1. 08 Nov, 2011 2 commits
    • Josef Bacik's avatar
      Btrfs: fix our reservations for updating an inode when completing io · 7fd2ae21
      Josef Bacik authored
      People have been reporting ENOSPC crashes in finish_ordered_io.  This is because
      we try to steal from the delalloc block rsv to satisfy a reservation to update
      the inode.  The problem with this is we don't explicitly save space for updating
      the inode when doing delalloc.  This is kind of a problem and we've gotten away
      with this because way back when we just stole from the delalloc reserve without
      any questions, and this worked out fine because generally speaking the leaf had
      been modified either by the mtime update when we did the original write or
      because we just updated the leaf when we inserted the file extent item, only on
      rare occasions had the leaf not actually been modified, and that was still ok
      because we'd just use a block or two out of the over-reservation that is
      delalloc.
      
      Then came the delayed inode stuff.  This is amazing, except it wants a full
      reservation for updating the inode since it may do it at some point down the
      road after we've written the blocks and we have to recow everything again.  This
      worked out because the delayed inode stuff just stole from the global reserve,
      that is until recently when I changed that because it caused other problems.
      
      So here we are, we're doing everything right and being screwed for it.  So take
      an extra reservation for the inode at delalloc reservation time and carry it
      through the life of the delalloc reservation.  If we need it we can steal it in
      the delayed inode stuff.  If we have already stolen it try and do a normal
      metadata reservation.  If that fails try to steal from the delalloc reservation.
      If _that_ fails we'll get a WARN_ON() so I can start thinking of a better way to
      solve this and in the meantime we'll steal from the global reserve.
      
      With this patch I ran xfstests 13 in a loop for a couple of hours and didn't see
      any problems.
      Signed-off-by: default avatarJosef Bacik <josef@redhat.com>
      Signed-off-by: default avatarChris Mason <chris.mason@oracle.com>
      7fd2ae21
    • Chris Mason's avatar
      Btrfs: fix oops on NULL trans handle in btrfs_truncate · 917c16b2
      Chris Mason authored
      If we fail to reserve space in the transaction during truncate, we can
      error out with a NULL trans handle.  The cleanup code needs an extra
      check to make sure we aren't trying to use the bad handle.
      Signed-off-by: default avatarChris Mason <chris.mason@oracle.com>
      917c16b2
  2. 07 Nov, 2011 1 commit
    • slyich@gmail.com's avatar
      btrfs: fix double-free 'tree_root' in 'btrfs_mount()' · 45ea6095
      slyich@gmail.com authored
      On error path 'tree_root' is treed in 'free_fs_info()'.
      No need to free it explicitely. Noticed by SLUB in debug mode:
      
      Complete reproducer under usermode linux (discovered on real
      machine):
      
          bdev=/dev/ubda
          btr_root=/btr
          /mkfs.btrfs $bdev
          mount $bdev $btr_root
          mkdir $btr_root/subvols/
          cd $btr_root/subvols/
          /btrfs su cr foo
          /btrfs su cr bar
          mount $bdev -osubvol=subvols/foo $btr_root/subvols/bar
          umount $btr_root/subvols/bar
      
      which gives
      
      device fsid 4d55aa28-45b1-474b-b4ec-da912322195e devid 1 transid 7 /dev/ubda
      =============================================================================
      BUG kmalloc-2048: Object already free
      -----------------------------------------------------------------------------
      
      INFO: Allocated in btrfs_mount+0x389/0x7f0 age=0 cpu=0 pid=277
      INFO: Freed in btrfs_mount+0x51c/0x7f0 age=0 cpu=0 pid=277
      INFO: Slab 0x0000000062886200 objects=15 used=9 fp=0x0000000070b4d2d0 flags=0x4081
      INFO: Object 0x0000000070b4d2d0 @offset=21200 fp=0x0000000070b4a968
      ...
      Call Trace:
      70b31948:  [<6008c522>] print_trailer+0xe2/0x130
      70b31978:  [<6008c5aa>] object_err+0x3a/0x50
      70b319a8:  [<6008e242>] free_debug_processing+0x142/0x2a0
      70b319e0:  [<600ebf6f>] btrfs_mount+0x55f/0x7f0
      70b319f8:  [<6008e5c1>] __slab_free+0x221/0x2d0
      Signed-off-by: default avatarSergei Trofimovich <slyfox@gentoo.org>
      Cc: Arne Jansen <sensille@gmx.net>
      Cc: Chris Mason <chris.mason@oracle.com>
      Cc: David Sterba <dsterba@suse.cz>
      Signed-off-by: default avatarChris Mason <chris.mason@oracle.com>
      45ea6095
  3. 06 Nov, 2011 22 commits
  4. 24 Oct, 2011 8 commits
  5. 23 Oct, 2011 3 commits
  6. 21 Oct, 2011 4 commits
    • Domenico Andreoli's avatar
      ARM: S3C24XX: Fix s3c24xx build errors if !CONFIG_PM · fb630b9f
      Domenico Andreoli authored
      v2:
      - register_syscore_ops(&s3c24xx_irq_syscore_ops) does not need to be
        conditionally compiled out, it is already optimized out on !CONFIG_PM
      - fix also s3c2412 and s3c2416 affected by the same build issue
      
      v1:
      s3c2440.c fails to build if !CONFIG_PM because in such case
      s3c2410_pm_syscore_ops is not defined. Same error should happen also
      in s3c2410.c and s3c2442.c
      Signed-off-by: default avatarDomenico Andreoli <cavokz@gmail.com>
      Signed-off-by: default avatarKukjin Kim <kgene.kim@samsung.com>
      fb630b9f
    • Linus Torvalds's avatar
      Merge git://github.com/herbertx/crypto · 2efd7c0f
      Linus Torvalds authored
      * git://github.com/herbertx/crypto:
        crypto: ghash - Avoid null pointer dereference if no key is set
      2efd7c0f
    • Linus Torvalds's avatar
      Merge branch 'fix/hda' of git://github.com/tiwai/sound · 62ddc004
      Linus Torvalds authored
      * 'fix/hda' of git://github.com/tiwai/sound:
        ALSA: HDA: conexant support for Lenovo T520/W520
        ALSA: hda - Add position_fix quirk for Dell Inspiron 1010
      62ddc004
    • Nick Bowler's avatar
      crypto: ghash - Avoid null pointer dereference if no key is set · 7ed47b7d
      Nick Bowler authored
      The ghash_update function passes a pointer to gf128mul_4k_lle which will
      be NULL if ghash_setkey is not called or if the most recent call to
      ghash_setkey failed to allocate memory.  This causes an oops.  Fix this
      up by returning an error code in the null case.
      
      This is trivially triggered from unprivileged userspace through the
      AF_ALG interface by simply writing to the socket without setting a key.
      
      The ghash_final function has a similar issue, but triggering it requires
      a memory allocation failure in ghash_setkey _after_ at least one
      successful call to ghash_update.
      
        BUG: unable to handle kernel NULL pointer dereference at 00000670
        IP: [<d88c92d4>] gf128mul_4k_lle+0x23/0x60 [gf128mul]
        *pde = 00000000
        Oops: 0000 [#1] PREEMPT SMP
        Modules linked in: ghash_generic gf128mul algif_hash af_alg nfs lockd nfs_acl sunrpc bridge ipv6 stp llc
      
        Pid: 1502, comm: hashatron Tainted: G        W   3.1.0-rc9-00085-ge9308cfd #32 Bochs Bochs
        EIP: 0060:[<d88c92d4>] EFLAGS: 00000202 CPU: 0
        EIP is at gf128mul_4k_lle+0x23/0x60 [gf128mul]
        EAX: d69db1f0 EBX: d6b8ddac ECX: 00000004 EDX: 00000000
        ESI: 00000670 EDI: d6b8ddac EBP: d6b8ddc8 ESP: d6b8dda4
         DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
        Process hashatron (pid: 1502, ti=d6b8c000 task=d6810000 task.ti=d6b8c000)
        Stack:
         00000000 d69db1f0 00000163 00000000 d6b8ddc8 c101a520 d69db1f0 d52aa000
         00000ff0 d6b8dde8 d88d310f d6b8a3f8 d52aa000 00001000 d88d502c d6b8ddfc
         00001000 d6b8ddf4 c11676ed d69db1e8 d6b8de24 c11679ad d52aa000 00000000
        Call Trace:
         [<c101a520>] ? kmap_atomic_prot+0x37/0xa6
         [<d88d310f>] ghash_update+0x85/0xbe [ghash_generic]
         [<c11676ed>] crypto_shash_update+0x18/0x1b
         [<c11679ad>] shash_ahash_update+0x22/0x36
         [<c11679cc>] shash_async_update+0xb/0xd
         [<d88ce0ba>] hash_sendpage+0xba/0xf2 [algif_hash]
         [<c121b24c>] kernel_sendpage+0x39/0x4e
         [<d88ce000>] ? 0xd88cdfff
         [<c121b298>] sock_sendpage+0x37/0x3e
         [<c121b261>] ? kernel_sendpage+0x4e/0x4e
         [<c10b4dbc>] pipe_to_sendpage+0x56/0x61
         [<c10b4e1f>] splice_from_pipe_feed+0x58/0xcd
         [<c10b4d66>] ? splice_from_pipe_begin+0x10/0x10
         [<c10b51f5>] __splice_from_pipe+0x36/0x55
         [<c10b4d66>] ? splice_from_pipe_begin+0x10/0x10
         [<c10b6383>] splice_from_pipe+0x51/0x64
         [<c10b63c2>] ? default_file_splice_write+0x2c/0x2c
         [<c10b63d5>] generic_splice_sendpage+0x13/0x15
         [<c10b4d66>] ? splice_from_pipe_begin+0x10/0x10
         [<c10b527f>] do_splice_from+0x5d/0x67
         [<c10b6865>] sys_splice+0x2bf/0x363
         [<c129373b>] ? sysenter_exit+0xf/0x16
         [<c104dc1e>] ? trace_hardirqs_on_caller+0x10e/0x13f
         [<c129370c>] sysenter_do_call+0x12/0x32
        Code: 83 c4 0c 5b 5e 5f c9 c3 55 b9 04 00 00 00 89 e5 57 8d 7d e4 56 53 8d 5d e4 83 ec 18 89 45 e0 89 55 dc 0f b6 70 0f c1 e6 04 01 d6 <f3> a5 be 0f 00 00 00 4e 89 d8 e8 48 ff ff ff 8b 45 e0 89 da 0f
        EIP: [<d88c92d4>] gf128mul_4k_lle+0x23/0x60 [gf128mul] SS:ESP 0068:d6b8dda4
        CR2: 0000000000000670
        ---[ end trace 4eaa2a86a8e2da24 ]---
        note: hashatron[1502] exited with preempt_count 1
        BUG: scheduling while atomic: hashatron/1502/0x10000002
        INFO: lockdep is turned off.
        [...]
      Signed-off-by: default avatarNick Bowler <nbowler@elliptictech.com>
      Cc: stable@kernel.org [2.6.37+]
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      7ed47b7d