| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
After executing the matching works, a rescuer leaves the gcwq whether
there are more pending works or not. This may decrease the
concurrency level to zero and stall execution until a new work item is
queued on the gcwq.
Make rescuer wake up a regular worker when it leaves a gcwq if there
are more works to execute, so that execution isn't stalled.
Signed-off-by: Tejun Heo <[email protected]>
Reported-by: Ray Jui <[email protected]>
Cc: [email protected]
|
|
We use it in non __cpuinit code now too so drop marker.
Signed-off-by: Borislav Petkov <[email protected]>
LKML-Reference: <20110211171754.GA21047@aftab>
Signed-off-by: Ingo Molnar <[email protected]>
|
|
Slave-dma has become the predominant usage model for dmaengine and needs
special attention. Memory-to-memory dma usage cases will continue to be
maintained by Dan.
Cc: Alan Cox <[email protected]>
Acked-by: Vinod Koul <[email protected]>
Signed-off-by: Dan Williams <[email protected]>
|
|
|
|
Currently when two or more buffers are queued by the camera driver
and so the double buffering is enabled in the idmac, we lose one
frame comming from CSI since the reporting of arrival of the first
frame is deferred by the DMAIC_7_EOF interrupt handler and reporting
of the arrival of the last frame is not done at all. So when requesting
N frames from the image sensor we actually receive N - 1 frames in
user space.
The reason for this behaviour is that the DMAIC_7_EOF interrupt
handler misleadingly assumes that the CUR_BUF flag is pointing to the
buffer used by the IDMAC. Actually it is not the case since the
CUR_BUF flag will be flipped by the FSU when the FSU is sending the
<TASK>_NEW_FRM_RDY signal when new frame data is delivered by the CSI.
When sending this singal, FSU updates the DMA_CUR_BUF and the
DMA_BUFx_RDY flags: the DMA_CUR_BUF is flipped, the DMA_BUFx_RDY
is cleared, indicating that the frame data is beeing written by
the IDMAC to the pointed buffer. DMA_BUFx_RDY is supposed to be
set to the ready state again by the MCU, when it has handled the
received data. DMAIC_7_CUR_BUF flag won't be flipped here by the
IPU, so waiting for this event in the EOF interrupt handler is wrong.
Actually there is no spurious interrupt as described in the comments,
this is the valid DMAIC_7_EOF interrupt indicating reception of the
frame from CSI.
The patch removes code that waits for flipping of the DMAIC_7_CUR_BUF
flag in the DMAIC_7_EOF interrupt handler. As the comment in the
current code denotes, this waiting doesn't help anyway. As a result
of this removal the reporting of the first arrived frame is not
deferred to the time of arrival of the next frame and the drivers
software flag 'ichan->active_buffer' is in sync with DMAIC_7_CUR_BUF
flag, so the reception of all requested frames works.
This has been verified on the hardware which is triggering the
image sensor by the programmable state machine, allowing to
obtain exact number of frames. On this hardware we do not tolerate
losing frames.
This patch also removes resetting the DMA_BUFx_RDY flags of
all channels in ipu_disable_channel() since transfers on other
DMA channels might be triggered by other running tasks and the
buffers should always be ready for data sending or reception.
Signed-off-by: Anatolij Gustschin <[email protected]>
Reviewed-by: Guennadi Liakhovetski <[email protected]>
Tested-by: Guennadi Liakhovetski <[email protected]>
Signed-off-by: Dan Williams <[email protected]>
|
|
git://git.linaro.org/people/jstultz/linux into timers/urgent
|
|
This PCH_GBE driver had an issue that the receiving data is not normal.
This driver had not removed correctly the padding data
which the DMA include in receiving data.
This patch fixed this issue.
Signed-off-by: Toshiharu Okada <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
|
|
This patch enables it by default when the driver starts.
This has been required by many people and seems to actually be
useful on STB.
At any rate, the WoL modes can be selected and turned-on/off
by using the ethtool at run-time by users.
Signed-off-by: Giuseppe Cavallaro <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
|
|
alloc_skb() interact badly.
If alloc_skb() fails to allocate memory and returns NULL then we want to
return -ENOMEM from drivers/atm/solos-pci.c::popen() regardless of the
value of net_ratelimit(). The way the code is today, we may not return if
net_ratelimit() returns 0, then we'll proceed to pass a NULL pointer to
skb_put() which will blow up in our face.
This patch ensures that we always return -ENOMEM on alloc_skb() failure
and only let the dev_warn() be controlled by the value of net_ratelimit().
Signed-off-by: Jesper Juhl <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
|
|
In drivers/net/usb/hso.c::hso_create_bulk_serial_device() we have this
code:
...
serial = kzalloc(sizeof(*serial), GFP_KERNEL);
if (!serial)
goto exit;
...
exit:
hso_free_tiomget(serial);
...
hso_free_tiomget() directly dereferences its argument, which in the
example above is a NULL pointer, ouch.
I could just add a 'if (serial)' test at the 'exit' label, but since most
freeing functions in the kernel accept NULL pointers (and it seems like
this was also assumed here) I opted to instead change 'hso_free_tiomget()'
so that it is safe to call it with a NULL argument. I also modified the
function to get rid of a pointles conditional before the call to
'usb_free_urb()' since that function already tests for NULL itself -
besides fixing the NULL deref this change also buys us a few bytes in
size.
Before:
$ size drivers/net/usb/hso.o
text data bss dec hex filename
32200 592 9960 42752 a700 drivers/net/usb/hso.o
After:
$ size drivers/net/usb/hso.o
text data bss dec hex filename
32196 592 9960 42748 a6fc drivers/net/usb/hso.o
Signed-off-by: Jesper Juhl <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
|
|
Commit c0e69a5bbc6f ("klist.c: bit 0 in pointer can't be used as flag")
intended to make sure that all klist objects were at least pointer size
aligned, but used the constant "4" which only works on 32-bit.
Use "sizeof(void *)" which is correct in all cases.
Signed-off-by: David S. Miller <[email protected]>
Acked-by: Jesper Nilsson <[email protected]>
Cc: stable <[email protected]>
Cc: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
|
|
Jesper Juhl noticed that l2_pull_iqueue() does not
check to see if alloc_skb() fails.
Fix this by first trying to reallocate the headroom
if necessary, rather than later after we've made hard
to undo state changes.
Reported-by: Jesper Juhl <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
|
|
* 'intel/drm-intel-fixes' of /ssd/git/drm-next:
drm/i915: Fix resume regression from 5d1d0cc
drm/i915/tv: Use polling rather than interrupt-based hotplug
drm/i915: Trigger modesetting if force-audio changes
drm/i915/sdvo: If we have an EDID confirm it matches the mode of the connection
drm/i915: Disable RC6 on Ironlake
drm/i915/lvds: Restore dithering on native modes for gen2/3
drm/i915: Invalidate TLB caches on SNB BLT/BSD rings
|
|
Makes debugging CS rejections much easier.
Signed-off-by: Alex Deucher <[email protected]>
Cc: [email protected]
Signed-off-by: Dave Airlie <[email protected]>
|
|
This is an important security fix because we allowed arbitrary values
to be passed to AARESOLVE_OFFSET. This also puts the right buffer address
in the register.
Signed-off-by: Marek Olšák <[email protected]>
Signed-off-by: Dave Airlie <[email protected]>
|
|
Also move ZB_DEPTHCLEARVALUE to the list of safe regs.
Signed-off-by: Marek Olšák <[email protected]>
Signed-off-by: Dave Airlie <[email protected]>
|
|
Not only is linear aligned supposedly more performant,
linear general is only supported by the CB in single
slice mode. The texture hardware doesn't support
linear general, but I think the hw automatically
upgrades it to linear aligned.
Signed-off-by: Alex Deucher <[email protected]>
Signed-off-by: Dave Airlie <[email protected]>
|
|
Not only is linear aligned supposedly more performant,
linear general is only supported by the CB in single
slice mode. The texture hardware doesn't support
linear general, but I think the hw automatically
upgrades it to linear aligned.
Signed-off-by: Alex Deucher <[email protected]>
Signed-off-by: Dave Airlie <[email protected]>
|
|
My evergreen has been in a remote PC for week and reset has never once
saved me from certain doom, I finally relocated to the box with a
serial cable and noticed an oops when the GPU resets, and the TTM
delayed delete thread tries to remove something from the GTT.
This stops the delayed delete thread from executing across the GPU
reset handler, and woot I can GPU reset now.
Signed-off-by: Dave Airlie <[email protected]>
|
|
Based on 6xx/7xx endian fixes from Cédric Cano.
v2: fix typo in shader
Signed-off-by: Alex Deucher <[email protected]>
Signed-off-by: Dave Airlie <[email protected]>
|
|
agd5f: minor cleanups
Signed-off-by: Cédric Cano <[email protected]>
Signed-off-by: Alex Deucher <[email protected]>
Signed-off-by: Dave Airlie <[email protected]>
|
|
agd5f: additional cleanups/fixes
Signed-off-by: Cédric Cano <[email protected]>
Signed-off-by: Alex Deucher <[email protected]>
Signed-off-by: Dave Airlie <[email protected]>
|
|
agd5f: minor cleanups
Signed-off-by: Cédric Cano <[email protected]>
Signed-off-by: Alex Deucher <[email protected]>
Signed-off-by: Dave Airlie <[email protected]>
|
|
The colorbuffer, zbuffer, and texture states are checked only once when
they get changed. This improves performance in the apps which emit
lots of draw packets and few state changes.
This drops performance in glxgears by a 1% or so, but glxgears is not
a benchmark we care about.
The time spent in the kernel when running Torcs dropped from 33% to 23%
and the frame rate is higher, which is a good thing.
r600 might need something like this as well.
Signed-off-by: Marek Olšák <[email protected]>
Signed-off-by: Dave Airlie <[email protected]>
|
|
In the continuing effort to avoid kernel addresses leaking to unprivileged
users, this patch switches to %pK for /proc/dri/*/vma.
Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: Dave Airlie <[email protected]>
|
|
PPC Mac cards do not provide connector tables in
their vbios. Their connector/encoder configurations
must be hardcoded in the driver.
verified by nyef on #radeon
Signed-off-by: Alex Deucher <[email protected]>
Cc: [email protected]
Signed-off-by: Dave Airlie <[email protected]>
|
|
drivers/gpu/drm/radeon/mkregtable.c:parser_auth() almost always remembers
to fclose(file) before returning, but it misses two spots.
This is not really important since the process will exit shortly after and
thus close the file for us, but being explicit prevents static analysis
tools from complaining about leaked memory and missing fclose() calls and
it also seems to be the prefered style of the existing code to explicitly
close the file.
So, here's a patch to add the two missing fclose() calls.
Signed-off-by: Jesper Juhl <[email protected]>
Signed-off-by: Dave Airlie <[email protected]>
|
|
- set scaler table clears the interleave bit, need to
reset it in encoder quirks, this was already done for
pre-dce4.
- remove the interleave settings from set_base() functions
this is now handled in the encoder quirks functions, and
isn't technically part of the display base setup.
- rename evergreen_do_set_base() to dce4_do_set_base() since
it's used on both evergreen and NI asics.
Fixes:
https://bugzilla.kernel.org/show_bug.cgi?id=28182
Signed-off-by: Alex Deucher <[email protected]>
Cc: [email protected]
Signed-off-by: Dave Airlie <[email protected]>
|
|
The old code dereferenced a value, the new code just needs to pass
the ptr.
fixes an oops looking at files in debugfs.
cc: [email protected]
Signed-off-by: Dave Airlie <[email protected]>
|
|
returns less than zero in kevent().
We'll leak the memory allocated to 'urb' in
drivers/net/usb/usbnet.c:kevent() when we 'goto fail_lowmem' and the 'urb'
variable goes out of scope while still completely unused.
Signed-off-by: Jesper Juhl <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
|
|
nla_nest_start() may return NULL. If it does then we'll blow up in
nla_nest_end() when we dereference the pointer.
Signed-off-by: Jesper Juhl <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
|
|
The app_data priority may not be the same for all net devices.
In order for stacks with application notifiers to identify the
specific net device dcb_app_type should be passed in the ptr.
This allows handlers to use dev_get_by_name() to pin priority
to net devices.
Signed-off-by: John Fastabend <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
|
|
* 'spi/merge' of git://git.secretlab.ca/git/linux-2.6:
devicetree-discuss is moderated for non-subscribers
MAINTAINERS: Add entry for GPIO subsystem
dt: add documentation of ARM dt boot interface
dt: Remove obsolete description of powerpc boot interface
dt: Move device tree documentation out of powerpc directory
spi/spi_sh_msiof: fix wrong address calculation, which leads to an Oops
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6:
ALSA: hda - add quirk for Ordissimo EVE using a realtek ALC662
ALSA: hrtimer: remove superfluous tasklet invocation
ALSA: hrtimer: handle delayed timer interrupts
ALSA: HDA: Add subwoofer quirk for Acer Aspire 8942G
ALSA: hda - Don't handle empty patch files
ALSA: hda - Fix missing CA initialization for HDMI/DP
ALSA: usbaudio - Enable the E-MU 0204 USB
ALSA: hda - switch lfe with side in mixer for 4930g
ASoC: Improve WM8994 digital power sequencing
ASoC: Create an AIF1ADCDAT signal widget to match AIF2
asoc: davinci: da830/omap-l137: correct cpu_dai_name
ASoC: fill in snd_soc_pcm_runtime.card before calling snd_soc_dai_link.init()
|
|
space read"
This reverts commit 47970b1b2aa64464bc0a9543e86361a622ae7c03.
It turns out it breaks several distributions. Looks like the stricter
selinux checks fail due to selinux policies not being set to allow the
access - breaking X, but also lspci.
So while the change was clearly the RightThing(tm) to do in theory, in
practice we have backwards compatibility issues making it not work.
Reported-by: Dave Young <[email protected]>
Acked-by: David Airlie <[email protected]>
Acked-by: Alex Riesen <[email protected]>
Cc: Eric Paris <[email protected]>
Cc: Chris Wright <[email protected]>
Cc: James Morris <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
|
|
|
|
|
|
Signed-off-by: Paul Bolle <[email protected]>
Signed-off-by: Grant Likely <[email protected]>
|
|
Signed-off-by: Kashyap Desai <[email protected]>
Signed-off-by: James Bottomley <[email protected]>
|
|
There's a branch at the end of this function that
is supposed to normalize the return value with what
the mid-layer expects. In this one case, we get it wrong.
Also increase the verbosity of the INFO level printk
at the end of mptscsih_abort to include the actual return value
and the scmd->serial_number. The reason being success
or failure is actually determined by the state of
the internal tag list when a TMF is issued, and not the
return value of the TMF cmd. The serial_number is also
used in this decision, thus it's useful to know for debugging
purposes.
Cc: [email protected]
Reported-by: Peter M. Petrakis <[email protected]>
Signed-off-by: Kashyap Desai <[email protected]>
Signed-off-by: James Bottomley <[email protected]>
|
|
Added missing release callback for file_operations mptctl_fops.
Without release callback there will be never freed. It remains on
mptctl's eent list even after the file is closed and released.
Relavent RHEL bugzilla is 660871
Cc: [email protected]
Signed-off-by: Kashyap Desai <[email protected]>
Signed-off-by: James Bottomley <[email protected]>
|
|
This patch moves a large number of memory release paths inside of the
configfs callback target_core_hba_item_ops->release() called from
within fs/configfs/item.c: config_item_cleanup() context. This patch
resolves the SLUB 'Poison overwritten' warnings.
Signed-off-by: Nicholas A. Bellinger <[email protected]>
Signed-off-by: James Bottomley <[email protected]>
|
|
This patch removes the legacy procfs based target_core_mib.c code,
and moves the necessary scsi_index_tables functions and defines into
target_core_transport.c and target_core_base.h code to allow existing
fabric independent statistics to function.
This includes the removal of a handful of 'atomic_t mib_ref_count'
counters used in struct se_node_acl, se_session and se_hba to prevent
removal while using seq_list procfs walking logic.
[jejb: fix up compile failures]
Signed-off-by: Nicholas A. Bellinger <[email protected]>
Signed-off-by: James Bottomley <[email protected]>
|
|
This patch fixes a bug introduced during the v4 control CDB emulation
refactoring that broke SCF_SCSI_CONTROL_SG_IO_CDB operation within
transport_map_control_cmd_to_task(). It moves the BUG_ON() into
transport_do_se_mem_map() after the TRANSPORT(dev)->do_se_mem_map()
RAMDISK_DR special case, and adds the proper struct se_mem assignment
when !list_empty() for normal non RAMDISK_DR backend device cases.
Reported-by: Kai-Thorsten Hambrecht <[email protected]>
Signed-off-by: Nicholas A. Bellinger <[email protected]>
Signed-off-by: James Bottomley <[email protected]>
|
|
I'll probably regret this....
Signed-off-by: Grant Likely <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
|
|
This patch fixes two bugs uncovered during testing with
slub_debug=FPUZ during module_exit() -> target_core_exit_configfs()
with release of configfs subsystem consumer default groups, namely how
this should be working with
fs/configfs/dir.c:configfs_unregister_subsystem() release logic for
struct config_group->default_group.
The first issue involves configfs_unregister_subsystem() expecting to
walk+drain the top-level subsys->su_group.default_groups directly in
unlink_group(), and not directly from the configfs subsystem consumer
for the top level struct config_group->default_groups. This patch
drops the walk+drain of subsys->su_group.default_groups from TCM
configfs subsystem consumer code, and moves the top-level
->default_groups kfree() after configfs_unregister_subsystem() has
been called.
The second issue involves calling
core_alua_free_lu_gp(se_global->default_lu_gp) to release the
default_lu_gp->lu_gp_group before configfs_unregister_subsystem() has
been called. This patches also moves the core_alua_free_lu_gp() call
to release default_lu_group->lu_gp_group after the subsys has been
unregistered.
Finally, this patch explictly clears the
[lu_gp,alua,hba]_cg->default_groups pointers after kfree() to ensure
that no stale memory is picked up from child struct
config_group->default_group[] while configfs_unregister_subsystem() is
called.
Reported-by: Fubo Chen <[email protected]>
Signed-off-by: Nicholas A. Bellinger <[email protected]>
Signed-off-by: James Bottomley <[email protected]>
|
|
The struct se_node_acl->device_list_lock needs to be released if either
sanity check for struct se_dev_entry->se_lun_acl or deve->se_lun fails.
Signed-off-by: Fubo Chen <[email protected]>
Signed-off-by: Nicholas A. Bellinger <[email protected]>
Signed-off-by: James Bottomley <[email protected]>
|
|
This patch fixes a bug in core_update_device_list_for_node() where
individual demo-mode generated MappedLUN's UA + Persistent
Reservations metadata where being leaked, instead of falling through
and calling existing core_scsi3_ua_release_all() and
core_scsi3_free_pr_reg_from_nacl() at the end of
core_update_device_list_for_node().
This bug would manifest itself with the following OOPs w/ TPG
demo-mode endpoints (tfo->tpg_check_demo_mode()=1), and PROUT
REGISTER+RESERVE -> explict struct se_session logout -> struct
se_device shutdown:
[ 697.021139] LIO_iblock used greatest stack depth: 2704 bytes left
[ 702.235017] general protection fault: 0000 [#1] SMP
[ 702.235074] last sysfs file: /sys/devices/virtual/net/lo/operstate
[ 704.372695] CPU 0
[ 704.372725] Modules linked in: crc32c target_core_stgt scsi_tgt target_core_pscsi target_core_file target_core_iblock target_core_mod configfs sr_mod cdrom sd_mod ata_piix mptspi mptscsih libata mptbase [last unloaded: iscsi_target_mod]
[ 704.375442]
[ 704.375563] Pid: 4964, comm: tcm_node Not tainted 2.6.37+ #1 440BX Desktop Reference Platform/VMware Virtual Platform
[ 704.375912] RIP: 0010:[<ffffffffa00aaa16>] [<ffffffffa00aaa16>] __core_scsi3_complete_pro_release+0x31/0x133 [target_core_mod]
[ 704.376017] RSP: 0018:ffff88001e5ffcb8 EFLAGS: 00010296
[ 704.376017] RAX: 6d32335b1b0a0d0a RBX: ffff88001d952cb0 RCX: 0000000000000015
[ 704.376017] RDX: ffff88001b428000 RSI: ffff88001da5a4c0 RDI: ffff88001e5ffcd8
[ 704.376017] RBP: ffff88001e5ffd28 R08: ffff88001e5ffcd8 R09: ffff88001d952080
[ 704.377116] R10: ffff88001dfc5480 R11: ffff88001df8abb0 R12: ffff88001d952cb0
[ 704.377319] R13: 0000000000000000 R14: ffff88001df8abb0 R15: ffff88001b428000
[ 704.377521] FS: 00007f033d15c6e0(0000) GS:ffff88001fa00000(0000) knlGS:0000000000000000
[ 704.377861] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 704.378043] CR2: 00007fff09281510 CR3: 000000001e5db000 CR4: 00000000000006f0
[ 704.378110] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 704.378110] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 704.378110] Process tcm_node (pid: 4964, threadinfo ffff88001e5fe000, task ffff88001d99c260)
[ 704.378110] Stack:
[ 704.378110] ffffea0000678980 ffff88001da5a4c0 ffffea0000678980 ffff88001f402b00
[ 704.378110] ffff88001e5ffd08 ffffffff810ea236 ffff88001e5ffd18 0000000000000282
[ 704.379772] ffff88001d952080 ffff88001d952cb0 ffff88001d952cb0 ffff88001dc79010
[ 704.380082] Call Trace:
[ 704.380220] [<ffffffff810ea236>] ? __slab_free+0x89/0x11c
[ 704.380403] [<ffffffffa00ab781>] core_scsi3_free_all_registrations+0x3e/0x157 [target_core_mod]
[ 704.380479] [<ffffffffa00a752b>] se_release_device_for_hba+0xa6/0xd8 [target_core_mod]
[ 704.380479] [<ffffffffa00a7598>] se_free_virtual_device+0x3b/0x45 [target_core_mod]
[ 704.383750] [<ffffffffa00a3177>] target_core_drop_subdev+0x13a/0x18d [target_core_mod]
[ 704.384068] [<ffffffffa00960db>] client_drop_item+0x25/0x31 [configfs]
[ 704.384263] [<ffffffffa00967b5>] configfs_rmdir+0x1a1/0x223 [configfs]
[ 704.384459] [<ffffffff810fa8cd>] vfs_rmdir+0x7e/0xd3
[ 704.384631] [<ffffffff810fc3be>] do_rmdir+0xa3/0xf4
[ 704.384895] [<ffffffff810eed15>] ? filp_close+0x67/0x72
[ 704.386485] [<ffffffff810fc446>] sys_rmdir+0x11/0x13
[ 704.387893] [<ffffffff81002a92>] system_call_fastpath+0x16/0x1b
[ 704.388083] Code: 4c 8d 45 b0 41 56 49 89 d7 41 55 41 89 cd 41 54 b9 15 00 00 00 53 48 89 fb 48 83 ec 48 4c 89 c7 48 89 75 98 48 8b 86 28 01 00 00 <48> 8b 80 90 01 00 00 48 89 45 a0 31 c0 f3 aa c7 45 ac 00 00 00
[ 704.388763] RIP [<ffffffffa00aaa16>] __core_scsi3_complete_pro_release+0x31/0x133 [target_core_mod]
[ 704.389142] RSP <ffff88001e5ffcb8>
[ 704.389572] ---[ end trace 2a3614f3cd6261a5 ]---
Signed-off-by: Nicholas A. Bellinger <[email protected]>
Signed-off-by: James Bottomley <[email protected]>
|
|
This patch adds an explict check for struct iblock_dev->ibd_bd in
iblock_free_device() before calling blkdev_put(), which will otherwise hit
the following NULL pointer dereference @ ib_dev->ibd_bd when iblock_create_virtdevice()
fails to claim an already in-use struct block_device via blkdev_get_by_path().
[ 112.528578] Target_Core_ConfigFS: Allocated struct se_subsystem_dev: ffff88001e750000 se_dev_su_ptr: ffff88001dd05d70
[ 112.534681] Target_Core_ConfigFS: Calling t->free_device() for se_dev_su_ptr: ffff88001dd05d70
[ 112.535029] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
[ 112.535029] IP: [<ffffffff814987a3>] mutex_lock+0x14/0x35
[ 112.535029] PGD 1e5d0067 PUD 1e274067 PMD 0
[ 112.535029] Oops: 0002 [#1] SMP
[ 112.535029] last sysfs file: /sys/devices/pci0000:00/0000:00:07.1/host2/target2:0:0/2:0:0:0/type
[ 112.535029] CPU 0
[ 112.535029] Modules linked in: iscsi_target_mod target_core_stgt scsi_tgt target_core_pscsi target_core_file target_core_iblock target_core_mod configfs sr_mod cdrom sd_mod ata_piix mptspi mptscsih libata mptbase [last unloaded: scsi_wait_scan]
[ 112.535029]
[ 112.535029] Pid: 3345, comm: python2.5 Not tainted 2.6.37+ #1 440BX Desktop Reference Platform/VMware Virtual Platform
[ 112.535029] RIP: 0010:[<ffffffff814987a3>] [<ffffffff814987a3>] mutex_lock+0x14/0x35
[ 112.535029] RSP: 0018:ffff88001e6d7d58 EFLAGS: 00010246
[ 112.535029] RAX: 0000000000000000 RBX: 0000000000000020 RCX: 0000000000000082
[ 112.535029] RDX: ffff88001e6d7fd8 RSI: 0000000000000083 RDI: 0000000000000020
[ 112.535029] RBP: ffff88001e6d7d68 R08: 0000000000000000 R09: 0000000000000000
[ 112.535029] R10: ffff8800000be860 R11: ffff88001f420000 R12: 0000000000000020
[ 112.535029] R13: 0000000000000083 R14: ffff88001d809430 R15: ffff88001d8094f8
[ 112.535029] FS: 00007ff17ca7d6e0(0000) GS:ffff88001fa00000(0000) knlGS:0000000000000000
[ 112.535029] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 112.535029] CR2: 0000000000000020 CR3: 000000001e5d2000 CR4: 00000000000006f0
[ 112.535029] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 112.535029] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 112.535029] Process python2.5 (pid: 3345, threadinfo ffff88001e6d6000, task ffff88001e2d0760)
[ 112.535029] Stack:
[ 112.535029] ffff88001e6d7d88 0000000000000000 ffff88001e6d7d98 ffffffff811187fc
[ 112.535029] ffff88001d809430 ffff88001dd05d70 ffff88001e750860 ffff88001e750000
[ 112.535029] ffff88001e6d7db8 ffffffffa00e3757 ffff88001e6d7db8 0000000000000004
[ 112.535029] Call Trace:
[ 112.535029] [<ffffffff811187fc>] blkdev_put+0x28/0x107
[ 112.535029] [<ffffffffa00e3757>] iblock_free_device+0x1d/0x36 [target_core_iblock]
[ 112.535029] [<ffffffffa00a319c>] target_core_drop_subdev+0x15f/0x18d [target_core_mod]
[ 112.535029] [<ffffffffa00960db>] client_drop_item+0x25/0x31 [configfs]
[ 112.535029] [<ffffffffa00967b5>] configfs_rmdir+0x1a1/0x223 [configfs]
[ 112.535029] [<ffffffff810fa8cd>] vfs_rmdir+0x7e/0xd3
[ 112.535029] [<ffffffff810fc3be>] do_rmdir+0xa3/0xf4
[ 112.535029] [<ffffffff810fc446>] sys_rmdir+0x11/0x13
[ 112.535029] [<ffffffff81002a92>] system_call_fastpath+0x16/0x1b
[ 112.535029] Code: 8b 04 25 88 b5 00 00 48 2d d8 1f 00 00 48 89 43 18 31 c0 5e 5b c9 c3 55 48 89 e5 53 48 89 fb 48 83 ec 08 e8 c4 f7 ff ff 48 89 df <3e> ff 0f 79 05 e8 1e ff ff ff 65 48 8b 04 25 88 b5 00 00 48 2d
[ 112.535029] RIP [<ffffffff814987a3>] mutex_lock+0x14/0x35
[ 112.535029] RSP <ffff88001e6d7d58>
[ 112.535029] CR2: 0000000000000020
[ 132.679636] ---[ end trace 05754bb48eb828f0 ]---
Note it also adds an second explict check for ib_dev->ibd_bio_set before calling
bioset_free() to fix the same possible NULL pointer deference during an early
iblock_create_virtdevice() failure.
Signed-off-by: Nicholas A. Bellinger <[email protected]>
Signed-off-by: James Bottomley <[email protected]>
|
|
blkdev_get_by_path() returns an ERR_PTR() or error and it doesn't return
a NULL. It looks like this bug would be easy to trigger by mistake.
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: Nicholas A. Bellinger <[email protected]>
Signed-off-by: James Bottomley <[email protected]>
|