1. 21 Feb, 2012 3 commits
    • Sarah Sharp's avatar
      xhci: Fix encoding for HS bulk/control NAK rate. · 340a3504
      Sarah Sharp authored
      The xHCI 0.96 spec says that HS bulk and control endpoint NAK rate must
      be encoded as an exponent of two number of microframes.  The endpoint
      descriptor has the NAK rate encoded in number of microframes.  We were
      just copying the value from the endpoint descriptor into the endpoint
      context interval field, which was not correct.  This lead to the VIA
      host rejecting the add of a bulk OUT endpoint from any USB 2.0 mass
      storage device.
      
      The fix is to use the correct encoding.  Refactor the code to convert
      number of frames to an exponential number of microframes, and make sure
      we convert the number of microframes in HS bulk and control endpoints to
      an exponent.
      
      This should be back ported to kernels as old as 2.6.31, that contain the
      commit dfa49c4a "USB: xhci - fix math
      in xhci_get_endpoint_interval"
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      Tested-by: default avatarFelipe Contreras <felipe.contreras@gmail.com>
      Suggested-by: default avatarAndiry Xu <andiry.xu@amd.com>
      Cc: stable@vger.kernel.org
      340a3504
    • Elric Fu's avatar
      USB: Set hub depth after USB3 hub reset · a45aa3b3
      Elric Fu authored
      The superspeed device attached to a USB 3.0 hub(such as VIA's)
      doesn't respond the address device command after resume. The
      root cause is the superspeed hub will miss the Hub Depth value
      that is used as an offset into the route string to locate the
      bits it uses to determine the downstream port number after
      reset, and all packets can't be routed to the device attached
      to the superspeed hub.
      
      Hub driver sends a Set Hub Depth request to the superspeed hub
      except for USB 3.0 root hub when the hub is initialized and
      doesn't send the request again after reset due to the resume
      process. So moving the code that sends the Set Hub Depth request
      to the superspeed hub from hub_configure() to hub_activate()
      is to cover those situations include initialization and reset.
      
      The patch should be backported to kernels as old as 2.6.39.
      Signed-off-by: default avatarElric Fu <elricfu1@gmail.com>
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Cc: stable@vger.kernel.org
      a45aa3b3
    • Sarah Sharp's avatar
      USB: Fix handoff when BIOS disables host PCI device. · cab928ee
      Sarah Sharp authored
      On some systems with an Intel Panther Point xHCI host controller, the
      BIOS disables the xHCI PCI device during boot, and switches the xHCI
      ports over to EHCI.  This allows the BIOS to access USB devices without
      having xHCI support.
      
      The downside is that the xHCI BIOS handoff mechanism will fail because
      memory mapped I/O is not enabled for the disabled PCI device.
      Jesse Barnes says this is expected behavior.  The PCI core will enable
      BARs before quirks run, but it will leave it in an undefined state, and
      it may not have memory mapped I/O enabled.
      
      Make the generic USB quirk handler call pci_enable_device() to re-enable
      MMIO, and call pci_disable_device() once the host-specific BIOS handoff
      is finished.  This will balance the ref counts in the PCI core.  When
      the PCI probe function is called, usb_hcd_pci_probe() will call
      pci_enable_device() again.
      
      This should be back ported to kernels as old as 2.6.31.  That was the
      first kernel with xHCI support, and no one has complained about BIOS
      handoffs failing due to memory mapped I/O being disabled on other hosts
      (EHCI, UHCI, or OHCI).
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      Acked-by: default avatarOliver Neukum <oneukum@suse.de>
      Cc: Jesse Barnes <jbarnes@virtuousgeek.org>
      Cc: stable@vger.kernel.org
      cab928ee
  2. 14 Feb, 2012 3 commits
  3. 13 Feb, 2012 1 commit
  4. 10 Feb, 2012 2 commits
    • Sarah Sharp's avatar
      xhci: Fix oops caused by more USB2 ports than USB3 ports. · 3278a55a
      Sarah Sharp authored
      The code to set the device removable bits in the USB 2.0 roothub
      descriptor was accidentally looking at the USB 3.0 port registers
      instead of the USB 2.0 registers.  This can cause an oops if there are
      more USB 2.0 registers than USB 3.0 registers.
      
      This should be backported to kernels as old as 2.6.39, that contain the
      commit 4bbb0ace "xhci: Return a USB 3.0
      hub descriptor for USB3 roothub."
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      Cc: stable@vger.kernel.org
      3278a55a
    • Sarah Sharp's avatar
      USB: Remove duplicate USB 3.0 hub feature #defines. · d9f5343e
      Sarah Sharp authored
      Somehow we ended up with duplicate hub feature #defines in ch11.h.
      Tatyana Brokhman first created the USB 3.0 hub feature macros in 2.6.38
      with commit 0eadcc09 "usb: USB3.0 ch11
      definitions".  In 2.6.39, I modified a patch from John Youn that added
      similar macros in a different place in the same file, and committed
      dbe79bbe "USB 3.0 Hub Changes".
      
      Some of the #defines used different names for the same values.  Others
      used exactly the same names with the same values, like these gems:
      
       #define USB_PORT_FEAT_BH_PORT_RESET     28
      ...
       #define USB_PORT_FEAT_BH_PORT_RESET            28
      
      According to my very geeky husband (who looked it up in the C99 spec),
      it is allowed to have object-like macros with duplicate names as long as
      the replacement list is exactly the same.  However, he recalled that
      some compilers will give warnings when they find duplicate macros.  It's
      probably best to remove the duplicates in the stable tree, so that the
      code compiles for everyone.
      
      The macros are now fixed to move the feature requests that are specific
      to USB 3.0 hubs into a new section (out of the USB 2.0 hub feature
      section), and use the most common macro name.
      
      This patch should be backported to 2.6.39.
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      Cc: Tatyana Brokhman <tlinder@codeaurora.org>
      Cc: John Youn <johnyoun@synopsys.com>
      Cc: Jamey Sharp <jamey@minilop.net>
      Cc: stable@vger.kernel.org
      d9f5343e
  5. 09 Feb, 2012 13 commits
    • Linus Torvalds's avatar
      Merge tag 'usb-3.3-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · fe250923
      Linus Torvalds authored
      USB fixes for 3.3-rc3
      
      Here are a few minor USB fixes and a bunch of device id updates for the
      USB drivers.
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      * tag 'usb-3.3-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        USB: usbserial: add new PID number (0xa951) to the ftdi driver
        usb: ch9.h: usb_endpoint_maxp() uses __le16_to_cpu()
        usb: musb: fix a build error on mips
        uwb & wusb & usb wireless controllers: fix kconfig error & build errors
        usb: Skip PCI USB quirk handling for Netlogic XLP
        powerpc/usb: fix issue of CPU halt when missing USB PHY clock
        usb: otg: mv_otg: Add dependence
        usb: host: Distinguish Kconfig text for Freescale controllers
        USB: add new zte 3g-dongle's pid to option.c
        usb: ch9.h: usb_endpoint_maxp() uses __le16_to_cpu()
        USB: qcserial: don't enable autosuspend
        USB: qcserial: add several new serial devices
        usb: otg: mv_otg: Add dependence
        usb: gadget: zero: fix bug in loopback autoresume handling
      fe250923
    • David Howells's avatar
      Reduce the number of expensive division instructions done by _parse_integer() · 690d137f
      David Howells authored
      _parse_integer() does one or two division instructions (which are slow)
      per digit parsed to perform the overflow check.
      
      Furthermore, these are particularly expensive examples of division
      instruction as the number of clock cycles required to complete them may
      go up with the position of the most significant set bit in the dividend:
      
      	if (*res > div_u64(ULLONG_MAX - val, base))
      
      which is as maximal as possible.
      
      Worse, on 32-bit arches, more than one of these division instructions
      may be required per digit.
      
      So, assuming we don't support a base of more than 16, skip the check if the
      top nibble of the result is not set at this point.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      [ Changed it to not dereference the pointer all the time - even if the
        compiler can and does optimize it away, the code just looks cleaner.
        And edited the top nybble test slightly to make the code generated on
        x86-64 better in the loop - test against a hoisted constant instead of
        shifting and testing the result ]
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      690d137f
    • Linus Torvalds's avatar
      Linux 3.3-rc3 · d65b4e98
      Linus Torvalds authored
      d65b4e98
    • Linus Torvalds's avatar
      Merge branch 'iommu/fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · 63082402
      Linus Torvalds authored
      One patch fixes an bug in the ARM/MSM IOMMU code which returned sucess
      in the unmap function even when an error occured and the other patch
      adds a workaround into the AMD IOMMU driver to better handle broken IVRS
      ACPI tables (this patch fixes the case when a device is not listed in
      the table but actually translated by the iommu).
      
      * 'iommu/fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
        iommu/msm: Fix error handling in msm_iommu_unmap()
        iommu/amd: Work around broken IVRS tables
      63082402
    • Linus Torvalds's avatar
      Merge branch '3.3-rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending · 19e75ed4
      Linus Torvalds authored
      This series contains pending target bug-fixes and cleanups for v3.3-rc3
      that have been addressed the past weeks in lio-core.git.
      
      Some of the highlights include:
      
       - Fix handling for control CDBs with data greater than PAGE_SIZE (andy)
       - Use IP_FREEBIND for iscsi-target to address network portal creation
         issues with systemd (dax)
       - Allow PERSISTENT RESERVE IN for non-reservation holder (marco)
       - Fix iblock se_dev_attrib.unmap_granularity (marco)
       - Fix unsupported WRITE_SAME sense payload handling (martin)
       - Add workaround for zero-length control CDB handling (nab)
       - Fix discovery with INADDR_ANY and IN6ADDR_ANY_INIT (nab)
       - Fix target_submit_cmd() exception handling (nab)
       - Return correct ASC for unimplemented VPD pages (roland)
       - Don't zero pages used for data buffers (roland)
       - Fix return code of core_tpg_.*_lun (sebastian)
      
      * '3.3-rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending: (26 commits)
        target: Fix unsupported WRITE_SAME sense payload
        iscsi: use IP_FREEBIND socket option
        iblock: fix handling of large requests
        target: handle empty string writes in sysfs
        iscsi_target: in_aton needs linux/inet.h
        target: Fix iblock se_dev_attrib.unmap_granularity
        target: Fix target_submit_cmd() exception handling
        target: Change target_submit_cmd() to return void
        target: accept REQUEST_SENSE with 18bytes
        target: Fail INQUIRY commands with EVPD==0 but PAGE CODE!=0
        target: Return correct ASC for unimplemented VPD pages
        iscsi-target: Fix discovery with INADDR_ANY and IN6ADDR_ANY_INIT
        target: Allow control CDBs with data > 1 page
        iscsi-target: Fix up a few assignments
        iscsi-target: make one-bit bitfields unsigned
        iscsi-target: Fix double list_add with iscsit_alloc_buffs reject
        iscsi-target: Fix reject release handling in iscsit_free_cmd()
        target: fix return code of core_tpg_.*_lun
        target: use save/restore lock primitive in core_dec_lacl_count()
        target: avoid multiple outputs in scsi_dump_inquiry()
        ...
      19e75ed4
    • Linus Torvalds's avatar
      Merge tag 'md-3.3-fixes' of git://neil.brown.name/md · 4d39aa1b
      Linus Torvalds authored
      Some simple md-related fixes.
      
      1/ two small fixes to ensure we handle an interrupted resync properly.
      2/ avoid loading the bitmap multiple times in dm-raid
      
      * tag 'md-3.3-fixes' of git://neil.brown.name/md:
        md: two small fixes to handling interrupt resync.
        Prevent DM RAID from loading bitmap twice.
      4d39aa1b
    • Linus Torvalds's avatar
      Merge tag 'spi-for-linus' of git://git.secretlab.ca/git/linux-2.6 · 4a68d54c
      Linus Torvalds authored
      SPI bug fixes for v3.3-rc2
      
      Minor SPI device driver changes.  A rename of the pch_spi_pcidev symbol
      that merely eliminates a modpost warning, and a Kconfig change to allow
      the Samsung spi driver to build on EXYNOS.
      
      * tag 'spi-for-linus' of git://git.secretlab.ca/git/linux-2.6:
        spi-topcliff-pch: rename pch_spi_pcidev to pch_spi_pcidev_driver
        spi: Add spi-s3c64xx driver dependency on ARCH_EXYNOS4
      4a68d54c
    • Linus Torvalds's avatar
      Merge branch 'akpm' (Andrew's tree) · 15a46353
      Linus Torvalds authored
      Five fixes
      
      * branch 'akpm':
        pcmcia: fix socket refcount decrementing on each resume
        mm: fix UP THP spin_is_locked BUGs
        drivers/leds/leds-lm3530.c: fix setting pltfm->als_vmax
        mm: compaction: check for overlapping nodes during isolation for migration
        nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments()
      15a46353
    • Russell King's avatar
      pcmcia: fix socket refcount decrementing on each resume · 025e4ab3
      Russell King authored
      This fixes a memory-corrupting bug: not only does it cause the warning,
      but as a result of dropping the refcount to zero, it causes the
      pcmcia_socket0 device structure to be freed while it still has
      references, causing slab caches corruption.  A fatal oops quickly
      follows this warning - often even just a 'dmesg' following the warning
      causes the kernel to oops.
      
      While testing suspend/resume on an ARM device with PCMCIA support, and a
      CF card inserted, I found that after five suspend and resumes, the
      kernel would complain, and shortly die after with slab corruption.
      
        WARNING: at include/linux/kref.h:41 kobject_get+0x28/0x50()
      
      As the message doesn't give a clue about which kobject, and the built-in
      debugging in drivers/base/power/main.c happens too late, this was added
      right before each get_device():
      
        printk("%s: %p [%s] %u\n", __func__, dev, kobject_name(&dev->kobj), atomic_read(&dev->kobj.kref.refcount));
      
      and on the 3rd s2ram cycle, the following behaviour observed:
      
      On the 3rd suspend/resume cycle:
      
        dpm_prepare: c1a0d998 [pcmcia_socket0] 3
        dpm_suspend: c1a0d998 [pcmcia_socket0] 3
        dpm_suspend_noirq: c1a0d998 [pcmcia_socket0] 3
        dpm_resume_noirq: c1a0d998 [pcmcia_socket0] 3
        dpm_resume: c1a0d998 [pcmcia_socket0] 3
        dpm_complete: c1a0d998 [pcmcia_socket0] 2
      
      4th:
      
        dpm_prepare: c1a0d998 [pcmcia_socket0] 2
        dpm_suspend: c1a0d998 [pcmcia_socket0] 2
        dpm_suspend_noirq: c1a0d998 [pcmcia_socket0] 2
        dpm_resume_noirq: c1a0d998 [pcmcia_socket0] 2
        dpm_resume: c1a0d998 [pcmcia_socket0] 2
        dpm_complete: c1a0d998 [pcmcia_socket0] 1
      
      5th:
      
        dpm_prepare: c1a0d998 [pcmcia_socket0] 1
        dpm_suspend: c1a0d998 [pcmcia_socket0] 1
        dpm_suspend_noirq: c1a0d998 [pcmcia_socket0] 1
        dpm_resume_noirq: c1a0d998 [pcmcia_socket0] 1
        dpm_resume: c1a0d998 [pcmcia_socket0] 1
        dpm_complete: c1a0d998 [pcmcia_socket0] 0
        ------------[ cut here ]------------
        WARNING: at include/linux/kref.h:41 kobject_get+0x28/0x50()
        Modules linked in: ucb1x00_core
        Backtrace:
        [<c0212090>] (dump_backtrace+0x0/0x110) from [<c04799dc>] (dump_stack+0x18/0x1c)
        [<c04799c4>] (dump_stack+0x0/0x1c) from [<c021cba0>] (warn_slowpath_common+0x50/0x68)
        [<c021cb50>] (warn_slowpath_common+0x0/0x68) from [<c021cbdc>] (warn_slowpath_null+0x24/0x28)
        [<c021cbb8>] (warn_slowpath_null+0x0/0x28) from [<c0335374>] (kobject_get+0x28/0x50)
        [<c033534c>] (kobject_get+0x0/0x50) from [<c03804f4>] (get_device+0x1c/0x24)
        [<c0388c90>] (dpm_complete+0x0/0x1a0) from [<c0389cc0>] (dpm_resume_end+0x1c/0x20)
        ...
      
      Looking at commit 7b24e798 ("pcmcia: split up central event handler"),
      the following change was made to cs.c:
      
                      return 0;
              }
       #endif
      -
      -       send_event(skt, CS_EVENT_PM_RESUME, CS_EVENT_PRI_LOW);
      +       if (!(skt->state & SOCKET_CARDBUS) && (skt->callback))
      +               skt->callback->early_resume(skt);
              return 0;
       }
      
      And the corresponding change in ds.c is from:
      
      -static int ds_event(struct pcmcia_socket *skt, event_t event, int priority)
      -{
      -       struct pcmcia_socket *s = pcmcia_get_socket(skt);
      ...
      -       switch (event) {
      ...
      -       case CS_EVENT_PM_RESUME:
      -               if (verify_cis_cache(skt) != 0) {
      -                       dev_dbg(&skt->dev, "cis mismatch - different card\n");
      -                       /* first, remove the card */
      -                       ds_event(skt, CS_EVENT_CARD_REMOVAL, CS_EVENT_PRI_HIGH);
      -                       mutex_lock(&s->ops_mutex);
      -                       destroy_cis_cache(skt);
      -                       kfree(skt->fake_cis);
      -                       skt->fake_cis = NULL;
      -                       s->functions = 0;
      -                       mutex_unlock(&s->ops_mutex);
      -                       /* now, add the new card */
      -                       ds_event(skt, CS_EVENT_CARD_INSERTION,
      -                                CS_EVENT_PRI_LOW);
      -               }
      -               break;
      ...
      -    }
      
      -    pcmcia_put_socket(s);
      
      -    return 0;
      -} /* ds_event */
      
      to:
      
      +static int pcmcia_bus_early_resume(struct pcmcia_socket *skt)
      +{
      +       if (!verify_cis_cache(skt)) {
      +               pcmcia_put_socket(skt);
      +               return 0;
      +       }
      
      +       dev_dbg(&skt->dev, "cis mismatch - different card\n");
      
      +       /* first, remove the card */
      +       pcmcia_bus_remove(skt);
      +       mutex_lock(&skt->ops_mutex);
      +       destroy_cis_cache(skt);
      +       kfree(skt->fake_cis);
      +       skt->fake_cis = NULL;
      +       skt->functions = 0;
      +       mutex_unlock(&skt->ops_mutex);
      
      +       /* now, add the new card */
      +       pcmcia_bus_add(skt);
      +       return 0;
      +}
      
      As can be seen, the original function called pcmcia_get_socket() and
      pcmcia_put_socket() around the guts, whereas the replacement code
      calls pcmcia_put_socket() only in one path.  This creates an imbalance
      in the refcounting.
      
      Testing with pcmcia_put_socket() put removed shows that the bug is gone:
      
        dpm_suspend: c1a10998 [pcmcia_socket0] 5
        dpm_suspend_noirq: c1a10998 [pcmcia_socket0] 5
        dpm_resume_noirq: c1a10998 [pcmcia_socket0] 5
        dpm_resume: c1a10998 [pcmcia_socket0] 5
        dpm_complete: c1a10998 [pcmcia_socket0] 5
      Tested-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Cc: Dominik Brodowski <linux@dominikbrodowski.net>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      025e4ab3
    • Hugh Dickins's avatar
      mm: fix UP THP spin_is_locked BUGs · b9980cdc
      Hugh Dickins authored
      Fix CONFIG_TRANSPARENT_HUGEPAGE=y CONFIG_SMP=n CONFIG_DEBUG_VM=y
      CONFIG_DEBUG_SPINLOCK=n kernel: spin_is_locked() is then always false,
      and so triggers some BUGs in Transparent HugePage codepaths.
      
      asm-generic/bug.h mentions this problem, and provides a WARN_ON_SMP(x);
      but being too lazy to add VM_BUG_ON_SMP, BUG_ON_SMP, WARN_ON_SMP_ONCE,
      VM_WARN_ON_SMP_ONCE, just test NR_CPUS != 1 in the existing VM_BUG_ONs.
      Signed-off-by: default avatarHugh Dickins <hughd@google.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      b9980cdc
    • Axel Lin's avatar
      drivers/leds/leds-lm3530.c: fix setting pltfm->als_vmax · ec44fd42
      Axel Lin authored
      In current code, pltfm->als_vmin is set to LM3530_ALS_WINDOW_mV and
      pltfm->als_vmax is 0.  This does not make sense.  I think what we want
      here is setting pltfm->als_vmax to LM3530_ALS_WINDOW_mV.
      
      Both als_vmin and als_vmax local variables will be set to
      pltfm->als_vmin and pltfm->als_vmax by a few lines latter.  Thus also
      remove a redundant assignment for als_vmin and als_vmax in this patch.
      Signed-off-by: default avatarAxel Lin <axel.lin@gmail.com>
      Cc: Shreshtha Kumar Sahu <shreshthakumar.sahu@stericsson.com>
      Acked-by: default avatarMilo(Woogyom) Kim <milo.kim@ti.com>
      Tested-by: default avatarMilo(Woogyom) Kim <milo.kim@ti.com>
      Cc: Richard Purdie <rpurdie@rpsys.net>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      ec44fd42
    • Mel Gorman's avatar
      mm: compaction: check for overlapping nodes during isolation for migration · dc908600
      Mel Gorman authored
      When isolating pages for migration, migration starts at the start of a
      zone while the free scanner starts at the end of the zone.  Migration
      avoids entering a new zone by never going beyond the free scanned.
      
      Unfortunately, in very rare cases nodes can overlap.  When this happens,
      migration isolates pages without the LRU lock held, corrupting lists
      which will trigger errors in reclaim or during page free such as in the
      following oops
      
        BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
        IP: [<ffffffff810f795c>] free_pcppages_bulk+0xcc/0x450
        PGD 1dda554067 PUD 1e1cb58067 PMD 0
        Oops: 0000 [#1] SMP
        CPU 37
        Pid: 17088, comm: memcg_process_s Tainted: G            X
        RIP: free_pcppages_bulk+0xcc/0x450
        Process memcg_process_s (pid: 17088, threadinfo ffff881c2926e000, task ffff881c2926c0c0)
        Call Trace:
          free_hot_cold_page+0x17e/0x1f0
          __pagevec_free+0x90/0xb0
          release_pages+0x22a/0x260
          pagevec_lru_move_fn+0xf3/0x110
          putback_lru_page+0x66/0xe0
          unmap_and_move+0x156/0x180
          migrate_pages+0x9e/0x1b0
          compact_zone+0x1f3/0x2f0
          compact_zone_order+0xa2/0xe0
          try_to_compact_pages+0xdf/0x110
          __alloc_pages_direct_compact+0xee/0x1c0
          __alloc_pages_slowpath+0x370/0x830
          __alloc_pages_nodemask+0x1b1/0x1c0
          alloc_pages_vma+0x9b/0x160
          do_huge_pmd_anonymous_page+0x160/0x270
          do_page_fault+0x207/0x4c0
          page_fault+0x25/0x30
      
      The "X" in the taint flag means that external modules were loaded but but
      is unrelated to the bug triggering.  The real problem was because the PFN
      layout looks like this
      
        Zone PFN ranges:
          DMA      0x00000010 -> 0x00001000
          DMA32    0x00001000 -> 0x00100000
          Normal   0x00100000 -> 0x01e80000
        Movable zone start PFN for each node
        early_node_map[14] active PFN ranges
            0: 0x00000010 -> 0x0000009b
            0: 0x00000100 -> 0x0007a1ec
            0: 0x0007a354 -> 0x0007a379
            0: 0x0007f7ff -> 0x0007f800
            0: 0x00100000 -> 0x00680000
            1: 0x00680000 -> 0x00e80000
            0: 0x00e80000 -> 0x01080000
            1: 0x01080000 -> 0x01280000
            0: 0x01280000 -> 0x01480000
            1: 0x01480000 -> 0x01680000
            0: 0x01680000 -> 0x01880000
            1: 0x01880000 -> 0x01a80000
            0: 0x01a80000 -> 0x01c80000
            1: 0x01c80000 -> 0x01e80000
      
      The fix is straight-forward.  isolate_migratepages() has to make a
      similar check to isolate_freepage to ensure that it never isolates pages
      from a zone it does not hold the LRU lock for.
      
      This was discovered in a 3.0-based kernel but it affects 3.1.x, 3.2.x
      and current mainline.
      Signed-off-by: default avatarMel Gorman <mgorman@suse.de>
      Acked-by: default avatarMichal Nazarewicz <mina86@mina86.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      dc908600
    • Xi Wang's avatar
      nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments() · 1ecd3c7e
      Xi Wang authored
      nsegs is read from userspace.  Limit its value and avoid overflowing nsegs
      * sizeof(__u64) in the subsequent call to memdup_user().
      
      This patch complements 481fe17e ("nilfs2: potential integer overflow
      in nilfs_ioctl_clean_segments()").
      Signed-off-by: default avatarXi Wang <xi.wang@gmail.com>
      Cc: Haogang Chen <haogangchen@gmail.com>
      Acked-by: default avatarRyusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      1ecd3c7e
  6. 08 Feb, 2012 6 commits
  7. 07 Feb, 2012 12 commits