- 02 Apr, 2012 18 commits
-
-
Supriya Karanth authored
commit 39287076 upstream. musb INDEX register is getting modified/corrupted during temporary un-locking in a SMP system. Set this register with proper value after re-acquiring the lock Scenario: --------- CPU1 is handling a data transfer completion interrupt received for the CLASS1 EP CPU2 is handling a CLASS2 thread which is queuing data to musb for transfer Below is the error sequence: CPU1 | CPU2 -------------------------------------------------------------------- Data transfer completion inter- | rupt recieved. | | musb INDEX reg set to CLASS1 EP | | musb LOCK is acquired. | | | CLASS2 thread queues data. | | CLASS2 thread tries to acquire musb | LOCK but lock is already taken by | CLASS1, so CLASS2 thread is | spinning. | From Interrupt Context musb | giveback function is called | | The giveback function releases | CLASS2 thread now acquires LOCK LOCK | | ClASS1 Request's completion cal-| ClASS2 schedules the data transfer and lback is called | sets the MUSB INDEX to Class2 EP number | Interrupt handler for CLASS1 EP | tries to acquire LOCK and is | spinning | | Interrupt for Class1 EP acquires| Class2 completes the scheduling etc and the MUSB LOCK | releases the musb LOCK | Interrupt for Class1 EP schedul-| es the next data transfer | but musb INDEX register is still| set to CLASS2 EP | Since the MUSB INDEX register is set to a different endpoint, we read and modify the wrong registers. Hence data transfer will not happen properly. This results in unpredictable behavior So, the MUSB INDEX register is set to proper value again when interrupt re-acquires the lock Signed-off-by:
Supriya Karanth <supriya.karanth@stericsson.com> Signed-off-by:
Praveena Nadahally <praveen.nadahally@stericsson.com> Reviewed-by:
srinidhi kasagar <srinidhi.kasagar@stericsson.com> Signed-off-by:
Felipe Balbi <balbi@ti.com>
-
Anton Tikhomirov authored
commit 27a78d6a upstream. It's wrong to use the size of array as an argument for strncat. Memory corruption is possible. strlcat is exactly what we need here. Signed-off-by:
Anton Tikhomirov <av.tikhomirov@samsung.com> Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
Paul Zimmerman authored
commit 9bafa56c upstream. Zero is a valid value for a microframe number. So remove the bogus test for non-zero in dwc3_gadget_start_isoc(). Signed-off-by:
Paul Zimmerman <paulz@synopsys.com> Signed-off-by:
-
Larry Finger authored
commit da3e6ec2 upstream. In commit c6dc001f "staging: r8712u: Merging Realtek's latest (v2.6.6). Various fixes", the returned qual.qual member of the iw_statistics struct was changed. For strong signals, this change made no difference; however for medium and weak signals it results in a low signal that shows considerable fluctuation, When using wicd for a medium-strength AP, the value reported in the status line is reduced from 100% to 60% by this bug. This problem is reported in https://bugzilla.kernel.org/show_bug.cgi?id=42826. Reported-and-tested-by:
Robert Crawford <wrc1944@gmail.com> Signed-off-by:
Larry Finger <Larry.Finger@lwfinger.net> Signed-off-by:
-
Larry Finger authored
commit 9f4bc8cf upstream. In commit a5ee6529 "staging: r8712u: Interface-state not fully tracked", the private boolean "bup" was set false when the interface was brought down, as that seemed appropriate. This change has not caused any problems when using NetworkManager or manual control of the device; however, when wicd control is used, there is a locking problem in wpa_supplicant, as shown in https://bugzilla.kernel.org/show_bug.cgi?id=42818. This fix reverts the only code change in commit a5ee6529. My analysis is that "bup" is badly named. In its present form, it seems to indicate the up/down state of the device, but its usage is more consistent with an initialized/uninitialized state. That problem will be addressed in a later patch. Note: Commit 8c213fa, which introdued asynchronous firmware loading for this driver, exposed this bug to a greater extent. That bug is addressed in the next patch in this series. This bug is also responsible for the bug in https://bugzilla.kernel.org/show_bug.cgi?id=42815. and this bug is also part of the problems discussed at https://bugs.archlinux.org/task/27996#comment89950. Tested-by:
Alberto Lago Ballesteros <saniukeokusainaya@gmail.com> Tested-by:
Adrian <agib@gmx.de> Signed-off-by:
-
Larry Finger authored
commit 07386343 upstream. When this driver was upgraded to the vendor 20100831 version in commit 93c55dda et al,, one listhead initialization was missed. This broke complete operation of the driver whenever AP mode was enabled. This fixes https://bugs.archlinux.org/task/27996. The configuration parameter R8712_AP is misleading as the driver cannot function as an AP without a heavily hacked version of hostapd. Thus, it makes sense to remove the parameter; however the code and data configured for the option is left in. Signed-off-by:
-
Shengzhou Liu authored
commit 28c56ea1 upstream. If USB UTMI PHY is not enable, writing to portsc register will lead to kernel hang during boot up. Signed-off-by:
Shengzhou Liu <Shengzhou.Liu@freescale.com> Reported-by:
Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by:
-
Michał Wróbel authored
commit 57e596f3 upstream. Signed-off-by:
Michał Wróbel <michal.wrobel@flytronic.pl> Signed-off-by:
-
Jim Paris authored
commit dc0827c1 upstream. Add PID 0x6015, corresponding to the new series of FT-X chips (FT220XD, FT201X, FT220X, FT221X, FT230X, FT231X, FT240X). They all appear as serial devices, and seem indistinguishable except for the default product string stored in their EEPROM. The baudrate generation matches FT232RL devices. Tested with a FT201X and FT230X at various baudrates (100 - 3000000). Sample dmesg: ftdi_sio: v1.6.0:USB FTDI Serial Converters Driver usb 2-1: new full-speed USB device number 6 using ohci_hcd usb 2-1: New USB device found, idVendor=0403, idProduct=6015 usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 usb 2-1: Product: FT230X USB Half UART usb 2-1: Manufacturer: FTDI usb 2-1: SerialNumber: DC001WI6 ftdi_sio 2-1:1.0: FTDI USB Serial Device converter detected drivers/usb/serial/ftdi_sio.c: ftdi_sio_port_probe drivers/usb/serial/ftdi_sio.c: ftdi_determine_type: bcdDevice = 0x1000, bNumInterfaces = 1 usb 2-1: Detected FT-X usb 2-1: Number of endpoints 2 usb 2-1: Endpoint 1 MaxPacketSize 64 usb 2-1: Endpoint 2 MaxPacketSize 64 usb 2-1: Setting MaxPacketSize 64 drivers/usb/serial/ftdi_sio.c: read_latency_timer drivers/usb/serial/ftdi_sio.c: write_latency_timer: setting latency timer = 1 drivers/usb/serial/ftdi_sio.c: create_sysfs_attrs drivers/usb/serial/ftdi_sio.c: sysfs attributes for FT-X usb 2-1: FTDI USB Serial Device converter now attached to ttyUSB0 Signed-off-by:
Jim Paris <jim@jtan.com> Signed-off-by:
-
Michał Wróbel authored
commit 47594d55 upstream. Signed-off-by:
-
Bruno Thomsen authored
commit c1cee1d8 upstream. Microchip VID (0x04d8) was mislabeled as Hornby VID according to USB-IDs. A Full Speed USB Demo Board PID (0x000a) was mislabeled as Hornby Elite (an Digital Command Controller Console for model railways). Most likely the Hornby based their design on PIC18F87J50 Full Speed USB Demo Board. Signed-off-by:
Bruno Thomsen <bruno.thomsen@gmail.com> Signed-off-by:
-
Peter Korsgaard authored
commit 444aa7fa upstream. BeagleBone changed to the default FTDI 0403:6010 id in rev A5 to make life easier for Windows users, so we need a similar workaround as the Calao board to support it. Signed-off-by:
Peter Korsgaard <jacmet@sunsite.dk> Signed-off-by:
-
Greg Kroah-Hartman authored
commit 656d2b39 upstream. On some misconfigured ftdi_sio devices, if the manufacturer string is NULL, the kernel will oops when the device is plugged in. This patch fixes the problem. Reported-by:
Wojciech M Zabolotny <W.Zabolotny@elka.pw.edu.pl> Tested-by:
-
Andrea Righi authored
commit cfbc6a92 upstream. Commit 9256a478 fixed a deadlock condition, being sure that the buddy list spinlock is always taken before the page spinlock. However in zbud_free_and_delist() locking order is the opposite (page lock -> list lock). Possible unsafe locking scenario (reported by lockdep): CPU0 CPU1 ---- ---- lock(&(&zbpg->lock)->rlock); lock(zbud_budlists_spinlock); lock(&(&zbpg->lock)->rlock); lock(zbud_budlists_spinlock); Fix by grabbing the locks in opposite order in zbud_free_and_delist(). Signed-off-by:
Andrea Righi <andrea@betterlinux.com> Signed-off-by:
-
Bjørn Mork authored
commit 5889d3d4 upstream. This device presents a total of 5 interfaces with ff/ff/ff class/subclass/protocol. The last one of these is verified to be a QMI/wwan combined interface which should be handled by the qmi_wwan driver, so we blacklist it here. Signed-off-by:
Bjørn Mork <bjorn@mork.no> Signed-off-by:
-
Bjørn Mork authored
commit 963940cf upstream. commit 0d905fd5 "USB: option: convert Huawei K3765, K4505, K4605 reservered interface to blacklist" accidentally ANDed two blacklist tests by leaving out a return. This was not noticed because the two consecutive bracketless if statements made it syntactically correct. Signed-off-by:
-
Daniele Palmas authored
commit 7204cf58 upstream. Adding PID for Telit CC864-SINGLE, CC864-DUAL and DE910-DUAL modems Signed-off-by:
Daniele Palmas <dnlplm@gmail.com> Signed-off-by:
-
Meng Zhang authored
commit 0d8520a1 upstream. Add MEDIATEK products to Option driver Signed-off-by:
Meng Zhang <meng.zhang@mediatek.com> Signed-off-by:
Matthias Urlichs <matthias@urlichs.de> Signed-off-by:
-
- 23 Mar, 2012 10 commits
-
-
Greg Kroah-Hartman authored
-
Benjamin Herrenschmidt authored
commit 78c5c68a upstream. The code for "powersurge" SMP would kick in and cause a crash at boot due to the lack of a NULL test. Signed-off-by:
Jeremy Kerr <jeremy.kerr@canonical.com> Reported-by:
Adam Conrad <adconrad@ubuntu.com> Tested-by:
-
Stanislaw Gruszka authored
commit 210787e8 upstream. On il3945_down procedure we free tx queue data and nullify il->txq pointer. After that we drop mutex and then cancel delayed works. There is possibility, that after drooping mutex and before the cancel, some delayed work will start and crash while trying to send commands to the device. For example, here is reported crash in il3945_bg_reg_txpower_periodic(): https://bugzilla.kernel.org/show_bug.cgi?id=42766#c10 Patch fix problem by adding il->txq check on works that send commands, hence utilize tx queue. Reported-by:
Clemens Eisserer <linuxhippy@gmail.com> Signed-off-by:
Stanislaw Gruszka <sgruszka@redhat.com> Signed-off-by:
John W. Linville <linville@tuxdriver.com>
-
RongQing.Li authored
[ Upstream commit c5779237 ] ip6_mc_find_dev_rcu() is called with rcu_read_lock(), so don't need to dev_hold(). With dev_hold(), not corresponding dev_put(), will lead to leak. [ bug introduced in 96b52e61 (ipv6: mcast: RCU conversions) ] Signed-off-by:
RongQing.Li <roy.qing.li@gmail.com> Acked-by:
Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
-
Eric Dumazet authored
[ Upstream commit dfd25fff ] commit ea4fc0d6 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) added a serious regression on synflood handling. Simon Kirby discovered a successful connection was delayed by 20 seconds before being responsive. In my tests, I discovered that xmit frames were lost, and needed ~4 retransmits and a socket dst rebuild before being really sent. In case of syncookie initiated connection, we use a different path to initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. As ip_queue_xmit() now depends on inet flow being setup, fix this by copying the temp flowi4 we use in cookie_v4_check(). Reported-by:
Simon Kirby <sim@netnation.com> Bisected-by:
-
Arnaldo Carvalho de Melo authored
commit e7f01d1e upstream. Several places were expecting that the value returned was the number of characters printed, not what would be printed if there was space. Fix it by using the scnprintf and vscnprintf variants we inherited from the kernel sources. Some corner cases where the number of printed characters were not accounted were fixed too. Reported-by:
Anton Blanchard <anton@samba.org> Cc: Anton Blanchard <anton@samba.org> Cc: Eric B Munson <emunson@mgebm.net> Cc: David Ahern <dsahern@gmail.com> Cc: Frederic Weisbecker <fweisbec@gmail.com> Cc: Mike Galbraith <efault@gmx.de> Cc: Paul Mackerras <paulus@samba.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Stephane Eranian <eranian@google.com> Cc: Yanmin Zhang <yanmin_zhang@linux.intel.com> Link: http://lkml.kernel.org/n/tip-kwxo2eh29cxmd8ilixi2005x@git.kernel.orgSigned-off-by:
Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by:
-
Anton Blanchard authored
commit b832796c upstream. I have a workload where perf top scribbles over the stack and we SEGV. What makes it interesting is that an snprintf is causing this. The workload is a c++ gem that has method names over 3000 characters long, but snprintf is designed to avoid overrunning buffers. So what went wrong? The problem is we assume snprintf returns the number of characters written: ret += repsep_snprintf(bf + ret, size - ret, "[%c] ", self->level); ... ret += repsep_snprintf(bf + ret, size - ret, "%s", self->ms.sym->name); Unfortunately this is not how snprintf works. snprintf returns the number of characters that would have been written if there was enough space. In the above case, if the first snprintf returns a value larger than size, we pass a negative size into the second snprintf and happily scribble over the stack. If you have 3000 character c++ methods thats a lot of stack to trample. This patch fixes repsep_snprintf by clamping the value at size - 1 which is the maximum snprintf can write before adding the NULL terminator. I get the sinking feeling that there are a lot of other uses of snprintf that have this same bug, we should audit them all. Cc: David Ahern <dsahern@gmail.com> Cc: Eric B Munson <emunson@mgebm.net> Cc: Frederic Weisbecker <fweisbec@gmail.com> Cc: Ingo Molnar <mingo@elte.hu> Cc: Paul Mackerras <paulus@samba.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Yanmin Zhang <yanmin_zhang@linux.intel.com> Link: http://lkml.kernel.org/r/20120307114249.44275ca3@krytenSigned-off-by:
-
Anton Blanchard authored
commit c0173863 upstream. When writing files to afs I sometimes hit a BUG: kernel BUG at fs/afs/rxrpc.c:179! With a backtrace of: afs_free_call afs_make_call afs_fs_store_data afs_vnode_store_data afs_write_back_from_locked_page afs_writepages_region afs_writepages The cause is: ASSERT(skb_queue_empty(&call->rx_queue)); Looking at a tcpdump of the session the abort happens because we are exceeding our disk quota: rx abort fs reply store-data error diskquota exceeded (32) So the abort error is valid. We hit the BUG because we haven't freed all the resources for the call. By freeing any skbs in call->rx_queue before calling afs_free_call we avoid hitting leaking memory and avoid hitting the BUG. Signed-off-by:
David Howells <dhowells@redhat.com> Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by:
-
Anton Blanchard authored
commit 2c724fb9 upstream. A read of a large file on an afs mount failed: # cat junk.file > /dev/null cat: junk.file: Bad message Looking at the trace, call->offset wrapped since it is only an unsigned short. In afs_extract_data: _enter("{%u},{%zu},%d,,%zu", call->offset, len, last, count); ... if (call->offset < count) { if (last) { _leave(" = -EBADMSG [%d < %zu]", call->offset, count); return -EBADMSG; } Which matches the trace: [cat ] ==> afs_extract_data({65132},{524},1,,65536) [cat ] <== afs_extract_data() = -EBADMSG [0 < 65536] call->offset went from 65132 to 0. Fix this by making call->offset an unsigned int. Signed-off-by:
-
Ryusuke Konishi authored
commit d7178c79 upstream. According to the report from Slicky Devil, nilfs caused kernel oops at nilfs_load_super_block function during mount after he shrank the partition without resizing the filesystem: BUG: unable to handle kernel NULL pointer dereference at 00000048 IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP ... Call Trace: [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2] [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2] [<c0226636>] mount_fs+0x36/0x180 [<c023d961>] vfs_kern_mount+0x51/0xa0 [<c023ddae>] do_kern_mount+0x3e/0xe0 [<c023f189>] do_mount+0x169/0x700 [<c023fa9b>] sys_mount+0x6b/0xa0 [<c04abd1f>] sysenter_do_call+0x12/0x28 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc CR2: 0000000000000048 This turned out due to a defect in an error path which runs if the calculated location of the secondary super block was invalid. This patch fixes it and eliminates the reported oops. Reported-by:
Slicky Devil <slicky.dvl@gmail.com> Signed-off-by:
Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp> Tested-by:
Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
-
- 19 Mar, 2012 12 commits
-
-
Greg Kroah-Hartman authored
-
Guenter Roeck authored
commit fecfb644 upstream. Intersil reports that all chips supported by the zl6100 driver require an interval between chip accesses, even ZL2004 and ZL6105 which were thought to be safe. Reported-by:
Vivek Gani <vgani@intersil.com> Signed-off-by:
Guenter Roeck <guenter.roeck@ericsson.com> Signed-off-by:
-
Nicholas Bellinger authored
commit 087a03b3 upstream. This patch addresses a bug with target_check_scsi2_reservation_conflict() return checking in target_scsi2_reservation_[reserve,release]() that was preventing CRH=1 operation from silently succeeding in the two special cases defined by SPC-3, and not failing with reservation conflict status when dealing with legacy RESERVE/RELEASE + active SPC-3 PR logic. Also explictly set cmd->scsi_status = SAM_STAT_RESERVATION_CONFLICT during the early non reservation holder failure from pr_ops->t10_seq_non_holder() check in transport_generic_cmd_sequencer() for fabrics that already expect it to be set. This bug was originally introduced in mainline commit: commit eacac00c Author: Christoph Hellwig <hch@infradead.org> Date: Thu Nov 3 17:50:40 2011 -0400 target: split core_scsi2_emulate_crh Reported-by:
Martin Svec <martin.svec@zoner.cz> Cc: Martin Svec <martin.svec@zoner.cz> Cc: Christoph Hellwig <hch@lst.de> Signed-off-by:
Nicholas Bellinger <nab@linux-iscsi.org> Signed-off-by:
-
Nicholas Bellinger authored
commit 00fdc6bb upstream. This patch addresses a iscsi-target specific bug related to reservation conflict handling in iscsit_handle_scsi_cmd() that has been causing reservation conflicts to complete and not fail as expected due to incorrect errno checking. The problem occured with the change to return -EBUSY from transport_generic_cmd_sequencer() -> transport_generic_allocate_tasks() failures, that broke iscsit_handle_scsi_cmd() checking for -EINVAL in order to invoke a non GOOD status response. This was manifesting itself as data corruption with legacy SPC-2 reservations, but also effects iscsi-target LUNs with SPC-3 persistent reservations. This bug was originally introduced in lio-core commit: commit 03e98c9e Author: Nicholas Bellinger <nab@linux-iscsi.org> Date: Fri Nov 4 02:36:16 2011 -0700 target: Address legacy PYX_TRANSPORT_* return code breakage Reported-by:
-
Ville Syrjala authored
commit 8ee161ce upstream. When the system is under heavy load, there can be a significant delay between the getscl() and time_after() calls inside sclhi(). That delay may cause the time_after() check to trigger after SCL has gone high, causing sclhi() to return -ETIMEDOUT. To fix the problem, double check that SCL is still low after the timeout has been reached, before deciding to return -ETIMEDOUT. Signed-off-by:
Ville Syrjala <syrjala@sci.fi> Signed-off-by:
Jean Delvare <khali@linux-fr.org> Signed-off-by:
-
Alexandre Bounine authored
commit 9bbad7da upstream. Fix indexed register offset definitions that use decimal (wrong) instead of hexadecimal (correct) notation for indexing multipliers. Incorrect definitions do not affect Tsi721 driver in its current default configuration because it uses only IDB queue 0. Loss of inbound doorbell functionality should be observed if queue other than 0 is used. Signed-off-by:
Alexandre Bounine <alexandre.bounine@idt.com> Cc: Matt Porter <mporter@kernel.crashing.org> Cc: Chul Kim <chul.kim@idt.com> Signed-off-by:
-
Jean Delvare authored
commit aacb6b00 upstream. Properly set the source of temp2 for the W83627UHG. Also fix a comment right before that, and document the W83627UHG as reporting up to 3 temperatures. Signed-off-by:
-
Guenter Roeck authored
commit 32260d94 upstream. The driver probe function leaked memory if creating the cpu0_vid attribute file failed. Fix by converting the driver to use devm_kzalloc. Signed-off-by:
Guenter Roeck <linux@roeck-us.net> Acked-by:
-
Guenter Roeck authored
commit 33fa9b62 upstream. NCT6775F and NCT6776F have their own set of registers for FAN_STOP_TIME. The correct registers were used to read FAN_STOP_TIME, but writes used the wrong registers. Fix it. Signed-off-by:
-
David S. Miller authored
commit e0adb990 upstream. Newer version of binutils are more strict about specifying the correct options to enable certain classes of instructions. The sparc32 build is done for v7 in order to support sun4c systems which lack hardware integer multiply and divide instructions. So we have to pass -Av8 when building the assembler routines that use these instructions and get patched into the kernel when we find out that we have a v8 capable cpu. Reported-by:
Paul Gortmaker <paul.gortmaker@windriver.com> Signed-off-by:
-
Alan Stern authored
commit 62d3c543 upstream. This patch (as1519) fixes a bug in the block layer's disk-events polling. The polling is done by a work routine queued on the system_nrt_wq workqueue. Since that workqueue isn't freezable, the polling continues even in the middle of a system sleep transition. Obviously, polling a suspended drive for media changes and such isn't a good thing to do; in the case of USB mass-storage devices it can lead to real problems requiring device resets and even re-enumeration. The patch fixes things by creating a new system-wide, non-reentrant, freezable workqueue and using it for disk-events polling. Signed-off-by:
Alan Stern <stern@rowland.harvard.edu> Acked-by:
Tejun Heo <tj@kernel.org> Acked-by:
Rafael J. Wysocki <rjw@sisk.pl> Signed-off-by:
Jens Axboe <axboe@kernel.dk> Signed-off-by:
-
Stanislaw Gruszka authored
commit 9f53d2fe upstream. The following situation might occur: __blkdev_get: add_disk: register_disk() get_gendisk() disk_block_events() disk->ev == NULL disk_add_events() __disk_unblock_events() disk->ev != NULL --ev->block Then we unblock events, when they are suppose to be blocked. This can trigger events related block/genhd.c warnings, but also can crash in sd_check_events() or other places. I'm able to reproduce crashes with the following scripts (with connected usb dongle as sdb disk). <snip> DEV=/dev/sdb ENABLE=/sys/bus/usb/devices/1-2/bConfigurationValue function stop_me() { for i in `jobs -p` ; do kill $i 2> /dev/null ; done exit } trap stop_me SIGHUP SIGINT SIGTERM for ((i = 0; i < 10; i++)) ; do while true; do fdisk -l $DEV 2>&1 > /dev/null ; done & done while true ; do echo 1 > $ENABLE sleep 1 echo 0 > $ENABLE done </snip> I use the script to verify patch fixing oops in sd_revalidate_disk http://marc.info/?l=linux-scsi&m=132935572512352&w=2 Without Jun'ichi Nomura patch titled "Fix NULL pointer dereference in sd_revalidate_disk" or this one, script easily crash kernel within a few seconds. With both patches applied I do not observe crash. Unfortunately after some time (dozen of minutes), script will hung in: [ 1563.906432] [<c08354f5>] schedule_timeout_uninterruptible+0x15/0x20 [ 1563.906437] [<c04532d5>] msleep+0x15/0x20 [ 1563.906443] [<c05d60b2>] blk_drain_queue+0x32/0xd0 [ 1563.906447] [<c05d6e00>] blk_cleanup_queue+0xd0/0x170 [ 1563.906454] [<c06d278f>] scsi_free_queue+0x3f/0x60 [ 1563.906459] [<c06d7e6e>] __scsi_remove_device+0x6e/0xb0 [ 1563.906463] [<c06d4aff>] scsi_forget_host+0x4f/0x60 [ 1563.906468] [<c06cd84a>] scsi_remove_host+0x5a/0xf0 [ 1563.906482] [<f7f030fb>] quiesce_and_remove_host+0x5b/0xa0 [usb_storage] [ 1563.906490] [<f7f03203>] usb_stor_disconnect+0x13/0x20 [usb_storage] Anyway I think this patch is some step forward. As drawback, I do not teardown on sysfs file create error, because I do not know how to nullify disk->ev (since it can be used). However add_disk error handling practically does not exist too, and things will work without this sysfs file, except events will not be exported to user space. Signed-off-by:
-
