1. 07 Mar, 2012 16 commits
  2. 06 Mar, 2012 18 commits
  3. 05 Mar, 2012 6 commits
    • Linus Torvalds's avatar
      Merge branch 'akpm' (Andrew's patch bomb) · 3e85fb9c
      Linus Torvalds authored
      Merge the emailed seties of 19 patches from Andrew Morton
      
      * akpm:
        rapidio/tsi721: fix queue wrapping bug in inbound doorbell handler
        memcg: fix mapcount check in move charge code for anonymous page
        mm: thp: fix BUG on mm->nr_ptes
        alpha: fix 32/64-bit bug in futex support
        memcg: fix GPF when cgroup removal races with last exit
        debugobjects: Fix selftest for static warnings
        floppy/scsi: fix setting of BIO flags
        memcg: fix deadlock by inverting lrucare nesting
        drivers/rtc/rtc-r9701.c: fix crash in r9701_remove()
        c2port: class_create() returns an ERR_PTR
        pps: class_create() returns an ERR_PTR, not NULL
        hung_task: fix the broken rcu_lock_break() logic
        vfork: kill PF_STARTING
        coredump_wait: don't call complete_vfork_done()
        vfork: make it killable
        vfork: introduce complete_vfork_done()
        aio: wake up waiters when freeing unused kiocbs
        kprobes: return proper error code from register_kprobe()
        kmsg_dump: don't run on non-error paths by default
      3e85fb9c
    • Alexandre Bounine's avatar
      rapidio/tsi721: fix queue wrapping bug in inbound doorbell handler · b24823e6
      Alexandre Bounine authored
      Fix a bug that causes a kernel panic when the number of received doorbells
      is larger than number of entries in the inbound doorbell queue (current
      default value = 512).
      
      Another possible indication for this bug is large number of spurious
      doorbells reported by tsi721 driver after reaching the queue size maximum.
      Signed-off-by: default avatarAlexandre Bounine <alexandre.bounine@idt.com>
      Cc: Chul Kim <chul.kim@idt.com>
      Cc: Matt Porter <mporter@kernel.crashing.org>
      Cc: <stable@vger.kernel.org>		[3.2.x+]
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      b24823e6
    • Naoya Horiguchi's avatar
      memcg: fix mapcount check in move charge code for anonymous page · e6ca7b89
      Naoya Horiguchi authored
      Currently the charge on shared anonyous pages is supposed not to moved in
      task migration.  To implement this, we need to check that mapcount > 1,
      instread of > 2.  So this patch fixes it.
      Signed-off-by: default avatarNaoya Horiguchi <n-horiguchi@ah.jp.nec.com>
      Reviewed-by: default avatarDaisuke Nishimura <nishimura@mxp.nes.nec.co.jp>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
      Cc: Hillf Danton <dhillf@gmail.com>
      Cc: Johannes Weiner <hannes@cmpxchg.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      e6ca7b89
    • Andrea Arcangeli's avatar
      mm: thp: fix BUG on mm->nr_ptes · 1c641e84
      Andrea Arcangeli authored
      Dave Jones reports a few Fedora users hitting the BUG_ON(mm->nr_ptes...)
      in exit_mmap() recently.
      
      Quoting Hugh's discovery and explanation of the SMP race condition:
      
        "mm->nr_ptes had unusual locking: down_read mmap_sem plus
         page_table_lock when incrementing, down_write mmap_sem (or mm_users
         0) when decrementing; whereas THP is careful to increment and
         decrement it under page_table_lock.
      
         Now most of those paths in THP also hold mmap_sem for read or write
         (with appropriate checks on mm_users), but two do not: when
         split_huge_page() is called by hwpoison_user_mappings(), and when
         called by add_to_swap().
      
         It's conceivable that the latter case is responsible for the
         exit_mmap() BUG_ON mm->nr_ptes that has been reported on Fedora."
      
      The simplest way to fix it without having to alter the locking is to make
      split_huge_page() a noop in nr_ptes terms, so by counting the preallocated
      pagetables that exists for every mapped hugepage.  It was an arbitrary
      choice not to count them and either way is not wrong or right, because
      they are not used but they're still allocated.
      Reported-by: default avatarDave Jones <davej@redhat.com>
      Reported-by: default avatarHugh Dickins <hughd@google.com>
      Signed-off-by: default avatarAndrea Arcangeli <aarcange@redhat.com>
      Acked-by: default avatarHugh Dickins <hughd@google.com>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Josh Boyer <jwboyer@redhat.com>
      Cc: <stable@vger.kernel.org>	[3.0.x, 3.1.x, 3.2.x]
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      1c641e84
    • Andrew Morton's avatar
      alpha: fix 32/64-bit bug in futex support · 62aca403
      Andrew Morton authored
      Michael Cree said:
      
      : : I have noticed some user space problems (pulseaudio crashes in pthread
      : : code, glibc/nptl test suite failures, java compiler freezes on SMP alpha
      : : systems) that arise when using a 2.6.39 or later kernel on Alpha.
      : : Bisecting between 2.6.38 and 2.6.39 (using glibc/nptl test suite as
      : : criterion for good/bad kernel) eventually leads to:
      : :
      : : 8d7718aa is the first bad commit
      : : commit 8d7718aa
      : : Author: Michel Lespinasse <walken@google.com>
      : : Date:   Thu Mar 10 18:50:58 2011 -0800
      : :
      : :     futex: Sanitize futex ops argument types
      : :
      : :     Change futex_atomic_op_inuser and futex_atomic_cmpxchg_inatomic
      : :     prototypes to use u32 types for the futex as this is the data type the
      : :     futex core code uses all over the place.
      : :
      : : Looking at the commit I see there is a change of the uaddr argument in
      : : the Alpha architecture specific code for futexes from int to u32, but I
      : : don't see why this should cause a problem.
      
      Richard Henderson said:
      
      : futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
      :                               u32 oldval, u32 newval)
      : ...
      :         :       "r"(uaddr), "r"((long)oldval), "r"(newval)
      :
      :
      : There is no 32-bit compare instruction.  These are implemented by
      : consistently extending the values to a 64-bit type.  Since the
      : load instruction sign-extends, we want to sign-extend the other
      : quantity as well (despite the fact it's logically unsigned).
      :
      : So:
      :
      : -        :       "r"(uaddr), "r"((long)oldval), "r"(newval)
      : +        :       "r"(uaddr), "r"((long)(int)oldval), "r"(newval)
      :
      : should do the trick.
      
      Michael said:
      
      : This fixes the glibc test suite failures and the pulseaudio related
      : crashes, but it does not fix the java compiiler lockups that I was (and
      : are still) observing.  That is some other problem.
      Reported-by: default avatarMichael Cree <mcree@orcon.net.nz>
      Tested-by: default avatarMichael Cree <mcree@orcon.net.nz>
      Acked-by: default avatarPhil Carmody <ext-phil.2.carmody@nokia.com>
      Cc: Richard Henderson <rth@twiddle.net>
      Cc: Michel Lespinasse <walken@google.com>
      Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
      Reviewed-by: default avatarMatt Turner <mattst88@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      62aca403
    • Hugh Dickins's avatar
      memcg: fix GPF when cgroup removal races with last exit · 7512102c
      Hugh Dickins authored
      When moving tasks from old memcg (with move_charge_at_immigrate on new
      memcg), followed by removal of old memcg, hit General Protection Fault in
      mem_cgroup_lru_del_list() (called from release_pages called from
      free_pages_and_swap_cache from tlb_flush_mmu from tlb_finish_mmu from
      exit_mmap from mmput from exit_mm from do_exit).
      
      Somewhat reproducible, takes a few hours: the old struct mem_cgroup has
      been freed and poisoned by SLAB_DEBUG, but mem_cgroup_lru_del_list() is
      still trying to update its stats, and take page off lru before freeing.
      
      A task, or a charge, or a page on lru: each secures a memcg against
      removal.  In this case, the last task has been moved out of the old memcg,
      and it is exiting: anonymous pages are uncharged one by one from the
      memcg, as they are zapped from its pagetables, so the charge gets down to
      0; but the pages themselves are queued in an mmu_gather for freeing.
      
      Most of those pages will be on lru (and force_empty is careful to
      lru_add_drain_all, to add pages from pagevec to lru first), but not
      necessarily all: perhaps some have been isolated for page reclaim, perhaps
      some isolated for other reasons.  So, force_empty may find no task, no
      charge and no page on lru, and let the removal proceed.
      
      There would still be no problem if these pages were immediately freed; but
      typically (and the put_page_testzero protocol demands it) they have to be
      added back to lru before they are found freeable, then removed from lru
      and freed.  We don't see the issue when adding, because the
      mem_cgroup_iter() loops keep their own reference to the memcg being
      scanned; but when it comes to mem_cgroup_lru_del_list().
      
      I believe this was not an issue in v3.2: there, PageCgroupAcctLRU and
      PageCgroupUsed flags were used (like a trick with mirrors) to deflect view
      of pc->mem_cgroup to the stable root_mem_cgroup when neither set.
      38c5d72f ("memcg: simplify LRU handling by new rule") mercifully
      removed those convolutions, but left this General Protection Fault.
      
      But it's surprisingly easy to restore the old behaviour: just check
      PageCgroupUsed in mem_cgroup_lru_add_list() (which decides on which lruvec
      to add), and reset pc to root_mem_cgroup if page is uncharged.  A risky
      change?  just going back to how it worked before; testing, and an audit of
      uses of pc->mem_cgroup, show no problem.
      
      And there's a nice bonus: with mem_cgroup_lru_add_list() itself making
      sure that an uncharged page goes to root lru, mem_cgroup_reset_owner() no
      longer has any purpose, and we can safely revert 4e5f01c2 ("memcg:
      clear pc->mem_cgroup if necessary").
      
      Calling update_page_reclaim_stat() after add_page_to_lru_list() in swap.c
      is not strictly necessary: the lru_lock there, with RCU before memcg
      structures are freed, makes mem_cgroup_get_reclaim_stat_from_page safe
      without that; but it seems cleaner to rely on one dependency less.
      Signed-off-by: default avatarHugh Dickins <hughd@google.com>
      Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
      Cc: Johannes Weiner <hannes@cmpxchg.org>
      Cc: Konstantin Khlebnikov <khlebnikov@openvz.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      7512102c