1. 19 Oct, 2010 1 commit
    • Darren Hart's avatar
      futex: Fix errors in nested key ref-counting · 7ada876a
      Darren Hart authored
      futex_wait() is leaking key references due to futex_wait_setup()
      acquiring an additional reference via the queue_lock() routine. The
      nested key ref-counting has been masking bugs and complicating code
      analysis. queue_lock() is only called with a previously ref-counted
      key, so remove the additional ref-counting from the queue_(un)lock()
      functions.
      
      Also futex_wait_requeue_pi() drops one key reference too many in
      unqueue_me_pi(). Remove the key reference handling from
      unqueue_me_pi(). This was paired with a queue_lock() in
      futex_lock_pi(), so the count remains unchanged.
      
      Document remaining nested key ref-counting sites.
      Signed-off-by: default avatarDarren Hart <dvhart@linux.intel.com>
      Reported-and-tested-by: Matthieu Fertré<matthieu.fertre@kerlabs.com>
      Reported-by: Louis Rilling<louis.rilling@kerlabs.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: John Kacur <jkacur@redhat.com>
      Cc: Rusty Russell <rusty@rustcorp.com.au>
      LKML-Reference: <4CBB17A8.70401@linux.intel.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: stable@kernel.org
      7ada876a
  2. 17 Oct, 2010 2 commits
  3. 16 Oct, 2010 4 commits
  4. 15 Oct, 2010 10 commits
  5. 14 Oct, 2010 5 commits
    • Linus Torvalds's avatar
      Linux 2.6.36-rc8 · cd07202c
      Linus Torvalds authored
      cd07202c
    • Linus Torvalds's avatar
      Un-inline the core-dump helper functions · 3aa0ce82
      Linus Torvalds authored
      Tony Luck reports that the addition of the access_ok() check in commit
      0eead9ab ("Don't dump task struct in a.out core-dumps") broke the
      ia64 compile due to missing the necessary header file includes.
      
      Rather than add yet another include (<asm/unistd.h>) to make everything
      happy, just uninline the silly core dump helper functions and move the
      bodies to fs/exec.c where they make a lot more sense.
      
      dump_seek() in particular was too big to be an inline function anyway,
      and none of them are in any way performance-critical.  And we really
      don't need to mess up our include file headers more than they already
      are.
      Reported-and-tested-by: default avatarTony Luck <tony.luck@gmail.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      3aa0ce82
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 · ae42d8d4
      Linus Torvalds authored
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6:
        ehea: Fix a checksum issue on the receive path
        net: allow FEC driver to use fixed PHY support
        tg3: restore rx_dropped accounting
        b44: fix carrier detection on bind
        net: clear heap allocations for privileged ethtool actions
        NET: wimax, fix use after free
        ATM: iphase, remove sleep-inside-atomic
        ATM: mpc, fix use after free
        ATM: solos-pci, remove use after free
        net/fec: carrier off initially to avoid root mount failure
        r8169: use device model DMA API
        r8169: allocate with GFP_KERNEL flag when able to sleep
      ae42d8d4
    • Linus Torvalds's avatar
      Don't dump task struct in a.out core-dumps · 0eead9ab
      Linus Torvalds authored
      akiphie points out that a.out core-dumps have that odd task struct
      dumping that was never used and was never really a good idea (it goes
      back into the mists of history, probably the original core-dumping
      code).  Just remove it.
      
      Also do the access_ok() check on dump_write().  It probably doesn't
      matter (since normal filesystems all seem to do it anyway), but he
      points out that it's normally done by the VFS layer, so ...
      
      [ I suspect that we should possibly do "vfs_write()" instead of
        calling ->write directly.  That also does the whole fsnotify and write
        statistics thing, which may or may not be a good idea. ]
      
      And just to be anal, do this all for the x86-64 32-bit a.out emulation
      code too, even though it's not enabled (and won't currently even
      compile)
      Reported-by: default avatarakiphie <akiphie@lavabit.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      0eead9ab
    • Salman Qazi's avatar
      hrtimer: Preserve timer state in remove_hrtimer() · f13d4f97
      Salman Qazi authored
      The race is described as follows:
      
      CPU X                                 CPU Y
      remove_hrtimer
      // state & QUEUED == 0
      timer->state = CALLBACK
      unlock timer base
      timer->f(n) //very long
                                        hrtimer_start
                                          lock timer base
                                          remove_hrtimer // no effect
                                          hrtimer_enqueue
                                          timer->state = CALLBACK |
                                                         QUEUED
                                          unlock timer base
                                        hrtimer_start
                                          lock timer base
                                          remove_hrtimer
                                              mode = INACTIVE
                                              // CALLBACK bit lost!
                                          switch_hrtimer_base
                                                  CALLBACK bit not set:
                                                          timer->base
                                                          changes to a
                                                          different CPU.
      lock this CPU's timer base
      
      The bug was introduced with commit ca109491 (hrtimer: removing all ur
      callback modes) in 2.6.29
      
      [ tglx: Feed new state via local variable and add a comment. ]
      Signed-off-by: default avatarSalman Qazi <sqazi@google.com>
      Cc: akpm@linux-foundation.org
      Cc: Peter Zijlstra <peterz@infradead.org>
      LKML-Reference: <20101012142351.8485.21823.stgit@dungbeetle.mtv.corp.google.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: stable@kernel.org
      f13d4f97
  6. 13 Oct, 2010 12 commits
  7. 12 Oct, 2010 6 commits
    • Russell King's avatar
      ARM: relax ioremap prohibition (309caa9c) for -final and -stable · 06c10884
      Russell King authored
      ... but produce a big warning about the problem as encouragement
      for people to fix their drivers.
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      06c10884
    • Russell King's avatar
    • Mika Westerberg's avatar
      ARM: 6440/1: ep93xx: DMA: fix channel_disable · 10d48b39
      Mika Westerberg authored
      When channel_disable() is called, it disables per channel interrupts and
      waits until channels state becomes STATE_STALL, and then disables the
      channel. Now, if the DMA transfer is disabled while the channel is in
      STATE_NEXT we will not wait anything and disable the channel immediately.
      This seems to cause weird data corruption for example in audio transfers.
      
      Fix is to wait while we are in STATE_NEXT or STATE_ON and only then
      disable the channel.
      Signed-off-by: default avatarMika Westerberg <mika.westerberg@iki.fi>
      Acked-by: default avatarRyan Mallon <ryan@bluewatersys.com>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      10d48b39
    • Dan Carpenter's avatar
      ps3disk: passing wrong variable to bvec_kunmap_irq() · 93055c31
      Dan Carpenter authored
      This should pass "buf" to bvec_kunmap_irq() instead of "bv".  The api is
      like kmap_atomic() instead of kmap().
      Signed-off-by: default avatarDan Carpenter <error27@gmail.com>
      Acked-by: default avatarGeoff Levand <geoff@infradead.org>
      Signed-off-by: default avatarJens Axboe <jaxboe@fusionio.com>
      93055c31
    • Linus Torvalds's avatar
      Merge branch 'kvm-updates/2.6.36' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 0acc1b2a
      Linus Torvalds authored
      * 'kvm-updates/2.6.36' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: x86: Move TSC reset out of vmcb_init
        KVM: x86: Fix SVM VMCB reset
      0acc1b2a
    • Steven Rostedt's avatar
      ring-buffer: Fix typo of time extends per page · d0134324
      Steven Rostedt authored
      Time stamps for the ring buffer are created by the difference between
      two events. Each page of the ring buffer holds a full 64 bit timestamp.
      Each event has a 27 bit delta stamp from the last event. The unit of time
      is nanoseconds, so 27 bits can hold ~134 milliseconds. If two events
      happen more than 134 milliseconds apart, a time extend is inserted
      to add more bits for the delta. The time extend has 59 bits, which
      is good for ~18 years.
      
      Currently the time extend is committed separately from the event.
      If an event is discarded before it is committed, due to filtering,
      the time extend still exists. If all events are being filtered, then
      after ~134 milliseconds a new time extend will be added to the buffer.
      
      This can only happen till the end of the page. Since each page holds
      a full timestamp, there is no reason to add a time extend to the
      beginning of a page. Time extends can only fill a page that has actual
      data at the beginning, so there is no fear that time extends will fill
      more than a page without any data.
      
      When reading an event, a loop is made to skip over time extends
      since they are only used to maintain the time stamp and are never
      given to the caller. As a paranoid check to prevent the loop running
      forever, with the knowledge that time extends may only fill a page,
      a check is made that tests the iteration of the loop, and if the
      iteration is more than the number of time extends that can fit in a page
      a warning is printed and the ring buffer is disabled (all of ftrace
      is also disabled with it).
      
      There is another event type that is called a TIMESTAMP which can
      hold 64 bits of data in the theoretical case that two events happen
      18 years apart. This code has not been implemented, but the name
      of this event exists, as well as the structure for it. The
      size of a TIMESTAMP is 16 bytes, where as a time extend is only
      8 bytes. The macro used to calculate how many time extends can fit on
      a page used the TIMESTAMP size instead of the time extend size
      cutting the amount in half.
      
      The following test case can easily trigger the warning since we only
      need to have half the page filled with time extends to trigger the
      warning:
      
       # cd /sys/kernel/debug/tracing/
       # echo function > current_tracer
       # echo 'common_pid < 0' > events/ftrace/function/filter
       # echo > trace
       # echo 1 > trace_marker
       # sleep 120
       # cat trace
      
      Enabling the function tracer and then setting the filter to only trace
      functions where the process id is negative (no events), then clearing
      the trace buffer to ensure that we have nothing in the buffer,
      then write to trace_marker to add an event to the beginning of a page,
      sleep for 2 minutes (only 35 seconds is probably needed, but this
      guarantees the bug), and then finally reading the trace which will
      trigger the bug.
      
      This patch fixes the typo and prevents the false positive of that warning.
      Reported-by: default avatarHans J. Koch <hjk@linutronix.de>
      Tested-by: default avatarHans J. Koch <hjk@linutronix.de>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Stable Kernel <stable@kernel.org>
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      d0134324