1. 06 May, 2013 1 commit
    • Konstantin Khlebnikov's avatar
      net: frag, fix race conditions in LRU list maintenance · b56141ab
      Konstantin Khlebnikov authored
      This patch fixes race between inet_frag_lru_move() and inet_frag_lru_add()
      which was introduced in commit 3ef0eb0d
      ("net: frag, move LRU list maintenance outside of rwlock")
      
      One cpu already added new fragment queue into hash but not into LRU.
      Other cpu found it in hash and tries to move it to the end of LRU.
      This leads to NULL pointer dereference inside of list_move_tail().
      
      Another possible race condition is between inet_frag_lru_move() and
      inet_frag_lru_del(): move can happens after deletion.
      
      This patch initializes LRU list head before adding fragment into hash and
      inet_frag_lru_move() doesn't touches it if it's empty.
      
      I saw this kernel oops two times in a couple of days.
      
      [119482.128853] BUG: unable to handle kernel NULL pointer dereference at           (null)
      [119482.132693] IP: [<ffffffff812ede89>] __list_del_entry+0x29/0xd0
      [119482.136456] PGD 2148f6067 PUD 215ab9067 PMD 0
      [119482.140221] Oops: 0000 [#1] SMP
      [119482.144008] Modules linked in: vfat msdos fat 8021q fuse nfsd auth_rpcgss nfs_acl nfs lockd sunrpc ppp_async ppp_generic bridge slhc stp llc w83627ehf hwmon_vid snd_hda_codec_hdmi snd_hda_codec_realtek kvm_amd k10temp kvm snd_hda_intel snd_hda_codec edac_core radeon snd_hwdep ath9k snd_pcm ath9k_common snd_page_alloc ath9k_hw snd_timer snd soundcore drm_kms_helper ath ttm r8169 mii
      [119482.152692] CPU 3
      [119482.152721] Pid: 20, comm: ksoftirqd/3 Not tainted 3.9.0-zurg-00001-g9f95269 #132 To Be Filled By O.E.M. To Be Filled By O.E.M./RS880D
      [119482.161478] RIP: 0010:[<ffffffff812ede89>]  [<ffffffff812ede89>] __list_del_entry+0x29/0xd0
      [119482.166004] RSP: 0018:ffff880216d5db58  EFLAGS: 00010207
      [119482.170568] RAX: 0000000000000000 RBX: ffff88020882b9c0 RCX: dead000000200200
      [119482.175189] RDX: 0000000000000000 RSI: 0000000000000880 RDI: ffff88020882ba00
      [119482.179860] RBP: ffff880216d5db58 R08: ffffffff8155c7f0 R09: 0000000000000014
      [119482.184570] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88020882ba00
      [119482.189337] R13: ffffffff81c8d780 R14: ffff880204357f00 R15: 00000000000005a0
      [119482.194140] FS:  00007f58124dc700(0000) GS:ffff88021fcc0000(0000) knlGS:0000000000000000
      [119482.198928] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      [119482.203711] CR2: 0000000000000000 CR3: 00000002155f0000 CR4: 00000000000007e0
      [119482.208533] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [119482.213371] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      [119482.218221] Process ksoftirqd/3 (pid: 20, threadinfo ffff880216d5c000, task ffff880216d3a9a0)
      [119482.223113] Stack:
      [119482.228004]  ffff880216d5dbd8 ffffffff8155dcda 0000000000000000 ffff000200000001
      [119482.233038]  ffff8802153c1f00 ffff880000289440 ffff880200000014 ffff88007bc72000
      [119482.238083]  00000000000079d5 ffff88007bc72f44 ffffffff00000002 ffff880204357f00
      [119482.243090] Call Trace:
      [119482.248009]  [<ffffffff8155dcda>] ip_defrag+0x8fa/0xd10
      [119482.252921]  [<ffffffff815a8013>] ipv4_conntrack_defrag+0x83/0xe0
      [119482.257803]  [<ffffffff8154485b>] nf_iterate+0x8b/0xa0
      [119482.262658]  [<ffffffff8155c7f0>] ? inet_del_offload+0x40/0x40
      [119482.267527]  [<ffffffff815448e4>] nf_hook_slow+0x74/0x130
      [119482.272412]  [<ffffffff8155c7f0>] ? inet_del_offload+0x40/0x40
      [119482.277302]  [<ffffffff8155d068>] ip_rcv+0x268/0x320
      [119482.282147]  [<ffffffff81519992>] __netif_receive_skb_core+0x612/0x7e0
      [119482.286998]  [<ffffffff81519b78>] __netif_receive_skb+0x18/0x60
      [119482.291826]  [<ffffffff8151a650>] process_backlog+0xa0/0x160
      [119482.296648]  [<ffffffff81519f29>] net_rx_action+0x139/0x220
      [119482.301403]  [<ffffffff81053707>] __do_softirq+0xe7/0x220
      [119482.306103]  [<ffffffff81053868>] run_ksoftirqd+0x28/0x40
      [119482.310809]  [<ffffffff81074f5f>] smpboot_thread_fn+0xff/0x1a0
      [119482.315515]  [<ffffffff81074e60>] ? lg_local_lock_cpu+0x40/0x40
      [119482.320219]  [<ffffffff8106d870>] kthread+0xc0/0xd0
      [119482.324858]  [<ffffffff8106d7b0>] ? insert_kthread_work+0x40/0x40
      [119482.329460]  [<ffffffff816c32dc>] ret_from_fork+0x7c/0xb0
      [119482.334057]  [<ffffffff8106d7b0>] ? insert_kthread_work+0x40/0x40
      [119482.338661] Code: 00 00 55 48 8b 17 48 b9 00 01 10 00 00 00 ad de 48 8b 47 08 48 89 e5 48 39 ca 74 29 48 b9 00 02 20 00 00 00 ad de 48 39 c8 74 7a <4c> 8b 00 4c 39 c7 75 53 4c 8b 42 08 4c 39 c7 75 2b 48 89 42 08
      [119482.343787] RIP  [<ffffffff812ede89>] __list_del_entry+0x29/0xd0
      [119482.348675]  RSP <ffff880216d5db58>
      [119482.353493] CR2: 0000000000000000
      
      Oops happened on this path:
      ip_defrag() -> ip_frag_queue() -> inet_frag_lru_move() -> list_move_tail() -> __list_del_entry()
      Signed-off-by: default avatarKonstantin Khlebnikov <khlebnikov@openvz.org>
      Cc: Jesper Dangaard Brouer <brouer@redhat.com>
      Cc: Florian Westphal <fw@strlen.de>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: David S. Miller <davem@davemloft.net>
      Acked-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarJesper Dangaard Brouer <brouer@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b56141ab
  2. 05 May, 2013 32 commits
  3. 04 May, 2013 7 commits
    • Linus Torvalds's avatar
      Merge tag 'mmc-updates-for-3.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/cjb/mmc · 17319295
      Linus Torvalds authored
      Pull MMC update from Chris Ball:
       "MMC highlights for 3.10:
      
        Core:
         - Introduce MMC_CAP2_NO_PRESCAN_POWERUP to allow skipping
           mmc_power_up() at boot/initialization time if it's already
           happened, for performance (faster boot time) reasons.
         - Fix a bit width test failure that resulted in old eMMC cards being
           put into 1-bit mode when 4-bit mode was available.
         - Expose fwrev/hwrev for MMCv4 parts.
         - Improve card removal logic in the case where the card's removed
           slowly; we were missing card removal events if the card retained
           contact with the slot pads for long enough to reply to a CMD13
           while being removed.
      
        Drivers:
         - davinci_mmc: Support using PIO instead of DMA.
         - dw_mmc: Add support for Exynos4412.
         - mxcmmc: DT support, use slot-gpio API.
         - mxs-mmc: Add broken-cd/cd-inverted/non-removable DT property
           support.
         - sdhci-sirf: New sdhci-pltfm driver for CSR SiRF SoCs:
             SiRFprimaII: unicore ARM Cortex-A9
             SiRFatlas6: unicore ARM Cortex-A9
             SiRFmarco: dual core ARM Cortex-A9 SMP
         - sdhci-tegra: Add support for Tegra114 platforms, use
           mmc_of_parse()"
      
      * tag 'mmc-updates-for-3.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/cjb/mmc: (66 commits)
        mmc: sdhci-tegra: fix MODULE_DEVICE_TABLE
        mmc: core: fix init controller performance regression, updated patch
        mmc: mxcmmc: enable DMA support on mpc512x
        mmc: mxcmmc: constify mxcmci_devtype
        mmc: mxcmmc: use slot-gpio API for write-protect detection
        mmc: mxcmmc: add mpc512x SDHC support
        mmc: mxcmmc: fix race conditions for host->req and host->data access
        mmc: mxcmmc: DT support
        mmc: dw_mmc: let device core setup the default pin configuration
        mmc: mxs-mmc: add broken-cd property
        mmc: mxs-mmc: add non-removable property
        mmc: mxs-mmc: add cd-inverted property
        mmc: core: call pm_runtime_put_noidle in pm_runtime_get_sync failed case
        mmc: mxcmmc: Fix bug when card is present during boot
        mmc: core: fix performance regression initializing MMC host controllers
        Revert "mmc: core: wait while adding MMC host to ensure root mounts successfully"
        mmc: atmel-mci: pio hang on block errors
        mmc: core: Fix bit width test failing on old eMMC cards
        mmc: dw_mmc: Use pr_info instead of printk
        mmc: dw_mmc: Check return value of regulator_enable
        ...
      17319295
    • Linus Torvalds's avatar
      Merge branch 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging · e72a5d1c
      Linus Torvalds authored
      Pull hwmon update from Jean Delvare:
       "Only lm75 driver updates this time"
      
      * 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging:
        hwmon: (lm75) Add support for the Dallas/Maxim DS7505
        hwmon: (lm75) Tune resolution and sample time per chip
        hwmon: (lm75) Prepare to support per-chip resolution and sample time
        hwmon: (lm75) Per-chip configuration register initialization
      e72a5d1c
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · bd932ae1
      Linus Torvalds authored
      Pull second round of VFS updates from Al Viro:
       "Assorted fixes"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        xtensa simdisk: fix braino in "xtensa simdisk: switch to proc_create_data()"
        hostfs: use kmalloc instead of kzalloc
        hostfs: move HOSTFS_SUPER_MAGIC to <linux/magic.h>
        hostfs: remove "will unlock" comment
        vfs: use list_move instead of list_del/list_add
        proc_devtree: Replace include linux/module.h with linux/export.h
        create_mnt_ns: unidiomatic use of list_add()
        fs: remove dentry_lru_prune()
        Removed unused typedef to avoid "unused local typedef" warnings.
        kill fs/read_write.h
        fs: Fix hang with BSD accounting on frozen filesystem
        sun3_scsi: add ->show_info()
        nubus: Kill nubus_proc_detach_device()
        more mode_t whack-a-mole...
        do_coredump(): don't wait for thaw if coredump has already been interrupted
        do_mount(): fix a leak introduced in 3.9 ("mount: consolidate permission checks")
      bd932ae1
    • Al Viro's avatar
    • James Hogan's avatar
      hostfs: use kmalloc instead of kzalloc · 371fdab1
      James Hogan authored
      The inode info structure is zeroed at allocation with kzalloc, and then
      all but one of the fields (including the largest, vfs_inode) are
      initialised explicitly. Switch to using kmalloc and initialise the
      remaining field too.
      Reported-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      371fdab1
    • James Hogan's avatar
      hostfs: move HOSTFS_SUPER_MAGIC to <linux/magic.h> · 2b3b9bb0
      James Hogan authored
      Move HOSTFS_SUPER_MAGIC to <linux/magic.h> to be with it's magical
      friends from other file systems.
      Reported-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      2b3b9bb0
    • James Hogan's avatar
      hostfs: remove "will unlock" comment · 9dcc5e8a
      James Hogan authored
      A "will unlock" comment was added to hostfs in the following commit,
      along with a spinlock:
      
      Commit e9193059 ("hostfs: fix races in
      dentry_name() and inode_name()").
      
      But the spinlock was subsequently removed in the following commit:
      
      Commit ec2447c2 ("hostfs: simplify
      locking").
      
      Since the comment is no longer applicable, remove it.
      Reported-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: Nick Piggin <npiggin@kernel.dk>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      9dcc5e8a