summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2012-09-26move put_unused_fd() and fd_install() to fs/file.cAl Viro2-44/+44
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2012-09-26trim free_fdtable_rcu()Al Viro1-15/+2
embedded case isn't hit anymore Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2012-09-26don't bother with call_rcu() in put_files_struct()Al Viro1-9/+5
At that point nobody can see us anyway; everything that looks at files_fdtable(files) is separated from the guts of put_files_struct(files) - either since files is current->files or because we fetched it under task_lock() and hadn't dropped that yet, or because we'd bumped files->count while holding task_lock()... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2012-09-26move files_struct-related bits from kernel/exit.c to fs/file.cAl Viro3-100/+99
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2012-09-26new helper: __alloc_fd()Al Viro3-58/+16
Essentially, alloc_fd() in a files_struct we own a reference to. Most of the time wanting to use it is a sign of lousy API design (such as android/binder). It's *not* a general-purpose interface; better that than open-coding its guts, but again, playing with other process' descriptor table is a sign of bad design. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2012-09-26take rlimit check to callers of expand_files()Al Viro2-7/+12
... except for one in android, where the check is different and already done in caller. No need to recalculate rlimit many times in alloc_fd() either. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2012-09-26fanotify: sanitize failure exits in copy_event_to_user()Al Viro1-39/+20
* do copy_to_user() before prepare_for_access_response(); that kills the need in remove_access_response(). * don't do fd_install() until we are past the last possible failure exit. Don't use sys_close() on cleanup side - just put_unused_fd() and fput(). Less racy that way... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2012-09-26events: don't use get_unused_fd_flags() when get_unused_fd() will doAl Viro1-1/+1
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2012-09-26pipe(2) - race-free error recoveryAl Viro1-9/+22
don't mess with sys_close() if copy_to_user() fails; just postpone fd_install() until we know it hasn't. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2012-09-26binder: don't allow mmap() by process other than proc->tskAl Viro1-1/+4
we really shouldn't do get_files_struct() on a different process and use it to modify the sucker later on. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2012-09-26autofs4: don't open-code fd_install()Al Viro1-16/+2
The only difference between autofs_dev_ioctl_fd_install() and fd_install() is __set_close_on_exec() done by the latter. Just use get_unused_fd_flags(O_CLOEXEC) to allocate the descriptor and be done with that... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2012-09-26make get_unused_fd_flags() a functionAl Viro2-5/+5
... and get_unused_fd() a macro around it Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2012-09-26unexport sock_map_fd(), switch to sock_alloc_file()Al Viro4-18/+32
Both modular callers of sock_map_fd() had been buggy; sctp one leaks descriptor and file if copy_to_user() fails, 9p one shouldn't be exposing file in the descriptor table at all. Switch both to sock_alloc_file(), export it, unexport sock_map_fd() and make it static. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2012-09-26take descriptor handling from sock_alloc_file() to callersAl Viro1-22/+40
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2012-09-26Merge remote branch 'origin' into for-nextAl Viro893-4213/+7372
2012-09-25Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netLinus Torvalds17-61/+152
Pull more networking fixes from David Miller: 1) Eric Dumazet discovered and fixed what turned out to be a family of bugs. These functions were using pskb_may_pull() which might need to reallocate the linear SKB data buffer, but the callers were not expecting this possibility. The callers have cached pointers to the packet header areas, and would need to reload them if we were to continue using pskb_may_pull(). So they could end up reading garbage. It's easier to just change these RAW4/RAW6/MIP6 routines to use skb_header_pointer() instead of pskb_may_pull(), which won't modify the linear SKB data area. 2) Dave Jone's syscall spammer caught a case where a non-TCP socket can call down into the TCP keepalive code. The case basically involves creating a raw socket with sk_protocol == IPPROTO_TCP, then calling setsockopt(sock_fd, SO_KEEPALIVE, ...) Fixed by Eric Dumazet. 3) Bluetooth devices do not get configured properly while being powered on, resulting in always using legacy pairing instead of SSP. Fix from Andrzej Kaczmarek. 4) Bluetooth cancels delayed work erroneously, put stricter checks in place. From Andrei Emeltchenko. 5) Fix deadlock between cfg80211_mutex and reg_regdb_search_mutex in cfg80211, from Luis R. Rodriguez. 6) Fix interrupt double release in iwlwifi, from Emmanuel Grumbach. 7) Missing module license in bcm87xx driver, from Peter Huewe. 8) Team driver can lose port changed events when adding devices to a team, fix from Jiri Pirko. 9) Fix endless loop when trying ot unregister PPPOE device in zombie state, from Xiaodong Xu. 10) batman-adv layer needs to set MAC address of software device earlier, otherwise we call tt_local_add with it uninitialized. 11) Fix handling of KSZ8021 PHYs, it's matched currently by KS8051 but that doesn't program the device properly. From Marek Vasut. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: ipv6: mip6: fix mip6_mh_filter() ipv6: raw: fix icmpv6_filter() net: guard tcp_set_keepalive() to tcp sockets phy/micrel: Add missing header to micrel_phy.h phy/micrel: Rename KS80xx to KSZ80xx phy/micrel: Implement support for KSZ8021 batman-adv: Fix symmetry check / route flapping in multi interface setups batman-adv: Fix change mac address of soft iface. pppoe: drop PPPOX_ZOMBIEs in pppoe_release team: send port changed when added ipv4: raw: fix icmp_filter() net/phy/bcm87xx: Add MODULE_LICENSE("GPL") to GPL driver iwlwifi: don't double free the interrupt in failure path cfg80211: fix possible circular lock on reg_regdb_search() Bluetooth: Fix not removing power_off delayed work Bluetooth: Fix freeing uninitialized delayed works Bluetooth: mgmt: Fix enabling LE while powered off Bluetooth: mgmt: Fix enabling SSP while powered off
2012-09-25ipv6: mip6: fix mip6_mh_filter()Eric Dumazet1-9/+11
mip6_mh_filter() should not modify its input, or else its caller would need to recompute ipv6_hdr() if skb->head is reallocated. Use skb_header_pointer() instead of pskb_may_pull() Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-09-25Merge tag 'batman-adv-fix-for-davem' of git://git.open-mesh.org/linux-mergeDavid S. Miller2-8/+12
Included fixes: - fix the behaviour of batman-adv in case of virtual interface MAC change event - fix symmetric link check in neighbour selection Signed-off-by: David S. Miller <davem@davemloft.net>
2012-09-25ipv6: raw: fix icmpv6_filter()Eric Dumazet1-11/+10
icmpv6_filter() should not modify its input, or else its caller would need to recompute ipv6_hdr() if skb->head is reallocated. Use skb_header_pointer() instead of pskb_may_pull() and change the prototype to make clear both sk and skb are const. Also, if icmpv6 header cannot be found, do not deliver the packet, as we do in IPv4. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-09-25Merge tag 'sh-for-linus' of git://github.com/pmundt/linux-shLinus Torvalds1-0/+2
Pull SuperH fix from Paul Mundt: "One last minute regression fix.." * tag 'sh-for-linus' of git://github.com/pmundt/linux-sh: sh: pfc: Fix up GPIO mux type reconfig case.
2012-09-25Merge branch 'akpm' (sundry from Andrew)Linus Torvalds4-2/+5
Merge misc fixes from Andrew Morton: "One maintainer change and three bugfixes" * emailed patches from Andrew Morton <akpm@linux-foundation.org>: (4 commits) c/r: prctl: fix build error for no-MMU case lib/flex_proportions.c: fix corruption of denominator in flexible proportions checksyscalls: fix "here document" handling pwm-backlight: take over maintenance
2012-09-25c/r: prctl: fix build error for no-MMU caseMark Salter1-0/+1
Commit 1ad75b9e1628 ("c/r: prctl: add minimal address test to PR_SET_MM") added some address checking to prctl_set_mm() used by checkpoint-restore. This causes a build error for no-MMU systems: kernel/sys.c: In function 'prctl_set_mm': kernel/sys.c:1868:34: error: 'mmap_min_addr' undeclared (first use in this function) The test for mmap_min_addr doesn't make a lot of sense for no-MMU code as noted in commit 6e1415467614 ("NOMMU: Optimise away the {dac_,}mmap_min_addr tests"). This patch defines mmap_min_addr as 0UL in the no-MMU case so that the compiler will optimize away tests for "addr < mmap_min_addr". Signed-off-by: Mark Salter <msalter@redhat.com> Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org> Cc: <stable@vger.kernel.org> [3.6.x] Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-09-25lib/flex_proportions.c: fix corruption of denominator in flexible proportionsJan Kara1-1/+1
When racing with CPU hotplug, percpu_counter_sum() can return negative values for the number of observed events. This confuses fprop_new_period(), which uses unsigned type and as a result number of events is set to big *positive* number. From that moment on, things go pear shaped and can result e.g. in division by zero as denominator is later truncated to 32-bits. This bug causes a divide-by-zero oops in bdi_dirty_limit() in Borislav's 3.6.0-rc6 based kernel. Fix the issue by using a signed type in fprop_new_period(). That makes us bail out from the function without doing anything (mistakenly) thinking there are no events to age. That makes aging somewhat inaccurate but getting accurate data would be rather hard. Signed-off-by: Jan Kara <jack@suse.cz> Reported-by: Borislav Petkov <bp@amd64.org> Reported-by: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com> Cc: Wu Fengguang <fengguang.wu@intel.com> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-09-25checksyscalls: fix "here document" handlingHeiko Carstens1-1/+1
"echo" doesn't read from stdin, therefore the checksyscalls script didn't warn about not implemented system calls anymore since 29dc54c6 ("checksyscalls: Use arch/x86/syscalls/syscall_32.tbl as source"). Use "cat" instead of "echo" which handles this correctly. Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com> Cc: Michal Marek <mmarek@suse.cz> Cc: H. Peter Anvin <hpa@linux.intel.com> Cc: Cyrill Gorcunov <gorcunov@openvz.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-09-25pwm-backlight: take over maintenanceThierry Reding1-0/+2
Since the pwm-backlight driver is lacking a proper maintainer and is the heaviest user of the PWM framework I'm taking over maintenance. Signed-off-by: Thierry Reding <thierry.reding@avionic-design.de> Acked-by: Arun Murthy <arun.murthy@stericsson.com> Cc: Matthew Garrett <mjg@redhat.com> Cc: Robert Morell <rmorell@nvidia.com> Cc: Dilan Lee <dilee@nvidia.com> Cc: Axel Lin <axel.lin@gmail.com> Cc: Mark Brown <broonie@opensource.wolfsonmicro.com> Cc: Alexandre Courbot <acourbot@nvidia.com> Acked-by: Sachin Kamat <sachin.kamat@linaro.org> Acked-by: Linus Walleij <linus.walleij@linaro.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-09-25sh: pfc: Fix up GPIO mux type reconfig case.Paul Mundt1-0/+2
Some drivers need to switch pin states between GPIO and pin function at runtime, which was inadvertently broken in the pinctrl driver for GPIOs being bound to a specific direction. This fixes up the request path to ensure that previously configured GPIOs don't cause us to inadvertently error out with an unsupported mux on reconfig, which in practice is primarily aimed at trapping pull-up/down users that have yet to be implemented under the new API. Fixes up regressions in the TPU PWM driver, amongst others. Reported-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Tested-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Paul Mundt <lethal@linux-sh.org>
2012-09-24Merge branch 'for-davem' of ↵David S. Miller5-4/+29
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless John W. Linville says: ==================== Please pull this last(?) batch of fixes intended for 3.6... For the Bluetooth bits, Gustavo says this: "Here goes probably my last update to 3.6. It includes the two patches you were ok last week(from Andrzej Kaczmarek), those are critical ones, and two other fixes one for a system crash and the other for a missing lockdep annotation." The referenced fixes from Andrzej prevent attempts to configure devices that are powered-off. Along with the Bluetooth fixes, there are a couple of 802.11 fixes. Emmanuel Grumbach gives us an iwlwifi fix to prevent releasing an interrupt twice. Luis R. Rodriguez provides a fix for a possible circular lock dependency in the cfg80211 regulatory enforcement code. All of these have been in linux-next for a few days. I hope they are not too late to make the 3.6 release! ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2012-09-24Merge git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tileLinus Torvalds1-11/+13
Pull tile gxio ABI fix from Chris Metcalf: "This fixes a last-minute change in the Tilera hypervisor ABI for TRIO (PCI root complex) support. We've locked in this ABI going forward and will make sure no further ABI changes like this occur." * git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile: tile: gxio iorpc numbering change for TRIO interface
2012-09-24Merge tag 'vfio-for-linus' of git://github.com/awilliam/linux-vfioLinus Torvalds2-21/+57
Pull vfio fixes from Alex Williamson: "VFIO doc update and virqfd race fix" * tag 'vfio-for-linus' of git://github.com/awilliam/linux-vfio: vfio: Fix virqfd release race vfio: Trivial Documentation correction
2012-09-24Merge tag 'stable/for-linus-3.6-rc7-tag' of ↵Linus Torvalds1-0/+4
git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen Pull a Xen fix from Konrad Rzeszutek Wilk: "It is a bug-fix when we run the initial PV guest on a AMD K8 machine and have CONFIG_AMD_NUMA enabled and detect the NUMA topology from the Northbridge. We end up in the situation where the initial domain gets too much information and gets confused and crashes - the fix is to restrict the domain to get the information - and we do it by just disabling NUMA on the PV guest (the hypervisor is still able to do its proper NUMA allocations of guests). It is OK to disable the PV guest from accessing NUMA data as right now we do not inject any NUMA node information to the PV guests. When we do get to that point, then this patch will have to be reverted." * Disable PV NUMA support as we do not do anything with it (yet) and it can cause bootup crashes on certain AMD machines. * tag 'stable/for-linus-3.6-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen: xen/boot: Disable NUMA for PV guests.
2012-09-24Merge branch 'for-linus' of ↵Linus Torvalds2-8/+4
git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client Pull two ceph fixes from Sage Weil: "The first fixes a leak in the rbd setup error path, and the second fixes a more serious problem with mismatched kmap/kunmap that surfaced after the recent refactoring work." * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client: libceph: only kunmap kmapped pages rbd: drop dev reference on error in rbd_open()
2012-09-24net: guard tcp_set_keepalive() to tcp socketsEric Dumazet1-1/+2
Its possible to use RAW sockets to get a crash in tcp_set_keepalive() / sk_reset_timer() Fix is to make sure socket is a SOCK_STREAM one. Reported-by: Dave Jones <davej@redhat.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-09-24phy/micrel: Add missing header to micrel_phy.hMarek Vasut1-0/+12
The license header was missing in micrel_phy.h . This patch adds one. Signed-off-by: Marek Vasut <marex@denx.de> Cc: David J. Choi <david.choi@micrel.com> Cc: David S. Miller <davem@davemloft.net> Cc: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-09-24phy/micrel: Rename KS80xx to KSZ80xxMarek Vasut3-13/+13
There is no such part as KS8001, KS8041 or KS8051. There are only KSZ8001, KSZ8041 and KSZ8051. Rename these parts as such to match the Micrel naming. Signed-off-by: Marek Vasut <marex@denx.de> Cc: David J. Choi <david.choi@micrel.com> Cc: David S. Miller <davem@davemloft.net> Cc: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com> Cc: Linux ARM kernel <linux-arm-kernel@lists.infradead.org> Cc: Fabio Estevam <fabio.estevam@freescale.com> Cc: Shawn Guo <shawn.guo@linaro.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-09-24phy/micrel: Implement support for KSZ8021Marek Vasut2-0/+28
The KSZ8021 PHY was previously caught by KS8051, which is not correct. This PHY needs additional setup if it is strapped for address 0. In such case an reserved bit must be written in the 0x16, "Operation Mode Strap Override" register. According to the KS8051 datasheet, that bit means "PHY Address 0 in non-broadcast" and it indeed behaves as such on KSZ8021. The issue where the ethernet controller (Freescale FEC) did not communicate with network is fixed by writing this bit as 1. Signed-off-by: Marek Vasut <marex@denx.de> Cc: David J. Choi <david.choi@micrel.com> Cc: David S. Miller <davem@davemloft.net> Cc: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-09-24tile: gxio iorpc numbering change for TRIO interfaceChris Metcalf1-11/+13
An ABI numbering change was made in the hypervisor for Tilera's 4.1 MDE release (just shipped). It's incompatible with the previous 4.0 release ABI numbering, so we track the new numbering going forward. We plan to avoid modifying ABI numbering for these interfaces again. Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
2012-09-24xen/boot: Disable NUMA for PV guests.Konrad Rzeszutek Wilk1-0/+4
The hypervisor is in charge of allocating the proper "NUMA" memory and dealing with the CPU scheduler to keep them bound to the proper NUMA node. The PV guests (and PVHVM) have no inkling of where they run and do not need to know that right now. In the future we will need to inject NUMA configuration data (if a guest spans two or more NUMA nodes) so that the kernel can make the right choices. But those patches are not yet present. In the meantime, disable the NUMA capability in the PV guest, which also fixes a bootup issue. Andre says: "we see Dom0 crashes due to the kernel detecting the NUMA topology not by ACPI, but directly from the northbridge (CONFIG_AMD_NUMA). This will detect the actual NUMA config of the physical machine, but will crash about the mismatch with Dom0's virtual memory. Variation of the theme: Dom0 sees what it's not supposed to see. This happens with the said config option enabled and on a machine where this scanning is still enabled (K8 and Fam10h, not Bulldozer class) We have this dump then: NUMA: Warning: node ids are out of bound, from=-1 to=-1 distance=10 Scanning NUMA topology in Northbridge 24 Number of physical nodes 4 Node 0 MemBase 0000000000000000 Limit 0000000040000000 Node 1 MemBase 0000000040000000 Limit 0000000138000000 Node 2 MemBase 0000000138000000 Limit 00000001f8000000 Node 3 MemBase 00000001f8000000 Limit 0000000238000000 Initmem setup node 0 0000000000000000-0000000040000000 NODE_DATA [000000003ffd9000 - 000000003fffffff] Initmem setup node 1 0000000040000000-0000000138000000 NODE_DATA [0000000137fd9000 - 0000000137ffffff] Initmem setup node 2 0000000138000000-00000001f8000000 NODE_DATA [00000001f095e000 - 00000001f0984fff] Initmem setup node 3 00000001f8000000-0000000238000000 Cannot find 159744 bytes in node 3 BUG: unable to handle kernel NULL pointer dereference at (null) IP: [<ffffffff81d220e6>] __alloc_bootmem_node+0x43/0x96 Pid: 0, comm: swapper Not tainted 3.3.6 #1 AMD Dinar/Dinar RIP: e030:[<ffffffff81d220e6>] [<ffffffff81d220e6>] __alloc_bootmem_node+0x43/0x96 .. snip.. [<ffffffff81d23024>] sparse_early_usemaps_alloc_node+0x64/0x178 [<ffffffff81d23348>] sparse_init+0xe4/0x25a [<ffffffff81d16840>] paging_init+0x13/0x22 [<ffffffff81d07fbb>] setup_arch+0x9c6/0xa9b [<ffffffff81683954>] ? printk+0x3c/0x3e [<ffffffff81d01a38>] start_kernel+0xe5/0x468 [<ffffffff81d012cf>] x86_64_start_reservations+0xba/0xc1 [<ffffffff81007153>] ? xen_setup_runstate_info+0x2c/0x36 [<ffffffff81d050ee>] xen_start_kernel+0x565/0x56c " so we just disable NUMA scanning by setting numa_off=1. CC: stable@vger.kernel.org Reported-and-Tested-by: Andre Przywara <andre.przywara@amd.com> Acked-by: Andre Przywara <andre.przywara@amd.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2012-09-23Linux 3.6-rc7v3.6-rc7Linus Torvalds1-2/+2
2012-09-23Merge branch 'rc-fixes' of ↵Linus Torvalds2-3/+3
git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild Pull kbuild fixes from Michal Marek: "There are two more kbuild fixes for 3.6. One fixes a race between x86's archscripts target and the rule (re)building scripts/basic/fixdep. The second is a fix for the previous attempt at fixing make firmware_install with make 3.82. This new solution should work with any version of GNU make" * 'rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild: x86/kbuild: archscripts depends on scripts_basic firmware: fix directory creation rule matching with make 3.80
2012-09-23Merge branch 'hwmon-for-linus' of ↵Linus Torvalds3-2/+23
git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging Pull hwmon subsystem fixes from Jean Delvare. * 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging: hwmon: (fam15h_power) Tweak runavg_range on resume hwmon: (coretemp) Use get_online_cpus to avoid races involving CPU hotplug hwmon: (via-cputemp) Use get_online_cpus to avoid races involving CPU hotplug
2012-09-23Merge tag 'scsi-fixes' of ↵Linus Torvalds4-2/+13
git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fixes from James Bottomley: "This is a set of four essential fixes: two oops related (bnx2i, virtio-scsi), one data corruption related (hpsa) and one failure to boot due to interrupt routing issues (mpt2ss). Signed-off-by: James Bottomley <JBottomley@Parallels.com>" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: [SCSI] hpsa: fix handling of protocol error [SCSI] mpt2sas: Fix for issue - Unable to boot from the drive connected to HBA [SCSI] bnx2i: Fixed NULL ptr deference for 1G bnx2 Linux iSCSI offload [SCSI] scsi: virtio-scsi: Fix address translation failure of HighMem pages used by sg list
2012-09-23edac_mc: edac_mc_free() cannot assume mem_ctl_info is registered in sysfs.Shaun Ruffell1-20/+39
Fix potential NULL pointer dereference in edac_unregister_sysfs() on system boot introduced in 3.6-rc1. Since commit 7a623c039 ("edac: rewrite the sysfs code to use struct device") edac_mc_alloc() no longer initializes embedded kobjects in struct mem_ctl_info. Therefore edac_mc_free() can no longer simply decrement a kobject reference count to free the allocated memory unless the memory controller driver module had also called edac_mc_add_mc(). Now edac_mc_free() will check if the newly embedded struct device has been registered with sysfs before using either the standard device release functions or freeing the data structures itself with logic pulled out of the error path of edac_mc_alloc(). The BUG this patch resolves for me: BUG: unable to handle kernel NULL pointer dereference at (null) EIP is at __wake_up_common+0x1a/0x6a Process modprobe (pid: 933, ti=f3dc6000 task=f3db9520 task.ti=f3dc6000) Call Trace: complete_all+0x3f/0x50 device_pm_remove+0x23/0xa2 device_del+0x34/0x142 edac_unregister_sysfs+0x3b/0x5c [edac_core] edac_mc_free+0x29/0x2f [edac_core] e7xxx_probe1+0x268/0x311 [e7xxx_edac] e7xxx_init_one+0x56/0x61 [e7xxx_edac] local_pci_probe+0x13/0x15 ... Cc: Mauro Carvalho Chehab <mchehab@redhat.com> Cc: Shaohui Xie <Shaohui.Xie@freescale.com> Signed-off-by: Shaun Ruffell <sruffell@digium.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-09-23edac_mc: fix messy kfree calls in the error pathFengguang Wu1-5/+7
coccinelle warns about: + drivers/edac/edac_mc.c:429:9-23: ERROR: reference preceded by free on line 429 421 if (mci->csrows) { > 422 for (chn = 0; chn < tot_channels; chn++) { 423 csr = mci->csrows[chn]; 424 if (csr) { > 425 for (chn = 0; chn < tot_channels; chn++) 426 kfree(csr->channels[chn]); 427 kfree(csr); 428 } > 429 kfree(mci->csrows[i]); 430 } 431 kfree(mci->csrows); 432 } and that code block seem to mess things up in several ways (double free, memory leak, out-of-bound reads etc.): L422: The iterator "chn" and bound "tot_channels" are totally wrong. Should be "row" and "tot_csrows" respectively. Which means either memory leak, or out-of-bound reads (which if does not trigger an immediate page fault error, will further lead to kfree() on random addresses). L425: The inner loop is reusing the same iterator "chn" as the outer loop, which could lead to premature end of the outer loop, and hence memory leak. L429: The array index 'i' in mci->csrows[i] is a temporary value used in previous loops, and won't change at all in the current loop. Which means either out-of-bound read and possibly kfree(random number), or the same mci->csrows[i] get freed once and again, and possibly double free for the kfree(csr) in L427. L426/L427: a kfree(csr->channels) is needed in between to avoid leaking the memory. The buggy code was introduced by commit de3910eb ("edac: change the mem allocation scheme to make Documentation/kobject.txt happy") in the 3.6-rc1 merge window. Fix it by freeing up resources in this order: free csrows[i]->channels[j] free csrows[i]->channels free csrows[i] free csrows CC: Mauro Carvalho Chehab <mchehab@redhat.com> CC: Shaun Ruffell <sruffell@digium.com> Signed-off-by: Fengguang Wu <fengguang.wu@intel.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-09-23batman-adv: Fix symmetry check / route flapping in multi interface setupsLinus Lüssing1-6/+7
If receiving an OGM from a neighbor other than the currently selected and if it has the same TQ then we are supposed to switch if this neighbor provides a more symmetric link than the currently selected one. However this symmetry check currently is broken if the interface of the neighbor we received the OGM from and the one of the currently selected neighbor differ: We are currently trying to determine the symmetry of the link towards the selected router via the link we received the OGM from instead of just checking via the link towards the currently selected router. This leads to way more route switches than necessary and can lead to permanent route flapping in many common multi interface setups. This patch fixes this issue by using the right interface for this symmetry check. Signed-off-by: Linus Lüssing <linus.luessing@web.de>
2012-09-23batman-adv: Fix change mac address of soft iface.Def1-2/+5
Into function interface_set_mac_addr, the function tt_local_add was invoked before updating dev->dev_addr. The new MAC address was not tagged as NoPurge. Signed-off-by: Def <def@laposte.net>
2012-09-23hwmon: (fam15h_power) Tweak runavg_range on resumeAndreas Herrmann1-2/+13
The quirk introduced with commit 00250ec90963b7ef6678438888f3244985ecde14 (hwmon: fam15h_power: fix bogus values with current BIOSes) is not only required during driver load but also when system resumes from suspend. The BIOS might set the previously recommended (but unsuitable) initilization value for the running average range register during resume. Signed-off-by: Andreas Herrmann <andreas.herrmann3@amd.com> Tested-by: Andreas Hartmann <andihartmann@01019freenet.de> Signed-off-by: Jean Delvare <khali@linux-fr.org> Cc: stable@vger.kernel.org # 3.0+
2012-09-23hwmon: (coretemp) Use get_online_cpus to avoid races involving CPU hotplugSilas Boyd-Wickizer1-0/+5
coretemp_init loops with for_each_online_cpu, adding platform_devices and sysfs interfaces, then calls register_hotcpu_notifier. There is a race if a CPU is offlined or onlined after the loop, but before register_hotcpu_notifier. The race might result in the absence of a platform_device+sysfs interface for an online CPU, or the presence of a platform_device+sysfs interface for an offline CPU. A similar race occurs during coretemp_exit, after the module calls unregister_hotcpu_notifier, but before it unregisters all devices, a CPU might offline and a device for an offline CPU will exist for a short while. This fix surrounds for_each_online_cpu and register_hotcpu_notifier with get_online_cpus+put_online_cpus; and surrounds unregister_hotcpu_notifier and device unregistering with get_online_cpus+put_online_cpus. Build tested. Signed-off-by: Silas Boyd-Wickizer <sbw@mit.edu> Signed-off-by: Jean Delvare <khali@linux-fr.org>
2012-09-23hwmon: (via-cputemp) Use get_online_cpus to avoid races involving CPU hotplugSilas Boyd-Wickizer1-0/+5
via_cputemp_init loops with for_each_online_cpu, adding platform_devices, then calls register_hotcpu_notifier. If a CPU is offlined between the loop and register_hotcpu_notifier, then later onlined, via_cputemp_device_add will attempt to add platform devices with the same ID. A similar race occurs during via_cputemp_exit, after the module calls unregister_hotcpu_notifier, a CPU might offline and a device will exist for a CPU that is offline. This fix surrounds for_each_online_cpu and register_hotcpu_notifier with get_online_cpus+put_online_cpus; and surrounds unregister_hotcpu_notifier and device unregistering with get_online_cpus+put_online_cpus. Build tested. Signed-off-by: Silas Boyd-Wickizer <sbw@mit.edu> Acked-by: Harald Welte <laforge@gnumonks.org> Signed-off-by: Jean Delvare <khali@linux-fr.org>
2012-09-22close the race in nlmsvc_free_block()Al Viro1-2/+1
we need to grab mutex before the reference counter reaches 0 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2012-09-22do_add_mount()/umount -l racesAl Viro1-2/+8
normally we deal with lock_mount()/umount races by checking that mountpoint to be is still in our namespace after lock_mount() has been done. However, do_add_mount() skips that check when called with MNT_SHRINKABLE in flags (i.e. from finish_automount()). The reason is that ->mnt_ns may be a temporary namespace created exactly to contain automounts a-la NFS4 referral handling. It's not the namespace of the caller, though, so check_mnt() would fail here. We still need to check that ->mnt_ns is non-NULL in that case, though. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>