Two (or more) concurrent calls of shrink_dcache_parent() on the same dentry may
cause shrink_dcache_parent() to loop forever.
Here's what appears to happen:
1 - CPU0: select_parent(P) finds C and puts it on dispose list, returns 1
2 - CPU1: select_parent(P) locks P->d_lock
3 - CPU0: shrink_dentry_list() locks C->d_lock
dentry_kill(C) tries to lock P->d_lock but fails, unlocks C->d_lock
4 - CPU1: select_parent(P) locks C->d_lock,
moves C from dispose list being processed on CPU0 to the new
dispose list, returns 1
5 - CPU0: shrink_dentry_list() finds dispose list empty, returns
6 - Goto 2 with CPU0 and CPU1 switched
Basically select_parent() steals the dentry from shrink_dentry_list() and thinks
it found a new one, causing shrink_dentry_list() to think it's making progress
and loop over and over.
One way to trigger this is to make udev calls stat() on the sysfs file while it
is going away.
Having a file in /lib/udev/rules.d/ with only this one rule seems to the trick:
ATTR{vendor}=="0x8086", ATTR{device}=="0x10ca", ENV{PCI_SLOT_NAME}="%k", ENV{MATCHADDR}="$attr{address}", RUN+="/bin/true"
Then execute the following loop:
while true; do
echo -bond0 > /sys/class/net/bonding_masters
echo +bond0 > /sys/class/net/bonding_masters
echo -bond1 > /sys/class/net/bonding_masters
echo +bond1 > /sys/class/net/bonding_masters
done
One fix would be to check all callers and prevent concurrent calls to
shrink_dcache_parent(). But I think a better solution is to stop the
stealing behavior.
This patch adds a new dentry flag that is set when the dentry is added to the
dispose list. The flag is cleared in dentry_lru_del() in case the dentry gets a
new reference just before being pruned.
If the dentry has this flag, select_parent() will skip it and let
shrink_dentry_list() retry pruning it. With select_parent() skipping those
dentries there will not be the appearance of progress (new dentries found) when
there is none, hence shrink_dcache_parent() will not loop forever.
Set the flag is also set in prune_dcache_sb() for consistency as suggested by
Linus.
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
CC: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* 'kvm-updates/3.3' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (74 commits)
KVM: PPC: Whitespace fix for kvm.h
KVM: Fix whitespace in kvm_para.h
KVM: PPC: annotate kvm_rma_init as __init
KVM: x86 emulator: implement RDPMC (0F 33)
KVM: x86 emulator: fix RDPMC privilege check
KVM: Expose the architectural performance monitoring CPUID leaf
KVM: VMX: Intercept RDPMC
KVM: SVM: Intercept RDPMC
KVM: Add generic RDPMC support
KVM: Expose a version 2 architectural PMU to a guests
KVM: Expose kvm_lapic_local_deliver()
KVM: x86 emulator: Use opcode::execute for Group 9 instruction
KVM: x86 emulator: Use opcode::execute for Group 4/5 instructions
KVM: x86 emulator: Use opcode::execute for Group 1A instruction
KVM: ensure that debugfs entries have been created
KVM: drop bsp_vcpu pointer from kvm struct
KVM: x86: Consolidate PIT legacy test
KVM: x86: Do not rely on implicit inclusions
KVM: Make KVM_INTEL depend on CPU_SUP_INTEL
KVM: Use memdup_user instead of kmalloc/copy_from_user
...
Nothing we do here sleeps, so just do it under d_lock and avoid the dget/
dput entirely.
Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Sage Weil <sage@newdream.net>
We now set d_fsdata unconditionally on all dentries prior to setting up
the d_ops, so all of these checks are unnecessary.
Signed-off-by: Sage Weil <sage@newdream.net>
Use kmemdup rather than duplicating its implementation
The semantic patch that makes this change is available
in scripts/coccinelle/api/memdup.cocci.
Signed-off-by: Thomas Meyer <thomas@m3y3r.de>
Signed-off-by: Sage Weil <sage@newdream.net>
Commit 503358ae01 ("ext4: avoid divide by
zero when trying to mount a corrupted file system") fixes CVE-2009-4307
by performing a sanity check on s_log_groups_per_flex, since it can be
set to a bogus value by an attacker.
sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex;
groups_per_flex = 1 << sbi->s_log_groups_per_flex;
if (groups_per_flex < 2) { ... }
This patch fixes two potential issues in the previous commit.
1) The sanity check might only work on architectures like PowerPC.
On x86, 5 bits are used for the shifting amount. That means, given a
large s_log_groups_per_flex value like 36, groups_per_flex = 1 << 36
is essentially 1 << 4 = 16, rather than 0. This will bypass the check,
leaving s_log_groups_per_flex and groups_per_flex inconsistent.
2) The sanity check relies on undefined behavior, i.e., oversized shift.
A standard-confirming C compiler could rewrite the check in unexpected
ways. Consider the following equivalent form, assuming groups_per_flex
is unsigned for simplicity.
groups_per_flex = 1 << sbi->s_log_groups_per_flex;
if (groups_per_flex == 0 || groups_per_flex == 1) {
We compile the code snippet using Clang 3.0 and GCC 4.6. Clang will
completely optimize away the check groups_per_flex == 0, leaving the
patched code as vulnerable as the original. GCC keeps the check, but
there is no guarantee that future versions will do the same.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Cc: stable@vger.kernel.org
lookup should fail with ENOMEM, not silently make dentry negative.
Switched to saner calling conventions, while we are at it.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
inode needs to be fully set up before we feed it to d_instantiate().
securityfs_create_file() does *not* do so; it sets ->i_fop and
->i_private only after we'd exposed the inode. Unfortunately,
that's done fairly deep in call chain, so the amount of churn
is considerable. Helper functions killed by substituting into
their solitary call sites, dead code removed. We finally can
bury default_file_ops, now that the final value of ->i_fop is
available (and assigned) at the point where inode is allocated.
Reviewed-by: James Morris <jmorris@namei.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Currently the driver checks only the out_mix_path[] for the primary
output route for judging whether to create the loopback-mixing control
or not. But, there are cases where aamix-routing is available only on
headphone or speaker paths but not on the primary output path. So, the
driver ignores such cases inappropriately.
This patch fixes the check of the loopback-mixing control by testing
all mix-routing paths.
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
When an invalid NID is given, get_wcaps() returns zero as the error,
but get_wcaps_type() takes it as the normal value and returns a bogus
AC_WID_AUD_OUT value. This confuses the parser.
With this patch, get_wcaps_type() returns -1 when value 0 is given,
i.e. an invalid NID is passed to get_wcaps().
Bugzilla: https://bugzilla.novell.com/show_bug.cgi?id=740118
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Add a cast here to silence a Gcc warning.
drivers/gpu/drm/gma500/mid_bios.c:214:28: warning:
cast from pointer to integer of different size [-Wpointer-to-int-cast]
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
The "if (!p && !p->dev)" condition isn't right because || was intended
instead of &&. But actually, "p" is the list cursor and so it's always
non-NULL and we can just remove that bit. We can remove the another
similar check as well.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Jerome Glisse <jglisse@redhat.com>
Acked-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Remove 'static' modifier from the 'vid_hdr' local variable. I do not know
how it slipped in, but this is a bug and will break UBI if someone attaches
2 UBI volumes at the same time.
Artem: amended teh commit message, added -stable.
Signed-off-by: Richard Weinberger <rw@linutronix.de>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Cc: stable@kernel.org
These laptops can work well with the auto-parser and their BIOS setups,
and in addition, the auto-parser fixes the problem with S3/S4 where
the unsol event handling is killed after resume due to fallback to the
single-cmd mode.
Bugzilla: https://bugzilla.novell.com/show_bug.cgi?id=740115
Cc: <stable@kernel.org> [v3.1+]
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Add power domain control support for the r8a7779 SoC V2.
This adds support for 4 power domains for I/O Devices
together with code that can be used for CPU cores as well.
The only out of the ordinary experience is the need for
ioremap() of SYSC registers. Because of that we need to
execute some init function before setting up the domains.
Signed-off-by: Magnus Damm <damm@opensource.se>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
do_notify_resume() can trigger the freezer via the try_to_freeze() path
(both explicitly through a redundant call in do_signal() or via
get_signal_to_deliver()). That IRQs were disabled across this callsite
became apparent with the might_sleep() introduction in try_to_freeze() by
Tejun in a0acae0e88, resulting in:
BUG: sleeping function called from invalid context at include/linux/freezer.h:45
in_atomic(): 0, irqs_disabled(): 1, pid: 819, name: ntpd
no locks held by ntpd/819.
Stack: (0x9c81be80 to 0x9c81c000)
...
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
Add r8a7779 PFC function support using the shared PFC code.
Depends on variable bitfield config register patches.
Signed-off-by: Magnus Damm <damm@opensource.se>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
atomic64_read() doesn't actually write anything (as far as the C
environment is concerned... the CPU does actually write but that's an
implementation quirk), so it should take a const pointer.
This does NOT mean that it is safe to use atomic64_read() on an object
in readonly storage (it will trap!)
Reported-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Link: http://lkml.kernel.org/r/20120109165859.1879abda.akpm@linux-foundation.org
The patch renames puv3_rtcdrv to puv3_rtc_driver, so that modpost will know
that this is simply a list of pointers to driver functions, in which case
the section mismatch is OK. (Thanks Michal Marek)
Cc: Axel Lin <axel.lin@gmail.com>
Cc: Michal Marek <mmarek@suse.cz>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Alessandro Zummo <a.zummo@towertech.it>
Cc: rtc-linux@googlegroups.com
Signed-off-by: Guan Xuetao <gxt@mprc.pku.edu.cn>
--
Section mismatch warning information:
WARNING: drivers/rtc/built-in.o(.data+0x90): Section mismatch in
reference from the variable puv3_rtcdrv to the
function .devinit.text:puv3_rtc_probe()
The variable puv3_rtcdrv references
the function __devinit puv3_rtc_probe()
If the reference is valid then annotate the
variable with __init* or __refdata (see linux/init.h) or name the
variable:
*driver, *_template, *_timer, *_sht, *_ops, *_probe, *_probe_one,
*_console
WARNING: drivers/rtc/built-in.o(.data+0x94): Section mismatch in
reference from the variable puv3_rtcdrv to the
function .devexit.text:puv3_rtc_remove()
The variable puv3_rtcdrv references
the function __devexit puv3_rtc_remove()
If the reference is valid then annotate the
variable with __exit* (see linux/init.h) or name the variable:
*driver, *_template, *_timer, *_sht, *_ops, *_probe, *_probe_one,
*_console
WARNING: drivers/built-in.o(.data+0x6c04): Section mismatch in reference
from the variable puv3_rtcdrv to the
function .devinit.text:puv3_rtc_probe()
The variable puv3_rtcdrv references
the function __devinit puv3_rtc_probe()
If the reference is valid then annotate the
variable with __init* or __refdata (see linux/init.h) or name the
variable:
*driver, *_template, *_timer, *_sht, *_ops, *_probe, *_probe_one,
*_console
WARNING: drivers/built-in.o(.data+0x6c08): Section mismatch in reference
from the variable puv3_rtcdrv to the
function .devexit.text:puv3_rtc_remove()
The variable puv3_rtcdrv references
the function __devexit puv3_rtc_remove()
If the reference is valid then annotate the
variable with __exit* (see linux/init.h) or name the variable:
*driver, *_template, *_timer, *_sht, *_ops, *_probe, *_probe_one,
*_console
WARNING: vmlinux.o(.data+0x1126c): Section mismatch in reference from
the variable puv3_rtcdrv to the function .devinit.text:puv3_rtc_probe()
The variable puv3_rtcdrv references
the function __devinit puv3_rtc_probe()
If the reference is valid then annotate the
variable with __init* or __refdata (see linux/init.h) or name the
variable:
*driver, *_template, *_timer, *_sht, *_ops, *_probe, *_probe_one,
*_console
WARNING: vmlinux.o(.data+0x11270): Section mismatch in reference from
the variable puv3_rtcdrv to the function .devexit.text:puv3_rtc_remove()
The variable puv3_rtcdrv references
the function __devexit puv3_rtc_remove()
If the reference is valid then annotate the
variable with __exit* (see linux/init.h) or name the variable:
*driver, *_template, *_timer, *_sht, *_ops, *_probe, *_probe_one,
*_console
This patch converts the driver to use the module_platform_driver()
macro which makes the code smaller and a bit simpler.
Signed-off-by: Axel Lin <axel.lin@gmail.com>
Signed-off-by: Guan Xuetao <gxt@mprc.pku.edu.cn>
This patch converts the driver to use the module_platform_driver()
macro which makes the code smaller and a bit simpler.
Signed-off-by: Axel Lin <axel.lin@gmail.com>
Signed-off-by: Guan Xuetao <gxt@mprc.pku.edu.cn>
As described in e6fa16ab ("signal: sigprocmask() should do
retarget_shared_pending()") the modification of current->blocked is
incorrect as we need to check whether the signal we're about to block
is pending in the shared queue.
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Guan Xuetao <gxt@mprc.pku.edu.cn>
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Acked-by: Guan Xuetao <gxt@mprc.pku.edu.cn>
Bugfix for following error messages:
lib/iomap.c: In function 'pci_iomap':
lib/iomap.c:274: error: implicit declaration of function 'ioremap_nocache'
lib/iomap.c:274: warning: return makes pointer from integer without a cast
Also see commit <f1ecc69838a2d7c8a3e1909f637d4083c071777d>
it will hide the ioremap_nocache function for systems with an MMU
Signed-off-by: Guan Xuetao <gxt@mprc.pku.edu.cn>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Jonas Bonn <jonas@southpole.se>
For the commit <f1ecc69838a2d7c8a3e1909f637d4083c071777d> has changed
xlate_dev_mem_ptr definition in asm-generic/io.h for the systems with
an MMU, so delete it from unicore32 specified io.h.
Signed-off-by: Guan Xuetao <gxt@mprc.pku.edu.cn>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Jonas Bonn <jonas@southpole.se>
