1. 30 Aug, 2012 9 commits
    • Merav Sicron's avatar
      bnx2x: Correct the ndo_poll_controller call · 14a15d61
      Merav Sicron authored
      This patch correct poll_bnx2x (ndo_poll_controller call) which was not
      functioning well with MSI-X.
      Signed-off-by: default avatarMerav Sicron <meravs@broadcom.com>
      Signed-off-by: default avatarDmitry Kravkov <dmitry@broadcom.com>
      Signed-off-by: default avatarEilon Greenstein <eilong@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      14a15d61
    • Merav Sicron's avatar
      bnx2x: Move netif_napi_add to the open call · 26614ba5
      Merav Sicron authored
      Move netif_napi_add for all queues from the probe call to the open call, to
      avoid the case that napi objects are added for queues that may eventually not
      be initialized and activated. With the former behavior, the driver could crash
      when netpoll was calling ndo_poll_controller.
      Signed-off-by: default avatarMerav Sicron <meravs@broadcom.com>
      Signed-off-by: default avatarDmitry Kravkov <dmitry@broadcom.com>
      Signed-off-by: default avatarEilon Greenstein <eilong@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      26614ba5
    • Eric Dumazet's avatar
      ipv4: must use rcu protection while calling fib_lookup · c5ae7d41
      Eric Dumazet authored
      Following lockdep splat was reported by Pavel Roskin :
      
      [ 1570.586223] ===============================
      [ 1570.586225] [ INFO: suspicious RCU usage. ]
      [ 1570.586228] 3.6.0-rc3-wl-main #98 Not tainted
      [ 1570.586229] -------------------------------
      [ 1570.586231] /home/proski/src/linux/net/ipv4/route.c:645 suspicious rcu_dereference_check() usage!
      [ 1570.586233]
      [ 1570.586233] other info that might help us debug this:
      [ 1570.586233]
      [ 1570.586236]
      [ 1570.586236] rcu_scheduler_active = 1, debug_locks = 0
      [ 1570.586238] 2 locks held by Chrome_IOThread/4467:
      [ 1570.586240]  #0:  (slock-AF_INET){+.-...}, at: [<ffffffff814f2c0c>] release_sock+0x2c/0xa0
      [ 1570.586253]  #1:  (fnhe_lock){+.-...}, at: [<ffffffff815302fc>] update_or_create_fnhe+0x2c/0x270
      [ 1570.586260]
      [ 1570.586260] stack backtrace:
      [ 1570.586263] Pid: 4467, comm: Chrome_IOThread Not tainted 3.6.0-rc3-wl-main #98
      [ 1570.586265] Call Trace:
      [ 1570.586271]  [<ffffffff810976ed>] lockdep_rcu_suspicious+0xfd/0x130
      [ 1570.586275]  [<ffffffff8153042c>] update_or_create_fnhe+0x15c/0x270
      [ 1570.586278]  [<ffffffff815305b3>] __ip_rt_update_pmtu+0x73/0xb0
      [ 1570.586282]  [<ffffffff81530619>] ip_rt_update_pmtu+0x29/0x90
      [ 1570.586285]  [<ffffffff815411dc>] inet_csk_update_pmtu+0x2c/0x80
      [ 1570.586290]  [<ffffffff81558d1e>] tcp_v4_mtu_reduced+0x2e/0xc0
      [ 1570.586293]  [<ffffffff81553bc4>] tcp_release_cb+0xa4/0xb0
      [ 1570.586296]  [<ffffffff814f2c35>] release_sock+0x55/0xa0
      [ 1570.586300]  [<ffffffff815442ef>] tcp_sendmsg+0x4af/0xf50
      [ 1570.586305]  [<ffffffff8156fc60>] inet_sendmsg+0x120/0x230
      [ 1570.586308]  [<ffffffff8156fb40>] ? inet_sk_rebuild_header+0x40/0x40
      [ 1570.586312]  [<ffffffff814f4bdd>] ? sock_update_classid+0xbd/0x3b0
      [ 1570.586315]  [<ffffffff814f4c50>] ? sock_update_classid+0x130/0x3b0
      [ 1570.586320]  [<ffffffff814ec435>] do_sock_write+0xc5/0xe0
      [ 1570.586323]  [<ffffffff814ec4a3>] sock_aio_write+0x53/0x80
      [ 1570.586328]  [<ffffffff8114bc83>] do_sync_write+0xa3/0xe0
      [ 1570.586332]  [<ffffffff8114c5a5>] vfs_write+0x165/0x180
      [ 1570.586335]  [<ffffffff8114c805>] sys_write+0x45/0x90
      [ 1570.586340]  [<ffffffff815d2722>] system_call_fastpath+0x16/0x1b
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarPavel Roskin <proski@gnu.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c5ae7d41
    • Yuval Mintz's avatar
      bnx2x: fix 57840_MF pci id · 5c879d20
      Yuval Mintz authored
      Commit c3def943 have added support for
      new pci ids of the 57840 board, while failing to change the obsolete value
      in 'pci_ids.h'.
      This patch does so, allowing the probe of such devices.
      Signed-off-by: default avatarYuval Mintz <yuvalmin@broadcom.com>
      Signed-off-by: default avatarEilon Greenstein <eilong@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5c879d20
    • Francesco Ruggeri's avatar
      net: ipv4: ipmr_expire_timer causes crash when removing net namespace · acbb219d
      Francesco Ruggeri authored
      When tearing down a net namespace, ipv4 mr_table structures are freed
      without first deactivating their timers. This can result in a crash in
      run_timer_softirq.
      This patch mimics the corresponding behaviour in ipv6.
      Locking and synchronization seem to be adequate.
      We are about to kfree mrt, so existing code should already make sure that
      no other references to mrt are pending or can be created by incoming traffic.
      The functions invoked here do not cause new references to mrt or other
      race conditions to be created.
      Invoking del_timer_sync guarantees that ipmr_expire_timer is inactive.
      Both ipmr_expire_process (whose completion we may have to wait in
      del_timer_sync) and mroute_clean_tables internally use mfc_unres_lock
      or other synchronizations when needed, and they both only modify mrt.
      
      Tested in Linux 3.4.8.
      Signed-off-by: default avatarFrancesco Ruggeri <fruggeri@aristanetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      acbb219d
    • Bruce Allan's avatar
      e1000e: DoS while TSO enabled caused by link partner with small MSS · d821a4c4
      Bruce Allan authored
      With a low enough MSS on the link partner and TSO enabled locally, the
      networking stack can periodically send a very large (e.g.  64KB) TCP
      message for which the driver will attempt to use more Tx descriptors than
      are available by default in the Tx ring.  This is due to a workaround in
      the code that imposes a limit of only 4 MSS-sized segments per descriptor
      which appears to be a carry-over from the older e1000 driver and may be
      applicable only to some older PCI or PCIx parts which are not supported in
      e1000e.  When the driver gets a message that is too large to fit across the
      configured number of Tx descriptors, it stops the upper stack from queueing
      any more and gets stuck in this state.  After a timeout, the upper stack
      assumes the adapter is hung and calls the driver to reset it.
      
      Remove the unnecessary limitation of using up to only 4 MSS-sized segments
      per Tx descriptor, and put in a hard failure test to catch when attempting
      to check for message sizes larger than would fit in the whole Tx ring.
      Refactor the remaining logic that limits the size of data per Tx descriptor
      from a seemingly arbitrary 8KB to a limit based on the dynamic size of the
      Tx packet buffer as described in the hardware specification.
      
      Also, fix the logic in the check for space in the Tx ring for the next
      largest possible packet after the current one has been successfully queued
      for transmit, and use the appropriate defines for default ring sizes in
      e1000_probe instead of magic values.
      
      This issue goes back to the introduction of e1000e in 2.6.24 when it was
      split off from e1000.
      Reported-by: default avatarBen Hutchings <bhutchings@solarflare.com>
      Signed-off-by: default avatarBruce Allan <bruce.w.allan@intel.com>
      Cc: Stable <stable@vger.kernel.org> [2.6.24+]
      Tested-by: default avatarAaron Brown <aaron.f.brown@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d821a4c4
    • xeb@mail.ru's avatar
      l2tp: avoid to use synchronize_rcu in tunnel free function · 99469c32
      xeb@mail.ru authored
      Avoid to use synchronize_rcu in l2tp_tunnel_free because context may be
      atomic.
      Signed-off-by: default avatarDmitry Kozlov <xeb@mail.ru>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      99469c32
    • Claudiu Manoil's avatar
      gianfar: fix default tx vlan offload feature flag · e2c53be2
      Claudiu Manoil authored
      Commit -
      "b852b720 gianfar: fix bug caused by
      87c288c6"
      disables by default (on mac init) the hw vlan tag insertion.
      The "features" flags were not updated to reflect this, and
      "ethtool -K" shows tx-vlan-offload to be "on" by default.
      
      Cc: Sebastian Poehn <sebastian.poehn@belden.com>
      Signed-off-by: default avatarClaudiu Manoil <claudiu.manoil@freescale.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e2c53be2
    • Ian Campbell's avatar
      xen-netfront: use __pskb_pull_tail to ensure linear area is big enough on RX · 3683243b
      Ian Campbell authored
      I'm slightly concerned by the "only in exceptional circumstances"
      comment on __pskb_pull_tail but the structure of an skb just created
      by netfront shouldn't hit any of the especially slow cases.
      
      This approach still does slightly more work than the old way, since if
      we pull up the entire first frag we now have to shuffle everything
      down where before we just received into the right place in the first
      place.
      Signed-off-by: default avatarIan Campbell <ian.campbell@citrix.com>
      Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Cc: Jeremy Fitzhardinge <jeremy@goop.org>
      Cc: Mel Gorman <mgorman@suse.de>
      Cc: xen-devel@lists.xensource.com
      Cc: netdev@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Tested-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Acked-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3683243b
  2. 29 Aug, 2012 1 commit
    • Amerigo Wang's avatar
      netpoll: revert 6bdb7fe3 and fix be_poll() instead · 072a9c48
      Amerigo Wang authored
      Against -net.
      
      In the patch "netpoll: re-enable irq in poll_napi()", I tried to
      fix the following warning:
      
      [100718.051041] ------------[ cut here ]------------
      [100718.051048] WARNING: at kernel/softirq.c:159 local_bh_enable_ip+0x7d/0xb0()
      (Not tainted)
      [100718.051049] Hardware name: ProLiant BL460c G7
      ...
      [100718.051068] Call Trace:
      [100718.051073]  [<ffffffff8106b747>] ? warn_slowpath_common+0x87/0xc0
      [100718.051075]  [<ffffffff8106b79a>] ? warn_slowpath_null+0x1a/0x20
      [100718.051077]  [<ffffffff810747ed>] ? local_bh_enable_ip+0x7d/0xb0
      [100718.051080]  [<ffffffff8150041b>] ? _spin_unlock_bh+0x1b/0x20
      [100718.051085]  [<ffffffffa00ee974>] ? be_process_mcc+0x74/0x230 [be2net]
      [100718.051088]  [<ffffffffa00ea68c>] ? be_poll_tx_mcc+0x16c/0x290 [be2net]
      [100718.051090]  [<ffffffff8144fe76>] ? netpoll_poll_dev+0xd6/0x490
      [100718.051095]  [<ffffffffa01d24a5>] ? bond_poll_controller+0x75/0x80 [bonding]
      [100718.051097]  [<ffffffff8144fde5>] ? netpoll_poll_dev+0x45/0x490
      [100718.051100]  [<ffffffff81161b19>] ? ksize+0x19/0x80
      [100718.051102]  [<ffffffff81450437>] ? netpoll_send_skb_on_dev+0x157/0x240
      
      by reenabling IRQ before calling ->poll, but it seems more
      problems are introduced after that patch:
      
      http://ozlabs.org/~akpm/stuff/IMG_20120824_122054.jpg
      http://marc.info/?l=linux-netdev&m=134563282530588&w=2
      
      So it is safe to fix be2net driver code directly.
      
      This patch reverts the offending commit and fixes be_poll() by
      avoid disabling BH there, this is okay because be_poll()
      can be called either by poll_napi() which already disables
      IRQ, or by net_rx_action() which already disables BH.
      Reported-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Reported-by: default avatarSylvain Munaut <s.munaut@whatever-company.com>
      Cc: Sylvain Munaut <s.munaut@whatever-company.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: David Miller <davem@davemloft.net>
      Cc: Sathya Perla <sathya.perla@emulex.com>
      Cc: Subbu Seetharaman <subbu.seetharaman@emulex.com>
      Cc: Ajit Khaparde <ajit.khaparde@emulex.com>
      Signed-off-by: default avatarCong Wang <amwang@redhat.com>
      Tested-by: default avatarSylvain Munaut <s.munaut@whatever-company.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      072a9c48
  3. 24 Aug, 2012 11 commits
  4. 23 Aug, 2012 5 commits
  5. 22 Aug, 2012 14 commits
    • Linus Torvalds's avatar
      Linux 3.6-rc3 · fea7a08a
      Linus Torvalds authored
      fea7a08a
    • Vladimir Zapolskiy's avatar
      brcm80211: smac: set interface down on reset · ea2d2183
      Vladimir Zapolskiy authored
      This change marks interface as down on reset, otherwise the driver can't
      reinitialize itself properly.
      
      Without the change a transient problem turns out to be critical and leads
      to inavailability to reset the driver without brcmsmac module unload/load
      cycle:
      
          ieee80211 phy0: wl0: PSM microcode watchdog fired at 5993 (seconds). Resetting.
          brcms_c_dpc : PSM Watchdog, chipid 0xa8d9, chiprev 0x1
          ieee80211 phy0: wl0: fatal error, reinitializing
          ieee80211 phy0: Hardware restart was requested
          ieee80211 phy0: brcms_ops_start: brcms_up() returned -19
      Signed-off-by: default avatarVladimir Zapolskiy <vz@mleia.com>
      Cc: Arend van Spriel <arend@broadcom.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      ea2d2183
    • Linus Torvalds's avatar
      Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux · 4ff63e47
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Intel: edid fixes, power consumption fix, s/r fix, haswell fix
      
        Radeon: BIOS loading fixes for UEFI and Thunderbolt machines, better
        MSAA validation, lockup timeout fixes, modesetting fixes
      
        One udl dpms fix, one vmwgfx fix, a couple of trivial core changes.
      
        There is an export added to ACPI as part of the radeon bios fixes.
      
        I've also included the fbcon flashing cursor vs deinit race fix, that
        seems the simplest place to start"
      
      Trivial conflict in drivers/video/console/fbcon.c due to me having
      already applied the fbcon flashing cursor vs deinit race fix, and Dave
      had added a comment in there too.
      
      * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: (22 commits)
        fbcon: fix race condition between console lock and cursor timer (v1.1)
        drm: Add missing static storage class specifiers in drm_proc.c file
        drm/udl: dpms off the crtc when disabled.
        drm: Remove two unused fields from struct drm_display_mode
        drm: stop vmgfx driver explosion
        drm/radeon/ss: use num_crtc rather than hardcoded 6
        Revert "drm/radeon: fix bo creation retry path"
        drm/i915: use hsw rps tuning values everywhere on gen6+
        drm/radeon: split ATRM support out from the ATPX handler (v3)
        drm/radeon: convert radeon vfct code to use acpi_get_table_with_size
        ACPI: export symbol acpi_get_table_with_size
        drm/radeon: implement ACPI VFCT vbios fetch (v3)
        drm/radeon/kms: extend the Fujitsu D3003-S2 board connector quirk to cover later silicon stepping
        drm/radeon: fix checking of MSAA renderbuffers on r600-r700
        drm/radeon: allow CMASK and FMASK in the CS checker on r600-r700
        drm/radeon: init lockup timeout on ring init
        drm/radeon: avoid turning off spread spectrum for used pll
        drm/i915: fall back to bit-banging if GMBUS fails in CRT EDID reads
        drm/i915: extract connector update from intel_ddc_get_modes() for reuse
        drm/i915: fix hsw uncached pte
        ...
      4ff63e47
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending · 09236994
      Linus Torvalds authored
      Pull SCSI target fixes from Nicholas Bellinger:
       "The executive summary includes:
      
         - Post-merge review comments for tcm_vhost (MST + nab)
         - Avoid debugging overhead when not debugging for tcm-fc(FCoE) (MDR)
         - Fix NULL pointer dereference bug on alloc_page failulre (Yi Zou)
         - Fix REPORT_LUNs regression bug with pSCSI export (AlexE + nab)
         - Fix regression bug with handling of zero-length data CDBs (nab)
         - Fix vhost_scsi_target structure alignment (MST)
      
        Thanks again to everyone who contributed a bugfix patch, gave review
        feedback on tcm_vhost code, and/or reported a bug during their own
        testing over the last weeks.
      
        There is one other outstanding bug reported by Roland recently related
        to SCSI transfer length overflow handling, for which the current
        proposed bugfix has been left in queue pending further testing with
        other non iscsi-target based fabric drivers.
      
        As the patch is verified with loopback (local SGL memory from SCSI
        LLD) + tcm_qla2xxx (TCM allocated SGL memory mapped to PCI HW) fabric
        ports, it will be included into the next 3.6-rc-fixes PULL request."
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending:
        target: Remove unused se_cmd.cmd_spdtl
        tcm_fc: rcu_deref outside rcu lock/unlock section
        tcm_vhost: Fix vhost_scsi_target structure alignment
        target: Fix regression bug with handling of zero-length data CDBs
        target/pscsi: Fix bug with REPORT_LUNs handling for SCSI passthrough
        tcm_vhost: Change vhost_scsi_target->vhost_wwpn to char *
        target: fix NULL pointer dereference bug alloc_page() fails to get memory
        tcm_fc: Avoid debug overhead when not debugging
        tcm_vhost: Post-merge review changes requested by MST
        tcm_vhost: Fix incorrect IS_ERR() usage in vhost_scsi_map_iov_to_sgl
      09236994
    • Linus Torvalds's avatar
      Merge branch 'i2c-embedded/for-current' of git://git.pengutronix.de/git/wsa/linux · 2e2d8c93
      Linus Torvalds authored
      Pull i2c-embedded fixes from Wolfram Sang:
       "Some bugfixes for the "embedded" part of the I2C subsystem.  The fixes
        affect mostly drivers which have been largely reworked lately and
        where regressions appeared."
      
      * 'i2c-embedded/for-current' of git://git.pengutronix.de/git/wsa/linux:
        i2c: tegra: protect suspend/resume callbacks with CONFIG_PM_SLEEP
        i2c: diolan-u2c: Fix master_xfer return code
        I2C: OMAP: xfer: fix runtime PM get/put balance on error
        i2c: nomadik: Add default configuration into the Nomadik I2C driver
      2e2d8c93
    • Linus Torvalds's avatar
      Merge tag 'for-3.6-rc3' of git://gitorious.org/linux-pwm/linux-pwm · fec3c03f
      Linus Torvalds authored
      Pull pwm fixes from Thierry Reding:
       "These patches fix the Samsung PWM driver and perform some minor
        cleanups like fixing checkpatch and sparse warnings.
      
        Two redundant error messages are removed and the Kconfig help text for
        the PWM subsystem is made more descriptive."
      
      * tag 'for-3.6-rc3' of git://gitorious.org/linux-pwm/linux-pwm:
        pwm: Improve Kconfig help text
        pwm: core: Fix coding style issues
        pwm: vt8500: Fix coding style issue
        pwm: Remove a redundant error message when devm_request_and_ioremap fails
        pwm: samsung: add missing device pointer to struct pwm_chip
        pwm: Add missing static storage class specifiers in core.c file
      fec3c03f
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client · f753c4ec
      Linus Torvalds authored
      Pull ceph fixes from Sage Weil:
       "Jim's fix closes a narrow race introduced with the msgr changes.  One
        fix resolves problems with debugfs initialization that Yan found when
        multiple client instances are created (e.g., two clusters mounted, or
        rbd + cephfs), another one fixes problems with mounting a nonexistent
        server subdirectory, and the last one fixes a divide by zero error
        from unsanitized ioctl input that Dan Carpenter found."
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client:
        ceph: avoid divide by zero in __validate_layout()
        libceph: avoid truncation due to racing banners
        ceph: tolerate (and warn on) extraneous dentry from mds
        libceph: delay debugfs initialization until we learn global_id
      f753c4ec
    • Linus Torvalds's avatar
      Merge tag 'nfs-for-3.6-3' of git://git.linux-nfs.org/projects/trondmy/linux-nfs · ad746be9
      Linus Torvalds authored
      Pull NFS client bugfixes from Trond Myklebust:
       - NFSv3 mounts need to fail if the FSINFO rpc call fails
       - Ensure that the NFS commit cache gets torn down when we unload the
         NFS module.
       - Fix memory scribble issues when interrupting a LAYOUTGET rpc call
       - Fix NFSv4 legacy idmapper regressions
       - Fix issues with the NFSv4 getacl command
       - Fix a regression when using the legacy "mount -t nfs4"
      
      * tag 'nfs-for-3.6-3' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
        NFSv3: Ensure that do_proc_get_root() reports errors correctly
        NFSv4: Ensure that nfs4_alloc_client cleans up on error.
        NFS: return -ENOKEY when the upcall fails to map the name
        NFS: Clear key construction data if the idmap upcall fails
        NFSv4: Don't use private xdr_stream fields in decode_getacl
        NFSv4: Fix the acl cache size calculation
        NFSv4: Fix pointer arithmetic in decode_getacl
        NFS: Alias the nfs module to nfs4
        NFS: Fix a regression when loading the NFS v4 module
        NFSv4.1: Remove a bogus BUG_ON() in nfs4_layoutreturn_done
        pnfs-obj: Better IO pattern in case of unaligned offset
        NFS41: add pg_layout_private to nfs_pageio_descriptor
        pnfs: nfs4_proc_layoutget returns void
        pnfs: defer release of pages in layoutget
        nfs: tear down caches in nfs_init_writepagecache when allocation fails
      ad746be9
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · 467e9e51
      Linus Torvalds authored
      Pull assorted fixes - mostly vfs - from Al Viro:
       "Assorted fixes, with an unexpected detour into vfio refcounting logics
        (fell out when digging in an analog of eventpoll race in there)."
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        task_work: add a scheduling point in task_work_run()
        fs: fix fs/namei.c kernel-doc warnings
        eventpoll: use-after-possible-free in epoll_create1()
        vfio: grab vfio_device reference *before* exposing the sucker via fd_install()
        vfio: get rid of vfio_device_put()/vfio_group_get_device* races
        vfio: get rid of open-coding kref_put_mutex
        introduce kref_put_mutex()
        vfio: don't dereference after kfree...
        mqueue: lift mnt_want_write() outside ->i_mutex, clean up a bit
      467e9e51
    • Eric Dumazet's avatar
      task_work: add a scheduling point in task_work_run() · 88ec2789
      Eric Dumazet authored
      It seems commit 4a9d4b02 (switch fput to task_work_add) reintroduced
      the problem addressed in commit 944be0b2 (close_files(): add scheduling
      point)
      
      If a server process with a lot of files (say 2 million tcp sockets)
      is killed, we can spend a lot of time in task_work_run() and trigger
      a soft lockup.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      88ec2789
    • Randy Dunlap's avatar
      fs: fix fs/namei.c kernel-doc warnings · 55852635
      Randy Dunlap authored
      Fix kernel-doc warnings in fs/namei.c:
      
      Warning(fs/namei.c:360): No description found for parameter 'inode'
      Warning(fs/namei.c:672): No description found for parameter 'nd'
      Signed-off-by: default avatarRandy Dunlap <rdunlap@xenotime.net>
      Cc:	Alexander Viro <viro@zeniv.linux.org.uk>
      Cc:	linux-fsdevel@vger.kernel.org
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      55852635
    • Al Viro's avatar
      eventpoll: use-after-possible-free in epoll_create1() · 98022748
      Al Viro authored
      As soon as we'd installed the file into descriptor table, it can
      get closed by another thread.  Freeing ep in process...
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      98022748
    • Al Viro's avatar
      vfio: grab vfio_device reference *before* exposing the sucker via fd_install() · 31605deb
      Al Viro authored
      It's not critical (anymore) since another thread closing the file will block
      on ->device_lock before it gets to dropping the final reference, but it's
      definitely cleaner that way...
      Acked-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      31605deb
    • Al Viro's avatar
      vfio: get rid of vfio_device_put()/vfio_group_get_device* races · 90b1253e
      Al Viro authored
      we really need to make sure that dropping the last reference happens
      under the group->device_lock; otherwise a loop (under device_lock)
      might find vfio_device instance that is being freed right now, has
      already dropped the last reference and waits on device_lock to exclude
      the sucker from the list.
      Acked-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      90b1253e