1. 03 Apr, 2013 12 commits
    • ycnian@gmail.com's avatar
      nfsd: fix bug on nfs4 stateid deallocation · 491402a7
      ycnian@gmail.com authored
      NFS4_OO_PURGE_CLOSE is not handled properly. To avoid memory leak, nfs4
      stateid which is pointed by oo_last_closed_stid is freed in nfsd4_close(),
      but NFS4_OO_PURGE_CLOSE isn't cleared meanwhile. So the stateid released in
      THIS close procedure may be freed immediately in the coming encoding function.
      Sorry that Signed-off-by was forgotten in last version.
      Signed-off-by: default avatarYanchuan Nian <ycnian@gmail.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      491402a7
    • Yanchuan Nian's avatar
      nfsd: remove unused macro in nfsv4 · 9c6bdbb8
      Yanchuan Nian authored
      lk_rflags is never used anywhere, and rflags is not defined in struct
      nfsd4_lock.
      Signed-off-by: default avatarYanchuan Nian <ycnian@gmail.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      9c6bdbb8
    • J. Bruce Fields's avatar
      nfsd4: fix use-after-free of 4.1 client on connection loss · 2e4b7239
      J. Bruce Fields authored
      Once we drop the lock here there's nothing keeping the client around:
      the only lock still held is the xpt_lock on this socket, but this socket
      no longer has any connection with the client so there's no way for other
      code to know we're still using the client.
      
      The solution is simple: all nfsd4_probe_callback does is set a few
      variables and queue some work, so there's no reason we can't just keep
      it under the lock.
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      2e4b7239
    • J. Bruce Fields's avatar
      nfsd4: fix race on client shutdown · b0a9d3ab
      J. Bruce Fields authored
      Dropping the session's reference count after the client's means we leave
      a window where the session's se_client pointer is NULL.  An xpt_user
      callback that encounters such a session may then crash:
      
      [  303.956011] BUG: unable to handle kernel NULL pointer dereference at 0000000000000318
      [  303.959061] IP: [<ffffffff81481a8e>] _raw_spin_lock+0x1e/0x40
      [  303.959061] PGD 37811067 PUD 3d498067 PMD 0
      [  303.959061] Oops: 0002 [#8] PREEMPT SMP
      [  303.959061] Modules linked in: md5 nfsd auth_rpcgss nfs_acl snd_hda_intel snd_hda_codec snd_hwdep snd_pcm snd_page_alloc microcode psmouse snd_timer serio_raw pcspkr evdev snd soundcore i2c_piix4 i2c_core intel_agp intel_gtt processor button nfs lockd sunrpc fscache ata_generic pata_acpi ata_piix uhci_hcd libata btrfs usbcore usb_common crc32c scsi_mod libcrc32c zlib_deflate floppy virtio_balloon virtio_net virtio_pci virtio_blk virtio_ring virtio
      [  303.959061] CPU 0
      [  303.959061] Pid: 264, comm: nfsd Tainted: G      D      3.8.0-ARCH+ #156 Bochs Bochs
      [  303.959061] RIP: 0010:[<ffffffff81481a8e>]  [<ffffffff81481a8e>] _raw_spin_lock+0x1e/0x40
      [  303.959061] RSP: 0018:ffff880037877dd8  EFLAGS: 00010202
      [  303.959061] RAX: 0000000000000100 RBX: ffff880037a2b698 RCX: ffff88003d879278
      [  303.959061] RDX: ffff88003d879278 RSI: dead000000100100 RDI: 0000000000000318
      [  303.959061] RBP: ffff880037877dd8 R08: ffff88003c5a0f00 R09: 0000000000000002
      [  303.959061] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
      [  303.959061] R13: 0000000000000318 R14: ffff880037a2b680 R15: ffff88003c1cbe00
      [  303.959061] FS:  0000000000000000(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
      [  303.959061] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      [  303.959061] CR2: 0000000000000318 CR3: 000000003d49c000 CR4: 00000000000006f0
      [  303.959061] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  303.959061] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      [  303.959061] Process nfsd (pid: 264, threadinfo ffff880037876000, task ffff88003c1fd0a0)
      [  303.959061] Stack:
      [  303.959061]  ffff880037877e08 ffffffffa03772ec ffff88003d879000 ffff88003d879278
      [  303.959061]  ffff88003d879080 0000000000000000 ffff880037877e38 ffffffffa0222a1f
      [  303.959061]  0000000000107ac0 ffff88003c22e000 ffff88003d879000 ffff88003c1cbe00
      [  303.959061] Call Trace:
      [  303.959061]  [<ffffffffa03772ec>] nfsd4_conn_lost+0x3c/0xa0 [nfsd]
      [  303.959061]  [<ffffffffa0222a1f>] svc_delete_xprt+0x10f/0x180 [sunrpc]
      [  303.959061]  [<ffffffffa0223d96>] svc_recv+0xe6/0x580 [sunrpc]
      [  303.959061]  [<ffffffffa03587c5>] nfsd+0xb5/0x140 [nfsd]
      [  303.959061]  [<ffffffffa0358710>] ? nfsd_destroy+0x90/0x90 [nfsd]
      [  303.959061]  [<ffffffff8107ae00>] kthread+0xc0/0xd0
      [  303.959061]  [<ffffffff81010000>] ? perf_trace_xen_mmu_set_pte_at+0x50/0x100
      [  303.959061]  [<ffffffff8107ad40>] ? kthread_freezable_should_stop+0x70/0x70
      [  303.959061]  [<ffffffff814898ec>] ret_from_fork+0x7c/0xb0
      [  303.959061]  [<ffffffff8107ad40>] ? kthread_freezable_should_stop+0x70/0x70
      [  303.959061] Code: ff ff 5d c3 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 65 48 8b 04 25 f0 c6 00 00 48 89 e5 83 80 44 e0 ff ff 01 b8 00 01 00 00 <3e> 66 0f c1 07 0f b6 d4 38 c2 74 0f 66 0f 1f 44 00 00 f3 90 0f
      [  303.959061] RIP  [<ffffffff81481a8e>] _raw_spin_lock+0x1e/0x40
      [  303.959061]  RSP <ffff880037877dd8>
      [  303.959061] CR2: 0000000000000318
      [  304.001218] ---[ end trace 2d809cd4a7931f5a ]---
      [  304.001903] note: nfsd[264] exited with preempt_count 2
      Reported-by: default avatarBryan Schumaker <bjschuma@netapp.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      b0a9d3ab
    • J. Bruce Fields's avatar
      nfsd4: handle seqid-mutating open errors from xdr decoding · 9d313b17
      J. Bruce Fields authored
      If a client sets an owner (or group_owner or acl) attribute on open for
      create, and the mapping of that owner to an id fails, then we return
      BAD_OWNER.  But BAD_OWNER is a seqid-mutating error, so we can't
      shortcut the open processing that case: we have to at least look up the
      owner so we can find the seqid to bump.
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      9d313b17
    • J. Bruce Fields's avatar
      nfsd4: remove BUG_ON · b600de7a
      J. Bruce Fields authored
      This BUG_ON just crashes the thread a little earlier than it would
      otherwise--it doesn't seem useful.
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      b600de7a
    • Jeff Layton's avatar
      nfsd: scale up the number of DRC hash buckets with cache size · 0733c7ba
      Jeff Layton authored
      We've now increased the size of the duplicate reply cache by quite a
      bit, but the number of hash buckets has not changed. So, we've gone from
      an average hash chain length of 16 in the old code to 4096 when the
      cache is its largest. Change the code to scale out the number of buckets
      with the max size of the cache.
      
      At the same time, we also need to fix the hash function since the
      existing one isn't really suitable when there are more than 256 buckets.
      Move instead to use the stock hash_32 function for this. Testing on a
      machine that had 2048 buckets showed that this gave a smaller
      longest:average ratio than the existing hash function:
      
      The formula here is longest hash bucket searched divided by average
      number of entries per bucket at the time that we saw that longest
      bucket:
      
          old hash: 68/(39258/2048) == 3.547404
          hash_32:  45/(33773/2048) == 2.728807
      Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      0733c7ba
    • Jeff Layton's avatar
      nfsd: keep stats on worst hash balancing seen so far · 98d821bd
      Jeff Layton authored
      The typical case with the DRC is a cache miss, so if we keep track of
      the max number of entries that we've ever walked over in a search, then
      we should have a reasonable estimate of the longest hash chain that
      we've ever seen.
      
      With that, we'll also keep track of the total size of the cache when we
      see the longest chain. In the case of a tie, we prefer to track the
      smallest total cache size in order to properly gauge the worst-case
      ratio of max vs. avg chain length.
      Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      98d821bd
    • Jeff Layton's avatar
      nfsd: add new reply_cache_stats file in nfsdfs · a2f999a3
      Jeff Layton authored
      For presenting statistics relating to duplicate reply cache.
      Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      a2f999a3
    • Jeff Layton's avatar
      6c6910cd
    • Jeff Layton's avatar
      nfsd: break out comparator into separate function · 9dc56143
      Jeff Layton authored
      Break out the function that compares the rqstp and checksum against a
      reply cache entry. While we're at it, track the efficacy of the checksum
      over the NFS data by tracking the cases where we would have incorrectly
      matched a DRC entry if we had not tracked it or the length.
      Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      9dc56143
    • Jeff Layton's avatar
      nfsd: eliminate one of the DRC cache searches · 0b9ea37f
      Jeff Layton authored
      The most common case is to do a search of the cache, followed by an
      insert. In the case where we have to allocate an entry off the slab,
      then we end up having to redo the search, which is wasteful.
      
      Better optimize the code for the common case by eliminating the initial
      search of the cache and always preallocating an entry. In the case of a
      cache hit, we'll end up just freeing that entry but that's preferable to
      an extra search.
      Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      0b9ea37f
  2. 26 Mar, 2013 1 commit
  3. 22 Mar, 2013 1 commit
  4. 18 Mar, 2013 2 commits
  5. 17 Mar, 2013 4 commits
    • Linus Torvalds's avatar
      Linux 3.9-rc3 · a937536b
      Linus Torvalds authored
      a937536b
    • David Rientjes's avatar
      perf,x86: fix link failure for non-Intel configs · 6c4d3bc9
      David Rientjes authored
      Commit 1d9d8639 ("perf,x86: fix kernel crash with PEBS/BTS after
      suspend/resume") introduces a link failure since
      perf_restore_debug_store() is only defined for CONFIG_CPU_SUP_INTEL:
      
      	arch/x86/power/built-in.o: In function `restore_processor_state':
      	(.text+0x45c): undefined reference to `perf_restore_debug_store'
      
      Fix it by defining the dummy function appropriately.
      Signed-off-by: default avatarDavid Rientjes <rientjes@google.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      6c4d3bc9
    • Linus Torvalds's avatar
      perf,x86: fix wrmsr_on_cpu() warning on suspend/resume · 2a6e06b2
      Linus Torvalds authored
      Commit 1d9d8639 ("perf,x86: fix kernel crash with PEBS/BTS after
      suspend/resume") fixed a crash when doing PEBS performance profiling
      after resuming, but in using init_debug_store_on_cpu() to restore the
      DS_AREA mtrr it also resulted in a new WARN_ON() triggering.
      
      init_debug_store_on_cpu() uses "wrmsr_on_cpu()", which in turn uses CPU
      cross-calls to do the MSR update.  Which is not really valid at the
      early resume stage, and the warning is quite reasonable.  Now, it all
      happens to _work_, for the simple reason that smp_call_function_single()
      ends up just doing the call directly on the CPU when the CPU number
      matches, but we really should just do the wrmsr() directly instead.
      
      This duplicates the wrmsr() logic, but hopefully we can just remove the
      wrmsr_on_cpu() version eventually.
      Reported-and-tested-by: default avatarParag Warudkar <parag.lkml@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      2a6e06b2
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs · 08637024
      Linus Torvalds authored
      Pull btrfs fixes from Chris Mason:
       "Eric's rcu barrier patch fixes a long standing problem with our
        unmount code hanging on to devices in workqueue helpers.  Liu Bo
        nailed down a difficult assertion for in-memory extent mappings."
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
        Btrfs: fix warning of free_extent_map
        Btrfs: fix warning when creating snapshots
        Btrfs: return as soon as possible when edquot happens
        Btrfs: return EIO if we have extent tree corruption
        btrfs: use rcu_barrier() to wait for bdev puts at unmount
        Btrfs: remove btrfs_try_spin_lock
        Btrfs: get better concurrency for snapshot-aware defrag work
      08637024
  6. 16 Mar, 2013 8 commits
    • Liu Bo's avatar
      Btrfs: fix warning of free_extent_map · 3b277594
      Liu Bo authored
      Users report that an extent map's list is still linked when it's actually
      going to be freed from cache.
      
      The story is that
      
      a) when we're going to drop an extent map and may split this large one into
      smaller ems, and if this large one is flagged as EXTENT_FLAG_LOGGING which means
      that it's on the list to be logged, then the smaller ems split from it will also
      be flagged as EXTENT_FLAG_LOGGING, and this is _not_ expected.
      
      b) we'll keep ems from unlinking the list and freeing when they are flagged with
      EXTENT_FLAG_LOGGING, because the log code holds one reference.
      
      The end result is the warning, but the truth is that we set the flag
      EXTENT_FLAG_LOGGING only during fsync.
      
      So clear flag EXTENT_FLAG_LOGGING for extent maps split from a large one.
      Reported-by: default avatarJohannes Hirte <johannes.hirte@fem.tu-ilmenau.de>
      Reported-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: default avatarLiu Bo <bo.li.liu@oracle.com>
      Signed-off-by: default avatarChris Mason <chris.mason@fusionio.com>
      3b277594
    • Linus Torvalds's avatar
      Merge branch 'kbuild' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild · e2043785
      Linus Torvalds authored
      Pull kbuild fix from Michal Marek:
       "One fix for for make headers_install/headers_check to not require make
        3.81.  The requirement has been accidentally introduced in 3.7."
      
      * 'kbuild' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild:
        kbuild: fix make headers_check with make 3.80
      e2043785
    • Linus Torvalds's avatar
      Merge tag 'for-3.9-rc3' of git://openrisc.net/jonas/linux · 23659587
      Linus Torvalds authored
      Pull OpenRISC bug fixes from Jonas Bonn:
      
       - The GPIO descriptor work has exposed how broken the non-GPIOLIB bits
         for OpenRISC were.  We now require GPIOLIB as this is the preferred
         way forward.
      
       - The system.h split introduced a bug in llist.h for arches using
         asm-generic/cmpxchg.h directly, which is currently only OpenRISC.
         The patch here moves two defines from asm-generic/atomic.h to
         asm-generic/cmpxchg.h to make things work as they should.
      
       - The VIRT_TO_BUS selector was added for OpenRISC, but OpenRISC does
         not have the virt_to_bus methods, so there's a patch to remove it
         again.
      
      * tag 'for-3.9-rc3' of git://openrisc.net/jonas/linux:
        openrisc: remove HAVE_VIRT_TO_BUS
        asm-generic: move cmpxchg*_local defs to cmpxchg.h
        openrisc: require gpiolib
      23659587
    • Linus Torvalds's avatar
      Merge tag 'char-misc-3.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · 9e1a0aab
      Linus Torvalds authored
      Pull char/misc fixes from Greg Kroah-Hartman:
       "Here are some tiny fixes for the w1 drivers and the final removal
        patch for getting rid of CONFIG_EXPERIMENTAL (all users of it are now
        gone from your tree, this just drops the Kconfig item itself.)
      
        All have been in the linux-next tree for a while"
      
      * tag 'char-misc-3.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        final removal of CONFIG_EXPERIMENTAL
        w1: fix oops when w1_search is called from netlink connector
        w1-gpio: fix unused variable warning
        w1-gpio: remove erroneous __exit and __exit_p()
        ARM: w1-gpio: fix erroneous gpio requests
      9e1a0aab
    • Linus Torvalds's avatar
      Merge tag 'sound-3.9' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 5cd8846c
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "A collection of small fixes, as expected for the middle rc:
         - A couple of fixes for potential NULL dereferences and out-of-range
           array accesses revealed by static code parsers
         - A fix for the wrong error handling detected by trinity
         - A regression fix for missing audio on some MacBooks
         - CA0132 DSP loader fixes
         - Fix for EAPD control of IDT codecs on machines w/o speaker
         - Fix a regression in the HD-audio widget list parser code
         - Workaround for the NuForce UDH-100 USB audio"
      
      * tag 'sound-3.9' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda - Fix missing EAPD/GPIO setup for Cirrus codecs
        sound: sequencer: cap array index in seq_chn_common_event()
        ALSA: hda/ca0132 - Remove extra setting of dsp_state.
        ALSA: hda/ca0132 - Check download state of DSP.
        ALSA: hda/ca0132 - Check if dspload_image succeeded.
        ALSA: hda - Disable IDT eapd_switch if there are no internal speakers
        ALSA: hda - Fix snd_hda_get_num_raw_conns() to return a correct value
        ALSA: usb-audio: add a workaround for the NuForce UDH-100
        ALSA: asihpi - fix potential NULL pointer dereference
        ALSA: seq: Fix missing error handling in snd_seq_timer_open()
      5cd8846c
    • Linus Torvalds's avatar
      Merge branch 'fixes-for-3.9' of git://git.linaro.org/people/mszyprowski/linux-dma-mapping · c7f17deb
      Linus Torvalds authored
      Pull DMA-mapping fix from Marek Szyprowski:
       "An important fix for all ARM architectures which use ZONE_DMA.
        Without it dma_alloc_* calls with GFP_ATOMIC flag might have allocated
        buffers outsize DMA zone."
      
      * 'fixes-for-3.9' of git://git.linaro.org/people/mszyprowski/linux-dma-mapping:
        ARM: DMA-mapping: add missing GFP_DMA flag for atomic buffer allocation
      c7f17deb
    • Linus Torvalds's avatar
      Merge tag 'mfd-fixes-3.9-1' of git://git.kernel.org/pub/scm/linux/kernel/git/sameo/mfd-fixes · de1893f6
      Linus Torvalds authored
      Pull MFD fixes from Samuel Ortiz:
       "This is the first batch of MFD fixes for 3.9.
      
        With this one we have:
      
         - An ab8500 build failure fix.
         - An ab8500 device tree parsing fix.
         - A fix for twl4030_madc remove routine to work properly (when
           built-in).
         - A fix for properly registering palmas interrupt handler.
         - A fix for omap-usb init routine to actually write into the
           hostconfig register.
         - A couple of warning fixes for ab8500-gpadc and tps65912"
      
      * tag 'mfd-fixes-3.9-1' of git://git.kernel.org/pub/scm/linux/kernel/git/sameo/mfd-fixes:
        mfd: twl4030-madc: Remove __exit_p annotation
        mfd: ab8500: Kill "reg" property from binding
        mfd: ab8500-gpadc: Complain if we fail to enable vtvout LDO
        mfd: wm831x: Don't forward declare enum wm831x_auxadc
        mfd: twl4030-audio: Fix argument type for twl4030_audio_disable_resource()
        mfd: tps65912: Declare and use tps65912_irq_exit()
        mfd: palmas: Provide irq flags through DT/platform data
        mfd: Make AB8500_CORE select POWER_SUPPLY to fix build error
        mfd: omap-usb-host: Actually update hostconfig
      de1893f6
    • Linus Torvalds's avatar
      Merge tag 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging · 92fbb1c9
      Linus Torvalds authored
      Pull hwmon fixes from Guenter Roeck:
       "Bug fixes for pmbus, ltc2978, and lineage-pem drivers
      
        Added specific maintainer for some hwmon drivers"
      
      * tag 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
        hwmon: (pmbus/ltc2978) Fix temperature reporting
        hwmon: (pmbus) Fix krealloc() misuse in pmbus_add_attribute()
        hwmon: (lineage-pem) Add missing terminating entry for pem_[input|fan]_attributes
        MAINTAINERS: Add maintainer for MAX6697, INA209, and INA2XX drivers
      92fbb1c9
  7. 15 Mar, 2013 8 commits
  8. 14 Mar, 2013 4 commits
    • Linus Torvalds's avatar
      Merge branch 'rcu/urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu · f4846e52
      Linus Torvalds authored
      Pull fix for hlist_entry_safe() regression from Paul McKenney:
       "This contains a single commit that fixes a regression in
        hlist_entry_safe().  This macro references its argument twice, which
        can cause NULL-pointer errors.  This commit applies a gcc statement
        expression, creating a temporary variable to avoid the double
        reference.  This has been posted to LKML at
      
          https://lkml.org/lkml/2013/3/9/75.
      
        Kudos to CAI Qian, whose testing uncovered this, to Eric Dumazet, who
        spotted root cause, and to Li Zefan, who tested this commit."
      
      * 'rcu/urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu:
        list: Fix double fetch of pointer in hlist_entry_safe()
      f4846e52
    • Paul E. McKenney's avatar
      list: Fix double fetch of pointer in hlist_entry_safe() · f65846a1
      Paul E. McKenney authored
      The current version of hlist_entry_safe() fetches the pointer twice,
      once to test for NULL and the other to compute the offset back to the
      enclosing structure.  This is OK for normal lock-based use because in
      that case, the pointer cannot change.  However, when the pointer is
      protected by RCU (as in "rcu_dereference(p)"), then the pointer can
      change at any time.  This use case can result in the following sequence
      of events:
      
      1.	CPU 0 invokes hlist_entry_safe(), fetches the RCU-protected
      	pointer as sees that it is non-NULL.
      
      2.	CPU 1 invokes hlist_del_rcu(), deleting the entry that CPU 0
      	just fetched a pointer to.  Because this is the last entry
      	in the list, the pointer fetched by CPU 0 is now NULL.
      
      3.	CPU 0 refetches the pointer, obtains NULL, and then gets a
      	NULL-pointer crash.
      
      This commit therefore applies gcc's "({ })" statement expression to
      create a temporary variable so that the specified pointer is fetched
      only once, avoiding the above sequence of events.  Please note that
      it is the caller's responsibility to use rcu_dereference() as needed.
      This allows RCU-protected uses to work correctly without imposing
      any additional overhead on the non-RCU case.
      
      Many thanks to Eric Dumazet for spotting root cause!
      Reported-by: default avatarCAI Qian <caiqian@redhat.com>
      Reported-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Tested-by: default avatarLi Zefan <lizefan@huawei.com>
      f65846a1
    • Linus Torvalds's avatar
      Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs · 40e4591d
      Linus Torvalds authored
      Pull ext2, ext3, reiserfs, quota fixes from Jan Kara:
       "A fix for regression in ext2, and a format string issue in ext3.  The
        rest isn't too serious."
      
      * 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
        ext2: Fix BUG_ON in evict() on inode deletion
        reiserfs: Use kstrdup instead of kmalloc/strcpy
        ext3: Fix format string issues
        quota: add missing use of dq_data_lock in __dquot_initialize
      40e4591d
    • Liu Bo's avatar
      Btrfs: fix warning when creating snapshots · 7c2ec3f0
      Liu Bo authored
      Creating snapshot passes extent_root to commit its transaction,
      but it can lead to the warning of checking root for quota in
      the __btrfs_end_transaction() when someone else is committing
      the current transaction.  Since we've recorded the needed root
      in trans_handle, just use it to get rid of the warning.
      Signed-off-by: default avatarLiu Bo <bo.li.liu@oracle.com>
      Signed-off-by: default avatarChris Mason <chris.mason@fusionio.com>
      7c2ec3f0