1. 21 Aug, 2012 11 commits
    • mm: hugetlbfs: correctly populate shared pmd · eb48c071
      Michal Hocko authored
      Each page mapped in a process's address space must be correctly
      accounted for in _mapcount.  Normally the rules for this are
      straightforward but hugetlbfs page table sharing is different.  The page
      table pages at the PMD level are reference counted while the mapcount
      remains the same.
      
      If this accounting is wrong, it causes bugs like this one reported by
      Larry Woodman:
      
        kernel BUG at mm/filemap.c:135!
        invalid opcode: 0000 [#1] SMP
        CPU 22
        Modules linked in: bridge stp llc sunrpc binfmt_misc dcdbas microcode pcspkr acpi_pad acpi]
        Pid: 18001, comm: mpitest Tainted: G        W    3.3.0+ #4 Dell Inc. PowerEdge R620/07NDJ2
        RIP: 0010:[<ffffffff8112cfed>]  [<ffffffff8112cfed>] __delete_from_page_cache+0x15d/0x170
        Process mpitest (pid: 18001, threadinfo ffff880428972000, task ffff880428b5cc20)
        Call Trace:
          delete_from_page_cache+0x40/0x80
          truncate_hugepages+0x115/0x1f0
          hugetlbfs_evict_inode+0x18/0x30
          evict+0x9f/0x1b0
          iput_final+0xe3/0x1e0
          iput+0x3e/0x50
          d_kill+0xf8/0x110
          dput+0xe2/0x1b0
          __fput+0x162/0x240
      
      During fork(), copy_hugetlb_page_range() detects if huge_pte_alloc()
      shared page tables with the check dst_pte == src_pte.  The logic is if
      the PMD page is the same, they must be shared.  This assumes that the
      sharing is between the parent and child.  However, if the sharing is
      with a different process entirely then this check fails as in this
      diagram:
      
        parent
          |
          ------------>pmd
                       src_pte----------> data page
                                              ^
        other--------->pmd--------------------|
                        ^
        child-----------|
                       dst_pte
      
      For this situation to occur, it must be possible for Parent and Other to
      have faulted and failed to share page tables with each other.  This is
      possible due to the following style of race.
      
        PROC A                                          PROC B
        copy_hugetlb_page_range                         copy_hugetlb_page_range
          src_pte == huge_pte_offset                      src_pte == huge_pte_offset
          !src_pte so no sharing                          !src_pte so no sharing
      
        (time passes)
      
        hugetlb_fault                                   hugetlb_fault
          huge_pte_alloc                                  huge_pte_alloc
            huge_pmd_share                                 huge_pmd_share
              LOCK(i_mmap_mutex)
              find nothing, no sharing
              UNLOCK(i_mmap_mutex)
                                                            LOCK(i_mmap_mutex)
                                                            find nothing, no sharing
                                                            UNLOCK(i_mmap_mutex)
            pmd_alloc                                       pmd_alloc
            LOCK(instantiation_mutex)
            fault
            UNLOCK(instantiation_mutex)
                                                        LOCK(instantiation_mutex)
                                                        fault
                                                        UNLOCK(instantiation_mutex)
      
      These two processes are not pointing to the same data page but are not
      sharing page tables because the opportunity was missed.  When either
      process later forks, the src_pte == dst_pte is potentially insufficient.
      As the check falls through, the wrong PTE information is copied in
      (harmless but wrong) and the mapcount is bumped for a page mapped by a
      shared page table leading to the BUG_ON.
      
      This patch addresses the issue by moving pmd_alloc into huge_pmd_share
      which guarantees that the shared pud is populated in the same critical
      section as pmd.  This also means that huge_pte_offset test in
      huge_pmd_share is serialized correctly now which in turn means that the
      success of the sharing will be higher as the racing tasks see the pud
      and pmd populated together.
      
      Race identified and changelog written mostly by Mel Gorman.
      
      [akpm@linux-foundation.org: attempt to make the huge_pmd_share() comment comprehensible, clean up coding style]
      Reported-by: Larry Woodman <lwoodman@redhat.com>
      Tested-by: Larry Woodman <lwoodman@redhat.com>
      Reviewed-by: Mel Gorman <mgorman@suse.de>
      Signed-off-by: Michal Hocko <mhocko@suse.cz>
      Reviewed-by: Rik van Riel <riel@redhat.com>
      Cc: David Gibson <david@gibson.dropbear.id.au>
      Cc: Ken Chen <kenchen@google.com>
      Cc: Cong Wang <xiyou.wangcong@gmail.com>
      Cc: Hillf Danton <dhillf@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • cciss: fix incorrect scsi status reporting · b0cf0b11
      Stephen M. Cameron authored
      Delete code which sets SCSI status incorrectly as it's already been set
      correctly above this incorrect code.  The bug was introduced in 2009 by
      commit b0e15f6d ("cciss: fix typo that causes scsi status to be
      lost.")
      Signed-off-by: Stephen M. Cameron <scameron@beardog.cce.hp.com>
      Reported-by: Roel van Meer <roel.vanmeer@bokxing.nl>
      Tested-by: Roel van Meer <roel.vanmeer@bokxing.nl>
      Cc: Jens Axboe <axboe@kernel.dk>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Documentation: update mount option in filesystem/vfat.txt · d65226e2
      Namjae Jeon authored
      Update two mount options(discard, nfs) in vfat.txt.
      Signed-off-by: Namjae Jeon <linkinjeon@gmail.com>
      Acked-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • mm: change nr_ptes BUG_ON to WARN_ON · f9aed62a
      Hugh Dickins authored
      Occasionally an isolated BUG_ON(mm->nr_ptes) gets reported, indicating
      that not all the page tables allocated could be found and freed when
      exit_mmap() tore down the user address space.
      
      There's usually nothing we can say about it, beyond that it's probably a
      sign of some bad memory or memory corruption; though it might still
      indicate a bug in vma or page table management (and did recently reveal a
      race in THP, fixed a few months ago).
      
      But one overdue change we can make is from BUG_ON to WARN_ON.
      
      It's fairly likely that the system will crash shortly afterwards in some
      other way (for example, the BUG_ON(page_mapped(page)) in
      __delete_from_page_cache(), once an inode mapped into the lost page tables
      gets evicted); but might tell us more before that.
      
      Change the BUG_ON(page_mapped) to WARN_ON too?  Later perhaps: I'm less
      eager, since that one has several times led to fixes.
      Signed-off-by: Hugh Dickins <hughd@google.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • cs5535-clockevt: typo, it's MFGPT, not MFPGT · 61e01be2
      Jens Rottmann authored
      Signed-off-by: Jens Rottmann <JRottmann@LiPPERTEmbedded.de>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: John Stultz <john.stultz@linaro.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu · a6b881a5
      Linus Torvalds authored
      Pull m68knommu arch fixes from Greg Ungerer:
       "This contains 2 fixes.  One fixes compilation of ColdFire clk code,
        the other makes sure we use the generic atomic64 support on all m68k
        targets."
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu:
        m68k: select CONFIG_GENERIC_ATOMIC64 for all m68k CPU types
        m68knommu: select CONFIG_HAVE_CLK for ColdFire CPU types
    • Merge tag 'pinctrl-fixes-v3.6-rc3' of... · 8f6c1ca9
      Linus Torvalds authored
      Merge tag 'pinctrl-fixes-v3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
      
      Pull pin control fixes from Linus Walleij:
       - Fixed Nomadik errorpath
       - Fixed documentation spelling errors
       - Forward-declare struct device in a header file
       - Remove some extraneous code lines when getting pinctrl states
       - Correct the i.MX51 configure register number
       - Fix the Nomadik keypad function group list
      
      * tag 'pinctrl-fixes-v3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl/nomadik: add kp_b_2 keyboard function group list
        pinctrl: imx51: fix .conf_reg of MX51_PAD_SD2_CMD__CSPI_MOSI
        trivial: pinctrl core: remove extraneous code lines
        pinctrl: header: trivial: declare struct device
        Documentation/pinctrl.txt: Fix some misspelled macros
        pinctrl/nomadik: fix null in irqdomain errorpath
    • Merge tag 'sound-3.6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 4459f397
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "This update became slightly bigger than usual for rc3, but most of the
        commits are small and trivial.  A large chunk is found for HD-audio
        ca0132 codec, which is mostly a clean up of the specific code, to make
        SPDIF working properly, and also in the new ASoC Arizona driver.
      
        One important fix is for usb-audio Oops fix since 3.5.  We still see
        some EHCI related bandwidth problem, but usb-audio should be more
        stabilized now.
      
        Other than that, a Kconfig fix is spread over files, and various
        HD-audio and ASoC fixes as usual, in addition to Julia's error path
        fixes."
      
      * tag 'sound-3.6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (42 commits)
        ALSA: snd-als100: fix suspend/resume
        ALSA: hda - Fix leftover codec->power_transition
        ALSA: hda - don't create dysfunctional mixer controls for ca0132
        ALSA: sound/ppc/snd_ps3.c: fix error return code
        ALSA: sound/pci/rme9652/hdspm.c: fix error return code
        ALSA: sound/pci/sis7019.c: fix error return code
        ALSA: sound/pci/ctxfi/ctatc.c: fix error return code
        ALSA: sound/atmel/ac97c.c: fix error return code
        ALSA: sound/atmel/abdac.c: fix error return code
        ALSA: fix pcm.h kernel-doc warning and notation
        sound: oss/sb_audio: prevent divide by zero bug
        ASoC: wm9712: Fix inverted capture volume
        ASoC: wm9712: Fix microphone source selection
        ASoC: wm5102: Remove DRC2
        ALSA: hda - Don't send invalid volume knob command on IDT 92hd75bxx
        ALSA: usb-audio: Fix scheduling-while-atomic bug in PCM capture stream
        ALSA: lx6464es: Add a missing error check
        ALSA: hda - Fix 'Beep Playback Switch' with no underlying mute switch
        ASoC: jack: Always notify full jack status
        ASoC: wm5110: Add missing input PGA routes
        ...
    • task_work: add a scheduling point in task_work_run() · f341861f
      Eric Dumazet authored
      It seems commit 4a9d4b02 ("switch fput to task_work_add") re-
      introduced the problem addressed in 944be0b2 ("close_files(): add
      scheduling point")
      
      If a server process with a lot of files (say 2 million tcp sockets) is
      killed, we can spend a lot of time in task_work_run() and trigger a soft
      lockup.
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • fbcon: fix race condition between console lock and cursor timer · ec5da7f8
      Dave Airlie authored
      So we've had a fair few reports of fbcon handover breakage between
      efi/vesafb and i915 surface recently, so I dedicated a couple of
      days to finding the problem.
      
      Essentially the last thing we saw was the conflicting framebuffer
      message and that was all.
      
      So after much tracing with direct netconsole writes (printks
      under console_lock not so useful), I think I found the race.
      
        Thread A (driver load)    Thread B (timer thread)
          unbind_con_driver ->              |
          bind_con_driver ->                |
          vc->vc_sw->con_deinit ->          |
          fbcon_deinit ->                   |
          console_lock()                    |
              |                             |
              |                       fbcon_flashcursor timer fires
              |                       console_lock() <- blocked for A
              |
              |
        fbcon_del_cursor_timer ->
          del_timer_sync
          (BOOM)
      
      Of course because all of this is under the console lock,
      we never see anything, also since we also just unbound the active
      console guess what we never see anything.
      
      Hopefully this fixes the problem for anyone seeing vesafb->kms
      driver handoff.
      Signed-off-by: David Airlie <airlied@redhat.com>
      Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
      Cc: stable@vger.kernel.org
      Tested-by: Josh Boyer <jwboyer@gmail.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • ALSA: snd-als100: fix suspend/resume · 53e1719f
      Ondrej Zary authored
      snd_card_als100_probe() does not set pcm field in struct snd_sb.
      As a result, PCM is not suspended and applications don't know that they need
      to resume the playback.
      
      Tested with Labway A381-F20 card (ALS120).
      Signed-off-by: Ondrej Zary <linux@rainbow-software.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
  2. 20 Aug, 2012 29 commits