1. 18 Feb, 2010 1 commit
  2. 16 Feb, 2010 1 commit
  3. 10 Feb, 2010 11 commits
    • Brandon Phiilps's avatar
      x86: Avoid race condition in pci_enable_msix() · ced5b697
      Brandon Phiilps authored
      Keep chip_data in create_irq_nr and destroy_irq.
      
      When two drivers are setting up MSI-X at the same time via
      pci_enable_msix() there is a race.  See this dmesg excerpt:
      
      [   85.170610] ixgbe 0000:02:00.1: irq 97 for MSI/MSI-X
      [   85.170611]   alloc irq_desc for 99 on node -1
      [   85.170613] igb 0000:08:00.1: irq 98 for MSI/MSI-X
      [   85.170614]   alloc kstat_irqs on node -1
      [   85.170616] alloc irq_2_iommu on node -1
      [   85.170617]   alloc irq_desc for 100 on node -1
      [   85.170619]   alloc kstat_irqs on node -1
      [   85.170621] alloc irq_2_iommu on node -1
      [   85.170625] ixgbe 0000:02:00.1: irq 99 for MSI/MSI-X
      [   85.170626]   alloc irq_desc for 101 on node -1
      [   85.170628] igb 0000:08:00.1: irq 100 for MSI/MSI-X
      [   85.170630]   alloc kstat_irqs on node -1
      [   85.170631] alloc irq_2_iommu on node -1
      [   85.170635]   alloc irq_desc for 102 on node -1
      [   85.170636]   alloc kstat_irqs on node -1
      [   85.170639] alloc irq_2_iommu on node -1
      [   85.170646] BUG: unable to handle kernel NULL pointer dereference
      at 0000000000000088
      
      As you can see igb and ixgbe are both alternating on create_irq_nr()
      via pci_enable_msix() in their probe function.
      
      ixgbe: While looping through irq_desc_ptrs[] via create_irq_nr() ixgbe
      choses irq_desc_ptrs[102] and exits the loop, drops vector_lock and
      calls dynamic_irq_init. Then it sets irq_desc_ptrs[102]->chip_data =
      NULL via dynamic_irq_init().
      
      igb: Grabs the vector_lock now and starts looping over irq_desc_ptrs[]
      via create_irq_nr(). It gets to irq_desc_ptrs[102] and does this:
      
      	cfg_new = irq_desc_ptrs[102]->chip_data;
      	if (cfg_new->vector != 0)
      		continue;
      
      This hits the NULL deref.
      
      Another possible race exists via pci_disable_msix() in a driver or in
      the number of error paths that call free_msi_irqs():
      
      destroy_irq()
      dynamic_irq_cleanup() which sets desc->chip_data = NULL
      ...race window...
      desc->chip_data = cfg;
      
      Remove the save and restore code for cfg in create_irq_nr() and
      destroy_irq() and take the desc->lock when checking the irq_cfg.
      Reported-and-analyzed-by: default avatarBrandon Philips <bphilips@suse.de>
      Signed-off-by: default avatarYinghai Lu <yinghai@kernel.org>
      LKML-Reference: <1265793639-15071-3-git-send-email-yinghai@kernel.org>
      Signed-off-by: default avatarBrandon Phililps <bphilips@suse.de>
      Cc: stable@kernel.org
      Signed-off-by: default avatarH. Peter Anvin <hpa@zytor.com>
      ced5b697
    • Linus Torvalds's avatar
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git390.marist.edu/pub/scm/linux-2.6 · 909ccdb4
      Linus Torvalds authored
      * 'for-linus' of git://git390.marist.edu/pub/scm/linux-2.6:
        [S390] Fix struct _lowcore layout.
        [S390] qdio: prevent call trace if CHPID is offline
        [S390] qdio: continue polling for buffer state ERROR
      909ccdb4
    • Linus Torvalds's avatar
      Merge branch 'kvm-updates/2.6.33' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 2cbd1883
      Linus Torvalds authored
      * 'kvm-updates/2.6.33' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: PIT: control word is write-only
        kvmclock: count total_sleep_time when updating guest clock
        Export the symbol of getboottime and mmonotonic_to_bootbased
      2cbd1883
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/hskinnemoen/avr32-2.6 · 5993fe31
      Linus Torvalds authored
      * git://git.kernel.org/pub/scm/linux/kernel/git/hskinnemoen/avr32-2.6:
        avr32: clean up memory allocation in at32_add_device_mci
        arch/avr32: Fix build failure for avr32 caused by typo
      5993fe31
    • Linus Torvalds's avatar
      Merge branch 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc · 53910146
      Linus Torvalds authored
      * 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc:
        powerpc: Fix address masking bug in hpte_need_flush()
      53910146
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/sfrench/cifs-2.6 · 5551638a
      Linus Torvalds authored
      * git://git.kernel.org/pub/scm/linux/kernel/git/sfrench/cifs-2.6:
        cifs: fix dentry hash calculation for case-insensitive mounts
        [CIFS] Don't cache timestamps on utimes due to coarse granularity
        [CIFS] Maximum username length check in session setup does not match
        cifs: fix length calculation for converted unicode readdir names
        [CIFS] Add support for TCP_NODELAY
      5551638a
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 · 0ea45783
      Linus Torvalds authored
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (29 commits)
        drivers/net: Correct NULL test
        MAINTAINERS: networking drivers - Add git net-next tree
        net/sched: Fix module name in Kconfig
        cxgb3: fix GRO checksum check
        dst: call cond_resched() in dst_gc_task()
        netfilter: nf_conntrack: fix hash resizing with namespaces
        netfilter: xtables: compat out of scope fix
        netfilter: nf_conntrack: restrict runtime expect hashsize modifications
        netfilter: nf_conntrack: per netns nf_conntrack_cachep
        netfilter: nf_conntrack: fix memory corruption with multiple namespaces
        Bluetooth: Keep a copy of each HID device's report descriptor
        pktgen: Fix freezing problem
        igb: make certain to reassign legacy interrupt vectors after reset
        irda: add missing BKL in irnet_ppp ioctl
        irda: unbalanced lock_kernel in irnet_ppp
        ixgbe: Fix return of invalid txq
        ixgbe: Fix ixgbe_tx_map error path
        netxen: protect resource cleanup by rtnl lock
        netxen: fix tx timeout recovery for NX2031 chip
        Bluetooth: Enter active mode before establishing a SCO link.
        ...
      0ea45783
    • David Gibson's avatar
      powerpc: Fix address masking bug in hpte_need_flush() · 77058e1a
      David Gibson authored
      Commit f71dc176 'Make
      hpte_need_flush() correctly mask for multiple page sizes' introduced
      bug, which is triggered when a kernel with a 64k base page size is run
      on a system whose hardware does not 64k hash PTEs.  In this case, we
      emulate 64k pages with multiple 4k hash PTEs, however in
      hpte_need_flush() we incorrectly only mask the hardware page size from
      the address, instead of the logical page size.  This causes things to
      go wrong when we later attempt to iterate through the hardware
      subpages of the logical page.
      
      This patch corrects the error.  It has been tested on pSeries bare
      metal by Michael Neuling.
      Signed-off-by: default avatarDavid Gibson <dwg@au1.ibm.com>
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      77058e1a
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://neil.brown.name/md · ac73fddf
      Linus Torvalds authored
      * 'for-linus' of git://neil.brown.name/md:
        md: fix some lockdep issues between md and sysfs.
        md: fix 'degraded' calculation when starting a reshape.
      ac73fddf
    • NeilBrown's avatar
      md: fix some lockdep issues between md and sysfs. · ef286f6f
      NeilBrown authored
      ======
      This fix is related to
          http://bugzilla.kernel.org/show_bug.cgi?id=15142
      but does not address that exact issue.
      ======
      
      sysfs does like attributes being removed while they are being accessed
      (i.e. read or written) and waits for the access to complete.
      
      As accessing some md attributes takes the same lock that is held while
      removing those attributes a deadlock can occur.
      
      This patch addresses 3 issues in md that could lead to this deadlock.
      
      Two relate to calling flush_scheduled_work while the lock is held.
      This is probably a bad idea in general and as we use schedule_work to
      delete various sysfs objects it is particularly bad.
      
      In one case flush_scheduled_work is called from md_alloc (called by
      md_probe) called from do_md_run which holds the lock.  This call is
      only present to ensure that ->gendisk is set.  However we can be sure
      that gendisk is always set (though possibly we couldn't when that code
      was originally written.  This is because do_md_run is called in three
      different contexts:
        1/ from md_ioctl.  This requires that md_open has succeeded, and it
           fails if ->gendisk is not set.
        2/ from writing a sysfs attribute.  This can only happen if the
           mddev has been registered in sysfs which happens in md_alloc
           after ->gendisk has been set.
        3/ from autorun_array which is only called by autorun_devices, which
           checks for ->gendisk to be set before calling autorun_array.
      So the call to md_probe in do_md_run can be removed, and the check on
      ->gendisk can also go.
      
      
      In the other case flush_scheduled_work is being called in do_md_stop,
      purportedly to wait for all md_delayed_delete calls (which delete the
      component rdevs) to complete.  However there really isn't any need to
      wait for them - they have already been disconnected in all important
      ways.
      
      The third issue is that raid5->stop() removes some attribute names
      while the lock is held.  There is already some infrastructure in place
      to delay attribute removal until after the lock is released (using
      schedule_work).  So extend that infrastructure to remove the
      raid5_attrs_group.
      
      This does not address all lockdep issues related to the sysfs
      "s_active" lock.  The rest can be address by splitting that lockdep
      context between symlinks and non-symlinks which hopefully will happen.
      Signed-off-by: default avatarNeilBrown <neilb@suse.de>
      ef286f6f
  4. 09 Feb, 2010 16 commits
  5. 08 Feb, 2010 11 commits