1. 11 Jun, 2009 24 commits
  2. 10 Jun, 2009 2 commits
  3. 09 Jun, 2009 14 commits
    • Jan Kara's avatar
      jbd: fix race in buffer processing in commit code · a61d90d7
      Jan Kara authored
      In commit code, we scan buffers attached to a transaction.  During this
      scan, we sometimes have to drop j_list_lock and then we recheck whether
      the journal buffer head didn't get freed by journal_try_to_free_buffers().
       But checking for buffer_jbd(bh) isn't enough because a new journal head
      could get attached to our buffer head.  So add a check whether the journal
      head remained the same and whether it's still at the same transaction and
      list.
      
      This is a nasty bug and can cause problems like memory corruption (use after
      free) or trigger various assertions in JBD code (observed).
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Cc: <stable@kernel.org>
      Cc: <linux-ext4@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a61d90d7
    • Ian Kent's avatar
      autofs4: remove hashed check in validate_wait() · 463aea1a
      Ian Kent authored
      The recent ->lookup() deadlock correction required the directory inode
      mutex to be dropped while waiting for expire completion.  We were
      concerned about side effects from this change and one has been identified.
      
      I saw several error messages.
      
      They cause autofs to become quite confused and don't really point to the
      actual problem.
      
      Things like:
      
      handle_packet_missing_direct:1376: can't find map entry for (43,1827932)
      
      which is usually totally fatal (although in this case it wouldn't be
      except that I treat is as such because it normally is).
      
      do_mount_direct: direct trigger not valid or already mounted
      /test/nested/g3c/s1/ss1
      
      which is recoverable, however if this problem is at play it can cause
      autofs to become quite confused as to the dependencies in the mount tree
      because mount triggers end up mounted multiple times.  It's hard to
      accurately check for this over mounting case and automount shouldn't need
      to if the kernel module is doing its job.
      
      There was one other message, similar in consequence of this last one but I
      can't locate a log example just now.
      
      When checking if a mount has already completed prior to adding a new mount
      request to the wait queue we check if the dentry is hashed and, if so, if
      it is a mount point.  But, if a mount successfully completed while we
      slept on the wait queue mutex the dentry must exist for the mount to have
      completed so the test is not really needed.
      
      Mounts can also be done on top of a global root dentry, so for the above
      case, where a mount request completes and the wait queue entry has already
      been removed, the hashed test returning false can cause an incorrect
      callback to the daemon.  Also, d_mountpoint() is not sufficient to check
      if a mount has completed for the multi-mount case when we don't have a
      real mount at the base of the tree.
      Signed-off-by: default avatarIan Kent <raven@themaw.net>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      463aea1a
    • Mike Frysinger's avatar
      shm: fix unused warnings on nommu · 586c7e6a
      Mike Frysinger authored
      The massive nommu update (8feae131) resulted in these warnings:
      ipc/shm.c: In function `sys_shmdt':
      ipc/shm.c:974: warning: unused variable `size'
      ipc/shm.c:972: warning: unused variable `next'
      Signed-off-by: default avatarMike Frysinger <vapier@gentoo.org>
      Cc: David Howells <dhowells@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      586c7e6a
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux-2.6-for-linus · 13df635f
      Linus Torvalds authored
      * git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux-2.6-for-linus:
        kvm: fix kvm reboot crash when MAXSMP is used
        cpumask: alloc zeroed cpumask for static cpumask_var_ts
        cpumask: introduce zalloc_cpumask_var
      13df635f
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.dk/linux-2.6-block · 9cdba302
      Linus Torvalds authored
      * 'for-linus' of git://git.kernel.dk/linux-2.6-block:
        bsg: setting rq->bio to NULL
      9cdba302
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 · fd4d3429
      Linus Torvalds authored
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6:
        cls_cgroup: Fix oops when user send improperly 'tc filter add' request
        r8169: fix crash when large packets are received
      fd4d3429
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://neil.brown.name/md · 4d11eff6
      Linus Torvalds authored
      * 'for-linus' of git://neil.brown.name/md:
        md/raid5: fix bug in reshape code when chunk_size decreases.
        md/raid5 - avoid deadlocks in get_active_stripe during reshape
        md/raid5: use conf->raid_disks in preference to mddev->raid_disk
      4d11eff6
    • FUJITA Tomonori's avatar
      bsg: setting rq->bio to NULL · c1d4c41f
      FUJITA Tomonori authored
      Due to commit 1cd96c24 ("block: WARN
      in __blk_put_request() for potential bio leak"), BSG SMP requests get
      the false warnings:
      
      WARNING: at block/blk-core.c:1068 __blk_put_request+0x52/0xc0()
      
      This sets rq->bio to NULL to avoid that false warnings.
      Signed-off-by: default avatarFUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
      Signed-off-by: default avatarJens Axboe <jens.axboe@oracle.com>
      c1d4c41f
    • Avi Kivity's avatar
      kvm: fix kvm reboot crash when MAXSMP is used · 8437a617
      Avi Kivity authored
      one system was found there is crash during reboot then kvm/MAXSMP
      Sending all processes the KILL signal...                              done
      Please stand by while rebooting the system...
      [ 1721.856538] md: stopping all md devices.
      [ 1722.852139] kvm: exiting hardware virtualization
      [ 1722.854601] BUG: unable to handle kernel NULL pointer dereference at (null)
      [ 1722.872219] IP: [<ffffffff8102c6b6>] hardware_disable+0x4c/0xb4
      [ 1722.877955] PGD 0
      [ 1722.880042] Oops: 0000 [#1] SMP
      [ 1722.892548] last sysfs file: /sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/host0/target0:2:0/0:2:0:0/vendor
      [ 1722.900977] CPU 9
      [ 1722.912606] Modules linked in:
      [ 1722.914226] Pid: 0, comm: swapper Not tainted 2.6.30-rc7-tip-01843-g2305324-dirty #299 ...
      [ 1722.932589] RIP: 0010:[<ffffffff8102c6b6>]  [<ffffffff8102c6b6>] hardware_disable+0x4c/0xb4
      [ 1722.942709] RSP: 0018:ffffc900010b6ed8  EFLAGS: 00010046
      [ 1722.956121] RAX: 0000000000000000 RBX: ffffc9000e253140 RCX: 0000000000000009
      [ 1722.972202] RDX: 000000000000b020 RSI: ffffc900010c3220 RDI: ffffffffffffd790
      [ 1722.977399] RBP: ffffc900010b6f08 R08: 0000000000000000 R09: 0000000000000000
      [ 1722.995149] R10: 00000000000004b8 R11: 966912b6c78fddbd R12: 0000000000000009
      [ 1723.011551] R13: 000000000000b020 R14: 0000000000000009 R15: 0000000000000000
      [ 1723.019898] FS:  0000000000000000(0000) GS:ffffc900010b3000(0000) knlGS:0000000000000000
      [ 1723.034389] CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
      [ 1723.041164] CR2: 0000000000000000 CR3: 0000000001001000 CR4: 00000000000006e0
      [ 1723.056192] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [ 1723.072546] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      [ 1723.080562] Process swapper (pid: 0, threadinfo ffff88107e464000, task ffff88047e5a2550)
      [ 1723.096144] Stack:
      [ 1723.099071]  0000000000000046 ffffc9000e253168 966912b6c78fddbd ffffc9000e253140
      [ 1723.115471]  ffff880c7d4304d0 ffffc9000e253168 ffffc900010b6f28 ffffffff81011022
      [ 1723.132428]  ffffc900010b6f48 966912b6c78fddbd ffffc900010b6f48 ffffffff8100b83b
      [ 1723.141973] Call Trace:
      [ 1723.142981]  <IRQ> <0> [<ffffffff81011022>] kvm_arch_hardware_disable+0x26/0x3c
      [ 1723.158153]  [<ffffffff8100b83b>] hardware_disable+0x3f/0x55
      [ 1723.172168]  [<ffffffff810b95f6>] generic_smp_call_function_interrupt+0x76/0x13c
      [ 1723.178836]  [<ffffffff8104cbea>] smp_call_function_interrupt+0x3a/0x5e
      [ 1723.194689]  [<ffffffff81035bf3>] call_function_interrupt+0x13/0x20
      [ 1723.199750]  <EOI> <0> [<ffffffff814ad3b4>] ? acpi_idle_enter_c1+0xd3/0xf4
      [ 1723.217508]  [<ffffffff814ad3ae>] ? acpi_idle_enter_c1+0xcd/0xf4
      [ 1723.232172]  [<ffffffff814ad4bc>] ? acpi_idle_enter_bm+0xe7/0x2ce
      [ 1723.235141]  [<ffffffff81a8d93f>] ? __atomic_notifier_call_chain+0x0/0xac
      [ 1723.253381]  [<ffffffff818c3dff>] ? menu_select+0x58/0xd2
      [ 1723.258179]  [<ffffffff818c2c9d>] ? cpuidle_idle_call+0xa4/0xf3
      [ 1723.272828]  [<ffffffff81034085>] ? cpu_idle+0xb8/0x101
      [ 1723.277085]  [<ffffffff81a80163>] ? start_secondary+0x1bc/0x1d7
      [ 1723.293708] Code: b0 00 00 65 48 8b 04 25 28 00 00 00 48 89 45 e0 31 c0 48 8b 04 cd 30 ee 27 82 49 89 cc 49 89 d5 48 8b 04 10 48 8d b8 90 d7 ff ff <48> 8b 87 70 28 00 00 48 8d 98 90 d7 ff ff eb 16 e8 e9 fe ff ff
      [ 1723.335524] RIP  [<ffffffff8102c6b6>] hardware_disable+0x4c/0xb4
      [ 1723.342076]  RSP <ffffc900010b6ed8>
      [ 1723.352021] CR2: 0000000000000000
      [ 1723.354348] ---[ end trace e2aec53dae150aa1 ]---
      
      it turns out that we need clear cpus_hardware_enabled in that case.
      Reported-and-tested-by: default avatarYinghai Lu <yinghai@kernel.org>
      Signed-off-by: default avatarYinghai Lu <yinghai@kernel.org>
      Signed-off-by: default avatarRusty Russell <rusty@rustcorp.com.au>
      8437a617
    • Yinghai Lu's avatar
      cpumask: alloc zeroed cpumask for static cpumask_var_ts · eaa95840
      Yinghai Lu authored
      These are defined as static cpumask_var_t so if MAXSMP is not used,
      they are cleared already.  Avoid surprises when MAXSMP is enabled.
      Signed-off-by: default avatarYinghai Lu <yinghai.lu@kernel.org>
      Signed-off-by: default avatarRusty Russell <rusty@rustcorp.com.au>
      eaa95840
    • Yinghai Lu's avatar
      cpumask: introduce zalloc_cpumask_var · 0281b5dc
      Yinghai Lu authored
      So can get cpumask_var with cpumask_clear
      Signed-off-by: default avatarYinghai Lu <yinghai@kernel.org>
      Signed-off-by: default avatarRusty Russell <rusty@rustcorp.com.au>
      0281b5dc
    • Minoru Usui's avatar
      cls_cgroup: Fix oops when user send improperly 'tc filter add' request · 52ea3a56
      Minoru Usui authored
      I found a bug in cls_cgroup_change() in cls_cgroup.c.
      cls_cgroup_change() expected tca[TCA_OPTIONS] was set from user space properly,
      but tc in iproute2-2.6.29-1 (which I used) didn't set it.
      
      In the current source code of tc in git, it set tca[TCA_OPTIONS].
      
        git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git
      
      If we always use a newest iproute2 in git when we use cls_cgroup, 
      we don't face this oops probably.
      But I think, kernel shouldn't panic regardless of use program's behaviour. 
      Signed-off-by: default avatarMinoru Usui <usui@mxm.nes.nec.co.jp>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      52ea3a56
    • Eric Dumazet's avatar
      r8169: fix crash when large packets are received · fdd7b4c3
      Eric Dumazet authored
      Michael Tokarev reported receiving a large packet could crash
      a machine with RTL8169 NIC.
      ( original thread at http://lkml.org/lkml/2009/6/8/192 )
      
      Problem is this driver tells that NIC frames up to 16383 bytes
      can be received but provides skb to rx ring allocated with
      smaller sizes (1536 bytes in case standard 1500 bytes MTU is used)
      
      When a frame larger than what was allocated by driver is received,
      dma transfert can occurs past the end of buffer and corrupt
      kernel memory.
      
      Fix is to tell to NIC what is the maximum size a frame can be.
      
      This bug is very old, (before git introduction, linux-2.6.10), and 
      should be backported to stable versions.
      Reported-by: default avatarMichael Tokarev <mjt@tls.msk.ru>
      Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Tested-by: default avatarMichael Tokarev <mjt@tls.msk.ru>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fdd7b4c3
    • NeilBrown's avatar
      md/raid5: fix bug in reshape code when chunk_size decreases. · 0e6e0271
      NeilBrown authored
      Now that we support changing the chunksize, we calculate
      "reshape_sectors" to be the max of number of sectors in old
      and new chunk size.
      However there is one please where we still use 'chunksize'
      rather than 'reshape_sectors'.
      This causes a reshape that reduces the size of chunks to freeze.
      Signed-off-by: default avatarNeilBrown <neilb@suse.de>
      0e6e0271