which we would like the automatic error recovery path
to thaw only the kernel threads, because we want to be able to do
some more cleanup before we thaw userspace. Something like:

error = freeze_kernel_threads();
if (error) {
	/* Do some cleanup */

	/* Only then thaw userspace tasks*/
	thaw_processes();
}

An example of such a situation is where we freeze/thaw filesystems
during suspend/hibernation. There, if freezing of kernel threads
fails, we would like to thaw the frozen filesystems before thawing
the userspace tasks.

So, modify freeze_kernel_threads() to thaw only kernel threads in
case of freezing failure. And change suspend_freeze_processes()
accordingly. (At the same time, let us also get rid of the rather
cryptic usage of the conditional operator (:?) in that function.)

[rjw: In fact, this patch fixes a regression introduced during the
 3.3 merge window, because without it thaw_processes() may be called
 before swsusp_free() in some situations and that may lead to massive
 memory allocation failures.]

Signed-off-by: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>
Acked-by: Tejun Heo <tj@kernel.org>
Acked-by: Nigel Cunningham <nigel@tuxonice.net>
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
2012-02-04 22:23:05 +01:00
Linus Torvalds d9142025f5 arm-soc fixes for 3.3-rc
* A series of OMAP regression fixes for merge window fallout
 * Two patches for Davinci, one removes some misdefined clocks, the other
   is a regression fix for merge window fallout
 * Two patches that makes Broadcom bcmring build again (and removes a
   bunch of unused code in the process)
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.11 (GNU/Linux)
 
 iQIcBAABAgAGBQJPLYzVAAoJEIwa5zzehBx3QSMP/17+6JYJEnzNgZAnrCNm03EK
 4f72pLIh6SSKn85jrq+mYlUorakUhlkF26G7+IyYz96YsvvEjrp8mKqlnate4Svv
 veROfNIa12AifX6H/0hr9xiRJLK+RLz933HAywh24x9GeKBAjoS72EcZRmThZWJ9
 RssfzAXAUbAfwYJyczcEpLOLkg7HJIAx5w7mQLh/hkhWkDKAugO8z1tSKESN98F3
 HJtSKE84Xg17y0c1SRoBTV3npSf3D2RptSX0r7H/nT3dpM1lSjoPvawtqdGf+ibT
 plHmRY75ebGEq18CHOl177YXPq0iUyfCDLqsu/nbcTtWoY/Cdfdj5gmMHuCYItcY
 8JJ758KUIJeHBpjbfeFbAPXJwa2FTnhgG9IQmCWuO47mquBCAi2TCWMmyNi1+kuZ
 PB+RkoU8O99bIwI+9vza1apVjjqx7rW6+9IS56KXkKYq6FkSbkvtpuveYvkvuboT
 D9o9GKmLL2Z4qE0XG7jsFi7RU1dymTaWow4chyx/iVvNvZnA/Yb9z1CmbydsyLV3
 ND1e7Tt49OIjy764Vw1KNmnIhd2joFoqF4jcw/+ID+Hy7cFSuBjjIR6TkZrqYjNf
 FhgqrRTl4iIw9zIroAJFuWOQOe82vxDDRVTe/7S7SrhvF5nTDF0AqHmeenBo6cLM
 0CfOwbRxbpgXfDpaHbH9
 =tFsG
 -----END PGP SIGNATURE-----

Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc

arm-soc fixes for 3.3-rc

* A series of OMAP regression fixes for merge window fallout
* Two patches for Davinci, one removes some misdefined clocks, the other
  is a regression fix for merge window fallout
* Two patches that makes Broadcom bcmring build again (and removes a
  bunch of unused code in the process)

* tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
  ARM: bcmring: fix build failure in mach-bcmring/arch.c
  ARM: bcmring: remove unused DMA map code
  ARM: davinci: update mdio bus name
  ARM: OMAP2+: arch/arm/mach-omap2/smartreflex.c: add missing iounmap
  ARM: OMAP2+: arch/arm/mach-omap2/devices.c: introduce missing kfree
  ARM: OMAP: fix MMC2 loopback clock handling
  ARM: OMAP: fix erroneous mmc2 clock change on mmc3 setup
  ARM: OMAP2+: GPMC: fix device size setup
  ARM: OMAP2+: timer: Fix crash due to wrong arg to __omap_dm_timer_read_counter
  ARM: OMAP3: hwmod data: register dss hwmods after dss_core
  ARM: OMAP2/3: PRM: fix missing plat/irqs.h build breakage
  ARM: OMAP2+: io: fix compilation breakage on 2420-only configs
  ARM: OMAP4: hwmod data: Add names for DMIC memory address space
  ARM: OMAP3: hwmod data: add SYSC_HAS_ENAWAKEUP for dispc
  ARM: OMAP2+: hwmod data: split omap2/3 dispc hwmod class
  ARM: davinci: DA850: remove non-existing pll1_sysclk4-7 clocks
  ARM: OMAP2: fix regulator warnings
  ARM: OMAP2: fix omap3 touchbook kconfig warning
  i2c: OMAP: Fix OMAP1 build error
2012-02-04 12:11:40 -08:00
Paul Gortmaker ca43784daa ARM: bcmring: fix build failure in mach-bcmring/arch.c
Upstream commit d1fce9c115

   "ARM: restart: bcmring: use new restart hook"

breaks building of this platform, since what used to be the
last field of the MACHINE_START/END block didn't have a
trailing comma.  Once another field was added below, we get:

arch/arm/mach-bcmring/arch.c:198: error: request for member 'restart' in something not a structure or union

Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Acked-by: Jiandong Zheng <jdzheng@broadcom.com>
Signed-off-by: Olof Johansson <olof@lixom.net>
2012-02-04 11:38:20 -08:00
JD Zheng 864e5e360e ARM: bcmring: remove unused DMA map code
Remove BCMRING DMA map code which is no longer used.

This also fixes a build error with dma.c introduced by
bfcd2ea6a4.

Signed-off-by: Jiandong Zheng <jdzheng@broadcom.com>
Signed-off-by: Olof Johansson <olof@lixom.net>
2012-02-04 11:27:13 -08:00
Linus Torvalds 31c150a11c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: i8042 - add Lenovo Ideapad U455 to 'reset' blacklist
  Input: serio_raw - return proper result when serio_raw_read fails
  Input: document device properties
  Input: twl4030_keypad - fix comment (trivial)
  Input: gpio_keys - fix struct device declared inside parameter list
  Input: evdev - fix variable initialisation
2012-02-04 10:57:42 -08:00
Linus Torvalds 4554c135a0 Merge branch 'fixes' of git://git.infradead.org/users/vkoul/slave-dma
* 'fixes' of git://git.infradead.org/users/vkoul/slave-dma:
  i.MX SDMA: Fix burstsize settings
  ARM: mach-shmobile: both USB DMAC instances on sh7372 are slave-only
  dma: sh_dma: not all SH DMAC implementations support MEMCPY
  at_hdmac: bugfix for enabling channel irq
  dmaengine: fix missing 'cnt' in ?: in dmatest
2012-02-04 10:54:26 -08:00
Linus Torvalds 82bdc843c2 Merge branch 'akpm'
* akpm:
  mm: compaction: check pfn_valid when entering a new MAX_ORDER_NR_PAGES block during isolation for migration
  readahead: fix pipeline break caused by block plug
  kprobes: fix a memory leak in function pre_handler_kretprobe()
  drivers/tty/vt/vt_ioctl.c: fix KDFONTOP 32bit compatibility layer
  lkdtm: avoid calling lkdtm_do_action() with spinlock held
  mm/filemap_xip.c: fix race condition in xip_file_fault()
  mm/memcontrol.c: fix warning with CONFIG_NUMA=n
  avr32: select generic atomic64_t support
  mm: postpone migrated page mapping reset
  xtensa: fix memscan()
  MAINTAINERS: update lguest F: patterns
  MAINTAINERS: remove staging sections
  MAINTAINERS: remove iMX5 section
  MAINTAINERS: update partitions block F: patterns
2012-02-04 10:51:54 -08:00
Linus Torvalds 71b1b20b8a - Fix a regression in 16-bit Atmel NAND flash which was introduced in 3.1
- Fix breakage with MTD suspend caused by the API rework
  - Fix a problem with resetting the MX28 BCH module
  - A couple of other trivial fixes
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.11 (GNU/Linux)
 
 iEYEABECAAYFAk8s6HsACgkQdwG7hYl686MIiACgxpNoUWFvq8z+2UGXxsLnNrio
 hhcAn31H7TY3KUuIQBo4CqG2dEjNwpCw
 =DRWp
 -----END PGP SIGNATURE-----

Merge tag 'for-linus-3.3' of git://git.infradead.org/~dwmw2/mtd-3.3

 - Fix a regression in 16-bit Atmel NAND flash which was introduced in 3.1
 - Fix breakage with MTD suspend caused by the API rework
 - Fix a problem with resetting the MX28 BCH module
 - A couple of other trivial fixes

* tag 'for-linus-3.3-20120204' of git://git.infradead.org/~dwmw2/mtd-3.3:
  Revert "mtd: atmel_nand: optimize read/write buffer functions"
  mtd: fix MTD suspend
  jffs2: do not initialize variable unnecessarily
  mtd: gpmi-nand bugfix: reset the BCH module when it is not MX23
  mtd: nand: fix typo in comment
2012-02-04 07:17:47 -08:00
Artem Bityutskiy 500823195d Revert "mtd: atmel_nand: optimize read/write buffer functions"
This reverts commit fb5427508a.

The reason is that it breaks 16 bits NAND flash as it was reported by
Nikolaus Voss and confirmed by Eric Bénard.

Nicolas Ferre <nicolas.ferre@atmel.com> alco confirmed:
"After double checking with designers, I must admit that I misunderstood
the way of optimizing accesses to SMC. 16 bit nand is not so common
those days..."

Reported-by: Nikolaus Voss <n.voss@weinmann.de>
Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Cc: stable@kernel.org [3.1+]
2012-02-04 08:04:57 +00:00
Linus Torvalds d12566674c Merge branch 'fixes' of git://git.linaro.org/people/rmk/linux-arm
* 'fixes' of git://git.linaro.org/people/rmk/linux-arm:
  ARM: 7314/1: kuser: consistently use usr_ret for returning from helpers
  ARM: 7302/1: Add TLB flushing for both entries in a PMD
  ARM: 7303/1: perf: add empty NODE event definitions for Cortex-A5 and Cortex-A15
  ARM: 7308/1: vfp: flush thread hwstate before copying ptrace registers
  ARM: 7307/1: vfp: fix ptrace regset modification race
  ARM: 7306/1: vfp: flush thread hwstate before restoring context from sigframe
  Revert "ARM: 7304/1: ioremap: fix boundary check when reusing static mapping"
2012-02-03 16:57:40 -08:00
Mel Gorman 0bf380bc70 mm: compaction: check pfn_valid when entering a new MAX_ORDER_NR_PAGES block during isolation for migration
When isolating for migration, migration starts at the start of a zone
which is not necessarily pageblock aligned.  Further, it stops isolating
when COMPACT_CLUSTER_MAX pages are isolated so migrate_pfn is generally
not aligned.  This allows isolate_migratepages() to call pfn_to_page() on
an invalid PFN which can result in a crash.  This was originally reported
against a 3.0-based kernel with the following trace in a crash dump.

PID: 9902   TASK: d47aecd0  CPU: 0   COMMAND: "memcg_process_s"
 #0 [d72d3ad0] crash_kexec at c028cfdb
 #1 [d72d3b24] oops_end at c05c5322
 #2 [d72d3b38] __bad_area_nosemaphore at c0227e60
 #3 [d72d3bec] bad_area at c0227fb6
 #4 [d72d3c00] do_page_fault at c05c72ec
 #5 [d72d3c80] error_code (via page_fault) at c05c47a4
    EAX: 00000000  EBX: 000c0000  ECX: 00000001  EDX: 00000807  EBP: 000c0000
    DS:  007b      ESI: 00000001  ES:  007b      EDI: f3000a80  GS:  6f50
    CS:  0060      EIP: c030b15a  ERR: ffffffff  EFLAGS: 00010002
 #6 [d72d3cb4] isolate_migratepages at c030b15a
 #7 [d72d3d14] zone_watermark_ok at c02d26cb
 #8 [d72d3d2c] compact_zone at c030b8de
 #9 [d72d3d68] compact_zone_order at c030bba1
#10 [d72d3db4] try_to_compact_pages at c030bc84
#11 [d72d3ddc] __alloc_pages_direct_compact at c02d61e7
#12 [d72d3e08] __alloc_pages_slowpath at c02d66c7
#13 [d72d3e78] __alloc_pages_nodemask at c02d6a97
#14 [d72d3eb8] alloc_pages_vma at c030a845
#15 [d72d3ed4] do_huge_pmd_anonymous_page at c03178eb
#16 [d72d3f00] handle_mm_fault at c02f36c6
#17 [d72d3f30] do_page_fault at c05c70ed
#18 [d72d3fb0] error_code (via page_fault) at c05c47a4
    EAX: b71ff000  EBX: 00000001  ECX: 00001600  EDX: 00000431
    DS:  007b      ESI: 08048950  ES:  007b      EDI: bfaa3788
    SS:  007b      ESP: bfaa36e0  EBP: bfaa3828  GS:  6f50
    CS:  0073      EIP: 080487c8  ERR: ffffffff  EFLAGS: 00010202

It was also reported by Herbert van den Bergh against 3.1-based kernel
with the following snippet from the console log.

BUG: unable to handle kernel paging request at 01c00008
IP: [<c0522399>] isolate_migratepages+0x119/0x390
*pdpt = 000000002f7ce001 *pde = 0000000000000000

It is expected that it also affects 3.2.x and current mainline.

The problem is that pfn_valid is only called on the first PFN being
checked and that PFN is not necessarily aligned.  Lets say we have a case
like this

H = MAX_ORDER_NR_PAGES boundary
| = pageblock boundary
m = cc->migrate_pfn
f = cc->free_pfn
o = memory hole

H------|------H------|----m-Hoooooo|ooooooH-f----|------H

The migrate_pfn is just below a memory hole and the free scanner is beyond
the hole.  When isolate_migratepages started, it scans from migrate_pfn to
migrate_pfn+pageblock_nr_pages which is now in a memory hole.  It checks
pfn_valid() on the first PFN but then scans into the hole where there are
not necessarily valid struct pages.

This patch ensures that isolate_migratepages calls pfn_valid when
necessary.

Reported-by: Herbert van den Bergh <herbert.van.den.bergh@oracle.com>
Tested-by: Herbert van den Bergh <herbert.van.den.bergh@oracle.com>
Signed-off-by: Mel Gorman <mgorman@suse.de>
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-02-03 16:16:41 -08:00
Shaohua Li 3deaa7190a readahead: fix pipeline break caused by block plug
Herbert Poetzl reported a performance regression since 2.6.39.  The test
is a simple dd read, but with big block size.  The reason is:

T1: ra (A, A+128k), (A+128k, A+256k)
T2: lock_page for page A, submit the 256k
T3: hit page A+128K, ra (A+256k, A+384). the range isn't submitted
because of plug and there isn't any lock_page till we hit page A+256k
because all pages from A to A+256k is in memory
T4: hit page A+256k, ra (A+384, A+ 512). Because of plug, the range isn't
submitted again.
T5: lock_page A+256k, so (A+256k, A+512k) will be submitted. The task is
waitting for (A+256k, A+512k) finish.

There is no request to disk in T3 and T4, so readahead pipeline breaks.

We really don't need block plug for generic_file_aio_read() for buffered
I/O.  The readahead already has plug and has fine grained control when I/O
should be submitted.  Deleting plug for buffered I/O fixes the regression.

One side effect is plug makes the request size 256k, the size is 128k
without it.  This is because default ra size is 128k and not a reason we
need plug here.

Vivek said:

: We submit some readahead IO to device request queue but because of nested
: plug, queue never gets unplugged.  When read logic reaches a page which is
: not in page cache, it waits for page to be read from the disk
: (lock_page_killable()) and that time we flush the plug list.
:
: So effectively read ahead logic is kind of broken in parts because of
: nested plugging.  Removing top level plug (generic_file_aio_read()) for
: buffered reads, will allow unplugging queue earlier for readahead.

Signed-off-by: Shaohua Li <shaohua.li@intel.com>
Signed-off-by: Wu Fengguang <fengguang.wu@intel.com>
Reported-by: Herbert Poetzl <herbert@13thfloor.at>
Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-02-03 16:16:41 -08:00
Jiang Liu 55ca6140e9 kprobes: fix a memory leak in function pre_handler_kretprobe()
In function pre_handler_kretprobe(), the allocated kretprobe_instance
object will get leaked if the entry_handler callback returns non-zero.
This may cause all the preallocated kretprobe_instance objects exhausted.

This issue can be reproduced by changing
samples/kprobes/kretprobe_example.c to probe "mutex_unlock".  And the fix
is straightforward: just put the allocated kretprobe_instance object back
onto the free_instances list.

[akpm@linux-foundation.org: use raw_spin_lock/unlock]
Signed-off-by: Jiang Liu <jiang.liu@huawei.com>
Acked-by: Jim Keniston <jkenisto@us.ibm.com>
Acked-by: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
Cc: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-02-03 16:16:41 -08:00
Samuel Thibault cbcb834605 drivers/tty/vt/vt_ioctl.c: fix KDFONTOP 32bit compatibility layer
KDFONTOP(GET) currently fails with EIO when being run in a 32bit userland
with a 64bit kernel if the font width is not 8.

This is because of the setting of the KD_FONT_FLAG_OLD flag, which makes
con_font_get return EIO in such case.

This flag should *not* be set for KDFONTOP, since it's actually the whole
point of this flag (see comment in con_font_set for instance).

Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Cc: Greg Kroah-Hartman <gregkh@suse.de>
Cc: Arthur Taylor <art@ified.ca>
Cc: Jiri Slaby <jslaby@suse.cz>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-02-03 16:16:41 -08:00
Cong Wang 92618184cb lkdtm: avoid calling lkdtm_do_action() with spinlock held
lkdtm_do_action() may call sleeping functions like kmalloc(), so do not
call it with spin lock held.

Signed-off-by: WANG Cong <xiyou.wangcong@gmail.com>
Cc: Prarit Bhargava <prarit@redhat.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Greg Kroah-Hartman <greg@kroah.com>
Reviewed-by: Dave Young <dyoung@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-02-03 16:16:41 -08:00
Carsten Otte 99f02ef1f1 mm/filemap_xip.c: fix race condition in xip_file_fault()
Fix a race condition that shows in conjunction with xip_file_fault() when
two threads of the same user process fault on the same memory page.

In this case, the race winner will install the page table entry and the
unlucky loser will cause an oops: xip_file_fault calls vm_insert_pfn (via
vm_insert_mixed) which drops out at this check:

	retval = -EBUSY;
	if (!pte_none(*pte))
		goto out_unlock;

The resulting -EBUSY return value will trigger a BUG_ON() in
xip_file_fault.

This fix simply considers the fault as fixed in this case, because the
race winner has successfully installed the pte.

[akpm@linux-foundation.org: use conventional (and consistent) comment layout]
Reported-by: David Sadler <dsadler@us.ibm.com>
Signed-off-by: Carsten Otte <cotte@de.ibm.com>
Reported-by: Louis Alex Eisner <leisner@cs.ucsd.edu>
Cc: Hugh Dickins <hughd@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-02-03 16:16:41 -08:00
Andrew Morton 82b3f2a717 mm/memcontrol.c: fix warning with CONFIG_NUMA=n
mm/memcontrol.c: In function 'memcg_check_events':
mm/memcontrol.c:779: warning: unused variable 'do_numainfo'

Acked-by: Michal Hocko <mhocko@suse.cz>
Cc: Li Zefan <lizf@cn.fujitsu.com>
Cc: Hiroyuki KAMEZAWA <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Acked-by: "Kirill A. Shutemov" <kirill@shutemov.name>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-02-03 16:16:40 -08:00
Fabio Baltieri 31e0017e6f avr32: select generic atomic64_t support
Enable use of the generic atomic64 implementation on AVR32 platforms.
Without this the kernel fails to build as the architecture does not
provide its version.

Signed-off-by: Fabio Baltieri <fabio.baltieri@gmail.com>
Acked-by: Hans-Christian Egtvedt <egtvedt@samfundet.no>
Cc: Haavard Skinnemoen <hskinnemoen@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-02-03 16:16:40 -08:00
Konstantin Khlebnikov 35512ecaef mm: postpone migrated page mapping reset
Postpone resetting page->mapping until the final remove_migration_ptes().
Otherwise the expression PageAnon(migration_entry_to_page(entry)) does not
work.

Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
Cc: Hugh Dickins <hughd@google.com>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-02-03 16:16:40 -08:00
Akinobu Mita a1b58c237b xtensa: fix memscan()
Defining memscan() as memchr() is wrong, because the return values of
memscan() and memchr() are different when the character is not found.  So
use the generic memscan() implementation to fix this.

Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Cc: Chris Zankel <chris@zankel.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-02-03 16:16:40 -08:00
Joe Perches 070f420b35 MAINTAINERS: update lguest F: patterns
commit 07fe9977b6 ("lguest: move the lguest tool to the tools
directory") moved the files, update the patterns.  Sort F: patterns
alphabetically too.

Signed-off-by: Joe Perches <joe@perches.com>
Cc: Davidlohr Bueso <dave@gnu.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-02-03 16:16:40 -08:00
Joe Perches cdb7232b29 MAINTAINERS: remove staging sections
Two commits moved files from staging to drivers/media/

commit d6ce55de3a ("[media] move cx25821 out of staging")
commit be30497085 ("[media] move tm6000 to drivers/media/video")

Remove the sections.

Signed-off-by: Joe Perches <joe@perches.com>
Cc: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-02-03 16:16:40 -08:00
Joe Perches 0960e7d13f MAINTAINERS: remove iMX5 section
commit 784a90c0a7 ("ARM i.MX: Merge i.MX5 support into mach-imx")
merged the files, remove the iMX5 section.

Signed-off-by: Joe Perches <joe@perches.com>
Cc: Amit Kucheria <amit.kucheria@canonical.com>
Cc: Sascha Hauer <s.hauer@pengutronix.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-02-03 16:16:40 -08:00
Joe Perches 20d16fef95 MAINTAINERS: update partitions block F: patterns
Commit 9be96f3fd1 ("move fs/partitions to block/") moved the files,
update the patterns.

Signed-off-by: Joe Perches <joe@perches.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-02-03 16:16:40 -08:00
Linus Torvalds 7c7ed8ec33 Trivial kmemleak bug-fixes:
- Early logging doesn't stop when kmemleak is off by default.
 - Zero-size scanning areas should be ignored (currently it prints a warning).
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.9 (GNU/Linux)
 
 iQIcBAABAgAGBQJPK8XOAAoJEGvWsS0AyF7xUzsP/1ZMK5glfaqsbrvALX/rKZBz
 lxIaKhIa77z5MBHL9AJdy/q6pAVJof5+YXdwDpGu+nOkwvFxj5Ell2M3VVOaSda+
 QPwypn/1K1NsAo4yFUlT/7zdWC1ubuYBITeqcmsfdHJeZ57c/ccRv74vs75DJucu
 1nLZH7WEJdFYzUdqJkiwaxRjJ7b5d9qz1DX8+b0KWTE+xbEdPDTP6Pps0ITVccJY
 +7o6b8PYVIs+t1xgCnZNNa/rhOXSm6kctvBAT1HnR/6+JlHMxC9YJ8uSavJ3trEX
 8U+pcwNqbruM5aq9f6k9imAd1ZiR0E5BMihem3OqJslZyX9vvqglC8wqKXlCGVs0
 OFD8I4iimmQd/b+pvI9Q2F7A1qk2b9Zy1Wklg7iGD0AysJMkp+wc8+P8DjC6jKQw
 T6pPUlVVe76haAZUrN8BIeAH/7SdyeQnrRBTGuOtZRfKZixyb92wicXFvcwmFG5E
 WzDeGxCHprNo5G66zUnS6Q9pvoIdFpb6ILaeEB0xoJPBMTVJDn8paDjvuuKRpjM6
 Eflw9ztJJnOgR8U3nPia35kyEt2plg4KFFvbP5jzCbpp3QeF2wLMUeSx+ijhcCiI
 nLNWy35vIQrPbw7T35e4oOA67ppqmhCCgzFxiPX7hxJoRfrc9RXFLsPligUjBqps
 5KUEEie/qEJR6j70Z8hC
 =Ydy/
 -----END PGP SIGNATURE-----

Merge tag 'kmemleak-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/cmarinas/linux

Trivial kmemleak bug-fixes:

 - Early logging doesn't stop when kmemleak is off by default.
 - Zero-size scanning areas should be ignored (currently it prints a
   warning).

* tag 'kmemleak-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/cmarinas/linux:
  kmemleak: Disable early logging when kmemleak is off by default
  kmemleak: Only scan non-zero-size areas
2012-02-03 12:41:31 -08:00
Linus Torvalds 7f06db34e5 sound fixes for 3.3-rc3
Most of commits are either regression fixes for varioud HD-audio
 codecs or small ASoC fixes.  Also a trivial build fix is included.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.18 (GNU/Linux)
 
 iQIcBAABAgAGBQJPKomfAAoJEGwxgFQ9KSmk+wUP/05FWjbbUlkT1tchQxN/nPVw
 nCXk2inPAvItvjyWFXGR0UXTz670E0+aeDCE9yCdGiIP/kpDagveN2hbDc34pPpe
 k8g5Gvwt3vSzpgnDbZ8y1dGXTkfE6J5GD0yxrvABjI81HdJ/NPkOw3SVFP/HLLBC
 a//DTosS8rLiCr2Q+XKgh9bdWGC/ykZPVGsC1PLV9EzyviIMTiNFw5ZFUKVV28a9
 TsZGvZpkXzvr9mJnc7lV8wOlabh/pfOXwVVhIznNucCnqG+7GLEm8TdWcnAP/umH
 XDDaInc6yXMxuFhMwgfmrR9a57As1ZXyYt+0BAnMBIk7oZqSqu8647p8NYCKJzV3
 q76DTPrzvGcn8VKdF4u+ORaUND/ysC2f2o/aD2O1JLpvs992eJ4Ioe6IVyZWnd3B
 KhmVloOww6HHjxVtYx4IS9Sh5MpOLcGb21efyNbH8wDWlPjDV/lW6wGFmnzTNyg1
 HdHAt1XA3mzLolswigxujkuiYf5YFJpmfZ3SERBmE263EbiDpoLonP4/5L6CkPFg
 kK9P72+2xq9dybCJ7xDdMZH/ZZdwhwl5PA2H0n7Bzfg4lHmSGhqm5ydP8hh4Nisj
 yJbKucs3NOAFx3MLWRBwjLy+HTBEH7ZUd+sUbjbF5J6R2tgKjgdqT1K4R1K9wZ4W
 yY/kAVzAyuUt5pgWuYLZ
 =K0vv
 -----END PGP SIGNATURE-----

Merge tag 'sound-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

sound fixes for 3.3-rc3

Most of commits are either regression fixes for varioud HD-audio
codecs or small ASoC fixes.  Also a trivial build fix is included.

* tag 'sound-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: hda - Disable dynamic-power control for VIA as default
  ALSA: hda - Allow analog low-current mode when dynamic power-control is on
  ALSA: hda - Fix the logic to detect VIA analog low-current mode
  ALSA: hda - Check power-state before changing in patch_via.c
  ALSA: HDA: Fix duplicated output to more than one codec
  ALSA: hda - Fix calling cs_automic twice for Cirrus codecs.
  ALSA: HDA: Remove quirk for Toshiba Qosmio G50
  ALSA: HDA: Fix jack creation for codecs with front and rear Line In
  ALSA: hda - Apply 0x0f-VREF fix to all ASUS laptops with ALC861/660
  ASoC: neo1973_wm8753: remove references to the neo1973-gta01 machine
  ALSA: Add #ifdef CONFIG_PCI guard for snd_pci_quirk_* functions
  ASoC: wm_hubs: fix wrong bits for LINEOUT2 N/P mixer
  ALSA: HDA: Remove quirk for Asus N53Jq
  ASoC: wm_hubs: Enable line out VMID buffer for single ended line outputs
  ASoC: wm5100: Mark register cache as dirty when regulators are disabled
  ASoC: wm8962: Mark register cache as dirty when regulators are disabled
  ASoC: wm8996: Mark register cache as dirty when regulators are disabled
  ASoC: wm5100: Fix microphone configuration
  ASoC: wm5100: Make sure we switch to button reporting mode
2012-02-03 10:06:15 -08:00
Peter Ujfalusi 2bd05db718 mfd: Avoid twl6040-codec PLL reconfiguration when not needed
Do not reconfigure the PLL in case it has been configured already
with the requested parameters.
In case of different PLL configuration do only the needed changes.
This can save considerable amount of time since we can avoid the
defined protocol (with delays) for the PLL configuration.

Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-02-03 19:03:50 +01:00
Peter Ujfalusi f8447d6c21 mfd: Store twl6040-codec mclk configuration
Store the last used mclk configuration for the PLL.

Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-02-03 19:03:44 +01:00
Dan Carpenter 3af336376f IB/srpt: Fix ERR_PTR() vs. NULL checking confusion
transport_init_session() and target_fabric_configfs_init() don't
return NULL pointers, they only return ERR_PTRs or valid pointers.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
2012-02-03 09:07:00 -08:00
Will Deacon 5a97d0ae5b ARM: 7314/1: kuser: consistently use usr_ret for returning from helpers
__kuser_cmpxchg64 has a return path using bx lr to get back to the caller.
This is actually ok since the code in question is predicated on
CONFIG_CPU_32v6K, but for the sake of consistency using the usr_ret
macro is probably better.

Acked-by: Dave Martin <dave.martin@linaro.org>
Acked-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2012-02-03 15:58:46 +00:00
Takashi Iwai b544d1e0e2 ALSA: hda/realtek - Add missing Bass and CLFE as vmaster slaves
The recent changes in Realtek auto-parser added the new "Bass Speaker"
and "CLFE" mixer elements which should be tracked as vmaster slaves,
too.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=42720

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2012-02-03 14:04:11 +01:00
Igor Murzov 82b982c9a6 Input: i8042 - add Lenovo Ideapad U455 to 'reset' blacklist
From 2d5a38a56453421e82428155f4b00303f3fb19b2 Mon Sep 17 00:00:00 2001
From: Igor Murzov <e-mail@date.by>
Date: Wed, 1 Feb 2012 03:11:53 +0400
Subject: [PATCH] Input: i8042 - add Lenovo Ideapad U455 to 'reset' blacklist

Lenovo Ideapad U455 needs to be in the reset quirk list for its
touchpad's proper function.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=40672

Signed-off-by: Igor Murzov <e-mail@date.by>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
2012-02-03 00:22:43 -08:00
Linus Torvalds 6c073a7ee2 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client:
  rbd: fix safety of rbd_put_client()
  rbd: fix a memory leak in rbd_get_client()
  ceph: create a new session lock to avoid lock inversion
  ceph: fix length validation in parse_reply_info()
  ceph: initialize client debugfs outside of monc->mutex
  ceph: change "ceph.layout" xattr to be "ceph.file.layout"
2012-02-02 15:47:33 -08:00
Josh Triplett ff05f603c3 include/linux/lp8727.h: Remove executable bit
Signed-off-by: Josh Triplett <josh@joshtriplett.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-02-02 15:43:40 -08:00
Shirish Pargaonkar de47a4176c cifs: Fix oops in session setup code for null user mounts
For null user mounts, do not invoke string length function
during session setup.

Cc: <stable@kernel.org
Reported-and-Tested-by: Chris Clayton <chris2553@googlemail.com>
Acked-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: Steve French <smfrench@gmail.com>
2012-02-02 16:59:09 -06:00
Alex Elder d23a4b3fd6 rbd: fix safety of rbd_put_client()
The rbd_client structure uses a kref to arrange for cleaning up and
freeing an instance when its last reference is dropped.  The cleanup
routine is rbd_client_release(), and one of the things it does is
delete the rbd_client from rbd_client_list.  It acquires node_lock
to do so, but the way it is done is still not safe.

The problem is that when attempting to reuse an existing rbd_client,
the structure found might already be in the process of getting
destroyed and cleaned up.

Here's the scenario, with "CLIENT" representing an existing
rbd_client that's involved in the race:

 Thread on CPU A                | Thread on CPU B
 ---------------                | ---------------
 rbd_put_client(CLIENT)         | rbd_get_client()
   kref_put()                   |   (acquires node_lock)
     kref->refcount becomes 0   |   __rbd_client_find() returns CLIENT
     calls rbd_client_release() |   kref_get(&CLIENT->kref);
                                |   (releases node_lock)
       (acquires node_lock)     |
       deletes CLIENT from list | ...and starts using CLIENT...
       (releases node_lock)     |
       and frees CLIENT         | <-- but CLIENT gets freed here

Fix this by having rbd_put_client() acquire node_lock.  The result
could still be improved, but at least it avoids this problem.

Signed-off-by: Alex Elder <elder@dreamhost.com>
Signed-off-by: Sage Weil <sage@newdream.net>
2012-02-02 12:56:59 -08:00
Jesper Juhl ebfded8c4b IB/srpt: Remove unneeded <linux/version.h> include
Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Signed-off-by: Roland Dreier <roland@purestorage.com>
2012-02-02 12:55:59 -08:00
Roland Dreier f225066b64 IB/srpt: Use ARRAY_SIZE() instead of open-coding
Signed-off-by: Roland Dreier <roland@purestorage.com>
2012-02-02 12:55:58 -08:00