- 16 Jun, 2011 2 commits
-
-
Al Viro authored
[Kudos to dhowells for tracking that crap down] If two processes attempt to cause automounting on the same mountpoint at the same time, the vfsmount holding the mountpoint will be left with one too few references on it, causing a BUG when the kernel tries to clean up. The problem is that lock_mount() drops the caller's reference to the mountpoint's vfsmount in the case where it finds something already mounted on the mountpoint as it transits to the mounted filesystem and replaces path->mnt with the new mountpoint vfsmount. During a pathwalk, however, we don't take a reference on the vfsmount if it is the same as the one in the nameidata struct, but do_add_mount() doesn't know this. The fix is to make sure we have a ref on the vfsmount of the mountpoint before calling do_add_mount(). However, if lock_mount() doesn't transit, we're then left with an extra ref on the mountpoint vfsmount which needs releasing. We can handle that in follow_managed() by not making assumptions about what we can and what we cannot get from lookup_mnt() as the current code does. The callers of follow_managed() expect that reference to path->mnt will be grabbed iff path->mnt has been changed. follow_managed() and follow_automount() keep track of whether such reference has been grabbed and assume that it'll happen in those and only those cases that'll have us return with changed path->mnt. That assumption is almost correct - it breaks in case of racing automounts and in even harder to hit race between following a mountpoint and a couple of mount --move. The thing is, we don't need to make that assumption at all - after the end of loop in follow_manage() we can check if path->mnt has ended up unchanged and do mntput() if needed. The BUG can be reproduced with the following test program: #include <stdio.h> #include <sys/types.h> #include <sys/stat.h> #include <unistd.h> #include <sys/wait.h> int main(int argc, char **argv) { int pid, ws; struct stat buf; pid = fork(); stat(argv[1], &buf); if (pid > 0) wait(&ws); return 0; } and the following procedure: (1) Mount an NFS volume that on the server has something else mounted on a subdirectory. For instance, I can mount / from my server: mount warthog:/ /mnt -t nfs4 -r On the server /data has another filesystem mounted on it, so NFS will see a change in FSID as it walks down the path, and will mark /mnt/data as being a mountpoint. This will cause the automount code to be triggered. !!! Do not look inside the mounted fs at this point !!! (2) Run the above program on a file within the submount to generate two simultaneous automount requests: /tmp/forkstat /mnt/data/testfile (3) Unmount the automounted submount: umount /mnt/data (4) Unmount the original mount: umount /mnt At this point the kernel should throw a BUG with something like the following: BUG: Dentry ffff880032e3c5c0{i=2,n=} still in use (1) [unmount of nfs4 0:12] Note that the bug appears on the root dentry of the original mount, not the mountpoint and not the submount because sys_umount() hasn't got to its final mntput_no_expire() yet, but this isn't so obvious from the call trace: [<ffffffff8117cd82>] shrink_dcache_for_umount+0x69/0x82 [<ffffffff8116160e>] generic_shutdown_super+0x37/0x15b [<ffffffffa00fae56>] ? nfs_super_return_all_delegations+0x2e/0x1b1 [nfs] [<ffffffff811617f3>] kill_anon_super+0x1d/0x7e [<ffffffffa00d0be1>] nfs4_kill_super+0x60/0xb6 [nfs] [<ffffffff81161c17>] deactivate_locked_super+0x34/0x83 [<ffffffff811629ff>] deactivate_super+0x6f/0x7b [<ffffffff81186261>] mntput_no_expire+0x18d/0x199 [<ffffffff811862a8>] mntput+0x3b/0x44 [<ffffffff81186d87>] release_mounts+0xa2/0xbf [<ffffffff811876af>] sys_umount+0x47a/0x4ba [<ffffffff8109e1ca>] ? trace_hardirqs_on_caller+0x1fd/0x22f [<ffffffff816ea86b>] system_call_fastpath+0x16/0x1b as do_umount() is inlined. However, you can see release_mounts() in there. Note also that it may be necessary to have multiple CPU cores to be able to trigger this bug. Tested-by: Jeff Layton <jlayton@redhat.com> Tested-by: Ian Kent <raven@themaw.net> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
Török Edwin authored
Git bisection shows that commit e6bc45d6 causes BUG_ONs under high I/O load: kernel BUG at fs/inode.c:1368! [ 2862.501007] Call Trace: [ 2862.501007] [<ffffffff811691d8>] d_kill+0xf8/0x140 [ 2862.501007] [<ffffffff81169c19>] dput+0xc9/0x190 [ 2862.501007] [<ffffffff8115577f>] fput+0x15f/0x210 [ 2862.501007] [<ffffffff81152171>] filp_close+0x61/0x90 [ 2862.501007] [<ffffffff81152251>] sys_close+0xb1/0x110 [ 2862.501007] [<ffffffff814c14fb>] system_call_fastpath+0x16/0x1b A reliable way to reproduce this bug is: Login to KDE, run 'rsnapshot sync', and apt-get install openjdk-6-jdk, and apt-get remove openjdk-6-jdk. The buggy part of the patch is this: struct inode *inode = NULL; ..... - if (nd.last.name[nd.last.len]) - goto slashes; inode = dentry->d_inode; - if (inode) - ihold(inode); + if (nd.last.name[nd.last.len] || !inode) + goto slashes; + ihold(inode) ... if (inode) iput(inode); /* truncate the inode here */ If nd.last.name[nd.last.len] is nonzero (and thus goto slashes branch is taken), and dentry->d_inode is non-NULL, then this code now does an additional iput on the inode, which is wrong. Fix this by only setting the inode variable if nd.last.name[nd.last.len] is 0. Reference: https://lkml.org/lkml/2011/6/15/50Reported-by: Norbert Preining <preining@logic.at> Reported-by: Török Edwin <edwintorok@gmail.com> Cc: "Theodore Ts'o" <tytso@mit.edu> Cc: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Török Edwin <edwintorok@gmail.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
- 12 Jun, 2011 6 commits
-
-
Al Viro authored
* new refcount in struct net, controlling actual freeing of the memory * new method in kobj_ns_type_operations (->drop_ns()) * ->current_ns() semantics change - it's supposed to be followed by corresponding ->drop_ns(). For struct net in case of CONFIG_NET_NS it bumps the new refcount; net_drop_ns() decrements it and calls net_free() if the last reference has been dropped. Method renamed to ->grab_current_ns(). * old net_free() callers call net_drop_ns() instead. * sysfs_exit_ns() is gone, along with a large part of callchain leading to it; now that the references stored in ->ns[...] stay valid we do not need to hunt them down and replace them with NULL. That fixes problems in sysfs_lookup() and sysfs_readdir(), along with getting rid of sb->s_instances abuse. Note that struct net *shutdown* logics has not changed - net_cleanup() is called exactly when it used to be called. The only thing postponed by having a sysfs instance refering to that struct net is actual freeing of memory occupied by struct net. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
Al Viro authored
* set ->s_fs_info in set() callback passed to sget() * allocate the thing and set it up enough for afs_test_super() before making it visible * have it freed in ->kill_sb() (current tree simply leaks it) * have ->put_super() leave ->s_fs_info->volume alone; it's too early for dropping it; do that from ->kill_sb() after having called kill_anon_super(). Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
Al Viro authored
* allocate ubifs_info in ->mount(), fill it enough for sb_test() and set ->s_fs_info to it in set() callback passed to sget(). * do *not* free it in ->put_super(); do that in ->kill_sb() after we'd done kill_anon_super(). * don't free it in ubifs_fill_super() either - deactivate_locked_super() done by caller when ubifs_fill_super() returns an error will take care of that sucker. * get rid of kludge with passing ubi to ubifs_fill_super() in ->s_fs_info; we only need it in alloc_ubifs_info(), so ubifs_fill_super() will need only ubifs_info. Which it will find in ->s_fs_info just fine, no need to reassign anything... As the result, sb_test() becomes safe to apply to all superblocks that can be found by sget() (and a kludge with temporary use of ->s_fs_info to store a pointer to very different structure goes away). Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
Al Viro authored
preparation to ubifs sget() race fixes Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
Al Viro authored
set_anon_super() can fail... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
Linus Torvalds authored
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6 * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: AppArmor: Fix sleep in invalid context from task_setrlimit
-
- 11 Jun, 2011 1 commit
-
-
David Howells authored
It uses cpu_relax(), and so needs <asm/processor.h> Without this patch, I see: CC arch/mn10300/kernel/asm-offsets.s In file included from include/linux/time.h:8, from include/linux/timex.h:56, from include/linux/sched.h:57, from arch/mn10300/kernel/asm-offsets.c:7: include/linux/seqlock.h: In function 'read_seqbegin': include/linux/seqlock.h:91: error: implicit declaration of function 'cpu_relax' whilst building asb2364_defconfig on MN10300. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
- 10 Jun, 2011 1 commit
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/jgarzik/libata-devLinus Torvalds authored
* 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jgarzik/libata-dev: libata: fix unexpectedly frozen port after ata_eh_reset()
-
- 09 Jun, 2011 30 commits
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-2.6Linus Torvalds authored
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-2.6: sparc32, leon: bugfix in LEON SMP interrupt init sparc32, sun4m: bugfix in SMP IPI traphandler sparc: Remove unnecessary semicolons Add support for allocating irqs for bootbus devices Do not skip interrupt sources in sun4d interrupt handler and acknowledge interrupts correctly Restructure sun4d_build_device_irq so that timer interrupts can be allocated sparc: PCIC_PCI needs SPARC32 dependency sparc: Do not select GENERIC_HARDIRQS_NO_DEPRECATED sparc32,leon: add GRPCI2 PCI Host driver sparc32,leon: added LEON-common low-level PCI routines sparc32: added CONFIG_PCIC_PCI Kconfig setting
-
git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild-2.6Linus Torvalds authored
* 'rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild-2.6: perf: Use make kernelversion instead of parsing the Makefile kbuild: Hack for depmod not handling X.Y versions kbuild: Move depmod call to a separate script kbuild: Fix <linux/version.h> for empty SUBLEVEL or PATCHLEVEL kbuild: Fix KERNELVERSION for empty SUBLEVEL or PATCHLEVEL kbuild: silence Nothing to be done for 'all' message
-
Daniel Hellstrom authored
During converting per-cpu ticker to genirq layer some IRQ initialization code was removed by commit 2cf95304 ("sparc32,leon: per-cpu ticker use genirq per-cpu handler"). This patch reintroduces the code at the same place it was removed from. IRQ12 - IRQ14 will crash on LEON SMP without this patch because it will run the SUN4M IRQ trap handler. Reported-by: Jan Andersson <jan@gaisler.com> Signed-off-by: Daniel Hellstrom <daniel@gaisler.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Daniel Hellstrom authored
Three new IPIs were introduced by commit ecbc42b7 ("sparc32, sun4m: Implemented SMP IPIs support for SUN4M machines"), the old handler was already prepared for IPIs but handled only IRQ14 and IRQ13, this patch adds support for the new IPI at IRQ12. The IPI trap handler looks at the mask rather than the pending IRQ/IPI, this bug may have masked the problem above, introduced by the same commit. Signed-off-by: Daniel Hellstrom <daniel@gaisler.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Michal Marek authored
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Paul Mackerras <paulus@samba.org> Cc: Ingo Molnar <mingo@elte.hu> Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net> Signed-off-by: Michal Marek <mmarek@suse.cz>
-
Michal Marek authored
depmod from module-init-tools < 3.13 and the busybox depmod check if the kernel release starts with <num>.<num>.<num>. To support these versions, we create a symlink with two numbers prepended. Signed-off-by: Michal Marek <mmarek@suse.cz>
-
Michal Marek authored
Do not bloat the Makefile with multiline shell statements. No user-visible change intended. Signed-off-by: Michal Marek <mmarek@suse.cz>
-
Michal Marek authored
expr treats all numbers as decimals, so prepending a zero is safe. Note that the KERNEL_VERSION() macro still takes three arguments, 3.0 has to be written as KERNEL_VERSION(3,0,0). Signed-off-by: Michal Marek <mmarek@suse.cz>
-
Michal Marek authored
Omit the second dot for releases without SUBLEVEL. If PATCHLEVEL is also empty, only display VERSION. Signed-off-by: Michal Marek <mmarek@suse.cz>
-
git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpcLinus Torvalds authored
* 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc: powerpc: Force page alignment for initrd reserved memory dtc/powerpc: remove obsolete .gitignore entries powerpc/85xx: fix race bug of calling request_irq after enable elbc interrupts powerpc/book3e: Fix CPU feature handling on e5500 in 32-bit mode powerpc/fsl_rio: Fix compile error when CONFIG_FSL_RIO not set
-
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging-2.6Linus Torvalds authored
* 'staging-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging-2.6: staging: iio: max517: Fix iio_info changes Staging: mei: fix debug code Staging: cx23885: fix include of altera.h staging: iio: error case memory leak fix staging: ath6kl: Fix a kernel panic during suspend/resume staging: gma500: get control from firmware framebuffer if conflicts staging: gma500: Skip bogus LVDS VBT mode and check for LVDS before adding backlight staging: usbip: bugfix prevent driver unbind staging: iio: industrialio-trigger: set iio_poll_func private_data staging: rts_pstor: use bitwise operator instead of logical one staging: fix ath6kl build when CFG80211 is not enabled staging: brcm80211: fix for 'multiple definition of wl_msg_level' build err staging: fix olpc_dcon build, needs BACKLIGHT_CLASS_DEVICE Staging: remove STAGING_EXCLUDE_BUILD option Staging: altera: move .h file to proper place
-
Linus Torvalds authored
Merge branch 'stable/xen-swiotlb.bugfix' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/swiotlb-2.6 * 'stable/xen-swiotlb.bugfix' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/swiotlb-2.6: swiotlb: Export swioltb_nr_tbl and utilize it as appropiate.
-
Linus Torvalds authored
Merge branch 'stable/broadcom.ibft-bugfixes' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/ibft-2.6 * 'stable/broadcom.ibft-bugfixes' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/ibft-2.6: iscsi_ibft: iscsi_ibft_find unused variable i
-
git://git.kernel.org/pub/scm/linux/kernel/git/epip/linux-2.6-unicore32Linus Torvalds authored
* 'unicore32' of git://git.kernel.org/pub/scm/linux/kernel/git/epip/linux-2.6-unicore32: unicore32: using generic-y format for one line asm-generic files unicore32: change PERCPU to PERCPU_SECTION unicore32: add KBUILD_DEFCONFIG with unicore32_defconfig (old debug_defconfig) unicore32: change zImage physical address, though it's PIC codes unicore32: move rtc-puv3.c to drivers/rtc directory
-
Joe Perches authored
RFC 5952 (http://tools.ietf.org/html/rfc5952) mandates that 2 or more consecutive 0's are required before using :: compression. Update ip6_compressed_string to match the RFC and update the http reference as well. Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
Mathias Krause authored
Unconditionally changing the address limit to USER_DS and not restoring it to its old value in the error path is wrong because it prevents us using kernel memory on repeated calls to this function. This, in fact, breaks the fallback of hard coded paths to the init program from being ever successful if the first candidate fails to load. With this patch applied switching to USER_DS is delayed until the point of no return is reached which makes it possible to have a multi-arch rootfs with one arch specific init binary for each of the (hard coded) probed paths. Since the address limit is already set to USER_DS when start_thread() will be invoked, this redundancy can be safely removed. Signed-off-by: Mathias Krause <minipli@googlemail.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-
Roland Stigge authored
struct iio_info introduced a bug where the second channel of a MAX518 can't be used. This commit fixes the typo (using max518 instead of the max517 struct). Signed-off-by: Roland Stigge <stigge@antcom.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Dan Carpenter authored
! has higher precedence than !=. H_RDY is 8 and since neither 0 nor 1 are equal to 8 the original condition was always true. Signed-off-by: Dan Carpenter <error27@gmail.com> Acked-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
Connor Hansen authored
int i is only needed if CONFIG_ACPI is set so move it within a new ifdef so kernels without ACPI don't allocate space for nothing. Fixes warning too. Signed-off-by: Connor Hansen <cmdkhh@gmail.com> Signed-off-by: Peter Jones <pjones@redhat.com> [v2: Fixed warning when CONFIG_ACPI was defined] Signed-off-by: Konrad Rzeszutek Wilk <konrad@kernel.org>
-
Peter Foley authored
This patch silences a Makefile.asm-generic message by defining a dummy rule for all. make -f /usr/src/git/scripts/Makefile.asm-generic \ obj=arch/x86/include/generated/asm make[1]: Nothing to be done for `all'. Signed-off-by: Peter Foley <pefoley2@verizon.net> Signed-off-by: Michal Marek <mmarek@suse.cz>
-
Guan Xuetao authored
The patch adds one-line asm-generic files in arch/unicore32/include/asm/Kbuild Also, remove the old implementation in arch/unicore32/Makefile see commit from Sam Ravnborg <d8ecc5cd> kbuild: asm-generic support Signed-off-by: Guan Xuetao <gxt@mprc.pku.edu.cn> Acked-by: Arnd Bergmann <arnd@arndb.de>
-
Guan Xuetao authored
The patch changes PERCPU to PERCPU_SECTION see commit from Tejun Heo <0415b00d> percpu: Always align percpu output section to PAGE_SIZE Signed-off-by: Guan Xuetao <gxt@mprc.pku.edu.cn> Acked-by: Tejun Heo <tj@kernel.org>
-
Guan Xuetao authored
Rename debug_defconfig to unicore32_defconfig, which is a minimal config for PKUnity-v3 (130nm) SoC board. Also, add KBUILD_DEFCONFIG to use 'make defconfig'. Signed-off-by: Guan Xuetao <gxt@mprc.pku.edu.cn> Acked-by: Arnd Bergmann <arnd@arndb.de>
-
Guan Xuetao authored
U-boot will load the kernel image to 48M physical memory address. The patch changes it to the correct address, though it's PIC codes. Signed-off-by: Guan Xuetao <gxt@mprc.pku.edu.cn> Acked-by: Arnd Bergmann <arnd@arndb.de>
-
Guan Xuetao authored
The patch moves rtc driver for PKUnity-v3 SoC from arch/unicore32/kernel/ to drivers/rtc/, with renaming it to rtc-puv3.c. Also, Kconfig, Makefile, and MAINTAINERS are modified correspondingly. Signed-off-by: Guan Xuetao <gxt@mprc.pku.edu.cn> Acked-by: Arnd Bergmann <arnd@arndb.de>
-
Benjamin Herrenschmidt authored
When using 64K pages with a separate cpio rootfs, U-Boot will align the rootfs on a 4K page boundary. When the memory is reserved, and subsequent early memblock_alloc is called, it will allocate memory between the 64K page alignment and reserved memory. When the reserved memory is subsequently freed, it is done so by pages, causing the early memblock_alloc requests to be re-used, which in my case, caused the device-tree to be clobbered. This patch forces the reserved memory for initrd to be kernel page aligned, and will move the device tree if it overlaps with the range extension of initrd. This patch will also consolidate the identical function free_initrd_mem() from mm/init_32.c, init_64.c to mm/mem.c, and adds the same range extension when freeing initrd. free_initrd_mem() is also moved to the __init section. Many thanks to Milton Miller for his input on this patch. [BenH: Fixed build without CONFIG_BLK_DEV_INITRD] Signed-off-by: Dave Carroll <dcarroll@astekcorp.com> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
-
Benjamin Herrenschmidt authored
-
Benjamin Herrenschmidt authored
-
John Johansen authored
Affected kernels 2.6.36 - 3.0 AppArmor may do a GFP_KERNEL memory allocation with task_lock(tsk->group_leader); held when called from security_task_setrlimit. This will only occur when the task's current policy has been replaced, and the task's creds have not been updated before entering the LSM security_task_setrlimit() hook. BUG: sleeping function called from invalid context at mm/slub.c:847 in_atomic(): 1, irqs_disabled(): 0, pid: 1583, name: cupsd 2 locks held by cupsd/1583: #0: (tasklist_lock){.+.+.+}, at: [<ffffffff8104dafa>] do_prlimit+0x61/0x189 #1: (&(&p->alloc_lock)->rlock){+.+.+.}, at: [<ffffffff8104db2d>] do_prlimit+0x94/0x189 Pid: 1583, comm: cupsd Not tainted 3.0.0-rc2-git1 #7 Call Trace: [<ffffffff8102ebf2>] __might_sleep+0x10d/0x112 [<ffffffff810e6f46>] slab_pre_alloc_hook.isra.49+0x2d/0x33 [<ffffffff810e7bc4>] kmem_cache_alloc+0x22/0x132 [<ffffffff8105b6e6>] prepare_creds+0x35/0xe4 [<ffffffff811c0675>] aa_replace_current_profile+0x35/0xb2 [<ffffffff811c4d2d>] aa_current_profile+0x45/0x4c [<ffffffff811c4d4d>] apparmor_task_setrlimit+0x19/0x3a [<ffffffff811beaa5>] security_task_setrlimit+0x11/0x13 [<ffffffff8104db6b>] do_prlimit+0xd2/0x189 [<ffffffff8104dea9>] sys_setrlimit+0x3b/0x48 [<ffffffff814062bb>] system_call_fastpath+0x16/0x1b Signed-off-by: John Johansen <john.johansen@canonical.com> Reported-by: Miles Lane <miles.lane@gmail.com> Cc: stable@kernel.org Signed-off-by: James Morris <jmorris@namei.org>
-
Wolfram Sang authored
dtc was moved and .gitignores have been added to the new location. So, we can delete the old, forgotten ones. Signed-off-by: Wolfram Sang <w.sang@pengutronix.de> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
-